Pages

Monday, 28 January 2008

UK blogs, boards, Web 2.0 sites: how to not get sued






If you run or post on a blog, message board / discussion forum, internet group, social networking site or internet mailing list, how can you avoid (or at least minimise) your "legal risk" - the risk of someone suing you for what you've posted or for the other content on your site (whether put up by you or someone else), winning, and then making you pay them lots of dosh or censoring you - making you delete posts, messages, images or other content from your site, or even take down your site completely? Worst case scenario, you could even be prosecuted and imprisoned for certain kinds of content, e.g. inciting terrorism.

How can you protect yourself from being sued?

The first step in protecting yourself from legal liability is of course to make yourself aware of the risks you face.

To my mind, if you post to or run a blog, forum, mailing list or Web 2.0 site etc, there could be several different kinds of content on it, and personally I'd want to know what the risks are for every one of those categories. Legal action could be taken against you over:
  • Own content - stuff you've added yourself, e.g. the text in your blog posts, or MySpace, or a Facebook wall, your uploaded Flickr photos or YouTube videos, emails you've posted to a Yahoo! Group, Google Group or Usenet newsgroup, maybe even your chats. Anything you say online could expose you to legal risk, especially if it can later be found via the web. Obviously you can be sued for what you've posted to a Website, whether it's your own web site or someone else's e.g. a message board.

  • Hyperlinks - stuff you've just linked to, e.g. a blog post where you've just hyper linked to another web page, pic, video or other web content (I suspect that when you embed a photo or Flash video etc from another site or put it in an iframe, so that the full content is visible on your own site, it's going to be treated in the same way as if you'd put it up yourself in full on your own site).

  • Other people's content (if you run or own a site) - stuff other people have added or uploaded to your site - e.g. comments added by readers to your blog post; posts others make on your bulletin board or forum (which could include not just text but also graphics, videos, or links); archived emails from a Mailman mailing list, archived chats etc.

Blogs / Message Boards / Groups / Web 2.0 Sites - 15 Legal Do's & Don'ts

So here are 15 suggested do's and don'ts for blogging or posting on forums, social networking sites, mailing lists etc, which I've developed mainly from the talk which is covered in more detail below, with my own views added; I'm sure there could be more, but these are just a few ideas - for general info, it is not legal advice, and it only deals with the position in the UK.

They probably represent the "most paranoid approach", as I'm a cautious scaredycat type - in practice people might be able to get away with some of these things, but strictly they could get into big trouble for it if they're caught or sued, so don't say I haven't warned you! (Updated to number them and add a couple from the longer stuff below.)

1. Don't blog (or say anything else online) about your work or your employer. If you (and hence them) are identifiable, you could be fired if you say anything that could bring them into disrepute or amount to disclosure of their confidential information.

2. Before you say anything online about your work or employer, do check your contract with your employer. Imp's note: Some contracts may ban you from blogging, even in your spare time about interests unrelated to your work. Some may even claim all copyright in your blog contents!

3. Do make sure what you say about other people or corporations is true - check your facts and your sources.

4. Don't defame someone, i.e. post nasty (and untrue) things about them which make people think less of them, whether they are a real person or a company. That includes just repeating or quoting what someone else said, especially rumours. Saying "allegedly" is not enough to save you! Innuendo can be defamatory, i.e. the context counts; so can unwarranted exaggeration of something negative. If they sue you, it's up to you to prove it's true, if you think it is - which ain't easy. Or else you have to prove that you did check your sources carefully enough, etc - ditto. If you can't prove something easily, clearly, beyond doubt - don't say it!

5. Don't moderate posts or comments on your board or site, or if you do don't let anything through which could be defamatory. Even if you don't moderate, so that your website is just a mere "conduit" for information and you wouldn't know if someone had posted a defamatory post, you have to remove it once you know about it or you've been notified about it (even if you believe it's not in fact defamatory).

6. So do have a clear "notice and take down" policy for your site, unmissable by your readers / users / contributors (more below), and if there's a complaint then do take down (remove) the offending post or comment first and ask questions later, as that's the only way to protect yourself in UK law (if you weren't the person who said whatever's been complained about).

7. Don't copy someone else's work on your web site without permission, whether it's text (like a blog post), photos or images, drawings, illustrations, videos, music, speech or other audio, etc. Saying where you got it from or who originally created it is not enough, it's not the same as getting permission. Even copying an extract isn't necessarily safe - if your extract is recognisably from the original work, that could be "substantial" enough for you to be sued. Making an adaptation or parody of the original material without permission could be a copyright infringement too. (A Creative Commons licence, such as for this blog, is a form of permission, normally for private non-commercial copying provided you credit the creator appropriately.)

8. Don't do anything that might suggest your site or service originates from an existing brand of someone else's - e.g. displaying someone else's trademarked logos on your blog or site; just mentioning someone else's trademark may be OK if you don't suggest that (e.g. do include disclaimers about it) but don't do anything that might cheapen or "dilute" that trade mark, e.g. a parody of it.

