YouTube user data must be turned over to Viacom, judge rules

A federal judge this week ordered Google to provide Viacom with records of which users watched which videos on YouTube. The ruling raises fears that the video viewing histories of tens of millions of people could be exposed. The sheer amount of data we're talking about here is massive -- for each and every YouTube video ever watched since YouTube launched in 2005, Google now has to to turn over to Viacom the login name of every user who had watched every video, and their the IP addresses.

Snip from NYT story by Miguel Helft:

Google and Viacom said they were hoping to come up with a way to protect the anonymity of the site’s visitors. Viacom also said that the information would be safeguarded by a protective order restricting access to the data to outside lawyers, who will use it solely to press Viacom’s $1 billion copyright suit against Google.

Still, the judge’s order, which was made public late Wednesday, renewed concerns among privacy advocates that Internet companies like Google are collecting unprecedented amounts of private information that could be misused or fall unexpectedly into the hands of third parties.

“These very large databases of transactional information become honey pots for law enforcement or for litigants,” said Chris Hoofnagle, a senior fellow at the Berkeley Center for Law and Technology.

Google Told to Turn Over User Data of YouTube [New York Times]

Update: Here's a related statement from the EFF.


  1. The Video Privacy Protection Act:

    In particular, (b)(2)(F) which seems to cover exactly this situation. Note that it makes Viacom, not Google, responsible for providing the prior notice. My data will be in those logs, and I haven’t been given notice by Viacom that they’re requesting disclosure.

    Yes, a letter goes in the mail tomorrow.

  2. What if you are not an American citizen? How does an American judge have the right to tell Google to release my information to an American company?

  3. The problem in cases like this is that, while Google and Viacom have lawyers in the room, no one represents the YouTube users.

    Secret_Life: it appears that unlike European law, American law doesn’t think it’s your information, they think that it is Google’s information.

    Todd Knarr: you might have a good argument, but it’s going to take a good attorney to make it. Perhaps the EFF might be interested in stepping in.

  4. Secret Life: It goes even further than that. Americans are supposed to be protected by the bill of rights. (this very well counts as a search and seizure.). Though apparently the movie/music industry doesn’t think the bill of rights apply on the internet, or anywhere else for that matter.

  5. Does this include UK users data? US judges surely can’t demand data from other countries…? YouTube would have to sort the data mountain, possibly making it too unreasonable a task to be expected by this Judge.

  6. When you think about it, if they are suing Google over copyright, there’s really not much of a reason for why they need the IPs or usernames of people who merely view the videos.

  7. Once they have the usernames and IPs of people, all they need to do is employ a small army of recent CS/IT and law graduates to sift through the data, and start filing infringement suits on an industrial scale.

    Given the kinds of payouts they’ve been awarded in the past, this would even be a profitable enterprise.

    With luck, it really would be the final straw, though.

  8. Depending on what Viacom does with the data, this could be copyright armageddon (Copygeddon?) – the final battle between rights holders and consumers.

    At the very least a whole lot of consumers will suddenly realise they are at war.

    It’s a bit sad that the creators are likely to just end up being pushed to the side.

  9. @Foolster41

    Sorry, but this certainly doesn’t come under search and seizure rights, as in no way are Google’s logs your property and you have no expectation of privacy.

    A similar scenario is the police going into a shop and saying “can we see your security footage.” It just so happens that Google happens to have infinitely long security tapes, we all know this, in fact Google privacy policy on Youtube states:

    “We use both your personally identifiable information and certain non-personally-identifiable information (such as anonymous user usage data, cookies, IP addresses, browser type, clickstream data, etc.) to improve the quality and design of the YouTube Sites and to create new features, promotions, functionality, and services by storing, tracking, analyzing, and processing user preferences and trends, as well as user activity and communications.”

    So it’s clear Google does store that data, so as a user you knew what you were getting yourself into.

    I certainly don’t agree with the ruling, but arguing that it goes against the bill of rights isn’t helping because it clearly isn’t true, with even a cursory glance.

  10. Todd Knarr– doesn’t the Video Protection Act page you linked to, specifically subsection (b)(2) subparagraph (c) stating:

    A video tape service provider may disclose personally identifiable information concerning any consumer—to a law enforcement agency pursuant to a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a grand jury subpoena, or a court order;

    cover this exact scenario? They’ve got a court order from the Judge asking for this data.

  11. #15: Tarnished Coin, I’m not so sure it’s that clear cut. As #6 points out, in the EU, this data would almost certainly be considered to be the property of the users. In the US, this is not the case.

    I’m not quite sure what EU law would say about the security footage scenario, but certainly data gathered on private individuals by a company is considered to remain the property of the individuals, and laws are heading further towards giving individuals more control over it.

  12. Kieran, fully agree- in the EU there is much more respect for personal data, be it living in a companies database or on your computer, but the USA has certainly dragged it heels along gaining similar protections.

