Having arrived from Dublin the night before as part of a triangular journey (Stansted-Dublin, Dublin-Edinburgh, Edinburgh-Stansted), I was first up on Tuesday morning with my own presentation.  This time around, my topic was What We Talk About When We Talk About Google (or WWTAWWTAG as it is in my notes).  The idea for this presentation came from earlier (and as yet, incomplete) work on the Google Books case, and how it seemed to come at a time when Google’s treatment by politicians, NGOs and academics was in a state of flux.  Google is also involved in some of the most controversial media and technology policy issues on the table right now, everything from net neutrality to privacy.  So it seemed interesting to dig a little deeper. My presentation (which you can download here as PDF) was therefore an attempt to explore the question in the title in a number of different ways.  For example, I looked at the ways in which both courts and parliamentarians in the UK refer to Google – and compared that with a sample of news coverage, finding not just some differences (with the parliamentary discussion still focusing on Google as a general resource for search) but also some interesting internal differences within the media (in this sample, the Daily Mail / Mail on Sunday got very upset about Google Street View).  I also illustrated the different faces of Google through various parodies/cartoons produced by others, and talked about the various friends and allies that are found in Google’s public policy activities, and the result in the Viacom case.  I do hope to do some more detailed work on this, as it was more interesting (to me, at least) than I had thought.  Curiously, it also drew quite a lot of good laughs, with Ray Corrigan giving it a joint comedy award.  This is not my usual territory.  I don’t think my students would write ‘stand-up comedian’ on their feedback forms.

Luckily, the following presenter, Trevor Callaghan, had genuine claim to the comedy tag, with a discussion of Google and social networking.  It was a really through and unquestionably unprintable exploration of the topic, made more lively by the use of Prezi and diversions into broader issues of data, identity and privacy.  It’s really interesting how he was able to get a sense of what Facebook’s business and cultural models are, and how they differ from other players often grouped alongside them.  The final presentation in that morning session was another Gikii serial offender, Andrea Matwyshyn.  Her presentation looked at issues of authorised access, with a particular focus on the US Computer Fraud and Abuse Act (CFAA) and similar legislation.  Her key arguments were the divisions between criminal and civil issues (in particular, the role of contracts and terms of service), and she mentioned a number of key US decisions (such as the Lori Drew case and Register.com v Verio) and the problems stemming from then, including a pretty obvious circuit split (e.g. the difference between IAC v Citrin and LVRC v Brekka).  She questioned the purpose of the CFAA and other legislation and whether it was meeting its aims.

The second session had yours truly in the chair, and it included a range of papers on the broad theme of intellectual property:

• Steven Hetcher, “Conceptual Art, Found Art, Ephemeral Art, and Non-Art: Challenges to Copyright’s Relevance“.  Steven’s talk (from a US point of view) considered the ‘discrimination’ against forms of contemporary art that, being ‘unfixed’, are not within the common concept of copyright law as based on fixation.  In some cases, the work is the process, with no fixed object … although if unfixed art is to be protected, does this raise questions of artistic merit as an alternative mechanism for delimiting the reach of copyright?  With a wide range of slides (including a Damien Hirst shark sighting), there was also time to talk about Christopher Lowry’s work as discussed in Satava v Lowry, a 2003 case.
• Gaia Bernstein, ”Disseminating Technologies“.  This paper was an attempt to go beyond the rhetoric of ‘IP wars’ and to discuss the acceptance and dissemination of new technologies.  It builds on the author’s recently-publisehd work on innovation (e.g. here).  She traced the differences between approaches to technology in the cases of copyright and patent, and the interaction of both with competition.  She put forward an argument that the user’s role was not given the treatment it deserves, and subsequently pointed to a number of situations of market failures where (due to network effects or the importance of time) specific intervention was necessary.  Really interesting stuff, and bonus points for talking about Minitel.
• Christopher Lever, ”Netizen Kane: The Death of Journalism, Artificial Intelligence & Fair Use/Dealing“. The third paper used some very creative metaphors and images that were both botanical and big-screen (Citizen Kane), with an introductory discussion of the future of newspapers and journalism and the relevance of fair use and fair dealing giving way to a critique of the failings of DRM and a thorough analysis of the work of Ozlem Uzuner on digital fingerprinting and unique expression.
• Chamu Kappuswamy, “Dancing on thin ice – Discussions on traditional cultural expression (TCE) at WIPO”.  The final presentation in a very busy session.  Her presentation provoked a lively online and offline discussion on what constitutes TCE in a British or Scottish context, but also offered some valuable points on differences (even where in apparent agreement) between the approaches of UNESCO and WIPO and between traditional knowledge (often patent-related) and cultural expression (often copyright-related), and the links between international legal efforts regarding TCE, folklore, and intangible heritage.

The afternoon session included an even wider range of presentations. Simon Bradshaw & Hugh Hancock talked about (and created live before our very eyes) the prospect of interesting legal issues pertaining to machinima, suggesting that the ease with which this type of audiovisual work can be created will continue to be a fertile one for legal action and academic analysis (not least the prospect of issues around new provisions in the Crime & Policing Act 2009).  Ren Reynolds (with Melissa de Zwart, who wasn’t able to join us in person) talked about online games, statutory regulation of such in Korea, analogies (and case law) from physical sports like rugby, and the relationship between the rules of the game and other laws and rules, and the contract/license distinction.  The last presentations zoomed out and looked at  developments across disciplines: Abbe Brown (presentation here) reviewed the various issues, forces and actors in Internet governance and international cooperation (highlighting different approaches and parallel debates), while Michael Dizon (presentation here) presented a post-Lessig/(Andrew)Murray analysis of ‘the network is the law’.

Also, we had cake.  And that’s it about Gikii for this year.  Don’t forget to download the presentations…

Anyway, the topic of the talk was ‘death and the web’, and these are my notes (handwritten at first, typed up on the train afterwards).  As always, this is my summary of what was said, please contact the speaker to verify quotes/assertions if you need a more formal report. But from now on, this is a paraphrased summary of what the speaker said.

