More Questions For Facebook: And Why “It’s Legal” May Not Be Enough Anymore
Sen. Jay Rockefeller (D. WV), current Chairman of the Senate Commerce Committee, has sent a note to Mark Zuckerberg. It was not, as you might imagine, a friend request, or a request to play Mob Wars. Instead, Sen. Rockefeller had a few questions for the reluctant star of The Social Network regarding Facebook’s privacy enforcement efforts. As you might guess, this missive was spurred on by the recent Wall Street Journal exposé on the widespread sharing of data by Facebook Apps. In part, Sen. Rockefeller’s note included the following:
The Journal’s report raises serious questions about Facebook’s commitment and ability to enforce its own explicit privacy policies on behalf of consumers. One quoted Facebook official asserts that, “[o]ur technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information.” However, given the scope of the reported privacy breach and the fact that Facebook’s most popular apps are not abiding by your company’s rules, this assertion appears to be strained. Consequently, I request that you provide answers – with specificity – to the following questions:
1) How does Facebook enforce its Privacy Policy relating to affiliated application operators and websites? What logistical protocols are in place to promote maximum compliance? What resources, including the number of personnel, does Facebook dedicate to monitoring and enforcing application operators’ compliance with its Privacy Policy?
2) What penalties does Facebook impose on application operators and websites that violate the company’s Privacy Policy? Are offending application operators allowed to continue to do business with Facebook?
3) Does Facebook take steps to retrieve information from application operators found in violation of the company’s Privacy Policy?
4) The Journal article quotes a Facebook official that asserts the company has “taken steps… to significantly limit RapLeaf’s ability to use any Facebook-related data.” What exactly does this mean?
5) According to the Journal article, there appears to be a pattern of privacy infractions involving Facebook applications. Specifically, what other past problems has Facebook encountered with regard to applications, and what steps did Facebook take to rectify them? Are these applications still available on Facebook’s platform?
6) To the extent that personal data has been shared in violation of Facebook’s Privacy Policy, what steps has Facebook taken to notify individual users as to the specific information that has been mishandled, and who has had access to that information?
Now, here at Legally Social we are on record as being somewhat nonplussed by the “scandal,” but these are legitimate questions. More critically, they underline an important fact about the world of social media and privacy: what you are obligated to do under the law at any given moment may have very little relevance as to whether you get into trouble.
Let’s repeat that, because it is a dramatic change: just because something is “legal” in the world of social media doesn’t mean that it won’t still be a problem. Because technology is evolving so quickly, and the law has not even remotely caught up (heck, there are legitimate arguments that copyright law hasn’t really ever caught up to the invention of the computer) there is a significant gap between the expectations of consumers and legislators and the laws and regulations as actually written. When the gap between expectations and “reality” is big enough, there is a tendency for regulators and legislators to simply look for creative ways to fit square pegs into round holes — to find some way to punish “wrongdoers” regardless of whether or not the law actually was meant to address the issue at hand.
We appear to be approaching such a moment right now, and it is thus a precarious time. Rather than merely address the simple question of “what is legal,” lawyers and social media entrepreneurs need to consider other possibilities, including questions of “what is going to get me hauled in front of a congressional committee,” and “what is going to put me in a political advertisement in the Attorney General’s race in some random state.” This does not mean that social media needs to be more conservative; rather, it means that social media needs to be more creative about disclosure, consent and enforcement. In the end, being questioned by Congress is not a big deal, so long as you have compelling answers to provide. Right now, that’s the key takeaway from Facebook’s growing pains, and the meteoric rise of Web 2.0.
When Worlds Collide: Mixing Friends and Business
In the famous Seinfeld episode The Pool Guy, George Costanza panics when confronted with the prospect of one group of friends meeting his girlfriend, Susan. He has successfully kept his relationships in independent silos, you see, and he has no idea how (or whether) they will mix together. Hilarity, of course, ensues — his “worlds collide!” as he so aptly puts it — but in your own life, hilarity may not exactly be the result when different aspects of your life are suddenly placed in uncomfortable proximity with each other.
