no privacy right in identity linked to ip address

The Ontario Court of Appeal released its decision in R v. Ward earlier today. The case involved the conviction of a worthless low-life pedophile by the name of David Ward.

The police were able to find him due, in part, by tracking down his IP address and asking his ISP to provide the identity of the customer using the IP address at the time. His ISP did so voluntarily, even though the police did not have a search warrant. The appeal focused on whether or not he had been subject to unreasonable search and seizure, in violation of the the Charter of Rights, and whether or not he had a reasonable expectation of privacy.

The Court of Appeal’s decision concluded that the disclosure of this information by the ISP to the police did not violate his Charter  rights nor was there, nor should there have been, a reasonable expectation of privacy.

While my personal sentiments in respect of Mr. Ward would be that I could care less if he rotted in a jail cell for the rest of his days, the ends, as they say, do not always justify the means. And if the law is to be applied equally to everyone, I do believe there are some rather disconcerting implications regarding the conclusions in this case, notwithstanding the court’s attempt to put a ring fence around its application.

No time for the detailed analysis right now but it will be forthcoming. In the meantime, I encourage you to read the case – what do you think?

the gizmodo/jason chen/search warrant debacle

There have been many views expressed on both the propriety of Gizmodo breaking the story on the next-gen iPhone as well as the subsequent search warrant executed by the police against Jason Chen, the Gizmodo reporter that broke the story. Needless to say, each side has its supporters. A good summary with links to contrasting views can be found on GigaOm.

I won’t rehash all the arguments either for or against the execution of the warrant or its validity – you can check out the link above for all of that. The only thing I did want to point out was the possibility that a previous, somewhat similar case, may perhaps have prompted the criminal investigation leading to the search warrant. O’Grady v. The Superior Court of Santa Clara County (pdf) was a case in 2006 that also involved Apple. Apple was seeking civil subpoenas to certain websites that published information that it claimed to be trade secrets, in order to discover the source of the disclosures. The publishers moved for a protective order, which was denied at trial. However, the protective order was granted on appeal.

Though there were various bases on which the court found in favour of the websites, the one that seems relevant to the Chen search warrant relates to the California reporter’s shield – the same California legislation cited by the chief operating officer of Gizmodo as making the search illegal. In short, the appeal court in O’Grady found that “any subpoenas seeking unpublished information from petitioners would be unenforceable through contempt proceedings in light of the California reporter’s shield (Cal. Const., art. I, § 2, subd (b); Evid. Code, § 1070)”.

More importantly, the appeal court had this to say about what was alleged by Apple to be criminal activity and reviewing the lower courts findings on same:

The court found petitioners’ assertion of a constitutional privilege “overstated” because “[r]eporters and their sources do not have a license to violate criminal laws such as Penal Code [section] 499c [(§ 499c)].” 8 The court assumed petitioners to be journalists, but wrote that “this is not the equivalent of a free pass” and that they could still be compelled to reveal information relating to a crime. The court repeatedly alluded to the supposed presence of criminal or larcenous conduct. The court also faulted petitioners for failing to establish “what public interest was served” by the publications in question. While acknowledging evidence that thousands of people were interested in the information in question, the court opined that “an interested public is not the same as the public interest.” The court implied that the publications in question were not “ ‘protected speech.’”

Though the appeal court didn’t dwell much further on the relevance of the alleged criminal acts to the California reporter’s shield in the body of the decision, the foonote to the excerpt above is rather informative:

8 Section 499c criminalizes the misappropriation or attempted misappropriation of trade secrets under specified circumstances. Although Apple alluded to this statute in its memorandum below, and does so again before us, it has never demonstrated that the facts here could establish a criminal theft of trade secrets. That offense requires proof of, among other things, “intent to deprive or withhold the control of [the] trade secret from its owner, or . . . to appropriate [the] trade secret to [the defendant’s] own use or to the use of another . . . .” (§ 499c, subd. (b).) Since Apple has never argued the point, no occasion is presented to consider whether the inferred circumstances of the disclosure here could be found to constitute a crime. For present purposes we are concerned only with an allegedly tortious disclosure of a trade secret presumably by an Apple employee.”

