For the London Free Press – January 23, 2012 – Read this on Canoe

The Office of the Privacy Commissioner of Canada (OPC) recently tabled its Annual Report on the Privacy Act. The airport scanner issue receiving much of the press, however there are a number of other noteworthy items in the report. The Privacy Act is the legislation that applies to the Canadian federal government.

Regarding airport scanners, the major concern is whether the Canadian Air Transport Security Authority (CATSA) and the airport screeners it hires under contract are respecting the privacy rights of travellers. While some elements of good privacy management were found, an audit performed earlier in the year identified a number of areas for concern. Of particular note was the security over the images produced by the full-body scanners. Despite being strictly prohibited, a cellphone and closed-circuit television camera were found in the room where officers were viewing the images. These issues were discovered during the audit and were addressed by CATSA.

CATSA has also suggested a plan to observe passengers in the airport pre-boarding areas for suspicious behaviour. OPC expressed a number of concerns including the potential for inappropriate risk profiling based on characteristics such as race, ethnicity, age or gender.

The report also looked at various forms of biometric information such as fingerprints and facial images. Although the collection of biometric information can lead to highly reliable identification systems — certainly more reliable than paper systems — the collection and use of this information has also raised significant privacy concerns. While biometric information has the potential to bolster identification systems, it can also lead to privacy concerns regarding covert collection of data, cross-matching and unwanted secondary disclosure. To aid organizations looking to utilize biometric information, the OPC has prepared a primer that helps to identify the pros and cons of biometric data systems.

Also addressed in the report was a complaint made by an individual who was asked by Canada Post to provide identification in order to terminate the rental of a postal box. After review, OPC found that Canada Post has a statutory obligation to provide a secure postal service and that the collection of personal information was consistent with that mandate. The purpose of the data collection was to ensure that postal boxes were not being used or closed fraudulently and further to aid in the investigation of illegal goods shipments. OPC determined that the collection of data for these purposes was reasonable and that the complaint made was not well founded.

Privacy issues are often a balancing act between too much and too little. OPC’s annual report looks to identify areas of concern and make recommendations as to how to strike an appropriate balance. Governments require personal information to properly exercise their functions, however the question quickly becomes “how much collection and use is too much?” A complete copy of OPC’s Annual Report to Parliament is on OPC’s website at www.priv.gc.ca.

For the London Free Press – January 9, 2012 – Read this on Canoe

Here are some tech developments to look out for in 2012.

The proposed amendments to Pipeda, the Canadian federal-privacy legislation, will be passed. Several of the amendments are long overdue, and will give some practical relief to business, without any compromise to personal privacy.

The change with the most visible effect will be the requirement for a business that experiences certain privacy breaches to report the breach to the privacy commissioner or to the individuals whose information may have been compromised.

The federal anti-spam legislation expected to be in force in 2011 is still waiting for regulations to be passed before coming into force.

The draft regulations received a lot of criticism, and may be revised prior to the act coming into force. The act will be a compliance headache for many organizations, unless the regulations effectively narrow the broad definition of spam.

The act is intended to provide tools to stop what we all understand to be spam. But the act defines spam to include e-mails that many businesses or charities routinely send that the recipients probably would not consider to be spam.

The smartphone and tablet revolution will continue. Whether you are a fan of Apple, Android, or Windows Phone 7 (yes, Microsoft is still in the phone game with a new operating system that has been favourably reviewed), there will be new choices to buy. This always-connected, location-aware, augmented-reality world will lead to challenges to privacy, advertising and business models.

We will start to hear more about digital wallets and near-field communications (NFC). Our smartphones will eventually become our wallets and credit cards, allowing us to pay at stores like a tap-and-go card.

North America lags behind other parts of the world in near-field communications, but expect to see more phones with this ability on the market this year. There is some speculation there could be some near-field communications wallet promotion around the Olympic Summer Games in London, England.

The players in this field may extend beyond the traditional banks and credit-card companies. Companies such as Google and cellphone carriers are trying to get a part of this business. If we have choices, we need to watch to ensure we get the same protections for lost or compromised phones as we now get for lost cards.

Another buzzphrase we will hear more is “the Internet of things.” Sensor technology, and electronics in general, are becoming more pervasive and cheaper. So in addition to connecting to people and websites on the Internet, we will increasingly be able to connect to things such as our home thermostats and appliances. At the same time, voice control and gesture control will lead to new ways to interact with our devices.

For the London Free Press – December 12, 2011 – Read this on Canoe

If you are looking for a gift to buy someone who seems to have or want the latest tech products, here are some suggestions.

