In my ebook (A Practical Guide to WordPress and the GPL) which will be out within the next 6-8 hours, I’ve included a one page summary of the GPL which I hope will make it easy for people to understand the core concepts of the GPL. That summary outlines the position in relation to copying and distribution, fees, modifications/derivative works, distributing non-source forms, termination, and downstream licensing:
This particular summary follows the flow of the clauses in the GPL and that’s why it flows through the subject headings I’ve just mentioned. One consequence of this common approach to summarising legal documents is that the discussion of a single topic may contain a summary of both a person’s rights and a person’s obligations. For example, the discussion of modifications / derivative works says:
“You may modify the Program or any part of it and distribute the modifications or new work as long as modified files contain notices regarding the existence and date of changes and any work that you distribute or publish that contains or is derived from the Program or any part of it is licensed as a whole at no charge to all third parties under the GPL.”
As you can see, this paragraph says “you are free to do A but if you do you also need to do X”. Rights and obligations. This approach is repeated, where relevant, for each subject.
Now, in my normal day job, I’ve done a huge amount of work on open licensing of government copyright works and that has involved very close examination and implementation of the Creative Commons licences. Not surprisingly, then, my mind immediately gravitated towards the ‘human readable deeds’ that Creative Commons produces for its licences. Those deeds take a slightly different approach to summarising the legal terms of the licence. Instead of addressing licence content on a subject by subject basis, which would include rights and potentially obligations per subject, they take a “you can do A, B and C, as long as you do X, Y and Z” approach. In other words, they state all freedoms and then list the obligations. For some people, this may be easier to follow.
With that in mind, last night I whipped up a GPL human readable summary, modelled on the approach taken by Creative Commons. This is what it looks like:
(Please retweet as the more that take this super quick poll the better.)
So, the email
This is what I said:
As you’ll know, the sale of a commercial theme or plugin usually entails access to the theme or plugin for download as well as a right to support and updates for a defined period, usually 12 months. It seems to me that some ‘public redistributors’ leverage the fact that they, as purchasers, can get access to support and updates. In other words, they use this access to seek support relevant to ‘their customers’ and/or they use it to get access to updates which they then release for download on their own sites.
Now, this sort of activity is generally permitted by the GPL, as long as they do it in the right sort of way and don’t breach any trademark rights or relevant laws. This might make you think that this kind of behaviour can’t be controlled contractually. But I think it can, at least to some extent.
After I wrote this, I did a search on the web to see whether I could find other businesses doing something similar to what I’m proposing. Lo and behold, it seems that Red Hat did this a few years ago. See GPL expert gives Red Hat the all-clear.
All the best.
P.S. I appreciate that a mere legal term relating to support won’t stop people who are hell-bent on redistributing GPL’d themes or plugins on a publicly accessible website from doing so. But it may stop a subset of people who actually care about their access to support and updates. The inclusion of such a clause might also make would-be redistributors wonder whether that kind of redistribution is ethical.”
Now for the poll
The poll has now closed. Thanks to all those who spent the time taking the poll. Much appreciated.
(Thanks to The Art Gallery of Knoxville for the “FREE BEER 3.3 Ready to Drink!” image https://www.flickr.com/photos/16038409@N02/2327155978/, licensed under a Creative Commons Attribution-ShareAlike 2.0 Generic licence https://creativecommons.org/licenses/by-sa/2.0/)
I observed that, whilst many countries don’t have laws that require disclosure of cookies, in Europe there are specific (and controversial) cookie laws. Website owners in European Member States are required to:
provide clear and comprehensive information about the cookies they are using; and
obtain consent to store a cookie on a user or subscriber’s device.
There are some narrow exceptions but I don’t think I need to mention them again.
The questions I want to explore in this post are these:
What are the implications of the European cookie laws for European users of WordPress.com and Jetpack?
Are users of WordPress.com and Jetpack able to obtain sufficient information as to the cookies that these services set?
If not, do the cookie laws erect an obstacle (at least for those who care) to European use of WordPress.com and/or Jetpack?
Implications of cookie laws for European users
The implications of the cookie laws for European users of WordPress.com and Jetpack are clear: they need to be able to provide information on the cookies that these services set and to include a consent mechanism.
Are users of WordPress.com and Jetpack able to obtain sufficient information from Automattic?
Status in 2014
In November 2014, a Spanish user of WordPress.com posted this message in the WordPress.com forums:
“There are new politics in Europe. In Spain (and maybe other countries of Europe) we need to inform about cookies. …”
I chimed in with this:
In the meantime, is someone able to name what cookies (if any) are generated by Jetpack/WordPress.com Stats when used on a WordPress.org (self-installed) site?
Many thanks for your help.
In December a WordPress.com Happiness Engineer kindly updated me, stating that “we don’t have a list of cookies readily available, so it may take some time before we have those details you requested”.
Time marched on and, well, my focus shifted to other matters.
Fast forward to 2015 – Automattic invests in cookie transparency
Fast forward to July 2015. Last week I found out that Automattic has been putting considerable effort into fostering cookie transparency. Automattic has created the following:
A cookies disclosure page for WordPress.com
A widget that displays a cookies banner
A cookies disclosure page for Jetpack
Turning to the widget, you can add an “EU Cookie Law Banner” to your WordPress.com site by adding the widget of that name to the widgets section in your site’s customizer. There’s a range of settings. For example, you can hide the banner after a user clicks the ‘close and accept’ button, or after the user scrolls the page, or after a defined period of time. You can amend the default text if you wish, you can change the colour scheme (light or dark, more if you’re a premium user), you can link to the WordPress.com cookie information or to your own cookies policy page, and you can change the button text. Here is what the default banner looks like:
Last but not least, the Jetpack cookies page explains that cookies are used by Jetpack in a variety of different ways and that the cookies set will depend on the Jetpack features that are enabled. It notes that the cookies are only set when a user interacts with one of these, or to allow admin functions to be performed in wp-admin. It then names and provides other details on the cookies that are set for visitors and registered users of sites with the Jetpack plugin installed.
As a lawyer who has been a bit frustrated in the past about the inability to obtain information on the cookies set by WordPress.com and Jetpack, I think these developments are superb. They go a substantial way towards enabling those in Europe to comply with the cookie transparency laws.
Whether a site run by someone in a given European country complies with that country’s laws is not Automattic’s responsibility, of course, but Automattic has clearly invested a good deal of time and money in helping its European users.
Any remaining obstacle?
Cookie lists not exhaustive
You might want to note that the cookies listed for WordPress.com are not exhaustive. Rather, the kinds of cookies used are explained and numerous examples are given. The cookies page is clear in stating that the listed cookies are examples. This, I understand, is due to the dynamic and evolving nature of WordPress.com. An exhaustive list of cookies that is valid in one month might become out of date in another. Automattic is certainly not alone in taking this approach. It seems to be the same kind of approach that Google takes.
