Feed aggregator

Why Watching the Watchers Isn’t Enough: My Talk on Privacy, Snowden & Bill C-51

Michael Geist Law RSS Feed - 2 hours 20 min ago

Last month, I had the honour of speaking at the Pathways to Privacy Symposium, a privacy event sponsored by the Privacy Commissioner of Canada and hosted by the University of Ottawa. The event featured many excellent presentations (the full seven hours can be viewed here). My talk focused on the recent emphasis on the need to improve oversight, a common refrain in reaction to both the Snowden surveillance revelations and Bill C-51, the anti-terrorism bill.  While better oversight is necessary, I argue that it is not sufficient to address the legal shortcomings found in both Canada’s surveillance legislation and Bill C-51. The full talk (which unfortunately has slightly delayed sound) can be viewed here or below.

The post Why Watching the Watchers Isn’t Enough: My Talk on Privacy, Snowden & Bill C-51 appeared first on Michael Geist.

FREAK Attack: The Chickens of ‘90s Crypto Restriction Come Home to Roost

Freedom to Tinker - Tue, 2015/03/03 - 15:06
Today researchers disclosed a new security flaw in TLS/SSL, the protocol used to secure web connections. The flaw is significant in itself, but it is also a good example of what can go wrong when government asks to build weaknesses into security systems. Back in the early 1990s, it was illegal to export most products […]

Don’t Go Changing: The Canadian Broadcaster Fight Against Legal and Regulatory Reform

Michael Geist Law RSS Feed - Tue, 2015/03/03 - 11:43

Throughout the Canadian Radio-television and Telecommunications Commission TalkTV hearing, Canadian broadcasters such as Bell (CTV), Rogers (CITY), and Shaw (Global), tried to assure Canada’s regulator that they were ready to embrace the digital future and prepared for regulatory change. Yet in recent weeks, it has become increasingly apparent that Canadian broadcasters plan to fight change every step of the way.

The effort to keep core business models intact are sometimes obvious. For example, new services such as Shomi and CraveTV are often characterized as Netflix competitors, but given their linkage to a conventional cable or satellite television subscription, are a transparent attempt to persuade consumers to retain existing services and not cut the cord. The viability of those services remains to be seen, but more interesting are the regulatory and legal fights, where Canadian broadcasters are waging an ongoing battle against change.

Bell Media leads the way with the two legal challenges against recent CRTC decisions. Yesterday it asked the Federal Court of Appeal to overrule the CRTC on its decision to ban simultaneous substitution from Super Bowl broadcasts starting in 2017. The Bell motion for leave to appeal strikes me as weak:

  • it argues that the decision is unreasonable based largely on the grounds that it interprets broadcast policy differently than the CRTC
  • claims procedural unfairness on the basis that the CRTC did not give notice on the prospect of targeting simsub for the Super Bowl (it did)
  • says that Bell is being discriminated against by singling out one licensee (the CRTC decision does not do that)
  • suggests that it interferes with Bell’s commercial agreement with the NFL (Bell remains the exclusive Canadian broadcaster).

Bell claims that “the policy reasons for which simultaneous substitution was introduced apply as much, if not more, today than they did in the early 1970s.” I do not think that is correct (my post on why simultaneous substitution is less relevant), but Bell is effectively saying that nothing has changed and that the broadcast rules should not either.

Bell’s other legal challenge – over the application of the Telecommunications Act undue preference rules to its MobileTV service – features the company arguing that it should be entitled to engage in undue preferences for its own services provided that it is a broadcasting service. While there are good arguments that its service is covered by the Telecommunications Act (which prohibits undue preferences), this seems like a position that cannot last long term. Even if Bell wins in court, the Canadian government would surely step in to ensure that undue preference rules apply in these circumstances. For all the talk of change, Bell will spend enormous sums of money to argue that the rules should stay the same and that the largest media organization in the country should be permitted to grant itself undue preferences.

Bell is hardly alone in this regard. Last week’s post on a Rogers executive calling on the Canadian government to block the use of virtual private networks to stop Canadians from accessing U.S. Netflix reflects broadcaster frustration with consumers using technologies to circumvent geographically-based rights restrictions. Given that television licensing has long been based on geographic borders, the gradual elimination of the effectiveness of those limitations leaves broadcasters looking for new rules to stop the use of those technologies in an effort to re-affirm their longstanding business models. Rather than adapt to change, the focus is on government intervention to stop what are viewed as technological threats.

In fact, at the same Content Industry Connect conference, Barbara Williams, Shaw Media’s President, argued that if we really cared about the Canadian broadcast system, Canada would have blocked U.S. signals (tweets reporting on the comment that the “mistake” was not blocking U.S. television signals in the Canadian market here, here, and here). Leaving aside the irony of an executive of a cable company arguing against U.S. television signals in Canada (the cable industry was built on delivering U.S. signals), the comment reflects the lament over the loss of control and the shift in power from broadcaster to consumer.

The CRTC has made it clear that it plans to reform broadcast regulation with policies that place “Canadians at the centre of the communication system.” Broadcasters have claimed to support the shift, but scratch below the surface of the soundbites and you find they want things to stay the same. Consumers have paid the price as broadcasters have benefited from foreign investment restrictions, simultaneous substitution, and a myriad of other rules. Content creators are also invariably prepared to defend the status quo (ACTRA even wrote a letter supporting Super Bowl simsub), since any decline in broadcaster revenues are ultimately viewed as a loss in support for new content creation. The regulator, government, and public are clearly ready for change. For the broadcasters, the playbook for retaining existing rules is seemingly down to lawsuits and government intervention.

The post Don’t Go Changing: The Canadian Broadcaster Fight Against Legal and Regulatory Reform appeared first on Michael Geist.

