Facebook, Scoble, Manifestos and European Privacy Law.

Thanks to truly brilliant stream of  Auntie P.

I’m very late to this, and originally I wasn’t planning to comment on the Scoble-Facebook thingy, (see techmeme) but after seeing James Governor’s deli.cio.us link comment,about Nick Carr’s post, I figured I’d jump in.

James said…

my take: Che? No. Scoble the Mike Huckabee of the A-list. He thinks privacy is “just a theory” but runs awesome home and webspun campaigns… aw shucks

Spot on James. (thanks also to James for getting me into this CC flickr photo thingy)

Part of Robert’s defence is that he was “only” collecting

Names and email address and birthday.

But name, email address and birthday are personal data.

Here in ye old Europe we have a pretty clear legal definition of personal information.

Personal data are defined as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a of the EU Data Protection Directive)

I don’t want to go into a long history of European privacy law here, but The ancient runes (1980) of the OECD guidelines are a good starting place. The seven principles governing the OECD’s recommendations for protection of personal data were:

   1. Notice—data subjects should be given notice when their data is being collected;
   2. Purpose—data should only be used for the purpose stated and not for any other purposes;
   3. Consent—data should not be disclosed without the data subject’s consent;
   4. Security—collected data should be kept secure from any potential abuses;
   5. Disclosure—data subjects should be informed as to who is collecting their data;
   6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
   7. Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principle

These principles eventually wound up as the foundation of the Data Protection Directive, which in turn ended up in the national law of all EU countries. They would make a good start for anyone building a terms of service for an offering that consumes personal data too.

The principles in the UK Act are defined as follows

Personal data:

  1. Shall be processed fairly and lawfully
  2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose(s)
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”.
  4. Shall be accurate and, where necessary, kept up to date.
  5. Processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.

Robert Scoble’s actions may be perceived as noble in some quarters, but they don’t impress me. He single-handedly bashed through most of the basic principles of privacy with his scraping exercise, never mind Facebook’s terms of service. Facebook was right to take Robert on here. Facebook is subject to the provisions of European Data Protection Law. Facebook is part of the safe harbor. 

Carr nails it.

Facebook has an obligation to protect the data entrusted to it by its members. At the very least, members should have the right to decide whether or not their personal information can be scraped out of the Facebook database. Scoble did not give them that choice. That doesn’t mean that Facebook is the hero. It, like other social networks, happily scrapes information from members’ email accounts to identify possible new members. Facebook will scrape when it suits its commercial interest but will block scraping when it doesn’t. Still, in this particular case, Facebook did what it needed to do: protect the information and the interests of its members. Until controls are in place, unauthorized scraping of other members’ personal information shouldn’t be allowed.

What the Scoble affair reveals is that the issue of “data portability” is not a simple issue but a fraught one. Data scraping can make our lives easier, but it can also put us at risk.

So does Anne

Even if Scoble’s Facebook friends agreed to let him view their data on Facebook, they didn’t agree to let him take that information wherever he wants to do with what he wants. He could use a screen scraping program to grab data that they consider just-among-friends and stick it out in public without any regard for their privacy settings. You might say, “Scoble wouldn’t do that” but it’s Facebook’s responsibility to see that it doesn’t happen.

Data portability could be designed into Facebook in such a way that it doesn’t compromise user’s privacy. At the very least, an opt-in to profile sharing outside Facebook would need to be provided. Allowing uncontrolled screen scraping is not the answer

And Loren Feldman’s acerbic take is well worth a watch.  See the comments too. This one from Patrica, (who has a super  golf blog)

Though evidently there are a number of geek wannabes out there just itching to join a data martyr movement.

Hat tip gapingvoid’s twitter

You may find this article on the position of Facebook in UK law interesting. Facebook could move at speed to suspend Robert, but seem awfully unwilling to let other people voluntarily remove themselves.  I’ve rambled before about Facebook and data protection law.

Robert, no doubt, had good intentions, but he was breaking the law, both in terms of the Facebook terms and conditions, and for those Europeans lurking in his 5000 “Friends”, a good bit of data protection law too.  Processing 5000 records moves one beyond the realms of Dunbar’s law into data controller mode.

I’m glad to see blawgs joining the discussion, for instance the Canadian Privacy Law Blog.  Also I’m very pleased to see privacy manifestos emerging, such as this one over on gigaOM, but rather than inventing stuff from new, I’d propose that the web 2.0 gurus get talking with some folks who know privacy and its complexities.  It is a lot harder than it looks. 

The right to privacy is one of the most complex legal and technical issues, and not just since web 2.0.  The Germans passed privacy laws in the 1970’s and are still grappling with the balance between privacy, security, freedom of speech.  One of the most famous cases in US law is mainly about privacy rights. 

The more folks start thinking and talking about privacy, and the sooner privacy impacts buying decisions the better. 

Daniel Solove’s recent book is a damn good place to start, especially from a US perspective.

For the technical challenges, Jeff Jonas is a must read. I’d like all developers who touch personal data to read and understand Kim Cameron’s laws of Identity.

I’d love to see more from Pangloss or on this too, oh and a Geeklawyer rant would be nice too.  I hope to be at this conference next year, the 8th Privacy Enhancing Technologies Symposium (PETS 2008).  It would be even better if Facebook sent some folks along too.


81 thoughts on “Facebook, Scoble, Manifestos and European Privacy Law.”

  1. Heh:) I am actually contracted to write my goddamn long awaited article on facebook and privacy for a book appearing from Stanford Press by end January — so any minute I will actually start it 🙂 Thanks for all the refs, oh, AND CONGRATS ON THE NEW JOB!

  2. Thanks for the link Thomas. FYI – the Privacy Manifesto I published on GigaOm is largely based on the Canadian model. I deliberately chose to not go reinventing because it seems easier to get the enlightened companies already out there to go to the next step.

