
Impending Legal Precedent for GPL Licensing?

If you pay attention to the WordPress world, you might be aware that a landmark lawsuit is likely to be filed. I say landmark expecting that both sides will litigate and not settle – something that is desperately needed in the United States to validate and uphold the scope of the GPL license.

WordPress is free software licensed under GPLv2 – a license that was created in 1991 to protect the ability of developers and users to gain access to software, create derivative works and distribute the copyrighted code in its entirety under the same protective license.

One of the tenets of the GPL that is argued prolifically is that derivative works are works that “link” into other works via APIs and dependencies (such as library dependencies). According to the argument, software that is considered a derivative work must retain the same licensing as the GPL’d work that it links into.

There are many legal (and non-legal) minds who would like to interpret this license in a variety of ways. There have been notable legal cases around the GPL in the United States, but all (to the best of my knowledge) have settled prior to litigation. One of these cases, Progress Software v MySQL AB, revolved around a product called Nusphere that was bundled with MySQL but was proprietary and incompatible with the GPL. The judge refused to grant summary judgement and eventually MySQL simply did not bundle the proprietary software.

Another case avoided judicial decision – and thus avoided judicial precedent. That case, Free Software Foundation v. Cisco, was settled out of court with a donation from Cisco and a pledge of commitment to the GPL.

Today, a major incident happened that has been brewing for years now. Due to an unfortunate incident which involved source code for the popular Thesis theme for WordPress (from DIYThemes) becoming compromised by a hacker, tempers started boiling over. Matt Mullenweg, founder of WordPress and the public face of Automattic, the largest company behind the WordPress project, ended up on a live interview alongside Chris Pearson of DIYThemes.

Matt suggests (I think accurately) that a theme that is provided for WordPress (it does not work without WordPress) is a derivative work and requires GPL compatibility. He also suggests (accurately, I think) that GPL compliance would only enhance DIYThemes’ business as evidenced by countless other proprietary software providers who have gone open source.

Not to mention that a license does insinuate adherence to legal requirements provided by the license. If you don’t agree to the terms of the license, you’re not permitted to use the software. Makes sense.

Chris’ defense is that Thesis is completely independent of WordPress (which I question the rationality of since the software cannot exist absent of WordPress). He believes he has a business and economic right to maintain a license that is at odds with WordPress’ GPL license.

So my editorial question is… compliance with the WordPress GPL license is optional but compliance with the Thesis license is not? Hmmm.

Matt, in so many words, has already indicated that there will be a lawsuit that comes out of this. This could be landmark as, if the suit were not settled, it could define the parameters of open source software creation, usage and distribution reaching into every aspect of our life. Who uses Firefox? Yeah… depending on the outcome, that could be affected.

In a perfect world, the two sides reach an amicable solution. Thesis is popular, but it is not the only game in town. However, the second best solution is a legal precedent governing GPL software.

So we stand by and wait.

Image by Joe Gratz

It's February 16. Do You Know Where Your Facebook Photos are?

On February 4th, the largest social network by all accounts, Facebook, quietly updated its terms of service to grant itself an unending and irrevocable license to use all content ever uploaded to its service.

This is fundamentally not all that out of sorts from what most services do when licensing user content, but their lawyers are clearly a few cards short of a full deck of 52. Consumerist says it best:

Want to close your account? Good for you, but Facebook still has the right to do whatever it wants with your old content. They can even sublicense it if they want.

I’ve begun advising people, clients and otherwise, not to upload any content to Facebook except links. Links merely point to the actual content. Most blogs and content sites these days provide a “Share with Facebook” tool that will allow readers (or yourself) to submit content to Facebook. The sticky point is that you are not actually uploading the photo or the video to Facebook itself. Merely an excerpt and thumbnail.

If you run a blog and you use Facebook, drop everything you’re doing and go over to AddThis, sign up to use their free widget and install it. We have it here and it’s a great enabler for readers that allows readers to share with more than just Facebook. Try it on this post.

Unfortunately, there’s no retroactive immunity. Like Congress with the Patriot Act and Stimulus Bill, this thing slid through in the dead of night without so much as a peep and you’re expected to swallow the pill and be happy with it. Facebook never offered you a chance to decline the new TOS, nor did they offer to grandfather content previously uploaded. So feel free to delete stuff you never meant to give away for any constructive or nefarious purpose out there – it’s gone.

I would caution against simply abstaining from Facebook, however. It is the world’s largest social network for a reason and avoiding it will mean a significant cost to your company, brand, etc. However, be wise in how you actually share that content.
— Photo by Pshab

Update: Facebook CEO Mark Zuckerberg clarifies.

One of the questions about our new terms of use is whether Facebook can use this information forever. When a person shares something like a message with a friend, two copies of that information are created—one in the person’s sent messages box and the other in their friend’s inbox. Even if the person deactivates their account, their friend still has a copy of that message. We think this is the right way for Facebook to work, and it is consistent with how other services like email work. One of the reasons we updated our terms was to make this more clear

-snip-

We still have work to do to communicate more clearly about these issues, and our terms are one example of this. Our philosophy that people own their information and control who they share it with has remained constant. A lot of the language in our terms is overly formal and protective of the rights we need to provide this service to you. Over time we will continue to clarify our positions and make the terms simpler.

