Privacy

Posts on privacy issues

Google and other image search engines are a free and easy way to get visual information. Search engines are not the best way to find an image for your blog. Your copy of an online search image may not cause trouble if used in an off-line collage or physical artwork. Use of that same image online, however, carries enormous risk. Unfortunately, search engine results obscure image ownership information.  Images bounce around the internet as they are screen-captured, downloaded from social media, mixed with other material, and shared by users. The owner of the website where you found the image likely does not own the image or provide permission from subjects appearing in the image.

Nevertheless, the photographer and each party or location depicted in the photo have rights in the image. Obtaining each of their permissions to use the image for your particular personal, commercial, or professional use is required to avoid liability. Although most images online are of unknown provenance, people and businesses continue to use online search images without permission. Several clients this year received demand letters relating to the use of online images without permission. Here are a few reasons to avoid risk by not right-clicking an image:

  1. Photo Trolls are Copyright Owners with Registered Claims to Copyright. While true, certain copyright owners are very aggressive about policing their rights. They use electronic infringement detection tools to identify potential infringement of their copyrights, then demand several thousand dollars per image to settle. Ignore their demand letters at your peril. (more…)

On November 19, 2014, the Federal Trade Commission announced that it is seeking public comment on a second proposed verifiable parental consent method by AgeCheq, an online privacy protection service. The Children’s Online Privacy Protection Act (COPPA) requires children and family-friendly website operators and app developers to (1) post privacy policies and (2) notify and obtain verifiable consent from parents prior to collecting, using, or disclosing personal information from children under the age of 13.

There are considerable challenges to obtaining verifiable consent from parents in real time, particularly for use of online services by children. The rule lays out a number of acceptable methods for gaining verifiable parental consent and includes a provision allowing parties to submit new consent methods to the FTC for approval. AgeCheq’s new proposal eliminates the need for paper signatures by providing a digitally signed parental declaration authenticated by a verification code on the parent’s mobile device.

Can Newsworthiness fade away? A tabloid figure of the 1970's loses her fight for privacy.

Joyce McKinney allegedly kidnapped and raped a Mormon missionary dubbed the Mormon Sex Slave by the Daily Mirror. McKinney was the Diaper Wearing Astronaut of her time. Tabloid media’s entertainment value comes from invading the personal lives of notable and notorious people. Invasion of privacy laws protect people from injury from unwanted attention. Public figures like elected officials and celebrities who seek public attention seldom win lawsuits for invasion of privacy. The First Amendment protects newsworthy stories. Sensational stories may transform a private person into a limited public figure because she is related to a newsworthy event like the Manacled Mormon story. When the story fades into history, does its newsworthy status evaporate? Do limited public figures like Joyce McKinney have a right to keep their notorious acts in the past? (more…)

Or perhaps the notices are a hoax virus, spread by friends bullying friends to spam others to show respect for the poster’s privacy and copyrights. Posting and reposting the Facebook Privacy Notice will not change Facebook’s policies. If privacy is a concern, adjust privacy settings or avoid using Facebook for private communications. If controlling content is a concern, avoid posting images or register copyright in important materials before posting. To use Facebook, users give it a limited right to “share” their user content. This right does not place user content in the public domain. (more…)

Keeping your Facebook images private is a confounding problem. Ask Mark Zuckerberg’s sister Randi, who couldn’t make sense of FB’s privacy settings. Kashmir Hill, a privacy commentator at Forbes, posted a funny analysis of the Zuckerberg predicament and easy-to-follow directions on how to adjust your settings to keep family photos more private. The settings are easy once you know where to look. User posting behavior sometimes doesn’t match user privacy concerns.

Regarding content posted online as public is best, no matter what the privacy policy says. Social media and other interactive businesses struggle to keep their policies (and practices) current and reflective of how technology actually uses data to provide services online. Users who follow the steps in Kashmir Hill’s article and think before posting private content will have fewer social media privacy concerns.

Facebook gets a new groove: proposed updates to privacy and use policies

I guess we of Facebook Nation no longer “think” as one.  Last week Facebook announced proposed changes to its Data Use Policy (explains collection and use of data) and Statement of Rights and Responsibilities (terms of use).

As of November 28, Facebook will be able to change its policies with seven days’ notice to users. No more voting. In the past, voting on changes allowed some users to flood the system and obscure other users’ input. Will the proposed changes offer more transparency or enhance users’ experience?

The Data Use Policy is slowly becoming less opaque but still obscures some collection methods. For example, the Data Use Policy does not explain how the Facebook “Like” button on third-party sites may collect data about our activities on each website we visit after “liking” a site and then share that data with affiliates who serve targeted ads elsewhere.

Will the proposed changes affect businesses and marketeers using Facebook for corporate events, product launches and brand communications?  While the proposed changes do not seem to affect developer and marketing activity, empowering consumers with privacy settings could curb the digital love.

Everything needed to “understand” Facebook’s new moves is here.

Websites should consider treating children as an attractive nuisance. Even consider putting up fences to keep them out. 

The FTC is monitoring many websites that attract children (even unintentionally) for COPPA violations. The Children’s Online Privacy Protection Act, COPPA, requires websites to obtain verifiable parental consent before collecting personal information from kids under age 13. Sites that are “directed” to such children must also disclose to parents what they collect about their children, how they use the information and what they disclose to third parties. If the websites do not comply with COPPA, the Federal Trade Commission may investigate and impose fines and consent orders to curb websites’ tracking of children under 13.

