Is sharing naked photos of your kids child pornography?

(Update 2014-06-12): Professor James Grant, an Associate Professor of Law at the University of the Witwatersrand, has published an article on his site, titled “Child Pornography: Distribution by Parents”, in which he explores the implications of the Criminal Law (Sexual Offences) Amendment Act which also deals with child pornography. That Act also has a pretty broad definition of “child pornography”, possibly even broader than the Films and Publications Act, and is even more problematic for parents. I especially like his comment on the law (and not just because he mentions me):

This is an analysis of the law as it is. It is not a comment on what the law ought to be. I’m not sure our law should be this strict. But then I wish I didn’t live in a world full of depraved monsters. Paul Jacobson has already made all of the sensible remarks. Put the best interests of your child above any of your interests. All I can add is a lot of scepticism about human nature. I have met and studied the wrong kind of people and am probably now speaking as a father of the two year old girl I looked after this morning. People are always amazed that their wonderful, kind and friendly neighbour turns out to be a monster. We must never forget for one moment that evil and depravity is banal and that monsters must live somewhere. But here is the problem, in our era of immediate communication and instant access, everyone is your neighbour.

You should definitely read his article too.


The National Prosecuting Authority’s recent warning that “any image of a naked child is child pornography” has, understandably, attracted quite a bit of attention. Why is “any image of a naked child” pornography? According to the NPA’s Advocate Bonnie Currie-Gamwo –

… the reason for that is quite simple; it can be abused. What you do innocently, others take and they abuse it.

The NPA cautioned parents against publishing naked photos of their children online as the NPA considers this to be child pornography and the NPA may well prosecute parents who don’t heed the warning. This is problematic both for parents who have become accustomed to sharing photos of their kids growing up and for photographers commissioned to do family shoots (in particular, popular newborn baby shoots) who may have published some of the photos from these shoots in their online catalogues, with or without parents’ consent.

What is “child pornography”?

Child pornography is a significant problem and the ease with which content can be shared online has only contributed to child pornography’s proliferation. That said, the NPA’s blanket statement that “any image of a naked child” is child pornography may be too broad. Unfortunately the NPA doesn’t seem to have specified which laws it interprets so broadly.

One possibility is that the NPA is referencing the Films and Publications Act which regulates “the creation, production, possession and distribution of films, games and certain publications” in order to –

  • provide consumer advice to enable adults to make informed viewing, reading and gaming choices, both for themselves and for children in their care;
  • protect children from exposure to disturbing and harmful materials and from premature exposure to adult experiences; and
  • make the use of children in and the exposure of children to pornography punishable.

The Films and Publications Act defines “child pornography” as follows:

“child pornography” includes any image, however created, or any description of a person, real or simulated, who is, or who is depicted, made to appear, look like, represented or described as being under the age of 18 years—

(i) engaged in sexual conduct;
(ii) participating in, or assisting another person to participate in, sexual conduct; or
(iii) showing or describing the body, or parts of the body, of such a person in a manner or in circumstances which, within context, amounts to sexual exploitation, or in such a manner that it is capable of being used for the purposes of sexual exploitation;

The Act states that any person who –

(a) unlawfully possesses;
(b) creates, produces or in any way contributes to, or assists in the creation or production of;
(c) imports or in any way takes steps to procure, obtain or access or in any way knowingly assists in, or facilitates the importation, procurement, obtaining or accessing of; or
(d) knowingly makes available, exports, broadcasts or in any way distributes or causes to be made available, exported, broadcast or distributed or assists in making available, exporting, broadcasting or distributing,

any film, game or publication which contains depictions, descriptions or scenes of child pornography or which advocates, advertises, encourages or promotes child pornography or the sexual exploitation of children, shall be guilty of an offence.

