Would such an order be made in favour of private parties here? Would the private bodies first have to begin a legal proceeding against the pseudonymous tweeters – a civil action? a private prosecution? a human rights tribunal proceeding? Would they have to bring Twitter in as a party, whether or not claiming direct relief against Twitter?

Would a Canadian court (or other tribunal) make a direct order against Twitter, or would it seek letters rogatory or use some such evidence-gathering procedure to get information from Twitter in California? Has either process been done in Canada? What has Twitter done in response?

I take it to be relatively well established in Internet law these days that the laws of a place where Internet content is accessible will apply to that content, whether or not the content is legally acceptable or protected where it originated. This is true of expression as of other kinds of content (like commercial offers). I don't claim that everyone is comfortable with that result, but the law has found a number of principled justifications for the result.

The enforcement of foreign judgments based on the results of that application of law may be a separate question.

Other views?

The amendments will come into force on proclamation. The government has been talking and will continue to talk with stakeholders about measures that might be useful to ensure that the change does not increase the risks of real estate fraud. (If you have suggestions about such measures, feel free to mention them here.)

The Ontario Real Estate Association was enthusiastic about the change.

It is safe to assume that the private member's bill that did the same thing, along with other changes, will not proceed.

A US court decision has recently refused to admit such evidence, as not being properly based on science. One expert quoted in the article calls this use ‘junk science’.

Have there been attacks on the use of cell phone records in Canada on the ground that they are not reliable indicators of location? Should there be?

The US case referred to tracking by use of the relation of the phone to cell transmission towers, not to GPS data. The latter are still considered very reliable, so far as I know.

As the official announcement states:

CPSR was launched in 1981 in Palo Alto, California, to question the
computerization of war in the United States via the Strategic Computing
Initiative to use artificial intelligence in war, and, soon after, the
Strategic Defense Initiative Star Wars. Over the years CPSR evolved
into a big tent organization that addressed a variety of computer-related
areas including workplace issues, privacy, participatory design, freedom of
information, community networks, and many others.

Now, of course, there are hundreds, if not thousands, of organizations and
movements that are concerned not only about the misuses of ICT by
governments and corporations (and others) but also about trying to develop
approaches that help communities work together to address issues related to
economic and other inequalities and environmental degradation as well as
broader issues such as war and peace…

Although in many ways the issues that CPSR helped publicize have changed
forms they generally still remain. The ethical and other issues surrounding
the computerization of war, for one thing, have not gone away just because
they're not prominent on the public agenda. CPSR's original focus on the
use of artificial intelligence in battle management etc. and the
possibility of launch on warning is probably still pertinent. The advent of
ubiquitous and inexpensive drones definitely is.

What Canadian organizations have a similar mandate?

A recent Swiss case – in the Federal Supreme Court – held that senders of emails have a duty to verify receipt in almost all cases. On the facts of the case, the result may be OK: an agent for a taxpayer emailed its client to warn of a tax filing deadline; the email went astray and the client was penalized. The risk was that of the agent. (It's not a case about the law of agency.)

The case states a general proposition that the risk of non-delivery of an email is always on the sender – because delivery is known to be not thoroughly reliable.

Would this be the law in Canada, or where you are? is that too strong a proposition? Suppose the sender could prove that the email got to the addressee's computer but was filtered out or lost once there. When does the risk (and responsibility) shift to the addressee?

(The questions are the civil side of those I posed last week about whether a regulatory or prosecutorial body could start a proceeding by email notice, without statutory or contractual authorization. Would it be acceptable if the regulator or prosecutor checked to see if the notice of hearing – e.g. – had been received?)

Is it a situation like signatures, where the risk that a signature is forged always lies on the person relying on the signature?

Is it true that the delivery of emails less reliable than that of postal mail, or faxes? Is it sufficiently true that rules of law should be built on that proposition?

The more interconnected the world becomes, the more people (businesses, governments) are exposed to harm generated online. “Cyberthreats”have become a leading source of worry for many knowledgeable people. The Internet is a dangerous place. Hacking that was once the domain of geeks wanting to show off their exploits is now big business, with division of labour (those who collect the information pass it on to those who use it) and serious resources. Tools for most forms of nastiness are readily available for sale at reasonable prices.

Crime has been joined by state and perhaps private espionage in the illicit domain, and some claim that “cyber-war” cannot be far behind, if it has not already made its appearance. (On the other hand, no one has actually died in such an incident yet, compared to millions of dead in the world wars of the 20th century and many thousands in many other “offline” wars. There is a risk of inflation of vocabulary.)

Much publicity was given to a report by Mandiant this year saying that massive numbers of successful online attacks on U.S. businesses originated with a building near Shanghai owned by the Chinese People's Liberation Army. The President of the United States issued an “Executive Order” about cyber-threats to criticial infrastructure, by which components of that infrastructure (a very broad group) would be notified of their status (not likely to be news) and any imminent threats detected by U.S. IT security forces.

Canada's Department of Public Safety has published a national Cyber-Security Strategy. In October, 2012, the Auditor General published a review of Canada's readiness, finding it wanting. We have no right to feel comfortable.

Faced with these very real threats (and some of the perceived ones), people naturally want to know what they can do about them. Will the police protect them? Will government? Will the providers of information technology: the hardware, the communications links, the programs, the apps? While the answer may be “all of the above”to some extent, it is increasingly clear that security begins at home.

But once one has the latest firewall and anti-virus and has installed the latest patches on all one's programs, and has trained oneself and one's staff in good security practices, what happens if one is still compromised? How far does self-help extend?

The right to engage in active self-defence, also known as “hacking back”, is currently the topic of much discussion (including a brief note here at Slaw.) Many presentations at the 2013 RSA Conference on IT Security focused on this topic, including three out of the eight in the”law track” of lectures and panels (and even a mock trial). It may be considered good that the IT people are thinking about legalities; frequently the IT folks deal with cyber-threats without mentioning them to their lawyers.

There are a number of different activities that may be considered to be active defence: intelligence gathering (Where are the attacks coming from? How are they being made? Who is behind them? Who else is being attacked? What are they after?) and aggressive defence: stopping the attack, following and deleting one's data in the adversary's hands, and reducing the adversary's capacity to continue the attack.

Is this legal? The discussion has focused mainly on the criminal risk, with a close reading of the relevant statutes and adapting traditional justifications. The civil risk is starting to draw attention too. Other categories of risk are the practical and the military. These three will be the subject of another column.

Criminal risk

There seems to be no concern about intelligence gathering in one's own computer. One can analyse whatever is there, however deeply hidden, and the only question is whether one recognizes what one finds and is able to do anything about it. So I can delete or quarantine any malware I can detect, without liability.

The questions arise when I go outside my computer. For purposes of this discussion we are talking about online computer communications, rather than attacks carried out via mobile hardware (though the Stuxnet attack that some consider the only actual act of cyber-warfare to date was perpetrated through infected USB drives.)

Am I allowed to follow the data in my computer back to the computer it came from? What can I do when I get there – given that 'being there' is a metaphor? What I am doing is sending commands to another computer and causing it to respond by sending me data.

Unauthorized access

Two provisions of the Criminal Code of Canada may apply. The first is s. 341.1 that prohibits access to a computer or data 'fraudulently and without colour of right'. Usually the term 'fraudulently' requires some kind of undue financial motive, though if one were to guess or crack a password in order to gain access, that element of the offence might be the subject of argument in a prosecution.

The legality of access is more likely to present the issue of 'colour of right'. What right can one claim to be poking about inside someone else's computer? Is the need for information about harm being done sufficient? Is the need to stop the harm sufficient?

One can look for one's colour of right by analogy to the law of trespass on physical property. Can I enter my neighbours' house without their consent to find the source of a loud noise? To find the source of water that is flooding my yard, or basement? To put out a fire that threatens the neighbourhood? These examples presume that the neighbours are not intentionally causing the harm – but suppose that they are? And they might not be at home – but is the neighbours' computer (or one around the world) unoccupied in any meaningful sense?

Trespass analogies do not work very well. One can imagine a flow of electrons having a physical effect on another computer, and there have been efforts in the US to characterize sending unwanted messages to a computer as trespass to chattels. Nevertheless it seems artificial. Is a password the equivalent of a lock on a door or a sign on a lawn? One can trespass by walking through an unlocked door, but perhaps not by walking across an unfenced yard, if there is no sign. What is the computer equivalent of a sign? Avoiding the difficulties of applying such analogies was one of the reasons for the express provisions of the Code. Indeed one of the motivations for the Council of Europe's Cybercrime Convention was to ensure that many countries had basic laws against intrusion on and misuse of computers, following cases in which creation and distribution of malware was held not to be against the law in some countries.

A more thorough review of the use of analogy in applying criminal laws to computer investigations is found in the works of Orin Kerr.

Mischief to data 

The second main provision of the Criminal Code is s. 430(1.1) prohibiting mischief to data. This would be relevant if one went beyond investigation to active defence, such as deletion of files or programs that were thought to be causing the damage. The offence includes destruction of data and rendering data inoperative or ineffective – just what one would want to do to malware that was affecting one's computer. Section 429 provides a defence to a charge under this provision, however: one may not be convicted where one 'proves that he acted with legal justification or excuse and with colour of right.'

The reference to 'legal justification or excuse' may provide a broader defence than the absence of fraudulent intent in the access provision. Two legal justifications are most likely to be used: self-defence and necessity.

Self-defence (of property) 

It is clear that one can defend one's property against attack, by an act that is 'reasonable in the circumstances' (s. 35 of the Criminal Code.) That includes a reasonable belief that one's property was in fact under threat. Is it reasonable to extend self-defence to acts beyond cutting one's computer off from the source of the attack? If it were not possible to be selective in blocking the attacker, for example without cutting off all online communications, then a more active defence might be allowable. These days the law might not require somebody to do without any Internet connection because of a history of being attacked.

How possible is it to fine-tune one's counter-attack? What are the risks of going too far, of causing collateral damage, of going beyond what is reasonable in the circumstances? Is a certain (or uncertain) amount of collateral damage reasonable in order to achieve the basic defence?

Necessity

The other main line of argument in the face of criminal charges would be necessity. This is in large part an aspect of self-defence, but it applies at common law, outside the Code. There must be imminent peril to the person who claims necessity. The case law does not appear to have dealt with peril to property, unlike the codified rule on defence of one's property. The courts have been very willing to limit the scope of necessity. One must have no reasonable legal alternative to the illegal action one has taken, and one must act in proportion to the risk.

To succeed, one would certainly have to show that one's own system was as secure as possible, with all safeguards in place, with all patches applied, and so on. If it were possible to block the suspected source of infection or attack, that must be done. When would that not be enough? Is any source of communication so necessary that an infection of that source 'must' be taken down? But why not just inform the people responsible for the other system that it is infected or distributing malware? If they intend to harm you, is it really necessary that you continue to deal with them? If they do not intend to harm you, why would notice to them not be sufficient?

The other serious question that undermines a defence of necessity would be, 'why not tell the police and let them deal with it?' That's what the police are for, to stop criminal activity. They have legal powers beyond those of the general citizen, including – with judicial authority – the right to intercept the flow of information and to require information to be made available to it. (The extent of those powers in the information age continues to be a matter of current debate in the courts and in Parliament.)

There is at least US precedent for private action with judicial authority. Microsoft discovered by its own data flow analysis that malware was coming from a particular address. It applied to the court for authority to disable the source, and was successful. Such an action would certainly meet the Criminal Code requirements for legal justification. It may be noted that not everyone is comfortable with even judicially-controlled self-help.

The American position on hacking back has been extensively debated. The issue there tends to turn on the application of the Computer Fraud and Abuse Act (CFAA), which prohibits 'unauthorized' access to a computer. 'Unauthorized' is not defined, though there are numerous and inconsistent judicial decisions on the term – not generally in the context of self-defence, however. Liability under the CFAA often turns on there being damage of more than $5000. Accessing a computer to investigate the source of communications, or possibly even disabling a malware server, might not meet that standard. Canadian law gives a bit more guidance, but still does not clearly resolve just what one can do and not do.

Intermediary computers

An important complicating factor in the whole discussion is the likelihood that any attack on one's computer system is an indirect or disguised attack. It is probably not coming from one's neighbour's computer, but from somewhere else. The takeover of innocent (though possibly negligently run) computers by hackers, who use them as 'bots', i.e. automatons to send messages at the hackers' command, is very common. Botnets of a hundred thousand machines are not unknown.