The MPAA’s Attempt to Revive SOPA Through A State Attorney General

Google Public Policy BLOG - Mon, 2015/03/02 - 14:52
Posted by Kent Walker, SVP and General Counsel
We are deeply concerned about recent reports that the Motion Picture Association of America (MPAA) led a secret, coordinated campaign to revive the failed SOPA legislation through other means, and helped manufacture legal arguments in connection with an investigation by Mississippi State Attorney General Jim Hood.
Almost three years ago, millions of Americans helped stop a piece of congressional legislation—supported by the MPAA—called the Stop Online Piracy Act (SOPA). If passed, SOPA would have led to censorship across the web. No wonder that 115,000 websites—including Google—participated in a protest, and over the course of a single day, Congress received more than 8 million phone calls and 4 million emails, as well as getting 10 million petition signatures.
Here is what recent press reports have revealed over the past few days about the MPAA’s campaign:
The MPAA conspired to achieve SOPA’s goals through non-legislative meansAccording to The Verge, “at the beginning of this year, the MPAA and six studios … joined together to begin a new campaign” to figure how it could secretly revive SOPA. It “joined together to begin a new campaign” to achieve wholesale site-blocking by “[convincing] state prosecutors to take up the fight against [Google].” The movie studios “budgeted $500,000 a year towards providing legal support”—and the MPAA later sought up to $1.175 million for this campaign.
The MPAA pointed its guns at Google With that money, the MPAA then hired its long-time law firm Jenner & Block to go after Google while also funding an astroturf group—the Digital Citizens Alliance—with the same goal of attacking Google. (Source: The New York Times).
The MPAA did the legal legwork for the Mississippi State Attorney GeneralThe MPAA then pitched Mississippi State Attorney General Jim Hood, an admitted SOPA supporter, and Attorney General Hood sent Google a letter making numerous accusations about the company. The letter was signed by General Hood but was actually drafted by an attorney at Jenner & Block—the MPAA’s law firm. As the New York Times has reported, the letter was only minimally edited by the state Attorney General before he signed it. Here is what the document showed about its true origin:We've redacted the name of the attorney to protect her privacy
Even though Google takes industry-leading measures in dealing with problematic content on our services, Attorney General Hood proceeded to send Google a sweeping 79-page subpoena, covering a variety of topics over which he lacks jurisdiction. The Verge reported that the MPAA and its members discussed such subpoenas and certainly knew about this subpoena’s existence before it was even sent to Google.
Attorney General Hood told the Huffington Post earlier this week that the MPAA "has no major influence on my decision-making,” and that he “has never asked [the] MPAA a legal question” and “isn't sure which lawyers they employ.” And yet today the Huffington Post and the Verge revealed that Attorney General Hood had numerous conversations with both MPAA staff and Jenner & Block attorneys about this matter.
While we of course have serious legal concerns about all of this, one disappointing part of this story is what this all means for the MPAA itself, an organization founded in part “to promote and defend the First Amendment and artists' right to free expression.” Why, then, is it trying to secretly censor the Internet?
UPDATE - Friday, December 19: Because Attorney General Hood's 79-page subpoena constitutes an unjustified attack that violates well-established U.S. laws governing Internet platforms and online intermediaries, we are today asking a federal court to set that subpoena aside (our brief is here). We are also asking those with a hand in this campaign to preserve all relevant documents.  We regret having to take this matter to court, and we are doing so only after years of efforts to explain both the merits of our position and the extensive steps we've taken on our platforms.

UPDATE - Monday, March 2: Today, a federal court entered a preliminary injunction against a subpoena issued by the Mississippi Attorney General. We're pleased with the court's ruling, which recognizes that the MPAA’s long-running campaign to censor the web—which started with SOPA—is contrary to federal law. We’ll continue working to protect people using our services: in 2014 alone, we removed more than 500 million bad ads and over 180 million YouTube videos for policy violations.

Secret Memo Reveals RCMP Records on Requests for Subscriber Data “Inaccurate and Incomplete”

Michael Geist Law RSS Feed - Mon, 2015/03/02 - 10:43

Last fall, Daniel Therrien, the government’s newly appointed Privacy Commissioner of Canada, released the annual report on the Privacy Act, the legislation that governs how government collects, uses, and discloses personal information. The lead story from the report was the result of an audit of the Royal Canadian Mounted Police practices regarding warrantless requests for telecom subscriber information.

The audit had been expected to shed new light into RCMP information requests. Auditors were forced to terminate the investigation, however, when they realized that Canada’s national police force simply did not compile the requested information. When asked why the information was not collected, RCMP officials responded that its information management system was never designed to capture access requests.

While that raised serious concerns – the RCMP has since promised to study mechanisms for reporting requests with recommendations expected in April – my weekly technology law column (Toronto Star version, homepage version) reports that documents recently obtained under the Access to Information Act reveal that the publicly released audit results significantly understated the severity of the problem. Indeed, after the draft final report was provided to the RCMP in advance for comment, several of the findings were toned down for the public release.

Behind the scenes, however, documents suggest that Privacy Commissioner of Canada auditors were deeply concerned with what they found. In fact, just two days before the public release of the audit, one of the lead auditors wrote a memorandum to file to ensure that there was a paper trail chronicling what actually took place.

The memorandum specifically references a 2010 RCMP document that purported to list tens of thousands of warrantless subscriber information requests. The document indicated that 94 per cent of requests involving customer name and address information was provided voluntarily without a warrant.

The Privacy Commissioner of Canada auditors apparently expected that document, which was previously released under the Access to Information Act, to serve as the starting point for their review of RCMP practices. The internal memorandum notes that “we expected that these statistics would be accurate, complete, and up-to-date and that they would allow us to review RCMP files related to such warrantless requests.”

Once the auditors began examining the data, however, they found something entirely different. The internal memorandum states that “based on the evidence below we found, on the contrary, that the statistics provided for 2010 (and later for 2011-2013) were inaccurate, incomplete, not current, and they were not useful identifying PROS files for review.”

The internal memorandum continues by citing specific problems with the RCMP evidence, acknowledging that “problems with the reliability of data were also provided by way of interviews with senior officials.” The details of those interviews are redacted, however, the memorandum states that “from these discussions we also found that statistics for warrantless access are inaccurate because of lack of reporting, multiple reporting or overlapping reporting.”

The conclusion leaves little doubt about the problems the auditors encountered. It goes far further than the publicly released report, noting that “based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.”

In short, the Privacy Commissioner of Canada set out to audit the RCMP in the hope of uncovering the details behind requests for subscriber information. What it encountered instead was inaccurate data and an effort to downplay the problems within the public report.

The incident highlights the limits of Canadian oversight over law enforcement and surveillance activities. The use of the privacy commissioner’s audit power is frequently lauded as a mechanism to ensure that government does not run afoul of the law. Yet despite identifying inaccurate and incomplete data on a high profile privacy issue, the public audit report does not use the terms “inaccurate” or “incomplete.”

The shortcomings in both practice and oversight point to the need for a strong legislative and policy response. As a starting point, the RCMP should provide detailed guidance on its policy on customer name and address requests and regularly report on those requests. Moreover, mandatory reporting requirements for telecommunications companies on subscriber disclosures could be added to Bill S-4, the government’s privacy reform package that is currently before the House of Commons.

The post Secret Memo Reveals RCMP Records on Requests for Subscriber Data “Inaccurate and Incomplete” appeared first on Michael Geist.

RCMP Records on Requests for Subscriber Data “Inaccurate and Incomplete”

Michael Geist Law RSS Feed - Mon, 2015/03/02 - 10:40

Appeared in the Toronto Star on February 28, 2015 as RCMP Records Called ‘Incomplete and Inaccurate’ in Memo

Last fall, Daniel Therrien, the government’s newly appointed Privacy Commissioner of Canada, released the annual report on the Privacy Act, the legislation that governs how government collects, uses, and discloses personal information. The lead story from the report was the result of an audit of the Royal Canadian Mounted Police practices regarding warrantless requests for telecom subscriber information.