Perspectives on “sexual exploitation” of children

The term “sexual conduct” includes a variety of sexual acts and this is the focus of the first two parts of the “child pornography” definition. These two parts are fairly clear but it is the third part which is possibly what the NPA is referring to –

showing or describing the body, or parts of the body, of such a person in a manner or in circumstances which, within context, amounts to sexual exploitation, or in such a manner that it is capable of being used for the purposes of sexual exploitation

The Act doesn’t define “sexual exploitation” so we need to understand what this term means in order to understand the scope of this part of the definition. The World Congress against Commercial Sexual Exploitation of Children defined the “commercial sexual exploitation of children” as:

sexual abuse by the adult and remuneration in cash or kind to the child or a third person or persons. The child is treated as a sexual object and as a commercial object.

The UK National Society for the Prevention of Cruelty to Children describes “sexual exploitation” as follows:

Child sexual exploitation (CSE) is a form of sexual abuse that involves the manipulation and/or coercion of young people under the age of 18 into sexual activity in exchange for things such as money, gifts, accommodation, affection or status. The manipulation or ‘grooming’ process involves befriending children, gaining their trust, and often feeding them drugs and alcohol, sometimes over a long period of time, before the abuse begins. The abusive relationship between victim and perpetrator involves an imbalance of power which limits the victim’s options. It is a form of abuse which is often misunderstood by victims and outsiders as consensual. Although it is true that the victim can be tricked into believing they are in a loving relationship, no child under the age of 18 can ever consent to being abused or exploited.

The United Nations’ task force for Protection from Sexual Exploitation and Abuse describes “sexual exploitation” in the following terms:

“The term “sexual exploitation” means any actual or attempted abuse of a position of vulnerability, differential power, or trust, for sexual purposes, including, but not limited to, profiting monetarily, socially or politically from the sexual exploitation of another.” (UN Secretary-General’s Bulletin on protection from sexual exploitation and abuse (PSEA) (ST/SGB/2003/13))

These three explanations of “sexual exploitation” when it comes to children have common elements:

  • Manipulation, coercion or an abuse of a relatively vulnerable position for sexual purposes;
  • Children’s lack of legal, cognitive or even emotional capability to consent to being exploited sexually.

The idea of sexual exploitation lies at the core of what most people think about when the topic of “child pornography” is raised and it is a vile set of behaviours that do terrible harm to the most vulnerable members of our society. As a parent and as a human being, there is really no justification for this sort of conduct.

Any naked pictures?

The question, though, is whether a parent publishing naked photos of his or her children “amounts to sexual exploitation, or in such a manner that it is capable of being used for the purposes of sexual exploitation”? This question is distinct from a different question, namely whether parents should be publishing naked photos of their children, even if it isn’t child pornography? This second question has more to do with your children’s right to privacy and how you are effectively making decisions for them about how little privacy they will have in a connected world where the Internet doesn’t forget.

Returning to the “child pornography” issue (based on the Films and Publications Act, at any rate), the NPA’s contention that any image of a naked child is child pornography seems to be too broad. The NPA seems to be relying on the last part of the definition, which asks whether the photos are “capable of being used for the purposes of sexual exploitation”. Or, as Advocate Currie-Gamwo put it:

… the reason for that is quite simple; it can be abused. What you do innocently, others take and they abuse it.

Regardless of how your child is depicted in the photo, if the photo can be abused by others, the NPA seems to be saying that falls within “purposes of sexual exploitation”. Going further, parents who publish these photos must be held accountable for the depraved “others’” misuse of those photos of their children.

I don’t practice criminal law but that strikes me as a particularly chilling approach to criminal liability and it may not be consistent with how the Films and Publications Act describes the nature of the offence which I outlined earlier. The Act lists what seem to be a series of positive acts and references “knowingly” doing certain things. If a parent were to be held accountable because a paedophile downloaded a photo of his or her child and somehow used it “for the purposes of sexual exploitation”, I wonder whether the parent’s potential negligence could be used to hold the parent liable, even if the parent reasonably ought to have known that this was how the photos could have been misused?

Where does this leave us?

Aside from depictions of children engaged in or participating in forms of sexual conduct, the Films and Publications Act seems to target descriptions or depictions of children’s bodies that amount to actively manipulating, coercing or abusing children, in the process taking advantage of their vulnerability, for sexual purposes. This sort of conduct is clearly abhorrent.