    Great list of privacy resources, by the way.

    Cheers, A

  3. I may be misunderstanding this, but if I give someone access to personal information that I have chosen to put online, I can’t stop them from doing whatever they want with that data. Isn’t it my responsibility to decide who gets access to my personal data? Why would I fault the vehicle for gathering the data if I’m the one doing the driving?

    Again, I may have missed your point here.

  4. You’re wrong, but that’s OK.

    My friends gave me permission to use their stuff when they gave me access to their information. It’s not like I was getting access to non friends.

    Here’s a better way to look at this:

    1. Is it OK for me to send you an email if you give me access to your email address on Facebook? If so, how would I do that? I’d need to put it in Gmail or Outlook or some other email system, right? So, what’s the difference between me manually cutting and pasting and me running a script that does that?

    2. Can I send you a birthday card if you give me access to your birthday? Yes? OK, but how would I do that? Wouldn’t I need to cut and paste your email address AGAIN to do that?

    3. What we need isn’t more laws, but more granular controls and more users who understand those controls. If I don’t want you to put my email address into other systems, why would I share them in the first place with you? After all, Facebook has its own way to send messages to me, so why give over emails? If you don’t want me to use your birthday for my own purposes why share those?

    4. I was using this data FOR MYSELF. Plaxo wasn’t going to use it. There needs to be a “fair use” capability so I can use this kind of data for myself to send you emails, do business with you, and so I can send you birthday cards.

  5. You are implying that Scoble and other “scrapers” do so for the purpose of processing them.

    I do not “scrape” those social networks to work with the data in a commercial way but to have my goddam address book updated as my contacts decided to use more than just one system.

    Xing, my primary system, allows me to set per contact what I allow others to see of my profile – one person gets all data, another one not even my mail address. This is a fine grained mechanism. But in the end, if a person gives me their biz card, and half a profile, I will not store that away in two places but in one.

    Hence the putting everything together in one place, which happens to be my computer (and my mobile).

    The privacy laws do not deal with this initially. They deal with companies using data for or against the consumer and iirc specifically mention that it does not apply along the line of “personal systems”.

    They need adaption, as suddenly a single person – example Robert – is able to “work” with data, something only done before from companies with the ressources.

    The lines are not as clear anymore as they have been before.

    [Don’t get me wrong, I do like our European Privacy Laws]

  6. Robert,
    thanks for dropping by.

    I’d like to think I’m right, but your opinion is of course, yours.
    The directive I’m talking about is here.

    1.From my understanding you were testing a Plaxo product with this data. This isn’t personal processing. (see the Lindqvist case for a really interesting saga)
    You are acting, I would suggest, as a data controller. (see Article 2(c) of the directive.

    2.using live data to test a product is not the purpose for which the data was provided, hence breaching the second principle.

    3.People gave you that data in the context of facebook, not plaxo. Plaxo may be a fine service, but it has a chequered reputation.
    again, breaching the second principle.

    I’d suggest that the act would consider this processing. Please see the definitions in the directive, ie.
    b) ‘processing of personal data’ (‘processing’) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

    Robert was testing the product for Plaxo, so there is more than personal use at stake here.

    I’m very impressed with Xing’s granular model.I need to invest more time in there.

    The canadian model is a great starting point.

    The law makes it quite clear that if you give the data for one purpose you have a right for it to be used only for that purpose.

    I’ve not made this law up, the right to privacy is a fundamental human right, at least here in Europe.

    The law is unwieldy, poorly enforced, and due a significant rewrite. But it is still the law.

  7. If I put an email into Gmail, Gmail doesn’t have the right to use that email in anything other than my account.

    This was just that. A personal use of a script to add email addresses to my own account (in this case, a test account that now has been deleted).

    Tell me: is there any difference between me manually copying and pasting email addresses into Outlook or me using a script to do that?

    In my world: no.

    If the EU says there’s a difference, well, then that might explain why so few tech companies start out in the EU.

  8. @Robert – your assertion is breathtaking. I’d suggest that Thomas knows a lot more about EU privacy laws than most and that is what is being discussed. Not the narrow US position.

    If the data portability working group is to make this stick, it won’t come via an informal agreement among like minded software vendors. As with all software processes, they have to be compliant with the laws of the land in which they operate.

    This is something that had not been discussed until Thomas took it upon himself to lay out the laws as they apply in the EU. This is fundamental stuff.

    The laws don’t talk about fair use but define the circumstances and ways in which data can be used.

    To the UK’s law – it says:
    “Shall be processed fairly and lawfully”

    You did neither, therefore you were breaking the law. There can be no argument here.

  9. @Robert – that’s an unnecessarily silly remark. The world is flat – right? The EU has as many citizens as the US. Australia and Germany have far tighter laws. Are the only people who ‘get it’ in the US? Are we all idiots? If that’s your position then quite frankly its one that is narrow in the extreme.

  10. My take…if Scoble did break the law/rule/etc, it’s a dumb law. By being friends with someone on Facebook aren’t you giving them consent to take the data that’s on your profile and use it (whether that use is to memorize it, write it down, etc). So what’s the difference between me having the consent to “view” someone’s data and me memorizing it or copy/pasting it, or using a personal assistant (human or script) to copy it, as long as it’s for my own PERSONAL use?

    Regardless of the law, people should just use common sense. If you don’t want people to know your name/birthday/email, don’t be friends with them or share that info with them.

  11. Robert,
    I didn’t write the law/Directive. The law grew out of the fear of data driven persecution.

    My data belongs to me, I may loan it to you, but there comes a point when I may want it back. A bit like a book.

