Regulating Business Models that Capitalize on User Posted Personal Information of Others: How Can Canada’s Privacy Regime Protect Victims of Online Shaming Businesses?
Dr. Andrea Slane (University of Ontario Institute of Technology) and Dr. Ganaele Langlois (York University)
August 2016
Note: This submission was contributed by the author(s) to the Office of the Privacy Commissioner of Canada’s Consultation on Online Reputation.
Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.
Summary
This essay addresses the problem of online businesses that specifically solicit, encourage and profit from users posting sensitive personal information of others. The authors argue that the Personal Information Protection and Electronic Documents Act (PIPEDA) is well positioned to address such misuses of personal information, provided that the Act is interpreted to 1) consider specific soliciting and encouraging of users to post information of others as a “collection” of personal information, and 2) where the design of the business relies on users posting that type of information, that this is then also “use” of the personal information of the data subjects by the business. The essay sets out some of the ways that “revenge porn” websites, for instance, profit from collecting and using the sensitive personal information of others via their users, including through advertising and directing traffic to other pay porn sites.
The authors also argue that PIPEDA could be amended to incorporate clear direction regarding when a business will be liable for third party posting of the personal information of others. A good model for such liability can be taken from the Copyright Act, which considers a business to have itself infringed copyright where the service it provides is “primarily for the purpose of enabling acts of copyright infringement” and where such infringement by users in fact occurs. The Copyright Act sets out factors to be considered when determining whether a business primarily operates to enable copyright infringement, each of which translates well into factors that could be used to determine if a business primarily exists to enable invasion of privacy by users (as understood via existing legal standards, such as the criminal offence of non-consensual distribution of intimate images, or the tort of publication of private facts).
Finally the essay also argues that PIPEDA should be amended to increase the enforcement powers of the Privacy Commissioner, along the lines of the United States Federal Trade Commission (FTC). The FTC has increasingly come to serve as the data protection regulator in the United States, and has recently prosecuted its first “revenge porn” business for unfair and deceptive business practices. The FTC is able to issue orders and fines, and the authors argue that the Privacy Commissioner should similarly be empowered to issue binding orders and administrative monetary penalties (AMPs). Without stronger enforcement, the authors argue, the lure of profits to be garnered from privacy violating business models will continue to result in grave exposure of Canadians’ sensitive personal information online.
Full submission:
Note: As this submission was provided by an entity not subject to the Official Languages Act, the full document is only available in the language provided.
In the late 1990s, the dominant theme of any debate about regulating Internet-based businesses was that governments should exercise restraint and mostly leave such businesses alone. This hands-off approach was thought to best protect the value of this new platform as a free and open space for both technological and commercial innovation and for freedom of expression online.Footnote 1 The Internet was thought to enable a vast and diverse enough market that self-regulation would ensure sufficient competition among providers of both services and content, thus providing incentive for businesses dealing with problems themselves and rendering regulation by government unnecessary.Footnote 2
At the same time, the expanding information economy inspired Canadian policy-makers to develop a regime for protecting consumers’ privacy interests in their dealings with businesses.Footnote 3 The Personal Information Protection and Electronic Documents Act (PIPEDA) established rules that any organization involved in commercial activities in Canada must abide by regarding the collection, use and disclosure of the personal information of consumers. PIPEDA sets out the parameters of legitimate data management, and constrains illegitimate collection, use and disclosure. These measures are necessary in order to mitigate ever expanding risk of harm arising from the creation, compilation and integration of online and offline data about every person.
The Office of the Privacy Commissioner of Canada (OPC) was created to interpret and enforce PIPEDA (among other things), but without the ability to issue binding orders or impose penalties. Injunctions and monetary penalties for businesses that infringe consumer privacy can only be imposed by the Federal Court, and so far claimants must prove damages in order to receive compensation.Footnote 4 This approach was in keeping with the spirit of granting online businesses that traffic in information and user expression tremendous leeway to self-regulate, and to work out solutions (with OPC guidance) rather than to face regulation and set penalties.
