The Paris court of appeals has decided that a suggested search query generated by the Google Suggest function defamed the company whose name was first entered into the search box. This feature works by displaying the most popular searches performed by other Google searchers associated with the text typed into the search box. So Google doesn’t decide what is displayed; its machines just count and show.

Turns out that one of the most popular associations with the name of the plaintiff company was ‘escroc’, which in French means crook or swindler.

Is this a kind of ‘crowd-sourced’ defamation? What can Google or any search engine realistically do about it? Can the company program its suggestion feature to avoid any words in any language that may have a defamatory meaning? (I guess defamation by context or innuendo may be harder to demonstrate in this process.)

Would it be defamatory if a search for Company X turned up, as an ‘auto-suggest’, CompanyXSucks.com?

The damages were pretty stiff, it seems to me – 50,000 euros.

So: is there a problem here, in your view? Would Canadian law produce the same result? How would you advise your client, the search engine? What about your client Company X, in my hypothetical?

The EU privacy directive (1995 version – I gather that it is being revised, though I don't know on what timetable) provides that member countries may not release personal information outside the EU unless the recipients are bound by equivalent safeguards for privacy.

While the US has a 'safe harbor' agreement with the EU about criteria for judging when the protections are equivalent, Canada does not. On the other hand, we have a generally applicable privacy law (PIPEDA) and some provincial equivalents, plus personal health information laws in most provinces. Are they enough to permit the personal information to come here, or are there problems?

I think for example of a provision like Article 8 of the Directive, about processing of 'special categories of data', like heath care data. This is not to be released without consent of the individual concerned. However, there is an exception for data released for diagnostic or health care reasons, if the person to whom the PI is released is subject to safeguards under the applicable law. (Arrticle 8(3))

Are the provincial health information protection acts (I think of the Personal Health Information Protection Act in Ontario, but most provinces have them, as noted) considered adequate protection for such disclosure from the EU? If there is no official EU-level pronouncement on the topic, have you or your clients run into any problems in getting information transferred from EU countries that would rely on this legislation for authority? Do the transferors (or their lawyers) distinguish between PIPEDA and the specific obligations of the provincial laws in discussing such transfers?

In short, how is this working in practice, given the variety of EU laws implementing the Directive and the variety of laws that apply to the potential recipients?

Are any of the likely revisions to the Directive going to affect operations on this practical level, or are they just aimed at updating for new technology or practices, like data storage in the cloud?

'Tis the season for law firms (and no doubt others) to send out season's greetings by email, most often accompanied by the usual wordy and sometimes bilingual notices that the content of the email may be confidential, privileged and subject to diverse prohibitions that we are more or less politely admonished to comply with.

Here's a typical, though polite, version (French omitted):

CONFIDENTIALITY NOTICE: The contents of this electronic mail message are confidential and strictly reserved for the sole use of its intended recipients. This message may contain information protected by the solicitor-client privilege. If you receive this message in error, please notify the sender immediately and delete the original message as well as all copies. Any disclosure, copying, distribution or reliance on the contents of the information is strictly prohibited. Thank you.

This year I have seen one that despite its economy of expression has an element that's new to me: a copyright claim. It's in an email whose subject line is "Happy Holidays from Your Friends at [Big Law firm]" and besides the medium-tech 'e-card' to which it links, its only content is this (I omit the French):

"This e-mail message is privileged, confidential and subject to copyright. Any unauthorized use or disclosure is prohibited."

The usual question arises whether it is helpful to claim privilege in something that is clearly not privileged, or whether that undermines one's assertion of privilege when the content really is privileged.

The new question, for me, is why one asserts copyright. Copyright arises automatically in our law, though possibly protecting it internationally would be helped by an assertion – but doesn't the Berne Convention require the use of © to do that, and a date?

Is the idea to prevent recipients from borrowing/pirating/emulating the firm's finely honed expression of its legal work (assuming charitably that it did not insert the copyright claim solely into its holiday greetings)? Given the amount of borrowing from long-standing and widely-distributed precedents in legal drafting, does that really hold water anyway? I suppose emails are not usually drafted using the forms books…

Is it an attempt to prevent people from posting online cease-and-desist notices that law firms send out to people who their clients think have defamed them? It is becoming common for such letters to show up on the recipients' web sites, partly to expose what the recipients perceive as bullying, and partly to laugh at the pomposity of some of the writers. (Drafters of such letters, take note.)

Is there a new problem that this new notice is aimed at resolving, or is it just another cautionary note from a profession that is good at detecting risk and trying to avert it? Or is it a bit of overkill?

We read from time to time that Internet defamation is worse than that in other media because of its global reach and persistence over time. Thus the Ontario Court of Appeal in Barrick v Lopehandia 2004 CanLII 12938 issued an injunction against further defamation, in part because of the Internet’s character as “potentially a medium of virtually limitless international defamation” (the Court quoted Matthew Collins, The Law of Defamation and the Internet.) The court (by majority) also increased fivefold the damages awarded at trial, for similar reasons.

Recently the British Columbia Supreme Court granted ex parte injunctions against publication of defamatory material. Nazerali v Mitchell 2011 BCSC 1581 (CanLII) (and against any transfer of domains or material that might facilitate the spread of the libel). See a comment on the case here.

On the other hand, the Ontario Superior Court recently held in Baglow v Smith 2011 ONSC 5131 (CanLII) that comments on a blog should not necessarily give rise to a claim in defamation, when the person alleging defamation has a right of reply in the same blog. The readers are expecting a reply, not a lawsuit, said the Court. It was not appropriate for a participant in a comment thread to go off to court, dropping out of the debate. One can ‘remove the sting’ by responding. The judgment quotes Justice Binnie in the SCC’s WIC Radio decision on fair comment, that public controversy can be a rough trade, and the law needs to accommodate its requirements.

Are the rules about what one can or should say online different from those that apply in print? Should one be compelled to defend oneself online? Are insults less defamatory there (here)?

The British Columbia Supreme Court has recently given judgment for Century 21 Real Estate company against a company (affiliated with Rogers Communications) that scraped real estate listing information from the Century 21 sites and repackaged it on its own site: Century 21 v Rogers Communications 2011 BC 1196 .

The court thoroughly reviewed US and Canadian law on the topic and recited a number of factors that might support a finding that a ‘browsewrap’ contract (i.e. one that did not depend on any active assent to its terms, but that operated by mere use of the web site) would be enforceable. The list is much like that generated by US courts in similar cases, and summarized in a very useful article in The Business Lawyer in 2003.^*

A similar result was given in Quebec on similar facts inCanadian Real Estate Association v Sutton Realty2003 CanLII 22519 (QC CS). (The decision was cited in the BC case.)

It seems to me that the common element of almost all the US cases and all the Canadian cases where a browsewrap ‘contract’ has been upheld is that the defendant was doing something that was obviously illicit, namely taking content from a website in order to use it in competition with the owner of the source website. Courts just don’t take kindly to that, and if they have to invent an agreement to shut it down, they will. It’s what the French courts would call ‘parasitism’, which is an extra-statutory remedy they have devised for activity they don’t like where someone is profiting from somebody else’s efforts in a way not foreseen by the Code of Intellectual Property.

The plaintiff in the BC case also won on a copyright argument. It did not persuade the court, however, that Rogers had committed ‘trespass to chattels’. The court was not prepared to import that notion into BC law, at least not on the facts in the case.

Do you find the result acceptable? The reasoning? Would it be better for courts not to invent contracts in such circumstances and find some kind of unjust enrichment or other equitable remedy for the behaviour to be sanctioned?

(I find it somehow satisfying that Rogers lost this one, given that company’s ‘success’ in arguing (in Kanitz v Rogers Cable Inc  2002 CanLII 49415 (ON SC) also cited in the BC case) that its customers had to live with the way the web worked, and burying a notice of a change in a contract five levels deep on a website was perfectly acceptable commercial dealing. Rogers won that one in an Ontario court, but lost it in the legislature when the type of change they made was banned in the (then) new Consumer Protection Act, 2002.)

___________________________________

* C. Kunz, J, Ottaviani, E. Ziff, J. Moringiello, K. Porter and J. DeBrow, “Browse-Wrap Agreements: Validity of Implied Assent in Electronic Form Agreements”, 59 The Business Lawyer 279 (2003)

[hat tip: Blakes Bulletin]

A U.S. court has decided that a bank whose client lost money because someone hacked into its account and transferred funds out of it, was not liable to the client because the bank had used ‘commercially reasonable’ security. The case is described on the Goodwin Proctor website. The lengthy decision of the Judge Magistrate in Patco Construction v People’s Bank, later upheld, is available online. .