    The context in which you use the data is important. I may be cool with the data in xing or facebook, but I may not want it in plaxo. That should be my call, not yours.

    Portability for the data collector needs to be balanced with the privacy rights of the data subject.

  12. Thanks, Thomas, for your very useful exposition of European privacy laws in relation to this.

    I’m one of Robert Scoble’s Facebook friends, and I live in Europe and thus, I suppose, have European expectations of privacy, and I was not happy to hear that he’d scraped my info to transfer it to another service. I posted my response at my blog, jill/txt.

    I’m going to ignore the rather silly attack on Europeans in general.

  13. Scoble: If the EU says there’s a difference, well, then that might explain why so few tech companies start out in the EU.

    I think you know you have got under someones skin when they start the petty insults.

  14. Jill
    One of the things I would like to see from the data protection authorities is clearer guidance. I’m not a lawyer, so don’t consider this post to be an advisory.

    Although it focuses on US law, the Solove book I mentioned above is an excellent starting point.

    Those that knock the EU law should perhaps pause and look at its context.

    Robert, by all acounts, seems to be a fine upstanding fellow, but the law cant have one set of rules for the nice people, and another for the bad guys.

  15. Scoble was using an automated harvester to collect data.

    Just like spammers do.

    Only difference is he’s Scoble and so he should be allowed.


  16. Apparently you got the wrong end of the stick regarding my blog post about Ché Scoble. Let me spell it out. Read the post again. I did not back his position, I merely reported on it. The Ché scoble crack was a *joke*. You may have heard of them, they are quite popular I gather.

  17. So the EU law states that shared personal information can only be used for the purpose for which it was shared.

    There seems to be some sort of divined understanding of why people shared their personal information with Mr. Scoble, and an all-too-convenient (for my taste) assumption that his actions violated that use.

    If I give someone a business card, I have no idea where that information gets stored (and no, I can’t ask for it to be returned at any point). If that person stores my info in Outlook — they make business card readers, so you don’t have to do it manually, which may be worth its own uproar — then decides to switch to Gmail, they’ll export and import. How does that violate my privacy, by US or EU law?

    To my eyes, there’s just something about what happened here that simply freaks some people out, and I can’t put my finger on it. Is it just that Scoble did it with _so many_ friends? Was sharing your info with him just so easy that you didn’t realize what you were doing? People do often reveal more to strangers — face to face and online — than they would to friends, and the “old” world of email groups and forums certainly provided the necessary anonymity for that. When sites like MySpace and Facebook arrived, weren’t people excited that they could now have more “real” and more open online communities?

    Maybe this is just the thing that made us pull back a bit. “You said you wanted real and open online commmunities.” “Not _that_ real and open.”

    My question is: who will say what was the intended purpose of Scoble’s 5000 friends in sharing their information with him, so that we can then declare he didn’t use it for that purpose.

  18. It’s amazing how EU citizens get their knickers in a bunch when someone makes a (really mild) remark about the EU, but you all so frequently and happily blast away at the US that it’s virtually impossible to have a discussion of any substance.

  19. I really cant see the issue here, or the continued reference to European and other privacy laws?

    Granted Robert Scoble didnt follow Facebooks ‘laws’ by using the script, and then dealt with the consequences, but all he was doing was pulling the contact details of his friends (not anyone else). He already has access to that data so it was just the method that was considered underhanded to Facebook – not the data he was accessing.

    Anyway when you join Facebook doesnt it default to try to access everyone in your outlook contacts list to encourage them to also sign up??? Food for thought!

  20. All that Scoble’s stunt did for me was provide motivation to go in and delete and hide everything that I don’t already share with the world via LinkedIn. He proved the obvious – I can’t rely upon my friends to read my mind about what I want (and don’t want) done with my data.

    Why I bothered to share anything else anyway, I can’t imagine.

    @Robert: As far as I know, there is a pretty consistent understanding that automated activities *are* different than manual ones. Anyway, if I understand Thomas’s post correctly, even a manual copy of the Facebook data to a private data repository would be considered illegal.

  21. Can someone explain to me how this legally is any different to the Facebook function that allows me to import contact information from other services like hotmail, yahoo, gmail, etc.

    The technical difference is that Scoble used a screen scraping script rather than some sort of inbuilt export capability. This is banned in the Facebook Terms but it is not the issue that I am questioning here.

    Should this capability be switched off in Facebook because it is illegal in the EU.

    –nick coster

  22. @theotherthomasotter: Plaxo is simply the tool, Scoble wasn’t harvesting the data for Plaxo, but for his own use; a critical distinction. Additionally, I’m not sure I agree with your assumption that giving the data in Facebook implies that it is only within the context of Facebook. The business card and Outlook analogy above works well. I see Plaxo as a simple repository of data (at least in this case). I don’t believe it is the law’s intent for a user to request permission to transfer address books between Yahoo mail and Gmail, for instance. Perhaps the resolution to this is for users to limit the amount of personal information displayed to Scoble, which is a Facebook feature (kinda). Facebook should shift the default to values here to the most restrictive settings and let users opt-up the access. I’m certain that, if this were before the courts, the definition of “purpose” (for the “one purpose”) would be one of the key discussions.

    @Dennis: Well, I would guess that we disagree on both your points, that Robert processed this “fairly and legally” and that there “can be no argument here”. Hence the arguments before you.

    I’ll need to review the language on these laws. However, they appear to quite dated, and technology has certainly outpaced them.

  23. I think one big distinction that many are missing is that when you sign up to these services you allow (if you choose) for them to access your address and email your contacts – INVITING them to join but not automatically adding them.

    Plaxo however does add them to their online service – it is an online version of your address book afterall, but what is unclear is what Plaxo does with the data once it scraped it or what it was doing.