Thus the risk of harming an innocent machine, and its owner, is substantial, as one hacks back against what is harming one's own system. It is not clear how that affects one's colour of right or legal justification for accessing or destroying data on that machine. Generally one's legal rights must be exercised reasonably, which would seem to require at least reasonable care to ensure that one had the right target. An investigation of an innocent (but compromised) computer might be more likely to escape prosecution, or conviction, than doing damage to it.

Conclusion (continuation)

The debate continues, but in the context of unclear law as well as contentious policy. (If the third party's computer is already compromised, how much additional harm does the counter-attacker do, and should we care?) Should the law encourage a type of vigilante justice, taking the law into one's own hands? Do we trust the usual official hands, whether law enforcement or even military authorities, to do the job? Is it possible to legislate sufficiently specific grounds for active defence that most of the risks will be avoided, and the potential harm from hacking back will be less than the harm caused by the attacks?

The next column will review civil, military and practical elements to the hacking back discussion.

The regulator would have an email address of the regulated body, but assume that there is no contract or statute that allows for ‘originating process’ to be presumed to be delivered if delivered electronically.

I am aware that the Rules of Civil Procedure allow lawyers for parties in civil actions to exchange documents by email, once the action has begun – but not the ‘originating process’ like the statement of claim.

I am also aware that some courts have allowed parties to serve originating process as ‘substitute service’ (the traditional service in person having been tried and failed) by electronic means, notably by posting messages to the defendant’s Facebook page or by Twitter (a notice of injunction).

I am not aware of such methods being used in a prosecution or regulation context. Am I missing something? How could the regulator prevent a denial of receipt by the addressee? (How can it decrease the prospects of repudiation?) Must there be contractual or statutory authority to support delivery?

In Ontario College of Pharmacists v. 1724665 Ontario Inc., 2013 CanLII 13655 (ON SC), the court held that a call centre in Ontario that was acting for a company in Belize taking orders for drugs made in China for delivery to patients in the United States was carrying on the practice of pharmacy in Ontario to the degree that the Ontario regulator had jurisdiction over it. The College of Pharmacists was given the injunction it had sought against the call centre.

A write-up of the case is found in a newsletter from the law firm of Steinecke Maciura LeBlanc.

Does that result seem realistic to you, or will it create difficulties in practice in future cases?

Canadian jurisdictions do not (so far as I know) have legislation with ‘unfair terms’ in the name, while the UK has implemented the EU Directive on Unfair Terms. (French courts held a decade ago that online contracts, notably the AOL (2004) and Tiscali (2005) subscriber agreements, were subject to the comparable French law – and invalidated a large proportion of the terms that those contracts had imported from US sources.)

We do, however, have consumer protection legislation in all provinces, and other kinds of business regulation. Is there any doubt that the terms of EULAs would be covered by that legislation? Is there an argument that EULAs would be a matter of federal jurisdiction as part of services (or goods, at times) offered through telecommunications? Should the medium of communication of the EULA matter to the applicable law? EULAs can show up when one loads a CD bought at the local store, as well as when one downloads a program or app or … almost anything.

Besides the Competition Act’s basic rules against misrepresentation, is there a federal law that protects consumers as thoroughly as the provincial statutes? Does there have to be, or is all this matter clearly provincial?

I have not yet found in the documents answers to some questions that occur to me off the cuff. (The answers may be in there somewhere – feel free to provide via comments.)

• Who pays? It appears to be taxpayer-funded, rather than relying on user fees. There is mention of a cost of 4.6 million Euros (annually?).
• What law applies? This list has previously discussed the EU work on a single sales law and a ‘blue button’ device for web users to elect a common sales law.
• What is the process? There will be coordinators and neutrals provided. Do they have a set progression from negotiation to mediation to adjudication, as the UNCITRAL ODR project has recommended? Will the mediator be barred from being the adjudicator?
• How is the result enforced? The top-level documents appear to assume that once the dispute is ‘resolved’, everybody goes along. What happens if they don’t? 

A different order of question is how this may relate to the UNCITRAL project. Are the EU proposals consistent with the current direction of that work? Is it helpful to the UNCITRAL work for the EU to be voting in favour of ODR, or is it distracting from or subversive of the global thinking?

Views?

Everybody knows that computers are everywhere. This is old news. It used to be that a mechanic could fix an errant brake light in my car for 15 minutes of labour and a 15-cent bulb. Now I need a computer diagnosis and the replacement of a sophisticated multi-function panel. Hmmm – $175.00. Progress!

What may still be news is the degree to which the computers are talking to each other – and if they can talk, then they can be overheard.

Let's start with cars. Richard and Cheryl Balough point out that the average car these days can run some 70 computer systems, all of them interlinked for completeness of diagnostic capacity and no doubt for ease of design. What this means, among other things, is that all the systems in the car can be accessed through any one system – whether the entertainment system (slip in a compromised CD or USB), the remote-entry key signal (interceptible by by-standers), or even the tire-pressure reader that reports back to the central monitor.

US federal law requires cars to have diagnostic capacity that can be read by mechanics. Not all of these systems are produced by the car's manufacturers. There is an after-market. This means that the technical specifications are known more widely, and thus available to people who do not have the owner's best interests in mind. Someone could interfere with a car's operations, either starting it for his or her own purposes or stopping it unexpectedly. The potential for chaos, not to say carnage, is significant. Vehicle-to-vehicle communication is growing, to avoid accidents or allow the 'safety' of self-driving cars. No doubt it brings with it the possibility of hijacking. Could really bad guys attack a whole fleet of cars?

Shrinking the scale for a moment, consider devices implanted in people's bodies, like a pacemaker. Again to facilitate diagnosis, these devices can often be read and even adjusted without the wearer having to undergo surgery. This makes these devices susceptible to outside interference, accidental or intentional. For example, it is possible to hack into insulin pumps worn by diabetics. The consequences are obviously serious.

One does not need to be the target of an attack, or of negligence, to be affected by it. A US company that was paid to install a robot-controlled parking system in a garage shut the garage down over a dispute with the garage's owner over the licence fee. Too bad about the cars trapped inside. Remote access makes this kind of interference easier. There isn't even a parking-lot attendant with a padlock for irate drivers to accost.

Consider as well that a lot of devices that do not yet contain computers at least send data to computers, which can combine and analyse the data in interesting and unexpected ways. Electric cars that are charged on the smart grid may be identifiable individually at the outlet to which they are plugged – so if you are visiting somewhere you should not be, perhaps you should have a full charge before you arrive.

Refrigerators connected to the Internet were a kind of meme for 'smart' things for a time – wouldn't it be helpful if the refrigerator could read the best-before dates on the perishables and report them out to the owner? But do you want your insurance company knowing the amount of deep-dish double-cheese pizzas you are eating? (Perhaps your pizzeria is selling that information, but that's a different question.)

More tales from the grid can be found in the 'The Spy Who Came In from the Refrigerator'. Most of the prospects mentioned are at present beyond most Canadian grids' capacity, but for how long?

Returning to cars for a moment: for an example of the kinds of information that cars are now collecting, consider this article in which Tesla Motors rebuts an unfavourable review by the New York Times by disclosing exactly how far and fast the car was driven, with what percentage of a charge, over the time that the journalist had had it. The car logged all that information automatically and the manufacturer (and anyone else who knew how) could figure it out and report it.

Insurance companies in the US (and Canada?) are offering rate rebates to drivers who allow them access to the on-board diagnostics, since it allows the insurers to analyse the driving behaviour – speeding, for example – and set a rate by how the car is driven. Law enforcement authorities are often interested in the diagnostic systems after an accident. Can your car turn you in? Will the leasing company or the rental agency turn you in, or charge you for violating the rental agreement based on evidence from the on-board system?

Ought there to be a law? We rely here a great deal on section 342.1 of the Criminal Code that prohibits the unauthorized access to computer systems – where the access is fraudulent and without colour of right. The interception of signals to or from a computer system is separately banned.

But how far does colour of right go? Is it acceptable if the terms of use or licence agreement allow the communication? For that matter, will we ever buy anything in this brave new world, or only take a limited interest by licence? What limits can apply in a licence arrangement? A notorious example of a surprising capacity to control 'things' remotely (in time and place) was Amazon.com's erasure of the text of the novel 1984 from its Kindle readers because it turned out that the edition 'sold' was subject to a copyright claim. People who had bought the text in good faith found their e-books and study annotations gone. Amazon apologized, but who knows what other powers it might have over what people read on its Kindle e-readers? Can – and does – Amazon track everything Kindle owners read, and their annotations, and does it sell that information? What about the sellers of other e-readers?

Will Canadian privacy laws prevent such incidents or such general tracking? First, one has to know what is happening, and the imagination can scarcely keep up with the reality. PIPEDA applies to commercial collection, use or disclosure of personal information, but just what is 'commercial'? Reselling personal information is a pretty clear case. A licence 'agreement' is not a definitive solution for the party that wants the information, since one cannot collect (or use, or disclose) information even with the consent of the individual unless the collection (use, disclosure) is 'reasonable'. (PIPEDA s. 5(3) ) That said, enforcement of privacy rights, alone or in the face of a broadly-worded 'consent', may not be easy, fast, or cheap.

One hears a lot of talk about the Internet of Things, where billions of objects will be connected to each other, each with its own IP address. We seem to be making uneven progress to that destination, but the pioneers are encountering some uncomfortable challenges. Some of them are elaborations of familiar assaults on privacy, though there is some novelty in the ability of data miners and aggregators to formulate meaningful profiles of us based on apparently fragmentary and insignificant information. Privacy statutes that focus on particularly sensitive bits of data, like credit card or social insurance numbers, are too limited on that Net. Such statutes will never mention the expiry date on your Brie. Fortunately Canadian statutes tend to define personal information more generally.

Other manifestations of the Internet of Things, those based on computer communications among objects we think of as inanimate, such as those described in the opening part of this note, present different challenges. The language of the Criminal Code may be comprehensive, but the best security is in prevention, not prosecution. The challenge will be to keep up with technology so we know what the threats are, and with luck, have some idea how to avert them.

On the other hand, perhaps we do not really want to avert them. We may prefer the convenience, even the cool factor, of interconnectedness. Or we will sell our information directly, for a reduction in our insurance rates.

Is there work for law reformers in the Internet of Things, and if so, where should they start?

Acting on a complaint by a manager/member of such a club, the Information and Privacy Commissioner of Ontario recently ordered that the LCBO stop collecting this personal information. In response, the LCBO stopped filling orders from the wine clubs.

According to the CBC story, a spokesperson for the LCBO said the LCBO asked for club members' personal information to prevent illegal re-sale, and to contact consumers in case of a recall.

But the Information and Privacy Commissioner ruled the LCBO was only able to provide "anecdotal or hypothetical evidence" to support its position and that the collection of the personal information was not necessary.

Naturally a number of wine lovers (and drinkers) are not pleased to have their supply dry up. One club recently circulated this note to its members:

We have contacted the senior representatives at LCBO Private Ordering and have requested that they confirm the LCBO's action and to let us know how we can to process our wine club orders (including the many we have recently received but have not placed with the LCBO). We are awaiting their reply.

In the interim, please let your local MPP know your feelings on the issue and why not drop Bob Peter, President and Chief Executive Officer of the LCBO a line.

No matter what, please keep those orders flowing. Working with our partners at the LCBO, we'll find a way to get them processed.

Where should the line be drawn between a regulator’s duty to regulate and a drinker’s right to privacy?

Canadian law prohibits discrimination in employment on the ground of national origin, among other things. This is governed by human rights codes and employment standards laws, both subject to the Charter of Rights and Freedoms, which guarantees equal protection of law regardless of national origin etc.

So what do Canadian companies do when they contract with US government agencies for sensitive work? There is a defence sharing agreement between Canada and the US, is there not? Do Canadian companies ignore human rights laws and refuse to offer jobs to people from the US prohibited list, or do they conform with Canadian law and hope the US does not find out? Or is there an exception somewhere to the non-discrimination rule that would apply? Is ability to work for the US government a bona fide occupational requirement?

Are there cases on this? It must come up from time to time.

Any word on official Canadian attention to such matters?

Do you know of any legal barriers that would prevent especially state-based operators of information systems (whether ‘critical’ or not) from defending their systems? Do any privacy laws, or communications interception rules, or unauthorized access prohibitions, stand in the way of comprehensive or even aggressive defence measures? Is there a difference between the rights or duties of public sector organizations and private-sector organizations in this regard?

Is some law reform needed to facilitate effective defences?

I ask for a purpose: I am on a panel at the RSA Conference on information security later this month, the topic for which is exactly that: legal barriers to defending information systems.

Here’s the description:

As governments seek to protect their networks against cyber attacks, they are frequently constrained by laws designed to protect privacy, citizens’ rights to access information and employee rights. This panel will discuss where the law is unclear or unhelpful for agencies responding to cyber security threats such as monitoring, blocking network traffic and incident investigations.

