Social Media And Privacy October 9 2009 Presentation Transcript
Privacy and Disclosure Minefields in Social Media: Identifying and Overcoming the Key Issues and Challenges MANAGING SOCIAL MEDIA October 6-7, 2009 Sutton Place Hotel, Toronto Mark S. Hayes Martin P.J. Kratz Ariane Siegel
Outline Introduction – Privacy Issues and Social Media The Facebook Decision Reasonableness Managing Privacy Related Liability for Social Media Operators Social Media and Litigation Social Media and Children Questions
Managing Social Media Introduction – Privacy Issues and Social Media
Privacy Issues and Social Media Social Media is all about sharing personal information A new dimension to the way people interact Role similar to what local newspapers and radio stations once did - bring a community of people with common interests and values together to share ideas Platform now reaches multitudes of people simultaneously Includes ability to interact instantaneously and share not only printed information but rich media, with pictures, music, videos Privacy issues affect website operators and their affiliates, advertisers, users, hackers, employers and law enforcement Raises issues on knowledge and consent for lawful uses
Privacy Issues and Social Media Business, legal and technology issues intersect Target audience (jurisdiction, age, business) What personal information will be posted What personal information will be collected How will personal information be used Will personal information be shared (developers, other third parties) How long will personal information be retained Where will personal information be processed Safeguards Access
Privacy Issues and Social Media More Canadians on Facebook than… Study of 2000 young people Dr. Avner Levin at Ryerson, more than 48% log on more than once a day Attitudes about OSN – not too much concern that personal information would be accessed by employer Lots of personal information posted OPC Study: Focus Testing Privacy Issues and Potential Risks of Social Networking Sites http://www.priv.gc.ca/information/survey/2009/decima_2009_02_e.cfm
Privacy Issues and Social Media More Canadians on Facebook than… Young Canadians have a unique perception that we call network privacy (Levin) Privacy concerns relate to personal information ending up in “unauthorized” social network They believe they can control online presence feel largely accountable for breaches
Managing Social Media The Facebook Decision
The Facebook Decision Complaint Against Facebook by CIPPIC Key Issues: Application to non-Canadian website operators Advertising Consent of non-members Sharing of Personal Information with Third Parties Data Retention / Account Deactivation
The Facebook Decision APPLICATION Underlying assumption - PIPEDA applies to website operators collecting personal information of Canadians Lawson v. Accutech PIPEDA not long arm statute Would not apply to entities without infrastructure / employees in Canada FTC similar approach, COPPA applies to any website operator collecting personal information about Americans
The Facebook Decision ADVERTISING Facebook needs revenue to offer service Advertising is essential to the provision of the service, and persons who wish to use the service must be willing to receive a certain amount of advertising. Facebook Ads - Aggregate information given to advertisers Targeted ads delivered - non invasive No opting out Social Ads can opt-out
The Facebook Decision CONSENT OF NON-USERS Resolution: Facebook agreed to provide information users need to ensure that they have the consent of non-users to share their e-mail addresses with Facebook Company must exercise reasonable due diligence to make sure this is happening
The Facebook Decision SHARING OF PERSONAL INFORMATION Key Issues: Sharing of Personal Information with developers Resolution: will prevent an application from accessing information until it obtains express consent for each type of data it wants to access
The Facebook Decision DATA RETENTION Facebook keeping Personal Information for long periods Deactivation does not mean deletion Resolution: Notice and deletion option Facebook agreed to make it clear that users have the option of either deactivating their account or deleting their account. No prescribed retention period
Managing Social Media Reasonableness
Reasonableness Reasonableness is a flexible and adaptable concept Can adapt to specific circumstances Can change over time The requirement of “reasonableness” is inherent throughout Canadian privacy law Threshold issues Extent of disclosure Security Etc.
Reasonableness There is a reasonableness threshold An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. Where an organization collects, uses or discloses personal information, it may do so only to the extent that is reasonable for meeting the purposes for which it was collected, used or disclosed.
