Blogger? Where is your privacy policy?

If you are a blogger, here is something to ponder. If you have comments enabled on your blog or even have people registering on your blog to comment or otherwise interact with your site, you should have a privacy policy in place. Why? Well, because draft privacy legislation doing the rounds in Parliament will require that you publish one on your blog.

The thing is, if you allow people to comment on your blog and, like the majority of blogs these days, your blog contains fields for the commentator’s name, email address and web address, you are collecting personal information which is protected by that draft legislation and which, in turn, requires that you publish a policy that tells visitors to your site the following:

  • what information you are collecting;
  • what you are going to do with that information; and
  • how that personal information will be manipulated and disclosed.

There is an increasing number of legal pitfalls for publishers which must increasingly be dealt with using website terms of use and privacy policies. It sounds like overkill for your blog about your life which you may contribute to once or twice a week for your family members and three friends but that is simply not the case. Like most contracts and terms and conditions we encounter in our daily lives, these sorts of documents become risk management tools. We use them to guard against an array of risks that usually don’t occur to people, such as intellectual property infringement and privacy concerns. There are also jurisdictional issues, dispute resolution mechanisms and indemnities.

This may sound like a scam to make lawyers even richer but consider the possible consequences of being sued for copyright infringement on your blog or defamation arising out of inflammatory comments your visitors make. What about personal information stored in your admin section being accessed and sold off by unauthorised third parties? There are real risks which should be borne in mind. Social media empowers everyone to become a publisher. With that power comes the responsibility both to yourself and to your readers to put measures in place to minimise risk.

These implications for smaller publishers got me thinking about what bloggers can do to protect themselves. The usual solution is to rip terms of use from sites on the Web (which are often poorly drafted or which are not really applicable to our legal system). A better solution is to have your lawyer prepare these documents for you. There is an initial cost which is far outweighed by the cost of litigation.

Lawyers really shouldn’t ignore Facebook

Kevin O’Keefe has published a post titled “Why lawyers can’t ignore Facebook for networking”. The post basically lists some statistics (for example, 150 000 new registrations a day, the most growth with users over the age of 25 and the fact that the average user spends 20 minutes on the site) which emphasise how valuable Facebook is as a potential networking tool. What is equally important to me is the fact that there are 150 000 more people signing up each day who are becoming part of a network that is governed by a set of contracts and laws which could impact on them should something go awry.

I am really not an alarmist but I find it interesting that there is still a fair amount of interest in the risks posed by services like Facebook by the mainstream media. I have been interviewed a couple times in the last week or two by journalists interested in users’ rights should something go wrong (I wrote a little about some of the issues here and here). I was interviewed today about privacy issues and identity theft on Facebook and although the Facebook terms of use are not all that bad relative to other services’ terms of use, users really need to be mindful of what they are agreeing to when they click on the link or checkbox indicating that they have read the terms of use and agree to them. It is a good idea to read the terms of use or, if you can’t make out any English words in the legalese, chat to a lawyer for clarification. As O’Keefe’s article points out, Facebook is becoming a very popular business networking tool. This means that business users are potentially exchanging business information on their profiles and using the messaging tool on Facebook which could theoretically be compromised by hackers or a bug in the software. This, in turn, means that this potentially sensitive information could wind up in the wrong person’s hands and the question then becomes what your remedies may be.

Through the terms and conditions you agree to on services like Facebook (and it isn’t just Facebook – any decent web service will have a decent set of terms and conditions – it just makes good sense to put these terms and conditions in place on every web site), you contractually limit your options if something goes badly. In the case of Facebook you agree, for example, that you can’t hold Facebook liable for a number of things ranging from bugs to organised hacks. You also consent to the law of a state in the USA and to the jurisdiction of American courts so this presents a practical challenge. If you choose to litigate against Facebook you have to cover the costs of an American legal team in addition to a local legal team as well as the associated costs of conducting litigation in another country.

