Feed aggregator

The Canadian Anti-Spam Law Panic: Same As It Ever Was

Michael Geist Law RSS Feed - Thu, 2014/06/26 - 07:35
As the Canadian media reports on the panic associated with the new anti-spam law set to take effect next week, consider the following from Macleans titled "Few Companies Prepared for New Privacy Law":

The new law..says organizations can only collect personal information for a stated reason - and can use it only for that purpose. Among others things, that means a company that supplies a service can't sell its list of subscribers to another company's marketing department. Individuals must be informed, and give their consent, before personal information is collected, used or disclosed..But most firms are unaware of the new law."

The article continues by noting that "there's confusion over which organizations might be exempt" and that "there is no grandfather clause - all existing customer information needs to be compliant." The message is similar in a Globe and Mail article titled "Many small firms not ready for privacy rules", which also notes the possibility of a constitutional challenge. An IT World Canada reiterates that concern in its coverage:

most Canadian organizations are not aware of the [law]. And very few are prepared to comply.

What makes these articles noteworthy is that none involve CASL. Instead, they all date from 2004, when the current private sector privacy law (PIPEDA) was about to take effect. Then, as now, there was ominous warnings about how ill-prepared Canadian business was to address their privacy law obligations. Yet as I noted in my post on complying with the new anti-spam law:

For any organization that already sends commercial electronic messages, they presumably comply with PIPEDA, the private sector privacy law, that requires organizations to obtain user consent, allow users to withdraw their consent, and provide the necessary contact information to do so.  Compliance with the new anti-spam law (CASL) involves much the same obligations. While there are certainly some additional technical requirements and complications (along with tough penalties for failure to comply), the basics of the law involve consent, withdrawal of consent (ie. unsubscribe), and accessible contact information.

While CASL does create some new obligations, what is not new is the claims that business is unaware and unprepared to address their privacy law obligations.

Re: Why Canada’s anti-spam legislation is creating so much spam

Russell McOrmond on Disqus - Wed, 2014/06/25 - 05:02

Interesting the Entertainment Software Association of Canada is mentioned in this one as well. The anti-SPAM law also had anti-malware provisions, and these bad actors continue to ask for the legally protected "right" to install software on our computers without our informed consent. Nasty stuff, and glad the government is finally outlawing this extremely harmful practise. As we use our computers in more and more aspects of our lives, ensuring that they are under the control of their owners and not unauthorized third parties becomes even more critical.

Given the economic and other costs of SPAM to our communications systems, I believe the minimal transitional training hardship for businesses (for-profit or non-profit) to conform to what should have been common courtesy are well worth it. Just because you are non-profit doesn't give you some right to abuse our common communications systems, and just because you use volunteers doesn't mean those volunteers shouldn't be trained. There are many things that volunteers need training on in order to not cause harm to themselves and others, and it is about time that training against the abuse of communications systems becomes added to the common courtesy understanding by everyone who uses email.

API Copyright Update: Oracle wins this round

IPBlog (Calgary) - Mon, 2014/06/23 - 14:00
By Richard Stobbe The basic question "are APIs eligible for copyright protection?" has consumed much analysis (and legal fees) during the lawsuit between Oracle and Google, which started in 2010. (For more reading on our long-running coverage of the long-running Oracle vs. Google patent and copyright litigation, see below.) The basic premise ...

Podcast: How Amazon is holding Hachette hostage

Here's a reading (MP3) of my latest Guardian column, How Amazon is holding Hachette hostage, which examines how Hachette's insistence on DRM for their ebooks has taken away all their negotiating leverage with Amazon, resulting in Amazon pulling Hachette's books from its catalog in the course of a dispute over discounting:

Under US law (the 1998 Digital Millennium Copyright Act) and its global counterparts (such as the EUCD), only the company that put the DRM on a copyrighted work can remove it. Although you can learn how to remove Amazon's DRM with literally a single, three-word search, it is nevertheless illegal to do so, unless you're Amazon. So while it's technical child's play to release a Hachette app that converts your Kindle library to work with Apple's Ibooks or Google's Play Store, such a move is illegal.

It is an own-goal masterstroke. It is precisely because Hachette has been so successful in selling its ebooks through Amazon that it can't afford to walk away from the retailer. By allowing Amazon to put a lock on its products whose key only Amazon possessed, Hachette has allowed Amazon to utterly usurp its relationship with its customers. The law of DRM means that neither the writer who created a book, nor the publisher who invested in it, gets to control its digital destiny: the lion's share of copyright control goes to the ebook retailer whose sole contribution to the book was running it through a formatting script that locked it up with Amazon's DRM.