9. Don't register a domain name that includes a famous trademark in it - the brand owner could take it off you.

10. Don't leak or talk about any information that could be confidential, whether about your work or anything else.

11. While sensible civilised people wouldn't do it anyway, don't say anything that could be taken as "criminal speech":
  • revealing too much about a court case that's still ongoing (exactly how much is too much isn't so clear), or
  • inciting or supporting etc terrorism, racial hatred or religious hatred.
12. In terms of links posted on your site:
  • Posting a mere link to a defamatory webpage or page which infringes a trademark is probably just about safe (unlike with copyright where it definitely isn't, see below), but really I wouldn't, just to be on the safe side.
  • Don't even link to something which:
    • might have been unlawfully copied without permission - whether it's text, images, audio, video, software etc.
    • could be a leak of confidential information (especially something that is a trade secret or could affect a listed company's share price), or
    • could be criminal speech
  • (You could theoretically be sued just as much as the person who originally copied or uploaded it or said it - and in the case of criminal speech, even face jail.)
13. Do think about whether you may need to take legal advice in more than one country, i.e. at a minimum the countries where you live; where you have assets; where your hosting provider company is from; and where your hosting provider's servers are located. The laws on copyright, defamation etc may be quite different in other countries.

14. If it's important for you to avoid censorship, do investigate the options and pick a hosting company whose country's laws are liberal (from your viewpoint) on defamation, copyright etc laws, and whose servers are located similarly in a liberal country.

15. Do consider responding to the UK government, who are currently consulting on changing the laws on copyright, to bring them more into line with the realities of the digital age following the Gowers review (one of Imp's bugbears: I plan a separate post on that soon!)

Now on to the detail.

The UK position?

There's a lot of info out there on legal risks for blogs and other kinds of websites, e.g. by the excellent Electronic Frontier Foundation (see their legal guide for bloggers and students who blog).

The problem is, most of it is written for Americans. And the law in the UK and other countries isn't necessarily the same as the law in the United States, so unfortunately what holds true in the US may not apply to you or me.

This post is largely based on a very clear, comprehensive and helpful talk on the position in the UK by Robert Lands, Head of IP and Media at UK lawyers Finers Stephen Innocent, at Log in, Blog to, Log out (And Don't Get Sued) on 23 Jan 2008 - an excellent event organised by Own-It. I'd previously flagged it as worth going to, and it certainly was.

So if you run a blog or Web 2.0 service in the UK, read on - I'll try to summarise what he said as best I can, bearing in mind that I'm no expert in this area.

Big red warning

To echo what Robert's put on his slides, this post is for general info only and isn't intended as legal advice, so don't sue me on it! Remember, all this is very general and simplified. If you need advice on your own position, go line the pockets of a lawyer who's expert in the field in the country you need to know about (or in the UK get some free advice from Own-It).

Any mistakes are mine, not his, and I've added or embellished a few things (which I've flagged with "Imp's note") and also added a few links to background info.

Podcast

For those who prefer audio, the talk is going to be podcast. The podcast will probably be available from around early March - keep checking Own-It's podcast page or subscribe to their podcast feed (what are feeds?; intro to podcasts).

Slides

Here are Robert's slides, so you can follow them if you wish, but be warned that my write up isn't always going to follow them exactly:



Now to my summary of Robert's talk.

UK position - Legal Blogging 101

1. Do I have a legal right to say what I like?

In the UK, in brief, no. Freedom of expression / speech isn't as enshrined here as in the USA, sadly for us.

2. Can I get fired if I blog about my job?

Yes, you can.

A blogger in Scotland who worked for a bookstore chain (which he called "Bastardstones") got fired. Imp's note: more on Joe Gordon's story; apparently he was fired for "bringing the company into disrepute", and "gross misconduct".

Maybe that name's a bit obvious, but someone working for a British bank in France changed all the names and still got fired because she posted a pic of herself, and it was said that her employers could have been identified by anyone who identified her.

Imp's note: I don't know if he was talking about the Catherine Sanderson story. If so, she did get fired - but then won unfair dismissal damages, and got a 2-book deal from Penguin from it! However, of course most of us won't get any book deal offers... I try very hard not to blog about my work but still, all this is a major reason why I don't want my photo to be posted online in relation to my blog, and why I hide from the cameras at BarCamps etc.)

Imp's note: Surely there must be a risk not just with blogging, but if you say anything publicly online about your job - i.e. doesn't all this mean that it's worth watching what you say about your job or employer or colleagues e.g. on an electronic bulletin board, in a comment on someone else's blog post, on Facebook, maybe even on any electronic mailing list or group?

3. Do I have a right to remain anonymous?

No, you don't, in the UK.

If you're suspected of copyright infringement or defamation in particular, it's possible they could get a court order against your ISP to reveal your identity.

Imp's note: in the defamation context at least, the USA protects bloggers' freedom of speech and anonymity much better. The European Court in McLibel (see later) had it right about UK libel laws being bad for freedom of expression!

4. Can I get sued?

Yes, you can - no surprises there.

So, on what grounds could you be sued over the content on your blog or website?

There are lots of ways you could get done for content on your site. Unfortunately.

