Virtual friend fires employee

Here's a story for those that were interested to read that making a comment such as "ma job it pointLESS" on Facebook might lead to dismissal.

It's a salutary tale from Switzerland, that epitome of neutrality, about a woman who lost her job after her employers noted she was using Facebook whilst allegedly suffering from a migraine.

The woman admitted to accessing Facebook from her iPhone whilst lying in bed, but complained that Nationale Suisse had created a fictitious Facebook persona in order to become her "friend" and that the company had spied on her once she accepted this virtual friend. Whilst this begs the question as to why the woman accepted the Facebook friendship of a complete stranger, the story does highlight the potentially dire consequences of using communication networks at inappropriate times or in inappropriate ways. See the BBC's report here.

Whilst the government has decided not to set up a single centralised database, it does intend to ask internet service providers and mobile phone networks, amongst others, to extend the range of information they currently hold on their subscribers and to organise it in a manner that is more easily used by the police, MI5 and other public bodies investigating crime and terrorism. So, for those thinking along Orwellian lines, it is more "Surveillance Siblings" than "Big Brother".

The consultation period runs until 20 July 2009. Legislation to ensure that all data that public authorities might need, including third party data, is collected and retained by communications service providers may follow.

Those employed in the private sector should note that, under the current proposals, only the collecting communications firm and certain public authorities would have access to the information collected; to monitor an employee's Facebook usage, companies such as National Suisse will still need to create friendly fictitious Facebook personae and become virtual friends with their staff.

The story caught this Naked Lawyer's eye because it almost ties in with the announcement

on 27 April that the UK government wishes to have more information about communications, including visits to online chatrooms and social network sites such as Facebook, collected by communications firms for use by UK security services. The consultation document is called "Protecting the Public in a Changing Communications Environment".

Phorm here to obscurity?

Phorm is a behavioural advertising tool that can be used to analyse a customer's web surfing habits to enable targeted advertising.  The use of Phorm has resulted in a number of concerns being raised within the technology sector over individual privacy and data protection.  The Open Rights Group being particularly vocal.

The EU have, on 14 April, launched legal proceedings against the UK over problems with the UK's implementation of EU ePrivacy and personal data protection rules.  They have concluded that there are "problems in the way the UK has implemented parts of EU rules on the confidentiality of communications" and have asked the UK to respond to their questions in this first stage of the proceedings within 2 months of 14 April 2009.  The full press release can be found on the Europa website.

The Open Rights Group wrote to to the biggest users of the Internet (namely Amazon, eBay, Facebook, Google, Microsoft and Yahoo!) asking them to opt-out of the use of Phom technology.  Webwise, the name Phorm is being marketed under, does enable ISPs to opt-out of its monitoring services, however, due to the way the system works the contents of all websites visited will still be mirrored to the Phorm system but not analysed.

Both Amazon and Wikipedia have chosen to opt-out of Webwise.  Amazon stated simply that "We have contacted Webwise requesting that we opt-out for all our domains".  Wikipedia's statement was slightly more enlightening.  Wikipedia stated "After some internal discussion on whether opting out of the Phorm user-profiling system in the UK would legitimize it, we're going ahead and requesting an opt-out for all the domains under the Wikimedia Foundation's control".

Maybe Phorm will not prove as controversial as first thought if other major users of the Internet (and then maybe all of them) opt-out.  We wait for further developments.

Not a boring facebook story

You cannot say that working at Ivell Marketing & Logistics is boring, as one employee found out to her cost at the end of February. Ivell Marketing & Logistics is a firm with offices in Shanghai, Xiamen, Guangzhou, Kaohsiung and Clacton-on-sea. 

One employee, Kimberley Swann, 16, had been working in the Clacton office for three weeks when she was fired by the firm after sounding off on her Facebook page about her job being boring. The comments were brought to her employers' attention by the employee's Facebook friends who worked at the same firm. Her employer decided that the disrespect and dissatisfaction shown undermined the employer-employee relationship and made it untenable.

