Crypto backdoors are a horrible idea

From time to time various law enforcement and government types whine that encryption is a bad thing because it allows criminals to hide from authorities.  That is usually followed by a call for security backdoors that allow government authorities to get around the security measures.

That’s a really bad idea – or as Cory Doctorow puts it in a post entitled Once Again: Crypto backdoors are an insane, dangerous idea: “Among cryptographers, the idea that you can make cryptosystems with deliberate weaknesses intended to allow third parties to bypass them is universally considered Just Plain Stupid.”

Backdoors build in a vulnerability to exploit – there are enough problems keeping things secure already.  And the thought that government authorities can be trusted to use that backdoor only for the “right” purposes, and to keep the backdoor out of the hands of others, is wishful thinking.

Cross-posted to Slaw

Chatting in Secret

The Intercept has an article entitled Chatting in Secret While We’re All Being Watched that’s a good read for anyone interested in how to keep communications private.  It was written by Micah Lee, who works with Glenn Greenwald to ensure their communications with Edward Snowden are private.

Even if you don’t want to read the detailed technical instructions on how to go about it, at least read the first part of the article that explains at a high level how communications can be intercepted, and the steps needed to stop that risk.

Communicating in secret is not easy.  It takes effort to set it up, and it’s easy to slip up along the way.  As is usually the case in any kind of security – physical or electronic – it’s about raising the difficulty level for someone to breach the security.  The more effort someone might make to intercept your communications, the more work it takes to keep them secret.  For example, you raise the sophistication level of the thief who might burglarize your house as you increase security – from locking your doors, to deadbolts, to break-resistant glass, to alarms, etc.  It doesn’t take much extra security to make the thief go to another house, but it may take a lot more if a thief wants something specific in your house.

Edward Snowden’s communications, for example, require very diligent efforts, given the resources that various authorities might use to intercept those communications.

For the record, I think Snowden should be given a medal and a ticker tape parade, not jail time.  I recommend watching Citizenfour, the documentary about Snowden that won the Academy Award for Best Documentary Feature at the 2015 Oscars.  I also recommend reading security expert Bruce Schneier’s book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.  Another book to put this into context in Canada (based on my read of the introduction – I haven’t made it farther than that yet) is Law, Privacy and Surveillance in Canada in the Post-Snowden Era, edited by Michael Geist.

I challenge anyone to watch/read those and not be creeped out.

Cross-posted to Slaw

When “use” is not trademark “use”

Law sometimes hinges on subtle distinctions that are not obvious, and can lead to surprising results.  The meaning of the word “use” for trademark purposes, for example.

A key principle of trademark law is that a business must actually “use” its trademark to keep its trademark registration alive, or to enforce its trademark rights against others.

But the legal concept of “use” for trademark purposes is narrower than most would suspect, and can result in a surprising loss of trademark rights for a business.

For example, a trademark on the side of a building, or on a business card, or on letterhead is not “use”.

A couple of recent cases in the Federal Court and the Federal Court of Appeal remind us of this.

It is common to register a corporate name as a trademark.  That’s fine if it is actually used as a trademark – but mere use as a corporate name is not enough to amount to trademark use.

Similarly, mere use of the trademark within an email or other text is not enough if it looks like the rest of the text.  It must somehow look different than the rest of the text.

For example, if your company name is Abcd Widgets Inc, and your trademark is ABCD, the use of Abcd Widgets Inc. is not use of the trademark.  ABCD must be used independently.  And in text, using abcd is not use, but using ABCD may be, as it looks different than the surrounding text (unless, of course, the rest is in all caps as well.)

Cross-posted to Slaw

Digital Privacy Act amends PIPEDA

Several amendments were made last week to PIPEDA, the federal private sector privacy legislation.   This has been sitting around in draft for a long time.  Except for sections creating a new mandatory breach notification scheme, the amendments are now in force.  The breach notification scheme requires some regulations before it comes into effect.  More on that at the end of this post.

Several of these changes were long overdue, and bring PIPEDA more in line with some of the Provincial Acts that were drafted after PIPEDA.

Here are some of the highlights that are in force now:

  • The business contact exception from the definition of personal information has been broadened.
  • Provisions have been added to allow the transfer of personal information to an acquiring business for both diligence and closing purposes. Most have been approaching this in a similar way, but vendors, purchasers, and their counsel should make sure they comply with the exact requirements.
  • A new section says consent is only valid if the individual would understand what they are consenting to.  This speaks to the clarity of the explanation, and is particularly important when dealing with children.
  • Several new exceptions allowing the collection, use and disclosure of personal information without consent have been added, such as witness statements, communication to next of kin of ill or deceased persons, and fraud prevention.
  • The Commissioner now has a compliance agreement remedy.

The breach notification sections that come into effect at a later date include:

  • Mandatory reporting to the Commissioner of a breach where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”  That test is somewhat subjective, and will no doubt cause some consternation in practice.  Guidance is included on relevant factors to consider and what constitutes “significant harm”.
  • The report must contain certain information and be on a form that will be in the regulations yet to be released.
  • Affected individuals must be similarly notified.
  • Businesses will be required to maintain records of “… every breach of security safeguards involving personal information under its control”, and provide a copy to the Commissioner on request. Note that this is “every” breach without regard to a harm threshold.  This could pose a challenging compliance issue for large organizations.
  • The whistleblowing provision has been amended to allow a complainant to “request” that their identity be kept confidential.
  • The section with the $100,000 fine for interfering with an investigation has been amended to make it an offence to contravene the reporting requirements.  That will make the decision of whether a breach passes the reporting threshold a serious matter to ponder.