For Canadian purposes, I can’t think of any such legal barriers. What am I overlooking?

Both the Canadian and the Ontario Privacy Commissioners have commented on allegations of special risk of having personal information in the US because of that statute. Neither have supported the concerns. A recent summary of the discussion is found in the Ontario IPC's decision PC 12-39 concerning the Ministry of Natural Resources at pages 5 – 6.

Essentially both commissioners say that there is no more risk of PI finding its way into the 'wrong' hands under that Act than under the equivalent Canadian legislation, and the exchange of information across the border by law enforcement agencies is routine.

They also cite privacy experts David Fraser and Michael Geist to the same effect.

Other privacy complaints based on storing PI in the US have failed in the past, in Ontario and British Columbia and probably elsewhere.

Anyone in Canada subject to privacy laws must ensure that third-party recipients (sub-contractors) of that information comply with restrictions equivalent to those in force in the home jurisdiction.
But the fact that the information may be subject to discovery by law enforcement officials is not a reason not to store it in the US. (I do not know if all foreign storage would be as acceptable. Views?)

Does that sound right to you?

Is there any obligation to inform people that their PI will be stored in the US, or otherwise outside of Canada? If so, should it be part of the recorded message (‘this call may be recorded for quality assurance purposes. The recording will be stored in the country with the cheapest bandwidth’)?

What's the duty of care of mobile devices as pertains to patches/updates provided by the vendor and/or provider?

Example:

I bought an Android phone in June 2012, which received an over-the-air OS upgrade in late July to Android 4.0.4. This release was provided to me well after the version was released to the public. Also, since that time, 2 other versions of Android (4.1 and 4.2) have been made available. There are known security vulnerabilities in the 4.0.4 release.

Yet I've certainly not received a further update of any sort. Moreover, it's actually common for devices to only receive 1 update after their release, with future updates abandoned.

Now, previously, people would jailbreak their phones and force-feed the updates manually. However, for new tablet owners, thanks to a bizarre ruling under the DMCA, this is no longer a *legal* option (it's still apparently ok for smartphones). This is especially interesting since mobile carriers do sell mobile-enabled tablets.

So… what obligation do vendors and service providers have to provide updates to mobile devices? Is there a commercially reasonable duty of care that must be provided? Are they meeting it? Or, are they (vendors/providers) unfairly pushing this responsibility onto customers?

And, do customers have adequate grounds for legal recourse if their devices become compromised because the vendor or provider have failed to push out an available update? What do you think?

Views? What would you do for your phone, or advise your clients to do with theirs? Would it be a breach of warranty, say of fitness for purpose, for the manufacturer or vendor to allow a machine one has sold to become vulnerable to attack in such a short time? Does not that type of warranty sometimes require the product to stay operational for a period, depending on the price etc? What is a reasonable expectation of the sort that might give content to such a warranty?

Could a no-contact order be made for FB use, e.g. not to friend or comment on any FB page relating to or about a designated person?

Meanwhile, also on FB, another employee was dismissed for FB postings about her job and employer. Similar cases exist in Canada. Is this idea problematic for you? Again, what limits are there or should there be to the relevance of postings on one’s personal site for one’s job? Is the difference from the content of private conversations just the lack of privacy, or the breadth of communication? Or is there a qualitative difference?

Neither issue is restricted to FB, of course. The ban on use could apply to any site where children are likely to be present. Disrespect for one’s employer can be expressed on Twitter and elsewhere.

Also meanwhile on FB, the Florida Supreme Court will consider whether a judge can hear a case prosecuted by a FB friend. Would that be a problem in a Canadian court? Would it matter if the case were a civil matter? Do any of the social media advice sites set up by the judiciary deal with this?

The court reviews a great deal of English (and a bit of Canadian) law on the point. It also considers the practical implications of holding that either the sender or the recipient has a property right in the contents of an email. (para 60 – 69).

This was not a case where the employee was using the correspondence contrary to the interests of the employer, but a case where the employer, under new ownership, wanted to find out what had been communicated between its former CEO and third parties.

Would the case be decided in the same way in Canada? We have R v Stewart in the Supreme Court of Canada in 1988, holding that information as such could not be stolen because there was no property in it. (Ian Kyer has written a detailed review of the circumstances and issues in that case – Tucker, Ziff & Muir, Canadian Property Law Cases in Context, Osgoode Society, 2012 – suggesting it was wrongly decided.) The English Court cites at para 53 Binnie J’s reasons in Cadbury Schweppes Inc v FBI Foods Ltd.

How would you want to plead the case so that new management (ownership) of a business can find out what was done by the previous management that has legal implications for the company now?

(h/t Baker & McKenzie IT updates)

The Internet was invented by a state agency (the Defense Advanced Research Projects Agency, known as DARPA) for military reasons. By design its communications divided into nodes that were intended to be self-sustaining rather than dependent on central control. The Internet initially spread outside the military through academic communities used to free speech. Its explosive growth was based on readily understood free browsers on the World Wide Web – browsers largely supplied by the private sector, whether for profit (Microsoft, Apple) or not for profit (Mozilla Foundation).

The wild west

As a result, it seemed reasonable, not to say intoxicating, to think in the mid-1990s that this communications phenomenon with its massive social and economic impact was somehow free of government controls. Thus John Perry Barlow's famous Declaration of the Independence of Cyberspace, and Johnson and Post's Law and Borders: “The Net thus radically subverts a system of rule-making based on borders between physical spaces, at least with respect to the claim that cyberspace should naturally be governed by territorially defined rules.”

Even in the relatively early days of its popular use, however, there were reminders that 'the Internet is not a No-Law Land'. Laws applicable to communications (such as defamation, fraud and hate speech) and to property (such as copyright) applied to online communications as well. But as some of the early attempts to bring it under control failed, such as the plan to have an anti-encryption 'back door' built into the relevant hardware (the Clipper chip), naturally there was optimism that freedom of expression and participation would prevail over 'the people who run things'.

The U.S. government controlled much of the early developments of the Net. President Clinton's policy was to keep state control away from the Internet as much as possible, in order to promote the expansion of online business. Shortly after that policy was proclaimed, the Internet Corporation for Assigned Numbers and Names (ICANN), a California not-for-profit corporation, was given the authority to run the naming infrastructure, though on a contract with the U.S. Department of Commerce that continues. The point was to allow for a maximum of 'self-regulation' which has been largely successful, though there were sceptics from the early days.

This optimism was also easy to find in the political sphere at the turn of the century, when national liberation movements seemed able to work around traditional forms of censorship. Among others, Professor Henry Perritt wrote in “The Internet and Public International Law” (online fragment and paywall), 88 Ky.L.R. 885 (2000), that NGOs played a proportionately greater role in international than in domestic law reform, because the institutional structure for international governmental functions was less complete than at home. Thanks to the Internet, sharing information and plans was qualitatively different from what it could be with letter mail, telephone and fax.

I wrote a little overview of the Internet and law reform back then that was fairly upbeat.

The sheriff arrives

Governments have been pushing back, however. Part of the response would be perfectly legitimate anywhere. It is the responsibility of government to govern the residents of the territories for which they are responsible, and that includes to some extent their dealings across borders. While finding people online, deciding where they are and thus who has the right to govern them, and figuring out what they are doing, raises new challenges, it is still the exercise of traditional government power.

The debate about whether government's powers have been reduced or defeated, or on the other hand whether they have become too intrusive or harmful, tends to focus on freedom of expression and of political opposition, and the means available to suppress these activities. However, well-established limits to governments' offline powers seem threatened online as well, so the concerns are sometimes broader than just 'politics'.

It is the fate of limits on government that is of most interest in this column.

Among the best known efforts of governments to control the Internet have been those of China and Iran, where tolerance of dissidents has been low. The Great Firewall of China has been operating for many years, with considerable success. (There is even an app by which one can check if a site is being blocked in China – which reports that the app itself is not blocked there.)

Considerable efforts have been made in less repressive countries to provide tools to avoid such detection and censorship. Among the best known is the Citizen Lab at the University of Toronto and its circumvention program Psiphon.

In recent years some outbursts of optimism about the impact of the Internet and social media have been short-lived, such as that surrounding the use of Twitter to coordinate election protects in Iran in 2009. Some positive impact has been seen in some of the countries touched by the Arab Spring, though that phenomenon was very diverse and has had very diverse results. Of course the state of many of the countries is still in rapid evolution, so conclusions should be cautious.

Some reports make it clear that at least in Tunisia and Egypt – arguably the most 'successful' uprisings to date – social media played a large role in providing access to ideas and in permitting coordination of efforts against the government. Others are more nuanced but agree that social media were at least a catalyst to change already begun.

The government of Egypt at one point cut off the Internet to the country entirely. It could do this because of its control over the state-run telecommunications companies that held all the physical connections to the Net. However, it may be that cutting off the social media conversations drove their users into the streets, where the protests became irresistible. (The role of the Internet in distracting the public is not immaterial either, and some connectivity can satisfy demands for modern conveniences and lower pressure for political reform.)

Governments are getting smarter about control in such circumstances, and perhaps more ruthless. The Syrian government opened the country for the first time to Twitter and Facebook in 2011. However, it turned out that the government was able to track the signals and the computers used by anyone sending critical messages, so the Internet was used to find dissidents. "Users who tried to access Facebook in Syria were presented with a fake security certificate that triggered a warning on most browsers. People who ignored it and logged in would be giving up their user name and password, and with them, their private messages and contacts.”

Law and order

Numerous governments are using the Net and technology to fight back , or to main control they have always had. There is nothing inevitable about free expression even online. High technology companies are usually happy to sell state-of-the-art interception and monitoring tools to any government who will pay for them. Service providers on a global level find themselves complying with local government's policies on censorship as the price of doing business in such countries. Google's ongoing struggles with Chinese demands for censorship have attracted attention largely because most companies do not push back.

Indeed Egypt's highly visible – if not politically successful – closing down of the Internet has led to claims that other governments, even western ones, including the U.S. government, should have that power too.

As noted earlier, governments have always taken the position that their laws applied to the use of the Internet on their territory or by users in their territory. The principle is fairly clear. The question has been in part the application of legal principles of jurisdiction and in larger part the difficulty of detecting offences and enforcing rights or penalties. Going after intermediaries and proxies has long been one 'solution' to such questions.

In recent years we have seen governments, including democratic ones, targeting the Internet infrastructure. The US government has seized domains outright, sometimes with little due process or even explanation, usually to protect intellectual property rather than to suppress dissent. It has closed down servers despite the presence of much legitimate content on them. State government has managed (so far) to seize domain names of sites that it alleged were connected with online gaming. So the Internet's structure of nodes and alternative routing does not protect against law enforcement willing to sideswipe legal activities to get at the illegal ones.

The new world order

Part of what is changing that produces this kind of action is the desire to fight terrorism. The voices for censorship and intervention that could be set aside in the 1990s became much louder after the attacks of September 2001. Thus the Council of Europe (most European countries, plus Canada and the U.S. as observers) adopted the Convention on Cybercrime in 2004 that requires member states to impose obligations on Internet intermediaries to keep traffic information for two years and make it available to law enforcement and security interests. “Law enforcement authorities must be granted the power to compel an Internet Service Provider to monitor a person's activities online in real time.”

This Convention is one of the motivations behind the government of Canada's repeated attempts to introduce 'lawful access' legislation (in its most recent appearance, Bill C-30), to give law enforcement authorities rights to easy and largely unsupervised rights to get information from communications intermediaries, and to make the intermediaries hold on to the data in searchable form, generally at their own expense.

On the international level, attempts by government to impose their regimes on the Internet continue. China and Iran have been mentioned, but others work in the same vein. The narrowest access may be provided by North Korea , which allows a few of its residents to access a very partial homegrown computer interconnection system.

In the early part of the decade there was pressure on the privately-run ICANN to open up its governance and to provide top-level domain names in writing systems other than Roman, which has now been done.

Nations gathered in a series of 'Internet governance forums', culminating in the World Summit on the Information Society (WSIS) in 2005, with follow-up meetings in later years. However, these meetings have stayed away from proposing 'solutions' to the governance or operations of the Net.

A much greater threat is seen to come from the International Telecommunications Union (ITU). This body, founded in the 19th century to govern telegrams and later telephones, is composed of national governments. There is no role for non-governmental organizations or business corporations. Many of the member states of the ITU routinely censor communications in other media (and often do unpleasant things to the people responsible for the communicating), and would like to bring the Internet and its users under their wing too.