Whoops. Facebook fumbles again.

Companies Using Beacon Will Undoubtedly be Sued

Privacy policies. They are the walls of separation that protect users from the over-indulging nature of companies and provide strict legal protections for both the user and the company. Privacy policies are generally penned by lawyers who like writing obscure documents that do these things.

Facebook Beacon, as we talked about, is a major privacy violator. Facebook’s official policy on this states that:

When you send an action to Facebook, the user is immediately alerted of the story you wish to publish and will be alerted again when they sign into Facebook. The user can choose to opt out of the story in either instance, but the user doesn’t need to take any action for the story to be published on Facebook.

Putting aside the obvious problems surrounding Facebook’s opt-in/opt-out policy, the real problem lies in the fact that partner companies are sending data to Facebook without permission in the first place. Undoubtedly, it is a violation of their own privacy policies. This begs the question: will some big-shot lawyer come along and file a class action lawsuit on behalf of the 50M+ Facebook users who have fallen victim to this conspiratorial betrayal of their trust and privacy?

Let’s explore some privacy policies to see what these companies are allowed to do as it pertains to third parties and user data.

Hotwire has a policy that allows for third party release of info for specific purposes but stipulates that the firms cannot share the data with other organizations:

Hotwire will also share your information with business firms contracted to provide specific services to us, in a manner consistent with this Privacy Policy. For instance, if Hotwire were to hold a sweepstakes offer on our Site, we may choose to hire a Sweepstakes Administration firm to handle the legal requirements surrounding entrant and winner selection and validation. We also share complete booking data for registered coolExtras members with Affinion Group, a loyalty marketing firm that administers coolExtras rebates. In situations such as this where your data is shared with a third-party firm, these firms are contractually obligated to only use your personal data for the purpose for which the relationship exists. These firms do not have the right to share your data with other organizations or contact you outside the bounds of their contract with us.

GameFly expressly forbids itself from transferring personally identifying data to anyone except in the case of a merger or acquisition or in the case of subpoena or cooperating with law enforcement:

Disclosure and/or Transfer of Personal Information

We may disclose any and/or all personal information about you in the good faith belief that we are required to do so by law, including but not limited to requests pursuant to subpoena or court order, and/or disclosure to local, state, or federal law enforcement, or other government officials pursuant to investigations they are conducting. In addition, in the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, GameFly’s customer information may be transferred to our successor or assign.

Aggregate Information

We may provide our prospective partners, advertisers, and other third parties with aggregate data about members and visitors to the GameFly Website. However, such data is anonymous, and we do not disclose personally identifying information about specific users.

eBay has not introduced Beacon yet, but appears to be angling to do so and also protect itself and its users, something I applaud. Furthermore, their privacy policy explicitly allows for such sharing of information.

Web beacons

A web beacon is an electronic image placed in the web page code that can serve many of the same purposes as cookies. Web beacons are used to track the traffic patterns of users from one page to another in order to maximize web traffic flow.

How eBay protects your privacy with third parties

eBay may work with other companies who place cookies or web beacons on our websites. These companies help operate our websites and provide you with additional products and services. They are subject to confidentiality agreements with eBay and other legal restrictions. eBay does not permit any of these companies to collect personal information using cookies or web beacons on our websites.

While eBay may be angling to protect itself, Overstock.com has no excuse considering purchases are explicitly banned from being disclosed to third parties not involved in closing the transaction (e.g. credit card companies):

We may collect information actively generated by the purchase of a product or service, such as a payment method. We use this information to process your order and analyze and support your use of the Overstock.com web site. This information may be disclosed only to our staff and to third parties involved in the completion of your transaction, the delivery of your order or the analysis and support of your use of the Overstock.com web site.

Blockbuster is over the top with their privacy policy readily admitting to sharing personally identifiable information:

Blockbuster, its affiliates and franchisees (if permitted by Blockbuster) on occasion may disclose to their business partners certain data, such as names and addresses and the genre of products rented or purchased by Users or Members, so that the business partner may send their own direct marketing communications to Users and Members. Blockbuster will not provide User or Member e-mail addresses to business partners, unless the User or Member has provided express permission to Blockbuster. If you would prefer that Blockbuster not use disclose your personal information to its business partners for direct marketing purposes, subject to legal, or contractual restrictions and legal notice you may opt out of such uses and/or disclosures by (a) checking the appropriate “Opt Out” box in any applicable e-mail communication or e-newsletter, (b) sending an e-mail to blockbuster@custhelp.com (c) writing to us at 1201 Elm Street, ATTN: Online Customer Loyalty, Dallas, TX 75270 or (d) visiting your local BLOCKBUSTER store.

So the problem here is not only Facebook. Facebook pledges to protect these companies’ users’ privacy. My question is… why is Facebook doing the job these companies should be doing in accordance with their own privacy policies? I will go out on a limb right now and say for the record that I will gladly sign on to any class-action lawsuit on behalf of Facebook’s 50M+ users who have had their privacy violated on account of this program. Companies like Coca-Cola have wisely decided not to get involved. Others have foolishly determined that they will stay involved.

I guess we’ll let the dust settle on this.