In Ontario, conventional wisdom was that invasion of privacy was not something you could sue for. But that is changing, as evidenced by a just released decision of the Ontario Superior Court of Justice called Jane Doe 464533. That decision awarded damages and costs totaling $141,000, plus an order for the defendant to destroy any video or images he may still have, never to share any intimate images of the plaintiff, and to not communicate with the plaintiff or her family. A pdf version of the decision is here: Doe – redacted
Until this decision, the first case of a successful tort action for invasion of privacy was Jones and Tsige. The tort in that case was called intrusion upon seclusion, and basically applies only to nosy neighbour cases. In other words, where an individual accesses personal information on someone for nothing more than curiosity. The damages for that are capped to such an extent that in practice it probably isn’t worth taking it to court.
Some privacy class actions have been started since then, which would require an expansion of current law to succeed, but none have reached trial.
In the Jane Doe case the defendant was a former boyfriend of the plaintiff who convinced her to take an intimate video of herself, promising that he would not show it to anyone. But of course he posted it online. That lead to severe emotional distress for the plaintiff.
While the decision is ground breaking, there is a caveat to it. The defendant did not file a statement of defence, and this decision was based on a motion for default judgment. So while the decision is well reasoned, there was no contrary position presented. This issue will eventually make it to an appeal court in another case to settle the law.
This decision will no doubt be analysed and cited by anyone attempting to sue for a privacy breach, or seeking a remedy for cyberbullying or revenge porn.
Cross-posted to Slaw
Microsoft has just ended support for Internet Explorer versions 10 and earlier. That means Microsoft will no longer provide security patches, which makes them risky to use from a security perspective.
Anyone still using those versions should update to IE 11 immediately. Those using Windows 10 can use the Edge browser instead. Edge works well, but unfortunately does not yet support add ons like password managers. Another option is of course to use Chrome.
If there is a need to use an earlier version of IE because of legacy internet applications that are not up to current standards, IE 11 includes an “enterprise mode” that will run those.
And if you are still using Windows 8 or an earlier operating system, it’s time to upgrade to at least 8.1. Security support is still available, but not full support. Windows 10 is the best option. For most, that upgrade is free. If you are still using Windows XP – yes, some still are – its way past the time to upgrade – its not even getting security support anymore, and is a potential security risk.
Cross posted to Slaw
The annual Consumer Electronics Show is now underway in Las Vegas – where tech companies show off their latest and greatest. Popular themes this year include drones, internet of things, and cars. And of course TVs. LG is showing OLED 4K TVs that are impossibly thin – 2.57 mm, yes, mm thin. While they are expensive, and there isn’t much 4K content yet, that is expected to change much faster than HD came to market.
It is easy to scoff at some of the individual items that show up at CES, and certainly some of them will never gain any traction, but the better focus is on trends and where we are headed. ZDNet, for example, sees IOT and wearable becoming useful, and AR and VR getting a purpose beyond gaming.
If you are interested in following CES, there is lots of coverage in the tech press – such as CNET and The Verge.
Cross posted to Slaw
Sometimes we get so wrapped up in the specs and quirks of our current technology that we forget how far we have come.
To put it in perspective, consider a smartwatch. There are many ways to measure computer performance – CPU speed, amount of ram, amount of storage memory, network speed, etc. A common way to compare basic performance, though, is by FLOPS, or floating operations per second.
A smartwatch can do somewhere in the range of 3 to 9 gigaflops. To put that in perspective, the Cray-2 supercomputer in 1985 could do about 1.9 gigaflops. You could buy one then for about $17,000,000. It used 200 kilowatts of power (that’s several times the power a typical home electrical system provides), occupied 16 square feet of floor space (if you ignore its separate cooling system) and weighed 5500 pounds. (A pdf brochure with the details is here.) I’m sure no one then thought we would ever strap something like that on our wrists, let alone order one online and have it arrive a couple days later.
Makes one wonder what the next few decades will bring.
Cross-posted to Slaw
Confidentiality for business information is rarely implied at law, so if a business is going to share sensitive information with someone, it needs to protect that by a non-disclosure agreement (NDA). NDAs (also called confidentiality agreements) can be either standalone or as part of a larger agreement.
NDAs are routine and are often considered standard agreements – but here are 8 things to think about.
- Should it be mutual to protect both parties’ information, or does it need to only protect one party?
- Does it need to protect just the discloser’s information, or is third party information involved?
- Does the confidential information include personal information as defined under privacy laws? If so, it may need some additional or different wording to comply with privacy obligations.
- NDAs have 2 basic elements – what the recipient can do with the information, and who the recipient can share the information with both inside and outside of the organization.
- Should the definition of confidential information describe what is confidential, or is it only confidential if it is marked confidential? Requiring marking makes it clear for the recipient, but the owner has to remember to do that, and it can be a nuisance to deal with oral or unwritten material.
- Does the information cease to be confidential after a fixed number of years, or does it last until the information gets in the public domain?
- If it is a standalone NDA that is a precursor to a substantive agreement, it needs to be addressed again in the substantive agreement – either by replacing it with new NDA language, or by explicitly confirming that the original NDA continues.
- Be on the lookout for other things buried within an NDA. They usually stick to NDA concepts, but occasionally contain unexpected provisions.
Every time there is a tragic attack on people or property, there is a cry from various authorities or politicians for law enforcement to get unfettered access to all kinds of communication tools.
But that would cause far more harm than good, and is a really bad idea.
The argument goes something like this:
These bad actors hide behind encrypted communications to plan their evil deeds. Therefore to stop them law enforcement needs to have access to all this. Therefore we need to have backdoors built into all encryption that law enforcement can use.
This is flawed in many ways.
There is no evidence that unfettered access to communications helps. Sometimes the information was actually available, but no one managed to put it together ahead of time to stop the evil deed.
