Posted by Veronica Scott & Kate Ballis
Ben Grubb’s arrest raises many questions about the law. In this post, we look at two of them:
- what rights do users have over information they upload to social networking sites?
- what can journalists publish?
You may recall that Chris Gatford’s wife set her Facebook photo privacy settings to the highest level, but security expert Christian Heinrich was still able to access them without her permission. Heinrich demonstrated how he accessed her photos in order to demonstrate that not everything a person posts to a social networking site is secure. Grubb obtained the photo, and with legal advice, the Sydney Morning Herald (SMH) published the photo alongside Grubb’s
article.
Who is looking at your photos?
While users may ‘own’ the information and content they post to social networking sites, once posted, that ownership may become meaningless. Users of social networking sites are responsible for deciding what they upload for sharing. The issue then becomes: who can see and use that information? Even though they may not read it, when a user registers with Facebook (or any other social networking website) they are bound by its
terms and conditions (including its privacy policy). Facebook users are given the responsibility of monitoring their own privacy settings. Facebook provides privacy controls by which users can customise settings to control which people, websites and applications can see their information. The default setting is “everyone”.
Facebook’s
Privacy Policy states that if the user leaves the default privacy settings as “everyone”, then the information becomes publicly available information, and may be accessed by everyone on the internet (not just Facebook users), be indexed by search engines, and imported, exported, distributed and redistributed by anyone without any privacy limitations in place. Similarly, Facebook's
Statement of Rights and Responsibilities provides that when you publish content or information using the "everyone" setting, it means that the user allows everyone (including people outside of Facebook) to access and use that information, and to associate it with them. In copyright terms, the "everyone" setting appears to gives rise to a broad licence, granted by the user, to all of the world. And it is not clear whether (and on what terms) this licence may be revoked. Can, for example, a grocery chain in the Czech Republic
use your family photo on a billboard advertisement?
And even if the user deletes information from Facebook that was once viewable by “everyone”, the information may still be at large on the internet, beyond the user's practical control.
Who is using your information?
Monitoring privacy settings on all the types of information posted to social networking sites is the first step to protecting personal information. But, as Heinrich demonstrated, privacy settings are not necessarily watertight.
For instance, Facebook’s Privacy Policy provides that anyone can use copy and paste functionality to capture any information from Facebook. This means that even if the user’s content is set to private, anyone who gains access to a photo, for instance, could copy it to their computer and paste it into an email and send to anyone else on the internet (although this does raise its own legal issues, principally copyright). Even if a user deletes their account, copies of information may remain viewable elsewhere to the extent it has been shared with others, or was copied or stored by other users.
Who is liable for breaches?
Facebook disclaims responsibility for breaches of privacy. The Facebook Privacy Policy states:
... no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your information. We cannot guarantee that only authorised persons will view your information. We cannot ensure that information you share on Facebook will not become publicly available.
In addition, Facebook reserves the right to disclose any user information pursuant to subpoenas, court orders, or other requests from companies, lawyers courts or government entities, if it has a good faith belief that the response is required by law in the relevant jurisdiction. This includes the email address of the Facebook user, their profile contact information, status update history, user photos (including those uploaded by other users), and private messages.
The Brocial Network
How does the Heinrich demonstration (and subsequent SMH publication) compare with the recent
Brocial Network controversy?
The Brocial Network was a private Facebook group of more than 8,000 male members, set up two weeks ago to circulate and comment on photos of scantily clad women the men had copied from the Facebook profiles of their 'friends'. While the Facebook page has since been taken down, it raises related legal issues.
The photo of Gatford’s wife was arguably unlawfully obtained (in contravention of
section 478.1 of the Commonwealth Criminal Code), as Heinrich “hacked” the Facebook site in order to obtain it. But the men in the Brocial Network were Facebook “friends” with the women whose photos they have copied and posted on the network.
Facebook’s Privacy Policy states that users can use the copy and paste functions to capture any information from Facebook. The men in the Brocial Network group may have infringed the privacy rights of the women whose photos they had appropriated, but the property was not unlawfully obtained. Presently, there is no right to privacy at common law or under legislation in Australia. Companies like Facebook are subject to the Commonwealth
Privacy Act 1988 which governs the use, disclosure, collection and storage of personal data of Australian residents by companies. The
Privacy Act does not, however, apply to individuals, and there is also an exemption for the media (though there is a set of Privacy Standards which have been developed by the Australian Press Council which its member media organisations are committed to observe). You can read more about privacy rights in Australia in our post on the
St Kilda schoolgirl saga.
Can journalists report on social media content?