Is this the right standard of care for negligence? Does it matter that the bank is regulated strictly under the Bank Act? Does it matter that the U.S. bank could rely on Article 4A of the Uniform Commercial Code (on electronic funds transfers), which has no equivalent in Canada?

‘Commercially reasonable’ security clearly does not mean unbreakable security. How else should one draw the line to set a fair allocation of risk between bank and client?

Canadian and American courts (and others) have been making pronouncements about the reliability of electronic documents for various purposes, not all of them equally persuasive, and the Canadian ones more sceptical than the American courts — perhaps only because of the facts before them.

Comments welcome on any of these cases: were they rightly decided? Do they suggest gaps in legislation?

1. In Waterloo (City) v. Townsend (Ontario Small Claims Court April 26/11), the Deputy Judge, J.Sebastian Winny (i.e. practitioner acting as judge), refused an application to serve documents on a defendant by email. Here is the relevant extract from the reasons:

From a reliability standpoint, email is in an entirely different and inferior category [to regular mail]. Many people have multiple email addresses, which may or may not be checked with any particular regularity, and may be checked only when the individual accesses a specific electronic device. Many people read only email from recognized senders. Most computers have virus and spam protection which may be triggered by attachments or by the mere fact that the sender’s address is not recognized. Incoming emails may be diverted to a junk email folder which may never be read simply by virtue of the volume of junk. Email accounts may be deleted from time to time, or even automatically deleted by reason of inactivity, without notice to potential senders of emails. I could go on.

As for attachments, again these are in a different and inferior category compared to paper documents. Attachments may or may not open, and may or may not open in the same format as was transmitted by the sender or in a legible or intelligible format. These are matters of software and device compatibility.

The affidavit evidence in this case, as in similar motions I have seen, is silent on these issues. That means that on a mechanical level, there is no evidence that if the order requested were granted, the defendant would be able or likely to receive, open and read the emailed document. The moving plaintiff effectively asks the court for leave to press send and hope for the best.

Whether I approach the analysis with or without reference to my own knowledge of email apart from the evidence, the result is the same.

[case noted in the IT.Can newsletter for May 5, 2011 at page 3 and in Laws of .com May 2011]

2. Similarly, the BC Court of Appeal declined to admit email evidence of negotiations between an insurance company and the insured about the time limit of coverage under an employer’s policy. In McGarry v. Co-operators Life Insurance Co., 2011 BCCA 214 (CanLII), the Court held that there was no evidence on the authenticity of the emails tendered, since there was no statutory support in BC for rules of authentication, unlike the case in other provinces,

There is no evidence in the record which is capable of establishing the authenticity of the emails as that issue was not addressed at the summary trial. Therefore, the issue cannot be resolved on appellate review and the admissibility of the email from BBD to Mr. Hewitt (exhibit C) and the email exchange discussing the COLA provision amendment (exhibit G) cannot be determined. (para.77)

The language of the court is a bit odd on the need for authentication. Here is the preceding paragraph:

Authenticity is a concern addressed by the statutes of other provinces when dealing with electronic records and while there is no statutory requirement in this province to consider authenticity, it is a legitimate concern that should be addressed in determining whether an electronic document is sufficiently reliable to be admitted under s. 42.

I would have thought it was very basic evidence law that any document needs to be screened for authentication and hearsay, as well as satisfying the best evidence rule. The Uniform Electronic Evidence Act says how to apply the ‘best evidence’ rule (which normally requires an original document, or a good explanation for the absence of the original) to electronic documents. The Court was right that BC has not adopted it, as have many other jurisdictions. The Court was wrong in saying that the Canada Evidence Act does not touch the subject, though. Section 31.1 of the CEA is almost the same as the Manitoba statute quoted by the Court.

In any event the Court was correct in finding that foundation evidence for authenticity was needed, though if the evidence is not in dispute, then very little evidence is actually needed for the purpose — only evidence on which a trier of fact can find that the document is what it purports to be. Oral evidence under oath by the sender of the email that the printouts submitted as evidence are printouts of emails that were sent to the insurer, or received from the insurer, would be sufficient, unless challenged. Fortunately the case did not turn on the emails one way or the other.

[case also noted in the IT.Can bulletin of May 5/11 at page 1]

3. A Massachusetts court faced a challenge to the authenticity, or at least authorship, of emails in a prosecution for keeping a bawdy house. In Commonwealth v. Purdy, 2011 WL 1421367 (Mass.; Apr. 15, 2011). The defendant admitted that the emails came from his computer but said that someone else might have sent them. The court said this about emails:

While emails and other forms of electronic communication present their own opportunities for false claims of authorship, the basic principles of authentication are the same. Evidence that the defendant's name is written as the author of an email or that the electronic communication originates from an email or a social networking website such as Facebook or MySpace that bears the defendant's name is not sufficient alone to authenticate the electronic communication as having been authored or sent by the defendant. There must be some "confirming circumstances" sufficient for a reasonable jury to find by a preponderance of the evidence that the defendant authored the emails.

The court found that there was enough other evidence in this case for the question to go to the jury. (Emphasis added. Is this the law in Canada?)

[case noted by Venkat in Eric Goldman’s blog on May 21, 2011. h/t Barry Sookman]

4. An Arkansas court had to deal with the basics lately: may electronic communications satisfy a statutory writing requirement? In Barwick v. Government Employee Insurance Co., Inc., 2011 Ark. 128 (March 31, 2011), the court properly held that the state’s version of the Uniform Electronic Transactions Act disposed of the question in the affirmative. The court’s inquiry was probably made easier by the fact that the person who had completed an application for insurance online tried to say that her waiver of extra liability coverage was invalid because not ‘in writing’, while trying to affirm the insurance coverage itself. Not a sympathetic party, in other words. The court did not have to get to the estoppel argument because the ‘not in writing’ argument failed so completely.

[case discussed by John Ottoviani in Eric Goldman’s blog on May 26, 2011. h/t Barry Sookman]

5. Speaking of authenticating social media, and in the light of the current controversy about identifying participants in the Vancouver riots after the Stanley Cup final last week by that means, a Swiss court recently convicted someone of 'insult' through her posts on Facebook. The person had an account in her own name and admitted the posting (for which she apologized, with no effect on her criminal liability.) Others who had been more effusive against the ‘victim’ (who had complained about the noise of parties in which the insulters had participated) had used false identities or had put ‘emoticons’ (the write-up does not say which ones) after their threats and had not been charged. The authorities had not gone to the social media companies to try to find out the identities of the posters who did not self-identify. Apparently calling someone an idiot (or the popular Swiss German equivalent) on Facebook is a crime in Switzerland. (It’s such a polite country.)

[case discussed by the firm Wengner Plattner on the International Law Office IT newsletter on June 21, 2011.

Is the legal world unfolding as it should, to the extent that these cases are evidence?

A group of US politicians are concerned that the President has not properly signed a law, a step described in the US Constitution, if his signature is applied to the relevant piece of paper by an auto-pen — whether or not the President authorized the application of the pen (being out of the country when the bill came up for signature, and things being rather urgent.)

Do you think this is right? I think it’s ludicrous, myself. My signature can be made by anyone I authorize to make it — or by a machine. Signatures made for me by other people or by machines may present problems of proof but not problems of *being* my signature or of the document being signed *by* me. A signature is just evidence of a link between a person (or some kind of legal entity) and a document. The purpose of the link or its legal effect cannot be determined by the form of the signature, whether handwritten, mechanical, or electronic, but only by the content and context of the signed document, or extrinsic evidence.

I suspect that some of the not-so-learned members of Congress have been in office long enough to have received their pay by mechanically signed cheques (no doubt spelled checks) and they just cashed them, rather than insisting that they be hand-signed.

Perhaps it is just possible that this expression of concern was motivated less by constitutionally founded doubt than by a desire to embarrass the President. That does not change the legal merits of the argument.

The President's action was founded on a legal opinion done under President G.W. Bush in 2005, which in turn goes back to legal opinions from the early 19th century and case law back to Coke.

Would it be any different if the President had signed with the ‘long pen’, which transmits his actual hand motion of signing to a stylus marking a piece of paper at a distance?