If they have an iPhone or iPad, get a gift card to the Apple app store. The recipient will be able to choose from a long list of items, ranging from music and apps to car mounts.

Many accessories are available for smartphones and tablets. For someone who is partial to classic arcade video games, such as Missile Command, ThinkGeek sells the iCade Arcade Cabinet that turns an iPad into a table top arcade game complete with joystick and buttons.

For the musically inclined, an external microphone to use with the GarageBand iPad app might be appreciated. Or an Amplitude iRig to plug a guitar into an iPad or iPhone to turn it into a mobile amplifier/effects studio.

Smartphone cameras are getting so good that they can replace point and shoot cameras. Adapters are available, such as the Glif for an iPhone, that will mount a smartphone to a tripod just like a real camera.

Some day using your cell phone as your credit card will seem as normal as using a debit card today. Smartphones are becoming equipped with technology called near-field communications, or NFC, that will allow the phone to act as a digital wallet. All one has to do is to hold the phone near a card reader. NFC and digital wallets have been in trials for several years.

But we don’t have to wait for NFC. You can, for example, get a Starbucks gift card that can be used by a smartphone app to pay for your Starbucks purchase.

Smartphones and tablets are all controlled by touch. The screens are capacitive, meaning that your fingers have to actually touch the screen to work it. That’s fine until you want to use it with gloves on in the cold. But there is a solution to that. You can buy gloves made with conductive fibres that work with touch screens. Or Twittens brand gloves that let you expose you thumb and forefinger to operate a phone or camera.

If you are buying for the adventurous sort, consider a GoPro HD Hero video camera. It comes with mounts to attach it to a helmet, wing, surfboard, bike or pretty much anything.

High-definition video content is available online from various sources, or might reside in files on one’s computer. Much better, though, to watch it on a big screen TV than a small computer screen.

There are many ways to stream content to a TV from Internet-based services or a computer. Depending on what the individual’s technology of choice is, options include Apple TV, Roku (which you may have to import from the U.S. until sometime in 2012), or even an Xbox. Some Blu-Ray players also include this ability.

If price is no object, check out the “Expensive Gifts” category at blastr.com. The rocket belt, or the working TRON light cycle would no doubt be appreciated.

For the London Free Press – November 28, 2011 – Read this on Canoe

Social media blurs the lines between the personal and work life of employees, and employers are faced with the difficult task of regulating its use in and out of the workplace.

Social media can be beneficial for a business. It can be used for advertising, marketing, networking and keeping in touch with customers. On the other hand, it can be detrimental to a business if employees use social media to criticize their employers, customers or the products they sell.

Over a year ago, a Best Buy employee in Missouri was almost fired for making a video that portrayed an electronics store employee trying to convince someone to buy a phone other than an iPhone.

The video didn’t identify Best Buy, but the employee was suspended and almost fired because Best Buy found the video was “openly disparaging of our employees, our customers and our vendor partners.”

In September, a Starbucks barista from California was fired after he made a video of himself singing. In the song, called The Starbucks Rant Song, he makes fun of customers, products and the company.

Three months after it was posted on YouTube, Starbucks found out about it and fired him. Even though the barista said the video was just an attempt at satire, his lyrics were certainly a criticism of his employer.

In these two situations, both videos were made outside of the workplace. The question is whether they cross a line that allows an employer to do something about it.

The American National Labor Relations Board released a report on the outcome of investigations into cases involving use of social media. The board took the position regardless of whether there is a social media policy, an employer “can’t discipline employees who discuss workplace responsibilities and performance together online, even if the online conversation includes swearing or insults.”

It also states if a business does have a policy, they should “make sure it does not try to control what employees can say and cannot say about the company. If it does, you can be in trouble with the NLRB.”

That perspective rings true in Canada as well. But that’s not to say employees have free reign to say whatever they want on personal social media channels. If an employee discloses an employer’s confidential information in a tweet, the employer would have cause for concern no different than if the employee said it in a work e-mail.

But if the employee is criticizing his or her employer, or stating a personal opinion that might be different than management’s — the employer’s best response may be to do nothing.

A good way to reduce chances of misuse of social media is to have a social media policy that sets expectations. A tool to create a social media policy can be found at policytool.net.

For the London Free Press – November 7, 2011 – Read this on Canoe

The Canadian government recently introduced Bill C-12 (the Safeguarding Canadians’ Personal Information Act) that contains amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The PIPEDA privacy legislation charted new territory when it was enacted a few years ago. Most of these amendments are a result of things learned since then, and have been contemplated for some time.

