David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.




August 30, 2010

Open data presents opportunity, pitfalls

David Canton @ 8:14 am

For the London Free Press – August 30, 2010


The open data movement – the concept that certain data should be made available to everyone to use without restriction – is growing steadily in popularity.

An example of open data use is the eatsure.ca London restaurant inspection score site using data from the health unit. Another is the Next Stop mobile app that shows the actual location of London transit buses using data from London Transit.

The concept applies mainly to data held by government and public corporations. They hold information from which the public can benefit, and opening it up allows individuals to use and present that data in ways that the owner of the data may not have the time or inclination to pursue.

It is similar to the concept of transparency, which upholds that government and business should be accountable to their stakeholders.

While the concepts of transparency and open data are laudable, not all types of information should be freely available.

Privacy obligations prohibit personal information from being disclosed. And there are other things that, for various reasons, ought to be confidential.

Some information needs to be kept confidential for competitive reasons, and to facilitate frank and open internal discussion on various matters.

For example, negotiations or bids for a contract could get derailed if the details were disclosed.

Open data means we can’t rely on practical obscurity to filter things that are theoretically public but in practice are quasi-private because they are not easy to access. Court files and property assessment information, for instance, are public, but it takes time and effort to get to them, which in practice limits access somewhat. Attempts to put them online have resulted in privacy and security concerns.

Open data does not apply to information about individuals. The decision to reveal personal information is, for the most part, the decision of that individual.

Except where freedom of information legislation requires disclosure, individuals and organizations still are at liberty to make their own decisions about what information to disclose.

Open data is a good concept, and will result in information being used in new and useful ways.

The concept, however, is a movement, not an obligation. Those opening up data need to think about what information ought to be disclosed, and what limits are needed to protect personal, confidential and sensitive information.

Public transit locations, restaurant inspection data, and information about the status of public facilities are easy to justify making open. Each type of data needs some critical thought to ensure opening it is appropriate and does not violate legal or contractual obligations.

August 23, 2010

Personal, work life overlap with social media

David Canton @ 9:25 am

For the London Free Press – August 23, 2010


Best Buy employee nearly fired for online video poking fun at iPhone consumers

The amusing (though sprinkled with colourful language) iPhone 4 vs. HTC EVO video on YouTube almost cost the creator — a Best Buy employee — his job.

The video portrays an electronics store employee trying to convince a person wanting an iPhone 4 to buy an HTC EVO 4G instead. The video has had about seven million views.

The video was made by Brian Maupin, a 25-year-old from Kansas City, Mo. For the past 3 1/2 years he worked at Best Buy selling mobile phones, something he may decide never to do again. This comes after he was suspended from work and faced threats of being fired.

Maupin explained Best Buy “felt it disparaged a brand they carried (iPhone/Apple) as well as the store itself and were fearful of stockholders and customers being turned off to Best Buy Mobile.”

But if you watch the video, you will see there isn’t any mention of Best Buy at all. The cartoon employee identifies the store as “Phone Mart.” The characters are not wearing anything that resembles the Best Buy uniform and are standing in an outdoor field with a pink tree.

Best Buy recently announced they will not fire Maupin.

“We have completed our investigation into the videos created and posted by Brian Maupin, the aspiring film-maker and Best Buy employee. This is an important situation for us because it involved balancing our social media guidelines with a commitment to creating a supportive environment for our employees. It’s important to note that our investigation involved three videos that were posted in late June because they were openly disparaging of our employees, our customers and our vendor partners. . . . Contrary to rumours, Brian has not been fired, and is scheduled to return to his job.”

But Maupin has chosen to take a leave of absence and is thinking about kick-starting his graphic design career.

“I’m not planning on returning to work — immediately, anyway. Honestly, I don’t know how I could return considering some of the things that were said to me and not have a lot of awkwardness on the job. I’m looking at possible jobs in graphic art — nothing definite yet, but I’m searching.”