It would seem clear that the court took pains to distinguish between a tortious disclosure of a trade secret, versus a criminal misappropriation of a trade secret. And although the court does not make any findings as to what might have happened if there were a basis to claim of criminal wrongdoing, the implication of the note above is that the findings on appeal may well have been different, if only apple had presented any facts to establish a crime. (All that being said, the EFF has expressed the opinion that both the California shield law as well as the federal Privacy Protection Act would make such a search illegal, even if a crime were committed)

So here Apple is, facing a similar situation as in O’Grady, and knowing that it will likely have either very limited or no ability to successfully obtain civil subpoenas given the finding in O’Grady, but with a little crack in the door suggesting that if criminal misconduct could be successfully demonstrated, it may have some chance of success. That seems better than nothing.

Given the above, it seems logical that Apple would want to request the DA to commence a criminal investigation (though to be clear, reports indicate that the DA has declined to indicate who instigated the investigation), either for plain theft or for theft of trade secrets, in order to enable it to seek some sort of remedy for the leaked information, though I’ll admit that if the above is correct its not clear to me exactly what remedy Apple would be seeking – in contrast to O’Grady, the identity of the Apple rep who lost the phone (and all the gory details) is already public. Perhaps the identity of the person who picked it up (which doesn’t appear to be public)? Though I’m not sure what that gets Apple, other than perhaps fiery retribution against the fellow and disgorgement of his ill-gotten gains (the $5,000 that Gizmodo paid him for the phone). Will be interesting to see how it plays out.

chrome a windows killer? i doubt it

Read an article in eWeek that left me scratching my head a bit. The nub below:

Then later:

And that would spell doom for Microsoft. It’s one thing to squeeze Microsoft out of the Internet game by dominating search and Web services. It’s another entirely to come after the software giant’s core operating system business, wielding the Web as your platform.

Must admit I have a lot of trouble seeing that, as I would have thought in order to supplant Windows, it would need to be gone, and to go from a browser that sits on an o/s to replacing the o/s seems to be a rather large leap. A huge leap, actually.

What they’re suggesting might happen is already a possibility today. There is definitely something that can supplant Windows altogether, and provide access to all the web-oriented apps, etc. that Google offers. Its cheap (sometimes free), stable and has pretty good UIs – in fact, a selection of UIs and different flavours. Its called Linux. However, for a variety reasons, it hasn’t kicked Microsoft’s ass yet (at least on the desktop – there are a few areas where it definitely does, such as web and other server functions).

To suggest, then, that, because Google has come out with a browser, that that will lead to the supplanting of Windows seems, IMHO, to be a bit far-fetched. I’m not suggesting that Google wouldn’t have the wherewithal to try to go after the desktop. They may do so. Though I’m not sure if they’d want to – they have a pretty good business model already…

Anyway, if and when they do something like that it will be so much larger an undertaking than Chrome that the links between that and Chrome would be tenuous at best, other than possibly bundling Chrome within whatever o/s they create.

Even possibly on the application front, I can see Google putting some pressure on MS, and how this might tie with Chrome. But not the o/s on which the whole thing runs.

So I think for the time being, Bill and Steve probably don’t have much to worry about with Chrome’s introduction, at least when it comes to the o/s business (IE on the other hand, is another matter altogether…).

arbitrary electronic search & seizure + canadian border = ok

Following the judgement and policy confirming that US customs can conduct searches without suspicion, some of my colleagues in the trade group at McCarthy have published an e-Alert that describes Canadian authorities’ approach to searches of electronic devices at the Canadian border:

CBSA has yet to publish a report detailing its policy on border searches of electronic devices. That said, the CBSA has stated that its examination authority under the Customs Act extends to electronic storage devices. Other sources of information also suggest that they, like their American counterparts, do not accord electronic devices special status at the border. For example, the Canadian Customs Act broadly defines “goods” to include “any document in any form”, suggesting no special treatment for electronic documents. Canadian case law also supports this interpretation. In a 2008 Ontario Court of Justice decision, the Court stated that it saw no intrinsic difference between a computer search and a detailed examination of the contents of one’s suitcase.

2. Searches Without Suspicion

Given their characterization as ordinary goods, it follows that a border official can search travelers’ electronic goods even in the absence of suspicion regarding the traveler or the electronic device.

The article also provides some background on the situation with the US, confidentiality regarding information obtained from such searches, ability to detain electronic devices for further inspections, privileged information, and some thoughts on how to protect your information.