The more books Hachette sold with Amazon DRM, the more its customers would have to give up to follow it to a competing store.


after Marrakesh

Fair Duty by Meera Nair - Mon, 2014/06/23 - 10:59

June 28 marks the one year anniversary of the completion of a diplomatic conference to facilitate access to published works for blind, visually impaired and print disabled people. Known as the Marrakesh Treaty, its purpose is to address the book famine that currently exists with respect to anyone of limited reading capability, by: (i) facilitating creation of appropriately formatted materials with the use of exceptions to copyright; and (ii) allowing countries to share materials, thereby reducing costs all round. Hailed as the Miracle in Marrakesh, it is the first multilateral treaty on limitations and exceptions to copyright, and gives credence to the view that negotiation among stakeholders is possible.

But no one had any expectation that the treaty would move forward smoothly. (Some of my earlier coverage is here and here). Prior to last year’s conference, Tatiana Sinodinou posted a detailed assessment of the situation; reminding us that these negotiations began more than thirty years earlier, when UNESCO and WIPO jointly created a working group to examine the possibilities for enhancing access to copyrighted material for those handicapped by visual or auditory limitations.

Sinodinou eloquently captured the tension of what lay ahead: “… The road to Marrakesh is open but is not paved with roses and the outcome of the negotiations is awaited with both hope and reservations.” Given that history, the cooperation found a year ago was worthy of attribution to the miraculous. But tangible benefit is yet to be had; the miracle may give way to mirage if concerted action is not taken.

With the treaty language adopted on 27 June 2013, delegates were invited to sign the treaty on 28 June 2013 and agree to:

… to introduce a standard set of limitations and exceptions to copyright rules in order to permit reproduction, distribution and making available of published works in formats designed to be accessible to [blind, visually impaired and print disabled persons] and to permit exchange of these works across borders by organizations that serve those beneficiaries …

Fifty-one countries immediately obliged. Over the past year, sixteen others signed. And this morning came the welcome news that Australia, Finland, Ireland and Norway have also signed.

PHOTO: Australia, Finland, Ireland & Norway sign “books for blind” Marrakesh Treaty – http://t.co/ZRjpR5EBoq pic.twitter.com/cPVTduhFIu

— WIPO (@WIPO) June 23, 2014

Canada’s absence of support is glaring, particularly given the role Canada purportedly played in negotiating the treaty; see Sara Bannerman’s remarks here and Michael Geist’s remarks here.

Geist points out that Canadian law will only need minor modification and that the Federal Government could make such changes during the upcoming scheduled review of Canadian copyright law in 2017. But, he also writes:

The biggest change would likely come from the need to establish an entity that would facilitate, promote, and disseminate accessible format copies of work and exchange information with other countries about accessible works. In other words, the treaty would require Canada to invest in improving access for the blind.

Fortunately, CELA might serve that need. Officially launched on 1 April 2014, with a formal debut at the Canadian Library Association’s National Conference on 29 May 2014, the Centre for Equitable Library Access (CELA) is a non-profit organization that serves Canadians with print disabilities. Supported by the Canadian Urban Libraries Council and the Canadian National Institute for the Blind, CELA already has 600 member libraries across Canada. Among the services provided by CELA are:

- A broad choice of formats including audio, braille, e-text and described video
– Access to a growing collection of over 230,000 alternate format items including books, magazines, newspapers and described videos
– A broad selection of genres: fiction, non-fiction, poetry, children’s, young adult, business, self-help, poetry and more
– A choice of delivery options: Direct download to computer, handheld devices and DAISY player; CD and braille mailed to home
– Training and expertise on accessibility

Of course, this only makes it more perplexing that our government is holding back on signing the treaty.

On a brighter note; Israel, which is not yet among the list of signatories, nevertheless amended its copyright law expressly to comply with the treaty requirements. At Israel Technology Law, Eli Greenbaum writes that the Israeli implementation exceeds the minimum standards required. (Hopefully, ratification is forthcoming quickly.) And it appears that India had planned to ratify the treaty by now; in his coverage last month for SpicyIP, Swaraj Paul Barooah writes: “G.R. Raghavender, Registrar of Copyrights, has stated that the ratification is expected by the end of May, 2014.” (Perhaps the election delayed the plans, but the new Indian government intends to act quickly?)