The audit had been expected to shed new light into RCMP information requests. Auditors were forced to terminate the investigation, however, when they realized that Canada’s national police force simply did not compile the requested information. When asked why the information was not collected, RCMP officials responded that its information management system was never designed to capture access requests.

While that raised serious concerns – the RCMP has since promised to study mechanisms for reporting requests with recommendations expected in April – documents recently obtained under the Access to Information Act reveal that the publicly released audit results significantly understated the severity of the problem. Indeed, after the draft final report was provided to the RCMP in advance for comment, several of the findings were toned down for the public release.

Behind the scenes, however, documents suggest that Privacy Commissioner of Canada auditors were deeply concerned with what they found. In fact, just two days before the public release of the audit, one of the lead auditors wrote a memorandum to file to ensure that there was a paper trail chronicling what actually took place.

The memorandum specifically references a 2010 RCMP document that purported to list tens of thousands of warrantless subscriber information requests. The document indicated that 94 per cent of requests involving customer name and address information was provided voluntarily without a warrant.

The Privacy Commissioner of Canada auditors apparently expected that document, which was previously released under the Access to Information Act, to serve as the starting point for their review of RCMP practices. The internal memorandum notes that “we expected that these statistics would be accurate, complete, and up-to-date and that they would allow us to review RCMP files related to such warrantless requests.”

Once the auditors began examining the data, however, they found something entirely different. The internal memorandum states that “based on the evidence below we found, on the contrary, that the statistics provided for 2010 (and later for 2011-2013) were inaccurate, incomplete, not current, and they were not useful identifying PROS files for review.”

The internal memorandum continues by citing specific problems with the RCMP evidence, acknowledging that “problems with the reliability of data were also provided by way of interviews with senior officials.” The details of those interviews are redacted, however, the memorandum states that “from these discussions we also found that statistics for warrantless access are inaccurate because of lack of reporting, multiple reporting or overlapping reporting.”

The conclusion leaves little doubt about the problems the auditors encountered. It goes far further than the publicly released report, noting that “based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.”

In short, the Privacy Commissioner of Canada set out to audit the RCMP in the hope of uncovering the details behind requests for subscriber information. What it encountered instead was inaccurate data and an effort to downplay the problems within the public report.

The incident highlights the limits of Canadian oversight over law enforcement and surveillance activities. The use of the privacy commissioner’s audit power is frequently lauded as a mechanism to ensure that government does not run afoul of the law. Yet despite identifying inaccurate and incomplete data on a high profile privacy issue, the public audit report does not use the terms “inaccurate” or “incomplete.”

The shortcomings in both practice and oversight point to the need for a strong legislative and policy response. As a starting point, the RCMP should provide detailed guidance on its policy on customer name and address requests and regularly report on those requests. Moreover, mandatory reporting requirements for telecommunications companies on subscriber disclosures could be added to Bill S-4, the government’s privacy reform package that is currently before the House of Commons.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

The post RCMP Records on Requests for Subscriber Data “Inaccurate and Incomplete” appeared first on Michael Geist.

Rogers Executive Calls on Canadian Government to Shut Down VPNs

Michael Geist Law RSS Feed - Fri, 2015/02/27 - 09:24

The Content Industry Connect conference, which was held in Toronto yesterday, featured a panel of leading television executives from Bell, the CBC, Corus, Rogers, and Shaw Media. Several people were live-tweeting the event when a comment from Rogers Senior Vice President David Purdy caught my eye. According to Kelly Lynne Ashton, a media policy expert, Purdy called on the Canadian government to shut down the use of virtual private networks:

@Klashton27 tweet by Kelly Lynne Ashton

A similar tweet was posted by Marcia Douglas, a Bell Fund program manager:

@Marcia_Douglas tweet by Marcia Douglas

Conference organizers posted yet another tweet, this one involving Purdy lamenting the inability to block over-the-top video services:

@CICConnect tweet by Content I Connect

The frustration over the popularity of Netflix (including Canadians accessing U.S. Netflix) is unsurprising. If Rogers is upset over VPN use to access U.S. Netflix, it should take it up with Netflix. Instead, focusing on consumer VPN use by suggesting that the solution lies in blocking legal technologies in order to stop consumer access is a dangerous one. Countries like China have tried to regulate VPNs, while Iran and Oman have tried to ban them. A Canadian attempt to do so would be subject to an immediate legal challenge, particularly since virtual private networks are widely used within the business community and play a crucial role for consumers in preserving user privacy, enabling access to information, and facilitating free speech. There is no indication that the Canadian government has any interest in targeting VPNs, but it comes as a shock to hear a Rogers executive calling for them to be shut down.

The post Rogers Executive Calls on Canadian Government to Shut Down VPNs appeared first on Michael Geist.

A clear line between offense and defense

Freedom to Tinker - Thu, 2015/02/26 - 12:59
The New York Times, in an editorial today entitled “Arms Control for a Cyberage“, writes, The problem is that unlike conventional weapons, with cyberweapons “there’s no clear line between offense and defense,” as President Obama noted this month in an interview with Re/code, a technology news publication. Defense in cyberwarfare consists of pre-emptively locating the […]

We can de-anonymize programmers from coding style. What are the implications?

Freedom to Tinker - Thu, 2015/02/26 - 12:20
In a recent post, I talked about our paper showing how to identify anonymous programmers from their coding styles. We used a combination of lexical features (e.g., variable name choices), layout features (e.g., spacing), and syntactic features (i.e., grammatical structure of source code) to represent programmers’ coding styles. The previous post focused on the overall […]

Be Careful What You Wish For: Bell Launches Legal Challenge Against CRTC Net Neutrality Decision

Michael Geist Law RSS Feed - Wed, 2015/02/25 - 11:28

In December 2010, the U.S. Federal Communications Commission passed the Open Internet Order, which featured relatively weak net neutrality rules. Despite their limited impact (the Order did not go as far as the Canadian Internet traffic management practices which were established a year earlier), Verizon challenged their validity in court. A U.S. appeals court sided with Verizon in 2014, ruling that the FCC did not have the authority to issue the order. The Verizon win proved to be short-lived, however, since later this week, the FCC will pass new net neutrality rules that go much further than the 2010 order. As Ars Technica recently noted, the Verizon net neutrality gamble backfired.

The Verizon blunder came to mind this past weekend as word began to circulate that Bell is seeking leave from the courts to challenge the CRTC’s recent net neutrality ruling involving its mobile television service. The company argues that the CRTC does not have the jurisdiction to issue its ruling under the Telecommunications Act (which forbids undue preferences) since the service should be governed by the Broadcasting Act (which does not have an undue preference provision). From Bell’s perspective, the court challenge presumably seems like a no-brainer: if it wins, the ruling is struck down. If it loses, it still delays the implementation of the CRTC decision for months or even years, thereby maintaining its existing practice for the time being.