The main ones in the UK, according to Robert, are:
  1. Defamation
  2. Copyright breach
  3. Trade mark infringement
  4. Disclosing confidential information
  5. Certain types of expression or speech which by law are criminalised (e.g. inciting racist violence).
Defamation is probably the biggest risk for most of us, Robert thinks.

Imp's note: I believe copyright is as big a risk, personally, because bloggers quote from news sites or other blogs etc a lot, or link to them - and similarly for photos and pics.

Defamation

The basics

Libel vs slander - libel is recorded (e.g. writing, podcast), slander isn't (speech that's not recorded). Perhaps the former is potentially permanent, the latter more transitory. But they're both forms of defamation.

What's a “defamatory imputation”? To defame someone means to "To lower the estimation of a person in the eyes of right thinking members of society" - a rather quaint archaic formulation, but it is what it is.

"Vulgar abuse" isn't defamation. (Imp's note: but it's hard to know where do you draw the line, when does something go beyond mere abuse? So it's good news that some judges at least are being more sensible about all this, and saying that even something which is strictly defamatory could be so trivial that it doesn't justify invading the privacy of the "saloon bar moaners" who said it - see the Sheffield Wednesday case article.)

Imp's note: Afterwards, some of us were discussing it and had heard that mere opinion should not be treated as defamation too. Perhaps Robert didn't mention it because it's a defence as "fair comment" only if it's based in fact, which in practice is too hard to show?

You can't defame a group. So, "all men are lousy cooks" isn't defamatory. But you can defame a class, e.g. if you said "all men who work in the kitchens of hotel X are lousy cooks".

For bloggers, and indeed users of message boards and the like, the main problem is that the law hasn't caught up with technological reality. In terms of defamation, we are judged by the same standards as professional journalists and publishers (see the section below on defences). If we fall short of those high standards, we can be sued.

Robert outlined the famous McLibel case, the longest running trial in English legal history, where hamburger chain McDonalds sued Helen Steel and Dave Morris for libel. They'd handed out “What’s Wrong With McDonalds” leaflets outside McDonalds, though they didn't write them. While McDonalds won in the end, the saga was a huge PR misfire for McDonalds, as millions of people read the leaflets online as a result of hearing about the case, when only a few hard copies had ever been handed out! And of course there was much publicity about the health etc issues McDonalds were accused of.

Imp's note: the European Court of Human Rights also (to quote Wikipedia) ruled that "the original case had breached Article 6 (right to a fair trial) and Article 10 (right to freedom of expression) of the European Convention on Human Rights and ordered that the UK government pay the McLibel Two £57,000 in compensation. In making their decision, the ECHR criticised the way in which UK laws had failed to protect the public right to criticise corporations whose business practices affect people's lives and the environment (which violates Article 10) and criticised the biased nature of the trial due to the defendants' lack of legal aid, the complex and oppressive nature of the UK libel laws, and the imbalance in resources between the parties to the case (which violates Article 6)."

Defences to defamation

The main possible defences to a defamation charge are:

Justification - that what was said was true. The problem is the burden of proof - it's up to the accused to prove what was said was true, not for the accuser to prove that it was false. So the poor blogger would have to show that what they said was correct.

Qualified privilege (for responsible journalism). Robert's firm was involved in the leading House of Lords case on this (the highest court in the UK), called Dow Jones v Jameel. This case improved the position for journalists, but it's still a high hurdle as you have to show that you investigated your sources thoroughly and really checked out the story. Now, how many bloggers or posters on forums or MySpace are going to do that?

Service providers - there may also be defences for "service providers" - see later.

Defamation - FAQs

1. My server is in Mongolia, which country’s laws apply?

If you defame someone with a reputation in the UK, and your webpage or blog is accessible in the UK,then they can sue you under English law - it doesn't matter where the server is located.

2. Do I have to comply with all laws all over the world?

Theoretically, yes! The Net is accessible pretty much globally.

But in practice it may not be an issue if you don't have any assets in a particular country.

Imp's note: I suspect you may also need to think about whether you're ever going to physically visit or live in a particular country, too, not just whether you have assets there. If country X flings people in jail for libel, you defame someone (maybe a citizen of X), and they sue you in X, then even if you've no assets in X it might not be a good idea to visit X!

Also, to me it's not just money but also freedom of speech. If your server is in X and you get sued in X, even if you have no assets there and don't ever plan to go to X, they could shut your server down. Of course, you could move your hosting to another country instead, but there's still the inconvenience factor.

In other words, I guess you have to be sensible and consider which countries' laws are most likely to be able to affect you in real life, whether financially or in terms of censorship, and then take advice from experts in those countries if you need to. To me, it seems the main countries to be concerned about (though of course there could be others) are where:
  • you live
  • you have assets
  • you're likely to visit
  • the server hosting your site is located, or
  • the company owning the server hosting your site is from, or is located (as their country's courts could order them to shut down your server even if located in a different country).
While Robert discussed different countries' laws in the context of defamation, I believe this is a more general legal risk point because you may have to think about "Which countries could I get made to pay money in or be censored by?" in the context of copyright laws etc too - see below. /Imp's note.