As Miss Swann had been employed for less than one year, she is unable to bring a claim for unfair dismissal. We will, therefore, never know whether an Employment Tribunal would have found the dismissal unfair. (Miss Swann's mother however is in no doubt that it was, pointing out that Kimberley "says Clacton is boring but we're not going to throw her out of the house for it.")

This case highlights that comments on social networking sites cannot be regarded as private. The BBC have published their report and interview with the employee in question on-line. 

One crumb of comfort for Miss Swann and other Facebook users is that Facebook has reverted to its original terms and conditions of use after a row erupted over changes proposed at the beginning of February which The Consumerist summarised as meaning that "anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later".

Mark Zuckerberg, the founder of Facebook, commented on 17 February "Over the past few days, we received a lot of questions and comments about the changes and what they mean for people and their information. Based on this feedback, we have decided to return to our previous terms of use while we resolve the issues that people have raised."  Which news is certainly welcomed by several members of the Naked Law team, amongst others.

Incidentally, for those that are interested, the actual comment made by Kimberley Swann was: "ma job it pointLESS". However, Ivell Marketing did not cite Miss Swann's blatant disregard for the English language as a reason for her dismissal.

Safer surfing for young social networkers

In an attempt to stamp out cyber-bullying, seventeen social networking websites agreed on 10 February 2009 to put safeguards in place to protect young internet users from unwittingly giving out personal information. The move was part of the European Commission's "Safer Internet Day" and the seventeen websites, which include Facebook, MySpace, YouTube and Bebo have promised significant progress will be made by April 2009 towards ensuring that young people using these sites will be protected.

The measures to be implemented include enabling users to report abuse with a single click, making the default setting for online profiles and contact lists set to "private" for users under 18; ensuring that private profiles of users under 18 will no longer be searchable, and placing privacy options in more prominent locations so users know who can see what they've posted online.

Online social networking is a popular past time, with about 42 million people regularly using social networking websites. This number is expected to double by 2012, and it is obviously important that barriers to prevent privacy violation and illegal activities are put in place and maintained. A "block bullying online" video will be broadcast on public and private TV channels all over Europe throughout 2009.

Too much Latitude on privacy?

Fellow Naked Lawyer Peter might think that Latitude is a sedate music festival held annually on the Suffolk coast, but in fact it’s Google’s new location tracking technology.

It allows users to share their current location with each other and can display individual locations on a map. As someone that has never used Facebook for the simple reason that there are lots of people I don’t want to be able to track me down, this idea slightly alarms. We all know that our locations are largely trackable in retrospect via CCTV, credit card and mobile phone usage etc. In many cases this has significant benefits, in tracking criminals or if you’ve got lost on a mountain (although the lack of cameras and cash points might be an issue there). But do you really want people to know precisely where you are at any time?

According to the Guardian’s report, Google say that all its tracking features are “opt-in” and that different privacy levels can be set for each contact. But there are still a couple of major issues. Firstly, will people understand the settings and/or the implications of allowing people to view their locations? As a lawyer, I tend to read the small print, but most people don’t – just look at the publicity around users’ failure to grasp the security settings on Facebook. Secondly, what is Google itself going to do with all this location data? On what terms might it disclose it to others (whether in real time or afterwards)?

I can only imagine that there have been and will continue to be some major headaches for Google’s data protection lawyers as they get to grips with the implications and draft their privacy policies. Given the all too familiar headlines about loss and misuse of personal data, Google will no doubt be keen to look whiter than white.

Freedom to be Private

The UK doesn't have a distinct 'law of privacy'. Privacy law has grown organically in recent years from a series of pre-existing laws, mainly surrounding breach of confidence and human rights legislation.