Yet this case might prove to be another illustration of the maxim, “be careful what you wish for, you just might get it.” First, the case is no slam dunk for Bell. I asked Len St. Aubin, the former Director General of Telecommunications Policy at Industry Canada and currently an independent consultant to comment on the case.  He offered the following analysis:

“The CRTC got it right: there is no confusion in the Mobile TV Decision. At its core, the issue before the CRTC was whether a wireless telecommunications common carrier can escape its common carriage obligations under the Telecommunications Act in the treatment of its jointly-owned content service (mobile-TV) simply by labelling that service “broadcasting”. The CRTC found that mobile TV is “broadcasting” but that it is being delivered by the carrier on the same network capacity used to deliver other telecoms traffic. In that configuration, the CRTC rightly concluded that the carrier cannot confer an undue preference on itself, i.e.: on its own content service — “broadcasting” or otherwise.

In context, whether or not mobile TV is “broadcasting” is mostly a side-show. Since 1991, the Broadcasting Act and regulation do not require that broadcasters own or operate transmission facilities; so an argument based on a link between a broadcaster and transmission facilities has no basis in the Act. Broadcasters can, and do, lease capacity from carriers to reach the public. Section 28 of the T Act follows through on Parliament’s intent in the B Act: It explicitly recognizes this flexibility by giving the CRTC (not carriers or broadcasters) specific authority to take into account broadcasting objectives in considering whether a preference or disadvantage is undue where broadcasting is delivered directly to the public on common carrier facilities. The Commission considered S. 28 and concluded that, broadcasting or otherwise, self-dealing is self-dealing.

In some instances, where the same network infrastructure is used by an entity that is both a carrier and a broadcaster, capacity is dedicated — physically and/or virtually — to either service. For example: phone and Internet offered by cable-TV operators; and IPTV offered by telephone companies. Such arrangements have normally been subject to CRTC approval, given the potential to: a) negatively impact broadcasting in a cable-TV system; or, b) negatively impact telecommunications on a carrier’s network. This analogy was raised in the proceeding. But in the mobile TV case, there was no dedicated capacity — let alone any approved by the CRTC. Rather, mobile TV was being delivered via the public telecoms network alongside all other traffic, and hence subject to the same common carriage expectations.

Any other outcome would give vertically-integrated “converged” companies tremendous opportunity for self-dealing anti-competitive behaviour.

As for network capacity…. if mobile carriers really have enough to offer their own bandwidth-intensive multi-channel mobile-TV services under such favourable usage allowances, maybe the CRTC should take a close look at their much-more-constrained generally applicable usage caps.  Are they legitimate economic Internet Traffic Management Practices grounded in real network capacity constraints, or just revenue-maximizing pricing strategies?

Second, even if Bell is right and it wins in court, much like Verizon, it may still lose. Support for net neutrality remains strong in Canada and the government has left little doubt that it is prepared to oppose telecom companies in the name of broader consumer and pro-innovation interests. A win for Bell would immediately lead to vocal calls for tougher net neutrality rules along with increased regulation of vertically integrated companies and undue preference rules for broadcasting. In fact, the lawsuit alone may foster momentum for expanded rules to safeguard an open Internet in Canada (along with rules to prevent the chilling effect of joining students and single mothers in the appellate process with threats of legal costs). The CRTC decision is consistent with rulings in several other countries. Competitors such as Rogers abandoned the Bell approach in the light of the law. Bell is certainly within its legal right to appeal, but like Verizon it may also find that the gamble ultimately backfires.

The post Be Careful What You Wish For: Bell Launches Legal Challenge Against CRTC Net Neutrality Decision appeared first on Michael Geist.

Why the Demise of the Sun News Network May Be a Preview of Things to Come

Michael Geist Law RSS Feed - Tue, 2015/02/24 - 10:19

The abrupt end of the Sun News Network – its owners pulled the plug on the all-news channel without warning earlier this month – sparked considerable commentary with many lamenting the lost jobs, others examining the quality of the content, and some celebrating the end of a service that was controversial from the moment it launched. Largely left unsaid, however, is that its demise signals the beginning of a new era in Canadian broadcasting in which services are allowed to fail rather than being propped up through regulatory or government support.

My weekly technology law column (Toronto Star version, homepage version) notes the Canadian broadcasting system has long been shielded from market forces through a broad array of regulations that offer both financial compensation and marketplace protection. Those rules have been a boon to broadcasters, who have seen some services succeed with limited viewers and original content.

Mandatory carriage is the best-known support mechanism. The regulatory equivalent of a winning lottery ticket, inclusion on the list of “must carry” services guarantees subscription payments from all cable and satellite subscribers. The Sun News Network applied for mandatory carriage, but the Canadian Radio-television and Telecommunications Commission rejected its request along with virtually all other applications for the privileged status.

While must-carry status has long been the most direct path toward broadcast revenues, the government and the CRTC wield a much larger regulatory toolbox. Conventional broadcasters benefit from simultaneous substitution, a regulatory policy which allows them to substitute U.S. signals with the Canadian version – including ads – when the same program airs at the same time in both countries. The CRTC recently announced plans to ban simsub from the Super Bowl, but decided to retain it for other broadcasts after concluding that it generates $250 million in revenue per year for the Canadian system.

Until recently those same broadcasters also benefited from the Local Programming Improvement Fund, which the CRTC created in 2008 to assist local broadcasters. The LPIF resulted in a 1.5 per cent surcharge on consumer cable and satellite bills, paying out $300 million to broadcasters over its three years of existence (the CRTC announced plans to terminate the program in 2012).

Without regulations to stop the practice, broadcast distributors bundle services together, forcing consumers to buy packages of channels featuring ones they do not want along with ones they do. Some channels included in popular packages generate subscription revenue despite having low ratings and limited interest from viewers.

Direct payments and bundled services may be the most obvious methods of support, but broadcasters have also benefited from a protected marketplace. For example, foreign investment restrictions in the broadcast sector have shielded Canadian companies from foreign competition. This system initially kept U.S. giants such as ESPN, HBO, and MTV out of the market, thereby fostering the development of alternative Canadian sports, movie, and music specialty services.

The Sun News Network understandably hoped to cash in on this system, but its launch coincided with the gradual unraveling of Canadian broadcast regulation. The LPIF is gone, new mandatory carriage channels are non-starters, the value of simultaneous substitution is eroding, and the CRTC will soon require cable and satellite companies to offer all channels on a pick-and-pay basis.

The emerging environment places more control in the hands of consumers, who can pick from conventional broadcasters, specialty services, and unregulated Internet-based streaming services such as Netflix. The combination of increased choice and lost regulatory support will invariably mean that more services will fail in the months ahead.

As with the loss of the Sun News Network, some viewers will be left disappointed. The all-news channel may have been among the first to feel the effects of a marketplace that directly links the viability of broadcast services with actual consumer demand, but it surely will not be the last.