3. Is it OK if I make clear I’m quoting someone else?

No. Re-publishing a libel is the same as publishing it, in the UK. You could get sued as much as the person who originally said or wrote it.

Imp's note: what about just linking to a defamatory comment, without quoting it? I asked Robert about that afterwards. He thought that would probably not be defamatory if it was a mere link. Still, I wouldn't take the chance, myself!

Imp's note: it seems that, in the USA, you can't get sued for just repeating a libel, at least if you just republish it unchanged without adding your agreement etc! - the person defamed has to sue the original source, whoever originally said or wrote it, which is surely the more sensible approach.

4. Are you responsible if someone takes your comments out of context?

No. Context is very important. It can make something defamatory which otherwise wouldn't be; you can defame by innuendo, on the basis of extrinsic knowledge which is not apparent from the words used.

In the 1930's a newspaper published a picture of an amateur golfer with a chocolate bar. That was considered very defamatory because it suggested he'd been paid by the chocolate company to play golf! (In those days golf was an amateur gentlemen's sport..)

5. I’m flat broke so can’t pay damages - will anyone bother to sue me?

Maybe not, but they may still sue you to try to protect their reputation, as in McLibel (even though that backfired on McDonalds).

In other words, they could sue you to try to shut you up, censor or gag you.

How can you protect yourself if you run a blog, board or Web 2.0 site?

If you're a Web service provider, if your site contains other people's content, e.g. a video sharing site or photo sharing site or indeed online forum or even blog, are you responsible for clearing your contributors' or users' content? (Imp's note: I've added "blog" because other people can add comments to your posts, what if they say something defamatory? I asked Robert afterwards and he agreed that I had a point there. I've since searched and found that you could potentially be sued for not removing defamatory comments from your blog too - e.g. see this post.)

Service provider defences

There are two main defences for service providers in the UK:
  • Defamation Act section 1 – “Innocent Dissemination”. You have a defence from a defamation suit if your site was just a conduit for the defamatory content and you didn't know it was there - as long as you remove the offending content once you know it's there, or have been given notice that it's there.

  • Electronic Communications Regulations 2003 - “Mere Hosting” (Imp's note: was this meant to refer to the Electronic Commerce (EC Directive) Regulations 2002?). This is similar to innocent dissemination but broader, in that it covers being sued for breach of copyright too.

Notice and Take Down Policies

As a result, it's important for providers to have a "notice and take down policy", unmissable by your contributors / users / readers.

This should make clear that you won't monitor posts (if that's the case) - but that you do reserve the right to delete their posts or comments, and you will if it's unlawful or you've been told that it is, and you won't have any liability to the poster if you do. (No doubt Robert's firm or other IT lawyers can help with the wording!)

The Mumsnet Story

There have been plenty of reports about what happened to parenting forum Mumsnet. This forum, mostly frequented by young mothers, has about 100,000 subscribers making 15,000 posts per day (about 5.5m per year).

There were discussions about controversial parenting guru Gina Ford, who's written various books on parenting techniques. Some people were very critical of her, and her lawyers asked Mumsnet to take down the posts.

Mumsnet felt that the posts concerned were not defamatory (I won't repeat them here, I thought they were just silly & they made me laugh!), and they refused to take them down.

Eventually someone said something else about Gina Ford (which I won't repeat here, just in case - but it was so absurd that even though it was obviously negative about her, there's no way anyone could have believed they were true! So personally I don't understand how they could have been thought "defamatory" in the strict sense.)

Gina Ford then wrote to Mumsnet's ISP instead (who hosted the bulletin board, I assume) and they threatened to close the site down so Mumsnet had no choice but to remove the threads in question. Gina Ford still sued for damages and an apology, and it was settled in the end with a jointly agreed statement and no admission of liability (Robert's firm helped Mumsnet in all this).

Mumsnet's Problems

Now there were several problems for Mumsnet.

With the sheer volume of posts (5.5 million a year) there was no way they could pre-vet postings, logistically.

They had an abuse policy, and they abided by it – they didn't take the postings down because they didn't believe those postings were defamatory. The problem is that, by abiding by their abuse policy, they were effectively taking an editorial decision.

So they couldn't use the "innocent dissemination" / "mere hosting" defences, which are only available to passive conduits if they remove material once they've been notified that it may be defamatory. It doesn't matter if they believe there's a defence, they should have immediately taken it down.

Because the defence can only be invoked by those who take down immediately, UK service providers for their own protection will therefore take down first and ask questions later. This means it's very easy for people to censor posts or websites they don't like, just by claiming that they're defamatory - effectively it's for the site or users to have to spend the time and money to show why the material taken down wasn't defamatory etc and should be put back up.

All this really does raise important questions about freedom of speech in the UK (Imp's note e.g. see the New York Times article about the use of UK libel laws to try to silence critics). Should the law be changed? Websites are not newspapers, but they're treated in the same way.

In my personal view defamation law in the UK is surely out of date, and civil liberties are suffering for it. As an aside I have to say I've always thought that something was wrong with the system in the UK generally, when celebrities can get millions of pounds for injury to their "reputation" while people who are physically injured, even permanently, e.g. by drunk drivers, rarely get enough to be worth anything, never mind compensate them for the health issues they'll have to suffer for the rest of their lives.