As the Internet evolved to produce a vast array of platforms and applications which primarily facilitate information exchange among users, a primary legal arena became what degree of liability, if any, hosts and intermediaries should incur for the wrongdoing of individuals using their services.Footnote 5 Legal systems all over the developed world grappled with the many varied ways that Internet-based businesses provide forums for users to post information and media: including personal information of others and media which they had no right to post. “Safe harbors” were developed to protect true intermediaries and platform hosts from legal liability which they would have no realistic way to monitor (and where such monitoring would be undesirable for users generally).Footnote 6 This again was thought to be the best way to preserve the open market for technological and commercial innovation. More recently, however, the law in Canada and other jurisdictions has been recognizing that online businesses that specifically promote and encourage users to post illegal content should not be afforded the benefit of these otherwise justifiable safe harbors.Footnote 7
In these submissions on online reputation, we focus on businesses that specifically traffic in the sensitive personal information of others, and how PIPEDA is and should be used to limit the damaging practices of such businesses, and how it should be amended to make it more effective in dealing with this sort of privacy-violating and reputation damaging business model. The prime example of such a model is shaming websites that encourage users to post intimate images of others without their consent (the most egregious of which are popularly called “revenge porn” sites). These sites solicit anonymous users to post images that plainly violate the privacy of those pictured: most of the photos and videos feature exposed genitals and breasts or explicit sex acts, and are images which originated within intimate relationships and were never meant for public distribution; others are hacked from victims’ digital storage and were never meant for any distribution at all.Footnote 8 These images are expressly tied to identifying information (such as name and location) and are searchable both within the site and as indexed by general search engines. Given the popularity of these shaming sites, anyone searching for information about that person will very likely turn up the shaming site in the top 10 hits.Footnote 9 This means that these sites radically transform the online reputation of the subject of shaming, so that it is difficult for her (as most are women) to craft a reputation that is not primarily defined by non-consensually shared pictures of a private nature. As such, informational violence has been done to the subject’s online and offline subjectivity, defined as it increasingly is by the matrix of data points and their interpretation in myriad contexts.
The OPC discussion paper on online reputation states that the OPC has received many complaints about this type of business.Footnote 10 The paper names two barriers to the OPC’s asserting authority over these sites: 1) jurisdiction, as many of these sites are based elsewhere (commonly the United States) in that there must be a “real and substantial connection to Canada” in order for PIPEDA to apply, and 2) that PIPEDA only applies to organizations engaged in a commercial activity, and some of these sites are not set up for profit.Footnote 11 To this latter point the OPC discussion paper notes that “Under Canada’s private sector privacy legislation, organizations must obtain the individual’s consent to collect, use and disclose their personal information in the course of commercial activity, unless narrow exemptions apply. Individuals who post information in their personal capacity are not covered by private sector privacy laws.”Footnote 12
We suggest in Part I that the OPC has authority to address most complaints about shaming sites that host the personal information of Canadians whenever any sort of revenue is generated by the site to its owners: even if the business is based elsewhere and even where the sensitive information is submitted by anonymous individual users rather than being directly collected by the business itself. However, in Part II we suggest that PIPEDA should be strengthened in two ways. First, in order to make clear what sorts of business models run afoul of PIPEDA by way of the user behavior they foster, PIPEDA should be amended along the lines of the statutory provisions against services that enable and encourage copyright infringement found in the Copyright Act. Second, the OPC should be granted stronger enforcement powers that would meaningfully and expeditiously sanction businesses engaging in unfair, privacy-violating business practices and deter others from setting up similar models.
Part I: Existing Authority of the OPC to Address Complaints about Shaming Websites and other Digital Services
Since the OPC indicates in the discussion paper that it has asserted authority over shaming websites where it has established jurisdiction and commercial activityFootnote 13, we want to lend our support to the interpretation of these requirements as already met in most cases where Canadians would find their intimate photos posted. We further suggest, while not explicitly addressed in the OPC paper, that businesses that explicitly solicit content from individual users are “collecting” the personal information of the subject of a photo/profile, even if indirectly, and then “using” that information as the core content of what they offer as a service: these are not mere hosts, but rather active in the process of collecting and using the personal information of those pictured without their consent.
