Download - Social Media And Privacy October 9 2009
Privacy and Disclosure Minefields in Social Media: Identifying and Overcoming the Key Issues and Challenges
MANAGING SOCIAL MEDIA
October 6-7, 2009
Sutton Place Hotel, Toronto
Mark S. Hayes
Martin P.J. Kratz
Ariane Siegel
Outline
  Introduction – Privacy Issues and Social Media
  The Facebook Decision
  Reasonableness
  Managing Privacy Related Liability for Social Media Operators
  Social Media and Litigation
  Social Media and Children
  Questions
Introduction – Privacy Issues and Social Media
Privacy Issues and Social Media
Social Media is all about sharing personal information
A new dimension to the way people interact
Role similar to what local newspapers and radio stations once did: bring a community of people with common interests and values together to share ideas
Platform now reaches multitudes of people simultaneously
Includes ability to interact instantaneously and share not only printed information but rich media, with pictures, music, videos
Privacy issues affect website operators and their affiliates, advertisers, users, hackers, employers and law enforcement
Raises issues on knowledge and consent for lawful uses
Privacy Issues and Social Media
Business, legal and technology issues intersect
Target audience (jurisdiction, age, business)
What personal information will be posted
What personal information will be collected
How will personal information be used
Will personal information be shared (developers, other third parties)
How long will personal information be retained
Where will personal information be processed
Safeguards
Access
Privacy Issues and Social Media
More Canadians on Facebook than…
Study of 2000 young people
Dr. Avner Levin at Ryerson, more than 48% log on more than once a day
Attitudes about OSN – not too much concern that personal information would be accessed by employer
Lots of personal information posted
OPC Study: Focus Testing Privacy Issues and Potential Risks of Social Networking Sites
http://www.priv.gc.ca/information/survey/2009/decima_2009_02_e.cfm
Privacy Issues and Social Media
More Canadians on Facebook than…
Young Canadians have a unique perception that we call network privacy (Levin)
Privacy concerns relate to personal information ending up in “unauthorized” social network
They believe they can control online presence and feel largely accountable for breaches
The Facebook Decision
The Facebook Decision
Complaint Against Facebook by CIPPIC
Key Issues:
  Application to non-Canadian website operators
  Advertising
  Consent of non-members
  Sharing of Personal Information with Third Parties
  Data Retention / Account Deactivation
The Facebook Decision
APPLICATION
Underlying assumption - PIPEDA applies to website operators collecting personal information of Canadians
Lawson v. Accutech
PIPEDA not long arm statute
Would not apply to entities without infrastructure / employees in Canada
FTC similar approach, COPPA applies to any website operator collecting personal information about Americans
The Facebook Decision
ADVERTISING
Facebook needs revenue to offer service
Advertising is essential to the provision of the service, and persons who wish to use the service must be willing to receive a certain amount of advertising.
Facebook Ads - Aggregate information given to advertisers
Targeted ads delivered - non-invasive
No opting out
Social Ads can opt-out
The Facebook Decision
CONSENT OF NON-USERS
Resolution: Facebook agreed to provide information users need to ensure that they have the consent of non-users to share their e-mail addresses with Facebook
Company must exercise reasonable due diligence to make sure this is happening
The Facebook Decision
SHARING OF PERSONAL INFORMATION
Key Issues: Sharing of Personal Information with developers
Resolution: will prevent an application from accessing information until it obtains express consent for each type of data it wants to access
The Facebook Decision
DATA RETENTION
Facebook keeping Personal Information for long periods
Deactivation does not mean deletion
Resolution: Notice and deletion option
Facebook agreed to make it clear that users have the option of either deactivating their account or deleting their account.
No prescribed retention period
Reasonableness
Reasonableness
Reasonableness is a flexible and adaptable concept
  Can adapt to specific circumstances
  Can change over time
The requirement of “reasonableness” is inherent throughout Canadian privacy law
  Threshold issues
  Extent of disclosure
  Security
  Etc.
Reasonableness
There is a reasonableness threshold
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Where an organization collects, uses or discloses personal information, it may do so only to the extent that is reasonable for meeting the purposes for which it was collected, used or disclosed.
Reasonableness
Basic Privacy Compliance Question:
Is it reasonable to permit the collection of personal information by Facebook from users in exchange for the free service Facebook offers?
