Lilian Edwards
Associate Director, SCRIPT Centre for IP and Technology
Professor of Internet Law, University of Sheffield
Much work done on Social Networking Sites and privacy, eg, Facebook
Commonly known that SNS business model involves collecting/processing personal data, in return for free services
Data may be used by advertisers, or sold on to marketers.
Very data rich environment – d.o.b., contacts, address(es), hobbies, likes, etc – especially from kids/YAs
Online marketing set to exceed all other media, already worth £2.5 bn (Ofcom, 08).
VWs/SNSs excellent opportunity to target marketing to kids as avoids broadcasting rules – campaigns frequently run for “online junk foods” (Which?, July 08) – editorial content not ads?
Bebo – Cadbury Creme Eggs; McDonald's Kid Zone online games; cf UK TV since 1 Jan 08 ads for high fat food illegal during children’s TV programmes
Children/young people rarely alert to risks of data disclosure eg ID theft, phishing, paedophiles, stalking/bullying as well as “commercialisation”
Also feels like “private/friends” space not public space – expectations are not “reasonable”
High sociability factor in both games and SNSs
Ads/marketing blend seamlessly into social/gaming experience so lack of “notice” – Kidzone Happy Meal games
Ads may be inappropriate eg “sexualised” (Byron)
VWs not always free like SNSs, so ads may not be as dominant a revenue stream?
But same problems may arise.
Byron Review: 25% of children play online games for around 22 hrs per wk
UK/EU - Data protection law (DPA 98) – consent is guard against misuse. “Free, informed & genuine” consent. See DP Directive & Walport Review.
In England uncertain when child has capacity to consent to giving away data under DPA 98 – Gillick maturity test (Scotland = 12).
Consent to what data collected, for what purposes, for how long, how stored, who given to
But - invariably given as condition of registration, either via terms of service, or privacy policy
In practice, p.p.s never read & contract therefore rules
What if sensitive personal data disclosed? Eg sexuality, religion, any picture disclosing race or health (ECJ Lindqvist, UK Murray v Big Picture)
Should require “explicit” consent?
◦ But no – exception where data voluntarily exposed in public
What rules do VWs play by??
Eg Second Life: Privacy policy refers to ToS and 6 other policies
No under 13s allowed – but established only by child entering birth date
Privacy policy can be changed by notice only – no apparent need for new consent
Direct and indirect data collection – disclosed data PLUS website usage, computer hardware and Internet connection, 2L usage
If bankruptcy or merger, 2L may sell or transfer your personal data without further consent
What about interoperability??
Result: ad-supplied billboards and “product placement”
Eg WoW – parent must consent for minor (how?) and if child states under 13, they do not save personal data. “We urge parents to instruct children not to give out real names, addresses or phone numbers”. Also “urged” to review privacy policy.
“Parental supervision” tools consist of limiting hours of play – no tools for supervising data disclosed, or ads received.
Blizzard collect similar data to 2L but also assert
◦ may merge it into 3rd party dbs
◦ provide it to 3rd party advertisers and marketers
◦ collection allowed by affiliates as well as Blizzard. Cf FB “app” problem.
Opt-out in these 3 cases.
You can ask for data to be deleted – but only on termination of a/c!
Both 2L and WoW clearly based on US law (COPPA)
VW p.p. norms may be worse for kids than SNSs, given absence of real control by law
More complete record of data collected – every act, conversation, consumer choice in the game/VW – cf FB – only partial disclosure.
Huge time logged in-game – and many very consumerist, eg Sims Online.
Is data collected accurate or useful? About “real person” or “virtual persona”?
Important given likely use in profiling/merger of data – possible use in civil/criminal law eg subpoenaed evidence, etc. If you shoot orcs in game, are you a likely murderer?
Will data be updated, of kids especially??
Arguably subscription games should use/deliver data as revenue less than free VWs/SNSs – but no evidence from Blizzard.
Google in-game data collection patent – filed 2005, disclosed 2007
Collects info about a user’s interests and gaming behaviour by monitoring such in games/via gaming platforms
Presumably privacy policy somewhere – where? On web? Shrink-wrap on platform packing? Will it make any difference?
Info almost certain to be linked to real life info Google acquires via search data/Gmail etc. Consequences?
Unregulated VWs/games will invariably collect maximum and deliver maximum ads - $£
EU DP law in practice has no effect – also globalised market with mainly US privacy norms
Privacy policies are figleafs => Co- not just self-regulation required
Current attempts at state involvement eg HO Code on SNSs tend to rely on public/parental/child education, not top down regulation
State regulation of VWs/games mainly concerned with sex/violence & rating, eg Byron – yet loss of personal data is top threat to kids, above porn, violence and stalking online (Livingstone)
PEGI merely asks for standard privacy policy.
NOT just parental supervision – outclassed by kids plus mobile Net will make it redundant
Code defaults might help – not just privacy tools provision (prominence?) but, eg, default “friends only” visibility of child profile info (as suggested in HO SNS code). Is there a VW equivalent?
Proper age verification? Cf “Adultcheck” for porn
Vetting and approval of standardised industry privacy codes by state organ?
Applying broadcasting children’s content codes and CAP Code effectively to VWs/SNSs?
But how to do all this effectively in a globalised virtual world??