Wednesday, September 26, 2012
2012/13 : the video!
Wednesday, December 09, 2009
Facebook Privacy:: Fact or theory?
Xmas comes early for privacy advocates?!
"Facebook has ordered its 350 million users to sort out their privacy settings right now, before it throws the switch on its revamped security system.
The social networker farmer in chief Mark Zuckerberg, told its users last week that, "We're adding something that many of you have asked for — the ability to control who sees each individual piece of content you create or upload." He also promised a simplified privacy page.
..In today's warning, coinciding with the actual launch of the tools, Facebook promised its new Publisher Privacy Control would allow users to set a privacy setting for each piece on content they create.The firm is also removing its "regional networks", in favour of four basic control settings: friends, friends of friends, everyone and customised.
This will be allied with an "easy, intuitive and accessible" privacy settings page."
Well, hmm, let's see - but Blogzilla. looks like we may finally have to rewrite that FB paper!
Of course in other news today, Sophos, who discovered 2 years ago that most FB users would revel their most private details to cartoon frog, found that 2 years on, relicating the study in Australia, ... well, nothing had really changed.
"The survey found that 46% of users in a fictional 21 year old's age group accepted the offered friendship, while 41% of a fictional 56 year old's peers did.
On Facebook once someone has been accepted as your 'friend' they can see more information about you, but you can still choose to hide information from those friends or limit it to specific groups amongst your online friends....
"Both groups were very liberal with their email addresses and with their birthdays," said Sophos head of technology in Asia Pacific Paul Ducklin. "This is worrying because these details make an excellent starting point for scammers and social engineers.""
Ah well, you can't have everything!
Wednesday, November 18, 2009
Privacy and Facebook, IGF style
The updated powerpoint can be found here.
Wednesday, October 28, 2009
Death and Facebook
Pangloss is always pleased to see things she's been lecturing about for a year turn into reality, and here comes one again. Facebook have decided to formalise the procedures they already, to some extent had, for "memorialising" the profiles of users who have become deceased. The Grauniad reports:
"When someone leaves us, they don't leave our memories or our social network. To reflect that reality, we created the idea of 'memorialised' profiles as a place where people can save and share their memories of those who've passed," explained Max Kelly, Facebook head of security, on the company's blog.
But what does it mean, that an account gets "memorialised"? The contact information and status updates are removed, and the profile is set private. No one can log into it any more. Only Facebook friends can locate the profile via search and leave posts on the wall for remembrance."
Although neither the Guardian nor Facebook mention it, it seems likely this too is a response to the recent demand by the Canadian Privacy Commissioner that FB put their house in order. But is this really the best option, or the only alternative (as it has been presented) to deletion by default?
As Pangloss has suggested before, is it not really up to the user themselves if they wish to see their site "memorialised", or if they feel this might be mawkish and upsetting? Would it not be better and indeed simpler for FB to provide a preference switch for the user to say in advance what they want, rather than relying on the impetus of the family to make a choice on death? And what if the user leaves a wish in their will which conflicts with what the family say to FB - will anyone have an interest to intervene?
Another problem, which the Guardian has also spotted, is that FB has simultaneously rolled out a "Reconnect" feature which encourages users to get back in touch with friends they've lost touch with. From FB's company blog, one user comment exposes the problem:
Pangloss wonders bye the bye if is coincidental these changes have been made fairly shortly after the Jewish New Year and the Day of Atonement (Yom Kippur) when one remembers the dead and gone .. a connection recently made by Jewish Week who interviewed Pangloss a month back on this exact matter. The idea floated there that eulogy posts on FB memorialised profiles are a sort of collective post death mourning in these godless times, is an interesting and slightly scarey one. How long before FB goes 3D and starts offering an optional virtual funeral with avatars of deceased and friends? (And what adverts would they sell alongside??)
Pangloss herself is laid up right now with a bad back, by the way, and definitely feels after all this like she has one foot in the web 2.0 grave..
Monday, September 21, 2009
Facebook and privacy
"A Look at the Facebook Privacy Class Action (Beacon) Settlement
Facebook announced on Friday that it settled the class action challenging its "Beacon" advertising program. [Inside Facebook; h/t Jim McCullagh on Twitter] You can access the key docs here: [pdf] (Settlement Agreement; Motion for Preliminary Approval).Net result? Facebook establishes a privacy foundation funded with $9.5 million (or what's left of this amount after attorneys' fees, costs, and class claims are deducted). "
Thursday, August 27, 2009
Canada Forces Facebook to make Privacy Changes
In a remarkable turn of events, Facebook has agreed to add significant new privacy safeguards and make other changes in response to the Privacy Commissioner of Canada’s recent investigation into the popular social networking site’s privacy policies and practices.