Whether content amounts to child pornography isn’t always clear and there is certainly room for interpretation based on the context but classifying “any image of a naked child” as pornography seems to be interpreting the law too broadly, especially if the possible consequences for parents sharing these sorts of photos with friends and family with innocent intentions can be so severe.

What parents should seriously consider is whether they should share seemingly innocent photos of their naked or partially naked children online. As I mentioned above, the Internet doesn’t forget and when you publish photos of your children publicly, you make decisions about their present and future privacy for them without them being able to make a meaningful decision themselves.

Until this sort of issue reaches a court and is decided (possibly on an interpretation of the law or an assessment of the parents’ right to privacy as a counterweight to the NPA’s scrutiny), we are left with the NPA’s threats of dire action and deciding whether sharing photos of our children is worth the risk posed by an arguably overzealous group of prosecutors. In the context of that uncertainty, here are a few suggestions:

  1. If you feel the urge to publish a naked photo of your child, remember the NPA’s view that it is child pornography and also the reality that there are people who scour the Internet for photos of children to meet their depraved needs. Ask yourself if you want to fuel those needs for the sake of attention from your friends and family?
  2. If you decide to share photos of your children, limit who you share the photos with. It may not help you from the NPA’s perspective but limiting the photos to people who you know and trust keeps those photos out of the hands of those you don’t and adds a little more protection of your children’s privacy.
  3. Photos of children in sexually suggestive or explicit poses are not ok. The law clearly criminalises these sorts of photos so don’t take them and don’t share them.
  4. If you are a photographer and you have been asked to do a photo shoot where the kids may be naked (for example, a newborn shoot), perhaps refrain from publishing those photos or, at least, be very selective about which ones you publish as part of your portfolio. Make sure you ask the parents for consent before you publish any photos of their children (your blanket consent in your privacy policy is not enough) and that the parents understand this additional risk of criminal prosecution.

Regardless of whether the NPA’s interpretation is justified, one clear principle of our law when it comes to children is that we always ask what is in their best interests. Is publishing photos of your naked children in their best interests, or just in yours?

Reasonably practicable compliance with POPI is not enough

When considering how much you should do to comply with legislation like the Protection of Personal Information Act, you have three choices:

  1. Do as little as possible and see what you can get away with;
  2. Calculate the degree of “reasonably practicable” compliance required and stick with that;
  3. Adopt a more holistic approach to compliance.

Of the three options, the first is clearly a recipe for disaster. The only questions are when disaster will strike and how devastating it will be.

The second option is a popular one. To begin with, it is a practical solution because it takes into account what the law requires of you in order to meet the law’s standard so you limit your potentially significant investment in a compliance program without a corresponding quantitative benefit. Makes sense, right? In a way, yes, but what it doesn’t take into account is that your primary compliance risk is increasingly not regulators (at least not in South Africa where regulators often lack the capacity to respond very quickly), but rather the people who are directly affected by your decisions.

In other words, complying with laws like the Consumer Protection Act and Protection of Personal Information Act is not a quantitative exercise where you empirically (or as close to empirically as a legal compliance assessment can be) calculate your desired degree of compliance and work to that standard. Instead compliance is qualitative.

John Giles published a terrific post on the Michalsons blog titled “Only do what is reasonably practicable to comply with POPI” in which he explains POPI’s baseline compliance standard which is based on reasonableness and how this translates into what is likely an effective quantitative approach to compliance. It is worth saving the article because it is a handy reference for when you need to understand what the law means by “reasonably practicable”.

I don’t believe that this is enough, though. If anything, the question of what is reasonably practicable should only be part of your assessment of what you should do. The next, and arguably more important, question should be “What should we do to ensure not only compliance with the law but also to earn our customers’ trust?”. No, I’m not suggesting you drink the “rainbows and unicorns” energy drink and spend real money complying with some nebulous standard because your customers will like you more. Well, not entirely. What I am suggesting is that there is another dimension to compliance with legislation that affects people in very personal ways.

