Facebook and Legal Risk

Question:

If I am considering using information from someone’s Facebook profile in my next article or blog post, are there any legal landmines that I need to avoid?

Response By → Levine Sullivan Koch & Schulz:

(Posted on June 19, 2009)

There may be, depending upon the circumstances.  Relying on a Facebook profile as a source of information may create a number of legal risks, typically - although not exclusively - concerning the profile owner’s privacy and intellectual property rights. 

To illustrate these types of risks, imagine this:  There is a blogger who writes about everything there is to know about the State University football team.  She loves being the first to know - and post - the inside scoop.  Her newest idea is to Facebook friend some of the guys on the team to see if she can find anything in their profiles to include in her blog. 

First, she looks up the starting quarterback and, because his privacy settings are not turned on at all, she is able to see his relationship status (“It’s complicated”), a recent status update (“Watch out, got me some new juice!”), and a series of photos he said he took on a recent trip. 

Next, the blogger searches Facebook for a high school sophomore whom she knows is already being recruited by the State U team.  Because of his privacy settings, his profile can only be viewed by friends.  On a whim (or maybe because she got the idea here), the blogger creates a new Facebook profile, using a fake name and a racy photo.  From this profile, she sends the high school recruit a friend invite in which she implies that she met him at a recent party.  Surprisingly (or not so), the recruit friends her.  The blogger reads through his wall and sees a post in which the recruit wrote something that suggested he was part of a support group for child victims of sexual molestation.  She also sees that the recruit has 15 Facebook friends. 

Privacy Rights.  One potentially significant legal issue that the blogger should evaluate before posting anything she found on these profile pages is whether she could legitimately be accused of violating either football player’s right of privacy.  A so-called “publication of private facts” claim allows an individual to seek financial compensation from someone who posts “private” but true information about that individual on a blog if doing so would be considered “highly offensive” and the information is not of “legitimate public concern.”  (See previous privacy post, below.)

The first requirement for this claim is that the information is “private.”  In the above scenarios, if the blogger were to republish the quarterback’s comment about his relationship status (“It’s complicated”), it would be unlikely trigger a successful privacy claim - both because the statement is not the type of “highly offensive” or intimate detail that is usually covered by the tort and because the comment itself isn’t “private” in any meaningful sense, as it can essentially be viewed by “any person with a computer” because the quarterback’s privacy settings are not turned on at all.

In contrast, it is less clear whether the blogger’s republication of the high school recruit’s statement about the support group could possibly give rise to a privacy claim, but greater caution is called for here.  Although facts about sexual abuse may be intimate details of one’s private life, particularly that of a minor, whether those facts are legally “private” within the meaning of the tort can still turn on how many people know about them and whether their revelation would be “highly offensive” under the circumstances.  In addition, the information might be of legitimate public concern or otherwise non-actionable if it had also been disclosed in the context of a legal proceeding.

In the off-line context, at least one court has concluded that facts related to sexual molestation could remain “private” within the meaning of the tort if shared only with select individuals - immediate family and close friends.  But, in the online context, this reasoning may not hold.  In other words, while a court may conclude that a person maintains an expectation of privacy after personally sharing intimate details with close friends and relatives face-to-face, a court might conversely find an expectation of privacy lacking when the same information is broadcast to a group in a format in which it can be quickly and easily forwarded to an even larger group.  Here, keep in mind too that the recruit has shared this information with the blogger, someone whom the recruit presumably believes he only recently met at a party.  And we do not know who the recruit’s other 15 Facebook friends are or their relationship to him.

At bottom, given these factual circumstances, the recruit’s claim may fail even before he reaches the point where he would also need to establish that the blogger’s republication of this information is both highly offensive and not of legitimate public concern.  But, where information on a social network site appears to be intimate in nature and it appears to be shared only with a limited group, there is more reason to believe that privacy issues potentially lurk.

Intellectual Property Rights.  A second legal issue facing the blogger involves the law of copyright.  Even though the quarterback likely could not advance a privacy claim, the blogger still needs to know that the quarterback may have legally-protectable intellectual property rights in the photographs he posted on his Facebook page.  As we described below, copyright protection applies to all manner of expression once that expression is captured in a tangible form, such as in photographs.  Before the blogger does anything with those photos, she should consider whether the use she is contemplating is legally permissible. 

Copyright law, speaking generally, provides the quarterback the exclusive right to reproduce, distribute, or publicly display his photographs.  With some exceptions, if the blogger were to download and repost the photos on her own website and allow others to download them, she may be infringing upon the quarterback’s copyright in the photos.  To minimize the risk of a copyright claim, the blogger could instead post a link to the photos on the quarterback’s profile or could post the photos in a context that would constitute “fair use” (See previous post, below.) under federal law. 

Fraud, Misrepresentation, or Trespass.  Third, although the law is still evolving in the Internet world in this regard, it is theoretically possible that the use of a fake profile to friend the high school recruit and to access his profile could raise an issue of fraud, misrepresentation, or trespass.  Courts have rarely considered how these theories apply to Internet-based conduct - or have done so in circumstances that likely shed little light on the potential for liability under the facts imagined here.  In one high-profile case, a woman created a fake MySpace profile - and pretended to be a 16-year-old boy - to retaliate against a 14-year-old girl who had a falling out with her daughter.  In the course of this ruse, the “boy” developed a romantic interest in the girl but then abruptly ended the relationship; shortly thereafter, the girl committed suicide.  The woman was convicted of a misdemeanor under a federal computer fraud statute for violating the MySpace terms of service - which obligate members to provide truthful registration data and prohibit harassment - in order to obtain information and for doing so in furtherance of tortious conduct, i.e., intentional infliction of emotional distress.  Commentators have roundly criticized the prosecution as pursuing a dubious legal theory.