Until twenty countries ratify the treaty, and none have done so yet, the treaty cannot have force. In a lecture given at the Berkman Center on 23 April 2014, Justin Hughes, (chief negotiator for the United States for the Marrakesh Treaty) was unequivocal that much more needs to be done:

The real policy goal, the real thing we should care about is getting educational/cultural/informational materials into the hands of persons with print disabilities. And when you sign the treaty, you haven’t succeeded.

This journey is far from over; the road did not stop at Marrakesh.


More reading:

Explanatory notes, courtesy of World Blind Union.
User Guide to The Marrakesh Treaty, prepared by Jonathan Band.
The 1982 WIPO/UNESCO report is available at Knowledge Ecology International.


Update July 1  India becomes the first country to ratify the Marrakesh Treaty (dated to June 30, 2014)




My talk at the Edinburgh Publishing Conference

Here's my talk at last week's Edinburgh Publishing Conference, called "Information Doesn't Want to Be Free."

How Hachette made the rope that Amazon is hanging it with

In my latest Guardian column, "How Amazon is holding Hachette hostage," I discuss the petard that the French publishing giant Hachette is being hoisted upon by Amazon. Hachette insisted that Amazon sell its books with "Digital Rights Management" that only Amazon is allowed to remove, and now Hachette can't afford to pull its books from Amazon, because its customers can only read their books with Amazon's technology. So now, Hachette has reduced itself to a commodity supplier to Amazon, and has frittered away all its market power. The other four major publishers are headed into the same place with Amazon, and unless they dump DRM quick, they're going to suffer the same fate.

Under US law (the 1998 Digital Millennium Copyright Act) and its global counterparts (such as the EUCD), only the company that put the DRM on a copyrighted work can remove it. Although you can learn how to remove Amazon's DRM with literally a single, three-word search, it is nevertheless illegal to do so, unless you're Amazon. So while it's technical child's play to release a Hachette app that converts your Kindle library to work with Apple's Ibooks or Google's Play Store, such a move is illegal.

It is an own-goal masterstroke. It is precisely because Hachette has been so successful in selling its ebooks through Amazon that it can't afford to walk away from the retailer. By allowing Amazon to put a lock on its products whose key only Amazon possessed, Hachette has allowed Amazon to utterly usurp its relationship with its customers. The law of DRM means that neither the writer who created a book, nor the publisher who invested in it, gets to control its digital destiny: the lion's share of copyright control goes to the ebook retailer whose sole contribution to the book was running it through a formatting script that locked it up with Amazon's DRM.

The more books Hachette sold with Amazon DRM, the more its customers would have to give up to follow it to a competing store.

How Amazon is holding Hachette hostage

(Image: Noose, Old Austin County Jail, Bellville, Texas 0130101348BW, Patrick Feller, CC-BY)

Supreme Court issues unanimous decision in Alice Corp. v. CLS Bank

SFLC News Releases - Thu, 2014/06/19 - 17:51
Supreme Court issues unanimous decision in Alice Corp. v. CLS Bank

Say Anything: The Government's Response to its Disintegrating "Privacy" Reform Strategy

Michael Geist Law RSS Feed - Thu, 2014/06/19 - 03:48
The Supreme Court of Canada's Spencer decision is still only a few days old, but it has become clear that the ruling has left the government's privacy and lawful access strategy in tatters. I've posted earlier on how the decision - which held that Canadians have reasonable expectation of privacy in their subscriber information and that voluntary disclosure of such information to the police constitutes an unlawful search - blows away the government's plans for Bills C-13 and S-4 by contradicting longstanding government policy positions.

While there are options for the government to establish reforms that are consistent with the court ruling and that would grant police the access they say they need, government ministers have instead adopted a rather bizarre response of saying anything, no matter how inconsistent with prior positions, the court's analysis, or public comments from authorities such as the Privacy Commissioner of Canada. There is admittedly a track record for this: Conservatives have dismissed privacy concerns from Carole Todd, the Boys and Girls Club of Canada, the Privacy Commissioner of Canada, and many more. Further, the Conservative leader in the Senate claims Spencer has "no impact whatsoever" on Bill S-4. 

However, the inconsistencies or misleading comments from government ministers takes this to another level. The government's brief to the Supreme Court of Canada in the Spencer case states:

does a person enjoy a reasonable expectation of privacy in subscriber information? Put another way, should the police have to get judicial authorization to determine the physical address of an internet connection and the subscriber's name before they apply for judicial authorization to search that physical address? The answer to those questions must be "no", for the subscriber information sought says nothing more than that a person or company has an internet link.

