Facebook’s mission is to make the world more open, people more available one’s to each others, to make information more accessible. Facebook is the people, is the communities. But what are the economics behind SNSs? These social networking sites are expensive to maintain, and so a business plan is required… and this business plan often includes (or involves) intellectual property rights. Intellectual property rights often hold by third parties.
What are the copyright consequences of creating content on a social networking site? what jurisdiction applies? What appears on the sites is protected. But who owns these rights?
In the case of Facebook, IP rights are transferred (non-exclusively) to Facebook, with no financial compensation, also transferable at its turn, etc. In the case of MySpace the license includes transforming content, etc.
A CC-by-nc-nd license would be a good solution to all these agreements where usage is allowed but with more restrictive clauses that clearly benefit the copyright owner. Protecting your rights ex-ante is most difficult in SNS.
When there’s infringement, liability has to be demonstrated and author ownership also recognized.
Another problem is that once the content is made available, the operator of the site should communicate that it is published under copyright law. If it includes adaptation, then the limits of the right to make derivative works should also be clearly stated on the platform.
What happens when there’s more than one creator and people have collaborated to create that work? On user generated content sites, things get complicated, because collaborative work overlaps with a sequence of several re-creations (or modifications) of the original work.
In the US, in a joint work one of the joint authors can exploit the work on their own, but in Europe agreement must be reached among all joint authors. When there are incremental contributions (v1.0, v1.1, v1.2, etc.) exploitation of the work becomes way more complicated as incremental authorship increasingly becomes unclear.
The potential value of the works shared also poses different problems: while it’s likely to see IP problems on YouTube because of the higher potential value of the content shared there, this is less likely to happen in e.g. Flickr or Facebook.
Possible defences
Copyright does not apply because there is no “copy”, as the original was used
The original can be used because there is a signed license
It’s part of an exception to the law (and there are lots of them and distinguishing whether they apply and which one applies is really complicated)
What’s the liability of the intermediaries? SNSs, those making links, carriers, hosting providers, etc.
In Europe copyright and trademark infringement applies equally, though there are some safe harbours that cover intermediaries on some specific cases. But as soon as you don’t fall on safe harbours, the principles of copyright infringement apply, but they are not the same ones across Europe and, also, not the same ones as in the US.
Indeed, even within country regulatory frameworks, difficulties still apply: e.g. what is a hosting provider? Does it have to monitor all the content on its site? Is it an editor (like in a journal) or just a holding platform?
In order to benefit from the safe harbour (US law) YouTube cannot perform any kind of price discrimination for advertising depending on the content watched (e.g. home made video vs. commercial Hollywood movies). This is not optimal on a business model point of view, but it is a requisite of the safe harbour clause on the US copyright law (“you don’t know what’s on your site”).
Difference between IT Law and IT for Lawyers. It is very difficult that IT Law and IT regulation can answer all the questions that the Internet is bringing on the table.
The Spanish Constitution (1978) already spoke about privacy and honour, but later on this article was limited to data protection in the Spanish Law (1999). Privacy and data get separated one from the other (good), but privacy seems to be forgotten from the citizen bill of rights (bad).
In Spain, all rights infringements are understood the “old” way but infringements related to data. Most likely Spanish Law should be updated in fields such as privacy or security under the light of the debate that is taking place at the international level.
The international community seems to be reaching a growing consensus based on:
Awareness raising in the field of privacy and digital competences, including engineers that are coding the applications
Liability of the providers, but also of the users when they upload or tag third parties’ content or information
Right to inform: about privacy risks (or information leakages), identity, consent, etc.
Technological measures: use of nicknames, privacy by default, privacy enhancing technologies (PET), etc.
The problem is that social network analysis to mine data from SNSs represents a real threat even when the user is behaving correctly concerning their own privacy. The semantic web will make this even more transparent and privacy more fragile.
What is then the role of Privacy enhancing technologies?
Privacy preserving data mining (P2PM) technologies, to block data mining procedures
Use of several nicknames to protect access and avoid nickname tracking
Reputation systems that guarantee privacy: be able to change nicknames, etc. but keep reputation despite the changes of digital identities
Technologies for transparency and information control
Summing up, regulation in privacy issues is still limited and technology is underused and expensive (PETs are normally added up ex-post, which implies costs). We should maybe be moving towards privacy in the design, that privacy is part of the core business. PETs would then disappear and be embedded in the usual code and practices.
Q&A:
Miquel Peguera: Could control by ISPs be set by agreement or contract and then disable the safe harbour? Could YouTube discriminate prices based on the number of visits? Does it make any sense to protect a user identity by using nicknames, when precisely is the absence of nicknames the norm in SNSs? Alain Strowel: Control is difficult to state by contract. Jane Ginsburg: This kind of agreements might imply a legal incoherence. Regarding popularity and price discrimination, it should be proven that this is a legitimate criteria, and that popularity is not an intrinsic characteristic for copyrighted material.
James Grimmelmann: the increasing value of trademarks and names on the Internet, bound to digital identity and usually regulated by the domain name registry might now be at stake when SNSs such Facebook allow you to create subdomains under their domain. How does this change things? Alain Strowel: it surely puts a lot of pressure on trademark law, indeed, and trademark liability, and not only IP law.
Q: How will ISP and content and online services providers agreements evolve? Jane Ginsburg: We’d expect to see more compatibilities amongst contracts across jurisdictions. People should figure out how to draft contracts that can be enforceable in as much jurisdictions as possible.
