The Political Web

I made a thing.

On Sunday I mentioned how OpenTech always makes me feel a bit embarrassed that I’m not doing more useful stuff – particularly in the kinds of areas that OpenTech speakers care about.

Usually, real life takes over before I get a chance to do anything about it and I forget about my embarrassment until the next OpenTech. This year, I managed to harness my embarrassment and actually do something productive.

It’s not like I built anything from scratch. This is really just me finally shipping something that I’ve been working on (off and on – more off than on) for almost five years. I built the first prototype at a hack day in 2008. I even wrote about it at the time.

The Political Web is a site that is intended to be a one-stop-shop for finding out information about British MPs. Currently each MP has a page which lists a number of standard web pages that contain information about the MP (Wikipedia, The Guardian, TheyWorkForYou – things like that). Of course each MP also has a number of non-standard pages on the internet (an official web site, a blog, perhaps a Twitter account) and adding those is going to be a harder job.

Previously two things have stopped me launching this. One was the fact that I wanted to support all of those other sources of information. But I’ve decided to go for a “minimum viable product” approach and show you what I’ve already got. The other thing that prevented me talking about it much was that I thought I’d need someone to make it look nice (my web design skills are horrible). But the arrival of Bootstrap means that even a design ignoramus like me can build a site that looks more than half-decent.

So there you go. It’s there for you to play with. And there will (hopefully) be more coming soon. Please let me know if you find it useful.

And thanks to all the giants whose shoulders I’m standing on. The site wouldn’t exist without the TheyWorkForYou API, the Perl Dancer framework and Twitter Bootstrap.


Internet Security Rule One

Internet security rule one is “do not share your password with anyone”. There should be no exceptions to this rule. If anyone asks you to share your password with them, your answer should always be no.

Sometimes people say “oh well, it’s only a password for [some unimportant web site] – what harm could it do?” And, of course, perhaps giving someone your password for that particular unimportant web site won’t do any harm. But it’s a chink in your armour. By revealing your password for that site you’ve set a precedent. You just might be that little less protective the next time that someone asks you to share your password.

It’s called the Password Anti-Pattern and its shortcomings have been well-documented for several years. I wrote about it with specific reference to Twitter a few years ago.

There are two levels of problem here. Firstly there’s the fact that you’ve given a third party complete access to interact with the web site for you. If it’s your Twitter password you’ve given away then the third-party service can do anything to your Twitter account that you can do yourself – right up to closing your account.

I assume that everyone can work that out for themselves. But the second problem is more subtle. Obviously any web site where I have an account is storing my password somewhere (probably in a database). And any third-party service that I want to share my password with also stores that password. So what’s the difference?

The difference is that the original web site is (hopefully) following basic password storage principles and storing my password using non-reversible encryption. The third-party site can’t do that. The third-party site needs access to the plain-text version of the password so it can be used to log on to the original web site. Oh, sure, they’ll hopefully store the password in their database in some encrypted format, but it will have to be a reversible encryption so that they can get a plain-text version of it back when they need to use it to log in to the original site.

So if someone somehow gets a copy of the original web site’s database, your password is held in some industrial-strength non-reversible encrypted format. But if they get a copy of the third-party service’s database, they’ll have your password in a far less secure format. If, at the same time, they manage to grab the third-party service’s source code then they’ll know exactly what process to follow to get the plain-text version of your password from the encrypted version.
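The storage difference described above, as an added example (not code from either site): `site_store` keeps only a salted PBKDF2 hash, which is what the post's "non-reversible encryption" amounts to in practice, while `third_party_store` has to keep something it can turn back into the password. The function names, the work factor and the HMAC-based toy cipher (a stand-in for a real cipher such as AES-GCM) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumption: work factor picked for this example


def site_store(password: str) -> dict:
    """What the original site keeps: a random salt and a one-way derived hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def site_verify(record: dict, candidate: str) -> bool:
    """Login check: re-derive from the candidate and compare in constant time.

    Nothing in the record can be turned back into the password; the only
    operation available is "does this guess match?".
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, record["hash"])


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode), standing in for a real cipher.

    It exists only to make the example reversible with the standard library;
    it has no integrity protection and is not meant for production use.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def third_party_store(password: str, service_key: bytes) -> dict:
    """What the third party keeps: ciphertext it can decrypt whenever it logs in."""
    nonce = os.urandom(16)
    data = password.encode()
    stream = keystream(service_key, nonce, len(data))
    return {"nonce": nonce, "ciphertext": bytes(a ^ b for a, b in zip(data, stream))}


def third_party_recover(record: dict, service_key: bytes) -> str:
    """The step the third party must be able to run, and so can anyone
    who obtains both its database and its key."""
    data = record["ciphertext"]
    stream = keystream(service_key, record["nonce"], len(data))
    return bytes(a ^ b for a, b in zip(data, stream)).decode()


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    service_key = os.urandom(32)  # held by the third-party service alongside its data
    site_row = site_store(password)
    third_party_row = third_party_store(password, service_key)
    return {
        "site_accepts_right": site_verify(site_row, password),
        "site_accepts_wrong": site_verify(site_row, "wrong guess"),
        "site_hash_len": len(site_row["hash"]),  # 32 bytes whatever the password length
        "third_party_recovers": third_party_recover(third_party_row, service_key),
    }


if __name__ == "__main__":
    print(demo())
```

The site's row supports only a yes/no check per guess, each costing the full work factor; the third party's row gives the exact password back in one step to whoever holds the key.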

Of course, you’d hope that their data centre is secure and no-one will ever steal their database or their source code. But it could happen. And the more passwords that you share, the more chance there is that someone, somewhere will get hold of data that you’d rather not have.

There is, of course, a way round this. It’s called OAuth. With OAuth, you don’t need to give anyone your password. You can authorise certain applications (or services) to take certain actions on your behalf on particular web sites. So, for example, I can let Twitterfeed post to my Twitter account without giving it my password. And that’s all it can do. It can’t follow new people, maintain my Twitter lists or close my account.

Twitter is a good example. In 2007 and 2008 a whole ecosystem grew up around Twitter. Many services offered cool and interesting services to add on to your basic Twitter account (Twitterfeed was one of them). But they all needed your Twitter username and password, so anyone who was at all security-conscious couldn’t use them. But in 2009 Twitter implemented OAuth. And, a few months later, they turned off the old authentication scheme so that you now only use OAuth to talk to Twitter.

The remaining problem is that OAuth only works when the original web site has implemented it. And that’s quite a lot of work. There are still many web sites out there which have lots of useful information locked behind a username and password with no other way to access it.

All of which brings me to what prompted this post. Earlier today a friend pointed me at a web site which provided a really useful service. But when I looked, it did it by asking for my login details for another web site. I’m not going to name either of the sites involved (my friend works for the third-party site and I don’t want to embarrass her), but it was a really useful service and it made me sad that I couldn’t use it.

Of course, as my friend explained, they had no alternative. The original site didn’t have OAuth support, so the only way they could get hold of the useful data was to log in as the user.

To my mind, that’s not a good reason for implementing the password anti-pattern. To my mind that’s where you say “oh well, that was a good idea – shame it’s not going to work” and start to lobby the original web site for some kind of OAuth support. But that’s not likely to happen as the point of this service is to compare different offerings and make suggestions of how the user could save money by switching to competitors. I can’t really see the original companies being keen to support that.

So we’re left with a situation where this third-party has implemented the password anti-pattern. And, as far as I can see, they’ve made quite a nice little business out of it. But it makes me really uncomfortable to see what they’re doing. I’m pretty sure that I can trust them with my data, but I’m not prepared to compromise my principles in order to access this useful service. They are teaching people that it’s okay to share their passwords. And it’s not. It never is.

And it doesn’t stop with this company promoting their own service. On their site they have testimonials from a number of well-known web sites, newspapers and television programmes saying what a wonderful service it is. They have technology correspondents, who I would expect to know better, singing their praises and encouraging people to sign up for the service – telling people to break the first rule of internet security.

It all makes me rather depressed.

Look, I’ll tell you what. I’ve got a really good idea for an add-on for your online banking service. Just leave the login details in a comment below and I’ll set it up for you.


Free Web Advice: TalkTalk

Ten days ago I got a cold-call from TalkTalk. They called me on a number which is registered with the TPS and I have no existing business relationship with them so they should not have called that number.

In this situation most people, and this includes me, will probably just be mildly rude to the caller and hang up. But on this occasion I decided that I would take it further. I went to their web site to find a way to complain to them.

They don’t make it easy to find a way to get in touch via their web site, but eventually I found this form. The form starts by asking what your question is about. But the choice of subjects doesn’t include “Unwanted Cold Calls”. Eventually I decided to use “Joining TalkTalk” as it was the only option that seemed even vaguely appropriate. My problems didn’t end there as the form then changed to present me with another list of options to choose from. Once more none of them matched so I chose “Before You Order” which was, at least, technically accurate.

Filling in the rest of the form was easy. I gave them my contact details, selected the option saying that I wasn’t a customer and wrote a description of my complaint.

Lesson one: Making it hard to contact you will not stop people from contacting you. It will only ensure that they are a little bit more angry with you when they eventually work out how to do it.

A couple of days later I got a reply by email. But it was useless. They said that they would remove my details from their marketing list (within 28 days!) but completely ignored my request for an explanation of why they thought it was reasonable to call me in the first place. So I replied to the email explaining in some detail why their response was unsatisfactory.

A few minutes later, I got an email telling me that my message could not be delivered as the email address was unknown. They had sent the email from an invalid email address. Presumably this is to stop people getting into a dialogue with them. Maybe it works for some people, but it didn’t work for me. I went straight back to the web form from hell and explained their shortcoming to them.

Lesson two: Never ever send customer complaint responses from an undeliverable email address. It gets your customers (and potential customers) really angry.

A couple of days later I got another reply. This one came from someone who at least seemed willing to try to deal with my problem. But they seemed somewhat confused. They said that they were unable to locate my file in their system and asked me to confirm whether or not I was a TalkTalk customer. Two problems with this. Firstly, they’re asking me to provide more details and not giving me an easy way to get the information back to them. And secondly, a few paragraphs back when I was talking about filling in the form for the first time I said that I “selected the option saying that I wasn’t a customer”. Yes, this information is included in the contact form. So why ask me for it?

Lesson three: If you ask someone for more information in order to progress a complaint, give them an easy way to get back to you. Otherwise they’ll just get even more angry.

Lesson four: If your contact form collects information, then make sure that information is available to the people dealing with the complaint. Asking people to repeat information that they have already given you is a great way to make them really angry.

I went back to the dreaded web form and filled it in again. Every reply I get has a case number assigned to it. Each new reply I submit generates a new case number. I’ve been copying the case numbers from the emails I’ve received and pasting them into the new request in the hope that someone will tie all of the replies together into a single thread.

Lesson five: Make it easy for your customer (or potential customer) to track the progress of their single ticket through your system. Forcing people to open multiple tickets for the same issue will just confuse your support staff and anger your customers.

Five simple lessons. All based around the idea that you really don’t want to make customers (or potential customers) angry. Let’s review the list.

Lesson one: Making it hard to contact you will not stop people from contacting you.
Lesson two: Never ever send customer complaint responses from an undeliverable email address.
Lesson three: If you ask someone for more information in order to progress a complaint, give them an easy way to get back to you.
Lesson four: If your contact form collects information, then make sure that information is available to the people dealing with the complaint.
Lesson five: Make it easy for your customer (or potential customer) to track the progress of their single ticket through your system.

Throughout this piece I’ve portrayed myself as a potential customer. I’m not, of course. The way the company have dealt with this complaint has ensured that I’m never going to do business with TalkTalk.

But I’ll continue pushing this until they answer my questions. I’ll let you know how I get on.


Free Web Advice: VirginMedia

I’m not a web designer, but I’ve been working in this industry since before there were web sites so I like to think I know a bit about what does and doesn’t work as far as web site usability goes. It’s mainly the stuff which doesn’t work that stands out. And there’s so much of it.

Earlier this week I was using the VirginMedia web site. Specifically, I wanted to log on to my account and download a PDF copy of my latest bill. There were three things in the process that really annoyed me. I should point out that I’m a registered user of the site, so I already had an account set up.

Username or email
The login screen asks for your username and password. That’s pretty standard stuff, of course. But when a site asks me for a username then I assume that it is going to be “davorg” (the username I’ve used on web sites for as long as I can remember). In this case, that’s not what they wanted. Your username on the VirginMedia site is your email address. Other sites use email addresses as your username, but in most cases they then label the field as “email”. Labelling it as “username” adds an unnecessary complication. I gave them my username and, as it was incorrect, the error message pointed out that my username would, in fact, be my email address. So they recovered from the problem well, but there was a moment or two of unnecessary frustration.

Limited length passwords
Having established what my username was, my next problem was remembering my password. I tried a few likely candidates and, eventually, resorted to the “forgot my password” link. That sent me an email containing a link to a page where I could set a new password. And that’s when I remembered why I had forgotten the original password.

VirginMedia have strange limits on what can go in your password. They have the usual stuff about having both letters and digits in your password, but they also have a maximum length of ten characters. That’s why I couldn’t remember it – most of my standard passwords are longer than that. It seems strange to restrict users to such short passwords.

It’s worrying in another way too. If you’re following best practice for dealing with users’ passwords then you won’t be storing the password in plain text. You’ll have some encrypted version of the password. And many of the popular encryption algorithms (for example, MD5) have the property that no matter how long the text that you start with is, the “hashed” version will always be the same length. So you create a database column of that length and you don’t need to restrict your users at all. Having this restriction isn’t conclusive proof that they’re storing plain text passwords, but it’s enough to worry me slightly.

Naming downloaded files
Having (finally) logged into my account it was easy enough to find the link to download my current bill. And within seconds I had the file on my computer. But the file was called “GeneratePDF”. And when I come to download next month’s bill that will also be called “GeneratePDF”. What has happened here is that GeneratePDF is the address in their web site that is used to… well… generate PDFs. And in the absence of other information, browsers will name downloaded files using the address that they came from. It’s easy enough to change that default behaviour using the content-disposition header. Using this header it would be easy to tell my browser to save the downloaded file as, for example, vm-2011-05.pdf. Anything would have been more useful than the current set-up. Notice that the current name doesn’t even have a ‘.pdf’ extension so it’s likely that on some computers double-clicking the downloaded file won’t open in the user’s PDF-reading software.
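One way a bill-download endpoint could set that header, as an added example (not VirginMedia's code): `bill_app` is a hypothetical WSGI handler standing in for GeneratePDF, and `bill_filename` produces the `vm-2011-05.pdf` style name suggested above. The example goes a little beyond the fixed-name case: `content_disposition` also strips path components and control characters, so a filename taken from less trusted input cannot inject extra header lines, and it adds the RFC 6266 `filename*` form for non-ASCII names.

```python
import re
from urllib.parse import quote


def bill_filename(year: int, month: int) -> str:
    """Name a bill after its billing period, e.g. vm-2011-05.pdf."""
    if not (1 <= month <= 12) or not (1900 <= year <= 9999):
        raise ValueError("billing period out of range")
    return f"vm-{year:04d}-{month:02d}.pdf"


def content_disposition(filename: str) -> str:
    """Build an 'attachment' Content-Disposition value for a download."""
    # Keep only the last path component, so "../../x.pdf" becomes "x.pdf".
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Remove control characters; CR and LF here would allow header injection.
    name = re.sub(r"[\x00-\x1f\x7f]", "", name)
    if not name:
        name = "download"
    # ASCII fallback for the quoted-string form, with awkward characters replaced.
    fallback = name.encode("ascii", "replace").decode().replace("?", "_")
    fallback = re.sub(r'["\\%;]', "_", fallback)
    value = f'attachment; filename="{fallback}"'
    if fallback != name:
        # RFC 6266 extended form carries the exact name, percent-encoded as UTF-8.
        value += "; filename*=UTF-8''" + quote(name, safe="")
    return value


def bill_app(environ, start_response):
    """Hypothetical handler: serves one bill with a useful download name."""
    pdf = b"%PDF-1.4\n% constructed placeholder body\n"  # constructed sample bytes
    headers = [
        ("Content-Type", "application/pdf"),
        ("Content-Length", str(len(pdf))),
        ("Content-Disposition", content_disposition(bill_filename(2011, 5))),
    ]
    start_response("200 OK", headers)
    return [pdf]
```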

So there you have three things that annoyed me about the VirginMedia site. And the really annoying thing is that two of them (the first and third) are really trivial to fix. The second is probably harder to fix, but it’s possibly evidence of some rather broken design decisions taken early in the process of developing this web site.

I tweeted these three issues on Wednesday and I got a response from the virginmedia Twitter account saying “Ok, some fair points there. Will feed this back for you, thanks for taking the time to let us know!” I’ll be downloading my bill every month, so I’ll let you know if anything gets fixed.


The Political Web

Long-time readers might remember The Political Web, a web site that I threw together at a BBC hack day a couple of years ago.

The site has languished as I haven’t had time to do anything with it for well over a year, but last night I refreshed the database that powers it so that it now contains details of all of the new constituencies and MPs.
I have other plans too (just no real idea when I’ll have time to implement them).

Election Imminent

There’s just over a month until the most likely looking date for this year’s General Election. I’m already getting canvassers knocking on my door and phoning me up even though the starting pistol hasn’t been fired yet.
It’s going to be an interesting election. Not least because so many people seem to be floating voters this time. It’s true that there’s a widespread dissatisfaction with the current government, but I’m hoping that people can cast their minds back to early 1997 and remember just how bad things were under the Tories. Perhaps this will be the election when the Lib Dems really break through. Or perhaps a number of smaller parties and independent candidates will be successful.
It’s certainly likely to be a more internet-aware election than we’ve had before. Far more MPs than ever before are blogging or twittering or otherwise using the internet to get their message out. Some of them are even using it to listen to the voters. To be honest I’m not sure to what extent (if at all) the internet is raising the level of the debate.
But the internet is making it easier for the voters to get information about the candidates. I wanted to bring your attention to three sites that you’ll probably find useful over the next five or six weeks.
  • Your Next MP is a community-driven site that hopes to have details of all of the candidates standing in all of the constituencies in the UK. Please check the details that they have for your constituency; correct anything that is wrong and add anything that is missing.
  • Skeptical Voter is another community-driven site, but this time with a more specific agenda. The people behind this site want to know what the candidates think about the issues that are important to people in the growing skeptical/rational movement. They plan to contact all of the candidates and find out their views on things like the teaching of creationism in schools and the role of scientific advisors in setting government policy. Once again, they’d appreciate your help in gathering as much data as possible.
  • Democracy Club is another site that is looking for volunteers. They are trying to gather a small group of volunteers for every constituency. Those volunteers will then be given various tasks to do. For example, they’re currently trying to track down the contact details for as many candidates as possible. The Democracy Club people are trying to gather as much data as possible about the various candidates which they then want to share with anyone who can make use of it. Your Next MP, for example, is making heavy use of candidate data generated by the Democracy Club.
So there you are. Three sites that are aiming to make you better informed about the coming election. And three sites that are trying to raise the level of debate by getting local people involved in local politics. I think that this can only be a good thing. I strongly recommend that you consider getting involved.

Competition is Good

For over two years, I’ve been running Planet Westminster. It’s a simple site which aggregates blog postings from all UK MPs. I built it in an afternoon (based on my software Perlanet) and have tweaked it here and there since then. I always thought that it would be good to have it working well before next year’s election campaign gets under way as I think that blogs will be an important part of that election.

This morning, I see that I’m not the only one with that idea. Blogminster is doing the same thing. And the annoying thing is that it seems to be doing it better than me. Not only does it just look nicer than my site (I never claimed to be a web designer!) but it has some really nice features – for example the ability to show just the blogs of MPs for just one party. They also have more MPs on their list than I have – it’s been a while since I did one of my sporadic trawls to find new MPs’ blogs. But that’s ok, I can just steal details from their list.

But I really need to put some effort into improving my site. Some things I’d like to do:

  • Make it look prettier
  • Just display the latest entry from each MP
  • Have filtered pages for each party
  • Have a separate page for each MP showing previous entries
  • Have an option to not display all of each entry (some MPs can write a lot)

There are also some things I need to work out with the parsing of the data and the formatting of the output.

Some of these improvements will also be useful to other people using Perlanet. Some of them are probably going to need to be custom built for this site.

It’s clear that I got the site to a “just barely usable” state and have largely ignored it since. I’ve proved that the concept works and is useful, but it’s not really in a suitable condition to be shared with the world. That needs to change.

If you have any interest in getting involved in fixing the site, then please let me know. I’m particularly interested in anyone who can make it look nicer.


Building Web Sites is Easy

The geek shall inherit the Earth. But the semi-geek won’t be far behind.

Back in April I wrote a piece about MPs’ web sites. I came to the conclusion that a large number of MPs have web sites that are over-complex and therefore cost more money to build and maintain than they should have done. They also fail in supplying basic functionality to users (for example, many have invalid web feeds) because they are often written from scratch by people who don’t really understand the web. I made the point that a real geek would have not written a new system, but would use some of the excellent open source or hosted services that are available.

I was reminded of this at the Open Tech conference in July[1]. There were a few talks that touched on this issue. In his “10 Cultures” talk, Bill Thompson discussed the differences between the geeks and the rest of the world and how the rest of the world is becoming dependent on the geeks. Immediately after Bill, Ben Goldacre’s talk touched on many of his usual subjects (the dearth of good science journalism and the lack of scientific literacy in the general population) before coming back round to echo some of Bill’s themes. Ben knows what tools he needs to build in order to fight his battles effectively and he knows that he’s not geek enough to build them. He therefore put out a call for a “geek posse” to help him to build the tools that he wants.

Both of these talks got me thinking about the geek/non-geek divide, but it wasn’t until I saw Will Perrin and Fran Sainsbury’s talk “Spread the Web” that I started to draw comparisons with the MPs’ sites that I’d written about earlier. Will and Fran talked about the problem of organisations who paid for expensive web sites many years ago and who are now left with a hard to maintain system that doesn’t give them a good presence on the web. This is exactly the same problem as I had recognised, but in a far wider context. It’s not just MPs who spend too much money on crap web sites. Anyone can do it. And many organisations do. Will and Fran aren’t hard-core geeks, but they know enough about WordPress and other similar systems to help organisations to replace their nasty old web sites with something newer and simpler which works.

Two weeks ago Lloyd Shepherd wrote about how he had set up a web site for his wife’s school using WordPress. Like Will and Fran, Lloyd is no geek (as he freely admits) but he knows enough about the technology to identify the best technology for the job and wrangle it into a web site which is probably more usable than the majority of school web sites. In his article, Lloyd asked why more people don’t do this and a really interesting discussion followed in the comments.

So here’s what we know:

  • There are many organisations out there who want web sites but don’t have the technical knowledge to decide how best to do it.
  • Many of these organisations (schools, charities and local groups would be good examples) are short of money.
  • The most effective way for these organisations to build web sites is often by using tools like WordPress and Drupal.
  • The IT professionals that most of these organisations approach for advice don’t seem to know about these solutions and end up proposing expensive proprietary monstrosities.
  • You don’t need to be a total geek to build these sites, “semi geeks” like Lloyd, Will and Fran are perfectly capable of doing it.

I think that the problem is that knowledge of the WordPress or Drupal approach is pretty sparse outside of the geek (and semi geek) circles that I and most of my readers move in. Even most of the IT industry still seems unaware (or, perhaps, untrusting) of these open source solutions.

I don’t have a solution. I’m just pointing out obvious problems here. I suppose there’s some kind of education gap that needs to be filled. I’m considering asking my local council if I can run some kind of “building web sites” evening class to try to spread this knowledge.

But I think we also just need to offer to help. Do you know a cash-strapped charity or local school that could do with a bit of help rebuilding their web site? You don’t need to be an expert. This stuff really isn’t hard. And you’ll be helping to make the world (well, the web at least) a better place.

If you’re not a hard-core geek can you become a semi geek?

[1] I said I’d discuss it in more detail later – I didn’t expect it would be almost three months!


Support From The Internet

I’m currently in Lisbon for YAPC Europe. I very nearly didn’t make it. I flew out on Friday and on Friday morning, about three hours before I was supposed to leave the house, I discovered that my passport was missing.

I realise, of course, that looking for your passport on the day that you are planning to travel is a rather stupid way to organise your life. But that’s not what I did. I made sure that I knew where my passport was two weeks before that. Except it turns out that wasn’t my current passport. That was an old expired passport which, for reasons too boring to go into, hasn’t had the corner cut off in the way that expired passports are supposed to.

Just before 9am, I twittered my predicament.

Hmmm… I appear to be having some slight difficulty tracking down my passport *FX: Mild panic*

An hour and a half later, I still sound calm (almost joking), but internally the panic was rising.

If I was a passport, where would I be hiding?

At that point I think that some of my Twitter followers realised that I was serious and started to send helpful suggestions.

@davorg in the cupboard where the cereals are [@davecampbell]

@davorg Old suit or jacket pockets? Maybe in a suitcase? [@OvidPerl]

@davorg Even reading that has me moving to check that mine is where I think it is. Hope it doesn’t stay hidden for long! [@keiosu]

@davorg I found mine hiding under a stack of dirty dishes. [@__Abigail__]

@davorg sock drawer at ours usually [@gellyfish]

Every time I went back to Twitter, there were three or four new encouraging messages.

@davorg odds are you’ve packed it already [@SeanClarke]

@davorg My passport is in my dressing-gown pocket, but I suppose that’s unlikely to help you. [@robinhouston]

@davorg sock drawer? bedside table? [@davehodg]

@davorg I remember a Perlmonks user finding his passport in a slipper [@larsen]

@davorg When did you last use your passport? Is it tucked in the carry-on bag you were using? Filing cabinet? Safe? [@rozallin]

@davorg buried in the middle of a pile of filing/paperwork .. or is that just my wifey that does that? [@chiselwright]

@davorg The trousers you were wearing when you last entered the country? [@theorbtwo]

A lot of the suggestions weren’t particularly helpful, but by about 11am the support I was getting from Twitter was about the only thing that was keeping me sane. My stress is starting to show in typos.

Thanks for all the advice. The passport remains elusive, but I’m sure I@m getting closer. And I don’t need to leave for an hour or so :-/

The advice kept on coming.

@davorg Drawer. Bedside table? [@antoniojl]

@davorg If I was a passport I would hide in a suitcase, ready to go. [@anniemaggiemay]

And then it started to take a different tack.

@davorg if we had id cards, you wouldn’t need a passport :> [@pfig]

@davorg You’re an EU citizen. Showing your ID isn’t enough? My girlfriend says she can travel to Portugal on her French ID. [@OvidPerl]

@davorg you don’t need passport to come to Portugal! I believe you are EU citizen :) [@braceta]

Unfortunately, I’d already eliminated that option.

Phoned Passport Agency and BA to see if there is any chance of travelling without it. Of course not.

Then, at 12:33:

Found it. It was in the scanner!!!

One day perhaps I’ll find time to explain exactly why it was in the scanner. But for now I’ll just say that I only found it because I was looking in random places that I knew it couldn’t possibly be.

My Twitter followers were as happy as I was.

@davorg Hooray! [@mrvaidya]

@davorg heh and yay! [@chiselwright]

@davorg Of course! Bloody identity thieves! [@antoniojl]

Of course, the drama wasn’t completely over. I still had to get to the airport in time for my plane. At 12:59, I wrote:

Inna taxi to LHR. Hurrah! Excitment not over yet. Might not get there in time.

Still more encouragement from Twitter.

@davorg i fel the sonic boom as you whizzed past :) [@rjw1]

I was too busy to tweet for a while, but finally at 14:35 I found time to write:

Made it. Sitting in departure lounge waiting to board. Thanks for all your help. Hope you all enjoyed the drama.

And I think everyone was as relieved as I was.

@davorg – just happy you’re on the way safely. [@unixdaemon]

@davorg woo hoo – well done :) [@davecampbell]

@davorg Awesome! See you in Portugal on Sunday :) [@OvidPerl]

@davorg The HP techies here in the Bracknell office have been enthralled by yr mini soap opera. Glad you made it :-) [@edwenn]

@davorg Yay! Well done! [@antoniojl]

glad that @davorg found his passport in time. [@maokt]

@davorg Well done, and thanks for the entertainment! [@robinhouston]

@davorg w00t! U made it. Should have started a sweepstake in the office :) [@cyberdees]

My Twitter statuses are also fed through to my Facebook page. So friends were commenting there too. And I’m really grateful for all of the comments that I got from both places. It would have been really easy to have given up and cancelled the trip, but knowing that there were all these people out there rooting for me gave me the incentive to keep going.

I can categorically state that in this instance both Twitter and Facebook were wonderful systems.

Thanks to everyone who commented.


Checking Copyright

There’s a lot of material out there on the internet. And the nature of the internet means that it’s easy to reuse that material without paying any attention to copyright. If my browser can display an image, then I can save that image to my local disk and then, perhaps, use it on my own web site or in some other publication.

But just because it’s easy from a practical perspective, that doesn’t mean that it’s legal to do it. Much of the material on the web is subject to various copyright restrictions. And if you’re going to be a responsible internet citizen then you’re going to ensure that you are careful not to use any material in ways that are contrary to the copyright.

If you are, say, a national newspaper then you’re going to want to be really sure that you’re being careful about copyright. I’m sure that someone like (to pick a paper at random) the Daily Mail would get very upset if they found someone using one of their photos without permission or without giving correct attribution. It’s therefore reasonable to expect them to offer the same courtesy to others.

Take a look at this story about Philip Schofield and Twitter. Don’t bother to read it. It’s the usual Mail nonsense. They’re complaining that Schofield shares too many details of his life on Twitter. But they do it (ironically, I’m sure) by poring over every detail of a meal in the Fat Duck. No, don’t read the words. Take a look at the pictures. Schofield has illustrated his evening by posting photos to TwitPic. TwitPic is a Twitter “add-on” that allows you to share photos as easily as Twitter allows you to share text.

Notice that the Mail have put a copyright attribution on each of Schofield’s photos. They all say “© Twitpic”, implying that TwitPic own the copyright on the photos. But if you take a few seconds to read TwitPic’s terms and conditions, you find that they say:

All images uploaded are copyright © their respective owners

TwitPic lay no claim at all to copyright on the pictures, so the Daily Mail are attributing copyright to the wrong people. It’s not at all hard to find this out (it’s a link labelled “terms” at the bottom of the page – exactly the same, in fact, as it is on the Mail site), but the lazy Daily Mail picture editor couldn’t be bothered to do that and just guessed at the copyright situation.

And whilst we’re talking about the Mail not understanding copyright, it’s worth reminding ourselves of the nonsense in their terms and conditions.

  • 3.2. You agree not to:
  • 3.2.1. use any part of the materials on this Site for commercial purposes without obtaining a licence to do so from us or our licensors;
  • 3.2.2. copy, reproduce, distribute, republish, download, display, post or transmit in any form or by any means any content of this Site, except as permitted above;
  • 3.2.3. provide a link to this Site from any other website without obtaining our prior written consent.

Under clause 3.2.3, I’ve broken their terms at least twice in this article. But clause 3.2.2 is the really interesting one. You’re not allowed to download or display the content of the site. Which makes it rather hard to view it in a browser. Idiots.

Update: They have now changed the copyright on the photos to “© Philip Schofield/Twitter”. So that’s one less piece of stupidity in the world. The struggle continues.