Now for starters, this isn’t a topic that is mentioned all that often, except in dramatic events that make it into tabloid newspapers.  Yet with 400m Facebook users, some will be dead by tomorrow – and with the average age being 34 (in 2007 – probably older now), this is a developing issue.  So what happens to ‘digital assets’ – this doesn’t just mean virtual property in the sense of massively multi-player online role-playing games (MMORPGS), but a broader concept including profiles and personal data.  Who owns all this when you die – you or the platform?  The issues include preservation, succession, and value (economic, dignity or other wise).

Traditionally, we see ‘love letters’ and the like as important sources for research.  But the equivalent today may be an email, a YouTube song, a Facebook update or a blog post.  In our digital lives, many of us ‘self-map’ through web 2.0 services.  We may not keep a private diary, but some will share information with ‘strangers’.  Where is the balance, especially as between privacy and the public interest?  The Library of Congress announced this year that it had acquired all public Twitter messages (with some horrified at this) and services like the Wayback Machine (archive.org) are engaged in big projects.

But of course, much of the information we are talking about is in ‘walled gardens’; some may maintain their own sites but many others use services like Facebook.  This will mean accepting terms and conditions, and the existence of restrictions on ‘getting data out’, through both technical and legal means.  Digital assets can range from email to preferences on last.fm (would we like to know what famous poets listened to, if we had the data?) and even reputation such as that associated with eBay, which can have important economic consequences, or ‘friend of a friend’ networks.  The issues are both of data protection and ownership/IP.  In the case of the latter, we need to look at the license (non-exclusive but quite broad) as well as the restrictions on access.  Facebook is a service that has a ‘death policy’, i.e allowing particular relatives/friends of deceased (although not proper legal categories of succession) to apply to delete or memorialise the account (but not to take it over).  There is no way for the user to indicate a preference for actions after his or her own death – should there be?

So we see the impact of intermediaries, property, multiple parties and also the location (for legal purposes) of the relevant property.  Furthermore, there are wide disparities as between the practice of various services, such as Yahoo (complete deletion) vs last.fm (maintain as is part of community data).  Yahoo was indeed the subject of one of the few cases on this topic, relating to access to the email account of a deceased soldier.

In general: do we believe in privacy after death?  Both libel and data protection have restrictions.  Even something we understand (or think we do) like organ donation still provides for a family veto.  But think about email – would you want your family having full access?

There are various emerging suggestions, including digitalwills (like LegacyLocker), including passwords with the actual will – but most people don’t have wills, particular younger people who die suddenly.  Should we instead regulate the platform – or encourage disintermediation at the level of the individual user?

(Talk ends).

In the question and answer session, a number of additional issues were explored, including the role of self-archiving (noting that a lot of web 2.0 content is but a copy so the original can be treated differently), access to physical-digital artefacts (a portable hard drive, for example) after death, jurisdiction and choice of law questions, Gmail and the Data Protection Directive, the powerlessness of the individual user, and the relevance of probate orders (or similar devices) for virtual assets that may appear to be de minimis.

A very interesting talk, then, and one that takes on particular relevance as the Data Protection Directive is reviewed in Europe and the struggles of services like Facebook in dealing with high-profile privacy disputes continues.  I do wonder (and said from the floor) how researchers, librarians and archivists will deal with the opportunity (but also the dangers) of a very different type of record of the activities and communications of the deceased than many are used to.  Think too of the individual – I had an interesting conversation with a colleague recently about the role of the personal email archive – do you have every email you ever sent?  I have some (probably more than others), but not all (damn Hotmail automatic delete some time in the 90s), in a variety of formats and filing systems.  Others keep a single searchable file but not a system of folders, or purge on a regular basis.  But that’s certainly not the case for other (non-email) aspects of life.  Things to think about, for sure.

I’m delighted to present a guest post here – first time I’m doing this, but a very appropriate choice of topic. Oisín Tobin (who will start his own blog soon!) is a scholar and PhD Candidate in the Law School in Trinity College Dublin, where his work focuses on the legal regulation of ʻthe cloudʼ. He recently completed his BCL, with distinction, in Merton College, Oxford. Cloud computing is, of course, one of the most interesting legal and technical issues, and Oisín’s new blog will no doubt be an important source for information and debates on this emerging area. Over to him:

Clouds are likely to disperse, though there is a risk of litigation later in the week.
Ideas, particularly ʻbigʼ and influential ideas, have a way of percolating in the background before suddenly and forcibly thrusting their way upon the public consciousness. The past weeks may have marked marked such a watershed moment in the development of the cloud computing. Unfortunately, this unveiling has less resembled a technological revolution than a French farce.

The failure of the T-Mobileʼs Sidekick cloud based mobile phone system, due to somewhat unclear problems at its cloud infrastructure provider Danger (a subsidiary of Microsoft) and the resulting loss (but later apparent recovery) of personal data including contact details, photographs and messages has exposed, in stark, shocking and public terms, the unpleasant and large scale consequences that can result from a failure in the cloud. While consumers have long been conformable with cloud based services such as gmail and facebook this extremely public failure of a well established cloud computing service marks the first real public exposure of the nature and risks of cloud computing.

Unfortunately for T-Mobile and Danger/Microsoft the technical and PR headache created by this failure only represents the start of their difficulties stemming from this crash: where there are lots of unhappy people, a cock-up and money, one can be certain that the lawyers will not be far behind.

According to CNET at least two class actions have already been filed in the Californian courts, including one (Thomson v. T-Mobile) brought by KamberEdelson, a heavyweight firm that recently forced a settlement with Amazon over the unilateral, and deeply ironic, deletion of copies of 1984 and Animal Farm from usersʼ Kindles

So what are the legal issues that are likely to stem from this, and similar cases, and what do they tell us about the legal risks of the cloud?

Broadly speaking four sets of legal issues (conflicts, negligence, contract and consumer protection law) are likely to dominate any litigation in this area.

As a preliminary matter, it is necessary to bear in mind is the precise relationship between the consumer, T-Mobile, and Danger/Microsoft in this incident. From media reports, it appears that this service was based on a chain of contracts: the consumer had a contract with T-Mobile for the provision of this ʻsidekickʼ service; T-Mobile, in turn, had a contract with Danger/Microsoft for the provision of the cloud infrastructure on which the service ran. Indeed, it seems that consumers had no idea Microsoft was actually providing the infrastructure on which their mobile phones ran.