For example, the new bill amends the “business card exemption” to make it clear that one’s business e-mail address is not personal information.

It was a glaring error when a person’s business telephone number and physical address was deemed not to be personal information, but their business e-mail address was considered personal information.

Provisions are included to govern privacy issues when personal information is transferred during corporate mergers and acquisitions. That includes things such as customer information. This was another glaring error that needed to be corrected.

One of the controversial sections of PIPEDA was the ability (but not the obligation) to provide personal information to government authorities if they provide the custodian of the information with proof of its “lawful authority.”

The meaning of “lawful authority” has been debated over the years. Out of an abundance of caution, many organizations simply required a subpoena or court order before they would turn personal information over to police.

The proposed amendments contain a provision saying that lawful authority means something other than a subpoena or court order. But this addition is not helpful in describing what lawful authority is.

The amendments contain lengthy provisions that will, for the first time, require disclosure of privacy breaches. When enacted, these provisions will require certain breaches to be reported to either the privacy commissioner, to individuals who may be affected, or both.

Not all privacy breaches must be disclosed. The amendments list various factors to determine whether a breach is material and thus must be disclosed to the commissioner.

Factors include the sensitivity of the personal information, the number of individuals affected, and whether the breach indicates there is a systemic problem.

The test to determine whether a breach must be disclosed to individuals is slightly different, being whether “the breach creates a real risk of significant harm to the individual.”

The tests to determine when the thresholds have been reached to require disclosure to the commissioner or the public are somewhat subjective. No doubt the privacy commissioner will interpret the thresholds to be lower than some entities facing a breach would interpret it.

It will be interesting to see how the breach disclosure sections work in practice. Some entities have been very forthright about disclosing privacy breaches. They may consider it the right thing to do, or fear the headline risk if the fact there was a breach is disclosed by another source.

Of course, we may not know how many privacy breaches have not been disclosed that these sections will now require to be disclosed.

For the London Free Press – October 24, 2011 – Read this on Canoe

Are Browse-wrap agreements binding?

Most web sites contain a link at the bottom of the page to “terms of use”. But are they binding on those who use the website? A recent Canadian case says they are.

Despite the prevalence of terms of use linked to the bottom of web pages, Canadian courts have not spent much time discussing whether they are binding the same way that “click-wrap” agreements are.

The Ontario Superior Court decision in Century 21 Canada Limited Partnership versus Rogers Communications Inc. shed some light on this issue. The case discussed the evolution of agreements as software sales have shifted from boxed software purchases to online.

“Shrink wrap” agreements are contracts that are entered into by the purchaser when they tear open the shrink wrap of a software purchase. Implicit in the opening of the packaging is the idea that the user is agreeing to be bound by the terms of use.

“Click wrap” agreements are when users are required to indicate their agreement by clicking on an “I Agree” box. Implicit in the “click” is the idea that the user is agreeing to be bound by the terms of use.

A “browse wrap” agreement does not require the user to click an “I Agree” box, instead the mere use of the website on which it appears may lead to a finding that the user is bound by the terms of use.

Click wrap agreements are binding in Canada pursuant to case law and legislation. The difficulty in “browse wrap” agreements is that the user may not realize a website contains terms of use, and even if the user is aware of the terms of use, the user may not agree to be bound.

But being bound by agreements one has not read is not a new concept. There are a series of ticket cases where fine print on the back of a ticket or document were held to be binding, provided that it is brought to the person’s attention. It doesn’t matter if the person actually read it, provided they could have easily read it if they wanted to.

Zoocasa, a subsidiary of Rogers Communications Inc., was “scraping” online real estate listings from Century 21′s website and reposting them on its own site with additional information. Zoocasa admits it had knowledge of Century 21′s terms of use, which included a term prohibiting scraping. The court found Zoocasa’s access and use of the website following actual notice of the terms of use constituted acceptance of the terms of use. Part of the court’s decision turned on the fact that Zoocasa is a sophisticated business entity and is therefore familiar with the concept of terms of use within a website.

The court did not have to determine if Zoocasa had clear notice of the terms of use because this fact was admitted.

Given that it is common practice for websites to have links to terms of use at the bottom of its pages, it would be logical to assume that would be sufficient to constitute notice.

For the London Free Press – October 3, 2011

Read this on Canoe

ONLINE: ONTARIO SUPERIOR COURT DECISION DOES NOT MEAN YOU CAN SAY WHATEVER YOU WANT WITH IMPUNITY

The Ontario Superior Court recently decided that a blog comment must pass a higher threshold before it’s considered defamatory than statements made in other places.