Residual risk? Unlikely
Does the fact that the cookies lists are not exhaustive pose significant residual risk to European users of WordPress.com? I can’t comment on how the European ePrivacy Directive has been implemented and interpreted in every European member state (there will likely be variance in interpretation across member states), but I can tell you what the United Kingdom’s Information Commissioner has said, namely, this:
“What do we need to do to comply?
The rules on cookies are in regulation 6. The basic rule is that you must:
tell people the cookies are there;
explain what the cookies are doing and why; and
get the person’s consent to store a cookie on their device.
As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website. However, bear in mind that devices may be used by different people. If there is likely to be more than one user, you may want to consider repeating this process at suitable intervals.
What information must we give users?
[The Privacy and Electronic Communications Regulations] do not set out exactly what information you must provide or how to provide it – this is up to you. The only requirement is that it must be “clear and comprehensive” information about your purposes. You must explain the way the cookies (or other similar technologies) work and what you use them for, and the explanation must be clear and easily available. Users must be able to understand the potential consequences of allowing the cookies. You may need to make sure the language and level of detail are appropriate for your intended audience.”
In my view, the approaches taken by Automattic and Google are pragmatic and provide users with reasonable and digestible information on the fact that cookies are used, what the cookies are doing and why they are doing it. They also provide clear examples of named cookies. Arguably that is sufficient.
There will probably be those who will say the gold standard is listing each and every cookie – and yes if you do that you ought to be safe – but, for large or complex operations, that approach runs the risk of producing monstrous cookie policies that most people will never read, resulting in overly bureaucratic processes for minimal gain. They could even be counter-productive. In my view, a sensible compromise needs to be struck between transparency interests and usability or readability interests. There’s little point in drafting something that is so complete, yet so monstrously detailed, that it’ll never enter anyone’s consciousness.
If you’re in the United Kingdom, I’d be astonished if the Information Commissioner were to take a stricter view, given what it has said publicly (as quoted above). Let us hope the same common sense prevails in the other European member states.
(Update: I need to be clear that I don’t know the position in other European member states on this particular issue. I know there has been inconsistent implementation of the Directive’s requirements in relation to prior consent to the setting of cookies. It wouldn’t surprise me if there were different interpretations on this point too, but I just don’t know. That said, it is widely recognised that the lack of uniformity across Europe is shambolic and that cases involving enforcement are rare.)
Of course, what these businesses say in their terms is constrained – or should be constrained – by the requirements of the GPL, at least in situations where they’ve created derivative works of WordPress or other GPL’d code or where they’ve otherwise chosen to apply the GPL to their themes or plugins.
In this post, I’m going to focus on theme and plugin shops that have expressly applied – or purport to have expressly applied – the GPL 100% to their themes or plugins. I’m going to discuss four kinds businesses:
businesses that clearly understand the GPL and get their licensing statements right;
businesses whose licensing statements are difficult to understand;
businesses that either don’t understand the GPL or do understand it but cloud or misrepresent (either innocently or deliberately) the freedoms that the GPL confers on purchasers of their themes or plugins; and
businesses who just get the GPL plain and unambiguously wrong.
I’ll also comment on businesses whose terms purport to reserve a right to change the licensing of their themes at any time. Note that almost all of the theme shops I’ve reviewed are commercial theme providers with a listing on WordPress.org.
Businesses that get it right
“All digital goods provided by Array are released under the GNU Public License version 2.0. Go create something beautiful and share it with us.”
Nice. Even within their minimalist terms they want to delight their customers.
Businesses that opt for the second variant go a bit further and say something like this:
“All [our] themes are licensed under the GPLv2.You can use our themes for personal and commercial projects and for as many websites as you like.”
Many businesses’ terms are along these lines. In my view, they provide helpful guidance to purchasers.
Businesses whose terms are difficult to understand
I’ve come across one theme shop that says, without more, that its ‘theme code’ is licensed under the GPL. But what does ‘theme code’ actually mean? Would theme code include non-code assets within a theme’s zip file? Arguably not. This sort of licensing actually looks more like a split licence to me than full GPL. The intended meaning is unclear.
Businesses whose terms cloud or misrepresent the GPL freedoms
Some businesses who say their themes are GPL-licensed offer basic versions of themes or plugins for free or a low cost as well as ‘premium’ versions of the themes or plugins which have more functionality. That’s all fine. What’s not so fine is when they draw a distinction – either expressly or implicitly – between what can be done with a basic or low cost version as against what can be done with the premium version. I’m not referring to the different levels of functionality. Rather, I’m referring to the number of sites on which the theme or plugin can be used. For example, some theme shops say very little or nothing about what can be done with the basic or low cost version but then say, for the premium version, that it can be ‘used on unlimited websites’ or that purchasing a premium version comes with ‘the right to use the theme on an unlimited number of websites’.
To my mind, this may prompt some users to infer that the basic version cannot be used on unlimited websites. Logically, of course, the fact that ‘unlimited websites’ is stated for the premium version whilst nothing is said for the basic or low cost version doesn’t necessarily mean that the basic or low cost version can only be used on a small number of websites or a single website. However, drawing the distinction I’ve mentioned isn’t helpful and does nothing to explain to users of the basic or low cost version that, under the GPL, they too can use their version on unlimited websites. It seems that some theme or plugin businesses draw this distinction to encourage more customers to buy the premium version but I’d suggest that, in doing so, they’re not being as transparent as one might expect in relation to what the GPL allows.
Another and perhaps worse variant of this is where a theme shop says that, if you buy one of its GPL’d themes, you can use it ‘on any websites you own’. To my mind this is misleading. You do not have to own a website to use the GPL’d theme for that website. You can use it on any website, regardless of whether you own it. Now, I’m not suggesting that this excellent theme shop that is listed on wordpress.org is intending to mislead anyone, but the wording is misleading as it implies that one cannot use the theme on a client’s site. This is particularly so when the terms go on to say that, if you purchase a developer package, you can use the theme on an unlimited number of client sites.
Businesses whose terms get the GPL plain wrong
Purported rights to alter licence terms
The short point is that a theme shop that purports to retain the right to change the licensing of its themes, when those themes have already been licensed under the GPL, should not be read as restricting those who already have the themes from exercising the freedoms that the GPL gives them.
Theme and plugin shops deploy a range of approaches as to how they describe the GPL-licensing of their products, from good to not-so-good to bad. I’m not suggesting that all theme and plugin shops whose terms fall in the not-so-good or bad camps are deliberately misleading customers. I suspect the reality is that some are doing this, for economic reasons, while others or their lawyers have either misunderstood the GPL or used language which just isn’t quite right, if not quite wrong.