Justice Minister Peter MacKay argued in favour of voluntary disclosure in the House of Commons when moving that Bill C-13 be read a second time:

organizations would still be bound by the Personal Information Protection and Electronic Documents Act, something known as PIPEDA, which makes it clear that an organization is entitled to voluntarily disclose personal information to the police, without the consent of the person to have the information relayed.

The court responded directly to these positions in Spencer:

in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.

Yet how does MacKay now characterize the decision? On Tuesday, he argued that the case confirms what the government has said all along:

The Supreme Court's decision actually confirms what the government has said all along, that Bill C-13's proposals regarding voluntary disclosures do not provide legal authority for access to information without a warrant.

On Wednesday, he doubled down by quoting from the Spencer decision:

let us look at the actual Supreme Court decision, paragraph 73. It is a declaratory provision that confirms the existing common law powers of police officers to make enquiries as indicated by the fact that the section begins with the phrase “for a greater certainty”. That is exactly what we have been saying. It is the same provision of Bill C-13.

Yet anyone who reads paragraph 73 will know that MacKay references only the first half of the paragraph.  Read in its entirety, the court argues the opposite:

With respect, I cannot accept that this conclusion applies to s. 7(3) (c.1)(ii) of PIPEDA .Section 487.014(1)  is a declaratory provision that confirms the existing common law powers of police officers to make enquiries, as indicated by the fact that the section begins with the phrase “[f]or greater certainty”: see Ward, at para. 49. PIPEDA  is a statute whose purpose, as set out in s. 3 , is to increase the protection of personal information. Since in the circumstances of this case the police do not have the power to conduct a search for subscriber information in the absence of exigent circumstances or a reasonable law, I do not see how they could gain a new search power through the combination of a declaratory provision and a provision enacted to promote the protection of personal information.

MacKay is not alone in engaging in creative interpretations. Daniel Therrien, the new Privacy Commissioner who was just appointed by the Conservatives, gave an interview to the Globe and Mail this week , in which he said that Bills C-13 and S-4 should be reviewed in light of the Spencer decision. Within hours, Industry Minister James Moore responded to a question on twitter about warrantless disclosure by stating that the Privacy Commissioner supports the bill.

Use of ADR in Technology Transactions

IPBlog (Calgary) - Wed, 2014/06/18 - 12:00
By Richard Stobbe A recent WIPO Survey assessed the use of alternative dispute resolution (ADR) clauses in various technology transactions, and the results make for interesting reading for anyone who is in the business of negotiating technology deals. The goal of the survey was to establish trends in the use of ADR ...

A significant milestone for digital due process

Google Public Policy BLOG - Wed, 2014/06/18 - 11:28
Posted by David Lieber, Senior Privacy Policy Counsel 

Although the recent debate around government surveillance has focused on the reach of the National Security Agency (NSA) and the Foreign Intelligence Surveillance Act (FISA), we have long supported efforts to update the Electronic Communications Privacy Act (ECPA) so that the government must obtain a warrant to require a provider to disclose content stored with the provider. 

The ongoing campaign to update ECPA reached a significant milestone today. For the first time, a majority of Members in the U.S. House of Representatives have gone on record to support bipartisan legislation (H.R. 1852) sponsored by Representatives Yoder (R-KS), Graves (R-GA), and Polis (D-CO) that would create a bright-line, warrant-for-content rule for electronic communications. 

This common-sense reform is long overdue. While well-intentioned when enacted in 1986, ECPA no longer reflects users’ reasonable expectations of privacy. For example, an email may receive more robust privacy protections under ECPA depending on how old it is, whether it has been opened, and where it is stored — while users attach no importance to these distinctions. The Department of Justice itself has acknowledged that there is no principled reason for this rule. 

In 2010, a federal appeals court said that ECPA itself is unconstitutional to the extent that it authorizes the government to obtain the content of emails without a warrant. Google agrees with the court that the Fourth Amendment requires that the government issue a search warrant to compel a provider to disclose the content of communications that a user stores with a provider. 

Congress should send a clear message about the limits of government surveillance by enacting legislation that would create a bright-line, warrant-for-content standard. Now that a majority has gone on record to support this common sense update, we once again urge Congress to expeditiously pass legislation to update ECPA.

Why Has Canada Still Not Signed the WIPO Copyright to Support the Blind?