    What Robert did was legally wrong, but what Plaxo did was even worse, for me though regardless of all of that I want to know why Plaxo went under the radar instead of working with Facebook to provide a “search my contacts” feature just like Outlook, GMail, Yahoo etc. The conspiracy theorist in me says Plaxo was looking for a way to make FB obsolete and easy for you to move your data over – if you scrape 3 items why not the rest – do any of those running (Robert mentioned others) know what else was being scraped? Did anyone run a trace to see if it was realy only doing what they say it was?

  24. I hate to chime in with a rude sounding email, but I can’t resist.

    When it comes to laws, why do you think lawyers charge hundreds of dollars an hour? Because the laws that govern a country or in this case the EU are so damn complicated and vague. And even if you get five lawyers to read a specific law each of them will have a different opinion of what it means.

    Therefore, I doubt any commenters on this blog post are indeed lawyers and if they are so are not experts in the field of privacy laws.

    With that said, with my acknowledged ignorace, in my opinion I’m guessing that Robert IS NOT bound by EU privacy laws in this case. He access data that resides on a US based server and is therefore subject to U.S. privacy laws. In this case there is no way he can violate EU laws because he isn’t subject to them.

    Unless of course there are International treaties on privacy that bring us all closer together in ways we don’t know about.

  25. @tripdaman, I’m no lawyer but your point seems fairly reasonable. About what Robert argued, if you use information from Facebook and store it in your HD it might be ok, be it manually or with a script. If you use that information IN or FOR another company, like in this case Plaxo, be it manually or with a script, you are breaking a couple of privacy laws. But as tripdaman said, he’s safe as he’s under US law. Nevertheless I think Scoble should think about this carefully to avoid future problems.

  26. So are you telling me that if I have a whole bunch of business cards, run them on OCRs to scrape the information and then export all of that to Gmail or Outlook, I’m violating EU laws? Because that’s the precise analog analog (sorry for the pun) of what Scoble did.

  27. Not at all Jon. I know it sounds pedantic, but the fact is that many users rely on Facebook’s guarantees with respect to their personal data. If I put my information into Facebook, and share it with you, I still have an expectation that that data won’t, en masse, leave Facebook. If I give it to you directly, on a piece of paper, that represents a different kind of compact.

    It’s my data. Not yours, nor Facebooks. I gave it to Facebook under terms and conditions that we both agreed to, and I don’t expect that they will unilaterally change those conditions in the future.

    It’s pretty simple really.

  28. I agree with Robert. Thomas, I think you are not considering the right issue.
    Scraping is just a technical mean. If you have access to someone’s profile, you have access to all the information that is on this profile. Whether you’re manually writing it on a piece of paper or have a script creating an xml file is irrelevant.
    The point is: your friend gave you access to this information.

  29. Just because I let someone borrow my car to run an errand doesn’t mean they can borrow my car whenever they want, and it certainly doesn’t mean it’s theirs.

    This is how I see the differnce between “manually using info, vrs running a script to get info” and using it in a location that is different than the indented use “Facebook” not plaxo, not his gmail account. etc.

    Unless you intend on specifically using that information to contact me directly, or anyone else directly there is no point in running a script to get everyone’s data out in the first place. If you want to contact someone directly then go copy their info, and email them directly, if it’s someone you contact frequently then store it in your outlook or gmail or whatever.

    At least at that point it’s a personal relationship and not a I have 5,000 “Friends” so I need to collect all their data and put it someplace else just because I want to.

    For someone who complains alot about compainies not getting their PR person out in times of crisis, Scoble has had very little to say in his defence and certainly has not convinced to many people that what he has done is indeed “ethical or right”

  30. You did not answer his question with regards to using something like gmail to email you by copying and pasting. That is a valid question and one that you should answer.

    Second, I was required to enter my email address into this… where is it going? Are you not breaking a law? Is it being stored? The answer on the latter is that it clearly is… However, I did not give you the right to store it. I do not see that it states it will be stored.

    How do I get my data back from you? How am I assured you are not doing anything nefarious with it?

    Why do you need my address? Clearly there is no reason for you to require unless you would like to somehow use it for verification or for possible contact, both of which I do not see a notice for nor consent to except as Robert states his using the Facebook email addresses are for… That is by submitting it in the first place, I have given consent not to Facebook, but to you the person.

    All of that said, I would like you to respond given the above, as well as the query by Robert.

  31. @Alec

    Your assertion if defective given places such as this blog that ask for email addresses, and names, with no such agreement upon submitting a comment.

    Are you actually asserting that if I write it on paper that you then have some different, albeit nebulous intent of use? Such as what? If you write it on paper then people should assume they can only contact you via paper? If the email address in Facebook is only to be used within Facebook, then what is the purpose of having it available? Your assertion is absurd given that if the email address was not meant to be used, then it would not be available. You could simply use standard Facebook only messaging. The sharing and publication of the email address grants an intent of use, and that use given the means (email) is going to be done with an outside non-Facebook system (since you are releasing this information and not just using Facebook only messaging). How else is one to use that email address given that according to your “pretty simple” statement, it is not to be used because using gmail, Outlook or anything else would store it and make it illegal.

    Your assertion is not simple really, it is simply defective.Astonishing.

  32. benb,
    I think you have a great point, however I think it’s a bit off as well.

    First off, by posting a response and entering your email you are in fact giving your consent to store your email. Your right in that it doesn’t say that it won’t be stored, however it also doesn’t state that it will be stored.

    By hitting that “submit comment” button you are agreeing to the fact that your email will be used somehow, but you also expect that your email will be used only on this site and not sold or given to anyone else based of even the most general level of trust.

    This is what people did with Facebook as well, they agreed to be friends with scoble, thus allowing their information to be seen by him and used if necessary either within facebook or direct contact. You do not expect that he will data mine the data to use elsewhere from facebook.