As many in the WordPress community will know by now thanks to Jeff Chandler’s helpful post on the case, recently Chris Pearson was unsuccessful in his complaint against Automattic regarding its purchase of the thesis.com domain name. Pearson had sought to have the domain transferred to him. I want to say a few things about this case but I’m not going to get emotional about it nor will I publish any comments that come across as hostile, abusive or potentially defamatory. My interest is to point out a few things that do not seem prominent in the discussions I’ve seen to date and to do so from a hopefully dispassionate legal perspective.
The key facts seem to be these:
Many years ago, Chris Pearson developed a theme for WordPress called Thesis. When released, Pearson did not license Thesis under the GPL.
In due course, there was heated if not acrimonious debate between Matt Mullenweg and Pearson as to the licensing of Thesis. Mullenweg argued that Thesis should be licensed under the GPL; Pearson argued he was not required to do so. (I’ve said a bit more about this in WordPress themes, the GPL and the conundrum of derivative works).
At one point, it looked as though Pearson would be sued, but it didn’t come to that. Nevertheless, it seems clear that deep battle scars remained on both sides. At one point Mullenweg even appears to have offered to give Thesis purchasers a GPL premium theme of their choice at no cost. (To really understand what many believe to be the true context for this case, you need to listen to the debate between Pearson and Mullenweg on Mixergy back in 2010.)
Eventually, in July 2010, Pearson changed the licensing for Thesis, announcing this on Twitter: “Friends and lovers: Thesis now sports a split GPL license. Huzzah for harmony! #thesiswp”
Pearson owns registered trademarks for both “Thesis” and “Thesis Theme”, in each case for “web site development software”. These trademarks were registered in October and November 2011 and it appears that Pearson has been using the names since 2008.
In more recent times, Automattic and Pearson were both approached by a third-party for the possible purchase of the thesis.com domain name. Automattic was the higher bidder, paying $100,000 for the domain name.
Pearson instituted proceedings in accordance with ICANN’s Uniform Domain Name Dispute Resolution Policy (UDRP). Pearson argued that he had registered trademark rights in the THESIS mark; that Automattic’s domain name thesis.com was identical to that mark (except for the top level domain name “.com” which was not relevant); that Automattic does not have any products named ‘thesis’ or offer services using the ‘thesis’ name; that Automattic’s registration of the disputed domain name, to sell competing products, likely violates Pearson’s trademark rights; and that Automattic purchased the disputed domain name to confuse and redirect customers and potential customers to Automattic’s competing webpage.
Automattic argued, among other things, that “thesis” is a generic term; that it was using the disputed domain name in connection with a blogging site, such use serving as an invitation to Internet users to discuss, object, and debate certain topical issues and, therefore, falling within the definition of the term “thesis”; that Automattic purchased the domain name pursuant to a bona fide offering of goods under the UDRP; and that Pearson had not proven bad faith with supporting evidence (this argument was made because one of the three things a complainant must establish is that the ‘domain name has been registered and is being used in bad faith’).
The Panel made these key findings:
Pearson established legal rights and legitimate interests in the mark contained in its entirety within the disputed domain name;
Automattic failed to submit extrinsic proof to support the claim of rights or interests in the disputed domain name;
the disputed domain name is identical to Pearson’s legal and protected mark; and
Pearson failed to bring sufficient proof to show that Automattic registered and used the disputed domain name in bad faith.
Now, as Jeff noted in his post, paragraph 4(a) of the UDRP requires a complainant to prove each of the following three elements to obtain an order that a domain name should be cancelled or transferred:
the domain name registered by the respondent is identical or confusingly similar to a trademark or service mark in which the complainant has rights; and
the respondent has no rights or legitimate interests in respect of the domain name; and
the domain name has been registered and is being used in bad faith.
The first two elements were satisfied. Only the third was not but that is because Pearson failed to bring sufficient proof to show that Automattic registered and used the disputed domain name in bad faith.
It’s important, in my view, to look at what the Panel actually said. In relation to the second element, the Panel said this (I’ve replaced references to Complainant and Respondent with Pearson and Automattic):
“Rights to or Legitimate Interests:
… In the instant case the Panel finds that [Automattic] is not commonly known by the disputed domain name.
… The Panel finds that [Automattic] is using the disputed domain name to redirect internet users to [Automattic’s] competing webpage, which is not a bona fide offering of goods or service or a legitimate noncommercial or fair use of the domain name under Policy ¶¶ 4(c)(i) and 4(c)(iii). …
The Panel finds that [Pearson] established a prima facie case in support of its arguments that [Automattic] lacks rights and legitimate interests under Policy ¶ 4(a)(ii), which showing is light. … However, [Automattic’s] offer draws the Panel’s attention to a troublesome area. Allegedly, [Automattic] and [Pearson] were both approached by a third-party for the possible purchase of the <thesis.com> domain name, and [Automattic] was the higher bidder, paying $100,000.00 for the domain name. Such a purchase has been considered a bona fide offering of goods under Policy ¶ 4(c)(i) by past panels. … Therefore, this Panel considers that [Automattic’s] purchase of the <thesis.com> domain name for $100,000.00 could confer rights sufficient for Policy ¶ 4(c)(i) rights and legitimate interests, had adequate evidence to that effect been adduced. The Panel notes, however, that [Automattic] did not provide documentary evidence establishing this purchase of the disputed domain name for $100,000.00 and therefore the Panel declines to give that claim full credibility without such proof, which would have been easy for [Automattic] to provide and which should be [Automattic’s] burden to provide if the Panel were to rely on that claim as proof of rights.
Further, [Automattic] is purportedly using the disputed domain name in connection with a blogging site as per its Attached Exhibit (<themeshaper.com> home page). [Automattic] argues that such use serves as an invitation to Internet users to discuss, object, and debate certain topical issues. Panels have found rights and legitimate interests where a respondent was hosting a noncommercial website. … Yet, here as well, [Automattic] provides nothing more than the invitation to engage in such activities. Therefore, the Panel declines to find that [Automattic] actually operates the <thesis.com> domain name in connection with a legitimate noncommercial or fair use per Policy ¶ 4(c)(iii).
[Automattic] also argues that the term of the <thesis.com> domain name is common and generic/descriptive, and therefore, [Pearson] does not have an exclusive monopoly on the term on the Internet. Contrary to [Automattic’s] position, the appropriate authority registered THESIS as a mark and [Pearson] established those legal rights to that mark. [Automattic’s] premise is contradicted by this governmental proof of legal rights.
The Panel finds that [Pearson] has made out a prima facie case that [Automattic] lacks rights or legitimate interests in the disputed domain name and that [Automattic] has not rebutted that prima facie case. [Pearson] has therefore satisfied the elements of ICANN Policy ¶ 4(a)(ii).”