Michael Geist Law RSS Feed - Wed, 2014/06/18 - 04:13
Countries from around the world last year reached agreement on a landmark copyright treaty designed to improve access to works for the blind and visually impaired. As the first copyright treaty focused on the needs of users, the success was quickly billed the "Miracle in Marrakesh" (the location for the final round of negotiations) with more than 50 countries immediately signing the treaty.

The pact, which was concluded on June 27, 2013, established a one-year timeline for initial signatures, stating that it was "open for signature at the Diplomatic Conference in Marrakesh, and thereafter at the headquarters of WIPO [the World Intellectual Property Organization] by any eligible party for one year after its adoption."

My weekly technology law column (Toronto Star version, homepage version) notes that in the months since the diplomatic conference, 67 countries have signed it. The list of signatories includes most of Canada's closest allies, including the United States, European Union, United Kingdom, and France. The major developing economies such as Brazil, China, and India have also signed the agreement. Curiously absent from the list of signatories, however, is Canada.

The issue was raised in the House of Commons by NDP MP Peggy Nash, leading to the following exchange with Industry Minister James Moore:

Nash: Mr. Speaker, over 90% of published materials are simply not accessible to blind and visually impaired Canadians. The Marrakesh treaty on copyright seeks to fix this problem. Sixty-seven countries have signed on, including the EU, U.K., India, and China, but not Canada. The Conservatives left these measures out of their proposed copyright changes. The treaty's deadline is June 27. Will the Conservatives do the right thing and sign this treaty so we can improve access for visually impaired Canadians?

Moore: Mr. Speaker, of course our government has taken the lead with our Copyright Modernization Act. In fact, just today we put in place the notice regime to further modernize our copyright regime in this country. With regard to those who are perceptually disabled, my colleague should know very well that when we put together the Copyright Modernization Act, we worked with the Canadian National Institute for the Blind and others. Of course, we are more than willing to look at ways to improve our copyright legislation to ensure that all Canadians recognize that their needs are met in Canadian law.

In other words, when asked specifically why Canada has yet to sign the treaty, Moore refused to provide a direct answer.

Canada's failure to sign the treaty is particularly surprising given the important role it reportedly played in facilitating a deal. Reports from Marrakesh indicated that Canada worked to find common ground and helped craft the final agreement. Moreover, from both policy and legal perspectives, supporting the treaty would appear to be a proverbial no-brainer.

The treaty expands access for the blind by facilitating the export of works to the more than 300 million blind and visually impaired people around the world, which is needed since only a tiny percentage of books are ever made into accessible formats. Further, it restricts digital locks from impeding access, by permitting the removal of technological restrictions on electronic books for the benefit of the blind and visually impaired.

The treaty would require few changes to Canadian law. The basic requirements of the treaty are an exception or limitation in national law that permits the creation of accessible format copies for the blind or visually impaired without permission of the copyright holder as well as a scheme to permit the cross-border exchange of qualifying copies.

Canada already has an exception in national law relating to persons with perceptual disabilities. The current exception is not identical to the treaty requirements and would need some modest tweaking to comply with the new international standard.

The biggest change would likely come from the need to establish an entity that would facilitate, promote, and disseminate accessible format copies of work and exchange information with other countries about accessible works. In other words, the treaty would require Canada to invest in improving access for the blind.

Given the narrow goals of promoting greater access for the visually impaired, signing the treaty should be relatively uncontroversial. Indeed, while both the U.S. and European Union expressed some concerns during the negotiation process, both are now signatories.

With a copyright review planned for 2017, Canada could sign the treaty now with the expectation of incorporating the necessary reforms as part of the next reform process. Alternatively, there are several bills currently before the House of Commons that involve intellectual property issues that could be amended to include the necessary changes.

Regardless of what legislative approach is adopted, the first step is for Canada to sign the treaty before the June 27th deadline. Failure to become part of the initial group of signatories would raise troubling questions about why the government was unwilling to take a strong stand in favour of the rights of the blind and visually impaired in Canada.

Harper Government announces last step implimenting C-11

Digital Copyright Canada BLOG - Tue, 2014/06/17 - 15:30

In a press release, the Harper Government Announces the Coming into Force of the Notice and Notice Regime, using the same language they used to promote the controversial bill.

While I agree that the copyright portions of that bill could be claimed to be "balanced", I will still state the anti-technology ownership "TPM" sections of the bill were unbalanced.