Traditionally, courts have demonstrated a marked reluctance to impose liability on journalists who misrepresent their identities to obtain entry to a location or to obtain and publish truthful information.  In many cases, the damages alleged are found not to flow from the alleged trespass or fraud - but instead from the plaintiff’s own conduct or from the publication of the information which is entitled to the full protection of the First Amendment.  Analogously, courts should be equally reluctant to impose liability on a blogger who uses a fake profile to obtain and publish truthful information, especially where the information is of legitimate public concern.

Defamation.  Fourth, if the information the blogger reposts is not true and injurious to reputation, she may face a different legal problem.  As the blogger already knows, Facebook profiles are easy to create.  What if she were to write, on the sole basis of the quarterback’s reference to using “juice” (and, say, despite all other evidence to the contrary known to her) that he was using steroids - and then discover that the whole profile was a prank? In that case, the blogger could face a claim of defamation, i.e., publication of a false statement about another person that tends to harm his reputation so as to lower him in the estimation of the community and that was made in reckless disregard of the probable falsity of the statement. 

All in all, while Facebook may offer a wealth of information, under certain circumstances caution may be warranted with regard to how that information is accessed or used.  To reduce risk, the safest route for journalists and bloggers with questions based on their specific situation is to consult an attorney with experience in this area. 

From Geanne:  Thank you Levine Sullivan Koch & Schulz for considering Facebook and reporting and publishing-related legal risk.

Book Reviews and Legal Risk

Question:

What are the legal issues involved with book reviews? Can a reviewer be sued? What are the defenses?

Response By Geanne Rosenberg:

(Posted on May 25, 2009)

The primary areas of legal risk for book reviewers are in libel and, to a much lesser extent, copyright law.  See, Rule 1 and the related defamation materials (http://www.kcnn.org/legal_risk/Rule_1 and http://www.kcnn.org/legal_risk/rule_1_defamation).  See, Rule 6 on copyright concerns (http://www.kcnn.org/legal_risk/rule_6).

In the United States, there are very powerful protections against libel claims. For example, opinion is protected.  So if you were to say that you really disliked a book, you found it extremely boring, and you’d prefer to spend your time in a dental chair, no problem.  The biggest concern would be the possibility of false statements of fact being included in a review.  For example, if you were to state that you think the author is an alcoholic and must have been intoxicated at least half the time she was writing, or that the author, in writing about child abuse, reveals an understanding that can only come with being the perpetrator of horrible abuses, and those things are untrue and provably false, that’s legally risky.  Also, if the book includes libelous statements about someone and you repeat those statements in your review, you can be legally vulnerable.  So, if the author writes that his ex-spouse engaged in criminal activity and you repeat that without first verifying the truth of the statements and it turns out the purported facts you’re repeating are false, you can be at risk. 

Bottom line: Opinions are fine, but assertions of fact that might be damaging to someone’s reputation should be verified.  Truth, after all, is a complete defense to any defamation claim.

Quoting too much of a book’s content without permission could raise copyright concerns, although you would have some powerful protection under the “fair use” doctrine.  How much is too much is debatable.  If you were to download the entire text, that would be a big problem.  On the other hand, quoting short excerpts of text in the context of your opinions and commentary generally would be fine.  Publishing with permission of the copyright holder eliminates the legal risk under copyright law.  Again, please see Rule 6 (http://www.kcnn.org/legal_risk/rule_6) for a more complete discussion of copyright law and for further resources.

—Geanne

The Children’s Online Privacy Protection Act and the Children’s Internet Protection Act

Question:

What are the Children’s Online Privacy Protection Act and the Children’s Internet Protection Act and how might they relate to the work of bloggers, citizen journalists, educational organizations and other online publishers whose subjects, audience and/or participants may include children?  What bright line rules and best practices can help ensure compliance?

Response By → Levine Sullivan Koch & Schulz:

(Posted on March 19, 2009)

The Children’s Online Privacy Protection Act

The Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6508; 16 C.F.R. Part 312, is designed to place parents in control of personal information collected from young children. The statute applies to commercial Web sites that either are directed to children or knowingly collect personal information from pre-teens. Under the law, such Web sites must post privacy policies and obtain parental consent before collecting personal information from children under the age of 13.

The FTC determines whether a Web site (or section thereof) is “directed to children” using a number of factors, including whether its subject matter and language are child-oriented, whether it uses animated characters, and whether advertising on the site is targeted toward children.  The FTC may also consider statistics on the actual ages of a Web site’s users.

A Web site won’t violate COPPA if it blocks children under 13 from participating.  However, those wishing to qualify for this exception should be careful that their age input screens are not designed in a way that would encourage children to respond falsely.  For example, an age input screen should not state that a participant must be 13 alongside the request for the would-be participant’s age.   

“Personal information” means individually identifiable information, such as name, address, email address, gender and hobbies, and includes any persistent identifier that is tied to such information if it can be used to identify, contact, or locate the individual. COPPA also covers personal information collected from children about their parents, friends or other persons. The rules apply whether the information collection is voluntary, such as for a social networking site, or mandatory, such as to participate in a contest. If a Web site isn’t collecting personal information from children, COPPA really isn’t a concern.  However, even for Web sites that do not collect children’s information, a posted privacy policy can reassure visitors about the Web site’s information practices. 
Foreign-based Web site must comply with COPPA if they are directed to, or if they knowingly collect personal information from, children in the United States. COPPA generally does not apply to noncommercial, nonprofit entities. 