There have been a number of high profile cases which have affected the development of the law. These include Douglas v Hello (Catherine Zeta-Douglas and Michael Douglas wedding photos), Campbell v Mirror Group Newspapers (photos of Naomi Campbell leaving a clinic), or indeed the JK Rowling decision (JK Rowling's son entitlement to rivacy).

Last summer the High Court awarded Max Moseley £60,000 in damages for invasion of privacy when a video of him engaged in 'unconventional activities' was posted online. It subsequently formed the basis of a series of news articles, most notably in the News of the World (which resulted in this case).

This last case seems to have stirred the ire of a number of journalists, angry that the law of privacy has moved in a direction which they perceive restricts their freedom of speech. The Times commented on the growing 'privacy rights being created by the Courts'. Paul Dacre, Daily Mail editor, has also commented that the decisions have taken away their right to 'freedom of expression'.

On the back of this, Jack Straw is reported to have told the Joint Committee on Human Rights that, 'It is my intention — and I understand this is exactly what is going to happen — that there should be a select committee of MPs to look at the law of privacy'. It seems we should watch this space for potential legislative intervention.

This writer isn't a big fan of a moralising press trying to use freedom of speech as a justification for the publication of any sensational new story. There are competing rights involved here, and a sensible balanced approach needs to be taken between the rights of the individual to privacy and the rights of others to publish material they deem of public interest. 

The organic development of the law on privacy could, therefore, justify a systematic review. The cases on this area have focussed on a small number of high profile individuals, with more time being spent on the interesting and contrversial facts and participants than on the law behind the cases. What is needed instead is a focus on the (tedious) detail that is required to make an effective legal framework. This issue doesn't just affect the press, it affects the right of the individual to privacy, or indeed to freedom of speech. 

It is particularly important that this law is clear in a world where anyone could breach another's privacy simply by clicking 'post'.

An attack on rights, or a necessity?

New law being implemented in March as part of an EC Directive, will require internet service providers (ISPs) to keep information about every e-mail sent or received by every person in the UK for a period 12 months.

 

Under the Regulation of Investigatory Powers Act passed in 2000 and the Anti-Terrorism Crime and Security Act 2001 (Part 11), companies like Telcos and some ISPs are already under an obligation to keep this information in case it is needed by a police or security service investigation.  The existing European Data Retention Directive also seeks to ensure that investigators have access to this information for the purpose of police investigation, as they do under UK law, but does not call for centralised, government-run databases as is predicted will evolve from the new e-mail laws.

Under the new provisions, details of which can be found in the Consultation pubslished in August 2008, not only will ISPs collate data from an estimate of three billion emails per day, but they will also be paid between £25 and £70 million to ensure that they obey the law.  Critics argue that spending billions to keep tabs on someone on the off chance that they may be a criminal is not a productive use of tax payer’s money.  It is interesting to note that although the data is said by the Home Office to be useful to combating crime, only the timing, number and location of each communication are kept; the content is not stored.  Although privacy laws would have something to say about it, what is the use or storing the emails for combatting crime if the content is not stored?  Is there in reality another purpose behind the measures?

 

To further exacerbate criticism, although on paper the new law will apply to all ISPs, the Home Office is apparently planning for small ISPs to be exempt.  But what happens when our criminal friend doesn’t get caught as he’s using a small ISP, after the government has spent billions in attempting to catch him?

Have you 'Googled' the privacy policy?

Privacy and data protection appears to be the topic of the moment, with many new cases being reported on, and publicity surrounding data protection breaches.  We have mentioned a number of these cases on our blog over the past few weeks. 

The BBC has reported last week on some complaints being made about the positioning of Google's privacy policy.  Prompted by this, I wanted to see just how accessible Google have made their policy. I discovered that at the bottom of the i-Google home page there is a link to the policy: however the page reached from clicking on that link is not actually the policy but a 'privacy notice' which then links to a 'privacy policy' with a further one or two clicks depending on the link selected.

