A few months ago, I left my Blackberry in favour of an Android device and I thought I'd share my experience for any lawyers out there who have been drooling over the many devices that have been hitting the market in the past while and may be wondering about making the switch.

I've had my Samsung Galaxy S Vibrant on the Bell Canada network for a few months now and I have to say that I adore it. It's my first Android device and I switched from a Blackberry Bold that was on the Rogers network.

I'm the only person at my firm, other than some IT guys who pilot different devices from time to time, who is not using a Blackberry. One of the conditions of getting it was that I would be "self supporting," which is not a big problem for a geek like me. But the degree of self-support hasn't been that high, though it's difficult to say where the supporting ends and the tinkering/tweaking starts.

In order to get the OK to hook the device up to the firm's network, the device had to use a password/PIN to login, had to securely link to our infrastructure via SSL (at least) and I had to be able to be remotely wiped if I lost it. Check, check and check.

For me, the most important considerations was that it had to work with my firm's existing Microsoft-exchange based e-mail infrastructure. I didn't wan to have to use a Blackberry for e-mail/calendar and my Android for everything else. That was a bit of a challenge, but easily overcome.

I installed Android 2.2 Froyo, which has better exchange support. It wasn't perfect, though. The device came with two different e-mail applications, the stock one and one that's part of Samsung's Social Hub. The stock one wasn't updating my contacts from the Exchange Server and the Social Hub one wasn't updating my calendar. So I had to have them both running to make sure all my bases were covered. And though they purported to have push functionality, mail was delayed a bit. Not by much, but I wanted instant.

So I did some looking around and found Nitrodesk's Touchdown. I installed the 30-day trial two weeks ago and within a week forked out the US$20 to get the license (the only difference between the 30-day trial and the licensed version is you can't change your signature in the trial version). The Exchange integration with Touchdown is head and shoulders above the programs that came with the device. Now, my mail is instant, my contacts are always synched and changes to my calendar are updated almost instantly.

I've also downloaded a program called Office Talk, which gives me access to my firm's Microsoft OCS instant messaging platform and presence notifications. (None of my Blackberry-toting colleagues have access to the firm's IM away from their desks.)

One of the cool features that comes stock on the Galaxy S Vibrant is the Swype keyboard. Since there's no built-in keyboard, users can choose from dozens out there. The Swype keyboard allows you to just drag your finger from letter to letter on the keyboard image, and it knows what you're typing. You don't even need to be very accurate, since it knows when you drag your finger dear the "D" to the "A", then close to "V" and back around near the "E", you're probably typing "Dave." Much easier, at least to me, than trying to poke at small keys. Another keyboard layout that's included allows for voice input that is shockingly accurate.

Once I got my messaging/calendar/contacts arrangement perfectly sorted out, my Android phone is head and shoulders above my old Blackberry. Comparing the screens and the web-browsers is not a fair fight. I can watch a full movie on it without eye strain. The web-browser is a real browser that runs flash. I can stream content without a hiccup. The Google Maps app is awesome and I use the turn-by-turn navigation regularly. (No need for an in-car GPS, particularly since the navigation app now caches mapping info so it works without a wireless signal.)

Some of my clients use Skype to connect far-flung employees, and it works great on the device (no video support yet, but it's coming). There are other really useful apps in the Android market, like Tasker which allows you to customize all of the phone's settings. I've used it to automatically set it to silent mode when when the phone is face-down in meetings. Similarly, it detects when it's in my car-dock and changes to "car mode", which can read incoming e-mails and redirects all calls to the speaker phone. It can even be programmed to change settings when you're in a particular place, like shutting off e-mail downloading when you're at home.

Another great feature for mobile lawyers is that you can turn the device into a mobile WiFi hot-spot. I've found myself in meetings where I needed a document from our document management system, but had no WiFi. Within seconds, I can turn my phone into a WiFi router so I can connect my laptop to my office network and get the document. Piece o' cake.

My kids, of course, love the games. I never had my kids ask if they could use my Blackberry, but they're constantly asking to use my phone to play Angry Birds, Doodle Jump, Fruit Ninja and Raging Thunder 2. (While I'm writing this, my eight-year-old just walked up and asked "Can I play on your phone?")

So, overall, I'd say that RIM no longer has a stranglehold on the enterprise. I could go back to a Blackberry, but I sure don't want to. The only downside is that there's so much innovation and iteration going on that I'm envious of newer Nexus S. And the just-announced Galaxy S II. And the Xoom tablet with Honeycomb.

How often do you have to capture the contents of websites, for use in presentations, as trial exhibits or to illustrate your fabulous slaw.ca posts? You can do the usual "print screen" function that's built into your operating system, but that usually snags a whole bunch of other stuff (like your toolbars or other tabs that are open). Usually you want to show the web page only, without other distracting stuff that detracts from what you want to convey. In addition, using "print screen" it only captures the portion of the webpage what's visible on the screen, not the entire page. Other techniques, like printing the page to PDF, often change the formatting and layout of the page.

Over the last few months, I've switched to using the Chrome browser almost exclusively and was very excited to discover a great app in the Chrome Store that, at the very least, will cut down on the amont of editing I have to do of image files for including in PowerPoint presentations. The free app is, appropriately enough, called Screen Capture. With one click, you can choose to capture a portion fo the screen, just the whole screen or the entire page. It will also snag the rest of it horizontally and vertically so you don't miss anything. And it'll save it as a lossless PNG.

If you regularly need to capture any online content, you need this.

You may have seen the recent Wall Street Journal article on the privacy implications of certain iPhone, iPod Touch and Android apps that disclose information to advertising networks without the explicit knowledge of the user. It didn't take long, but now a class action lawsuit filed in California against Apple for allowing this to happen. See: Apple sued over privacy in iPhone, iPad apps | Apple – CNET News.

I think that this lawsuit is directed at the wrong party (Apple Computer Inc.) and, if it is at all successful, will be harmful to the internet.

This is similar to going after Facebook for everything that their app developers do. Where on party provides a platform (in this case, a mobile device) and another party builds applications on that platform, the key issue that needs to be addressed where privacy is concerned is “where should accountability for privacy lie?” Getting it wrong will stifle innovation in this currently burgeoning area of the Internet ecosystem. Placing all the responsibility on the platform provider will discourage innovators from making new technologies available to the public, to the detriment of those users who are supposed to be protected by privacy rules. Instead, third-party service and application providers should be responsible to users (and to the courts) for their collection, use and disclosure of personal information.

Just imagine what might happen if the already restrictive Apple is found liable for providing app developers too much latitude in structuring their apps. Would this encourage innovation in applications for users? Nope.

Similarly, should HP or Microsoft be responsible if I download spyware? No. Just because this technology is newer, we shouldn't be thinking we need to start from scratch without common sense.

We are increasingly seeing platforms built on platforms, where third-parties can build on the technologies of others to contribute to the rich diversity of the Internet ecosystem. Layers of platforms, built by a diversity of innovators, is the key to what makes the Internet so cool. Open APIs and an open development environment lead to really great and innovative applications.

Perhaps the most widely known “online platform” in recent times is the framework that has been provided by Facebook to allow for the interaction of Facebook’s end-users with various third-party applications, including games, surveys and the like. Like most new technologies that handle personal information, the development of the Facebook platform requires close scrutiny from the perspective of consumer privacy. They perhaps didn't get it right the first time around, but they've apparently learned from their mis-steps. But if something happens on Facebook (with an app) that is abusive of privacy, it doesn't mean that it's completely Facebook's fault. But it's a conclusion that is all to easy to reach. Same goes for privacy abuse on an iPhone: just because Apple created the device doesn't mean that it's really Apple's fault.

These “platforms” are fundamentally akin to the hardware and operating systems that are available on large servers and, most importantly, similar to operating systems available on personal electronic devices, including personal computers, personal digital assistants and smart phones. When Facebook welcomed third-party applications onto its “platform”, Facebook went from being a single purpose application to an operating system on which, or through which, individual users are able to execute a range of applications provided by third-parties. The appropriate analogy would be the movement from dedicated, single-purpose word processing systems, such as those offered by single vendors in the 1960’s and 70’s, to personal computers that allowed the end-user to install and therefore interact with multiple software packages provided by multiple software vendors. In many instances, third-party applications are able to interact with each other and, almost invariably, all of them interact with the operating system. The move from single purpose devices to more general computing systems did not engender a significant fear about privacy. The platform (mainly, the operating system) was installed on hardware owned by the end-user him/herself, and the user decided what applications to install. This decision was hopefully an informed one in which the user was able to identify.

The suggestion that the hardware manufacturer or the supplier of the operating system is ultimately responsible for applications developed by third parties that are installed by end-users is very problematic, bordering on absurd, and lets the third-party application developers off the hook too easily. It also implicitly assumes that the third-party application provider is somehow acting on behalf of the other party. On the contrary, most third-party applications are installed and run independently of the creators of the platform . The individual chooses what applications are run. It is the user that makes the decision as to what software to install, hopefully based on clear disclosure by the application developer. It is the user’s decision as to whether the application that may use her personal information is installed and run. That use of personal information is no longer on the platform provider’s account, but rather on the application developer’s account. The application provider should be fully accountable for its collection, use and disclosure. In connection with that, the application provider should have the burden of complying fully with the obligations set out in law.

Most platforms are designed to permit significant interaction with user data so that legitimate functions are unimpeded. For example, programmers on Microsoft Vista systems are able to access email inboxes and documents. If that access is misused, one would not point the finger at Microsoft. Similarly, one should not point the finger at the provider of an online platform for what happens when a well informed user installs software him/herself that uses personal information.

This conclusion still applies if the provider of the platform ultimately controls what applications can be integrated with it. For example, Apple requires those who distribute applications for the iPod Touch, iPhone and iPad to register and agree to certain terms and conditions. Apple currently has thousands of third-party applications distributed through their app store, all of whom have a contractual relationship with Apple and with their end-users. However, until this lawsuit there has been no suggestion that Apple is accountable for the actions of third-party applications. Similarly, third-party developers of the Twitter API are able to build onto Twitter to extend its functionality in desirable (and perhaps undesirable ways), but as long as the end-user has installed the third-party app or has consented to connecting the third-party service to the user’s Twitter account, it should not be Twitter that is held responsible for the application developer. A final example is Research in Motion's Blackberry device. Most of these devices are equipped with GPS transceivers and a number of software products enable to user to broadcast his or her location. If a user has chosen to disclose this personal information, it should not be RIM that is accountable.

To be clear, I am not suggesting that the provider of a platform has no obligation with respect to the handling of personal information. The platform provider is responsible for its own collection, use and disclosure of personal information. The same should be the case for third-party application providers. But the two parties, unless they are jointly providing a service to the end-users, should be kept distinct and each should be accountable for its own collection, use and disclosure of personal information.