Reasonableness Basic Privacy Compliance Question: Is it reasonable to permit the collection of personal information by Facebook from users in exchange for the free service Facebook offers? Facebook decision All users receive Facebook ads, can not opt out Traditionally Privacy Commissioner distinguished between primary and secondary marketing purposes Finds advertising is essential to the provision of Facebook’s service and persons who use the service must accept some ads
Reasonableness Who decides what is reasonable? Privacy Commissioner’s office applies objective test Facebook’s user feedback is not determinative While a protective standard – what happens when the culture changes underneath the objective assessment of what is reasonable?
Reasonableness Is reasonableness different for web collection, use and disclosure? Is there a discrete internet culture to which a different standard might apply? The acceptance of compulsory ads on Facebook was seen as reasonable, a departure from traditional privacy analysis Courts and tribunals, however, have consistently applied the general law as applicable to the Internet
Reasonableness Internet Culture is different The sense of what is reasonable is different on the web Barlow, EFF (1996) “Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.”
Reasonableness What are users sharing on social media sites? Is it “reasonable”? Estimated 61% of 13-17 year olds have a profile on line Half with pictures Much of the social network information may be kept private but only if the privacy features are turned on. What does your child say about herself? What information is an invitation to ID theft or worse?
Social Network Profile Information [Chart not reproduced: Typical information on Facebook, U Guelph study 2008]
Social Network Profile Information [Chart not reproduced: Likelihood to post information (out of 7 max), U Guelph study 2008]
Reasonableness Is there any privacy expectation left on the web? Emily Nussbaum, writing in the New Yorker, identifies a generational trend. It is only the older generations that still seem to care about privacy. “Say Everything As younger people reveal their private lives on the Internet, the older generation looks on with alarm and misapprehension not seen since the early days of rock and roll. The future belongs to the uninhibited.” Nussbaum writes beginning with a 26 year old bartender who, among other things, has posted nude pictures of herself on her MySpace page but sees it all as a way to document her life and share it with others. Will she think so positively of it when she seeks to get married, changes jobs, etc.? http://www.nymag.com/news/features/27341
Reasonableness Emily Nussbaum’s conclusions are: There is a true generational gap last one was 50 years ago They think of themselves as having an audience They have archived their adolescence Their skin is thicker than yours
Reasonableness Young people seem to accept that the idea of a private life is an illusion Maybe they are correct We live in an age of surveillance Security cameras on the streets, train stations Transaction details tracked every time you swipe your Starbucks card, use a debit card Your employer monitors your emails The NSA monitors your telephone calls Our lives are lived in public whether we seek to acknowledge it or not …
Reasonableness But it can go too far … Poor choices are harder to erase or forget “Susie's” 2000 “special” video for her (then) boyfriend Posted on the web, becomes a viral video Paris Hilton sex tape 2004 In the public there has been a dramatic shift in what is considered reasonable 20 years earlier Miss America lost her crown for a similar expose What will be “routine” in 10 years or 20?
Reasonableness Is privacy an antiquated concept? Will the Facebook generation live to regret what they have shared with others? Do the earlier generations just have to get used to a new way of thinking about privacy? How does a privacy commissioner’s office confront a generational attitude change to the concept of privacy? Which generation gets to decide? How will that shift the view of what is “reasonable”?
Reasonableness Acceptance of the Facebook ads for access to the social media service was found reasonable How far might that go? Would that change if it became a paid site?