When you look at recent privacy controversies involving services like Facebook, Google and SnapChat, one theme that emerges from each of these controversies is not that these companies handled users’ personal information in ways they necessarily concealed from users. Their privacy policies describe what they do with users’ personal information in varying degrees. What really upsets users is that they weren’t expecting these companies to do the things they did, because users tend to develop a set of expectations of their providers which is typically not informed by privacy policies (because few people read them). These expectations are informed by what these companies tell them in marketing campaigns, what other users and the media tell them, what their friends share with them and their experiences with the services themselves.

When a provider steps outside its users’ collective expectations, mobs form and there is chaos in the metaphorical streets. The fact that these companies stuck to their published privacy policies and terms and conditions is largely irrelevant because users are not wholly rational and analytical. They don’t go back to the legal documents, read them quietly and go back to their daily lives when they realise that they mis-read or misunderstood the legal terms and conditions. No, they are outraged because the companies violated the trust users placed in these companies based on users’ expectations.

You may not have the same number of customers as Facebook, Google or SnapChat and your business may be different but if you are considering Protection of Personal Information Act or Consumer Protection Act compliance, you are dealing with the same people: consumers who have expectations and perceptions which you influence but certainly don’t control. If you violate the trust they place in you, the response will be swift and the consequences from a reputational perspective could be severe.

When you develop your compliance program, assess what is reasonably practicable and set that as your commercial baseline. Then, consider how transparent you can be with your customers about what you intend doing with their personal information.

I remember reading a discussion about partners cheating on each other and at one point in the article the writer said that cheating isn’t just about the act but also the thoughts that precede it. If you have thoughts about another person which you don’t want to share with your partner, that is probably a good indication you are contemplating something you shouldn’t be doing. Apply that to your compliance program and ask yourself if you are comfortable disclosing what you intend doing with your customers’ personal information to them? If you are, be transparent about it in your privacy statement/policy and in your communications with your customers.

If you don’t feel comfortable being transparent about how you intend using your customers’ personal information and, instead, intend hiding behind technical legal compliance with the law to justify your data use, you may be setting yourself up for a bitter divorce and a costly battle with your customers. By the time the regulators arrive to assess your compliance, the damage will already have been done and the reasonably practicable thing to do will be to pick up the pieces of your reputation (and possibly your business) and start earning your customers’ trust again.

When it comes to data protection, transparency and trust are essential

When it comes to privacy, two key success factors are transparency and the trust it engenders. Responsible data processing is how you move from transparency to trust.

I wrote an article about this which I published on LinkedIn (it was also published on MarkLives) which I titled “Trust is more important than sales”. You may find it interesting.

A transparent approach to privacy policies

Richard Beaumont’s article “Transparency Should Be the New Privacy” echoes a point I’ve also been making recently: data protection or privacy is mostly about transparency and trust. Sure, compliance is essential but from a data subject or consumer’s perspective, how transparent you are about how you process the data subject’s personal information and whether your activities engender trust are arguably as important. Achieving that requires a varied approach to data protection and one of the key elements is the document you publish about this, namely the privacy policy (also known as a “data protection policy”, “privacy statement” and other titles).

As Beaumont points out:

The website privacy policy is the basis on which organisations can claim they have received consent from customers/visitors to collect whatever data they want and do what they like with it. In a data-driven world, they are important documents. Expensive lawyers are often paid large sums of money to write them in the full knowledge that they will rarely be read. Of necessity, it is written in legalese that most people won’t fully understand, and it is long because it has to cover all eventualities.

Of course, hardly anybody reads them. In the vast majority of cases, it would be a colossal waste of time.

I don’t agree with an approach that obscures privacy policy wording by using legalese and complex language but privacy policies are typically not read and understood before data subjects share their personal information. On the other hand, Beaumont makes a number of good points about the purpose of most privacy policies:

However, the problem is not really with the privacy policy itself as a document; it is the fact that it has been mis-sold to us. We are led to believe its purpose is to inform. We are told this because consent relies on us being informed about what we are consenting to. It is the basis of almost all privacy law throughout the world.