"The following is an overview of key issues raised during the investigation and Facebook’s response:
1. Third-party Application Developers
Issue: The sharing of personal information with third-party developers creating Facebook applications such as games and quizzes raises serious privacy risks. With more than one million developers around the globe, the Commissioner is concerned about a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online “friends.”
Response: Facebook has agreed to retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access. Under this new permissions model, users adding an application will be advised that the application wants access to specific categories of information. The user will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.
This change will require significant technological changes. Developers using the platform will also need to adapt their applications and Facebook expects the entire process to take one year to implement.
2. Deactivation of Accounts
Issue: Facebook provides confusing information about the distinction between account deactivation – whereby personal information is held in digital storage – and deletion – whereby personal information is actually erased from Facebook servers. As well, Facebook should implement a retention policy under which the personal information of users who have deactivated their accounts will be deleted from the site’s servers after a reasonable length of time.
Response: Facebook has agreed to make it clear to users that they have the option of either deactivating their account or deleting their account. This distinction will be explained in Facebook’s privacy policy and users will receive a notice about the delete option during the deactivation process.
While we asked for a retention policy, we looked at the issue again and considered what Facebook was proposing. We determined the company’s approach – providing clarity about the options, offering a clear choice, and alleviating the confusion – is acceptable because it will allow users to make informed decisions about how their personal information is to be handled.
....4. Accounts of Deceased Users
Issue: People should have a better way to provide meaningful consent to have their account “memorialized” after their death. As such, Facebook should be clear in its privacy policy that it will keep a user’s profile online after death so that friends can post comments and pay tribute.
Response: Facebook agreed to change the wording in its privacy policy to explain what will happen in the event of a user’s death."
Pangloss is mildly amused that only two years after she, Ian Brown and Chris Marsden presented a paper highlighting the privacy and security issues around the use of third party apps on Facebook, changes are finally being made.
The interesting issue will be if these changes are only made for Facebook in Canada or applied worldwide; similar legal pressure has not, it seems, being exerted in other jurisdictions such as the UK and the US - but there has certainly been concern over the repeated use of third party apps as an easy way to collect personal data for fraudulent or criminal purposes, or to spread malware. One might speculate that if FB are investing in developing new more privacy-compliant code it might as well install it system-wide given the PR advantages and the fact that FB's growth appears to have peaked (the rate of growth has been declining since about January 08). Chris Soghoian on Twitter seems to indicate the changes will be worldwide. If so, the Canadians have certainly done us all a favour.
Pangloss is also intrigued by the Canadian concern over Facebook's treatment of profiles on death. While the matter is certainly a pressing one (with 200 million users, not all young, FB profiles are, sadly, often a major concern to relatives after death) in fact FB has been pretty much in the vanguard in the area of transmision of digital assets, in at least providing a clear and accessible way for relatives to ask for profiles to be "memorialised" after death.
Other sites where digital "assets" remain after death (eg eBay, Flickr, et al) are in general much less clear about what rights they offer relativesafter death, have hard to penetrate procedures on the matter, or actively refuse to allow relatives control after death (see the famous Yahoo! case where relatives of a US marine were initially refused access to his emails after death because the privacy policy forbade passing on information to any third party. At least in the US, the privacy policy remains unchanged to date.)
However in my recent talk on this subject, I also suggested that it would be easy for FB in its various preference suggestions to allow users themselves to indicate what they would like done with their profiles after death. Not all want their profiles left open for comments after death ; some would like them closed down; others might like a friend or relatives to make the decision what to do. One size does not fit all and a solution should also consider and balance the interests of both the profile owner and the relatives. However if FB take a lead here under Canadian persuasion, they may well benefit all by becoming a good practice example in a rather under-considered part of the web 2.0 field.
Monday, July 13, 2009
Death 2.0
There's also a write up to go with it here.
I'll be giving an updated version of this at GiKii in Amsterdam in September :-)
Thursday, June 18, 2009
Facebook, DP and Apps
According to FT,
"regulators say tighter rules are needed to protect personal data given to these third-party developers. In particular, they believe developers should be subject to tough European Union privacy and data protection rules, even when the companies concerned are located far from Europe.At the same time, they argue that many corporate marketers who have turned to new forms of social media as a way to reach consumers should also be subjected to stiffer regulations."
Which is pretty much what Ian Brown and I suggested only two years ago :) (Incidentally that piece is finally seeing the published light of say shortly in Andrea Matwyshwn's great edited collection, Harbouring Data (Stanford U Press).
I'm not finding this opinion on the usual Art 29 page: if anyone has it in advance, I would very much like to see it.
Along with various recent reports suggesting that privacy defaults on social networking sites need tighter attention, for everyone not just children, it does seem the privacy and security risks of SNSs are finally getting the serious attention they deserve. (Is it just a coincidence btw that this happens as the Iranian situation shows more clearly than ever the power wielded by social networks these days??)