The complaints about Google's site have been made in the US, and in the context of compliance with the online privacy protection act 2003 applicable in California.  Not being a US lawyer, I am not going to comment on whether Google comply or not in this case. But I thought a brief mention about privacy policies and why they are so important to include on websites might be useful to readers. 

Anyone who runs a website needs to be aware of the legal requirements surrounding the use of personal data, as these not only come into play where the site actually asks users to enter personal information about themselves.  Even the use of cookies to track on-line movements of users of the website, and other data obtained about traffic using the site including location data, and browsing activities, could amount to what's known as 'processing of personal data'. Under UK law, users of any website should be informed if their personal data is going to be 'processed', and how the information obtained about them will be used and stored. The best way of notifying users is by including an easily accessible privacy policy on your site, with clear and obvious links to it from your home page.  The privacy groups in the US were complaining that Google had not got this right under US law.

Under UK law, website owners must also be careful to be data protection compliant with what they do with the data, and consent is required to be obtained from individuals before certain types of processing can be undertaken (for example use for direct marketing by email, disclosure to third parties) of personal data.  It is important to note that inclusion of a privacy policy of itself if not sufficient to ensure compliance with the Data Protection Act 1988.

Expelliamus!

JK Rowling has recently won a privacy ruling on behalf of her son.

David Murray, now 5, was the subject of covertly taken photographs when aged 19 months, when out with his mother on a public street. Joanne Murray and her husband objected to this on the basis that it was an intrusion into David’s right to privacy. When summarizing the reasons for endorsing their case, Master of the Rolls Anthony Clarke stated “if a child of parents who are not in the public eye could reasonably expect not to have photographs of him published in the media, so too should the child of a famous parent”.

This effectively overturns an earlier judgment that David had no arguable case that he had a right to privacy in a public place. It opens the door to further legal action, rather than being a conclusive result.

This case is also interesting in that it further bolsters the view that a breach of the right to privacy could automatically lead to a breach of the data protection act. If the right to privacy is breached, then use of that personal data may also constitute ‘unlawful and unfair’ use of a person’s personal data.

My opinion is that, at a simple level, this judgment is potentially a helpful clarification of the existing law of privacy in a specific context. The judgment does not extend the existing right to privacy. Rather it looks at the right to privacy afforded to the children of celebrities. J K Rowling was not trying to secure a ruling that she should be afforded a right to privacy in a public place, rather she was trying to secure a ruling that her child should not be subject to any more intrusion than any other child, notwithstanding her celebrity status.

The case will now proceed to full trial (assuming the parties do not settle) in due course.

Larry's still not happy

Mark and I went along to the SCL's annual lecture last night to see Prof Larry Lessig talk about "corruption 2.0".  I'd not seen him speak before (though I've followed the output from his blog for some time).  Once I'd got used to his staccato powerpoint style (does every word really need a separate slide for emphasis?), I was (predictably) wowed and convinced by many of his arguments.

I particularly liked his (more familiar) arguments about the scope and effect of copyright insidiously expanding to make contemporary "read write" culture illegal - though his point that legislators do just get things wrong (climate change, copyright extension, recommended diets) - and the lack of US privacy legislation - made me feel suitably indignant.  As I was supposed to feel.

And the "remix" section was great too.  It's never a bad thing to be reminded about some of those classic YouTube moments, such as Blair and Bush duetting to Lionel Ritchie's "Endless Love".  I've always been a big fan of some of the "mashups" my pal William puts on his Christmas compilation CDs, notably including the Beatles' "Christmas Time Is Here Again" with Boston's "More Than a Feeling".

I was only sad that there weren't more people there to see the performance.  In a theatre holding up to 460, I reckon there were no more than 100 people present.  Was this because the SCL had been over-ambitious in its choice of venue?  Or the conflict with the Chelsea v Liverpool match?  Or the fact it was a Wednesday night?  Or is Prof Lessig too radical for the taste of most tech lawyers?