The final question is, "why is this important?" This is important because we are seeing fantastic innovation on the internet based on sophisticated computing platforms that are welcoming to new, innovative developers. Software and user experiences can be crowdsourced. Oftentimes, the platforms and the application developers have no relationship at all. To hold all platform creators responsible for all applications that can be installed on them will likely have two very negative consequences: first, it will provide an incentive to lock down platforms, which will stifle creativity and innovation. Second, it will provide an incentive to interject complicated legalistic structures between the platform and the third-party apps, also stifling innovation and creativity.

In the end, users benefit from innovative new products and services, and should look to the application providers to be accountable for their own collection, use and disclosure. Making the platform developers responsible for it is paternalistic and problematic.

Update: you can find the pleadings on Justia here. The claim is against Apple, Inc, Backflip, Dictionary.Com, Pandora, Inc, and The Weather Channel.

Since the advent of the Personal Information Protection and Electronic Documents Act, there has been uncertainty among lawyers, private investigators and insurers about what impact this law has on the litigation of private tort claims. There has been some guidance from the Ontario courts in the Ferenczy decision, but the law was still unsettled. The only case to address this, Ferenczy v MCI Medical Clinics, was all about whether information collected (allegedly) in violation of PIPEDA would nevertheless be admissible. The court concluded that PIPEDA does not apply to the collection of surveillance information by a PI to defend a court claim, but arguably that conclusion is obiter.

The Office of the Privacy Commissioner of Canada has taken the position that PIPEDA applies to insurers undertaking the defense of their insureds. This position has led to the conclusion that plaintiffs have a right of access, under PIPEDA, to the insurer’s files and perhaps some of those maintained by defence counsel. While PIPEDA does allow some collection of information, such as surveillance, without the consent of the individual in limited circumstances, the Commissioner has maintained (in a finding and in guidance to the industry) that this is only permissible where all other avenues of investigation have been exhausted.

The rules appear to be settled as a result of a recent decision of the Federal Court in State Farm v Privacy Commissioner of Canada, 2010 FC 736. A number of insurers have been dealing with requests for access to privileged information and complaints about video surveillance. The insurer in this case argued that the defence of an insured under a policy of insurance is not “commercial activity”. Fundamentally, is is a private claim between private individuals. One party to the private lawsuit has the advantage of being defended by an insurance company, which has an obligation to collect information to defend the claim. Because PIPEDA regulates the collection, use and disclosure of personal information in the course of commercial activity, a finding that defending a tort claim is not commercial activity would mean that the law does not apply. The courts already addressing the underlying tort claim would be the proper place to address document disclosure and possible privacy claims.

This insurer challenged the jurisdiction of the Privacy Commissioner to investigate a complaint made by a personal injury plaintiff. The Commissioner decided that because the insurance company is carrying on commercial activities generally, the law applies. State Farm challenged this decision by bringing an application for judicial review in the Federal Court of Canada. Four other virtually identical cases were stayed pending the resolution of this case. After a two day hearing, the Federal Court decided on July 9, 2010 that PIPEDA does not apply to the defense of a third-party tort action, even if carried out by an insurance company.

The Court concluded that it would not be a commercial activity for a defendant, herself, to collect evidence for the defence of a tort claim. There is no “commercial character” associated with that particular activity. The Court then concluded that, because the primary characterization of the activity is not commercial, using a third party (such as an insurer, a law firm or a private investigator) to carry it out does not render it commercial:

[106] I conclude that, on a proper construction of PIPEDA, if the primary activity or conduct at hand, in this case the collection of evidence on a plaintiff by an individual defendant in order to mount a defence to a civil tort action, is not a commercial activity contemplated by PIPEDA, then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct on his or her behalf. The primary characterization of the activity or conduct in issue is thus the dominant factor in assessing the commercial character of that activity or conduct under PIPEDA, not the incidental relationship between the one who seeks to carry out the activity or conduct and third parties. In this case, the insurer-insured and attorney-client relationships are simply incidental to the primary non-commercial activity or conduct at issue, namely the collection of evidence by the defendant Ms. Vetter in order to defend herself in the civil tort action brought against her by Mr. Gaudet.

In the end, the investigation reports and the surveillance video at issue were determined to not be subject to PIPEDA.

The Court also considered the OPC’s jurisdiction to investigate complaints such as the one at issue. Under PIPEDA, the Commissioner must investigate all complaints, so the OPC does have authority under PIPEDA to investigate to “test the bona fides of the exemption or non-application claim.” The Court does not provide specific guidance on the extent to which the OPC is able to investigate to determine whether PIPEDA applies at all. It would be arguable that once an insurer, in any future cases, has established that it is defending a third-party claim on behalf of an insured, the Commissioner would have to cease its investigation.

It must be underscored that this case only applies to the defense of third-party claims. Where there is a coverage dispute or other controversy with the insurer’s own policy-holder, the relationship between the parties is commercial because of the underlying policy so that PIPEDA would likely apply. It must also be emphasized that the findings of the Federal Court in State Farm v Privacy Commissioner do not apply in British Columbia, Alberta and Quebec where provincial privacy laws do not rely on “commercial activity” as the basis for jurisdiction. It will remain “business as usual” in those provinces.

Unless this decision is appealed, it stands for the proposition that the use of a commercial agent does not mean that the underlying activities are automatically subject to PIPEDA.

(Check out Dan Michaluk's great summary as well.)

I was reading an interesting article in the Lawyer's Weekly today on the recent Supreme Court of Canada decision in R. v. Morelli, [2010] SCC 8. In his article, "Reforming Search & Seizure" (sadly, not available online), Professor Benjamin Goold makes the following comment that I tripped over while reading:

Although Justice Fish almost certainly went too far when he claimed that it is "difficult to imagine a search more intrusive, extensive or invasive of one's privacy than the search and seizure of a personal computer," the fact remains that such a search represents a serious infringement of an individual's right to be secure against unreasonable search and seizure under s. 8 of the Charter.

I have to say I'm with Justice Fish on this one. He didn't go too far in making that statement, and I'm glad to hear it.

A personal (emphasis on the "personal") computer is more than just a container of wires, chips and magnetic media. A huge amount of highly personal data resides on home computers. Think about what's on your personal computer. Probably years worth of e-mails, scanned documents, tax returns, photos, home videos. If a person already has a lawyer, the computer almost certainly contains privileged correspondence. Your browsing history shows what ailments you were looking into on WebMD . In this day and age, the personal computer has become the shoeboxes of photos on the shelf in a closet. It is the equivalent of the bundle of letters in a desk drawer. An order for the police to seize your computer is akin to an order that all of your family records should be taken.

In far too many cases, a pesonal computer is an instrument of criminality and horrible exploitation. I'm not suggesting they are sacred, only that Justice Fish is right.

[1] This case concerns the right of everyone in Canada, including the appellant, to be secure against unreasonable search and seizure. And it relates, more particularly, to the search and seizure of personal computers.

[2] It is difficult to imagine a search more intrusive, extensive, or invasive of one’s privacy than the search and seizure of a personal computer.

[3] First, police officers enter your home, take possession of your computer, and carry it off for examination in a place unknown and inaccessible to you. There, without supervision or constraint, they scour the entire contents of your hard drive: your emails sent and received; accompanying attachments; your personal notes and correspondence; your meetings and appointments; your medical and financial records; and all other saved documents that you have downloaded, copied, scanned, or created. The police scrutinize as well the electronic roadmap of your cybernetic peregrinations, where you have been and what you appear to have seen on the Internet — generally by design, but sometimes by accident.

These searches can be incredibly intrusive and those with a role to play in the justice system need to be reminded of that.

On Tuesday, May 25, the Minister of Industry introduced in Parliament Bill C29, also known as an Act to amend the Personal Information Protection and Electronic Documents Act.

Bill C-29 is the long-awaited government response to the five year mandatory review of PIPEDA and contains a number of very significant amendments that, if passed, will alter the landscape of privacy law compliance in Canada. At a very high level, it provides mandatory breach notification for security breaches related to personal information, attempts to clarify the confusing “lawful authority” provisions in Section 7 and also facilitates the disclosure of customer and employee information in connection with business transactions. This post will attempt to summarize the significant amendments, but since the ink is barely dry on the bill readers should check out the amendments for themselves either at the parliamentary website or on the marked up version that I have created and have posted to the Canadian Privacy Law Blog.

Business Contact Information

The first significant change is the exclusion of “Business Contact Information” from the purview of the statute. "Business Contact Information" refers to an individual’s name, position name or title, work contact details (including e-mail address) and any similar information of the individual so that, in the new Section 4.01, business contact information is excluded from the provisions of PIPEDA if business contact information is collected, used or disclosed solely for the purpose of communicating with the individual in relation to their work.

Valid Consent

Bill C-29 raises the bar, or at least clarified, what is necessary to get consent from an individual. Section 6.1, entitled “Valid Consent” clarifies that the consent that is required under Principle 3 of the CSA Model Code is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting. This likely raises the bar on what is valid consent.

Witness Statements and Work Product

In Section 7, which allows the collection, use or disclosure of personal information without consent a number of changes have been added to permit the collection, use and disclosure of information in witness statements where it is necessary to assess, process or settle an insurance claim. In addition, information produced by individuals in the course of their employment is exempt from the consent requirements provided that the collection, use and disclosure are consistent with the purposes for which the information was produced. This particular exemption codifies what is often referred to as “work product” exception to consent.

Lawful Authority

Also in Section 7, the government has attempted to clarify what has been a very confusing provision regarding disclosures to law enforcement. Section 7(3)(c.1) permits the disclosure to government institutions and law enforcement where the government body has identified its “lawful authority” to obtain the information. The meaning of "lawful authority" has been very problematic since the first version of PIPEDA, with interpretations ranging from legal authority to compel or just part of a lawful process. Though I have strong opinions on what it should mean, I was looking for clarification on what Parliament thinks it means. I was disappointed. Lawful authority is "defined" in the new Section 7(3)(c.1):

(3.1) For greater certainty, for the purpose of paragraph (3)(c.1)

(a) lawful authority refers to lawful authority other than

(i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or

(ii) rules of court relating to the production of records; and

(b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.

Also in Section 7(3)(c.1), the government has added to the circumstances where information could be disclosed without consent, provided there is lawful authority of course, for the purpose of performing policing services that are not otherwise referred to in Section 7(3)(c.1). Sub paragraph (iv) permits a disclosure for the purpose of notifying next of kin of an injured, ill or deceased individual.