Tuesday, June 16, 2009
Brandjacking and FaceSquatting
Twitter has had quite a history of this, as the current locus of choice for celebrity blogging - but it is also, less obviously, becoming of enormous commercial significance - just a few days ago Dell proudly announced it had sold c $3m worth of computers through its Twitter shop (though as one commenter wisely says, are these new sales or just diverted from other salespoints??)
To respond to this, Twitter has just announced a verified account process - at first rolled out only for personal, not commercial, usernames and aimed at famous names (eg the likes of Neil Gaiman and Stephen Fry, who have been plagued by imitators/admirers). The new service at the moment merely invites those afflicted to submit their details but not does not give any details of what evidence will be used to ascertain who is who , nor how to distinguish between two worthy competitors for the same name - eg my brother is called Jonathan Edwards and is a consultant IT and office automation lawyer, but there is also Jonathan Edwards the former medal winning triple jumper! Who should get the Twitter space? Neither is exactly Janet Jackson... and arguably though the sport one may be more famous, my brother can make better commercial use of this particular space?? Interestingly anyone can apply to be verified - so Pangloss has, sub nom Lilian Edwards! Let's see if they reply :-)
And even practically as Lisa was speaking, the social network "domainspace" expanded enormously with Facebook's sudden overnight launch of personal usernames. The resulting land grab and predictable accompanying furore of lost and fraudulent claims has been rather wonderfully, named Facesquatting and all kinds of virtual dust is still settling. The Grauniad say "Facebook says 500,000 users grabbed their usernames within 15 minutes of the system going live, with no reports of major squabbles so far."
Lisa suggested that as with domain names, the law of trade marks should be relevant to protect brands, and needs re examining to see if it could meet this kind of challenge. She then canvassed the kinds of problems that may result, familiar to those who've followed the ICANN wars. What about businesses whose name is a generic, like Apple Computers ? Should they get preferential treatment on Twitter or FB when they wouldn't in TM law?
Pangloss checked and on FB, Apple-we-know-and-love has Apple Store and Apple Ipod, but the page "Apple" has actually been registered by, er, a lover of apples. Yes, the green vitamin-loaded things! PG is quietly pleased at this triumph of nature over commerce :)
So should the Cox- lover be deposed by FB, or if they don't play ball, even sued under TM law, or fined under the US Anti CyberSquatting law, or local equivalents? If so, why? And what about Fiona Apple the singer, who sells most her records over the Internet these days, and also has an FB "be a fan" page??
Social networks were originally set up to allow people to be, well, social, not to sell things - and to be fans of things like pop groups, books, movies, comics and er fruit : all extensions of their personality. Yet as the Grauniad wisely suggest, it is likely the SNSs will bend over backwards to make provision to allow remedies against "facesquatting" etc because the businesses and the celebrities are the place where they will, if ever, find a revenue stream more reliable than mere ads. As the Grauniad adds : "
"In truth, though, I think the odd timing shows us something else: that the real target of Facebook usernames aren't users at all, but the companies, brands and high-profile celebrities who can be convinced to pay for services somewhere down the line.
And they've already had their usernames granted to them, regardless of the timing of the launch. Anyone else is just going along for the ride."
Multiple registrations on multiple networks (FaceBook, Twitter, Bebo, whatever) will also be a problem. The brand-owners are already aghast at the prospect of the extension of the URL domain name space to cover internationalised domain names (Kanji, Korean alphabet, etc) because they see this not as an opportunity to brand more effectively to their customer bases , but as creating hundreds of new domain names they'll have to buy up and police to avoid cybersquatting. What should be a blessing has become a curse. Interestingly, PG has been directed to a lovely tool to check whether your name is available on multiple SNSs - reportedly it has been much used in the Facebook username goldrush!!
Pangloss is deeply unsure if some new version of TMs and domain name law should be adapted or invented for the social namespace. For one, there is simply not, or at least not always, the same problem as there is with domain names used as URLs: that there can be only one. There is already more than one Lilian Edwards on Facebook (and I am lucky to have an unusual first name) but there can only be one lilian.facebook.com (and it is not me) or even liianedwards.co.uk.
Is it really helping any to give me yet more opportunities to fight it out with the other Liians ) at least one of whom has her own business, selling elephant drawings!!) ? Isn't the real solution here better granular search facilities on FB and other sites, not giving out and policing unique vanity URLs? There is already substantial evidence the public now overwhelmingly finds sites via Google not via typing in random URLs anyway.
But - as Lisa pointed out - is the issue not actually more of public confusion, than of brand maintenance? If I find a site called Dell on Twitter, will I assume it is the real Dell selling me reputable computers, not some rip-off merchant? Perhaps, but here as noted Twitter is already bringing in its own solutions (and asking businesses to pay for a verified site at some future point doesn't seem too wrong to me either, if it leads to $3m extra sales.).