The post Why the Demise of the Sun News Network May Be a Preview of Things to Come appeared first on Michael Geist.

Why the Demise of Sun News Network May Be a Preview of Things to Come

Michael Geist Law RSS Feed - Tue, 2015/02/24 - 10:17

Appeared in the Toronto Star on February 21, 2015 as Why the Demise of Sun News Network May Be a Preview of Things to Come

The abrupt end of the Sun News Network – its owners pulled the plug on the all-news channel without warning earlier this month – sparked considerable commentary with many lamenting the lost jobs, others examining the quality of the content, and some celebrating the end of a service that was controversial from the moment it launched. Largely left unsaid, however, is that its demise signals the beginning of a new era in Canadian broadcasting in which services are allowed to fail rather than being propped up through regulatory or government support.

The Canadian broadcasting system has long been shielded from market forces through a broad array of regulations that offer both financial compensation and marketplace protection. Those rules have been a boon to broadcasters, who have seen some services succeed with limited viewers and original content.

Mandatory carriage is the best-known support mechanism. The regulatory equivalent of a winning lottery ticket, inclusion on the list of “must carry” services guarantees subscription payments from all cable and satellite subscribers. The Sun News Network applied for mandatory carriage, but the Canadian Radio-television and Telecommunications Commission rejected its request along with virtually all other applications for the privileged status.

While must-carry status has long been the most direct path toward broadcast revenues, the government and the CRTC wield a much larger regulatory toolbox. Conventional broadcasters benefit from simultaneous substitution, a regulatory policy which allows them to substitute U.S. signals with the Canadian version – including ads – when the same program airs at the same time in both countries. The CRTC recently announced plans to ban simsub from the Super Bowl, but decided to retain it for other broadcasts after concluding that it generates $250 million in revenue per year for the Canadian system.

Until recently those same broadcasters also benefited from the Local Programming Improvement Fund, which the CRTC created in 2008 to assist local broadcasters. The LPIF resulted in a 1.5 per cent surcharge on consumer cable and satellite bills, paying out $300 million to broadcasters over its three years of existence (the CRTC announced plans to terminate the program in 2012).

Without regulations to stop the practice, broadcast distributors bundle services together, forcing consumers to buy packages of channels featuring ones they do not want along with ones they do. Some channels included in popular packages generate subscription revenue despite having low ratings and limited interest from viewers.

Direct payments and bundled services may be the most obvious methods of support, but broadcasters have also benefited from a protected marketplace. For example, foreign investment restrictions in the broadcast sector have shielded Canadian companies from foreign competition. This system initially kept U.S. giants such as ESPN, HBO, and MTV out of the market, thereby fostering the development of alternative Canadian sports, movie, and music specialty services.

The Sun News Network understandably hoped to cash in on this system, but its launch coincided with the gradual unraveling of Canadian broadcast regulation. The LPIF is gone, new mandatory carriage channels are non-starters, the value of simultaneous substitution is eroding, and the CRTC will soon require cable and satellite companies to offer all channels on a pick-and-pay basis.

The emerging environment places more control in the hands of consumers, who can pick from conventional broadcasters, specialty services, and unregulated Internet-based streaming services such as Netflix. The combination of increased choice and lost regulatory support will invariably mean that more services will fail in the months ahead.

As with the loss of the Sun News Network, some viewers will be left disappointed. The all-news channel may have been among the first to feel the effects of a marketplace that directly links the viability of broadcast services with actual consumer demand, but it surely will not be the last.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

The post Why the Demise of Sun News Network May Be a Preview of Things to Come appeared first on Michael Geist.

Citizen Four and the Canadian Surveillance Story

Michael Geist Law RSS Feed - Mon, 2015/02/23 - 11:54

Citizen Four, Laura Poitras’ enormously important behind-the-scenes documentary film on Edward Snowden, won the Academy Award last night for best documentary. The film is truly a must-see for anyone concerned with privacy and surveillance. It not only provides a compelling reminder of the massive scale and scope of surveillance today, but it also exposes us to the human side of Snowden’s decision to leave his life behind in order to tell the world about secret surveillance activity.

Canada is not mentioned in the film, but that is not because we have been immune to similar surveillance activity. In the months since the Snowden revelations began, there have been many Canadian-related stories including reports on G8/G20 spying, industrial spying in Brazil, the “airport wifi” surveillance program, and the massive Internet download surveillance program.

Moreover, Canada helps tap into undersea Internet cables and it actively works with the NSA and other signals intelligence agencies as part of the “five eyes” group. With limited Internet exchange points, a significant portion of our domestic Internet traffic enters the United States and is therefore subject to U.S. surveillance. Virtually everyone uses U.S. based Internet services such as Google and Facebook and the metadata programs in the U.S. would appear to exist here too.

Yet despite the steady stream of revelations, the government dismisses the importance of metadata and characterizes oversight as “red tape”. Bill C-51, the anti-terrorism bill, would make matters far worse given the massive expansion of government sharing of information. The inclusion of CSE, Canada’s NSA counterpart, suggests that CSE information could be readily shared across government departments despite repeated claims that its work does not target Canadians. As I noted last week, the bill also permits additional use and disclosure of information “in accordance with the law…to any person, for any purpose.” Section 6 states:

For greater certainty, nothing in this Act prevents a head, or their delegate, who receives information under subsection 5(1) from, in accordance with the law, using that information, or further disclosing it to any person, for any purpose.

Disclosure to any person for any purpose. The Snowden story is our story.

The post Citizen Four and the Canadian Surveillance Story appeared first on Michael Geist.

Lenovo Pays For Careless Product Decisions

Freedom to Tinker - Mon, 2015/02/23 - 08:00
The discovery last week that Lenovo laptops had been shipping with preinstalled adware that left users wide open to security exploitation triggered a lot of righteous anger in the tech community. David Auerbach at Slate wrote that Lenovo had “betrayed its customers and sold out their security”. Whenever a big company does something so monumentally […]

Feb 23-27, celebrating fair dealing

Fair Duty by Meera Nair - Fri, 2015/02/20 - 01:23

February 23-27 marks Fair Use Week in the United States, and thus by association, Fair Dealing Week for other jurisdictions. The Association of Research Libraries (ARL) is promoting a community celebration of these limits upon copyright that enable the system of copyright to live up to its mandate to promote creativity, advance knowledge and bolster innovation, and reap just rewards not only for the creators involved but for the creators yet to come as well. ARL pays particular attention to Canada: “… in Canada, fair dealing is a critical right of the user intended to facilitate balance in copyright law and accommodate freedom of expression.”

Readers may remember that user rights gained prominence in Canada in 2004, via CCH Canadian. Writing for the Supreme Court of Canada, in a decision supported with unanimity, Chief Justice Beverley McLachlin states:

The fair dealing exception, like other exceptions in the Copyright Act, is a user’s right. In order to maintain the proper balance between the rights of a copyright owner and users’ interests, it must not be interpreted restrictively (para.48).

