You've Been Tagged

An interesting case with big privacy implications looming: A Kentucky Court of Appeals holds you don’t need a person’s permission to tag them in a Facebook photo (LaLonde vs. LaLonde).

This is one of a growing number of cases featuring painful consequences for drunken photos posted on Facebook (See Jeff Rosen’s wonderful NYT Magazine article here). In this case, a mother lost custody of her daughter based on evidence featuring, among other things, Facebook photos showing her drinking. This was against her psychologist’s advice, given that she was treated by medication for bipolar disorder, which could trigger adverse effects when combined with alcohol. As noted above, really painful stuff...

One of the mother’s arguments was that this piece of evidence should be suppressed given that “Facebook allows anyone to post pictures and then ‘tag’ or identify the people in the pictures [and] she never gave permission for the photographs to be published in this manner.” The court tersely responds: “There is nothing within the law that requires her permission when someone takes a picture and posts it on a Facebook page. There is nothing that requires her permission when she was ‘tagged’ or identified as a person in those pictures.”

This raises some interesting issues highly relevant for the policy talk taking place today on both sides of the Atlantic (see here and here and here):

• Right to oblivion: the decision comes at the other end of the spectrum from the recent talk by European policymakers about a “right to oblivion”. It is difficult to ask for oblivion when third parties post damning information about you and tag your name to it. Ask them to take it off and you’re encroaching on the most powerful human right of all – the freedom of speech.

• Do Not Track: The FTC Do Not Track (DNT) proposal (essentially a one-stop, universal opt-out from online behavioral ads (OBA)), as well as the imminent entry into force of Article 5(3) of the European e-Privacy Directive, requiring opt-in consent for third party tracking cookies, reinvigorated the debate of opt-in vs. opt-out in the online sphere. Yet with cases like LaLonde it appears that the focus of regulatory attention may be misplaced. The arena for the privacy vs. data use tug of war has moved on from OBA (which most users now take as a given) to appending online and offline information, geo location tracking, face recognition, biometrics and other intrusive practices. Information posed on Facebook is increasingly used as evidence in court cases involving domestic relations, employment, and more. Personally, I find judicial, employment, insurance and credit decisions, which are based on online or SNS data, far more troubling than use of online data for ad targeting.

• Location tracking: Photo tagging and, even more so, face recognition, pose an increasing threat to anonymity in public spaces. Skip work or school, and a friend (or foe) might capture your image at the beach or bar and post it online for your boss or teacher to see. One’s ability to conceal the fact of being somewhere sometime has greatly diminished. The delineation of the public and private spheres is increasingly blurred.

• Collection and use of personal data by third parties. The universe of privacy regulation has so far revolved around a central axis of individual consent. I’ve noted before that consent is somewhat of a wild card in privacy regulation. It often seems artificial construct based on legal fiction (does anyone meaningfully consent to Google’s Terms of Use?); yet you can’t really do without it since lack of consent is inherent in privacy infringements. With increasing collection and use of personal data by third parties, consent is losing its force as even a fig leaf for data use practices. Some other theory must be put in place to replace consent – legitimate business interest? Free flow of information? If not, regulators should come down hard on the market for collection and use of third party data, particularly data brokers.