There are plenty of motivations to use Social Networking Sites (SNS) and many risky ways for your privacy and security in using them. Why, then, keep using them?
SNS have profiles for their individuals, links to other people and a social graph that maps your network.
Your profile expresses and identifies, in some way, with your identity. But it’s not only what you say about you, but what your “friends” say about you: the people you befriend in a SNS is also adding up to your own identity.
People that you befriend, talk about you, comment the things you say or state, and links between users are created. Links that, all together, form a social graph where you can map your friends, the friends or your friends, etc.
Some false assumptions in SNSs
If everybody’s doing it, you do it too
There’s many people doing it, so I’ll keep unnoticed
False sense of privacy, “I’m alone here”
Feeling that everybody’s like us in the SNS
Electronic mediation makes us underestimate the impact of our actions
Distorted sense of (real) friendship and of knowing who the others are
Feeling that everything is under control and that one can “see” everything
Social harms
Disclosure: letting some intimacies known on SNS can spread quicker and broader than anywhere else
Surveillance: the mere sense of being watched all the time is by definition a limit to your own freedom (and scary and creepy to many too)
Instability: assumptions about an SNS that prove wrong along time, leading to privacy issues, e.g. seein photos you shouldn’t be allowed to see, Facebook Beacon, bugs…
Disagreement: you might not agree with some privacy issues, e.g. you can remove a tag from a photo, but not the photo itself. Or you would want to remove someone as a friend, but this someone feel hurt if you do, which leads to an embarrassing situation.
Spillovers: my decisions might have consequences to your privacy. Your decision on your profile affect who can see my information (e.g. you decide your friends list is public, hence I appear on your profile)
Denigration: defamation, attacks to persona, including how you present yourself. And this can be really subjective: how you match different groups of people (professional acquaintances, family, friends) reading the same type of information about you, without context, without filtering. And more: your profile can degenerate into an advertising platform.
Solutions?
Clearer privacy policies, but how to make simple what is complex?
Better technical controls to customize your privacy levels, better definitions, higher accuracy or detail in controlling your privacy setup
Data ownership: you should be free to take your information and move it where you want, data portability. If I’m your friend on a SNS: whose is this information (i.e. “we are friends”), yours or mine? Data portability is a solution but also a way to circumvent and decontextualize some security issues about privacy
The same motivations that drive us into SNS are the ones that lead to mistakes, and mistakes lead to harms. This makes really difficult how to solve some problems related to privacy.
Most privacy violations are produced by ourselves, we have met the enemy and he is us, it’s individual users (not anonymous big brothers) the ones that are violating privacy on a peer-to-peer basis.
Privacy violations spread as a virus: SNS are privacy viruses that spread from person to person.
Q&A
Miquel Peguera: how should default settings be set? is data portability the solution? A: default settings should be set to more privacy friendly levels. New features, for instance, are set on an opt-out basis, not an opt-in. The problem with data portability is whose is the ownership of data, specially when this “ownership” is shared?
Q: why is Facebook’s newsfeed a weapon? A: The problem is that there is a huge granularity on what you (and Facebook… and advertisers) can see and use for several purposes.
Ismael Peña-López: isn’t privacy overstated? A: Even if that might be true, the question is that people seeked some cover in SNS thinking that they privacy was assured there vs. the openness of the broad Internet. And the fact is that people got outraged when they found they search for privacy had been violated. So the point is not whether privacy is good or not, but that some people’s desire for privacy was guaranteed and then systematically violated.
Q: What happens when privacy can lead to crime? A: A big difference between SNS and typical surveillance tools is that the later are held by the power that should be having this kind of control, and opperated on a transparency basis. Instead, SNS surveillance systems are more complex, distributed and highly out of control.
Mònica Vilasau: are we more confident on the Net than offline? A: Psicologycal effects are really important in how we behave on SNSs.
Daithí Mac Sithigh: What are going to be the next steps of Facebook in the subject of privacy? A: Facebook is an extraordinary arrogant company. Dealing with privacy discussion, they would acknowledge they made a mistake, but won’t move back and, especially, won’t loose control.
Q: Can we increase control on existing or new SNSs? A: What we’ve been seeing so far is that this is a major challenge, that what people look for in networks is exactly the opposite of what would be needed to make these networks more privacy compliant.
More Information
Grimmelmann, J. (forthcoming 2009) Saving Facebook In Iowa Law Review, #94
The next 5th Internet, Law and Political Science Congress has been scheduled for 6th and 7th July 2009. Organized by the School of Law and Political Science at the Open University of Catalonia (Barcelona, Spain), the event has evolved into an interesting forum where it is highlighted what’s happening nowadays in the fields of law and cyberlaw, intellectual property rights, privacy, data protection, freedom, political engagement, politics 2.0, empowerment, etc.
Aimed to both researchers and practitioners, during the four editions that we’ve been running the congress, we’ve had here people the like of Jonathan Zittrain, John Palfrey, Eben Moglen, Helen Margetts, Lillian Edwards, Yves Poullet, Erick Iriarte, Stefano Rodotà or Benjamin Barber, among others.
The main topic this year is social networking sites (SNSs, in a broad sense). We want to have sessions were at least two speakers present opposite points of view (pros and cons). The programme (almost closed, though some changes might apply) is as follows:
Keynote speech with James Grimmelmann, providing an analysis of the law and policy of privacy on social network sites, and an evaluation of some possible policy interventions.
Daithí Mac Sithigh will be the official reporter of the event, providing, at the end of each day, a summary of the main subjects dealt in that day’s sessions.
