Legal solutions for innovators and other smart people

terms and conditions

RSS does not mean Reuse Share Sell: taking the Pulse of noncommercial

The Pulse RSS reader caused quite a stir when Steve Jobs demonstrated it during his recent WWDC keynote speech. He talked briefly about Pulse's merits and used it as an example of the sorts of applications which are available for the iPad in the iTunes App Store. He probably didn't count on the New York Times' lawyers taking issue with the Times' feed being one of the feeds Pulse ships with by default, particularly considering that Pulse is a paid application. NYT's lawyers wrote to Apple requesting that Pulse be pulled from the App Store, alleging as follows:

The Pulse News Reader app, makes commercial use of the NYTimes.com and Boston.com RSS feeds, in violation of their Terms of Use*. Thus, the use of our content is unlicensed. The app also frames the NYTimes.com and Boston.com websites in violation of their respective Terms of Use.

I note that the app is delivered with the NYTimes.com RSS feed preloaded, which is prominently featured in the screen shots used to sell the app on iTunes.

The full email was republished on Kara Swisher's blog. The NYT's terms of service provide as follows:

2. NYTIMES.COM CONTENT

2.1 The contents of the NYTimes.com sites are intended for your personal, noncommercial use. All materials published on NYTimes.com (including, but not limited to news articles, photographs, images, illustrations, audio clips and video clips, also known as the "Content") are protected by copyright, and owned or controlled by The New York Times Company, NYTimes.com, or the party credited as the provider of the Content. You shall abide by all additional copyright notices, information, or restrictions contained in any Content accessed through the Service.

2.2 The Service and its Contents are protected by copyright pursuant to U.S. and international copyright laws. You may not modify, publish, transmit, participate in the transfer or sale of, reproduce (except as provided in Section 2.3 of these Terms of Service), create new works from, distribute, perform, display, or in any way exploit, any of the Content or the Service (including software) in whole or in part.

2.3 You may download or copy the Content and other downloadable items displayed on the Service for personal use only, provided that you maintain all copyright and other notices contained therein. Copying or storing of any Content for other than personal use is expressly prohibited without prior written permission from The New York Times Rights and Permissions Department, or the copyright holder identified in the copyright notice contained in the Content.

The terms of service clearly restrict use of NYT content to "personal, noncommercial" use and, as the extract from NYT's lawyer above indicates, NYT was of the view that including the NYT's feed in the Pulse application was a commercial use of that content, apparently because the NYT believes its content was used to sell Pulse. NYT also objected to Pulse "framing" NYT and Boston Globe content in the application, presumably a reference to how these websites can be displayed in Pulse like a Web browser. In fact, Pulse incorporates a Web browser to display actual Web pages rather than just the published RSS or Atom feeds.

I have been listening to the debate on a recent episode of This Week in Law about the merits of NYT's lawyer's contention that Pulse infringed NYT's terms of service and made use of NYT's and its affiliate's content for uses that were not personal and noncommercial. Evan Brown expressed a view early on in the podcast that seemed to mirror the view held by NYT's lawyer; namely that the terms of service prohibit commercial use of NYT's content and Pulse's use of the content was commercial, therefore a violation of the content license the NYT grants to its readers. This, in turn, justified NYT's call for the application to be pulled. I initially agreed with his view and disagreed with TWIL host Denise Howell's arguments that aggregators like Pulse should be regarded as utilities and effectively exempt from any argument that they infringe copyright simply because they display content feeds that the content owner publishes (I believe that summarizes her argument fairly).

I do see Denise's point and agree that regarding a paid RSS reader as infringing copyright because it displays a feed which may have a noncommercial restriction is as absurd as claiming Google, Mozilla, Apple, Opera or any Web browser developer is liable for copyright infringement because their browsers display content with similar restrictions. On the other hand, I don't believe that this is what the real issue is. The real issue in this case is whether a paid RSS reader like Pulse is making commercial use of content, either by displaying it at all or by displaying the restricted content in its marketing material. The term "noncommercial" has proven to be a particularly tough one to pin down, so much so that Creative Commons commissioned a study on what people generally understand by this term.

On the one hand, Pulse is a paid application and a user's purchasing decision may be influenced by the appearance of the NYT's content in the application when it is demonstrated. What if the NYT's content was not included in the application's demonstrations? What if a user purchased the application and subsequently added the NYT's feed to Pulse and consumed that content on a personal and noncommercial basis? Would this use still be tainted by the price charged to use Pulse? NYT's lawyers would seem to argue this is the case but this argument is increasingly absurd when you consider that the argument necessarily means that Google, Mozilla, Apple and Co. must similarly be on the hook for copyright infringement if people view the NYT website in their browsers.

The central question should be whether the use of the content is permitted by the relevant content provider's terms of service or content license and not whether the technology used to access that content permits that access, as I understand Howell's argument to suggest, in part. Assuming I understood this to be one of Howell's points correctly, the logical implication of her further argument is that it should be legal to pirate and share pirated content because the means exist to make this possible. Rather, the argument should focus on the relevant content license which may have been applied to the content (or, in the absence of a license, the restrictions of copyright law itself).

