Top
Subscribe to Legal Notes
* indicates required
Back office

Entries in social networks (5)

Friday
Jan272012

Your cloud assets and profiles after you die


Imel Rautenbach recently asked me what happens to your content and profiles in the cloud when you die. Its an important question and I've started hearing it a lot lately. There are a couple reasons for this. The first reason that comes to mind is that people are increasingly concerned about what happens to their Facebook and Twitter profiles after they pass away? As ephemeral as these profiles and their content may seem, for many people these services (and other social Web services) document a person's thoughts and life experiences. Facebook with its Timeline feature is specifically designed to become a social and interactive life journal where you effectively maintain a media rich narrative of your life and your connections.

In some cases these social services will offer family and friends a way to keep a deceased person's profile alive in a suspended state. Facebook, for example, can memorialise a profile:

When a user passes away, we memorialize their account to protect their privacy. Memorializing an account sets the account privacy so that only confirmed friends can see the profile (timeline) or locate it in search. Friends and family can leave posts in remembrance. Memorializing an account also prevents anyone from logging into the account.

Dormant social media profiles and accounts could prove to be fertile ground for identity thieves going forward, especially if the late user didn't make use of the relevant privacy controls to restrict access to sensitive personal information.

Funeral

Another reason why its important to think about your assets in the cloud is that we are increasingly storing significant amounts of data on cloud services. These data include photos and other multimedia as well as business and financial data. There are a variety of services which make it very easy to keep our data in the cloud and at a relatively low cost. You may use Evernote to store important information about insurance policies and bank accounts or Dropbox to store vital business and personal documents. Services like Backupify help you back up a variety of cloud based services and Amazon S3 gives you access to vast amounts of storage space at a pretty low cost.

Until now families sorting through a deceased family member's estate would have had to collate and work through assorted files and paper documents, that will likely change. Families are finding themselves faced with disparate digital archives which often contain the sort of information they require to manage and wind up an estate. It is very possible that a person could die and leave very little paper-based information which a family would require to manage and wind up the estate because all of that data would be digitally stored in the cloud. The challenge is that the only person who tends to know how to access those accounts has passed away, taking those details with him or her. One option would be to contact the service concerned, armed with proof of the person's passing, and ask for access. Another is far simpler and requires some planning.

Services like LastPass and 1Password offer convenient and secure ways to manage passwords for all these cloud services. They offer tremendous security benefits because they rely on a master password to securely pass your account specific access credentials to the relevant service. This means you don't have to type in your username and password every time and risk that being intercepted. If you are not using one of these services, you should seriously consider it. Aside from the security benefits, these services also offer a way for your family members to access your cloud services when you are gone. One strategy is to give your master password and username to your spouse and a second trusted family member or friend. Provided they keep that information securely, it will provide them with a convenient way to access your important data after you are gone. Just remember to pass along any password or other access credential updates!

Unfortunately your cloud services profiles and accounts are not the sorts of assets you can hand down to your heirs. The rights you have to access and use these services tend to be personal rights which tend to terminate when you die and can longer exercise any rights. The nature of these profiles and accounts is that they are closely associated with a person's identity, unlike assets like a house which can be transferred to a different person and in which owners tend to have "real" rights which are formally registered. One implication of this is that these profiles and accounts could be terminated when the services concerned learn of your death so it is essential that you give your family and, where appropriate, close friends access to these digital assets.

As an aside, it looks like legislators are starting to look into how best to deal with these digital assets after death. StThato pointed this out to me:

AuthorPaul Jacobson | DateFriday, January 27, 2012 at 9:04AM | | CommentPost a Comment
in ,
Wednesday
Nov092011

What parents can do to better protect their children's privacy online

School children singing, Pie Town, New Mexico (LOC)

Our children are growing up with digital devices and an increasingly social Web and are, in the process, sharing their personal information, oblivious to the risks. Parents are increasingly finding themselves in foreign territory with no real idea where to begin to address their children's privacy. This post is intended to give parents an overview of the privacy frameworks in place and some of the factors to bear in mind.

Protection of Personal Information Bill

This is a draft Bill, making its way through Parliament at the moment. It gives the right to privacy in the Bill of Rights more substance. The Bill focuses on privacy as in informational self-determination, as opposed to privacy as in secrecy. It establishes a framework for what personal information can be collected from whom and what can be done with that personal information. I wrote about this in my post titled "Privacy is about choice":

Privacy has become more about informational self-determination - each person's ability to decide what becomes of their personal information. Facebook has been a bit of a cowboy with users' personal information for some time now and the primary concern, as I see it, is that Facebook has decided, from time to time, to expose more of users' profile information to the public Web and make that level of disclosure a new default. It has also progressively changed its privacy policy to allow for greater transparency. What it has done is severely limit users' choices to the point where their choice has become whether to include information on their profiles or not, bearing in mind that any of their personal information could suddenly be made public.