In relation to the third element, the Panel said (among other things) this:
[Pearson] claims that [Automattic’s] use of the disputed <thesis.com> domain name is to divert and confuse customers and potential customers. The Panel notes that [Pearson] did not include an exhibit showing that <thesis.com> redirects to a webpage owned by [Automattic]. The Panel suggests that the submissions might point toward use by [Automattic] that would support findings of bad faith, pursuant to Policy ¶ 4(b)(iv) if evidence had been adduced to that effect. However, [Pearson] failed to bring that proof to the Panel. …
The Panel therefore finds that [Pearson] failed to meet the burden of proof of bad faith registration and use under Policy ¶ 4(a)(iii). …
… Therefore, the Panel finds that [Pearson] failed to support its allegations under Policy ¶ 4(a)(iii) and finds for [Automattic].
The Panel does not adopt [Automattic’s] contention that the <thesis.com> domain name is comprised entirely of a common term that has many meanings apart from use in [Pearson’s] THESIS mark. …”
So, in essence, the first of the three required elements was clearly satisfied given Pearson’s trademark rights and the second element was satisfied because Automattic had not rebutted Pearson’s case that Automattic has no rights or legitimate interests in the domain name thesis.com. It appears that Pearson hadn’t, however, adduced sufficient evidence to establish the bad faith element.
Comment on panel’s reasoning
I’d like to zoom in on two aspects of the Panel’s reasoning. The first is the Panel’s suggestion that “[Automattic’s] purchase of the <thesis.com> domain name for $100,000.00 could confer rights sufficient for Policy ¶ 4(c)(i) rights and legitimate interests, had adequate evidence to that effect been adduced”. To understand this comment, you need to know what ¶ 4(c)(i) of the UDRP says. It says this:
“… Any of the following circumstances, in particular but without limitation, if found by the Panel to be proved based on its evaluation of all evidence presented, shall demonstrate your rights or legitimate interests to the domain name for purposes of Paragraph 4(a)(ii):
(i) before any notice to you of the dispute, your use of, or demonstrable preparations to use, the domain name or a name corresponding to the domain name in connection with a bona fide offering of goods or services”
With respect, in my view the suggestion that paragraph 4(c)(i) might have been found to apply here is tenuous, given the historic conflict between Pearson and Automattic’s head regarding the Thesis theme. That historic conflict must, in my view, colour the analysis of whether the name was being used in connection with a bona fide offering of goods or services. Cross-examination on this point in court proceedings could be fertile ground for a litigator. Note also that $100,000 is a lot of money to pay for an allegedly generic domain name that has no obvious connection with Automattic’s business. It would be interesting to see Automattic’s domain name inventory.
The second element of the Panel’s reasoning that I want to zoom in on is this:
“[Pearson] claims that [Automattic’s] use of the disputed <thesis.com> domain name is to divert and confuse customers and potential customers. The Panel notes that [Pearson] did not include an exhibit showing that <thesis.com> redirects to a webpage owned by Respondent. The Panel suggests that the submissions might point toward use by [Automattic] that would support findings of bad faith, pursuant to Policy ¶ 4(b)(iv) if evidence had been adduced to that effect. However, Complainant failed to bring that proof to the Panel.”
Paragraph 4(b)(iv) of the UDRP says this:
b. Evidence of Registration and Use in Bad Faith. For the purposes of Paragraph 4(a)(iii), the following circumstances, in particular but without limitation, if found by the Panel to be present, shall be evidence of the registration and use of a domain name in bad faith:
(iv) by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other on-line location, by creating a likelihood of confusion with the complainant’s mark as to the source, sponsorship, affiliation, or endorsement of your web site or location or of a product or service on your web site or location.”
According to the Panel, Pearson hadn’t adduced evidence to this effect. Had he done so, he may have succeeded. At the date of writing this post, thesis.com still redirects to themeshaper.com and let’s not forget that themeshaper.com is now an Automattic property. The left sidebar states expressly that it’s the “home to the Automattic Theme Division”.
The other point to note is that the four circumstances in paragraph 4(b) of the UDRP are not an exhaustive list of the scenarios in which bad faith might be found. If you look at the opening wording above, it says “the following circumstances, in particular but without limitation“. The listed scenarios are scenarios which will, if proved, indicate bad faith but they do not (in my view) preclude a panel from finding bad faith in other scenarios. That is the effect of the words “but without limitation”.
Other legal remedies
I noted at the outset that the UDRP dispute resolution process has it roots in contract. The registrant of a domain name agrees to submit to the dispute resolution process in its contract with the registrant.
The UDRP process is not, however, the only means by which a person can seek a remedy when feeling aggrieved by another person’s registration of a domain name that conflicts with existing trademark rights. And the fact that a complainant is unsuccessful before a UDRP panel doesn’t necessarily mean the outcome would be the same in court proceedings. Depending on the facts of a given case and the country in which a claim is brought, other remedies may lie in trademark law (for trademark infringement), tort law (for something called passing off) or fair trading or cybersquatting legislation (which exists in some countries but not others).
I make no comment on how the pursuit of such other remedies might pan out in this particular situation. For one thing there’s the fact that themeshaper.com itself isn’t overtly selling anything. At the same time, it is promoting themes on WordPress.org and, more significantly, it does link to Automattic’s commercial ventures, through the “Blog at WordPress.com” link and the Automattic image link in the footer.
Let’s wrap it up
I think I’ve said about all I want to say. As a long-time WordPress user and community observer, it has been tempting to express my own non-legal views on what’s happened here but, because I said this would be a legally oriented post, I haven’t. The only thing I’ll say is that I hope fallout management is in place because this episode seems to have reopened a rift in the WordPress community that many thought was long closed.
If you’re a designer who source images for a client’s website, do you ensure you and your client have the right to use them?
An interesting wee tale
A UK case from 2012 provides a number of important reminders for those who design and own websites, including public sector agencies (Hoffman v Drug Abuse Resistance Education (UK) Ltd  EWPCC 2 (19 January 2012)). It’s an interesting tale about a website owner who copied photos from another website in the mistaken belief that they were Crown copyright photos that could be re-used without permission when, in fact, they could not. There’s a photographer, a charity, a web developer, a government-sponsored website, the photos and … a copyright infringement claim. This isn’t a WordPress-specific story, but one that may be of interest to some WordPress users.
Briefly, the main facts appearing from the judgment are these:
Mr Hoffman was the copyright owner of a range of photos of drugs;
the defendant charity published copies of those photos on its website;
the defendant had used a web design firm to produce its website;
that firm had found a Government sponsored website called “Talk to FRANK” on which the photographs appeared;
the defendant understood that the site was covered by Crown copyright and that the images could be re-used when, in fact, they could not; the photos were not Crown copyright;
the Department of Health acknowledged the site was not clear and tried to pursue the matter on behalf of the defendant (and others) but without success;
Mr Hoffman brought proceedings against the defendant for copyright infringement.
