I tweeted this yesterday, but thought it merited more comment.  According to an article in the Washington Post:

“Betty “B.J.” Ostergren wanted to persuade Virginia to take sensitive personal data off state Web sites. To make her point, she created her own site and then posted public records that included the Social Security numbers of government officials.

That’s the title of my Slaw post for today.  It reads as follows.

There has been much written on Slaw and other places about the paperless office, or the virtual office. 

My personal view is that for the most part, we either already have the tools to accomplish it, or if we don’t have them, they can be acquired at low cost.   The barrier is mostly our will to do it.  Some people don’t see the need, or have a hard time giving up paper, or just find it hard to change.

Technolawyer points to an article that’s worth a read by New York lawyer Jay Fleishman entitled Being a Virtual Lawyer is all Mindset, not Technology.  While the article talks about the virtual office, the same goes for the paperless office, as a paperless office is essentially a virtual office that stays in one place.

For the record, I’m not totally paperless yet, but I’m getting close.  Perhaps I just need to take a few minutes to think about the paper that still flows through my office, and decide how to deal with it.

One of the most controversial aspects of the copyright reform bill is the digital lock provisions, which make it unlawful to break digital locks, even if it is only to exercise a right copyright law actually gives you.

A new US case has limited the effect of the US DMCA digital lock provisions, saying that they don’t prevent one from braking a digital lock to view or use a work.   As Michael Geist points out, that makes the Canadian proposal much tougher than the existing US provisions.

For the London Free Press – July 26, 2010

Read this on Canoe

Customers and regulators take a dim view of companies that don’t safeguard private information

Twitter recently agreed to settle the Federal Trade Commission’s charges that it deceived consumers and put their information at risk through inappropriate and inadequate privacy measures. The charges were that Twitter represented it keeps user information safe, but its actual security measures were not adequate to do that.

On two separate occasions hackers gained unauthorized administrative control of Twitter and access to non-public tweets and user information.

In the first security breach, a hacker used an automated password-guessing tool to access Twitter’s administrative account.

In the second breach, a Twitter employee’s e-mail account was compromised and his or her administrative password inferred from other passwords stored in the e-mail account.

If this had occurred in Canada, it would be regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). The United States does not have equivalent privacy legislation.

The FTC approach in these situations is to charge the company with misleading advertising for not living up to its privacy policy.

The FTC charged Twitter with making representations regarding its privacy and security measures which were false and deceptive in violation of Section 5(a) of the Federal Trade Commission Act.

The terms of settlement include the following.

Twitter is barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of non-public consumer information.

This appears to be little more than a restatement of Section 5(a) of the Federal Trade Commission Act. However, including this in the terms of settlement provides the Federal Trade Commission with more tools for punishment in the event of a violation.

Twitter may be fined $16,000 per violation of the settlement agreement for the life of the agreement.

Twitter must establish a comprehensive information security program. The program is to include detailed risk assessment and safeguards based on that risk assessment.

The safeguards must be regularly tested and re-assessed as its operations and business change.

The security program will be assessed by an independent security auditor every other year for the next 10 years. Those reports must be provided to the FTC.

Twitter also must maintain certain records for the FTC, including any statements it makes regarding security and privacy, customer complaints relating to the FTC complaint and its responses, and any documents that suggest non-compliance with the settlement.

Whether it is the FTC taking action on misleading advertising grounds, the Canadian Privacy Commissioner taking action under PIPEDA, or simply customers becoming upset at security breaches, businesses can’t afford security and privacy breaches.

The lesson is, it’s far better to consider and deal with security and privacy issues on your own at the outset, then to have problems and face the wrath of regulators and customers alike.

Steve Jobs is currently holding a press conference to talk about the iPhone 4 antenna issue.  Its a carefully crafted message, as are all of his presentations – but its a lesson in how to deal with product issues.  

Admit there is a problem. Put the problem in perspective by giving some numbers on complaints, sales, returns, and comparisons to previous models, etc.  Show testing of other types of smartphones to say its a category issue, not just us.  Then say they want their customers to be happy, offer a generous return policy if a customer is unhappy, and offer a free case to everyone (that’s not a token, cases help avoid the problem).

And its not as if the iPhone 4 has flopped.  They sold 3 million in 3 weeks.

That’s the title of my Slaw post for today.  It reads as follows.

Whether you are an Apple fan or not, the apparent flaw with the iPhone 4 external antenna gets interesting on many levels – including the tech itself, why it wasn’t found during pre-launch testing, Apple’s reaction, customer relations, and testing by various entities. 

It seems that if you hold the iPhone in a way that your hand touches a certain spot on the antenna that are on the edge of the phone, it causes signal loss, and degrades reception.  Apple started out suggesting it was a software issue – but has since said that the fix is to hold the phone in a certain way.  Which resulted in this YouTube video showing how Steve Jobs and others in Apple ads are holding it “wrong”.

Apparently the problem can be solved by putting the phone in a case, or by applying tape to the offending spot.   (Is adding tape the equivalent of taping your glasses?)