The FTC monitors the Internet for compliance with COPPA and the public may also submit complaints to the FTC regarding alleged violations.  Violations of the COPPA regulations may subject a Web site operator to civil penalties of up to $11,000 per violation.  If you think that your Web site may not be in compliance with COPPA, you should immediately stop collecting, disclosing or using personal information from children until you are certain you are in compliance. 
If your Web site or online service falls within the COPPA regulations, before collecting any information from children under 13, you must:

1. Draft a clear and comprehensive privacy policy describing your information practices.
Your privacy policy should inform people about the types of information your Web site collects and how that information is used. It must include: (1) the name, address, telephone number, and email address of each operator that collects or maintains personal information from children through your site; (2) what information is collected from children and whether it is collected actively or passively (for example, you must disclose that your site uses “cookies” or other passive information collection technologies if you intend to combine such passively collected non-personal information with personal information); (3) how the information is or may be used; (4) whether the information is disclosed to third parties, details about the disclosure(s), and that the parent may deny consent to the disclosure(s); (5) that the child’s participation in an activity cannot be conditioned on the disclosure of more information than is reasonably necessary to participate; and (6) that the parent can review the child’s personal information and refuse to permit the further collection or use thereof. The policy should be written in plain language and you should avoid contradictory or ambiguous statements. 
If your Web site has multiple operators that collect information through the site, you may list the contact information for one operator who will respond to all inquiries from parents, but you must also list the names of all the other operators. To keep your privacy policy simple, you can include a clear and prominent link to this complete list of operators, provided you ensure that parents may easily access this list.

2. Prominently post the privacy policy on your home page, and provide a link to the policy on every page where personal information is collected.
COPPA requires that you post a link to the privacy policy clearly and prominently on your home page and also on other places from which personal information is collected. The links must stand out and be noticeable to visitors by using, for example, a larger font size in a different color on a contrasting background.  A link is not clear and prominent if it is in small print at the bottom of the page, or is indistinguishable from a number of other adjacent links.  If your site includes both sections targeted to a general audience and sections targeted specifically to children, you may use a single privacy policy that includes the information required under COPPA.  However, links for the children’s policy (which must be prominently displayed on each children’s page) should take visitors directly to the relevant section where policies related to children’s information are discussed. 

3. Provide notice to parents about the site’s information collection practices and obtain verifiable parental consent before collecting personal information from children under 13.

If your Web site collects any personal information from children under 13, you must send parents a “direct notice” that (1) informs the parent that you wish to collect personal information from the child; (2) contains all the information set forth in your online privacy policy; and (3) depending on how you intend to use the information, certain additional information, for example:

• Where you are seeking verifiable consent from the parent, your notice must state that the parent’s consent is required for the collection, use, or disclosure of information, and explain how the parent may provide consent.
   
• Where your collection of the child’s online contact information falls solely within the “multiple-use” exception (described below), your notice must state: that you have collected the child’s online contact information; that the parent may refuse to permit further contact with the child and direct you to delete the child’s information; how the parent can have the child’s information deleted; and that if the parent fails to respond, you may use the child’s online contact information for the stated purpose.
   
• Where your collection of a child’s name and online contact information falls solely within the “child safety” exception (described below), your notice must state that you have collected the child’s name and online contact information to protect the safety of the child, that the parent may refuse to permit the use of the information and require its deletion, and that if the parent fails to respond, you may use the information for the stated purpose.

The notice should not include any materials promoting products or services, or other unrelated information. You may send your direct notice to parents via email, and you may use a link to your privacy policy to inform parents of its content.

COPPA generally requires you obtain verifiable parental consent before collecting any personal information from a child, unless your collection fits into one of five “email exceptions,” under which you may collect a child’s, and sometimes a parent’s, online contact information before obtaining parental consent. These exceptions include:

1. Collecting the name and/or online contact information of a parent or child for the sole purpose of providing the required direct notice and obtaining parental consent. If consent has not been obtained after a reasonable time from the date the information was collected, you must delete the child’s personal information from your records.

2. Collecting a child’s online contact information solely to respond to a specific request from the child, as long as the information provided is not used to re-contact the child and is deleted immediately after responding to the child’s specific request.

3. Collecting a child’s and/or a parent’s online contact information in order to send periodic communications, such as online newsletters, site updates, or password reminders (the “multiple-use” exception). Immediately after the initial contact and before making any additional response to the child, you must make reasonable efforts to ensure that the parent receives notice and is informed of the opportunity to opt-out of further use of the information collected. Note that you do not have to obtain the parent’s affirmative consent, and the parent must contact you to discontinue repeated communications, however you will not have met the “reasonable efforts” requirement if you receive notification that your email notice has bounced back or delivery failed in some other manner.

4. Collecting a child’s name and online contact information where necessary to protect the safety of a child participating on the site (the “child safety” exception). You must use reasonable efforts to provide a parent with notice and you may only use the child’s information for the sole purpose of protecting the child’s safety.  You cannot use the information to re-contact the child or for any other purpose, and may not disclose the child’s information on your Web site or online service.

5. Collecting a child’s name and online contact information for the sole purpose of protecting the security or integrity of your site, to take precautions against liability, to respond to judicial process, or to provide information to law enforcement agencies or for an investigation on a matter related to public safety.
If you plan to collect, maintain or disclose information for any other purpose, you must obtain verifiable parental consent.  You can use any of several different methods, provided that the method you choose is reasonably calculated to ensure that the person providing consent is, in fact, the child’s parent. COPPA sets forth several alternatives. However, if you are going to disclose children’s personal information to third parties, or make it publicly available by providing an online service such as a social networking site, chat rooms, or message boards, or hosting a blog or personal home pages, etc., then you must use one of the more reliable methods to obtain consent:

• Supply a form that parents may print, fill out, sign, and mail or fax back to you;
   
• Require parents to use a credit card in connection with a transaction (for example, a membership or subscription fee, a purchase, or a charge to cover the cost of processing the credit card); note that it must be an actual transaction, simply collecting the number is not sufficient;
   
• Maintain a toll-free telephone number staffed by trained personnel for parents to call in their consent; or
   
• Obtain consent through an email from the parent, if that email contains a digital signature, or other digital certificate that uses public key technology obtained through one of the above methods.