Gag Order

A notable addition to PIPEDA is a “gag order” that prohibits an organization from notifying an individual that information has been requested or obtained by a government institution or part of a government institution under a range of provisions contained in Section 7(3). Before it notifies the individual, it has to notify the government institution and get their OK. If the government institution vetoes the disclosure, the organization is not allowed to notify the individual but is required to notify the Privacy Commissioner.

This above provision supplements what had previously been the case where an individual had made a request for access to their own personal information or an account of its collection, use or disclosure where that personal information had been the subject of a government request.

Removing Investigative Bodies

Notably, these amendments have completely done away with investigative bodies. It used to be that under Section 7(3), an organization could disclose personal information to designated investigative bodies for the purposes of investigations. Investigative bodies included the Insurance Fraud Bureau of Canada, most Barristers’ Societies and other professional regulators. Instead, the new Section 7(3)(d.1) permits disclosures to another organization where that disclosure is necessary to investigate a breach of an agreement or a violation of the laws of Canada or Province or is necessary to prevent, detect or suppress fraud where it would be reasonable to expect the disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud. Subsection (d.2) allows disclosures to government institutions or next of kin related to “financial abuse”. Finally, Subsection (d.3) further permits disclosures for notifying the next of kin of injured, ill or deceased individuals.

Business Transactions

The new Section 7.1 permits disclosures and uses of information in connection with a “prospective business transaction”. This term is defined to include a range of transactions, including purchase or sale of a business, mergers and amalgamations, financings, leasings, and joint ventures. This section 7.1, parties to a perspective business transaction can use and disclose personal information without the knowledge or consent of the individual if they have entered into an agreement that requires the recipient to use the information and disclose it solely for the purposes related to the transaction, to protect that information with appropriate safe guard and, if the transaction does not proceed, to return or destroy the information within a reasonable period of time. It is also a condition that personal information be necessary to determine whether to proceed with the transaction and is necessary to complete the transaction. Once the transaction is completed, Subsection (2) permits the parties to the transaction to use and disclose the personal information without consent, provided they have entered into an agreement that requires them to reach only used information for the purposes for which it was originally collected, to protect that information and to give effect any withdrawal with consent as is already provided for under Principle 3 of the CSA Model Code. It is an overriding condition that the personal information be necessary for carrying on the business or the activity that was the object of the transaction and that the individuals are notified within a reasonable time after the transaction has completed of the transaction and that their personal information has been disclosed.

This provision that permits the use and disclosure of personal information for business transactions does not apply to business transactions where the primary purpose or result is the purchase, sale or other acquisition of personal information.

Employee Personal Information

The new Section 7.2 will mark a significant change in how PIPEDA applies to employees of federal works, undertakings and businesses. No longer is consent of the individual required to collect use and disclose employee personal information if that collection use or disclosure is necessary to establish, manage, or terminate the employment relationship, provided that the employer has notified the individual that the personal information will be or may be collected, user disclosed for these purposes.

Breach Notification – Notification of the Commissioner

Perhaps the most notable addition to PIPEDA in Bill C29 is the addition of Division 1.1, which deals with breaches of security safe guards. The new section 10.1 requires an organization to report to the Privacy Commissioner any “material breach” of security safeguards. Whether the breach is material depends upon the sensitivity of the information, the number of individuals whose personal information was compromised and an assessment by the organization whether the cause of the breach or a pattern of breaches indicates a systematic problem. The form of the notice will be set out in the regulations. The Commissioner has no power to require the organization to notify individuals, nor does she have any power to seek a remedy on behalf of affected individuals unless they themselves complain.

Breach Notification – Notification of the Individual

The new Section 10.2 deals with notification to the individual, which is mandatory if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Section 10.2(2) defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Subsection (3) then goes on to provide guidance on whether there is a “real risk”, which is based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused. The notification has to contain enough information to allow the individual to understand the significance of the breach to them and to take steps to mitigate that harm. Notice has to be given as soon as feasible after the organization confirms the occurrence of the breach and concludes that they are required to give notice occasionally under Section 10.2(1). The form and manner of notice may be prescribed in regulations, which I anticipate will allow for notice to large groups of people though the mass media where it is not feasible to give individual notice.

This new Section 10.3 allows organizations to give breach notification to other organizations that will help to reduce the risk of harm that could result from the breach or to mitigate that harm.

Earlier this week, Michel-Adrian Sheppard blogged on Slaw about Google's new Government Requests Tool (Google Releases Data on Government Requests for Private User Data). I blogged about it as well here. I'm all in favor of pulling this out of the shadows and into the sunlight.

It's interesting to peruse the numbers and to read the FAQ.

While the information provided raises a bunch of questions, they are very important questions to ask. What are the nature of the demands for customer information? Criminal law or national security? What are the relevant Google products involved? Why so many government demands in Brazil?

But I'd really like to see other online service providers step up and provide this level of transparency. Bell, Aliant, Rogers, Shaw and other Canadian online service providers and ISPs should provide this same information for their operations. How many requests do they currently get? From whom? Which province? What is the legal authority? With or without a court order?

This is particularly relevant as the former Bill C-47 (Technical Assistance for Law Enforcement in the 21st Century Act) will likely return to Parliament which, if passed, will allow the police to demand customer information from telecommunications companies in Canada without a warrant.

Late last year, the RCMP changed its policy for access to criminal records information via the Canadian Police Information Centre (CPIC). Reputable companies, up until that point, had been able to obtain police records clearances through local police departments. These clearances were conditional upon the background checking company obtaining signed consent from the individual and making those consent forms available for spot audits. Provided the proper consent was obtained, background checking companies had been able to provide same-day results if the name, address and date of birth provided did not result in any "hits" in CPIC. In most cases, where there may be derogatory information, the individual would have to appear for fingerprinting so that his or her identity could be confirmed. This practice meant that those who had clear records could go on to the next stage of the process for their job application, volunteering application or whatever.

For records where a pardon has been granted for certain sexual offences, a notation is made in CPIC's databases. It used to be that the police would provide, with the individual's written consent, confirmation that no such notation exists provided that the person was being screened for working or volunteering with vulnerable populations.

These checks were facilitated by professional background screening companies, in cooperation with law enforcement, who would often be able to provide an "all clear" within the day.

Now, all screening requires fingerprints and about 120 days' wait. The RCMP is saying that they are simply doing what the Criminal Records Act requires them to do. I don't buy it. The Act says that the RCMP can disclose the existence of a notation if the person has provided written consent and the check is made for a paid or volunteer position that is one of authority or trust relative to children or vulnerable persons.

According to an article in today's Globe & Mail, a number of volunteer-staffed organizations have cancelled programs because the 120 day wait cannot be accommodated. What may be worse, some organizations may be foregoing these checks and permitting unscreened people to work closely with vulnerable populations.

This is untenable, in my view. I'm not in favour of widespread criminal records checking where it is not relevant to the position, but these checks are very often relevant for certain employment or volunteer positions. Provided the person has provided clear, informed, unambiguous consent, there is no reason why an "all clear" can't be given forthwith. I can understand that you would want to avoid the possibility of erroneously saying that a person has a criminal record or a pardoned sexual conviction, so the practice of fingerprinting should continue where there might be a "hit". But where there is no reason to think a person has a record, that information should be provided right away.

Volunteerism is important. Silly policies should not have the effect of impeding volunteer efforts, nor should they discourage prudent screening that keeps predators away from the vulnerable.

I've been a faithful follower of Cryptome for quite some time. Cryptome has been posting very interesting and controversial content on the internet since 1996. It was the first WikiLeaks. Recent readers would note some publications that are very interesting for those who are interested a look at the level of cooperation of between internet service providers and law enforcement. Some of the reaction has been overblown, in my view. Nobody should be surprised that service providers hand over customer information in response to warrants and subpoenaes. Where the law requires it, banks do it, pharmacies do it, libraries do it and credit card companies do it. I think it would be shocking if service providers didn't have policies and procedures for this. What would be more troubling would be the extent to which service providers hand over information in the absence of a lawful requirement.

Most recently, Microsoft served a DMCA notice on Cryptome and its hosting provider, demanding that their Global Criminal Compliance Handbook be removed. Cryptome countered and Microsoft ultimately caved. My personal view is that service providers should make this information public so that customers really understand their digital footprints.

So if you want to see what Facebook, AOL, PayPal, MySpace, AOL and Skype will provide in response to a lawful demand, check out Cryptome.

And for lawyers, these documents will tell you what you can expect to get in response to a lawful demand.

I hope that this is not a new theme emerging: privacy proceedings in limbo.

Last week I wrote about how the recent vacancy of the Information and Privacy Commissioner's office in BC could have placed all pending files on hold. Now, this week, we have a decision [PDF] from the Alberta Court of Appeal that suggests the Commissioner there, Frank Work, may have lost jurisdiction over at least 180 pending cases.

The legislation in issue requires the Commissioner to follow certaint timelines, which can be extended by the Commissioner. From the Personal Information Protection Act:

50(5) An inquiry into a matter that is the subject of a written request referred to in section 47 must be completed within 90 days from the day that the written request was received by the Commissioner unless the Commissioner

(a) notifies the person who made the written request, the organization concerned and any other person given a copy of the written request that the Commissioner is extending that period, and

(b) provides an anticipated date for the completion of the review.

Some lower court decisions have found that the Commissioner would lose jurisdiction for not complying with the timelines, while other authorities have not found such a drastic effect from such a lapse. But in any event, the decision means that the Commissioner may have lost jurisdiction in many cases currently sitting on his desk.

According to an interview with the Edmonton Journal, Commissioner Frank Work says that he intends to appeal to the Supreme Court of Canada.

This past week, the Government of British Columbia announced that Information and Privacy Commissioner David Loukidelis would be leaving that post to take on the role of Deputy Attorney General of the province. The transition will be effective February 1, 2010 though his resignation as Commissioner [PDF] was effective immediately.

David was appointed Commissioner in 1999 and he has overseen a dramatic transformation in privacy laws affecting British Columbians. The Personal Information Protection Act came into being during his tenure and his report on the effect of the USA Patriot Act on the privacy of Canadians is known around the world. He has had a great relationship with the privacy bar. I am sure I speak for most practitioners in saying he will be greatly missed in the privacy world.

This is sufficiently newsworthy for Slaw. But there's a twist.

Apparently, no provision was made for an interim Commissioner and the Office of the Information and Privacy Commissioner has received advice that without an interim Commissioner, there is no jurisdiction for the office to do anything. Under the Freedom of Information and Protection of Privacy Act, the powers of the Commissioner are vested in the person of the Commissioner, who can delegate those powers. As they see it, if that office is vacant, there is nobody who can exercise those powers and they are of the view that the previously delegated powers are now defunct. The Office apparently can't open files and can't grant extensions for access requests. Mary Carlson wrote an urgent letter to Premier and then another to the Speaker of the Legislature [PDF], asking whether an interim commissioner had been appointed and, if not, to do so urgently.