In the Twitter celebrityspace there is also a rather cute emergent norm, that when a name has been snaffled, the celebrity renames as " -himself" - so eg Neil Gaiman is @neilhimself.
As well as these "norm" solutions, if the problem is public confusion, can't that be better met by enforcing existing public laws on false advertising, fraudulent commercial practices, etc, than by inviting vast swathes of private trade mark litigation, which might in turn need the reinvention of the ICANN UDRP procedure, international treaty negotiation, etc etc, all over again? This seems to me like a place where we should not in knee jerk fashion turn to an IP solution. We don't need more property for companies to fight over here, and given the costs of policing the brand, they possibly don't want it either; all we need are workable solutions for consumers.
Lisa pointed out correctly that most false advertising rules only apply to commercial actors - but this doesn't have to be so. In fact in the UK, it is an offense in advertising law to deceptively hold yourself out as a private person when you are in fact a business ( for more on this and the problem of the emergent hybrid consumer or "prosumer" see Christine Riefa's chapter on e-contracts in the upcoming - guess what - 3rd edn of Edwards and Waelde eds Law and the Internet.)
Let's stop and think a bit before we jump again to create yet more new IP rights, ok?
Pangloss is now at a hotel with a pool and a beach :-)) so she's going to try to take a break from all this intellectual fever!! Bye for now :)
Sunday, March 29, 2009
Facebook reaches 200 million members
Interesting graphics from the New York Times on the rise and rise of Facebook: which has doubled its global membership from 100 to 200 million in eight months - quite remarkable.
Some interesting comments on FB's recent concessions towards user pressure to roll back some of FB's changes of terms and conditions, and unpopular redesign of the web interface.
" “It’s not a democracy,” Mr. Cox says of his company’s relationship with users. “We are here to build an Internet medium for communicating and we think we have enough perspective to do that and be caretakers of that vision.” "
On privacy settings, where FB continue merely to allow users to protect themselves, FB admit only around 20% users use any privacy settings.
Most interestingly (in an article which is at points inches away from a puff post) are FB's attempts to present itself not as a provider of intrusive advertising in a private space but as a promoter of a new style of "interactive advertising" which will maintain momentum even as advertising revenues dry up forother providers dependent on ad revenue such as free webmail services.
"Facebook’s approach is to invite advertisers to join in the conversation. New “engagement” ads ask users to become fans of products and companies — sometimes with the promise of discounts. If a person gives in, that commercial allegiance is then broadcast to all of the person’s friends on the site.
A new kind of engagement ad, now being tested, will invite people to vote — “what’s your favorite color M&M?” for example — and brands will pay every time a Facebook member participates.
“We are trying to provide the antidote for the consumer rebellion against interruptive advertising,” says Sheryl Sandberg, Facebook’s chief operating officer and Mr. Zuckerberg’s business consigliere."..Facebook recently introduced advertising tools to let companies focus on users based on the language they use on the site and their geographic location. So, for example, an advertiser can now tailor a message to the Latino community in Los Angeles or French speakers in Montreal." "
Pangloss sez: sounds like an attempt to repackage the much disliked Facebook Beacon, and step away from the bad press around Phorm in particular and targeted advertising in general. But is it more than puff? Even if users get to vote on their favourite M and M flavour, they will still not get to vote on the conditions under which FB pass on their personal data to third party marketers, despite the ra ra of consultation on the FB principles (see previous post).
Notably FB say they will never charge users for part or all of the FB services despite the credit crunch . However they do not say they will never pass on non-anonymised personal data to third parties, something which is currently barred by their own terms but could change in future (and is not barred by proposed FB Principle 3 either).
On the other hand the idea that users might actually be paid for giving their public allegiance to a product is interesting. Only the other week Pangloss vigorously denied the market would ever support paying for personal data (other than in costs-nothing considerations like air miles and loyalty card points) when it already routinely collects it for free. Maybe this is the first glint of a market sea change?
Full article here.
Friday, March 27, 2009
Democracy Comes to Facebook?
Facebook Principles
Rights and Responsibilities
Pangloss is getting on train to Edinburgh to go to SCRIPT-ed, and will read them then to see if they actually change anything useful. But the sheer act of undertaking such consultation with a 100 million plus userbase, even if it is only PR, is really quite a remarkable landmark in the governance of web 2.0.
Also taking the Database State Report, the Digital Rights Agency consultation and various other reports. There will be blogging!
Finally, I note OUT_Law agrees with me that Google Street View is not illegal though for different reasons. Struan focuses on the recent UK ECHR-based case law on invasion of privacy as "breach of confidence", noting that the JK Rowling case seems to confirm that the UK courts do not recognise a right not to be photographed in a public place unless you, the data subject, are the focus of the camera's attention. Pangloss is less keen on this argument than her own resting on Art 7(f) of the DPD, (surprise), partly because the Art 8 ECHR law is in such flux and partly because it reinforces the data protection equivalent case of Durant which many DP commentators feel was wrongly decided. but it's a good piece : read it.