The Supreme Court has consistently reminded Canadians that copyright is a set of limited rights, and that those limits are critical to the proper functioning of the system as a whole. Yet, even after 11 years of well-articulated, thoughtful reminders, it remains that copyright is often perceived as a measure of absolute control. Such perception is cultivated perhaps unintentionally by people/organizations who have a genuine desire to behave in a law-abiding manner and thus restrict behaviour that need not be restricted. With time, we may hope that such misunderstanding will subside. More potent and damaging is the conduct of members within the publishing community who actively promote misinformation.

For instance, consider the following notice that graces the frontmatter of far too many books:

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher.

If one unpacks this passage, the first sentence is correct. All the rights offered within copyright law have been reserved to the benefit of the copyright holder. At this juncture though, one should remember that extensive as those rights are, copyright holders are not permitted the right to refuse exceptions defined within the same law.  Copyright holders cannot pick the parts of the Copyright Act they wish to accept, and the parts which are to be dispensed with. But the sentence that follows in the passage tries to do exactly that; it categorically denies unauthorized use, despite the fact that fair dealing, fair use, and a host of other exceptions, can allow reproduction and transmission, by whatever means, without the consent of the publisher.

 

Update – February 28, 2015

Fair Dealing / Fair Use week sparked an outpouring of dialogue about our exceptions for unauthorized use. My favorite was Jonathan Band’s description of the many sightings of fair use in the daily life of a legislative assistant.

And, it was with great pleasure that I contributed the following posts to Harvard Library and the Office for Scholarly Communication, and University of Toronto Scholarly Communications and Copyright Office. My thanks to Kyle Courtney and Daniela Cancilla for the invitations to participate with their respective universities.

North of 49, posted February 24, 2015: “The proximity of the United States to Canada occasionally leads to some confusion north of the 49th parallel; in common parlance, fair use eclipses fair dealing. I cannot resist reminding others: we are Canadian; our exception is fair dealing. Yet it is only appropriate to also say that Canada has benefited greatly by American fair use. From our vantage point, we were able to appreciate the opportunity provided by flexibility in the language of exceptions, suffer the worst of fair use’s growing pains by proxy, and step ahead of such pain in our own development of exceptions.” To read more, see link or pdf.

Fair Dealing: Protector of the Public Domain, posted February 27, 2015“This past week marked Fair Dealing / Fair Use Week 2015. It was pleasing to see many Canadians within the educational community taking interest in our system of copyright. But, I confess to some disappointment that this interest should have blossomed only belatedly – after 2012. True, in that year the Copyright Act was revised with increased scope given to exceptional uses of copyrighted material. Also true, in 2012 the Supreme Court handed down two more decisions emphasizing the merits of fair dealing. But we cannot lose sight of the fact those decisions were based upon our previous Act which did not include any provision for “education.”  or can we forget our Court began speaking to the importance of fair dealing a full decade earlier, emphasizing that fair dealing is our mode of entry into the public domain.” To read more, see link or pdf.


“Total Information Awareness”: The Disastrous Privacy Consequences of Bill C-51

Michael Geist Law RSS Feed - Thu, 2015/02/19 - 11:24

The House of Commons debate over Bill C-51, the anti-terrorism bill, began yesterday with strong opposition from the NDP, disappointing support from the Liberals, and an effort to politicize seemingly any criticism or analysis from the Conservative government. With the government already serving notice that it will limit debate, the hopes for a non-partisan, in-depth analysis of the anti-terrorism legislation may have already been dashed. This is an incredibly troubling development since the proposed legislation has all the hallmarks of being pulled together quickly with limited analysis. Yet both the Conservatives and Liberals seem content to stick to breezy talking points rather than genuinely work toward a bill that provides Canadians with better safeguards against security threats while also preserving privacy and instituting effective oversight.

The only detailed review to date has come from Professors Kent Roach and Craig Forcese. Their ongoing work – three lengthy background papers so far (Advocating or Promoting Terrorism, new CSIS powers, expanded information sharing) – provides by far the most exhaustive analysis of the bill and is a must-read for anyone concerned with the issue. Indeed, once you have read their work, it becomes readily apparent that all should be concerned with this legislation. Much of the focus to date has been on the lack of oversight and the expansive new powers granted to CSIS. However, the privacy implications of Bill C-51′s information sharing provisions also cry out for study and reform.

At first glance, expanding information sharing within government seems like a good idea since the consequences of failing to head-off a terrorist attack because one government institution was unaware of what another knew could be devastating. Given the lack of Liberal study (it is simply not possible that the party fully assessed the legislation before pledging its support), it perhaps unsurprising that leader Justin Trudeau identifies expanded information sharing as one of the positive aspects of the bill.

However, Bill C-51′s Security of Canada Information Sharing Act, a bill within the bill, goes far further than sharing information related to terrorist activity. As Roach and Forcese persuasively argue, the bill effectively creates a “total information awareness” approach that represents a radical shift away from our traditional understanding of public sector privacy protection.

Daniel Therrien, the Privacy Commissioner of Canada appointed by this government less than a year ago, was the first to focus on the privacy implications of Bill C-51. Within hours of release of the bill, Therrien warned:

At this early stage, I can say that I am concerned with the breadth of the new authorities to be conferred by the proposed new Security of Canada Information Sharing Act.  This Act would seemingly allow departments and agencies to share the personal information of all individuals, including ordinary Canadians who may not be suspected of terrorist activities, for the purpose of detecting and identifying new security threats.  It is not clear that this would be a proportional measure that respects the privacy rights of Canadians. In the public discussion on Bill C-51, it will be important to be clear about whose information would be shared with national security agencies, for which specific purpose and under what conditions, including any applicable safeguards.

Roach and Forcese dig further into this issue, concluding that the information sharing provisions are excessive and unbalanced. There is much to digest, but the privacy concerns largely come down to three linked issues:

  • First, the bill permits information sharing across government for an incredibly wide range of purposes, most of which have nothing to do with terrorism (“It is, quite simply, the broadest concept of security that we have ever seen codified into law in Canada.”).
  • Second, the scope of sharing is remarkably broad: 17 government institutions with the prospect of cabinet expansion as well as further disclosure “to any person, for any purpose.”
  • Third, the oversight over public sector privacy has long been viewed as inadequate. In fact, calls for Privacy Act reform date back over three decades. The notion that the law is equipped to deal with this massive expansion in sharing personal information is simply not credible.

A more detailed look at each issue follows below. The cumulative effect is to grant government near-total power to share information for purposes that extend far beyond terrorism with few safeguards or privacy protections.