It will be very interesting to see how this story unfolds.

(As an aside, Jennifer Stoddart's seven year term as the Federal Privacy Commissioner comes to an end in December of this year. She is eligible to be reappointed, but I don't expect we'll hear anything definitive about her future plans until closer to the end of the year. Just in case, note to Stephen Harper: Mind the gap.)

This just in: the Government of BC has appointed an interim Commissioner.

I've noticed that lawyers tend to be second wave adopters of technology. Not quite on the cutting edge, but once that edge blurs into the maintstream most (young? progressive? keen? geeky?) lawyers are there. There are dozens of examples, from e-mail to social media. Lawyers, law firms and legal education are all there. But one thing I've noticed is that the massive movement to video seems to have left lawyers behind (or, more likely, lawyers have left it behind).

My eldest kids have videos on YouTube. I've picked up an HD camcorder for less than $150. The barriers to entry have been reduced to virtually nothing, but I haven't been able to find any useful, educational law-related video content online.

It is not that it cannot be done. Fellow practitioners of my non-legal obsession, photography, have jumped on the video bandwagon with both feet and are educating hobbyists in all aspects of the craft. For free and for fee. Leaders, such as Scott Kelby, have loads of quality content avilable at no charge. Check out D-Town TV for 25 quality episodes on just about every photographic topic. If you're more of a Canon person, you can get your gear and technique fix at LensFlare35. There are hours and hours of free content out there, and much of it is professionally produced. If you're willing to pay for some serious online education, Kelby Training and others will teach you all you need to know about photraphy, lighting, weddings and photoshop.

There's a reason why masses of educational video content are available online. It's a great way to learn.

Obviously photographers are a creative bunch, so it shouldn't be a surprise they are embracing technology to learn and share. But this is no longer cutting edge. Where are the CLE providers? Where is video-on-demand CLE?

(Perhaps it's there and I've just been spending too much time with my eye in the viewfinder. If so, don't hesitate to tell me in the comments.)

I often wonder why it appears that only a small handful of people are regularly engaged in real discussions about what is happening with privacy in Canada. These discussions typically — at least in my experience — take place on blogs, tweets flying around the 'net and regular submissions to parliament by organizations like the Canadian Bar Association. Security breaches regularly get coverage in the media but the creeping erosion of privacy in pursuit of crime-free neighbourhoods and safe travelling seldom gets much attention.

The proposed implementation of body scanners in Canadian airports is a major exception to this and I've been delighted to see some real discussion about this very intrusive technology. The Halifax Chronicle Herald ran a front page story (Safety versus privacy) in which they kindly allowed me to share my thoughts. Our local CTV station had a piece that eschewed soundbites and instead focused on balancing privacy and the desire for security. Brian Bowman's monthly column in the Winnipeg Sun (Privacy folks crying wolf on scanners) offers his nuanced opinion and concludes:

I want to be safe when I fly. I also want my privacy respected. Canadians have every right to demand both. Thankfully, if you look at the manner in which the scanners will be rolled out, there appears to be a good balance between security and privacy.

Frank Work, the Information and Privacy Commissioner of Alberta, doesn't mince words in an interview with the Edmonton Sun (Privacy boss pans scans):

"What will they do next, after the next incident? We're running out of toys and technological silver bullets," said Work, one day after the federal government announced the new airport security measures.

….

"The bottom line is it's a dignity issue, and either out of fear or because we don't want to stand in line too long, we've forsaken any notion of dignity — it's like, all right, we'll assume the position," said Work.

…

Work said that because human-monitored body scanners aren't perfect, showing only a surface view of the nude passenger, he believes it's a matter of time and/or tragedy before the next step is taken.

"The system is still prone to failure, so let's say the next guy packs his ass with however many grams of (plastic explosive) he can shove up there, and either successfully or unsuccessfully detonates it. What do they do next?" said Work.

…

"At what point do we say, 'Holy crap man, you're patting me down, you've got pictures of me naked, you've got me squatting on a chair, and you've taken my water bottle away'. I mean at what point is enough, enough?"

The Federal Commissioner, in October and well before the recent underwear bomber incident, gave conditional approval to the technology for secondary screening (A necessary image – The Globe and Mail).

Meanwhile, well-respected security expert Bruce Schneier (Schneier on Security: Post-Underwear-Bomber Airport Security), suggests that government is accomplishing little by looking backwards:

Despite this, the proposed fixes focus on the details of the plot rather than the broad threat. We're going to install full-body scanners, even though there are lots of ways to hide PETN — stuff it in a body cavity, spread it thin on a garment — from the machines. We're going to profile people traveling from 14 countries, even though it's easy for a terrorist to travel from a different country. Seating requirements for the last hour of flight were the most ridiculous example.

The problem with all these measures is that they're only effective if we guess the plot correctly. Defending against a particular tactic or target makes sense if tactics and targets are few. But there are hundreds of tactics and millions of targets, so all these measures will do is force the terrorists to make a minor modification to their plot.

It's magical thinking: If we defend against what the terrorists did last time, we'll somehow defend against what they do one time. Of course this doesn't work. We take away guns and bombs, so the terrorists use box cutters. We take away box cutters and corkscrews, and the terrorists hide explosives in their shoes. We screen shoes, they use liquids. We limit liquids, they sew PETN into their underwear. We implement full-body scanners, and they're going to do something else. This is a stupid game; we should stop playing it.

The cynic in me thinks that the debate may not change anything, but if it raises awareness of how privacy is being traded away in favour of security (or the illusion of security), that's a good thing in and of itself.

I am greatly afeared that this may be old news to some (though I did search slaw.ca to try to make sure that it has not been mentioned here), but it was news to me. And very cool news indeed. The federal parlimentary website has added XML/RSS tracking for the status of Bills. Want to know when a bill is out of committee, or has been sent to the Senate for a sober second thought? Just go to LEGISInfo, choose your favourite bill (or your least favourite bill). Then click on the tag and let your browser or RSS reader keep on top of it for you.

XML, is there anything you can't do?

The Vancouver Sun is reporting that the current government plans to introduce a Bill in Parliament tomorrow that will require internet service providers to report suspected child pornography on sites they host or that are linked from sites they host: Ottawa aims to strengthen Internet child porn laws.

The text is not available, but when considered along with Bill C-47, the government appears to be singling out the telecommunications industry to take on additional law enforcement duties. We've generally been technology neutral in our criminal laws, but there seems to be a trend emerging to focus on what's online (perhaps to the exclusion of other venues for offensive activities). If it's a good idea to report this kind of horrible activity (to the tune of multi-thousand dollar fines for failing to do so), then shouldn't everybody have the same obligation? I'm just asking …

Today's Halifax Chronicle Herald reports that the current mayor of Cape Breton municipality, John Morgan, is about to face a disciplinary hearing by the Nova Scotia Barristers Society for professional misconduct. He's not accused of bad lawyering (he hasn't been practicing since becoming mayor in 2000), but of being discourteous to the bench in media interviews in connection with a particularly contentious lawsuit brought by the municipality against the province for a greater share of equilization funds. From the Herald article:

"Specifically, the charges allege that the member failed in his duty to encourage public respect for justice and to uphold and try to improve the administration of justice," the society said on its website.

In addition, the society said the mayor "failed to discharge his duty, as a lawyer who holds public office, to adhere to the standards of conduct as high as those which the handbook requires of a lawyer."

He’s also accused of failing to "treat the court with courtesy and respect" and failing "to uphold and encourage public respect for justice and the administration of justice."

This should be an interesting case, considering how many lawyers go into public office and how extreme political discourse has become. Untimately, to what extent should the rules of professional conduct apply to limit political speech? And should lawyer/politicians be the only ones held to standards of conduct? (I would think that may put them at a political disadvantage, but make them better politicians.)

Over the last week, privacy regulators from around the world have been meeting in Madrid at the 31st International Conference of Data Protection and Privacy Commissioners. Canada's own Privacy Commissioner, Jennifer Stoddart, has not surprisingly had a prominent role in the conference, chairing a plenary session on internet privacy. She was also a speaker at another plenary session on moving towards a global privacy framework. The private sector have been involved in the discussions and it appears that there is growing consensus that the global economy and global internet necessitate global (or at least globally compatible) privacy standards. I haven't managed to get my hands on the final communique, but Agence France Press sumarizes some of the key principles that will be the basis of of this framework:

AFP: Experts agree on proposed global privacy standards

… Under the proposed standards, data may only be processed after obtaining the "free, unambiguous and informed consent" of the data subjects and it should be deleted when it is no longer necessary for the purposes for which it was gathered.

Data collectors must identify themselves, state in clear language the purpose of the data processing and the recipients of the gathered data.

International transfers of personal data may only be carried out to a country which "affords, as a minimum, the level of protection provided for in the document," according to the proposed standards, agreed by representatives from privacy protection agencies….

It will be interesting to see where this leads.

More than twenty years ago, Canada was on the cutting edge with its newly minted Privacy Act and the Access to Information Act. Since then, we've seen each of the provinces step up to implement similar regulation for their public sectors. Though the federal laws set the benchmark at the time, they have both remained frozen in time. Despite calls from various sectors for significant reform, the Standing Committee on Access to Information, Privacy and Ethics asked the Information Commissioner and the Privacy Commissioner for their "quick fixes" or patches that may help the laws hobble along into the current century.

The Privacy Commissioner's wish list included ten quick fixes and the Information Commissioner called for a dozen immediate changes. Though the quick fixes would help, both continue to call for a complete review of the laws to ensure that they are keeping up with changing times.

Following hearings and committe recommendations, the Minister of Justice has responded to the Standing Committee on Access to Information, Privacy and Ethics' reports on reform to the Privacy Act and the Access to Information Act with a robust "thanks, but no thanks". Perhaps not surprising, but disappointing to many who follow this field.

The reports and responses are worth the read:

House of Commons Committees – ETHI (40-2) – Reports and Government Responses

Report 11 – The Access to Information Act: First Steps Towards Renewal (Adopted by the Committee on June 15, 2009; Presented to the House on June 18, 2009)

Government Response: 11th Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Access to Information Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)

Report 10 – The Privacy Act: First Steps Towards Renewal (Adopted by the Committee on June 8, 2009; Presented to the House on June 12, 2009)

Government Response: Tenth Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Privacy Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)

In the privacy community, there has been a debate over whether it is lawful, under PIPEDA, for a custodian of personal information to provide customer information when then police come knocking. The debate has been most heated in the arena of internet service providers customer names and addresses to the police when presented with an IP address. PIPEDA allows a number of disclosures of personal information without consent pursuant to Section 7(3) of the statute. One exception to the general rule relates directly to law enforcement requests:

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is …

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province; [emphasis added]

The debate has raged over differing interpretations of “lawful authority”, and there are conflicting decisions from the Courts over whether internet service providers can disclose customer name and address information to the police in response to a request.