The defendant’s position was that it “had not intentionally or knowingly infringed [Mr Hoffman’s] copyright” and “the Department of Health and their misleading web site were the cause of any infringement”.
The Court decided that the defendant was in fact liable. The fact that the defendant may have thought that it had permission to use the images was not a defence to infringement under the relevant provision of England’s Copyright Designs and Patents Act 1988. Similarly, the fact it had employed a firm to produce the website did not enable the defendant to avoid liability.
The defendant could also not rely on section 97(1) of the Act which states that “[w]here in an action for infringement of copyright it is shown that at the time of the infringement the defendant did not know, and had no reason to believe, that copyright subsisted in the work to which the action relates, the plaintiff is not entitled to damages against him, but without prejudice to any other remedy.” The court sympathised with the defendant but held that the facts did not support reliance on this defence:
“The defendant understood it had permission under what it understood to be the relevant copyright. That is a very different thing from an argument that the defendant had no reason to believe copyright subsisted at all … . To believe that one had permission under (in this case) Crown copyright is the opposite of a belief or reason to believe that there is no copyright in existence.”
The court awarded damages, interest and costs in favour of Mr Hoffman.
The case serves as a reminder for a number of players in the web industry, including (on the facts of this case) public sector agencies:
web designers need to be careful when suggesting to clients that they can reuse copyright images or other copyright content from other websites; without permission from the true copyright owner, such content should not be re-used;
if in doubt as to whether third party web content can be re-used, the safest course is to get in touch with the site owner (or, if it’s clear that the content comes from another source, that source);
public sector agencies need to be careful when describing the copyright status and re-use permissions of copyright content on their websites because, if they get it wrong, they can expose members of the public to risk at the hands of the true copyright owners (and could themselves be the subject of challenge or feel at least ethically obliged to assist those who have unwittingly upset the true copyright owners); and
website owners need to be careful to ensure, when using third party copyright content on their websites, that sufficient rights clearance processes have been followed (unless they are happy to run the risk of a claim of infringement).
What about you?
Have you ever found yourself in a similar position? If so, feel free to chime in with a comment below.
As many will know, the WordPress Foundation has commenced court proceedings against Mr Yablon and PC-VIP, Inc in relation to the use of “WordPress” in “The WordPress Helpers” website and multiple domain names: thewordpresshelpers.com, thewordpresshelpdesk.com, thewordpresstrainers.com, thewordpressteachers.com, thewordpressdoctors.com, wordpresstraffic.com and thewordpresstutors.com. Attempts to resolve the matter without resorting to court proceedings have, it seems, been unsuccessful.
The WordPress Foundation’s complaint against Mr Yablon and PC-VIP, Inc, filed with the United States District Court for the Northern District of California, contains five claims for relief. It also seeks a jury trial. The complaint is available online if you’d like to read it.
Fools rush in where angels fear to tread
I don’t propose to express an opinion on whether and if so how many of the claims may succeed. Not only is it more appropriate to leave that to US trademark and cybersquatting attorneys but we are yet to see a statement of defence from the defendants and we are probably not fully aware of the full range of facts (other than the obvious ones) that underpin the WordPress Foundation’s complaint and that will need to be established for at least some of the claims.
Instead, I propose to summarise the claims and then provide, for each, the main U.S. statutory provisions that underpin the claims (hopefully I’ve found the latest versions). My goal here is simply to provide those interested in this dispute with more information as to the bases for the claims. Note that in some cases I’ve only included the main ’cause of action’ provisions and not all the provisions setting out the remedies that may be available where a cause of action (or claim) is established. There’s only so much of this stuff you’ll want to read… . After that, I’ll make a few comments on the nature of these proceedings and close this post by summarising an interesting US trademark / domain name case from 2003.
1. Infringement of federally registered trademarks, in violation of the Lanham Act, including but not limited to 15 USC § 1114, for which it seeks injunctive relief and damages
5 U.S. Code § 1114 – Remedies; infringement; innocent infringement by printers and publishers
(1) Any person who shall, without the consent of the registrant—
(a) use in commerce any reproduction, counterfeit, copy, or colorable imitation of a registered mark in connection with the sale, offering for sale, distribution, or advertising of any goods or services on or in connection with which such use is likely to cause confusion, or to cause mistake, or to deceive; or
(b) reproduce, counterfeit, copy, or colorably imitate a registered mark and apply such reproduction, counterfeit, copy, or colorable imitation to labels, signs, prints, packages, wrappers, receptacles or advertisements intended to be used in commerce upon or in connection with the sale, offering for sale, distribution, or advertising of goods or services on or in connection with which such use is likely to cause confusion, or to cause mistake, or to deceive,
shall be liable in a civil action by the registrant for the remedies hereinafter provided. Under subsection (b) hereof, the registrant shall not be entitled to recover profits or damages unless the acts have been committed with knowledge that such imitation is intended to be used to cause confusion, or to cause mistake, or to deceive.
2. False designation of origin and unfair competition, in violation of 15 USC § 1125(a), for which the WordPress Foundation seeks injunctive relief and damages
15 U.S. Code § 1125 – False designations of origin, false descriptions, and dilution forbidden
(a) Civil action
(1) Any person who, on or in connection with any goods or services, or any container for goods, uses in commerce any word, term, name, symbol, or device, or any combination thereof, or any false designation of origin, false or misleading description of fact, or false or misleading representation of fact, which—
(A) is likely to cause confusion, or to cause mistake, or to deceive as to the affiliation, connection, or association of such person with another person, or as to the origin, sponsorship, or approval of his or her goods, services, or commercial activities by another person, or
(B) in commercial advertising or promotion, misrepresents the nature, characteristics, qualities, or geographic origin of his or her or another person’s goods, services, or commercial activities,
shall be liable in a civil action by any person who believes that he or she is or is likely to be damaged by such act.
3. Violation of the Anticybersquatting Consumer Protection Act under section 43(d) of the Lanham Act, 15 USC § 1125(d), for which the WordPress Foundation seeks immediate transfer of any names incorporating the WordPress trademarks and statutory damages
(d) Cyberpiracy prevention
(A) A person shall be liable in a civil action by the owner of a mark, including a personal name which is protected as a mark under this section, if, without regard to the goods or services of the parties, that person—
(i) has a bad faith intent to profit from that mark, including a personal name which is protected as a mark under this section; and
(ii) registers, traffics in, or uses a domain name that—
(I) in the case of a mark that is distinctive at the time of registration of the domain name, is identical or confusingly similar to that mark;
(II) in the case of a famous mark that is famous at the time of registration of the domain name, is identical or confusingly similar to or dilutive of that mark; or
(III) is a trademark, word, or name protected by reason of section 706 of title 18 or section 220506 of title 36.