[hat tip: Wise Law Blog]

One of the interesting elements of Google’s StreetView program was that its camera crews picked up and recorded the location of wireless hotspots that were not secured. This information was not, so far as I recall, published by Google, but its collection made some news. It seems to me, however, that one hears less often about ‘war-driving’ and other forms of cruising about looking for unsecured wireless signals in order to piggyback onto the Internet with them. Is that because there are so many public wireless access spots available nowadays, or because broadband access has become so cheap that one doesn’t have to go to the trouble of looking for someone else’s hotspot, or because more people are securing their home signals?

One also hears of these borrowed signals being used for illicit purposes: online gambling, spamming, downloading copyrighted materials, accessing child pornography, etc. (I don’t say ‘stolen’ signals because it’s not clear that there is any theft involved. Consider the issue of exclusory vs non-exclusory taking of an intangible. If I use your broadband signal, I probably don’t deprive you of anything – though if I take so much that you run into your billing cap, the analysis might change. On the other hand maybe the activity is contrary to the Criminal Code’s prohibition on unauthorized access to a computer system, even if the unauthorized user does not look at the contents of the router owner’s computer.)

Would it be a step in the right direction if broadband routers were required to be sold with security enabled, rather than counting on their purchasers to take the time and trouble to set up a secured signal? Would that help prevent illicit use of the signals – and I don’t mean just the use without permission, but the use in actual unlawful communications activity such as mentioned above? Or would that be too much of a technical burden on unsophisticated buyers who would not know how to make their computers talk to their new router or vice versa?

Would that make sense as a free-standing harm-prevention measure or would it be better in a package of Internet security provisions that could require, for example, default security settings on browsers or on hardware as well? Is there other IT security that should be a matter of legal obligation?

I know that privacy law requires personal information to be kept secure, whether or not it’s in electronic form, and as a practical consequence of this duty, privacy commissioners want personal information on mobile devices to be encrypted. Is there something else?

And there’s the usual Canadian question: would such a measure or set of measures be a matter for federal or provincial jurisdiction?

In short: are unsecured wireless routers a problem, and would a ‘sell routers with security turned on’ law help resolve it?

The Ontario Superior Court recently released a judgment about recovering domain names, South Simcoe Railway Heritage Corporation v. Wakeford 2011 ONSC 1234, in this case a .com name rather than .ca domain name.

Someone who had been active in a voluntary organization registered a domain name for the organization and later transferred it into his own name. He also changed all the registration information settings to private so no one, including the organization, could track who was responsible for the site.

The plaintiff organization brought actions in ‘detinue sur trover’ (a new cause of action for me after all these years, though I had heard of each of the components), wrongful conversion, misappropriation of intellectual property rights, and breach of trust. The first three failed because they were out of time. The Court went through what the plaintiff knew when, and thus when it had knowledge of a complete cause of action that started time running.

However, the limitation period applicable to breach of trust was less clear and needed a trial of issues of mixed fact and law.

What other legal means do you use to get back a domain name (recognizing that you would not miss a limitation period…)?

The court finished on a note that is mysterious to me. It refers to the ICANN Uniform Domain-Name Dispute-Resolution Policy that applies to .com names. Apparently the defendant argued that the existence of the UDRP ousted the jurisdiction of the Superior Court. My understanding of the UDRP is that it does not do so. However, the court refers to a statute – maybe the judge thought that the URDP had statutory backing. If this text makes sense to you, perhaps you can explain it [at para. 24]:

Although this was not part of the moving party’s motion, the final point argued by the parties was whether this court has jurisdiction to grant the declaration sought in the claim with respect to ownership of the domain name and the intellectual property rights, as well as a mandatory order directing the defendants to convey the domain name to the plaintiffs. While the plaintiff may be correct that this claim is not within the jurisdiction of the Uniform Domain Name Dispute Resolution Policy prescribed by the Internet Corporation for Assigned Names and Numbers, this court is not convinced that this aspect of the claim should be dismissed for want of jurisdiction pursuant to rule 21.01(3)(a). The actions of the defendants may have to be measured in relation to that statute, to which this court was not referred, that governs the ownership of domain names if such legislation exists. It may be that proprietary rights in a domain name, like copyright and trademark, is a creature of statute as opposed to tort and property law, but the appropriate material was not placed before this court to make a determination of the question at issue.

In particular, it is not true to say, is it, that "proprietary rights in a domain name, like copyright and trademark, is [sic] a creature of statute as opposed to tort and property law"?

[hat tip: Tim Rattenbury]

As mentioned earlier this month on Slaw, the UNCITRAL Secretariat has published WP.107 for its meeting next month, setting out the first draft of a set of rules for procedure in online dispute resolution (ODR). That document is available online. With the same link you will find the report of the first meeting of the Working Group on ODR, from December 2010, to see how the group got to where it is now.

The principle of the draft rules is that they should apply readily to low-cost, high-volume disputes, so they should be simple and accessible and allow for cheap fast resolutions. For this purpose the commentary asks if their application should be limited to certain kinds of dispute (“simple fact-based disputes and basic remedies”), or should have certain kinds of dispute excluded from their scope (e.g. personal injury, intellectual property, taxation, privacy).

While the rules would apply to online transactions, would it be necessary to restrict the dispute resolution processes to those conducted online too? Some basic rules about sending and receiving e-messages may be included in the rules, or those considerations could be left for other law (like UNCITRAL’s Electronic Communications Convention) or left to ODR providers to prescribe for proceedings that they facilitate.

Essentially the rules provide for a negotiation or consultation stage, a mediation stage and a decision-making stage. It is hoped that most disputes would be resolved early. They set out what the notice of dispute is to include, including of course the grounds for the dispute and any suggested resolution, and what the response should have, including any other solutions.

After a time (should there be a time limit?), a neutral facilitator is appointed under the rules. That person represents in accepting appointment that he or she has enough time available to do a good job. The need for speed might have this person serve as arbitrator as well, if the facilitation/mediation did not succeed. Details of procedure, evidence and production of the award are left to the parties or the neutral, though a tight time limit would likely be imposed on the award itself.

The paper raises the possibility of consolidating like claims. That could make for an equivalent to a mediated class action. Is that an attractive prospect?

What do you think? Is this going in a useful direction? Do you have answers to any of the questions here, most of which are from the Secretariat, or to any of the other questions raised in the text of WP.107? It would be helpful to more than one delegation to the Working Group to have your views.

The report notes that the procedural rules will probably not be the only product of the Working Group. A set of “guidelines for ODR providers” will deal in more detail with setting up an ODR platform and making it work. The WG will discuss these guidelines at future meetings, as nothing has yet been drafted.

Note as well that the Secretariat has assembled a number of online (and other) resources about ODR, including existing systems’ rules and principles, and proposals for new systems.

A number of Facebook users in Quebec tried to begin a class action against FB for alleged infringements on their privacy. A Quebec court has now refused certification as a class action and dismissed the case: St Arnaud c. Facebook Inc. 2011 QCCS 1506.

One ground for dismissal was that FB users sign an agreement that all disputes must be adjudicated in Santa Clara County, California.

A more interesting element of the decision was that the 'contract' with FB was not a consumer contract within the meaning of Quebec law, since there was no payment and no obligation on the users, who could quit at any time without financial consequence.

A brief writeup of the case (en français) is here.

Would a court in common-law Canada have any difficulty arriving at the same result? Quebec’s consumer protection laws, and laws protecting the jurisdiction of Quebec courts to hear cases involving local consumers, are as strong as or stronger than any others in the country. If it won’t fly in Quebec, it seems not likely to have wings elsewhere in the country. Do you agree?

Complaints to privacy commissioners have made more mileage, but they don’t allow the complainants to dip their buckets into FB’s deep and wide revenue stream the way a successful class action might …

We have mentioned before the recent work of the United Nations Commission on International Trade Law on online dispute resolution (ODR) and a colloquium held to review the potential future work of UNCITRAL on e-commerce issues.

ODR

The UNCITRAL Secretariat has produced a working paper for the meeting next month of the ODR Working Group. Working Paper 107 is a draft set of procedural rules that might apply to ODR processes. Along with it, you'll find WP.106, the provisional agenda for that meeting.

Will this work? Is it likely to be useful? Or is it too high-level to provide real instruction for businesses or consumers looking to resolve their disputes online across national borders? Is there anything in the draft that would be particularly helpful or harmful to Canadians who want to engage in ODR?

