David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.




August 31, 2007

Winning public trust in a surveillance society – can it be done?

David Canton @ 8:33 am

The current issue of Out-law.com (from the UK law firm Pinsent Masons) has an article entitled Privacy and law: 10 ways to win public trust in a surveillance society.

It’s an interesting read for anyone concerned about the issue of public surveillance.

It states: Function creep is very easy for Government to justify. For example, what is the justification to limit access to surveillance data only for anti-terrorism purposes? Why should serious crimes that are not terrorist related – a brutal murder or rape, for instance – be excluded? If other serious crime becomes an acceptable reason for using these retained data, why not all violent crime? After all, surely we want to find the perpetrator who attacked and mugged a pensioner and stole the £10 in her purse?

And if the authorities use these retained data for a £10 theft, why not use access to the personal data to trace a £400 Council Tax arrears, or an £80 fine for dropping litter. Then, if the retained data are used in tracing £100 of debt, why not use the personal data to improve efficiency of service delivery and save £100? It is this kind of reasoning which explains why function creep is inevitable and why the Government chose, contrary to all its public consultation documents and without Parliamentary debate on the subject, to allow the ID Card database to be used for a general administration purpose by all public authorities.

As I’ve said before, I find this trend towards increased surveillance and data collection by government authorities creepy.

Read the Pinsent Masons article

August 30, 2007

Don’t Trust the Servers – PCMag article

David Canton @ 8:12 am

PC Mag has an article entitled Don’t Trust the Servers that talks about the dangers of putting your data at the mercy of the servers of another. The second page of the article is the bit that rings true for me.

ASP / Apps on Tap / Software as a Service models have great advantages to users, and have been growing in popularity. One thing that has always bothered me, though, is what happens if the service is suddenly not available for some reason – such as the vendor going out of business. If that service is a critical one for your business, it could be a disaster.

There are ways to deal with that however, such as arranging for a local copy of the data. The right solution will vary in the circumstances.

I have always thought this issue has held back the popularity of such services for the business market. On the other hand, many users don’t even consider this. I am helping a potential user of such a product negotiate an agreement with an ASP at the moment. As part of its diligence, my client talked to other users of the service – none of whom had even considered the issue!

To put it in perspective, take a look at this quote from the article, where the author speculates about what the sales pitch would be if ASPs had been the norm first and desktop apps had come along afterwards.

You can image the advertising push. “Now control your own data!” “Faster processing power now.” “Cheaper!” “Everything at your fingertips.” “No need to worry about network outages.” “Faster, cheaper, more reliable.” On and on. I can almost hear the marketing types brag about how much better “shrink wrap” software is than the flaky online apps. The best line for the emergence of the desktop computer in a reverse timeline would be “It’s about time!”

Read the PCMag article

August 27, 2007

Backup systems need testing

David Canton @ 7:42 am

For the London Free Press – August 27, 2007

Read this on Canoe

How reliable are your organization’s backup and emergency recovery plans?

A recent incident in California that shut down several popular websites showed how important it is to test business continuity plans to ensure they will work as planned.

A power outage in San Francisco knocked out electricity to tens of thousands of Pacific Gas and Electric Co. customers, including buildings and businesses with hordes of employees.

The outage affected the data centre 365 Main Inc., which hosts a number of popular websites such as GameSpot, Craigslist, Yelp and Typepad. Those websites were rendered offline for several hours, leaving millions of web surfers frustrated.

That’s despite the fact 365 Main Inc. had backup procedures and generators in place that were intended to prevent that. Unfortunately a problem occurred that their testing had not uncovered.

Backup generators are supposed to start immediately when a power failure occurs. It took about 45 minutes in this instance before power to the data centre was restored by backup generators.

365 Main Inc.’s San Francisco facility has complete backup systems for electrical power to protect against a power loss. 365 Main in a March 2007 press release stated that “in the unlikely event of a cut to a primary power feed, the state-of-the-art electrical system instantly switches to live backup generators to keep the data centre continuously running and shield tenants from costly downtime.”

