 |
 |
Dear All, Having done a bit of desk research on this one, it seems that e-Cards are already in fairly widespread use in UK museums, including several National institutions. While there are several different models of use, none that I have come across thus far include a legal disclaimer as part of the process of actually sending an e-Card, though there are several which include disclaimers as a footer to the resulting message. While most seem to require you to enter your username and email address as well as the details of the recipient, these seem just to be text fields, and there is no authentication that I can see. It seems to me that Mark's IT specialist is right that the technical solution to this would be to implement some form either of verification or user registration which includes authenticating the sender's email address. However, this only overcomes part of the problem as it would be relatively simple to set up a temporary web-based mail account to get past the verification process. Also, most of the messages I have received back thus far have been stamped with messages of the form 'this e-Card has been sent to you from XXX museum' with a link back to the organisational root URL. This implies to me some responsibility for the content of the message attached to the card. Similarly, there are several systems which don't email the card, but instead email a link to the card stored on the museum's web server. This, it seems to me, compounds the libel problem since the organisation would effectively be hosting and publishing the libellous material itself. I also looked to the commercial/broadcast sector to see if they had come across this one. The BBC provide e-Cards from within the BBCi website. There is a link to generic terms and conditions and a privacy statement which governs the whole site, but the focus of this is on the BBC's responsibilities relating to personal data rather than the issues arising from e-Card use. However, when the e-Card arrives from the BBC, it includes a generic disclaimer relating to the content of the e-Card. This effectively dissociates the BBC from any libellous content and offers a mail link to the BBCi webmaster to report any abuses of the system. Another interesting approach which has been adopted by several commercial organisations is to lock down what the user can say. Instead of a freetext box into which a user could write potentially libellous material/embed code or tags etc, there is a series of drop-down list boxes which allow the user to select from a number of generic greeting messages. This approach seems particularly prevalent on sites aimed at a younger audience - see for example the 'D-Card' facility on the Disney site: http://www.disney.co.uk/DisneyOnline/D-Cards/ It seems to me that, given the obvious issues in implementing a technical verification process, that a good old-fashioned disclaimer both on the homepage of the e-Card function and embedded into the signature of the resulting email may be the simplest solution. Of course, I have no idea how applicable these would be in law, but it seems to me that there's an awful lot of e-Card usage going on without this fairly basic level of protection. I hope this is useful! Nick Nick Poole Regional Policy Adviser Museums, Libraries and Archives Council 16 Queen Anne's Gate London SW1H 9AA Tel 020 7273 1410 New! Visit the Cornucopia database of UK museum collections at http://www.cornucopia.org.uk Visit the MLA Council website at http://www.resource.gov.uk Visit the Peoples Network website at http://www.peoplesnetwork.gov.uk Join the Resourcenews email list at http://www.jiscmail.ac.uk Join the Cultural Diversity email list at http://www.jiscmail.ac.uk -----Original Message----- From: James Johnson [mailto:[log in to unmask]] Sent: Monday, March 15, 2004 11:08 PM To: [log in to unmask] Subject: Re: E-cards - security issues? Mark, A UK-based children's museum asked me about creating an e-card system for them. I advised them to be cautious for reasons I will explain. I don't think the SPAM problem is really too much of an issue -- from a technical perspective it is not difficult to stop someone who might, for instance, write a programming script to send lots of email messages via the e-card system. What concerns me more are the legal and PR issues that could arise from such as system. As your IT consultant has pointed out, someone could use such a system to send cards anonymously, or so that they appear to be from someone else. Potentially, such messages could be libelous. I believe there is some precedent in UK law for the transmitter of such a message to be legally responsible for it, not the (anonymous) sender. In the case of the children's museum as an example of a problem that might arise I suggested a child might send anonymous messages via the system accusing a teacher of something so serious that it might damage his/her career. Such a teacher could accuse the museum of not having controls in place to prevent such an event occurring, which might result in bad publicity and/or legal action against the museum. You might think that this kind of thing would be extremely unlikely, but there was a case some years ago where children made serious allegations against a teacher on an internet chat board, and in that case the service provider was found to be legally responsible (although the case was not as simple as I've described it here). Of course, with a children's museum there is perhaps a need to be more cautious than for other types of organisation. But I believe your IT specialist is right to err on the side of caution and to make you aware of the problems that might arise from such a system. I hope this helps. James Johnson Publitek New Media Ltd. ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________