Future work in e-commerce

The colloquium held in New York in February of this year looked at several topics that be dealt with productively at the international level: identity management, mobile e-commerce, transferable electronic records and ‘single window’ systems for border crossing or shipping documents. The Secretariat has now produced a report of the discussions at the colloquium, in two parts: Documents A/CN.9/716 and A/CN.9/716 Add. 1. They are available as documents in preparation for the 2011 annual meeting of the Commission.

Does this report cover the main issues relating to these topics? Does it suggest that one or more of the topics are more ripe for international guidance or lawmaking than the others? What should UNCITRAL’s priority be?

(The documents and slide presentations for the colloquium itself are collected here: http://www.uncitral.org/uncitral/en/commission/colloquia/electronic-commerce-2010.html.)

The European Union has begun a public consultation on online authentication in the context of its review of its Electronic Signature Directive of 1999.

An early assertion in the press release is this: “difficulties in verifying people's identities and signatures are a significant factor holding back the development of the EU's online economy.”

Is this true, in your view or in your experience? How often is identification of the other party to a transaction, or authentication of an identity one already knows, a concern, compared to, for example, the solvency of the party, the quality of the goods offered, the reliability of the services offered, or the availability of a remedy if something goes wrong?

For B2C e-commerce, most of the useful authentication is done through credit cards. The issuers of the cards provide all the authentication needed. In North America, the ability to charge back to the merchant the amounts paid on a failed transaction is a useful consumer remedy. That practice is not widely available elsewhere in the world.

I suspect, but would welcome knowledgeable input, that B2B transactions have means of authenticating that work in practice, but have the issues mentioned above without the credit card remedy.

I had thought that the review of the E-Signature Directive was prompted by a widespread failure to follow it, in that its ‘advanced electronic signature’ was not being much used, because it’s too complicated. It is easier in practice and for legal purposes to prove who one is dealing with (i.e. to authenticate) than it is to prove that one has complied with the technological standards required to qualify as an advanced electronic signature.

An additional problem is that qualifying as an AES only gets you to being the equivalent of a handwritten signature, i.e. there is no presumption of identification or of consent of the party that has created the AES. (By contrast the statute and regulations about Canada’s secure electronic signatures give a presumption of attribution and of admissibility as evidence to the signed document.)

How important is this consultation? Is it more important to make the AES rule more flexible than to worry about large scale authentication?

I can see an argument that communications with the public sector – in either direction – may have more demanding authentication rules. Would you agree with that?

The European Union has been thinking about the disharmony of its consumer laws and the disincentive that this can pose to cross-border commerce, particularly e-commerce. This disincentive may be greater because the Rome Treaty requires that consumer disputes be resolved in the courts of the consumer’s residence according to the law of that place. B2C e-commerce among EU countries is not expanding along with domestic B2C e-commerce.

The EU has come up with a proposal to have a ‘28th law’ (in addition to the law of the 27 member states), being a common consumer law that could be opted into by parties to a transaction. There’s a a description on OutLaw.com.

This is consistent with some discussion at the UNCITRAL Working Group on Online Dispute Resolution (ODR) in December, which focused on resolving disputes over high-volume, low-value transactions. It was thought that having a common, simply stated and short set of rules might cover and help resolve a big majority of B2C disputes. A large number of B2C disputes involve only a small number of scenarios: goods not delivered, goods not paid for, goods broken or otherwise unsuitable … points on which most legal systems will produce very similar results.

The report of the UNCITRAL December meeting is here (and if that doesn’t work, go through here). Future work (para 115) includes “describing substantive legal principles, including equitable principles, for deciding cases and making awards”.

A German panellist at the UNCITRAL colloquium on ODR last March described the common standard as a ‘blue button’ approach, meaning that a merchant’s web site could have an icon or button in EU-blue, clicking on which would amount to a choice of this common set of legal rules rather than the national law of either party. (That might require law reform to permit a consumer to make such a choice effectively.) A report of the colloquium is here (or via the 2010 Commission documents, Doc A/CN.9/706). The description is at para 16.

The UK government has now come out against any such common standard, finding it confusing and not helpful. (The UK did not have a delegate at the ODR Working Group meeting, as I recall.) See OutLaw.com for the story and for the official response. (The British call the proposal one for the “29th law”, since with Scottish civil law and English and Welsh common law, they have two of their own.)

What do you think? Is it reasonable to expect people to be able to come up with a simple, fair, consumer-accessible statement of law that might apply to all online contracts, or at least consumer contracts – worldwide?

Would it be good enough if that ‘law’ could resolve 75% or 80% of disputes, leaving the rest either unresolved or to a heavier procedural process (which probably amounts to leaving them unresolved, given the low value of most such transactions)?

And for advanced students (and ultimately for delegates to the Working Group): should consumers be able effectively to opt out of legal rules in their home jurisdictions (such as Quebec) that currently invalidate any provision that would prevent a consumer from having resource to his/her local courts? Or would it be acceptable to merchants to have an ODR system based on the ‘common’ legal rules that nonetheless allowed the consumer who did not like the resolution through that process to then go to his/her local courts? Maybe having a system that would get compliance most of the time would be enough of an incentive for international B2C e-commerce that having the occasional case slip out to the courts would not matter.

Is this the way forward for international ODR, or a dead end?

Bruni v. Bruni, 2010 ONSC 6568 (CanLII), a recent decision of the Superior Court of Justice in a family matter, noted (literally, in a footnote (23)):

In recent years, the evidence in family trials typically includes reams of text messages between the parties, helpfully laying bare their true characters. Assessing credibility is not nearly as difficult as it was before the use of e-mails and text messages became prolific. Parties are not shy about splattering their spleens throughout cyberspace.

Is that your experience? Does a multiplicity of informal electronic communications help or hurt assessment of credibility? Is there some risk that the ‘reams’ of messages just become confusing?

Note, however, that finding the email is not enough; it has to be admitted. The British Columbia Supreme Court gave little weight to email evidence in another family dispute, Hamilton v Jackson 2009 BCSC 538 (CanLII), because it conflicted with oral testimony in court about what had happened and what had been said about it at the time, and, as the judge said (para 17):

Neither party tendered the electronic version of the email or any metadata relating to it. As this was not done in this case, I am left with conflicting versions as to what Ms. Galloway emailed to Mr. Jackson. It is possible to alter the text of an email. Ordinarily such alteration can be detected by a forensic review or simply by viewing the metadata of the email. Given the way in which emails are created and sent, I must exercise great caution in considering what they purport to contain.

The metadata might show when the message had been sent. How easy is it to alter that kind of information after the message has been sent? Presumably this support of the integrity of the message argues in favour of getting emails in ‘native format’, i.e. in electronic form, not just a print-out.

Have you had problems finding or using email evidence? How did you resolve them, or what will you do next time?

P.S. The Bruni case is interesting for the number of personal comments, many of them very caustic, that the judge permits himself in the text and especially in the footnotes. I am not entirely sure that it is appropriate, though I have a good deal of sympathy for judges who have to sit through and decide disputes like the one(s) described in this case. I suspect that they should vent in the robing room and not in the reasons for judgment.

People have expressed concern about behavioural advertising, in which advertisers watch what one does online in order to send out ads that are likely to appeal to the person watched. A number of big online services are now developing a ‘do not track’ command to allow their users to prevent their information from being collected for that purpose.

A more interesting, and more intrusive, usage of behavioural information collected online is by insurance companies that may decide whether someone is a good risk to insure based on that information. Fans of XXX’s double-cheese-and-bacon deep-dish pizzas may find themselves having a harder time getting life insurance, or paying more for it, than fans of YYY’s brown rice or ZZZ’s aerobics.

A note on some of the legal implications in the US of this trend has been published in the ABA Cyberspace Committee’s newsletter [PDF].

Would PIPEDA be an effective block — or at least a legal impediment — to the collection and use of such information for such purposes in Canada? The information is said to come to the insurers from data aggregators. The Federal Court has held that the Privacy Commissioner of Canada has at least theoretical jurisdiction over the activity of US-based aggregators who collect information in Canada on Canadians. Is this a help?

At some level this is another manifestation of the ‘reasonable expectation of privacy’. How private does one expect that kind of information to be, and does one have to ‘expect’ data aggregation of pieces of information that are on their own harmless but when aggregated may be meaningful in prejudicial ways?

Looked at another way, it suggests that ‘personal information’ for privacy purposes is much less about substantially significant pieces of information – credit card number, medical record (though these are still important) – and more about collections of data points that can be made to be significant for different purposes.

