For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.

I think this violates the grant that the user is giving Facebook. If they deleted the content, it's supposed to be gone - Facebook no longer has a license to display it on their site. Facebook has, in public communications, stated that the qualification there is about their messages where you could send effectively an email to another person and both sides have to delete the message - just like with email.

As human beings, we should do a lot of things for pragmatic purposes. That doesn't make it good. In a certain way, it's like knowing that you live in a neighborhood with a criminal and "well, I guess it's my fault that I didn't lock my door or even bothered to go out of the house."

I'm all for Facebook changing to try and do new things, but sometimes there's a lack of consent that's disturbing given that Facebook has been telling users to expect control over their sharing. We've seen articles about the ability for third parties to add you to a group and for that adding to be advertized to your friends. I understand that we should consider anything we post to Facebook public. However, Facebook has strongly encouraged us to put things we don't want public on Facebook with an assurance of privacy. As such, I don't think it's unreasonable to rake Facebook over the coals over this (if it's true). It's the type of bad behavior that should be admonished.

I'm certainly not arguing that companies need to do what their users want or anything like that. However, we call out bad companies as bad. In this case, it looks like they're even violating their own ToS (if the story is true). If Facebook had started out like Tumblr or Twitter or Geocities where you're really trying to post public content, it would be one thing. Facebook didn't start out that way and, in fact, encouraged us to think of them as protecting private content. Let's say Google decided to sell or publicly display your email tomorrow. We'd admonish that. It's a violation without your permission. Is the reason we should consider things posted to Facebook as public that we've seen Facebook be scummy for years now and should have learned that their promises are nonsense?

I don't think you're wrong or anything. I just think that "buyer beware" or "well, you shouldn't have rented an apartment in that neighborhood" are great ways to look at it.

* P.S. Nothing in this comment is meant to cast judgement on whether or not Facebook is doing the things the article accuses them of. I haven't researched it. It's simply to note that Facebook portrays itself as both 1. not sharing your content further than you allow and 2. allowing you to remove content other than things like messages which might be in someone else's inbox. If they're violating that, they're violating what they're telling users.

It would be interesting to try to send Facebook a DMCA take-down notice if they undelete your content.

But wait. What if another person's privacy settings preclude one's ability to know if people have shared my content or not, and/or whether those people deleted it?

Doesn't that place Facebook in a realm of ultimate deniability with respect to whether or not they are still in lawful possession of this implicit IP License?

Case in point:

  1. I upload a scandalous and controversial image, accidentally.

  2. I have a friend, who can see the album that contains the 

     image. [thus it is "shared"]

  3. This "friend" immediately shares it. [satisfying the 

     requisite logical AND whereby it is simultaneously both 

     shared and not yet deleted by them]

  4. The friend UNFRIENDS me (OH NOES!), and locks me out of 

     viewing anything related to their account.

  5. I delete the image, believing that I am revoking the 

     implicit IP License.

  6. Unbeknownst to me, Facebook retains an IP License by virtue 

     of the fact that someone else has not deleted the image.

  7. Due to Facebook's policy, they are bound by their own 

     privacy obligations to the other user, to withhold from me 

     information regarding WHO still possesses the image, and 

     will not tell me HOW they are able to claim lawful 

     possession of an IP License for the image I am trying to 

     revoke.

  8. I am stuck in the very limbo that OP is complaining about, 

     whereby Facebook claims to have an implicit License to 

     publish content, but will refuse to disclose the evidence 

     of who has yet to delete the image, as prove that their own 

     license is derived by the actions of another.

  9. In theory, this other user might very well "forget" their 

     Facebook password (whoopsie! but innocently, and certainly 

     not as revenge...) and lock themselves out of their own 

     account. In this manner Facebook now entitles themselves to 

     the IP rights of this image in perpetuity, without the 

     potential for revocation, because thei refuse to unlock the 

     sharer's account without adequate proof.

Like, simply by virtue of sharing, any person who then accesses the content and then re-shares it and refuses to delete it, is then acting as the de-facto rights holder from which all of Facebook's privileges are derived.

But by letting another Facebook user access your shared content, as a peer, it's not immediately clear where that peer truly derives their eternal permission to forever re-share everything they ever had access to as your friend. Why does that person possess eternal rights to share YOUR content on Facebook, simply by being listed as your friend? Where does that part come from? Isn't that behavior enabled by Facebook? And doesn't Facebook reserve the right to redefine how things are "shared" at will? So then, doesn't that mean that Facebook is enabling itself?

Doesn't it seem like there is strong potential for a conflict of interest between Facebook and the other two parties involved?

It says that their license to display the image is subject to your privacy settings. Simply setting the image to Only You doesn't remove the image, but would ensure no one can see it. It effectively revokes Facebook's license to show the image to all your friends. If none of your friends can view it, they cannot share it, and it should remove any of their previous shares. Then you can delete it.