Maupin has taken a stab at the situation in his most recent video, “TweetFired”.

In TweetFired, a pants salesman at fictitious “Stacks o’ Slacks” gets a stern talking to by his boss because of the tweets he posts on his Twitter account — tweets that have absolutely nothing to do with his job. His boss has apparently been stalking him on social media, and accuses him of “painting a very negative picture of working here in 140 characters or less.”

Internet tools and social media increasingly blur how one’s personal and work life overlap. Employers struggle with the extent to which they may be prejudiced by those actions, whether they should just ignore it, and what legal rights they have over actions employees consider personal.

August 17, 2010

While copyright collectives help, royalties issue muddy

David Canton @ 8:12 am

For the London Free Press – August 16, 2010

[UPDATE: Also take a look at this related Techdirt post entitled The Insanity Of Music Licensing: In One Single Graphic]

Radio royalties are complex.

On July 9, 2010, the Copyright Board of Canada issued its long-awaited Commercial Radio tariff and reasons. It dealt with the payments radio stations must make to copyright collectives to obtain rights to play music.

The rights to use most music flow through copyright collectives that collect royalties from broadcasters and other users, so they don’t have to deal with rights holders individually. The collectives in turn pay the royalties to the rights holders.

Even with the collectives taking the place of rights holders, the various copyright payments broadcasters must pay for music are complex. Radio stations must pay for six different rights.

The board stated:

A Canadian radio station that broadcasts recorded music off a server reproduces and communicates musical works, performers’ performances and sound recordings. Four copyrights and two remuneration rights must be accounted for.

The board estimates that commercial radio stations will pay a total of $85 million annually in royalties under the new rates, an increase of $13 million over previous rates.

Of the $85 million in royalties, the board estimates $51 million will go to SOCAN, $13 million to Re:Sound, $11 million to CSI, $10 million to AVLA/SOPROQ and $200,000 to ArtistI.

SOCAN administers the exclusive right of the owner of the copyright in a musical work to communicate it to the public by telecommunication for most composers, authors, and publishers.

The second and third rights are the remuneration rights that performers and record companies enjoy when a recording of a musical work is communicated to the public by telecommunication. Re:Sound administers these rights for most eligible performers and makers.

The fourth set of rights is the exclusive right to reproduce a musical work. CSI, SODRAC and CMRRA administer these rights.

The fifth set of rights is the exclusive right to reproduce a sound recording. AVLA and SOPROQ act for most record producers, record companies and artists.

The sixth set of rights is the exclusive right in a performer’s performance to reproduce the performance for a purpose other than the purpose for which authorization was given. ArtistI, ACTRA PRS, AFM Canada Artisl, and others administer this right.

The estimated $85 million in royalties payable by radio broadcasters does not include instances where collectives have not filed tariffs. As a result, the $85 million estimate may be understating the monies payable by radio broadcasters.

The Commercial Radio tariff is a consolidation of several proposed tariffs filed in 2007 and 2008. If the board’s decision ends up being judicially reviewed by the Federal Court of Appeal, a final decision will likely be over a year away.

August 9, 2010

PIPEDA governs how data is collected and used

David Canton @ 8:21 am

For the London Free Press – August 9, 2010


Case involves actions undertaken by insurer State Farm on behalf of a client

The Federal Court of Canada recently released an important decision on the parameters of “commercial activity” under the Personal Information Protection and Electronic Documents Act (PIPEDA): State Farm v Privacy Commissioner.

The act is a Canadian law relating to data privacy. It governs how private-sector organizations collect, use and disclose personal information in the course of commercial business.

The act defines commercial activity as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

In State Farm v Privacy Commissioner, the State Farm Mutual Automobile Insurance Co. questioned the privacy commissioner’s jurisdiction to investigate a refusal to provide access to personal information and her power to compel the production of documents during the course of an investigation.