The World Conference on International Telecommunications (WCIT-12) meeting of the ITU in Dubai in December 2012 debated general principles for assuring the free flow of information around the world, promoting affordable and equitable access for all and laying the foundation for ongoing innovation and market growth.” The aim was to update international regulations last formulated in 1988.

It was probably foreseeable that a number of democracies would refuse to sign the final treaty hammered out at the meeting: the United States, Canada and several other countries refused to sign because it would permit too much government regulation of cyberspace. Time will tell what influence the treaty has on member states and on Internet access around the world – but governments are not surrendering any control, to be sure. (On the other hand, the meeting may have been mainly about the money .)

Conclusions (though the debate is not over yet)

The forces of access and Internet censorship in North America invoke what I think of as the Four Horsemen of the Internet Apocalypse, the threat of whom must, it is alleged, be resisted by all possible measures: terrorists, child pornographers, copyright pirates and Internet gamblers. The Cybercrime Convention deals with the first three expressly, and many of the innovative – not to say extreme – enforcement actions by U.S. authorities in recent years have been exercised in pursuit of the gamblers.

Governments find political, economic and social pressures to control in the 'common good' (after all, who is the government except a body that acts in the name of the people, whether or not the people have a serious role in saying who the government is?) It appears at present as if the technological and policy pressures to put governments back in control are largely succeeding. The notion of limits on government have never been universal, and they are under threat in countries where they have in the past been respected. Governments use the power of fear to justify their use of the intrusive technology.

Security expert Bruce Schneier has said that information technology multiplies the power of the person who uses it – but that user may be government as well as business or political opposition, and when it is the government, liberties may be threatened.

If, as some people say, the Internet is becoming 'feudal', with masses of users being bound by technological fealty to large private bodies like Amazon, Google or Apple – an assertion that must await another column – then one may recall that the feudal system in western European history (still Canada's primary heritage) eventually fell under the sway of the king. Having very powerful 'barons' provides yet further useful pressure points for effective government control of the Internet.

………

P.S. This note has not raised questions of cyberwarfare or cybersecurity, except for the brief note on the Cybercrime Convention. While these matters raise fundamental questions of the role of governments as defenders and prosecutors of the national interest, they do not relate directly to the abilities of government to control the day-to-day activities of the Internet. I will return to these questions in a future column.

• don't disturb the proceedings
• don't distribute any information that is subject to a publication ban
• don't take any pictures
• don't distribute recordings (though lawyers and journalists may make recordings for their own use)

However, "Members of the public are not permitted to use electronic devices in the courtroom unless the presiding judge orders otherwise." In other words, the rules of section 136 of the Courts of Justice Act continue to apply to the general public, as they will apply to photography by those who have the general permission noted above.

Does this seem appropriate to you?

How will supervising officials, or for that matter compliance-minded people in the courtroom, decide who falls into the class 'media or journalists', in this day of widespread blogging? The Supreme Court of Canada has recognized that rules about defamation (notably the right of responsible reporting of matters of public interest) apply to anyone reporting, not just accredited journalists. And these days many employed journalists are also self-employed on the side. Should one try to distinguish between a professional and someone doing it for free?

Do you have any other concerns with the protocol? Does it go far enough? Will you take advantage of it, and how?

Happy new technology year!

There is a paragraph on the Canadian experience – is it accurate? Of course our courts do 'criticize' Parliament in holding legislation ultra vires on occasion, or inoperative for constitutional reasons.

The article also notes the impact of the decision on legislative drafting, making it allegedly less likely to be complicated and overly detailed.

The Uniform Law Conference of Canada has a current project to update the Uniform Interpretation Act. Should a new Uniform Act expressly deal with the use of legislative history by the courts, and if so, how?

[h/t to Sandra Petersson of the University of Alberta for pointing out the Wikiepedia main page entry.]

The tribunal, the Commission sur les lésions professionnelles (CLP), has returned to the social media admissibility question Campeau et Services alimentaires Delta Dailyfood Canada inc., 2012 QCCLP 7666 (CanLII).

A worker was injured and had to take a lot of time off work. At one point her injuries caused her a case of depression that also kept her off work. To test whether this was serious, the employer created a fictitious account on Facebook, giving the alleged member characteristics chosen deliberately to appeal to the employee. The employee friended the fictitious member, which gave that member – and the employer – access to the employee's friends-only posts and information.

The workplace injuries tribunal rejected the employee's case, and the employee appealed to the CLP. The CLP held that the evidence from Facebook was not admissible. They reviewed article 2858 of the Quebec Civil Code, which says (as above) that a tribunal must reject evidence obtained in conditions that infringe fundamental rights and liberties and whose use would cast the administration of justice in disrepute. This article is an express exception to the admissibility of any fact relevant to the dispute.

The decision analyses these factors in some detail (paragraphs 15 through 76). The infringement of rights affected the employee's privacy rights, guaranteed against private-sector infringement by the Quebec Charter though not the federal Charter.

The test for bringing the administration of justice into disrepute was a matter of proportionality. Judged by standards from cases in the Quebec Court of Appeal and the Supreme Court of Canada, the CLP held that using the FB evidence would have that result. Fishing expeditions seem likely to meet that standard consistently.

Would the case be decided differently without the express rule in the Civil Code about infringement of rights and the reputation of the administration of justice? Could a tribunal in a common-law jurisdiction have reached the same result?

1. Journalistic violation of privacy: PIPEDA s. 7(1)(c) gives an exemption from the rules about collection of personal information for journalistic purposes.

Section 32 of the Data Protection Act (UK), by contrast, provides a journalism exception only if, in addition,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with [the provision being violated] is incompatible with the special purposes [i.e. journalism]

Lord Levenson’s recent report on abuse of press freedoms recommends even stricter controls.

In the light of this, is Canada’s journalism exception demanding enough of those who violate privacy in its name?

2. In U.S. v Stanley, WL 5512987, a court held that there is no reasonable expectation on privacy in wireless signals, so the police could use a device (called a ‘moocher hunter’!) to trace wireless signals, to find out who was trafficking in child pornography using a neighbour’s wireless signal. (A properly warranted search of the neighbour’s computer had turned up nothing, so the question was whether someone else was using the signal for the illegal purpose. Answer: yes. Moocherhunter answer: Stanley.)

Would Canadian law after Tessling (heat sensors), Gomboc (electricity meters) and Patrick (garbage bags) be any different?

The commentary by Orin Kerr (via the Stanley link above) quotes from the decision that Mr Stanley cited in his constitutional defence the US Supreme Court’s equivalent to the Tessling case, Kyllo v. United States, 533 U.S. 27 (2001), which went the other way from Tessling and found that the warrantless use of a heat detector was not permitted. The Stanley court distinguished it. Our courts would not have to take that step, I guess.

Should Mr Stanley have a better defence in Canada against the use of such a device?

You will recall that the project is looking for international rules to govern the creation and use of electronic transferable records (ETR), that is, documents that entitle their holder to the delivery of goods or money. The meeting decided that there was enough interest in the topic among businesses and member states to pursue the topic further.

At the outset, the group determined that the elements of negotiability were matters of substantive law, and this project should be about electronic format only. As a result, the work could proceed without distinguishing between negotiable or non-negotiable transferable records. (20-21 – paragraph numbers of the report) It did, however, distinguish between transferable records and ‘electronic means of payment’, which would not be part of the project. Likewise electronic equivalents of securities, such as shares and bonds, would be excluded.(22)

A few other highlights:

• ‘Possession’ of a paper record would be demonstrated by ‘control’ of an electronic record. (This is a long-standing principle.)(24)
• Any rules developed would be technology neutral (not depend on the adoption of any particular technology to satisfy them) and system neutral. (23)
• A distinction must be drawn between ‘issuance’ and ‘release’ of ETRs. Issuance was a substantive law concept; release was the putting the ETR under the control of its first holder, so essential to the project.(31)
• A distinction must also be drawn between a ‘register’ and a ‘repository’ – though the report is less clear on the distinction. My guess is that registers may have legal duties and consequences, repositories are just places where ETRs may be. (31)
• Somewhere the rules have to allow for the expression of consent to deal electronically at all in such matters.(32)
• Uniqueness of ETRs is not an end in itself, but a means to avoid multiple claims, based on multiple documents, against the same goods or money. Thus, it was said, the methods of achieving uniqueness might vary in light of the technology used and other circumstances.(33)
• Anonymity (or pseudonymity) should be provided for, so that ETRs can be the equivalent of a ‘bearer’ document on paper.(42)
• Some provision should be made to permit the amendment of ETRs once issued, but consent by all parties might be needed.(45 – 49)
• Rules on the transfer of control of ETRs were crucial to an operating system of rules (not surprisingly, since ‘transfer’ is the T in ETR!)(50 – 58)
• An equivalent to pledges and guarantees based on ETRs as security needed to be devised.(63 – 65)
• The rules needed an electronic functional equivalent of ‘presentation’ of paper-based documents. The report does not hint what this might be. (70 – 71)
• It would also be good to have rules for converting paper records to electronic form, and perhaps back again.(73 – 77)
• Rules were also needed about the full or partial cessation of ETRs to have any legal effect (78 – 82)

You can see that the Working Group was comprehensive in its discussion. The Secretariat was asked to prepare for the next meeting (in New York, May 2013) a set of rules in the form of a Model Law, though the final product of the Group may be in some other form.(93)

Would such a set of rules appear useful to you, for your clients? What do they need to see in such rules? Are there topics that the Working Group should be addressing that they are not (yet)? Do any approaches mentioned in the report seem more promising that others, or less, and why?

I will let you know when the draft rules are available, probably some time in April 2013, but don’t let their absence stop you from taking a view now of what they should be!

In Ireland, a receiver is investigating the corporate and personal affairs of Sean Quinn in his dealings with the Bank of Ireland. The High Court of Ireland has ordered that several members of the Quinn family turn over to the receiver the passwords needed to access a number of their personal and business accounts. The court responded to concerns about privacy by limiting the number of people who can have access and the nature and date of the records to be accessed.

The US law firm Steptoe and Johnson has commented with respect to this case,

Courts globally are just beginning to wrestle with whether they can order people to turn over encryption keys or passwords, or to produce unencrypted data, and what limits, if any, to put on searches for electronic evidence that might be buried in a sea of unrelated, private data. So nearly every decision in the area is breaking new ground.

Would this happen in Canada? If not, why not? Does it matter whether it is a criminal case, a civil case or – as here – a regulatory investigation (in a bankruptcy proceeding)?

German newspapers seem to be taking a different route but probably to the same intended destination. They have apparently persuaded the German parliament to allow them to charge royalties to search engines that link to their stories.

Once the search engines block their sites from their searches, won’t the newspapers get less revenue from their own sites, for missed advertising or for other reasons?

One sees the temptation for government in this line of the story, though: ‘Other European countries …were interested in following Germany’s initiative because of the potential tax revenues these countries would earn from the proposed royalty fees.’ Not to mention that the newspaper publishers are no doubt better connected to legislators in those countries than are the owners of search engines.

Is this likely to be a success, from the point of view of the newspapers? Is it a way of preserving value in the Internet era? Will it be a lucrative source of tax revenue for the governments of the territories where the newspapers publish?

The Australian courts have followed the French – but not the UK opinion mentioned above – and have found Google liable in defamation for the suggestions that its algorithm makes when someone starts a search. Here, searching for the person's name led to suggested sites that involved criminals.

Does this strike you as a fair result? Can Google (or another search engine that wants to help people complete their search queries based on what others have searched) prevent this result? Do they have to deal with complaints on an individual basis, so that when X complains, they just block auto-complete for any search of X? Can that be done, in practice – comparing the expense of doing so to the potential expense of damages and costs …

Would this kind of decision make it harder for those who "Google bomb" people, i.e. flood the internet with disparaging comments so that search engines turn up those comments when a person's name is searched? (Or would the perpetrators be liable for defamation anyway?) I recall that being done to President Bush (the younger) – searching for some unlikely but pungent phrase ('miserable failure') produced the president as the first result. Google shut this one (and others) down: http://searchengineland.com/google-kills-bushs-miserable-failure-search-other-google-bombs-10363 . (This article, which is a few years old, notes that while Google 'fixed' the Google bomb, other search engines were still open to being manipulated this way.)

Under section 127 of the Communications Act it is an offence if someone ‘sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character.’

I don’t take the DPP to be saying that a one-to-one message on a social medium would never be prosecuted, but as a matter of approach, the reach would matter.

What do you think? Is that a fair basis for prosecution, or should only the offensiveness of the message count – assuming that the person deciding to lay the charges judges that it meets the standard of ‘grossly offensive’?