For example, in Re S.C., 2006 ONCJ 343, the court set aside a search warrant that was based on information obtained from an ISP in response to a law enforcement request. In R. v. Kwok, the court found that the customer had a reasonable expectation of privacy in his name and address information and that the police should have obtained a warrant to get this information from the internet service provider. From paragraph 35 of that decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

More recently, in R. v. Ward, 2008 ONCJ 355 (CanLII), the court determined that the customer did not have a reasonable expectation of privacy with respect to this information because the service agreement imposed upon him by Bell’s Sympatico service reduced, if not destroyed, whatever expectation of privacy he might otherwise have had. Similarly, in R. v. Wilson, the court also found no reasonable expectation of privacy.

The pendulum may be swinging the other way. Last week, the Ontario Court of Justice released its decision in R. v. Cuttell. The Court concluded there is a reasonable expectation of privacy in customer account records, but this expectation can be destroyed by an ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepted that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy but there was no proof brought by the police that the Bell contract applied to this customer. What is perhaps most interesting is that the Judge lamendted the fact that the increasing use of "we will disclose" language in ISP contracts tilt the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

All of this may become moot (and then some!) thanks to currently pending legislation. Bill C-47, entitled Technical Assistance for Law Enforcement in the 21st Century Act, is about to come up for committee review in parliament. Introduced along with Bill C-46, Investigative Powers for the 21st Century Act, both bills represent a significant shift in the powers of law enforcement. Though marketed as updating current police powers to keep pace with technology, C-47 would give law enforcement virtually unfettered access to customer information from internet and telecommunications service providers without any judicial oversight. The particular provision is at Section 16:

Provision of subscriber information

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

I am of the view that there should be appropriate judicial oversight of any regime in which service providers are required to identify their users to law enforcement officials. (Subject to exceptions in exigent circumstances.) It is only with judicial oversight that society can be assured that the appropriate balance between privacy and public safety is maintained. The government’s proposal provides no oversight and the powers of law enforcement are completely unfettered. If the concern is that search warrants are too time consuming, then appropriate resources should be put in place to provide for rapid review by independent judicial officers. Removing all the stops from law enforcement powers it not appropriate in this case.

Currently there is a disparity of practices among telecommunication service providers and internet service providers across Canada when dealing with a request from a law enforcement agent to provide a customer name and address connected with a specific IP address. This is due to at least a measure of uncertainty in interpreting the service provider’s obligations under the Personal Information Protection and Electronic Documents Act. Most ISPs will provide customer name and address information if law enforcement officers make a written request in the course of investigation related to child exploitation. In other sorts of investigations, a search warrant is required. Other internet service providers require a search warrant in all circumstances to disclose this information.

For example, Clause 16 as drafted does much more than impose the obligation for service providers to carry out a “reverse look-up” to match one piece of information (such as an IP address) with customer billing information. Instead, it would require the service provider to give law enforcement a laundry list of information in response to any request. This sort of information would be IP address, mobile identification number, electronic serial number, phone number, equipment identifiers and others. This, on its face, goes beyond what law enforcement has been asking for, at least in public.

This power is not subject to meaningful review and is completely unfettered. There is no restriction on the circumstances under which these powers can be used. Currently, requests of this nature generally relate to child exploitation investigations or compelling national security/public safety matters. As drafted, law enforcement would be able to use these powers in connection with parking violations and very minor concerns. In fact, these powers could be used in the complete absence of a lawful investigation. In addition, there is no limitation whatsoever on the volume of these sorts of requests. It would be possible for a law enforcement agency to require the name, address, e-mail address and IP address of every single one of their customers. I think most would say this goes over the line.

It has been said before that a customer’s name and address is not “personal information” or if it is, it is not sensitive information. That misses the point. A customer’s name and address, when connected with an IP address or a mobile phone serial number, is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their “offline” life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that individual’s IP address. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. These provisions do not maintain the traditional balance as has developed in Canada under the Charter and in fact go dramatically and unreasonably in favour of law enforcement.

I've been surprised that discussion of this topic has mostly been contained within the privacy community and hope that the upcoming parliamentary hearings on C-46/C-47 will bring the debate into the wider community, where it belongs.

Today, October 2, 2009, is the last day of Right to Know Week in Canada.

Right to Know Week was originally started in Sofia, Bulgaria in 2002 as a result of a meeting of Access to Information Commissioners from around the world. Its purpose is to raise awareness of the necessity of access to information in democratic societies. This is the fourth year that it has been formally recognized in Canada and it has started to pick up momentum. The Office of the Information Commissioner of Canada set up a website at righttoknow.ca to detail the many events that were taking place across the country.

I had the honour to sit on a panel at the University of Ottawa this week to discuss freedom of information from a legal perspective. There was a general consensus that something is broken in the federal system as delays in getting information stretch from months to years. Though it was organized by the OIC, the panelists pulled no punches. For example, Amir Attaran from the University of Ottawa called for the complete dismantling of the Office of the Information Commissioner, replacing the obudsman model with an American-style "go directly to court" system. Interestingly, David Stratas of Heenan Blaikie LLP and Paul Szabo, Member of Parliament and Chair of the Access to Information, Privacy and Ethics Standing Committee, called for the entrenchment of the Right to Information in the Charter. I was very interested to hear from Denis Kratchanov, General Counsel and Director, Information Law and Privacy Section, Justice Canada, to provide the very-seldom heard perspective from within the bureaucracy. Just a great panel and the moderator, Vincent Kazmierski, facilitator, had a tough time keeping it within the two hours allocated.

This panel was just one of a series organized by the OIC, all of which will be broadcast on CPAC. The broadcast schedule hasn't been set yet, but I strongly recommend checking all of them out. And keep your eyes peeled around this time next year, as I expect Right to Know Week 2010 will be as interesting and thought-provoking as this year, if not more so.

Yesterday, the Justice and Public Safety ministers unveiled the latest generation of proposed "lawful access" legislation. Variations had been introduced in the past by previous Liberal governments, only to die on the order paper.

The texts of Bills C-46 and C-47 are now online at the Parliament website for your reading pleasure (and here are the summaries included in the bills when tabled in Parliament):

C-46 An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act aka Investigative Powers for the 21st Century Act.
First Reading

SUMMARY

The enactment amends the Criminal Code to add new investigative powers in relation to computer crime and the use of new technologies in the commission of crimes. It provides, among other things, for

(a) the power to make preservation demands and orders to compel the preservation of electronic evidence;

(b) new production orders to compel the production of data relating to the transmission of communications and the location of transactions, individuals or things;

(c) a warrant to obtain transmission data that will extend to all means of telecommunication the investigative powers that are currently restricted to data associated with telephones; and

(d) warrants that will enable the tracking of transactions, individuals and things and that are subject to legal thresholds appropriate to the interests at stake.

The enactment amends offences in the Criminal Code relating to hate propaganda and its communication over the Internet, false information, indecent communications, harassing communications, devices used to obtain telecommunication services without payment and devices used to obtain the unauthorized use of computer systems or to commit mischief. It also creates an offence of agreeing or arranging with another person by a means of telecommunication to commit a sexual offence against a child.

The enactment amends the Competition Act to make applicable, for the purpose of enforcing certain provisions of that Act, the new provisions being added to the Criminal Code respecting demands and orders for the preservation of computer data and orders for the production of documents relating to the transmission of communications or financial data. It also modernizes the provisions of the Act relating to electronic evidence and provides for more effective enforcement in a technologically advanced environment.

The enactment also amends the Mutual Legal Assistance in Criminal Matters Act to make some of the new investigative powers being added to the Criminal Code available to Canadian authorities executing incoming requests for assistance and to allow the Commissioner of Competition to execute search warrants under the Mutual Legal Assistance in Criminal Matters Act.

C-47 An Act regulating telecommunications facilities to support investigations aka Technical Assistance for Law Enforcement in the 21st Century Act.
First Reading

SUMMARY

This enactment requires telecommunications service providers to put in place and maintain certain capabilities that facilitate the lawful interception of information transmitted by telecommunications and to provide basic information about their subscribers to the Royal Canadian Mounted Police, the Canadian Security Intelligence Service, the Commissioner of Competition and any police service constituted under the laws of a province.

This will surely be controversial. Already, articles on the legislative initiatives have garnered thousands of mostly negative comments on CBC and the Globe & Mail.

Interestingly, Stockwell Day when he was Minister of Public Safety said on CBC's Search Engine [MP3 Podcast] that:

"We are not, in any way, shape or form, wanting extra powers to police to pursue items without a warrant. That is not what our purported legislation is going to be doing. That is previous Liberal legislation and that's not the path we're walking down at all."

He was similarly quoted in the Ottawa Citizen.

The topic of warrantless access to customer information is one that I find very problematic. At the press conference, it was said that this is "not a privacy issue, but a child safety issue." Also, it was said that if there's a privacy issue, it's about the privacy of exploited children. That's too simplistic. It's a privacy issue and a child safety issue and the issue requires a bit more nuance than was conveyed by the Ministers and the Bills' supporters.

The suggestion that customer name and address information is not sensitive information because it is the sort of info listed in a phone book misses the point. The sensitivity of the information depends on the context. Your name on a list of residents in a city is not particularly revealing, but your name on a list of people who are being treated for depression surely is. If police are looking for a customer's name and address, it's not because they're carrying out a census. It's because they think they have something nasty to connect that person to. And if they are looking for it without a warrant, it's because they don't have enough evidence to satisfy a judge or a justice of the peace. Or because they think constitutional rights to privacy are an inconvenience.

Supporters of lawful access also suggest that IP addresses are just like phone numbers. That also misses the point. You choose who you give your phone number to. Everywhere you go on the internet, even if you think you're anonymous, you're leaving your IP address. It's as though in the real world you left a trail of cards with only your (unlisted) phone number on them. People do completely lawful things on the internet and have an expectation of privacy with respect to those activities. Connecting their digital "footprints" to their offline identities should only be done with a warrant.

The warrantless disclosure of customer information is just one aspect of this legislation, all of which requires very careful public scrutiny.

A friend pointed me to what I think may be The Next Great Thing that may actually enable the dream of networked collaboration and communication. It's Google Wave and it hasn't left the labs yet. But if the video is any indication, it's amazing:

It's a long video (an hour and a quarter), but worth the watch.