1.    Information sharing purposes

The bill opens the door to information sharing due to “activity that undermines the security of Canada.” Rather than using the CSIS Act definition, however, it creates a new expansive definition that covers:

any activity, including any of the following activities, if it undermines the sovereignty, security or territorial integrity of Canada or the lives or the security of the people of Canada: (a) interference with the capability of the Government of Canada in relation to intelligence, defence, border operations, public safety, the administration of justice, diplomatic or consular relations, or the economic or financial stability of Canada;
(
b) changing or unduly influencing a government in Canada by force or unlawful means;
(
c) espionage, sabotage or covert foreign-influenced activities;
(
d) terrorism;
(
e) proliferation of nuclear, chemical, radiological or biological weapons;
(
f) interference with critical infrastructure;
(
g) interference with the global information infrastructure, as defined in section 273.61 of the National Defence Act; [that provision reads: ““global information infrastructure” includes electromagnetic emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, systems or networks.”]
(
h) an activity that causes serious harm to a person or their property because of that person’s association with Canada; and
(
i) an activity that takes place in Canada and undermines the security of another state. For greater certainty, it does not include lawful advocacy, protest, dissent and artistic expression.

Terrorism is included within the definition, but several of these provisions would seemingly allow for information sharing for almost any investigative purpose, particularly “public safety” and the “economic or financial stability of Canada” (think of the government’s recent reaction to the proposed CP strike, which was said to have major implications for the protection of the Canadian economy).

2.    Scope of Sharing

The government not only opens the door to sharing information for a myriad of non-terrorism purposes, but it also permits access for a broad array of government institutions and departments. The bill currently identifies the following 17 institutions and departments:

  • Canadian Border Services Agency
  • Canada Revenue Agency
  • Canadian Armed Forces
  • Canadian Food Inspection Agency
  • Canadian Nuclear Safety Commission
  • CSIS
  • CSE
  • Citizen and Immigration
  • Finance
  • Foreign Affairs, Trade, and Development
  • Health
  • National Defence
  • Public Safety
  • Transport
  • FINTRAC
  • Public Health Agency
  • RCMP

That list can grow, however, with cabinet empowered to add institutions and departments by regulation. Moreover, the inclusion of CSE, which has been the focal point of the Internet surveillance debate due to the Snowden revelations, suggests that CSE information could be readily shared across government departments despite repeated claims that its work does not target Canadians.

In addition to this form of information sharing, the bill also permits additional use and disclosure of information “in accordance with the law…to any person, for any purpose.” Section 6 states:

For greater certainty, nothing in this Act prevents a head, or their delegate, who receives information under subsection 5(1) from, in accordance with the law, using that information, or further disclosing it to any person, for any purpose.

Roach and Forcese note that “in accordance with the law” is unclear, leaving the prospect of literally permitting disclosure to anyone for any reason.

3.    Woeful Oversight

Since the enactment of the Privacy Act in 1983, every federal privacy commissioner has urged the government of the day to strengthen it. Those calls have grown louder over the past decade as PIPEDA places tougher obligations on the private sector than the government places on itself. The law as it currently stands has weak annual reporting requirements from government agencies, does not provide much protection to Canadians from abusive treatment by foreign states, does not give the Privacy Commissioner order-making power, does not provide redress in cases involving harm, does not prevent over-collection of personal information, does not protect against surveillance where the data is not recorded, and does not feature security breach disclosure requirements. The expansion on information sharing without addressing the oversight and safeguards of the Privacy Act should simply be a non-starter.

The post “Total Information Awareness”: The Disastrous Privacy Consequences of Bill C-51 appeared first on Michael Geist.

Re: A costly lesson for the Post about the value of facts

Russell McOrmond on Disqus - Thu, 2015/02/19 - 11:15

You didn't have to be a "leftist" to be embarrassed by Sun News Network or Ezra Levant, just Canadian. I'm someone who would vote progressive conservative, if only the progressive arm of the Canadian conservative moment had a party again. The social conservatives in the Harper Conservative party, and the even more socially conservative types at SNN only represent an insignificant minority in the largely socially liberal (but ranging from conservative to liberal on other areas of policy) Canadian people.

I've largely given up on trying to make use of the mainstream media to get "news". Don't watch commercial television news (which includes the CBC), and even find I want to shout at most of what I hear on the radio. There is just too much of a biased agenda with the "journalists" that work for these outfits, which I bumped into often when working on technology law like copyright where the journalist union bosses were pushing their narrow ideology through most media.

A Small Rule Change That Could Give the U.S. Government Sweeping New Warrant Power

Google Public Policy BLOG - Wed, 2015/02/18 - 13:45
Posted by Richard Salgado, Legal Director, Law Enforcement and Information Security
At the request of the Department of Justice, a little-known body -- the Advisory Committee on the Rules of Criminal Procedure -- is proposing a significant change to procedural rules that could have profound implications for the privacy rights and security interests of everyone who uses the Internet.  Last week, Google filed comments opposing this change.
It starts with the Federal Rule of Criminal Procedure 41, an arcane but important procedural rule on the issuance of search warrants.  Today, Rule 41 prohibits a federal judge from issuing a search warrant outside of the judge’s district, with some exceptions.  The Advisory Committee’s proposed change would significantly expand those exceptions in cases involving computers and networks.  The proposed change would allow the U.S. government to obtain a warrant to conduct “remote access” searches of electronic storage media if the physical location of the media is “concealed through technological means,” or to facilitate botnet investigations in certain circumstances.  
The implications of this expansion of warrant power are significant, and are better addressed by Congress.  
First, in setting aside the traditional limits under Rule 41, the proposed amendment would likely end up being used by U.S. authorities to directly search computers and devices around the world.  Even if the intent of the proposed change is to permit U.S. authorities to obtain a warrant to directly access and retrieve data only from computers and devices within the U.S., there is nothing in the proposed change to Rule 41 that would prevent access to computers and devices worldwide.
The U.S. has many diplomatic arrangements in place with other countries to cooperate in investigations that cross national borders, including Mutual Legal Assistance Treaties (MLATs).  Google supports ongoing efforts to improve cooperation among governments, and we are concerned that the proposed change to Rule 41 could undermine those efforts.  The significant foreign relations issues associated with the proposed change to Rule 41 should be addressed by Congress and the President, not the Advisory Committee.
Second, the proposed change threatens to undermine the privacy rights and computer security of Internet users.  For example, the change would excuse territorial limits on the use of warrants to conduct “remote access” searches where the physical location of the media is “concealed through technological means.”  The proposed change does not define what a “remote search” is or under what circumstances and conditions a remote search can be undertaken; it merely assumes such searches, whatever they may be, are constitutional and otherwise legal.  It carries with it the specter of government hacking without any Congressional debate or democratic policymaking process.  
Likewise, the change seemingly means that the limit on warrants is excused in any instance where a Virtual Private Network (VPN) is set up.  Banks, online retailers, communications providers and other businesses around the world commonly use VPNs to help keep their networks and users’ information secure.  A VPN can obscure the actual location of a network, however, and thus could be subject to a remote search warrant where it would not have been otherwise.     The Advisory Committee is entertaining a dramatic change to electronic surveillance rules.  Congress is the proper body to determine whether such changes are warranted, and we urge the Committee to respect Congress’ traditional role in prescribing the substantive rules governing electronic surveillance.

