Its not unusual for the law to say one can do something – but the right business or personal or ethical decision is to not do or enforce what the law allows. Take copyright for example.

I was asked recently when giving a presentation on a summary of IP law if a certain action violated copyright. My answer was that it probably did, but the next question to ask was whether the owner of the copyright cared, or indeed would welcome it.

Techdirt has a post that refers to a New York Times article that illustrates this point. (Lets ignore any fair use/fair dealing issues here.) Seems that a band put out a music video that was essentially a series of scenes from the Die Hard movies. Within days after it showed up on YouTube last summer, the studio demanded it be removed.

A few months ago, the studio contacted the band and offered to pay them to repost and update the video to promote the new Die Hard movie that comes out this week.

So the question is – why did the studio bother to force it to be taken down last summer when they knew the new movie was in the works? Or was the studio sly as a Fox, with a plan all along that they would remove it, then have it put back on shortly before the new movie came out to attract attention – including from people like the New York Times and Techdirt who give more publicity by writing about the copyright controversy?

Read the Techdirt post

Read the New York Times article

For the London Free Press – June 23, 2007

Read this on Canoe

We are experiencing an increase in surveillance such as cameras, car black boxes, GPS tracking, and heightened security. This creeping intrusiveness is rather, well, creepy.

The United Kingdom, for example, has more than four million surveillance cameras. Individuals are photographed on average 300 times a day.

The rebuttal when someone expresses discomfort at this increased surveillance is: “If you are doing nothing wrong, what’s the problem?”

Government and society define what behaviour is right and wrong, accepted and unacceptable. That definition often changes. Having extensive information on individuals opens us to the abuse of that information and power.

The world has always benefitted from those who are innovative and different and not afraid to question norms. Many scientific developments and social enlightenments have flown in the face of conventional wisdom.

The more information there is available about us, the greater the chances someone might misuse it. Examples include fraud, identity theft, predation or the technical enforcement of every possible legal infraction.

Society has always depended on discretion in the enforcement of the law so enforcement is consistent with the intent of various laws. Enforcement is not intended to punish every technical transgression. Chronic surveillance makes it too easy to eliminate that discretion.

Just because we desire privacy doesn’t mean we are doing anything wrong or that we have something to hide.

If you are not convinced there should be limits, ask yourself:

- Why do we close our blinds and lock our doors?

- Why do we not want our medical and financial records to be freely available?

- Why do we sometimes drive differently when a police car is behind us even when we think we are driving properly?

- Would you want all of your conversations with everyone to become public?

- Would you want to post photos of your children along with their names, routes to school and favourite candy?

Surveillance often is justified by motherhood statements about the prevention of some evil. We must be vigilant to ensure that increased surveillance does indeed result in the intended goal, without causing more harm than good.

Technology makes it too easy to disseminate and combine information. We must ensure that, wherever possible, recorded information is kept only for short periods, isolated so it serves only its narrow, intended, justified purpose, and is not shared. Just because we have the ability to store, share, combine and manipulate massive amounts of information, doesn’t mean we should.

Michael Geist comments on the just released report, saying that The report and its recommendations are stunning as they represent the most lopsided copyright related report since Sam Bulte chaired the Canadian Heritage Committee.

Among other things, they seem to recommend DMCA type protection, which I don’t understand as the US DMCA experience has not been good.

Another thing I don’t understand is the apparent willingness of Canadian governments (no matter which party is in power) to simply adopt the positions of industry lobby groups. They should also seek out and consider other points of view, do some diligence into their positions and stats, and unwind the spin they put on issues.

Read Michael’s comments

Read Techdirt’s comments

For those that are counting – 9 days to go before the iPhone is available. Keep in mind that while there is no question that it is a cool and innovative device, it is aimed at the consumer market. It is not designed to play nice with the corporate desktop, where Blackberry’s and Windows Mobile devices reign supreme.

So if you want an iPhone for work purposes – check it out carefully before you buy to make sure it will meet your needs. I suspect lots of people will try to use them for business use, and perhaps web apps will be created for the iPhone browser that will bridge the gap. I’m sure we will see commentary on this soon after it is on the market.

For those that just can’t wait to get one – Steve Rubel points to an article entitled Waiting for Your iPhone: Five Ways to Handle the Unbearable Stress

For the London Free Press – June 19, 2007

Read this on Canoe

It is becoming more necessary to encrypt sensitive data on portable devices such as laptops, personal digital assistants and even thumbdrives so it can’t be read if it falls into the wrong hands.

A recent fact sheet from the Ontario privacy commissioner contains useful advice for any business that needs to encrypt data.

The May 2007 fact sheet — available on the privacy commissioner’s website (ipc.on.ca) — is entitled Encrypting Personal Health Information on Mobile Devices. It is especially important for health care information in Ontario, as the Personal Health Information Protection Act requires individuals to be notified if there is a data breach or loss involving their information. However, the fact sheet is relevant to all kinds of sensitive information, not just personal health information.

The privacy commissioner takes the position that if a device containing personal information is lost, it is not considered a privacy breach if the data has been encrypted. That position is consistent with privacy laws in other jurisdictions that require breach notification, such as California.

The rationale is, since encryption turns normal data into seeming random symbols, or cyphertext — which cannot be read without the correct digital key — there is no disclosure.

Most privacy commissioners feel personal information on portable devices should be encrypted in any event under current privacy laws.

The commissioner states in the fact sheet the types of encryption that will be satisfactory for mobile devices and the kinds that will not.

In particular, the fact sheet states that login passwords are not sufficient protection by themselves, as are current built-in encryption tools for Windows XP or Apple OS X

Login passwords may prevent casual access to data, but typical passwords are too weak and are vulnerable to readily available password-cracking tools.

