Category: Privacy (Consumer Privacy)

0

Facebook’s Beacon: News Feeds All Over Again?

facebook3.jpgI recently blogged about Facebook’s Beacon, where it adds information to user profiles of their purchases at participating external websites such as Fandango. Beacon is starting to spark a privacy outcry among Facebook users. From the AP:

Some users of the online hangout Facebook are complaining that its two-week-old marketing program is publicizing their purchases for friends to see.

Those users say they never noticed a small box that appears on a corner of their Web browsers following transactions at Fandango, Overstock and other online retailers. The box alerts users that information is about to be shared with Facebook unless they click on “No Thanks.” It disappears after about 20 seconds, after which consent is assumed.

Users are given a second notice the next time they log on to Facebook, but they can easily miss it if they quickly click away to visit a friend’s page or check e-mail.

Back in 2006, Facebook rolled out a new feature called News Feeds that sparked a privacy outcry among its users and prompted Facebook to issue a letter of apology. Perhaps it is deja vu all over again with Beacon. According to the AP story:

Users are able to decline sharing on a site-by-site basis, but can’t withdraw from the program entirely. . . .

Liberal advocacy group MoveOn.org formed a protest group Tuesday and had more than 6,000 members by Wednesday. The group is calling on Facebook to stop revealing online purchases and letting companies use names for endorsements without “explicit permission.”

“We want Facebook to realize that their users are rightly concerned that private information is being made public,” MoveOn spokesman Adam Green said, adding that Facebook could quell concerns by seeking “opt in” consent rather than leaving it to users to “opt out” by taking steps to decline sharing.

Maybe Facebook should realize something that strikes many as common sense — if people want something to appear in their profiles, they’ll put it there themselves.

3

The Facebook-Fandango Connection: Invasion of Privacy?

facebook3.jpgfandango.jpg

Facebook recently rolled out a new advertising program called Social Ads, where Facebook users’ images, names, and words are used to help advertise products and services. I blogged about Facebook’s Social Ads here and here, contending that they are likely a violation of the tort of appropriation of name or likeness as well as the right to publicity tort.

Peter Lattman at the WSJ Blog has a great new post about Facebook that throws in another even more troubling wrinkle:

Last Sunday the Law Blog purchased three tickets to “Bee Movie” on Fandango, the movie site. After we did this, Facebook automatically updated our profile to say, “Peter bought ‘Bee Movie’ on Fandango.”

Huh? Did we want everyone on Facebook to know our movie-buying habits? Not really. But it seems we agreed to this. According to Fandango’s privacy policy, which we agreed to by using the site, “If you are a member of a social network service (such as Facebook, MySpace, etc.) or you use other Internet sites where you have authorized them to gather information about your online behavior on Fandango . . . Fandango may share information regarding your activities . . . with those third parties pursuant to your authorization.”

Then we checked out our privacy settings on Facebook. Under “Privacy Settings for External Websites,” there’s a Fandango icon, indicating that we’ve agreed to have our actions on Fandango sent to our Facebook profile. We changed our profile, mandating that they never — never! — do this again.

This case illustrates why the current legal regime regulating personal information at most websites is so deeply flawed. The default settings are set to allow information sharing and disclosure, with users often completely unaware of how their information is going to be used. Businesses frequently tout how they are protecting privacy by providing users with “notice and choice” about how their information will be collected, used, and disseminated. Yet the system rarely results in informed consumers or meaningful choices.

So imagine: You go to Fandango and buy tickets to see a movie — and then all of a sudden your purchase is being revealed publicly to everybody you know on Facebook. You probably didn’t even know that Facebook had this deal with Fandango. What if more websites like Fandango start to collude with Facebook? Does this mean that every time we visit a website, every time we make a purchase, the information starts showing up in our Facebook profiles and on our friends’ Facebook profiles?

At least Social Ads, as I understood it, involved people publicly stating they liked or used a product. This is still problematic, for the reasons I discussed in my posts — being used in an ad unwittingly is a harm even if one has publicly praised the things being advertised in the past. But now Facebook is taking things one step beyond by exposing people’s personal information to the public. Perhaps Peter Lattman doesn’t want the world to know that he saw Bee Movie. Perhaps he does. But this is something he should decide, not the corporate officials at Facebook or Fandango.

