buying illegal drugs on the internet

I suppose that headline is also found in quite a bit of spam. Oh well. I read with interest this story in Forbes about how the Silk Road site is facilitating about $2 million a month in illegal drug sales over the internet, using technologies such as Bitcoin for payment (which apparently is untraceable) and Tor to serve the site (which apparently is also untraceable). As an aside, the only reason I say “apparently” is because it always seems that no matter how airtight any electronic security measure seems to be, there always eventually seems to be someone who comes along who is sufficiently clever and/or dedicated to bypass it.

My initial thought on this story was that it was rather a shame that such useful technology would be put to such notorious uses, and wondered how long it would be until someone called for government control or prohibition of such technologies. Yes, yes, I know, this hearkens back the now somewhat dated debate regarding controls over crypto and the release of the rather poorly received Clipper chip. And yet, I still encounter those who feel that this is the proper approach to such technologies, and the only way that criminals who use such technologies can be pursued and apprehended with any reasonable measure of efficacy.

Perhaps needless to say, but I don’t quite agree with such an approach, largely for the same, very practical reasons that Clipper did not succeed (which I’ll leave to you and Google to find). That being said, I’m fully expecting the dialogue around this story to broach this debate once again.

 

electronic document regulations for financial institutions finalized

Earlier this year (May 8 to be precise), the Canadian federal government published some draft regulations relat­ing to the use of elec­tronic doc­u­ments by fed­er­ally reg­u­lated fin­an­cial insti­tu­tions. You can find a rather brief summary in an earlier post, along with some colour commentary comparing the regulations against similar types of provisions in the Ontario Consumer Protection Act and Electronic Commerce Act. You can find the earlier draft regulations in that post or at the Canada Gazette website (scroll down to the bottom).

In any event, about two weeks ago (November 10 to be precise), the federal government released the finalized regulations for banks and bank holding companies, cooperative credit associations, insurance and insurance holding companies and trust and loan companies.

If you haven’t yet reviewed the legislation, you may want to look at my earlier post, which remains, I think, somewhat useful, as the revisions made between the draft and final regulations are not that significant. If you’d like to see for yourself, I’ve taken the liberty of generating redlines (in Word format) for each of them (banks – redline,  coops – redlineinsur – redline and trusts – redline) or you can read the summary below.

There’s basically two items that are common across all the regulations. The first isn’t really much of a change but rather the fixing of the date upon which they come into force, which has now been set for June 1, 2011. The second change is a minor clarification that specific information provided in a consent is only applicable if that consent is provided in writing (whether in paper or electronic form). Here’s the specific change, which looks to be common across all four regulations:

(4) TheIf the addressee’s consent is provided in writing, in paper or electronic form, it must include the name of the information system designated by the addressee for the receipt of the electronic document and a list, in paper or electronic form, of the notices, documents or other information that is covered by the consent.

Seems to make sense, given that such consent can also be provided orally, and that is addressed in the next clause:

(5) If the addressee’s consent is provided orally, the originator or the person acting for the originator must, without delay, provide the addressee in writing, in paper or electronic form, with the information referred to in subsection (2) and confirm the information referred to in subsection (4).

The federal government’s provides the following comments in the related regulatory impact analysis statement (scroll down toward the end) with respect to this change, the in-force date and some changes which had been requested but were not made:

Consultation

After pre-publication of these regulations on May 8, 2010, in the Canada Gazette, Part I, comments related to about 10 different issues were raised from financial industry associations. Only two of the four regulations were commented on, namely the Electronic Documents Regulations and the Policyholders Disclosure Regulations. In addition, the comments did not raise any substantial concerns but rather focused on ensuring that the regulations efficiently achieved the stated policy goals.

As a result, the Government has made minor modifications to the Electronic Documents Regulations to more efficiently handle situations where a customer of a financial institution provides oral consent for the electronic delivery of documents. The previous version of the Regulations appeared to require customers to give financial institutions written documentation when giving consent in call cases — notwithstanding the fact that the Regulations allow for consent to be granted orally. Section 5(4) now sets out the information that must be provided when consent is not provided orally (including the name of the information system designated by the addressee and a list of the notices, documents or other information that is covered by the consent). Section 5(5) goes on to set out the responsibilities of the originator to properly document oral consent and confirm the information received from the customer.

Some comments have not been reflected as stakeholders requested changes that were inconsistent with the policy intent of the regulations. For example, requested changes to the Policyholder Disclosure Regulations would have had the effect of unduly narrowing the scope of information provided to holders of insurance policies with governance rights attached. Other comments to remove from the definition of adjustable policies those where an insurance company can indirectly change the premium or charge for insurance would have had the effect of restricting the Government’s ability to ensure compliance with the regulations.