We hear all the time about technology-enabled collaboration, but it seems more theory than reality. Until now (or whenever Wave is launched), it usually requires closed systems, hosted applications, hefty license fees or incompatible software. The Wave model puts e-mail, IM, editing, document sharing, editing and collaboration (and social networking and blogging) in one interface, presumably all hosted on Google's servers but globally accessible.

It looks incredibly cool, but is there any likelihood that corporations or law firms will pick up on it? Will privacy and security concerns keep them playing in their own sandboxes, separated from each other and stuck e-mailing draft documents back and forth?

The Philadelphia Bar Association has issued an advisory opinion (PDF) concluding that it is unethical for a lawyer to have a third party "friend" somoene on Facebook for the purposes of getting information about that Facebook user.

Facebook lets users fine tune their privacy settings, allowing a user to lock down all their info so it is only visible by friends or subsets of friends. I'm personally of the view that if a user has locked down their privacy settings, they are explicitly expressing an expectation of privacy in the material that is posted. But if someone voluntarily friends someone who made the request for investigation puropses, have they waived that privacy vis-a-vis that person? And is it unethical to try to obtain that info for the purposes of investigation? The Philly bar thinks so, but it would be interesting to know what Slaw readers have to say.

Feel free to comment on this opinion and this issue.

I expect that the needs of lawyers are somewhat different from the general public when it comes to the websites of public bodies, particularly those of regulators and tribunals. What got me thinking about it was a solicitation to provide feedback on the British Columbia Information and Privacy Commissioner's website as they embark on a refresh or redesign.

I assume that when most public bodies are thinking about their websites, they look at how to make it useful for the general public. Which is obviously important, but I know that I'm a heavy user of a number of government websites and databases, including the Privacy Commissioners', the Canadian Intellectual Property Office, and the Nova Scotia Companies Office. I don't think a (work) day goes by without looking up something on those sites. I'm sure that if the sites I've just listed did a survey, the majority of their hits (and certainly returning visitors) are lawyers.

Does that mean that the websites should be designed for lawyers? Or should they be like pharmaceutical products' sites, where the splash page presents a link for patients and another for physicians. Perhaps not, but I'd suggest that all of them should closely look at who is visiting, what they're doing and how can it be made as easy as possible.

It may be useful for those who design websites to hear from lawyers about what they want from a site they visit on a regular basis. And I guess it's up to lawyers to make their voices heard!

So I'll start the conversation:

1. The way Federal Government "bilingual" domain names work just sucks. It could be much more elegent. I understand that the Canada Revenue Agency is CRA in English and ARC in French. If you want the Canada Revenue Agency, instead of having http://www.cra.gc.ca redirect to http://www.cra-arc.gc.ca/menu-eng.html (the english version), it goes to the splash page and asks you English or French? If I'm thinking "ARC", I'm probably looking for French (and vice versa).

2. I like the Advanced Search Engine at the Privacy Commissioner's website. Though most findings end up on CanLII, I go there to look by industry, section of the Act, principle, etc. Well done, privcom!
3. I don't want to have to agree to terms of use each time I visit, as is the case at the Registry of Joint Stock Companies (RJSC) in Nova Scotia. Over and over and over again.
4. On the topic of the RJSC, I want permalinks to the each result. It's much easier to send a link to upated content to someone.
5. Not to beat up the RJSC, "Print Versions" should not have an ugly "PRINT" button and "CLOSE WINDOW" button that appears on the page you print.

Since lawyers are not known for having a shortage of opinions, any other thoughts for usability guidelines for lawyers? Add them in the comments ….

This past week, Google introduced a snazzy new application for smartphones. It's called Google Latitude and it's a bit like a location-based Twitter. It uses the GPS in your blackberry so you can know where your friends are and they can track you, too. In an age when more and more people are voluntarily putting personal information online, this takes it a next step by creating a record of where you are at almost all times.

Google touts the privacy settings, so you can adjust who can see where you are and when. The introductory video (below) has some good uses for it, such as having an assurance that your parents made it home from the airport during a storm.

There's no doubt it's cool and I'm sure the Facebook and Twitter fans will pick it up, but it's another example of how much pesonal information is being amassed in Google's massive databanks. Though we leave a massive digital data trail in our day-to-day lives, the big risk is assembling more of it in one place where it can be analyzed or retrieved later. Though you may decide to be hidden to your friends, as long as the thing is on, Google knows where you are and is undoubtedly logging it. To be fair, your phone company knows where you are at all times if you have smartphone, but adding your location to the mix of data Google knows about you has significant privacy implications. It would be handy information for the police and for lawyers in many cases. (How fast were you driving just before the accident?)

How much information are you giving to Google and how much is too much?

I wrote two weeks ago about privacy issues related to the log files that are created and retained by internet companies. The moral of that story was that there is a significant amount of information that is collected in these logs and when they are retained and collated, they can reveal a lot of personal information. I concluded by saying:

I don’t think it’s too far fetched to think of a day when it will become standard for all investigations involving the internet to include a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.

In Canada, many may remember "lawful access", which was the subject of a number of consultations beginning in 2002. The consultation backgrounder and FAQ solicited comment on preservation orders (here) but the topic was not addressed when the Liberal government introduced the Modernization of Investigative Techniques Act (MITA). I am sure that preservation orders remain on the wish lists for law enforcement in Canada, but they're not here yet.

Europe has taken a different path. In 2006, the European Union adopted Directive 2006/24/EC entitled "on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks". The Directive is meant to harmonize the retention rules of the members of the European Union. It requires that member states adopt rules or legislation to make it mandatory for communications providers to retain certain log-type data for at least six to twelve months. From the "Subject Matter and Scope" clause of the Directive:

1. This Directive aims to harmonise Member States' provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.

The Directive goes beyond web communications and includes e-mail, telephone, VOIP and mobile phones. The sort of data that has to be collected and retained is that which identifies the source of the communication, the destination of the communication, the device that was used to make the communication and the "user ID" (defined to mean "a unique identifier allocated to persons when they subscribe to or register with an Internet access service or Internet communications service"). The Directive makes is plain that communications providers are not to retain the content of the communication (Article 5(2)).

While the Directive is aimed at saving information so that it can be obtained after the fact in connection with investigations, the debate over data retention in the United States has mainly focused on what has been reported to be informal and secret arrangements made by the National Security Agency and various telephone companies to save telephone calling information. This story was broken by USA Today: USATODAY.com – NSA has massive database of Americans' phone calls.

In addition, US criminal law permits law enforcement to make a written request for the preservation of records for 90 days (renewable for a further 90 days) (US CODE: Title 18, s. 2703(f)):

(f) Requirement To Preserve Evidence.—

(1) In general.— A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention.— Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.

More recently, the Bush Administration has been pushing for broader retention requirements: FBI, politicos renew push for ISP data retention laws | Politics and Law – CNET News.

This posting has presented a brief snapshot of some legal initiatives that affect internet log retention in a selection of countries. It does not seem likely to me that the debate is over; we will likely see EU-type proposals put forward in both Canada and the US in the coming years.

In the past two weeks, the New York Times reported that Microsoft has made a minor concession with European privacy authorities about how long it retains its log files. A committee of European privacy regulators had asked that these logs be kept for only six months. Microsoft's response? Eighteen months.Yahoo used to keep them for thirteen months and just announced it will cut retention to 90 days. Google keeps them for nine.

The privacy implictions of these innocuous log files have been underestimated, particularly when you think about the fulsome picture of your private life that companies like Google may be assembling about you. The information in an ordinary web-server log usually contains the just a tid-bit of information. One "hit" on a website may look like this (but all on one line):

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700]
"GET /apache_pb.gif HTTP/1.0" 200 2326
"http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)" 

The first bundle of numbers is the IP address of the computer that requested a particular web-page. "Frank" refers to a userid, which is usually not eabled. The next field is the date" Following that, and usually preceded by "GET" is the command your web-browser sent to the server. The next bits are the status code returned by the server and then the size of the entity requested. Next is something called a "referer" (mis-spelled) , followed by details about your browser.

Since many people often share the same IP address (it could be one IP for an entire company or just a group of people in a house using the same internet connection), some have argued it is not personal information and a log-file doesn't contain personal information. The problem is that even if an IP address is not directly connected to one individual, one can do some easy analysis to make the connections. After AOL released supposedly de-identified search logs to researchers, an intrepid reporter was able to track down at least one of the users who had some very personal health-related searches in the logs (see: Users identifiable by AOL search data).

What's additionally troubling from a privacy point of view is that the large inernet companies, like Google, Yahoo and Microsoft, don't just have your search queries. Increasingly, they have a huge trove of data sources in their logs.

Take Google, for example. Google has their famous Google search. They also have GMail, Google Analytics, Google AdSense, Google Documents, Google Toolbar and more. Each time you "hit" one of their sites, you're in their logs. Most internet users hit Google's logs dozens of times a day and on many of those occasions aren't even aware that they're using a Google service. Google has what is probably the most popular and widely used network of online advertising: AdSense. Each time you go to a website that features Google's ads, your computer sends a request to Google's servers and that "hit" goes into their logs, along with the information about what site you were visiting, when you visited and what ad was served. If you click on the ad, even more information is collected and logged. But even if you don't visit a site with Google's ads, there's a very good chance that the webmaster is using Google Analytics to find out about useage of his or her site. (Full disclosure: I use Google Analytics for my site at www.privacylawyer.ca.) I should also note that Yahoo! and MSN also have advertising networks, which collect the same sort of information.What this means is that Google, Yahoo and Microsoft register in their logs a significant portion of your usage of the internet.

And if you have a Google, Yahoo! or MSN account, that hit can be connected to your account details, includig your name.

I don't think it's too far fetched to think of a day when it will become standard for all investigations involving the internet to inlcude a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.

Next week, I'll discuss efforts being made by governments and law enforcement to make log rentention mandatory.

Yesterday, the Privacy Commissioner of Canada tabled her annual report on the Privacy Act. While she came down hard on a number of federal bodies such as the passport office, one aspect of the report should be of interest to lawyers generally.

The Commissioner reports on a whole range of complaints against tribunals and quasi-judicial bodies for publishing sensitive personal information about parties and non-parties. Decisions and tribunal records have always contained such information, but now that more of these decisions are readily available online, complainants are not happy that searching for their names online will bring up these decisions in the results.

The Commissioner is hampered by the fact that she can't order them to change their practices and that many of the disclosures are arguably permissible under the Privacy Act. In any event, she has issued a number of recommendations that have been ignored by many of the tribunals at issue:

• Reasonably depersonalize future decisions that will be posted on the Internet through the use of randomly assigned initials in place of individuals’ names; or post only a summary of the decision with no identifying personal information.