Canadian Chamber of Commerce, Canadian Marketing Association Take Aim At Digital Privacy Act’s Consent Provision

Michael Geist Law RSS Feed - Wed, 2015/02/18 - 11:13

The Standing Committee on Industry, Science and Technology continues its hearing on the Digital Privacy Act (Bill S-4) yesterday, with appearances from Privacy Commissioner of Canada Daniel Therrien, the Canadian Chamber of Commerce, and the Canadian Marketing Association. Therrien expressed general support for the bill, but concern with the expanded voluntary disclosure provision.

The Canadian Chamber of Commerce and the Canadian Marketing Association seemed to take the committee by surprise by criticizing a provision in the bill that clarifies what constitutes meaningful consent. The proposed provision states:

6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

That provision should be uncontroversial given that it only describes what most would take to mean consent, namely that the person to whom the activities are directed would understand the consequences of consent. Indeed, Therrien expressed support for the change, noting:

As for the proposed provision that aims to enhance the concept of valid consent, I believe this is a useful clarification of what constitutes meaningful consent under PIPEDA.  It underscores the need for organizations to clearly specify what personal information they are collecting and why in a manner that is suited to the target audience.

Yet immediately after Therrien wrapped up, both the Canadian Chamber of Commerce and the CMA criticized the change. The Chamber described it as “unnecessary” and urged deletion. The CMA also called for it to be deleted:

I think the concern here is that the clause, as written, could lead to a broad interpretation with additional obligations. We’ve heard that the concern is about children and vulnerable groups. However, that’s not what the bill says, it’s much broader than that, and we would like some clarification of that bill. Actually, our recommendation would be to drop this clause or, as a fallback, to amend it to clarify that it is intended to apply only to vulnerable groups.

This led to an interesting exchange with Conservative MP Mike Lake, who noted:

I don’t really understand the hesitation from both of you regarding that kind of language. I think most Canadians would expect that a user taking a look at a website or signing up for an organization’s activities would be able to understand what that information is going to be used for.

The CMA responded:

I think the industry accepts, particularly when you’re dealing with children and youth, that you need to have privacy policies worded in such a way that they would be reasonable understandable by that audience. But how far does it go? If I have a multitude of sites, and for operational reasons I’d obviously like to have a single privacy policy for each one, how granular do I have to be? If one of my sites is directed at hockey fans, do I have to do survey research to tailor that to hockey fans because they might have a different way of understanding the way things are presented. Or if I’m a game manufacturer and I have a role playing game and I have something like Candy Crush and then I have a word game, do I have to have something different for each of those? I think this is what we’re concerned about.

Lake wasn’t buying the concern, noting that you do have to have something different for those different audiences, adding:

How far do you have to go? You have to go to the point where the person would understand the nature, purpose and consequences of the collection, use, or disclosure of the personal information. That seems pretty clear.

The strong response from Lake – who also swiftly rejected the Chamber’s comment that the provision does not define “vulnerable” groups – suggests that removing the clarification of consent is not in the cards.  However, when combined with the other recommendations (including higher thresholds on some of the data breach disclosure rules), it appears that business groups plan to fight provisions in Bill S-4 that would improve privacy protections.

The post Canadian Chamber of Commerce, Canadian Marketing Association Take Aim At Digital Privacy Act’s Consent Provision appeared first on Michael Geist.

Why Bell’s Targeted Ad Approach Falls Short on Privacy

Michael Geist Law RSS Feed - Tue, 2015/02/17 - 11:08

In October 2013, Bell announced the launch of a targeted advertising program that uses its customers’ personal information to deliver more “relevant advertising.” The announcement sparked hundreds of complaints with the Privacy Commissioner of Canada and a filing by the Public Interest Advocacy Centre over the same issue with the Canadian Radio-television and Telecommunications Commission.

My weekly technology law column (Toronto Star version, homepage version) notes that nearly a year and a half later, the complaints and filings remain unresolved. The CRTC case has succeeded in placing considerably more information on the public record, however, offering a better perspective on what Bell is doing and why its privacy approach falls short.

From Bell’s perspective, the targeted advertising approach, which it calls RAP or Relevant Ads Program, does not involve the collection of additional information (it already collects whatever is being used) and the company allows users to opt-out of this use of their information if they so choose. Moreover, it argues that the program is similar to what telecom companies in the United States as well as Internet giants such as Google and Facebook offer.

Yet documents now available on the public record reveal that there are important differences creating serious privacy concerns.

First, Bell has adopted an opt-out approach, automatically including millions of customers in its targeted advertising program unless they proactively ask not to be included. In the United States, some of the comparable programs are either opt-in or compensate users for the use of their information. For example, AT&T offers a discount on high-speed Internet services in some locations if customers allow it to track their web browsing history to deliver customized advertising.

Bell’s opt-out approach places the onus entirely on the user, who may not recognize the privacy implications of the system nor feel that they can take the time to opt-out of every unwanted use of their information. The cost-shift to users is precisely why Canada implemented the do-not-call list (which allows for a single opt-out of all unwanted telemarketing calls) and anti-spam legislation backed by an opt-in requirement.

While marketers can usually count on few people opting-out, Bell has revealed that 113,000 customers opted-out of its program in the first year alone. That may be a fraction of the total number of Bell subscribers, but if more than hundred thousand Canadians took the time to opt-out, there are likely many more that share similar concerns.

Second, Bell has access to customer data that is far more extensive than the Internet companies, who are largely limited to profiles based on Internet use. Bell acknowledges in the public record documents that advertisers can create profiles that include age, gender, account location (including postal code), credit score, pricing plan, and average revenue per user.

In addition to the use of financial information, Bell also tracks and retains individual Internet usage. The company offers advertisers profiles based on user interests, which are derived from the websites that users visit. Bell says that it retains Guavus, a U.S.-based data mining company, to assist in its efforts to assess Internet usage. It acknowledges that all website visits are logged for 30 days in a “probe buffer” and that all web addresses are logged in “Context Awareness Engine” for 90 days. The logged information is not aggregated and can be traced to the specific individual.

Moreover, Bell has also built in the capability to track search queries by pulling search terms directly from website address requests. The functionality is currently disabled, but the company says that it envisions using search terms to developed a more detailed user profile to market to advertisers.

The combined power of financial data, location information, and Internet usage gives Bell a remarkably detailed profile of its users. While the company does not disclose the information to third parties, its use of the information still triggers Canadian privacy law. The full profile represents an enormous amount of personal information, which is why the company’s opt-out approach leaves millions of Canadians with inadequate privacy protections.

The post Why Bell’s Targeted Ad Approach Falls Short on Privacy appeared first on Michael Geist.

Syndicate content