I’m no lawyer and have no idea if those terms are enforceable or even legal. Practically I think Facebook is just punching itself in the face here, but it is their platform and they do have some say in how it’s used.
The point of my original post is that I’ve had experience where researchers try to use the ends to justify their means and then cry foul when they are told that this means can’t be allowed to continue. (Eg in the infosec context rather than breaking into an account they own through some vulnerability, set up automation to break into thousands of those owned by customers and download all of their data).
Again I’m giving the researchers the benefit of the doubt, but i think the phenomenon still applies and in the general case is worth paying attention to when this kind of headline comes out.
I have the right to do anything I want with the data facebook sends to my computer - including sending it to NYU researchers.