One enterprising person is selling iTape, stating that the proceeds are going to charity.

There have been suggestions that there should be a recall, or that Apple should offer free cases, or that its not important enough to worry about.

For the London Free Press – July 12, 2010

Read this on Canoe

So-called ‘cloud computing’ can be valuable — but it can also come with risks

Cloud computing – essentially providing computer services over the Internet – is a growing trend.

Ontario’s privacy commissioner recently released a report dealing with privacy issues that arise from the cloud.

There are many definitions and debates over just what cloud computing is, but it entails storing your information and/or running software on computers belonging to others that you access over the Internet.

For example, instead of creating this column using word-processing software installed on a computer in my office and saving it here, it could be created and stored in the cloud from any computer using services such as Google Docs, or Microsoft Office Web apps.

It is a compelling model, as it can provide advantages in cost, simplicity, portability and scalability.

It can, though, pose issues around things like privacy, confidentiality, security, business continuity and disaster recovery. The importance of those issues vary depending on how the particular cloud product works, what it’s used it for, and how mission critical it is.

The privacy commissioner’s discussion paper – Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach – discusses relevant privacy issues.

The report discusses a variety of different models included in the term “cloud.”

The report sheds light on which types of risks are associated with different types of “clouds,” some of which are riskier than others from a privacy and security standpoint.

The decision to use cloud computing is one each individual or business must make bearing in mind the type and sensitivity of their information, how valuable that information might be and whether local copies can be saved.

Since the loss or compromise of sensitive data can be incredibly damaging to an organization, careful consideration is required.

It’s important for organizations to take time to review what type of cloud model they intend to use, and whether it’s adequate from various perspectives, including operational, cost, access and privacy.

The type of data stored by an organization may change over time. Organizations evolve and sensitivities change. Re-evaluation of an organization’s cloud model at regular intervals, or when major projects occur, will help ensure data is kept in an appropriate manner.

The bottom line is that it’s important for anyone using cloud-based services to understand how that particular service operates and what promises it makes concerning privacy, security and continuity of data. The importance of those factors will vary depending on the nature of the information involved, and how critical the service is to the user.

If it is not adequate, either negotiate to make it adequate, or go somewhere else.

This report, and a previous white paper entitled Privacy in the Clouds (both available on the web at ipc.on.ca) are helpful for potential users to understand and deal with privacy issues that arise from the cloud.

They are also useful to help anyone providing cloud-based services deal with privacy issues for their services.

Ideally, providers will design their services to be privacy-friendly from the outset – an approach the commissioner calls “privacy by design.”

For the London Free Press – July 5, 2010

Read this on Canoe

Canadian lawyers are suing for $50 million, claiming the company is making legal documents available for a fee without the authors’ approval

A class action was filed on May 25 against Thomson Reuters Corp. and Thomson Reuters Canada Ltd. on behalf of a class of Canadian lawyers and law firms across Canada to the tune of $50 million.

The lawsuit alleges that Thomson breaches copyright laws by making lawyer-created legal documents available for a fee and subscription without permission from, or compensation to, the authors of the documents.

How do they do this? It is alleged that Thomson copies publicly available court filings. That includes legal documents such as facta, pleadings, affidavits and notices of motion, prepared by lawyers. It then makes them available for download via its “Litigator” service.

The user subscribes to the service and pays a fee, then is permitted to copy and edit the documents. At no time are the authors of these documents informed that their documents are copied, sold, or reproduced.

Of notable offence to the plaintiffs is the fact that the copies available for download are branded with a statement that asserts Thomson’s copyright over the documents: “[copy] Thomson Reuters Canada Limited or its Licensors. All rights reserved.”

Lawyers are perhaps the original mash-up artists when it comes to legal documents of all kinds. All lawyers copy parts from similar documents other lawyers create and use – whether they are contracts or court documents. It is one way lawyers have always learned and documents have been improved. Lawyers have not for the most part considered copyright issues when it comes to their own documents.

The question is whether the service Thomson provides is different and whether it crosses a copyright line.

The statement of claim issued by the plaintiffs pleads that the lawyers are the owners of copyright in these legal materials and that Thomson has infringed the Copyright Act by its actions.

More specifically, the claim states:

“The defendants took more than 50,000 legal documents created by members of the proposed class, removed them from court files and copied them, scanned them into a downloadable format, posted them in their database, and then made them available to subscribers for a fee.”

Counsel for the plaintiffs are seeking to have the lawsuit certified as a class action.

If the case is certified by the court, all persons who fit the class definition will automatically be included in the class unless they choose to opt out.

Among the many claims made, the plaintiffs have asked for $50 million in general damages for the class, disgorgement of profits made by Thomson from the infringement, $1 million in punitive damages, litigation costs, and a permanent injunction from using the documents.

Thomson of course has a different viewpoint, and will defend the action.

The case will be decided on the subtleties of copyright law. But it boils down to this.

Though the sharing of legal documents has always been an accepted and necessary way of practising law, does doing it in a commercial way such as Thomson does cross a legal line?