Specifically, it dealt with a situation where State Farm retained a private investigator on behalf of an insured person who had been sued by a motor-vehicle accident plaintiff. The private investigator conducted video surveillance on the plaintiff. The plaintiff sought access to the surveillance footage under the act.

The court concluded it would not be commercial activity for a defendant, herself, to collect evidence for the defence of a tort claim. There is no “commercial character” associated with that particular activity. The court then concluded that, because the primary characterization of the activity is not commercial, using a third party (such as an insurer, a law firm or a private investigator) to carry it out does not render it commercial.

“I conclude that, on a proper construction of PIPEDA, if the primary activity or conduct at hand – in this case the collection of evidence on a plaintiff by an individual defendant in order to mount a defence to a civil tort action — is not a commercial activity contemplated by PIPEDA, then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct on his or her behalf. The primary characterization of the activity or conduct in issue is the dominant factor in assessing the commercial character of that activity or conduct under PIPEDA, not the incidental relationship between the one who seeks to carry out the activity or conduct and third parties.”

In this case, the insurer-insured and attorney-client relationships are simply incidental to the primary non-commercial activity or conduct at issue, namely the collection of evidence by the defendant . . . in order to defend herself in the civil tort action brought against her.

In other words, the decision essentially says that if the act does not apply to something that X does, the fact that X hires someone else to do it (which is a commercial activity) does not turn that something into commercial activity for X, and thus does not make it subject to the Personal Information Protection and Electronic Documents Act.

July 26, 2010

Twitter example of the business costs of inadequate security

David Canton @ 7:56 am

For the London Free Press – July 26, 2010


Customers and regulators take a dim view of companies that don’t safeguard private information

Twitter recently agreed to settle the Federal Trade Commission’s charges that it deceived consumers and put their information at risk through inappropriate and inadequate privacy measures. The charges were that Twitter represented it keeps user information safe, but its actual security measures were not adequate to do that.

On two separate occasions hackers gained unauthorized administrative control of Twitter and access to non-public tweets and user information.

In the first security breach, a hacker used an automated password-guessing tool to access Twitter’s administrative account.

In the second breach, a Twitter employee’s e-mail account was compromised and his or her administrative password inferred from other passwords stored in the e-mail account.

If this had occurred in Canada, it would be regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). The United States does not have equivalent privacy legislation.

The FTC approach in these situations is to charge the company with misleading advertising for not living up to its privacy policy.

The FTC charged Twitter with making representations regarding its privacy and security measures which were false and deceptive in violation of Section 5(a) of the Federal Trade Commission Act.

The terms of settlement include the following.

Twitter is barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of non-public consumer information.

This appears to be little more than a restatement of Section 5(a) of the Federal Trade Commission Act. However, including this in the terms of settlement provides the Federal Trade Commission with more tools for punishment in the event of a violation.

Twitter may be fined $16,000 per violation of the settlement agreement for the life of the agreement.

Twitter must establish a comprehensive information security program. The program is to include detailed risk assessment and safeguards based on that risk assessment.

The safeguards must be regularly tested and re-assessed as its operations and business change.

The security program will be assessed by an independent security auditor every other year for the next 10 years. Those reports must be provided to the FTC.

Twitter also must maintain certain records for the FTC, including any statements it makes regarding security and privacy, customer complaints relating to the FTC complaint and its responses, and any documents that suggest non-compliance with the settlement.

Whether it is the FTC taking action on misleading advertising grounds, the Canadian Privacy Commissioner taking action under PIPEDA, or simply customers becoming upset at security breaches, businesses can’t afford security and privacy breaches.

The lesson is that it’s far better to consider and deal with security and privacy issues on your own at the outset than to have problems and face the wrath of regulators and customers alike.

July 12, 2010

Don’t let privacy get lost in the clouds

David Canton @ 8:28 am

For the London Free Press – July 12, 2010


So-called ‘cloud computing’ can be valuable — but it can also come with risks

Cloud computing – essentially providing computer services over the Internet – is a growing trend.