Defamation is the communication to third parties of a false statement that tends to injure the reputation of an individual. Slander is oral defamation. Libel is written defamation.

The reasoning in the case of Baglow v. Smith includes the thought that an ongoing blogging thread is akin to a debate. The person who felt wronged by a comment has an opportunity to reply to set the record straight and lessen the impact on his reputation of the original statement.

That makes sense if the two parties were already both involved in the online banter. But might be less applicable if the aggrieved party had not been involved in the debate prior to the comment.

Another thought was that given the nature of the online forum, readers would be less likely to interpret comments such as in this case — which suggested the person was a Taliban supporter — as being intended to be factual.

It probably didn’t help the complainant’s case that he had made some derogatory comments of his own in the comment thread. To determine if a statement is defamatory, it must be looked at in the context of the conversation or publication as a whole, and not as an isolated statement.

But this decision doesn’t mean the Internet is a defamation- free zone and that one can say whatever one wants with impunity. It just means the analysis as to whether particular comments on the Internet amount to defamation considers the nature of the medium. That makes sense, as defamation is about what the public thinks as a result of the comment.

Earlier defamation decisions about material posted on the Internet have awarded higher damage awards than if it had been published on paper. The rationale is there is a broader distribution of the comment.

So we could be in the position where a defamatory comment in an article on the Internet or in a blog post or on some form of social media might have a risk of a higher damage award — but the threshold for being considered defamatory in the first place is higher. In other words, more potential damages, but less risk of being found defamatory in the first place.

And the risk of a comment being considered defamatory might be less if discussion ensues, especially if the aggrieved party is involved in the discussions.

The bottom line — if someone makes a comment online about you that you think might affect your reputation, you should think carefully about what to do about it.

On the one hand, it might not attract enough attention to do any real harm, and the wrong reaction might just bring more attention to it. On the other hand, its online nature gives the opportunity for a measured, rational reply to set the record straight.

For the London Free Press – September 19, 2011 – Read this on Canoe

Whether a domain name (such as www.harrisonpensa.com) is property that one owns — or just “a bundle of rights” — has been the subject of legal debate. The Ontario Court of Appeal recently said it is property.

The domain-name-as-property position makes sense in a world where, for example, in the early 2000s, wallstreet.com sold for more than $1 million and wine.com for more than $3 million.

Domain names are registered on a first-come, first-serve basis. The individual or company that registers the name receives the exclusive right to use the name, for which it pays a fee of a few dollars per year.

Registrars accredited by the Internet Corporation for Assigned Names and Numbers act as overlord, allowing domain registrants to use the domain name subject to any restrictions they may impose.

If a domain name is a licence, clauses may be included in a service agreement that might, for example, impose restrictions on assignment. If a domain name is property, such restrictions may be hard to uphold. If a domain name is property, a registrant will have rights relating to the domain name which include the right to use, convey, develop, exclude, bequeath, profit from, assign and dispose of, with or without consideration.

A licence is a special permission to do something on, or with somebody else’s property which, were it not for the licence, could be legally prevented or give rise to legal action.

Conversely, property is the right to control how and by whom a particular thing may be used. If a domain name is a licence, registrants are at the mercy of the registrar to determine how the domain name will be used. If a domain name is property, the registrants are free to use the domain name in any manner they like and cannot be legally prevented from doing so by the registrar.

In the recent Ontario Court of Appeal decision, Tucows.Com Co v. Lojas Renner S.A. (2009), the court settled the licence/property debate, at least in Ontario.

Tucows.Com Co. (“Tucows”) is the registrant of more than 30,000 domain names. Lojas Renner (“Renner”) is a Brazilian subsidiary of JC Penny and has registered the trademark Renner in Brazil and other states. Renner made a complaint to the Internet Corporation for Assigned Names and Numbers regarding Tucows’ registration of the domain name “Renner.” In response, Tucows initiated its own action in Ontario for ownership of the domain name.

The Ontario Court of Appeal examined the traditional common-law attributes of property, specifically whether there exists “a collection of rights over things that can be enforced against others.” The court found the rights associated with a domain name include those rights.

As a result, the Ontario Court of Appeal found the domain name, as a business asset of Tucows, was intangible property.

This decision won’t have dramatic impact on the day-to-day use of domain names, but helps clarify their legal status for many issues ranging from ownership disputes to the right to bequeath them to heirs.