“Poor Peter,” Fandango and Facebook will say, “But you should have read our privacy policies! It’s all your fault Peter.” Fandango’s privacy policy states:

Read More

4

Facebook and the Appropriation of Name or Likeness Tort

facebook.jpgA few days ago, I posted about Facebook’s new Social Ads and I argued that they might give rise to an action under the appropriation of name or likeness tort. The most common formulation of the appropriation tort is defined in the Restatement (Second) of Torts § 652C: “One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy.”

A related tort, a spin-off of appropriation, is the “right of publicity” which as defined by the Restatement (Third) of the Law of Unfair Competition § 46: “One who appropriates the commercial value of a person’s identity by using without consent the person’s name, likeness, or other indicia of identity for purpose of trade is subject to liability for [monetary and injunctive] relief.”

These two torts have sometimes been confused with each other, but the basic difference is that appropriation protects one’s dignitary interests in not desiring to have one’s identity exploited and used for another’s benefit whereas the right of publicity protects a person’s property interest in the commercial value of her identity.

Both torts are potentially applicable to Facebook’s Social Ads.

Over at Digital Daily, John Paczkowski discusses my post and adds:

Now Facebook claims no personally identifiable information is shared with an advertiser in creating a Social Ad. “Facebook has always empowered users to make choices about sharing their data, and with Facebook Ads we are extending that to marketing messages that appear on the site,” the company explains. “Facebook users will only see Social Ads to the extent their friends are sharing information with them.” That’s certainly a thoughtful assurance. But it doesn’t exactly address the issue of Facebook appropriating user identities for its own benefit.

At the NYT”s Bits, Saul Hansell discusses the response of Chris Kelly, the chief privacy officer of Facebook:

Mr. Kelly said the advertisements are simply a “representation” of the action users have taken: choosing to link themselves to a product. He added that in many states, consenting to something online is now seen as the equivalent of written consent.

And he argued that it would be difficult for someone used in one of these ads to object because that person had already chosen to publicly identify themselves with the brand doing the advertising.

“We are fairly confident that our operation is well presented to users and that they can make their own choices about whether they want to affiliate with brands that put up Facebook pages,” Mr. Kelly said.

I don’t agree with Kelly’s take on the law. Suppose Michael Jordan says on national TV that he likes Wheaties. Does this allow Wheaties to use his image on its cereal box or in a commercial? The answer is no. The fact that Jordan says he likes Wheaties can be used in a news story; it can be used in a biography of Jordan. But it cannot be used in a commercial advertisement. Comment (c) to the Restatement’s section on appropriation states that “the defendant must have appropriated for his own use or benefit the reputation, prestige, social or commercial standing, public interest or other values of the plaintiff’s name or likeness.” That’s exactly what’s being done with Social Ads. They are not merely reporting facts (which is ok under appropriation and publicity); instead, they are using the reputation and standing of people to promote commercial products and services.

The fact that a person publicly states that she likes a product is not equivalent to that person’s consent to be used in an advertisement. Otherwise, Coca Cola could snap a photo of a celebrity drinking a can of Coke and then use the photo in its ad campaign without paying the celebrity. That celebrity’s lawyers would be licking their chops if that were to happen.

Read More

14

The New Facebook Ads — Starring You: Another Privacy Debacle?

facebook.jpgFacebook recently announced a new advertising scheme. Instead of using celebrities to hawk products, it will use . . . you! That’s right, pictures of you and your friends will appear on Facebook ads to make products more enticing to Facebook customers.

As Facebook’s website describes its new “Social Ads” program:

Facebook Social Ads allow your businesses to become part of people’s daily conversations. Ads can be displayed in the left hand Ad Space — visible to users as they browse Facebook to connect with their friends — as well as in the context of News Feed — attached to relevant social stories. The social stories, such as a friend’s becoming a fan of your Facebook Page or a friend’s taking an action on your website, make your ad more interesting and more relevant. Social Ads are placed in highly visible parts of the site without interrupting the user experience on Facebook.

Here’s the sample ad that Facebook includes on its social ad description page:

facebook-social-ad.jpg

According to the NY Times:

Facebook wants to put your face on advertisements for products that you like.

Facebook .com is a social networking site that lets people accumulate “friends” and share preferences and play games with them. Each member creates a home page where he or she can post photographs, likes and dislikes and updates about their activities.

Yesterday, in a twist on word-of-mouth marketing, Facebook began selling ads that display people’s profile photos next to commercial messages that are shown to their friends about items they purchased or registered an opinion about.