Facebook decision
  All users receive Facebook ads, cannot opt out
  Traditionally Privacy Commissioner distinguished between primary and secondary marketing purposes
  Finds advertising is essential to the provision of Facebook’s service and persons who use the service must accept some ads
Reasonableness
Who decides what is reasonable?
  Privacy Commissioner’s office applies objective test
  Facebook’s user feedback is not determinative
While a protective standard – what happens when the culture changes underneath the objective assessment of what is reasonable?
Reasonableness
Is reasonableness different for web collection, use and disclosure?
Is there a discrete internet culture to which a different standard might apply?
The acceptance of compulsory ads on Facebook was seen as reasonable, a departure from traditional privacy analysis
Courts and tribunals, however, have consistently applied the general law as applicable to the Internet
Reasonableness
Internet Culture is different
The sense of what is reasonable is different on the web
Barlow, EFF (1996)
"Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather."
Reasonableness
What are users sharing on social media sites?
Is it “reasonable”?
Estimated 61% of 13-17 year olds have a profile online
Half with pictures
Much of the social network information may be kept private but only if the privacy features are turned on.
What does your child say about herself?
What information is an invitation to ID theft or worse?
Social Network Profile Information
Basic – gender, hometown, DOB, political & religious views
Education – high school and post secondary institutions, dates
Contact – address, email address, IM screen names, telephone & cell numbers
Work – current and previous employment/employers
Relationship – status, sexual orientation
Picture – photos of you, family, friends, school mates
Personal – activities, interests (music, movies, quotations)
Groups – names and links to all the groups and networks you join
Social Network Profile Information
Typical information on Facebook, U Guelph study 2008
Birthdates 96%
E-mail 85%
Relationship status 81%
Personal interests 58%
Current city 42%
Phone number 24%
Social Network Profile Information
Likelihood to post information (out of 7 max), U Guelph study 2008
Profile photos 6.6
Traveling photos 6.17
Photos with boy / girl friend 5.91
Photos in Bikini / swim suit 4.23
Photos making out 2.52
Photos doing something illegal 2.45
Photos doing drugs 1.99
Naked photos 1.49
Reasonableness
Is there any privacy expectation left on the web?
Emily Nussbaum, writing in the New Yorker, identifies a generational trend. It is only the older generations that still seem to care about privacy.
“Say Everything
As younger people reveal their private lives on the Internet, the older generation looks on with alarm and misapprehension not seen since the early days of rock and roll. The future belongs to the uninhibited.”
Nussbaum writes beginning with a 26 year old bartender who, among other things, has posted nude pictures of herself on her MySpace page but sees it all as a way to document her life and share it with others.
Will she think so positively of it when she seeks to get married, changes jobs, etc.?
http://www.nymag.com/news/features/27341
Reasonableness
Emily Nussbaum’s conclusions are:
  There is a true generational gap
    last one was 50 years ago
  They think of themselves as having an audience
  They have archived their adolescence
  Their skin is thicker than yours
Reasonableness
Young people seem to accept that the idea of a private life is an illusion
Maybe they are correct
We live in an age of surveillance
  Security cameras on the streets, train stations
  Transaction details tracked every time you swipe your Starbucks card, use a debit card
  Your employer monitors your emails
  The NSA monitors your telephone calls
Our lives are lived in public whether we seek to acknowledge it or not …
Reasonableness
But it can go too far …
Poor choices are harder to erase or forget
“Susie's” 2000 “special” video for her (then) boyfriend
Posted on the web, becomes a viral video
Paris Hilton sex tape 2004
In the public there has been a dramatic shift in what is considered reasonable
20 years earlier Miss America lost her crown for a similar expose
What will be “routine” in 10 years or 20?
Reasonableness
Is privacy an antiquated concept?
Will the Facebook generation live to regret what they have shared with others?
Do the earlier generations just have to get used to a new way of thinking about privacy?
How does a privacy commissioner’s office confront a generational attitude change to the concept of privacy?
Which generation gets to decide?
How will that shift the view of what is “reasonable”?
Reasonableness
Acceptance of the Facebook ads for access to the social media service was found reasonable
How far might that go?
Would that change if it became a paid site?
