arbitrary electronic search & seizure + canadian border = ok

Following the judgement and policy confirming that US customs can conduct searches without suspicion, some of my colleagues in the trade group at McCarthy have published an e-Alert that describes Canadian authorities’ approach to searches of electronic devices at the Canadian border:

CBSA has yet to publish a report detailing its policy on border searches of electronic devices. That said, the CBSA has stated that its examination authority under the Customs Act extends to electronic storage devices. Other sources of information also suggest that they, like their American counterparts, do not accord electronic devices special status at the border. For example, the Canadian Customs Act broadly defines “goods” to include “any document in any form”, suggesting no special treatment for electronic documents. Canadian case law also supports this interpretation. In a 2008 Ontario Court of Justice decision, the Court stated that it saw no intrinsic difference between a computer search and a detailed examination of the contents of one’s suitcase.

2. Searches Without Suspicion

Given their characterization as ordinary goods, it follows that a border official can search travelers’ electronic goods even in the absence of suspicion regarding the traveler or the electronic device.

The article also provides some background on the situation with the US, confidentiality regarding information obtained from such searches, ability to detain electronic devices for further inspections, privileged information, and some thoughts on how to protect your information.

If you cross the border frequently with sensitive business information, it is well worth a read, as is my previous post on the US policy.

asp issues

Will keep this short – I was reading an article (whose authors will go unnamed) describing some recent trends in software licensing and issues arising from those trends. One trend that was highlighted was the change from licensing of software to be installed and operated by a licensee (with maintenance and support from the licensor) to a vendor-hosted model (or “application service provider” or “ASP” for short), where the vendor instead sets up the software on its own machine and the vendor’s customers then make use of the software remotely – often through a browser, but sometimes through other “thin” clients.

What was the primary issue they identified? To make sure you get acceptance testing. Hmmm. Well, hate to disagree but I would think there might be a few others that might be at least (if not more) important. So, without further ado, some thoughts on what to keep an eye out for if you are thinking of signing up to an ASP service, in no particular order:

Your Data – Will your ASP be storing your data? Will it be your primary repository of your data? Is your data important? Does your data contain sensitive, confidential or personal information? If so, then you should make sure that your ASP is handling your data appropriately, including giving adequate assurances that it is only used for providing the service (and not anything else) and that appropriate security measures are taken to protect it, such as encrypted communications when sending/receiving as well as encrypted storage. We’ve all read the recent horror stories about certain large corporations who have misplaced, lost, or inadvertently disclosed sensitive data, such as credit card numbers. Make sure it isn’t your company making the headlines.

Service Levels and/or Easy Outs – Addresses the same issue as acceptance testing but in a different way. Typically one big advantage of ASPs is that there is no big upfront licensing fee and therefore no big upfront capital to invest, or risk regarding that capital investment in the event the software doesn’t do what it was expected to do. Thus, the concept of acceptance testing was invented to address this big upfront risk, with the thinking that you get to kick the tires extensively before you hand over the the truckload of cash. And if the testing doesn’t pan out, you don’t pay. OTOH, ASPs usually involve a periodic (typically monthly) payment which is much smaller. In effect, the monthly service fee can be thought of as a replacement for: (1) the amortized cost of the initial license fee; (2) maintenance and support; (3) investment in hardware and infrastructure; and (4) additional people costs on the vendor side, to keep (3) up and running. Very often this is a win-win situation, since vendors can often achieve economies of scale by running a large number of instances centrally at one dedicated data centre (and ironically to some extent harkening back to the days of mainframes + terminals – but I digress) and offer very attactive savings over what it would otherwise cost a customer to maintain the application in-house.

Anyway, the point being that there is less upfront risk with an ASP solution, provided of course, you’re: (a) not locked in to a 50 year contract; or (b) you have really good assurances that the software will be up and running as needed when you need it. Its good to have both, but at the same time it can also be thought of, to some extent, as an either-or proposition – if you can arrange for a month to month contract, then if the ASP stinks, just terminate and go elsewhere. Alternatively, if you get ironclad service levels (including significant credits and termination rights) then you might be willing to commit longer. Of course, you’ll also need to ensure that you have the ability, in the case of a month to month agreement or termination rights, to move to another service easily, and to get your data back, etc. But I’ll leave that for another time.

Anyway, not necessarily saying that acceptance testing isn’t important (and in fact if you need to spend a ton of money to have the vendor customize a solution for you it may still be very important) but just a couple of other issues to keep in mind.

privacy vs the news (us version)

Interesting case summarized by Loeb and Loeb. A guy bitten by a killer whale sues someone for broadcasting the tape showing the incident without his consent. The guy claims, amongst other things, infringement of rights of privacy. Interestingly, the court held:

…that the plaintiff did not have a reasonable expectation of privacy in a video that he had previously licensed for broadcast on national television. The court rejected plaintiff’s argument that once-public facts could become private again and held that, even if the video were considered private, its broadcast
was protected as a newsworthy event.

What I find particularly interesting is the very last part, which seems to suggest that if it’s newsworthy, that somehow trumps the right to privacy. I can imagine that this would likely not be the case here in Canada. One example of where the courts here have done in directly the opposite direction is with respect to the horrific crimes of Paul Bernardo and Karla Homolka, where a wide ban was imposed on materials related to the murders of two young women in order to protect the victims and their families.

I wonder how such a statement (albeit something that could very well be considered obiter) might be applied in other circumstances involving the victims of accidents or crimes, to the detriment of those victims…

the (not so) long arm of the tax authorities

The recent case involving the Canada Revenue Agency and eBay took an interesting (and perhaps somewhat ironic) twist on access to information. Without getting into too much detail, the essence of the issue was this: CRA wanted eBay Canada to cough up information on folks known as “Power Sellers” – those that sell a lot of stuff on eBay. Presumably so that CRA could helpfully remind those folks of their tax obligations in the unfortunate event they somehow forgot to report all the income they made in Canada by selling on eBay.

eBay Canada’s response was that the legal entity in Canada did not in fact own that information and it was also not stored in Canada. Rather, the information was owned by some of its affiliates and stored in the US, outside of Canadian jurisdiction. So they couldn’t provide the information, they asserted.

