Google Drive vs Dropbox: who owns your stuff?

April 25, 2012 by Leave a comment

Who owns the data you store on Google’s new cloud-based storage service (and so-called “Dropbox-killer”), Google Drive?

Following the announcement of Google Drive, a number of people suggested that (unlike Dropbox) Google’s terms and conditions give it “ownership” of the data you store on the service. However, these claims are confusing two separate issues: ownership, and scope of licence.

Google’s terms are, in fact, explicit on the ownership of users’ content (a point that seems to have been overlooked by some of its critics):

Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.

Users do give Google a very wide-ranging licence in respect of that content:

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide licence to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.

But even this is not completely unrestricted:

The rights that you grant in this licence are for the limited purpose of operating, promoting and improving our Services, and to develop new ones.

Anyone with a Google account has already given Google this licence in respect of other services. In some cases, such as Gmail, this licence will cover a lot of material that they would no doubt consider highly sensitive, and certainly not something they would want Google to “communicate, publish, publicly perform, publicly display and distribute”. Google Drive is likely to hold equally sensitive information that currently sits on users’ hard drives.

Google’s licence terms have been compared with those of Dropbox, who have had their own problems over their ownership and licensing terms in the past, but whose terms and conditions now state that:

You retain full ownership to your stuff. We don’t claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below.

We may need your permission to do things you ask us to do with your stuff, for example, hosting your files, or sharing them at your direction. This includes product features visible to you, for example, image thumbnails or document previews. It also includes design choices we make to technically administer our Services, for example, how we redundantly backup data to keep it safe. You give us the permissions we need to do those things solely to provide the Services.

In practice, the scope of this licence is probably not vastly different from the one in Google’s terms, but it reads more reassuringly for customers, emphasising throughout the “limited” nature of these rights, which are “solely” to provide the services.

What can other web-based, consumer-facing businesses learn from this?

  1. Don’t neglect the legal terms when launching a new product. Yes, I know, I would say that – but Google’s error appears to have been to launch a new product without considering how its existing legal terms would apply (or be perceived to apply) to a product that gives them access to a lot of data previously unavailable to them.
  2. People are highly sensitive about content ownership and licensing – and rightly so, though often I find people (even in a business setting) focus too much on “ownership” and not enough on “scope of use”, which in practice is usually more important. As we’ve seen, Google’s terms are actually clear on ownership of data, but their licensing terms are phrased in such a way that leads many to consider that in practice Google is as good as claiming ownership anyway.
  3. Legalese can backfire. The problem with Google’s terms is that they are phrased in a very “legalistic” way. Lawyers may be able to pick the bones out of verbiage like “use, host, store, reproduce, modify, create derivative works, communicate, publish, publicly perform, publicly display and distribute”, but many users just read this as “all your content are belong to us”. Dropbox learned the hard way that saying simply, in plain English, what you need and intend to do, making it clear that you understand the potential concerns, is the only way to get customers to trust you. It will be interesting to see how Google responds to this same message from customers.

Filed under Contracts and T&Cs, Intellectual Property Rights Tagged with , ,

Olympic advertising divide?

March 13, 2012 by Leave a comment

I’ve discussed before both here and elsewhere the  rules on advertising around Olympic and Paralympic venues later this year.

However, other rules on advertising will have an even more widespread effect, in particular the ban on all forms of “association” of brands with the London Olympics – even if the “association” is done indirectly, through the use of phrases such as “Summer 2012″.

I’ve written an article for the Guardian Media Network on this issue, which is available here: 2012 Olympics: advertisers beware overstepping the line.

Filed under Regulatory Issues Tagged with , , , ,

Breaching advertising guidelines? You’re not when you’re #spon

March 7, 2012 by Leave a comment

A marketing campaign by confectionary giant Mars has been cleared by the Advertising Standards Authority (ASA) in its first investigation involving social networking site Twitter.

The ASA launched its investigation after receiving complaints regarding a chain of bizarre economy and knitting-related tweets sent in January from the official accounts of the footballer Rio Ferdinand and model Katie Price followed by a final Snickers tweet and a photograph.

On January 24 the Manchester United defender tweeted “Really getting into the knitting!!! Helps me relax after high-pressure world of the Premiership”.  In further postings, he added “Can’t wait 2 get home from training and finish that cardigan”; “Just popping out 2 get more wool!!!”; “Cardy finished. Now 4 the matching mittens!!!”