For example, going forward, a Facebook user who rents a movie on Blockbuster.com will be asked if he would like to have his movie choice broadcast out to all his friends on Facebook. And those friends would have no choice but to receive that movie message, along with an ad from Blockbuster.

At this point in reading the article, it seems as though participation in the ads (by the person being used in the ad) is fully consensual. But the article goes on to say:

Read More

3

The Future of Reputation: Gossip, Rumor, and Privacy on the Internet

Cover-new.jpgI‘m very excited to announce that my new book, The Future of Reputation: Gossip, Rumor, and Privacy, is now hot off the presses! Copies are now in stock and available on Amazon.com and Barnes & Noble’s website. Copies will hit bookstores in a few weeks.

From the book jacket:

Teeming with chatrooms, online discussion groups, and blogs, the Internet offers previously unimagined opportunities for personal expression and communication. But there’s a dark side to the story. A trail of information fragments about us is forever preserved on the Internet, instantly available in a Google search. A permanent chronicle of our private lives—often of dubious reliability and sometimes totally false—will follow us wherever we go, accessible to friends, strangers, dates, employers, neighbors, relatives, and anyone else who cares to look. This engrossing book, brimming with amazing examples of gossip, slander, and rumor on the Internet, explores the profound implications of the online collision between free speech and privacy.

Daniel Solove, an authority on information privacy law, offers a fascinating account of how the Internet is transforming gossip, the way we shame others, and our ability to protect our own reputations. Focusing on blogs, Internet communities, cybermobs, and other current trends, he shows that, ironically, the unconstrained flow of information on the Internet may impede opportunities for self-development and freedom. Long-standing notions of privacy need review, the author contends: unless we establish a balance between privacy and free speech, we may discover that the freedom of the Internet makes us less free.

For quite some time, I’ve been thinking about the issue of how to balance the privacy and free speech issues involved with blogging and social networking sites. In the book, I do my best to propose some solutions, but my primary goal is to spark debate and discussion. I’m aiming to reach as broad an audience as possible and to make the book lively yet educational. I hope I’ve achieved these goals.

I welcome any feedback. Please let me know what you think of the book, as I’d be very interested in your thoughts.

1

The Do Not Call List’s Memory Lapse

DNC-List.gifSo you signed up for the federal Do Not Call List and expect not to receive any more of those annoying telemarketing calls ever again. Think again. Signing up expires after 5 years, so if you signed up back when the list first came into existence, you’ll need to sign up all over again soon. It’s the FTC’s way of making us feel like Sisyphus. Lame.

According to the AP:

The cherished dinner hour void of telemarketers could vanish next year for millions of people when phone numbers begin dropping off the national Do Not Call list.

The Federal Trade Commission, which oversees the list, says there is a simple fix. But some lawmakers think it is a hassle to expect people to re-register their phone numbers every five years.

Numbers placed on the registry, begun in June 2003, are valid for five years. For the millions of people who signed onto the list in its early days, their numbers will automatically drop off beginning next June if they do not enroll again.

The article also states:

Since the registry began, the government has filed cases against more than 30 companies, resulting in $8.8 million in civil penalties and $8.6 million in redress to consumers and forfeitures.

Only a few more than 30? That’s it? I strongly doubt compliance with the Do Not Call List has been this good. Smells like weak enforcement to me.

Hat tip: Adler at the VC

0

Information Privacy Law Casebook Update

casebook2.jpgI’m pleased to announce that Paul Schwartz and I have just completed an update to our casebook, Information Privacy Law (Aspen 2006). The update is 111 pages, and is available for download (free of charge) at the casebook’s website. Among other things, it includes excerpts of many new cases: Bonome v. Kaysen, Barrett v. Rosenthal, MacWade v. Kelly, US v. Andrus, Warshak v. US, Doe v. Cahill, US v. Ellison, Gonzales v. Google, Georgia v. Randolph, Copland v. UK, and more. It also includes discussions of the NSA surveillance program, the litigation regarding the NSA surveillance, the Protect America Act of 2007 (amending FISA), national security letter litigation, the Virginia Tech shooting and privacy laws, data security breaches, US-EU sharing of airline passenger data, and more. Additionally, it includes excerpts from many new scholarly books and articles.

A new edition is in the works, and it will be ready for use in the spring 2009 semester. The book will be available in late 2008 so instructors can plan their courses. If you’re a professor currently using the book or are considering using the book in a class, please email me with any comments and suggestions for the next edition.

