William Carleton, Counselor @ Law

I've been exchanging DMs with some of my lawyer friends on Twitter, musing over the question: might Twitter's community of independent developers have any legal recourse when Twitter unilaterally changes rules, rules on which many developers have built services?

Some of these services, built on top of Twitter, are businesses in their own right.

The informal lawyer colloquy gets to the same place that the development community arrived at last month: *don't* build a business predicated on Twitter's API terms staying the same. I can recall Fred Willson blogging warnings to the same effect months ago, years perhaps. :/

But let's go ahead and let the air out of the balloon by talking just a bit about the legal theory that might have been the most promising. It is a kind of breach-of-contract theory, though it might be fairer to characterize the theory as something the common law has imposed over the years when contract law fails, or when there isn't actually a contract or contractual language to support the claims of someone that we intuitively feel has been wronged.

Suffice it to say: you don't always have to have a written contract in order to obtain legal relief for something that feels like breach of contract.

If I tell you, "bring your produce to my fair, it's important that your goods are there, I will advertise the fact and sell tickets based on you being there, and you can use the refrigerated warehouse to store things," you might rent a truck, haul your produce across the mountains, and bear the risk that you might not sell enough nectarines to make the venture profitable.

What you won't expect, however, is for the fair proprietor to lock the gate as you pull up, and, as you roll down your window, hand you a flyer which reads: "we've decided to focus on funnel cakes, scones and deep fried candy bars at the fair this year; independent produce no longer welcome."

Final, critical piece of this hypothetical: you don't have a written contract.

As you drive back over the mountains, temperatures soaring, fruit getting overripe in the container, do you have any legal recourse?

I think you probably do! You relied on the fair proprietor's promises to your detriment. It is reasonable to think the fair promoter would have expected you to rely on those promises, and to act on them, and to spend money to get your fruit to the fair.

Change the hypothetical in this respect: the promoter is indeed permitting fruit to be sold at the fair, but, at the last minute, he accepts sponsorship dollars from a big grocery chain that demands that only its processed, dried fruits, and a smattering of poor quality fruit flown in from out of state, be sold at the fair. There is some small controversy from a consumer advocacy group that objects to the fair advertising that promises "local organic produce."

I think your chances of getting, as damages, the full expectancy of whatever profits you would have made, had the promoter kept his promise, now go way up. (Though you still have the issue of how to measure those profits, and you may still have some duty to find a supermarket or distributor on the way home to whom you can unload your fruit, to mitigate your damages.)

The situation for Twitter's independent developers both is and is not like the above hypothetical.

It is *like* the hypothetical, insofar as Twitter encouraged independent developers to build on its platform. What I just said is an assertion of fact, which, in court, may entail marshaling evidence. But Twitter would make this process easier by the following statement in its Developer Rules of the Road:

"We want to empower our ecosystem partners to build valuable businesses around the information flowing through Twitter."

That's like the fair promoter saying, "come on over and sell your nectarines!"

But the situation for Twitter's independent developers is *not like* the above hypothetical in a most critical respect. Twitter's rules also clearly say:

"Twitter may update or modify the Twitter API, Rules, and other terms and conditions, including the Display Guidelines, from time to time its sole discretion by posting the changes on this site or by otherwise notifying you (such notice may be via email). You acknowledge that these updates and modifications may adversely affect how your Service accesses or communicates with the Twitter API. If any change is unacceptable to you, your only recourse is to terminate this agreement by ceasing all use of the Twitter API and Twitter Content. Your continued access or use of the Twitter API or any Twitter Content will constitute binding acceptance of the change."

That muddies up the reasonableness of your reliance. That shifts the focus to you, the reasonableness of your persistence, the path you took in the face of an unequivocal warning.

It's as if the fair promoter had said, "Yeah, we do have a community group that wants fresh fruit at the fair. Tell you what, head over, I'll see what I can do to make space. But look, no promises. I have a deal with a big food distributor and they may not want you there. We'll see if we can slip you in the back unnoticed, at least for the first few days."

Photo by Karen / Flickr.

Twitter has recently revised its terms of service and privacy policy again.

I haven't had the time to prepare thorough redlines to surface all of the changes, but I did make a quick peek comparison of a section of Twitter's privacy policy, titled, "Information Sharing and Disclosure." Here's that comparison, 17 May 2012 laid over 23 June 2011:

Twitter's growing up. I like how they are ditching some of the earlier, gratuitous euphemisms (a/k/a, the earnest bullshit) that marks a young company speaking to its self-perception rather than describing reality. The example of that evolution at work here is in how "certain trusted parties" is struck in favor of the matter-of-fact "service providers." It adds credibility.

Not only do changes like that add credibility; they foreground all the more effectively the more surprising changes that mark affirmative decisions to stand by users against the Man. To whit:

"[N]othing in this Privacy Policy is intended to limit any legal defenses or objections that you may have to a third party’s, including a government’s, request to disclose your information."