• Observe suggested guidelines respecting the exercise of discretion to disclose personal information in any case where an institution proposes to disclose personal information in decisions in electronic form on the Internet.
• Remove decisions that form the basis of the complaints to the OPC from the Internet on a priority basis until they can be reasonably depersonalized through the use of randomly assigned initials and re-posted in compliance with the Privacy Act.
• Restrict the indexing by name of past decisions by global search engines through the use of an appropriate “web robot exclusion protocol;” or remove from or reasonably depersonalize all past decisions on the Internet through the use of randomly assigned initials, within a reasonable amount of time.

And in case you were thinking this may sound somewhat familiar, the Canadian Judicial Council tackled this issue in its 2005: Use of Personal Information in Judgments and Recommended Protocol (PDF).

The Canadian Press is reporting that the planned extension of US passenger screening is going ahead next year. Unlike existing rules, which require airlines to provide passenger information for flights headed to the US, the new rules will require them to provide this information even if the flight is only traversing US airspace. (See: The Canadian Press: New U.S. air security rules create turbulence in Canada.)

This raises a whole host of issues, particularly on the privacy front. The names are being scrubbed against the US no-fly list, which is notoriously of dubious quality. It has interfered with the travel plans of infants and a US Senators. It also includes the name of a certain Canadian who has been proven by a public inquiry to not be a terrorist. How many Canadians will be prevented from completing their travels to non-US destinations because they have a name similar to one on the no-fly list? I guarantee that no Canadian airline will change their route to avoid American airspace so that a passenger can be accommodated.

In addition, how is the information going to be used? Will it go into a massive database to be mined for future uses? Will US authorities force aircraft to land to arrest a passenger who is not a terrorist threat, but is otherwise wanted? Will there be a list of Canadians who regularly (and completely lawfully) travel to the embargoed island of Cuba?

This is a real conundrum. One can wave one's arms in the air and yell about privacy, but the fact remains that the United States has sovereignty over its airspace and can refuse access for whatever reason it wants. It can put conditions on that access. At the end of the day, if you want to travel and your flight takes you through their airspace, this is one of those conditions.

This sounds like part of a law school exam question: The (US) government files an indictment against an outlaw biker gang and seeks forfeiture of its assets. Among those assets are a registered trade-mark for the name of the gang and a distinctive logo. The services with which the trade-mark is associated include, in code, operating biker gang (actually "ASSOCIATION SERVICES, NAMELY, PROMOTING THE INTERESTS OF PERSONS INTERESTED IN THE RECREATION OF RIDING MOTORCYCLES"). The prosecutor says that once the mark is forfeited, police can seize bikers' colours as trade-mark infringement. Discuss.

I'm not going to give away the answer, except to say it hasn't been written yet.

Hint: rights of the holder of a registered trade-mark derive from use in the United States, so the government can only enforce the mark if it is using it. For more comment, see: Law Blog – WSJ.com : What Will the Gov't Do With the Mongol Trademark?.

A recent story from Nova Scotia has focused a lot of attention on pre-employment screening and the use of polygraphs. Hopefully, it will encourage a larger discussion on both sides of the issue.

According to media reports, anybody applying for a job that falls within the purview of the Halifax Police Service and Fire Service is required to pay for a polygraph examination that includes a range of questions, some of which have been considered to be objectionable. (See the full questionnaire here (pdf).)

Others have objected to the use of a polygraph, as many assert it is not a reliable indicator of truthiness truthfulness. (If you want a refresher on how Canadian courts are to treat polygraphs, check out R. v. Béland, 1987 CanLII 27 (S.C.C.)).

The media coverage has been plentiful, from the local papers to CBC's The National (Quicktime).
The former FOIPOP Review Officer has made his thoughts known (Ex-watchdog: Ditch polygraphs) as has his successor Dulcie McCallum (Nova Scotians deserve same privacy protection as others).

Any debate and discussion is a good thing. It should, hopefully, focus the mind on one of the principes of privacy best practices that appears in almost every public and private sector privacy law: only collect information that's reasonably necessary for the (reasonable) purposes. If it's not necessary or not reasonable, don't collect it. Other important principles to consider: who has access to the information, how is it used and how long is it kept around?

And now for something completely different somewhat relevant, yet inadmissible:

A couple of days ago, David Bilinsky blogged on Slaw about the new Client ID rules that have come into force in most jurisdictions in Canada (Slaw: New Client ID Rules). The rules are an attempt by the legal profession's regulators to try to get the federal government to back off from attempting to undermine solicitor client privilege in pursuit of money launderers.

While I'm no fan of money laundering, I have to say I'm not a fan of the new rules.

The purpose of the rules is to "know your client" in the same ways that banks are supposed to know theirs. But imposing this rule in cases where no money or valuables will pass through the lawyer's trust account may has implications for access to justice, lawyer efficiency and raises privacy issues that are not adequately addressed.

I strongly believe that individuals should have a right to anonymity, subject only to reasonable restrictions. While clients should not be able to use a lawyer's trust account anonymously, I haven't heard any compelling arguments as to why a lawyer would need to confirm a person's identity before giving them simple legal advice. Lawyers frequently get calls out of the blue from strangers or from friends of clients who need quick advice in order to effectively preserve their rights. The new rules impose a barrier to being able to do that. There may be other circumstances where a client may wish to (and have a compelling reason to) remain anonymous to the person from whom they are seeking advice.

The rules affect efficiency because they impose a requirement to confirm the client's identity each time a new matter is commenced. Even for those clients with whom you deal in a daily basis.

And the privacy angle (there's almost always one): The rules require that you keep a copy of official government ID for clients for whom you have to verify identity. It is not enough to have inspected them, but a copy must be made and kept. But for how long? Privacy laws require that you only collect personal information that is necessary for the purposes and you only keep it for as long as is reasonable to fulfill those purposes. This identity requirement is pushing the line and may actually go a little over it.

In my opinion, the new rules are overkill for addressing what may or may not be a real problem.

The American election season has almost come to an end, leaving in its wake a large volume of creative expression by the campaigns and by citizens. Viral videos have been created and circulated by candidates and their supporters since the primaries, but a recent video provides an interesting lesson in intellectual property management.

Many would remember the series of "wassup" advertisements put out by Budweiser starting in 1999 (YouTube – Wassup). You may have completely forgotten about it until this week, when a video supporting Barak Obama circulated over the internet (YouTube – Wassup 2008). It uses the same general concept, the same "look and feel" and the same actors. It was made by the same producer who did the ad for Budweiser. Which raises the question of why Budweiser would let something so closely associated with its products be used in such a partisan way.

The fact is, they didn't. According to BusinessWeek, Charles Stone III originally licensed the wassup idea to Budweiser for five years of use for $37,000. Many said that he was almost giving it away at that price, considering how much mileage Budweiser got out of the idea. But nine years later, he pulled together 50 volunteers and used the idea to strongly promote his candidate.

So what does this have to do with law? It provides a good lesson on why certain rights in intellectual property licensing should be carefully considered. Budweiser probably does not want to be associated with a particular presidential campaign and likely wishes it had bought the rights outright. Stone, on the other hand, is pretty thrilled to have kept the rights and now has the opportunity to coattail on the huge Budweiser publicity machine to spread the word for his candidate.

Food for thought.

In the space of a week, "Joe the Plumber" from Toledo, Ohio has become a minor celebrity. Since he asked Barak Obama on the campaign trail about the effect of Obama's tax policy last week, he was repeatedly used by John McCain as an example and archetype of a small business owner.

I think the story is a bit of an archetype of inadvertent celebrity and dirt-digging that just about anyone is vulnerable to when their private life is thrown into the prevailing media orgy. Dirt is dug with little concern about the effect on the unwitting subject.

So what happens next in the current environment of 24 hour news and general media frenzy? Joe the Plumber is not only thrown into the spotlight, but his life is laid under the microscope. All because he dared to step into a camera's eye by asking serious question to a political candidate. Instead of a serious discussion of tax policy and its effect on business growth, the media goes after Joe as if his private life is newsworthy. And it provides an illustration of how much info about a private citizen can be quickly ferreted out in a very brief period.

Within 24 hours of the Debate, Joe's records have been pulled and supposedly newsworthy tidbits are dangled before the public.

Stop the presses, he's not really named Joe! It's Samuel J. Wurzelbacher!

What else is he hiding?
He's a registered Republican (voters lists are public and he registered for the GOP to vote in the primary).

Dig deeper!
His name is misspelled on the voters list!

What else?
He's not a plumber! OMG!

Not scandalous enough! Get us more!
He owes taxes and a lien has been filed against his house. (Read all about it: The Associated Press: Is 'Joe the Plumber' a plumber? That's debatable.)

How is this relevant? How is this newsworthy?

Meanwhile, he was the star of a Saturday Night Live Thursday night special as John McCain's invisible friend with a magical plunger (along with Simon the unicorn who lives under McCain's bed). The real Joe the Plumber has also been offered $800,000 for the joetheplumber.com domain name.

The man is not Britney Spears and he didn't make himself a public figure. I'm left thinking "leave Joe alone".

But maybe he's not a victim of zealous media and doesn't want to be left alone. Apparently, he's passed on an invitation to appear with McCain at a campaign rally since he'll be in New York for TV interviews.

But ask yourself: what would the media be able to find out about you if you dared speak at a public forum?

For a chuckle, check out: What is "Joe the Plumber" hiding from the American people?.

With much fanfare, media attention and crashing of computers, Canada's Do NOT Call List Today went live on September 30, 2008. At leat that was the first day for consumers to add themselves to the list (at https://www.lnnte-dncl.gc.ca/).

The scheme really isn't live yet and the barrage of annoying calls I received last night alone is evidence of that. It really appears that telemarketers are trying to squeeze in as many calls as possible. The regulations establishing the list give a telemarketer thirty days to get an updated list and it is only then that they cannot call you if your name is on it. But if your name is on it, they can still call you if they are a political party, a political candidate, a charity, a newspaper flogging subscriptions or a company with which you have an existing business relationship. Also, public opinion surveys are not bound by the do not call list rules. But you can ask to be put on their internal do not call list. Seems like a string of yes, no, yes, maybe. But no.

Since the website has been up and running, I've not only put my numbers on it but have also taken a look around. The procedure for registering a complaint is very simple and I expect the next statistics we see are the number of complaints registered. The telemarketing companies I've spoken to are taking compliance very seriously, but I'm curious whether they are the exception rather than the rule.

I've also noticed a few companies that appear to be masquerading as survey companies to avoid the rules to flog cruises, condos and the like. These are generally done using Automatic Dialing-Announcing Devices (or ADADs). The use of ADADs for telemarketing (selling anything) purposes is prohibited. Their use seems to be increasingly common and how the CRTC will deal with them remains to be seen.

