Pitfalls of Social Networking

 

The social networking revolution is here to stay

The social networking phenomenon is revolutionising the way in which we communicate with each other. But what of the legal issues and the dangers it brings? In this article we outline some guidance on the risks and liabilities to social media users, and to employers who perceive it as a challenge.

The addictive habit of social networking as a recent Web 2.0 phenomenon has created a revolution in the way we communicate with our peers. Dedicated social networking sites such as Facebook, MySpace, YouTube and Flickr have exploded into our lives, Facebook in particular claiming more than 170 million subscribers worldwide. We can also include micro-blogging sites such as Twitter as social networks.

The average age of social networkers is about 34, but it is significant that social networks are heavily used by many of more tender years (even if most new users are over 25). The Facebook brand has been valued globally at 15 billion but the value of social networking sites collectively is by no means supported only by frivolous users. New platforms such as LinkedIn are aimed at business professionals and, like any social network, can be a valuable tool for building commercial relationships, networking and personal development.

Like all revolutions, the effects of social networking will take time to become fully apparent.  But some of the legal consequences are with us now.

Privacy issues generally follow because of data protection legislation in  which lays down principles to regulate the use of data about living people. Data protection is a concern for social networking site users as well as individuals whose data is revealed and circulated by users of social networks.

Some 78% of IT organisations believe that social networks and other internet services can constitute a danger in the hands of unsupervised employees.  Concerns in particular range from the potentially catastrophic impact of leakage of commercially confidential information or client data to merely disproportionate use of sites by employees in work time.  None of the risks are specific to social networks as for some time there have been concerns of a similar nature over irresponsible email and website use.

Privacy

We will look firstly at privacy and data protection issues from the perspective of individual users.

Users of sites may often be very careless about their own privacy. They may forget that they are posting information about themselves which is available to everyone, with little possibility of retracting it if it proves to be embarrassing at a later date. The responsibilities for the protection of privacy do not only rest with the subscriber. A heavy responsibility for legal compliance is upon the providers of the social networks, as we shall see. But there seems to be a casual disregard among many users who post information about themselves which can be seen by people at large and used for purposes which the subscriber would not agree to.

What risks are subscribers taking?

Clearly, if subscribers upload information which puts their reputation in a poor light, they run the risk of employers and teachers acting upon it to their detriment.  Regular site users who are not aware of the consequences of putting information about themselves online should be aware of examples, such as the Oxford University students investigated and disciplined by the university authorities for rowdy, post-exam behaviour after appearing in images on Facebook pages, and the Catholic school teacher dismissed for saying on MySpace that he was gay. The top tennis juniors David Rice and Naomi Brady lost their funding when pictures of them drinking beer and partying were discovered on a social network site by the Lawn Tennis Association.

The media have also latched on to social networks to discover information about people in the public eye.  Examples here are the suspects in the Meredith Kercher murder trial taking place in . The Information Commissioner (the independent authority enforcing data protection law in the ) has provided specific guidance to young people which encourages them to keep control of their “data footprint”. It isn’t widely realised that it is difficult to retract information which is cached and could still be accessible through search engines for a considerable period of time.

In addition to legitimate surveillance leading to unwelcome but perhaps deserved consequences, some site users may be at risk from stalkers or paedophiles, including those people who “groom” young people for sexual activity.

Phishing and data theft are further concerns. It is easy for information to be obtained from social networking sites which, in combination with other data, may be sufficient to hijack personal identities for fraudulent purposes. It would, for example, be inadvisable for subscribers to use obvious passwords or the same passwords that they have for access to their internet banking facilities.

Defamation

Even non-users of social networking sites may be the targets of false profiles. Juventus footballer Alessandro del Piero proposes to sue Facebook on account of a bogus account representing him as having fascist views. He has not set up a Facebook account but claims that some third party has been able to do so using his picture in a neo-Nazi context. Facebook and Twitter have been the networks most subject to the creation of fake or abusive material concerning individuals recently. Solutions to this problem proposed by the networks themselves seem some way off, but lawyers will have noted carefully last year’s case of Applause Store Productions and Firsht v Grant Raphael in the High Court. The facts of this case were that a Facebook profile and group entitled “Has Matthew Firsht lied to you?” was created, on the computer having the defendant’s IP address, which linked to defamatory comments about both of the claimants. Mr Raphael was held to be responsible despite his denial. The case is significant as it illustrates that social networks are like any media for the publication of libellous remarks and that liability can be attributed to non-bona fide users (despite technical difficulties in this case in establishing evidence of the defendant’s actions). Damages awarded amounted to £22,000 notwithstanding the short time of about two weeks during which the false profile was accessible, which the judge found to be adequate to allow it to be seen by a significant number of people.