    I’m not sure where the law stands on an EU citizen visiting, an American company with the servers likely located on American soil, I would assume that the data would fall under American rules, as for, say, which might very well be a different matter.

  13. What bothers me is that the data Viacom is asking for doesn’t seem relevant to the case. Most of the videos on Youtube have no connection with Viacom so why should they get to know anything about them?

    Holy crap, I just realized: Viacom is going to have a list of every person who’s ever been rickrolled.

  14. Tarnished Coin: You have a point. Not my info. but still, Google shouldn’t have to give the information.

    I kind of over-reacted because it is information about me after all, and I dislike it being thrown about like this.

  15. It would be the ultimate form of irony that Viacom has been offered retro-active immunity for doing something that was clearly illegal at time, while at that same moment, they could consider sueing people for doing something that was clearly legal at the time.

  16. @#15 & #17, Tarnished Coin: To quote your quote with a different emphasis,

    A video tape service provider may disclose personally identifiable information concerning any consumer—to a law enforcement agency

    There is (or at least there should be) a world of difference between handing something to the police and handing it to representatives of a corporation.

  17. #11 (When you think about it, if they are suing Google over copyright, there’s really not much of a reason for why they need the IPs or usernames of people who merely view the videos.) and #21: That as my first thought exactly.

  18. Maybe Google should not have been obliged to hand over these data, but the ruling points at a more fundamental problem: Google should never have kept all these data in the first place.

    I mean: A complete log of all film requests, comments, views, etc. on YouTube EVAH, complete with IP address login name and all? Why do they keep this information if not to invade people’s privacy?

    I could understand it if they had been able to give their log information a week back, or so. The log information Viacom has requested ought to have been deleted a long time ago.

  19. so what is the terms of agreement at google for uploading content? Do they put the users in charge of copyright clearance? What about – may I mention it – embeds? Are blog owners embedding copyrighted material from youtube liable? (I have not come to a sufficent legal world wide conclusion to this as of yet and I am still researching since about 1.5 month in regards of embeds and Creative Commons).
    This lawsuit open so many can of worms that the internet might spill out worms for the next millenium.

  20. >Kieran, fully agree- in the EU there is much more respect for personal data, be it living in a companies database or on your computer, but the USA has certainly dragged it heels along gaining similar protections.< as can be seen by the countless of mass data leaks in the UK and in germany in the last year. or the sending of flight passenger information to the US - nowaday on EVERY flight you take - to the us and anywhere else outside the EU. The only thing the EU is better at is keeping their citizens more confused and therefore more in the dark at what is actually happening.

  21. @#26, Agger: On the face of it, Google are pretty well covered on that point.

    According to Youtube’s Viewing History page, “These are your recently watched videos. We respect your privacy, and do not share this information with anyone. You can clear your history by clicking the ‘Clear Viewing History’ link at bottom.”

    Things might get a little more interesting down at Mountain View if that button doesn’t actually do what it claims to, though.

  22. #11 & #25

    The IP addresses (or at least a way to measure individual views on each video) are probably required for Viacom to assess the “damage” or “losses” caused by the videos being available for free on YouTube. But they cetainly don’t need to have personally identifying information.

    Also, since I am an innocent internet user, surely I trusted youtube to provide a legal service and content. How could I possibly know which videos were legally uploaded and which weren’t.

    So, as viewers, this is not our problem. We used a service, and shockingly, found out later that some of the material YouTube presented to us was uploaded illicitly. (unless Viacom gets the upload info too.. uh oh)

  23. @#24 Tubman, I caught that in TwoTonkaToys link, perhaps that will be the EFF’s primary attack point?

    Falk, have you ever read the DPA? The UK->US passenger sharing information is within it’s limits– simply stated the DPA ensures data is:

    • Fairly and lawfully processed
    • Processed for limited purposes
    • Adequate, relevant and not excessive
    • Accurate and up to date
    • Not kept for longer than is necessary
    • Processed in line with your rights
    • Not transferred to other countries without adequate protection

    And of course the important section on allowing you to get a company to give you all information it has on you.

    Now, I’ve used the DPA to get information out of a companies, and it works. That’s more then you can do in the states. The processed for limited purposes is a wonderful section, which comes especially into its own when you get into data mining.

    Would any of these rules change the current Google problem, maybe, I could at least see where you could argue some points.

    As for the UK->US flight data, it’s a tough call, we’re landing in their country and they wish to know the details on the passengers that are landing. Previously it was a 15 minute before departure, now that’s increased (or shortly will be) to 72 hours– a simple solution it to vote with your wallet.
    Personally for me, the UK->US passenger share isn’t that bothersome, fullname, sex, dob and eventually a id number that would associate myself with previous US visits.
    That’s all information contained in my passport, or in their current invasive fingerprinting system which I have to pass through to gain access to their country.
    With the new rules, I at least find out I was denied entry to the USA in the UK airport, rather then being treated a great deal worse in the USA then getting turned back. What specifically about it do you disagree with? I may have missed something that changes my mind, so would be interested to know.

