“Anonymized” data really isn’t—and here’s why not – Ars Technica

You have zero privacy anyway. Get over it.

So spoke Scott McNealy more than a decade ago. At the time he made this statement, he received a fair amount of criticism. Turns out, he might very well have had a point, though perhaps for reasons he might not have foreseen.

A recent paper highlights the issue of the “reidentification” or “deanonymization” of anonymized personal information. However, the issue goes beyond anonymized information to the very heart of how one should define personal information that is or should be protected under privacy legislation.

“Anonymized” data really isn’t—and here’s why not – Ars Technica.

Canadian privacy legislation simply defines personal information as “information about an identifiable individual” (excluding certain information about someone in their capacity as an employee). However, what does “about an identifiable individual” mean? Does it mean that the person collecting the particular nugget of information can associate it with a person’s identity? Or, perhaps more disconcertingly, does it include data that alone (or even in conjunction with all the other information collected by a given organization) could not be linked with a particular individual, but that has the potential to be associated with someone when analyzed together with information available from other sources?

multitasking

This one isn’t quite law related or quite technology related, though it sort of touches on both. Just wanted to share something quite remarkable I saw this evening.

I was riding home in a cab with my wife and young son, going down Bay St. at about 8 pm this evening. While stopped at the lights, I casually noticed a gentleman, sitting in the car beside us, obviously very preoccupied with something, looking at his Blackberry with some degree of concentration and furiously typing away with his thumbs. It was quite easy to see given the backlight of his BB was very bright.

After a few seconds the light changed, he sped onwards, and so did we. And he continued to type, with some degree of vigour, apparently fully preoccupied with his urgent e-mail.

So, you ask, what is so remarkable about this? Surely this isn’t the first time I’ve seen someone tapping away on a BB in a cab, right? And the answer to that would be no. Definitely see it all the time. In fact, do it myself sometimes. Great time saver.

So what’s the big deal? He was the one driving! Certainly understand perhaps taking a quick peek at your BB when stopped at the lights. But amazingly, this fellow that I saw simply continued to tap away busily while pressing the accelerator and speeding away. Neither of his hands was on the wheel, and it was quite clear to me that his vision was focused on his BB and not the road (though admittedly he did see the light turn green). I couldn’t tell if he perhaps was guiding the wheel with his elbows.

The stretch of Bay St. we were on is fairly straight, so I imagine someone could just take their hands off the wheel for a stretch and continue relatively unscathed. But do so, and at the same time also try to write an e-mail to someone? What sort of e-mail could possibly be so important as to be worth risking your life (and the lives of those around you)? Moreover, what kind of person would be so pressed for time that they could not let the e-mail wait a few minutes until they pulled over somewhere to compose it? I can’t imagine that he did a very good job at either.

While nothing much happened this time (he managed to make his left a bit later – too out of range to see what happened to his BB, but obviously with at least one hand off of it), I do wish him the best that karma may have in store for him.

Fair Use and the DMCA

An article in Wired News with the dramatic title of “Lawmakers Tout DMCA Killer” describes the most recent attempt to: (a) water down the protections afforded to content owners by the DMCA; (b) ensure the preservation of fair use rights on the part of users. As is usual, each side has its own rhetoric to describe what is happening, so in fairness I took the liberty of offering to readers of this blog the two alternative descriptions above. The nub:

The Boucher and Doolittle bill (.pdf), called the Fair Use Act of 2007, would free consumers to circumvent digital locks on media under six special circumstances.

Librarians would be allowed to bypass DRM technology to update or preserve their collections. Journalists, researchers and educators could do the same in pursuit of their work. Everyday consumers would get to “transmit work over a home or personal network” so long as movies, music and other personal media didn’t find their way on to the internet for distribution.

And then of course on the other side:

“The suggestion that fair use and technological innovation is endangered is ignoring reality,” said MPAA spokeswoman Gayle Osterberg. “This is addressing a problem that doesn’t exist.”

Osterberg pointed to a study the U.S. Copyright Office conducts every three years to determine whether fair use is being adversely affected. “The balance that Congress built into the DMCA is working.” The danger, Osterberg said, is in attempting to “enshrine exemptions” to copyright law.

To suggest that content owners have the right to be paid for their work is, for me, a no-brainer. That being said, I wonder whether the DMCA and increasingly more complex and invasive DRM schemes will ultimately backfire – sure they protect the content, but they sure as heck are a pain in the ass – just my personal take on it. For example, I’d love to buy digital music, but having experienced the controls that iTunes imposes and suddenly having all my tracks disappear, I just don’t bother with it now. Not to mention the incredible hoops one needs to go through to display, say, Blu-ray on a computer – at least in its original, non-downgraded resolution – why bother with all of that at all?