In a news release issued a few days after the power failure, 365 Main said that three of the 10 backup power generators failed to complete their start sequence. Their investigation discovered a weakness in an essential component of the backup generator system. The problem was with the generator’s electronic controllers, which have since been fixed and tested.

In the wake of the outage, 365 Main’s president and chief executive, Chris Dolan, offered an apology to customers impacted by the incident and stated the concerns had been addressed as a top priority, the core problem identified and steps had been taken to prevent this type of problem from happening again. 365 Main is also honouring its service level agreements with all customers affected by the drop in service.

Despite the malfunction, 365 Main says this facility has delivered 99.9942 per cent power uptime to customers during the last five years, since its inception, inclusive of the July outage.

The event in San Francisco illustrates the importance of testing backup and emergency recovery plans on a regular basis. In addition to emergency generators, this applies to things like data backup, or indeed any element of a business continuity plan.

Forty-five minutes may not seem like much time, but even that amount of time can be significant for an organization relying on an online presence or computing systems to provide their services. The time an organization can tolerate being offline will vary. No matter what that time is, a recovery plan is of little use if it doesn’t work.

August 24, 2007

Lawyers are rats kerfuffle

David Canton @ 9:06 am

I’ve avoided commenting on the recent Macleans cover story entitled Lawyers are rats that tarred the entire profession with the sins of a few bad apples. Various legal groups are in an uproar.

I was disappointed that a publication would stoop that low to sell copies, and frustrated that many people would believe it regardless of reality.

I only mention it now because Steve Matthews has a good post about it on his Vancouver Law Librarian Blog that is worth a read as it summarizes the situation well and puts it in a good perspective.

Read Steve’s post

UK man arrested for wifi theft

David Canton @ 8:30 am

A man was recently arrested in London, England for stealing wifi signals. He was sitting on a wall outside a house using his laptop. Police arrested him after he said he was using an unsecured wifi connection from a nearby house.

Apparently that may be a crime in England. To my knowledge, it is at best unclear if this would breach any Canadian laws. While I have not looked at this issue in a while, my recollection is that it would be a stretch to interpret Canadian criminal laws to cover such an action. Arrests have been made here for stealing wifi – but they tend to be in instances where the person is using it for some illegal purpose.

So the question is – should it be illegal to simply use someone else’s wifi signal?

I don’t think it should be. While there is good reason to use security measures so others can’t use your wifi signal (it helps keep others out of your network, avoids the risk that someone else will use it for something inappropriate that gets traced back to your IP address, and prevents that use from slowing down your connection), I don’t see that it should be illegal per se to use someone else’s unsecured wifi signal.

Techdirt says this is no different than reading by light coming from a house. While that sounds good, it’s a bit specious, as using another’s light can’t decrease the light available to the owner, and can’t lead to any negative consequences depending on what the individual is reading.

Read more about this incident on Out-law.com

Read Techdirt’s spin

August 22, 2007

CBA National article – E-data dilemmas

David Canton @ 7:29 am

I am quoted in an article in the July/August issue of the Canadian Bar Association’s National magazine entitled E-data dilemmas – The ethics of document retention in an electronic world. I take the position that law firms have an ethical responsibility to the environment and should use electronic alternatives to reduce the amount of paper we generate. See page 56 at the link below.

Also take a look at page 17 where fellow blogger David Fraser of the Canadian Privacy Law Blog is quoted on factors to keep in mind when shopping for an e-mail encryption system.

Another article worth a look is on collaboration software and tools for things like virtual meetings and document collaboration. (page 51)

And for Battlestar Galactica fans, there is an amusing article at page 62 on the similarities between judges and cylons.

Read the National articles

August 21, 2007

Privacy Commissioner launches online training tool for retailers

David Canton @ 7:43 am

David Fraser points out that the Canadian Privacy Commissioner has launched an online training tool to help retailers comply with privacy obligations. It is aimed at small business.

While I applaud this approach, it’s not just small business that continues to violate privacy concepts.

Many still print full card numbers on receipts, or show that they don’t really understand the issue when they don’t print them on the consumer copy, but print them on their own.

