Revenge Porn, Copyrights and Data Ownership: Where Does Our Data Begin and End?

By Jedidiah Bracy, CIPP/US, CIPP/E

There was an interesting article in The Atlantic Monthly this week about revenge porn and copyright law—and I’m hoping some of you out there can help me.

But first, let me step back.

Of all the vile things on the Internet, revenge porn lingers at the top; and of all the vile people facilitating such vengeful filth is Hunter Moore—also known as the “Most Hated Man on the Internet.” Moore was recently arrested for actions taken to create his website IsAnyoneUp. Moore, according to a court indictment, had help from Charles “Gary Jones” Evens to hack into the e-mail accounts of certain victims to find, steal and post naked photos—often with the victim’s profile and contact information juxtaposed next to the photo. The site was also the receptacle of compromising photos sent in from jealous ex-spouses.

One charge against Moore and Evens relies on the controversial Computer Fraud and Abuse Act (CFAA) for their “unauthorized access of a protected computer to obtain information.” Depending on the case, victims can use state voyeurism or Peeping Tom laws, defamation suits or false light claims.

But these actions are generally only successful against the submitters of compromising photos, not the website hosting them, because of Section 230 of the Communications Decency Act. Service providers are not liable for user-generated content. The law came about after the financial firm portrayed in The Wolf of Wall Street successfully sued service provider Prodigy. Lawmakers worried such liability “would crush the Internet.” Indeed, I am reminded by the case in Italy against Google Global Privacy Counsel Peter Fleischer, who, along with other executives, faced jail time after a company-owned video streaming service hosted a video uploaded by Italian students mocking another student. After almost four years, the case was finally closed, but not without giving Fleischer and the others a good scare.

Without Section 230, as Atlantic columnist Amanda Levendowski points out, restaurants could sue Yelp for bad reviews. Not only would the Internet be crushed, so would the First Amendment.

She also points out the danger of the CFAA, in that its language—drafted in the mid-1980s—is notoriously vague. “Giving prosecutors as poorly drafted a law is like putting a wounded antelope in front of a lion,” she writes, “they can’t resist going for the jugular.” Anyone familiar with the plight of the late Internet activist Aaron Schwartz knows this reality all too well.

But, there is a lot of motivation to prevent these bottom-dwelling revenge porn websites. So far, three states have revenge porn laws. Levendowski, rightly, I believe, worries that more laws will only give us a “CFAA 2.0.” A bigger, badder and more dangerous, albeit, well-intentioned law.

So here’s where some of you lawyers can step in.

Moore, while explaining his legal position for why he can get away with what he does, on Bob Garfield’s When On The Media, said this:

“[B]ut when you take a picture of yourself in the mirror, it was intended for somebody else so, actually, the person you sent the picture to actually owns that picture, because it was intended as a gift. So whatever the—that person does with the picture, you don’t even own the nude picture of yourself anymore ... So that’s how I’m protected.”

Levendowski writes that Moore is dead wrong, citing that 80 percent of revenge porn photos are “selfies.” Meaning the subject took a photo of themselves and had the photo mined from their device or hard drive, and thus own the copyright of their photo, and under the takedown provisions within the Digital Millenium Copyright Act (DCMA), victims can compel websites to take down their photo and search engines to de-index websites with their photo—“all without having to hire a lawyer,” Levendowski writes.

Such an avenue, she argues, prevents overbroad laws, doesn’t affect Section 230 provisions and leaves stalking, harassment and privacy laws untouched.

If this is true, doesn’t this bring up other avenues of data ownership? To what extent do I own my biometric data, for example—the DNA properties held within that hair left behind on the subway?

How about my faceprint?

In 2012, I spoke with Dr. Joseph Attick, an early developer of facial recognition identity management systems. Attick has argued that our faceprints should be copyrighted.

Since my faceprint is captured by facial recognition technology, and not “created” by me, the DCMA wouldn’t apply. But isn’t the copyright concept getting us closer to avoiding overly broad laws like the CFAA? And overly paternalistic ones as well?

How about a lighter version of the Right to be Forgotten, where, under certain circumstances, a user has some rights and can issue similar takedowns as seen with the DCMA? Could that be a step in the right direction?

No one wants to take down the Internet less than me, and I understand what a burden a constant stream of requests for takedowns of small pieces of data could be, especially for young Internet firms without the resources of the goliaths. But surely there must be a balance somewhere that allows me to object to information about me being stored or displayed somewhere I'd rather it not be. 

More from Jedidiah Bracy

About the Author

As editor of the Privacy Perspectives, Jedidiah Bracy moderates the many views, angles and, well, perspectives that inform information privacy and all its adjacent professions.

In addition to editing the Privacy Perspectives, Bracy facilitates the vetting, writing, editing and curation for the Daily Dashboard, the IAPP Canada Dashboard Digest, the IAPP Europe Data Protection Digest and the IAPP ANZ Dashboard Digest. He writes feature articles for The Privacy Advisor on information privacy law, data protection and the privacy profession.

When not mulling over the current state of information privacy in the digital age, Bracy enjoys watching international soccer, listening to his music library and tasting a finely wrought craft beer. You can follow him @jedbracy

See all posts by Jedidiah Bracy


  • February 12, 2014
    R. Jason Cronk

    I’m not going to go into a detailed analysis of copyright law but I’ll give you the short answer. First off, selfies would we copyrighted by the photographer (aka the person in the picture) as original works. Pictures taken by forelorned lovers would not as they would be copyrighted by the ex. Faces are not copyrightable as they are more akin to facts. Copyright only covers original works of authorship. See…a plastic surgeon that rearranged your face might make a claim but you as the ostentatious owner of your face can’t claim it is an original work of authorship. Now, a particular image of your face is copyrightable but not your face. Similar reasoning goes for other factual elements about you, dna, hair color, etc.

    • April 16, 2014

      Thanks for the breakdown, Jason. Now, with facial recognition tech, we’re getting into proprietary face patterns owned by the FR company, too. I wonder if we need to start thinking of getting faceprints to be considered PII? Hard not to be cynical about that though.

  • February 13, 2014
    Heather Federman

    Part of the problem is that the victims are unaware of what (if any) easy to do actions they can take. Do any simple revenge-porn DMCA-type take down tools exist? And how can the original photographer be notified when they have become a victim? Must they wait for the photo to viral or is there a more immediate method of communication?

    • April 16, 2014

      Those are great questions, Heather. I would imagine any photo-tagging technology (say designed to alert a person when used) would pose a whole slew of additional privacy concerns. It would be helpful if there were a clearinghouse website, though, with tools for victims.

To post your comment, please enter the word you see in the image below:

To post your comment, please enter the word you see in the image below:

Get your free study guide now!
Get your free study guide now!