I wonder whether this is, in a way, history repeating itself. I am old enough to remember the early days of software protection – virtually every high-end game or application used fairly sophisticated techniques (like writing non-standard tracks on floppies in between standard tracks) in attempting to prevent piracy. Granted, these have never gone away altogether, particularly for super high end software that needs dongles and the like, and of course recently there has been a resurgence in the levels of protection that have been layered on in Windows, but after the initial, almost universal lockdown of software long ago, there came a period where it seemed many (if not most) software developers just stopped using such measures. At least that’s what seemed to happen. I’m not quite sure why, but I wonder if this same pattern will repeat with content rather than software. I suspect not. But hey, you never know.

In the meantime, off I go, reluctantly, in the cold, cold winter, to the nearest record shop to buy music the old fashioned way…


Alarm Bells Over Vista’s “Fine Print”

I like Michael Geist. He’s a law professor at the University of Ottawa and writes a column in the Toronto Star. Not that I agree with everything he says, but I certainly do respect the fellow. He’s a sort of Lawrence Lessig of the Great White North, for those of you from the US. A lot of what he says has merit, or at least is worthy of debate. But when I read his last column on how Vista’s legal fine print raises red flags, well, it left me scratching my head a bit. Don’t get me wrong, I don’t think Microsoft is the world’s saviour or anything, and from the perspective of a user I’m not that keen on all the DRM stuff in Vista and the headaches it will cause in using protected content, but OTOH I did raise a bit of an eyebrow to some of his comments on the Vista license. Such as:

Vista’s legal fine print includes extensive provisions granting Microsoft the right to regularly check the legitimacy of the software and holds the prospect of deleting certain programs without the user’s knowledge. During the installation process, users “activate” Vista by associating it with a particular computer or device and transmitting certain hardware information directly to Microsoft.

I don’t particularly like activation, but this is nothing new – Windows XP has activation and as for hardware information, I’m not sure how sensitive I would consider the make or model of my video card to be. I also find the reference to “deleting certain programs” to be a bit overstated. I wasn’t able to find anything about deleting programs in the Vista license I got from the MS website. It implies that Vista can suddenly go wild and start erasing other stuff you’ve installed. The only thing I was able to find was in Section 5(c), which says:

If, after a validation check, the software is found not to be properly licensed, the functionality of the software may be affected. For example, you may

  • need to reactivate the software, or
  • receive reminders to obtain a properly licensed copy of the software,

or you may not be able to

  • use or continue to use some of the features of the software,

Again, nothing particularly surprising – XP had the same thing – you don’t have validated software, you can’t use certain features of the software (i.e. Windows Vista, not other stuff).

Continuing on:

Even after installation, the legal agreement grants Microsoft the right to revalidate the software or to require users to reactivate it should they make changes to their computer components. In addition, it sets significant limits on the ability to copy or transfer the software, prohibiting anything more than a single backup copy and setting strict limits on transferring the software to different devices or users.

On revalidation, again, nothing new at least compared to XP – same complaints of course as well. As for backup copies – well, it’s pretty standard to only permit one backup. I’d prefer more but I don’t find it super-alarming to be limited to one. As for “strict limits on transferring” these are set out in Section 16:

a. Software Other Than Windows Anytime Upgrade. The first user of the software may make a one time transfer of the software, and this agreement, directly to a third party. The first user must uninstall the software before transferring it separately from the device. The first user may not retain any copies.

b. Windows Anytime Upgrade Software. You may transfer the software directly to a third party only with the licensed device. You may not keep any copies of the software or any earlier version.

c. Other Requirements. Before any permitted transfer, the other party must agree that this agreement applies to the transfer and use of the software. The transfer must include the proof of license.

I gotta say I don’t find any of the above particularly strict, onerous or burdensome. Before you transfer, you must uninstall and not retain any copies. The transferee must agree to the agreement. You must transfer proof of the license. Hmmm. Doesn’t seem that bad.

Then, onto Windows Defender:

Vista also incorporates Windows Defender, an anti-virus program that actively scans computers for “spyware, adware, and other potentially unwanted software.” The agreement does not define any of these terms, leaving it to Microsoft to determine what constitutes unwanted software.

C’mon. There is a general understanding of what constitutes spyware and adware. And yes, “potentially unwanted software” is vague. But how then, should it be defined? “Bad stuff”? Interestingly he fails to mention the language that follows:

If it finds potentially unwanted software, the software will ask you if you want to ignore, disable (quarantine) or remove it. Any potentially unwanted software rated “high” or “severe,” will automatically be removed after scanning unless you change the default setting. Removing or disabling potentially unwanted software may result in

  • other software on your computer ceasing to work, or
  • your breaching a license to use other software on your computer.

