Non-Disclosure Agreements – enforced silence?

Posted on January 16, 2013 by John Carr

 

Over the years I have worked for many different high tech companies. As I recall in each case under the contractual agreement I entered into there was either an implied or, more often, an express term requiring me to keep confidential any commercially sensitive information that came to my attention during the course of my employment. Such “Non Disclosure Agreements” (NDAs) are standard practice in the business world. You are often required to sign one even before you start discussing the terms of your engagement.

NDAs usually make clear that anything you already knew or was in the public domain is not covered. Sometimes there might be a clause saying the NDA anyway expires after a certain amount of time following the completion of the contract.

Being able to prove you already knew something or that it was already in the public domain might be tricky. This alone can introduce an element of uncertainty or instability into the relationship between the person signing the NDA and the company asking for the promise of silence.

To enforce or not to enforce?

Some companies are known to be fairly relaxed about enforcing their NDAs but others are red hot. I guess it depends on the nature or sensitivity of the information in question. Either way you ignore NDAs at your peril.

In practice a company need not necessarily go so far as to sue for damages for breach or seek an injunction to enforce an NDA. If word got around that you had signed an NDA but would not honour it your professional horizons might suddenly become rather constricted.

I know of at least one organization where NDAs caused all sorts of problems among a group that met periodically to discuss policy. They finally decided to institute a standing item on every agenda. It required everyone taking part in the forum to declare if they had entered into any contracts or NDAs since the last time they had all met. It’s not difficult to work out why they took that view.

The implications of NDAs

There are two types of concern which arise in relation to NDAs. The first is how they might impact on individuals who are working together or collaborating on a related project.

In respect of information covered by an NDA, almost by definition it will be information someone else has decided needs to be kept under wraps. I’m guessing that means it is or could be important in some way or other. If it wasn’t why bother?

Thus if you have signed an NDA and you later need to engage in discussions with colleagues which touch on territory covered by it, in all likelihood that discussion cannot take place on equal terms.

We all go to meetings all the time where there are unequal levels of knowledge or understanding arising from differences in intellectual capacity or, more usually, the amount of homework people have done. That’s a different issue. With NDAs you may know key facts others simply can’t. You are bound to be at an unfair advantage that could work to the material detriment of others.

If the existence of an NDA is openly acknowledged, everybody can at least take a view on it. Against that, not openly declaring the existence of a relevant NDA is almost certain to be deceitful at some level.

The second area of concern with NDAs, in the context of NGOs, is how they might impact on or limit an NGO’s freedom to act or comment on matters of wider public interest, or what it says about the closeness of the relationship between the NGO and the company concerned. Perhaps for some types of NGOs these sorts of things will never be important. But that will not be the case for all of them.

A row with Facebook is what prompted all this

I mention all this by way of a preamble or as background to a petit contretemps I recently had with Facebook over an NDA I was required to sign as a pre-condition of attending a particular meeting.

In the end, after several months, we reached an amicable negotiated settlement so I am not going to complain about the outcome. Nor am I going to breach the NDA I signed but I am going to question the role of NDAs, at least in the context of the world of online child safety and the position of NGOs.

But first let me make clear Facebook is not the only company to have asked me to sign an NDA in my role as an NGO representative and online child safety advocate. I signed NDAs when I went on visits to Microsoft’s offices, first in Seattle, later in Brussels, and when I went to Google’s offices in London. Inexplicably, I have not yet been invited to the big Googleplex across the water.

Horses for courses

In the case of my visits with Microsoft I had no problem with the NDA. It was upfront from the get go. I knew about it before I was committed to making the journey to Seattle, and as you will see there was no alternative but to go there (not that I complained mind).

Microsoft were in the process of developing a number of new family safety tools. They wanted my opinion on them. I’m sure Microsoft were having lots of similar discussions with other people from the child safety world but, since they were still in the early stages of the product development cycle, I thought it was reasonable to expect me not to speak publicly about what I learned, at least not until after the product was launched. That was the deal. I stuck to it. It wasn’t a vow of permanent silence. It was time limited.

