Feed aggregator

Decertifying the worst voting machine in the US

Freedom to Tinker - Wed, 2015/04/15 - 09:26
On Apr 14 2015, the Virginia State Board of Elections immediately decertified use of the AVS WinVote touchscreen Direct Recording Electronic (DRE) voting machine. This seems pretty minor, but it received a tremendous amount of pushback from some local election officials. In this post, I’ll explain how we got to that point, and what the […]

Back to the Drawing Board: Bell Drops Opt-Out Targeted Ad Program

Michael Geist Law RSS Feed - Tue, 2015/04/14 - 08:18

Days after the Office of the Privacy Commissioner of Canada released its decision that found that Bell was violating Canadian privacy law with its targeted ad program, the communications giant advised that it is withdrawing its program and deleting all customer profiles. A company spokesperson stated yesterday that Bell plans to re-introduce the program using an opt-in consent approach. That would likely require more than just a change to the privacy policy since the company would need to provide customers with incentives or compensation to get much acceptance to be voluntarily tracked.

My weekly technology law column (Toronto Star version, homepage version) notes that Bell’s targeted advertising program, which creates customer profiles that include age, gender, account location, credit score, pricing plan, and average revenue per user, generated controversy from the moment it was announced in October 2013. The communications giant maintained that it complied with Canadian privacy laws, yet many clearly disagreed as the Privacy Commissioner of Canada received an unprecedented barrage of complaints.

While concerns about tracking Internet usage and search queries garnered headlines, the fundamental legal issue was whether Bell was entitled to force its millions of customers to opt-out of the targeted advertising program if they did not wish to participate or if the law requires an explicit, opt-in approach in which consumers must proactively ask to be included before their tracking information is used for advertising purposes.

Last week the Privacy Commissioner of Canada rendered his verdict: Bell’s targeted advertising program violates the law since the consumer data used by Bell is sufficiently sensitive such that an opt-out approach does not adequately protect user privacy. Bell argued that the information it collects is non-sensitive and that opt-out was therefore good enough.

If the consumer data is taken piece by piece, Bell might have been right. Yet in an era of “big data”, the Privacy Commissioner effectively concluded that the sum of personal information is more than the parts. In the case of Bell, he placed the spotlight on the remarkable scale of the company’s data collection and usage:

“Bell is able to track every website its customers visit, every app they use – and in the future, potentially every TV show they watch and every call they make – using Bell’s network, whether at home or abroad. Under the RAP [Relevant Advertising Program], Bell can use this information to infer a wide range of both general and specific interests. The combination of this information with the extensive account/demographic information (e.g., age range, gender, average revenue per user, preferred language and postal code) used by Bell for the RAP will result in highly detailed and rich multi-dimensional profiles that, in our view, individuals are likely to consider quite sensitive.”

Bell was willing to make small adjustments to its program in response to the Privacy Commissioner’s concerns, but for months it would not budge on the opt-in issue. Indeed, with over 113,000 customers taking the trouble to navigate the opt-out form on its website in the first year alone, it likely knows that few will agree to have their personal information tracked and used without any compensation or incentives (by contrast, AT&T offers a discount on high-speed Internet services in some U.S. locations if customers allow it to track their web browsing history to deliver customized advertising).

Hours after the release of the Privacy Commissioner’s decision – which indicated that it was considering filing a legal action against Bell at the Federal Court of Canada to enforce the ruling – Bell issued a brief statement conceding that it is prepared to comply with all of the findings, including the opt-in requirement. The Privacy Commissioner met with company officials last Wednesday, but was apparently still unsatisfied with its compliance plans. That changed on Monday as the company caved on the opt-in issue.

While a courtroom showdown has been averted, Bell’s brazen decision to initially reject the ruling points to Canadian privacy law’s biggest flaw. Unlike provincial privacy commissioners and data protection regulators around the world, Canada’s federal privacy commissioner does not have order making power, relying instead on moral suasion or media pressure to convince companies to comply with the law.

The government claims that the law provides strong privacy protections, but merely hoping that companies will abide by their privacy obligations is not good enough. With Bill S-4, the Digital Privacy Act, currently before the House of Commons, the Bell targeted advertising case demonstrates why reforms are urgently needed to provide the Privacy Commissioner of Canada with long overdue power to enforce the law.

The post Back to the Drawing Board: Bell Drops Opt-Out Targeted Ad Program appeared first on Michael Geist.