Is PIPEDA or its provincial equivalents up to the task of dealing with these new forms of personal information? If not, how could they be adapted?

What are the pressing topics on which international law should be developed regarding electronic commerce? Are your clients running into difficulties, or areas of uncertainty, that could be resolved by a harmonized approach among our trading partners?

The United Nations Commission on International Trade Law (UNCITRAL) is asking these questions. UNCITRAL has been the source of much innovation in e-com law over the years, notably with its Model Law on Electronic Commerce (1996) [PDF] that is the basis of Canadian, American and much other law on that topic.

UNCITRAL is holding a colloquium in New York next month (Feb 14 – 16) to discuss several topics that have been proposed over the years as ripe for further collaborative development. The details can be found online. Note that the meeting is open to anyone who wants to attend, though one must register with UNCITRAL.

The four topics for particular examination are these:

• Identity management – the meeting will hear about an ABA initiative on ‘federated identity management’, an attempt to set legal standards for authentication practices and policies that can be shared among different authenticators. It’s not necessarily a public key infrastructure, but a PKI would be an example of federated ID management.
• Mobile commerce – what can’t you do on a mobile phone (‘device’) these days? In some countries you can do your banking, in most you can buy things … and people can track where you are. Lots of good legal issues.
• Transferable records – the problem has long been stated, but not yet resolved: how does one replicate electronically a document of title or negotiable instrument, where the document itself has value, when electronic documents are so readily copied. One can prevent copying by immobilizing the document – locking it down with encryption etc – but then it loses transferability. Similar functions are performed by registers of entitlement, but is there a solution on the document (or system) level?
• ‘Single window’ systems – single windows are consolidated communications portals for import/export purposes, to put through a single communications channel the information and clearances required from a multitude of authorities. The World Customs Organization is interested, and the United Nations technology body (UN/CEFACT), and in particular some Asian cooperation bodies (ASEAN, APEC). UNCITRAL has looked at the topic. A deeper look at the shared legal challenges will be part of the colloquium.

Which of these do you or your clients run into most often? Which do you think is most ready for law reform? What have they left out that should be on the agenda? Cloud computing?

If you have ideas, or would like some, you could participate in the colloquium. New York sounds like a nice place to spend Valentine’s…

A lawyer with the City of Ottawa was active in community activities, and with permission of his employer spent some time on those activities at the office. His email to and from one of the charities became the subject of an access to information request under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). He resisted disclosure of the emails on the ground that they had nothing to do with government business, the disclosure of which was the purpose of the Act.

The Information and Privacy Commissioner held in April 2009 that the emails must be disclosed: Order MO-2408 [PDF] dated April 9, 2009.

The Divisional Court has now reversed that decision, holding that MFIPPA did not extend to personal communications just because they were stored on a government computer. City of Ottawa v. Ontario, 2010 ONSC 6835. The court held that the documents were not in the custody or control of the City, even though they were on its computer. Further, subjecting personal documents (electronic or paper-based) to access requests would hurt the privacy rights of the employees.

This seems right to me. Otherwise community organizations and charities would not want public-sector directors or even volunteers if their private communications were subject to disclosure by what I think is a collateral attack through access to public information laws.

Do you agree? What’s the other side?

The Florida Bar Association has recently published a professional ethics opinion on the duty of lawyers to 'sanitize', i.e. erase the memory of, storage media such as printers, copiers, scanners and fax machines.

The opinion explains why such devices even have memories; some of the older among us may not think of them as that smart! It also notes a duty to supervise staff whose job it may be to clear out the memories of these devices before the devices are returned to lessors, or sold, or even just scrapped.

I see that the Law Society of Upper Canada's 'technology' section in its practice management advice mentions clearing computer hard drives before disposal, but it is silent on those spies in the mail room.

Do Canadian lawyers have a similar obligation to that of their warm-weather colleagues, just flowing from the usual duty of confidentiality about clients' matters? Should this element of the obligation be specially underlined? Does it need this much detail?

The Federal Trade Commission in the US published – as part of a much larger report on privacy – a fascinating chart on the various routes that various kinds of personal information take from the individual to end users of all kinds.

There is a note on the website of the Centre for Democracy and Technology about the chart.

 
The chart itself is in PDF.

There is a lot of information on the chart, so you will have to blow it up at least to double size to see it clearly (if your eyes are no better than mine…). It shows very nicely the flow of data, and how it can be aggregated and redistributed to unforeseen places. (The aggregation layer is one of the more impressive features of the chart, in my view.)

It is interesting to contemplate the degree to which Canadian (or any) privacy law might prevent or at least prohibit some of the data flows that the Americans take for granted. Of course just because the transfer of data is mentioned on an FTC chart does not mean that the transfer is legal or acceptable or free of oversight by the FTC or other bodies. Consider it a politically neutral ‘state of nature’ chart, with a ‘social contract’ or governmental regulation to be applied over top.

What do you think? Accurate? Disturbing? Routine?

A court in Illinois has recently held that showing a credit card number on a computer screen did not constitute printing that number: Kelleher v. Eaglerider, Inc., 2010 WL 4684037 (N.D.Ill., Nov. 10 2010). Internet Cases has the story.

The Fair and Accurate Credit Transactions Act of 2003 [PDF] (FACTA) says that a merchant must not print out a receipt with more than the last five digits of a credit card number. Someone who did a transaction saw his full number on the screen, and sued for damages for breach of the statute. He lost.

In my view, I’m pleased to see that the courts will not be the dupe of people who want to distort the clear intent of the statute in order to collect damages that they have not suffered.

FACTA is clearly intending to prevent full credit card info (including expiry date) that someone could use to buy things, from falling into the hands of someone other than the cardholder. Showing the information on the screen to the cardholder hardly presents the same risk. There is no reason to assume that FACTA intended to reduce the risks from shoulder-surfing (and it's not clear that the numbers were displayed in a form that anyone not right in front of the screen could see).

The more interesting case would be if someone were claiming that the screen shot validated the transaction, because printing was necessary, rather than being the ground for collateral attack ('collateral' because the issue in this case and the one cited had nothing to do with the transaction itself.) Could a court find a way past the Kelleher decision when the transaction deserved validation? (What about all those cases holding that electronic messages were the equivalent of writing? Can they be the equivalent of printing? Does it matter if there is a way for the computer user to print the information? Does our e-commerce/e-transactions legislation help? Is there a useful difference between printing and writing for these cases?)

A recent English court case, Football Dataco Ltd et al. v Sportradar GmbH [2010] EWHC 2911 (Ch), has held that at least for some purposes, the jurisdiction of a court over Internet content should be based on where the server was located, and not where the information online was read or used.

This seems to me to be half right. Jurisdiction should not be based on where the information was read or received, unless there is some separate activity going on there. But the location of the server should be irrelevant too. It is the location of the business that transmits the disputed information, or the controlling minds of the transmitter, that counts.

The court went on about the parallel to jurisdiction over satellite broadcasts, which have been the subject of an EU directive. The directive does not make the jurisdiction outer space, however… The point is to get at the people responsible for the bad activity, where they actually are.

Canadian law is largely consistent with the idea that the location of the server is not important. The Canadian Human Rights Commission decided it could hear a case against Ernst Zundel based on his web site, though the site was hosted in the United States. The Alberta Securities Commission decided it could hear a case against the World Stock Exchange though it was hosted in Antigua. The Supreme Court of Canada (I suppose I should start with them!) decided in a copyright case that one had to look at a real and substantial connection between the defendants and the jurisdiction of the court – or administrative tribunal – but not at where the server happened to be.

So it was fair enough for the English court not to take jurisdiction over some of the disputed activities of the Swiss and German defendants. IMHO it should have declined to hear the case not because the server was not in England, but because the defendants were not. (The court did allow some of the claims to proceed in England.) Servers are too mobile, and in any case are irrelevant to the activities. No one interested in the content of the Internet cares where the servers are.

Two qualifications:

1. Tax law may care where the servers are in deciding if a business has a permanent establishment in a country. Physical assets – like a server – count as such assets for this purpose. But that is not a matter of the content that is distributed by, or even held in, the server.
2. One may be interested in finding the server to enforce a judgment, if one could stop propagation of content by seizing or ordering the alteration of the server. (The server may be an asset to be seized and sold, for that matter.) But servers and content distribution systems are so readily moved that enforcement of content restrictions against them is unlikely to be very effective.

