IP: Aus police raise question over re-use of photos from Facebook

The explanation given by the Queensland police as to why Grubb is suspected of an offence makes perfect sense and is an example of the kind of logic that police should apply in a rapidly evolving world instead of waiting for legislation to create specific offences. It's a good approach - it's basically the common law approach - saying "there are laws that are designed to prevent this harm and your conduct fits within a broad definition of that harm."

Opponents of the approach say that it stifles development and free speech, that citizens cannot know what is against the law unless the law is specific. That is a view which is best summarised as "everything is legal unless made specifically illegal." A higher moral perspective would take a broadly opposite view "nothing is legal unless specifically made so - or it can be demonstrated as causing no harm."

What Queensland Police argue, in summary, is this: where a user of social media (in the instant case it was Facebook) makes information private, then that data belongs to the user and the user alone. There is a parallel argument which revolves around permission to access data: if data is marked as private, then accessing that data without permission amounts to unauthorised (and in many countries, therefore, illegal) access - in effect hacking.

Grubb did not, according to reports, access the private data himself. a "security researcher" reported to be named Christian Heinrich obtained photographs that were in an area that the user had marked as "private" for his "friends" only.

Grubb was arrested and questioned before being released without charge. The investigation relates not to the "break in" but to receiving the photographs that were obtained in the break in: the closest analogy is that of handling stolen goods.

The range of possible conduct that is open to question is wide: everything from soliciting to conspiracy as well as substantive offences.

The situation is complicated by reason of the fact that the servers from which the data was obtained are outside Australian jurisdiction.

Queensland police were responding to a complaint from a member of the public and declined to give further information save to say ""an alleged hacking incident that saw private material being obtained unlawfully”.

Grubb wrote an article, published by Fairfax in the Sydney Morning Herald on 17th May based on the presentation made by Heinrich, starting it by saying "The wife of an Australian security expert has been targeted by another security expert in a Facebook privacy vulnerability test demonstrated at a security conference in Queensland." Grubb was arrested shortly after that article appeared on the internet. His iPad, which he had used at the conference, was held as evidence.

But the story presents some kind of feud between Heinrich, who according to Grubb's article "admitted he did not like Gatford" and Chris Gatford, director of rival security firm HackLabs.

Heinrich's paper was not presented to the whole conference but to a small group of 20 in a side room; later Heinrich gave Grubb a private viewing, leaving with him a copy of the presentation including the photographs.

Reading Grubb's article ((SMH.Com - here) it is difficult to see why Grubb is in any way to blame. His article is, in fact, critical of the Heinrich's conduct while acknowledging that he has proved this and a number of other flaws in social media security. Specifically, what Grubb has not done is to republish the photographs. In short, he has behaved in what, on the face of it, is a responsible manner for a journalist exposing a significant problem. While falling short of full-blown investigative journalism, it is nevertheless going down that road.

Queensland Police say that having possession of the photos is similar to having possession of a stolen TV. That argument stacks up in some ways but it is difficult to see its merit in relation to Grubb - and indeed Fairfax as his employer. He needs to be able to collect and secure evidence to back up his stories so as not to find himself liable to litigation by someone who is aggrieved at his comments.

Gatford declined to comment about Heinrich's conduct when Grubb asked him to do so.

SMH.Com has followed up with research into how a Facebook group collects personal photos from those named as "friends" and then re-posts them to a private men-only group who enjoy ogling women in scanty clothing. The result, the paper says, is that some women are subjected to many "friend" requests from men they don't know. (SMH.Com - Story). This raises the question of rights in the photos, an issue which Facebook deals with in its conditions but is notoriously bad at enforcing.