flash intro pages – a useful analogy

Just a short one today before I get back to work. Completely unrelated to law. If you’re building a website, and thinking of using flash, and, moreover, thinking of having a flash splash page, you may want to consider this sage advice:

Jared said, “When we have clients who are thinking about Flash splash pages, we tell them to go to their local supermarket and bring a mime with them. Have the mime stand in front of the supermarket, and, as each customer tries to enter, do a little show that lasts two minutes, welcoming them to the supermarket and trying to explain the bread is on aisle six and milk is on sale today.

“Then stand back and count how many people watch the mime, how many people get past the mime as quickly as possible, and how many people punch the mime out.

“That should give you a good idea as to how well their splash page will be received. That’s the crux of it.”

MarketingSherpa: Uproar over Anti-Flash Intro Survey Results by way of The Oatmeal.

woman sues rogers for exposing affair to husband

Can mobile carriers be liable for divorce? I guess we’ll find out soon enough. There was a story in the Toronto Star this morning that told of a woman who is suing Rogers for $600,000 because her husband left her. She alleges this was caused by Rogers taking the liberty of sending her husband a consolidated bill when he signed up for internet and home phone. They apparently then lumped in her cell phone bill, which she alleges she did not request. When the husband saw the bill and noticed a series of long phone calls, he called the number and apparently found out about his wife’s affair.

Needless to say, Rogers is asserting that it is not liable, primarily it seems on the basis of lack of causality – i.e. it was the affair that led to the break-up, not the disclosure of personal information. Of course the wife will argue that the break-up would not have happened but for Rogers’ disclosure, which is likely alleged to be in contravention of her agreement with Rogers or the Canadian Personal Information Protection and Electronic Documents Act.

Interestingly, on the latter front, she apparently did not choose to make a complaint to the federal privacy commissioner, instead deciding to proceed by way of a statement of claim in the Ontario Superior Court.

I have my doubts as to the likelihood of her success. Despite the unfortunate circumstances she and her two young children now find themselves in, I don’t think the courts will have much sympathy for her claim. Even if there were a breach by Rogers, I’m not sure how much in the way of damages she would be awarded. The question here would be whether the court believes the damages would have been foreseeable by Rogers. I think that would be unlikely. But who knows. In any event, I’m sure this is a case that The Ashley Madison Agency will be following very closely.

draft electronic document regulations for financial institutions published

Last week (May 8 to be exact) the federal government published draft regulations relating to the use of electronic documents by federally regulated financial institutions. These regulations are part of a process that began in 2005 to harmonize and modernize legislation governing banks, insurance companies, trust companies and cooperatives.

The new regulations set out the general requirements that such institutions must meet in order to use electronic documents when dealing with stakeholders. You can find links to the draft regulations and a regulatory impact analysis at the end of this post.

Here’s the Coles Notes summary:

  • electronic documents related to securities transfers are excluded;
  • electronic documents must be in clear and simple language that is not misleading;
  • a requirement to provide a document may be satisfied by making the document available through a generally accessible electronic source (such as a website) and giving notice (whether paper or electronic) to the person to whom the document must be provided, unless there’s a requirement under the legislation to deliver to a specific place, in which case the website mechanism won’t work;
  • consent to receive electronic documents can be obtained from addressees in writing (paper or electronic) or orally, but, unless it’s just a one-time consent, they must be notified in writing (paper or electronic) regarding:
    • when their consent is effective,
    • that they can revoke their consent,
    • that they are responsible for updating the address to which electronic documents are delivered, and
    • that the sender will only retain electronic documents for a specified period, following which it becomes the responsibility of the recipient to retain a copy;
  • the notification or consent above, if in electronic form, must be provided in a form that can be retained by the recipient for future reference;
  • consent must include the address designated for receipt and a list of notices covered by the consent and, if consent is provided orally, the sender must confirm such information, as well as that in the original notice, in writing (paper or electronic);
  • consent can be revoked in writing (paper or electronic) or orally;
  • revocation must be confirmed in writing, together with when it takes effect, and, if provided in electronic form, the confirmation must be accessible and capable of being retained for future reference;
  • an electronic document is considered provided to someone when it:
    • leaves an information system in the control of the sender, or
    • is posted or made available through the secure website of the sender (no reference to a notice needing to be sent to them);
  • an electronic document is considered received by someone when:
    • it enters the information system designated by them,
    • it is posted or made available through the secure website of the sender, or
    • the recipient receives the notice mentioned in the third bullet above (i.e. when posting to a website, the notice alerting the recipient that it’s available);
  • electronic signatures must consist of letters, characters, numbers or symbols in digital form incorporated in, attached to or associated with an electronic document.

Not quite clear to me why the provision on sending doesn’t refer to the alert notice being sent. Nor is it clear to me what the reference to “secure” websites means. But apart from those nits, one of the good things about these new regulations is that they expressly provide for a mechanism that permits the delivery of electronic documents by posting to a website, combined with the delivery of a notice (which can of course be much shorter) that the electronic documents are available. In contrast, other acts, such as the Ontario Consumer Protection Act and its associated regulations, do not expressly permit such a mechanism when it comes to delivery of “internet agreements” – for example, s. 33(3) of the regulations indicates that an internet agreement is considered delivered by:

1. Transmitting it in a manner that ensures that the consumer is able to retain, print and access it for future reference, such as sending it by e-mail to an e-mail address that the consumer has given the supplier for providing information related to the agreement.

2. Transmitting it by fax to the fax number that the consumer has given the supplier for providing information related to the agreement.

3. Mailing or delivering it to an address that the consumer has given the supplier for providing information related to the agreement.

4. Providing it to the consumer in any other manner that allows the supplier to prove that the consumer has received it.

Similarly, the equivalence rules in the Ontario Electronic Commerce Act specifically exclude the posting of information to a website as satisfying a legal requirement to provide information or a document in writing:

10. (1) For the purposes of sections 6, 7 and 8, electronic information or an electronic document is not provided to a person if it is merely made available for access by the person, for example on a website.

(2) For greater certainty, the following are examples of actions that constitute providing electronic information or an electronic document to a person, if section 6, 7 or 8 is otherwise complied with:

1. Sending the electronic information or electronic document to the person by electronic mail.

2. Displaying it to the person in the course of a transaction that is being conducted electronically.

Though in both cases there is some room to argue that a web-based posting could satisfy the requirements of the act (e.g. posting to a website plus sending a notice of availability would not be “merely” making the information available on a website), it’s certainly not as expressly permitted as in the new draft regulations.

Of course, the regulations should be read in connection with the corresponding provisions (Bank Act – scroll down to Part XVIII, Insurance Companies Act – scroll down to Part XX, Trust and Loan Companies Act – scroll down to Part XIV.1, Cooperative Credit Associations Act – scroll down to Part XVII.1) in each act relating to the use of electronic documents.

Links to draft regulations: Regulatory Impact Analysis; Bank Regulations; Insurance Company Regulations; Trust and Loan Companies Regulations; Cooperative Credit Associations Regulations

alberta enacts breach notification requirement

Alberta’s Personal Information Protection Amendment Act, 2009 came into effect over the weekend (May 1, to be precise). The amendments include a variety of changes but perhaps most notably a new notification requirement if an organization experiences a security breach.

The Alberta government has come out with a brochure (PDF) to help organizations understand their obligations under this new requirement. Here’s the Coles Notes version:

  • you must notify the Alberta Privacy Commissioner of any loss, unauthorized access or unauthorized disclosure of personal information without delay
  • notification is mandatory (i.e. it’s an offence if you don’t) if a reasonable person believes there is a real risk of significant harm to an individual as a result of the breach and optional if it isn’t
  • the Commissioner then decides whether individuals need to be notified. If they do, the Commissioner will tell you and you will need to comply accordingly

The brochure itself contains helpful explanations, examples and illustrations on some of these concepts, such as what is meant by “real risk of significant harm” and who is responsible for notification, which I won’t regurgitate here.

While this is old hat in the US, with many (most?) US states already having such requirements in place, it is relatively new in Canada. Apart from the somewhat terse breach notification requirements under the Ontario Personal Health Information Protection Act, Alberta’s legislation appears to be the first in Canada. The concept however has been subject to discussion for some time now. Other provinces (I believe Newfoundland and New Brunswick) have legislation pending along the same lines, but Alberta’s is the first to address breaches relating to personal information generally, not just health information. The Uniform Law Commission of Canada has also studied the matter a fair bit and came out with a report and draft legislation (PDF) last year. John Gregory, the General Counsel of the Ontario Ministry of the Attorney General, has also given presentations (PPT) on the topic.

In short, all this points to the fact that it isn’t a question of whether there will be such requirements throughout Canada, but rather when. Organizations that hold a significant amount of personal information would be well-advised to consider the adequacy of their existing security measures and whether they need to be upgraded, given the potential cost of security breaches in light of these requirements.

the gizmodo/jason chen/search warrant debacle

There have been many views expressed on both the propriety of Gizmodo breaking the story on the next-gen iPhone as well as the subsequent search warrant executed by the police against Jason Chen, the Gizmodo reporter who broke the story. Needless to say, each side has its supporters. A good summary with links to contrasting views can be found on GigaOm.

I won’t rehash all the arguments either for or against the execution of the warrant or its validity – you can check out the link above for all of that. The only thing I did want to point out was the possibility that a previous, somewhat similar case, may perhaps have prompted the criminal investigation leading to the search warrant. O’Grady v. The Superior Court of Santa Clara County (pdf) was a case in 2006 that also involved Apple. Apple was seeking civil subpoenas to certain websites that published information that it claimed to be trade secrets, in order to discover the source of the disclosures. The publishers moved for a protective order, which was denied at trial. However, the protective order was granted on appeal.

Though there were various bases on which the court found in favour of the websites, the one that seems relevant to the Chen search warrant relates to the California reporter’s shield – the same California legislation cited by the chief operating officer of Gizmodo as making the search illegal. In short, the appeal court in O’Grady found that “any subpoenas seeking unpublished information from petitioners would be unenforceable through contempt proceedings in light of the California reporter’s shield (Cal. Const., art. I, § 2, subd (b); Evid. Code, § 1070)”.

More importantly, the appeal court had this to say about what was alleged by Apple to be criminal activity, in reviewing the lower court’s findings on same:

The court found petitioners’ assertion of a constitutional privilege “overstated” because “[r]eporters and their sources do not have a license to violate criminal laws such as Penal Code [section] 499c [(§ 499c)].” 8 The court assumed petitioners to be journalists, but wrote that “this is not the equivalent of a free pass” and that they could still be compelled to reveal information relating to a crime. The court repeatedly alluded to the supposed presence of criminal or larcenous conduct. The court also faulted petitioners for failing to establish “what public interest was served” by the publications in question. While acknowledging evidence that thousands of people were interested in the information in question, the court opined that “an interested public is not the same as the public interest.” The court implied that the publications in question were not “ ‘protected speech.’”

Though the appeal court didn’t dwell much further on the relevance of the alleged criminal acts to the California reporter’s shield in the body of the decision, the footnote to the excerpt above is rather informative:

8 Section 499c criminalizes the misappropriation or attempted misappropriation of trade secrets under specified circumstances. Although Apple alluded to this statute in its memorandum below, and does so again before us, it has never demonstrated that the facts here could establish a criminal theft of trade secrets. That offense requires proof of, among other things, “intent to deprive or withhold the control of [the] trade secret from its owner, or . . . to appropriate [the] trade secret to [the defendant’s] own use or to the use of another . . . .” (§ 499c, subd. (b).) Since Apple has never argued the point, no occasion is presented to consider whether the inferred circumstances of the disclosure here could be found to constitute a crime. For present purposes we are concerned only with an allegedly tortious disclosure of a trade secret presumably by an Apple employee.

It would seem clear that the court took pains to distinguish between a tortious disclosure of a trade secret and a criminal misappropriation of a trade secret. And although the court does not make any findings as to what might have happened if there were a basis to claim criminal wrongdoing, the implication of the note above is that the findings on appeal may well have been different if only Apple had presented any facts to establish a crime. (All that being said, the EFF has expressed the opinion that both the California shield law and the federal Privacy Protection Act would make such a search illegal, even if a crime were committed.)

So here Apple is, facing a similar situation as in O’Grady, and knowing that it will likely have either very limited or no ability to successfully obtain civil subpoenas given the finding in O’Grady, but with a little crack in the door suggesting that if criminal misconduct could be successfully demonstrated, it may have some chance of success. That seems better than nothing.

Given the above, it seems logical that Apple would want to request the DA to commence a criminal investigation (though to be clear, reports indicate that the DA has declined to indicate who instigated the investigation), either for plain theft or for theft of trade secrets, in order to enable it to seek some sort of remedy for the leaked information, though I’ll admit that if the above is correct it’s not clear to me exactly what remedy Apple would be seeking – in contrast to O’Grady, the identity of the Apple rep who lost the phone (and all the gory details) is already public. Perhaps the identity of the person who picked it up (which doesn’t appear to be public)? Though I’m not sure what that gets Apple, other than perhaps fiery retribution against the fellow and disgorgement of his ill-gotten gains (the $5,000 that Gizmodo paid him for the phone). Will be interesting to see how it plays out.

statute of anne’s 300th anniversary – good? bad?

As some of you may know, April 10 marked the 300th anniversary of the Statute of Anne, otherwise known as “An Act for the Encouragement of Learning, by Vesting the Copies of Printed Books in the Authors or Purchasers of such Copies, during the Times therein mentioned” and generally recognized as the first copyright statute and the origin of modern copyright law. Of course, in recognition of this milestone, there have been a number of comments, op-eds and articles recognizing the passage of three centuries of copyright law.

I read, with interest, the article on Google’s Public Policy Blog, entitled “Celebrating copyright” which described the effect of the statute as follows:

The Statute of Anne changed this system. For the first time, it granted authors rights to their works, and made it so anyone was eligible for a copyright. In this way, early copyright was anti-authoritarian and directly aimed at promoting free expression by shifting power to writers and away from printers and the state.

It also was aimed at promoting competition and the emergence of new creators and distributors. Rather than perpetual rights, copyrights would only exist for limited terms. This was intended to constrain a monopoly like the Stationers Company from existing in the future. Because any bookseller would be able to reprint valuable works after a certain period, it would be easier for others to enter the market and make these works available to the public.

Compare this with a similar piece published by the Software Freedom Law Centre, simply entitled “The 300th Anniversary of the Statute of Anne”:

By the end of the 17th century, this partnership lapsed, threatening the publishers’ monopoly. The publishers tried repeatedly to reinstitute the scheme, but amidst the growing importance of the electorate and an increasing hostility to private monopolies, all their efforts failed. The publishers had to change their strategy. If they were unable to reestablish copyright all for themselves, the next best thing for them would be to assign property rights directly to authors, who, unable to print and distribute their works on their own, would have no choice but to contract with the publishers. Publishers could then bargain with the authors to get exclusive publication rights, in essence perpetuating their monopoly over books. With this goal in mind, the publishers convinced Parliament that the creation of strong intellectual property rights was essential to encourage the advancement of learning.

So the Statute of Anne was born, and on April 10, 1710, became law.

I find it interesting (though perhaps not surprising) that two different groups can come, more or less, to two seemingly diametrically opposed conclusions regarding the effect, or intended effect, of the statute. Perhaps not surprisingly in this day and age, opinions on copyright do vary significantly. It seems that this variance also happens to find its way into the recounting of history.

foss tool to… detect foss

Saw the announcement for this and thought it would be of interest. It’s a new tool called Binary Analysis. You can go to the site for more info but in short it scans through object code (including firmware) to detect specified source code. Apparently it includes automated checking for Linux kernel code.

Might come in handy for compliance checking, though, as the site itself indicates, it’s no substitute for a compliance engineer and the development of appropriate development policies. Also might come in handy if you’re doing due diligence on a potential acquisition if you suspect there might be some open source in what you’ve been told is proprietary. Usually the vendor recommended for that sort of work is Black Duck but I imagine Binary Analysis may be good for a quick and dirty check.

It was created with the participation of Armijn Hemel, the same fellow who runs gpl-violations.org – an organization that tracks, publicizes and occasionally takes legal action against those infringing GPL licensed software.

google open sourcing vp8 codec

Interesting but perhaps not surprising news that Google will make the VP8 video codec open source. You can read in more detail by following the link but here’s a quick rundown: Many companies have decided to support H.264 for video streaming, including Google, Apple and Microsoft. Others, like Mozilla (the creator of Firefox), have not, as they are concerned about adopting, as a standard, proprietary technology that may one day require payment of royalties. Instead, they have chosen to support Ogg Theora, an open source codec based on a much earlier version of VP8. Making VP8 open source will remove this divide and will likely encourage the adoption of VP8 as a standard in place of either, as VP8 appears to be technically superior to both H.264 and Ogg Theora and presumably would be free of the potential licensing issues (and fees) associated with proprietary solutions such as H.264.

Perhaps not surprising given Google’s approach in mobile (i.e. the Android open source platform). Though it is worth noting that Google isn’t enchanted with all things open source, as evidenced by the hubbub about it and the Affero GPL a few years ago…

standardized seed financing docs

Great article by Brad Feld on attempts to draw up standardized seed round funding documents. According to Brad there have now been four different sets of template documents developed in the US for use in seed round financings, each of which is a little bit different. He is now attempting to reach out to some US law firms in an attempt to come up with one single set for the US. Why? To reduce the inevitable haggling and negotiation over terms and reduce legal fees.

If you’re looking for first round financing, worth taking a look at just to get a sense of what sort of terms have achieved some measure of acceptance as being “market” (or at least that some VCs and entrepreneurs can agree on). That being said, if you’re in Canada, some of the things won’t quite work due to differences in the law.

Seems like a great idea. Anyone aware of an initiative like this in Canada?

“Anonymized” data really isn’t—and here’s why not – Ars Technica

You have zero privacy anyway. Get over it.

So spoke Scott McNealy more than a decade ago. At the time he made this statement, he received a fair amount of criticism. Turns out, he might very well have had a point, though perhaps for reasons he might not have foreseen.

A recent paper highlights the issue of the “reidentification” or “deanonymization” of anonymized personal information. However, the issue goes beyond anonymized information to the very heart of how one should define personal information that is or should be protected under privacy legislation.

“Anonymized” data really isn’t—and here’s why not – Ars Technica.

Canadian privacy legislation simply defines personal information as “information about an identifiable individual” (excluding certain information about someone in their capacity as an employee). However, what does “about an identifiable individual” mean? Does it mean that the person collecting the particular nugget of information can associate it with a person’s identity? Or, perhaps more disconcertingly, does it include data that, on its own (or even in conjunction with all the other information collected by a given organization), could not be linked with a particular individual, but that has the potential to be associated with someone by analyzing it together with information available from other sources?
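As an added illustration of the linkage concern raised above (this is constructed example code, not from the Ars Technica article or the paper it discusses), the following joins a release stripped of names to a separate, made-up public list on the attributes the two share, then measures k-anonymity to show when coarsening those attributes removes the unique matches. All records, names and postal prefixes are constructed.

```python
"""Constructed demonstration: re-identification by linkage, and a k-anonymity check.

The "released" set has no names but keeps quasi-identifiers (postal prefix,
birth year, sex) next to a sensitive column. A separate constructed public
list carries the same quasi-identifiers with names. Any combination that is
unique in both sources links a name to a sensitive value.
"""
from collections import Counter
from typing import Dict, List, Tuple

QI: Tuple[str, ...] = ("postal", "birth_year", "sex")  # shared quasi-identifiers

# Constructed "anonymized" release (no direct identifiers).
RELEASED: List[dict] = [
    {"postal": "M5V", "birth_year": 1971, "sex": "F", "diagnosis": "asthma"},
    {"postal": "M5V", "birth_year": 1975, "sex": "F", "diagnosis": "none"},
    {"postal": "M4W", "birth_year": 1985, "sex": "F", "diagnosis": "diabetes"},
    {"postal": "M4W", "birth_year": 1985, "sex": "F", "diagnosis": "none"},
    {"postal": "M6G", "birth_year": 1963, "sex": "M", "diagnosis": "hypertension"},
    {"postal": "M6G", "birth_year": 1968, "sex": "M", "diagnosis": "none"},
]

# Constructed public source (e.g. a directory) with names attached.
PUBLIC: List[dict] = [
    {"name": "A. Example", "postal": "M5V", "birth_year": 1971, "sex": "F"},
    {"name": "B. Example", "postal": "M5V", "birth_year": 1975, "sex": "F"},
    {"name": "C. Example", "postal": "M4W", "birth_year": 1985, "sex": "F"},
    {"name": "D. Example", "postal": "M4W", "birth_year": 1985, "sex": "F"},
    {"name": "E. Example", "postal": "M6G", "birth_year": 1963, "sex": "M"},
    {"name": "F. Example", "postal": "M6G", "birth_year": 1968, "sex": "M"},
]


def qi_key(rec: dict, qi: Tuple[str, ...] = QI) -> tuple:
    """The record's quasi-identifier tuple, used as the join key."""
    return tuple(rec[c] for c in qi)


def k_anonymity(records: List[dict], qi: Tuple[str, ...] = QI) -> int:
    """Smallest group size sharing one QI combination; k == 1 means some record is unique."""
    return min(Counter(qi_key(r, qi) for r in records).values())


def link(released: List[dict], public: List[dict], qi: Tuple[str, ...] = QI) -> Dict[str, str]:
    """Map name -> sensitive value for every QI combination unique in BOTH sources."""
    rel_counts = Counter(qi_key(r, qi) for r in released)
    pub_counts = Counter(qi_key(p, qi) for p in public)
    sensitive = {qi_key(r, qi): r["diagnosis"] for r in released}
    names = {qi_key(p, qi): p["name"] for p in public}
    return {names[k]: sensitive[k] for k in rel_counts
            if rel_counts[k] == 1 and pub_counts.get(k) == 1}


def generalize(records: List[dict]) -> List[dict]:
    """Mitigation: coarsen postal to its first character and birth year to a decade."""
    out = []
    for r in records:
        g = dict(r)
        g["postal"] = r["postal"][:1]
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(RELEASED), "linked:", link(RELEASED, PUBLIC))
    print("k after :", k_anonymity(generalize(RELEASED)),
          "linked:", link(generalize(RELEASED), generalize(PUBLIC)))
```

The same check applies to any release: compute k over the columns an outside source could plausibly share, and treat k == 1 rows as identifiable regardless of whether names were removed.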