Other views?

An American magistrate judge (sort of like a master) has ruled that a plaintiff suing a company for improperly sending a takedown notice under the DMCA has waived a number of heads of attorney-client
privilege by discussing the details of her legal case too broadly by email and on a blog (Eric Goldman blog (per Venkat))

So it's not just lawyers who have to worry about waiving privilege - the clients can do so too. It's not that the media of communications were insecure in themselves, it's that they left traces that could be
found (not surprising, for a blog, or in an exchange with a reporter).

The decision is under appeal. I would have thought that the principle is right, and would be the same under Canadian common law, whether the particular communications in this case justified the result or not.

Do you advise your clients to restrict their discussions of their case? If not, would you do so after seeing this decision?

1. Following the example of the UN Model Law on Electronic Commerce, the UN E-Communications Convention [PDF] contains a provision on when electronic messages are received. They are received when they are capable of being retrieved by the addressee at an electronic address designated by the addressee. (Article 10) An electronic message is presumed to be capable of being retrieved by the addressee when it reaches the addressee's electronic address.

The explanatory note to the Convention explains at para 180 that this presumption of retrievability may be rebutted, for example, if the security filters of the addressee's system prevent the message from being retrievable.

This is consistent with the UECA s. 23 and the provincial implementing laws, almost all of which have a presumption of receipt, rather than a rule.

Professor Goldman says that 'my filter prevented receipt of your message' is becoming the lawyer's version of 'the dog ate my homework'. But sometimes it works, anyway. Here is his note on a recent case where a party was allowed to file an appeal a month after the deadline for doing so had passed, on the ground that the party's spam filter had prevented it from having notice of the date of the original order.

Note the discussion of the several other cases where the excuse had not been accepted — mainly those in which counsel did not otherwise appear very competent either. So it's at least a fact-based excuse, and the fact has to be proved.

What would a court do in Canada? We don't do much e-filing yet — except in BC, I think. The Ontario e-filing rules of a decade ago depended on proprietary and dedicated software provided by the Ministry, so spam filters were not, I think, a problem. The late, quasi-lamented Integrated Justice Project intended to use Internet-based e-filing, but that system never really got into use, so its response to filtering — or the courts' response to filtering as an excuse — never got tested.

Under the Ontario Rules, e-service of documents among counsel in actions requires consent of all participants, and an acknowledgement of receipt before the message can be considered received. So filters are not an issue there either.

2. An Ontario judge recently allowed service by Facebook in a family case. From the write-up in The Law Times, it appears as if service was made first and approved by the court afterwards. The judge gave a paper at a conference in favour of this kind of flexibility.

Would such a service be done on someone's wall, or by private message? Should one have to demonstrate that the owner of the FB site was using it regularly, i.e. there was someone home? In the instant case, the person served responded, which helped persuade the judge that the service method was good…

Service by FB has been done in Australia, and I believe in an unreported case in Alberta earlier this year. Should it become common, at least as a substitute method of service? If not, why not?

If one did purport to serve someone by posting the legal notice on the target's wall, would the target have any legally recognizable complaint about violation of privacy? Defamation?

The Uniform Arbitration Act (1990), in force in six provinces (and passed years ago in PEI but never proclaimed in force), sets out what were then modern rules for the conduct of arbitrations, with powers of arbitrators spelled out in default of agreement by the parties, and with restrictions on court intervention in the proceedings, as well as enforcement provisions. So far as I know, it works fairly well. (Ontario had a bit of controversy a few years ago about its application to family arbitrations conducted under religious law, and the statute was amended to better harmonize with family law principles generally.)

BC has a modern statute of its own similar to the Uniform Act, and the other common law provinces have something based on the English Act of about 1890.

All the provinces in Canada, and I think the territories, have implemented the UN Model Law on International Commercial Arbitration and the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards.

What happens to the arbitration statutes when the arbitrator is a machine? Is online dispute resolution provided in a mechanized way still an arbitration for the purposes of these statutes? Is the jurisdiction of an arbitrator the same? Should the courts show the prescribed deference to a computer? Should the grounds for review be the same, and the ease of enforcement of an award?

I would think that online DR that simply makes a human being available by remote communications, as does the ADR Chambers, for mediation at least, would not be a problem, except of course to decide whose law applies. But if there is a greater degree of automation than this, and some part of the argument + decision process is done via computers, is it the same?

I ask on the eve of the Vancouver conference on ODR in consumer disputes, in part because consumer disputes will have to be resolved in automated ways if the resolution is to be economical, assuming that they are generally for smallish amounts. (The UNCITRAL/Pace/Dickinson colloquium on ODR in March 2010 heard that the average consumer dispute was worth between $100 and $150.) Maybe those fortunate enough to attend that conference will let us know what they say on the point…

UNCITRAL has decided to consider ODR as a new topic for a working group, which will meet for the first time in December. The background paper on the topic does not discuss my question, but the meetings will eventually have to do so, surely.

Any ideas? Will statutes need to be amended? Will courts and parties muddle through?

Is anybody – any international body – studying the legal basis for jurisdiction over personal information as it crosses national borders, or considering the law that should be applicable to such PI?

This could be thought of as ‘law applicable to the cloud’ in these days of cloud computing, though I don’t think it’s limited to that.

The Hague Conference on Private International Law in April 2010 noted [PDF p.18] as an ‘additional subject’ for work, more I think in the lines of a watching brief:

The Council invited the Permanent Bureau to continue to follow developments in the following areas –
a) questions of private international law raised by the information society, including electronic commerce, e-justice and data protection;

Is the phenomenon of cloud computing sufficiently fixed that it makes sense to talk about international agreements on applicable law? I know that one of the first legal issues that comes up in discussing cloud computing is where the data are (business and personal data) and whose law applies to the operator of the cloud – meaning often what governmental authorities might have a right to get access to the data.

It is also a commonplace that entities that hold personal data are always responsible for complying with their own local laws about its treatment. Cloud computing raises the question is whether having the data in the cloud could prevent them from complying with those laws, or exposes the data to contrary laws.

From there to having a topic that an international body can usefully talk about may be quite a step … or not. What do you think? Is it time some body started a project on this, or should people be content to watch, for the time being?

Some email programs automatically delete old emails after a fixed time. Most come with a function that allows the owner of the system to set up a time after which old emails are automatically deleted (unless they have been moved to particular storage folders, probably). This function seems useful to avoid clutter. It’s like a record destruction schedule.

Is there a standard time at which such auto-delete functions should be set, or should there be? What’s a safe time, legally as well as practically? It is clear enough that without such a function, some people (most?) would never get around to deleting their old emails, and the system would require a lot of storage. Is the setting up of an auto-delete system any different from setting up a record destruction schedule for any other record, paper or electronic?

What happens when an operation (business or government) runs into a situation of probable or actual litigation, such that the principles of (electronic) discovery would require a ‘litigation hold’ on relevant records? Should auto-delete on the email system be turned off? Is there a way of turning such functions off for particular users or particular subjects? (My office mail now deletes my Sent Mail after two months – a practice instituted perhaps a year ago without any notice to users so far as I know) – but does not delete my Inbox ever.)

Is this any different from instructing the record managers (assuming a big enough organization that such people exist) to hold off from destroying other records on the normal schedule for the same reasons?

Do you know of a good guide to such practices, beyond the general level of the Sedona Principles? Would the best practices vary according to the limitation periods of the relevant jurisdictions? I can’t think of a reason to distinguish emails from any other records, except for the automation feature on their deletion, which is a practical hazard not a justification for a legal difference.

What do you advise?

It remains a continuing problem as to how to destroy digital data. In some instances one may have to destroy the storage medium itself.

Lately the Florida State Bar published a proposed advisory ethics opinion to the effect that lawyers have an obligation to ensure that confidential data — personal information but also client data generally — must be effectively erased from any storage medium before that medium is disposed of. This extends beyond computer drives to cell phones, digital fax machines and copiers (which have memories that keep the data), and even to third-party service providers’ equipment. The opinion does not say how the media are to be "sanitized".

Is there any reason why a Canadian lawyer would not have the same obligations? We have an obligation to understand the implications of the technology we use. Is this not just another such implication?