First up, we have to tackle some profoundly difficult conflicts of laws and jurisdiction problems. In the Thomson action we have two Washington based corporations (T-Mobile and Microsoft) and a Californian based company (Danger) being sued in Federal Court in California, by a customer resident in Georgia, due to a national failure of a mobile phone system. Jurisdiction is being claimed as proper because Danger (i.e. the cloud operator itself) is resident in California and as a result, the conduct complained of (i.e. the failure of the cloud) happened in California. This is so even though the unilateral contract between T-Mobile and its customers expressly bars class actions and requires arbitration or, in the alternative, that the consumer sues in the courts of his or her own state, which here would be Georgia. If the Federal Court accepts the case, it would create an interesting precedent, suggesting that a service provider that relies on the cloud may, despite having a choice of court and law agreement with their customers, find themselves being sued in the jurisdiction where the cloud is physically located (and the law of the place applied), on the ground that the wrong doing took place where the servers are located and/or operated.

The second issue, and the core of the Thomson action, is a claim in negligence. Negligence is a notoriously malleable tort, covering everything from inappropriately placed snails, to excessively hot coffee, to poor professional advice – how does it apply to the cloud?

In essence, Thomsonʼs argument is that T-Mobile, as the service provider, and Danger/ Microsoft, as the infrastructure provider, were both under a duty of care to consumers to protect and ensure access to consumer data. It is alleged that there was a failure to exercise reasonable skill and care in discharging this duty (particularly by the failure to invest adequate resources) causing loss. Although the Thomson pleadings simply refer to the negligence of the ʻDefendantsʼ, all lumped together, it is worth separating out the case against Danger/Microsoft from that against T-Mobile, since the details of any claim in negligence against them would necessarily be different.

In proceedings against the service provider (T-Mobile), the essence of the claim would be an assertion that they were negligent in contracting with Danger/T-Mobile to provide their infrastructure (or, at least negligent in failing to closely monitor Microsoftʼs performance). Such an argument, if it was successful, would seem to be the ultimate renunciation of the assertion that ʻno one ever got fired for buying Microsoftʼ! If such a claim was succeeded, it would seem to indicate that business that buy-in cloud computing power to provide services to their own customers, may be liable in negligence if their infrastructure provider doesnʼt prove up to the task.

As an aside, itʼs worth nothing that if a claim along these lines was brought in the UK or Ireland, then it may be bolstered by strong statutory support from European data protection law. The Data Protection Directive requires EU members to adopt laws providing inter alia that data controllers (such as T-Mobile) deploy sufficient technical measures to prevent accidental data loss and obliges them choose a data processor (as Danger/Microsoft would be described here) that also deploys sufficient safeguards. These statutory obligations could be seen as creating a statutory duty of care to safeguard data that may also ground a separate civil action in negligence.

Slightly different issues would be key in negligence proceedings against the infrastructure providers, such as Microsoft. Here, the key issue would be whether or not they are under
any duty of care to the end user of a cloud service, as opposed to the businesses with whom they contract directly.

However, even if a negligence case could be successfully made out against either Microsoft/ Danger or T-Mobile, the companies may seek to hide behind exclusionary clauses disclaiming any liability for negligence. This brings us to the second set of issues coming out of this dispute: contract law.

As was noted at the outset, we have two distinct sets of contracts on these facts: those between T-Mobile and its consumers, and between T-Mobile and Microsoft. As far as one can work out from media reports, there is no direct contract between Microsoft and the end users.
This last fact is vital, as Microsoft lacking any direct contract with consumers, would have no exclusionary clause to hide behind if it was hit in negligence. Moreover, assuming that traditional common law privity of contract rules applied to this dispute, it would seem that consumers would be unable to bring breach of contract proceedings against Microsoft for its failure to provide the service.

However, should a situation like this arise in future under English law, it is worth bearing in mind that the Contracts (Rights of Third Parties) Act 1999 allows for a third party to bring proceedings for breach of contract, where they form part of a class of persons who are expressly authorised to do so by the contract itself. Draftsmen writing English law cloud computing contracts should give some thought to whether or not the end users of a cloud computing service should be given such a right to directly sue the infrastructure provider.

So what then of the contracts between T-Mobile and its customers? Itʼs noteworthy that the Thomson complaint makes no reference to any breach of contract on the part of T-Mobile, despite the fact that the core of this dispute is T-Mobileʼs failure to provide its customers with a service they contracted and paid for. One wonders if this was due to the presence of half a dozen exclusionary clauses in the terms of service: Clause 5 allows for unilateral alteration of the terms of service; clause 7 specifically disclaims all liability for problems relating to service availability and quality; clause 17 allows T-Mobile to ‘limit, suspend or terminate’ the service, without notice, for any reason; clause 21 provides, to the maximum permissible extent, that the good is provided ‘as is’ and ‘with all faults’ and disclaims any implied terms of merchantability or fitness for purpose (!); clause 22 states, interestingly in a cloud context, that T-Mobile will not be liable for the problems caused by a third party.

Thus, it appears that, in effect, T-Mobile are not contractually required to provide a functioning service! They can walk away from the existing terms at their election and they are expressly exempted from any liability (including, it appears, in negligence) for any problems caused by the failure of its cloud providers. It will be very interesting to see if these exemption clauses allow it to escape liability on the facts.

Itʼs worth nothing however, that, if a cloud computing provider in England or Ireland sought to rely on such a clause they would likely face an uphill battle. Aside from the fact that contract which imposes liability on one party (the consumer) but not the other (the service provider) is hardly a contract at all, such a clause would seem apt to fall foul of the Unfair Consumer Terms Directive. Moreover, it may be set aside in equity as unconscionable.

Finally, the contractual relationship between T-Mobile and Microsoft is worthy of note. According to Techcrunch, a service level agreement, or SLA, is in existence that requires the Microsoft to maintain 99.5 of up-time. It is rumored that Microsoft is making payments in excess of 700,000 a day for breach of the SLA. Although this amount seems considerable, it is worth bearing in mind the massive, perhaps incalculable, brand damage that T-Mobile has suffered from this incident (see, for example, Perez Hiltonʼs expletive laden rant under the headline T-Mobile Seriously Screws their Customers ). In future, companies that will rely on the cloud to deliver services to their own customers may wish to consider the drafting the SLA to ensure that they will receive adequate compensation from the cloud provider for the massive PR damage likely to ensue in the event of an infrastructure failure.