Ia. Jurisdiction
Many shaming websites that promote user submissions of personal information are or should be subject to Canadian jurisdiction, because one of the major draws of these sites is that they require location information for the subject of the shaming material, and then make that material searchable by location. In other words, a central feature of the online shaming dynamic is that users can look up intimate photos or damning personal information about people in their own community. Being exposed to an audience in your local social environment enhances the immediate impact of online shaming on the victim, perhaps even more than the fact that this information is now globally available for all the world to see. The location information facilitates further privacy violations (victims report that users of these sites take it upon themselves to point employers and family members to the photos) as well as facilitating online and offline harassment (victims report being contacted by strangers, threatening violence or wanting sex).Footnote 14
The revenge porn website MyEx.com, for instance, permits users to search specifically for Canadians whose intimate images have been posted to the site.Footnote 15 The website is designed to solicit such specific location information, in that the site prompts anonymous users to fill out an online form if they want to post intimate images. The form requires at a minimum the name and location of the subject of the photo. Canada is in the drop down menu of this form as a top choice, just under the United States, and if Canada is selected then a secondary drop down menu prompts users to select a province or territory.Footnote 16 Shaming websites that are location-based like this and specifically prompt posting of Canadians’ personal information should clearly qualify as within the jurisdiction of Canadian law.Footnote 17
Ib. Commercial Activity
While shaming websites themselves are usually free in that they do not charge users a fee, this does not mean they do not profit from the traffic to and from the website: Profit is garnered through advertising that appears in pop-up or banner ads (much of it for pornography), and through mechanisms that direct users to related sites (e.g. buttons that appear to link to internal pages, but really link to external pages of pay porn providers).Footnote 18
In some cases, these sites have also generated revenue by charging a fee to victims who want their photos and profiles removed: various legal mechanisms have been employed in the United States to crack down on this business model (criminal charges of extortion and identity theftFootnote 19; and most relevant to these submissions, prosecution by the Federal Trade Commission for unfair and deceptive business practices), as discussed in greater detail below.Footnote 20
Whenever a website garners some commercial benefit, be it through advertising, directing traffic, or some sort of fee-based service, it engages in a commercial activity that makes it subject to PIPEDA.
Ic. Indirect Collection of Personal Information
In order to bring home that PIPEDA already applies to these businesses, we encourage the OPC to make explicit that indirect collection of personal information via individual users still counts as “collection” for the purpose of PIPEDA in certain circumstances. Where users are specifically invited to post photographs or other personal information of others, especially where the site itself would not exist but for the posting of this sort of information by individual users, this sort of business should be considered to have collected that personal information. Further, because these sites would not exist if it were not for third party posters uploading the personal information of others, the sites should be considered to have “used” this information in the course of their commercial activities (that is, garnering revenue from advertising or directing site traffic). Again, this means that the consent requirements of PIPEDA should apply.
Part II: Strengthening PIPEDA and the OPC to be Better Able to Address and Deter Online Shaming Businesses
The business of online shaming is highly lucrative and relies entirely on the darker side of human curiosity and attention: without significant penalties and meaningful enforcement, the lure of easy profit off the reputational harm of others will be simply too great. We therefore suggest that: 1) businesses that specifically encourage users to post sensitive personal information of others be made clearly liable under PIPEDA, and that 2) the OPC be empowered to both a) issue orders that enjoin businesses that violate PIPEDA from carrying on with those practices, and b) impose administrative monetary penalties (AMPs).
Since non-consensual distribution of intimate images is now a crime in Canada, a model for imposing liability on some Internet service providers who specifically enable and encourage posting illegal content already exists in Canada in the Copyright Act.Footnote 21 Recent developments regarding privacy torts also point to the illegality of “publication of private facts” which would also fit this model of secondary liability for site operators.Footnote 22
A model for stronger enforcement powers is harder to come by, but may benefit from adopting the model of the United States Federal Trade Commission, which recently prosecuted its first case against a revenge porn site operator, and so has begun developing means to address revenge porn as a privacy and consumer protection issue. While this is complicated in Canada by provincial authority over most consumer protection, there may be some avenues for strengthening coordination between provincial consumer protection enforcement and the OPC.