Managing Privacy Related Liability for Social Media Operators
Managing Privacy Related Liability for Social Media Operators
Social Media Site operators face evolving legal and regulatory scrutiny
Operate in an environment of less legal certainty over their liability
Seek means to manage their own liability on various issues, including privacy compliance obligations
Typical approaches involve
  User acceptance of Terms of Use / Terms of Service
  User acceptance of risks
  Dispute resolution mechanisms
Managing Privacy Related Liability for Social Media Operators
Mere reliance on the Terms of Service alone is insufficient
Facebook approach to state a requirement for application developers in the applicable terms was found not sufficient to address Facebook's responsibility
Facebook required to take further steps to ensure developers were aware of the applicable requirement (to obtain consent in this case) and comply with it
Managing Privacy Related Liability for Social Media Operators
Additional means contemplated in the Facebook case included:
  Prominence to specific obligations in developer guidelines
  Adjust template to facilitate space for explanation for users
But mere warnings may not be sufficient:
  COPPA experience - consider the audience and the ability to understand the terms and warnings
  Avoid “legalese”
Managing Privacy Related Liability for Social Media Operators
Address all of the customary safeguards sought in any outsourcing
  Audit rights
  Data ownership and immediate access rights
  Controls
Addition of security measures where applicable
Restriction of access
Segregation of personal information and limiting access to only that strictly necessary for a specific function by a party
Managing Privacy Related Liability for Social Media Operators
Other options for social media operators to manage risk
  Facilitate the ability of 3rd parties to get direct user consent where applicable
  Identified for application developers in the Facebook case
Managing Privacy Related Liability for Social Media Operators
Shifting risk to the user
In the Facebook case users post personal information on non-members
Vulnerability from use of mobile devices
Becomes the responsibility of the Facebook user to obtain the consent, address security of own devices
Facebook may reasonably rely on users to obtain non-users’ consent … provided Facebook exercises due diligence
Important that Facebook informs users
Notification when applicable
Managing Privacy Related Liability for Social Media Operators
Reliance on 3rd party or privacy compliance verification process
Common under COPPA
Optional with Facebook for third party application developers
Advantages of compulsory vs. voluntary approach
Managing Privacy Related Liability for Social Media Operators
For social media operators other than Facebook …
… safety of the herd
In the absence of defined standards adoption of practices commented upon as acceptable becomes a risk mitigation approach
Social Media and Litigation
Social Media and Litigation
Recent explosion in cases involving social media issues
Most common types of cases:
  Family
  Criminal
  Personal injury
Social Media and Litigation
Uses for evidence from social media sites:
Evidence that party’s actions are inconsistent with positions or evidence in action (e.g. extent of disability)
Party’s “friends” or contacts belie claim that party did not know or have contact with an individual
Party’s communications (sent or received) are inconsistent with evidence or legal obligations (e.g. non-contact order)
Privacy and Social Media Evidence
Issues raised:
Is production of social media evidence prohibited by privacy statutes?
When can party be compelled to divulge contents of social media profile or pages?
When can social media site operator be required to divulge information such as IP address of subscriber?
Privacy Statutes and Litigation Exemptions
All Canadian personal information privacy statutes have exemptions for litigation production
PIPEDA: disclosure without consent if:
Required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information (s. 7(3)(c))
Required to comply with rules of court relating to the production of records (s. 7(3)(c))
Required by law (s. 7(3)(i))
Privacy Statutes and Litigation Exemptions
S. 7(3)(i) and latter part of s. 7(3)(c) will require party to litigation to disclose any relevant personal information in their possession or control
May still be subject to PIPEDA restrictions in hands of opposing party
In any event, implied undertaking of confidentiality will apply
S. 7(3)(c) will require third party to disclose personal information, but only in response to court order
Subpoena issued by party’s lawyer (as is allowed in many provinces) will not suffice
Provincial statutes are generally similar
Privacy Statutes and Litigation Exemptions
Litigants who tried to resist production of relevant evidence on basis of privacy consistently unsuccessful
Ferenczy v. MCI Medical Clinics (2004), 70 O.R. (3d) 277
Plaintiff tried to exclude damning surveillance evidence
Court found implied consent by plaintiff to surreptitious observation of personal injury plaintiffs when physical capabilities in issue
In any event, violation of PIPEDA has no direct impact on the issue of the admissibility of evidence
PCC has not accepted Ferenczy as precedent
Production of Social Media Evidence
Social media evidence is primarily a relevance issue, not a privacy issue
Privacy one factor to be considered in determining relevance and proportionality of requested production
Court will order production of “private” Facebook pages if there are sufficient grounds to conclude that they contain relevant evidence
Will not allow “fishing expedition”
Murphy v. Perger, 2007 Ont. S.C.
