Fairfax journalist Ben Grubb was briefly arrested by Queensland Police yesterday after writing an article about an intenet security expert who gave a conference slideshow presentation on the ease of bypassing Facebook’s privacy controls to obtain a user’s photographs without a username or password. The security expert had allegedly sent Grubb copies of some of the “private” Facebook images that he had accessed.
Grubb’s story: privacy, news and the strong arm of the law
When I questioned under what legislation they had the right to seize my iPad, Coultis told me I was under arrest in relation to receiving unlawfully obtained property.
What?
[...]
Throughout this, my phone did not stop ringing and buzzing as the Twitterverse took up my case. Hundreds of tweets were directed my way and to the Queensland Police media unit, questioning why a journalist had been arrested and sending me messages of support. At one point, when Coultis accompanied me to the toilet because I desperately needed to go, I showed him the responses.Shortly before 6pm, I was given a receipt for my iPad and Coultis told me that I was “un-arrested”. I was free to go, but, to the best of my knowledge, my iPad remains at an exhibits facility in Brisbane. I was told that forensics officers were going to make a complete copy of the information on my iPad, whether it related to this matter or not.
Cyber law risks making the ‘ordinary’ criminal: expert
A senior lecturer in internet law says the arrest of a Fairfax journalist over his receipt of an unauthorised Facebook photo “defies sensible explanation” and the entire matter exposes serious failings in Australian cyber crime laws.
[...]
Mr Black said the Cyber Crime Act was at odds with Facebook’s terms of service, which says there are no guarantees private photos will not be accessed. He said when users upload photos to Facebook they were granting the company a “non-exlusive licence” to use the photo but Facebook did not obtain ownership of it.The way the Cyber Crime Act was drafted was so broad that a whole range of “more or less ordinary activity” could attract criminal charges, Mr Black said.
This incident certainly strikes me as overreach, both in the drafting of the original law and in the police response to this particular incident.
(this post’s headline is a gift to @DrewBoyTweets)
That’s Qld unfortunately. The more things change the more they stay
The quote from the police that really makes me shake my head is the one about receiving a photograph obtained from a Facebook account without the user’s permission being the same as receiving a stolen TV.
It’s just so totally not.
What I don’t get is how come Fairfax are making a 20 year old the deputy technology editor. Oh and count up the number of times Apple products get a mention. Anyway sounds like this security guy must be a bit of a loose cannon and the police, well as some said, Queensland … say no more. So some great all round stupid going on.
i think arresting the journalist for receiving stolen images is a bit over the top. However, if some nutbar gave a stolen photo of me to a journo and the journo saw fit to publish it on the fairfax website, I would feel quite violated. no one (who had the right) gave fairfax permission to publish that photo. It may not be theft, but it is a breach of the guy’s privacy.
particularly alanic given that the original presentation had some confused idea that it dealt with people’s privacy.
Images are not the property of just anyone who finds them. And the way this guy “found” the image was akin to looking in every window he walked past until he found the window of a particular person, and then taking the photos off their mantel piece. put that way do you still feel this is innocuous?
I am not so surprised that the Cyber (how 1990s!) Crime legislation is flawed. But it is a little comforting that this particular law was revealed be an ass when used against a photogenic member of the media like Ben Grubb, rather than a reclusive Asperger’s sufferer like Gary McKinnon.
However, if some nutbar gave a stolen photo of me to a journo and the journo saw fit to publish it on the fairfax website, I would feel quite violated.
But he never did, Sean. He was doing the traditional thing of “helping police with their inquiries”, which in general is a good thing.
Fairfax showed a photo of the “victim”‘s husband, but that particular photo was in the public domain, and was vetted by lawyers before being displayed. It’s all in the transcript if you care to look.
And it really looks like they only arrested him to justify taking his ipad, judging by the sequence of events. Anyway it is good to have this tested against someone with a platform to get their side of the story out
Well the transcript says
“Yes, there is a picture of Chris Gatford on the website, which was in public domain as Christian likes to describe it”
And yes, Ben grubb says he checked with fairfax lawyers, but who knows what he told them. Heinrich has a vested interest in saying that the photos were in the public domain.
From the description of how Heinrich got the photos I would not say they were in the public domain ( but like Heinrich I am not a lawyer).