The final legal issues that would be likely come to the fore in any law suit over this incident would stem from the consumer protection law. While consumer protection law is not an area that immediately springs to mind when one thinks of technology regulation, it may prove to be decisive in the area of cloud computing. Any legal issues in this area would result from the divergence between the profound marketing claims about the safety and reliability of cloud computing and the somewhat more uncertain reality. Indeed, lawyers who think they are drafting rock solid contracts for cloud computing companies, complete with ʻas isʼ and broad exclusionary clauses, may, in fact, be storing up trouble – if the companyʼs marking is based on claims of effective service, reliability and safety while the underlying legal reality is that the company offers no guarantees and only has to provide services on such terms as it sees fit, then such marketing may be seen as misleading consumers.

This divergence between the legal reality and marketing puff has already lead to a complaint against Google being lodged with the Federal Trade Commission. Moreover, Californian consumer protection law, along with negligence, it forms a central plank in the Thomas complaint. Its worth stressing that T-mobile is a Washington based company, being sued by a Georgia resident individual – yet the Thomson compliant contains an attempt to apply Californian consumer protection law, on the ground that the back-office cloud services were operated from Dangerʼs premise in California. If this claim succeeds, it could have profound effects on the development of a cloud – a company that buys in cloud computing services could find itself bound by the consumer protection law of the jurisdiction where the cloud itself is located, even where the material consumer transactions took place in another jurisdiction.

The success, or failure, of the cloud is not simply a question of business models and technology, it depends on law. If customers and business are not comfortable and certain of their rights with the cloud, then they will be slow to use it. The Sidekick failure represents the first proper legal test for the cloud – it remains to be seen how it will do.

The use of social media and various technologies by the conference participants (tag idp2009) has been useful, but it also underlines the importance of being critical friends rather than unabashed fans. With the experience of many attendees in the use of social networking sites, as well as the research and regulatory dimensions that others are familiar with, there is a strong responsibility on each person to highlight problems, potential gaps in the legal or political systems, and long-term implications. So far, we have seen this done in particular through questions from the audience. However, we cannot forget (and this was underlined through a show of hands) that we, the conference participants, are more likely to understand (and amend) our privacy settings than the public at large…

If someone had come along from the EU’s fabled Article 29 Working Party, they would most likely have shed a few tears of joy at just how influential its recent recommendation on online social networking (5/2009) has been, particularly the explanation given by Esther Mitjans. It has shaped the terms of our debate today, and while WP documents are not necessarily accurate predictors of further legislative action, it stands for itself as an important part of the debate, though with the note expressed by some questioners in the third session of the day that aspects of it may be unrealistic. There are good links here with Antoni Roig’s discussion of ethical engineering and how this is reflected in the opinion.

James Grimmelmann’s keynote address asked us (or wondered if we should or how we could) save Facebook, based on his forthcoming Iowa Law Review piece. Setting out the possible harms and the available solutions, he was conscious of the way in which users can pose threats to each other, but also of the weaknesses of quick legal solutions.

Two (living but absent) ghosts did affect our deliberations. The first was Boril Lindqvist, the well-meaning Swedish churchgoer who published information (including sensitive personal data) on a parish website, the subject of legal proceedings that went all the way to the European Court of Justice and forms the backdrop to the A29 opinion and the enduring idea that data protection in the EU is ‘different’. Mitjans’ discussion on both limitations and new vulnerabilities reflects the problems that the Court had with Lindqvist’s case and the various calls for reform of the Directive. The second presence is that of Lori Drew, who was charged with a computer misuse offence in the US in respect of her use of MySpace for what is sometimes termed cyberbullying, disobeying terms of use and being accused of unauthorised access on that basis. Just this weekend, we have learned that her conviction has been overturned, and this does indicate that shoehorning every social harm into narrow(er) legal categories is still resisted, but the broader conversation on age verification and on responsible use of social networking sites has been brought to us today, particular by Pablo Perez.

The reason that this conference comes at such a useful time is highlighted by how three news stories in the UK that have been published in the past 24 hours illustrate the academic questions that we have been discussing. These stories were: the disclosure that the new head of intelligence service MI6 (yes, the James Bond one) is the subject of family photos published on Facebook by his wife [an illustration of social risk assessment as presented by Grimmelmann but also of just how pervasive 'youth'-driven social networks are outside their core constituency!], the announcement that Phorm has lost its agreement with ISP BT to use deep packet inspection to provide contextual advertising [showing the power of privacy activism, usefully compared with the fuss on Facebook Beacon that Grimmelmann relied on so clearly, but also the unresolved issue of monetising that Barbara Navarro was very honest about], and finally the decision of the Press Complaints Commission that the Sunday Express should not have published its controversial story on the ‘Dunblane survivors’ based on publicly available Facebook profiles [the background to which can only be understood after hearing Antoni Roig's dissection of human dignity as a fundamental right and Franck Dumortier's analysis of decontextualisation and Facebook].

IP was on our agenda today, too, with Jane Ginsberg and Alain Strowel drawing on the ludicrous nature of some terms of use, but also going deeper into the operation of copyright in ‘web 2.0′ and how different types of use and distribution engage various aspects of the law in the US and EU. It was an important reminder that copyright is a multifaceted concept and that, where issues are unresolved, new web services highlight those issues and bring them to the forefront of legal and public debate. Questions like the definition of an intermediary, or even the narrower category of a ‘host’, do deserve full consideration, and the inconsistent approaches taken even within one jurisdiction makes it difficult to establish what the true rules are.

Some questions, then, as we move into a slightly less ‘legal’ set of presentations in day two. What will we do with these new websites, as they become established – and how will we stay safe? Are social network sites and the corporations that back them too powerful? We have seen useful academic work on search engines, and there is increasing interest in applying such analysis to our new friends in Facebook, MySpace, Twitter…and indeed, we may have reached a point where there is sufficient information and evidence to make some serious decisions on whether changes are needed (or indeed not needed) to relevant legal provisions. In earlier conferences I have attended, ‘wait and see’ has been a strong meme, but my impression of today’s discussions is that some questions, such as the terms of use debate, have reached a point where intervention will either happen and happen properly or be set aside as wholly undesirable or inappropriate. Please do follow our proceedings on day two as we try to answer (some of) these questions!