If you are going to use children’s personal information only for internal purposes, that is, you will not be disclosing the information to third parties or making it publicly available, then you can use any of the above methods, or you can use an “email plus” method, under which you may request (in your direct notice to parents) that they provide consent in a return email. After receiving the parent’s email consent, you must then take steps (the “plus”) to confirm that it was, in fact, the parent who provided consent, by:

• Requesting in your initial email seeking consent that parents include a phone or fax number or mailing address in the reply email, so that you can follow up to confirm consent; or
   
• After a reasonable time delay, sending another email to the parent to confirm consent. Your confirmatory email should include all the same information contained in your initial direct notice, inform parents that they can revoke their consent, and inform them of how to do so.

It is a best practice to have a readily available backup method for those parents who cannot, or will not, use your primary means of providing consent, for example, via the print-and-send form, which is easy for parents without access to email or a credit card. The FTC recommends that you provide parents with passwords or PIN numbers as a way to confirm a parent’s identity for future contacts.

4. Give parents the ability to review the personal information collected from their child, a choice regarding whether or not their child’s personal information will be disclosed to third parties, and the opportunity to delete the collected information and opt-out of future collection or use thereof.

You must provide parents with the ability to access and review the personal information you have collected from their child after taking reasonable steps to verify that the person seeking such access is indeed the child’s parent.  This is why providing parents with a password or PIN number can be very helpful.  Other reasonable methods for verifying the parent’s identify include: providing a method for the parent to make their request in writing, such as an email address or fax number; using a credit card transaction; using digital signatures; or asking the parent to submit a driver’s license.

Note that it is not necessary for you to keep all the information you have ever collected from the child in case the parent wants to review it.

If a parent chooses to have his/her child’s information deleted or to opt-out of future collection and use of the child’s information, you must keep in mind that a child’s participation in online activities such as games or contests cannot be conditioned on the child disclosing more personal information than is reasonably necessary to participate in that activity.  Where the public disclosure of information is integral to the Web site’s operation, such as in the case of social networking sites and similar services, you are not required to give parents the option that you will collect their child’s information, but not disclose it to third parties.  On the other hand, you may not be able to reasonably condition a child’s participation in a game upon their providing personal information. 

5. Maintain the confidentiality, security, and integrity of information you collect from children. 

It is important that you carefully review your information practices and privacy policy, looking closely at what information you collect; how you collect it; how you use it; whether the information is necessary for the activities on your site; whether you have adequate procedures for providing parents with notice and obtaining verifiable consent; and whether you have adequate means for parents to review and delete their children’s information.  You can review additional educational materials on the FTC’s Web site at http://www.ftc.gov/privacy/privacyinitiatives/childrens_educ.html. The FTC also has a COPPA-compliance checklist, which is available at http://www.ftc.gov/bcp/conline/edcams/coppa/checklist.htm

The Children’s Internet Protection Act

The Children’s Internet Protection Act (CIPA), the requirements of which are generally found in 20 U.S.C. § 6777, was enacted by Congress to address concerns about children accessing offensive content over the Internet on school and library computers. CIPA applies to such institutions that receive funding for Internet access or internal connections from the E-rate program, a program that makes certain communications technology more affordable for eligible schools and libraries. CIPA does not affect E-rate funding for schools and libraries receiving discounts only for telecommunications, such as telephone service.

Schools and libraries subject to CIPA may not receive the discounts offered by the E-rate program unless they certify that they have an Internet safety policy addressing the following issues:

• Access by minors to inappropriate matter on the Internet;
• The safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications;
• Unauthorized access including “hacking” and other unlawful activities by minors online;
• Unauthorized disclosure, use, and dissemination of personal information regarding minors; and
• Technological measures designed to restrict minors’ access to materials harmful to minors.

They must also certify that, as part of their Internet safety policy, they are educating minors about appropriate online behavior, including cyberbullying awareness and response and interacting with other individuals on social networking sites and in chat rooms.

Schools and libraries participating in the E-rate program must also have technology protection measures in place to block or filter Internet access to materials that are: (a) are obscene, (b) child pornography, or (c) harmful to minors.  “Harmful to minors” is defined as any material that (a) taken as a whole and with respect to minors, appeals to a prurient interest in nudity sex, or excretion; (b) depicts, describes or represents, in a patently offensive way with respect to what is suitable for minors, an actual or simulated sexual act or sexual contact, actual or simulated normal or perverted sexual acts, or a lewd exhibition of the genitals; or (c) taken as a whole, lacks serious literary, artistic, political, or scientific value as to minors. Schools subject to CIPA also are required to adopt and enforce a policy to monitor online activities of minors.

School and library administrators must provide reasonable public notice and hold at least one public hearing to address their proposed technology protection measure and Internet safety policy.

CIPA does not require the tracking of Internet use by minors or adults.  In addition, an authorized person may disable the blocking or filtering measures during any use by an adult to enable access to blocked materials for bona fide research or other lawful purposes.

From Geanne:  Thank you Levine Sullivan Koch & Schulz for this very thorough reply.

Video Links and Copyright Concerns

Question:

When using video in connection with blogs, is providing a link to video that may be protected by copyright permissible, or is that unclear, and are there any parameters or useful rules of thumb for bloggers and citizen journalists?

Response By → Levine Sullivan Koch & Schulz:

(Posted on January 10, 2009.)

Copyright protection applies to all manner of expression once that expression is captured in a tangible form from which others (with their own senses or with the aid of a device) can perceive the work.  Thus, in addition to written, pictorial, musical or artistic works, among others, copyright applies to videos or other audiovisual works.  Moreover, copyright applies not only to creative works, but to factual works such as news clips and video of actual events.  Thus, anytime a blogger or citizen journalist wishes to use video that was not created by them, they should consider whether, under the principles of copyright law, the use is permissible.