Given the variety of house and senate bills proposing information disclosures without court oversight being pushed by the Harper Government, the notice&notice regime in the Copyright Act will soon be moot. It is highly unlikely that an aggressive copyright holder will use N&N when they will be able to get subscriber information without a court order and communicate threats directly to ISP customers.

read more

My Tedxoxbridge talk: How to break the Internet

I gave a talk last month in Cambridge at the Tedxoxbridge event called How to break the Internet, about how urgent it is that the Internet is fundamentally broken, and why we should be hopeful that we can fix it.

Government Rejects Supreme Court Privacy Decision: Claims Ruling Has No Effect on Privacy Reform

Michael Geist Law RSS Feed - Tue, 2014/06/17 - 04:22
Having had the benefit of a few days to consider the implications of the Supreme Court of Canada decision in Spencer, the Senate last night proceeded to ignore the court and pass Bill S-4, the Digital Privacy Act, unchanged. The bill extends the ability to disclose subscriber information without a warrant from law enforcement to any private sector organizations by including a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. Given the Spencer decision, it seems unlikely that organizations will voluntarily disclose such information as they would face the prospect of complaints for violations of PIPEDA.

Despite a strong ruling from the Supreme Court of Canada that explicitly rejected the very foundation of the government's arguments for voluntary warrantless disclosure, the government's response is "the decision has no effect whatsoever on Bill S-4."

As I posted yesterday, the government had argued in committee that:

In the instance of PIPEDA, because of the type of information provided in a pre‑warrant phase such as basic subscriber information, it would be consistent with privacy expectations and therefore it's not really putting telecoms, for example, in some unique position in terms of police investigations.

The Supreme Court of Canada rejected this view, concluding that:

there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous.

That cannot be credibly described as "no effect whatsoever." Indeed, the government's recently appointed Privacy Commissioner also pointed to Spencer and urged the government to consider the implications on S-4. 

In another post yesterday on the future of C-13 and S-4, I lamented that the "government could adopt the 'bury our heads in the sand approach' by leaving the provisions unchanged, knowing that they will be unused or subject to challenge." I argued that a better approach would be to address the issue directly, providing certainty to businesses and Canadians.

Perhaps unsurprisingly given its recent track record on privacy, it has chosen the head in the sand approach. During debate at the Senate yesterday, Conservative Senators repeatedly argued that Bill S-4 actually strengthens privacy, despite the fact that it opens the door to warrantless voluntary disclosure to any organization (it also enshrines weak data breach rules that do not provide protection as strong as that found in some other jurisdictions). Moreover, they tried to distinguish Spencer by arguing that it involves a criminal investigation disclosure to police, while the S-4 expansion of warrantless disclosure involves disclosures to private organizations.

Yet the principle is obviously the same: there is a reasonable expectation of privacy in subscriber information that should not be disclosed without a warrant or court order. No organization should be disclosing that information and when they do, they are likely to face a complaint with the Privacy Commissioner of Canada for violating PIPEDA. By leaving S-4 unchanged, the government is encouraging voluntary disclosures even after the Supreme Court explicitly ruled against them.

While the bill must still pass through the House of Commons, the government's decision to rush the legislation through the Senate (it conducted only a few hours of hearings) and to seemingly ignore the Supreme Court's decision creates further uncertainty for Canadians and Canadian businesses. Everyone needs rules that comply with the letter and spirit of the Spencer decision, which Bill S-4 fails to do on both counts. 

Canadian Copyright Notice-and-Notice System to Take Effect in 2015

Michael Geist Law RSS Feed - Tue, 2014/06/17 - 03:44
The government today announced that there will be no additional regulations associated with the notice-and-notice rules that provide rights holders with the ability to have Internet providers forward notifications to subscribers alleging infringement. The government had delayed implementation of the rules amid a consultation on the issue. The notice-and-notice system does not require the ISP to disclose the subscriber's personal information to the rights holder nor to takedown the content. The system, which other countries are now considering due to its effectiveness, is set to take effect on January 1, 2015.

Global Deletion Orders? B.C. Court Orders Google To Remove Websites From its Worldwide Index

Michael Geist Law RSS Feed - Tue, 2014/06/17 - 02:11
In the aftermath of the European Court of Justice "right to be forgotten" decision, many asked whether a similar ruling could arise in Canada. While a privacy-related ruling has yet to hit Canada, last week the Supreme Court of British Columbia relied in part on the decision in issuing an unprecedented order requiring Google to remove websites from its global index. The ruling in Equustek Solutions Inc. v. Jack is unusual since its reach extends far beyond Canada. Rather than ordering the company to remove certain links from the search results available through Google.ca, the order intentionally targets the entire database, requiring the company to ensure that no one, anywhere in the world, can see the search results. Note that this differs from the European right to be forgotten ruling, which is limited to Europe.

