Archive for the 'privacy' Category

Telephone spam from the bike police (guest post by Arnoud Engelfriet)

Sunday, December 2nd, 2007

Recently, I was enjoying a rare quiet evening when my phone rang. No caller ID. At 9:30pm, I wasn’t expecting a telemarketer, so I took the call. It turned out to be a telemarketer after all, but a peculiar kind: a police officer told me in a stern voice that I had been seen biking at night without my bicycle lights on. That couldn’t be right: if I had been seen, my lights must have been working!

But when I tried to interrupt the officer to tell him that this wasn’t true, I was in for another surprise. This wasn’t a real officer - it was a voice recording!

Was this a joke by one of my friends? Far from it: officer Van Geel was part of an official Dutch campaign to promote bike lighting.

We Dutch like our bikes. We have millions of them, but virtually none of them have a working head- or taillight. This causes over 10,000 accidents, killing 40 and wounding 500 cyclists every year. Although the law has been on the books for decades, the Dutch consider it unfair to suddenly start ticketing people for 20 Euros. This prompted the government campaign “Lights on!” as part of their general “Gets you home” promotions for road safety. That campaign makes sense. But this part of it didn’t.

Telephone spam has been illegal since 1998. Before that, people would get unsolicited telephone calls with prerecorded messages they couldn’t interrupt or turn off. You’re thinking, why not hang up? The computer would just call back a minute later. Most annoying indeed. Thankfully, Directive 97/66/EC and its Dutch implementation outlaw the use of “automated calling systems without human intervention (automatic calling machines) or facsimile machines for the purposes of direct marketing” unless the operator had prior consent. And yes, that includes messages in the public interest.

Still slightly annoyed at being disturbed during the one free evening this month, I blogged about it and returned to my beer. The next morning, my stats had gone through the roof: Dutch shock blog Geenstijl had picked it up! Soon thereafter news site Webwereld opened with a response by the organizers: this was educational so it wasn’t spam. And besides, one of your friends had to have given them the phone number first.

Excuse me?

Yes, that was exactly how this campaign was organized: go to a website, enter your friend’s phone number and they will be called by officer Van Geel. Sure, there was an attempt to get consent by e-mail from the victim first, but that was so easy to fool it wasn’t even funny.

Is this how to teach kids to treat their friends’ personal data? The campaign was aimed at children, after all, including a nice big poster for schools. Kids should be careful whom they give their personal data to, except when someone who looks like a cop asks for it apparently. Right. Not surprisingly, this tattling aspect caused big criticism from the Dutch organisation Parents Online and even from political parties.

It thus shouldn’t come as a surprise that the next Monday, officer Van Geel got an early retirement.

Arnoud Engelfriet is a Dutch IT lawyer and a European patent attorney. He writes about law and technology on his website IusMentis.com. His bicycle lights are in perfect working order.

Japan Picture Book, 2: Sourcing CC-Licensed Images; Mind the Portrait Rights

Sunday, May 6th, 2007

When sourcing additional Creative Commons-licensed images for the Japan picture book I am making from photo-sharing sites such as Flickr, I realized that pictures that portray people are not necessarily free to use, because of so-called portrait rights, despite what the CC license says.

In today’s post, I would like to touch briefly on a limitation to the use of open content in general, with Creative Commons as a particular example. The limitation is that the author cannot give away, by license, more rights than he or she has. In the case of pictures (and videos and other works) that include people, such rights that are not for the author to control may include the right of those portrayed to object to publication on the basis of their so-called portrait rights.

What are Portrait Rights?

In short, portrait rights form a limited right to object to (control) the publication of photos (or videos), on the basis of privacy, a bankable reputation, or both, for well-known persons, persons in private situations and/or professional models. (This is under Dutch law, your mileage may vary depending on your jurisdiction.)

In their contribution [pdf] to The Future of the Public Domain - Identifying the Commons in Information Law (Information Law Series 16, The Hague: Kluwer Law International 2006) Professor Bernt Hugenholtz and Lucie Guibault of the University of Amsterdam summarize it so:

The right to privacy is at the core of so-called rights of publicity or ‘portrait rights’, that provide increasingly powerful proprietary protection to pecuniary interests in marketable names and images of public or less than public figures.

