iapp-privacycore
OneTrust_Webcon_BB_300x250_ad_04.25.2016.v5-01
PSR16_WebBanner_300x250-wCopy
Revenge Porn, Copyrights and Data Ownership: Where Does Our Data Begin and End?

There was an interesting article in The Atlantic Monthly this week about revenge porn and copyright law—and I’m hoping some of you out there can help me.

But first, let me step back.

Of all the vile things on the Internet, revenge porn lingers at the top; and of all the vile people facilitating such vengeful filth is Hunter Moore—also known as the “Most Hated Man on the Internet.” Moore was recently arrested for actions taken to create his website IsAnyoneUp. Moore, according to a court indictment, had help from Charles “Gary Jones” Evens to hack into the e-mail accounts of certain victims to find, steal and post naked photos—often with the victim’s profile and contact information juxtaposed next to the photo. The site was also the receptacle of compromising photos sent in from jealous ex-spouses.

One charge against Moore and Evens relies on the controversial Computer Fraud and Abuse Act (CFAA) for their “unauthorized access of a protected computer to obtain information.” Depending on the case, victims can use state voyeurism or Peeping Tom laws, defamation suits or false light claims.

But these actions are generally only successful against the submitters of compromising photos, not the website hosting them, because of Section 230 of the Communications Decency Act. Service providers are not liable for user-generated content. The law came about after the financial firm portrayed in The Wolf of Wall Street successfully sued service provider Prodigy. Lawmakers worried such liability “would crush the Internet.” Indeed, I am reminded by the case in Italy against Google Global Privacy Counsel Peter Fleischer, who, along with other executives, faced jail time after a company-owned video streaming service hosted a video uploaded by Italian students mocking another student. After almost four years, the case was finally closed, but not without giving Fleischer and the others a good scare.

Without Section 230, as Atlantic columnist Amanda Levendowski points out, restaurants could sue Yelp for bad reviews. Not only would the Internet be crushed, so would the First Amendment.

She also points out the danger of the CFAA, in that its language—drafted in the mid-1980s—is notoriously vague. “Giving prosecutors as poorly drafted a law is like putting a wounded antelope in front of a lion,” she writes, “they can’t resist going for the jugular.” Anyone familiar with the plight of the late Internet activist Aaron Schwartz knows this reality all too well.

But, there is a lot of motivation to prevent these bottom-dwelling revenge porn websites. So far, three states have revenge porn laws. Levendowski, rightly, I believe, worries that more laws will only give us a “CFAA 2.0.” A bigger, badder and more dangerous, albeit, well-intentioned law.

So here’s where some of you lawyers can step in.

Moore, while explaining his legal position for why he can get away with what he does, on Bob Garfield’s When On The Media, said this:

“[B]ut when you take a picture of yourself in the mirror, it was intended for somebody else so, actually, the person you sent the picture to actually owns that picture, because it was intended as a gift. So whatever the—that person does with the picture, you don’t even own the nude picture of yourself anymore ... So that’s how I’m protected.”

Levendowski writes that Moore is dead wrong, citing that 80 percent of revenge porn photos are “selfies.” Meaning the subject took a photo of themselves and had the photo mined from their device or hard drive, and thus own the copyright of their photo, and under the takedown provisions within the Digital Millenium Copyright Act (DCMA), victims can compel websites to take down their photo and search engines to de-index websites with their photo—“all without having to hire a lawyer,” Levendowski writes.

Such an avenue, she argues, prevents overbroad laws, doesn’t affect Section 230 provisions and leaves stalking, harassment and privacy laws untouched.

If this is true, doesn’t this bring up other avenues of data ownership? To what extent do I own my biometric data, for example—the DNA properties held within that hair left behind on the subway?

How about my faceprint?

In 2012, I spoke with Dr. Joseph Attick, an early developer of facial recognition identity management systems. Attick has argued that our faceprints should be copyrighted.

Since my faceprint is captured by facial recognition technology, and not “created” by me, the DCMA wouldn’t apply. But isn’t the copyright concept getting us closer to avoiding overly broad laws like the CFAA? And overly paternalistic ones as well?

How about a lighter version of the Right to be Forgotten, where, under certain circumstances, a user has some rights and can issue similar takedowns as seen with the DCMA? Could that be a step in the right direction?

No one wants to take down the Internet less than me, and I understand what a burden a constant stream of requests for takedowns of small pieces of data could be, especially for young Internet firms without the resources of the goliaths. But surely there must be a balance somewhere that allows me to object to information about me being stored or displayed somewhere I'd rather it not be.

Written By

Jedidiah Bracy, CIPP/E, CIPP/US

4 Comments

If you want to comment on this post, you need to login.

  • R. Jason Cronk Feb 12, 2014

    I'm not going to go into a detailed analysis of copyright law but I'll give you the short answer. First off, selfies would we copyrighted by the photographer (aka the person in the picture) as original works. Pictures taken by forelorned lovers would not as they would be copyrighted by the ex. Faces are not copyrightable as they are more akin to facts. Copyright only covers original works of authorship. See http://www.copyright.gov/help/faq/faq-protect.html   ....now...a plastic surgeon that rearranged your face might make a claim but you as the ostentatious owner of your face can't claim it is an original work of authorship. Now, a particular image of your face is copyrightable but not your face. Similar reasoning goes for other factual elements about you, dna, hair color, etc. 
  • Heather Federman Feb 13, 2014

    Part of the problem is that the victims are unaware of what (if any) easy to do actions they can take. Do any simple revenge-porn DMCA-type take down tools exist? And how can the original photographer be notified when they have become a victim? Must they wait for the photo to viral or is there a more immediate method of communication? 
  • Jedidiah Apr 16, 2014

    Those are great questions, Heather. I would imagine any photo-tagging technology (say designed to alert a person when used) would pose a whole slew of additional privacy concerns. It would be helpful if there were a clearinghouse website, though, with tools for victims. 
  • Jedidiah Apr 16, 2014

    Thanks for the breakdown, Jason. Now, with facial recognition tech, we're getting into proprietary face patterns owned by the FR company, too. I wonder if we need to start thinking of getting faceprints to be considered PII? Hard not to be cynical about that though. 

Related

Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

NEW! FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Schooled in Privacy

Looking to get some higher-ed in privacy? Check out these schools that include data privacy courses in their curricula.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

The Industry of Privacy

Take stock, compare your practices to those of other organizations, and get budget with these studies on the industry of privacy.

More Resources »

P.S.R.—One Powerhouse Program

The program is too good to miss. The speakers are world-renowned. P.S.R. brings you the best of the best in privacy and security. Don't wait: Register now!

Speak at the Intensive!

The call for proposals for our London event, the Data Protection Intensive, is now open! Submit your session idea today.

Time to Get to Work at the Congress

Thought leadership, a thriving community and unrivaled education...the Congress prepares you for the challenges ahead. Register today.

GDPR Comprehensive London: Last Chance!

The IAPP GDPR Comprehensive heads to London this fall. This is your last chance at this popular program this year!

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»