I see selling content as a clear case of commercial use. On the other hand, enabling a person to view content in a freely available Web browser shouldn't be regarded as commercial use of the content. The fact that Pulse is a paid application shouldn't, in itself, make displaying the NYT's content (either the website itself or its published feeds) commercial but perhaps selling the application with an implication of NYT's endorsement or, worse, that NYT content is part of the deal could be commercial use of NYT's content. The answer to this question isn't clear but the closer Pulse's developer gets to actually making profit from NYT's content directly, the clearer it is that his use of NYT's content is commercial. The developer is probably best served by removing NYT content from the application as it ships and refraining from referring to it or displaying it in the application in his marketing material.

What this furore highlights, though, is that some publishers publish their content under restrictive content licenses which are typically detailed in their terms and conditions. I have advised a couple of clients who have assumed that if content is published through a feed they should be free to use that content however they please but this is simply not the case. Irrespective of the technology used to publish the content, content licenses still apply to that content and use of the content should be moderated accordingly.

Facebook passes the privacy ball to developers

Changes to the Facebook Platform for developers

I’ve written about the legal labyrinth developers for Facebook’s Platform must navigate in a previous post. Facebook has outlined its changes to the Facebook Platform for developers in its post titled “A New Data Model”. The post describes the changes to Facebook’s Platform from behind the scenes. There are a number of interesting changes which are concerning.

Generally speaking Facebook is putting some distance between developers and users. Its new approach is summed up in this paragraph from the post:

These changes reflect two core beliefs: first, user data belongs to the user; they should have transparency and control over it. And second, you should be able to build relationships with your users; we should not be in the way. We hope these improvements will foster more trust and engagement for our platform and the applications and websites using it.

By putting some distance between itself and users, Facebook doesn’t have to take responsibility for errant developers who abuse the new levels of access they are being granted to users’ personal information. On one hand it probably lightens the administrative load on Facebook to keep a watchful eye on the Facebook Platform ecosystem but it also gives Facebook an excuse when a user’s personal information is abused: it’s not Facebook’s job to manage a user’s relationship with the developer. The hope is that developers will conduct themselves responsibly but there have already been instances of developers who have abused the system and misused users’ personal information through their applications.

For starters, the permissions developers require from users to permit social applications and socially aware websites to access users’ profile information are not as granular as they were before Facebook shifted away from its previous Facebook Connect approval and authentication model. One of the changes is that instead of being required to approve a series of requests to reference different aspects of a user’s profile, all the necessary permissions are collected in a single dialogue.

While this certainly makes obtaining permissions from users a lot simpler for developers and gives the appearance of a simpler approval mechanism for users, it removes the option of allowing access to some parts of a user’s profile and not to others. Instead, using a social application or socially aware website becomes an either/or option for users: either they grant all the permissions requested or they don’t benefit from the social functionality of the site or the application.

Facebook has also removed the 24 hour retention limit on some profile information which, coupled with increased profile publicity thanks to changes to profile publicity in December 2009, increases the risk of abuse of users’ personal information. Developers still require users’ consent to access and store their personal information and if they obtain explicit consent, they will be able to do more with users’ profile information than simply display it back to them. As a starting point developers will have access to users’ User ID, name and email address and, thanks to Facebook’s real-time updates, developers will also receive updates when users change the profile information which they have given developers access to.

One of the challenges with this degree of data retention and Facebook’s hands-off approach is that users will have to take greater responsibility for managing their profile information (as much as they can; Facebook has already decided that some profile information will be public by default and the majority of users are not savvy enough to change those defaults where possible). Another challenge is that developers are expected to publish privacy policies for their applications and websites and give users an option to delete their personal information. This is particularly concerning because once the information has been passed along to an unscrupulous developer, you can’t unscramble that egg.

These are just overviews of some of the implications of the new Facebook Platform. There are even more privacy concerns and a marked absence of adequate answers. As has become its habit, Facebook couches these changes in user friendliness and convenience terms which disguise the underlying threats to users’ privacy in the hope that more people will drink the Koolaid than will question its motives.

Complying with privacy law

As I mentioned above, Facebook requires developers to make sure they comply with applicable privacy laws. In South Africa developers should anticipate the Protection of Personal Information Bill which is making its way through Parliament. This legislation, when enacted, will likely require developers to publish a detailed privacy policy describing what personal information they will collect from users and what they intend doing with that personal information. I wrote about the essential requirements of a privacy policy in a recent post titled “Privacy policies that don’t suck”. The key issue there is to obtain informed consent from users to collect that personal information and process it in the manner the developer intends. Depending on what personal information the developer intends collecting, specific consent to collect personal information for a specific session may also be required.

To add to all of this, Facebook’s global nature may also necessitate that developers factor in privacy laws in other countries and regions. The European Union has a fairly developed body of laws and regulations dealing with data collection and privacy and developers may need to cater for these rules as well.

This is one of the challenges of Facebook shifting the responsibility for how developers interact with users’ personal information to the developers. Developers not only need to take care to comply with Facebook’s own policies but they also have to cater for privacy laws which may impact on their applications. For users the challenge is managing their personal information better on Facebook and taking care not to give permission to collect and process their personal information without first taking the time to understand exactly what will be done with it. This decentralised approach opens the door to even more abuses and users will be left picking up the pieces while Facebook shrugs its shoulders.