Why Bell’s Opting-Out Approach Isn’t Good Enough

Michael Geist Law RSS Feed - Tue, 2015/04/14 - 08:14

Appeared in the Toronto Star on April 11, 2015 as Why Bell’s Opting-Out Approach Isn’t Good Enough

Bell’s targeted advertising program, which creates customer profiles that include age, gender, account location, credit score, pricing plan, and average revenue per user, generated controversy from the moment it was announced in October 2013. The communications giant maintained that it complied with Canadian privacy laws, yet many clearly disagreed as the Privacy Commissioner of Canada received an unprecedented barrage of complaints.

While concerns about tracking Internet usage and search queries garnered headlines, the fundamental legal issue was whether Bell was entitled to force its millions of customers to opt-out of the targeted advertising program if they did not wish to participate or if the law requires an explicit, opt-in approach in which consumers must proactively ask to be included before their tracking information is used for advertising purposes.

Last week the Privacy Commissioner of Canada rendered his verdict: Bell’s targeted advertising program violates the law since the consumer data used by Bell is sufficiently sensitive such that an opt-out approach does not adequately protect user privacy. Bell argued that the information it collects is non-sensitive and that opt-out was therefore good enough.

If the consumer data is taken piece by piece, Bell might have been right. Yet in an era of “big data”, the Privacy Commissioner effectively concluded that the sum of personal information is more than the parts. In the case of Bell, he placed the spotlight on the remarkable scale of the company’s data collection and usage:

“Bell is able to track every website its customers visit, every app they use – and in the future, potentially every TV show they watch and every call they make – using Bell’s network, whether at home or abroad. Under the RAP [Relevant Advertising Program], Bell can use this information to infer a wide range of both general and specific interests. The combination of this information with the extensive account/demographic information (e.g., age range, gender, average revenue per user, preferred language and postal code) used by Bell for the RAP will result in highly detailed and rich multi-dimensional profiles that, in our view, individuals are likely to consider quite sensitive.”

Bell was willing to make small adjustments to its program in response to the Privacy Commissioner’s concerns, but for months it would not budge on the opt-in issue. Indeed, with over 113,000 customers taking the trouble to navigate the opt-out form on its website in the first year alone, it likely knows that few will agree to have their personal information tracked and used without any compensation or incentives (by contrast, AT&T offers a discount on high-speed Internet services in some U.S. locations if customers allow it to track their web browsing history to deliver customized advertising).

Hours after the release of the Privacy Commissioner’s decision – which indicated that it was considering filing a legal action against Bell at the Federal Court of Canada to enforce the ruling – Bell issued a brief statement conceding that it is prepared to comply with all of the findings, including the opt-in requirement. The Privacy Commissioner met with company officials on Wednesday, but was apparently still unsatisfied with its compliance plans.

While a courtroom showdown may yet be averted, Bell’s brazen decision to initially reject the ruling points to Canadian privacy law’s biggest flaw. Unlike provincial privacy commissioners and data protection regulators around the world, Canada’s federal privacy commissioner does not have order making power, relying instead on moral suasion or media pressure to convince companies to comply with the law.

The government claims that the law provides strong privacy protections, but merely hoping that companies will abide by their privacy obligations is not good enough. With Bill S-4, the Digital Privacy Act, currently before the House of Commons, the Bell targeted advertising case demonstrates why reforms are urgently needed to provide the Privacy Commissioner of Canada with long overdue power to enforce the law.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

The post Why Bell’s Opting-Out Approach Isn’t Good Enough appeared first on Michael Geist.

The Copyright Notice Flood: What to Consider If You Receive a Copyright Infringement Notification

Michael Geist Law RSS Feed - Mon, 2015/04/13 - 09:37

For the past few months, I’ve received daily emails from people who have been sent a copyright infringement notification as part of Canada’s notice-and-notice system. Most of the notifications come from CEG-TEK, a U.S.-based anti-piracy firm. Canadian Internet providers are now required by law to forward these notifications and CEG TEK has been taking advantage of a loophole in the system to include a settlement demand within the notification. Some of the recipients claim that the notification has been sent in error. Others say that they have received multiple notifications for a single download. In some cases, the recipient has clicked on the settlement demand link, while in others the person has called the company and revealed their identity. In virtually every case, they are looking for advice on what to do.

