no privacy right in identity linked to ip address

The Ontario Court of Appeal released its decision in R v. Ward earlier today. The case involved the conviction of a worthless low-life pedophile by the name of David Ward.

The police were able to find him, in part, by tracking down his IP address and asking his ISP to provide the identity of the customer using the IP address at the time. His ISP did so voluntarily, even though the police did not have a search warrant. The appeal focused on whether or not he had been subject to unreasonable search and seizure, in violation of the Charter of Rights, and whether or not he had a reasonable expectation of privacy.

The Court of Appeal’s decision concluded that the disclosure of this information by the ISP to the police did not violate his Charter rights, and that there was not, nor should there have been, a reasonable expectation of privacy.

While my personal sentiments in respect of Mr. Ward would be that I could care less if he rotted in a jail cell for the rest of his days, the ends, as they say, do not always justify the means. And if the law is to be applied equally to everyone, I do believe there are some rather disconcerting implications regarding the conclusions in this case, notwithstanding the court’s attempt to put a ring fence around its application.

No time for the detailed analysis right now but it will be forthcoming. In the meantime, I encourage you to read the case – what do you think?

buying illegal drugs on the internet

I suppose that headline is also found in quite a bit of spam. Oh well. I read with interest this story in Forbes about how the Silk Road site is facilitating about $2 million a month in illegal drug sales over the internet, using technologies such as Bitcoin for payment (which apparently is untraceable) and Tor to serve the site (which apparently is also untraceable). As an aside, the only reason I say “apparently” is because it always seems that no matter how airtight any electronic security measure seems to be, there always eventually seems to be someone who comes along who is sufficiently clever and/or dedicated to bypass it.

My initial thought on this story was that it was rather a shame that such useful technology would be put to such notorious uses, and wondered how long it would be until someone called for government control or prohibition of such technologies. Yes, yes, I know, this hearkens back to the now somewhat dated debate regarding controls over crypto and the release of the rather poorly received Clipper chip. And yet, I still encounter those who feel that this is the proper approach to such technologies, and the only way that criminals who use such technologies can be pursued and apprehended with any reasonable measure of efficacy.

Perhaps needless to say, but I don’t quite agree with such an approach, largely for the same, very practical reasons that Clipper did not succeed (which I’ll leave to you and Google to find). That being said, I’m fully expecting the dialogue around this story to broach this debate once again.

 

who invented the internet

Had been planning just to tweet this now (somewhat old) story in the Wall Street Journal about Who Really Invented the Internet but thought I’d comment just a bit. The opinion piece is written by Gordon Crovitz, who seems to have some really solid, heavy-duty credentials – they make me look like a special needs student:

Gordon Crovitz is a media and information industry advisor and executive, including former publisher of The Wall Street Journal, executive vice president of Dow Jones and president of its Consumer Media Group. He has been active in digital media since the early 1990s, overseeing the growth of The Wall Street Journal Online to more than one million paying subscribers, making WSJ.com the largest paid news site on the Web. He launched the Factiva business-search service and led the acquisition for Dow Jones of the MarketWatch Web site, VentureOne database, Private Equity Analyst newsletter and online news services VentureWire (Silicon Valley), e-Financial News (London) and VWD (Frankfurt).

He is co-founder of Journalism Online, a member of the board of directors of ProQuest and Blurb and is on the board of advisors of several early-stage companies, including SocialMedian (sold to XING), UpCompany, Halogen Guides, YouNoodle, Peer39, SkyGrid, ExpertCEO and Clickability. He is an investor in Betaworks, a New York incubator for startups, and in Business Insider.

Earlier in his career, Gordon wrote the “Rule of Law” column for the Journal and won several awards including the Gerald Loeb Award for business commentary. He was editor and publisher of the Far Eastern Economic Review in Hong Kong and editorial-page editor of The Wall Street Journal Europe in Brussels.

He graduated from the University of Chicago and has law degrees from Wadham College, Oxford University, which he attended as a Rhodes scholar, and Yale Law School.

Wow.

Anyway, the premise of the article is that the US government didn’t create the internet:

It’s an urban legend that the government launched the Internet. The myth is that the Pentagon created the Internet to keep its communications lines up even in a nuclear strike. The truth is a more interesting story about how innovation happens—and about how hard it is to build successful technology companies even once the government gets out of the way.

Interesting premise, but quite surprised by some statements he makes in support of it which seem to be a bit inaccurate. Such as equating the invention of Ethernet with the invention of the internet. Or suggesting that the Ethernet was “developed to link different computer networks”.

Oops. Looks like others have already dissected this much more thoroughly. See Ars Technica and the LA Times.

electronic document regulations for financial institutions finalized

Earlier this year (May 8 to be precise), the Canadian federal government published some draft regulations relating to the use of electronic documents by federally regulated financial institutions. You can find a rather brief summary in an earlier post, along with some colour commentary comparing the regulations against similar types of provisions in the Ontario Consumer Protection Act and Electronic Commerce Act. You can find the earlier draft regulations in that post or at the Canada Gazette website (scroll down to the bottom).

In any event, about two weeks ago (November 10 to be precise), the federal government released the finalized regulations for banks and bank holding companies, cooperative credit associations, insurance and insurance holding companies and trust and loan companies.

If you haven’t yet reviewed the legislation, you may want to look at my earlier post, which remains, I think, somewhat useful, as the revisions made between the draft and final regulations are not that significant. If you’d like to see for yourself, I’ve taken the liberty of generating redlines (in Word format) for each of them (banks – redline, coops – redline, insur – redline and trusts – redline) or you can read the summary below.

There are basically two items that are common across all the regulations. The first isn’t really much of a change but rather the fixing of the date upon which they come into force, which has now been set for June 1, 2011. The second change is a minor clarification that specific information provided in a consent is only applicable if that consent is provided in writing (whether in paper or electronic form). Here’s the specific change, which looks to be common across all four regulations:

(4) If the addressee’s consent is provided in writing, in paper or electronic form, it must include the name of the information system designated by the addressee for the receipt of the electronic document and a list, in paper or electronic form, of the notices, documents or other information that is covered by the consent.

Seems to make sense, given that such consent can also be provided orally, and that is addressed in the next clause:

(5) If the addressee’s consent is provided orally, the originator or the person acting for the originator must, without delay, provide the addressee in writing, in paper or electronic form, with the information referred to in subsection (2) and confirm the information referred to in subsection (4).

The federal government provides the following comments in the related regulatory impact analysis statement (scroll down toward the end) with respect to this change, the in-force date and some changes which had been requested but were not made:

Consultation

After pre-publication of these regulations on May 8, 2010, in the Canada Gazette, Part I, comments related to about 10 different issues were raised from financial industry associations. Only two of the four regulations were commented on, namely the Electronic Documents Regulations and the Policyholders Disclosure Regulations. In addition, the comments did not raise any substantial concerns but rather focused on ensuring that the regulations efficiently achieved the stated policy goals.

As a result, the Government has made minor modifications to the Electronic Documents Regulations to more efficiently handle situations where a customer of a financial institution provides oral consent for the electronic delivery of documents. The previous version of the Regulations appeared to require customers to give financial institutions written documentation when giving consent in all cases — notwithstanding the fact that the Regulations allow for consent to be granted orally. Section 5(4) now sets out the information that must be provided when consent is not provided orally (including the name of the information system designated by the addressee and a list of the notices, documents or other information that is covered by the consent). Section 5(5) goes on to set out the responsibilities of the originator to properly document oral consent and confirm the information received from the customer.

Some comments have not been reflected as stakeholders requested changes that were inconsistent with the policy intent of the regulations. For example, requested changes to the Policyholder Disclosure Regulations would have had the effect of unduly narrowing the scope of information provided to holders of insurance policies with governance rights attached. Other comments to remove from the definition of adjustable policies those where an insurance company can indirectly change the premium or charge for insurance would have had the effect of restricting the Government’s ability to ensure compliance with the regulations.

Implementation, enforcement and service standards

Industry representatives asked that the regulations come into force from six months to one year after final publication, indicating operational challenges (systems, procedures, training). To allow financial institutions sufficient time to prepare documentation in advance of annual general meetings, this package of regulations will come into force on June 1, 2011.

The regulations do not require any new mechanisms to ensure compliance and enforcement. The Office of the Superintendent of Financial Institutions (OSFI) already administers the governance provisions in the federal financial institutions statutes. As such, OSFI would ensure compliance with the new requirements using its existing compliance tools, including compliance agreements and administrative monetary penalties.

draft electronic document regulations for financial institutions published

Last week (May 8 to be exact) the federal government published draft regulations relating to the use of electronic documents by federally regulated financial institutions. These regulations are part of a process that began in 2005 to harmonize and modernize legislation governing banks, insurance companies, trust companies and cooperatives.

The new regulations set out the general requirements that such institutions must meet in order to use electronic documents when dealing with stakeholders. You can find links to the draft regulations and a regulatory impact analysis at the end of this post.

Here’s the Coles Notes summary:

  • electronic documents related to securities transfers are excluded;
  • electronic documents must be in clear and simple language that is not misleading
  • a requirement to provide a document may be satisfied by making the document available through a generally accessible electronic source (such as a website) and giving notice (whether paper or electronic) to the person to whom the document must be provided, unless there’s a requirement under the legislation to deliver to a specific place, in which case the website mechanism won’t work;
  • consent to receive electronic documents can be obtained from addressees in writing (paper or electronic) or orally, but, unless it’s just a one time consent, they must be notified in writing (paper or electronic) regarding:
    • when their consent is effective,
    • that they can revoke their consent,
    • that they are responsible for updating the address to which electronic documents are delivered, and
    • that the sender will only retain electronic documents for a specified period, following which it becomes the responsibility of the recipient to retain a copy
  • the notification or consent above, if in electronic form, must be provided in a form that can be retained by the recipient for future reference
  • consent must include address designated for receipt and a list of notices covered by the consent and, if consent is provided orally, the sender must confirm such information, as well as that in the original notice, in writing (paper or electronic)
  • consent can be revoked in writing (paper or electronic) or orally
  • revocation, and when it takes effect, must be confirmed in writing and the confirmation, if provided in electronic form, must be accessible and capable of being retained for future reference
  • an electronic document is considered provided to someone when it:
    • leaves an information system in the control of the sender, or
    • when it is posted or made available through the secure website of the sender (no reference to a notice needing to be sent to them)
  • an electronic document is considered received by someone when it:
    • enters the information system designated by them
    • it is posted or made available through the secure website of the sender, or
    • the recipient receives the notice mentioned in the third bullet above (i.e. when posting to a website, the notice alerting the recipient that it’s available)
  • electronic signatures must consist of letters, characters, numbers or symbols in digital form incorporated, attached or associated with an electronic document

Not quite clear to me why the provision on sending doesn’t refer to the alert notice being sent. Nor is it clear to me what the reference to “secure” websites means. But apart from those nits, one of the good things about these new regulations is that they expressly provide for a mechanism that permits the delivery of electronic documents by posting to a website, combined with the delivery of a notice (which can of course be much shorter) that the electronic documents are available. In contrast, other acts, such as the Ontario Consumer Protection Act and its associated regulations, do not expressly permit such a mechanism when it comes to delivery of “internet agreements” – for example, s. 33(3) of the regulations indicates that an internet agreement is considered delivered by:

1. Transmitting it in a manner that ensures that the consumer is able to retain, print and access it for future reference, such as sending it by e-mail to an e-mail address that the consumer has given the supplier for providing information related to the agreement.

2. Transmitting it by fax to the fax number that the consumer has given the supplier for providing information related to the agreement.

3. Mailing or delivering it to an address that the consumer has given the supplier for providing information related to the agreement.

4. Providing it to the consumer in any other manner that allows the supplier to prove that the consumer has received it.

Similarly, the equivalence rules in the Ontario Electronic Commerce Act specifically exclude the posting of information to a website as satisfying a legal requirement to provide information or a document in writing:

10. (1) For the purposes of sections 6, 7 and 8, electronic information or an electronic document is not provided to a person if it is merely made available for access by the person, for example on a website.

Same

(2) For greater certainty, the following are examples of actions that constitute providing electronic information or an electronic document to a person, if section 6, 7 or 8 is otherwise complied with:

1. Sending the electronic information or electronic document to the person by electronic mail.

2. Displaying it to the person in the course of a transaction that is being conducted electronically.

Though in both cases there is some room either to argue that a web-based posting could satisfy the requirements of either act (e.g. posting to a website plus sending a notice of availability would not be “merely” making the information available on a website), it’s certainly not as expressly permitted as in the new draft regulations.

Of course, the regulations should be read in connection with the corresponding provisions (Bank Act – scroll down to Part XVIII, Insurance Companies Act – scroll down to Part XX, Trust and Loan Companies Act – scroll down to Part XIV.1, Cooperative Credit Associations Act – scroll down to Part XVII.1) in each act relating to the use of electronic documents.

Links to draft regulations: Regulatory Impact Analysis; Bank Regulations; Insurance Company Regulations; Trust and Loan Companies Regulations; Cooperative Credit Associations Regulations

anonymous e-mailers, forum posters, meet norwich orders

A very nice summary of a recent Ontario case on Norwich orders by Omar Ha-Redeye in Slaw. Within the context of anonymous internet communications (anonymous e-mail accounts, forum postings, etc.), a Norwich order can be used to compel a service provider (such as an ISP, a forum host or e-mail service provider) to provide information on its customer in an attempt to identify the individual who has sent an e-mail or posted a message that has given rise to a claim or potential claim.

The case noted by Omar related to a defamatory e-mail that was sent from an anonymous Gmail account. The person making the claim needed to take a few steps in order to attempt to identify the alleged wrongdoer. First, as it is possible to open a Gmail account without submitting full/accurate personal information, he would have needed to obtain a Norwich order from Google. That order likely would have requested from Google a listing of the IP addresses used to create and/or access the specified Gmail account and the times at which they were used. Once the IP addresses were obtained, it would be easy to identify the ISPs or organizations which were allocated those addresses through a WHOIS or similar enquiry (generally IP address allocations are public information). IP addresses typically are not sufficient to identify a particular individual since most (if not all) of them are allocated to organizations, who then either permit specific computers within their organization to use them on a permanent basis (static IP addresses), or allocate them on a dynamic basis. In the case of most ISPs, they will maintain a pool of IP addresses that are used as their customers switch on their computers and access their accounts, so that the address allocated to any particular customer may vary over time.

Consequently, once the wronged party had obtained the relevant IP addresses and identified the ISPs, he would have needed to file a Norwich order against the ISPs to obtain information regarding the account holders who had used the IP addresses at the indicated times. The ISP’s records would allow them to do this, as ISPs will usually need to validate the identity of their customers when they sign up. The case at hand involved this second step, and the wronged party was successful in having the Norwich order issued against the ISPs.

Norwich orders are very useful devices to help advance claims where a wrongdoer attempts to use the cloak of anonymity to protect him or herself from liability. That being said, technology being what it is, there are limits to what a Norwich order can do. For example, if a wrongdoer used cash-only web-cafes, free anonymous wifi connections, anonymization proxies or IP spoofing, or pirated third party wifi signals or hacked into a third party computer, it may be more difficult to successfully identify the wrongdoer (though even in these cases it may not be impossible). Along similar lines, an individual whose information was obtained in such a manner could also assert, in defence of a claim, that although the account with the ISP was in his or her name, it wasn’t that individual who actually initiated the wrongful communication – e.g. shared ISP connection with others or hacked computer or internet connection. In short, while a Norwich order will provide useful information that will likely lead in the right direction to track down a wrongdoer, ultimately the only information it will provide is the linkage between an IP address used for wrongdoing and the account holder allocated that IP address, and not necessarily the individual committing the wrongdoing.
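The second step described above, matching an IP address and a time against an ISP’s allocation records, worked through as an added example (not part of the original post, and not any ISP’s actual tooling). The lease records, account ids, the `resolve` function and the two-minute clock-skew tolerance are all constructed or assumed for illustration; the point is that the time and its UTC offset matter as much as the address, and that the answer is an account, not a person.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed ISP allocation log: (ip, account id, lease start, lease end).
# The same dynamic address is handed to two different customers on one day.
LEASES = [
    ("198.51.100.23", "ACCT-1001", "2024-03-01T08:00:00+00:00", "2024-03-01T20:00:00+00:00"),
    ("198.51.100.23", "ACCT-2002", "2024-03-01T20:00:05+00:00", "2024-03-02T09:30:00+00:00"),
    ("198.51.100.77", "ACCT-3003", "2024-03-01T00:00:00+00:00", "2024-03-03T00:00:00+00:00"),
]


def _parse(ts):
    """Parse an ISO 8601 timestamp and refuse one with no UTC offset.

    A log time without an offset could be hours off, which on a dynamic
    pool means a different customer.
    """
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset cannot be matched: {ts}")
    return dt


def resolve(ip, when, skew=timedelta(minutes=2)):
    """Return (status, accounts) for the account(s) holding `ip` at `when`.

    status is "unique", "ambiguous" (the event time, widened by the assumed
    clock skew between the two organisations' logs, touches more than one
    lease) or "no_record". The result names an account holder only; it says
    nothing about who was at the keyboard.
    """
    addr = ip_address(ip)
    t = _parse(when)
    lo, hi = t - skew, t + skew
    accounts = []
    for lease_ip, account, start, end in LEASES:
        if ip_address(lease_ip) != addr:
            continue
        # Interval overlap between the lease and [event - skew, event + skew].
        if _parse(start) <= hi and _parse(end) >= lo and account not in accounts:
            accounts.append(account)
    if not accounts:
        return "no_record", accounts
    return ("unique" if len(accounts) == 1 else "ambiguous"), accounts


if __name__ == "__main__":
    # Constructed events, as a service provider might disclose them.
    events = [
        ("198.51.100.23", "2024-03-01T12:15:00+00:00"),  # mid-lease
        ("198.51.100.23", "2024-03-01T20:00:30+00:00"),  # at the hand-over
        ("198.51.100.23", "2024-03-01T15:15:00-05:00"),  # local time with offset
        ("203.0.113.9", "2024-03-01T12:15:00+00:00"),    # not this ISP's address
    ]
    for ip, when in events:
        print(ip, when, *resolve(ip, when))
```

The third event shows why the offset matters: read as 15:15 UTC it would point at ACCT-1001, while the stated -05:00 offset places it in ACCT-2002’s lease.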

dooced, canadian style

A good article in The Lawyer’s Weekly about someone getting dooced in Alberta. The short version: Woman blogs anonymously about her supervisors and co-workers, but in a way that makes all of them easily recognizable to anyone in her work place. Oh, and things she says aren’t exactly nice. Her employer fires her as a result. Goes to arbitration and the termination is upheld. Perhaps not all that surprising. Anyway, some thoughts and tips from the article:

Although the dismissal was upheld in Alberta Union, not all Web 2.0 posts that an employer finds distasteful will provide grounds for discipline or termination. Blogging or Facebooking at work is one thing, but the general rule regarding discipline for off-duty conduct is that an employer is not the custodian of their employees’ private lives. Exceptions are made when, as it was found in Alberta Union, the posts irreparably harm the employment relationship. This can include conduct that:

• prevents employees from performing their duties satisfactorily;

• interferes with employees’ ability to work effectively with fellow co-workers;

• breaks confidentiality policies or employees’ duty of fidelity to the employer;

• harasses or defames management or fellow employees;

• deliberately attempts to undermine management’s ability to direct its workforce;

• harms the company’s reputation (however, rank and file employees may be held to a lower standard than those employees who hold higher positions of trust or responsibility).

Counsel should encourage employers to take measures to prevent the sort of conduct that attracts discipline in the first place. Having a discussion with employees is a good start. The general tenor of blogs and social networking sites is akin to casual conversation, and, naturally, many people will talk about work.

Unfortunately, as Alberta Union illustrates, many employees are unaware Web 2.0 conduct can affect their careers and attract legitimate sanction. Pointing this out to employees can save both the employer and the employee a lot of grief.

Alberta v. Alberta Union of Provincial Employees (R. Grievance), [2008] A.G.A.A. No. 20

chrome a windows killer? i doubt it

Read an article in eWeek that left me scratching my head a bit. The nub below:

Then later:

And that would spell doom for Microsoft. It’s one thing to squeeze Microsoft out of the Internet game by dominating search and Web services. It’s another entirely to come after the software giant’s core operating system business, wielding the Web as your platform.

Must admit I have a lot of trouble seeing that, as I would have thought in order to supplant Windows, it would need to be gone, and to go from a browser that sits on an o/s to replacing the o/s seems to be a rather large leap. A huge leap, actually.

What they’re suggesting might happen is already a possibility today. There is definitely something that can supplant Windows altogether, and provide access to all the web-oriented apps, etc. that Google offers. It’s cheap (sometimes free), stable and has pretty good UIs – in fact, a selection of UIs and different flavours. It’s called Linux. However, for a variety of reasons, it hasn’t kicked Microsoft’s ass yet (at least on the desktop – there are a few areas where it definitely does, such as web and other server functions).

To suggest, then, that, because Google has come out with a browser, that that will lead to the supplanting of Windows seems, IMHO, to be a bit far-fetched. I’m not suggesting that Google wouldn’t have the wherewithal to try to go after the desktop. They may do so. Though I’m not sure if they’d want to – they have a pretty good business model already…

Anyway, if and when they do something like that it will be so much larger an undertaking than Chrome that the links between that and Chrome would be tenuous at best, other than possibly bundling Chrome within whatever o/s they create.

Even possibly on the application front, I can see Google putting some pressure on MS, and how this might tie with Chrome. But not the o/s on which the whole thing runs.

So I think for the time being, Bill and Steve probably don’t have much to worry about with Chrome’s introduction, at least when it comes to the o/s business (IE on the other hand, is another matter altogether…).

google announces new browser

Most of you probably already have heard that Google has officially announced its new browser, Chrome, which will be released to the public (in beta form) later today. It is an open source project that has a very, very interesting set of features that enhance security, privacy, speed and stability, including multiprocessing architecture.

You can read more about the features in the comic that Google has published to walk you through it. What a great approach. Wikipedia also has a bit of a compressed summary of the new features as well, which is a bit quicker to get through than the comic.

Will be very interesting to see how this browser does. I imagine it likely will be quite good, given most of the stuff that Google has offered. That being said, I was a bit concerned as to what this meant for Mozilla, whose existence (or at least revenue) I understand depends significantly on its relationship with Google, which is now, effectively, a competitor of sorts. Mozilla’s CEO has already posted his reactions to Chrome. Whether or not it turns out to be a good thing or bad thing remains to be seen – there are already a few folks who have alluded to the possibility of a Google “monopoly” and/or anti-competitive behaviour through Chrome. IMHO I think that’s rather unlikely.

At the end of the day, though, I think this will only serve to enhance the choices people have, browser wise, and improve things all around. Though I’m hoping it will not lead to the demise of Mozilla. I like Mozilla. And of course Firefox.

Update: Alas several hours later no Chrome love for yours truly. If you haven’t given it a shot by all means do so and let me know if you get through. I imagine that’s what happens when a billion or so people try to download the same thing, notwithstanding Google’s massive pipes and data centres. (see below) Also, saw a great story in The Register, that poked a bit of fun at Google. A little sample that, coincidentally, fits right in with the law-related theme of this blog:

Further update: Seems I had a bad link. Tried again (googled) and was able to download from a different URL. Very easily, actually. But, alas, apparently need to close the browser I’m using to install…

Further further update: Installed and running. So far, so good. Rather bare bones but impressive memory footprint, and very snappy, both on launch and, well, pretty well everything else. A very simple and straightforward approach that doesn’t have a million options, choices and tweaks, or nifty integrations (a la Flock). Miss my plugins though. And not surprising there don’t appear to be any for Chrome right now, at least AFAIK.

Another update: Works well but does not play well with Facebook – some links/features just don’t work.

premature cuil punditing

I was a bit surprised to read all the hype (or anti-hype, if there is such a thing) on cuil – the new search engine that debuted just a few days ago. I read an article in the paper this morning on it, pronouncing it to be a failure. Then this in Time, also declaring it not to live up to Google:

“Anybody who thought [Cuil] was this Google killer can really see now that no, that’s not going to happen today — and the likelihood is that’s not going to happen a year from now,” says Danny Sullivan, internet search guru and editor-in-chief of SearchEngineLand.

Yes, I do understand that things happen faster on all things internet, but c’mon, pronouncing them DOA in less than a week after their launch? Seriously?

Let’s do a bit of a reality check. Sure, the folks behind cuil have some great credentials – previously engineers at Google, developers of AltaVista, etc. etc. But you’re comparing a startup with a few million in VC money with the 800 lb gorilla of the internet. An 800 lb gorilla that has been around for many, many years. And which has been able to grow its revenue into the billions. And which has been able to invest huge chunks of that revenue into its technology and infrastructure.

So when people say cuil, less than a week out of the gate, is no Google killer, it seems to me that the appropriate response is “Duh. Of course not.” Where was Google a week after it launched?

Anyway, perhaps it’s more of a knee-jerk reaction to what people have described as the “hype” surrounding the startup – that commentators want to be seen as not buying into it. But making such broad pronouncements so early? A little premature if you ask me.