Facebook strips users of even more privacy options

Facebook is becoming synonymous with forced publicity and a flagrant disregard for users' control over their personal information. It is also changing the way that large providers like Facebook and Google will treat users' personal information. It is almost trite that privacy as in secrecy is pretty much over for anyone who is active on the social Web. It sounds harsh and a little outrageous to make that statement (I'm not the first) but it is an uncomfortable truth. At the same time a new approach to privacy has emerged in the last couple years which could be the next best thing: privacy as in users' control over their personal information.

In a world where real secrecy online doesn't really exist, control over how much personal information to expose to whom becomes really important. Meaningful control over your personal information is also referred to as "informational self-determination" and it is central to decent privacy policies. Facebook has made a number of changes to how it is handling users' personal information and it has done so under the guise of giving users more control over their personal information. This is just insidious. What Facebook regards as more control over users' personal information is really a series of changes to privacy setting defaults and controls that appear more user friendly but really detract from the level of control users enjoyed previously. The last round of privacy control changes, for example, changed privacy defaults to "Everyone" for a range of personal information categories. If users weren't careful they would have exposed far more of their personal information to the public Web than they may have been comfortable with previously.

All of these changes are made under the auspices of Facebook's privacy policy which is amended using a curiously deceptive practice of being more transparent about the changes. Facebook publishes the proposed changes to its terms, the Statement of Rights and Responsibilities, and gives users an opportunity to comment. Here is how it works:

13. Amendments

  1. We can change this Statement if we provide you notice (by posting the change on the Facebook Site Governance Page) and an opportunity to comment. To get notice of any future changes to this Statement, visit our Facebook Site Governance Page and become a fan.
  2. For changes to sections 7, 8, 9, and 11 (sections relating to payments, application developers, website operators, and advertisers), we will give you a minimum of three days notice. For all other changes we will give you a minimum of seven days notice. All such comments must be made on the Facebook Site Governance Page.
  3. If more than 7,000 users comment on the proposed change, we will also give you the opportunity to participate in a vote in which you will be provided alternatives. The vote shall be binding on us if more than 30% of all active registered users as of the date of the notice vote.
  4. We can make changes for legal or administrative reasons upon notice without opportunity to comment.

So users have an opportunity to comment on proposed changes but if the number of votes on the proposed changes doesn't meet the "30% of all active registered users" threshold, the vote won't be binding. Bear in mind that there are 400 million users and while not all of those users are "active registered users", 30% works out to a lot of votes! The current draft privacy policy and draft Statement of Rights and Responsibilities don't seem to have nearly enough votes or comments to meaningfully influence the amendment process. This means that these proposed changes will likely be implemented and users can expect even more of their personal information to be exposed publicly based on Facebook's determination that people are and should be more public.

Users will now find that much of their personal information is becoming publicly available, whether they like it or not. What does "publicly available" mean?

Publicly available information includes your name, profile picture, gender, current city, networks, friend list, and Pages. This information makes it easier for friends, family, and other people you know to connect with you.

Publicly available information is visible to people visiting your profile page, and Facebook-enhanced applications (like applications you use or websites you connect to using Facebook) may access this information. It does not allow people without Facebook accounts to contact you.

The latest changes also introduce a new way of handling your interests. According to the Facebook blog:

More Connected Profiles

Some of you added information about yourself, such as your likes and interests, favorite books, music and movies, when you first joined Facebook. But we've noticed that more than three times as many of you have connected to Facebook Pages, such as those for bands, non-profits, universities or anything else you care about, as a way to express yourself. So to make it even easier to display your affiliations, we've improved the profile.

Now, certain parts of your profile, including your current city, hometown, education and work, and likes and interests, will contain "connections." Instead of just boring text, these connections are actually Pages, so your profile will become immediately more connected to the places, things and experiences that matter to you.

Here's how it works:

  • Opt-in to new connections: When you next visit your profile page on Facebook, you'll see a box appear that recommends Pages based on the interests and affiliations you'd previously added to your profile. You can then either connect to all these Pages—by clicking "Link All to My Profile"—or choose specific Pages. You can opt to only connect to some of those Pages by going to "Choose Pages Individually" and checking or unchecking specific Pages. Once you make your choice, any text you'd previously had for the current city, hometown, education and work, and likes and interests sections of your profile will be replaced by links to these Pages. If you would still like to express yourself with free-form text, you can still use the "Bio" section of your profile. You can also use features and applications like Notes, status updates or Photos to share more about yourself.

This may not seem like a problematic change but it could be for someone who has interests that they may prefer to be kept relatively secret or at least limited to a smaller group of friends (take a look at the EFF's post about these changes).

Another controversial change is Facebook's plans to work with content providers it has pre-approved to share your personal information with them. What will happen is that you will see content more tailored to your preferences or profile when you visit these sites and will have to opt-out if you don't want to be greeted with this level of customization. This has attracted some attention and Facebook responded as follows:

We also received questions about the proposed new language in the Privacy Policy relating to our plans to work with some pre-approved partner websites to offer a personalized experience when you arrive at these sites. Based on your comments, we think it's important to clarify a couple of points, even though this program has not yet been launched or even finalized.

