YouTube case opens can of worms on online privacy


NET RESULTS:A US JUDGE'S decision to award entertainment conglomerate Viacom access to millions of Google records about user access to video site YouTube - including IP addresses, user names, and viewing records - is a stark reminder that privacy on the internet remains relative and that EU protections may in practice, be meaningless.

The records were demanded as part of a $1 billion copyright lawsuit that Viacom has brought against Google, which owns YouTube. It's the type of lawsuit that has always been predicted for the video storage site and one of the reasons that many web observers wondered how YouTube, in its pre-Google ownership days, would ever find a business plan before going down in legal flames.

For that matter, many still wonder how Google will find an adequate business plan and the lawsuit - and this judge's decision - pinpoints YouTube's Achilles heel.

Yes, YouTube is fabulously popular - according to analyst comScore, some 4.1 billion videos were available on YouTube in April, 38 per cent of all videos offered online, but large numbers of those videos come from copyright material - TV shows, films, videos of concerts and other staged, and hence copyright, events.

Some initial, smaller lawsuits have already gone after YouTube and the site has a policy of removing copyright content when notified. But how do you police 4.1 billion videos?

Fortunately for the site, many media companies and artists have taken a "don't ask, don't tell" approach, realising there's a publicity benefit to the exposure of their shows or performances, while some have no problem at all with uploads for the same reason.

More recently, some media outlets have negotiated arrangements to enable videos to be shown - it's one emerging business model.

But Viacom's lawsuit underlines how potent the issue of copyright remains online and how unlikely any easy and quick rapprochement is between online companies, to enable the sharing of information, and copyright holders.

Caught in the crossfire are individual users of such services. Some, of course, may theoretically be copyright violators themselves, if they uploaded protected content, but the actions of individuals are not part of its lawsuit, Viacom says.

It insists it wants the records - including IP addresses - to determine viewing patterns, which in turn may determine how much money Google might make off of advertising or services linked to given videos or pages on the YouTube service.

That may be. If so, Google countered, then Viacom should allow Google to make the data anonymous so that identifiers such as IP addresses are removed. Viacom has said though that such information and other user detail helps it determine how many times a video is viewed.

If the information is handed over, many users may be concerned at how revealing it may be of their own activity (we do some pretty embarrassing things online in what we often, probably mistakenly, consider the "privacy" of home internet use) and exactly how that detail could be used.

There are much larger questions of why Google needs to retain IP addresses and other revealing data - an issue that is at the very heart of a major, ongoing tussle with the EU that could restrict how Google operates in Europe. Already, the company has had to change some procedures to accommodate EU data privacy regulations.

While Google's public face in the Viacom suit is one of defending its users by requesting IP data be made anonymous before being handed over to Viacom, Google nonetheless stores and processes such information itself.

Google argues that such information is central to providing the many services its users love, but it is extremely difficult to ascertain how so, and how necessarily so, because the ways in which such data is used remains - to some extent, understandably - a secretive part of its business environment.

The EU is currently arguing that IP addresses should be considered personal information and fall under data protection regulation. However, the Viacom case is showing that, as privacy advocates have been arguing, this may mean zilch in real terms.

Once EU users access a service, their details can be stored on servers anywhere in the world and the provenance of those details, in legal terms, becomes murky. Yes, they may be data theoretically protected under EU law but in practicality - as with the Google data - once those details are on US or other servers and demanded under US law for a case that has nothing directly to do with Europeans, it is going to be handed over despite EU protestations - if any.

If the data is, rightly or wrongly, so easily surrendered for a mere commercial case (and some prominent US privacy lawyers argue the Viacom judge was wrong to do so), then one can imagine the ease with which law enforcement might get hold of similarly highly revealing information.

All of which begs the question: what does online privacy really mean? Are EU data safeguards just political window dressing and if so, how can our privacy be better protected, as so many aspects of our private lives move inexorably online?