    Also, nowhere does it say you have to supply a real email address, what is preventing you from entering in some random useless email account?

  33. @Micah

    I suspect that if I give you my business card, or my contact information on a sheet of paper, I expect that you will understand that to mean that you get out the shard of paper or tattered business card every time you want to contact me… Right? You are not allowed to store the email address or anything else on your computer, because that would be tantamount to using my car whenever you want.You will also need to delete any email you send or all records of a conversation because I did not give you that right to store it.

    Further, you should not use any scanner to pull in the data from the business card, because that is automation and prohibited.

    You have to be kidding.

  34. Benb,
    So if I called up Vista print and I said, send me a copy of every single business card that you have ever printed. I want to scan them all and put them in my outlook, facebook, plaxo accounts.

    They of course say, “umm no way” I say, but there was that one time that I ordered cards from you so that gives me the right to get a copy all your other cards doesn’t it, we are all in the same “social network” so what does it matter?

    Why would vista print not do this, umm because it would be very bad business practices and people would probably get very upset, even if it was “just a business card”

  35. I just wonder why anyone would add Scoble as a “friend” in Facebook anyway. For me he’s just a blogger that I read sometimes. Friends are people that you know, and can trust (normally!). Do you know and trust Robert Scoble? Of course not. So if you add people that you don’t really know then you run the risk that they will do something to you (or with your information) that you don’t really like. So for me the real problem here lies with the people who added him as a friend in the first place.

  36. Great post Thomas and this really does have to be thrashed out properly.

    There is a big difference between private data access and transfer particularly in EU law. Also There are basic access and control rights for individuals. Both of these issues can be resolved by respecting ownership and control, whats more with the right tools we can still achieve social networking goals, I have written about the basic principle ideas here :


  37. Thanks everyone for dropping by.
    This post wasn’t about business cards, or outlook, but about the specific case of scraping data out of facebook.

    The mix of views and theories on the law suggests that the Data Protection Authorities need to do a much better job at enlightening us all on what this law actually does or doesn’t allow.

  38. It seems a remarkable attitude that if I lend you something (my personal data) it is my own silly (European, perhaps) fault to expect that you will abide by the conditions I placed on the loan.

  39. Well people used to laugh about the GPL but the EFF have successfully defended it. The GPL has great success I would suggest private data have the GPL like clauses that mean changes derivatives of the data get returned to owner.

    Thus the data should be protected by an appropriately defined license, including modification/duplication sections similar to GPL.


  40. Micah: Your analogy with regards to a printing company is insane. It has no connection with what is being discussed. The only data that Scoble had access to was data that was EXPLICITLY shared by EACH INDIVIDUAL USER.

    I think everyone needs to be careful with their analogies. Comparing the sharing of data on facebook with sharing of physical books and cars doesn’t work for the same reason that we all think its crazy for record companies to compare downloading MP3s with physical CD theft: If I lend you my car, I can’t physically use my car. If I share my e-mail address with you, I can still share it (and use it) with other people! And if I share my e-mail address with you, I expect that you may import it into your address book, wherever that may reside!

    I think rxmar23 said it best, and no one has yet contested what he/she said (go back up and read it, but I’ll quote what I think is the most salient bit here):
    “If I give someone a business card, I have no idea where that information gets stored (and no, I can’t ask for it to be returned at any point). If that person stores my info in Outlook — they make business card readers, so you don’t have to do it manually, which may be worth its own uproar — then decides to switch to Gmail, they’ll export and import. How does that violate my privacy, by US or EU law?”

  41. All this hullabalu over Scoble scraping some freely available info off of his own facebook account. Astounding! :^/

    And we consider ourselves to be so important that our freely given information to this man is causing all this ruckas? Methinks some of you need to get over yourselves.

    @ the commenter that asked about having to give his/her email address in order to post your comment: Who the hell says that you have to provide an accurate one? YOU freely gave YOUR information by doing so. Don’t go blaming the owner of this post for a feature that’s a default of most all blogs known to mankind!

  42. Scobie keep scraping me, every time I make a comment on your site it get ton’s of hits on mine ! Add me to your blogroll, take my picture, expose the hell out of me ! As you I have good taste !

  43. Part of the problem is that the majority of Scoble’s “friends” added him to their social network without realizing/caring that they were also adding themselves to his. If Scoble is my friend, then I’m his friend. If I’m Scoble’s friend, then he has made the (clearly debatable) decision that it is fair use of your Facebook “business card” to add it to his desired data repository. Most importantly, he assumes responsibility for what [Outlook, Gmail, Plaxo, whatever] will do with his friends’ data – typically NOTHING.

    Any time you give your address to someone – be it on paper, via e-mail, on a WordPress comment, through Facebook/MySpace/LinkedIn – there is an implied contract of fair use: that it won’t be signed up to arbitrary e-mail lists, sold to the highest bidder, given to strangers, etc. Part of this contract has to be the assumption that the data will be kept for future reference – as part of this implicit agreement you are trusting the recipient to keep it safe. If Scoble feels that [Outlook, Gmail, Plaxo, etc] is a safe place to store data given to him by friends and contacts, that’s his prerogative.

    To try another analogy: Suppose a virus infects your computer and e-mails itself to your full Outlook address book. The address was added to Outlook in faith that it would be used for individual purposes. Now that it has been “mined”, have you – as the address book owner – now broken EU law? Suppose instead you had stored your contacts with Plaxo, which protected your data from everyone but yourself. Who cares if the data got into Outlook/Plaxo from manual entry or a Facebook extract – what should be important to your friends is that their data was abused in Outlook and not in Plaxo. In either case, by giving the data to me, your mother, or Scoble, you are leaving it to us to be responsible with the data.