His fifth tweet read “You’re not you when you’re hungry @snickersUk #hungry #spon”.

In Price’s tweets she wrote about subjects such as the eurozone debt crisis, China’s GDP figures and the economic concept of quantitative easing before finally tweeting a picture of herself holding a Snickers bar with the same message as Ferdiand’s “You’re not you when you’re hungry @snickersUk #hungry #spon”.

In making its decision, the ASA considered two points: (a) whether it should have been stated in the first four ‘teaser’ tweets that they were marketing communications and (b) whether the hashtag “#spon” in the final ‘reveal’ tweet made it clear enough that that tweet was a marketing communication.

Responding to the complaints, Mars said that it had “considered in detail” the extent to which the tweets were marketing communications and believed only the last one needed to be identified. Mars argued consumers could not have been misled into making a purchase by the first four tweets as their meaning only became apparent once the campaign was revealed with the fifth message.

The ASA accepted Mars’ argument that the tweets contained the hashtag “#spon” to indicate sponsored content but it disagreed with Mars that the first four only became marketing communications after the final tweet was posted and stated that all five tweets should be considered to be part of an “orchestrated advertising campaign”.

However, the ASA said the final tweet was clearly highlighted as an advertising campaign and that having seen the final ‘reveal’ tweet consumers would understand that the series of tweets were part of a marketing communication. It held that it was acceptable that the first four tweets were not individually labelled as being part of the overall marketing communication and concluded that the ads did not breach the CAP code.

This investigation highlights the importance of disclosing paid-for promotions in all forms of advertising media including blogs, posts and microblogs like Twitter. Whether this is by using hashtags such as #spon, #paid-promotion or #advert or some other statement, in order to avoid breaching advertising legislation, promoters should ensure that consumers understand when they are reading paid-for promotional content regardless of the media through which that content is being displayed.

Filed under Regulatory Issues Tagged with , , , , , ,

Talking Olympic advertising

January 26, 2012 by Leave a comment

In a recent post, I discussed the laws prohibiting advertising activity round Olympic venues in the summer.

One of the affected venues is the Ricoh Arena in Coventry, which will be renamed the City of Coventry Stadium for use in Olympic football matches. Shane O’Connor from BBC Radio Coventry & Warwickshire interviewed me at 7.40 this morning to talk about the law behind these advertising restrictions. Here’s a recording of our conversation:

Filed under Regulatory Issues Tagged with , , , , ,

Data protection: out with the old, in with the new

January 25, 2012 by Leave a comment

The widely-trailed revision to EU data protection law has been unveiled today by the European Commission, who have proposed a “comprehensive reform” to EU data protection legislation.

The fundamental change is moving from national laws made under a harmonising directive, to a single regulation which will apply directly across Europe. While it’s going to take a little while to work through all the details – and the proposal still has to be discussed and ratified by EU member states and the European parliament – the key changes as summarised in the Commission’s press release are:

  • A single set of rules on data protection, valid across the EU.
  • Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.
  • Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.

In addition, there will be a new directive to “apply general data protection principles and rules for police and judicial cooperation in criminal matters”.

The “right to be forgotten” has been the most widely-publicised measure under consideration, and will certainly raise some tricky practical issues. However, I suspect that the biggest practical impact will come from the requirement for explicit consent, where consent is required. At present, certainly under UK data protection law, a lot of reliance is placed on implied consent; see, for example, the Information Commissioner’s guidance on the new cookies law, as discussed in a previous post. Explicit consent will greatly increase the practical burden on many businesses.

The new law, if adopted, will come into force two years after it is adopted, giving businesses and other organisations time to prepare for the new regime.

Filed under Data Protection Tagged with , , , , ,

Photographic copyright: higher but wider?

January 25, 2012 by Leave a comment

The IP Kat blog has an interesting discussion of copyright infringement of photographs.

To cut a long story short, the High Court was asked to judge on whether copyright in the following image (created by a Mr Fielder, with the copyright owned by Temple Island Collections):

was infringed by the following image (used by New English Teas on the packaging for one of their products):

The court decided that the answer was yes, since the creators of the second image has been aware of the existence of the first image, and were unable to show they hadn’t copied it.