Motor vehicle accident
Plaintiff had publicly available site which contained photographs of the plaintiff engaged in social activities
Defendant requested access to private Facebook profile - plaintiff had 366 “friends”
Successful ex parte preservation motion to avoid spoliation
Facebook production ordered: given nature of Facebook and that plaintiff’s public site includes photographs, reasonable to conclude Facebook profile would as well
Any invasion of privacy is “minimal”
Leduc v. Roman, 2009 Ont. S.C.
Motor vehicle accident
No questions on discovery about Facebook
Medical exam: plaintiff told doctor “that he did not have friends in his current area, although he had “a lot on Facebook””
Defendant demanded production of all pages of plaintiff’s Facebook profile
Master refused production – SCJ overturned
Leduc v. Roman, 2009 Ont. S.C.
“That a person’s Facebook profile may contain documents relevant to the issues in an action is beyond controversy.”
Where party has both public and private profile, reasonable to infer that content on public profile similar to content on private profile
Where user has only private profile, can infer from social networking purpose of Facebook “that users intend to take advantage of Facebook's applications to make personal information available to others”
Facebook “likely contains some content relevant to the issue of how Mr. Leduc has been able to lead his life since the accident”
Production of Social Media Evidence
Appears to be open season on production of almost any social media information
Precise test to be applied will depend on nature of action
At this point, likely professional negligence not to:
  Look at social media sites in any case where character or activities of individual party or witness may be relevant
  Seek production if information not forthcoming
Must advise clients that relevant portions of web sites relating to them must be listed in affidavit of documents
Disclosure of Subscriber Details
Numerous criminal cases involving voluntary disclosure to police of subscriber information by ISPs
General rule is that disclosure is permitted under PIPEDA and Charter if subscriber agreement permits disclosure
No reasonable expectation of privacy
Same reasoning likely applies to social networking sites, although no cases yet
Terms of Service
Facebook: “We may be required to disclose user information pursuant to lawful requests, such as subpoenas or court orders, or in compliance with applicable laws. We do not reveal information until we have a good faith belief that an information request by law enforcement or private litigants meets applicable legal standards. Additionally, we may share account or other information when we believe it is necessary to comply with law, to protect our interests or property, to prevent fraud or other illegal activity perpetrated through the Facebook service or using the Facebook name, or to prevent imminent bodily harm. This may include sharing information with other companies, lawyers, agents or government agencies.”
Based on ISP cases, this would likely allow disclosure
Terms of Service
Google/YouTube: “We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.”
Not as clear – what is an “enforceable governmental request”?
Bottom Line
Courts are not going to pay much attention to “privacy” if it impacts on:
  Providing full disclosure
  Finding the truth
  Being fair to both parties
Where production right is questionable and information is very sensitive, privacy may be one factor of many to be considered in determining proportionality of request for information
In most cases, if you have made information available on social media sites, it is going to be produced
Social Media and Children
Social Media and Children
COPPA in US
Age screen for under 13
Sliding scale over 13 and over 18
CMA Guidelines in Canada
13, 14 and 15
Contact information only
Express Consent Teenager
13, 14 and 15
Personal information beyond contact information
Express Consent of Teenager and parent or guardian
Capacity to consent in Canada
Social Media and Children
Capacity to consent in Canada
Minor under 18 can’t give valid consent to contract contrary to their interests
Criminal Code Issues re consent
FTC DOB recommendations: don’t encourage lying
Note Aspects of Facebook findings limited to users over 18
Social Media and Children
FTC wants sites to prevent children from back-clicking to change their DOBs once they have been blocked.
Facebook Agreement in May 2008 with 49 U.S. attorneys general.
  prevent underage users from accessing the site;
  protect minors from inappropriate contact;
  protect minors from inappropriate content; and
  provide safety tools for all social networking site users.
Agreed to implement and enforce the feature of “age locking”, monitor and review the profile of any user who initiates an age change indicating that he or she is over or under 18.
Questions
Mark S. Hayes
Martin P.J. Kratz
Ariane Siegel
Follow Up
Martin Hayes, [email protected] 416-966-ELAW (3529)
Martin Kratz, [email protected] 403 298 3650
Ariane Siegel, [email protected] 416 369 7228