While the Bill is still subject to change, we can draw on a few of the trends in the Bill:

  • Personal information can only be collected with the data subject's consent, generally speaking (the term "data subject" is the term used for the person whose personal information is collected);
  • Data subjects' consent must be informed and this means the party collecting the personal information must inform the data subject what personal information is being collected and what it will be used for (this is the rationale for detailed privacy policies);
  • Personal information should only be used for the purpose it is collected for and should either be destroyed or anonymised (the Bill talks about "de-identifying" personal information)
    • ; and
  • Personal information should be kept secure and only disclosed where the data subject consents to disclosure or where required by legal authority.

Children's personal information is subject to a further requirement. By children, I am talking about children under the age of 18 (a person is legally recognised as an adult, a major, when that person turns 18 - there are exceptions, though, relating to an incapacity or inability to manage the person's own affairs). The February 2011 draft of the Bill (the current draft as I type this) requires prior consent from a "competent person" before collecting and using a child's personal information. A "competent person" is defined as follows:

A “competent person”, for purposes of paragraph (a), means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child

The position with children is different to general personal information processing because it requires prior consent from that competent person (usually a parent or guardian). In practice this can be a little tricky to obtain for various reasons. The first reason is that, when it comes to the major social networks, its not clear that the Protection of Personal Information Bill applies to those social networks. That said, the provisions dealing with data transfers outside South Africa require that countries this personal information is transferred to subscribe to similar personal information protection principles in their laws.

Consumer Protection Act

The Consumer Protection Act highlights another reason obtaining consent from children for collection of their personal information is tricky. As I pointed out in my post "Why Website terms and conditions matter", a website's terms and conditions is a contract between the site's visitors and users and the site owner. This implies that the parties to this contract have the legal ability to enter into a contract in the first place (this is also known as "contractual capacity"). Section 39 of the Consumer Protection Act deals with this issue when it comes to children:

Agreements with persons lacking legal capacity

39. (1) An agreement to enter into a transaction, or for the supply of any goods or services, to or at the direction of a consumer—

(a) ...
(b) is voidable at the option of the consumer, if—

(i) at the time the agreement was made the consumer was an unemancipated minor;
(ii) the agreement was made without the consent of an adult responsible for that minor; and
(iii) the agreement has not been ratified by either—

(aa) an adult responsible for that minor; or
(bb) the consumer after being emancipated or becoming an adult.

(2) Subsection (1) does not apply to an agreement if the consumer, or any person acting on behalf of the consumer, directly or indirectly, by act or omission—

(a) induced the supplier to believe that the consumer had an unfettered legal capacity to contract; or
(b) attempted to obscure or suppress the fact that the consumer did not have an unfettered legal capacity to contract.

What this means is that a child can enter into a contract with a social network but the parent or guardian whose consent is necessary to ratify or confirm the contract can effectively void that contract. Bear in mind that the contract here probably includes a privacy policy in terms of which the child presumably confirmed that the "competent person" concerned had consented to the social network collecting the child's personal information. The risk to the social network is that the parent or guardian would decide to void the contract between the child and the social network and, effectively, negate the consent to the social network's collection of the child's personal information. This presents a practical challenge to social networks when it comes to applying contractual terms to children's access to their services and their collection of children's personal information.

Social networks

The major social networks and services like Facebook and Google's various services cater for children accessing their services. Facebook's protections are more robust than Google's in many respects. Facebook limits who can see children's Facebook activity. According to Facebook's Safety Centre –

The only people who can see what teenagers post are their Facebook friends, friends of friends and networks (like the school they attend). We maintain added protections and security settings for teenagers (aged 13-17) that ensure their profiles and posts don't show up in public search results. Similarly, if teenagers share their location through Places, only their Facebook friends can see it.

Parents should spend some time reading through the information provided in social networks' privacy information pages. Here are a couple that will probably be pretty relevant:

General tips

Parents should acknowledge that their children are digital natives. Digital is an important part of their daily lives and will be increasingly important in almost all aspects of our daily lives, including the business environment. Trying to block access to this may not work, either for long or at all. Instead parents should engage with their children as much as possible about the services they are using and educate them about the very real risks of disclosing too much information about themselves.