IIa. Copyright: A Model for Imposing Liability on Businesses that Exist to Exploit the Non-Consensual Posting of Personal Information of Others
Copyright has been a particularly active arena in Canadian law, as it has elsewhere, when it comes to user posted content. The drawn out process of reforming Canada’s copyright regime to meet the challenges of the digital age finally culminated in the passage of the Copyright Modernization Act in 2012.Footnote 23 This Act included amendments to the Copyright Act that aimed to clarify the legal liability of hosting services that specifically enabled online copyright infringement by individual users. The Copyright Act now contains a provision that states that “It is an infringement of copyright for a person, by means of the Internet or another digital network, to provide a service primarily for the purpose of enabling acts of copyright infringement if an actual infringement of copyright occurs by means of the Internet or another digital network as a result of the use of that service.” (emphasis added)Footnote 24
Among the factors that a court may consider when determining whether a service provider operates primarily for the purpose of enabling copyright infringement are:
“(a) whether the person expressly or implicitly marketed or promoted the service as one that could be used to enable acts of copyright infringement;
(b) whether the person had knowledge that the service was used to enable a significant number of acts of copyright infringement;
(c) whether the service has significant uses other than to enable acts of copyright infringement;
(d) the person’s ability, as part of providing the service, to limit acts of copyright infringement, and any action taken by the person to do so;
(e) any benefits the person received as a result of enabling the acts of copyright infringement; and
(f) the economic viability of the provision of the service if it were not used to enable acts of copyright infringement.”Footnote 25
This sort of liability should also be imposed on businesses that operate primarily for the purpose of enabling users to post the personal information of others without their consent.Footnote 26 This sort of offence would clearly cover most revenge porn sites, when factors similar to those enumerated for copyright liability are applied to privacy violation: (a) revenge porn sites and many amateur porn sites are expressly marketed and promoted as providing a forum for users to post intimate images of others, implicitly without consent (e.g. solicitations to “post your ex-GF”Footnote 27); (b) revenge porn site operators know their services are being used to post a significant number of intimate images without the consent of the subject of those photos; (c) the sites often have no other significant use other than hosting non-consensually posted intimate images; (d) the site operators deliberately do not require any proof of consent, even as they disingenuously claim in their terms of service that users are not permitted to post images without consent; (e) revenge porn site operators’ profits stem entirely from the draw of users to the non-consensually posted content; and (f) the sites would not garner the profits that they currently do if they did not specifically enable non-consensual posting of intimate images.Footnote 28
We note that the OPC recently examined some of these same factors in its finding that Globe24H, a site that reposted public Canadian court decisions and made them searchable by ordinary search engines, had violated PIPEDA. We applaud the OPC for refusing to allow Globe24H to hide behind disingenuous claims of providing a public service and instead finding that the site existed primarily to extract fees from individuals who wanted the decisions in which their information appeared to be taken down from the site.Footnote 29 The Globe24H finding should serve as a model for examining other online businesses that primarily exist in order to profit from the exposure of the personal information of others without their consent.
IIb. Privacy and Consumer Protection: The Federal Trade Commission as Enforcement Model
The Federal Trade Commission (FTC) has largely taken on the role of consumer data protection authority in the United States: that is, doing what the OPC does here in Canada. This makes for an interesting and fruitful fit with other aspects of the FTC’s mandate, namely consumer protection and competition.