As previously mentioned, the position is very different in the USA in relation to defamation. Imp's note: However, it's not all perfect in the land of free speech - for copyright rather than defamation reasons, the "take down first, ask later" practice has now become the norm in the USA too, e.g. what happened to me in relation to my vidcasts of the BBC iPlayer, when effectively the BBC used US copyright laws (the US DMCA) to silence what they thought was a leak (though it wasn't, and even though they later apologised to me). I don't think it's right that the DMCA can be abused, either.

Imp's note: here are some more links I found on defamation and ISPs, or defamation generally -

Copyright Issues

In the UK, you could also get sued for copyright infringement.

This mainly means copying someone else's work without permission, whether it's text, photos, music, videos etc. So quoting someone, reproducing their text or picture or video on your site, playing their music on your site - that could all get you into copyright doo doo. And a big gotcha to watch is that you can be done for "copying" even when you've only copied just a bit of the work - you're not allowed to copy a "substantial" part of their work, but it isn't clear what "substantial" means; it's a qualitative test, and if the bit that you've copied is recognisably from that work, then you've probably copied a "substantial" enough part to be infringing. Imp's note: That could include just a few notes of a tune if it's the "hook", for instance.

Even creating derivative works (adaptations) or parodies of someone else's work could get you into trouble for copyright infringement (unlike in the USA - again! - where parody is allowed in the interests of freedom of speech. The UK Intellectual Property Office are currently consulting on changing the copyright law to allow parody, I'll be writing more on that another time, but please do write in to say that you support that liberalisation, if you do).

Another copyright no no in the UK is "authorising" a copyright breach, doing something that promotes copying. Electronics company Amstrad was sued over this, because they made a twin cassette deck unit which, it was argued, made them an "authoriser". The court said that the machine could be used for legitimate things too, so Amstrad won.

While it's now less easy to be done for "authorising", there's a newer (and likelier) way in which you can be sued for copyright - namely, "making available" - making an infringing copy available to the public. That includes just linking to e.g. an unlawful copy of text, music / audio or video (which someone else has copied and uploaded), illegally copied software, etc - even if no one actually downloads or opens it via your link. Having the link to the material on your blog or site is enough.

Imp's note: see this fuller list of things you can't do without the copyright owner's permission, and the moral rights of the copyright owner.

Imp's note: this post isn't about how you protect your own work from being copied etc by other people without permission. That was briefly discussed at the talk, e.g. using the © symbol (Imp's note: and your name and publication date) - but I won't deal with it here. I do plan a post on it in future though.

Trade Marks & Domains

If you refer to a famous (or even not so famous) brand in your blog post or website, or show their logo to illustrate your post, does that get you into trouble on the trademark front?

Now if you just mention a trademark in your blog, e.g. that you like the taste of Coca Cola (which I do! Pepsi, eeeww), and you're clearly not using the trademark to indicate the origin of your blog as being from Coca Cola, then that's unlikely to be a trademark infringement. (Imp's note: I guess that's why I see websites and blogs saying "this site isn't associated with X in any way".)

What about if you use X's logo? It's probably best not to, as it might be taken to indicate that your blog comes from X, but in practice many people do that in blog posts. Putting a disclaimer ("this blog has nothing to do with X" etc) would probably help.

Trademark dilution is more of a potential problem. That's where you do something to dilute or cheapen a trade mark. There was an example where, in an article about Dutch electronics company Philips possibly having collaborated with the Nazis during World War 2, they displayed Philips's logo but replaced the stars with swastikas. That was "dilution".

So, you need to be careful about dilution, especially with parodies, and especially in the USA where it's more of an issue now since the US Trademark Dilution Revision Act 2006 which made the standard "likely dilution" (instead of actual dilution) - so as long as what you did was "likely" to dilute the trademark, you can be sued even if it didn't actually dilute it.

Domain names are another area to watch. If your site's domain name includes someone else's trade mark, they could take the domain name away from you.

Imp's note: what if other people had put up the trademark infringing content on your site, e.g. in a comment or in a forum post? Is that covered by the service provider protections too?

Imp's note: what if you link to a webpage that contains trade mark infringing content? I asked Robert that afterwards, and he thought it was probably OK - but again, safest not to do it, and I'd remove the link if I heard the content was infringing, just in case!

Confidential Information

You can be sued over confidential information eg trade secrets, revealed on your website, and an injunction granted to make you remove the material as well as perhaps pay damages.

Care particularly needs to be taken about giving out any information about your employer. By law employees have an obligation of trust to their employer, and revealing details about your employer or work to the public could be considered a betrayal of that trust, especially if your employer is a listed company (whose shares are listed on a stock exchange) and your information could affect its share price.

However, that doesn't mean that your employer owns the copyright in your blog. Normally, they won't, unless you've e.g. been employed to write a blog for them. They do have copyright in what you produce during the course of your employment, but not what you do privately - so e.g. if a lawyer wrote a blog about technology their employer wouldn't own the copyright in their blog, unless their employment contract says they do - and some contracts do say that!