From the Florida Bar News report (emphasis added):

If a lawyer chooses to use these devices that contain storage media, the lawyer has a duty to keep abreast of changes in technology to the extent that the lawyer can identify potential threats to maintaining confidentiality,” the proposed opinion said. “The lawyer must learn such details as whether the device has the ability to store confidential information, whether the information can be accessed by unauthorized parties, and who can potentially have access to the information. The lawyer must also be aware of different environments in which confidential information is exposed, such as public copy centers, hotel business centers, and home offices. The lawyer should obtain enough information to know when to seek protection and what devices must be sanitized, or cleared of all confidential information, before disposal or other disposition. Therefore, the duty of competence extends from the receipt, i.e., when the lawyer obtains control of the device, through the device’s life cycle, and until disposition of the device, including after it leaves the control of the lawyer.

Although not covered by an ethics opinion, the proposed opinion also noted that a lawyer could face legal issues if disposed equipment or memory devices have personal information, such as medical records, Social Security numbers, or criminal arrest records.

Besides the lawyer’s own action, the lawyer must supervise nonlawyer personnel who use computers and computerized equipment to protect confidential matters.

The opinion also said the lawyer must get “adequate assurances” that discarded or leased machinery has been stripped of sensitive records.

“The lawyer has an affirmative obligation to ascertain that the sanitization has been accomplished, whether by some type of meaningful confirmation, by having the sanitization occur at the lawyer’s office, or by other similar means,” the opinion said.

In other words, a contractual promise to delete the information is not satisfactory.

The New York State Bar Association has decided that it is ethical for lawyers to gather information on adverse parties in litigation from publicly accessible social media pages of those parties. Lawyers are not allowed to ‘friend’ the adverse parties, or have anyone else do so. (This is consistent with the Philadelphia Bar opinion from last year.)

A story about the Philadelphia Bar view is here (the Bar’s own site is currently down for maintenance).

Here’s how the press characterized the NY State ruling: “Lawyers may comb social media for dirt”. Does that strike you as fair?

What would we say? There are cases dealing with discovery of private pages on social media sites, and there is at least some authority that courts can consider privacy issues as well as relevance issues. However, those cases did not deal with how lawyers might find out what is on the sites in the first place.

Does the NY State Bar view accord with Canadian principles of ethics? If not, how and why not?

A member of the ULC-ECOMM email list pointed us to a post on the blog Apophenia about Craigslist's decision to censor its 'erotic services' category in the United States. (News stories here tell us that the RCMP and a zealous Toronto city councillor are also pressing Craigslist to do the same for its Canadian equivalent.)

See "How Censoring Craigslist Helps Pimps, Child Traffickers, and Other Abusive Scumbags," by danah boyd, a fellow at the Berkman Center, a post the list member describes as "at the intersection of censorship, transparency, moral outrage, and harm reduction." One line in the post particularly caught his attention and raised a concern in his mind about privacy:

Craigslist is not a pimp, but a public perch from which law enforcement can watch without being seen

I have two questions (and my usual number of answers, i.e. none) provoked by the blog entry he refers to:

1. Is there a risk, or is it demonstrable one way or the other, that increasing opportunities for advertising an activity will increase the level of the activity itself? Ms. Boyd's argument is that prostitution and its concomitant abuse of women is going on in any event, and having it openly advertised makes it easier to recognize it, find and help its victims, and enforce the laws against it. The reason for banning it is that politicians (think they) can win votes by making distasteful things disappear, rather than that banning the advertising will affect the prevalence of the phenomenon. But if it were clear, or even probable, that reducing the advertising shrinks the market and thus the level of activity, then the ban has some positive impact and might be more defensible (subject to arguments about the responsibility of intermediaries).
2. In response to the list member's concern about privacy, is it not true that whatever restrictions are appropriate for law enforcement agencies' access to personal information online will remain in place, whether or not advertising of one particular kind of undesirable activity is banned? So having the ads out there, rather than suppressed, does not increase the vulnerability of our privacy interests. The police still need whatever authority they need in the absence of advertising (which may not be much, according to some Canadian cases… but all is not yet lost. And banning or not banning does not affect the risks). And let's face it, we are talking about advertising. How reasonable an expectation of privacy can one have in information that one puts online as an advertisement? If one is advertising an illicit activity, should the law ever protect one's privacy interests in doing so?

A member of the Uniform Law Conference – Electronic Commerce (ULC-ECOMM) email list points out that the electronic version of the Ontario Reports is announced by an email to members with a link to the latest edition and that states:

This communication is intended for use by the individual(s) to whom it is specifically addressed and should not be read by, or delivered to, any other person. Such communication may contain privileged or confidential information.

He asks, given that the material in the ORs is all likely available on library shelves or elsewhere: "Does this make any sense?"

Presumably the Law Society claims copyright in the contents of the Ontario Reports, though its claim to copyright in judicial decisions themselves is negligible, or laughable, or otherwise not worth taking seriously. (Now the Crown, OTOH, …. but we don’t have to go there!) The copyright in the rest of the contents is not really debatable.

But is it an element of the exercise of copyright to say that one cannot pass on a printed version of a copyrighted text, if one does not copy it?

Is that different from forwarding an electronic version, if one does not keep a version for oneself? And why should the Law Society or LexisNexis care if I pass on the e-version even if I keep one myself? Is there an actual commercial market for this material outside the Ontario Bar, which already gets the reports?

It would make sense to prevent people from stripping out content and republishing it commercially, e.g. setting up online classified ads populated by material from the Ontario Reports. That could be prevented (or at least made subject to appropriate civil liability) by a simple copyright notice.

Why is not the electronic notice quoted above ‘excess copyright’, as a certain fellow blogger might call it?

The Court of Appeal for England and Wales has recently decided, in Flood v Times Newspapers Ltd [2010] EWCA Civ 804 that the 'responsible journalism in the public interest' defence to defamation requires that an online archive of a story must be updated to take account of exculpatory developments.

Since the Canadian version of that defence ('public interest responsible communication') expressly applies to blogs and other non-mainstream-media publications, will bloggers have to update their stories too? Will they have to go back and amend or annotate the original posting? Does the usual blogging software allow for that?

(In Flood, the CA held that the original story did not qualify for the responsible journalism defence, as the High Court had held. The journalists had just repeated allegations in a report without checking them independently. Will bloggers ever do more?)

Should Canadian courts follow this decision?

The Utah Supreme Court this week held that electronic signatures gathered through a web site were valid signatures for the purpose of nominating a person to run for elected office: Anderson v Bell 2010 UT 47 June 22, 2010.

To run for governor in Utah, one needs a nomination document signed by one thousand people. The would-be candidate submitted a nomination form with a combination of hand-written and electronic signatures, the latter appearing on the form only as a list of typewritten names. The state election authority refused to accept the electronic signatures, thus reducing the number of signatures to less than one thousand.

The state Supreme Court said that the electronic signatures were valid. It relied on the Utah version of the Uniform Electronic Transactions Act (UETA) to do so. It had to get through three arguments against validity under that statute:

• The signatures were not part of a 'transaction': the court held that the relationship between the nominator and the would-be candidate was a transaction.
• There was no consent to doing the transaction in electronic form: the court held that the relevant consent was between the nominator and the candidate, not between the candidate and the state election official.
• UETA allows a government to set rules about transactions that it will not conduct electronically: the court held that this language referred to detailed rule-making processes under the usual administrative law principles, and the state had not gone through those processes to bar the use of signatures such as those in this case.

The first of these challenges would not be relevant under the Uniform Electronic Commerce Act (UECA) in Canada. No 'transaction' is required. The second, about consent, would probably be decided the same way, our statute being in more general terms about what is consented to.

The third could well be fatal here, since 'government bodies' (some provinces have used the term 'public bodies') are allowed to impose their own 'information technology requirements' for electronic documents and signatures submitted to them. We do not have the same elaborate restrictions on 'rule-making' as American law. The UECA was designed for these rules to be informal, so long as they are communicated to the people who need to know about them. (A government body may be any part of a government; the requirements do not have to be government-wide. They could be set by one department or agency for some or all of its own purposes.)

The question could come down to whether it would be fair to disqualify an electronic submission after it was submitted based on rules that one makes up after seeing it, rather than ahead of time. One of the main purposes of the government-body restriction was to ensure system compatibility between the government's system and what comes in. However, there is probably a good argument that the government's IT requirements can be directed at ensuring an appropriate level of reliability of the documents submitted.

This reasoning rests on the appropriate principle that an electronic document or signature does not have to be more reliable than its paper equivalent. If it is relatively easy to forge handwritten signatures, the fact that it might be just as easy to forge electronic signatures is not a barrier to using the latter.