With the rise of social media, each one of us has a choice: either engage in strict social media hygiene (using one social media platform for friends, another for business) or be prepared for work colleagues to know everything about your penchant for extreme knitting and Powerman 5000.
This is not necessarily a good or a bad thing — and whether it is a positive or a negative in your own life may depend on a whole host of factors, including the type of job you have, the age of your friends and colleagues, and the type of extracurricular activities you engage in. It is striking how — when speaking with young professionals in their early 20s — they cannot even imagine a world where work and social existence are separate. They’ve never been adults in a world where you didn’t know what your friends and colleagues were up to. The sheer quantity of texting, messaging, status updates and tweets in their lives is daunting, and they see no reason to place artificial limits on it. Conversely, older professionals (even those who are tech savvy and quite comfortable with social media) are appalled at the notion that these worlds may ever overlap.
This generational difference in the ways of social media is likely to grow even more extreme in the years to come, as ever more social media intensive kids grow into adults with communication habits wildly divergent from what we’ve seen before. Obviously, this represents an opportunity, but it also represents a danger — both for the companies involved, and the individuals who may be breaching trusts and duties without a second thought.
Thus, we should all consider how we engage with social media today — and not merely in the abstract, but in practice. Who do we “friend,” and what type of person really reads our status updates? Why are we saying what we’re saying, and do we really need to say it? These can be uncomfortable questions, but they must be asked if we are to remain calm when worlds collide.
Blogworld Report: The New Paradigm Gains Momentum
Legally Social spent this past weekend at Blogworld New Media Expo in Las Vegas, and can safely report (a) that the world of social media remains dynamic, forward thinking and intense; (b) that people in social media still don’t think about the legal ramifications of what they’re doing as much as they ought to, and (c) Las Vegas is profoundly amusing.
I live-tweeted several panels (you can follow me @legallysocial) but for me the most important aspect of the conference was seeing the interaction between the old social media format (which was highly informal and largely consisted of bloggers talking amongst themselves) and the new paradigm (which is far more focused on commerce, marketing and co-branding). Once upon a time, bloggers could joke about “taking the Boeing” as shorthand for selling out. Now, the idea of “selling out” is preposterous, with the word “monetize” thrown around more often than any other word including “and” “the” or “a”. Social media interaction is no longer thought of as a hobby for pajama-clad folks blogging from their basement; instead it is a sophisticated marketing tool used by the largest companies in the world (and the smallest) to develop dialogue with their customers. To be sure, the number of social media devotees focused on their hobbies and their lives remains large, but what is interesting is that this more informal world is now almost indistinguishable from the land of professional marketers.
This will lead, of course, to all sorts of interesting issues over the next few years, ranging from brand control and privacy to employment law and innovation. But right now, we should all be pleased to witness the early stages of a new communications paradigm. Web 2.0 is still less than a decade old (at most). We have many years (and many more versions) yet to come. It is an exciting time, indeed, and next year should be even better.
Legally Social: Live on TV!
I’ll be appearing live on WGN TV’s 5:00 pm broadcast today to talk about social media, privacy, Facebook and all of our other favorite topics. Be sure to check it out!
UPDATE: Here’s the link to the interview.
Another Day, Another Facebook Privacy Scare
If it seems that Facebook privacy scares are a regular occurrence in the media at this point, you are correct. Today’s issue: certain apps are sharing your information.
As you can imagine, all of us here at Legally Social are shocked, shocked to hear about this stunning new development.
Obviously, this is hardly news. Given the number of apps used by Facebook’s 500 million users, and the fact that Facebook is merely the channel through which the apps are distributed, the likelihood that many apps would share information beyond what they promise is pretty much assured. For that reason, the scare lede is, in many respects, somewhat misleading in itself:
The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook’s strictest privacy settings.
Note the passive voice. The article isn’t saying that Facebook is sharing the information, but that the information is being shared. But as you’ll see, the issue isn’t what Facebook is doing – the issue is whether or not by signing up for certain Facebook apps you are buying into practices that are forbidden by Facebook (“Facebook prohibits app makers from transferring data about users to outside advertising and data companies, even if a user agrees.”) And in fact, when Facebook was informed by the Wall Street Journal of what was going on, the expected thing happened:
Most apps aren’t made by Facebook, but by independent software developers. Several apps became unavailable to Facebook users after the Journal informed Facebook that the apps were transmitting personal information; the specific reason for their unavailability remains unclear.