In its complaint against revenge porn site operator Craig Brittain, the FTC alleged that Brittain had violated section 5 of the Federal Trade Commission ActFootnote 30 which prohibits “unfair or deceptive acts or practices in or affecting commerce.”Footnote 31 Unfair acts or practices are those that cause or are likely to cause substantial injury to consumers; that cannot be reasonably avoided by consumers; and where the injury is not outweighed by countervailing benefits to consumers or to competition.Footnote 32 The FTC lists a variety of Brittain’s practices that it deemed unfair, including the common revenge porn business model as a whole, whereby Brittain “encouraged and solicited individuals to submit, anonymously, photographs of other individuals with their intimate parts exposed for posting on the Website” and “required that all submissions include at least two photographs, one of which had to be a full or partial nude, as well as the subject’s full name, date of birth (or age), town and state, a link to the subject’s Facebook profile, and phone number.”Footnote 33 The Complaint also notes that Brittain sometimes added additional personal information that he was able to locate on his own.Footnote 34 Other unfair business practices that specifically violate the privacy of the people whose photos were posted included a “bounty” system, whereby users could post requests for intimate photos of specific people from the site’s user base for a fee, from which Brittain took a cut, and the extortion business model where he charged high fees for removing profiles via a second company he controlled.Footnote 35
The advocacy group Electronic Privacy Information Center (EPIC) filed a comment on the “Proposed Consent Order with Craig Brittain that would settle his alleged violation of the FTC Act”Footnote 36, supporting the FTC decision to prosecute Brittain and encouraging the FTC to continue to develop its authority in addressing consumer privacy issues, including by prosecuting more such revenge porn cases.Footnote 37 EPIC supported prosecuting Brittain because, among other acts, he “unfairly disseminated photographs of individuals with their intimate parts exposed, along with personal information about them, for commercial gain and without the subject’s knowledge or consent, despite the fact that he knew or should have known that the individuals had a reasonable expectation their image would not be disseminated in that manner.”Footnote 38 EPIC characterizes the revenge porn business as among a class of online “businesses that misappropriate images of people and sell those images to third parties for purposes to which the image subject did not consent.”Footnote 39
Given its enforcement powers, the FTC was able to issue an order against Brittain barring him from operating this type of business and requiring that he remove and destroy all of the intimate images in his possession.Footnote 40 The order states that Brittain (and anyone else associated with his business) is “permanently restrained and enjoined from disseminating, through a website or online service, a video or photograph of an individual with his or her intimate parts exposed” without following basic personal information handling principles of informed consent for sensitive personal information — principles enshrined in PIPEDA in Canada. Specifically, the FTC states that in order to post an intimate image of someone, the business must disclose that the image will be disseminated for commercial gain on a website or online service directly to the individual in the photograph or video—“not as part of a “privacy policy,” “terms of use,” or similar document posted on a website or online service”—and to obtain affirmative express consent from that pictured individual in writing.Footnote 41 Legal scholars Danielle Citron and Woodrow Hartzog hailed the decision and order, stating that the FTC had rightly determined that “people cannot exploit personal information shared in confidence for commercial gain” and declaring that this decision might finally kill revenge porn businesses.Footnote 42
While the OPC has a narrower mandate than the FTC, it would surely come to a similar conclusion under PIPEDA. At present, the OPC does not have the powers of the FTC, however. If PIPEDA is to be used to help victims of shaming websites reclaim control over their online reputations, then the enforcement issues already identified by the OPC need to be addressed: in particular, the Commissioner needs enforcement power to issue orders and AMPs.Footnote 43 Indeed the FTC’s mandates are covered by three different types of entities in Canada, with different powers and enforcement authorities. While the Federal Trade Commission Act in the United States covers competition law and consumer protection, which has now come to include consumer data protection, in Canada competition is overseen by the Competition Bureau (set up as an independent law enforcement agency that administers and enforces the Competition ActFootnote 44 — including issuing AMPs for some deceptive marketing practices), consumer protection is mainly a provincial power, administered and enforced by provincial ministries (some of which have authority to issue AMPsFootnote 45), and consumer privacy is mainly administered and investigated by the OPC, but injunctions and monetary penalties can only be issued by bringing a non-compliant business before the Federal Court.Footnote 46
This means that while Canadians have in the past prided themselves on their more robust data protection regime, now the United States appears to have more ability to address egregious privacy-violating and reputation damaging businesses than Canada. We strongly encourage reform that would bring the Canadian data protection regime in line with these international developments.
Conclusion
While we have supported the OPC’s work so far in finding that PIPEDA applies to many revenge porn businesses, we have also argued that the OPC needs powers like those of the FTC in the United States, so that injunctions and fines could expeditiously be imposed on such businesses that expressly and specifically profit from privacy violation. To assuage concerns about overly broad intermediary liability, clearer guidelines for imposing liability on hosts of third party content can be found in the recent amendments to the Copyright Act, which similarly deals with drawing a line between businesses whose primary purpose is to enable the illegal activity of users and businesses that truly serve only as general hosts.
Without both greater enforcement powers and clearer authority over hosts that would discourage these businesses from operating in the first place, Canadians will continue to be exposed to ongoing reputational damage to their online and offline selves, from which it is difficult, if not impossible to recover.