    Ultimately, it’s no more reasonable to expect permission to be stored in [arbitrary online contact/social service] than it is to be stored in Outlook or any other digital address book, assuming that service’s terms of use pass your acquaintance’s expectations for fair use. If your view of fair use might not align with your friends’, then check first and either don’t share the data or make the implied contract more explicit.

  44. “If the EU says there’s a difference, well, then that might explain why so few tech companies start out in the EU.” – Scoble

    Spot on!

    Look, if you don’t want your data used by people you share it with, don’t share it in the first place. Any further argument is illogical.

  45. Should we not redefine ‘friends’ as Scoble uses the word? Is everyone on Scoble’s Facebook profile his ‘friend’?

    Oh, by the way, Scoble has 4658 ‘friends’ on Facebook. With my 95 real friends, I feel like Jack-No-Mates… 😦

  46. Robert, no doubt, had good intentions, but he was breaking the law, both in terms of the Facebook terms and conditions, and for those Europeans lurking in his 5000 “Friends”, a good bit of data protection law too.

    That’s a pretty serious accusation. Which law exactly did he break?

    The EU directive you cited says the directive does NOT apply to the processing of personal data “by a natural person in the course of a purely personal or household activity.” (See Article 3.)

    Scoble doesn’t work for Plaxo, and (as far as we know) wasn’t paid by Plaxo for testing the screen-scraping feature; he didn’t sell or publish the information he scraped, so isn’t the onus on you, O Accuser, to show how it WASN’T a “purely personal or household activity?”

    Maybe you’d be better off trying to prove that Scoble’s not a “natural person.”

    You say in the comments that what Robert did wasn’t “personal processing,” and the only argument you offer in support is to parenthetically add, “(see the Lindqvist case for a really interesting saga).”

    The Lindqvist case concerned a woman who collected personal information about her friends and then published it on the public Internet. (The main problem was that the information could be “transferred” to non-EEA countries.)

    Scoble didn’t make the information he gathered public. The cases have NOTHING to do with each other. You fail at the Internet.

    To top it off, the ruling against Lindqvist was eventually reversed by the European Court of Justice. Apparently if you go up high enough, sometimes even the EU can recognize stupidity?

    Don’t let me stop you from making wild accusations, though! Why worry about your government loses names and bank account numbers for 25 million people when you can accuse Scoble of being a lawbreaker for making a copy of his friends’ email addresses….

  47. Robert says: “My friends gave me permission to use their stuff when they gave me access to their information.”

    Actually, they didn’t. They gave you the right to use their information from a service which has a clear policy of not allowing that data to be exported.

    *That* is the issue here. The situation isn’t the same as if (say) I allowed Robert access to the information I have in Plaxo, where there is a clear consent from me for that data to be exported into other services (Plaxo has always supported two-way sync between web and Outlook, and has introduced sync to other services).

    And that’s why this is a data protection issue, and the whole “openness” debate is a red herring. With Facebook, I have not given consent to anyone to export my data, even those people I’ve friended. Using something like Plaxo or LinkedIn (which allows vCard export), I have.

    Romuald says: “Scraping is just a technical mean. If you have access to someone’s profile, you have access to all the information that is on this profile.”

    Simply because something is technically possible doesn’t make it either moral or legal, and now should it: lots of things are “technical means” while being either illegal or wrong or both.

  48. Hi Thomas,

    I’m part of the Data Portability Group, and I’m working on trying to work out various aspects of the technical solutions. I’m actually in the UK myself. We’d love you to join the group and help with our policy blueprints so we can try to make this a reality for everyone. Drop me a line if you’re interested and I can arrange you being invited into the group.


  49. Perhaps I’m just not understanding the issue entirely, but from reading Robert’s blog, it appears that the only thing he did wrong was utilize a script to grab all the information associated with his FB account “friends,” yes? So, instead of hiring a coder to write the script, or buying a script, he should have paid a data entry clerk to copy, verbatim, all the contact information associated with his FB account friends. Would that be a problem? Is that “exporting” data? And if so, doesn’t that mean that one can’t e-mail any of their FB contacts unless they *already* had that contact’s e-mail address (since it can’t be “exported” from FB)?

  50. Karim discussed much of my initial point vis a vis the law, but I wanted to add a few additional points, and some philosophy:

    1) I agree with Facebook’s position to block Scoble’s access, but not based on some EU data privacy argument. Facebook’s decision was correct for a much simpler reason: he clearly violated their ToS.

    “All content on the Site and available through the Service, including … information, … and their selection and arrangement … are the proprietary property of the Company. … No Site Content may be modified, copied, distributed, framed, reproduced, republished, downloaded, displayed, posted, transmitted, or sold in any form or by any means, … without the Company’s prior written permission, except your own User Content (as defined below) that you legally post on the Site. … [Y]ou are granted a limited license to access and use … and to download or print a copy of any portion of the Site Content to which you have properly gained access solely for your personal, non-commercial use, provided that you keep all copyright or other proprietary notices intact. Except for your own User Content, you may not upload or republish Site Content on any Internet, Intranet or Extranet site or incorporate the information in any other database or compilation, and any other use of the Site Content is strictly prohibited.”


    2) In my opinion, that’s all he’s done. Thomas still hasn’t successfully convinced me that the business card analogy posited above doesn’t apply. Whether Scoble screen scraped, data dumped, or manually copied the files into Plaxo by hand, is irrelevant. And absent evidence (NDA aside!) that he had some sort of financial relationship with Plaxo, I can’t see how him using that particular tool changes things one whit.

    If it was Outlook or Gmail that he ported this information to, would any of the folks upset in this instance be any less so?