However, if that were true, it wouldn’t be buried in a link at the bottom of the page and written in dense text that is often also in a smaller font than the rest of the site. Website designers and copywriters know how to inform people online. The privacy policy is the document on any website least likely to inform the visitor in any meaningful way.

The reality is that the privacy policy is designed to protect the owners in the case of a dispute—which is what most legal documents are designed to do. There is nothing wrong with this—these documents are necessary in certain circumstances. It’s just that they don’t fulfil the more common need for accessible information about privacy practices at the company.

He goes on to propose a “transparency policy” as an alternative to a conventional privacy policy. I don’t think we need a new term for the document except where using a new name shifts our perception of the document’s role. I’ve been reading a lot more about more visual legal documents and I like Beaumont’s suggested approach, at least in part:

The transparency statement will be short, clear and simple to understand. It might borrow from the “layered” privacy policy model and would almost certainly involve a strong visual element. It will be easily accessible and you will be encouraged to look at it, especially on a first visit. It will be the basis on which the website will set your expectations for how you and your data will be treated.

His model involves a transparency statement operating alongside a privacy policy which would give the transparency statement important “legal weight”. I don’t think this is necessary, though. I prefer some lawyers’ approach of publishing a “privacy statement” rather than a privacy policy. Although privacy policies are frequently framed as documents you, as a data subject, agree to, they can function just as well as statements of what personal information is being collected; how it is being processed and under what circumstances that personal information may be disclosed and to whom.

When I prepare privacy policies, I usually pair them with a website’s terms and conditions which invoke the privacy policy as an explanation of what personal information is processed and how. The terms and conditions then reference the privacy policy and provide the “legal weight” Beaumont refers to. In that model, a privacy policy could be reframed as a streamlined privacy statement along similar lines to Beaumont’s suggested transparency statement and some lawyers’ privacy statements. Inferring agreement with a privacy statement becomes largely unnecessary and it would only really be important to establish that data subjects agreed to the terms and conditions themselves which, in turn, would point to the privacy statement for information about personal information processing.

A streamlined privacy statement would also be better suited to more visual representations of its contents which makes them far more intelligible and, by extension, a company’s data processing activities more transparent. With more transparency comes more accountability and trust. In addition –

Because the transparency statement is also more likely to be read, commented on and engaged with, it will likely improve over time, and accepted standards might emerge. This would potentially create a virtuous circle that further improves clarity for consumers.

Emerging standards have further benefits which I find really exciting. The bottom line, though, is Beaumont’s conclusion:

Transparency statements could be the vehicle to enable the majority of people to make better-informed choices than they currently do and use a truly market-driven approach to online privacy practice.

SnapChat privacy is not what you think

SnapChat’s privacy controls are what made it both enormously popular and troubling to its young users’ parents. When SnapChat launched, it gave users the ability to share photos and videos which promptly vanished into the ether. This appealed to its typically young and privacy-conscious users because they finally had a way to share stuff with each other with impunity. This obviously bothered parents and teachers as it potentially gave their children a way to share content they shouldn’t share.

A Federal Trade Commission investigation has led to acknowledgements that content posted on SnapChat isn’t nearly as temporary as everyone may have thought. The New York Times published an article titled “Off the Record in a Chat App? Don’t Be Sure” which began with the following:

What happens on the Internet stays on the Internet.

That truth was laid bare on Thursday, when Snapchat, the popular mobile messaging service, agreed to settle charges by the Federal Trade Commission that messages sent through the company’s app did not disappear as easily as promised.

Snapchat has built its service on a pitch that has always seemed almost too good to be true: that people can send any photo or video to friends and have it vanish without a trace. That promise has appealed to millions of people, particularly younger Internet users seeking refuge from nosy parents, school administrators and potential employers.

Oversight or lie?