Sign on the dotted line

Both Facebook and Google have this thing where, if you meet them on their premises, as you go in you have to sign in. Don’t sign you don’t proceed. With both companies what you are in fact signing is not only a form to announce your presence, but also an NDA.

With Google I didn’t really think the NDA would ever matter so I didn’t give it any thought at the time. I certainly didn’t read it in detail. I was on my way to a meeting, not asking for a headache by looking at a ton of legalese.

The planned meetings with Google were all about doing a deep dive around a range of well known policy issues. I definitely gained some new and valuable insights into Google’s thinking but it wasn’t the kind of stuff which would make me want to rush to write a blog full of world-shattering revelations.

With Facebook it was a little different but the precise nature of the difference is not really germane to the argument I want to put here. What happened with Facebook, however, did set me thinking not only about the NDA I had signed with them but also the ones I had signed previously with Microsoft and Google, as well as those I might yet be asked to sign by others.

What is the purpose of NDAs in what is or ought to be a public policy space? If there is no contractual, commercial or other financial or research-based relationship what does an NDA achieve? We are all meant to be working to common goals and we are repeatedly told internet companies do not want to compete on child safety, just as airlines don’t compete on air safety records. If there is a straightforward contractual, commercial or other financial or research-based relationship then we are in a different and more obvious place. It has to be openly declared. NDAs are highly proximate and should therefore be thought of as a form of contract even if no money or other appreciable benefit moves between the two parties.

The conclusion I think I have come to is, in similar circumstances, I would sign a Microsoft-type NDA again, but I won’t sign standard NDAs with anyone if they impose on me, in advance, a general obligation not to speak about anything new that I learn in the course of any exchanges we might have.

I never again want to end up in the position I recently found myself with Facebook, having to ask for at least a partial release from the NDA. Like I said, I got it eventually but that’s not quite the point. I kind of feel I should never have gone to the meeting on those terms in the first place. Hey ho. It’s easy to be wise after the event.

My researches

I’ve done a bit of digging on the question of NDAs. It was a relief to discover I wasn’t the only person to have encountered and thought about this issue. It’s not creeping paranoia on my part.

The US-based Center for Democracy and Technology (CDT), a highly respected free speech body, simply won’t go to any meetings where they are required to sign a company’s standard NDA. Apparently the CDT is willing to consider signing specific and limited NDAs, and they have drawn up their own standard form to cover such eventualities, but the presumption is against them altogether. I believe most of the other US free speech bodies follow suit and the UK’s Open Rights Group has adopted a similar position.

I guess it is more or less obvious why free speech bodies would be unwilling to agree to shackle themselves or be put into a compromising situation vis-à-vis big business interests. Even allowing the appearance that they are willing to be gagged on the company’s terms would look odd to at least parts of the outside world. Are child protection NGOs in any different position? I don’t think they are. Observing Chatham House rules is one thing, and that could lead you into potentially difficult territory, but a blanket ban takes you somewhere else altogether.

I am not suggesting that companies use NDAs in a calculated, cynical or manipulative way to silence potential critics or to smother them in the self-aggrandising, flattering embrace of shared confidences, but I think it is very important that even the suspicion that this could be happening should never be allowed any oxygen.

The curious case of Facebook’s Safety Advisory Board

Facebook has a Safety Advisory Board. This Board clearly matters to Facebook as a company. Here’s how I know.

Fraley et al v Facebook ended up in court in California. It turns on Facebook’s alleged use of sub-18 year olds’ Facebook identities, pictures or other personal information. The plaintiffs say that, through Sponsored Storiesthese were used to sell products, but without the permission of the sub-18 year olds concerned.

It looks like Facebook has offered to settle the case but in the earlier stages, in filing,  Facebook’s lead Attorney, one Jeffrey M. Gutkin, submitted a range of papers showing how seriously Facebook took the issue of online child protection and child welfare. Exhibit J of those papers is about the Safety Advisory Board. The names and logos of the Board members’ organizations are paraded as if they were a shield. Stay with me on this.