And fairfax took the photos down last night, so I think fairfax’s lawyers may not be so sanguine about the public domain status of them
Since it is likely that not a single journo would hesitate before taking private photos off facebook and using them, then it would actually be great to see a few more of them arrested. A nice spot of jail would probably be in order too with hopefully some unauthorised shots of them taken while they were on the prison dunny. This is a bit like the outrage of a serial criminal arrested for the one crime they didn’t do.
Meanwhile, ASIO gets more power.
Sharing Your Content and Information
You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings.
In addition: For content that is covered by intellectual property rights, like photos and videos (“IP content”), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (“IP License”).
This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it. When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others).
When you publish content or information using the “everyone” setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e., your name and profile picture).
Charlie is absolutely correct about the way that photos can be accessed on Facebook its all down to how users enable their privacy settings. sadly many people think that only their circle of real friends will ever see the nonsense that they post on social networking sites.
Further only photos from pages at the highest possible privacy settings can realistically be claimed to be “stolen” If you post images on the basis that anyone may see them, or that friends of friends may view them. You are effectively making them entirely public and if anyone, including journalists find them on this basis then it is the fault of the person who posted them if any embarrassment ensues rather than anyone who promotes something that has already made public by the Facebook (or any other photo sharing service like Flicker ). Typically the deluded want to think that the things that they make public should be off limits to criticism or review as the provisions of the copyright act allow.
My post @ 12 is straight from FB’s terms, conditions & privavcy stuff. So that is what they advise etc…
What The Worst of Perth said @10. While it’s certainly important to educate people about how easy it is for people to access images you thought were private, “Because I could” is still not an acceptable reason for journos to publish images whose intellectual property belongs to private citizens without their permission.
Yes, all this talk of privacy settings etc is touching, but laughable, because journos, all journos will use a private photo no matter what, if the story is big enough and worry about fake apologies and bogus excuses later. Just look at Flickr discussion boards. Virtually every day photographers are complaing about major Australian newspapers ripping off their shots which are clearly and unambiguously copyrighted. Truth is that jounos don’t give one shit about your privacy or copyright no matter how it is labelled or what your wishes are, so it’s a little hard to have any sympathy for Mr Grubb.
The Worst of Perth#16
You are missing the point and the distinction between making something public and keeping it private. If any face book user does not want any of their images shown to the world then think twice before you publish them and make it clear to your friends and family that you don’t want any images of your self posted by them either.
The reality is that unless the image is made public in the first place short of doing a break and enter of your house no journalist could possibly get your pictures anyway.
So the message is if you want your pictures to remain private then YOU have to keep them that way , its that simple.
So if you accidentally leave a diary or private letter out on your front porch, a passing journo should feel free to publish it on the front page?
There is an important distinction between making an image available on a public platform and giving up one’s intellectual property rights as the creator of that image.
From what I gather about the case, the images used by Heinrich in his presentation were, if no longer (by dint of Terms Of Use provisions) the intellectual property of the other security pundit’s wife (from whose Facebook account they originated), then they were still the intellectual property of Facebook. By no understanding of the term were they in the public domain. But Ben Grubb didn’t publish any of those photos. Apparently the photograph accompanying his article was one of the other security pundit, sourced from elsewhere.
I still have not seen the photo used in the newspaper article (it’s not included in the current online version) so I still don’t know whether that particular photo was All Rights Reserved or Creative Commons License or what.
However, if that particular photo was a publicity photo used by the other guy to promote his business, which is the impression I have, then surely he doesn’t have its copyright status as All Rights Reserved?
Anna
While I appreciate the point that you are making but if you substitute a community notice board for the front porch in your analogy, because it is closer to the mark when we are considering Face book et al, then anything placed there is not really private any more now is it?
So my point is if you put put something on public display or share it with others without specific limitations (IE “don’t share this with anyone else please”) then it is no longer private in any real sense now is it?
I saw the article when it was still up. The accompanying photo was of a man sitting in his lounge room with a pixellated image of a child next to him. The child was playing with some sort of standing toy. It was definitely a personal photo. The man in the photo was not pixellated and was identified as the security rival of the person who gave the presentation.
Intellectual property law still applies, surely? Obviously you have given permission for the photo to be seen by members of that network because that’s part of the TOS, but once it’s taken out of that network by a third party and used elsewhere then that third party is breaching your IP and also the assigned license given to the network.