Imp's note: so, best to check your employment contract, just in case.

Imp's note: what about if you link to something that is confidential information which shouldn't be disclosed? Again I asked Robert about this afterwards, and he thinks that (along with linking to copyright-infringing material) this is the key area where you could be at risk of being sued for a mere link. So avoid doing it!

Criminal Speech

There are other ways in which you could be sued or even charged with a criminal offence in the UK, over material on your website.

The main ones are:
  • Contempt of Court - talking too much about an ongoing trial (Imp's note: newspapers often report high profile trials, so exactly what details are too much or shouldn't be discussed or revealed? This wasn't covered in detail at the talk.)

  • Terrorism Act 2006 - inciting, encouraging or supporting terrorism

  • Racial and Religious Hatred Act 2006 - pretty self-explanatory, inciting racial hatred etc

  • Blasphemy - this crime is so old in origin that it only applies to the Christian religion. Even so, in 2007 someone tried a private prosecution over "Jerry Springer: The Opera" for blasphemy, and last month they lost - the judge said that for something to be blasphemous it must be so offensive in manner that it undermines society generally. The last successful prosecution for blasphemy was over 30 years ago - so it's probably toothless. Still, don't forget the Religious Hatred Act.
Imp's note: This wasn't mentioned in the talk, but if a blogger is sued in the UK to reveal their sources, are they protected here in the same way as journalists are? At least one UK lawyer thinks so. I guess we'll see...

What about Deep Linking?

This wasn't discussed at the talk at all. Deep linking is linking straight to a specific page on a site, rather than their main home page. I know many companies don't like it and do their best to stop people doing it (e.g. LG Mobile have succeeded, via technological tweaks, in doing that and making life much harder for their users). But I don't know if you can be legally done for deep linking in the UK?

The other talk at the 23 Jan event comprised some very interesting thoughts on the evolution of blogging by Dan Hon. I'll cover that in a separate post.

Saturday, 26 January 2008

Be in a BBC documentary?






Fancy being on the Beeb? For a forthcoming BBC 3 documentary on the nature of fame and celebrity, the BBC are looking for people to play the role of the paparazzi in a music video.

If you're free on Sunday 17 February 2008 in London, why not apply?? Stephanie.seabrook@bbc.co.uk

No singing abilities appear to be required. But presumably snapping ones? I suspect they're not paying anything, either, but hey you'll be on the telly...

How to secure BTHomeHub, SpeedTouch, other routers; & don't click dodgy links!






If you use for your home broadband connection:
be warned that your router could be at risk of being attacked and controlled by bad hackers. (Your router or residential gateway is the box you use for your computer's broadband connection, usually connected between your computer and your DSL or ADSL copper phone line.)

Here's a list of some suggested security tips in the form of "do's & don'ts" - the scary stories after the list should be enough reason to take the list seriously and to take the precautions mentioned!

Don't -

Don't visit other websites while you're logged in to your router's main control page (or indeed perhaps any other passworded webpage), particularly if you have the LinkSys or Alice Gate router mentioned. This issue shouldn't be a problem unless you visit a very specific kind of dodgy site (e.g. through clicking an innocuous seeming link from an email or another webpage), but why take the risk?

If you need to login to your router, for safety's sake don't have other webpages are open in the same browser (or indeed perhaps any other browser), and don't even think of surfing to anywhere else until you've logged out of your router interface.

Do -

1. Password protect your router

Make sure a password has to be entered to reconfigure your router, and also change the password from the standard default password that came with the router to a secure one that you've made up.

BT recently prompted their users to change the password, but I don't know if that was as standard, or only if you tried to visit your router configuration page (and how often do most people do that?)

Later below is a practical guide on how to change the password on the BTHomeHub.

2. Deactivate UPnP

If your router has UPnP (Universal Plug & Play), disable it (unless you need to use it of course) - again, I give a step by step howto below on how to disable or deactivate UPnP on the BT HomeHub router. It should be similar for other kinds of routers, you just need to hunt around the settings and keep trying different options, hopefully the screenshots below will help.

Heise Security also recommend changing the default subnet - "usually 192.168.1.0" - to another one like 192.168.23.0. Now here, I can guess what they're getting at (change the default settings to something less common so the bad guys can't figure it out so easily), but I'm less sure what they mean - change the default gateway's IP address? The IP addresses of the individual computers on your network? Anyone know?

3. Use Firefox with NoScript

Use the free Firefox browser to visit sites (rather than e.g. Internet Explorer), but in conjunction with the free NoScript add-on which blocks many kinds of attacks (including cross site scripting vulnerabilities in router logins, mentioned below).

NoScript is very easy to use and lets you selectively allow only the websites you trust, do if you don't have Firefox already, consider with NoScript; and also see how to configure Outlook to open emailed links in Firefox automatically, instead of IE).

4. Be suspicious of links in emails, bulletin boards or forums, websites, chatrooms etc

Be very careful about clicking links sent in emails, posted on message boards or websites or in chatrooms etc - it may look innocent (and of course the bad guys will try their best to make you think it's legit or worth clicking), but if it sends you to a dodgy site, they can take over your browser, router, and your computer, without your realising it. Ahem, this means in particular links to porn or "software crack" sites or other illegal content offered for "free" - TANSTAAFL! Only click links you absolutely trust. Bad guys can spoof emails so that they appear to come from your friends or family. Remember the key "Don't"!