Ontario’s privacy commissioner recently released a report dealing with privacy issues that arise from the cloud.

There are many definitions and debates over just what cloud computing is, but it entails storing your information and/or running software on computers belonging to others that you access over the Internet.

For example, instead of creating this column using word-processing software installed on a computer in my office and saving it here, it could be created and stored in the cloud from any computer using services such as Google Docs, or Microsoft Office Web apps.

It is a compelling model, as it can provide advantages in cost, simplicity, portability and scalability.

It can, though, pose issues around things like privacy, confidentiality, security, business continuity and disaster recovery. The importance of those issues varies depending on how the particular cloud product works, what it’s used for, and how mission critical it is.

The privacy commissioner’s discussion paper – Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach – discusses relevant privacy issues.

The report discusses a variety of different models included in the term “cloud.”

The report sheds light on which types of risks are associated with different types of “clouds,” some of which are riskier than others from a privacy and security standpoint.

The decision to use cloud computing is one each individual or business must make bearing in mind the type and sensitivity of their information, how valuable that information might be and whether local copies can be saved.

Since the loss or compromise of sensitive data can be incredibly damaging to an organization, careful consideration is required.

It’s important for organizations to take time to review what type of cloud model they intend to use, and whether it’s adequate from various perspectives, including operational, cost, access and privacy.

The type of data stored by an organization may change over time. Organizations evolve and sensitivities change. Re-evaluation of an organization’s cloud model at regular intervals, or when major projects occur, will help ensure data is kept in an appropriate manner.

The bottom line is that it’s important for anyone using cloud-based services to understand how that particular service operates and what promises it makes concerning privacy, security and continuity of data. The importance of those factors will vary depending on the nature of the information involved, and how critical the service is to the user.

If it is not adequate, either negotiate to make it adequate, or go somewhere else.

This report, and a previous white paper entitled Privacy in the Clouds (both available on the web at ipc.on.ca) are helpful for potential users to understand and deal with privacy issues that arise from the cloud.

They are also useful to help anyone providing cloud-based services deal with privacy issues for their services.

Ideally, providers will design their services to be privacy-friendly from the outset – an approach the commissioner calls “privacy by design.”

July 5, 2010

Thomson accused of breaching copyright

David Canton @ 8:21 am

For the London Free Press – July 5, 2010


Canadian lawyers are suing for $50 million, claiming the company is making legal documents available for a fee without the authors’ approval

A class action was filed on May 25 against Thomson Reuters Corp. and Thomson Reuters Canada Ltd. on behalf of a class of Canadian lawyers and law firms across Canada to the tune of $50 million.

The lawsuit alleges that Thomson breaches copyright laws by making lawyer-created legal documents available for a fee and subscription without permission from, or compensation to, the authors of the documents.

How do they do this? It is alleged that Thomson copies publicly available court filings. That includes legal documents such as facta, pleadings, affidavits and notices of motion, prepared by lawyers. It then makes them available for download via its “Litigator” service.

The user subscribes to the service and pays a fee, then is permitted to copy and edit the documents. At no time are the authors of these documents informed that their documents are copied, sold, or reproduced.

Of notable offence to the plaintiffs is the fact that the copies available for download are branded with a statement that asserts Thomson’s copyright over the documents: “© Thomson Reuters Canada Limited or its Licensors. All rights reserved.”

Lawyers are perhaps the original mash-up artists when it comes to legal documents of all kinds. All lawyers copy parts from similar documents other lawyers create and use – whether they are contracts or court documents. It is one way lawyers have always learned and documents have been improved. Lawyers have not for the most part considered copyright issues when it comes to their own documents.

The question is whether the service Thomson provides is different and whether it crosses a copyright line.

The statement of claim issued by the plaintiffs pleads that the lawyers are the owners of copyright in these legal materials and that Thomson has infringed the Copyright Act by its actions.

More specifically, the claim states:

“The defendants took more than 50,000 legal documents created by members of the proposed class, removed them from court files and copied them, scanned them into a downloadable format, posted them in their database, and then made them available to subscribers for a fee.”

Counsel for the plaintiffs are seeking to have the lawsuit certified as a class action.

If the case is certified by the court, all persons who fit the class definition will automatically be included in the class unless they choose to opt out.

Among the many claims made, the plaintiffs have asked for $50 million in general damages for the class, disgorgement of profits made by Thomson from the infringement, $1 million in punitive damages, litigation costs, and a permanent injunction from using the documents.

Thomson of course has a different viewpoint, and will defend the action.

The case will be decided on the subtleties of copyright law. But it boils down to this.

Though the sharing of legal documents has always been an accepted and necessary way of practising law, does doing it in a commercial way such as Thomson does cross a legal line?

June 28, 2010

Changes to privacy laws vague

David Canton @ 1:04 pm

For the London Free Press – June 28, 2010


PERSONAL INFORMATION: The language pertaining to ‘lawful authority’ and breach notification is open to interpretation

Bill C-29 was recently introduced to amend the Personal Information Protection and Electronic Documents Act. The bill is an attempt to address a number of shortcomings in the legislation that governs private-sector privacy in Ontario and other provinces.

Most of the changes are welcome. Two changes are controversial: the definition of “lawful authority” and privacy breach notification.

“Lawful authority” determines when an entity can release information to the police without a warrant.

The act permits disclosure of information to government bodies where it has identified its “lawful authority” to obtain the information. Much debate has arisen as to what constitutes “lawful authority.” As a result, some entities won’t release personal information to police without a warrant.

Bill C-29 has attempted to clarify “lawful authority” as follows:

(a) lawful authority refers to lawful authority other than (i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or (ii) rules of court relating to the production of records; and (b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.

So it tells us what “lawful authority” is not, but not how to know when it exists. It really isn’t very helpful.

The second issue deals with breach notification.

The Personal Information Protection and Electronic Documents Act does not require any notification to either customers or the privacy commissioner if personal information has been lost or stolen. The proposed amendments add requirements to notify the privacy commissioner and/or affected individuals in certain circumstances.

That language has threshold tests that are not as clear as they might be. If this language stays, it may take a privacy commissioner or court decision to clarify.

For example, the privacy commissioner must be notified where a “material” breach has occurred. Since “material” remains a subjective test, it is somewhat at the discretion of the entity to determine whether the breach is “material.”

Individuals must be notified only “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Again, this requirement is somewhat at the discretion of the entity that would have to notify the individual.

Some will argue that the discretionary component of the notification requirements is valuable as it is not mandatory to disclose minor breaches. That may be a good thing, but it will take some time to figure out how to apply the tests in practice. The difficult part is knowing where the threshold actually is.

The wording of the breach notification provisions leaves the possibility that entities may abuse the discretion provided to them and choose not to report breaches that many would argue are major. That’s especially true since there is no fine or penalty for not doing so.

On the other hand, when it comes to privacy, the “headline risk” of not abiding by the legislation, or being perceived to not be doing the right thing, is perhaps as big a motivator as anything.

June 21, 2010

Privacy worries spark backlash – Facebook: Popular site makes personal information more available

David Canton @ 8:04 am

For the London Free Press – June 21, 2010

Many people are not concerned about their privacy on Facebook – but they should be. Facebook’s recent changes are a good lesson in how not to make changes that affect or control privacy.

On April 21, 2010, at a Facebook developers’ conference called “F8”, the company introduced new features that essentially allow Facebook users to share more information about themselves with more people.

This sounds great, but the changes were made in a way that opened up people’s information without asking them first.

In other words, the new privacy defaults were more permissive than the previous defaults, and things that were private suddenly became public. Privacy options were expanded, but many found the options too complex and difficult to understand, thus requiring a lot of time and energy for each user to go in and adjust the settings.