Are Portrait Rights Different in the Context of Creative Commons-Licensed Works?

Not necessarily. Although the law is the same, current differences in process might make for added uncertainty for peer-produced Creative Commons-licensed works. As a result of portrait rights, stock image agencies have developed the practice of licensing out only model-released images, where the model has released his or her portrait rights (and, ideally, promises not to make any claims on the basis of portrait rights). Consequently, there is a reasonable assurance that, as a licensee of such images, you are indeed free to use them. (However, taking a look at the license agreement of a large stock agency, I noticed that their warranty on this point is limited.)

This practice of obtaining model releases does not seem to exist for user-generated/pro-am pictures, although I noticed how on, for example, Flickr, authors sometimes add a “model released” statement, the value of which is uncertain.

How to Deal With Portrait Rights when it Regards Creative Commons-Licensed Works

When using a CC-licensed work that includes people, use common sense and, when in doubt, ask the photographer, and possibly a lawyer. (With regard to Creative Commons-licensed works that mention they are “model released” I might still contact the author to see the extent and any conditions of such release.) Portrait rights, at least under Dutch law, are not always available, and not absolute. Whether your interest in publishing the pictures outweighs the interest of those portrayed is a question of fact. Notwithstanding, you can imagine yourself at the place of those portrayed, and see whether you would welcome publication. When still in doubt, consider using suitable alternates.

In my opinion, the issue of portrait rights increases the transaction costs (contacting the photographer and/or looking for alternates) of using CC-licensed works, at least for those images that include people and for which you are not sure that no portrait rights are applicable.

So, not to finish on too gloomy a note, two portrait-rights related bonus links. One, World Portraits (“a fair trade photo collection of people from around the world”), an initiative from the Dutch press agency ANP whereby those portrayed receive a royalty for the use of their image. Two, Fotos Encontradas, a site from Argentina with an amazing collection of found photos, more often than not (family) snapshots and portraits.

‡‡ [This is a post from Technology Law Culture: http://tlc.oosterbaan.net//. Olivier Oosterbaan, IT and media lawyer in Rotterdam, the Netherlands, maintains this blog.]

(Picture by: Tss, me again, under an Attribution 2.0 license. I did *not* get a model release from the Japanese youngsters portrayed.)

Dutch Court: ISP Required to Give Personal Data and Terminate Subscription of Bittorrent Server

Sunday, February 4th, 2007

In a 5 January 2007 ruling a Dutch district court held that an ISP had to provide personal data of a subscriber, who maintained a bittorrent tracker site, to the anti-piracy organization BREIN. In Brein v. KPN Telecom, the district court of The Hague held in summary proceedings that the tracker admin was liable for its actions under tort, but did not infringe copyrights directly. (This would be similar to the U.S. vicarious liability or contributory infringement actions.) In addition, the court held that the ISP was required, on equitable grounds, to provide name and residence information of its subscriber to BREIN, and terminate the connection of the subscriber if the same site would again come online.

This case confirms and develops Supreme Court case law that an ISP might be held to provide to copyright holders personal data of a customer under a theory of tort. (Pessers v. Lycos, in Dutch.)

Interestingly, the lower court here dismissed the claim that the mere provision of a bittorrent tracker site (and the tracker files) constitutes distribution or the making available of copyrighted works, and therefore a direct copyright infringement.

This case is the most recent installment in the ongoing scuffle between ISPs (and indirectly some of their subscribers that are likely infringing copyrights) and copyright holders and collecting societies.

An Adamant Maintainer of A Tracker Site

A broadband customer of KPN, the Dutch incumbent, decided to run a bittorrent tracker site from home, over the ADSL connection provided by KPN. The tracker dutchtorrent.org charged a fee for access to the site. So, although presumably no directly infringing material was hosted on the server, the tracker did allow for massive infringement by the users of the site. BREIN did apparently send a cease and desist letter to the admin, which the admin chose to ignore. The website did go off-line, but the admin did not provide BREIN with a written confirmation that it would not go online again, a customary request in connection with a cease and desist letter. In fact, the admin did post some belligerent statements (on the site or elsewhere on the Internet, that is not clear from the ruling), indicating the intention to go online again in the future.

