The outcry led to Instagram “clarifying” their terms a couple of days later to assure users that they’re not asserting ownership and don’t plan to use users’ uploaded photos for advertising. Personally, I suspect it was a change rather than a clarification. Many security and privacy professionals like myself think many in the industry have adopted an unspoken practice of pushing the privacy envelope as far as they can and retreating only on items that cause users to scream. Episodes like this go a long way to prove that opinion. And, sadly it’s becoming more common because it works.
While the “clarification” mollified the outrage quickly, it raises a broader question that sadly isn’t being addressed. Who REALLY owns the pictures that you upload to services like Instagram, Pinterest, or Flickr?
There are really two answers that you can give to this question. Lawyers talk about the difference between “de jure” and “de facto”: this is a fancy way of differentiating between how something is or ought to be under the law (de jure), and how something is in fact or reality (de facto). That distinction applies to this question: there is a “de jure” answer and a “de facto” answer. It’s worth noting here that lawyers tend to operate in the world of “de jure” answers and security people in the world of “de facto answers”.
The “de facto” answer to this question, though, is a simple one that applies universally to the practice of uploading photos not only to social media sites but to the Internet as a whole.
Who really owns your pictures when you upload them to the Internet? Not you any more. Not really in the sense that you have or will have total control over them.
The fact is that the Internet by design is meant to share data and information. At the core of the DNA of the Internet is the ability to view information AND copy AND disseminate it. This is why we see media companies struggling (and failing) to build a business model around content on the Internet: their business are predicated on control of content (for revenue) and the Internet was built for the opposite.
Things like terms of service that specify you “own” the content you upload protects you from your content being used by the service in ways you don’t want, but does nothing to protect you from others who can view and access the content from using it in ways you don’t want (and may even know about).
As examples, I spoke with a local news station a few months ago about a woman who had discovered that pictures and information she had posted on a legitimate dating website had been copied and used without her approval or knowledge by an online adult dating site. In another example, a local lawyer who had his LinkedIn profile copied and used to populate a bogus one supporting a financial scam. When asked what someone could do to keep these things from happening to them, I had to say that the only true protection is to not post the information at all.
I’m not saying you can or should expect this to happen every time to all the pictures or information that you post. But I’ve said that online security and privacy is about understanding risks and then either accepting and/or mitigating them. So when we’re talking about who “owns” the pictures or information that you post, we have to start by being realistic and acknowledging and understanding the risk that there is no true “ownership” in the sense of total control of the information on the Internet. Once we acknowledge that, if we decide to accept that risk by going ahead and posting pictures and information, then we can look at mitigating that risk.
In my next column, I’ll talk about some specifics to think about for mitigating the risks associated with your pictures and information being misused. But for now, the important thing is to understand the reality that when you upload photos and information, it’s no really yours any more.