Of course I am not saying you shouldn’t use Facebook. I use it myself and think it is, on the whole, a fantastic service. What I am saying is that you need to know what you are agreeing to and conduct yourself accordingly.

Can you trust Facebook (part 2)

In my previous post about the Facebook chaos that ensued on 31 July 2007 I talked about Facebook’s privacy policy. I also mentioned another important document on the Facebook website, the Facebook terms of use. It is almost a given that when people sign up for a service on the Web they routinely check the box that says something along the lines of “I have read the terms of use and I agree to them” without actually reading those terms of use. Here is the first thing Facebook users need to know about the terms:

These Terms of Use constitute the entire agreement between you and Company regarding the use of the Site and/or the Service, superseding any prior agreements between you and Company relating to your use of the Site or the Service.

Facebook’s terms of use constitute a contract between you and Facebook. Your use of the service and clicking on the checkbox are both indications that you have agreed to the terms and consider yourself bound by them. If you do not agree to the terms of use then you must not use Facebook. You don’t need to sign something with a pen for this contract to bind you; the act of checking that box or using the service will probably be sufficient because they evidence your intention to be bound by this contract.

This is just the starting point.

Facebook’s terms of use are pretty detailed and cover a range of topics from the scope of the terms, definitions of words and phrases used in the terms of use, disclaimers of liability, limitations of liability, consents to jurisdiction and governing law, licenses applied to your content on the site and more. This is an important document to take a look at because through these terms of use you and Facebook have shaped the rights and remedies available to you.

The clause that is particularly relevant given yesterday’s events is the clause dealing with user content posted on the site:

You are solely responsible for the photos, profiles, messages, notes, text, information, music, video, advertisements, listings, and other content that you upload, publish or display (hereinafter, “post”) on or through the Service or the Site, or transmit to or share with other users (collectively the “User Content”). You may not post, transmit, or share User Content on the Site or Service that you did not create or that you do not have permission to post. You understand and agree that the Company may, but is not obligated to, review the Site and may delete or remove (without notice) any Site Content or User Content in its sole discretion, for any reason or no reason, including without limitation User Content that in the sole judgment of the Company violates this Agreement or the Facebook Code of Conduct, or which might be offensive, illegal, or that might violate the rights, harm, or threaten the safety of users or others. You are solely responsible at your sole cost and expense for creating backup copies and replacing any User Content you post or store on the Site or provide to the Company.

 

When you post User Content to the Site, you authorize and direct us to make such copies thereof as we deem necessary in order to facilitate the posting and storage of the User Content on the Site. By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

The next important clause is the disclaimer clause in terms of which Facebook disclaims liability for a number of things. This means Facebook doesn’t regard itself as being liable for the following:

The Company is not responsible or liable in any manner for any User Content or Third Party Applications, Software or Content posted on the Site or in connection with the Service, whether posted or caused by users of the Site, by Facebook, by third parties or by any of the equipment or programming associated with or utilized in the Site or the Service. Although we provide rules for user conduct and postings, we do not control and are not responsible for what users post, transmit or share on the Site and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on the Site or in connection with any User Content or Third Party Applications, Software or Content. The Company is not responsible for the conduct, whether online or offline, of any user of the Site or Service.

The Site and the Service may be temporarily unavailable from time to time for maintenance or other reasons. Company assumes no responsibility for any error, omission, interruption, deletion, defect, delay in operation or transmission, communications line failure, theft or destruction or unauthorized access to, or alteration of, User communications. The Company is not responsible for any technical malfunction or other problems of any telephone network or service, computer systems, servers or providers, computer or mobile phone equipment, software, failure of email or players on account of technical problems or traffic congestion on the Internet or at any Site or combination thereof, including injury or damage to User’s or to any other person’s computer, mobile phone, or other hardware or software, related to or resulting from using or downloading materials in connection with the Web and/or in connection with the Service, including without limitation any Mobile Client software. Under no circumstances will the Company be responsible for any loss or damage, including any loss or damage to any User Content or personal injury or death, resulting from anyone’s use of the Site or the Service, any User Content or Third Party Applications, Software or Content posted on or through the Site or the Service or transmitted to Users, or any interactions between users of the Site, whether online or offline.