If you absolutely have to click an unknown link, as mentioned above make sure you're not logged in to your router at the time. Indeed, a Gmail vulnerability - since fixed - meant that if you clicked certain malicious links while you were logged in to your Gmail account (in another browser tab or window), the attacker could then read all of your Gmail, even if you later logged out of Gmail, via a technique known as CSRF (cross site request forgery). So if you've the slightest doubt about any link, make sure you're not logged in to any passworded site before you click it, and indeed you might want to close every other browser tab & window before you click it, and make sure you visit that link using only Firefox with NoScript.

Scary stories

1. Clicking on malicious link, with un-passworded router

Mexican users were sent an email with a link, supposedly to an e-greeting card. When they clicked that link, attackers used the user's email software behind the scenes to change their router settings (if it was a particular kind of router popular in Mexico), so that if the user later tried to go to a well known Mexican banking site, they were sent instead, invisibly, to the bad guys' phishing site - which they'd set up to look just like the real banking site.

So the user would unknowingly enter their user logon / password details for the banking site, and then of course the criminals had got their banking login details. This is
a form of "drive by pharming". Now in that case, no password was needed to reconfigure the router, so the baddies were able to take it over.

(See
Heise post for details. Making use of a HTTP GET request, if you must know!)

2. Clicking on malicious link, while logged in to router (LinkSys WRT54GL, or Alice Gate 2 Plus WiFi model, others?)

Click on a dodgy link while you're logged in to your router's configuration page, and attackers can turn off your LinkSys WRT54GL firewall, turn off your Alice Gate 2 Plus wi fi encryption, and generally open your computer up to all kinds of attacks. And also make other changes to your LinkSys router too, e.g. like perhaps like the Mexican attack above if you visit banking or similar sites.

As & when LinkSys come up with a fix (they haven't yet), obviously you should upgrade!

(See
Heise posts and Neohapsis for technical details.)

3. Clicking on malicious link, with UPnP active on router (it's active by default on the BTHomeHub, and perhaps SpeedTouch routers)

Making use of cross-site scripting (XSS) holes in the login dialogue of BTHomeHub etc routers, attackers could change your router settings via UPnP in order to get through your firewall and change other router configurations, and perhaps also expose you to phishing attacks to get your banking login details, as in the Mexican example.

Note that even if you're using Firefox with NoScript, this particular attack may still work if there are special Flash applets on the malicious site - unless you've disabled UPnP.

(For techie details see Heise post and GnuCitizen posts.)

How to change your router password and turn off UPnP (BTHomeHub)

If you have a BTHomeHub router:
  1. Make sure all other webpages and tabs are closed, just in case!

  2. Go to your router configuration page, usually http://bthomehub.home/

  3. To change your password

    1. On the left, click Basic Config, and enter your existing user name and password when prompted. (The default user and password for the HomeHub is admin and admin!)


    2. Then under Basic Config on the left, click Admin Password:

    3. Enter your old then new passwords, and click Change Password, and that's it. Don't forget your new password!


  4. To disable UPnP

    1. On the left, click Advanced


    2. Then click "Continue to advanced" (and enter user / password again if prompted)


    3. Under Configuration on the left, click Application Sharing


    4. Under Application Sharing on the left, click UPnP


    5. UNtick "Use UPnP", and click Apply.


And be safe out there!

Macs: free virus scanner ClamXav for ClamAV






If you use an Apple Mac computer you might want to try a free, open source virus scanner called ClamXav which provides a user-friendly interface to the open source ClamAV anti-virus software.

I don't have Mac OS X myself so I haven't been able to test it, but free anti-virus software has got to be worth trying as I gather that most Mac anti-virus software isn't cheap.

Via Heise Security, who have a bit more info about ClamXav 1.1.

Sunday, 20 January 2008

BarCampLondon3 video: use Yahoo! Pipes to build your lifestream






As you'd expect from the title, this video from BarCampLondon3 in November 2007 is a quick practical run through by Cristiano Betta of how to use Yahoo! Pipes to build your "lifestream" - no, that's not "lifestream" in the sense of a cult religion, before you run away! (In fact Cristiano beat me to it in finding the video I'd uploaded before I'd had a chance to blog it).

Yahoo! Pipes lets non-programmers build mashups relatively easy, by drag & drop etc, of content from different web sources, as long as the source has a feed whether Atom, RSS or other XML (see my introduction to feeds - Pipes are obviously another great way of making use of feeds).

The official description of Pipes: "an interactive feed aggregator and manipulator. Using Pipes, you can create feeds that are more powerful, useful and relevant."

In this case, Cristiano grabbed feeds from blogs where he's a contributor, then filtered out the other posts to leave only his posts, then combined his posts with his feeds from other web services like Flickr, Delicious, Twitter and Upcoming - so he could display a single combo webpage with all his sources: his "lifestream".