    3) Now, I think what’s more interesting in this mess is to consider a few questions.

    a. Does Facebook face potential liability under the EU Data Protection Law pending similar (unchecked) actions by its users ?
    b. Is their concern really with the EU Data bits at all, or are they more annoyed by the concept that the time and energy they’ve invested in developing the site could go away if such behavior were allowed to continue?

    Finally, I’ll agree with the moral “wrong-ness” of the behavior, but I question whether its right for us to hang our moral hopes on the law. The U.S. in particular (which is the only country I can really speak for), has a rather nasty history of tying law and morality together and bringing about nasty consequences (see: the various dark periods banning alcohol, books, sex, and even speech). Scoble _did_ violate the social contract with his “friends,” but I don’t think what he did is, or should be, legally wrong. The moment we start punishing the facts in the case with criminal and/or civil remedies for, what is essentially moral harm sans damage, is in my opinion, the moment we need to become mindreaders.

    After all, a law premised on moral assumption never turns out well.

  51. @Merlin

    You are wrong in thinking I was serious about my concern – for me. First, my statement was pointing out the absurdity of some of the other comments suggesting things such as not being able to take things from paper to email, or taking information that YOU choose to put in Facebook and make public and finally the terms of service.

    You rightly point out that I entered my email address, knowing that I am passing it on. My point was that nowhere on this blog does it say what happens to my email… right? You can assume it gets stored, but then again, maybe it does not? We do not know. There is no EULA or disclaimer telling us.. Right? So point being I am giving it out and not really knowing how the blog owner will use it. In the same way, when I post my email address for ALL Facebook friends to use, I am granting the same sort of access and use as this blog.

    In other words, this blog post is breaking the same law and going against its own arguments as are many of the people trying to make arguments about use of the information.

    Fact is, if YOU CHOOSE to post your email address and make it public, if YOU CHOOSE to make other information public to your “friends” or groups, you are granting use to the PEOPLE you grant access to. Just like I do not know what the email address is used for on this blog entry, I am granting him access to contact me. You grant other Facebook users access to email you or use the information you want. TO EMAIL YOU THEY MUST USE AN EMAIL APPLICATION (web or otherwise) and thus that information is entered somewhere.

  52. @Micah

    Wrong.. I never said a third party has that right, I said that by giving out the business card there is an implied fair use. I am granting you access to the information on the card.

    Your assertion is so wrong that I have to believe you must be kidding. Your assertion would be akin to you calling up Facebook as some person who may or may not know me and get my information. That is clearly not the same as me giving you my information and assuming you will use it.

    To use the defective printing analogy, if I give you my business card, and perhaps have given you several over the years, I have no idea if you have taken the to the printer to get copied so you have them in a form you prefer.. Perhaps you have a sheet printed with them all on a single page. I have no idea… but I did grant you the use of that information. That is in no way the same as never receiving all of my cards, having any of my cards and then tracking down and contacting the printer. Where you can come up with that is beyond me. It makes no sense whatsoever.

  53. Wow, this is a very interesting conversation! I must say that I’m really impressed by the comments from Benb and Karim (“You fail at the Internet” has to be one of the funniest things I’ve ever read!).

    And I can see that this has become a comparison of apples and oranges here. Some of you are protesting Scoble’s methods of information transfer, while others are discussing his rights to that information. It really is quite foolish of anyone to suppose that providing an email address, on Facebook or Myspace or on any other forum for that matter, should _never_ be used but on that particular social application! My question is how? My girlfriend has her email address on Facebook, and while I already have it stored elsewhere, suppose I lost it or deleted it from my account and needed to re-store it in my address book….would I therefore be guilty of breaking some foreign law simply by transporting it (memorizing, writing it down, etc) from her FB page to my email address book?

    Any answer in the affirmative here, should be subject to a mental evaluation. Seriously.

  54. Strange that Thomas refuses to debate any of these valid issues.

    I think its fair to say that Scoble was wrong in breaching the ToS, but to say there is something morally wrong or legally wrong is ridiculous. I have been a facebook member since may of 2004 when i got my .edu email address. When i signed up i did so with the intent of sharing my information with others to make it easier to get/keep in touch. Why would i have a problem with said friends using the information in a way that made it easy to stay in touch with me regardless of how that occured within reason? That is the whole point of using facebook.

    Furthermore, facebook makes it extremely easy to regulate what you share, so it is your responsibily to do so. Its clearly the socialist mindset of the EUians on here that find offense with what Scoble did.

    1. Thanks for the great information and the video. I love the SBA’s &#;8t02Stra2egies for Growth” series, all of the videos have such helpful information for small businesses to succeed and grow. I’ve reposted their videos concerning government contracting for small businesses on my blog

  55. Pingback: Been busy : AccMan
  56. Firstly, thanks to everyone for visiting and commenting.

    #65 I’m not refusing to debate anything, just a little bit of day job to do.

    But anyway, herewith my responses.

    1. The law exists. The right to privacy is written into the universal declaration of human rights, and in the constitutions of most EU countries. The law has evolved over 45 years to help protect what many Europeans hold dear. Ask most Germans about Datenschutz, and they will tell you it is important. A look into European and especially Germany history would tell you why. Think Stasi, and worse.

    Just because something is technically easy doesn’t make it right. see #57

    2. American Privacy Protection is not in good shape. http://blogs.zdnet.com/BTL/?p=7549

    3.Facebook has to obey this Directive with regards to the data about EU citizens. Facebook has signed up to the safe harbor agreement, so it has an obligation under EU Directive and national laws. (As does Plaxo)

    4.The facebook terms and conditions determine the “rules” for facebook data usage. – so Robert’s point at #5 is incorrect. See lawnun at #61, who explains the T&C issues. What you mean by sharing is governed by the T&C, not common sense or what you thought sharing meant.

    also Ian at #57 articulates the issue of permission and purpose excellently. See also the link at #56

    # 22 rxmar23. You (if you are one of the 5000) shared your data with robert via facebook, so facebook’s t&cs govern that sharing. (see #57 again)

    5.Robert was testing an alpha release product for Plaxo. See this link http://www.out-law.com/page-3957
    for the position regarding using live data for testing.