While many parents are unfamiliar with the services their children are using, perhaps even intimidated by those services, they should make every effort to find out more. Often this means creating their own profiles on some of these services and "friending" their kids (even though this would probably mortify your teenagers) so you can keep an eye on what they are doing. That said, children can probably manipulate privacy settings to hide their activities so it falls to parents to learn as much as they possibly can about services like Facebook, Twitter, Google+ and Mxit and what these services' privacy practices are.

Parents are users too and they should bear in mind that their social activities can comprise their children's privacy. I wrote about this is a post titled "The privacy myth" a while ago (the post's main theme is that privacy as in secrecy is a myth online) –

There are two strategies which can help mitigate the effect of the Internet on personal privacy. The first is to proactively manage your identity online. This means using services like ClaimID to create coherent and comprehensive personal profiles online and taking steps to differentiate aspects of your personality from those that either have no link to you or which are misrepresentations or misuses of your identity.

Another simple, yet powerful, strategy is to decide in advance which items of your personal information will never be disclosed online, ever. This strategy depends on the principle that what you don't disclose can't be disseminated and misused. Examples of personal information never to disclose may include your identity number, your home address, your home phone number, your children's school and so on. Particularly sensitive personal information should be closely guarded from disclosure at all times and this requires vigilance.

The major social networks have improved their privacy practices quite a bit in the last few years. There is a common perception that Facebook is inherently insecure but its worth bearing in mind that children may be more at risk when they are out and about in public compared to when they are using Facebook with their privacy settings responsibly configured.

Protecting your children's privacy is not easy and it is more about controlling what is disclosed and how its used rather than keeping it hidden altogether. That said, it can be done but it require diligence and attentiveness.

Update: I have come across a couple sites dealing with children's safety online which may be informative:

AuthorPaul Jacobson | DateWednesday, November 9, 2011 at 11:07AM | | CommentPost a Comment
in , ,
Wednesday
Oct262011

The trouble with online defamation

I frequently receive calls or emails from people asking for help with online defamation, usually on Facebook. The people who contact me are often at their wits' end and want to sue the people defaming them, thinking that will fix the problem. Unfortunately, that can often make it worse. The challenge with online defamation is that the usual legal approach can aggravate the harm being suffered and the better course of action doesn't necessarily fix anything. Dealing with online defamation is often a matter of damage control and this is primarily due to the social Web's nature.

Pro-abortusdemonstratie / Pro abortion demonstration

Social networks like Facebook, Twitter and Google+ empower their users to express themselves on a scale typically not seen before the Web became social. This has shifted power dynamics in profound ways. We recently saw how Facebook and Twitter played important roles in the Arab Spring in Egypt and other countries in the Middle East. It is important that the social Web remain as free and accessible as possible because a free social Web is a powerful tool for freedom generally. At the same time, the social Web, like most tools, has darker applications and defamation online is one of those applications.

Of course, that is an oversimplification. A form of expression can be defamatory and be justifiable and permissible if, on its face, it harms its target's reputation and yet its publication serves a legitimate purpose. When people contact me about defamation online (the term they often use is "slander"), the published material is often not justifiable and is motivated by malice.

The typical legal response to this sort of defamatory material (or any defamatory material, for that matter) is to demand its removal and that the publisher take some form of remedial action to address the harm caused. The problem is that adopting this approach to defamatory statements or material published online can aggravate the situation far more than the person harmed could have anticipated.

Two case studies illustrate this phenomenon well. The first and older case study involves the performer, Barbara Streisand, and her efforts to stop photographs of her coastal home from being published after it was photographed during a coastal survey. Despite her most efforts, photographs of her house were published online, repeatedly. This case study gave the phenomenon its name: the Streisand Effect. A number of subsequent stories validated and reinforced the Streisand Effect including the 2007 Digg-AACS Encryption Key controversy and, more recently, the 2011 Ryan Giggs-UK "Superinjunction" controversy. Both of these more recent case studies illustrate the challenge of adopting a classic legal approach to a social Web problem. In the 2007 Digg controversy, Toshiba's attorney at the time, Michael Avery, summed up this challenge as follows:

If you try to stick up for what you have a legal right to do, and you're somewhat worse off because of it, that's an interesting concept.

When it comes to defamation online, particularly on social networks like Facebook, defamatory statements' harmful impact may only be exacerbated by adopting a traditional legal approach. This isn't to say that the defamation isn't unjustifiable, harmful and actionable but the very real possibility that addressing this misconduct like a conventional legal problem could drastically inflame the situation, and the resulting harm, is an important consideration when planning a response. What is required is a more flexible approach having regard to the specific dynamics involved as well as the platform used. There is no single approach which will be appropriate for all cases.

