In Monty Python’s “The Meaning of Life,” John Cleese and Eric Idle show up at Terry Gilliam’s house to remove his liver as part of an organ donation program.
When Gilliam objects, noting “I’m still using it,” the interlopers pull out his liver donation card, which permits the extraction. When Gilliam protests that the card notes that the organ is to be donated “in the event of death,” Cleese notes that “nobody who has had their liver removed by us has ever survived long…”
In other words, read the fine print. Nowhere is this truer than in Facebook’s new privacy policy on its stand-alone Messenger Service.
Terms of Service, Terms of Use, Privacy Policies and End User License Agreements have always been what the law calls “contracts of adhesion” or “take it or leave it” contracts, where one party has no ability to negotiate the contract terms.
That’s not all that unusual. If you buy a ticket (actually a license) to a Yankee game, the fine print on the back limits the Yankees’ liability if a baseball, a bat, or an usher hits you.
Your rental car agreement allows the car company to track your movements, and if you violate your agreement (say, by driving the car into Mexico without permission) they can (and do) tack on a hefty fee of hundreds of dollars. Like the liver donor, it’s generally tough luck – you agreed to it.
The law will enforce terms in contracts of adhesion unless they are “unconscionable,” which means different things to different judges. To some, terms that are unfair and unreasonable make the list.
To others, if you didn’t want your pumping liver ripped from your body with a pair of bolt cutters, well, you shouldn’t have agreed to whatever product or service you clicked on.
Which brings us to Facebook Messenger’s new terms of service.
This stand-alone app for Android and iPhone allows Facebook members to chat with each other. There are certain terms and conditions you might expect in a messenger app contract – you know, like they don’t guarantee that your messages will get through (it isn’t 411 after all) and they are not responsible if the person you are chatting with turns out to be the Boston Strangler.
You might also expect disclaimers of warranties, choice of law, blah blah blah.
Expect the unexpected.
When you download the messaging app, you are giving Facebook the right to just about everything. In fact, here are just a few of the things you are agreeing to:
· Allows the app to change the state of network connectivity [that is, they can disconnect you, reconnect you, slow you down, speed you up, or keep you offline permanently. They can move you from one provider to another, force you to incur roaming fees, or do whatever constitutes changing the state of network connectivity.]
· Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Malicious apps may cost you money by making calls without your confirmation. [Note, they can also reach agreements with the phone company to get a kickback for these calls. Doesn’t say to whom they may call. Maybe the NSA? It’s one thing if you ASK to be connected to a Facebook friend and the app connects you via cell phone. But that’s “without your intervention.” So clearly Facebook plans something else here. Not sure what.]
· Allows the app to send SMS messages. This may result in unexpected charges. Malicious apps may cost you money by sending messages without your confirmation. [OK, so what’s NOT malicious? The app will send SMS messages to whom? Saying what? For what purpose? And why would Facebook want to install and not block malicious apps?]
· Allows the app to record audio with a microphone. This permission allows the app to record audio at any time without your confirmation. [Um, way creepy. And not sure that this constitutes “consent” to monitor under the various wiretap statutes. Is “without your confirmation” the same as “without your knowledge or consent?” What exactly does the app do, and why?]
· Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation. [Again, is “without your confirmation” the same as “without your consent?” If what Facebook is saying is that when you click on a video call, it opens the webcam, that’s cool. If it is saying that by downloading the app we can watch you sleep, not as cool.]
· Allows the app to read your phone’s call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge. [What the heck???]
· Allows the app to read data about your contacts stored on your phone, including the frequency with which you’ve called, emailed, or communicated in other ways with specific individuals. [See above]
· Allows the app to read personal profile information stored on your device, such as your name and contact information. This means the app can identify you and may send your profile information to others. [Um, to whom? Why? For what purpose? With what limitations?]
· Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call. [Why??]
· Allows the app to get a list of accounts known by the phone. This may include any accounts created by applications you have installed. [Bank accounts? Online dating sites?]
Let me start by saying that this is NOT a privacy policy. A privacy policy is designed to tell customers what data is being collected, WHY it is being collected, HOW it is going to be used, BY WHOM it is going to be used, WITH WHOM it is going to be shared, for what purposes it is being shared, HOW it will be secured, and when it will be deleted or removed.
This is none of that. This is a policy that says, if you download (not even use) this app, we own everything on your phone. And everything connected to it. That’s not a privacy policy. It’s extortion.
What’s worse, some of this data is protected under the law. My medical records are protected under HIPAA if they are in the hands of a “covered entity” or that entity’s “business associate.”
But by downloading the app, I am providing Facebook access to my Blue Cross/Blue Shield account in a way that does not make them covered by HIPAA. So they can collect and sell my medical and insurance records at will. Same with my phone records. In the hands of the phone company, they are protected under the Telecommunications Act. Not so for Facebook. Banking records are protected in the hands of the bank under GLBA. If Facebook can access them under the app (which the terms suggest they can) GLBA doesn’t apply. The records can be bought and sold!
And what’s with all this discussion of malicious apps and code? I am not authorizing any malicious apps or code. Is Facebook telling me that they will install malicious apps? That installing their app makes me more prone to malicious apps? That someone can piggyback their app and get into my stuff?
Good contracts – even contracts of adhesion – should at least be capable of being understood by the parties. They don’t have to be fair, but they can’t be unconscionable. I don’t think this one passes that test. Oops... gotta run, there’s someone at the door about my organ donor card.