Similarly, built-in encryption tools provide limited protection because they rely on the user’s password.

The recommended encryption standard set out by the privacy commissioner for the secure storage of data is the advanced encryption standard (AES). AES-128 is sufficient, but the stronger AES-192 or AES-256 are suggested. The fact sheet lists five example encryption solutions to consider.

Encryption standards are always evolving. Custodians of sensitive data must ensure any solution that is selected meets the accepted standards in effect at the time and that they are regularly reviewed and updated.

A few days ago a former Dell sales manager published on Consumerist a piece entitled 22 Confessions Of A Former Dell Sales Manager. That lead to letter from Dell legal counsel demanding that the post be removed. That just resulted in more attention, and Dell has since issued an apology.

This is a classic example of not thinking through a reaction. Dell puts it well in their reply when they say: instead of trying to control information that was made public, we should have simply corrected anything that was inaccurate. We didn’t do that, and now we’re paying for it.

Frankly, while I can understand why Dell’s first reaction might have been upset to see such a post from a former employee, there was nothing in it that was really harmful.

Its worthwhile to read the intitial post, the Dell lawyer’s letter, the reply by the Consumerist (I found that amusing), and the Dell response. Those are all available on the Consumerist site, and from a Techdirt post.

And while I normally agree with Techdirt, I don’t agree with their ongoing thought that such things happen when lawyers make business decisions. I agree that lawyers need to rethink reactions to things that are posted on the Web and advise accordingly, but lawyers don’t fire off these letters on their own. A business person instructs them to send such letters.

Read the Consumerst post

Read the Dell apology

Read the Techdirt post

Michael Geist points to a new Canadian website dealing with net neutrality called What is Net Neutrality. Its worth a look for anyone interested in the issue. Since everyone uses the Internet, this issue impacts us all. The issue is also being raised for wireless services.

Network neutrality is essentially about whether ISP’s, or the owners of the pipes, can play with the traffic to prioritize some traffic at the expense of others. That’s not an issue if it improves the quality of the data, so long as it is not at the expense of another. Favouring one’s own VOIP service for example, while degrading 3rd party VOIP.

One of the simplest examples is on a comment to Michael’s post. That comment was credited to Cory Doctorow of Boing Boing. I tracked down the Boing Boing post – which attributes it to Craig Newmark of Craiglist.

The actual excerpt from Cory’s post is:

it would be like calling Joe’s Pizza and having the phone company tell you that since Joe hadn’t paid for “guaranteed connections” to you, that you’d have to wait three minutes before they’d put the call though (but you can talk to a Domino’s operator right now if you’d like!).

For earlier comments of mine on net neutrality, click on it in my tag cloud.

Read Michael’s post

Go to the What is Net Neutrality site

Read Cory’s post

For the London Free Press – June 14, 2007

Read this on Canoe

Online access to public records brings a wealth of benefits ranging from greater government access to cost-savings and efficiencies. But access to online records must be looked at differently than access to paper records.

The protection afforded by practical obscurity is lost when records are put online.

Practical obscurity means often where paper records are public, few people look at them because of practical difficulties. For example, court records are public — but it is not common for people to go to the courthouse and look at files to find out what’s happening with the action of a neighbour. It takes time, few know how to do it, and there is an embarrassment factor. Put those records online and all of those go away.

There have been instances where court records have been put online, and the number of queries skyrocketed.

One theory is these documents are public anyway, so it shouldn’t matter. However, due to presence of sensitive, personal data, an increase in access to public records can bring potential dangers, including heightened risk of identity theft and frivolous snooping into affairs of others. It also increases the ability to manipulate information.

Privacy commissioners and courts have dealt with this issue on assessment rolls in at least three provinces. British Columbia in 1996, Ontario in 2006, and Quebec in 2007.

For example, in 1996, the City of Victoria provided property assessment information to the public through the Internet. The new service would allow the public to search the database by property owner’s name, address and roll number.

On the first day of operation, it received more than 15,000 visitors. Until then, the city had received about 25 calls per day inquiring about property assessments.

The widespread criticism that ensued focused on the unintended consequences, namely the privacy rights of property owners in Victoria.

The position of office of the information and privacy commissioner is public records pose a challenge to the privacy of citizens and, once in digital format, pose an even greater challenge.

Privacy commissioners are sensitive to the ability to search online, and the ability to combine information leads to risks to privacy that don’t exist when the same records are in paper form.

They have felt the need to limit searching by names, and to restrict the uses that can be made from the information. It may, for example, be acceptable to search assessment rolls by address to get comparable assessment info, but not to search through it by name.

We need to be cautious about putting records online that are available on paper. Thought needs to be put into the reason records are public and how they might be used differently online.

That’s the title of an article in the latest Info-Tech Advisor, a regular newsletter of the Info-Tech Research Group.

Creating meaningful, measurable, and effective service levels for service provider agreements is not easy. They can, however, be very important to the success of a service arrangement.

This article has some good insight into how to create an effective SLA.

The Info-Tech Advisor is only available by paid subscription, but a pdf of this article is at the link below, with their permission.

Read the Info-Tech article

Go to Info-Tech’s web site

The blogosphere has several posts about an incident last weekend where a reporter was ejected from a baseball game because he was live-blogging the game. While there is no intellectual property protection for facts (eg the score of a game, the fact that a player just hit a home run), the venue owners do have some control over what one does when one is in their venue by virtue of contract (ie the ticket or journalist conditions.)

Consider this. If the reporter (or any individual for that matter) was watching a live TV broadcast of the game from anywhere other than the stadium, and live-blogging while watching it – I can’t imagine how they could be stopped. So query what is really accomplished by the blogging ban.

Read a Techdirt post

Read a CNet article

Read a Real Lawyers Have Blogs post that sets out the position of the 2 sides