  24. @Robbo, Actually I think the judge did specify that the data was delivered in a series of 4 terabyte hard drives. Although I did hear this on slashdot so I may just be pulling it out of my arse.

  25. @29: Falk, while I certainly agree that there are troublesome developments regarding privacy rights in the EU, there is a big difference between leaks – which implies that there are laws regarding the matter – and almost no legislation at all. Comparing with the US, privacy in the EU is actually not that bad. Sometimes it helps to know a bit about the subject. This constant FUD against the EU is highly annoying.

  26. This is a little confusing. If YouTube is responsible for what it posts (copyright or no), why are visitors to the site being sought after?

    Anyhow, after moving to a new job where the net admin is all too happy to be my nanny and stop me from endangering myself, I’ve been awoken to just how “new” the internet is in terms of its maturity regarding the liberty of THE PEOPLE.

  27. Zittrain has a discussion of how the bar a party has to pass is much lower for discovery of personal information stored on third-party servers than if it was on one’s PC (so, exactly this kind of scenario) in his new book (pgs 186-7). It really is worrisome that once you use an online service, the data on you there is stored forever and subject to scrutiny by the service itself, another private party (Viacom, say) or the government.


    Hey, that was my idea! (It seems they posted first, though…)

    Guess I’m not the only one that wants to screw them over. However, in the TechCrunch comments there’s speculation about whether this would actually fly (see comment #18 over there).

  28. Foolster41: it is information about me after all, and I dislike it being thrown about like this.

    Agger: A complete log of all film requests, comments, views, etc. on YouTube EVAH, complete with IP address login name and all? Why do they keep this information if not to invade people’s privacy?

    I still don’t understand why people expect privacy on the internet. What videos you watched on YouTube is not “your private information”, it’s information about how you interacted with someone else’s machine. Unless that someone explicitly told you that they would keep secret all information about how you interacted with their machine, I don’t know why you’d just assume they’d keep it secret. What (other than the desire to meet users’ unreasonable expectations) keeps webmasters from publicly posting their server request logs online? Why do people expect that server access data is private?

    IMnsHO, server requests are like a conversation. If you talk with me, later on I might be talking with someone else and repeat part of the conversation you had with me if it is relevant, UNLESS during that conversation you explicitly told me that the conversation should be kept private. Right? Why do you expect it to be any different when you (through a web browser) “talk” with a web server? When a witness is called to testify in court, is that a violation of privacy? How is it different to get a web server to reveal what IP addresses accessed what content?

  29. One thing that *does* seriously worry me about this, and it’s somewhat related to the Rickroll phenomenon:

    If a viewer blindly clicks on an unlabeled YouTube link thinking it might be something relevant, and ends up registering a hit before realizing the video was *not* what was expected, that’s still going to be listed in the logs.

    Same thing with embeds, where even when the content itself is clear, the *source* isn’t until actually clicking through to the video page. In other words, something may very well look like an embed of an officially sponsored upload when it’s not.

    How will Viacom even be able to determine that the copyrighted material was viewed with full intent?

    (Which also reminds me: one of the Rickroll variations I’ve seen is of the Pop-Up Video version. Pop-Up Video was shown on VH1. Which is owned, of course, by Viacom. If you get my drift.)

  30. If we look at the RIAA as an example, I’m pretty confident that they are going to try to go after the people that uploaded Viacom content not those that viewed said content. “Making available” and all that…

  31. @42
    Which is legitimate, is sleazy. If you use a DVD for public view (say, show a movie behind your DJ set in a club) that would be illegal as well. but they aren’t going to go after the club goers. just you. and the club owner.

    So therefore, the club owner is Youtube, and the DJ is the person who uploaded the video.

    The thing I find funny is, I use youtube a lot for live performances (no record label can claim to own them unless ripped from a DVD) or older videos that simply aren’t shown on TV anymore. So things they basically wouldn’t be making any money from anyway.

  32. So… how long before Viacom tries to sue me for posting my own videos without their consent… or starts watching to see when I post videos of my cat acting cutely so they may more expediently demand that I remove it to avoid infringing their fictional copyrights?

  33. Wonder if I’ll be viewed as having “terrorist traits” due to my viewing of pro-Constitution/anti-government videos?

  34. This is an incredibly frightening precedent.

    Somebody (EFF?) should sue AT&T over something ridiculous and subpoena the Daytona database with this Viacom case as precedent.

    This is a serious legal hole that needs to be thrust into the spotlight as a problem and appropriately patched for good.

  35. Why does YouTube store that information in the first place?

    If only people, I dunno, ran their own webservers from home, hosting regular MPEG-4 videos over HTTP, using hyperlinks.

    System Preferences -> Sharing -> Web Sharing -> On.
    Plus a free DynamicDNS account.

    It even works for MyFace.

Comments are closed.