Implementation, enforcement and service standards

Industry representatives asked that the regulations come into force from six months to one year after final publication, indicating operational challenges (systems, procedures, training). To allow financial institutions sufficient time to prepare documentation in advance of annual general meetings, this package of regulations will come into force on June 1, 2011.

The regulations do not require any new mechanisms to ensure compliance and enforcement. The Office of the Superintendent of Financial Institutions (OSFI) already administers the governance provisions in the federal financial institutions statutes. As such, OSFI would ensure compliance with the new requirements using its existing compliance tools, including compliance agreements and administrative monetary penalties.

flash intro pages – a useful analogy

Just a short one today before I get back to work. Completely unrelated to law.  If you’re building a website, and thinking of using flash, and, moreover, thinking of having a flash splash page, you may want to consider this sage advice:

Jared said, “When we have clients who are thinking about Flash splash pages, we tell them to go to their local supermarket and bring a mime with them. Have the mime stand in front of the supermarket, and, as each customer tries to enter, do a little show that lasts two minutes, welcoming them to the supermarket and trying to explain the bread is on aisle six and milk is on sale today.

“Then stand back and count how many people watch the mime, how many people get past the mime as quickly as possible, and how many people punch the mime out.

“That should give you a good idea as to how well their splash page will be received. That’s the crux of it.”

MarketingSherpa: Uproar over Anti-Flash Intro Survey Results by way of The Oatmeal.

draft electronic document regulations for financial institutions published

Last week (May 8 to be exact) the federal government published draft regulations relating to the use of electronic documents by federally regulated financial institutions. These regulations are part of a process that began in 2005 to harmonize and modernize legislation governing banks, insurance companies, trust companies and cooperatives.

The new regulations set out the general requirements that such institutions must meet in order to use electronic documents when dealing with stakeholders. You can find links to the draft regulations and a regulatory impact analysis at the end of this post.

Here’s the Coles Notes summary:

  • electronic documents related to securities transfers are excluded;
  • electronic documents must be in clear and simple language that is not misleading
  • a requirement to provide a document may be satisfied by making the document available through a generally accessible electronic source (such as a website) and giving notice (whether paper or electronic) to the person to whom the document must be provided, unless there’s a requirement under the legislation to deliver to a specific place, in which case the website mechanism won’t work;
  • consent to receive electronic documents can be obtained from addressees in writing (paper or electronic) or orally, but, unless it’s just a one time consent, they must be notified in writing (paper or electronic) regarding:
    • when their consent  is effective,
    • that they can revoke their consent,
    • that they are responsible for updating the address to which electronic documents are delivered, and
    • that the sender will only retain electronic documents for a specified period, following which it becomes the responsibility of the recipient to retain a copy
  • the notification or consent above, if in electronic form, must be provided in a form that can be retained by the recipient for future reference
  • consent must include address designated for receipt and a list of notices covered by the consent and, if consent is provided orally, the sender must confirm such information, as well as that in the original notice, in writing (paper or electronic)
  • consent can be revoked in writing (paper or electronic) or orally
  • revocation must be confirmed in writing and when it takes effect and, if provided in electronic form, must be accessible and capable of being retained for future reference
  • an electronic document is considered provided to someone when it:
    • leaves an information system in the control of the sender, or
    • when it is posted or made available through the secure website of the sender (no reference to a notice needing to be sent to them)
  • an electronic document is considered received by someone when it:
    • enters the information system designated by them
    • it is posted or made available through the secure website of the sender, or
    • the recipient receives the notice mentioned in the third bullet above (i.e. when posting to a website, the notice alerting the recipient that it’s available)
  • electronic signatures must consist of letters, characters, numbers or symbols in digital form incorporated, attached or associated with an electronic document

Not quite clear to me why the provision on sending doesn’t refer to the alert notice being sent. Nor is it clear to me what the reference to “secure” websites means. But apart from those nits, one of the good things about these new regulations is that they expressly provide for a mechanism that permits the delivery of electronic documents by posting to a website, combined with the delivery of a notice (which can of course be much shorter) that the electronic documents are available. In contrast, other acts, such as the Ontario Consumer Protection Act and its associated regulations do not expressly permit such a mechanism when it comes to delivery of “internet agreements” – for example, s. 33(3) of the regulations indicate that an internet agreement is considered delivered by:

1. Transmitting it in a manner that ensures that the consumer is able to retain, print and access it for future reference, such as sending it by e-mail to an e-mail address that the consumer has given the supplier for providing information related to the agreement.

2. Transmitting it by fax to the fax number that the consumer has given the supplier for providing information related to the agreement.

3. Mailing or delivering it to an address that the consumer has given the supplier for providing information related to the agreement.