If you cross the border frequently with sensitive business information, it is well worth a read, as is my previous post on the US policy.

premature cuil punditing

I was a bit surprised to read all the hype (or anti-hype, if there is such a thing) on cuil – the new search engine that debuted just a few days ago. I read an article in the paper this morning on it, pronouncing it to be failure. Then this in Time, also declaring it not to live up to Google:

“Anybody who thought [Cuil] was this Google killer can really see now that no, that’s not going to happen today — and the likelihood is that’s not going to happen a year from now,” says Danny Sullivan, internet search guru and editor-in-chief of SearchEngineLand.

Yes, I do understand that things happen faster on all things internet, but c’mon, pronouncing them DOA in less than a week after their launch? Seriously?

Let’s do a bit of a reality check. Sure, the folks behind cuil have some great credentials – previously engineers at Google, developers of AltaVista, etc. etc. But you’re comparing a startup with a few million in VC money with the 800 lb gorilla of the internet. An 800 lb gorilla that has been around for many, many years. And which has been able to grow its revenue into the billions. And which has been able to invest huge chunks of that revenue into its technology and infrastructure.

So when people say cuil, less than a week out of the gate is no Google killer, it seems to be that the appropriate response is “Duh. Of course not.” Where was Google a week after it launched?

Anyway, perhaps it’s more of a knee-jerk reaction to what people have described as the “hype” surrounding the startup – that commentators want to be seen as not buying into it. But making such broad pronouncements so early? A little premature if you ask me.

arbitrary electronic search & seizure + us border = ok

I imagine its not much of a surprise given the current environment in the states (as well as, to some extent, similar past rulings in the US). Wired reports arbitrary searches of electronics are OK:

Federal agents at the border do not need any reason to search through travelers’ laptops, cell phones or digital cameras for evidence of crimes, a federal appeals court ruled Monday, extending the government’s power to look through belongings like suitcases at the border to electronics.

Needless to say, consideration should be given to taking some steps to protect confidential or sensitive records that you would not want to be seized. And no, I don’t mean nudie pictures or the like, but things such as confidential information of your business, or that of third parties who have entrusted you with confidential information, or personal information. That being said, Wired also made this observation:

The 9th’s ruling did not, however, clarify whether a traveler has to help the government search his computer, by providing the login information, or what would happen when the government decided to search a laptop with encrypted data on the drive. The defendant in the case can appeal the decision to the U.S. Supreme Court, but the Court is unlikely to take up an issue that two separate appeals courts have agreed upon.

Alternatively, better to leave all sensitive data at the office and, if required, connect through a VPN, retrieve, then erase before crossing.

Well, at least we can thank our stars that the ruling doesn’t apply to “highly intrusive searches of the person”. Yet.

Update: The EFF has published an article on possible ways to minimize the risk of laptop searches. They point out that encryption might not be all that handy:

If, however, you don’t respond to CBP’s demands, the agency does have the authority to search, detain, and even prohibit you from entering the county. CBP has more authority to turn non-citizens away than it does to exclude U.S. persons from entering the country, but we don’t know how the agents are allowed to use this authority to execute searches or get access to password protected information. CBP also has the authority to seize your property at the border. Agents cannot seize anything they like (for example, your wedding ring), but we do not know what standards agents are told to follow to determine whether they can and should take your laptop but let you by.

Elaborating on my suggested approach, they point out the following:

Another option is to bring a clean laptop and get the information you need over the internet once you arrive at your destination, send your work product back, and then delete the data before returning to the United States. Historically, the Foreign Intelligence Surveillance Act (FISA) generally prohibited warrantless interception of this information exchange. However, the Protect America Act amended FISA so that surveillance of people reasonably believed to be located outside the United States no longer requires a warrant. Your email or telnet session can now be intercepted without a warrant. If all you are concerned about is keeping border agents from rummaging through your revealing vacation photos, you may not care. If you are dealing with trade secrets or confidential client data, an encrypted VPN is a better solution.

Anyway, worth a read if you do cross the border with sensitive information.