The case highlights a couple of points of general application.

1. Copyright in photographs

The court confirmed that a photograph will only attract copyright if it is the photographer’s own “intellectual creation”, and the judge suggested three aspects which could make a photograph “original”:

  • “specialities of angle of shot, light and shade, exposure and effects achieved with filters, developing techniques and so on”;
  • “creation of the scene to be photographed”;
  • “being in the right place at the right time”.

In this case, the court had no difficulty finding that the first image was Mr Fielder’s own intellectual creation, by reason of its composition and the visual contrasts involved. However, this is a long way from the traditional English law approach in which (as one IP textbook puts it) “pointing the camera at a subject and pressing the shutter” was considered enough to gain copyright protection.

This suggests that many photographs over which copyright is asserted may in fact fall outside the scope of its protection – though elements such as “being in the right place at the right time” would still seem to cast the net quite widely.

2. Infringing copyright in photographs

Again the traditional approach has been that infringing copyright in a photograph involved actually reproducing that photograph (or a substantial part of it). There was nothing to stop you taking your own photograph which happened to incorporate the same features as another image. As the IP Kat observes, this does seem to extend the scope of protection for photographs to include “an idea, a lay-out or a scheme for such a photograph”.

For this reason, it may be that the losing party in this case will hop on the next bus (sorry…) to the Court of Appeal. In the meantime, though, this case highlights some interesting issues in what can be a very sensitive area for photographers: on the one hand confirming that the bar for copyright protection is higher than previously thought, but on the other suggesting that the scope of protection, if acquired at all, may be wider than previously thought.

Filed under Intellectual Property Rights Tagged with , , ,

Cookies: the rules become clearer

January 11, 2012 by Leave a comment

Businesses and other website operators looking for a belated new year’s resolution should take a look at the revised guidance on the use of cookies (PDF) issued by the Information Commissioner’s office just before Christmas and start thinking about how to comply.

Launching the guidance, the Information Commissioner said that businesses “must try harder” in preparing to comply with the new law, which came into force in May 2011 and will be fully enforced from the end of May 2012. More constructively, the revised guidance sets out some practical measures which websites can adopt to help ensure compliance with the new law.

The new law requires websites to obtain prior, informed consent from users before placing cookies on those users’ computers or mobile devices. As the new guidance puts it, before setting cookies you must:

  • tell people that the cookies are there,
  • explain what the cookies are doing, and
  • obtain their consent to store a cookie on their device.

The only exception is where the cookie is “strictly necessary” for technical reasons. The guidance confirms that this is a narrow exception, and will not (for example) cover cookies used for analytics or to tailor a greeting when a user returns to a site.

As a start point for compliance, the ICO guidance recommends a three-step approach:

  1. Check what type of cookies you use and how you use them.
  2. Assess how privacy-intrusive your use of cookies is.
  3. Decide how to obtain consent from users.

The more privacy-intrusive your use of cookies is, the more you will need to do in order to inform users and get their consent.

Providing information

The ICO recommends that cookie information should not simply be hidden behind a link saying “Privacy policy”. Instead, links should either read “Privacy and cookies”, say, or there should be a separate link for information on cookies. The guidance gives several examples of how to make this information more prominent.

Inferring consent

One very helpful suggestion made by the ICO is that consent to placing could be inferred if a user continues to use a website after being told of the use of cookies. This would involve some kind of pop-up notification when the user first visits the site, with a confirmation that a cookie has been set if the user then continues on to another page without clicking the “refuse cookies” link.

I suspect that this approach will prove highly popular with websites, given it avoids the problem experienced by websites that require positive consent such as ticking a box before placing cookies. One analysis suggested that only around 5% of users of the ICO’s website (which follows this tick-box approach) were agreeing to cookies – a figure which would have been ruinous for many websites.

However, inferring consent does still require a clear message to be displayed to first-time visitors. It is not enough to rely on a general “Privacy and cookies”-type link.

Opportunities for consent

The ICO guidance also suggests that websites look out for opportunities to obtain positive consent from users. One opportunity comes where new registered users are asked to agree to its terms and conditions as part of the sign-up process – though existing registered users will need to be told about any change to the terms to allow for cookies.

Other opportunities may come where users set preferences or use new features for the first time: for example, a notice saying “We will use a cookie to remember this”, with a link to the cookies policy.