(i) In determining whether a person has a bad faith intent described under subparagraph (A), a court may consider factors such as, but not limited to—
(I) the trademark or other intellectual property rights of the person, if any, in the domain name;
(II) the extent to which the domain name consists of the legal name of the person or a name that is otherwise commonly used to identify that person;
(III) the person’s prior use, if any, of the domain name in connection with the bona fide offering of any goods or services;
(IV) the person’s bona fide noncommercial or fair use of the mark in a site accessible under the domain name;
(V) the person’s intent to divert consumers from the mark owner’s online location to a site accessible under the domain name that could harm the goodwill represented by the mark, either for commercial gain or with the intent to tarnish or disparage the mark, by creating a likelihood of confusion as to the source, sponsorship, affiliation, or endorsement of the site;
(VI) the person’s offer to transfer, sell, or otherwise assign the domain name to the mark owner or any third party for financial gain without having used, or having an intent to use, the domain name in the bona fide offering of any goods or services, or the person’s prior conduct indicating a pattern of such conduct;
(VII) the person’s provision of material and misleading false contact information when applying for the registration of the domain name, the person’s intentional failure to maintain accurate contact information, or the person’s prior conduct indicating a pattern of such conduct;
(VIII) the person’s registration or acquisition of multiple domain names which the person knows are identical or confusingly similar to marks of others that are distinctive at the time of registration of such domain names, or dilutive of famous marks of others that are famous at the time of registration of such domain names, without regard to the goods or services of the parties; and
(IX) the extent to which the mark incorporated in the person’s domain name registration is or is not distinctive and famous within the meaning of subsection (c).
(ii) Bad faith intent described under subparagraph (A) shall not be found in any case in which the court determines that the person believed and had reasonable grounds to believe that the use of the domain name was a fair use or otherwise lawful.
4. Unauthorized use of the WordPress trademarks contrary to the California Business and Professions Code § 14245, for which the WordPress Foundation seeks injunctive relief, recovery of profits and damages
California Business and Professions Code Section 14245
(a) A person who does any of the following shall be subject to a civil action by the owner of the registered mark, and the remedies provided in Section 14250:
(1) Uses, without the consent of the registrant, any reproduction, counterfeit, copy, or colorable imitation of a mark registered under this chapter in connection with the sale, distribution, offering for sale, or advertising of goods or services on or in connection with which the use is likely to cause confusion or mistake, or to deceive as to the source of origin of the goods or services.
(2) Reproduces, counterfeits, copies, or colorably imitates the mark and applies the reproduction, counterfeit, copy, or colorable imitation to labels, signs, prints, packages, wrappers, receptacles, or advertisements intended to be used upon or in connection with the sale or other distribution in this state of goods or services. The registrant shall not be entitled under this paragraph to recover profits or damages unless the acts have been committed with knowledge that the mark is intended to be used to cause confusion or mistake, or to deceive.
5. Unfair competition contrary to the California Business and Professions Code § 17200 et seq, for which the WordPress Foundation seeks injunctive relief and an order that the defendants disgorge all profits on the use, display or sale of the infringing services
California Business and Professions Code Sections 17200 et seq
17200. As used in this chapter, unfair competition shall mean and include any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising and any act prohibited by Chapter 1 (commencing with Section 17500) of Part 3 of Division 7 of the Business and Professions Code.
17201. As used in this chapter, the term person shall mean and include natural persons, corporations, firms, partnerships, joint stock companies, associations and other organizations of persons.
17202. Notwithstanding Section 3369 of the Civil Code, specific or preventive relief may be granted to enforce a penalty, forfeiture, or penal law in a case of unfair competition.
17203. Injunctive Relief–Court Orders
Any person who engages, has engaged, or proposes to engage in unfair competition may be enjoined in any court of competent jurisdiction. The court may make such orders or judgments, including the appointment of a receiver, as may be necessary to prevent the use or employment by any person of any practice which constitutes unfair competition, as defined in this chapter, or as may be necessary to restore to any person in interest any money or property, real or personal, which may have been acquired by means of such unfair competition. Any person may pursue representative claims or relief on behalf of others only if the claimant meets the standing requirements of Section 17204 and complies with Section 382 of the Code of Civil Procedure, but these limitations do not apply to claims brought under this chapter by the Attorney General, or any district attorney, county counsel, city attorney, or city prosecutor in this state.
17205. Unless otherwise expressly provided, the remedies or penalties provided by this chapter are cumulative to each other and to the remedies or penalties available under all other laws of this state.
A couple of comments
Whilst I won’t express an opinion on these claims, it is clear that the Court will need to consider a range of issues, both factual and legal. One of those issues is whether use of the WordPress trademark in the domain names is likely to cause confusion. Note that this issue is judged from an ordinary consumer’s point of view. Tech-savvy WordPress users with a solid understanding of the WordPress community (e.g., the Chandlers and the Lemas of this world) are highly unlikely to represent the ordinary consumer’s point of view. Think, instead, of someone who is relatively new to WordPress, who is having trouble with something, and who comes across the likes of thewordpresshelpers.com or thewordpresshelpdesk.com. Would there be a likelihood of confusion?
One other point I’d make is that it is likely to be particularly time-consuming and expensive (perhaps very expensive) to see this matter through to trial. And if all the remedies sought against the defendants were to be granted, the consequences might be severe. For these reasons, and in drawing on my 10 years’ experience (in an earlier life) as a litigation lawyer, we may well see this case settle before a jury gets its hands on it. Only time will tell. For now, though, the parties seem entrenched and ready for battle.
A case study
I thought I’d end this post by noting the case of PACCAR Inc v TeleScan Technologies LLC, 115 F. Supp. 2d 772 (E.D. Mich 2000), aff’d in part, 319 F.3d 243 (6th Cir. 2003) which is usefully summarised in J D Hart’s excellent Internet Law: A Field Guide(6 ed, BNA Books, 2008), as follows:
“PACCAR, a manufacturer of heavy trucks and truck parts under the “Peterbilt” and “Kenworth” trademarks, filed suit against TeleScan Technologies, the operator of several websites that allow consumers to locate new and used heavy truck dealers. TeleScan had registered domain names that incorporated PACCAR’s trademarks (peterbilttrucks.com, kenworthtrucks.com, peterbiltnewtrucks.com, kenworthdealers.com and others).
The trial court issued a preliminary injunction, ordered TeleScan to transfer registration of the challenged domain names to PACCAR, and enjoined [i.e., prohibited] TeleScan from using any PACCAR mark or colorable imitation of any such mark in any domain name, metatag, or portion of a web page (such as “wallpaper”) if such use would cause consumers to associate the Peterbilt or Kenworth marks with TeleScan. The court also ordered TeleScan to post the order on its website.