The risk of a breach of intellectual property rights often described as “image rights” is obviously significant for celebrities and public figures but the use of social networks to make false and defamatory statements is a risk to which almost anyone can be exposed.     

The effects of data protection legislation

The Data Protection Act 1998 (“DPA”) will apply to subscriber content made available on social networks which are subject to law in the . The DPA regulates the “processing” of all “personal data”, which covers the caching, storage, manipulation and publication of information submitted which is about identifiable subscribers as individuals – in other words,  holding the data electronically and making it available for viewing by all subscribers.  

Data about users or other people uploaded to any site is almost certainly going to be “personal data” within the meaning of the DPA, so not surprisingly, all issues must firstly be considered in the light of the DPA. Photographs, knowledge of “friends”, personal preferences and real names will all in combination or separately say something about you as an individual and so have the necessary biographical quality about you to constitute “personal data”.

In the social networking context, it will also be relevant that “sensitive personal data” is processed. The DPA defines sensitive personal data as personal data which relates to an individual’s racial or ethnic origins, political opinions, religious or philosophical beliefs, physical or mental health, sexual life or criminal history. Routine details such as names, photographs and personal preferences may in combination amount to sensitive personal data.

Social network providers are in the business of encouraging subscribers to give as much of their personal data away as possible. This has the advantage of making the network in question more exciting, which in turn attracts more advertising and so drives revenue. Because of the very nature of social networks, much information voluntarily given by users will doubtless include sensitive personal data.

Providers of UK-based social networking sites are regulated by the DPA because they are “data controllers” who must comply with all of the eight “data protection principles” of the DPA. These include the requirement to process personal data fairly and lawfully. In this connection, they must ensure that they have justification as specified in the DPA to “process” the personal data of subscribers. Generally, such justification amounts to having the consent of the person concerned, which, in the case of sensitive personal data, means “explicit” consent.

Before looking further at consent, other more self-explanatory data protection principles of relevance make it clear that personal data shall be obtained only for specified purposes. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed; and shall be accurate and kept up to date and not kept longer than is necessary for their purposes. Although most of these are mitigated considerably at the option of the subscriber, they are all relevant to the ongoing duty of the network provider to comply with the DPA.  

Has consent been given to use personal information?

In general, social network site providers’ terms of business provide for consent to be given by the user in question for his information to be held and made available on the site in question. It is clear under data protection law that consent must always be informed.

The business of giving consent appears to be straightforward but there are always ambiguities. On Facebook, privacy settings can be chosen but in default of a more restrictive setting, profiles can be seen by friends of users as well as everyone in the users’ groups and networks. If a user uploads personal data to the chosen site, hasn’t consent been given? Unfortunately the position is not quite so clear.

Many readers of this article will have seen recent press coverage of how Facebook has dealt with complaints from the public regarding its new contract terms (Terms of Service). As proposed, Facebook wanted its terms to confer on it perpetual ownership of all content placed on the site, even if users “removed” all or any items of content. Facebook’s terms effectively reserved its right to use content and data as it pleased and forever. The storm of protest which ensued (and no doubt the possibility of a complaint to the Federal Trade Commission in the ) has persuaded Facebook to revert to its original terms on a temporary basis which puts it on a par with other networks where content disappears after the account is deleted. Mark Zuckerberg, Facebook’s CEO, said: “our philosophy is that people own their information and control who they share it with”. This was hardly the case when it appeared that Facebook felt it could do what it liked with personal data for all time.

Facebook’s “climbdown” is a welcome result. The realisation by network providers that they do not have a complete free hand to utilise personal data is consistent with the data protection principles, in particular the need for active consent which can be withdrawn or modified by the user. “Consent” within the meaning of the DPA means informed consent.  This must mean that the user can withdraw it, in part or completely, at any time. “Explicit” consent (of relevance to sensitive personal data) must incorporate a requirement that the subscriber knows exactly what he or she is consenting to. In both cases, any imperfect knowledge of any privacy settings, or other limitations on accessibility by other users which apply, may compromise or negate consent. There is also the imperfect realisation that a user’s content, once made available in the social network, could be there for all time. Given that users are often young, they may be careless of the wider consequences at first. But as their careers develop, exuberant behaviour may be seen on a networking site by potential employers, organisations or the press. If there is any realisation that this may happen, users will naturally want to withdraw or reduce the scope of their consent. A responsible and DPA-compliant site provider will, in our view, need to respond accordingly, treating personal and sensitive personal data as that of the subscriber and not its own. It will also accept and implement procedures to ensure that the subscriber has a permanent option to amend or remove it as he sees fit. It will also have to ensure that the process of implementing consent modifications is transparent and not unduly cumbersome to activate.        