Generally, copyright law gives copyright owners the exclusive right to reproduce, distribute, publicly perform, publicly display or prepare derivatives of their work. In most circumstances, anyone who exercises any of these rights, without the permission of the copyright owner, is infringing the copyright.  For example, if you have created a short video depicting an event and, without your permission, someone copies the video, uploads it to her own Web site, and lets visitors download copies, that person is infringing your copyright by engaging in a number of the exclusive rights (reproduction, distribution, possibly public performance and display).  However, the copyright law prohibition of unauthorized use is not absolute.  Under certain circumstances, the doctrine of “fair use” requires that particular publicly beneficial uses be allowed, notwithstanding the lack of permission from (and sometimes over the objection of) the copyright owner.  In addition, as the Internet continues to evolve, and courts become more familiar with its workings, some uses—including certain linking—that may resemble copyright infringement have been judged not to be infringing based on the technical aspect of how a given video is provided to users.

Technical issues and infringement

Recent decisions by the influential Courts of Appeals for the Second Circuit and Ninth Circuit show that courts are now taking a much more technical approach to assessing issues of copyright infringement.  Thus, to determine whether content is being infringed by being publicly displayed, publicly performed or distributed via a given Web site, courts will consider on whose server the content actually resides and whether the content is presented to users by being served directly to them or simply presented through inline links to another site.  These courts have held that, in order to infringe by performance, display or distribution, the putative infringer must actually possess a copy of the work. 

When the content actually is on a third party’s Web site and resides on that site’s servers, and you merely employ an inline link such that the content appears in a frame on your site, the copy is served from the third party’s site to users, and technically never resides on your site or servers.  Under the holding of some recent cases, you would not be committing infringement.  Likewise, simply linking to content residing elsewhere generally should not amount to direct infringement on your part.

Note that, while linking to content residing elsewhere on the Internet typically does not amount to infringement, a blogger can become liable for infringing acts committed by others if the blogger is aware that content on another site is in fact infringing but nevertheless provides a link to and encourages users to access the infringing content.  In that circumstance, although the blogger will not have engaged in any directly infringing act, he or she could be held liable for contributory infringement based on his or her knowing participation in the infringing conduct of others.

In contrast to links, where an unauthorized copy of a video resides on your site or servers, you likely would be deemed to be an infringer unless your use of the video qualifies as a fair use.  Thus, if you were to make a copy of an over-the-air broadcast or download a video from someone else’s site and upload it to your own site, you would be reproducing copyrighted content.  By providing that content to the visitors to your site, you also would be distributing (for example if you made the content available for downloading), or publicly performing or publicly displaying (for example if you streamed the content to your users) and thereby committing additional acts of infringement.

Fair Use

The doctrine of “fair use” may permit some uses of works that would otherwise constitute infringement.  Fair use is a statutory provision that balances a copyright owner’s exclusive right to control use of his or her work against the public’s need to have that work available for publicly beneficial purposes.  Courts often describe the doctrine of fair use as the most difficult concept to apply in all of copyright law.  Under Section 107 of the Copyright Act, use of someone else’s work for such purposes as commentary, criticism, news reporting, research and scholarly reports, among other things, may be considered to be a fair use, and thus non-infringing, based on a balancing of four factors: (1) the purpose and character of the use, (2) the nature of the copyrighted work, (3) the amount and substantiality of the portion used, and (4) the effect of the use upon the copyright owner’s potential market.  Despite the presence of these statutory factors, there are no hard and fast rules that govern the application of fair use; each use must be addressed on its facts. 

• Uses are more likely to be fair when they “transform” the work that is being used.  That is, where the use builds upon the original, for example providing a critique of the original, or adds content that builds on the message of the original.
   
• Uses are less likely to be fair when they simply present the original for the same purpose as it originally was used.  For example, if a video of a live event appeared on a news program, and you want to report on the same news event but do not have your own video, showing a copy of the original news program’s video is not likely to be fair.
   
• Uses that “scoop” the copyright owner’s first use of the work are less likely to be fair.  For example, if you rush to get a video distributed via your Web site before the copyright owner broadcasts it, this fact will weigh against fair use.
   
• Taking more than is appropriate for a proper purpose is less likely to be fair.  Thus, if you are making a point for which 10 seconds of a three minute video might be crucial, but you use the entire video, this fact will weigh against fair use.
   
• Uses that interfere with the market for the original work tend not to be fair.  If the copyright owner typically offers licenses to bloggers and others to make the type of use you want to make, using the content without obtaining that license tends not to be fair.

Permission from the copyright owner is the safest route if you wish to upload or distribute another’s video content.  If you don’t have that permission, because of the complexity and unsettled nature of this area of the law, it may be helpful to consult with a qualified attorney before uploading or otherwise reproducing or distributing another’s video content.

From Geanne:  Thank you Levine Sullivan Koch & Schulz for this thoughtful response.

Proposed Federal Shield Law’s Potential Impact on Citizen Journalists

Question:

Is the proposed federal shield law dead?  If it is ultimately passed, would it be helpful or hurtful to bloggers and citizen journalists?

Response By → Levine Sullivan Koch & Schulz:

(Posted on November 5, 2008.)

No, efforts to pass a federal shield law are not dead, but they will likely have to wait until next year and the new Administration to move forward.  It is unclear whether it would help or hurt bloggers and citizen journalists. 

When discussing the proposed shield law, it is important to recognize that there are two versions of the law under consideration by the Congress, the House bill (H.R. 2102) and the Senate bill (S. 2035), and that the two bills differ in a number of ways. 

The House bill passed overwhelmingly and with broad bipartisan support, 398 to 21, on October 16, 2007.  The Senate bill experienced a procedural setback on July 30, 2008, when efforts to bring it to the floor for a vote failed as a result of maneuvering related to debate on amendments to an energy speculation bill.  However, a number of supporters of the bill considered the vote, and the Senate’s attention to the issue, a positive development.  At this juncture, given the explosive financial crisis on Wall Street, it seems unlikely the bill will be taken up again in this session. 

Because there are some differences between the House bill and the current form of the Senate bill, the impact of a federal shield law on bloggers and citizen journalists will turn on which provisions are ultimately incorporated into a final law.  Interestingly, regardless of who might be protected by the law, the present Senate version provides somewhat less protection for confidential sources in certain situations - like civil litigation - than does the House bill.  However, in its current form, the protections the Senate bill does recognize would likely cover a greater number of bloggers and citizen journalists than the House bill. 