Have we any equivalent to such an offence in Canada? We have a ban on hate speech – should prosecutions for that depend on how many people become aware of it? We also have section 13 of the Canadian Human Rights Act that deals with the communication of ‘hate messages’ by telephone or on the Internet. The latter would cover social media. (The link here goes into some detail about the provision and why it was extended to the Net.)

So: should scope matter as much as substance here? Is it all a matter of allocating prosecutorial and court resources efficiently? Could someone defend a charge on the basis that the message was not as offensive (whatever the test happens to be) as a more narrowly distributed message that did not lead to charges? (Sounds unlikely to me – just as it’s not a defence to a charge of driving 20 kph over the speed limit that the car in front of you was driving 30 kph over.)

Views?

To what extent is the use of these measures problematic for people who rely on technology to make information accessible to them because of physical or other disabilities? The simplest example is the inability of text readers to read PDF images, so a scanned text that becomes such an image is not accessible.

Besides the risk of reducing one’s intended target market (or simply one’s destined reader), is there a legal issue in not meeting the increasingly demanding standards of electronic accessibility? Ontario’s standards under the Accessibility for Ontarians with Disabilities Act are applying to the private sector more and more broadly, government often being the first to have to comply.

The basic principles of electronic accessibility have been developed by the WC3 consortium; most legislated rules rely on them. Are they sufficiently mindful of security needs? Are people (including businesses and governments) that create ‘secure’ documents or sites or services that are not accessible simply not paying sufficient attention to these laws or standards?

We have discussed before the private actions for enforcement in the US, the likes of which could spill over into Canada. There have been suits against Target Stores for insufficiently accessible web sites, and against Netflix for distributing movies without closed captioning for the deaf. Both suits have settled. Netflix recently agreed to have closed captioning in all its first-run movies by 2014. Can these actions be settled because there are fewer security demands on the kinds of services or sites at issue? Or is this the wave of the future for all applications?

What do your clients do, or what do you advise them to do? For that matter, what do you do to ensure your own communications are accessible to all? Do you worry about security in any sense in doing so, or should you?

The online world has been greatly affected by the rise of social media, whose principal characteristic is interactivity among the users of a particular service or communication channel. The possibility of not just one-to-many but also many-to-one and many-to-many communications have put focus on 'the crowd' – a potentially almost infinite number of Internet users who may participate in a conversation in a number of roles.

This has led to the emergence of the term 'crowdsourcing', meaning an express solicitation of Internet users generally to contribute to solving a problem. No doubt the popularity of the term has been assisted by the impact of James Surowiecki's book The Wisdom of Crowds .

This note describes two recent initiatives in resolving disputes online through what their creators call crowdsourcing, though they make quite different appeals to 'the crowd'.

1. ODR Exchange

The first of the two is the ODR Exchange, based in Prague. It is designed to be a technological and process-based framework on which dispute resolution service providers can build facilities that would be offered to buyers and sellers engaged in cross-border electronic commerce. ODRExchange will not itself resolve disputes. It offers templates for making basic types of claims in consumer transactions, responding to them, and making decisions, especially in consumer transactions. These templates are to be adopted and adapted by service providers around the world.

ODR Exchange hopes in this way to enable disputants and those who offer them services – mediators and arbitrators, platform builders, consumer agencies, and so on – to build and participate in dispute resolution systems around the word that will resolve differences in an economical and efficient manner. The aim is to build the necessary degrees of trust to enable people to make online deals across national borders. All processes and protocols will be open system to provide maximum flexibility in their application.

The appeal to the 'crowd' in this model is to bring together the diverse interests, each for its own motives, that will provide all the different functionalities needed for a self-sustaining system. The result will be not a single big global player (the ODR Exchange does not aspire to that status) but 'a wide group of interconnected private, public and semi-private entities around the world.' The ODR Exchange will provide the initial documentation and protocols – the 'backbone technology' – and assemble the initial group of stakeholders and do what it can to encourage the model to propagate itself onto a global scale.

Success will depend on 'massive' participation by online sellers. They might have an incentive to join and comply by being allowed to use an ODR 'trustmark' to certify to potential customers that they are subject to this fair and efficient process. Consumer agencies might administer the trustmark and ensure that participating merchants complied with their obligations. Naming and shaming is one of the key measures for enforcement. Merchants approved by the system and bearing the trustmark should be able to count on increased cross-border business that would justify the cost of compliance.

The concepts themselves are kept as simple as possible, with diagrams, icons and flow-charts to assist in understanding the role of each instruction. This means restricting legal problems to the basics – but basics that probably cover over 80% of all consumer disputes: were the goods or services delivered, were they the right ones, did they meet expectations? And on the other side, did the customer pay, or meet other obligations to return defective goods? A layout of the concepts and processes in action is available here. The ODR exchange says that so far in its (quite extensive) research, it has not encountered different legal rules for these simple situations.' These simple cases are resolved in the same or very similar manner all over the world'. As a result the choice of law becomes much less important to the resolution.

It is anticipated that all the content can be made available in multiple languages. Since each part of the template is constant, its content can be used in different languages by each party to a dispute. A change to part of the master text will cascade through the system to change each language version in a consistent way. Thus parties in different countries can have confidence that they can go behind the promotional website in their language if they need to pursue a remedy against the foreign merchant that uses another language at home..

The system is designed to work with the forthcoming UNCITRAL ODR Rules that may be adopted in the November 2012 session of the the ODR Working Group. The founder of the ODR Exchange, Zbynek Loebl, has been actively promoting a global consensus on those Rules. His innovative technology, in the hands of the crowd, may be able to answer some of the practical questions that UNCITRAL has been raising.

2. eQuibbly

On a different scale, a new ODR service based in Toronto (though apparently aimed at at least a North American market) aims to solve particular disputes through 'crowd-sourced' mediations, as well as more traditional (though online) arbitrations. eQuibbly allows people to describe their disputes on the site and invites the other side to give their perspective. The processes for all types of dispute resolution are set out in videos on the site. Then users of the site can say what they think should happen.

The site puts it this way:

As a collective, you trust your friends and neighbors to provide you with accurate and useful information every time you look something up on Wikipedia and TripAdvisor, and to make the appropriate decision when choosing your government, which controls so many aspects of your life. So why not have them help you resolve your disputes?

The resolution of public disputes will not be binding, as the public is standing in the role of a mediator, who does not have the power to bind, only to suggest. Disputes may be conducted privately, with participation from those chosen by the parties. These may be non-binding as well, serving as a kind of neutral evaluation, or binding. If they are binding, they are for legal purposes arbitrations subject to the applicable law. One sees this at the eQuibbly site, whose arbitration rules are long and fairly technical, unlike the chatty text on the rest of the site.

All the services of the site are free. The business model is not clear from the site itself. While crowd-sourcing the mediators is clearly inexpensive, the site itself is well presented, and maintaining and providing access to the disputes and comments uses bandwidth that one normally has to pay for. Whether good arbitrators will be willing to work for nothing is not clear. It may be that the web site is free, including the communication among the parties and with the arbitrators, but the arbitrators that the parties invite agree to participate only for compensation.

According to the founder of the site, Lance Soskin, in the future some parts of the service will eventually be offered for money, while the crowd-sourced public disputes will be left as a free 'attraction' to the site, and as a service for the disputants who benefit from those discussions.

At present data are not available as to the use made of the site for private, especially binding, resolutions. A number of public disputes are available for review on the site.

What next?

These ODR systems are only two of what will no doubt become many appeals to the crowd to resolve disputes. Whether the crowd will turn out to be wise in these cases, time will tell.

One of my quick points was that there could be an issue about the entitlement of an ex-employee to a professional LinkedIn account. The case I had in mind in listing the issue was one involving a woman named Linda Eagle, who built up a company with her own name, but when she sold it and the new owners fired her, a dispute arose whether they could keep her LinkedIn profile. Since her assistant had her password, the employers managed to take over the profile. She sued.

A court in the US has ruled [PDF] that Ms Eagle does not have a case under the Computer Fraud and Abuse Act (CFAA) for unauthorized use, but she may have a case under state law of conversion. (Can the tort of conversion can cover data or other such claims?) The link above is to an ABA story, whose title is misleading because it mentions only the dismissal of the federal case but not the maintenance of the state law case. Neither has been decided; this was only about jurisdiction.

So: what would you advise your clients? Your partners?

Question: is it secure enough for lawyers? I know that the Ontario government does not allow me (or others) to download the software (or any other software….) to make it work. But I have heard as well from private sector lawyers that their IT departments don’t think Skype is secure enough to use professionally.

Is that your view, or experience?

What is the issue:

• that Skype wants to set itself up by default to run as a server (a default that one can change)?
• That people will be able to tap into conversations as they happen?
• That conversations leave a record that may be accessible to unauthorized people later? (the video conference or text messages one might send during the meeting, or both?)

Other?

Do you use Skype in your practice, and if not, why not? And if so, is it on a balance of convenience basis or because you do not believe there are security issues at all?

Some commentators have pointed to an evolution in the way Skype is run under its recent ownership by Microsoft. See also this story.

What do you think? Would our law be improved by provisions like those in the German law?

Your clients who do consumer e-commerce in the EU will run into this kind of law in all member states before long. (It must be in force by mid-2014.) How will you advise them?

How do you advise your clients to accommodate this kind of rule to m-commerce, where the consumer reads the information disclosed on a very small screen (though slowly getting larger)?

The Canadian template applies only to sales over $50, so the kind of detail described in the article is not needed for, say, an iTunes download or most apps that need to be bought. Just as well, probably.

Views?

There are legal and ethical questions here. A review of the ethical ones appears in Stewart Baker's blog, Skating on Stilts. (He is a former General Counsel of the US National Security Agency, among other high-level achievements.)

Mr Baker argues for private defence as well as for state-operated defence. What do you think?

Care to speculate about whether defending your system, or poisoning the attacker's system, would constitute 'colour of right' that is a defence against a charge of unauthorized access to someone else's computer system? [Criminal Code s 342.1]

His legal analysis is under US law, of course, since that's where he's writing, but this passage sounds applicable to the Criminal Code provision I alluded to above:

To oversimplify a bit, violations of the [Computer Fraud and Abuse Act] depend on "authorization." If you have authorization, it's nearly impossible to violate the CFAA, no matter what you do to a computer. If you don't, it's nearly impossible to avoid violating the CFAA.

But the CFAA doesn't define "authorization."

Likewise the Criminal Code does not define "colour of right". Do the concepts overlap for this purpose?

A very pungent description of the ‘Privacy? Never heard of it!’ world of advertising and the discussions about these standards can be found on ZDNet. (h/t David Cheifetz)

And even browsers set to ‘do not track’ will not comply with the EU’s recent rules on getting consent before placing cookies — which are what allow the tracking in the first place. Perhaps just as well, if advertisers are going to ignore those settings.

Will PIPEDA or its substantially similar provincial counterparts change advertisers’ behaviour in Canada?

According to this Outlaw.com story, the American Association of National Advertisers has complained about this. Tracking, it says, allows for advertising better targeted to users’ interests, thus more likely to be effective, thus more lucrative for the advertisers, thus providing more money to support the ‘free’ content on the Internet. Blocking tracking by default ‘takes the information out of the information economy’.

Tracking data "also supports robust consumer protections including safety mechanisms that range from fraud detection in financial services to prevention of online threats," say the advertisers.

Privacy advocates have been objecting for some time to the ability of advertisers to follow Internet users from site to site and to collect data on where people have gone, even for commercial reasons, without users’ express consent or (probably) knowledge. Presumably Microsoft has been listening to them.

It’s pretty clear that whichever way the browser is set by default is the way that most users are going to leave it set. So the advertisers are happy enough that users have the ability to turn off tracking, knowing that most will not do so.

Who is right here?

Is there a role for the law, i.e. state intervention of some kind in this decision?

In any event, here is a very brief note of three recent decisions of Quebec courts (thanks to a publication by Nicolas Vermeys and Patrick Gingras for Éditions Yvon Blais.) Are there any similar decisions in other Canadian (or other) courts? Would those courts be likely to do the same thing under their applicable law? Should they, in any event?

1. Family law: disputing and chronically hostile parents ordered to communicate only by email, and by phone only if there is a child-related emergency: P.G. v S.L. 2012 QCCS 2107 (CanLII)

2. Employment law: employer finds employee sending confidential information from business email to his home email; employer uses password cracking program to get into employee’s home email, finds that the information is being sent on to competitor. Held: evidence of home email use is admissible and will not bring the administration of justice into disrepute: Pneus Touchette Distribution v Pneus Chartrand et al 2012 QCCS 3241 (CanLII)

3. Defamation: holding of SCC in Crookes v Newton that publication of hyperlinks to defamatory material is not in itself defamation does not apply when the links go to material written by the person providing the link. In other words, you can’t link to your own defamation with impunity. That’s not likely to be a controversial ruling. Laforest v Collins et al 2012 QCCS 3078 (CanLII) (para 84ff)

Would any of these holdings be controversial in the courts you are familiar with? Are there parallels you can refer us to?