Many website policies include a disclaimer that the website is “NOT directed” to children under age 13 and prohibit access by children under 13 or limit it to use under direct parental supervision. Unfortunately, these policies will not limit the liability of a website operator if it knows kids under 13 are providing personal information to its website. Then, the website is likely to be considered to be directed to such children. If a website operator knows that kids are attracted to its website, then the website must comply with COPPA as if the website is intentionally directed to children under 13.

Artist Arena manages fan sites for Justin Bieber, Rihanna and Selena Gomez (among others), which together collected personal information from more than 25,000 children under the age of 13 without seeking verifiable parental consent. Artist Arena’s fan sites were intentionally directed to ‘tweens as the target audience of the celebrities featured on its fan sites and had COPPA policies, but failed to actually notify the parents and obtain their permission before collecting info from their children. Artist Arena settled with the FTC, agreeing to pay a cool million dollars, enter into a consent decree against future COPPA violations, and destroy all data it unlawfully collected from children.

The take-away?

Kids are adept at learning new technology and have unfettered access to smartphones, tablets and desktop computers. So, it goes without saying that many registration schemes aimed at preventing kids from accessing an attractive website are quickly overcome. A policy prohibiting use by children is definitely not sufficient. Operators of interactive websites (sites with blogs, forums, comment and sharing features) can’t ignore kids under 13 who are using the site. Their data stream will likely “rat them (and the operator) out.” With notice of kids, the operator must either block access or adopt a COPPA policy and enforce it. Get the COPPA FAQs here.

As for Bieberfever.com? Users who admit to being age 13 or younger are persistently blocked from registering:

We are sorry, but you can not register at this time.

Hat/Tip to Sharon Snyder for sending me this Washington Post article about Artist Arena’s woes.

@FTC: Google pays $22M for (unintentional) misrepresentation of privacy practices - no intent required

The FTC hosted a super fascinating Twitter “conversation” following its announcement of the $22 million settlement with Google over its privacy violation in overriding the Safari browser’s privacy settings without notifying users. FTC Department of Enforcement staffers exchanged tweets with a few privacy-focused Twitter users. Many tweets focused on whether Google intentionally deceived users as to its privacy practices, or if the privacy breach was an accident. Other tweets keyed in on how Google’s fine was calculated, and asked when the FTC first learned of Google’s secret Safari tracking. The FTC responded that Google’s intent is irrelevant to the question of whether there are misrepresentations in privacy policies. This reflects FTC precedent. One FTC tweet reflected cynicism that the tech giant is unable to control its privacy practices, saying “unintentional is Google’s story.”

The takeaway is that overpromising protection of personal data in a privacy policy is a bad idea. Even accidental violations of a privacy policy are actionable. Too many unforeseeable risks are posed by collecting and sharing user data (from hackers to a lack of coordination with technology partners) to make such promises. Ask Twitter about its own FTC settlement. Expectations (of both consumers and regulators) about the content of privacy policies have changed. Most websites need new policies that contemplate the changes to COPPA, increased expectations for privacy disclosures for mobile devices and protection of offline data. Website operators must understand how their technology uses the website’s customer data. Details about how both personally identifiable and non-personally identifiable information is collected, shared and protected should be disclosed.

Tweeps who engaged with the FTC last week might wonder how their tweets are being used. The FTC’s privacy practices are disclosed in the FTC’s Privacy Impact Assessment and a chart showing how user information is collected when interacting with the FTC.

Does your website have a Facebook “Like” button? Is your website, mobile site or mobile app directed at adults but attracts children under age 13? Pull out your pens. The Wall Street Journal reports that today the FTC is expected to issue new rules proposed last fall to protect children online and on mobile devices. The new rules take effect following a 30-day comment period. Take a minute to compare your website audience and information collection practices to the disclosures made in your website terms of use and privacy policy. There are often gaps and mismatches in even the most well-meaning policies. For example, a “Like” button on your website collects and reports a stream of data about your visitors to Facebook, whether they “Like” your website or not. Is that what your privacy policy discloses?

How about children? How often have you seen kids using tablets and smartphones while their parents are busy? How many younger ‘tweens have their own smartphones? Many children, even very young ones, are quite adept with mobile devices. My secretary’s almost-two-year-old grandchild already knows how (more…)

Maryland: cutting edge? After a contentious end of session, Maryland became the first state in the U.S. to pass a law prohibiting its employers from demanding social media account information from current or prospective employees. April 9th’s Sine Die (the session is “without days”) dragged into a stalemate early Tuesday, forcing Maryland to pass a Doomsday Budget requiring massive funding cuts in vital state services like education.

Imagine our delight to discover a hidden Easter egg: Senate Bill 433, which forbids Maryland employers and their HR people from requiring or requesting social media names and passwords from employees or prospective hires. It is understandable that employers dislike surprises and that “inside information” often reduces the likelihood of surprises. However, as the Baltimore Sun reports, the bill’s sponsors rightly likened such practices to eavesdropping on private telephone calls. Have you checked out your HR Policy to see if your folks are running Facebook checks? Even without requiring a password it might seem “creepy” to your employees.

My law students would be interested in discussing whether Maryland’s law could extend to similarly invasive practices by NCAA coaches. In some ways an NCAA athlete’s situation is akin to that of an employee or intern. The New York Times ran a piece a couple of weeks ago about some colleges that require athletes to provide access to their Facebook or Twitter accounts, either by downloading software to monitor them or simply requiring that they let a coach, an administrator or a third-party company “friend” them on Facebook or follow them on Twitter.

Does one have a reasonable expectation of privacy on Twitter or Facebook? Perhaps not on a person’s public pages, but one would expect to have privacy in private portions of social media accounts. (Another reminder to fine-tune #privacy_settings!) But using monitoring software to track athlete conduct online is not only creepy, it could run afoul of anti-stalking laws.