Cross-posted to Slaw

Bill C-51 (Anti-Terrorist Act, 2015) passed by Senate despite massive opposition

Bill C-51 (Anti-Terrorist Act, 2015) has been passed by the Senate despite massive opposition to its privacy-unfriendly, invasive powers.  See, for example, commentary by the Canadian Civil Liberties Association, this article by security law professors entitled “Why Can’t Canada Get National Security Law Right”, and this post on Openmedia.ca.

Yet in the United States, the USA Freedom Act, which pulls back a bit on the ability of the NSA to collect domestic data, was just passed.

There seems to be no evidence that all this invasive spying and data collection actually reduces or prevents terrorism or crime.  The cost is enormous – both in terms of the direct cost of collecting, storing and analyzing it – and the costs to the economy.  A new report from the Information Technology and Innovation Foundation says that US companies will likely lose more than $35 billion in foreign business as a result of NSA operations.

And that’s not to mention the cost to civil liberties and privacy.  As many people have pointed out, 1984 was supposed to be a warning, not an instruction manual.

Cross-posted to Slaw

Ontario Privacy Commissioner releases Annual Report

Ontario Privacy Commissioner Brian Beamish just released his first annual report.

It is an interesting read for anyone interested in access and privacy issues.

Topics include details on some noteworthy access and privacy decisions, open government, police body cameras, sharing of CPIC information with US border officials, contents of police record checks, and comments on personal health privacy.

It also contains stats on complaints and appeals.

Cross-posted to Slaw

Will self-driving cars spontaneously reboot?

A common rebuke to self-driving cars is the thought of cars behaving like computers – like freezing or rebooting while driving. Those make amusing sound bites or Twitter comments, but there is a grain of truth to it. Self-driving technology has come a long way, but while computers and software can follow programmed instructions, and can learn over time, humans are still better at many things.

An article in the New York Times entitled Why Robots Will Always Need Us does a good job of putting this in context, in part by drawing on the experience of aircraft.

Author Nicholas Carr points out that:

Pilots, physicians and other professionals routinely navigate unexpected dangers with great aplomb but little credit. Even in our daily routines, we perform feats of perception and skill that lie beyond the capacity of the sharpest computers. … Computers are wonderful at following instructions, but they’re terrible at improvisation. Their talents end at the limits of their programming.

and

In 2013, the Federal Aviation Administration noted that overreliance on automation has become a major factor in air disasters and urged airlines to give pilots more opportunities to fly manually.

That’s not to say that we should smugly dismiss automation or technology. Lawyers, for example, who dismiss the ability of software to replace certain things we do are in for a rude awakening.

In general, computer code is never bug free, is never perfect, and is not able to do certain things. (You can say the same for us humans, though.) For example, the aircraft industry spends huge amounts of time and money testing the software that operates aircraft. On the other hand, the types of things computers can do well are increasing, and will increase over time. At some point there may be breakthroughs that make computers more reliable and better at the things we humans are more adept at. But we are not there yet.

Cross-posted to Slaw

Is a self driving car in your future?

Depending on how you define a self driving car – probably sooner than you think.

Sometimes new technology seems to come out of nowhere, but it often creeps up on us.  Legal disruptions that new tech spawns often follow the same path – usually a combination of lagging behind new technology, and getting in the way of new technology.

Current advances that come to mind include smart watches, drones, electric cars, and Tesla’s Powerwall.

Take self driving cars for example.

It’s not as if we will go directly from a totally human driven car to a totally autonomous car.  They will creep up on us.  The Google self driving car gets a lot of press, and understandably so, but mainstream auto makers are rolling out these features now. We already have cars with features such as self parking, adaptive cruise control, cross traffic alerts, and lane departure warnings.  Over time these will morph from warning systems to taking control for a brief time to driving for longer periods of time.  Self driving will start on highways before it moves to city driving.

Actually, self driving trucks might become prevalent sooner than self driving cars.

Cross-posted to Slaw.

Google search favours mobile friendly sites

Is your website mobile friendly? As of yesterday, Google search ranks mobile friendly sites higher in search results.

This means that if someone does a Google search from a mobile device, a site that is mobile friendly will appear higher in the search results than one that is not mobile friendly and would otherwise rank the same.

Given the high, and rising, percentage of time people use phones and tablets for search compared to PCs, it is increasingly important that web sites be mobile friendly.

You can test a URL for mobile friendliness on this Google page. In case you are wondering, Slaw, my elegal blog, and the Harrison Pensa web site all pass the test.

So take the test for your web site, and if it doesn’t pass, talk to your web developer.

Cross-posted to Slaw.

The smartwatch era is here

If you are an Apple fan, April 24, 2015 marks the beginning of the smartwatch era – the date the Apple Watch is available. (Preorders start Apr 10th.) Smartwatches have been around for a while, but given the Apple reality distortion field, they will initially sell in large numbers, even though they are the most expensive ones available. The basic Apple Watch is functionally the same as the most expensive gold watch edition that starts at $10,000. (Someone said that if you can afford a $10,000 watch, you probably don’t need to know what time it is.)

But there are alternatives, including several Android versions, the Pebble, and the Microsoft Band. Version 2 of several of these are expected soon.

Smartwatches are designed to be an interface to your smartphone. But if you want something that comes at this from a different approach, check out the Neptune – from a Canadian company that takes the intriguing approach of making the device on your wrist the main computer. There are still a few days left to take advantage of their Indiegogo campaign.

Personally – as much as I want one – I’m waiting for the upcoming second gen Android versions. But then again that Neptune is rather cool…

Cross-posted to Slaw

http://harrisonpensa.com/lawyers/david-canton