Mindy, thanks for the description of the photo, which was very different from my impression. It certainly sounds like publishing without permission to me, which is an IP breach.
Of course, breaching IP is a matter of civil liabilities and not a crime. Being interviewed by police and having the property confiscated still seems heavy handed. Guessing a URL, even with technical assistance to predict it, is not hacking/cracking any passwords. Facebook could easily make photos much more secure, but they choose not to. Someone copying an unsecured image online is not a crime, even if it breaches IP law.
That’s incorrect @tigtog, the photo Grubb published was ‘stolen’ from the Facebook profile of Heinrich’s rival and included his wife and children.
Grubb repeatedly repeats the line that he was arrested ‘for publishing a story’ which is completely untrue. Fairfax repeatedly repeats the line that he was arrested ‘after publishing a story’ which is a deliberate attempt to misrepresent the situation. It is just as dishonest as saying he was arrested ‘after the sinking of the Titanic’.
Police were investigating a complaint and Grubb was arrested because he refused to hand over evidence obviously directly related to that investigation.
No acknowledgment at all in Fairfax that they first published the picture including the wife and children, then edited out the children, then edited out the wife, then removed the picture altogether. This in itself is evidence that Fairfax (gradually) realised that they had done the wrong thing.
The vast majority of the public dialogue (though not here, kudos) has basically been aping the Fairfax spin which deliberately misrepresents the situation and makes no mention at all of numerous key facts.
Fairfax have used their media power to whitewash the issue and obliterate any questioning of their behaviour.
Police handling of the situation was obviously clumsy and they deserve to be criticised, but both Fairfax’s and Grubb’s behaviour has been clearly unethical and deliberately dishonest.
Thanks Tig Tog
Your comment helps flesh out the distinctions here but I still think that many who get upset about the reuse of Photos don’t understand the difference between breaches of civil law ( I.E. breaching copyright) and criminal law (I.E.theft). Just the same as they don’t understand the difference between what is really private and that which has been made public .
LOL ‘repeatedly repeats’, was scribbling that down pretty quickly, continually repeats perhaps…
Note that copyright is not absolute – there are several exemptions in Australia for “fair dealing”. One of those is for news reporting, so given the photos were originally used in a conference presentation, the SMH publishing the photo would probably not be infringement. There is also an exemption for research, though I suspect the person who did the original copying even though he may be a security researcher may be on weaker grounds there. And for people that care there is also an exemption for parody or satire, so if you don’t want one of your embarassing photos potentially appearing on the chaser, don’t upload them in the first place
Also, I’m not aware of the details of the facebok exploit, but photos on that site intentionally can be accessed via a url that does not require authentication. This url is only visible to the person who uploaded the image in the first place so they can share photos with people who do not have a facebook account. But obviously once shared, the url can be shared with anyone else.
ok, so what i understand of how the photographs were gathered is like this ( I work in IT but am not a security person)
Facebook works with lots of servers that have to synchronise their data. For this reason you sometimes see that the facebook feed changes order or things appear and disappear, I believe it is this syncing happening (or not happening).
The syncing is managed by a network that is invisible to the user. This is the Content Distribution Network. This should be secure, but apparently it is well known that many of them are not. Heinrich used a brute force attack to pull lots of data out of this network, then sifted it to find the photo he wanted. His point (such as it is) is that facebook is insecure.
his other point seems to be that the other security consultant doesn’t really know about security, or why would he let his wife use facebook, which is insecure. I cant see that he has made that point at all, but that is beside the point.
So the URL he is using is not a published URL, it is exploiting a weakness in the Facebook infrastructure. sort of like phone tapping is not the same as listening in the next room to someone’s conversation.
I believe (OK, wikipedia tells me) that unauthorised access to data held in a computer system is a federal offence under the Crimes act. Certainly every computer I have used in the last 10 years has a disclaimer to that effect.
So i think there is an argument that heinrich has committed a crime, whereas Ben Grubb just has an unusually appropriate surname.
heinrich’s best defense is that the Facebook CDN is clearly unsecured, and because it is not intended to be a public network is probably does not have a disclaimer. From memory the reason that computer systems now have the disclaimer when you log on is that when early breaches in Australia were prosecuted (20 years ago) they collapsed because the computer systems had no such disclaimer.