There were rumours yesterday that the Facebook site was hacked. It also seems that the site was undergoing maintenance. It doesn’t really matter which took place because the end result is that people gained access to messages and information they should not have gained access to. This disclaimer means that Facebook is not contractually liable for any losses or damages you may have suffered when your inbox found itself in the hands of some other user. This protection is expanded through a limitation of liability clause and an indemnity clause. The end result is that Facebook has sought to minimise its possible exposure as a result of the service being hacked or just going wonky, if not eliminate the risk of exposure altogether. To add salt to your wounds, when you contracted with Facebook you also agreed that the law of the State of Delaware would govern your contract with Facebook and any dispute arising between you and Facebook. Where a dispute is not to be dealt with through an arbitration (which you also agree to), you specifically agree that the state and federal courts in California have jurisdiction to adjudicate any dispute you may have with Facebook. This means that if you decide to litigate you will have to submit to the law of the State of Delaware and you will either go through an arbitration process under the auspices of the American Arbitration Association or in Californian courts. Few things focus your attention on the value and merits of your claim more than the requirement that you institute that claim in a foreign country with a foreign legal system. If you thought you could persuade a local court to override these terms, think again. Our courts place a fair amount of importance on your freedom to contract and the desire to enforce contracts.

What this all boils down to is that you could have contracted yourself out of a claim against Facebook if some sensitive information you published on Facebook (privately or publicly) is passed on to a third party. The outrage about people’s inboxes being swapped around as a result of a hack or maintenance glitch simply doesn’t translate into an actionable claim against Facebook, and that means you have to be careful about what you publish on Facebook. A number of people have seen the potential value of Facebook for business users (I have tended to agree with them lately) but this most recent issue casts some doubt over whether Facebook is the best platform for potentially sensitive communications. The same could be said for your personal communications.

Granted this post and my previous one have focussed on Facebook but what I have said probably applies to just about every other social networking site available at the moment. All of these sites have terms of use that shift the responsibility for just about everything to do with your use of the site onto your shoulders, including having to bear the risk of some unauthorised person seeing your content and information. Short of unplugging, these are risks that will have to be managed rather than avoided. There are a couple things you can do to protect yourself and while I certainly don’t profess to be an expert in these measures, I do suggest deciding in advance where your comfort level is and how much information about you, you are comfortable with floating around on the Web. At the very least I would suggest that you not reveal your home address or any information that could help identify your home address or your kids’ schools. Don’t give out your identity number/social security number or your credit card details (unless you are satisfied the site has adequate security to protect your information – a bank may be a good example). Beyond that you need to operate on the assumption that everything you publish on Facebook (even the information that is not totally public) could be leaked out into the Wild and act accordingly.

Identity theft is one thing (and even here you have a measure of control if you are careful) and giving your identity away is quite another.

Who do you trust?

Can you trust Facebook?

There was quite a bit of excitement today about Facebook. I noticed questions being posted on Twitter asking whether anyone else had experienced any problems accessing Facebook. My access was a bit slow so I thought there may have been a problem with Facebook’s servers. There was also some mention somewhere about Facebook possibly being hacked. Either way, I didn’t think too much about it because my access was soon pretty much restored. That was until I was asked by IM whether my inbox was still intact. It then transpired that people had been logging into their Facebook accounts only to find someone else’s messages in their Facebook inbox. There were also more mentions of messages being sent apparently from people whose inboxes had been exchanged for other people’s inboxes. In short, it was chaos.