Back after coffee for a roundtable discussion on legal issues of all sorts. In the chair is Raquel Xalabarder, who makes the perceptive remark that we still struggle with definitions of the platforms that we are talking about. Platforms, though, clearly create rights and obligations – for the users and for the owners.

Profs. Jane Ginsburg from Columbia Law School and Alain Strowel of Saint-Louis in Brussels but also a lawyer with Covington & Burling collaborate on their presentation, weaving back and forth regarding copyright issues. Strowel opens with a reference to the recent FT article on Facebook, highlighting the desire for openness, sharing and co-operation. This is ‘free’ but there is an invisible or dark side, which is the economics. IP fits into this category. As services develop, they become more IP-conscious – look for example at Twitter’s assertion of trademark. We should distinguish between content originated by the users and content that is ‘made by others’.

This brings us over to Ginsburg, who will look at user-created content; typically this content is automatically endowed with protection (subject to the usual fixation and originality requirements), reminding us that literary merit is not a requirement of copyright law. She reads extracts from the Facebook and MySpace standard terms and translates them into their real meaning – to me, this is the gift that never stops giving, and the audience responds accordingly. The Creative Commons icons are a useful way of adopting user-friendly and meaningful terms … but they are certainly not ‘self-enforcing’ and actual enforcement is extremely difficult (not to mention certain registration requirements under US law).

Strowel picks up the question of non-UGC (i.e. potentially infringing content published on these platforms) and the various degrees of liability, considering the possible infringements (distribution? reproduction? derivative work?) as well as limitations to the law (the unclear status of ‘making available’ as applied to mere placement on the Internet in the US). It is refreshing to go into this in detail – often we take for granted some of the more complicated ‘old’ aspects of copyright law (or what Strowel calls the mechanics of copyright) when considering it in the digital context.

Selected other comments (from both contributors – put together they engaged in a good discussion/rotation):

- there is an issue in comparing something like YouTube (where the infringing content on which secondary liability is alleged is ‘high value’) with other sites where this is not the issue.
- even under EU law there are different interpretations from state to state of implied licences as applied to copyright.
- Art 5 EUCD (limitations) is quite different to (the flexible but unpredictable) ‘fair use’ doctrine in the US – the various cases on thumbnails are discussed as an example of this.
- there are more intermediaries on the Internet than was expected – and they can be in different categories when it comes to liability; hosting providers (inc. social networking sites) are different to traditional web-hosts too (multiple third parties, many more pages than a normal website, intermediary both technical and advertising-based) – art 14 EUCD has a too-brief definition of hosting provider in any event (does it cover Facebook? Strowel argues it is not certain)
- brief discussion of the French cases: MySpace, DailyMotion, Google Video have all been the subject of legal proceedings with some inconsistent results and some elaboration on the concept of notice; all of this is in the context of the (unresolved) Viacom case in the US, which may well be superceded by industry principles.
- YouTube’s business model is affected by the steps required to keep the safe harbour: they cannot tailor their advertising in the way that they might like to, as doing so would affect their categorisation
- can a HADOPI-like solution deal with repeat infringers outside of the ISP context?

Speaking separately, Antoni Roig, a professor of constitutional law at the home-town Universitat Autònoma de Barcelona, brings the questions back into the realm of public law, but also wondering what the differences are between ‘IT law’ and ‘IT for lawyers’, and how jurists and engineers approach privacy in different ways. (Interestingly, he says that the Spanish data protection regulations date from 1978, along with the Constitution). Privacy and data protection can have different aspects – they are in many respects separate legal regimes, with the EU having a particular role on data protection and the role of the Article 29 Working Party. The courts have acknowledged a right to data protection but there is also the use of the human dignity clause as a way of ‘updating’ rights. Is the US moving towards an EU-style data protection framework?

Roig summarises the A29 approach as including on principles of
- awareness amongst the users not to give data if necessary (& this affects the providers too; the principles mention this which is a surprisingly radical move towards ethical engineering)
- informing the user e.g. when there has been a breach

He also has some good words for the role of privacy-enhancing technologies (PETs), and how they play a part in a constitutional concept of privacy based not on law alone. Persistent pseudonyms are crucial to success here. (We will be returning to data protection in the afternoon session). By designing for privacy, we can achieve a long-term solution even though there may be short-term difficulties with making it work. Legal scholars have not really legitimised these technologies yet, though there is potential for showing a court that a tool that protects privacy could prevent a violation of fundamental rights. Concluding, he argues that the European approach to RFID, where incorporation of privacy at the design stage is being encouraged, is promising and brings with it some optimism.

Issues covered in the Q&A included the power of terms and conditions, the potential for advertising revenue without violating safe harbour, the difference between the ‘user’ and the ‘provider’ terminology (should bloggers be considered providers for safe harbour purposes?), multiple vs unique pseudonyms (and the relationship with biometrics), the convergence between trademark law and domain name policy (with Facebook URLs being a good example of where there is controversy), the L’Oreal/Ebay litigation at the ECJ and the French courts

Our first session is the keynote address by the excellent James Grimmelmann, of New York University and more. He’s talking about Facebook as an example of social networking and privacy as an example of a controversial issue – but hoping to get broader themes from that. The presentation draws upon his forthcoming Iowa Law Review article of the same name, with a draft available here. Sites we are interested in at this conference are ‘social’ network sites and that is important – both for the positive and the negative aspects. To illustrate, he shows a video of ghost-riding the whip (hopping out of a car while still ‘driving’ it) – it would be a category error to say that this is ’caused’ by or attributable to the technology (car), and therefore we would need to consider the social factors in order to discuss it. The same applies to social networking – whether for the Ghost Riding The Whip Association’s Facebook page (no, really) – and therefore we will look at the social assessment and harms in relation to privacy and Facebook.

(1) Why are these sites ‘social’ networks? These can be general, but also more specific (like Ravelry for knitting). The common theme (with assistance from boyd & Ellison) is profiles (about ‘I’ and identity), links (relationships – ‘you’) and the social graph (community – ‘them’). Grimmelmann shows various examples of all three (based on his own presence and that of others), drawing some good laughs with profiles of people in the audience and also the quirkier side of the social graph.