So should you be worried? The answer, as with all things of this sort, is simple: of course! Engaging in social media communications (as a provider, as a user, or even a dilettante) is not a risk-free activity: bad actors abound, just like in the real world. Nothing is a risk-free activity, and there are dangers lurking behind any activity from buying some groceries (slip and fall cases are common) to clicking on a link in an e-mail sent to you by a friend (phishing remains both a popular and an effective means of stealing your most valuable data). The key thing is to understand that the risks exist, and to act accordingly.
Each time you sign up for an app, or expand your use, you are expanding the chance that something could go wrong with your data. But the same risk exists each time you buy from a new store online, or engage in any new behavior with a new commercial partner. But even in the case before us today, some Facebook users came out better than others:
The information being transmitted is one of Facebook’s basic building blocks: the unique “Facebook ID” number assigned to every user on the site. Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person’s name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private. For other users, the Facebook ID reveals information they have set to share with “everyone,” including age, residence, occupation and photos.
In other words, if you set your privacy settings properly, the worst that happened was that your name was shared. This is, obviously, not ideal, and the folks involved can and should be subject to the scrutiny that this practice will now receive. However, your name is shared on mailing lists all the time. Has anyone read the privacy policy for Amazon.com, or any other major online retailer recently? This is not exactly a new phenomenon — data mining is, as I have mentioned repeatedly, the killer app of social media. If you think that social media exists for charitable reasons, think again.
So, to sum things up, the key takeaway from the new Facebook privacy scare:
The company says it has disabled thousands of applications at times for violating its policies. It’s unclear how many, if any, of those cases involved passing user information to marketing companies.
In other words, Facebook is actually doing the right thing here, and has been doing the right thing for several months, but the system is not perfect, and many apps still do things that they shouldn’t. So caveat emptor: if you want to ensure that your data is never shared, do not use electronic media. At. All. If you use electronic media, your data is at risk. Period. The only question is whether you (as a company) are doing the things you should do to make sure that your customer expectations are in line with what you’re actually doing with their data, and whether you (as an individual) understand what is being promised, and the risks that may apply.
About that privacy policy of yours that no one ever reads…
It goes without saying that you should have a privacy policy if you are accepting personally identifiable information through your web presence or social media initiative. The Federal Trade Commission, by the way, agrees — and trust me, you don’t want the FTC taking an interest in you or your business.
But ironically, all of that time, money and brainpower you spent on crafting a best-of-breed privacy policy may result in a document read by…no one. Go ahead — check your analytics — see how often someone takes a look at your privacy policy, or even your terms and conditions. Not a big source of hits, is it? That one person who looked at your privacy policy last week? That was me.
And even when consumers have independent access to information about privacy, they don’t seem to be paying attention. According to one recent study, even on Facebook (the subject of endless media focus on privacy) 25% of users don’t use privacy controls. So if users don’t care, why should you? Believe it or not, I get this question all the time: “Can’t I just copy a privacy policy from someone and then just paste it into a link?”
Yet even if no one (and I mean literally no one) looks at your privacy policy, if you accept personally identifiable information you need one. A good one. One customized for you and you alone. Beyond the regulators-will-get-exceptionally-angry explanation (and you should not underestimate the power of an irritated regulator), there is another, self-interested reason for this – and it is both aspirational and practical.
If you do not have a policy, your organization will have no sense of its limits. Putting one together forces you (and your team) to decide what it wants to be doing, and why. It forces you to weigh the benefits against the risks. In other words, it forces you to have a strategy.
That normative function is great — but having a privacy policy also forces you to do an empirical analysis of what you’re doing right now. A good privacy policy describes your activity with clear-eyed accuracy. The process of drafting a privacy policy forces you to engage in a review of your marketing practices that allows you to get your arms around what is actually happening in your organization. I can assure you that even sophisticated folks are often surprised by what they find.
So do people read your privacy policy? Probably not. Should you have one? In the immortal words of my eleven-year-old son: duh!