Risk to business

Any risk to business will depend on whether employers allow access to social networks in work time or through computers provided for use in the workplace. The concerns of businesses whose employees use social networks through a work-provided computer relate mainly to unrestricted and irresponsible use. At the lowest level, a keenness to explore the potential of networking in office hours results in inefficiency and wasted work time. More seriously, employees can be sharing information about their employers which amounts to leakage of proprietary information which is confidential. They may also be reproducing material which infringes the employer’s own intellectual property rights such as copyright in company documents. Risks of this nature are inherent in the irresponsible use of emails generally.

There have been instances of deliberate damage to an employer’s reputation. Social network groups and networks lend themselves to the creation of abusive and critical comment, analogous to “suck sites” (stand-alone websites dedicated to the denigration of a particular company, organisation, product or service). Clearly, where abusive groups and networks are seen by existing employers, disciplinary action can be taken. Certain Virgin Atlantic cabin crew members were dismissed for participating in discussion groups on Facebook in which passengers were insulted and the aeroplanes were alleged to be full of cockroaches. Very recently, a fireman in  has been disciplined for insulting members of the public (he has claimed that a third party hacked into his account!).

General discussions on any blogging forum always carry the risk of reputational damage, since even false or humorous comments, even if they are not believed explicitly, may (on the “mud sticks” principle) create a bad impression of an organisation and drive business away. Actions for defamation may simply not be appropriate, for costs reasons or because they would not result in appropriate compensation. Any action which keeps the offending material in the public eye may also be inadvisable from a public relations perspective.

What can employers do?

It is always possible to set internet filters to block access to any social networking sites. But in the social and business environment of today, a blanket ban on use is not advisable. The Trades Union Congress (TUC) has provided guidance to employers to the effect that bans amount to an overreaction as they display a degree of lack of trust in the employees of a business. Specific bans on certain sites (such as OUTeverywhere aimed at the gay and lesbian community) may well be discriminatory and the likely subject of legal actions by employees. The encouragement of social networking, as the polar opposite of banning it, may well be the best practice for enlightened employers, as the think tank Demos has proposed. The use of sites such as LinkedIn – and perhaps many other sites as well – could be productive networking which ultimately accrues to the employer’s advantage.

The TUC has recognised that use of networking sites can be regulated by an acceptable use policy made binding on employees as an element of their contract terms. Policies can be flexible and “sold” to employees as a necessary part of achieving the balance between productivity and a good working environment. Policies can deal with such matters as the time of day when sites can be accessed as well as the kind of material which can be uploaded or put into blogs and the like. An element of discretion is always necessary.

In order to enforce policies, where access can be obtained, it is legitimate within certain constraints to monitor electronic communications of employees. The balance to be struck here is between the legitimate protection of an employer’s business and the privacy that attaches to an employee’s private communications, even in a work environment. Although it is of greater potential effect with respect to the policing of ordinary email traffic, the Information Commissioner’s Employment Practices Data Protection Code: Part 3 (Monitoring at Work) may be relevant to the mitigation of at least some of the risks to employers arising out of social networking in the workplace. The Code covers systematic as well as occasional monitoring of website visits as well as of emails and matters such as covert surveillance of employees. It anticipates that “impact assessments” will be done to enable employers to act proportionately and ensures that data collected from any monitoring exercise will be kept securely and only accessed by senior management. Employees must be given due notice of all key monitoring policy considerations.

There is of course a limitation on how much information an employer can glean in practice from social networking sites. Many of the risks to employers we identify in this article are not avoided by monitoring but it helps to create an environment in which employees will be more cautious about the content they contribute.     

In conclusion

Social networking sites are a huge social force which will bring unquantifiable benefits in a globalised world, as well as problems.  In particular, they have the effect of blurring the private and business domains, which ought not to be a problem for employers who see quality and effectiveness of their employees as something to be encouraged.

Many of the problems with social networking sites are created by irresponsible or even malicious use by users, whether to their own detriment or that of others. But there is nothing harmful about social networking sites in themselves if common sense and sensible practice are applied by all concerned.

For more information or advice on the legal aspects of social networking, please contact Christine Jackson.