(2) It’s no surprise, then, that we use social skills/tools to assess the risks attached with social networking. Old contradictions like ‘you wouldn’t jump off a bridge if your friends did’ vs ‘safety in numbers’ remain present. You are alone, yet surrounded. What we believe (e.g. in relation to knowledge of being watched) may not match up that well with the actual privacy risks. In a useful phrase, Grimmelmann describes these ‘cognitive shortcuts’ as heuristics rather than calculations.

(3) What are the harms, then? With assistance from Solove’s taxonomy, we are talking about
disclosure: information that you don’t want shared, shared (photos, upsetting your employers, breaking up with your (un)beloved…and even law enforcement). Estimates around five cases a week where a court has a significant reference to something on social networking sites;
surveillance: the feeling of being watched, with the panopticon being a problem even if specific information is not ‘misused’ ; how does something like the Facebook newsfeed relate to this?;
instability: things ‘change’, such as the opening up of certain information through Facebook public profiles, not to mention things like Beacon and new viruses;
disagreement: something like removing tags on photos is a possible disagreement that may not have occurred to you before. Another example would be the evolution of social norms in terms of ‘defriending’ someone, or the ‘top 8′ feature on certain sites;
spillover: my decisions have consequences for your privacy. This becomes even more important as the number of users of Facebook (or other sites) increases – makes it a different situation when it’s a more limited group.
denigration: other users affect your self-presentation. Here we talk about Beacon too, where purchases show up in the news feeds of others. Your endorsement is giving to a product, in many cases with your knowledge or genuine consent.

(4) Solutions? The important question is how do proposed solutions match with social habits? If you argue for privacy policies, for example, the problem is that people don’t read it – or indeed end up less informed after reading the (lengthy) policy. Indeed, the policies tend to include very generous get-out clauses. Similarly, in the case of technical controls (e.g. Facebook privacy settings), only 1 in 5 people ever change their settings – and even for those that do, it’s hard to know in advance what a photo is going to consist of so settings are by nature vague and crude, and subject to abuse by unreliable contacts. Data portability is of interest, based on market pressure (we’ll take our data and go) – but can get you banned, and can violate the trust (and privacy) of others in any event.

(5) Three (disquieting) conclusions: it’s hard to partition good and bad behaviour, with the motivations, mistakes and harms deeply linked, all based on connection; privacy violations are often ‘peer-produced’ rather than the expected Government/corporate ‘watching us’ (that is there too, but it’s not the only thing); sites like Facebook are a ‘privacy virus’, in that we spread information and encourage others to act in a (possibly) risky way.

In Q&A, Miquel Peguera (and others) mention the recent A29 Working Party document on social networking (in PDF here); Grimmelmann gives a shout-out to Ian Brown and Lilian Edwards (not here, but now here in spirit!) for their proposals on default settings. In response to a ‘devil’s advocate’ point from Ismael (“privacy doesn’t matter”), Grimmelmann discussed the evolution of his own paper, moving from a point like this to an understanding of how users make choices and what the consequences of these choices are, or indeed how the choice does not deliver the expected or desired result. A questioner (didn’t catch the name) makes a thoughtful intervention on the psychological impact of information sharing, in terms of the way that people will act when they wouldn’t have before.

My own question related to the surprisingly high-profile appointment of new lobbyists by Facebook and what approach it is likely to take with regard to possible legislation on relevant issues. Grimmelmann notes the high profile of privacy counsel Chris Kelly, noting that Facebook is ‘one of the most arrogant companies out there; in terms of general statements about how their model is changing the world, but also very accommodating in terms of privacy, admits mistakes, talks about enhancing user control – they take the problem seriously. Turning to legislation, they might exploit the situation and accept minimum legislative mandates for competitive reasons – or alternatively, oppose it and use (non-mandated) privacy controls as a competitive advantage.

This is some sort of a liveblog. I’ll make mistakes, and I’m multitasking, being selective and also working through translation in some cases, so this is an impression rather than a transcript. Enjoy.

Good morning! With all the usual health warnings (I’ve adapted mine above from David Weinberger‘s model – thanks…), I will present (both today and tomorrow) coverage of the fifth annual Internet, Law and Politics (IDP in Catalan and Spanish) conference, at the Universitat Oberta de Catalunya (Open University of Catalonia). For those attending the conference, you will also see me at the end of each day presenting as rapporteur, and on this blog, I’ll try to post an update in respect of each of the main sessions. You can find the full programme here. The theme of the conference this year is social networking – pros and cons. Coverage also comes from UOC’s own Ismael Peña-López at his ICTlogy website, tagged (as you can too) idp2009 and available here.

We start with introductions: first from Eduard Aibar (VP for Research at UOC), highlighting the links between academic research and broader questions of social relevance, with social networks being a very useful way to explore this. We have our first mention of Obama – the first of many, I am sure! He adds that some of the speakers have travelled a long way. This blogger hasn’t had the longest journey (that prize probably goes to James Grimmelmann, more about him soon), but it is indeed a pleasure to have travelled to Barcelona. The other half of the introduction is given by the director of law and political sciences at the university, Agustí Cerrillo, who picks up the theme of an ‘encounter’ between different perspectives with a common concern regarding the Internet. He gives a summary of past conferences including cybercrime, e-commerce and privacy; social network sites are having a particular impact on society, including particular sectors. There are opportunities but also corresponding risks, for example with the exchange of personal information. It’s important to engage in thorough analysis of the challenge of social networks including from a legal point of view, so as to understand whether the law is fit for purpose. Cerrillo talks us through the programme, which as I say is available right here. He wraps up with a summary of all the technologies and platforms in use – blogging, Twitter, Facebook, YouTube, free-licensed journals, and much, much more.

One day, on the board, Jill posts in a daily chitchat thread that she is having a miserable day because one of her students (unnamed) turned in an assignment of questionable quality.

Kristen (or Osenga, or Prof. Osenga – see, online communication messes with forms of address already!) puts forward a few different options that the diligent prof could avail of. I think the best answer, though, comes from one of the commenters (‘ER’), who says:

Jill could post more innocuous information, or statements she would be comfortable being overheard (by several million of her closest friends) saying aloud, while saving “friend” discussions of more sensitive sorts for the personal, one-to-one messaging (available in most any on-line forum) between her and individual members of her knitting board.