The FTC’s release includes the following background to its investigation and its stance:

Snapchat, the developer of a popular mobile messaging app, has agreed to settle Federal Trade Commission charges that it deceived consumers with promises about the disappearing nature of messages sent through the service. The FTC case also alleged that the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure. In fact, the case alleges, Snapchat’s failure to secure its Find Friends feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.

According to the FTC’s complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez. “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

Touting the “ephemeral” nature of “snaps,” the term used to describe photo and video messages sent via the app, Snapchat marketed the app’s central feature as the user’s ability to send snaps that would “disappear forever” after the sender-designated time period expired. Despite Snapchat’s claims, the complaint describes several simple ways that recipients could save snaps indefinitely.

Consumers can, for example, use third-party apps to log into the Snapchat service, according to the complaint. Because the service’s deletion feature only functions in the official Snapchat app, recipients can use these widely available third-party apps to view and save snaps indefinitely. Indeed, such third-party apps have been downloaded millions of times. Despite a security researcher warning the company about this possibility, the complaint alleges, Snapchat continued to misrepresent that the sender controls how long a recipient can view a snap.

SnapChat published a brief statement about its agreement with the FTC on its blog which includes the following statement which is fairly worrying:

While we were focused on building, some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community. This morning we entered into a consent decree with the FTC that addresses concerns raised by the commission. Even before today’s consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description, and in-app just-in-time notifications.

On the one hand, the FTC essentially found that SnapChat has been misleading its users about its service’s privacy practices and, on the other hand, SnapChat pointed to a communications lapse, almost as an oversight. Considering that SnapChat has always been focused on the fleeting nature of content posted on the service and the privacy benefits for its users, this doesn’t seem very plausible.

“Improved” privacy policy wording

SnapChat updated its privacy policy on 1 May. The section “Information You Provide To Us” is revealing because it qualifies “Snaps'” transient nature so much that transience seems to be the exception, rather than the default behaviour:

We collect information you provide directly to us. For example, we collect information when you create an account, use the Services to send or receive messages, including photos or videos taken via our Services (“Snaps”) and content sent via the chat screen (“Chats”), request customer support or otherwise communicate with us. The types of information we may collect include your username, password, email address, phone number, age and any other information you choose to provide.

When you send or receive messages, we also temporarily collect, process and store the contents of those messages (such as photos, videos, captions and/or Chats) on our servers. The contents of those messages are also temporarily stored on the devices of recipients. Once all recipients have viewed a Snap, we automatically delete the Snap from our servers and our Services are programmed to delete the Snap from the Snapchat app on the recipients’ devices. Similarly, our Services are programmed to automatically delete a Chat after you and the recipient have seen it and swiped out of the chat screen, unless either one of you taps to save it. Please note that users with access to the Replay feature are able to view a Snap additional times before it is deleted from their device and if you add a Snap to your Story it will be viewable for 24 hours. Additionally, we cannot guarantee that deletion of any message always occurs within a particular timeframe. We also cannot prevent others from making copies of your messages (e.g., by taking a screenshot). If we are able to detect that the recipient has captured a screenshot of a Snap that you send, we will attempt to notify you. In addition, as for any other digital information, there may be ways to access messages while still in temporary storage on recipients’ devices or, forensically, even after they are deleted. You should not use Snapchat to send messages if you want to be certain that the recipient cannot keep a copy.

If you read the second paragraph carefully, you’ll notice the following exceptions to what most users assumed was the service’s default behaviour: permanently deleting Snaps after specified time intervals. I have highlighted the exceptions in the quotes below.

  1. “Similarly, our Services are programmed to automatically delete a Chat after you and the recipient have seen it and swiped out of the chat screen, unless either one of you taps to save it”
  2. “… users with access to the Replay feature are able to view a Snap additional times before it is deleted from their device”
  3. “… if you add a Snap to your Story it will be viewable for 24 hours”
  4. “Additionally, we cannot guarantee that deletion of any message always occurs within a particular timeframe”
  5. “We also cannot prevent others from making copies of your messages …”
  6. “In addition, as for any other digital information, there may be ways to access messages while still in temporary storage on recipients’ devices or, forensically, even after they are deleted”

The last sentence emphasises how much its users should rely on the service for meaningful privacy:

You should not use Snapchat to send messages if you want to be certain that the recipient cannot keep a copy.