By using this software, it is possible that you will also remove or disable software that is not potentially unwanted software.

So Defender will ask you what to do (which he doesn’t mention), except for “high” or “severe” software, which it removes unless you change the setting (which he does). Well, I can understand the auto-removal thing. If it was left off by default (i.e. didn’t remove), then fingers would be pointed at MS at having lousy default security settings – a criticism often levelled (and, I think, justifiably so) at XP’s security settings – the rock on the other side of the hard place Michael identifies.

Then this:

Once operational, the agreement warns that Windows Defender will, by default, automatically remove software rated “high” or “severe,” even though that may result in other software ceasing to work or mistakenly result in the removal of software that is not unwanted.

C’mon Michael, that’s a bit over the top, isn’t it? Even “nice” spyware removers, like Spybot (highly recommended, btw) specifically warn that removing spyware might remove or cause other software not to work any more. Of course. Because many of the filthy, evil, nasty folks who distribute spyware or adware bundle it up with software that people actually want to use, and bundle it up in such a way that you can’t get rid of the spyware without killing the other software. Go figure.

Lastly:

For greater certainty, the terms and conditions remove any doubt about who is in control by providing that “this agreement only gives you some rights to use the software. Microsoft reserves all other rights.” For those users frustrated by the software’s limitations, Microsoft cautions that “you may not work around any technical limitations in the software.”

Grr. Of course. Show me a commercial license that gives anyone “all” rights to use the software without restriction. Actually, even the GPL doesn’t permit that – there are still limitations and restrictions even in open source code as to what you can and can’t do. I don’t think it’s fair to point to this type of language and imply that Microsoft is up to no good here. Same goes with the last sentence. Sure, you can’t hack the software. Doesn’t surprise me.

I never thought I’d be defending Microsoft’s licensing practices. Not to mention questioning Mr. Geist’s criticisms of same. But there you go. Not that I necessarily think, OTOH, that you should go out and buy Vista. Though it is pretty.

Pretexting, Ethics and Clients

Still catching up a bit – very quick post on the HP “pretexting” thing. As you may recall, HP asserted that its practice of pretexting – i.e. pretending to be someone else to get confidential telephone records – was legal. They were investigating leaks to the press by one of their board members and had resorted to this practice to try and find the leak. I had commented elsewhere long ago when this story first broke that even if it were illegal, very few (if anyone) could consider such actions the least bit ethical.

As most of you know apparently there was some disagreement as to legality and a few folks at HP were charged. Then I read this recent story about how HP was ending its special ties to Larry Sonsini, of the California powerhouse firm of Wilson Sonsini:

Sonsini – famous for decades in these parts – gained national fame in September during HP’s spy scandal hearings in front of Congress. Emails between the lawyer, HP executives and former director Tom Perkins raised serious questions about how sound Sonsini’s advice was around the practice of pretexting. He seemed to indicate that phone record fraud sounded like fair game, after being nudged in that direction by HP’s internal lawyers.

My emphasis. It’s unfortunate to hear of something like this. I don’t doubt that he took the time and effort to research the law to come to a reasonable opinion on the matter before advising his client – obviously it was a very grey area of the law. In those circumstances it’s unfortunate that he didn’t perhaps suggest, notwithstanding the black letter of the law, that it would be unwise to take the course of action they were contemplating. That as good corporate citizens with a significant public profile, such a practice is not something they should even consider. But then again, maybe he did and they didn’t listen (and of course he would surely have the good sense never to say that in public and embarrass a major client) or maybe he thought that such comments were not for legal counsel to make. Who knows.

The situation is not unfamiliar to many lawyers – particularly when it comes to giving opinions – lawyers are sometimes subjected to pressure to deliver the opinion that a client wants to hear rather than the one they should probably be delivering. By this I’m certainly not suggesting lawyers are delivering bad or incorrect opinions. What I am saying is that there are often grey areas of the law (which tend to be the areas on which legal expertise is sought) and in respect of which opinions can go one of two or more ways. And sometimes, the client will want to hear a certain outcome – for example, in the case of HP, I’m sure they would have liked the comfort to hear from their external counsel that their actions were legal – it would serve as some evidence that they took some degree of diligence and could serve to mitigate consequences if it turned out governmental authorities differed. If he, on the other hand, refused, or proffered a legal opinion that it was fine but qualified with a recommendation not to take such actions, HP likely would have not been very happy with him. And everyone knows what happens when clients aren’t happy.

It’s an unfortunate situation to be in. Particularly in this case, where, at the end of the day, HP still, obviously, isn’t happy with him.