My online presence is a mix of different things. I have this blog, which is by now a fairly academic sort of place, so it would be unlikely that I’d raise an eyebrow about a student, other than at a very general level. My second blog is consciously ‘personal’ in tone and again reflects things that I do outside of my job (like Jill and her knitting), but other than perhaps casting doubt on my credibility and taste when it comes to music and the like, there’s unlikely to be anything there that would cause a student to feel uncomfortable enough to make a complaint! My Facebook account is private (i.e. you need to be a friend to see it, and the privacy settings are relatively high in terms of things like tagging and notification), but as my friends there are a mix of personal and professional contacts (including some former students from my tutorial teaching in Dublin, though no current students – that’s another debate that I’ll explore when I need to, but it hasn’t arisen yet), I tend to keep things relatively brief, and make use of messaging and Scrabble and the occasional wall post, and don’t really use status updates.

Of course, there are plenty of other things out there on the Internet, perhaps indicating political views and so on, but I see that as fairly unavoidable especially having been regularly online for over 10 years now. I think ER is right – if you choose your models with care then there aren’t really that many changes in behaviour necessary. I’m not saying that Jill’s comment was particularly deserving of censure – it seems fairly mild alright – but it’s an issue that can be avoided without too much difficulty. In any event, I’m very glad that Kristen wrote this post.

Your thoughts?

Unless otherwise indicated, what follows is a non-verbatim approximation of what was said. Please correct any errors if you spoke and spot them. Things in [square brackets] are entirely my own views or additions and weren’t said at the symposium. Prior posts on privacy on this blog are here.

Daniel Solove’s presentation

Solove gave a quick overview of the context of Internet privacy, and discussed a number of specific cases that illustrated the changing nature of privacy:

• Dog Poop Girl – a cellphone picture of a dog doing what dogs do on train, published, the owner identified (as being irresponsible for not cleaning up), personal info published; it ended up on BoingBoing, media, posters and much more. “The Internet allows a cyber-posse to amass from around the world in an instant”.
  
• Personal blogging is in a way like diaries, containing intimate details of your personal life – but also the lives of others! But it’s very pervasive…will parents say to their child: “Well yes we could read your blog .. or you could just tell us about your school day“? (Solove displayed this cartoon or a version of it)
  
• 40% of blogs are written by under 19s…this is ‘Generation Google’, entire lives chronicled online [lots of things in common with Digital Natives here]
  
• Star Wars Kid – put up on site by friends and in just a few weeks, millions of views, went viral, embellished by others, mashups (loads of ‘em). Now he’s extremely well-known. Is this a good thing?
  
• Washingtonienne (Jessica Cutler) – anonymous blog which was personal, including lots of stuff about sexual partners – highlighted by Wonkette, followed by significant magazine coverage, a book deal, etc. One partner sued her for invasion of privacy … though she has now declared bankruptcy.

But maybe this sort of scrutiny of reputation is a good thing? Yes, but information out of context leads to hasty judgements that don’t really capture the truth of a character. And the libertarian norms which are generally good can actually lead to the opposite, people can be “shackled to their past”.

What can the law do? A little bit, but not a lot. A solution must deal with education, social attitudes, etc. So he analyses three “paths” – libertarian (hands off – things will get worse if you bring the law in; problem is that the norms may not develop the way we want to), authoritarian (censor and restrict – increasing willingness to do this in the US, too reactive, chills speech), middle ground (threat of lawsuit forces responsibility and accountability -recommended approach, but doesn’t want too many cases as it’s expensive) [again, this is a trend in the current phase of cyberlaw, so Solove is in very good company]

He then discussed the ‘Warren and Brandeis‘ privacy tort in the US, where you can sue for spreading private information not of legitimate concern. In the UK, it’s the modified breach of confidence tort, expanded post-HRA to be similar to US. [In Ireland, we have neither as such (breach of confidence exists but not as it now does in the UK), although we do have a small number of cases where a suit for breach of the constitutional right of privacy has been successful, a proposed tort in the stalled Privacy Bill, and a presumptive requirement under international law (ECHR) and domestic remedy (ECHR Act) to deal with the Von Hannover approach to Article 8 of the Convention on privacy]

Often, we have a binary understanding of privacy – places are private (home) vs public (the county fair). But we do have expectations of privacy in public place, and it’s so easy to capture (cellphone, CCTV, etc). The breach of confidence remedy in the UK is extensive and includes information between friends.

It’s also about control. Dr Laura Schlessinger, a conservative commentator, was not impressed when nude photos of her (taken in her wild past) were circulated. [I'm passing on looking them up] She sued the website to get the photos taken down, but lost due to free speech concerns. Then the ‘voyeur’ website that published them won cases against other sites for stealing their pictures! This shows that the idea that there’s nothing that the law can do to restrict information is false – in this case, there was copyright protection. “If you have a choice between copyright and privacy, choose copyright”, as the protections are more powerful.

And then there’s speech. Solove thinks that US law overprotects speech and underprotects privacy. Section 230 of the CDA immunises websites, ISPs etc for content supplied by others…and it’s complete immunity, which goes way too far. Juicycampus.com is an example. This illustrates how the law is “getting the balance wrong, encouraging irresponsibility rather than responsibility”. Small legal changes would nudge norms in the right direction.

Panel Discussion

Caroline (CarC) and Daniel (DS) were joined by Damien Mulley (DM), Jim Carroll (JC), Cormac Callinan (CorC) and Niall Larkin (NL). I didn’t get every point, I’m afraid, but I’ve tried to capture as much as I could (in almost all cases, summary rather than verbatim). ?? means a question or point from the floor.

We started with a general question to the panel on social networking and privacy. NL: People are sharing, learning to express themselves, “growing up online”. If it goes on the Internet, it stays on the Internet. DM: everything you do on Facebook is logged, i.e profile visits. They got in trouble last year, because even when you closed an account, info was still stored. Profile built up to sell on to advertisers, understanding behaviour. And they will hand to law enforcement without subpoenas. (full-time members of staff just doing this). There’s also profiling by companies etc, though people don’t really know this is happening. JC: it’s already happening with loyalty cards, though it’s now easier again for the marketers. It comes down to how much you care about it. DS: ubiquity of information collection. Mentions cloud computing – they have all your documents. Popular for marketers and for governments. Analysis tools are getting more sophisticated too. Terrorist profiling too (it works for Amazon, will it work for government?)