BREIN was not able to determine the name and address of the website admin via public sources and consequently, BREIN was not able to hold the admin liable, in court or otherwise. Since KPN did not provide the information on request either, BREIN decided to sue KPN in order to obtain information on the identity of the bittorrent tracker site admin.

To get the court to require KPN to provide the information, BREIN would have to show that its interest in being able to hold the admin liable outweighed the interests of KPN and the subscriber.

From the ruling, it appears that the court grokked well how bittorrent, and a bittorrent site, works: no actual distribution of files takes place via the site, but the tracker files allow visitors of the site to download and upload files (most often, copyrighted works).

Consequently, the court did not go along with the claimant's argument that the making available of the tracker files constituted the distribution or making available of copyrighted works.

The court did however hold that, on the basis of the “mere nature of the files,” the admin of the site must have been aware that its site facilitated, in a structured manner, infringement of copyrights and neighboring rights. It is not entirely clear from the published judgment, but I would assume that this is on the basis of the file names of the tracker files, which included “Over the Hedge” and “The Devil Wears Prada,” and not on the basis of the mere bittorrent protocol.

This, and the fact that the admin charged a fee for access to the site, amounted for the court to a breach of the admin’s duty of care toward the copyright holders. The court did not go along with the claim of the ISP that BREIN, the claimant, did not provide a specified or itemized list of torrents relating to protected works when sending a cease and desist letter to the admin.

A Hesitant ISP

In November 2005, the Dutch Supreme Court had held in Pessers v. Lycos that an ISP could be held to provide subscriber data under certain circumstances. This is separate from any safe-harbor provisions under the eCommerce Directive, which provide the ISP protection from liability for acts of infringements by its users.

In its defense, KPN tried to widen the requirements of Pessers v. Lycos, to include that the claimant did not obtain initial information illegally, a likelihood that the subscriber acted tortiously, and that the subscriber data is likely to lead to the actual person who acted tortiously.

The court did not go along with this and required, on the basis of the previously established rule in Pessers v. Lycos, that KPN had to provide BREIN with the subscriber data.

Most importantly, the court held that BREIN was not required to exhaust alternative means of trying to obtain the name and address of the admin, before it could turn to the ISP.

BREIN had also asked that KPN terminate the subscription of the bittorrent site admin, insofar as the admin would maintain the same or similar tracker sites. The court also honored this request, going beyond the safe-harbor provisions of the eCommerce Directive, but not entirely. (This is possible, as the Directive is not exhaustive and allows for additional procedures or measures in the Member States.)

Recognizing the difficulty for KPN if it had to judge whether or not subscriber conduct was tortious, the court held that KPN had to terminate the access of the subscriber upon request from BREIN, but only if the same dutchtorrent.org (or a completely similar) website would go online, under threat of a EUR 1,000 a day fine.

And this is, I think, the most important aspect: having to judge the illegality of customer behavior requires resources from an ISP, and potentially exposes the ISP to liability towards subscribers for removing content or terminating access, liability that might not be entirely written away in the applicable terms and conditions.

And a Determined Anti-Piracy Organization

To my knowledge, this is the second time that BREIN wins a case against an ISP, asking the ISP to provide subscriber data. (The first time was against the ISP UPC/Chello in the summer of 2006.)

According to BREIN (“the joint anti-piracy program of authors, artists and producers of music, film and interactive software”) they shut down some 115 sites in 2006, totaling 1.5 million users. (Source, in Dutch.) I am not sure what the total number of larger tracker sites was, but that is an impressive number.

A Summer Make?

As this case again shows, the EU safe-harbor rules harmonize liability for, amongst others, copyright infringements, only up to a point. National judges can, under their national civil law, go above and beyond that, and they are getting the cases that allow them to do so. It does not make ISPs liable for now, but they clearly do have an additional burden to provide subscriber data under certain circumstances. The Netherlands is becoming an interesting jurisdiction to seek standing.


(Picture by: me, of a torrent in the North Cascades mountain range. Some rights reserved: BY-NC-ND 2.5 CC license.)