The story begins at the AusCERT Conference (described by AusCERT as “…the premier IT security event for IT security professionals and anyone with an interest in IT security”).
An IT security consultant, Mr Christian Heinrich, was giving a presentation on what he claimed were the short-comings of Facebook’s privacy settings. For non-users of Facebook (anyone?) these privacy settings allow the users to decide who else can view and access their Facebook page. “Public” means that anyone can see everything on your Facebook page; most people restrict access to the specific people they invite – their “friends.”
The basic problem is that Facebook stores content (such as photos and videos) on unsecured servers as part of a content delivery network. This process, in which content is hosted on multiple servers around the world concurrently, makes it quicker for users of Facebook to view content, particular videos. According to Heinrich, rather than protecting this content with encryption or passwords, the content can be accessed by anyone who is able to determine or guess the correct URL, the URL having been randomly assigned using an algorithm.
[URL stands for uniform resource locator. It works just like a phone number, but for the internet. The combination of words, numbers and symbols that makes up a particular URL is what identifies a given website to those computers looking to find it. It is what you type into the address bar at the top of your browers.]
Through the use of an specifically designed computer program, Heinrich was able to determine the URL of the Facebook page of a professional rival, Mr Gatford. During Heinrich’s presentation, he demonstrated how he was able to gain access to Gatford’s Facebook page, and also displayed photos Gatford had uploaded, all without Gatford’s knowledge or permission.
Mr Ben Grubb of the Sydney Morning Herald reported the story, and the Sydney Morning Herald also published the photos. Subsequently, the police interviewed, and briefly arrested, Grubb, following a complaint from Gatford. In his interview with police Grubb acknowledged having a copy of the photos on his iPad. The police also took away Grubb’s iPad away.
Examples of savvy internet users accessing content that is supposed to be confidential, private or secure are increasingly common. Even this particular practice, of guessing a URL in order to gain access to confidential material has been considered by the courts. In Dais Studio Pty Ltd v Bullet Creative Pty Ltd, Mr Ben Petro (represented by Mallesons) was able to access source code relating to clients of his former employer. Petro didn’t need to enter passwords or overcome other security measures to access the information. Rather, he knew the naming conventions for client files that his former employer used. By entering the correct URL, he was able to access these files and use the information they contained. Based on assessment of what Petro was able to do, the court decided that Dais Studio failed to take “…any serious steps to protect the confidentiality of the files on which it sues in this proceeding,” and accordingly, there was no breach of confidentiality obligations.
While the Queensland police consider the criminality or otherwise of Mr Heinrich’s acts, consider this issue from an IP perspective. Has Heinrich breached the copyright of Gatford?
We first need to consider the status of Gatford’s photos. As the photographer, Gatford owns the copyright to the photos. He has then voluntarily uploaded the photos to Facebook, and this is where they were accessed by Heinrich.
Users of Facebook are subject to the terms and conditions of the website. So what does the “Facebook Statement of Rights and Responsibilities” say about the copyright of Gatford’s content?
2. Sharing Your Content and Information
You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition:
1. For content that is covered by intellectual property rights, like photos and videos (“IP content”), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (“IP License”). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.
By uploading his photos to the website, Gatford has given Facebook a licence to them. The terms of that licence are very broad – there are no limits or caveats regarding how or when Facebook can use Gatford’s photos.
However, this provision somewhat blurs the issues of copyright and privacy. [Facebook has a separate privacy policy.] It basically states “our licence is subject to your privacy settings.” Assuming Gatford did not have his privacy settings on public, has Facebook breached its copyright licence with Gatford?
Unfortunately, these terms of use only provoke more questions. For example, does Gatford’s licence to Facebook also constitute a licence to any other users he has invited to view his content? If so, what are the terms of such a licence? What about in this case, where Heinrich has supposedly accessed the photos without the authorisation of Gatford?
Facebook has a process for complaints about copyright breach by fellow Facebook users. But, the issue here is that the content was not accessed by a fellow Facebook user – it was accessed by someone savvy enough to work out the URL for Gatford’s Facebook page, thus circumventing the normal user access controls, and with it, Gatford’s privacy settings.
In its Privacy Policy, Facebook states:
Risks inherent in sharing information. Although we allow you to set privacy options that limit access to your information, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your information. We cannot guarantee that only authorized persons will view your information. We cannot ensure that information you share on Facebook will not become publicly available. We are not responsible for third party circumvention of any privacy settings or security measures on Facebook. You can reduce these risks by using common sense security practices such as choosing a strong password, using different passwords for different services, and using up to date antivirus software.
If what Heinrich alleges is true, has Facebook failed its own “common sense security” test?