I received a call from a journalist at The Times to ask me about the implications of this mess and I started looking at the small print on the Facebook site. There are two main documents on the site which seem to be relevant to the chaos on the site. The first is the Facebook privacy policy and the second is the terms of use. The big question is the effect of these errors or outages on Facebook and what people can do about it. The one thing that came to mind is that there is a movement towards using Facebook as a business networking site. What happens if discussions you are having with a potential business partner are suddenly presented to a competitor or just some unknown third party? What if your personal and intimate messages with some “friends” find their way into your wife’s inbox? What do you do then? What can you do?

The privacy policy begins with two principles. The first principle is that you can control how much information is made public and the second is that you can only access what others permit you to access. The policy then describes what information Facebook collects from its users and how its users can exercise a degree of control over that process. You may have strong views about Facebook collecting any information about you so it is worthwhile reading the policy which is written for the end user, you, and not in obscure legalese. This one paragraph caught my eye in particular because it struck me as being so relevant to this afternoon’s excitement:

You post User Content (as defined in the Facebook Terms of Use) on the Site at your own risk. Although we allow you to set privacy options that limit access to your pages, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other Users with whom you may choose to share your pages and information. Therefore, we cannot and do not guarantee that User Content you post on the Site will not be viewed by unauthorized persons. We are not responsible for circumvention of any privacy settings or security measures contained on the Site. You understand and acknowledge that, even after removal, copies of User Content may remain viewable in cached and archived pages or if other Users have copied or stored your User Content.

When it comes to sharing your information with third parties, the following paragraph sums up the Facebook policy quite nicely:

Facebook is about sharing information with others — friends and people in your networks — while providing you with privacy settings that restrict other users from accessing your information. We allow you to choose the information you provide to friends and networks through Facebook. Our network architecture and your privacy settings allow you to make informed choices about who has access to your information. We do not provide contact information to third party marketers without your permission. We share your information with third parties only in limited circumstances where we believe such sharing is 1) reasonably necessary to offer the service, 2) legally required or, 3) permitted by you.

Of course the use of all of these Facebook Applications complicates matters somewhat because these applications often take advantage of information contained in your profile and are developed by third party developers so you really need to be mindful of who these developers are and whether you consider them to be trustworthy.

One of my concerns was the security of my information on Facebook and I am happy to see that this is being taken relatively seriously by Facebook. When I chatted to the journalist from The Times earlier today I told her that Facebook users need to be careful about storing their credit card details on Facebook because if that information is not being secured then it can only go badly. Here is what Facebook is doing to secure your information:

Facebook takes appropriate precautions to protect our users’ information. Your account information is located on a secured server behind a firewall. When you enter sensitive information (such as credit card number or your password), we encrypt that information using secure socket layer technology (SSL). (To learn more about SSL, go to http://en.wikipedia.org/wiki/Secure_Sockets_Layer). Because email and instant messaging are not recognized as secure communications, we request that you not send private information to us by email or instant messaging services. If you have any questions about the security of Facebook Web Site, please contact us at privacy@facebook.com.

This privacy policy is pretty clear about a number of things including the fact that information you publish on the site is potentially being collected and used by Facebook in the course of its business. That information which may be shared with third parties may not be personally identifiable and you do have some measure of control over how much information is disclosed to whom. When I read the opening part of the privacy policy it occurred to me that the overriding message of the privacy policy is that we, as users, have a fair amount of responsibility for what we publish on Facebook. Sure Facebook collects some of our information but much of that depends on what you make public so if you don’t want people to know your phone number or home address, don’t publish it or only make that information public to your close friends. I was listening to episode 3 of Flamebait, a Mail & Guardian podcast, where Vincent and Nic were talking about some guy who started a search for a girl he saw at a party and who was eventually identified by someone who knows her. I don’t know if this guy was able to use the information he obtained through Facebook to make contact with this girl but this sort of thing is possible if you are not mindful of how much information you publish and where you publish it.