And an experience my wife had at a major retailer last weekend shows that staff are not always trained properly. She was returning an item bought a few days earlier that was defective. Privacy commissioner decisions have been given on the return issue, so what can and can’t be asked for and recorded is clear. The item was bought using the store’s credit card, and the refund was being put back on that card, so ID should not have been an issue. The clerk asked for our phone number. When my wife asked why she wanted the phone number, in addition to the clerk having no idea why, she got visibly angry at the question.

Read David’s post for more detail about the training tool

August 20, 2007

Court backs sale terms layout on web pages (Dell at Supreme Court of Canada)

David Canton @ 7:29 am

For the London Free Press – August 20, 2007

Read this on Canoe

The Supreme Court of Canada recently dismissed a class action suit against Dell launched in Quebec. The case has some useful observations about e-commerce.

The issue arose from Dell’s mistaken posting of incorrect low prices on its website. Dell refused to honour those prices.

The case turned on the enforceability of Dell’s terms and conditions and in particular a section that said consumers had to use arbitration rather than class actions. The decision is now academic in some provinces, such as Ontario and Quebec, which have recently enacted legislation to make terms that deny consumer resort to class proceedings unenforceable.

Despite that and despite the case being decided under the Quebec civil code, the court made some observations that bode well for e-commerce in general.

Click wrap agreements — where one clicks “I agree” to be bound by an agreement — are binding, but there has been some question whether terms found on links on a page are binding on users.

Part of the case hinged on whether linked documents formed part of the main web pages. The court stated that: “The evidence . . . shows that the consumer could access the page of Dell’s website containing the arbitration clause directly by clicking on the highlighted hyperlink entitled Terms and Conditions of Sale. This link reappeared on every page the consumer accessed. When the consumer clicked on the link, a page containing the terms and conditions of sale, including the arbitration clause, appeared on the screen . . . (The) clause was no more difficult for the consumer to access than would have been the case had he or she been given a paper copy of the entire contract on which the terms and conditions of sale appeared on the back of the first page.”

The dissent had a similar point of view, saying, “We are dealing with a different means of doing business than has heretofore been generally considered by the courts, with terminology and concepts that may not easily, though nevertheless must be, fit within the existing body of contract law . . .

“(As) e-commerce increasingly gains a greater foothold within our society, courts must be mindful of advancing the goal of commercial certainty . . . (The) context demands that a certain level of computer competence be attributed to those who choose to engage in e-commerce.

“It is true . . . that the hyperlink to the Terms and Conditions of Sale was in smaller print, located at the bottom of the Configurator Page. The evidence was that Dell places a hyperlink to its Terms and Conditions of Sale at the bottom of every shopping page on its site.

“This is consistent with industry standards. In fact, this is the placement that was at the time recommended by Industry Canada’s Office of Consumer Affairs (Your Internet Business: Earning Consumer Trust — A Guide to Consumer Protection for On-line Merchants (1999), at page 10).

“It is proper to assume, then, that consumers that were engaging in e-commerce at the time would have expected to find a company’s terms and conditions at the bottom of the web page.”

August 17, 2007

Judge finds Novell owns Unix code – not SCO

David Canton @ 7:44 am

SCO is the company that has sued IBM and others claiming that Linux uses UNIX source code that belongs to SCO.

The judge hearing the case recently ruled on several summary judgment motions, including a decision that Novell owns the Unix copyrights, not SCO. While the case is not over yet, that is a fundamental decision against SCO, and good news for all Linux users. Novell has publicly stated that they have no intention of taking any actions regarding Linux.

For more detail and commentary, see the Groklaw blog post of August 10, and subsequent entries.

August 16, 2007

Canadian government sources make questionable Wikipedia edits

David Canton @ 12:32 pm

The Globe and Mail has an article entitled Is Wikipedia becoming a hub for propaganda? Tracking website shows thousands of changes to articles originated from federal government offices.

It describes changes to Wikipedia entries that came from individuals using federal government computers. It’s rather disturbing, but perhaps not surprising.

Wikipedia entries are designed to be edited by anyone. While it’s perfectly acceptable for government sources to edit or add facts, the article describes edits that were made to reflect personal or political views or agendas.

Read the Globe article