So, if all this personal information is available from social networking sites (and the internet in general), what is in the public domain? And more importantly, what can journalists report on and what can news sources publish?
In February this year, the UK’s Press Complaints Commission (
PCC) - which is similar to the Australian Press Complaints Commission - ruled that journalists can report on tweets.
The UK’s Daily Mail had reported on a woman’s tweets and she took her case to the PCC, claiming that her privacy had been violated. The woman insisted that her tweets were private, as she only had 700 followers. The PCC, however, held that '
the potential audience for the information is actually much larger than the 700 people who followed the complainant directly, not least because any message could easily be re-tweeted'
. In that case, the material posted by the complainant was open to public view, and the fact that the information was publicly accessible was key to the PCC's assessment as to whether or not the tweets were private. The PCC stated that the applicant should have restricted her privacy settings if she did not want such a large audience to view her tweets. The PCC's decision to allow publication was also based on the fact that they considered the tweets to be in the public interest. Although this was a UK decision (by a self-regulatory body) and does not carry any legal precedent for courts in Australia, in an online world that crosses jurisdictional barriers, decisions like this at least suggest the direction the Australian privacy regulator and courts might take.
The PCC's ruling raises the question of what information obtained from social networking sites journalists can report on. If the user has numerous “friends” or the information privacy settings are set to “everyone”, according Facebook’s Privacy Policy, this constitutes publicly available information.
Many media organisations have social media policies about how they use social networking sites for work and research. A clear policy should be in place to guide journalists as to how they report information from these sites.
What precautions should journalists take?
Even if journalists are reporting on social media content that is in the public domain, there are situations where private information retains its private nature, even after it has entered the public domain. For instance, even though the photo of Pippa Middleton, topless on a yacht in Spain, was published in newspapers (in the public domain), the photo still contains information of a private nature.
In a 2006 decision of the Victorian Supreme Court (in a case brought by the AFL and Players Association against a variety of media organisations), Justice Kellam
held that, notwithstanding the disclosure of confidential information about three AFL players’ drug tests on online football forums and on a pay TV program known as “Fox Footy,” the confidential information (eg their names) had not entered the public domain, and therefore had not lost its confidential nature. In that case, the media was permanently restrained from publishing the identities of the three AFL players. Justice Kellam said that whether or not confidential material has entered the public domain is a matter of fact, determined by the accessibility of the information, the size of the audience, whether limited publication would become known to an 'ever-widening group of people', and whether the information referring to the confidential information is merely speculation or has some authority. If a journalist obtains confidential information from social networking sites, then they must consider these factors to determine whether, although available on the internet, the information has actually entered the public domain and whether there are other reasons why the law would allow them to publish information which is otherwise confidential.
Journalists reporting on social media content that is in the public domain must also be mindful of whether the material breaches any other laws, particularly defamation or copyright laws.
If a tweet or a statement made on Facebook is defamatory, and the journalist quotes it and the newspaper publishes it, then subject to the usual defences, the journalist and the newspaper could be liable for defamation. Similarly, publishing a photo or other content that a user has posted to a social networking site may infringe that user's copyright.
Finally, journalists should be aware that, under the new shield laws (which recently amended the Commonwealth
Evidence Act 1995), in any Commonwealth legal proceedings, the law will favour the journalist not disclosing the identity of the sources of their information if the journalists have promised their source that they will not. Journalists are also bound by their Code of Ethics to keep the identity of their sources confidential if they have agreed to do so. Importantly, these shield laws did not apply to Ben Grubb, who was "arrested" under Queensland law.
What can social networking site users do to protect their information?
Users of social networking sites should, in the first instance,
actively monitor the privacy settings in respect of information they post to social networking sites. It is the user’s responsibility to do this, and if there is any disclosure of their private information, a decision about liability and their rights may hinge upon the fact that the user has not controlled their own privacy settings so as to prevent disclosure.
But, as discussed above, in a world of hackers, privacy settings are not watertight, and social networking sites such as Facebook make no promises that anything a user uploads will be secure and be prevented from entering the public domain. And whether lawful or not, the simple “copy, paste” or “save as” functions can quickly take a user’s content from a social networking site and publish it to the world. Aspiring artists, photographers, cinematographers, poets and musicians should also be wary of the fact that uploading content on Facebook means giving Facebook a non-exclusive license to use that copyright in any way.
So users should think carefully before uploading a photo or other content, posting their status, or even writing a private message to another user. As the law currently stands, once the information is on the internet, the user's practical ability to stem any damage arising from the dissemination of that information - and its use by third parties - may be very limited indeed.
Partner: David Poulton