And in Congressional hearings

Some time before the Fraley case got started, the written testimony of Joe Sullivan, Facebook’s Chief Security Officer, was presented at Congressional hearings held on 28th July, 2010. The following statement appears on page 4

From the beginning, Facebook sought to provide a safer environment than was generally available to people on the web, and as we have expanded beyond college students, we have worked hard to deliver a safer online experience for all of our users. We reach out to law enforcement and Internet privacy, safety, and security experts everywhere to learn about best practices and to build on them. For example, in December, we convened a Safety Advisory Board consisting of representatives from five leading online safety organizations (Childnet International, Common Sense Media, ConnectSafely.org, the Family Online Safety Institute, and WiredSafety) to provide independent advice on teen online safety. (my emphasis)

If Facebook were giving similar testimony today they would have to find space somewhere to add the word “muzzled”. At least for some of the members of the Safety Advisory Board if not all of them, attendance at Board meetings is now governed by an NDA. Facebook clearly likes NDAs a lot.

My understanding is it was not always like that with the Board. I believe it wasn’t like that on 28th July, 2010, but things changed soon after.

Common Sense Media (CSM) is a major child welfare organization in the USA. As we have seen from the Congressional testimony they were members of the Safety Advisory Board in July, 2010. They ceased to be in November, 2010, just four months after Mr Sullivan gave his evidence and less than twelve months after CSM first joined the Board.

As far as I can see CSM are the only organization to have been on the Board and then to have come off. From my enquiries I am reasonably sure that the relationship ended by mutual consent because CSM were not willing to agree that they would not publicly criticize Facebook’s policies and practices as and when they themselves felt it was necessary. This led to a parting of the ways.

Facebook occupies a uniquely important position

Given the singularly important position of Facebook in the whole online child protection space in the English-speaking world and far beyond, I have to say that I find CSM’s stance wholly understandable. Obviously they, like me, recognize the importance of working constructively with Facebook as and when needed but with an NDA in place you run the risk of being thought a client or a partner not a free spirit.

By the way I exempt FOSI from these comments because they are, in any event, an industry Forum. Facebook pays a subscription to be a member of FOSI. Indeed right now a senior executive of Facebook is FOSI’s Chair.

I accept that in one’s dealings with internet companies, the police or whoever, there may be particular instances where topics crop up and a great deal of discretion is required in relation to how they are handled. Talking about them in public might do more harm than good. I have been party to lots of situations of that kind, but here, sight unseen and routinely to be bound by an all-embracing agreement such as is implied by an NDA cannot be right. That makes you part of Facebook’s PR Department. A public interest body should not fetter itself in that way.

I don’t doubt that all of the people at Facebook who deal with the Safety Advisory Board are sympatico and, like all the Safety Advisory Board Members, are sincerely devoted to putting children’s and young people’s interests front and centre. But I find it hard to believe there are no friction points around child safety within Facebook and, if there are, whose interests are served by not bringing the wider online child safety community into the conversation? In fact, really it is more than that. Not only are the existing members not bringing us into the conversation they have consciously decided to exclude us from it. I can vouch for the fact that not once has any Board member ever discussed with me or anyone I know anything at all to do with how the Board works or what big debates are raging within Facebook around child safety. Their silence makes them complicit in everything Facebook does.

If Facebook needs reliable, professional advice on online child safety they are perfectly capable of getting it. Indeed they directly employ some extremely knowledgeable people and if they felt they required extra input they could hire some or all of the people currently on their Safety Advisory Board. At least that way the organizations or individuals concerned could say straight out that they are in a commercial relationship with Facebook so there may be limits on what they can say about any given situation.

That much is so obvious it makes me think the Safety Advisory Board must really be there for other reasons.  I think we got an insight into those other reasons in that Californian court room and on Capitol Hill. Joe Sullivan used the word independent. The wording on the Facebook web site now describes the Board’s role as consultative but the implication remains the same. Yet how can anyone truly be said to be independent if they have tape across their mouth?

About John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised. http://johncarrcv.blogspot.com
This entry was posted in Consent, Default settings, Facebook, Google, Microsoft, Privacy, Regulation, Self-regulation. Bookmark the permalink.