Is this a problem, at least potentially? Are car owners going to run into digital rights management (DRM) and technical protection measure (TPM) problems? As one commentator asked, if Apple complains about Ford’s driver/car interface, will Ford have to remove features from your car that you have become used to? Will the terms of use of your car be ‘upgrade, or you can’t drive to work today’? Your electronic system could lock down the hood so you really can’t repair your car any more.

Will we need to amend the Copyright Act again (!) to avoid abuse of this kind of right, now that we can’t avoid technical protection measures?

Is there a risk of fake patches being sent out – a new form of malware that could drive you off the road?

I don’t suppose one would be able to amend the purchase contract when one buys a car, to avoid the operation of this process. One’s only protection may be to buy increasingly out-of-date cars (or rely on a bicycle…)

The Secretariat has just published the main working papers for the meeting – WP 118 and WP.118/Add1. They are on the UNCITRAL site in the working group document section under E-commerce (of course): http://www.uncitral.org/uncitral/en/commission/working_groups/4Electronic_Commerce.html.

The US, Spain and Colombia have also submitted their overview of the issues, as WP.119.

In addition, the ABA's task force on identity management have submitted a paper on that topic, as WP.120. Not only can ID management be a separate topic, but it relates directly to authentication questions that arise with electronic transferable records. One has to be very confident of the identity of the person who controls the record and the person to whom it is being transferred, to make the system work.

I suppose that some of you won't want to sit down and read all these documents from start to finish in order to comment, even with the knowledge that members of some national delegations may see the comments. Your chance to influence the course of international law!

In that case, I could direct your attention to a matter dealt with at paragraphs 42 – 49 of WP.118/Add.1 about how one can transfer paper documents to electronic form, and vice versa, without losing their reliability and thus their legal effect. Does the description sound right to you? Do your clients have an interest in ever doing that?

More later, perhaps, but feel free to comment on anything in the papers. I have raised before whether the need for the project had been demonstrated. WP.119 addresses that question directly.

On Thursday last week, eight judges in South Korea's Constitutional Court unanimously struck down a law requiring the use of real names online on the grounds that it violated the constitutional right to free speech.

Would the Canadian Charter or other law produce the same effect if Parliament passed a similar statute?

Is there any remedy against a private service provider sought to enforce such a policy? I know that Facebook states that users must use their real names, bit I also know that that rule is not universally applied. (It is a bit hard to police that number of users …)

Is there any case for such a law or policy, on balance?

Views?

The U.S. Department of Defense, the General Services Administration, and NASA last month proposed a change to the Federal Acquisition Regulation (FAR) that would require contractors to safeguard their information systems containing information provided by or generated for the government. The proposed rule … would require government contracts with all federal contractors and appropriate subcontractors to mandate basic information security measures.

Is this a good idea?

In particular, should Canadian governments be concerned about the security of the IT systems in place among businesses that contract with them? If so, should cybersecurity standards be imposed by contract, as a condition of public procurement? Or should they be fixed in law instead, so that businesses that do not bid on government contract would also have to be secure?

(The US promotes a number of government policies by the economic incentive of requiring compliance in order to get government work. So far as I know, that is not common here. Is that because we have a more efficient legislative or enforcement system?)

Are governments in Canada credible in talking about cybersecurity, so that such a requirement of the public sector would be fair?

One particular element of the argument surprised me, and I would be interested in your views.

In the case, an employee brought a complaint before a labour tribunal against her employer, claimed that the employer had created, or allowed to continue, an atmosphere of harassment. As evidence, she brought printouts of comments made by her work colleagues on the Facebook page of another colleague who was also (for a while) a Facebook friend of the complainant.

The employer objected to this evidence, among other reasons, because it infringed on the privacy interests of the employees who made those comments.

Does this make sense to you, that the employer would have standing to invoke the privacy interests of third parties? What relevance is their privacy to the dispute between the employer and the employee? If a claim depends on what someone else said, can the claimant be prevented from proving it out of some kind of legal right to privacy of the people who said it? (Note that whether this is hearsay evidence is a separate question, also argued in the case.)

For that matter, could the third parties intervene to object to their words being used, as an infringement on their privacy? Would it be appropriate for the tribunal to raise their privacy interests on its own motion?

Is evidence 'improperly obtained' just because it violates the privacy interests of the person whom it concerns? Could use of such privacy-violating evidence 'bring the administration of justice into disrepute' so the evidence should be excluded?

Does it depend on how it was obtained? I suppose if one got the evidence by wiretap or other illegal or distasteful method, a court could refuse to admit it on that ground, just as it would do for tangible evidence obtained the same way. But when is 'privacy' on its own a sufficient ground to exclude relevant evidence?

In the instant case, the tribunal held that the commenters had no expectation of privacy for comments on Facebook with respect to the class of 'friends of friends' that could be almost infinite. My question is broader: even if they had had an expectation of privacy, could that expectation prevail over a claim that needed the evidence?

What are the limits, or even the rules, here?

This is not the same issue as whether 'private' information (on Facebook or elsewhere) has to be disclosed by a party to litigation, in the discovery process. Third parties are not subject (in Canada) to discovery.

My note mentioned a provision of the rules of procedure of the tribunal that barred evidence that violated fundamental rights (of anybody, apparently), and a section of the Manitoba Privacy Act that bars the use in any civil proceeding of any evidence obtained by a breach of privacy as defined in the Act. Is such a provision common, and should it be?

How would that affect, say, defamation cases? Sometimes defamation is in a conversation that the person defamed was not intended to overhear. Could the evidence be excluded because the plaintiff should not have been listening? (The defendant in that example would be a direct party, not a 'third party'. Has anyone in this scenario a maintainable privacy interest that could be invoked in the proceeding?)

When we did the UECA in 1999, we had in mind that a voice mail message might be an electronic document and the association of the content with the speaker could well constitute a signature.

There is some law that a signature must be an intentional act, and whether just saying ‘Hello, it’s John, I accept your offer to sell me your house’ would constitute an intention to sign, I am not sure.

There is also a lot of law finding all sorts of marks and codes to be signatures, usually to prevent someone from getting out of an obligation on the ground that the Statute of Frauds required a more formal signature. So the degree of intention needed may be small.

The UNCITRAL Electronic Communications Convention allows electronic signatures to fulfil legal signing requirements if the method used is shown to ‘identify the party and to indicate that party’s intention in respect of the information contained in the electronic communication’. So my voice mail example above would qualify under the ECC.

Is there some reason that a voice message should not satisfy that definition?

So: how about voice mail – or other form of recording? (One imagines a transaction where party is unable to write, or a remote transaction done by phone or on video conference.) Assuming that the questions of storage and authentic reproduction are solved, is there a problem taking the recording itself as a signature? Does it matter about the recording medium: digital or other (probably not on a wax cylinder, these days)?

Is this any different from using a voice recording to be the document itself, i.e. to serve as writing? Would that be problematic, in your view?

By the way, Australia’s Electronic Transactions Act seems to limit the use of recorded speech as electronic communication. The definition of ‘electronic communications’ says it means this:

(b) a communication of information in the form of speech by means of guided and/or unguided electromagnetic energy, where the speech is processed at its destination by an automated voice recognition system.

The ULCC was aware of the Australian text and decided not to put any such limit on our law.

In the Internet age, people still have the same interests and passions as they had before electronic communications became pervasive, but they have different methods of expressing them. It may be a challenge to apply traditional rules of law to those methods. This note reviews one example of such a challenge, with respect to the use of evidence from Facebook and the reliance on Wikipedia to inform the tribunal of relevant facts.

In Landry c. Provigo Québec Inc (Maxi & Cie), 2011 QCCLP 1802 (CanLII), Madame Landry complained about harassment at her workplace at Provigo, the Quebec grocery chain. Her case was dismissed by the Commission de la santé et de la sécurité du travail [Workplace Health and Safety Commission] and went on appeal to the Commission des lésions professionnelles [Commission on workplace injuries]. The complainant relied in part on printouts of comments made on the Facebook page by friends of a colleague whom she had recently friended. These comments were not favourable to her. (The actual nature of the harassment is not disclosed in the judgment.)

FACEBOOK 

The employer objected to the admission of the Facebook pages on three grounds: they lacked integrity, they were hearsay, and their admission would violate privacy rights of the people commenting. The Commission noted that the use of Facebook pages in labour cases seemed to be well established, citing several cases, but that the admissibility had apparently not been directly challenged before.(para 33)

Integrity

The complainant had printed out several pages of her friend's Facebook account in four batches, but submitted only some of the pages as evidence, the others not being about her, she said. The employer claimed that the selection was the equivalent of untraceable editing and the text was therefore unreliable. The Commission held that the texts submitted themselves had integrity, in that nothing had been omitted from them or changed in them. There was no parallel to edited surveillance videos or other instances where evidence as presented might have been altered.

There are logically two aspects of 'integrity' here, though neither the employer nor the Commission distinguished them consistently. The first, and perhaps less important, is the impact of the editing, dealt with above. The second, more fundamental, is the authentication of the evidence. The Civil Code of Quebec (article 2855) says that any material evidence must be shown independently to be authentic – unless it is an electronic document (what Quebec legislation refers to as a 'technological document'). Technological documents benefit from a special rule (and a printout of a text taken from a website is such a document for this purpose.) In that context, the Commission reviewed Quebec's Act to Establish a Legal Framework for Information Technology, RSQ, c C-1.1. 

Section 5 of the Act says, in part:

 The legal value of a document, particularly its capacity to produce legal effects and its admissibility as evidence, is neither increased nor diminished solely because of the medium or technology chosen.

A document whose integrity is ensured has the same legal value whether it is a paper document or a document in any other medium, insofar as, in the case of a technology-based document, it otherwise complies with the legal rules applicable to paper documents.

A document in a medium or based on technology that does not allow its integrity to be confirmed or denied may, depending on the circumstances, be admissible as testimonial evidence or real evidence and serve as commencement of proof, as provided for in article 2865 of the Civil Code.

The Civil Code says that a technological document needs to be authenticated only if it falls into the third paragraph of section 5 of the Act, i.e. it is one 'based on a technology that does not allow its integrity to be confirmed or denied'. However, section 7 of the Act presumes that such a document has integrity and puts the onus of proof on the party denying it. Section 7 says this:

It is not necessary to prove that the medium of a document or that the processes, systems or technology used to communicate by means of a document ensure its integrity, unless the person contesting the admission of the document establishes, upon a preponderance of evidence, that the integrity of the document has been affected.

Further, the Code of Civil Procedure (s. 89) requires for this purpose that the party challenging the document submit an affidavit specifying the facts and reasons that support the lack of integrity of the document in question. This had not been done in the Landry case. (para 52)

By way of comparison, the Uniform Electronic Evidence Act creates a presumption of the integrity of the computer system of a proponent of an electronic record, for the purposes of the best evidence rule. (Uniform Act s. 5(a)) It may be that this presumption could be used in support of authentication as well. (Uniform Act s. 2(2)) It is certainly a good deal weaker than the presumption in Quebec law.

The Commission noted finally that it was not bound by the strict rules of evidence in any event. (para 45) It held that the challenge on the ground of lack of integrity failed.

Hearsay

The employer said that the words of Mme Landry's fellow employees were hearsay and thus inadmissible. The employees were not available for cross-examination by the employer. The Commission disposed of this argument quickly. The names and pictures of the employees in question appeared with their comments on the Facebook pages printed and submitted by the complainant. If the employer wanted to call them to the hearing and ask them questions, it was free to do so.

The Commission found as well (para 56) that the documents presented 'sufficient guarantees of trustworthiness', though it did not explain how. Perhaps the presumptions of integrity already set out were considered to spill over into the hearsay analysis.

The complainant submitted as well that the comments of the employees were not hearsay because not proferred to prove their truth but to show that they had been made by her fellow workers and constituted harassment. The Commission could have decided the point in her favour on this ground as well.

(The status of the content of websites as hearsay can be a problem in many cases. A more detailed review of the issue will have to await another occasion.)