    6. Date of Birth, name and email are personal data, according to the directive.
    (see the definition in the post)

    7. Plaxo has a rather unsavory history of privacy management or lack thereof. See Zoliblog, techcrunch etc. And the comment at #16

    8. The issue that I raised has nothing to do with Business Cards. I’m not discussing here what Robert may or may not do with my business card data. (If any data protection officials are reading this, this would make a good guidance note.)

    I would expect, in absence of T&Cs, the business card exchange would imply consent to use the data in the context of the relationship.If you chat up a person in a bar, and give them you card, in the hope they call you, you may feel aggrieved if they give that data to someone else.

    8. The main area of debate for me would be the definition of private use. Brought up by Nicole at #6

    9.I don’t believe testing a product on behalf a company under NDA is private use, and I would expect that the court would question whether the 5000 people in the database weren’t there for some sort of business related purpose. Robert may have a case to say this is for personal use only, but the very public nature of what he does blurs the lines between private and business use significantly.

    #54 Karim I referenced the ECJ ruling on the Lindqvist case to show that the court has a very narrow definition of domestic use. Volunteer work is not considered personal use, so the issue of whether Robert was paid by Plaxo is not material.

    Karim, I believe you have misread the ECJ judgement, the issue of data transfer isn’t relevant here. The Swedish DP authorities asked the ECJ for clarification, especially on the data transfer issue and status of websites. The Reversal of the Swedish decision was about the status of a website and data transfer, the court confirmed the narrow definition of domestic use. This narrow definition has since been used in a number of other cases

    The discussion of the domestic exception is relevant here.

    9. Karim, indeed the loss of that data (from the UK tax dept)was bad news, but I live in Germany, I did study at a Scottish University though.

    10.#65 Tobias, Facebook only regulates what I share if the users don’t ignore the T&Cs and hack-scrape it.

    Expand the scope of the dataset to include a few more data items and you might feel a little else comfortable.

    And finally, I’d like to believe that I’m not insane #64. I like living in Germany, partly because the legal system here agrees with my beliefs.

    I have a strong academic background in this particular law, having done my LLM on the the UK Act and how it functions or fails to function with regards to e-recruitment.

    I’ve studied it and worked with it in practice quite extensively for the past decade, and I’ve advised many companies how to build good privacy practice into major ERP systems design.

    The law has many problems, especially with the concept of data transfer (This was what the reversal was in Lindqvist.) The law came into existence prior to the rapid growth of the Internet, and is due some significant revision.

    For those interested, I also expanded on the relationship between privacy and portability in this post here.


    This doesn’t mean that I’m right. This post is simply my opinion. I’m not a practicing lawyer, or a Judge.

  57. Hi Thomas,

    Great article and the comments make for fantastic reading. Have spoken to Paul Jones yet about being involved in the data-portability group?

    It is something I have a large interest in and would be keen to take part in/learn more about..

    Let me know,


    Some background:

    I wrote a piece recently which went on to discuss privacy etc in the comments which can be found here:


  58. Hi Thomas,
    Well done!
    I think that you clearly explained the issue and there are many that through the different examples (business cards, cars or whatever) show that they are not understanding the central point, that is that under EU legislation the data does not belong to Robert but to his Facebook friends, and that the access they have given him comes attached with a set of conditions: the “purpose” of contacting them through Facebook and all the other conditions included in the FB Terms of Service. Following the not-very-suited example of the business card, it is incorrect to equate the scrapping from FB to scanning and putting the business cards into a computer (they were already in a computer); the correct analogy would be to copy all your cards into somebody else’s computer (Plaxo would have access to the same data that Robert would).
    I think that in US law is even simpler, because it is very likely that the data would be found to belong to Facebook anyway…
    So, when you all decide to join data portability groups, make sure that you are “porting” your own data…

  59. Pingback: A Fool's Wisdom
  60. It seems there’s pretty much a blanket exception for personal use, which this clearly was (nobody has shown any business involvement: how RS came to have a copy of the software in question is irrelevant: Plaxo weren’t getting the data, he was).

    That leaves Facebook’s T&Cs, which do technically prohibit ‘incorporating into a database’. Of course, a literal reading of that would also prohibit me clicking on any e-mail address in Facebook, since that results in the address being stored and processed by my e-mail client! Worse still, technically this also prohibits me from visiting Facebook at all, since doing so results in the pages I view being indexed by Google Desktop, which uses the dreaded ‘database’ of which certain legislators and Facebook’s lawyers seem to have a bizarre phobia…

    He is specifically permitted to ‘display’ and ‘download’ the information; the only real question, then, is whether or not Facebook’s prohibition on ‘databases’ should be taken literally – thus prohibiting many of us (indeed, literally all of us if you regard a filesystem to fall under the heading of a database!) from visiting their site in the first place – or more reasonably, acknowledging the reality that we provide each other with contact information for, essentially, precisely the thought-crime of which Scoble is being accused: putting the e-mail addresses into whatever software we use for e-mail and other communications!

  61. Freedom of speech should be there in every country to promote the countries reputation. The fundamental rights are hampering the individual thoughts so, in my view speech privacy system should be included in the fundamental rights.

  62. After looking into a number of the articles on your blog,
    I honestly like your way of blogging. I saved as
    a favorite it to my bookmark site list and will be checking back soon.
    Please check out my web site too and let me know how you

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: