5 traps for lawmakers

Today’s Slaw post.

I heard Josh Linkner speak yesterday at a TechAlliance event.  He talked about 5 growth traps for business, and as I reflect upon his message, his 5 traps are things that lawmakers fall into constantly.

  1. The over correct.  Going overboard to correct problems.
  2. The money trap. Throwing money at problems rather than creativity.
  3. Religion over science.  Vision is important, but you can’t ignore the data.
  4. Complexity.  Using your own technical language rather than making it simple .
  5. Gorging.  Trying to do too many things and not knowing when to say no.

http://harrisonpensa.com/lawyers/david-canton

Facebook comments by juror causes mistrial

Today’s Slaw post

A Facebook comment by a juror made before a trial has resulted in a mistrial. CBC news reports that on the first day of a Moncton murder trial of Fred Prosser, the victim’s family brought to the judge’s attention the fact that one of the jurors was a member of a Facebook group against the accused, and had posted comments on it. The judge declared a mistrial to avoid the possibility that this juror had already tainted the rest of the jury.

You can hear David Fraser’s comments in this CBC interview. David comments that many people don’t appreciate that the rules of the offline world apply to the online world as well. I couldn’t agree more.

On the one hand, some people totally forget the old rules and do things on social media that they would never do in a letter to the editor. But on the other hand, some people are more comfortable with the risks of things they are familiar with than new things.

This often explains why some people do imprudent things online, and why some organizations try to unduly suppress online activity.

http://harrisonpensa.com/lawyers/david-canton/

Child porn reporting law applies to anyone providing internet access

The Canadian Federal law An Act respecting the mandatory reporting of Internet child pornography by persons who provide an Internet service came into force on Dec 8.  (Even though the regulations under the act won’t be published until next week.)

The Act requires those providing an “Internet Service” to report to either the police, or to Cybertip.ca depending on the circumstances, any child pornography they become aware of on the net, or if anyone is using their service to commit child pornography offences under the Criminal Code. 

They don’t have to look for it, but if they become aware of it, and don’t report it, it is an offense subject to significant fines.

It is noteworthy that the law applies to more than just what we would consider ISP’s.  It applies to anyone “providing Internet access, Internet content hosting or electronic mail” to the public.

So that would include anyone providing open wi-fi to the public, such as a coffee shop or municipality.  If you provide any kind of public access to the internet, you need to understand your obligations under this law.

 

Survey says Three Strikes Law won’t deter piracy

That’s the title of my Slaw post for today.  It reads as follows.

A survey by British ISP BE Broadband shows that if the three strikes proposal in the UK Digital Economy Act becomes law, it won’t significantly deter behaviour. Only 5% of those surveyed said they would reduce or stop using filesharing software. 47% said they would simply take steps to conceal their IP address.

This article at TorrentFreak.com talks about some of the concerns about three strikes laws, such as putting innocent users at risk, and a UN report that says such laws breach human rights.

Three-strikes laws are a controversial proposal to address download infringement concerns of creators and publishers of movies and music.

The concept is that if someone alleges an internet user is downloading copyrighted material, they can advise their ISP. The ISP then tells the customer to cease this illegal activity. If this happens three times, the ISP must turn off the customer’s internet access.

My view, and that of many others, is that such laws are draconian and should not exist. This link is to posts I have written about this topic before including links to others with similar thoughts, including a short video interview with author Cory Doctorow.

 

French broadcasters can’t mention Twitter or Facebook

In what strikes me as a bizarre ruling, the body that regulates radio and television in France has ruled that presenters must say “follow us on social media”, rather than “follow us on Twitter”, or “follow us on Facebook”. 

The reason?  It violates France’s ban on secret advertising.  The regulator’s statement says ”.. the reference to these pages by naming the relevant social networks is an advertising character who contravenes the provisions of Article 9 of Decree of 27 March 1992 prohibiting surreptitious advertising”.

For more detail, see this Out-Law.com article, and this BBC report.

Anti-spam move totes defences: Unfortunately it’s so broadly defined it will affect how many organizations conduct business

For the London Free Press – March 7, 2011

Read this on Canoe

The anti-spam bill — Bill C-28 — was recently passed, and will be in force this year. It gives new tools to fight spam, but unfortunately defines spam so broadly that it will affect how most organizations conduct business.

Businesses can’t just ignore the legislation. Remedies include fines of up to $1 million for individuals, $10 million for others, and private rights of action. Directors and officers can be liable if they authorized or acquiesced in the offence. Employers are liable for the actions of their employees acting within the scope of their authority.

The Act applies to the sending of commercial electronic messages that many of us would not consider spam. An e-mail to just one person you met at an event who you consider a potential customer may be considered spam.

The legislation starts with a broad definition of “commercial electronic message,” and says you cannot send such a message unless it fits within a specific exemption. It will be important to figure out the boundaries of “commercial activity.”

“Electronic message” is broadly defined to include a message sent via e-mail, instant message, phone, or “any similar account.” This encompasses forms of social media, depending on how the message is directed.

In some circumstances you can send the message, but must include accurate information about the sender, and a way to opt out of future messages.

Messages will not be considered spam if the recipient has consented to receiving the message. But it is up to the sender to show the recipient has consented if there is a complaint.

The Act has extensive provisions defining what amounts to explicit or implicit consent. It includes things we might expect, such as on-going business, personal or family relationships. There is also an exemption for “existing non-business relationships” which include donations, volunteer work, or memberships that have occurred within the last two years. Charities will need to review these provisions carefully, as they will affect how they approach prospective patrons, donors and volunteers. Also exempted are messages to those who publish their address or have provided you with their address — so long as the message is relevant. That means since my e-mail address is published on my firm’s website and other places, you may be able to e-mail me with anything relevant to the practice of law — but you won’t be able to e-mail me trying to sell me a trip. If I hand you my business card, the same applies.

So while the intention of the Act is to control what we all understand as spam, it has the potential to affect many things we may not consider spam. Similar to privacy legislation, this Act will no doubt lead to situations where we will consider it spam if we receive it, but not consider the same thing spam if we send it. Until we see drafted regulations, we aren’t sure what a typical organization must do to comply with the legislation. We will need to sort that out over the next few months.

Bill c-52 Investigating and Preventing Criminal Electronic Communications

David Fraser has a post worth reading entitled Investigating and Preventing Criminal Electronic Communications Act bill one step closer to (warrantless) surveillance state.

The bill has been called “lawful access” , or “awful access” depending on your perspective.  It will give more power to government authorities to get information from telecommunications service providers without a warrant.

David uses the example of secret police in Belarus who used this kind of power to identify people at an anti-government demonstration.

As he puts it “If we’re shocked at what repressive regimes are doing to their citizens, we shouldn’t be giving our own governments tools to be repressive.”

Anti-spam Act – bill C-28 – how it might affect you

That’s the title of my Slaw post for today.  It reads as follows:

The anti-spam bill – Bill C-28 – was recently passed, and is expected to be in force sometime later this year.

If you think it won’t affect you because you don’t send mass emails trying to sell random products, and don’t infest other people’s computers with spyware, you would be wrong.

It applies to the sending of commercial electronic messages that many of us would not consider to be spam.  An email to just one person that you consider a potential customer or client who you met at an event may fall into the prohibitions.  And it applies to other forms of electronic communications, such as instant messages, and various kinds of social media.

It can also apply to software updates in certain circumstances.

So while the intention is to control what we all understand as spam and spyware, it has the potential to affect many things that we may not intuitively consider spam or spyware.  Similar to privacy legislation, this Act will no doubt lead to situations where our first reaction is to label it spam or spyware if we receive it, but not consider the same thing spam or spyware if we send it.

There are details that will be covered in yet to be drafted regulations.  Personally, I would like to see some kind of volume threshold where it is deemed not to be spam if it’s a targeted message sent to a small number of individuals.

Until we see the regulations, it is going to be hard to give specific advice to a typical business or organization as to what they must do to comply.  Many things that could potentially affect a typical business fit threshold situations that might result in a different answer depending on the regulations.  The penalties are significant, so it’s not legislation to be taken lightly.  Remedies include fines of up to $1,000,000 for individuals, $10,000,000 for others, and private rights of action.

Some things are “reviewable conduct”, meaning that it is subject to the investigatory and order making powers of the Privacy or Competition Commissioners.

The act is long and complex, and includes amendments to four existing acts – the CRTC Act, Competition Act, PIPEDA, and Telecommunications Act.

Directors and officers can be personally liable if they authorized or acquiesced in the offence.  Employers are vicariously liable for the actions of their employees acting within the scope of their authority.

While we await the regulations, here are some things to ponder for those who don’t consider themselves spammers.

The act starts with a broad definition of “commercial electronic message”, and says that you can’t send them unless it fits within a specific exemption.  One of the keys will be to figure out what the boundaries are of “commercial activity”.

“Electronic message” is broadly defined to include a message to email, instant message, phone, or “any similar account”.  That could include things like a twitter direct message – but I would think not a general tweet to people who choose to follow you.

In some circumstances you can send the message, but must include accurate information about the sender, and a way to opt out of future messages.

It is not spam if the recipient consented to receive the message.  The Act has extensive provisions defining what amounts to explicit or implicit consent.  It includes things we might expect, such as on ongoing business, personal or family relationship – some of which have two year windows.  Also exempted are messages to those who publish their address or have provided you with their address – so long as the message is relevant.  I suspect that means that since my email address is published on our firm web site and other places, you will be able to email me with anything relevant to the practice of law – but you won’t be able to email me trying to sell me a trip.

Or if I hand you my business card, the same applies.

It is up to the sender to show that they have consent if there is a complaint.  So will we need to track that to be safe, i.e. somehow track that you got my address from our web site, or the card I handed you?

Directors and officers personal liability will be tempered if they can show diligence.  Since almost everyone in an organization routinely sends email, tweets, etc., organizations may want to set up policies and training programs to educate employees and reduce potential corporate, director and officer liability.

Exemptions for an “existing non-business relationship” includes donations, volunteer work, or memberships – with a two year window.  Charities will need to review these provisions carefully, as they will affect how they approach prospective donors and volunteers.

One example to think about is a press release.  Those sending a press release will need to think about the purpose of the release, and who is on the email list.  Is it being sent beyond traditional news services?  Does the fact that a recipient has published their email address on their firm’s website mean that they can or cannot get the release depending on the content of the release?  Does the fact, for example, that my email address is listed on my newspaper column mean I can be sent emails that could not be sent if my address was only on our firm web site?  Does it make a difference that I may be listed somewhere on a list of journalists because I write a newspaper column?  Are bloggers considered the same as journalists?  Does it make a difference if my address is disclosed on various social media platforms, such as Facebook, LinkedIn, Twitter, or .tel?  

Am I restricted from sending personalized individual emails to a handful of influential people active on social media who I hope will spread whatever message I want to get out?  Am I going to have to analyse each recipient to see how close or distant a connection they have under the exemptions, or how their email address has been published?

Will the answer be different if I send it to them as direct message on twitter, rather than by email?

How will senders possibly track all this, or find the time to do so?

Those creating and selling software will need to consider how this affects them.  The Act adopts the broad definitions of “computer program” and “computer system” from the criminal code.  It thus applies to any electronic instructions that execute to perform a function, on any device capable of executing them.  That would include phones and tablets.  And since almost everything includes some kind of computing power these days – might some of these provisions affect things such as PVR’s or cars?

The Act has provisions that affect software that collects personal information.  Certain functions will require specific permission, such as anything that changes or interferes with settings, interferes with a user’s control, or causes it to communicate with another computer.  Consider, for example, how that might apply to software that is licensed for a specific term that automatically stops working at the end, or allows the vendor to cripple it for non-payment.

Software vendors may have to amend their EULA’s to comply.  And some circumstances will require specific permission with full disclosure before the change can be made, regardless of the contents of a EULA.  So software vendors will have to think through how their software works, how the Act might come into play, and what permissions are required. 

Another thought for software vendors is whether changing from a traditional installed software model to a hosted SAAS or cloud model will avoid some of these issues.

Stay tuned for more as the regulations are drafted and we come to grips with the ramifications.  There will no doubt be a lot written about this over the next few months, as well as educational opportunities.

From spam to copyright, lots of new laws on the way

For the London Free Press – December 13, 2010

Read this on Canoe

Proposed legislation could have major implications for businesses, consumers

Development and innovation of technology inevitably breeds new laws to regulate that technology. For lawyers practising Information Technology law, there is a considerable amount of potential new law to digest.

For example, Bill C-28, the Fighting Internet and Wireless Spam Act, brings in several anti-spam measures. While this is welcome by most people, the language may take in things we may not consider to be spam and affect how typical businesses communicate. Since the penalties are significant, we need to take a close look at this act before it takes effect to understand what it will mean for a typical business or organization.

Bill C-29 would make several changes to the Personal Information Protection and Electronic Documents Act. Most of these were expected – and welcome – because they address issues arising from the current law.

But there are new parts that could use clarification. Language that tries to clarify what constitutes “lawful authority” to release information to law enforcement when requested doesn’t make clear what proof or threshold of proof is required. It also contains language requiring that the privacy commissioner and affected individuals be notified of breaches in some circumstances. The language has threshold tests, which on the surface are not as clear as they might be. If this language stays, it may take a decision by the privacy commissioner and/or a court to clarify the threshold.

Bill C-32, the Copyright Modernization Act, is the latest of several attempts to amend the Copyright Act. Controversial elements include digital lock provisions that would let publishers trump user rights. Much has been written about this, including a book entitled From Radical Extremism to Balanced Copyright: Canadian Copyright and the Digital Agenda, written by several copyright experts.

Bill C-51, which would amend the Criminal Code, Competition Act and Mutual Legal Assistance in Criminal Matters Act a.k.a. Investigative Powers for the 21st Century Act, is the latest effort to give law enforcement more access to electronic communications.

But what proponents call “lawful access” bills, critics deride as “awful access” bills. They question whether making things easier for law enforcement is worth the significant erosion in privacy and extra costs to Internet service providers.

These bills may have far-reaching practical implications, not only for many businesses and organizations, but also for consumers.

FISA – new anti-spam bill introduced

That’s the title of my Slaw post for today.  It reads as follows.

The Canadian government introduced two important new bills yesterday. Bill C-29 amends PIPEDA – I’ll leave commentary on that to David Fraser.

Bill C-28 is the “Fighting Internet and Wireless Spam Act” or FISA.  It is essentially the same as the “Electronic Commerce Protection Act” that was proposed previously. Here is Industry Canada’s news release, and the bill itself.

It targets the sending of what we would typically call spam, or unwanted commercial email, as well as spyware and phishing.

From the news release:

The proposed FISA is intended to deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help drive spammers out of Canada.

The proposed FISA legislation provides a comprehensive regulatory regime that uses economic disincentives to protect electronic commerce and is modelled on international best practices. To enforce the legislation, the bill would use the expertise, and expand the mandates, of the three enforcement agencies: the Canadian Radio-television and Telecommunications Commission, Competition Bureau Canada and the Office of the Privacy Commissioner of Canada.

Industry Canada will act as a national coordinating body to increase consumer and business awareness and education, to further coordinate work with the private sector and to conduct research and intelligence gathering.

The bill is quite long and detailed. Monetary penalties are significant ($1 million for individuals, $10 million for businesses). A private right of action will allow anyone to take civil action against violators.

The bill essentially defines spam as a commercial message sent via email, IM, phone, or similar method. Sending spam is prohibited unless the recipient has consented, and the message contains certain prescribed information identifying the sender and how to unsubscribe.

That definition is extremely broad, and would capture things no one would consider spam  – so it goes on to describe several exceptions, such as providing requested information, or warranty or product recall information, or where there is a specifically defined “existing business relationship”.

One thing I find interesting is that the volume of the messages does not seem to be important. In other words, 1 email or text message to 1 recipient can be considered spam.

One of the exceptions is a message “that is sent by or on behalf of an individual to another individual with whom they have a personal or family relationship, as defined in the regulations. “

The bill clearly applies to what we all call spam. Hopefully it will be an effective tool to help reduce spam that comes from Canada.

We can’t, though, simply think that the bill only applies to spamers, and that we don’t have to pay attention to it. 

We will have to consider carefully how it applies to what we as lawyers and our clients do that will be caught by this. To some extent, the regulations will be important. For example, will a “personal relationship” include a situation where I meet someone at a social or networking event or meeting who might be a potential client, and then follow up later with an email to that person?

When the bill gets passed (from what I’ve seen there is a good chance it will be), and the regulations get drafted, we will have to take some time to figure out in more detail how this affects things that well intentioned businesses (and lawyers) do that they don’t consider to be spam.