First, it's important to underscore that this will be a test with a handful of carefully selected partners to provide express personalization on their sites. These partners will be pre-selected, reviewed, and bound by contracts with Facebook – much like other partners we have worked with in other contexts to deliver unique and innovative experiences. For example, we're working with Yahoo! to integrate Facebook across their properties, AOL to integrate our chat with AIM, and we first partnered with CNN.com to make their broadcast of the Presidential Inauguration more social with the launch of the Facebook live stream application.

In addition, partners who participate in this test will be required to provide an easy and prominent method for you to opt out directly from their website and delete your data if you do opt out. There will also be new features on Facebook.com to help you control your experience when you visit these sites.

In sum, the core idea behind this test is to work with partners to enable them to present you with a better, more relevant, and tailored experience when you visit their sites. While we have not finalized these features or partnerships, we think this is an exciting opportunity to make surfing the web a smoother and more engaging experience for people who use Facebook.

Again, this may give rise to an improved experience of those sites for many but what about Facebook users who don't want their profile information to be handed to these content providers? What about users' choice whether to pass that information along like they have with the current Facebook Connect option many sites implement? Facebook has decided (or perhaps Mark Zuckerberg, Facebook's 20-something leader, has decided) that we should be more public with our personal information and it is forcing a change in our habits to make the social Web fit this determination. I don't know about you but I object to that as a user and as a lawyer despite how public I am online. I want to have a choice about what I want to share and what I want to keep private.

Instead we have posts from Facebook telling us how much better we would be if we shared more with other people and if we used Facebook more to do just that. This sort of thing sounds a lot like propaganda to me to support someone else's decision about my personal information.

I keep thinking back to that line in Spider-Man where Uncle Ben tells Peter Parker that "with great power, comes great responsibility". Facebook has more than 400 million users. If Facebook was a country it would be bigger than the United States in terms of population, below China at 1.3 billion people and India at 1.2 billion people. There are more than 1.5 billion people using the Internet. Facebook's users make up just less than a third of that number. By any measure, Facebook controls a significant number of people's personal information and rather than taking steps to protect its users, who should be given meaningful control over their personal information, Facebook is adopting a very paternalistic approach to this and is making these decisions for us based on a consent we gave to a previous version of its privacy policy and terms (yes, this is a direct consequence of you just checking the "I agree" box and signing up with Facebook in the first place - how is that for the power of a site's terms and privacy policy?). If this doesn't scare you, it should.

So what are the options? Opt out of Facebook? Perhaps but given Facebook's size and growing influence on the social Web that could be the equivalent of opting out of society and heading for the hills. Another option is to remove the personal information you don't want shared but that would just detract from your profile's value to your friends. It is a difficult dilemma for many.

The bottom line here is that Facebook does not respect its users' right to determine what is done with their personal information on Facebook, especially where those users don't want a stripped down Facebook experience.

MWeb ADSL launch illustrates why Legal should talk to Business

MWeb launched its new uncapped ADSL products on Thursday to both fanfare and criticism. While many commentators on Twitter cheered MWeb on for its low prices that have made uncapped ADSL possible for families which were previously saddled with low bandwidth caps and otherwise prohibitively high ADSL costs, a number of commentators started to read MWeb’s ADSL Service Terms (“the terms”) and pointed out a number of inconsistencies between the message that MWeb’s marketing team were sending out into the marketplace and what the terms themselves said. As the terms read, they watered down MWeb’s claims of an uncapped and, depending on whether you chose a home or business option, uncapped ADSL solution. The terms were described as “Draconian” and generally regarded as painting a very different picture to the marketing-speak.

While MWeb quickly became aware that the terms don’t correspond with and support the business and marketing teams’ intention for the uncapped products and quickly took steps to correct the misconceptions that arose from a cursory analysis of the terms, this launch has become a case study of both how to engage with fans and critics on the social Web as well as the necessity for terms and conditions to correspond with and support both the business and marketing imperatives for the product in question. What impressed me as a social media lawyer is how MWeb’s management quickly came out and clarified its intentions for its products, addressed the concerns raised and instructed its legal team to amend the terms to bring them into line with the products’ intended specifications. I was consulted very briefly and superficially on how best to amend the terms so I won’t discuss the terms further but MWeb’s approach to the apparent inconsistencies is admirable.

What I would like to highlight is the general importance of aligning terms and conditions with business objectives. It is trite that most people don’t actually read terms and conditions despite these documents being so important. I’ve written a number of articles that highlight why terms and conditions matter in very real terms on this site (feel free to take a gander through the archives for examples like FNB’s How Can We Help You terms, Twitter’s terms of use and why website terms and conditions matter). The simple fact is that when the proverbial poo hits the fan, the reference point is the applicable terms and conditions. These frequently understated documents are legal contracts that generally bind users to a legal framework they are far too often unaware of because they don’t take the time to read them.

The risk with the MWeb terms being inconsistent with the products’ specifications which its business and marketing teams communicated through the media and on services like Twitter is that if push comes to shove and a dispute arises while these terms remain in force, the terms themselves will be used to resolve the dispute, not the series of interviews and tweets published online. At worst, these contradictory messages may create a contractual quagmire for MWeb and harm MWeb’s reputation and undermine its efforts to sell what appears to be a great product range that will radically change how a substantial number of South Africans access the Internet. In other words, poorly drafted terms and conditions can damage or even scuttle even the best of intentions. Another thing to bear in mind is that even if your terms and conditions accurately reflect your intentions for your products or services, they must be drafted in plain language or they will fall foul of the new Consumer Protection Act. Complex legalese can be your enemy too.