Analytics cookies

Analytics cookies – often for Google Analytics – are one of the most widespread types of cookie. The ICO’s position on analytics cookies is that they are not technically essential for websites, so consent will be required for them.

The ICO recognises that in some cases it is not practical to obtain consent before setting analytics cookies, as these are often set the moment a user first visits the site. However, in that case information on the use of cookies must be highlighted clearly on the site.

Having said all that, the ICO does drop a large hint that it does not regard analytics cookies as posing a serious risk to privacy. In the very last paragraph of the 27-page guidance document, they state that “it is highly unlikely that priority would be given to focusing on uses of cookies where there is a low level of intrusiveness” – which includes “first party cookies used only for analytical purposes”, provided clear information is given on the site.

Third party and advertising cookies

Third party cookies, especially those used for online advertising, are the most problematic from a privacy point of view. The ICO’s research suggests that even well-informed internet users are unaware of the distinction between first party and third party cookies – that is, cookies used by someone other than the website owner.

Information on the use of third party cookies will need to be clearly set out as part of informing users and obtaining consent. Both the website owner and the third party will want to ensure that their respective obligations are clear: if you run an advertising-supported website, you will want to ensure that the advertising provider is obliged to provide accurate and complete information on their use of cookies (so that you can put this in your own cookies information); conversely, the advertising provider will want to ensure that participating websites are compliant with the law, as otherwise this will put the advertising provider themselves in breach.

The guidance acknowledges, though, that third party cookies remain “one of the most challenging areas in which to achieve compliance”, given the higher privacy concerns over such cookies and their critical importance to online advertising.

Conclusion

It remains to be seen how the new law will operate in practice. Levels of compliance remain woefully low, so it is hard to discern any “best practice” emerging at present. However, the ICO’s guidance does at last suggest some practical ways in which websites can comply with the law without losing the benefits of using cookies.

Filed under Behavioural Advertising & Cookies Tagged with , , , , , ,

Olympic advertising ban: a pre-emptive ambush?

December 12, 2011 by Leave a comment

One of the key measures proposed to protect the interests of sponsors for the 2012 London Olympics and Paralympics is a prohibition on unauthorised advertising, including “ambush advertising”, around Olympic event sites.

The regulations imposing this advertising ban have now been implemented, as The London Olympic Games and Paralympic Games (Advertising and Trading) (England) Regulations 2011, and the LOCOG website has guidance on the regulations and how to comply with them. Crucially, this includes the maps of the “event zones” where advertising will be banned around the time of the Games.

The ban will apply for different periods for each event zone, as listed in Schedule 2 to the regulations, with the longest ban being around the Olympic Park itself: from 23 July to 13 August (for the Olympic Games), and then from 28 August to 9 September (for the Paralympic Games).

Anyone wishing to display advertisements within event zones during the relevant period (including existing traders) will need prior authorisation from LOCOG.

The types of “advertising activity” banned under the regulations are very broad, ranging from conventional billboards and signs to leaflet distributions and even the wearing of “advertising attire”.The thoroughness of the regulations is perhaps best shown by their express application of the ban to:

(i) an advertisement to be displayed on an animal, or

(ii) an apparatus by which an advertisement is displayed to be carried or held by an animal.

The mind boggles.

There is an exemption for people (though not for animals!) wearing clothes which carry advertisements, provided this isn’t part of an ambush marketing campaign, and also for “not-for-profit bodies”.

The regulations have been attacked by both advertisers and campaigners as “draconian” and an assault on freedom of expression. LOCOG, however, argues that the rules will “not only help protect the investment of sponsors”, but are also intended to ensure “a welcoming environment for spectators”.

Filed under Regulatory Issues Tagged with , , , ,

Battle of the business models

November 17, 2011 by Leave a comment

Wired magazine has a fascinating interview with Jeff Bezos, CEO of Amazon, to coincide with the first shipping of the Kindle Fire, Amazon’s rival to the iPad.