The trial court applied traditional analysis to PACCAR’s claims of trademark infringement and dilution under the Lanham Act. The trial court rejected TeleScan’s argument that its use of the PACCAR marks in its domain names was akin to the user of a manufacturer’s marks to identify a vehicle in a classified ad or to identify merchandise for the purpose of stocking, displaying, or reselling. The trial court stated, “[A] classified advertisement communicates information as to the source of the truck, not information as to the seller of the truck. Words in domain names, however, do communicate information as to the nature of the entity sponsoring the website.” 115 F. Supp. 2d at 779. Because the domain names identified the websites, not the trucks that TeleScan advertised via those websites, the court found trademark infringement and dilution.
The U.S. Court of Appeals for the Sixth Circuit affirmed the trial court’s injunction, except to the extent it had enjoined TeleScan from using PACCAR marks in its metatags. The appellate court rejected TeleScan’s argument that its disclaimer disavowing affiliation with the trademark owner corrected any initial interest confusion caused by TeleScan’s use of PACCAR’s marks in its domain names.”
For now, over and out.
Update after initial post published
Jeff Chandler has drawn my attention to Aaron Hall’s article “‘Nominative Fair Use’ Allows Trademark Used on Website & Domain Name'”. The article and the Toyota / Lexus case to which it refers are certainly interesting.
The case involved (among other things) the defendants’ use of the trademark “Lexus” in some domain names (buy-a-lexus.com and buyorleaselexus.com). The District Court found trademark infringement but the United States Court of Appeals for the Ninth Circuit disagreed and held it was a situation of nominative fair use. The case is, I suggest, essential reading. It’s available online. I suspect the defendants may seek to rely on it. In that event, I would expect the WordPress Foundation’s lawyers to try to distinguish it on the facts; that is, they would say the facts are quite different here. They might say, for example, that it’s not like you can describe a Lexus car with LX or LS or the like. Compare WP that is commonly used to refer to the WordPress software; a practice that has become something of a community norm. WordPress is subject to trademark protection. WP is not. WordPress Foundation lawyers are also likely to refer to potentially useful passages in the judgement but bear in mind that so too are the defendants.
A part of me would not want to see this case go to trial because it is so easy for the defendants to make it go away and the risks they face are high. They don’t have to do that though (meaning they’re entitled to contest this in court of they wish) and there’s another part of me that would like it to go trial as the ultimate judgment (I say ultimate because a first instance decision might be appealed) could be expected to provide useful guidance. If this case does make its way to trial, the judgment will be a fascinating read!
When I refer to the “licensor”, I’m usually talking about the stock imagery service. When I refer to the “licensee”, I’m talking about the person or organisation that is purchasing a license from the stock imagery service to use the selected images in his, her, its or a client’s end site, product or service. IP is a common acronym for intellectual property (such as copyright) and IPR is a common acronym for intellectual property rights.
Images used at licensee’s risk
If the quality and pricing of the images across these two services (for example) were the same, I know which one I’d prefer.
Single user restrictions
“Editorial Use Only” content
I have seen a number of stock imagery provider terms which state that content that is marked “Editorial Use Only” cannot be used in certain ways. Sometimes “Editorial Use” may restrict use in certain types of websites. This may make it important to consider whether, if you’re using an “Editorial Use Only” image, you’re permitted to use it in the way you wish.
Web use limited to 72dpi
Care in use of images featuring models or other persons
Sometimes terms may state, for example, that if any content featuring a model or property is used in connection with a subject that would be unflattering or unduly controversial to a reasonable person, one “must accompany each such use with a statement adjacent to the Content that indicates that: (i) the Content is being used for illustrative purposes only; and (ii) any person depicted in the Content, if any, is a model, unless the Content itself clearly and undisputedly reflects the model or person in such potentially sensitive subject matter in which case the Content may be used or displayed in a manner that portrays the model or person in the same context and to the same degree depicted in the Content itself”. If this were relevant to your use of a given stock image, compliance may have design or presentation implications. Where that’s the case, you may wish to look elsewhere for your image.
Guarantees and indemnities in favour of the stock imagery provider
Hi everyone. This is a slightly edited re-posting of a guest post I wrote for BobWP. I’m re-posting it here, with Bob’s blessing, simply because I like to keep all my content in one place.
As many readers will know, when sourcing images for your blog or website, you can’t just do a Google images search, find an image you like, copy it and insert it in your post editor. Well, you can, physically, but legally this is a recipe for copyright infringement.
If you don’t have your own images, two common alternatives are to:
purchase a licence to images from the likes of iStock, Shutterstock and Bigstock; or
find and use images that have been either licensed under a Creative Commons licence or released into the public domain under CC0 (pronounced CC zero).
In this post, I’m going to focus on the latter: Creative Commons. Whilst some people are familiar with Creative Commons licensing, many people are not, particularly if they’ve had no need to use Creative Commons-licensed material in the past or to release material under a Creative Commons licence. For this reason, I’m going to:
introduce Creative Commons and its licences; and
explain how to comply with the attribution requirements that are common to all of the Creative Commons licences (but not CC0).
I’ll also explain what CC0 is all about and how it differs from the Creative Commons licences.
Creative Commons and its licences
For those not familiar with Creative Commons, here’s a short intro: Creative Commons is a non-profit organisation founded in the United States in 2001 by proponents of reduced legal restrictions on the sharing and use of copyright works. Headquartered in California, it also has affiliate organisations around the world. It aims to establish a middle way between full copyright control and the uncontrolled uses of intellectual property. To do so, it provides a range of copyright licences, freely available to the public, which allow those creating intellectual property to mark their work with the freedoms they want it to carry. As Creative Commons puts it on its website:
“Our tools give everyone … a simple, standardized way to keep their copyright while allowing certain uses of their work — a “some rights reserved” approach to copyright — which makes their creative, educational, and scientific content instantly more compatible with the full potential of the internet. The combination of our tools and our users is a vast and growing digital commons, a pool of content that can be copied, distributed, edited, remixed, and built upon, all within the boundaries of copyright law.”
There are six Creative Commons licences. The licences all confer a set of baseline rights on licensees (e.g., as to copying, use and distribution) and a set of baseline obligations and restrictions (e.g., licensees cannot sublicense the licensed work and they must not falsely attribute the work to someone else). All of the licences also contain one or more “licence elements”. There are four Creative Commons licence elements: Attribution, NonCommercial, NoDerivatives and ShareAlike. The Attribution element is common to all of the licences. The other three elements are used in different combinations across five out of the six licences. Here’s a handy video produced by the New Zealand Creative Commons affiliate (Creative Commons Aotearoa New Zealand) that explains the licences in more detail:
Complying with attribution requirements
As noted above, and as you’ll have heard in the video, the Attribution element (or requirement) is common to all of the licences.