0

Why There’s No First Amendment Right to Sell Personal Data

There are a number of really interesting cases pending in the First Circuit and its lower federal courts that raise questions of confidentiality and free speech in the context of the commercial trade in prescription drug information. In New Hampshire, Maine, and Vermont, data mining companies have raised First Amendment challenges to state laws that restrict the ability of pharmacists to sell information about which doctors prescribed which drugs. More information about these cases from the AP can be found here. I’ve written about this phenomenon here, arguing that there are sound doctrinal, jurisprudential, and policy reasons to reject any idea that regulation of the commercial data trade raises any serious First Amendment problems.

These cases all involve laws passed by states concerned about the sale of prescription information to data mining companies, who buy information about which doctors prescribe which drugs from pharmacies and then massage the data for use in marketing and other industry purposes. The laws vary in their particulars, but basically forbid or regulate the ability of pharmacies to sell the information. In April, a federal district court in the New Hampshire case struck down New Hampshire’s law under the Central Hudson test as violating the companies’ free speech rights. The First Amendment argument can be boiled down as follows: because the laws stop pharmacies from telling other people about their customers, they violate the pharmacy companies’ free speech rights and are therefore unconstitutional.

I think this is a silly argument, as I explain after the jump.

Read More

From First Amendment Absolutism to Financial Meltdown?

There is a very interesting post by William Birdthistle on potential rating agency responsibility for the subprime mortgage meltdown contagion. As the WSJ reported,

In 2000, Standard & Poor’s made a decision about an arcane corner of the mortgage market. It said a type of mortgage that involves a “piggyback,” where borrowers simultaneously take out a second loan for the down payment, was no more likely to default than a standard mortgage. While its pronouncement went unnoticed outside the mortgage world, piggybacks soon were part of a movement that transformed America’s home-loan industry: a boom in “subprime” mortgages taken out by buyers with weak credit.

Here come the regulators. Some economists are quick to criticize the ratings agencies:

[T]the real-estate bubble of recent years, like the stock bubble of the late 1990s, both caused and was fed by widespread malfeasance. Rating agencies like Moody’s Investors Service, which get paid a lot of money for rating mortgage-backed securities, seem to have played a similar role to that played by complaisant accountants in the corporate scandals of a few years ago. In the ’90s, accountants certified dubious earning statements; in this decade, rating agencies declared dubious mortgage-backed securities to be highest-quality, AAA assets.

But there’s a big difference between accountants and raters: the latter get first amendment protection for their assessments. Is this a wise extension of the first amendment? It’s a difficult question, but I think the new scandals will lead to increasing calls for regulation, if not liability, of the ratings agencies.

Read More

RIAA’s Turn to Be a Defendant

Matthew Sag has convincingly argued that RIAA’s litigation war against downloaders is rational for the industry: it’s basically self-financing, as just about every defendant is too terrified of massive statutory damages to put up a fight. But the record industry’s declining fortunes may make its court victories Pyrrhic.

Moreover, a scorched earth litigation strategy against infringers is getting less viable as a few defendants fight back. For example, one litigant has found a creative way of subjecting RIAA’s tactics to public scrutiny:

Former RIAA defendant Tanya Andersen is now suing the major record labels and the RIAA for negligent and illegal investigation and prosecution. In a thirteen count civil suit filed in Oregon District Court, she alleges that record labels didn’t use properly licensed investigators and violated her privacy.

I’m still waiting for someone to bring the antitrust lawsuit that was forestalled by Bertelsmann’s purchase of Napster a few years ago. As Napster-slaying Judge Patel said of the RIAA’s distribution strategy then, “These ventures look bad, smell bad and sound bad” from an antitrust perspective.

Of course, given the lassitude of federal authorities, the antitrust case will be hard to make. But I look forward to more privacy challenges. As Sonia Katyal has argued,

recent developments in copyright law. . . have invited intellectual property owners to create extrajudicial systems of monitoring and enforcement that detect, deter, and control acts of consumer infringement. As a result, . . . intellectual property rights have been fundamentally altered—from a defensive shield into an offensively oriented type of weapon that can be used by intellectual property creators to record the activities of their consumers, and also to enforce particular standards of use and expression. . . .

If agencies fail to police these tactics, perhaps only individuals can fight for themselves. But as Bruce Scheier asks, why doesn’t the US have a privacy commissioner?

Hat Tip: BoingBoing.