The question you should perhaps ask yourself, as a service provider, is whether your terms and conditions support or undermine your business? Is your legal team on the same page as your business team or is all that legalese just getting in the way?


Image credit: Vanishing by timtom.ch licensed under a Creative Commons Attribution Non Commercial ShareAlike 2.0 license

The right to link and your freedom of expression

A number of companies have a curious clause in their website terms of use that prohibits anyone from linking to their websites. I wrote about one example of this a while ago when I mentioned provisions in Standard Bank's conditions of access (I'm afraid you are going to have to find the terms yourself, I am not permitted to link to them although I have quoted them in my post). Standard Bank is by no means the only company that does this and this tendency continues to both puzzle and frustrate me both as a blogger and a social media lawyer. It just doesn't make much sense to me.

I recently came across a post by Jeff Jarvis titled "The right to link" which got me thinking about this issue again, this time in the context of the freedom of expression enshrined in our Bill of Rights which states the following:

16 Freedom of expression

(1) Everyone has the right to freedom of expression, which includes-

(a) freedom of the press and other media;

(b) freedom to receive or impart information or ideas;

(c) freedom of artistic creativity; and

(d) academic freedom and freedom of scientific research.

(2) The right in subsection (1) does not extend to-

(a) propaganda for war;

(b) incitement of imminent violence; or

(c) advocacy of hatred that is based on race, ethnicity, gender or religion, and that constitutes incitement to cause harm.

The section of the right that interests me for the purposes of this post is article 16(1)(b) which protects the freedom to "receive or impart information or ideas". A hyperlink (that typically blue link you click on in your browser which takes you to a web page or location on a web page) is a reference of sorts. Wikipedia defines a "hyperlink" as follows:

In computing, a hyperlink (or link) is a reference to a document that the reader can directly follow, or that is followed automatically. The reference points to a whole document or to a specific element within a document.

One of the definitions of a "reference" which I found on Google is the following:

A reference is something such as a number or a name that tells you where you can obtain the information you want.

So one way of thinking about a hyperlink is as a reference to information. Surely part of receiving or imparting information or ideas is making reference to them, as article 16(1)(b) seems to contemplate? Hyperlinking has become a contentious issue in the context of online news sites, particularly Rupert Murdoch's online News Corp properties. Murdoch has linked (excuse the pun) the issue to a copyright issue because the contention that Google is stealing already pressured newspaper publishers' content is a particularly emotional one. In his op-ed piece in the Wall Street Journal last year, Google's CEO, Eric Schmidt, presented a very different perspective. The whole article is worth reading but this extract stood out for me:

Google is a great source of promotion. We send online news publishers a billion clicks a month from Google News and more than three billion extra visits from our other services, such as Web Search and iGoogle. That is 100,000 opportunities a minute to win loyal readers and generate revenue—for free. In terms of copyright, another bone of contention, we only show a headline and a couple of lines from each story. If readers want to read on they have to click through to the newspaper's Web site. (The exception are stories we host through a licensing agreement with news services.) And if they wish, publishers can remove their content from our search index, or from Google News.


This brings me to a myth one of the fathers of the Internet, Tim Berners-Lee, dispelled in April 1997 on a webpage titled "Links and Law: Myths":

Myth: "A normal link is an incitement to copy the linked document in a way which infringes copyright".

This is a serious misunderstanding. The ability to refer to a document (or a person or any thing else) is in general a fundamental right of free speech to the same extent that speech is free. Making the reference with a hypertext link is more efficient but changes nothing else.

When the "speech" itself is illegal, whether or not it contains hypertext links, then its illegality should not be affected by the fact that it is in electronic form.

Users and information providers and lawyers have to share this convention. If they do not, people will be frightened to make links for fear of legal implications. I received a mail message asking for "permission" to link to our site. I refused as I insisted that permission was not needed.

I added the emphasis to the first paragraph of the response to the myth because I believe that encapsulates what it means to link to something on the Internet - it is an exercise of a right to free speech. In the context of the South African Bill of Rights, this equates to the broader freedom of expression.

Jarvis expressed the point in privacy terms and this makes a lot of sense too:

Right. Linking is not a privilege that the recipient of the link should control – any more than politicians should decide who may or may not quote them. The test is not whether the creator of the link charges (Murdoch’s newspapers will charge and they link). The test is whether the thing we are linking to is public. If it is public for one it should be public for all.

...

In the end, this fight is over control. News Corp is desperately trying to maintain its control over access to and packaging and pricing of information that now flows freely from many sources. Thanks to the internet, it is losing it – in more than one sense.

Clauses in terms of use that prohibit links to otherwise publicly accessible web pages are an affront to the freedom of expression and make about as much sense as newspaper publishers turning away "100,000 opportunities a minute to win loyal readers and generate revenue—for free", even if it is on a smaller scale. Reading the response Standard Bank sent to me and which I published in my post, it seems that News Corp isn't the only organisation obsessed with controlling the hyperlink. Any organisation which attempts to control who may or may not link to publicly accessible web pages is in the same boat.

