more draft regulations to canadian anti-spam legislation published

A while back I had posted an entry on some draft regulations under Canada’s Anti-Spam Legislation which were published by the CRTC for public comment. Those regulations related primarily to consent mechanisms and what information must be provided in e-mails.

Late last week, another round of draft regulations was released, this time by the Governor in Council rather than the CRTC. For what it’s worth, here’s a compressed version of same. I’ve taken the liberty of appending the full wording at the end of the post, which can also be found in the Canada Gazette (with the added bonus of a regulatory impact analysis statement). This summary is a bit wordier than the last one, as these regulations are a bit more complicated and need some background in order to be properly understood. Anyway, here it is FWIW:

  1. Section 6(5) of CASL exempts certain types of messages from the requirements to get prior consent and provide certain information before sending e-mails. These include messages to individuals with whom the sender has “personal or family relationships”. The regulations define both of these:
    • a family relationship means:
      • a blood relationship (children, grandchildren, parents, grandparents, brothers, sisters or others of common or “collateral” descent);
      • relationship by marriage or common-law partnership (including in-laws in either case); or
      • adoption (including blood relations of the person doing the adopting).
    • a personal relationship means a relationship with someone who the sender has:
      • met in person at some point in the past;
      • had a two-way communication with within the past two years; and
      • the meeting and communication were not related to a “commercial activity”.
  2. Section 10(2) of CASL allows someone  (let’s call that someone the “Original Consentee”) to get consent from a person (let’s call them the “Target”) to send or alter messages or install software on behalf of third parties (let’s call those third parties “Additional Consentees”) whose identities are not known. To do so, there are two requirements: First, the Original Consentee must disclose specific information about itself (see my earlier post). Second, the Original Consentee must comply with the regulations. The regulations basically try to ensure there are seamless links between the Original Consentee and Additional Consentees from the Target’s perspective, as follows:
    • Requirements to send messages:
      • any message sent to the Target must identify the Original Consentee; and
      • each Additional Consentee must provide an unsubscribe mechanism that complies with CASL and which also allows the Target to withdraw consent from the Original Consentee and any other Additional Consentee;
    • Requirements related to withdrawal of consent by a Target:
      • the Original Consentee must ensure that any Additional Consentee who receives withdrawal of consent from a Target notifies the Original Consentee of those for whom consent has been withdrawn (i.e. the Original Consentee, the Additional Consentee receiving the notice of withdrawal, and any other Additional Consentees); and
      • the Original Consentee must:
        • give effect to the withdrawal of consent;
        • promptly notify any other Additional Consentees for whom consent has been withdrawn (other than of course the Additional Consentee who received the withdrawal); and
        • ensure that each other Additional Consentee for whom consent has been withdrawn also gives effect to the withdrawal of consent
  3. Section 6 of the Act provides that consent for messages can be express or implied. However, consent is only implied in certain situations. One of those situations is an existing “non-business relationship”. In turn, there are different categories of “non-business relationship”, one of which is membership in a club, association or voluntary organization within the two years immediately before the day the message is sent. The regulations clarify what is meant by membership and what constitutes a club, association or voluntary organization:
    • membership means being accepted as a member; and
    • club, association or voluntary organization basically means a non-profit. To drive home the point, the regulation specifies that it can be operated for any purpose other than profit, and that no proprietor, member or shareholder can personally benefit from any income of the organization, except for organizations promoting amateur athletics in Canada.

The concepts are a bit convoluted, particularly those summarized in paragraph 2 above (which, as an aside, I think leave open some questions of interpretation, which I might address in a later post). Perhaps at a later time I’ll try to come up with an illustrative example of how 2 works (or at least my best guess as to how it’s supposed to work). Also, I believe in my previous post I referred to “e-mail”. Just to be clear, the Act applies not only to e-mail, but to any “commercial electronic messages”, which is fairly broad and could include SMS messages, messages through websites, IM, etc.

As with the last set, these are open for comments for 60 days following the publication date (July 9, 2011).

Full regulation to save you a click:

ELECTRONIC COMMERCE PROTECTION REGULATIONS

DEFINITION

1. In these Regulations “Act” means An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.

PERSONAL RELATIONSHIP AND FAMILY RELATIONSHIP

2. For the purposes of paragraph 6(5)(a) of the Act

  (a) “family relationship” means the relationship between individuals who are connected by
    (i) a blood relationship, if one individual is the child or other descendant of the other individual, the parent or grandparent of the other individual, the brother or sister of the other individual or of collateral descent from the other individual’s grandparent,
    (ii) marriage, if one individual is married to the other individual or to an individual connected by a blood relationship to that other individual,
    (iii) a common-law partnership, if one individual is in a common-law partnership with the other individual or with an individual who is connected by a blood relationship to that other individual; and
    (iv) adoption, if one individual has been adopted, either legally or in fact, as the child of the other individual or as the child of an individual who is connected by a blood relationship to that other individual; and
  (b) “personal relationship” means the relationship, other than in relation to a commercial activity, between an individual who sends the message and the individual to whom the message is sent, if they have had an in-person meeting and, within the previous two years, a two-way communication.

CONDITIONS FOR USE OF CONSENT

3. (1) For the purposes of paragraph 10(2)(b) of the Act, a person who obtained express consent on behalf of a person whose identity was unknown may authorize any person to use the consent on the condition that the person who obtained consent ensures that, in any commercial electronic message sent to the person from whom consent was obtained,

  (a) the person who obtained consent is identified; and
  (b) the authorized person provides an unsubscribe mechanism that, in addition to meeting the requirements set out in section 11 of the Act, allows the person from whom consent was obtained to withdraw their consent from the person who obtained consent or any other person who is authorized to use the consent.

(2) The person who obtained consent must ensure that, on receipt of an indication of withdrawal of consent by the authorized person who sent the commercial electronic message, that authorized person notifies the person who obtained consent that consent has been withdrawn from, as the case may be,

  (a) the person who obtained consent;
  (b) the authorized person who sent the commercial electronic message; or
  (c) any other person who is authorized to use the consent.

(3) The person who obtained consent must inform, without delay, a person referred to in paragraph 2(c) of the withdrawal of consent on receipt of notification of withdrawal of consent from that person.

(4) The person who obtained consent must give effect to a withdrawal of consent and, if applicable, ensure that a person referred to in paragraph 2(c) gives effect to the withdrawal of consent, in accordance with subsection 11(3) of the Act.

MEMBERSHIP, CLUB, ASSOCIATION AND VOLUNTARY ORGANIZATION

4. (1) For the purposes of paragraph 10(13)(c) of the Act, membership is the status of having been accepted as a member of a club, association or voluntary organization in accordance with the membership requirements of the club, association or organization.

(2) For the purposes of paragraph 10(13)(c) of the Act, a club, association or voluntary organization is a non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than profit, if no part of its income is payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization the primary purpose of which is the promotion of amateur athletics in Canada.

COMING INTO FORCE

5. These Regulations come into force on the day on which they are registered.

internet e-mail is not secure

From time to time I have moaned and groaned about the lack of security regarding e-mail. Oddly enough, many people who use e-mail on a daily basis for sensitive business communications don’t realize that, generally speaking, e-mail is, by default, not secure. Nothing is magically encrypted when you send or receive e-mails and, to the extent someone can intercept an e-mail, it can be read very easily. I don’t recall who said it, but I do remember the phrase that e-mail should be considered no different from sending a postcard – anyone along the way will be able to read it.

Oddly enough, for some reason, most folks in the business world – including lawyers, bankers, VCs, as well as very smart technology folks – either are not aware of this issue or, if they are, don’t consider it to be much of a risk. To illustrate – I was talking with someone the other day about the marvels of Blackberries. One reason, I was told, that Blackberries have gained such widespread acceptance is their bulletproof security. From what I understand, transmissions to and from the devices are encrypted using some very serious, very heavy-duty technology. I pointed out, however, that the encrypted communication was only between the Enterprise Server and the device. So, while it was great that no one could pick up the wireless signal and eavesdrop that way, it would be quite possible once the e-mail made it back on to their mail server and was transmitted via SMTP, at which point it would no longer be encrypted at all (unless other measures had been taken) between their mail server and the recipient’s mail server. So although it might be quite secure for e-mails within the organization, for external e-mails, not so much. That being the case, I questioned the value of a partial encryption path for external e-mails. To me, it seemed like armor plating your body, except for your head and chest. I ruminated that it is a question of when, not if, a lawsuit or some other form of liability would attach due to someone exploiting this lack of security.
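The partial-path point above can be checked on any message you have received: every relay stamps a Received: header on the way through, and its RFC 3848 "with" keyword records whether that hop used STARTTLS (ESMTPS) or cleartext (ESMTP/SMTP). The following is an added example, not code from the original post; the sample message, hostnames and addresses are constructed.

```python
"""Audit which hops of an e-mail's delivery path were TLS-protected.

Reads the Received: trace headers and classifies each hop by the RFC 3848
"with" keyword: ESMTPS / ESMTPSA mean STARTTLS was negotiated on that hop,
plain SMTP / ESMTP mean it travelled in the clear. One cleartext hop is
enough for the message to have been readable at that relay, which is the
"postcard" problem described above.
"""
import re
from email import message_from_string

# Constructed sample: the device-to-corporate-server hop used TLS, the
# server-to-server hop between the two organisations did not.
SAMPLE_MESSAGE = """\
Received: from mx.law-firm.example (mx.law-firm.example [192.0.2.20])
\tby mail.bank.example (Postfix) with ESMTP id 4F2A7
\tfor <deal-team@bank.example>; Mon, 11 Jul 2011 09:15:02 -0400
Received: from bes.law-firm.example (bes.law-firm.example [198.51.100.9])
\tby mx.law-firm.example (Postfix) with ESMTPS id 2B1C3
\t(version=TLSv1 cipher=AES256-SHA bits=256);
\tMon, 11 Jul 2011 09:14:58 -0400
From: counsel@law-firm.example
To: deal-team@bank.example
Subject: Draft term sheet

Attached, privileged and confidential.
"""

# "from <host> ... by <host> ... with <protocol>" inside one trace header.
_HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)
# RFC 3848 keywords that indicate the hop was protected by TLS.
_TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def classify_hops(raw: str) -> list:
    """Return one record per Received: header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Relays prepend their header, so reverse to get chronological order.
    for hdr in reversed(msg.get_all("Received", [])):
        m = _HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if not m:
            continue  # non-standard trace line; nothing to classify
        src, dst, proto = m.groups()
        hops.append({"from": src, "by": dst, "with": proto,
                     "tls": proto.upper() in _TLS_KEYWORDS})
    return hops


def fully_encrypted_path(raw: str) -> bool:
    """True only if every recorded hop negotiated TLS."""
    hops = classify_hops(raw)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for hop in classify_hops(SAMPLE_MESSAGE):
        print(f"{hop['from']} -> {hop['by']}: {hop['with']} (tls={hop['tls']})")
    print("fully encrypted:", fully_encrypted_path(SAMPLE_MESSAGE))
```

Note that ESMTPS only records that STARTTLS was used on that hop; it says nothing about whether the sending server verified the receiving server's certificate.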

So I read with interest an article on reportonbusiness.com about insider trading as a result of IT folks hacking e-mail:

Regulators revealed yesterday that an information technology analyst working at TD Securities Inc. in Calgary was reading the personal e-mails of investment bankers working on the deal, and bought Synenco securities using undisclosed information about a pending offer from French energy giant Total SA.

While it appears no senior officials involved in any of the recent cases knew their companies’ confidential information had been breached, regulators say firms are responsible for ensuring critical e-mail is not intercepted.

I didn’t see anything in the article about the consequences for the companies. It will be interesting to see what happens. Then again, according to the article, this isn’t the first time this sort of thing has happened.

All that being said, there are tools to ensure that e-mails and other communications are made secure. There are built-in encryption tools in Outlook. There is PGP. There are services offering encrypted e-mail and other communications through access to secure websites. The fact of the matter, however, is that they’re all an incredible pain in the ass to use. You need to securely exchange public keys. You need to sign up for the web service. You need to go to the website to read and reply. And so on. So, in the meantime, not much is done and millions of unencrypted, easily read e-mails with highly sensitive and confidential information continue to flow through the ether. I imagine at some point something on a much larger scale will occur, and at that point, the imperative will be much stronger to implement security measures for e-mail (at least sensitive/confidential e-mails) or to replace it with something stronger altogether. My suggestion would be that firms exchanging sensitive information by e-mail seriously think about adopting such measures before that. Or run the risk of being the poster boy for that imperative.

silly lawsuit of the week

OK. Short version of the story in InformationWeek: Woman puts up a website. She puts a “webwrap” agreement at the bottom – i.e. basically a contract that says if you use the site then you agree to the contract. Still some question as to whether such a mechanism is binding, but anyway…

So the Internet Archive of course comes along and indexes her site. Which apparently is a violation of the webwrap. So she sues, representing herself, I believe. The court throws out everything on a preliminary motion by IA except for the breach of contract.

InformationWeek observes that “Her suit asserts that the Internet Archive’s programmatic visitation of her site constitutes acceptance of her terms, despite the obvious inability of a Web crawler to understand those terms and the absence of a robots.txt file to warn crawlers away.” (my emphasis). They then conclude with this statement:

If a notice such as Shell’s is ultimately construed to represent just such a “meaningful opportunity” to an illiterate computer, the opt-out era on the Net may have to change. Sites that rely on automated content gathering like the Internet Archive, not to mention Google, will have to convince publishers to opt in before indexing or otherwise capturing their content. Either that or they’ll have to teach their Web spiders how to read contracts.

(my emphasis).

They already have – sort of. It’s called robots.txt – the thing referred to above. For those of you who haven’t heard of this, it’s a little file that you put on the top level of your site and which is the equivalent of a “no solicitation” sign on your door. It’s been around for at least a decade (probably longer) and most (if not all) search engines

From the Internet Archive’s FAQ:

How can I remove my site’s pages from the Wayback Machine?

The Internet Archive is not interested in preserving or offering access to Web sites or other Internet documents of persons who do not want their materials in the collection. By placing a simple robots.txt file on your Web server, you can exclude your site from being crawled as well as exclude any historical pages from the Wayback Machine.

Internet Archive uses the exclusion policy intended for use by both academic and non-academic digital repositories and archivists. See our exclusion policy.

You can find exclusion directions at exclude.php. If you cannot place the robots.txt file, opt not to, or have further questions, email us at info at archive dot org.
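Since robots.txt is the opt-out mechanism both the paragraph above and the FAQ rely on, it is worth checking what the file actually says to a crawler before trusting it: a parser ignores directives it does not recognise, so a misspelled one fails open and the crawler is let in. The following is an added example, not code from the original post or from the Internet Archive; the site and file are constructed, and the agent token "ia_archiver" is assumed to be the archive crawler's (verify it against the crawler's own documentation).

```python
"""Compare a robots.txt file's real effect with the exclusions intended.

Uses the standard-library robots.txt parser offline, exactly as a crawler
would apply the file after fetching it, and lists every (agent, path) pair
where the file does not do what the site owner meant.
"""
from urllib.robotparser import RobotFileParser

SITE = "https://example.test"  # placeholder site, constructed for this example

# Constructed robots.txt: archive crawler excluded from everything, every
# other crawler excluded from /private/ only.
ROBOTS_TXT = """\
User-agent: ia_archiver
Disallow: /

User-agent: *
Disallow: /private/
"""

# Same intent, but the directive in the first group is misspelled.
ROBOTS_TXT_TYPO = ROBOTS_TXT.replace("Disallow: /\n", "Disalow: /\n", 1)

# (user-agent, path, should_be_allowed): what the site owner intends.
INTENDED = [
    ("ia_archiver", "/", False),
    ("ia_archiver", "/about.html", False),
    ("Googlebot", "/about.html", True),
    ("Googlebot", "/private/deal.pdf", False),
]


def load_robots(text: str) -> RobotFileParser:
    """Parse robots.txt content without fetching anything."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def mismatches(robots_text: str, intended) -> list:
    """(agent, path) pairs where the file's effect differs from the intent."""
    rp = load_robots(robots_text)
    return [(ua, path) for ua, path, allowed in intended
            if rp.can_fetch(ua, SITE + path) != allowed]


if __name__ == "__main__":
    print("correct file:", mismatches(ROBOTS_TXT, INTENDED))       # []
    # The misspelled group is dropped, so ia_archiver falls back to the
    # "*" rules and is allowed everywhere outside /private/.
    print("typo file:   ", mismatches(ROBOTS_TXT_TYPO, INTENDED))
```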

standardized methods of communications – privacy policies, etc. – more. Question is, will people be required to use it, or simply disregard and act dumb?

Microsoft Patents RSS. Or Tries To. Maybe.

Interesting post on someone else’s blog about Microsoft apparently trying to patent RSS:

The applications, filed last June but just made public yesterday, cover subscribing and discovering what Microsoft calls “Web feeds.” That comes as a bit of a shock to anyone who’s been working on RSS, which has its origins in a format developed seven years ago at Netscape Communications.

Microsoft executive Don Dodge, while not involved in the patent applications, says he suspects the filings were made to defend the company against “patent trolls”. (The filings were made shortly before Microsoft announced plans to build RSS technology into its upcoming Vista operating system.) Still, if granted, the patents would give Microsoft a legal cudgel to wield against other companies using RSS.

Well. They do have a point. Generally speaking, I don’t think patent trolls (those that basically file overly broad patents and then sit on them in a dark cave until someone who actually does something useful, and therefore has deep pockets, unwittingly infringes, at which point the troll comes out and clubs them over the head with a lawsuit or settlement) are a good thing. That being said, it’s ironic that Microsoft feels the need to abuse the system in the same way as patent trolls in order to proactively defend itself. It will be interesting to see how things turn out.

Unfortunately, I’m not necessarily sure that prior art would necessarily invalidate these patents – after all, most of NTP’s patents were more or less considered invalid, but that didn’t stop them from collecting several hundred million from RIM. And it’s not like there haven’t been other, um, rather broad patents asserted in the past. You know, like back in 2002, when British Telecom asserted ownership of hyperlinks (which they lost), though of course BT doesn’t quite fit the description of a patent troll.

Then again, it begs the question as to who or what should or shouldn’t be considered a patent troll – for example, it’s well known that IBM has a huge, gigantic, enormous arsenal of patents at its disposal. IBM also actively licenses these patents (and of course threatens litigation where it believes its rights are being violated), but it isn’t necessarily the case that IBM would otherwise have exploited these patents in what I’ll call “active” business – i.e. making and selling something based on the patent as opposed to primarily seeking royalties and licenses from those who do – even though IBM does do so in some cases. So does that make IBM a patent troll? What about Philo T. Farnsworth who, arguably, never started producing televisions but instead sought legal claims against others?

My perhaps overly simplistic take on this is that patent trolls are not inherently the problem, but rather the ability, primarily in the US, to register patents that should have never issued in the first place. If someone comes up with a smart, cool, inventive, and truly novel way of doing something, then they should certainly be free to either produce something with it, or sue the living daylights out of someone else who comes along and infringes the IP even if they don’t (or can’t) make productive use of it themselves. Not actively exploiting a patent is not necessarily tantamount to being a bad guy, IMHO.

It will be interesting to see what happens on this front, if anything. If nothing does, then I may well turn to drafting patents, the first being “Method of Utilizing a Rhythmic Cadence in the Expansion and Contraction of Multiple Muscular Groupings to Facilitate Indefinite Continuation of Metabolism of Cell Structures.” I like the sound of that. Yes indeed.