Thursday, February 19, 2009
Facebook U-Turn on New Terms and Conditions
As I said to the interviewer but which failed to get quoted, the real interest in this little storm in a digital tea cup has been in demonstrating what lawyers know but users rarely think of, namely that Facebook can change their terms any time they damn well like, to be more - or usually less - privacy-friendly.
At the moment, FB's privacy policy declares that users only consent to the sharing of their data with advertisers and marketers in anonymised or aggregated form - but there is no reason why that can't change any day to FB selling full details of user's personal data. And given the downturn in the advertising fortunes of web 2.0, and the fact that Facebook anecdotally still makes almost no money despite its huge userbase and is worth far less than was once thought, can that day be far away?
Ownership of personal data and control over user's own generated content are issue that could well be regulated by model clauses in the current boom in Codes of Practice for social networking sites: instead unsurprisingly they tend to concentrate on kiddy safety - see eg the latest EC effort in this direction. THe proposals do however include the useful provision that the profiles of all users under 18 should be set to "friends only" by default. (This ignores the need for protection of adult privacy though.)
In any case, even sales of aggregate anonymised data now pose a danger to privacy which current DP law wholly fails to notice. At the recent Information Security Best Practices conference 2009 run by Wharton College, Pennsylvania, several security expert speakers in te Data Mining and Privacy panel emphasised the improvements in deriving personal data from aggregate data. The bottom line appears to be that anonymised data as a concept is heading for extinction. Interesting times.
(And despite all this Pangloss is still on FB, albeit behind a lot of privacy locks. Do as I say not as I do, kiddoes.)
Schedule update:
24 February , PLC seminar: "Social Networking Sites, Privacy and Other Legal Aspects", sold out but contact Claire.Dine@practicallaw.com for cancellations.
4 March , Aberdeen University Law Faculty, "Phishing In A Cyber Credit Crunch World".
18-20 March, WSRI Web Science Conference, Athens, chairing panel on "“What can Web Science Do for the Privacy of Data Subjects?: Law, Privacy and Data Retention in a Post 9/11 World”
23 March, London, attending Privacy Value Network Advisory Board.
30-31 March: speaking at SCRIPT-ed Governance of New Technologies Conference, Edinburgh
22-23 April: speaking at BILETA 2009 - The 24th Annual Conference, Winchester
That'll do for now:)
Sunday, January 25, 2009
Interesting times: Pope Lambasts Facebook
"The key quote, which clearly seems to refer to Facebook friending (or at least to so-called 'friend harvesters'): "If the desire for virtual connectedness becomes obsessive, it may in fact function to isolate individuals from real social interaction."
Here's the full paragraph: "The concept of friendship has enjoyed a renewed prominence in the vocabulary of the new digital social networks that have emerged in the last few years. The concept is one of the noblest achievements of human culture. ... We should be careful, therefore, never to trivialise the concept or the experience of friendship. It would be sad if our desire to sustain and develop on-line friendships were to be at the cost of our availability to engage with our families, our neighbours and those we meet in the daily reality of our places of work, education and recreation. If the desire for virtual connectedness becomes obsessive, it may in fact function to isolate individuals from real social interaction while also disrupting the patterns of rest, silence and reflection that are necessary for healthy human development."
"
Perhaps the Pope has been reading too many articles about the sad but rather silly story of the man who killed his wife for changing her status on Facebook to single.
As anyone who's ever used Facebook much probably knows, FB operates on the "closed universe" assumption that anyone who deletes any preference actually intends to mean the opposite. So various friends of mine have found that if X decides not to keep displaying the fact that she is married to Y (for example), FB sends a note to all your friends (or "friends") saying "X ended her relationship with Y". This tends to create a flurry of emails asking whatever happened, so at least it's a way of connecting with old friends :-)
If that is what happened in this case though, it really would be beyond silly into near tragic.
Connectedly, Pangloss is saying something or other about virtual worlds, social networking and privacy at the rather interesting looking Digital Lives conference run by the British Library in London on Feb 9-11. She may or may not mention the Pope...
While I'm at it, Pangloss (rescheduled from last year when I was ill) is also talking on social networking sites and the law at PLC (Practical law Company) in London on February 24. Details at www.practicallaw.com but I understand it's already full, although there is a waiting list. End advert!
Friday, July 25, 2008
Just another silly season Friday..
In the immortal words of John MacEnroe..
It'd be good if it had the IT Crowd in it too :) (So hey, Judith, are they infringing personality rights too? is there an exception in the German law of personality for parody or comment)
Sez OUT_LAW:
"The Court looked into the degree to which the pursuit of artistic freedom interfered with the personality rights of Meiwes. It found that artistic freedom was not so powerful a right that it allowed for someone's life to be made into a horror film.