That sentence is new, it's substantive, it's not expressed in a self-aggrandizing way, and it's meaningful. Twitter is talking after walking, too; I imagine this particular change expresses a policy the company worked out in the course of opposing the New York judge in the recent standing case that Ziff and I blogged about.

Is this (the U.S.) a great country or what? In Europe or elsewhere, I can't help but imagine, a regulator would be involved, and companies wouldn't naturally assume they had the right to change the rules.

High stakes reading of Twitter's terms of service in the New York court proceeding that has been getting a ton of attention.

I haven't followed all of the issues and arguments presented, but a key procedural point appears to turn on just how much control a Twitter user has over her tweets.

The procedural point is whether the Twitter user, whose tweets are at issue, has "standing" to intervene in New York State's efforts to get copies of his #OWS (and possibly other) tweets directly from Twitter.

"Standing" is a legal doctrine that has to do with who may and may not show up and have a voice either in a particular lawsuit or in a discrete legal proceeding. To make up a very rough example, suppose John and Sally from Atlanta file for divorce in a Georgia court. The Pope in Rome hears about this. Believing in the sanctity of marriage, the Pope flies to Georgia, attempts to file a motion with the court to deny the divorce, and while he's at it asks the court to subpoena the local office of Planned Parenthood to obtain records of birth control dispensed to John and Sally. Because the Pope's interest in John and Sally's personal lives is so attenuated, he lacks "standing." Consequently, the court needn't pay any attention at all to the Pope in the matter.

While, in the hypothetical above, it is clear that an interloper should not be able to slow the wheels of legal process down, sometimes rulings about "standing" are counter-intuitive. "Standing" rulings can seem downright crazy when persons with obvious interests at stake are told the doors to the court are closed.

The New York proceeding gives us a "standing" ruling in the latter category. How could a Tweeter not have standing in a case that was all about access to his own tweets?

Well, in addressing that question, the judge in the case cited Twitter's terms of service, which give Twitter very broad rights to use every tweet posted to Twitter. "Every single time the defendant used Twitter’s services," the judge wrote, "the defendant was granting a license for Twitter to use, display and distribute the defendant’s Tweets to anyone and for any purpose it may have."

The judge continued, "Twitter’s license to use the defendant’s Tweets means that the Tweets the defendant posted were not his. The defendant’s inability to preclude Twitter’s use of his Tweets demonstrates a lack of proprietary interests in his Tweets." Ergo, no standing for the defendant to challenge New York State's attempts to obtain the defendant's tweets directly from Twitter.

Why I find this so interesting is that, in response, Twitter takes a fairly unequivocal and highly public position about ownership and control of user generated content.

Here's part of what Twitter says to the court (citations omitted):

"Twitter’s Terms of Service make absolutely clear that its users own their content. The Terms of Service expressly state: 'You retain your rights to any Content you submit, post or display on or through the Services.' See Terms of Service (available at http://twitter.com/tos). Twitter users neither transfer nor lose their proprietary interest in their content by granting a license to Twitter to provide the services. Moreover, unlike bank records, the content that Twitter users create and submit to Twitter are clearly a form of electronic communication that, accordingly, implicates First Amendment protections . . . ."

Now, as a Twitter user, I have to say, I like that argument and the use of the word "proprietary."

To me, it suggests that Twitter will have to check with you before it starts using your tweets and your likeness in the way Facebook exploits user posts and personal attributes to promote branded products. The argument Twitter is making to the New York court suggests that, broad though Twitter's public publication right may be, you as a Twitter user can pull back, take ownership of, assert control over, even limit, what Twitter may do with your tweets.

Photo: "stand your ground" by akshay moon / Flickr.

One of the pleasures of redlining is that you can map a tour of changes made in a landscape of text.

I haven't yet had a chance to read Google's overhauled privacy policy. The changes look to be so substantial, it may be difficult for a redline to throw discrete instances of wordsmithing into relief.

That said, here is a small section of the anticipated Google privacy policy, marked against the version to be replaced. This passage, at least, does yield the experience only a redline will afford.

I don't have time this morning to fully narrate a tour. I'll just call out three highlights:

• The implication that Google's security efforts will meet a certain industry or societal standard ("appropriate") is elided if not entirely replaced with the promise that Google will "work hard."
•  Google itself is added as a beneficiary of its security efforts.
• "Google employees, contractors and agents" go from working on Google's "behalf," to working "for" Google. This I think introduces the possibility of agency, or a degree of it, for which Google itself may not be responsible.

Ever wish you could negotiate terms of service with your favorite social media services?

The government actually does this. What's more, the likes of Facebook, LinkedIn, YouTube, Foursquare, and Tumblr make concessions.

From the model agreement that the GSA asks would-be government vendors to consult, here are some interesting provisions:

"Advertisements: Company agrees not to serve or display any commercial advertisements or solicitations in the publicly available portion of the Site displaying content uploaded by or under the control of the Agency. This exclusion shall not extend to house ads, which Company may place in a non-intrusive manner."