My typical response has been to point to my earlier posts on the issue that have explained Canada’s notice-and-notice system, the misuse of the system by rights holders in sending misleading information about Canadian copyright law, the government’s failure to stop the inclusion of settlement demands within the notices, and the massive expansion in the number of notices with the arrival of CEG TEK. I also point to Industry Canada’s page on the notice-and-notice system, which provides the government’s perspective on the issue. These resources can be helpful, but what most people really want to know is whether they should pay the settlement or ignore it. I don’t condone infringement but I believe that the misuse of the notice and notice system is extremely problematic. Moreover, I certainly think people that did not infringe copyright should not pay a settlement demand. I’m unable to provide specific legal advice, but I can provide more information that may assist in making a more informed decision about a system that was designed to discourage infringement, not create a loophole to facilitate settlement demands.

What does the rights holder know about the subscriber when they send the notification?

The short answer is not much. Internet providers do not disclose their subscribers’ personal information as part of the notice-and-notice process. The rights holder merely has an IP address and evidence it claims links that address to a copyright infringement. It does not know who receives the actual notice.

What steps are needed for a rights holder to sue in Canada?

As discussed in my other posts, the notices forwarded by Internet providers are an unproven allegation of infringement. For a rights holder to successfully pursue a case against an alleged individual infringer, it would first need to obtain a court order requiring the Internet provider to disclose the identity of the subscriber. Canadian courts have established privacy safeguards around potential disclosure of such information. The ISP may oppose the disclosure of the subscribers identity or argue for subscriber notification of the legal process.

If the rights holder succeeds in obtaining the subscriber’s personal information, it might then send another demand letter seeking payment in return for settling the case. Canadian courts have recently required that such letters be reviewed by the court before being sent to subscribers.

If the subscriber refuses to settle, the rights holder could pursue an infringement action in court. The rights holder would be required to prove its rights in the work, that an infringement occurred, and that the subscriber was responsible for the infringement. The rights holder would likely also need to provide some evidence of damages, given the cap on non-commercial infringement under the law discussed below. The subscriber could challenge these claims in court, potentially providing evidence that they were not involved in the unauthorized download (perhaps due to an error by the rights holder, incorrect IP address information, or an insecure wireless network) or by attempting to make the case that their actions did not violate Canadian copyright law.

What are the damages if a rights holder is successful in their lawsuit?

The legal process described above is expensive, yet the potential payoff from litigation against individuals is limited. The government established a new cap on liability for non-commercial infringement in its 2012 copyright reform package. The law now sets a maximum liability of C$5000 for all non-commercial infringements. The provision states:

Subject to this section, a copyright owner may elect, at any time before final judgment is rendered, to recover, instead of damages and profits referred to in subsection 35(1), an award of statutory damages for which any one infringer is liable individually, or for which any two or more infringers are liable jointly and severally,

(b) in a sum of not less than $100 and not more than $5,000 that the court considers just, with respect to all infringements involved in the proceedings for all works or other subject-matter, if the infringements are for non-commercial purposes

The government’s intent was clearly to ensure that the maximum applied to all infringement from all rights holders. Indeed, the government’s fact sheet on the bill stated:

The Bill ensures that Canadians are not subject to unreasonable penalties by significantly reducing statutory damages for infringement for non-commercial purposes by individuals, providing the courts with the flexibility to award between $100 and $5,000 in total damages. Using the same example of five illegally downloaded songs, the individual would only be liable for a penalty of between $100 and $5,000 under the proposed changes. The Bill will ensure that courts take proportionality into account in awarding damages.

Some rights holders have recently argued that they could choose to pursue actual damages, rather than the non-commercial statutory damages. Yet the primary reason governments implemented statutory damages is that proving actual damages can be very difficult. As Howard Knopf rightly notes, to suggest that rights holder might be able to prove significant actual damages in mass copyright litigation is “extremely far fetched.”

Has anyone successfully sued a downloader for non-commercial infringement in Canada?

Not to my knowledge. The members of the Canadian Recording Industry Association ultimately abandoned the first file sharing lawsuits launched in 2004. More recently, Voltage Pictures has sought a court order for the identity of roughly 2,000 TekSavvy subscribers. After more than two years of litigation, it has obtained an order for the subscribers’ identity but that information has not been released due to an ongoing dispute over the costs its must pay before the information is made available.

Does CEG TEK regularly follow through on the demand letter with lawsuits?

According to the Cashman Law Firm, it has not sued anyone in two years in the United States. I am not aware of any lawsuits being filed in Canada.

The post The Copyright Notice Flood: What to Consider If You Receive a Copyright Infringement Notification appeared first on Michael Geist.

Syndicate content