The language of the current draft of the Senate bill uses a functional test to decide who would be protected by the law.  It applies to all individuals engaged in “journalism,” a term that is defined as “the regular gathering, preparing, collecting, photographing, recording, writing, editing, reporting, or publishing of news or information that concerns local, national, or international events or other matters of public interest for dissemination to the public.”  Many bloggers and citizen journalists, provided they address public issues on a regular basis, would seem to be protected by this legislation. 

In contrast, although the House bill employs the same definition of journalism, it adds a professionalism test to decide who is protected.  It only applies to professional journalists, that is, individuals engaged in journalism “for a substantial portion of the person’s livelihood or for substantial financial gain.”  Thus, although some might satisfy this standard, the majority of bloggers and citizen journalists probably would not. 

Since the Senate bill is the less substantively protective of the two, it may have a better chance of passing in the House than the House bill does in the Senate.  However, as the proposed law will likely be taken up under a new Administration and in a new Congress, it is difficult to predict at this juncture what the final version might look like.  Moreover, particularly given some of the limitations of the Senate bill, if it is this version that is passed, the courts may have a great deal to say about exactly how the law would be interpreted and applied.

From Geanne:  Thank you Levine Sullivan Koch & Schulz for this helpful reply.

How Privacy Laws Pertain to Information Available on the Internet

Question:

A legal claim that private facts have been wrongfully published generally requires that the facts at issue were not previously public.  Does that mean that if truthful personal information about a private person, such as financial or medical data or an ancient shoplifting arrest is posted in some obscure location on the Internet, perhaps within a database or deep inside a social networking site, that anyone can republish it without worrying about a private facts claim?  In other words, once truthful information has been publicly accessible online, is it fair game for re-publication by a blogger or citizen journalist or anyone else?

Response By → Levine Sullivan Koch & Schulz:

(Posted on September 20, 2008)

Overview

Historically, truthful information that is not kept private has been fair game for republication, even when the information is about a private (i.e., non-famous) person.  Technology has altered the legal landscape somewhat, however.  Both the pervasive nature of the Internet and technological glitches resulting in accidental disclosure of information have led courts to alter this general rule in some circumstances where sensitive personal information, like medical or financial information, is at stake.  As a result, there is no easy, clear answer to the hypothetical question posed above.  A general understanding of the law governing the disclosure of private facts should, however, assist a citizen journalist in assessing the risk presented by republishing a given piece of information found on the Internet.

Most states make the “unwarranted publication of intimate details of a person’s private life” unlawful, although the precise contours of the law governing such claims vary from state to state.  Liability for this kind of invasion of privacy primarily turns on whether the person whose data is disclosed has a reasonable expectation of privacy in that data.  This, in turn, can depend on a variety of factors, including the nature of the information, the context in which it was initially revealed, and the extent of its initial disclosure.  Even where a person has a reasonable expectation of privacy in the facts disclosed, however, there can be no liability if the information is of legitimate concern to the public. 

Public Disclosure of Private Facts

A person suing for public disclosure of private facts is required to prove that another person (1) gave publicity (2) to a private fact (3) that is not of legitimate concern to the public, where (4) such disclosure is highly offensive to a reasonable person.  In the hypothetical scenario posed above, the blogger or citizen journalist is giving publicity to the information, and the disclosure would arguably be “highly offensive” to any reasonable person given the sensitive, personal nature of the information.  (The categories of information that most often give rise to this kind of invasion of privacy claim include mental and physical health, sexual relations and orientation, family matters, status as a crime victim, and personal financial matters).  Therefore, the likely battleground in any such lawsuit would be the second and third elements—whether the facts can truly be considered “private” when they previously have been posted on the Internet, and whether they are of legitimate concern to the public. 

What Makes a Fact “Private”?

Information is recognized by the law as being “private” when a person has a reasonable expectation of keeping the matter private.  A person’s reasonable privacy expectations change depending on the nature of the information and how it was disclosed:

(1) Public Records

At one end of the spectrum - the least private end - is information in official government records.  One does not have a reasonable expectation in the privacy of information contained in public records, and thus such information is virtually always fair game for republication.  This is true even where the information is not ordinarily made accessible to the public, and the initial disclosure is inadvertent or in violation of the law. 

The United States Supreme Court has held that the publication of truthful information contained in official public records cannot be punished absent “a state interest of the highest order.”  And the Court was not kidding when it said “highest order”; it even rejected an invasion of privacy claim based on a newspaper’s publication of the name of a 17-year-old rape and murder victim - which it obtained from a review of an indictment - even though a state statute outlawed publication of that information.  Most courts have held that this principle applies despite the passage of time; even information in “ancient” public records does not revert to private status. 

Suffice it to say, therefore, that a person can rarely successfully sue for invasion of privacy where facts contained in public files are published (or, as in our hypothetical, republished).  So, for instance, the person in the hypothetical above could not successfully sue for publication of the ancient shoplifting arrest since the information is contained in a public record (even if the blogger did not obtain the information from the official public record). 

This principle has also been held to apply even where once-private information makes its way into the public record.  One court held, for example, that medical information that was publicized one time at an open hearing was no longer private.     

(2) Publicized Information

Even where the matter disclosed is not in a public record, it may have otherwise become sufficiently public that it enjoys no privacy protection under the law.  Courts have long held that “there can be no privacy with respect to a matter which is already public or has previously become part of the ‘public domain.’”  Thus, when a person voluntarily publicizes information about herself to any significant number of individuals, even in a limited way, she may forfeit her right to privacy in that information. 

For example, one court held that a nude dancer had no basis for complaining about a newspaper’s publication of photos of her when she originally circulated the photos to publicize herself and the clubs where she was appearing.  Another court reached a similar result when a newspaper republished a person’s name and address only after he previously disclosed the information in numerous letters to the newspaper and to a congressman.  And the disclosure that the man who saved President Ford’s life was homosexual did not violate his privacy because he had marched in gay parades and acknowledged his sexual orientation to a large circle of friends.