What does this mean in real terms? Well, a clause prohibiting hyperlinking, perhaps even deep-linking, may be unconstitutional if it does, as I suggest, unjustifiably infringe the freedom of expression. That being said, I don't see a case reaching the Constitutional Court any time soon, if at all. Another question which you may ask is whether the terms of use have any significance where crawlers and other electronic agents traverse the Web automatically linking to these websites? The short answer is that in terms of the Electronic Communications and Transactions Act, an electronic agent can bring its principal into a contractual relationship with a site owner. The underlying contract would be the terms of use.

In real terms it may just mean that organisations which incorporate these linking prohibitions into their terms are starving themselves of oxygen online when they deny visitors the opportunity to link to their sites and develop a connection to the organisation or brand behind the site. As Jeff Jarvis put it in his post titled "The link economy v. the content economy":

... Let’s say that the real value in this equation is not content and information — both of which are now quickly commodified — but links, which are the new currency of media. Links can be exploited and monetized; get links and you can grab audience and show ads and make money. Content is becoming a cost burden, what you have to have to get the links, but in and of itself, content can’t draw value without an audience, without links.


Postscript: I would like to just point out that the purpose of this post was not to single Standard Bank out as a fundamental rights violator. I have previously written about its terms of use so it was a convenient example to use in this story.

Does your company have a social media policy?

The social Web can be a scary space for a company venturing out and adopting social media initiatives as part of their overall marketing strategies. Engaging with customers on social media platforms like Twitter and Facebook involves a loss of control over the message and the conversation.

Actually, I don't believe companies and brand owners have real control over their brands and the conversations springing up around their brands largely due to the distributed and viral nature of these platforms. What companies can attempt to do is engage with the people who are talking about them and their brands and participate in a brand and relationship building exercise.

Now this sounds like the sort of marketing speak you might expect from, well, marketing types but an awareness of these sorts of dynamics is essential if you have any hope of understanding and working with the legal issues that arise out of social media initiatives. One tool which a growing number of companies are using is a social media policy. This video interview with Adam Brown, Head Of Social Media at Coca-Cola, gives a pretty good overview of what a social media policy should address (thanks to my client who referred this video to me):

I really like Coca-Cola's approach to its social media policy. A big part of the policy is intended to establish a broad framework (in this case a set of principles and values) that governs how various stakeholders make use of social media based on their roles within the organisation. I firmly believe that educating employees and other stakeholders about the social Web and social media tools goes a long way to reducing exposure to liability.

Combine that with a clear and carefully thought out framework that caters for the multitude of regulatory and other relevant compliance considerations and you are better equipped to manage the uncertainties that remain part and parcel of social media marketing campaigns and initiatives. It is also a good idea to approach a social media policy from the right perspective as lawyers. Lawyers have a tendency to try and cover all the bases and create documents that are very specific and prescriptive. The challenge with social media policies is that their subject matter is virtually in a state of constant flux as new services emerge and new uses for existing services become popular. A policy that is too specific will quickly become irrelevant or just inappropriate.

In addition, the process of developing a social media policy should create a better awareness of what the various social media tools can help the company achieve, where the risk areas are and strategies to help manage them. A better awareness means a more informed decision making process and the comfort of having a plan to deal with issues which may pop up along the way.

Social media policies will become increasingly valuable as more businesses start using social media. Just remember that social media policies, perhaps more than any other policy document, should be reviewed regularly to ensure that they remain relevant, appropriate and effective.

Changes at Jacobson Attorneys

Perhaps the biggest change is that Jacobson Attorneys is now a partnership. My partner is Shirley Fodor and she has joined from Tabacks where she was a director. Here is a little information about Shirley from her profile:

Shirley Fodor completed her studies (BCom, LLb LLM Public International Law (Cum Laude)) at the Rand Afrikaans University (now the University of Johannesburg) in 2000 and articled with the late Julian Solomon in commercial litigation. Upon completion of her articles she spent two years in academia at Rhodes University and the University of the Witwatersrand, lecturing in the law of contract, the law of negotiable instruments, commercial law, company law, public international law and the law of civil procedure. She joined Mervyn Taback Incorporated and Taback and Associates in 2005 where she accepted a directorship in January 2007 until she resigned in December 2009 to join Jacobson Attorneys. Shirley is additionally qualified to practice in England and Wales.

Shirley is well versed in all aspects of commercial law and has experience in various sectors of industry including the mining sector and fast moving consumer goods. She has been involved in numerous high profile mergers and acquisitions, BEE restructures, listings and is frequently called upon to provide opinions on various aspects of these transactions.

Shirley is heading up the firm's commercial department and will handle a range of commercial and corporate work from general agreements to mergers and acquisitions, corporate restructuring and listings.

Shirley is supported by Efi Bar-on who is consulting to Jacobson Attorneys. Efi is an experienced commercial attorney who did articles with me at Werksmans, worked at what was then Jowell Glynn & Marais as well as at one of the big banks in its legal department. My focus will be more on Web and digital media related matters for the most part. I have also taken on the role of senior partner in our new partnership.