Where does this leave SnapChat users?

The problem with these revelations is not that Snaps are actually accessible and may endure in some form or another. The problem is that SnapChat pitched a service that doesn’t retain its users’ content. SnapChat rose to prominence at a time when the world was reeling from revelations about unprecedented government surveillance which seemed to reach deep into a variety of online services we assumed were secure. Its promise was to protect its users’ privacy and their content from unwanted scrutiny. In many respects, SnapChat seemed to be the first of a new wave of services that placed control in users’ hands.

In the process, SnapChat misled its users fairly dramatically and that is the most troubling aspect of this story. SnapChat users relied on an assumption that their content is transient and this has turned out not to be the case at all. Putting this into context, though, this doesn’t mean SnapChat is inherently less private than any other chat service. Short of poor security practices, this isn’t necessarily the case. It means that SnapChat is fairly comparable to other chat services which haven’t made similar claims about the privacy of their users’ communications.

That said, a significant challenge is that a large proportion of SnapChat’s users are probably under the age of 18. Although US services are more concerned about children under the age of 13 using their services due to certain laws protecting children in the United States, our law doesn’t draw this distinction. In South Africa, a person under the age of 18 is a child and subject to special protections which SnapChat has had almost no regard for. Not only has SnapChat arguably processed children’s personal information in a manner which would not be acceptable in our law, it has misled those children about the extent to which it protects their privacy. At the very least, they and their parents should be very concerned and circumspect about continuing to use the service.

On a related note, it is worth reading Information Week’s article titled “5 Ways SnapChat Violated Your Privacy, Security”.

How to deal with stalkers taking photos of you

I spoke to Kieno Kammies on 567 CapeTalk radio this morning about a troubling trend. As you can hear from the segment, below, the concern is partly about people being photographed in suspicious ways in public. One example is a person following women around shooting video of them or taking photos without their knowledge. This isn’t so much about a person taking a photograph of a scene that happens to include women walking past but actually targeting those women.

Whether this is a privacy issue depends very much on the subject matter and the context. In this respect it comes down to legitimate expectations of privacy in the case of adults and appropriate consent when it comes to children (at least in terms of the Protection of Personal Information Act). The law that is likely to be more appropriate here is the Protection from Harassment Act which targets forms of harassment which the Act defines as follows:

“harassment” means directly or indirectly engaging in conduct that the respondent knows or ought to know-

(a) causes harm or inspires the reasonable belief that harm may be caused to the complainant or a related person by unreasonably-

(i) following, watching, pursuing or accosting of the complainant or a related person, or loitering outside of or near the building or place where the complainant or a related person resides, works, carries on business, studies or happens to be;

(ii) engaging in verbal, electronic or any other communication aimed at the complainant or a related person, by any means, whether or not conversation ensues; or

(iii) sending, delivering or causing the delivery of letters, telegrams, packages, facsimiles, electronic mail or other objects to the complainant or a related person or leaving them where they will be found by, given to, or brought to the attention of, the complainant or a related person; or

(b) amounts to sexual harassment of the complainant or a related person;

The harm the Act protects against may be “any mental, psychological, physical or economic harm”.

This Act is designed to be user friendly and the Regulations describe which forms to use for which steps and who to approach at each step. The Department of Justice and Constitutional Development has a comprehensive page with links to the Act, the Regulations and the various forms. The process was designed in such a way that you don’t need an attorney to assist you (although you can have one helping you) and you need not know the harasser’s identity either. The Act creates a mechanism whereby the police may be instructed to investigate and identify the suspected harasser.

This legislation can be used for various activities which fall into the “harassment” definition, including stalkers like the ones described in the segment as well as cyber-bullying and more.