Similarly, information that is in public view for anyone to see can be republished.  In these situations, a person also has no basis for complaining of further publicity because the information is part of the “public domain.”  In one case that makes the point clear, a court held that the publication of a photograph of two young women at a rock concert with body paint on their exposed breasts was not unlawful, even though the concert was on private property, because the women’s activities were “open to the public eye.” 

Indeed, even the involuntary disclosure of information can diminish one’s expectation of privacy in it.  Once the information has been pervasively publicized, or if it is open to the public eye, courts usually will not recognize a right of privacy in that information.  So, for instance, a citizen journalist probably would not be held liable for posting a video of an emergency rescue made in a hurricane, even where that rescue involved medical procedures, so long as the rescue was made in a public area in plain view and not in the confines of an ambulance or helicopter. 

(3) Limited Disclosure

The trickiest situation arises where information is not widely disclosed.  A matter may remain private where it is revealed only to a single individual or to a small, select group of people.  Courts sometimes see a legally significant difference between this type of limited or selective disclosure and the disclosure of the same facts to members of the public at large. 

This doctrine of limited disclosure becomes particularly important in circumstances, suggested by the hypothetical, where it appears that information of a sensitive personal nature has been unintentionally disclosed.  To the extent that such information is inadvertently disclosed or left open to a large audience, courts will often find a valid privacy expectation in it, even if it has been published on the Internet to a theoretical worldwide audience.

Thus, for example, a person’s disclosure of his financial data to an online banking service, or posting his medical data on a pharmaceutical Web site, might not be viewed as transforming the information from private to public - even if that information is viewable in some remote place on the Internet.  Indeed, at least one blogger has been prohibited from disclosing patients’ personally identifying medical information that she found online.  The blogger said that she had discovered the information on a publicly available Web site created by a medical organization.  The organization acknowledged the data posting, but claimed both that it was inadvertent and that a regular Internet search would not have pointed a user to the patient’s information.  The court found these factors important to the analysis and rejected the blogger’s contention that the information had lost its private character.

Similarly, another court held that the anonymous Internet posting of a small segment of an explicit video portraying sexual conduct between former rock star Bret Michaels and actress Pamela Anderson did not render the contents of the video fair game for republication by an adult entertainment business.  The court held that because the video had not been viewed by a wide audience before it was removed from the web, and Michaels and Anderson had not left their conduct open to public view, they had a reasonable expectation of privacy in the images on the video. 

When Is a Fact Newsworthy?

Even if the information disclosed is a private fact, the First Amendment forbids liability for the disclosure if the matter is “newsworthy” - in other words, if it is of “legitimate public concern.”  Unfortunately, the determination of what matters are of legitimate public concern is the most problematic and unsettled aspect of the law of privacy.

Most courts use a broad definition of newsworthiness, limiting its scope only when information is not truly reported for any purpose other than “prying” into the private affairs of another:

In determining what is a matter of legitimate public interest, account must be taken of the customs and conventions of the community; and in the last analysis what is proper becomes a matter of community mores.  The line is to be drawn when publicity ceases to be the giving of information to which the public is entitled and becomes a morbid and sensational prying into private lives for its own sake, with which a reasonable member of the public, with decent standards, would say that he had no concern.

These courts look to see (1) whether the publication overall concerns a newsworthy topic, and (2) whether each fact disclosed in the publication bears some nexus to that topic - in other words, whether the fact was included “for its own sake” and not to advance the point of the overall publication. 

Thus, one court held that it was not unlawful for a news report about a doctor’s malpractice claims to reveal facts about her psychiatric history and marital problems because those facts were “substantially relevant to the newsworthy topic of policing the medical profession.” 

Similarly, another court was called upon to determine “whether the possibly private facts complained of - broadly speaking, an accident victim’s appearance and words during the rescue and evacuation - were of legitimate public interest.”  The court concluded they were:  “the broadcast video depicting” the accident victim’s “injured physical state (which was not luridly shown) and audio showing her disorientation and despair were substantially relevant to the segment’s newsworthy subject matter.”  (The accident victim wasn’t clearly identifiable in the video segment and only her first name, “Ruth”, was stated.)
 
Where the overall focus of a report is further removed from the particular facts at issue, courts are less likely to find those particular facts are “newsworthy.”  For example, one court allowed a privacy claim to proceed where the person objected to the use of “before” and “after” photos of her face lift to illustrate a television report on plastic surgery.  While the public “undoubtedly has an interest in plastic surgery,” the court found that the use of the particular photos “neither strengthened the impact nor the credibility of the presentations nor otherwise enhanced the public’s general awareness of the issues and facts concerning plastic surgery.”

In sum, many courts give deference to reporters and editors to choose what details will most effectively contribute to the credibility and persuasive value of a publication, and therefore what details are “newsworthy”:

That the broadcast could have been edited to exclude some of the person’s words and images and still excite a minimum degree of viewer interest is not determinative.  Nor is the possibility that the members of this or another court, or a jury, might find a differently edited broadcast more to their taste or even more interesting.  The courts do not, and constitutionally could not, sit as superior editors of the press. 

Other courts have proven less deferential to the news media, however, and a blogger or citizen journalist unaffiliated with a traditional news media outlet might receive less deference still. 

The Bottom Line

Whether a citizen journalist or blogger may republish sensitive, private information about a private person found in an obscure location on the Internet is a “totality of the circumstances”-type analysis that may depend on a variety of factors, including:

• the nature of the information
• the manner in which it was placed on the Internet
• whether the information is of public record
• how “public” the information has become by virtue of the place where it resides on the Internet
• whether the information is of legitimate concern to the public - i.e., whether the facts disclosed bear a logical relationship to a newsworthy subject, and whether they are intrusive in great disproportion to their relevance.

