The Wall Street Journal is reporting that Facebook and the FTC are finalizing a settlement agreement regarding some of Facebook’s numerous past privacy flubs. The WSJ reports:

According to people familiar with the talks, the settlement would require Facebook to obtain users’ consent before making “material retroactive changes” to its privacy policies. That means that Facebook must get consent to share data in a way that is different from how the user originally agreed the data could be used.

The thing is, that’s already the rule. While there’s no law that specifically says a company like Facebook can’t retroactively change the way it uses user information, the FTC treats it as an unfair and deceptive trade practice – kind of like a bait-and-switch. You decide you’re comfortable putting information like your gender and dating status on your Facebook page because Facebook promised it would only show that stuff to your friends. And then it goes and makes it all public: Bait and switch.

Since we don’t have comprehensive privacy laws in the US, the only real way to hold companies like Facebook to their word when they say things like “your information is private” is to approach it from a consumer protection angle. Lying to your users about how their personal information is going to be used (or changing your mind later and not telling anyone) is unfair and deceptive, and is exactly the type of thing the FTC can address through fines.

So, making Facebook agree to get express consent before making material retroactive changes to its privacy policies is a bit like making it write “I will not chew gum in class” fifty times on the blackboard before it can go out to recess. The really interesting part of the settlement agreement is that, like Google did in the Buzz settlement, and Twitter did concerning its security, Facebook is agreeing to submit to independent privacy audits for the next twenty years.

My hope for the long term outcome of this settlement agreement is that Facebook will be more upfront and transparent about their privacy practices, and not pull the bait-and-switch move on privacy that they’ve become known for. Hopefully, this will in turn lead to fewer Facebook-privacy-policy-instigated Chicken-Little-style paranoia outbreaks.

The judgements against copyright troll Righthaven are starting to pile up. Righthaven recently tried (unsuccessfully) to convince a Nevada court that $34k was more money than it could reasonably scrape together to post a bond while it appealed the adverse judgment in that case. Now another Nevada court has ruled against Righthaven, awarding the defendant Thomas DiBiase reasonable attorneys’ fees and costs; this time in the even larger amount of $119,488.00. That’s got to hurt.

Update: Apparently this is a parody of the actual ad, which is only slightly less ridiculous…

The British Transport Police’s newest anti-terrorism campaign focusses on? illegal downloading? That seems to be the case, based on this billboard, as tweeted this weekend by @case_hardened:

In case you can’t see it, the billboard features a picture of a small crowd in an outdoor shopping area – and at the center, a mom with adorable baby. The text of the billboard reads:

“A bomb won’t go off here because weeks before the criminal pirating films was caught by monitoring his internet history. Pirating films funds terrorism and organized crime. Report it today.
Confidential Anti-Terrorist Hotline
Call 0800 789 321″

The logic is a bit difficult to follow, but the message is clear: if you are against the government monitoring your internet use, you are for killing babies.

We’ve been hearing for a while that counterfeit goods, including DVDs, software, and even handbags, fund terrorism, but it doesn’t follow that an individual illegally downloading movies from the internet is helping terrorists. And it sure doesn’t follow that monitoring individuals’ internet use for illegal downloads is going to stop terrorists. On the whole, I think this campaign by the British Transport Police may have the opposite of the effect intended – the “Confidential Anti-Terrorist Hotline” is going to be bogged down with reports of copyright violations instead of tips about actual terrorist activities.

On Wednesday, George Washington Law professor and former federal prosecutor Orin Kerr authored an op-ed in The Wall Street Journal, posing the question “Should faking a name on Facebook be a felony?” He was, of course, talking about the infamous Computer Fraud and Abuse Act (CFAA), which Congress is preparing to update. The CFAA, as has been noted here many times, is a federal law passed in the ’80s and initially designed to combat malicious computer hacking, but which has become bloated, stretched and over-applied in the years since.

At the root of many of the arguably overreaching applications of the CFAA is the prohibition on conduct which “exceeds authorized access” to a computer system. According to Kerr:

The problem is that a lot of routine computer use can exceed “authorized access.” Courts are still struggling to interpret this language. But the Justice Department believes that it applies incredibly broadly to include “terms of use” violations and breaches of workplace computer-use policies.

Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer? If interpreted this way, the law gives computer owners the power to criminalize any computer use they don’t like.

And Professor Kerr should know, he was the attorney who defended Lori Drew when she was charged with a felony for making a fake MySpace profile. The Justice Department’s position that a violation of a terms of service constitutes a federal crime basically makes the Federal government the enforcer of private contracts. Got an employee spending too much time on Facebook? Turn them in to the Feds. Someone posting comments you just don’t like on your blog? Call the DOJ. Or threaten to. The chilling effect alone should be enough to keep your users in line.

Would you believe that some politicians are even thinking of making the bill even worse?

Professor Kerr’s primary concern expressed in the op-ed was that the CFAA was going to be amended to make any violation of the CFAA a felony. Hopefully, this won’t pan out. The original Administration proposal (pdf) did increase the baseline punishment for any violation of the CFAA (including exceeding authorized access) from a misdemeanor level offense (less than one year) to a felony. But, thankfully, the Judiciary Committee didn’t take the Administration’s suggestion. Lets hope it stays that way as this bill makes its epic journey through the Washington legislative sausage maker.

There is yet a glimmer of rational-thought hope. Senators Grassley and Franken have introduced an amendment (pdf) which would modify the definition of “exceeds authorized access” to exclude violations of a TOS, if that’s the only basis for the charge of violating the CFAA, effectively improving the CFAA instead of making it worse. Fingers crossed that the amendment makes it in.