Managing Social Media Managing Privacy Related Liability for Social Media Operators
Managing Privacy Related Liability for Social Media Operators Mere reliance on the Terms of Service alone is insufficient Facebook approach to state a requirement for application developers in the applicable terms was found not sufficient to address Facebook’s responsibility Facebook required to take further steps to ensure developers were aware of the applicable requirement (to obtain consent in this case) and comply with it
Managing Privacy Related Liability for Social Media Operators Additional means contemplated in the Facebook case included: Prominence to specific obligations in developer guidelines Adjust template to facilitate space for explanation for users But mere warnings may not be sufficient: COPPA experience - consider the audience and the ability to understand the terms and warnings Avoid “legalese”
Managing Privacy Related Liability for Social Media Operators Address all of the customary safeguards sought in any outsourcing Audit rights Data ownership and immediate access rights Controls Addition of security measures where applicable Restriction of access Segregation of personal information and limiting access to only that strictly necessary for a specific function by a party
Managing Privacy Related Liability for Social Media Operators Other options for social media operators to manage risk Facilitate the ability of 3rd parties to get direct user consent where applicable Identified for application developers in the Facebook case
Managing Privacy Related Liability for Social Media Operators Shifting risk to the user In the Facebook case users post personal information on non-members Vulnerability from use of mobile devices Becomes the responsibility of the Facebook user to obtain the consent, address security of own devices Facebook may reasonably rely on users to obtain non-user’s consent … provided Facebook exercises due diligence Important that Facebook informs users Notification when applicable
Managing Privacy Related Liability for Social Media Operators Reliance on 3rd party or privacy compliance verification process Common under COPPA Optional with Facebook for third party application developers Advantages of compulsory vs. voluntary approach
Managing Privacy Related Liability for Social Media Operators For social media operators other than Facebook … … safety of the herd In the absence of defined standards adoption of practices commented upon as acceptable becomes a risk mitigation approach
Managing Social Media Social Media and Litigation
Social Media and Litigation Recent explosion in cases involving social media issues Most common types of cases: Family Criminal Personal injury
Social Media and Litigation Uses for evidence from social media sites: Evidence that party’s actions are inconsistent with positions or evidence in action (e.g. extent of disability) Party’s “friends” or contacts belie claim that party did not know or have contact with an individual Party’s communications (sent or received) are inconsistent with evidence or legal obligations (e.g. non-contact order)
Privacy and Social Media Evidence Issues raised: Is production of social media evidence prohibited by privacy statutes? When can party be compelled to divulge contents of social media profile or pages? When can social media site operator be required to divulge information such as IP address of subscriber?
Privacy Statutes and Litigation Exemptions All Canadian personal information privacy statutes have exemptions for litigation production PIPEDA: disclosure without consent if: Required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information (s. 7(3)(c)) Required to comply with rules of court relating to the production of records (s. 7(3)(c)) Required by law (s. 7(3)(i))
Privacy Statutes and Litigation Exemptions S. 7(3)(i) and latter part of s. 7(3)(c) will require party to litigation to disclose any relevant personal information in their possession or control May still be subject to PIPEDA restrictions in hands of opposing party In any event, implied undertaking of confidentiality will apply S. 7(3)(c) will require third party to disclose personal information, but only in response to court order Subpoena issued by party’s lawyer (as is allowed in many provinces) will not suffice Provincial statutes are generally similar
Privacy Statutes and Litigation Exemptions Litigants who tried to resist production of relevant evidence on basis of privacy consistently unsuccessful Ferenczy v. MCI Medical Clinics (2004), 70 O.R. (3d) 277 Plaintiff tried to exclude damning surveillance evidence Court found implied consent by plaintiff to surreptitious observation of personal injury plaintiffs when physical capabilities in issue In any event, violation of PIPEDA has no direct impact on the issue of the admissibility of evidence PCC has not accepted Ferenczy as precedent
Production of Social Media Evidence Social media evidence is primarily a relevance issue, not a privacy issue Privacy one factor to be considered in determining relevance and proportionality of requested production Court will order production of “private” Facebook pages if there is sufficient grounds to conclude that they contain relevant evidence Will not allow “fishing expedition”
