Richard Boulton home

Facebook CIA madness

23 April 2013

Take a look at the linked NDA (or as they call it "Confidential Information Acknowledgement") from Facebook: UK_CIA.pdf

In particular, note the following phrases:

  1. "we consider any information you learn while you’re here, to be our confidential information."
  2. "you will not use any confidential information you learn while you’re here for anything other than for the purpose of the visit"
  3. "you will not share that confidential information with anyone else."

Now, I strongly dislike NDAs: I think they're a blunt instrument, mainly of use for intimidation and to cause chilling effects, and that they replace mutual trust with mutual suspicion which is a bad foundation for any relationship. Putting that aside, this is probably an acceptable NDA if you're going to Facebook's office for a business meeting, and I might sign it (with sadness) in that context.

However, last year I was asked to sign this NDA when visiting Facebook's office for an evening tech meetup on machine learning; the talk was later broadcast publically on the internet (well, pretty publically; Facebook login required, but no NDA required!). I didn't sign, told the Facebook staff why, and was required to leave the office and miss the meetup. I'd hoped this NDA had been dropped but hear that it's still being used. And people are still signing it!

Let's look at what this NDA says:

  1. First, it defines the phrase "confidential information" to mean "anything you learn while you're here". No restrictions on this: literally "anything you learn". This would include, in my case for example, some machine learning algorithm that's in an openly published paper that I just hadn't come across yet. To the best of my knowledge, this is a legal document, and this is a clear definition of a term, so any further use of that term in the document is expected to follow that definition.

  2. Next, it asks you to agree that you will not use "confidential information" for anything other than the purpose of the visit. So, I'm not allowed to use that algorithm I've just learnt about, despite it being fully public knowledge. Unacceptable.

  3. Also, it asks you not to share that "confidential information" with anyone else. So, I'm not allowed to tell anyone else about the existence of this public algorithm either. Ridiculous.

It does not matter that a "common sense" reading of the agreement would assume that the confidential information referred to in phrases (2) and (3) doesn't include things which don't seem "confidential". The document has clearly defined what it means by "confidential". Unless you feel like getting a lawyer to analyse this agreement, and then feel ready to take it to court if challenged, you should assume it means what it says, not what you'd like it to say.

This is pretty sneaky, actually; the whole thing is dressed up not to sound like a legal document, and buried in the middle of some friendly text saying perfectly reasonable things, is an utterly unreasonable and outrageous trap. Combine this with the pressure of expectation that you'll just sign a "simple NDA", our natural desire not to want to be "difficult", and wanting to be allowed to go to an interesting meetup, and its not surprising that most people just sign it.

However, if I'd signed this NDA, I would not feel safe discussing anything I'd learnt at the meetup with anyone else, or implementing any code or system based on this. Since that's what I do for a living, I wouldn't feel safe doing my job any more. There's no way I could sign it.

TL;DR:

Two principles I try to follow:

So, here's a plea:

This is probably most effective if you sign up, turn up, and clearly and publically refuse to sign. They'll ask you to leave, with "regret", so be ready to go to the pub with your like-minded friends and have a meetup there instead.

Oh, and if any other large companies are trying this, read their NDAs very carefully to ensure that you're happy to follow it before signing it, or better yet, publically and loudly (but politely) refuse to sign it and don't attend.

Several people tell me I should just have signed this NDA and nothing would have come of it; I agree that Facebook probably don't intend for it to have a chilling effect on discussion of published algorithms, etc., but: NO, NO, NO

Rolling over and accepting things is why this kind of rubbish happens. Let's stamp it out before it spreads any further.