If you want more info on the national DNCL, you can check out some past posts and these resources:

• Canadian Do Not Call List – Wikipedia, the free encyclopedia;
• C-37, amending the Telecommunciations Act permitting the Do Not Call List;
• National Do Not Call List (DNCL) info from the CRTC
• Unsolicited Telecommunications Rules and Amendment to the Unsolicited Telecommunications Rules;

And if you're inclined to tell telemarketers not to call you, you should also take advantage of iOptOut.

I have to apologize for falling down on the job in my contributing to Slaw since my inclusion among the exalted Slawyers a few weeks ago. I have to confess I’ve been distracted by a combination of being busy at work and rediscovering a passion for photography. (You can check out some of my recent work on my site or on Flickr.)

I find it interesting that regularly taking photos changes the way you look at things. Colours, shadows, textures and perspectives stand out a lot more than they used to. Everyone walks around with particular filters affecting their perceptions. Every scene is a potential photo and every situation has a legal aspect. The law is everywhere and combining the two has made me more aware of legal issues for photographers. (I suppose it's a mental version of "if all you have is a hammer, everything looks like a nail.")

If you hang out on Flickr or in other photography communities, you'll notice a lot of discussion about intellectual property rights. While most of the discourse related to copyright in the past little while has revolved around music, it's interesting to listen to photographers. Unlike most recording artists and musicians, photographers create and market their own content directly. Other than some large stock agencies, there is no analogue to the record companies who lobby on their behalf and become the face of the content creators. Unauthorized copying of works seems to be more personal to photographers than I've heard musicians speak of unauthorized song downloads.

The IP needs of photographers are unique. Most are amateurs licensing photos on the side or are small businesses. They don't have the time, energy or cash to negotiate individual licenses or even seek out legal advice. I am not surprised to see that a huge number of amateur photographers have bought into the Creative Commons system of making some rights available to the world at large. The different CC licenses are a bit of a lingua franca and content creators are able to mix and match different permissible uses, from "some rights reserved" to dedicated to the public domain. While CC generally focuses on non-commercial use of intellectual property, photographers have developed a very interesting scheme of articulating and embedding IP rights and licensing schemes, similar to INCOTERMS which may be more familiar to most lawyers.

The PLUS Coalition is a non-profit association that has developed the Picture Licensing Universal System. Unlike the CC system, the PLUS system is much more granular in expressing how an image may be used, by whom, for how long and in what format. For example, the PAPA family of licenses deals with print advertising:

Use in any print advertising in a magazine, newspaper, directory, insert or program. Applies to a specified end user product or service.

• Duration,
• PLUS Region,
• Region Constraints,
• PLUS Industry,
• End User,
• Product or Service Name,
• License Start Date

The PLUS system creates a machine readable license and offers software to translate this:

|PLUS|V0120|U001|1IAK1UNA2BOB3PQW4SCP5VUP6QCK7DZA8RHQ8IAT8LEN9ENE|

into this:

Term Value
Standard PLUS
LDF Version 1.20
# of Media Usages 1

Usage # A
Media Matrix: Advertising | Periodicals | Magazine (Consumer Magazine) | Printed
Placement: Multiple Placements on Any Interior Pages
Size: Up To Full Page Image | Up To Full Page Ad
Version: Single Version
Quantity: Up To 2 Million Total Circulation
Duration: Up To 1 Year
Region(s): Northern America | USA
Industry(ies): Airline Transportation
Language(s): English
Exclusivity: Non-Exclusive

While I'm not sure that many lawyers will have an immediate use for the PLUS Service, I would suggest that lawyers with any IP licensing practice check it out. It contains a wealth of information and the glossary of licensing terminology is a great resource.

Blogging lawyers are not like ordinary bloggers. Most bloggers don’t have to worry about the issue of conflicts of interests and client confidentiality. Lawyers, on the other hand, have to worry about legal ethics. Since I started blogging more than three years go, it’s been an issue that I’ve always had to keep in the back of my mind every time I even think about a blog post. With the plethora of blogging lawyers, I am surprised that I haven’t seen much discussion on the topic. (If there has been, please point me to it!)

I blog primarily in the area of privacy law. Ideally, I would want my blog to be a complete and up-to-date resource on what’s happening in privacy law but client loyalty has meant that there are some significant gaps in what I can write. Sometimes a notable story hits the media which I’d love to report on my blog, but there’s always a possibility that the parties involved may be a client. In my case, I work for a firm of over two hundred lawyers in five offices. We have a vast number of clients, many of which are multinationals thanks to Nova Scotia's cross-border friendly Companies Act. They may not be a current client and I may not have any first hand knowledge of the situation, but the problem of deemed knowledge and client loyalty mean that I have to hesitate before writing about it. If the minute book of the company or any of its affiliates is on a shelf in our corporate services department, I can’t say a peep.

The legal blogosphere would benefit tremendously, I think, from a discussion about client confidentiality and the blogging lawyer. My practice may be bordering on the paranoid side, which usually involves the following practices:

• If there’s any possibility that any of the parties involved are or were a client of your firm, run a conflict search and do not post anything.

• If any of the parties involves is a client or former client, don’t write anything unless you have the client’s permission.
• If you have any “inside knowledge” of the event, don’t write anything unless you have the client’s permission.

Is this taking it too far? Not far enough? Conflicts and client confidentiality may be one reason that is holding back lawyers from blogging. A consensus on best practices would benefit us all.

Please feel free to comment on this post with your thoughts on the issue.

Last week, in my first posting on Slaw, I wrote about what appears to be some sort of unnamed force that draws certain people into law school and then into law firms with little conscious agency on the part of the individual. Years after this process has pushed the lawyer onto a certain path, the lawyer will look up from his or her desk and wonder how they got there and why they are miserable in their chosen career.

I also suggested in my last posting that I have an answer to this problem. “Answer” may be too strong a word, but I have seen lawyers that have satisfaction in the profession and others who are miserable (and bail out shortly after becoming aware of their misery and their options).

The thing that distinguishes happy lawyers from unhappy lawyers, at the risk of a gross oversimplification, is that happy lawyers like what they are doing and did not get there by accident. The law is a wildly diverse profession. There’s something for everyone. But the key is to match what you like to do with what opportunities there are in the profession. It is very easy to try to emulate lawyers who appear to be happy, but what’s good for them may not be good for you. For example, I work with some very happy tax lawyers. They love what they do and who they do it with. But if I were to wake up and discover that I was a tax lawyer, I would head for the exit, pronto. It’s not for me. It doesn’t match the sort of work I like to do and the sorts of problems I like to solve. It’s perfect for the colleagues I’m thinking of, just not for me. That doesn’t mean that practicing tax law is not a good position to have. It’s the opposite, since tax law is a very lucrative career path, but it just isn’t for me and no amount of money will make it bearable.

The one thing that I’ve seen in common among those who I know are happy in the legal field is that they got where they are because they chose to. They were immune to the unnamed force, or at least knew how to swim against its currents. They thought about some pretty basic questions:

• What do I like to do?

• What sort of people do I like to work with?
• What rewards do I think I need?
• What do I do in my spare time and is there any way to integrate that into my practice?
• Am I introverted or extraverted?
• Can I sit at a desk for hours or do I need to be up and about a lot?
• Do I enjoy speaking in public?
• Do you enjoy heavy problem solving or would you prefer to apply established principles to relatively similar fact situation?
• What life experience do I have?
• Do I work for the weekend?

Asking these basic questions can suggest, in my view, the sorts of legal options to be considered. If you are a musician, love playing in a band and enjoy hanging around with musicians and creative types, you may be someone who should go into entertainment law. If the toughest decision you’ve ever made was between law school and accounting school, tax law may be where you should go. If what you like is making piles of money, and that’s more satisfying than anything else, you can probably suffer through doing work you don’t like as long as it’s very lucrative.

Students heading to law school should ask themselves these questions and others like them. It is difficult, at that early stage, to find out what areas in the profession may align with the answers but the have the luxury of time to investigate. Then they should head in that general direction. Unhappy lawyers should take a weekend off and think about these things. With the knowledge of the profession they’ve picked up along the way, they have an advantage in knowing what possibilities there are in the profession.

I am humbled by the invitation to join the illustrious team that has turned Slaw.Ca into Canada’s leading legal group blog. It’s a great site and I hope that I can contribute in a positive way. My day job is privacy and technology law, with a little bit of related blogging on the side at the Canadian Privacy Law Blog. I’m pleased to have an opportunity to write a bit about “things legal” that are not necessarily about privacy or technology. (Although I’ve come to think everything is about privacy and technology.)

If I sound like I enjoy what I’m doing, it’s absolutely true. I have to confess I am one of the happiest lawyers I know. The legal media (including legal blogs) are full of stories of high levels of attrition, lawyer burn-out, and general malaise in the profession, but I do not think it is entirely pervasive. (I know a few other lawyers who happen to love what they are doing, too, but many more who are carriers of this malaise.)

There may be some prophylaxis for this chronic condition.

My first week of law school, which wasn’t that long ago, was filled with anxiety and new faces but each conversation with each new person started with “why’d you choose to go to law school.” My memory may be getting hazy at this point, but I seem to recall that most of the answers were along the lines of: “I did well on the LSAT, so I’m here”, “I have a poli sci degree”, “I didn’t get into dental school.” I was surprised that the students seemed to be drawn by an irresistible force and little free will was involved.

While there, I thought of law school as a factory, with a large conveyor belt that was moving through and ultimately delivering students at the door of large law firms. For many, the conveyor belt continues at the door of the firm and takes them to burnout or retirement. I remember interview week when everyone was so keen at getting interviews with just the right firms and then hoping for offers. Few people shopped around for firms or acted as though they may be making among the most important decisions of their lives. That firm is the best or the biggest and therefore you must want to work there. So after practicing for a few weeks, the look up from their desks and realize they’ve made a big mistake. Just because securities/tax/M&A/etc. was the most sought after position doesn’t mean it’s the job for you. But by the time the realization hits, inertia or student loans keep you there. Or they pay you enough to suck it up.

Maybe I am completely naïve, but I don’t think it needs to be that way. The problem seems to be, to me at least, that students taking the LSAT have no idea what they’re getting themselves in for. They look out and see an endless horizon, but this unnamed force draws them to the professions. Do they know what a lawyer does? They’ve almost certainly seen them on TV, but most lawyers will tell you that the practice of law is nothing like its depiction on the other side of the tube. Most of them have skills that will make them good law students (at least that’s what the LSAT is telling them), but does that mean they will enjoy being a lawyer? Not necessarily. My completely unscientific polling methodology leads me to conclude that people rarely love what they are doing if they realize they got where they are by default (or the unnamed force).

What’s the answer? I’m afraid you’ll have to wait until next week (or you can offer your own answers in the comments below). Have a great long weekend.