Unfortunately (for eBay) it came out that eBay Canada was able to access the information even though it didn’t own the data. In fact, it had to be able to access that information in order to run its business. So the court ruled in favour of the CRA, with this rather cogent analysis:

The issue as to the reach of section 231.2 when information, though stored electronically outside Canada, is available to and used by those in Canada, must be approached from the point of view of the realities of today’s world. Such information cannot truly be said to “reside” only in one place or be “owned” by only one person. The reality is that the information is readily and instantaneously available to those within the group of eBay entities in a variety of places. It is irrelevant where the electronically-stored information is located or who as among those entities, if any, by agreement or otherwise asserts “ownership” of the information. It is “both here and there” to use the words of Justice Binnie in Society of Composers, Authors and Music Publishers of Canada v. Canadian Ass’n of Internet Providers, [2004] 2 S.C.R. 427 at paragraph 59. It is instructive to review his reasons, for the Court, at paragraphs 57 to 63 in dealing with whether jurisdiction may be exercised in Canada respecting certain Internet communications, including an important reference to Libman v. The Queen, [1985] 2 SCR 178 and the concept of a “real and substantial link”.

The implications in this case are relatively clear. In other cases, it may become less so. For example, what happens with this concept when someone who once stored their docs on their local hard drive starts using Google Docs, only to find out that the authorities in whatever far-flung jurisdiction have ordered an affiliate of Google to disclose that information? Or in the near future when things like Prism get to a point where users aren’t even sure whether their data is here, there, or elsewhere. Interesting times, indeed.

silly lawsuit of the week

OK. Short version of the story in InformationWeek: Woman puts up a website. She puts a “webwrap” agreement at the bottom – i.e. basically a contract that says if you use the site then you agree to the contract. Still some question as to whether such a mechanism is binding, but anyway…

So the Internet Archive of course comes along and indexes her site. Which apparently is a violation of the webwrap. So she sues, representing herself, I believe. The court throws out everything on a preliminary motion by IA except for the breach of contract.

InformationWork observes that “Her suit asserts that the Internet Archive’s programmatic visitation of her site constitutes acceptance of her terms, despite the obvious inability of a Web crawler to understand those terms and the absence of a robots.txt file to warn crawlers away.” (my emphasis). They then conclude with this statement:

If a notice such as Shell’s is ultimately construed to represent just such a “meaningful opportunity” to an illiterate computer, the opt-out era on the Net may have to change. Sites that rely on automated content gathering like the Internet Archive, not to mention Google, will have to convince publishers to opt in before indexing or otherwise capturing their content. Either that or they’ll have to teach their Web spiders how to read contracts.

(my emphasis).

They already have – sort of. It’s called robots.txt – the thing referred to above. For those of you who haven’t heard of this, its a little file that you put on the top level of your site and which is the equivalent of a “no soliciation” sign on your door. Its been around for at least a decade (probably longer) and most (if not all) search engines

From the Internet Archive’s FAQ:

How can I remove my site’s pages from the Wayback Machine?

The Internet Archive is not interested in preserving or offering access to Web sites or other Internet documents of persons who do not want their materials in the collection. By placing a simple robots.txt file on your Web server, you can exclude your site from being crawled as well as exclude any historical pages from the Wayback Machine.

Internet Archive uses the exclusion policy intended for use by both academic and non-academic digital repositories and archivists. See our exclusion policy.

You can find exclusion directions at exclude.php. If you cannot place the robots.txt file, opt not to, or have further questions, email us at info at archive dot org.

standardized methods of communications – privacy policies, etc. – more. Question is, will people be required to use it, or simply disregard and act dumb?

from the “another security headache” department

Yes postings have been sparse lately – things getting busy so alas. Anyway, very short (but rather alarming) note from Wired about copiers. Though I knew most copiers now used digital technology of some sort, I had no idea they actually contained full-blown hard drives that store your copies. The exact reason why they need hard drives to copy documents, and why the data needs to remain on the drives, is a bit of a mystery to me, and something the article doesn’t go into. I’d had always just assumed that the image information was stored somewhere temporarily and disappeared when you finished copying. Apparently not. Anyway, here’s a brief excerpt:

most digital copiers manufactured in the past five years have disk drives – the same kind of data-storage mechanism found in computers – to reproduce documents. As a result, the seemingly innocuous machines that are commonly used to spit out copies of tax returns for millions of Americans can retain the data being scanned.

If the data on the copier’s disk aren’t protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, industry experts say sensitive information from original documents could get into the wrong hands.

I guess someone, somewhere, will be selling add-on kits for copiers relatively shortly…

ALPR is….

short for Automatic License Plate Recognition. Sometimes I find mention of the most interesting things in the most unexpected places. Like this brief article on how police in British Columbia are currently using a system that can easily and quickly scan license plate numbers as they drive along that I saw in bookofjoe. Surprised I didn’t see see it anywhere else, oddly enough, particularly given the implications for privacy, etc. Not necessarily that there are any – after all, license plates are there so that they can be seen by the public at large and police officers. That being said, I find it interesting how the application of new technology (optical recognition) to old technology (license plates), significantly alters the implications of how the old technology is perceived.

Sure, its one thing to have police on the lookout for a particular license plate on a car with a known felon who is escaping, but it seems to be quite another for a police car to scan and process thousands upon thousands of license plates while driving around the city.