What the interview highlights is the way the internet (at least in the English-speaking world) is increasingly concentrating into four “ecosystems” – Google, Apple, Facebook and Amazon – with each of these having a distinctive business model:

  • Apple’s model is hardware-centric. The content it sells through iTunes and the App Store is a means to an end, the end being to sell its highly profitable, premium-priced devices such as the iPhone, iPad and Mac. Its lower-priced devices such as Apple TV and the iPod Touch serve the same end, operating (as I can testify from personal experience!) as a “gateway drug” to the more expensive models by ensuring people buy into the ecosystem.
  • Amazon’s model is content-centric. This is the polar opposite to Apple: Amazon makes money from selling content, and it therefore keeps its device prices at rock-bottom in order to draw people into its content ecosystem. In his interview with Wired, Bezos doesn’t rule out literally giving away the Kindle in future.
  • Google’s model is data-centric. Its mission statement is “to organize the world’s information and make it universally accessible and useful” – not least to make it useful to its advertisers. Hence Google generally gives away its products for free, whether that’s services like Gmail and Picasa for consumers, or the Android operating system for mobile phone developers and networks. The products are aimed at encouraging people to put more and more of their information into Google’s servers.
  • Facebook’s model is social-centric (sorry!). Like Google, its aim is to collect as much data as possible about people so that it can then sell advertising. However, it comes at this at a different angle from Google, building out from people’s social relationships – highly valuable information that is donated to it by its 800m users.

It remains to be seen which of these models will win out or how they will coexist. However, a couple of questions come out of this.

First, you’ll notice that the above list makes no mention of Twitter. Twitter may be a hugely popular service, but it’s a long way from constituting an ecosystem or dominant business model to compete with Apple, Amazon, Google and Facebook. It’s something that people use, not somewhere that people live.

Second, what does this mean for smaller companies seeking to make money online? Increasingly the routes to do so lie through one or more of those ecosystems: through developing apps for Apple, Android or Facebook, through ensuring a strong presence on Google, through having content available through Amazon. This provides people with a lot of opportunities – just see how the App Store can make software available to tens of millions of potential customers – but also reflects something of a reduction in the “free for all” that has driven innovation online to date.

Something of that concern for a reduction in freewheeling innovation can be seen in Bezos’ criticism of the software and business method patents that helped Amazon in the past, but which he now clearly sees as more of a threat:

For many years, I have thought that software patents should either be eliminated or dramatically shortened. It’s impossible to measure the toll they’ve had on the software industry, but on balance, it has been negative.

Whatever your view on software patents, they are certainly playing a central role in the concentration of internet business into a small number of ecosystems, between which fierce battles rage in patent courts around the world. Again, it remains to be seen what effect this will have on innovation for smaller companies.

Filed under Web Tagged with , , , , , ,

ICO gives businesses a year to comply with new cookies law

May 26, 2011 by Leave a comment

As an update to my post on the new cookies law, the ICO has now published guidance on their approach to enforcement of the new law (PDF). The guidance itself can be found here (PDF).

The key point is that the ICO is giving businesses a year to comply with the new law. Full compliance will only be expected from May 2012. However, this doesn’t mean that organisations can sit on their hands in the meantime. As the ICO guidance puts it:

The Commissioner does not though condone organisations taking no action in the period up to May 2012. Organisations should be taking steps to ensure they can properly comply with the revised rules for cookies by May 2012. If it appears to the Commissioner that particular organisations are not making adequate compliant by May 2012 he may issue them with a warning as to the future use of his enforcement powers.

If the ICO receive complaints about non-compliant cookies during this period, they will ask website owners to explain what steps they are taking to ensure compliance by May 2012.

There is still a great deal of confusion in the marketplace about what the new law means in practice and how businesses can comply. Some are suggesting that websites offering aggregated opt-outs to multiple standard cookies will be enough to comply with the law. However, the law is clear: it is not enough to offer an opt-out, however well publicised and coordinated. Users must give prior informed consent before cookies can be used by a particular website.

Hopefully over the next few months it will become clearer what approaches are seen as most effective in practice. The ICO has implemented a header on its website asking people to consent to cookies, but even they acknowledge this cumbersome and intrusive approach is not going to be appropriate for most other organisations.

Of more practical use for most businesses is the ICO’s example, in its own privacy policy, of how to set out information about what cookies are used. The table used by the ICO strikes me as a very clear and user-friendly way of informing website users about what cookies are being used and for what purpose.

Filed under Behavioural Advertising & Cookies Tagged with , ,

Older posts

Follow

Get every new post delivered to your Inbox.

Join 381 other followers