Meiwes advertised online for someone to be killed and eaten by him. Bernd Jürgen Brandes responded to his advert and tried to join Meiwes in eating his own severed penis before being killed and eaten."
But his life *IS * A HORROR FILM!!!
Wow it's a great time to be a privacy lawyer. Nazi orgies (allegedly). German cannibals. Any guesses on what next?
EDIT: Ok, this next. But hey, haven't all the cool kids given up playing Scrabulous anyway?
Well that took a full ten minutes..
Also this, about which I can say little other than that it's about time they started selling close-target limited tactical nuclear strikes on eBay.
I think I'll go back to bed! :)
Thursday, July 24, 2008
Meanhile after Mosley.. a privacy and libel round up
So what do we think of the Mosley case? In many ways this is absolutely nothing new let alone "landmark". We have had a long string of cases which support the idea that press intrusion into the firmly private lives of celebrities will be regarded as a serious breach of privacy. This wasn't even a difficult case: the events took place in private behind closed and locked doors, not in the more contested world of the outdoors (cf Rowling (Murray v Big Picture)); the case wasn't contaminated as in Douglas by the existence of a threatened connected revenue stream. It wasn't a contested kiss and tell dispute as in Ash where opposing rights of freedom of expression and privacy of non-press parties clashed. This really was a pure privacy and reputation case, about as intimately private a matter as you can get, an exotic sex life, where the incentive of the newspaper was to sell lots of newspapers. It doesn't seem surprising therefore that the damages award was so high, or that the judge was so critical of the paper involved.
Nor is there really anything very new on the tabloid side. It's clear if there really had been a "public right to know" here, the case would have gone the other way. But the Nazi allegations were never proven and the NotW botched its defence. Frankly , Pangloss remains bemused how even if Mr Mosley did spend every Tuesday goosestepping in jackboots and lederhosen singing Tomorrow Belongs To Me, this would have much to do with his "public" role, the handling of Formula 1 racing. But perhaps this is one of these sporty things we females are not privy to. (I don't understand why footballers are expected to have faithful marriages either, or why the public should care either way.)
Still, as my colleague Judith Rauhofer wrote to me triumphantly to say, this case certainly affirms the aphorism from earlier cases, that even if the public is "interested", it won't necessarily be "in the public interest" for the details to be disclosed.
The much bigger issue is how far will the flowering emergence of UK post HRA privacy jurisprudence go. Almost everyone except the tabloids thinks the UK's tabloid press needs restrained, by privacy case law in the absence of legislation.
But what if it is not the press but me or you who had blown the gaffe on Mosley? We live in the web 2.0 world after all. What if I had spilled it in my blog.? What if someone had set up a fake Mosley Facebook profile in which his interests were claimed to be the Luftwaffe, iron crosses and Eva Braun, his sexuality was described as Random Play with Whips, and his politics as Neo-Fascist?
This isn't altogether a hypothetical. Oddly enough today someone also got successfully sued for 15K damages for libel, and £2K for privacy, for setting up a fake profile on Facebook in an attempt to embarrass and belittle his former mate from school. (he sounds quite a horrible person, but that's not the point really.)
The fake FB profile actually involved lies about the alleged subject, or it wouldn't have lead to a libel award. But the next case , after Mosley and the rest, could easily only involve private and damaging, but not false, details.
One clear example that clarifies where this might lead is one Judith and I debated at the Law and Society conference in Montreal - is there now a human right not to be "outed"? Tonight I've watched a documentary in which John Barrowman explained in copious detail how glad he is to be gay. But not everyone feels that way. Indubitably, outing can cause damage - everything from loss of job to loss of friends and emotional distress to suicide in some cases. Shouldn't it be actionable?
But - Do I , an individual have the ethical duty not to harm my fellow man, if I do not lie? Maybe I do , but that is still a long way from a legal duty. The judge in the Mosley case stated:
"The law now affords protection to information in respect of which there
is a reasonable expectation of privacy, even in circumstances
where there is no pre-existing relationship giving rise of itself to an
enforceable duty of confidence. That is because the law is concerned to
prevent the violation of a citizen's autonomy, dignity and self-esteem."
But don't I too , as part of my rights of autonomy and personality and self esteem, have a right to describe the world how I see it, as long as I don't lie, defame or negligently misstate? These are`my duties of care, the traditional limits of freedom of speech. I am not required in general to protect and sustain the image my friends and enemies want to project - to be part of their personal PR agency. Nor should I be.
Of course if I out my friends, they are unlikely to stay my friends and I might well be ostracised in my social group. Shouldn't these social norms and sanctions suffice? Yet it is hard to see exactly where to draw the line between the next Facebook case, the one about privacy not defamation, and the outing example. There is also surely a societal interest in truth, and critique, as well as in privacy.