For the London Free Press – August 22, 2011 - Read this on Canoe

The increasing use of e-signatures raises several questions about their suitability for legal documents

Adobe recently announced the acquisition of EchoSign, a web-based provider of electronic signatures and signature automation. If ink was used to finalize the deal, it had not even dried yet when RPost, a self-proclaimed pioneer of e-signatures, launched a lawsuit against Adobe and EchoSign for patent infringement.

News coverage of the lawsuit described how millions of individuals and businesses worldwide have been using this technology to remotely automate the entire signature process with the click of a button. This is all fine in theory, but, when parties to a contract are relying on it, will an e-signature hold up in court?

According to the Ontario Electronic Commerce Act (ECA), a legal requirement that a document be signed (with a very few exceptions, such as wills, powers of attorney for individuals, documents for land transfer, and negotiable instruments) is satisfied by an electronic signature. The question then is: what is required to meet the definition of a legally binding e-signature?

The act defines “electronic signature” as “electronic information that a person creates or adopts in order to sign a document and that is in, attached to or associated with the document.”

Similarly, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines “electronic signature” as “a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document.”

Although it’s possible to digitize handwriting so that it’s displayed as an image, an electronic signature doesn’t need to look like a handwritten signature or even contain the letters of the signatory’s name, as long as it’s “associated with” the document.

There are two basic legal requirements concerning the reliability of an e-signature that must be satisfied. It must be reliable to identify the person, and to associate the e-signature with the relevant electronic document.

So how do services such as EchoSign do that? Essentially, you load the document to be signed on to the EchoSign service, along with the email address of the person who is to sign it. The person identifies themself by logging in to an existing social media account, and clicks to sign the document. The service returns the document, along with details about the signature, including the date, the email account used by the signatory who created the document, where it was sent, who viewed it, how the signatory’s signature was verified, and to whom and when the signed document was returned.

If, for example, the signatory identified themselves with their Twitter account, it includes their Twitter identity and the image they use for their account.

While we may be used to actual handwritten signatures, one has to ask whether this type of process might be more reliable, and less prone to fraud than the traditional method, particularly where the parties are not together when it’s signed.

For the London Free Press – August 8, 2011 – Read this on Canoe

The Internet Corporation for Assigned Names and Numbers (ICANN) recently approved a new program for registering generic top-level domain names (gTLDs). The door has opened to allow for almost anything.

The current most commonly recognized TLD is .com, followed by .org.

By 2013, Internet users can expect to see an influx of new internet domain extensions, such as .bank, or ones using major brand names.

The new program will open up the Internet domain market for businesses, organizations and individuals who wish to distinguish themselves or their products in the virtual world by having a personalized domain extension. ICANN anticipates many of the new domain extensions will be registered by cities and other geographic locations, by corporations and by special interest groups.

Those who wish to register a gTLD must submit an application to ICANN and pay a $185,000 application fee. ICANN will begin accepting applications between Jan. 12, 2012 and April 12, 2012. After the application deadline, ICANN will review each application and assess whether the proposed domain extension will be appropriate.

ICANN has introduced a list of conditions and qualifications that must be met by gTLD applicants to ensure they have sufficient financial, technical and operational capabilities to administrate and maintain their gTLD. For example, applicants are first required to undergo background screening of their general business diligence and criminal history to validate the legitimacy of their application and prevent cyber-fraud.

If an applicant passes the background screening, it will be subject to several assessments and evaluations to determine whether their proposed gTLD is feasible. This includes a review to determine whether it will create user confusion or too closely resembles another gTLD. There is a process to determine which applicant will prevail if there are multiple applicants for the same gTLD.

Administrating a gTLD involves a huge commitment and the responsibility to ensure security, ease of access and uninterrupted use. Unlike registering a website domain, such as google.com,a gTLD can accommodate thousands of different websites with the same domain extension.

ICANN’s decision to expand the gTLD registry presents some potential challenges and concerns that must be addressed. For example, gTLDs are border-less but the entities that own the rights to administer a gTLD are confined to the country in which they reside.

A Canadian entity might, for example, acquire the right to administer the domain extension . bank and restrict its use to legitimate banks. However, other countries with different laws about what constitutes a bank may also wish to use the . bank domain extension. Such a situation may give rise to conflicts and liabilities if not adequately prepared for in advance.

The expansion of the gTLD will certainly make the Internet a more interesting place to explore as businesses and individuals seek to distinguish themselves and their products or services online. More information about the ICAN gTLD application process is in its Applicant Guidebook on its website at icann.org.