Privacy

The employer pointed to the rules of procedure of the Commission itself, which say this:

11. [...] Il doit toutefois, même d’office, rejeter tout élément de preuve obtenu dans des conditions qui portent atteinte aux droits et libertés fondamentaux et dont l’utilisation est susceptible de déconsidérer l’administration de la justice. [It must however, even on its own motion, reject any element of the evidence obtained in conditions that infringe on fundamental rights and liberties and whose use may tend to bring the administration of justice into disrepute.] (para 11)

One might compare Manitoba's Privacy Act, s. 7:

No evidence obtained by virtue or in consequence of a violation of privacy in respect of which an action may be brought under this Act is admissible in any civil proceedings.

Thus the Commission needed to decide if there were any such infringement. Are comments posted on Facebook part of the private sphere? (para 65). It held that they were not. Getting access to the comments was done in accordance with the general rules of Facebook. Becoming someone's friend gave access to comments of friends of that friend. While that relationship lasted, the complainant had legitimate access to the comments. (After the complaint was filed, she was defriended and lost access to them.) 'This principle of interaction of different users is at the base of a social network like Facebook." (para 67)[translation]

While comments on Facebook are personal to the commenter and do not bind anyone else, one must distinguish between personal comments and private comments. (para 69)

[70] Une personne qui détient un compte Facebook permet à ses amis et aux amis de ses amis de prendre connaissance de ses commentaires. Cette personne peut contrôler la liste de ses amis, mais il devient plus difficile de contrôler l’accès à son profil aux amis de ses amis, liste qui peut s’allonger presque à l’infini. Nous sommes donc loin du caractère privé du profil de cette personne et des commentaires qu’elle émet. [A person who has a Facebook account allows his or her friends and friends of friends to know his or her comments. The person may control the list of his or her friends, but it is more difficult to control access to one's profile by friends of friends, a list that can stretch almost to infinity. We are thus far from any private character with respect to the person's profile and the comments that he or she makes.]

One may compare Leduc v Roman 2009 CanLII 6838 (ON SC) in Ontario:

Facebook profiles are not designed to function as diaries; they enable users to construct personal networks or communities of 'friends' with whom they can share information about themselves, and on which 'friends' may post information about the user. (para 31)

Thus the Commission was in the Canadian mainstream in treating Facebook comments are not private for the purpose of admissibility into evidence. (Slaw has discussed frequently the separate question whether personal information on Facebook is compellable on examination for discovery. The general answer is Yes, but fishing expeditions for such information will be discouraged.)

WIKIPEDIA

The Commission began its review by considering the nature of Facebook, on which it informed itself by referring to the French edition of Wikipedia. It said that it was common practice for tribunals to refer to dictionaries to understand the usual meaning of a word or expression. 'In the modern world', Wikipedia could be considered a dictionary for this purpose. (para 31).

Slaw has considered the use of Wikipedia in courts and tribunals here , here and here . Despite considerable scepticism about such use, including in courts themselves, references are remarkably common, especially, it appears, in administrative tribunals. Nicolas Vermeys and Patrick Gingras classify 184 Canadian uses found on CanLII up to the summer of 2011: to define medical, legal and economic terms (and at least once to understand if a term was defamatory), to explain scientific, mechanical or mathematical concepts and the rules of grammar, to get a translation, or to provide background facts of history, geography, economics and sociology. ('Citer ou ne pas citer: la preuve par Wikipedia', Repères, September 2011, Editions Yvon Blais., text and notes 8 to 21 and 79 to 83. The article was inspired by the Landry case discussed here.)

Concerns

The Commission in Landry did not question whether Wikipedia could be considered a dictionary. However, the site defines itself as a kind of encylopedia, that is, an explanatory text rather than a definition. It is in the nature of explanations to be debatable, and thus more risky to rely on than a source of definitions. (We can skip over the rich literature on statutory and other forms of legal interpretation that raise issues with the use of definitions themselves.)

As an explanation, how reliable is Wikipedia? Its texts can be created and modified at any time by anyone with access to the Internet (with a few exceptions now for particularly notorious topics or controversial people whose entries are more tightly controlled.) Thus the level of expertise involved can vary widely, and from one day to the next. Wikipedia itself says this about reliance:

PLEASE BE AWARE THAT ANY INFORMATION YOU MAY FIND IN WIKIPEDIA MAY BE INACCURATE, MISLEADING, DANGEROUS, ADDICTIVE, UNETHICAL OR ILLEGAL.

Some information on Wikipedia may create an unreasonable risk for readers who choose to apply or use the information in their own activities or to promote the information for use by third parties.

Perhaps even more important than the question of knowledgeability of the contributors is that of their neutrality. The text of articles can be slanted to one's own preferences. While the whole world may be watching (and amending), and Wikipedia has editors to enforce its standards of neutrality of point of view and of citation of authoritative sources, any particular article may escape their attention for an indefinite time. (Extra caution would be needed for a printed version of a Wikipedia page, which might be created immediately after a tendentious amendment, before a balance was restored.)

This risk has been faced frequently in immigration cases, where the political climate of a refugee claimant's homeland can be critical to the determination of refugee status. Tribunals have been sceptical of Wikipedia entries in this context, whether used by claimants or by adjudicators. Jahazi v Canada (Citizenship and Immigration) , 2010 FC 242 (CanLII) para 60, but cf Moiseev v Canada (Citizenship and Immigration) , 2008 FC 88 (CanLII) para 24. In a non-judicial context, Professor Vermeys mentions an incident where a student made extensive changes to Wikipedia's page on the novel Brave New World in order to cover up his plagiarism of the original material on the page.

Sometimes Wikipedia articles seem to be submitted as a kind of principal evidence, but often they are an appeal to judicial notice. Judicial notice may be taken of facts that are so well known as not to be disputed, or so amenable to clear proof from readily accessible and authoritative sources that direct proof in the courtroom may be dispensed with. While online texts may well have such a character, it is far from clear that Wikipedia is among them. A well-known study comparing Wikipedia's reliability favourably to that of the Encyclopedia Britannica has been doubted in later reviews.

It is probably appropriate to take Wikipedia's disclaimer at face value. "DO NOT RELY UPON ANY INFORMATION FOUND IN WIKIPEDIA WITHOUT INDEPENDENT VERIFICATION. "

Limits and Protections

Given these widely-known concerns, why is Wikipedia used so often? Clearly its accessibility and the very large number of articles work in its favour. In many cases it is arguable that the content used is quoted more for its economy of expression than for any novelty in the meaning. In other words, the court or tribunal knows the commonly accepted meaning and used Wikipedia only as a confirmation and expression of it. If the Wikipedia entry ran contrary to the court's prior understanding, it would almost certainly not be used. For this purpose, its use is fairly safe.

Again, this kind of use provides background information, it sets the context for the principal dispute. It seems much riskier to rely on Wikipedia for the decisive point in a legal proceeding. Again in its own words, “If you need specific advice (for example, medical, legal, financial, marital or risk management) please seek a professional licensed or knowledgeable in that area.”

Vermeys and Gingras also point out the usefulness of the references to source material set out in Wikipedia articles. Wikipedia's editors do check that the references are independent of the contributor, and of serious reputation. Thus the site is a good starting point for finding the type of authority that it is safe to rely on, and it may help orient the search for the material too.

It appears in some cases that administrative tribunals have allowed themselves more latitude about the strict rules of evidence, including proof of reliability of their sources, than would courts. The Commission notes this distinction on another point in the Landry decision and has relied on it in other decisions. That seems a hard distinction to generalize, however. People's rights are decided in both types of body, and the parties should be able to rely on the decisions being made on a credible basis.

At the very least, anyone thinking of giving legal effect to a Wikipedia article should be aware of the 'metadata' of the article, namely the Discussion page in which differences of interpretation are sometimes debated by contributors or editors, and the History page that shows when changes have been made to the article and by whom. It is sometimes possible to know the actual author of an amendment, and sometimes only the IP address from which the amendment came. Further research can sometimes track down a likely author, but with more effort and resources than a court or tribunal, or the parties to a proceeding, may wish to devote to the effort. The need to refer to these pages is mentioned by the Montreal Municipal Court in R. v Cianfagna 2007 CanLII 25904 (QC C.M.)(reversed on appeal on other grounds). (Wikipedia's Risks page cited earlier mentions these steps as well.)

CONCLUSIONS

The admissibility of information from Facebook seems common across Canada. The types of questions faced by the Commission in Landry may need to be disposed of in individual cases, as examples of more general principles of evidence like authentication and hearsay. Whether the presumption of reliability of 'technological documents' provided by the Quebec legal framework statute is appropriate invokes a wider debate than that of the present article.

As for Wikipedia, the Commission in Landry skated over the big issues, though arguably without doing any harm in that case. The characteristics of Facebook relied on by the Commission are themselves widely known and might qualify for judicial notice without the intermediary of Wikipedia. The challenge to any particular description of Facebook may come from the frequency with which Facebook itself changes its features and terms of use, rather than from any potential amendments to the Wikipedia article on it.

ENDNOTE on Jurisprudential Solitudes

This article relies heavily on reasoning and sources assembled by a handful of Quebec jurists who have produced a remarkably broad and deep literature on electronic communications and the law, principally in that province but with a good understanding of other Canadian sources and international thinking.

Besides the article mentioned above about the Landry decision and Wikipedia, one may note as a mere selection of recent sources:

1. Vermeys and Gingras, 'La Preuve issue des médias sociaux : Capture, préparation, présentation ' (Legal IT, April 2011)
2. Gingras and Vermeys, Technologies de l'information En bref (No. 1, May 2012), notably 'Qu'est-ce que Facebook? Plaidoyer pour une qualification juridique des médias sociaux'
3. Vermeys and Gingras, 'Je tweet, tu clavardes, il blogue : les aléas juridiques de la communication électronique' (Barreau du Québec 2011). The second half deals with admissibility of evidence from social media.
4. Gingras and Vincent Gautrais, La preuve des documents technologiques (2010) 22 Les Cahiers de la propriété intellectuelle, num. 2, updated in 2012 for the Barreau du Québec.

Professor Gautrais, Pierre Trudel and several colleagues have just launched a web site devoted to the Act to provide a Legal Framework for Information Technology on its tenth anniversary, setting out interpretation and case law. The site promises to be of great interest. The differences between Quebec law and that of the rest of Canada on these topics would support an additional article or series of articles.

Does this strike you as a reasonable result? What would happen in Canada, under our various access statutes, one of the most extensive of which is the Accessibility for Ontarians with Disabilities Act? Governments tend to have standards about the accessibility of their own publications – certainly the federal and Ontario governments do, but they can’t be alone. That may require them to close-caption their YouTube and other videos.

Do we have standards applicable to broadcasters? To the Internet, or at least to content providers within Canada (and are the jurisdictional issues of interest?) Would standards applicable to the Internet have to be federal rather than provincial? What’s out there? How can it be made to work, if it should (and why should it not?)

For an overview of US law on this topic, including the Netflix case, see William Goren's blog on the ADA. Canadian sources welcome.

The story of the commercial, professional and administrative uses of electronic communication is a search for trust. Who are we dealing with? How do we know? How certain can we be – or do we need to be? I have reviewed the basics in my column on Authentication and Trust .

Trusted technology

Sometimes the search focuses on the technology that purports to offer trust. This can be described in terms of a specific technology, such as dual-key encryption in the framework of a public key infrastructure (PKI ), for example. At other times the focus attempts to be technology-neutral, setting out the characteristics of the trust-creation techniques (often a method of signature, though a signature is only one of many methods of authenticating an electronic record.)

A common formulation of the technology-neutral description is a four-part test originally developed by the National Institute of Science and Technology in the US and reproduced in essence in statutes around the world. Here is the version used in the United Nations Model Law on Electronic Signatures of 2001:

Article 6.3. An electronic signature is considered to be reliable for the purpose of satisfying the requirement referred to in paragraph 1 [to be as reliable as appropriate in the circumstances] if:

(a) The signature creation data are, within the context in which they are used, linked to the signatory and to no other person;

(b) The signature creation data were, at the time of signing, under the control of the signatory and of no other person;

(c) Any alteration to the electronic signature, made after the time of signing, is detectable; and

(d) Where a purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.

It is sometimes alleged that despite the functional description of this method, the requirement can be met only by a PKI system, one that uses a mathematical transformation (or 'hash function' ) of the signature data to allow the testing of the integrity of the signature and potentially of the signed text as well, i.e. to meet the last two criteria here.

Legal systems that set out these requirements generally describe a legal result for meeting them. Thus the UN Model Law rules above are part of a description on how one satisfies electronically a legal requirement that information be signed. If one has those characteristics, one satisfies the requirement (unless the contrary is shown). Meeting similar requirements for an 'advanced electronic signature' in the EU Electronic Signature Directive makes the signature the legal equivalent of a handwritten signature (Article 5). Using a 'secure electronic signature' under PIPEDA creates a presumption that the person purporting to sign the document did sign it. (See the Canada Evidence Act s. 31.4 for the ability to create presumptions by regulation, and the Secure Electronic Signature Regulations s. 5 for the presumption.)