Do we really want the whole world to be a giant self fulfillment and image protection arcade? or do we want the right to say, "but look - the Emperor has no clothes." Or perhaps even, in today's case, no jackboots.
Monday, February 11, 2008
"Just ask the 27 workers at the Automobile Club of Southern California fired for messages about colleagues on their MySpace sites; the Florida sheriff's deputy whose MySpace page revealed his heavy drinking and fascination with female breasts – and swiftly found himself handing in his badge; the Argos worker in Wokingham fired for saying on Facebook that working at the firm was "shit"; the Las Vegas teacher at a Catholic school fired after he declared himself gay on his MySpace page; the staff of an Ottawa grocery chain fired for their "negative comments" on Facebook; the 19 Northampton police officers investigated for Facebook comments; and Kevin Colvin, an intern at Anglo Irish Bank, who told his employers he had a family emergency, but whose Facebook page revealed he had, in reality, been cavorting in drag at a Hallowe'en party."
However the piece does have a new(ish) point, that worries about social network sites may shift from the obvious paedophiles, stalkers and ID thieves t more "civil" observers:
"That something as ubiquitous as social network sites (they have 13.7 million UK users) are exploited by paedophiles and other serious criminals is not surprising. Happily, the numbers affected are small. But the use of personal page content in civil disputes, divorces, employment and legal actions will affect far more of the millions now innocently sharing their thoughts and intimate moments with the online world. "
Pangloss is, as usual, almost finished an article on all this :) Send donations of spare time to allow her to complete it!!
Ps while we're at it, two interesting recent comments on the ongoing facebook/SCrabulous affair - Jonathan Zittrain here and the irrepressible Daithi Mac Sithigh here.
Friday, January 25, 2008
Facebook, the holiday romance
Wednesday, September 05, 2007
Facebook and privacy returns
But wait - they're actually doing it RIGHT.
a. They're only allowing name and profile pictures to appear in search results - not all the rest which tends to include highly personal material.
b. everyone appears to be getting prominent notice IN ADVANCE that they can opt out of their info being released onto Google
c. most impressively, if like me (and I imagine rather rarely) you'd already opted to "hide" on facebook, ie, not be searchable by name in their listing, you are automatically opted out of the Google release.
This appeared at the top of my FB profile this morning:
"Facebook now enables anyone to search for Facebook users who have public search listings from our Welcome page. In a few weeks we will allow users to make these public search listings visible to search engines like Google. Public Search Listings only include names and profile pictures.
Because you have restricted your search privacy settings your public search listing will not be shown. If you want friends who are not yet on Facebook to be able to search for you by name, you can change your settings on the Search Privacy page.
No privacy rules are changing; if you do choose to make this public search listing available, anyone who discovers your public search listing must sign up and login to contact you via Facebook. "
This strikes me as for once a good example of how privacy on line in web 2.0 ought to be handled - congrats to FB.
You could argue that a site like FB should not open itself to Google at all (in the interests of default privacy, etc etc) but the fact is that sites like Spock.com are already begining to scrape social networking sites like FB and make the data they contain searchable with no user opt-out or notice, and dubious supervision - so this at least pre-empts such attention, and gives the user some control.
It's also interesting that this is a case of the market dovetailing with privacy-enhancing code. FB WANT you to sign up for FB and go to their site to read that highly personal stuff - not read it on Google away from their adverts and apps (or on Spock.com).
LiveJournal, by comparison, an open source blogging site normally regarded as fairly privacy conscious, don't care (much) about ads (they make money from paid subs and are run by volunteers), so they also don't stop you allowing spiders to grab your whole blog. User choice prevails and as we all know by now, user choice when the default is no privacy, usually means disclosure by inertia. (You can opt out of spiders on LJ too, of course - but the option is distinctly not that obvious.)
Wednesday, June 27, 2007
FaceBook Brought to Book?
The article reveals that creating an "exploit" in FaceBook - ie hacking the privacy of unsuspecting users - is trivially easy. All you have to do is use Advanced Search and you can search across controversial (and in European DP language, "sensitive") pieces of data such as Religion and Sexuality in apparently unlimited numbers of profiles. This is true even if the user has taken steps to protect the privacy of their data (see below). As Ian comments this is a security failure on FB's part, which should have been trivially easy to fix in their code.
Having just returned from the SCL Conference where it was revealed that over 3 million people in the UK are on Facebook (including apparently nearly every corporate lawyer in the UK.. and definitely at Allen and Overy :-) and it is growing in the UK at 6% per WEEK, this is serious, er, excrement.