"Changes to standard TOS: Language in the TOS reserving to Company the right to change the TOS without notice at any time is hereby amended to grant You at least three days adv ance notice of any material change to the TOS. Company shall send this notice to the email address You designate at the time You sign up for service, and You shall notify Company of any change in the notification email address during the life of the Amendment."

"Access and use:  Company acknowledges that the Agency's use of Company's Site and Services may energize significant citizen engagement and otherwise become important to the Agency 's mission. Language in the TOS allowing Company to terminate service or close the Agency's account at any time, for any reason, is modified to reflect the Parties' agreement that Company may unilaterally terminate service and/or terminate Agency's account only for breach of Agency’s obligations under the TOS or Agency's material failure to comply with the instructions and guidelines posted on the Site, or if Company ceases to operate its Site or Services generally. Company will provide Agency with a reasonable opportunity to cure any breach or failure on Agency's part."

"Limitation of liability:  The Parties agree that nothing in the Limitation of Liability clause or elsewhere in the TOS in any way grants Company a waiver from, release of, or limitation of liability pertaining to, any past, current or future violation of federal law."

Makes you think!

Flickr photo by king of monks. I don't know the artist or the location of the works pictured.

There's another approach to privacy policies and terms of service for social media and web services. One that essentially addresses the high cost of reading TOS.

This approach let's you off the hook for ignoring TOS altogether. 

It's called, "government regulation."

Rather than give primacy to freedom of contract, the prescriptive, regulatory model says to the company: cross a certain line, and your service term or privacy policy won't be enforceable against the user. Or worse.

Charles Stross blogged a rant recently about Klout, and it's worth reading to get a sense of how different his underlying assumptions are. Stross brings a British and European perspective to web service TOS:

"Klout operates under American privacy law, or rather, the lack of it. If you created a Klout account in the past, you were unable to delete it short of sending legal letters (until November 1st, when they kindly added an 'opt out' mechanism). More to the point, Klout analyse your social graph and create accounts for all your contacts without asking them for prior consent. It also appears to use an unwitting user's Twitter or FB credentials to post updates on their Klout scores, prompting the curious-but-ignorant to click on a link to Klout, whereupon they will be offered a chance to log in with their Facebook or Twitter credentials. So it spreads like herpes and it's just as hard to get rid of. . . .

"Here in the civilized world we have a fundamental right to privacy. Klout, by its viral nature (and particularly by tracking people without their prior consent) is engaging in flat-out illegal practices."

Stross's post, and the robust community he attracts in his comment thread, go on to inventory various UK and EU laws and policies that put rules in place that American companies simply don't have to follow when dealing with American users.

A client of my law firm just sent a link to a slide deck prepared by a European firm, Osborne Clarke, that gives an overview of what will and won't work within TOS directed at European users. The deck makes the following point: in Europe, "each clause of a EULA/ToS could be subjected to a test of reasonableness (meaning you can't just say whatever you want)."

One example in the slide deck (pictured) stood out for me. It has to do with a TOS term that purports to say that the user has agreed to not participate in a class action lawsuit against the web service. The Osborne Clarke deck says, no: you can't enforce that under UK law.

The reason this example stood out for me was that I have only recently read a similar clause, in the terms of service for the Kindle Fire service: "You and Amazon each agree that any dispute resolution proceedings will be conducted only on an individual basis and not in a class, consolidated or representative action."

Enforceable in the US? That might be a win for freedom of contract over paternalistic government regulation. And it may also take us right back to the conundrum of having to read every word of every TOS and privacy policy!

Yesterday's post ended asking you to contemplate actually reading the privacy policies and terms of service that govern use of your favorite social media sites and web services.

It would have been economically rational of you to say, "no."

I say that based on the finding of a study, "The Cost of Reading Privacy Policies," by Aleecia M. McDonald and Lorrie Faith Cranor:

"We estimate that reading privacy policies carries costs in time of approximately 201 hours a year, worth about $3,534 annually per American Internet user. Nationally, if Americans were to read online privacy policies word-for-word, we estimate the value of time lost as about $781 billion annually."

Christopher Soghoian links to this study in his post and it does indeed support his points that no one reads privacy policies and no one should be expected to.

Privacy policies and TOS may be a waste of otherwise monetizable time, but the study is worth your investment (worth reading); you can quickly glean the basis on which the authors estimate how much time it takes to read an average privacy policy, and how to value both the time at work and time at home that would be spent.

The part I like best about the study is the suggestion that online advertising as a business model is not worth it.

"We present a range of values, and found the national opportunity cost for just the time to read policies is on the order of $781 billion. Additional time for comparing policies between multiple sites in order to make informed decisions about privacy brings the social cost well above the market for online advertising. Given that web users also have some value for their privacy on top of the time it takes to read policies, this suggests that under the current self-regulation framework [where users are charged with responsibility for reading and understanding the rules], targeted online advertising may have negative social utility."

Emphasis added.

Next in this series: Brits who think Americans are crazy to make privacy a matter of contract law.