EDIT: Come to think of it, I have a feeling that "unless your content has been shared with others" behaves more narrowly in practice than it could by reading the text. Probably, it would apply to edges cases beyond Facebook's reasonable control - like a notification of a picture to a phone. The app only checks for updates every so often, and it may be out of service for a while, but a thumbnail is sent. You could delete the image, but until they check Facebook's servers, the person has effective control over the thumbnail, which is a derivative work of your copyrighted image, legally. Facebook is just covering their bases there.

Without your consent, they made private photos public. You didn't do that. You used their privacy settings which they created to prevent this type of situation. To have FB disregard their own privacy settings is 100% on them.

But, instead of blaming FB, you blame yourself. In light of the total collapse of privacy we've experienced recently, it's really sad that that seems perfectly rational.

But I agree with you about Facebook. I closed my account three years ago. (Heh -- three weeks later they tried to recruit me. I turned them down.)

FB is happy to "destroy privacy" like a child unable to consider the real implications.

How do you apply that seemingly unassailable stance to something like iPhone/iCloud, where photos you take with the only camera you have on you during once-in-a-lifetime-moments are immediately and automatically uploaded to a third party for safekeeping?

The solution to all of this data retention/spying stuff is not "start being meticulously paranoid with all of your data", not the least of which is because that won't scale to the majority of the population (and it must, if we are to retain a free society). Furthermore, communications metadata (such as email envelopes with your residential IP and timestamp, cell tower logs that reveal your location, or call logs that reveal your social graph) can't be kept secret unless you _stop communicating with people_. It's a non-starter.

The solution is to alter the legal environment such that these large troves of centralized data are much harder to exploit for evil, both by service providers and military intelligence organizations.

I apply it equally. The same goes for VPS, EC2, etc., and (especially given recent revelations) it's clear it should apply even to unencrypted communications over the Internet even between nodes you control.

At what point can you actually have a basis for legal recourse?

Once again the problem is that we don't have decentralized technology that would store our data encrypted and serve it only to those who we have granted access. But we will. Actually the new MegaUpload is encrypted.

A: if you want to keep it secret. How often do people find themselves in once in a lifetime moments that they want to keep secret, and want to take photos of, but only have an iphone with them?

B: iphones are not the only phones with built in cameras. If you care about privacy to that extent, you wouldn't own one.

That said, I agree with you. One example is when Service providers unilaterally change their tos by asserting that continued usage implies consent. This puts too much power in the hands of companies like Facebook, where many users are too embedded not to continue.

They agreed to keep your stuff private under their settings, and then they just unilaterally decide that it should be public? Screw that. This could be a winnable class action lawsuit.

There's really nothing you can do about this state of affairs except quit FB. They know you won't so they'll just keep fucking you. FB doesn't respect you like they don't respect their own ToS. Their job is to fuck you, over and over. That's their business plan and purpose of existence. Your job is to get fucked. Recognize your place in this relationship.

If you're uncomfortable about this relationship then leave. Otherwise STFU. Stop telling me that FB did something terrible with your precious personal information again. It's like someone complaining that their car got stolen after they left the keys sitting on top of it in a bad neighborhood. WTF did you expect?

Or actually, it does, but in the sense that your argument is pretty much analogous to the "if you have nothing to hide" argument.

Furthermore, even if you don't use facebook, or use it for reading only, you can always assume that every piece of data your friends give them, from photos with your face in them to the contents of their address book (with your birthday, nickname, private phone numbers, etc) will be stored by them forever.

Even if they don't display the data on the public site, don't think they don't mine it for actionable changes to ad targeting.

It was recently discovered that they were leaking data that they were collecting from people's address books. Turns out that their app was uploading it for friends-matching but they were (logically) storing it silently alongside your profile.

It may well be possible that, via just their mobile app's userbase's contacts, they have the vast majority of the social graph for the entire planet, even their non-users.

Those users have volunteered sufficient data that, given that planetary graph, they can infer many attributes (with high accuracy) associated with those who actively avoid them.

It's sort of the same concept as how facial recognition technology and traffic analysis can uniquely ID all mass transit users, even those who don't use credit cards (your name's in the magstripe) to pay the fare. Given enough data, they can fill in the holes with sufficient accuracy and encompass everyone.

The problem here is that I do consider everything I do on the Internet to be public, but most average people don't. This is why I don't have a Facebook, which admittedly is probably a big killer for my social life in my age group being a late teenager. People in their late teens/early twenties are reckless when it comes to the Internet and I simply can't risk being associated with any of that.

Don't blame facebook, blame Canada. Facebookers just do their job :-)

I'm getting tired of people finding excuses for Facebook like "hey, you should've known it's bad, just don't do that, and then it's fine". How about you stop using it?