There is no way that backdoors can be limited to use by law enforcement. They will inevitably be discovered by others and used for evil, thus rendering encryption and all the protection it provides useless.
Bad actors will stay a step ahead. If mainstream communications and encryption tools have backdoors, they will just create their own secure communications channels.
But don’t just take my word for this. Read, for example, this article by security expert Bruce Schneier entitled Why we Encrypt.
And this article by Cory Doctorow on how ridiculous British Prime Minister David Cameron’s comments on the need to backdoor encryption are entitled What David Cameron just proposed would endanger every Briton and destroy the IT industry.
And this article by Mike Masnick of Techdirt entitled The Paris Attacks Were An Intelligence Community Failure, Not An ‘Encryption’ Problem.
Cross posted to Slaw
Businesses often use agreements that others have created for things like software licensing, web terms and conditions, customer agreements, privacy policies and HR policies.
That can be dangerous. Just because an agreement works for Microsoft or Google doesn’t mean it fits your situation. Using these as a guide or rough draft can’t hurt – but using them without a critical review of whether they work for your situation is fraught with risk.
Here are 7 reasons someone else’s document won’t work for you
- US based limitation of liability clauses usually miss a key Canadian concept that can limit its effectiveness.
- Limitations of liability may not be effective in different jurisdictions. In the UK, for example, limitations of liability are in practice unenforceable.
- For things like privacy policies, being compliant with privacy laws involves far more than just sticking up a policy. And there are often significant differences in the laws behind them.
- That DMCA copyright notice in US based web terms is meaningless in Canadian law.
- Different business models and facts can require very different terms. For example, are the services aimed at children? Is the product software, or is it an online service?
- Large corporations tend to use longer, more complex, wordier agreements than are really necessary. People accept those from large corporations because it seems to go with the territory, but is that what you want to put in front of your customers?
- There is a risk that the document won’t address an issue that is unique to your business or jurisdiction.
Privacy laws apply to every business that knows any information about individuals.
Here are 11 things you should know about privacy.
- There are many privacy statutes that may apply depending on the nature of the information, the nature of your business, and what province your customers are in. Health information, for example, is usually subject to different statutes than other personal information.
- In general, if you want to use someone’s personal information for something they would not think is necessary to provide your services, you need their permission.
- Mandatory breach notification is becoming more common. Some provincial statutes require it, PIPEDA now includes breach notification provisions that are coming into effect soon. The notice requirements include some rather subjective tests, and must be reviewed carefully if you have a privacy breach.
- The definition of personal information is fairly broad. It includes things like an IP address, and depending on the jurisdiction, may include car license plates.
- You must have a privacy officer who is accountable and available to your customers.
- A privacy audit may be in order. Make sure you understand what information you actually do collect, use and disclose. A disconnect between reality and what your policy says is a recipe for disaster.
- Privacy, anti-spam legislation (CASL), and Don Not Call legislation complement each other, work together, and shouldn’t be viewed in isolation.
- Some privacy laws (in particular some provincial laws dealing with public sector or health information) say that data can’t reside outside of Canada.
- Having processes and protections in place to keep personal information out of the wrong hands is crucial. It is equally crucial to deal with a privacy breach appropriately to reduce legal, customer, and headline risk.
Cybersecurity was a major topic at the recent Canadian IT Law Association conference. It can be a daunting subject to ponder when dealing with various types of services, cloud providers, and the methods, standards and assurances available to lower the risk of a security breach. Cyber insurance to cover some of these risks is a growing field.
This Cyber Security Report Card (pdf) is a good high level summary of the things that businesses should think about when considering security issues for their organization. It was provided by one of the luncheon speakers, John Millar of Digital Boundary Group, which is an IT security testing firm.
(For transparency, Digital Boundary Group is a client of mine.)
Cross posted to Slaw
The cloud is a fluffy concept, and takes many different forms, but basically means any computer services that are provided on systems that you access over the internet. Examples include things like gmail, dropbox, and Google docs. It can include sophisticated applications for accounting, document management, and other business processes. Other forms include just the physical infrastructure that you install and manage your own software on. The cloud can offer many advantages when used properly, but also carries risks that need to be managed.
Here are 8 things to consider when using the cloud.
- Consider how mission critical the cloud service is to your business. Far more diligence and care is required for a service that is crucial to the operation of your business.
- Make sure you have a backup or mirror of the data in case something goes wrong.
- If the application is mission critical, make sure you have a continuity plan in place to keep operational if the cloud service is temporarily out of service or permanently gone.
- Privacy, security and encryption are essential to consider. Look at what information is stored and manipulated, who has access to it and how they access it, and what the consequences are if that information was compromised. Encryption is a complex subject and requires the right questions to be asked. Is it only when at rest? Is it during transit? Who has the encryption key? While it is not always practical, a zero knowledge approach where the vendor can’t access the data is ideal.
- If you use platform or infrastructure as a service where you are in control of certain aspects of it, make sure you get expert technical advice to set it up to make sure it is done right.
- Pay close attention to the provider’s service agreement. For basic, commodity services, the agreements will be non-negotiable and will include limited or zero liability if something goes wrong. As the cloud service becomes more sophisticated, personalized, and costly, those agreements tend to become more negotiable. The terms of the service agreement can be a risk assessment factor.
- In some circumstances privacy laws can dictate where data is stored or manipulated, or what you have to tell customers. Or your customers may perceive an advantage for the data to be housed in Canada, even though from a practical basis the risks may not vary much amongst first world countries. If any of these apply to you, make sure the location is where you need it to be.
- All the promises a vendor makes about data location, service levels, and data security have no teeth unless they are referred to in the service agreement, and are meaningless if not backed up by some consequence.