We are re-positioning the firm as a focussed commercial, corporate and Web/digital media law firm and will start becoming more selective about new clients.

We have also updated our terms of appointment to increase our hourly rates and modify our retainer fee structure a little.

Does your mobile network respect your privacy?

With all the concern about how much of your personal information providers like Google and Facebook collect and what they do with it, it's easy to lose sight of a potentially bigger threat to privacy much closer to home. While there are roughly 5.2 million unique Internet users in South Africa, there are in excess of 50 million mobile phone connections in South Africa (figures sourced from World Wide Worx). Given the number of South Africans using mobile phones, it is important to ask how much of our personal information the networks have collected and what they are doing with that personal information.

My brother has been involved in a dispute with MTN about some anomalous data charges for some time now and an MTN representative recently sent him a spreadsheet detailing every Web address he visited with his mobile phone over the period of a month. He has an iPhone. The spreadsheet has over 19 000 entries and includes Google mail accounts, Facebook links and many more. Many of these Google mail links are links to specific mail items although you would still need to be logged into his account to view the mail items. I had two thoughts when he told me about this list and when I actually took a look at it for the purposes of this post. The first thought is that there was a fair amount of controversy over Google's Web history feature in Google Search a while back. If all the mobile networks are collecting this data, it is arguably as bad, or more of a threat to personal privacy than Google's Web history. Consider the sites you visit on your mobile phone and ask yourself whether you want that information collected? A related question is what else MTN knows about you? If it is collecting a detailed browsing history, is MTN also caching the pages you visit?

The second thought I had was more of a question really. Does MTN's privacy policy cater for this degree of personal information collection? In other words, does MTN have permission to collect this personal information?

MTN's privacy policy published to its website includes the following introduction:

1. Introduction

1.1. This website, which is accessible at www.mtn.co.za, is made available by Mobile Telephone Networks (Pty) Limited ("MTN").

1.2. MTN respects the privacy of your personal information. We have prepared this privacy policy to let you know how we will treat any personal information that may be provided to us. We will take all reasonable measures to protect your personal information and keep it confidential.

On the subject of personal information it says the following:

2. What is personal information?

In order to provide you with the services offered on this website, you may be required to provide MTN with personal information. Personal information is information which identifies you as an individual, including but not limited to, your race, age, contact details, any identifying number assigned to you and any information relating to transactions in which you have been involved.

3. What we collect

3.1. On some web pages of this website, you may be requested to provide certain personal information. The types of personal information collected at these pages may include your name, handset details, contact and billing information, and transaction information.

3.2. In order to tailor our subsequent communications to you and continuously improve our products and services, we may also ask you to provide us with information regarding your personal or professional interests, demographics, experience with our products and this website, and more detailed contact preferences.

So far the categories of personal information MTN collects are more or less what you would expect as a mobile phone user. It is the personal information you give your service provider when you sign up for a contract or buy a pre-paid SIM card. Bear in mind that despite the emphasis on personal information collected through the site, this privacy policy is also intended to govern personal information to enable MTN to "provide you with the services offered on this website". This seems to include your mobile phone service itself.

The only real mention of tracking your browsing habits is in the section dealing with cookies in your Web browser:

MTN uses cookies. When you visit a MTN website, we place a text file called a "cookie" in the browser directory of your computer's hard drive. A cookie is a small piece of information that a website can store on your web browser and later retrieve. The cookie cannot be read by any website other than the one that set up the cookie. Cookies enable this website to recognise the information you have consented to give to this website, such as the Lightboxes you have created, and help us determine what portions of this website are most appropriate for your professional needs. As a result, cookies will allow you to retrieve previous image search results, access Lightboxes with ease, and view your previous invoices. We do NOT use cookies to examine your surfing behaviour before or after leaving a MTN website. Cookies do not damage your system and do not collect your personal information. (emphasis added)

What is interesting about this section is that MTN says it specifically does not track your browsing habits. Granted this is in the context of cookies placed in your browser and the browsing history my brother shared with me appears to have more to do with the access point his iPhone is configured to use. At the same time it suggests MTN does not track the sites you visit and yet this is exactly what is going on behind the scenes.

The only real comfort in the privacy policy is MTN's limited assurance that it doesn't share or otherwise disclose your personal information (although the assurance seems to be confined to personal information disclosed when registering on the MTN website):

If you register on this website, we will not make your personal information available to anyone unless permitted or required to do so by law. We will therefore not sell, rent or provide your personal information to unauthorised entities or third parties for their independent use without your consent. We may, however, share your personal information with our affiliates within the MTN Group of companies.

Vodacom's privacy policy is a little more upfront about the fact that it tracks sites you visit although it anonymizes this information in contrast to MTN which retains not just the mobile number the browsing history is associated with but the date and time those addresses were visited. It is worth taking a look at Cell C's and Virgin Mobile's policies too if you use their services.