4. Providing it to the consumer in any other manner that allows the supplier to prove that the consumer has received it.

Similarly, the equivalence rules in the Ontario Electronic Commerce Act specifically exclude the posting of information to a website as satisfying a legal requirement to provide information or a document in writing:

10. (1) For the purposes of sections 6, 7 and 8, electronic information or an electronic document is not provided to a person if it is merely made available for access by the person, for example on a website.

Same

(2) For greater certainty, the following are examples of actions that constitute providing electronic information or an electronic document to a person, if section 6, 7 or 8 is otherwise complied with:

1. Sending the electronic information or electronic document to the person by electronic mail.

2. Displaying it to the person in the course of a transaction that is being conducted electronically.

Though in both cases there is some room either to argue that a web-based posting could satisfy the requirements of either act (e.g. posting to a website plus sending a notice of availability would not be “merely” making the information available on a website), it’s certainly not as expressly permitted as in the new draft regulations.

Of course, the regulations should be read in connection with the corresponding provisions (Bank Act – scroll down to Part XVIII, Insurance Companies Act – scroll down to Part XX, Trust and Loan Companies Act – scroll down to Part XIV.1, Cooperative Credit Associations Act – scroll down to Part XVII.1) in each act relating to the use of electronic documents.

Links to draft regulations: Regulatory Impact Analysis; Bank Regulations; Insurance Company Regulations; Trust and Loan Companies Regulations; Cooperative Credit Associations Regulations

silly lawsuit of the week

OK. Short version of the story in InformationWeek: Woman puts up a website. She puts a “webwrap” agreement at the bottom – i.e. basically a contract that says if you use the site then you agree to the contract. Still some question as to whether such a mechanism is binding, but anyway…

So the Internet Archive of course comes along and indexes her site. Which apparently is a violation of the webwrap. So she sues, representing herself, I believe. The court throws out everything on a preliminary motion by IA except for the breach of contract.

InformationWork observes that “Her suit asserts that the Internet Archive’s programmatic visitation of her site constitutes acceptance of her terms, despite the obvious inability of a Web crawler to understand those terms and the absence of a robots.txt file to warn crawlers away.” (my emphasis). They then conclude with this statement:

If a notice such as Shell’s is ultimately construed to represent just such a “meaningful opportunity” to an illiterate computer, the opt-out era on the Net may have to change. Sites that rely on automated content gathering like the Internet Archive, not to mention Google, will have to convince publishers to opt in before indexing or otherwise capturing their content. Either that or they’ll have to teach their Web spiders how to read contracts.

(my emphasis).

They already have – sort of. It’s called robots.txt – the thing referred to above. For those of you who haven’t heard of this, its a little file that you put on the top level of your site and which is the equivalent of a “no soliciation” sign on your door. Its been around for at least a decade (probably longer) and most (if not all) search engines

From the Internet Archive’s FAQ:

How can I remove my site’s pages from the Wayback Machine?

The Internet Archive is not interested in preserving or offering access to Web sites or other Internet documents of persons who do not want their materials in the collection. By placing a simple robots.txt file on your Web server, you can exclude your site from being crawled as well as exclude any historical pages from the Wayback Machine.

Internet Archive uses the exclusion policy intended for use by both academic and non-academic digital repositories and archivists. See our exclusion policy.

You can find exclusion directions at exclude.php. If you cannot place the robots.txt file, opt not to, or have further questions, email us at info at archive dot org.

standardized methods of communications – privacy policies, etc. – more. Question is, will people be required to use it, or simply disregard and act dumb?

Top Ten Twenty Lies

Yes, this is a bit old, but quite good. I was wandering around and found these two articles on Guy Kawasaki’s website, about The Top Ten Lies of Venture Capitalists and The Top Ten Lies of Entrepreneurs. Great, great reading. One small snippet from each. On the VC side:

“This is a vanilla term sheet.” There is no such thing as a vanilla term sheet. Do you think corporate finance attorneys are paid $400/hour to push out vanilla term sheets? If entrepreneurs insist on using a flavor of ice cream to describe term sheets, the only flavor that works is Rocky Road. This is why they need their own $400/hour attorney too–as opposed to Uncle Joe the divorce lawyer.

and one on the Entrepreneur side:

“Oracle is too big/dumb/slow to be a threat.” Larry Ellison has his own jet. He can keep the San Jose Airport open for his late night landings. His boat is so big that it can barely get under the Golden Gate Bridge. Meanwhile, entrepreneurs are flying on Southwest out of Oakland and stealing the free peanuts. There’s a reason why Larry is where he is, and entrepreneurs are where they are, and it’s not that he’s big, dumb, and slow. Competing with Oracle, Microsoft, and other large companies is a very difficult task. Entrepreneurs who utter this lie look at best naive. You think it’s bravado, but venture capitalists think it’s stupidity.

Great stuff.