The implications are enormous since if a Canadian court has the power to limit access to information for the globe, presumably other courts would as well. While the court does not grapple with this possibility, what happens if a Russian court orders Google to remove gay and lesbian sites from its database? Or if Iran orders it remove Israeli sites from the database? The possibilities are endless since local rules of freedom of expression often differ from country to country. Yet the B.C. court adopts the view that it can issue an order with global effect. Its reasoning is very weak, concluding that:

the injunction would compel Google to take steps in California or the state in which its search engine is controlled, and would not therefore direct that steps be taken around the world. That the effect of the injunction could reach beyond one state is a separate issue.

Unfortunately, it does not engage effectively with this "separate issue."

The case involves a company that claims that another company used its trade secrets to create a competing product along with "bait and switch" tactics to trick users into purchasing their product. The defendant company had been the target of several court orders demanding that it stop selling the copied product on their website. Google voluntarily removed search results for the site from Google.ca search results, but was unwilling to block the sites from its worldwide search results.

The case turned largely on jurisdictional questions: could a B.C. court assert jurisdiction over Google? Was a Canadian court the right court to hear the case when Google is based in California?  Is it appropriate to issue an order requiring the complete removal of results for all users worldwide?

The court answered affirmatively to all questions. On the issue of jurisdiction, the court cited the European Court of Justice decision, concluding that the companies search and advertising services were inextricably linked and that therefore Google has a Canadian connection. As for concerns that the decision would give every state jurisdiction over Google, the court was unmoved:

I will address here Google's submission that this analysis would give every state in the world jurisdiction over Google’s search services. That may be so. But if so, it flows as a natural consequence of Google doing business on a global scale, not from a flaw in the territorial competence analysis.

Further, on concerns that the B.C. court order would have global effect, the court was similarly unpersuaded:

I note that Google objects to British Columbia retaining jurisdiction because the order sought would require Google to take steps in relation to its websites worldwide. That objection is not resolved by "going to California". If the order involves worldwide relief, a California court will be no more appropriate a forum than British Columbia to make such an order. Even if the order can be construed more narrowly as requiring Google to take steps at the site where the computers controlling the search programs are located, Google has not established that those computers are located in California, or that they can only be reprogrammed there.

The issues raised by the decision date back to the very beginning of the globalization of the Internet and the World Wide Web as many worried about jurisdictional over-reach with courts applying local laws to a global audience. This decision provides the sense that the court felt that Google's global reach needed to be matched by the court's reach. While there is much to be said for asserting jurisdiction over Google - if it does business in the jurisdiction, the law should apply - attempts to extend blocking orders to a global audience has very troubling implications that could lead to a run on court orders that target the company's global search results.

Homeland shortlisted for the Sunburst Award

I'm honoured and delighted to learn that my novel Homeland has been shortlisted for Canada's Sunburst Award, a juried prize for excellence in speculative fiction. I've won the Sunburst twice before, and this is one of my proudest accomplishments; I'm indebted to the jury for their kindness this year. The other nominees are a very good slate indeed -- including Nalo Hopkinson's Sister Mine and Charles de Lint's The Cats of Tanglewood Forest.

Podcast: News from the future for Wired UK

Here's a reading (MP3) of a short story I wrote for the July, 2014 issue of Wired UK in the form of a news dispatch from the year 2024 -- specifically, a parliamentary sketch from a raucous Prime Minister's Question Time where a desperate issue of computer security rears its head:

Quick: what do all of these have in common: your gran's cochlear implant, the Whatsapp stack, the Zipcar by your flat, the Co-Op's 3D printing kiosk, a Boots dispensary, your Virgin thermostat, a set of Tata artificial legs, and cheap heads-up goggles that come free with a Mister Men game?

If you're stumped, you're not alone. But Prime Minister Lane Fox had no trouble drawing a line around them today during PMQs in a moment that blindsided the Lab-Con coalition leader Jon Cruddas, who'd asked about the Princess Sophia hacking affair. Seasoned Whitehall watchers might reasonably have expected the PM to be defensive, after a group of still-anonymous hackers captured video, audio and sensitive personal communications by hijacking the Princess's home network. The fingerpointing from GCHQ and MI6 has been good for headlines, and no one would have been surprised to hear the PM give the security services a bollocking, in Westminster's age-old tradition of blame-passing.