So why all the fuss? Well, despite not having binding privacy legislation in South Africa, there is a body of privacy law at a common law level, reinforced by the right to privacy in the Bill of Rights, which protects your privacy and personal information. Personal information should not be taken lightly. It goes to our identity in an increasingly connected and digital world and is connected to our right to dignity which is one of the primary rights in the Bill of Rights (to the extent there is a hierarchy). I wrote about the right to privacy a while ago in some detail but the following section is just as relevant here:

The right to privacy is a general right to privacy first. The individual rights are subsets of the more general right itself. There is a two step test used to determine whether conduct constitutes a violation of the right to privacy in the Bill of Rights:

  • Has a law or a party's conduct infringed the right, taking into account the right's scope; and
  • If there is an infringement, is it justified under the Limitations clause in the Bill of Rights?

The Limitations clause is article 36:

36 Limitation of rights
(1) The rights in the Bill of Rights may be limited only in terms of law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors, including-
(a) the nature of the right;
(b) the importance of the purpose of the limitation;
(c) the nature and extent of the limitation;
(d) the relation between the limitation and its purpose; and
(e) less restrictive means to achieve the purpose.
(2) Except as provided in subsection (1) or in any other provision of the Constitution, no law may limit any right entrenched in the Bill of Rights.

So what does this all mean so far? It means there is a general right to privacy which can be limited by a law that applies generally.

...

The general right to privacy should protect another important interest called "informational self-determination". This interest includes the ability to control what information is collected, how and when it is used. It also includes the ability to access information which is held by another party and be able to determine what personal information has been collected and correct it if it is inaccurate (the Promotion of Access to Information Act was passed to protect and give effect to this aspect of informational self-determination).

So what does all this mean? It means that not only would your consent be required to enable someone to collect your personal information where it isn't otherwise permissible but you have a say over what that information can be used for, not to mention the ability to find out what personal information authorised parties have collected and correct it if need be.

Perhaps the primary issue here is that MTN is arguably not informing its users exactly what personal information it is collecting about them. Its own privacy policy is either incomplete or it is misleading and this undermines what should be informed consent to collect and process personal information. Going further, users have no real idea what becomes of this personal information and whether it is disseminated to anyone.

To add salt to the wound, so to speak, what about the integrity of this personal information database? Is it accurate? Is it secure? Who has access to that information? Is your personal information leaking (or being leaked) to other providers? Have you found yourself receiving an unusual amount of spam on your mobile phone? Where are those spammers getting your details?

World Wide Worx recently reported the following trend:

The number of people banking from their cellphones has exceeded that of people banking from their PCs in South Africa, with more than a quarter of bank customers turning to their cellphones for services ranging from informational transaction types such as balance enquiries to financial transaction types which include account payments.

This is frightening news if your personal information associated with your mobile banking use is being collected by your network (and other providers) without your knowledge, let alone consent. Besides the increased risk of identity theft, this sort of information could enable some pretty detailed profiling and perhaps even breaches of security when it comes to banking services, email services and other sensitive services you access with your mobile phone.

Bottom line: We just don't know what is going on every time we open our phone's mobile browser. It could be bad, very bad.


Image credit: privacy by Alan Cleaver published under a Creative Commons Attribution 2.0 license

Changing perceptions of the social Web from a legal perspective

I was invited to speak at the IT Governance Forum/Conference yesterday in Rosebank. I spoke about social media and some of the legal challenges social media use introduces. I have this nagging feeling that many people don't take social media seriously enough to recognise that there are real legal challenges.

I made the point that social media is perhaps seen as a little warm and fuzzy and without all that much substance. There is a lot of emphasis on sharing and not all that much on the very real impact social media can have on a business' bottom line.

Many of the attendees at the event weren't familiar with Twitter, for example, and while Twitter might be seen as somewhat superficial, it can have a profound impact on a business if the right people spread bad reviews (or good, for that matter) to the right connections.

My slides are below if you are interested in the topics I talked about:

Oops, we just did a Facebook

On Monday I posted new terms of appointment which include a new variable fee model. The update was effective immediately and made in terms of an enabling mechanism in the previous terms of appointment which allow for autonomous updates. That mechanism is important because it allows this firm to update its terms of appointment across the board without the added complexity of revisiting terms of appointment with each client, each of whom may have different requirements. Individual negotiations would lead to an overly complex array of legal frameworks for different clients and managing those frameworks would be prohibitively expensive. This is a mechanism common to virtually every business' terms and it exists for practical reasons. That being said, there is no reason why the process of updating terms of appointment (or other terms, for that matter) shouldn't take clients' feedback into account where possible.

Updating our terms of appointment the way we did was a little reminiscent of how Facebook updated its website terms of use back in February 2009. The terms were updated without specifically informing users and contained some pretty onerous terms that many users were very unhappy with. This isn't to say that our terms of appointment are equally onerous but there are certain aspects of the terms which some of our clients have raised concerns about, in particular the (now proposed) variable fee model.

I thought it would be a good idea to practice what we preach so I have set up a survey designed to elicit feedback on various aspects of our fee model and to help us design a fee model our clients will be more comfortable with. For example, I am not a fan of the typical law firm billing model which is typically based on an hourly fee but some clients prefer it. We would very much appreciate it if you could take the time to complete this survey below and give us feedback, even if you are not one of our clients. Odds are, you are someone's client and you have your own thoughts about which fee models work for you and which ones don't.

Our goal is to complete our review process by the end of December and to implement updated terms of appointment by 1 January 2010, so please submit feedback before then.