Non-repudiation

Sometimes, however, the people devising the law, and particularly the technology, are more ambitious. There is a tendency among some engineers and marketing staff of e-signature vendors to call this result 'non-repudiation'. If a record has the characteristic of non-repudiation, so it is said, the person alleged to have signed it or originated it will not be able to deny having done so. (In some cases the term is used to mean that the apparent sender cannot deny sending the message, or even that the intended recipient cannot deny receiving it.) It is easy to understand the attractiveness of such a characteristic for many legal documents, among others. Even the International Standards Organization (ISO) has its rules for non-repudiation services and principles

Some system designers went so far as to include in their coding for a digital signature a single bit that could be – like any binary object – turned on or off. (The concept has been part of the X.509 certificate that is a central part of many PKI models.) The principle was that turning the bit on would signify an intention to be bound by the digital signature that included it. The bit became known as the 'non-repudiation bit' or 'NR bit'. In combination with dual-key encryption that tied the document created with one element of a key pair to the document opened with the other element of the pair, and a hashing function to ensure that the messages had not changed between signing and reading, this was thought to make the whole message non-repudiable.

We have here to some extent the divergence between engineers' philosophy and lawyers' reasoning that I explored last year in Lawyers, Engineers and Technology: A Case Study . Lawyers see different kinds of things at issue, or more things that can go wrong. It must be said that some of the technologists are getting the picture. A recent Request for comments (RFC), the expression of many of the technical standards applicable to e-communications, published by the Internet Engineering Task Force (IETF) distinguishes between 'technical non-repudiation' and 'legal non-repudiation'.

"Technical non-repudiation": Refers to the assurance a relying party has that if a public key is used to validate a digital signature, then that signature had to have been made by the corresponding private signature key.

"Legal non-repudiation": Refers to how well possession or control of the private signature key can be established.

Technical challenges

It is clear that the mathematical integrity of dual-key encryption is complete. It still works. Theoretical breaches have been made on some hashing algorithms, but not to the point of a practical attack. But even from a technical non-repudiation standpoint, that does not get one very far. One needs more than the math. Consider the factors as set out in the Model Law:

The signature creation data (the signing key and the reading key) are linked to the signatory (the purported signer) and to no other person. How do we know the link? Maybe the signatory told us. Maybe there is a 'certificate' attesting to the link. How trustworthy is the certificate? While its text may be reliable (being itself digitally signed), do we know how the certification authority issued it? How thoroughly did they test the assertions of identity and of control of the signing device? The Model Law sets out some criteria for trustworthiness of a certifier, but they are all in ranges of reliability.

The signature creation data were, at the time of signing, under the control of the signatory and of no other person. How can a person seeking to avoid repudiation by the signatory prove that? How effective is the 'control'? Does the signatory know if his or her system has been hacked? Access to the mathematically secure system is usually by user-ID and password, much more vulnerable methods than the signatures themselves.

The last two conditions, about detectability of alterations to the signature or the signed information, are 'easier' to satisfy, if one has a good hashing method.

A lawyer might question the 'technical definition' on its use of the word 'assurance'. How sure does one have to be before one has assurance? The question is similar to that posed to legal duties to 'ensure' that something happens. How sure must one be before one has 'ensured' something? (Ultimately for legal purposes it is a judge who has to be sure, or who has to be persuaded that the degree of assurance attained was reasonable.) Information security systems are frequently expressed as attaining particular levels of assurance, which is to say that some assertions are more sure than others. This is not surprising or problematic, except when one uses terminology that suggests certainty.

Thus when faced with a 'technical' assertion of non-repudiation based on the presence of an NR-bit, one might respond, 'I did not create that bit', or 'The bit did not come from my machine', or 'I was not using my machine at the time', or 'I did not know that my machine would create that bit'. The presence of the bit does not deal with any of these challenges.

Some statutes went down that path for a while too. Utah's Digital Signature Act (1995) was a pioneer. It provided that the use of a digital signature from an approved system created a presumption that the person identified in a certificate as associated with that signature intended to be bound by the document (s. 46-3-401(3)). This presumption drew criticism on the ground that many computer users would not know if their system was working well, and might lose control of it. The nightmare headline: 'grandma chooses weak password, loses house'. The Utah statute was later repealed in favour of the less demanding but more flexible Electronic Transactions Act.

Legal challenges

Looking back to RFC 4949, the definition of legal non-repudiation 'refers to how well possession or control of the private signature key can be established.' This sounds like a sliding scale, and so it is. Some systems and configurations establish the control of the signing system better than others. Some cases will have better evidence than others.

However, there is a lot more going on in any attempt to give legal effect to information (say a document) than this. There are many grounds on which people may repudiate the alleged legal consequences of a document that appears to bear their signature or otherwise to be attributed to them – or even if attribution is admitted or proved. Some go to the creation itself, some to the consequences. Consider these examples:

• I did not intend the legal consequences of creating that NR-bit (or that document)
• I was not of full legal capacity at the time;
  • I was under age
  • I was drunk
  • I was mentally incapable of forming a legal relationship
• I was under duress
• The legal consequences of the document are not as alleged
• Some other law (Consumer protection? Form requirements?) invalidates the document
• The transaction is illegal and thus unenforceable
• I made a mistake of law
• I made a mistake of fact.

No technical information, no functional requirement can put a text beyond repudiation. Just as the form of a signature tells you almost nothing about its legal effect, so too the technicalities of its creation or the creation of the text do not produce any automatic legal result. And the reverse is also true: one never has to have 'non-repudiation' in order to get one's evidence of attribution or of effect believed. One needs to persuade a court on a balance of probabilities, or perhaps beyond a reasonable doubt, but those are matters of judgment, not of compliance with a technical standard. And even finding technical compliance requires judgment.

Non-repudiation is a matter of degree. Are some methods of attribution better than others? Of course. Are some compilations of evidence of capacity, intention and action likely to persuade a court that the purported author of a document did create it, send it, receive it, or even be bound by its content? Certainly. But only in hindsight can one say that the document could not be repudiated, because a court has so held. Non-repudiation is not a characteristic that can be built in from the outset; it is not a characteristic at all, it is a goal, a result.

The RFC mentioned earlier has absorbed that note of caution. In what it calls a 'tutorial', it says this:

Non-repudiation service does not prevent an entity from repudiating a communication. Instead, the service provides evidence that can be stored and later presented to a third party to resolve disputes that arise if and when a communication is repudiated by one of the entities involved.

One wonders in the face of this lesson why such an absolute word continues to be used. But one sees the term used to this day. See this security device from Spyrus that 'offers enhanced confidentiality, integrity, and nonrepudiation'. (page 2) Can the non-repudiation be 'enhanced'? If so, what does it mean?

Conclusion

Authentication, confidence and security are all matters of degree. One never has them 100 percent; one has more or less of them, and one needs more or less of them for different purposes. Non-repudiation, while like them in practice, has the disadvantage of being framed as an absolute, and its form often tempts people to use it as an absolute, a characteristic one has or does not have. In this usage, non-repudiation is a myth, and too misleading to leave in lawyers' or engineers' vocabulary.

[The end of this article links to some other useful sources on the topic.]

As the blog entry (by a noted electronic security expert) points out, while consumers have traditionally been protected in dealings with their banks (so the banks have devised a number of security measures to protect against loss), business clients have not had that protection; so banks may not have put in place equivalent security. This case may change that practice.

Is the situation the same in Canada with respect to the usual allocation of risk between bank and customer, whether consumer or business customer? Would a Canadian bank generally be liable in a situation like that of the Patco case?

I know that at least some Canadian banks use two-level authentication, at least for transactions from unknown computers (i.e. they ask a security question as well as for the password and card access number). Some provide extra security software that the customer can download. So even if the bank would ‘normally’ be liable for negligence towards a commercial customer, it may be that standard Canadian business banking practices would be thought not to be negligent.

An article in the July 2012 issue of American Banker expresses concern about the impact of the ruling on small banks that are said to be unable to afford good security. Besides wondering if they are then too small to deserve to stay in business in these days of online banking, one wonders if Canada has any banks that small. Perhaps not.

Is there a manageable way to express the appropriate balance of risks between a bank and its business customer? Both sides need to be careful. What’s the reasonable allocation? Does it matter which party is better able to (afford to) provide preventive measures?

To what extent is it fair to allow banks to allocate the risk to the customer by contract?

Will the picture change with mobile banking? Is there anything in the Canadian Payments Association mobile banking proposals of May 2012 that affects this balance? (The Globe and Mail yesterday had a prominent story on how mobile banking is coming to Canada this year.) Is the different level of security of smart phones (generally not as good as a desktop or even laptop, with the probable exception of the BlackBerry) going to affect banking or business practices, or their legal liabilities?

What will you tell your clients as a result of this case, or these banking developments, if anything?

Ontario law, and most other Canadian common law at least, requires that the person making the affidavit must be "in the presence of" the person commissioning it (notary, lawyer, commissioner for taking affidavits). See Commissioner for Taking Affidavits Act (Ontario) s. 9.

Question: Is one sufficiently "in the presence" of the commissioner if the commissioner can see and hear the affiant/deponent by video link or by videophone link as with Skype video?

Affidavits taken by telephone alone (i.e. voice connection) have been held in a New York court not to have been properly done.

Consider also the language of s. 138 of the Criminal Code of Canada:

Every one who

(a) signs a writing that purports to be an affidavit or statutory declaration and to have been sworn or declared before him when the writing was not so sworn or declared …

is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years

So: not just "presence" but "before him" [no doubt 'or her'] – how virtual may that be?

Second question: If you believe that a video appearance is not sufficient to support commissioning, should it be? Are there safeguards required, and do we want to start fine tuning a well-known requirement to adapt it to the electronic age?

Implementation question: How well would the commissioner have to be able to see the document signed by the affiant in order to know that what he/she later got on his/her desk for commissioning was the same document?

Question for advanced students: what difference would or should it make if the affiant and the commissioner were in different jurisdictions? Would it matter in which jurisdiction the affidavit was to be used?

That decision had held that Tucows.com could bring an action for a declaration of its rights to a domain name in an Ontario court, on the ground that the dispute involved "real or personal property located in Ontario". In this case, Tucows.com was the registrar and the owner of the domain name Renner. com. The other party was a Brazilian company that owned the trade mark 'Renner' (though not apparently in Canada.)

The Court of Appeal had to consider a number of issues to come to its conclusion. It strikes me as well written and well controlled. It dealt with the relationship between a local lawsuit and a proceeding under the WTO's UDRP (since Renner had started a UDRP proceeding before Tucows' action in Ontario)(para 26 – 31), the nature of a licence as property (para 41 – 66), the application of the rules of jurisdiction in a declaratory action (para 34 – 35), and others.

The Court went to first principles about what 'property' is – a number of relationships about which the law will support claims. Which relationships and which claims are discussed in the judgment.

It also decided that when the domain name registrant and the registrar were in Ontario, the property in the name were in Ontario, at least for the purpose of supporting an action under the Ontario rules.(para 67 – 72)

Presumably the decision of the Supreme Court of Canada not to give leave is a strong indication that this reasoning is valid across the country, at least on the property issue and at least in common-law jurisdictions. How the rules of practice may vary is a different question, though the Ontario CA did deal with higher-level issues like 'real and substantial connection' (para 73) as well as with the wording of Ontario's rules.

Does this sound right to you? Does it change the advice you might give to a client about a domain name, and if so, how? Is a dispute in Quebec likely to come to a different conclusion on the property question?

The bill does three things:

i) It repeals the exclusion of land transfers from the E-Commerce Act (paragraph 31(1)(d) of the Act, s. 2 of the Bill).

ii) It requires for a land transfer that is electronically signed, that

in light of all the circumstances, including any relevant agreement, the purpose for which the document is created and the time the electronic signature is made,

(a) the electronic signature is reliable for the purpose of identifying the person; and

(b) the association of the electronic signature with the relevant electronic document is reliable.

It does so by requiring that s. 11(3) of the Electronic Commerce Act (whose text is quoted) applies to these documents. (Bill s. 1)

iii) It removes the exclusion of documents of title from the E-Commerce Act (by s. 2(2) of the Bill).

The Uniform Law Conference last August amended the Uniform Electronic Commerce Act to remove the exclusion of land transfers. In other words, item (i) above is consistent with the action of the ULCC.

What do you think of the other two provisions?