Another update: More advice from Bruce Schneier on how to deal with customs (both in the US and elsewhere) and also safeguard sensitive information. I particularly like this suggestion (which he offers after also suggesting the VPN approach that I mentioned above) though it does require a little white lie:

If you can’t [use a clean laptop and download via secure VPN], consider putting your sensitive data on a USB drive or even a camera memory card: even 16GB cards are reasonably priced these days. Encrypt it, of course, because it’s easy to lose something that small. Slip it in your pocket, and it’s likely to remain unnoticed even if the customs agent pokes through your laptop. If someone does discover it, you can try saying: “I don’t know what’s on there. My boss told me to give it to the head of the New York office.” If you’ve chosen a strong encryption password, you won’t care if he confiscates it.

Further update: US customs, presumably emboldened by the court’s decision, have published their official policy (PDF) describing arbitrary search. The good news is that the reaction, at least in some corners, is somewhat less than favourable. From a recent article in the Washington Post:

“The policies . . . are truly alarming,” said Sen. Russell Feingold (D-Wis.), who is probing the government’s border search practices. He said he intends to introduce legislation soon that would require reasonable suspicion for border searches, as well as prohibit profiling on race, religion or national origin.

There’s also some description of what the good folks at Customs would do, including treatment of privileged materials, etc. If you frequently travel to the US with sensitive business materials, you would do well to review the policy. I may post a summary at some point…

Also, another less than enthusiastic op-ed piece in USA Today.

the (not so) long arm of the tax authorities

The recent case involving the Canada Revenue Agency and eBay took an interesting (and perhaps somewhat ironic) twist on access to information. Without getting into too much detail, the essence of the issue was this: CRA wanted eBay Canada to cough up information on folks known as “Power Sellers” – those that sell a lot of stuff on eBay. Presumably so that CRA could helpfully remind those folks of their tax obligations in the unfortunate event they somehow forgot to report all the income they made in Canada by selling on eBay.

eBay Canada’s response was that the legal entity in Canada did not in fact own that information and it was also not stored in Canada. Rather, the information was owned by some of its affiliates and stored in the US, outside of Canadian jurisdiction. So they couldn’t provide the information, they asserted.

Unfortunately (for eBay) it came out that eBay Canada was able to access the information even though it didn’t own the data. In fact, it had to be able to access that information in order to run its business. So the court ruled in favour of the CRA, with this rather cogent analysis:

The issue as to the reach of section 231.2 when information, though stored electronically outside Canada, is available to and used by those in Canada, must be approached from the point of view of the realities of today’s world. Such information cannot truly be said to “reside” only in one place or be “owned” by only one person. The reality is that the information is readily and instantaneously available to those within the group of eBay entities in a variety of places. It is irrelevant where the electronically-stored information is located or who as among those entities, if any, by agreement or otherwise asserts “ownership” of the information. It is “both here and there” to use the words of Justice Binnie in Society of Composers, Authors and Music Publishers of Canada v. Canadian Ass’n of Internet Providers, [2004] 2 S.C.R. 427 at paragraph 59. It is instructive to review his reasons, for the Court, at paragraphs 57 to 63 in dealing with whether jurisdiction may be exercised in Canada respecting certain Internet communications, including an important reference to Libman v. The Queen, [1985] 2 SCR 178 and the concept of a “real and substantial link”.

The implications in this case are relatively clear. In other cases, it may become less so. For example, what happens with this concept when someone who once stored their docs on their local hard drive starts using Google Docs, only to find out that the authorities in whatever far-flung jurisdiction have ordered an affiliate of Google to disclose that information? Or in the near future when things like Prism get to a point where users aren’t even sure whether their data is here, there, or elsewhere. Interesting times, indeed.

taking the fun out of blogging

As a lawyer, I understand the need for policies, procedures, practices, etc. when running a business, managing vendors, employees, etc. Of course. Sure. That’s part of work – both my work and the work of my clients. But when I see an article entitled “Blogging Policies and Best Practices for Lawyers and Law Firms” well, gotta say, my eyes start glazing over.

Not that there’s anything particularly bad or wrong about the article. In fact, it offers some good advice on avoiding “ethical minefields”, creating “powerful marketing tools” and ensuring you realize a good return on your “investment”.