Each of the Creative Commons licences comes in the form of both a “human readable summary” and the full legal terms. It is the full legal terms that are binding. The human readable summary for the Creative Commons Attribution 4.0 International licence describes the attribution requirement as follows:
“Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.”
The legal text that the human summary is summarising, in the Creative Commons Attribution 4.0 International licence, is as follows:
“Section 3 – License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
1. If You Share the Licensed Material (including in modified form), You must:
A. retain the following if it is supplied by the Licensor with the Licensed Material:
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of warranties;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.”
This might make you think attribution is complicated but, in reality, it’s really quite simple because most people who license photos under Creative Commons licences do not specify any particular form of attribution or any particular notices. Where that is the case, and where you’re simply copying and not adapting the photo, this kind of attribution will suffice (this one is an example of the statements I’ve used on WP and Legal Stuff for Creative Commons licensed images):
Note that I’ve provided links to both the source of the image on Flickr and to the URL for the Creative Commons licence. You don’t have to say “Thanks to [name of author/photographer]”. I just do that sometimes because I want to express my gratitude. You can drop the gratitude if you like and say something like this:
You might be wondering why the attribution statement above refers to what is now an old version of a Creative Commons licence (the Creative Commons Attribution-ShareAlike 2.0 Generic licence). The reason for this is that this is the licence version that Flickr has used and made available to its users (that is, users who want to apply a Creative Commons licence to their photos) for many years.
If an image were licensed under the newer Creative Commons 4.0 International licences, the attribution statement would be along these lines (in this example I’m using the Creative Commons Attribution 4.0 International license):
Sticking with the 4.0 International licences for now, you’ll have seen above that the Creative Commons Attribution 4.0 International licence states that you must “indicate if You modified the Licensed Material and retain an indication of any previous modifications”. A similar requirement (albeit not identical) exists in earlier versions of the licences. This means that if you do modify a photo that is licensed under a Creative Commons licence that allows modification (i.e., all variants of the licences except the NoDerivative forms), you need to indicate that you modified it. I’ve modified a Creative Commons licensed image for the featured image in this post (this particular image was licensed under a Japanese Creative Commons Attribution licence). At the bottom of this post, I’ve attributed the image as follows:
Does using a Creative Commons licensed image mean I’m bullet-proof from a copyright infringement claim?
The answer to this question is no because usually you’ll have no way of knowing whether the person who applied the licence to the image was the owner of the copyright in the image or was authorised by the true owner to release it under the selected Creative Commons licence. That said, in all the time I’ve been using Creative Commons licensed images, I’ve not had a single problem. This, I suspect, is also likely to be the case for the vast majority of people across the planet who use Creative Commons licensed images.
If someone were to complain that his or her image had been taken by another person and Creative Commons licensed without permission, the simplest solution would be to take the image off your site and replace it with a different image. Theoretically the true owner could pursue you for copyright infringement but, in the vast, vast majority of cases, that is highly unlikely.
Personally, I have no qualms at all about using Creative Commons licensed images, despite the theoretical risk I’ve just discussed. The only reservation I have relates to using Creative Commons licensed images of identifiable people. I’ll discuss that point below.
CC0 is not primarily a licence. It’s a tool that seeks to enable an owner of copyright in a work to waive the copyright in that work, thereby freeing it of copyright-related restrictions on re-use and releasing it into the public domain (at least from a copyright perspective). It also states that, if or to the extent that the waiver is legally ineffective in a given country, an extremely broad and obligation-free licence is granted instead; this is generally known as the ‘licence-fallback’. So the tool, in essence, is a waiver + licence fallback.
There is no attribution requirement for an image that is released under CC0, even if the waiver is ineffective and the licence fallback kicks in. You can, therefore, use a CC0’d image without having to make any attribution back to the owner/author/photographer.
The best source of high quality CC0’d images on the web (in my view anway) is Unsplash. Here’s an example:
A potentially broad range of rights
You might think that a photographer who owns the copyright in an image (which they often will do under their contracts with customers) could do whatever he or she likes with it, that he or she could (for example) license it under any Creative Commons licence or release it under CC0. In many cases that will be true but the position needs to be qualified where an identifiable person appears in the photo, particularly if that person commissioned the photo or the photo is somehow private in nature. This is because, in such circumstances, the totality of rights involved may be greater than just copyright.
Depending on the circumstances and the country’s laws that apply, the person in the photo may have privacy rights, the right to be shown in the photo in a particular manner, contractual rights in his or contract with the photographer (if there is one), character merchandising rights, publicity rights and/or other rights to control one’s own image or personality (this last one being more common in civil law jurisdictions).
For example, photos taken in a person’s home or on some other private property may be private in nature and, in some countries, even photos taken of a person in a public place have the potential to be private in nature if, for example, the photos were obviously private or their publication could be offensive in some other way. And particular care needs to be taken with photographs of children (on this point see the United Kingdom Court of Appeal’s decision in a case involving the taking of JK Rowling’s child when the family was out for a walk in the street: Murray v Big Pictures (UK) Ltd  EWCA Civ 446). It is important to emphasise too that the relevant rights and the circumstances in which consent is required differ from jurisdiction to jurisdiction.
The kinds of rights referred to above will, when they exist, often limit the circumstances in which a photo of a person can be used, even where in a given country the photographer is the copyright owner.
This is the main reason for so-called “model releases”, or “image releases” as they are also known. They serve two main purposes: obtaining the relevant permissions from the subject of the photo and protecting the photographer (and potentially other users depending on the breadth of the release) from liability in relation to any use that falls within the scope of the release. In essence, a model release allows certain specified uses and releases the authorised person(s) from liability in relation to those uses. You can find some examples of model releases here and here.
If you’re not sure whether a Creative Commons licensed or CC0’d photo of an identifiable person has been the subject of an appropriately wide model/image release, you may want to be careful about using the image on your site. Either that or, if the person in the photo were to complain, take the photo down immediately.
If you have any questions on this post, please feel free to ask them in the comments below. I’ll do my best to answer. Have a great day!
These terms were over 4,500 words long. I’m not sure how any user is supposed to understand what has changed in these circumstances. In many if not most countries, users will bound by the changes, thanks to what’s called a unilateral variation clause (a clause that allows one contracting party to amend a contract’s terms without the consent of the other party) together with a fairly standard “you’re responsible for reviewing the terms on a regular basis” statement, but the point I’m driving at here is not a legal one. It’s a ‘respect your customers’ one.
A statement in any of these places doesn’t need to specify the changes word by word with military precision, but it is helpful to summarise the changes for the (perhaps small) subset of customers who might actually care about what could be a change to their contractual rights or obligations.
Now, I know that many sites don’t do this and that many customers wouldn’t care but, in a competitive market, why risk losing those customers who might care about such things to a competitor?