Murphy v. Perger, 2007 Ont. S.C. Motor vehicle accident Plaintiff had publicly available site which contained photographs of the plaintiff engaged in social activities Defendant requested access to private Facebook profile - plaintiff had 366 “friends” Successful ex parte preservation motion to avoid spoliation Facebook production ordered: given nature of Facebook and that plaintiff’s public site includes photographs, reasonable to conclude Facebook profile would as well Any invasion of privacy is “minimal”
Leduc v. Roman, 2009 Ont. S.C. Motor vehicle accident No questions on discovery about Facebook Medical exam: plaintiff told doctor “that he did not have friends in his current area, although he had ‘a lot on Facebook’” Defendant demanded production of all pages of plaintiff’s Facebook profile Master refused production – SCJ overturned
Leduc v. Roman, 2009 Ont. S.C. “That a person’s Facebook profile may contain documents relevant to the issues in an action is beyond controversy.” Where party has both public and private profile, reasonable to infer that content on public profile similar to content on private profile Where user has only private profile, can infer from social networking purpose of Facebook “that users intend to take advantage of Facebook's applications to make personal information available to others” Facebook “likely contains some content relevant to the issue of how Mr. Leduc has been able to lead his life since the accident”
Production of Social Media Evidence Appears to be open season on production of almost any social media information Precise test to be applied will depend on nature of action At this point, likely professional negligence not to: Look at social media sites in any case where character or activities of individual party or witness may be relevant Seek production if information not forthcoming Must advise clients that relevant portions of web sites relating to them must be listed in affidavit of documents
Disclosure of Subscriber Details Numerous criminal cases involving voluntary disclosure to police of subscriber information by ISPs General rule is that disclosure is permitted under PIPEDA and Charter if subscriber agreement permits disclosure No reasonable expectation of privacy Same reasoning likely applies to social networking sites, although no cases yet
Terms of Service Facebook: “We may be required to disclose user information pursuant to lawful requests, such as subpoenas or court orders, or in compliance with applicable laws. We do not reveal information until we have a good faith belief that an information request by law enforcement or private litigants meets applicable legal standards. Additionally, we may share account or other information when we believe it is necessary to comply with law, to protect our interests or property, to prevent fraud or other illegal activity perpetrated through the Facebook service or using the Facebook name, or to prevent imminent bodily harm. This may include sharing information with other companies, lawyers, agents or government agencies.” Based on ISP cases, this would likely allow disclosure
Terms of Service Google/YouTube: “We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.” Not as clear – what is an “enforceable governmental request”?
Bottom Line Courts are not going to pay much attention to “privacy” if it impacts on: Providing full disclosure Finding the truth Being fair to both parties Where production right is questionable and information is very sensitive, privacy may be one factor of many to be considered in determining proportionality of request for information In most cases, if you have made information available on social media sites, it is going to be produced
Managing Social Media Social Media and Children
Social Media and Children COPPA in US Age screen for under 13 Sliding scale over 13 and over 18 CMA Guidelines in Canada 13, 14 and 15 Contact information only Express Consent Teenager 13, 14 and 15 Personal information beyond contact information Express Consent of Teenager and parent or guardian Capacity to consent in Canada
Social Media and Children Capacity to consent in Canada Minor under 18 can’t give valid consent to contract contrary to their interests Criminal Code Issues re consent FTC DOB recommendations: don’t encourage lying Note Aspects of Facebook findings limited to users over 18
Social Media and Children FTC wants sites to prevent children from back-clicking to change their DOBs once they have been blocked. Facebook Agreement in May 2008 with 49 U.S. attorneys general. prevent underage users from accessing the site; protect minors from inappropriate contact; protect minors from inappropriate content; and provide safety tools for all social networking site users. Agreed to implement and enforce the feature of “age locking”, monitor and review the profile of any user who initiates an age change indicating that he or she is over or under 18.
Questions Mark S. Hayes Martin P.J. Kratz Ariane Siegel
Follow Up Martin Hayes, firstname.lastname@example.org 416-966-ELAW (3529) Martin Kratz, email@example.com 403 298 3650 Ariane Siegel, firstname.lastname@example.org 416 369 7228