Pangloss's own experimentation proves that in fact hacking FaceBook is even easier than this. Suppose you want to stalk person X who you know lives in London. All you have to do is set up an FB profile, join the London network - which requires NO validation, certainly not a University of London email address or the like - and suddenly you can see all their personal details - some of which (on brief inspection) are highly revealing , of social and sexual data that many people would not want public. Of course they may not have joined the London network - but very often it will be very easy to guess what network the stalkee is in.
Of course, will say FaceBook, you, the stalkee, can stop this. You can in fact change all your privacy defaults on FB so no one can see ANYTHING on your profile site unless they are people you have accepted as "Friends". (Pangloss has just gone and done this, with a vengeance.) Fair enough, except that the default privacy settings on FB are almost entirely in favour of disclosure and there is very little direction or instruction on the site to "change these defaults for heaven's sake, 300,000 people can see who you want to sleep with".
As the blogger above, Quiet Paranoia (great name) comments, "Users cannot be expected to know that the contents of their private profiles can be mined via [advanced] searches, and thus, very few do set the search permissions associated with their profile."
I agree. If an er um respected professor of privacy law can take some while to realise how exposed her data is on FaceBook, then it is unreasonable to expect children of 16 or 17 (FB is associated with high school students but the T & C say 13 up) to make these kind of difficult judgment calls, when what they are really concerned about is popularity and finding out about the good parties?
FB will say that they have provided opt-in to privacy, and anyone who does not avail themselves of the tools available is impliedly giving consent to processing of their data. They wil also point to their privacy policy which does not give the impression of overwhelming concern about the remarkably weak default privacy protection and indeed, security, offered by FaceBook.
"You post User Content (as defined in the Facebook Terms of Use) on the Site at your own risk. Although we allow you to set privacy options that limit access to your pages, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other Users with whom you may choose to share your pages and information. Therefore, we cannot and do not guarantee that User Content you post on the Site will not be viewed by unauthorized persons. We are not responsible for circumvention of any privacy settings or security measures contained on the Site. You understand and acknowledge that, even after removal, copies of User Content may remain viewable in cached and archived pages or if other Users have copied or stored your User Content."
Even Pangloss, who is no privacy fundamentalist, does not think this is good enough, particularly in relation to "sensitive personal data" where "explicit consent" to processing by third parties is required. (Is searching via key words "processing"? Almost certainly - see Art 2 of the Data Protection Directive which includes "retrieval" whether or not by automatic means. )
But FB will again say : Everyone who signs up to FB assents to the T & C. Does that mean they have given the requisite explicit consent to processing of sensitive data even by "unauthorised third parties"? Even if in pure contract law the T & C can be read this way, at this point both DP law and the Unfair Contract Terms Directive should surely both converge to make such a clause either void or unenforceable?
In comparison, another social networking site where Pangloss hangs out, Live Journal, has not only very sophisticated privacy controls, but also a culture of discussion and awareness that privacy and openness can be manipulated by the software. Of course privacy breaches do still occur (via "cut and paste fairies" for example) but they are pretty rare.
Do we need a legal solution? Is there a case for extension of DP law to cover the setting of defaults on social network sites? Should privacy not be the default, by law (perhaps with some exceptions to preserve functionality, such as name and network) and openness the opt-out, rather than the reverse? Maybe. Maybe all that is needed is an Industry Code of Practice combined with some upping of awareness of the issue. However with the number of people - especially young pre-employment proto-citizens - involved in web 2.0 sites rising by the minute, this really does seem an issue which is not merely knee jerk alarmism and should not be swept under the carpet. First year students may not care now about spilling their sexuality and contacts to the world: they may when they are older, wiser and looking for employment :)
Another suggestion might be the automatic expiry of social networking data after say six months unless the user chooses to opt in to keeping their data out there. Viktor Mayer-Schoenberger has made this kind of suggestion recently. In social networking sites where the whole business model is based around large databases of personal data, data is routinely retained apparently forever. Data retention is another area where the DPO authorities might want to have a bit of a look at whether the law needs tweaked.
Monday, June 18, 2007
HumanLaw Blog Book
In other news, an unlikely segment of the User Generated Content world have just mounted yet another rebellion (cf AACS and Digg; LiveJournal and Strikethrough) - lawyers. After FaceBook was banned at Allen and Overy, the IT department was bombarded with complaints until they were forced to climb down.
Pangloss is not very surprised , following recent anecdotal discoveries that every respectable IT and law professional she knows appears to have joined FaceBook in the last month and a half. It is now officially CyberStalking 2.0 central (TM: Ian Brown). FB now seems to be becoming the first really major Web 2.0 site to transition from kiddy site full of tagged pictures of drunken debauchery, to grown up networking site essential for your everyday lawyer, banker or journalist. (One might argue that Second Life also vies for this title - but despite the discovery that it fuill of private islands hosting the creme de la creme of global capitalism, Pangloss still thinks its current interface is too crummy for world domination.)
More on this from myself and others at the SCL conference this Friday!