Cristiano's blog also has his guide in step by step text format. It does need a few extra steps but I shall leave the Javascripting to experts like Kirk! I've been meaning to have a play with Pipes since it first came out, but it's one of my get a round tuit things...




BarCampLondon3 video: self-publishing via Lyx & Lulu






This video of a BarCampLondon3 presentation in November 2007 may be of interest to writers, journalists and aspiring writers.

It's a guide to the art of self-publishing - how to publish and distribute your own (hard copy) book, or indeed thesis or dissertation, DIY, using various tools and services such as the open source Lyx word processor, GIMP for cover / illustrations, and self-publishing website Lulu. It's by Victoria Lamburn, who's published quite a few fiction books of her own.

There's a detailed overview of Lyx and its advantages - it's LaTex-based WYSIWYM (what you see is what you mean) and, in her view, produces better typography, control of fonts etc than Word or Writer - in terms of kerning, ligatures etc - basically how to get your book to look professional, presentationally, even if you're not a typesetting expert.

There are tips e.g. on the image you want to use for your cover, the benefits of submitting to Lulu in PDF format, and a short overview of Lulu and its options (such as privacy settings you control, with limited access only to your work; size of the book, etc), tips on submitting to Lulu including the importance of keywords (tags), and the potential of much better profit margins for the author than with conventional publishers. Different distributions are available e.g. through well known online booksellers like Barnes & Noble, Amazon, or you can choose to exclusively distribute and market it yourself, etc.

Lulu can also be used for distributing music via CDs and videos via DVDs. It does seem to really empower the creative in relation to controlling and setting your terms for distribution, pricing, etc - and seems a relatively economical way to get your work out there, too. To me, services like Lulu are one of the great developments have come out of the rise of the Internet.



Thursday, 17 January 2008

Dataportability explained: short snazzy video






Coincidentally, soon after my last post with the video of Ian Forrester's presentation at BarCampLondon3 on data portability and Dataportability.org, I came across this brief "plain English" video by Michael Pick of SmashCut Media, which explains the benefits of data portability for non-techies: a PR promo video for Dataportability.org, if you like - though there's no writhing lithe ladeez or gentz, sorry to disappoint you, it doesn't try to take promo that far!

It's called "DataPortability - Connect, Control, Share, Remix" and you can view it below:


DataPortability - Connect, Control, Share, Remix from Smashcut Media on Vimeo.


Via Common Craft (whose own excellent explanatory video for non-geeks on RSS feeds I've previously recommended).

Monday, 14 January 2008

BarCampLondon3 video: data portability






This video from BarCampLondon3 in November 2007 is of BarCampLondon organiser extraodinaire Ian Forrester, talking about the the dream and goal of data portability - standardisation of identity and other personal data and its exchange (and controlling its sharing and privacy), notably the laudable Dataportability.org initiative which seems to be increasingly gaining momentum, with lots of the great & the good of the Net already involved, such as Ian himself. To quote from their site:

"Philosophy As users, our identity, photos, videos and other forms of personal data should be discoverable by, and shared between our chosen (and trusted) tools or vendors. We need a DHCP for Identity. A distributed File System for data. The technologies already exist, we simply need a complete reference design to put the pieces together.

Mission Mission To put all existing technologies and initiatives in context to create a reference design for end-to-end Data Portability. To promote that design to the developer, vendor and end-user community."

Of course, cautious paranoid that I am, a major point to my mind is total user control of privacy settings - it's my personal data, I'll only want to use a system that lets me control, easily but quite precisely, exactly which people or groups will be able to access exactly which information about me. Which is the opposite of Facebook -I'm now on it but I admit I don't like it and rarely visit, as Facebook make too much of your data too public by default, which is scary, and opting out is too hard. Both are deliberate, I'm convinced. They also they claim to be able to re-use, as much as they like, for whatever they like, it seems to me, all YOUR data that YOU put on their site. Although to be fair Google seem to claim much the same thing and there's a lot less fuss about that.

Anyway, back on track, I'm sure we'll be hearing a lot more about data portability in future, particularly with increasing convergence of Internet and mobile.



Sunday, 13 January 2008

BarCampLondon3 video: from Web 2.0 to Mobile 2.0 - the transition






Another video from BarCampLondon3 held in November 2007, of a lively discussion whose title is self-explanatory, on how the mobile web might develop. Unfortunately I didn't get the name of the main speaker (I think he was German but there was a big contingent from Germany so that won't help narrow it down much!) - if anyone can tell me I'll update this post to add it. No slides were uploaded.



Wednesday, 9 January 2008

BarCampLondon3 video: DIY user research






This video from BarCampLondon3 is of a session by Leisa Reichelt on how to conduct basic prototyping, user research and usability testing for your service or product, relatively easily and cheaply, and still get decent results.

Obviously the main focus is on web services, with an emphasis on obtaining helpful information on core areas (i.e. your proposition / idea, the structure and basic information architecture, how well you are communicating the key concepts behind your product, and how well you are getting its benefits across to users as well as how to improve the user experience), through simple but effective user research - and on a low budget! Again, the accompanying slides are also below.