That assumes of course that users first found out about the changes, understood that they needed to alter privacy settings, and took the time to actually do it.

Facebook believes that more users want to share more information about themselves as society becomes more transparent, and the new default settings reflected this. This is different from the more private attitude that Facebook started out with.

Frankly, that’s a decision that users must make for themselves on an individual basis. You and I should get to decide that, not Facebook founder Mark Zuckerberg. Transparency is a good thing when it comes to understanding privacy choices, but transparency about an individual’s information is a decision that each individual must get to make for themselves.

Transparency is a concept that is now in vogue for business and government alike. It is about accountability to their stakeholders. That concept does not, however, translate to us as individuals or our personal information.

It may be that Facebook was trying to be more like Twitter. The difference is that everyone knows that comments one makes on Twitter can be seen by anyone, as Twitter’s fundamental purpose is to share one’s thoughts with the world. That’s not the understanding people have when they sign up for Facebook.

User outrage has led to recent changes. Facebook has created more simplified options on their privacy settings page, including cutting the number of settings from 50 to around 15 and consolidating seven pages of choices into three.

The lessons here for anyone providing services are numerous:

- Don’t make changes that automatically open up user information more than it already is. 

- Make privacy choices as clear and simple as possible.

- Make clear what information will be shared with whom, so users can make informed choices.

- Set defaults conservatively and allow users to open it up – not the other way.

- Think about privacy when doing new things to get it right at the outset. 

And if you are a Facebook user and have not looked at your privacy settings recently, take another look and change them if they are not to your liking.

June 14, 2010

How sale conducted may finger liable party

David Canton @ 7:44 am

For the London Free Press – June 14, 2010


A UK court ruled it would be unfair to enforce a limitation of liability clause where the buyer relied on the company’s advice

Commercial software purchases can be major investments. If problems arise or the buyer ultimately finds the software is not the right solution, either the buyer or seller must bear the cost of the product, lost profits and additional staffing.

Software companies include limitation of liability clauses in their standard terms and conditions, but this has not stopped courts from awarding damages to buyers in some situations.

The recent United Kingdom court decision of Red Sky v. London Kingsway Hall Hotel suggests that how the sale is conducted may determine which party is liable.

The court said it would be unfair to enforce a limitation of liability clause where the buyer relied on the software company’s advice in deciding to purchase the product and the product was inappropriate for the buyer’s intended use.

The software in question was meant to provide reservations and point-of-sale functions for hotels. After installation, the buyer found it did not meet its needs, and replaced it with other software.

The court also said that standard terms including a limitation of liability clause are predicated on the fact that a prospective customer would investigate the software and make up its own mind whether to purchase based on demonstrations and the operating documents.

UK courts have placed a heavy onus on software companies to provide the buyer with all relevant information if they wish to rely on limitation of liability clauses. What is relevant or sufficient will necessarily vary from case to case.

But it is clear – at least in the UK – that software companies are expected to take steps to ensure that the buyer has a fair chance to assess the product before purchase.

In this case, the court said the limitation of liability clause was unfair under the UK’s Unfair Contract Terms Act, as the software was not fit for its purpose. Basically, the software vendor was not transparent enough to give the buyer enough information to make an informed decision on the suitability of the software for its particular needs.

In the end, the court found the vendor liable for 110,000 pounds in damages for software for which it had been paid 50,000 pounds.

Though Canadian courts may not have gone this far based on the same reasoning, Canadian courts have found liability despite limitation clauses where they find them to be unconscionable in the circumstances. Unconscionable means that it has to be more than unfair or unreasonable. Essentially, courts won’t allow vendors or their products to be incompetent, or cavalier in their claims, then hide behind limitation clauses.

Every product vendor, whether it sells software, online services, or other products, clearly wants to market its products in the best possible light. But it is wise to be as transparent as possible about the products, especially when it comes to helping purchasers make buying decisions.