From Geanne:  Thank you Levine Sullivan Koch & Schulz for shedding new light on this rarely addressed, but bound to arise, issue.

Guide To Takedown Notices And The DMCA’s Safe Harbor

Question:

What is a DMCA takedown notice and what should a blogger or Web site producer do if he/she receives one?

Response By → Levine Sullivan Koch & Schulz:

(Posted on June 26, 2008)

A DMCA “takedown notice” is formal notification that content posted on a Web site, blog, or other online forum is in violation of copyright law.  Receipt of such a notice by a “service provider”, such as a Web site operator, blogger, online forum, or other Internet-based host for third-party content, necessitates a prompt response.  Some basic first steps when a DMCA takedown notice arrives:

1.  Evaluate the takedown notice and related content;

2. Depending upon the outcome of that evaluation, remove or temporarily disable access to the content at issue;

3. Notify the original poster of the complaint. 

By way of background, the →Digital Millennium Copyright Act, known as the DMCA, was added to federal copyright law in 1998. The DMCA addresses electronic and Internet-related issues.  One portion of the DMCA includes “anti-circumvention” provisions.  These anti-circumvention rules make it unlawful to avoid copyright protection measures (such as protections against unlawful copying that are built into software, DVDs, CDs and the like).  The rules also prohibit trafficking in devices designed to circumvent such copyright protection measures.  Another portion of the DMCA relates to takedown notices.  This portion creates a “safe harbor” for online service providers (“OSP’s”) against copyright infringement claims relating to third-party posts provided certain requirements are met. 

An OSP that follows the DMCA rules and appropriately removes infringing material, as outlined below, can protect itself against liability. 

Generally, copyright law gives copyright owners the exclusive right to reproduce, distribute, publicly perform, publicly display or prepare derivatives of their work.  In the context of the Internet, loading a copy of a work — such as a file consisting of a photo, news report or video — onto a server is deemed to be reproducing that work.  Similarly, making that work available to Internet users, for example by streaming a video from your server to a user’s computer or permitting the user to download a copy, is deemed to be either distributing, publicly performing or publicly displaying the work.  Subject to important limitations such as fair use, a person who engages in those acts without the copyright owner’s permission may be committing copyright infringement. 

Copyright infringement is a strict liability offense (i.e., the fact that you may have been unaware that your acts constituted infringement or that you acted innocently or unintentionally is no defense).  If you exercise any of the exclusive rights reserved to the copyright owner (i.e., reproducing the work), you are potentially liable for infringement. 

This basic structure of copyright law had the potential to stifle the Internet.  That’s because those providing Internet hosting or forums for third-party content could easily be in violation of copyright law without any intent, fault or awareness concerning the infringing content.  Here’s where the DMCA “safe harbor” comes in.  It enables hosts to avoid liability for infringing content posted by third parties.  However, this safe harbor does not protect those who post infringing content.

To obtain immunity against copyright claims under the DMCA, certain procedures must be followed.

First, the host or Web site proprietor must have designated an agent to receive notices of claimed infringement.  The statute requires that the Web site desiring to benefit from the safe harbor provide the following information on its Web site: the name, address, phone number and email address of the designated agent.  In addition, the contact information for the designated agent must be registered with the Copyright Office.  A form for registering a designated agent is available at http://www.copyright.gov/onlinesp/agent.pdf.  Currently, there is an $80 fee for registering a designated agent.  It is important to remember to update this information promptly when it changes, or else risk losing the protection of the safe harbor.  Indeed, one federal appellate court found that DMCA immunity did not automatically apply where the OSP had changed its designated agent and failed to post an update or amend the registration with the Copyright Office.  For several months, takedown notices to the OSP consequently disappeared into an unmonitored mailbox.

Second, in order to qualify for the safe harbor, a Web site must adopt a policy complying with DMCA takedown procedures, and post the policy in its terms of use.  Many Web site owners also include as part of the terms of use for their Web sites provisions identifying their designated agents and listing the requisite information. 

Finally, the operator must follow specific procedures when it receives a proper notice of possible infringement.  The notification must include six elements:

1. a physical or electronic signature of someone authorized to act on behalf of the copyright owner;

2. identification of the work that has allegedly been infringed;

3. identification of the Web site material that is allegedly infringing;

4. information for the Web site owner to contact the complaining party, such as a postal address, telephone number, or email address;

5. a statement that the complaining party has a good faith belief that the allegedly infringing use is not authorized or legal; and

6. a statement that the information in the takedown notice is accurate and, under penalty of perjury, that the author of the takedown notice is authorized to act on behalf of the copyright owner.

Upon receiving a proper complaint, the Web site operator should “take down” the challenged material “expeditiously,” either by removing the posting or by temporarily disabling access to it, and then take reasonable steps to provide prompt notification to the user who originally posted the allegedly infringing material.  If there is a valid “counter-notification,” where that original poster claims that the material does not infringe a copyright, then the operator must provide a copy of the counter-notice to the person who claimed infringement and restore access to the disputed material after 10 days, but before 14 days, unless the person claiming infringement files a lawsuit seeking a court order.  A proper counter-notification, like the takedown notice, must include specific elements by statute:

1. a physical or electronic signature of the third party poster or “subscriber”;

2. identification of the material that was removed or disabled from the Web site;

3. a statement under penalty of perjury that the subscriber has a good faith belief the challenged material was misidentified or that the notification was mistaken; and

4. the subscriber’s name, address, and telephone number, along with a statement that the subscriber submits to jurisdiction in federal district court and will accept service from the person who filed the notification.

It is important to note that the safe harbor protections do not apply where the Web site actually knows or should know that the posted material is infringing, or otherwise receives a financial benefit directly attributable to the infringement. Caveats aside, however, the DMCA offers significant protections for websites against liability for copyright infringement by others - so long as sites follow comply with the requirements of the DMCA, including the detailed take-down process.