In the next part of this series of posts, I’ll talk a bit about Facebook’s terms of use and the possible issues that arise out of that …

Upload but remember your rights

There are so many file sharing sites on the Web today that it is becoming difficult to keep track of them all. There is a wealth of choice and so many ways to store, share and manipulate your content. There is also a hidden danger which you need to be aware of as a content owner.

Each of these sites has its own set of terms and conditions governing the use of content uploaded to the site and what you may or may not upload. Popular examples of these sites include YouTube and Flickr for video and photo uploads, respectively. The reason why you, as a content creator, should be careful when you post to these sites is that once uploaded, your content may be licensed for use in ways you did not intend it to be used. An example of this was recently covered in the iCommons blog:

A friend of mine sent me a link to a message about copyright infringement involving Creative Commons (CC) licences at Buzznet, a community website that allows photo, video and text sharing.

“Buzznet.com – serious theft, beware,” writes kmye-chan, a French graphic artist who found her works copied without permission by Buzznet’s users. Kmye-chan is angered, not just by people copying her works without permission, but also by the Buzznet system, which by default licences all works under a CC Attribution licence.

The gist of her argument is as follows: copying of works without attribution or permission is common on the internet. No big deal, I immediately think. “Most of them didn’t give credit, so I was going to ask them to credit me,” she said. Proper attribution is all she usually cares about, because she feels that the rules of copyright serve as a hindrance to further copying of her works.

But through default open licensing with CC licences, the unauthorised copy becomes available under quite liberal conditions, to which the original author has not agreed. While regular copyright hinders further downstream copying through its all rights reserved rule, CC licensing on this type of site presents the unauthorised copy as available, often even for commercial reuse.

I think this is an important criticism: that the use of CC licensing, upon infringement of the downstream copies of a work, makes the unauthorized copying even more damaging to the author of the original piece.

It is ironic that a site that uses Creative Commons licensing would be subject to criticism for violating users’ own licensing conditions but this is just one example of a more pervasive risk. If you intend your content to be licensed in a particular way then you really need to do your homework and review the terms and conditions applicable to the site you are uploading to. More and more sites do support a variety of licensing conditions (Flickr and Zoopy.com [the Zoopy.com reference has subsequently been added as yet another excellent example of a file sharing site that embraces Creative Commons licensing – disclosure: Zoopy.com has been a client of this firm] are two good examples – they allow you to license your photos using a variety of Creative Commons licenses) and if you would prefer your content to be licensed under a specific license then check to see whether your preferred site supports that license.

The alternative is blindly uploading your content and, by doing that, granting a different license to the service concerned that you didn’t originally intend to grant. Basically, you give rights away that you originally wanted to retain. It is worth taking a few minutes to review the terms and conditions of the site concerned (or have your lawyer review them for you) before you make use of the service.

Corporate laws go digital

Charged has an article about legislation that was tabled in Parliament recently. The Corporate Laws Amendment Bill (No. 6 of 2006) will, when passed, facilitate the digital filing of notices, corporate information and the digital certification of registration documents:

An amendment to South Africa’s corporate laws, tabled in Parliament recently, provides for the use of electronic signatures, the online registration of companies and close corporations and the electronic lodgement of corporate notices and forms.

According to technology lawyer, Reinhardt Buys of Buys Inc. Attorneys, the Corporate Laws Amendment Bill 6 of 2006 is a giant leap towards effective e-government and a true paperless regulatory environment for local businesses.

The Bill also seeks to amend both the Companies Act, 1973, and the Close Corporations Act, 1984, so as to enable electronic disclosure of corporate information, cost-effective ways of publishing notices of incorporation and electronic certification of registration documents.

This is quite exciting legislation because it could bring digital filings into the mainstream through business and, in the process, make out a strong case for digital filings in other areas to improve efficiency and reduce the costs associated with paper filings. One area which could benefit from digital filings is our court system.

(via Buys Incorporated)