So what can be done? From an organizational perspective, implementing an Online Reputation Management solution may make a lot of sense. Companies may be defamed too and this defamation frequently results in reputational harm. Simply monitoring keywords and phrases is part of the process which should also include a more detailed strategic plan for dealing with negative and positive sentiment as well as legal input throughout the process to anticipate and cater for potential legal issue which may arise. From an individual perspective, responses may include reporting abuse with the platform's proprietor; laying criminal charges; engaging directly; not taking any active steps for the time being and, when left with little choice, having an appropriately worded demand letter prepared and sent to the culprits.

There are other challenges facing online defamation cases which can be similarly difficult to overcome. One concern is that defamers may be publishing under a pseudonym and are effectively anonymous. This presents a fundamental difficulty because you can only really take action against a known party and if the culprit has used pseudonymous handles and names for his or her profiles, email addresses and other identifiers, suing will be a practical impossibility. Another, very real, concern is the cost of legal action relative to the harm suffered. In the case of individuals, litigation costs are frequently prohibitive; potential damages generally less than they may expect and costs recoveries are cold comfort after a protracted and expensive campaign. Costs are less of an issue for companies which tend to be more able to afford these costs but the challenge here is that taking action may lead to a disproportionate increase in the harm suffered making legal action more of a "principle" based decision which is rarely the ideal motivation for legal action.

A lawyer's role in these sorts of case is less to rush in, guns blazing, and more to get a handle on the situation and help shape responses while anticipating the worst and preparing as much as is possible for a formal dispute. In between there is usually considerable scope for a multi-faceted approach to defamation and the resulting reputational harm where lawyers still play a role. They're just not necessarily the cavalry anymore.

AuthorPaul Jacobson | DateWednesday, October 26, 2011 at 4:59AM | | CommentPost a Comment
in , ,
Wednesday
Apr132011

"Free" online services and privacy law

One aspect of the seemingly free services we use every day (Facebook, Twitter, Google Search and many more) which people tend not to pick up on is that these services really are not free at all. While we don't part with currency to use these services, we do part with our personal information in exchange for meaningful access to these services and what they can do for us. This isn't necessarily bad but it is a reality on the social Web.

A number of local online services are similarly offered, ostensibly for free to users, and they leverage personal information in similar ways and for similar reasons. The anticipated Protection of Personal Information Bill deals with how personal information may be "processed" by various parties and is organised around a number of Information Protection Principles:

  1. Accountability;
  2. Processing limitation;
  3. Purpose specification;
  4. Further processing limitation;
  5. Information quality;
  6. Openness;
  7. Security safeguards; and
  8. Data subject participation.

These principles can be unpacked further to reveal a fair amount of specificity about what personal information can be processed, by whom and to what end. I'll probably unpack many of these principles in the coming months and it will be interesting to see how the Protection of Personal Information Act will interface with the Consumer Protection Act when it is eventually passed and implemented.

What local companies offering "free" online services will need to bear in mind that is that they will have to cater for an increasingly complex legal framework if they rely on personal information to make their service offerings worthwhile from their perspective. This paradigm is also something users should understand and bear in mind when they use these services.

Mich Joel talks about this paradigm and how he fears it may endanger the Web's social nature in his talk at TEDxConcordia recently.:

AuthorPaul Jacobson | DateWednesday, April 13, 2011 at 5:06PM | | CommentPost a Comment
in , ,
Friday
Jan142011

Why our obsession with Facebook should matter to you

I just noticed this on Mashable and thought I would share it with you. There are some pretty interesting statistics which are worth bearing in mind when developing an approach to Facebook as a marketing channel as well as developing your approach to your employees' social media use, whether that be through a social media policy or similar policy framework within your business.

What is revealing about this infographic is that Facebook is an increasing part of younger people's lives, as well as us older types. This becomes an important consideration when deciding how much access to the social Web employers will permit. One risk (and I think it is a real risk) is that prospective hires may shy away from employers that are more restrictive than those who permit more moderate access to the social Web. Another consideration is how much news and information people receive through social networks. Often this news and information is what enables people to do their jobs a little more effectively in an increasingly connected world. Cutting off access to those social networks is going to be increasingly analogous to denying employees access to email.

AuthorPaul Jacobson | DateFriday, January 14, 2011 at 12:11PM | | CommentPost a Comment
in