Ugh. To be perfectly honest one of the primary reasons I blog is not to realize a return on investment, or to create a powerful marketing tool, but rather just to offer casual observations (or ruminations) on my work or things related to my work. In other words, its a bit of fun, as compared, for example, to writing a formal research paper, journal article, or a 100 page outsourcing contract. For those types of writing, there are many, many rules, requirements and policies to remember and adhere to, amongst other considerations. And relatively speaking, its not quite as much writing that stuff as it is posting what are ostensibly meandering ramblings about the next new thing. Don’t get me wrong, its certainly interesting and challenging work, but its not the type of thing one typically does to relax.

I guess what I’m getting at is along the same lines as the previous post about making blogging part of someone’s job. Its kind of like saying that its part of your job to chat up your friends at work on a regular basis. Its kind of like saying that there should be internal policies governing who you go to lunch with, and what you talk about over lunch. In other words, to me, it seems to take all the fun out of it. It makes it seem like work. It puts you in the mindset that it is work. And, to be perfectly honest, I think it makes it less interesting, because you’re too worried about the time being put into it. Too worried about whether you’re writing for your “target market”. Too worried about “visualizing and addressing your market”. Too worried on making your blog sound “informal and conversational”. Too worried about this, that and the other thing, none of which have much to do with the subject matter of what you’re writing about.

Of course, this is just my take on blogging and what I hope to achieve (or perhaps rather not to achieve) by doing it.

the internet: how not to learn to commit crimes

A story in the the Daily Record. The phrase “the thing speaks for itself” (which is one of those handy latin phrases I learned in law school but almost never use, except of course in blog posts – res ipsa loquitur, for you latinphiles out there…) seems to be appropriate for this:

At exactly 5:45:34 on April 18, 2004 a computer taken from the office of the attorney of Melanie McGuire, did a search on the words “How To Commit Murder.”

That same day searches on Google and MSN search engines, were conducted on such topics as `instant poisons,` `undetectable poisons,’ ‘fatal digoxin doses,’ and gun laws in New Jersey and Pennsylvania.

Ten days later, according to allegations by the state of New Jersey, McGuire murdered her husband, William T. McGuire, at their Woodbridge apartment, using a gun obtained in Pennsylvania, one day after obtaining a prescription for a sedative known as the “date rape” drug.

As a married man, it also makes me wonder what exactly is it about divorce that is really so bad that people resort to the apparently more preferable alternative of brutally murdering their spouses (as I delicately knock on wood…).

Via Slashdot.

silly lawsuit of the week

OK. Short version of the story in InformationWeek: Woman puts up a website. She puts a “webwrap” agreement at the bottom – i.e. basically a contract that says if you use the site then you agree to the contract. Still some question as to whether such a mechanism is binding, but anyway…

So the Internet Archive of course comes along and indexes her site. Which apparently is a violation of the webwrap. So she sues, representing herself, I believe. The court throws out everything on a preliminary motion by IA except for the breach of contract.

InformationWork observes that “Her suit asserts that the Internet Archive’s programmatic visitation of her site constitutes acceptance of her terms, despite the obvious inability of a Web crawler to understand those terms and the absence of a robots.txt file to warn crawlers away.” (my emphasis). They then conclude with this statement:

If a notice such as Shell’s is ultimately construed to represent just such a “meaningful opportunity” to an illiterate computer, the opt-out era on the Net may have to change. Sites that rely on automated content gathering like the Internet Archive, not to mention Google, will have to convince publishers to opt in before indexing or otherwise capturing their content. Either that or they’ll have to teach their Web spiders how to read contracts.

(my emphasis).

They already have – sort of. It’s called robots.txt – the thing referred to above. For those of you who haven’t heard of this, its a little file that you put on the top level of your site and which is the equivalent of a “no soliciation” sign on your door. Its been around for at least a decade (probably longer) and most (if not all) search engines

From the Internet Archive’s FAQ:

How can I remove my site’s pages from the Wayback Machine?

The Internet Archive is not interested in preserving or offering access to Web sites or other Internet documents of persons who do not want their materials in the collection. By placing a simple robots.txt file on your Web server, you can exclude your site from being crawled as well as exclude any historical pages from the Wayback Machine.

Internet Archive uses the exclusion policy intended for use by both academic and non-academic digital repositories and archivists. See our exclusion policy.

You can find exclusion directions at exclude.php. If you cannot place the robots.txt file, opt not to, or have further questions, email us at info at archive dot org.

standardized methods of communications – privacy policies, etc. – more. Question is, will people be required to use it, or simply disregard and act dumb?