DM asks the audience – do you care that your data is being stored and used? [I think about half put their hands up]

??: a debt collector friend has been told to use Bebo in their work. This is a sign of how much awareness there is of the potential of such sites for data collection.

??: what about problems of international law, when content is hosted in a different country? Corc: it’s very difficult, there’s lots of international cooperation, there’s most in child protection, but data protection as an example of where it doesn’t work, there’s virtually no protection in US, despite safe harbour (between EU and US) which controls only certain aspects and is very limited.

??: is there ‘decentralised responsibility’, i.e. the user has agreed to terms and conditions when they signed up? DS: how many people read the privacy policies? They can change them unilaterally at any time. And for Facebook, there’s a policy, there’s privacy settings, and a 6000-word TOS. “No-one reads these things”.

??: Creative Commons has simplified IP contracting, could you do this for privacy? DS: sceptical, you use so many sites in a day and it’s very difficult to keep up with. A FTC commissioner he met confessed to not reading Facebook’s privacy policy. CarC: lawyers work very hard to make things “simple” but they are often hiding stuff! NL: as danah boyd says, as a citizen of the Internet you should have some basic rights.

??: There’s a naivety that people think social networking sites are there for their benefit, but they are ultimately commercial enterprises. DS: people are fine with it until something bad happens. They can want certain uses of data but not others….how do you know in advance? JC: when it’s taken out of context, there is trouble: i.e. publication of Bebo photographs in a newspaper. CorC: yes, but there’s also a lot of misunderstanding, i.e. ‘if you turn off your phone you can’t be tracked’ (not true – it’s effectively personal GPS), even possible to have remote activation of microphone. If someone had said 10 years ago that you’d carry a GPS tracker you’d say they were insane but now you pay €35 a month for the pleasure! DS: there was a backlash against bank accounts in the US in the early days of banking – but people chose to give up some privacy in return for value. But when does data mining turn into surveillance?

??: What can we get our government to do to protect against privacy infringement? And teenagers liked the idea of the mobile phone tracking – is this another generation gap? CorC: mentioned “phonewalking” services (bringing the tracked phone to where you ‘should’ be – big business of the future! Copyright law is very effective because of lobbying power; businesses of course are there to make money, you should always assume this, and also – distinguish between privacy and data protection. Asking Bebo and Facebook to protect you is not feasible, it’s not their job to do it as they can always see and know everything, and their motive is profit. DM – I want to be told when people access my information, i.e. what the companies or their allies do, and including government information too (e.g. social welfare).

DS – there is an “optimism bias”. And it’s hard to visualise all the people reading your blog as compared to that of an true audience. In one study, 70% of people agreed that a privacy policy means no 3rd party sharing (this is not). NL: visualisation is concealed in some (social networks encourage to share with ‘friends’) but not others like YouTube (‘broadcast yourself’ makes it very clear)

?? – Big Brother is important but we are also contributing to this – “we are BB”. Balance between rights and responsibilities – i.e. as a blogger, what am I putting out there?

?? – what about Gmail turning information over to Government without telling you. The government that would legislate to protect us has a particular role too as being a threat to privacy. DS: yes, an see in particular the discussion of FISA in the US.

?? is there a catch 22, you need unique ID of some sort in order to make Internet services and presence work. I like my anonymity, which is compromised. And these issues are nothing compared to Yahoo turning over information to China. CorC – you don’t really have anonymity, Irish ISPs share your information across the world. And you leave a significant footprint. [Cormac was very honest and direct in these contributions, which is appreciated].

??: there are two separate privacy debates happening, one about the protection of public figures against ‘media intrusion’ that is happening in the political and legal arena and a separate one that we are hearing here about privacy policies, commercial exploitation, Government surveillance that is not being legislated for. [That was me]

?? can there be a realistic remedy, very hard to deal with violations as not everyone can go to the High Court.

CorC – remember in Europe we don’t have immunisation of ISPs and hosts as with the CDA in the US (it’s about knowledge). DS: that’s interesting, when I say that in the US I’m told that it would lead to the total shutdown of the Internet and no free speech.

Summary

Three quick observations. If you were there, please add your own, including issues that you might not have had time to raise in the Q&A.

A very interesting symposium, with a particular need to note the strength of contributions from the floor. Although I wondered (like Justin) about how it related to the festival as a whole, I think the fact that the vast majority of those present were ‘active’ in various types of media, digital culture, etc meant that there was a lot that did not need to be reiterated (I’ve given talks about Facebook where the basic concept has to be explained, which while important, leads to a different type of question), and also a very informed line of questioning to what was an extremely heavy-hitting panel, with some of the best-known local bloggers and journalists, a leading international privacy scholar, and two important practitioner perspectives from Callinan and Campbell).

I hadn’t heard Daniel Solove speak before, though I’ve read his books and cited his blog posts in papers. He explained the issues very clearly to what was clearly not a legal audience, but managed to do so without leaving out crucial details like US-Europe differences in the relevant areas of law. And he talked about Warren and Brandeis at 10am in a basement full of film producers, and everyone followed what he was on about.

An audience member did raise the issue of gender balance, although in defence of the organisers, both Rachel O’Connell (Bebo) and Karlin Lillington (Irish Times) were invited but unable to attend.

All the info is here. Not sure if I’ll be there this year, though I’ve been to the first two (here’s the 2007 report) and very much recommend that you go.

Our esteemed organisers say:

GikIII, a two day workshop on the intersections between law, technology and popular culture, will be held on September 24-25, 2008 in Oxford, England. GikII is so cutting edge that it is the nano-blade of workshops, so expect all sorts of challenging papers, tenuous legal connections, l33t powerpoint and keynote skillz, uber-geekery, and a healthy dose of lolcatz. Previous GikIIs explored Facebook privacy settings before privacy had become fashionable again, and looked at the pressing legal issues in subjects as varied as Harry Potter, killer robots, anime, fandom, virtual property and tattoos. All papers exploring the interaction between “geek” subjects and the law are welcome, but emphasis on popular culture is always favoured. This year’s workshop will also have a special session which explores the topics of complexity, networks and regulation.

Send your abstract of no more than 500 words to ian.brown@oii.ox.ac.uk, l.edwards@soton.ac.uk or a.guadamuz@ed.ac.uk by July 15th.