Nothing of the sort. Though the PM leaned heavily on her cane as she rose, she seemed to double in stature as she spoke, eyes glinting and her free hand thumping the Dispatch Box: "The Princess Sophia affair is the latest installment in a decades-old policy failure that weakened the security of computer users to the benefit of powerful corporations and our security services. This policy, the so-called 'anti-circumvention' rules, have no place in an information society.


The Supreme Court Eviscerates Voluntary Disclosure, Part 2: What Comes Next for C-13 and S-4?

Michael Geist Law RSS Feed - Mon, 2014/06/16 - 04:18
In the fall of 2007, Public Safety Canada quietly launched a lawful access consultation that envisioned mandatory disclosure of customer name and address information. After I posted the consultation online, the department claimed that the consultation was not secret and then-Public Safety Minister Stockwell Day suggested that the document actually contained old Liberal wording. Day promised not introduce legislation compelling disclosure without a court order, a commitment that Peter Van Loan, the next Public Safety Minister, rejected when the Conservatives introduced their first lawful access bill in 2009.

This third post on Spencer (case summary, comparison with government talking points) begins with some lawful access history because it is important for understanding what might come in the aftermath of the Supreme Court of Canada's evisceration of the government's arguments on voluntary disclosure of personal information in the Spencer decision. The starting point for the voluntary disclosure provisions in Bills C-13 and S-4 can be traced back to the 2007 consultation. Law enforcement complained about inconsistent access to customer name and address information and sought new provisions to make such disclosure mandatory (PIPEDA permitted voluntary disclosure but did not require it).

Public Safety responded with a plan to create a mandatory disclosure provision, but hit a roadblock when Day promised no warrantless disclosure. Once Day was shuffled out of that position, the Van Loan and Vic Toews lawful access bills both brought it back, with Van Loan's bill specifying 13 identifiers that would be required to be disclosed and Toews' bill slimming the list down to six identifiers. Both bills did not proceed past first reading: the Van Loan bill died with an election call weeks after it was introduced and the Toews bill was infamously shelved after the public outrage over the bill and Toews characterization of either siding with the government or child pornographers.

After then-Justice Minister Rob Nicholson promised no Criminal Code reforms based on the Toews bill (another promise that did not last long), the government adopted a different approach. If mandatory warrantless disclosure was out (the Spencer decision makes it clear those provisions would have been struck down as unconstitutional), a more robust voluntary disclosure system might do the trick.  PIPEDA already contains voluntary disclosure provisions, which are used thousands of times every year.  The government envisioned expanding the current system by offering full criminal and civil immunity for voluntary disclosures in Bill C-13 and expanding the scope of voluntary disclosures to public officials (in C-13) and any private sector organization (in S-4). The Privacy Commissioner and other experts argued against the changes, but the government relied on claims that disclosure was permitted by law (now debunked by the Supreme Court) to support the policy.

All of which raises the question of what comes next. With the Spencer decision, the expanded voluntary warrantless disclosure strategy is effectively dead. Law enforcement will not seek voluntary disclosure (except in exigent circumstances) since it is likely to be treated as an illegal search and the resulting information will be inadmissable. In any event, telecom companies will no longer provide customer name and address information on a voluntary basis since that is likely to be treated as a violation of Canadian privacy law.  With no one seeking voluntary disclosure and no one providing it, the C-13 and S-4 provisions have been neutered by the Supreme Court. In fact, the immunity provision now seems inoperable since it is contingent on a lawful voluntary disclosure, which customer name and address information is not.

The government could adopt the "bury our heads in the sand approach" by leaving the provisions unchanged, knowing that they will be unused or subject to challenge. That would run counter to the spirit of the Supreme Court ruling and do nothing to assist law enforcement. The better approach would be to directly address the problems in the bills and the current legislation. The first involves voluntary warrantless disclosure of subscriber information. Those provisions in C-13 and S-4 should be dropped from the bill. Moreover, the existing PIPEDA provisions should also be eliminated. In their place, a new subscriber information warrant could be developed that ensures court oversight, an appropriate standard given the Supreme Court of Canada's finding of the privacy import of such information, and a system to allow law enforcement to apply for a subscriber information warrant expeditiously.

Second, the transmission data warrant (typically referred to as metadata) in C-13 should be amended as many recommended to the committee. Numerous witnesses (myself included) argued that the reason to suspect standard was too low given the privacy implications of metadata and that the reason to believe standard was more appropriate. Given the Spencer decision, the transmission data warrant is a court challenge waiting to happen and adopting the higher standard would provide far more legal certainty.
Syndicate content