It is fascinating, though, that the candidate invented his own security or authentication system (i.e. he decided to use it — who thought of it, I don't know) to link the e-signature with the individual who purported to sign. Apparently he required people signing the nomination petition online to provide the last four numbers of their driver's licence. It would be possible to check whether a person at a particular address had a particular driver's licence number, if one had access to public records (which a state agency might do. Privacy laws would prevent private citizens from doing so. Of course one can ask someone if he or she has a licence number ending in particular numbers, but if one has personal contact with the person, one can also just ask directly if he or she had signed the nomination form.)

The decision illustrates (again) that there is a difference between the questions 'is it signed?' and 'who signed it?', and the answer to the first question may be more important in some circumstances. In this case, at least, there was a way to get from the first question to the second, though having a name and address was almost as good a way as the driver's licence method. (According to a CBS News report, Utah law does not require that petition/nomination signatures be 'verified' but signatures on initiative and referendum proposals must be. So authentication questions are just beginning…)

The court may have been influenced by the policy consideration that the election rules should be read to favour more popular participation rather than less. The only drawback of letting someone run with fake nomination signatures is that the candidate waste's voters' time without much real support. That is probably less important than letting people use modern communication technology to demonstrate genuine support, and thus to broaden public participation in a democratic process. (See para 12 of the decision.)

The decision seems right to me, though it would not necessarily go the same way in Canada. Is that a problem for you?

This decision is nevertheless a long way from running an election on the Internet, where a number of other factors are in play: eligibility to vote, secrecy of vote, independence of vote, correctness of tabulation, and others. Is it a first step in that direction? Should it be?

[h/t to the InformationLawGroup's blog]

Bill C-32, the Act to amend the Copyright Act, has a lot of provisions, mostly aimed at balancing the interests of creators of copyrightable content with those who consume (or work with) that content.

Probably the most controversial provision involves 'digital locks', i.e. technical protection measures that are designed to prevent people from using the works in ways that the owner does not want. The Act makes it an offence to 'break' those locks for any purpose at all.

Some of the attacks on the locks rule have been a bit exaggerated, claiming that there should be no protection — so anyone could break anything at any time. However, some of the defences have seemed to me to be equally exaggerated. There was a letter in the Globe and Mail on Thursday from someone who should have known better, and probably does, essentially saying that without locks, there is no effective protection for copyright.

The right balance in principle seems to me to be that someone should be able to break the locks if the locks prevent him or her from doing what he or she has a legal right to do.

Two arguments against this occur to me:

i) The locks are usually accompanied by some user agreement or terms of licence that prohibit doing what the law might otherwise allow. If the person wishing to use the copyrighted content agrees not to exercise a fair dealing right, for example, then he or she has no such right, and breaking the locks would be improper in principle. My own view is that licensing rights should not be allowed to go that far. Copyright is public law to a large extent, and protects interests beyond those of the creator of the work. The law should limit the ability of people to contract out of their public-interest rights. (One can debate what those limits should be.)

ii) Most people will not have the skills to break the locks. They will rely on people with skills to make the digital tools available. However, if those tools are available, many people, perhaps most people, will use them to break the locks and thus to access and use content beyond what the law allows. In short, there are a disproportionate number of infringing uses of the lock-breaking tools compared to non-infringing uses, and thus the possibility of breaking the locks for non-infringing purposes must be foreclosed by law.

Is this right? Is reason (ii) persuasive? (For that matter is reason (i) persuasive?) Is there some reasonably effective way to permit lock-breaking (and the availability of tools to that end) only for non-infringing uses?

What should be done?

One of the big issues that Canada’s e-commerce / e-transactions / etc. legislation in the past decade was intended to resolve was the legal status of electronic signatures. At least that was the popular impression. A lot of people (not necessarily lawyers) referred to the legislation as ‘the e-signature bill’. (The Law Commission of England and Wales concluded that no legislation was needed to make e-signature valid in that country / those countries, however, and I suspect that conclusion was valid here too.)

Have there been any cases in any jurisdiction in Canada on the legal status of electronic signatures under the e-commerce / etc legislation? If there are a lot of them (and I can’t think of any at the moment), is there a good collection?

The Ontario Divisional Court is going to hear an appeal of the Warman v Wilkins-Fournier case, in which the issue is whether an internet intermediary (here a blog site) must disclose the names of people alleged to have defamed someone.

The Ottawa Citizen has the story.

The trial decision requiring disclosure is at 2009 CanLII 14054 (ON S.C.)

Both sides are suitably apocalyptic in their predictions of disaster if they lose. (Canadian Civil Liberties Association and CIPPIC intervened against disclosure.)

Those opposing disclosure (on court order) say that whistleblowing and populist activism will be chilled or will dry up if the names of the people who post accusations can become public.

Those promoting disclosure say that it will be completely open season on reputations and civil discourse if people can say anything they want and not be held to account for it.

It seems likely that the law is that the court asked to order disclosure has to consider how reasonable disclosure is, which in part means looking at how serious the allegations against the anonymous speakers/writers are, how serious the damage may be that they are alleged to have caused, and possibly any likely privacy interests they have. That may depend on the context for the remarks.

Does that seem a likely statement of the law to you? Is it reasonable? Is it too vague to permit the kind of speech that should be allowed in Canadian law? Or does it allow too much irresponsible vilification? The SCC has held that reputation is worth defending — and there is no question that some kinds of attacks on reputation can make it very difficult for the person attacked to participate fully in public life. OTOH not all chill is justified, and not all reputations are deserved.

Where would you draw the line? At (credible) threats? Only at language that would be criminal, e.g. incentive to harm, or incitation of hatred? At general defamation?

Note that we are talking here of finding out the identity of the actual speakers, and not dealing with potential liability of the intermediary for the speech.

Do we or should we draw the line in a different place from cases where law enforcement officials ask for, and often get, IP addresses from ISPs when they are investigating a crime, a topic that we have discussed on this list before? Is privacy a higher value in a civil dispute than in a criminal one, or vice versa?

The Supreme Court of Canada has granted leave to appeal to the plaintiff in the British Columbia case of Crookes v Newton 2009 BCCA 392.

The Court blog has a summary of the facts and of the appeal judgment.

Basically, the question is whether someone who posts a link to a defamatory publication has him/her/itself published a defamation. The BCCA held 2:1 that in some circumstances the link could be defamatory — but only if in context the poster of the link called particular attention to it and indicated agreement. The majority held (as had the trial court) that the defendant in this case had not done so. (The link was part of a blog entry about the plaintiff’s efforts to suppress someone else’s stories about him.)

The minority (Prowse JA) held that the defendant had done enough for his posting of the link to be defamatory in itself.

My tentative view is that Prowse JA is WAY too strict, and that linking would be extremely hazardous, whether or not one had any capacity to know whether the document to which one linked was defamatory.

Views, in anticipation of the SCC’s decision in a year or so?

Interesting, by the way, that the SCC gave leave with costs in the cause. Often in test cases where the parties have unequal resources, the respondent is not put at risk of costs even if the appeal succeeds. No such mercy for the blogger here. Does that make sense, or does it foreshadow a court that is unsympathetic to the blogger/linker on the merits?

The Uniform Law Conference has asked for model legislation to implement the UNCITRAL Convention on the use of Electronic Communications in International Contracts (the E-Communications Convention, or the ECC). In order to prepare this legislation, one needs to answer a number of policy questions — and then some drafting questions.

I have done an issues paper outlining the questions that have occurred to me. I would very much like your views on the right answers.

Here are the questions, to pique your interest:

1. Should Canada accede to the Convention?

My proposed answer is Yes. Each province and territory can make its own choice, though.

2. Application of the Convention: how is it triggered?

The law applicable to the contract is the Convention, by diverse routes. I think we should not take any exceptions to what is in the Convention.

3. Application of the Convention: what other conventions?

The Convention can apply to communications about contracts subject to any other convention to which a contracting state is a party. I think that Canada should extend it to all such conventions.

4. Application of the Convention: international and domestic contracts?

The Convention applies on its face only to international contracts, but we could amend our domestic law so the same rules apply to both levels of contract. Some other countries — notably Australia and Singapore — are likely to take this approach. Some considerations each way are set out in the paper.

5. Attach the Convention or rewrite the UECA?

The ULCC often does implementing legislation that just annexes the full text of the convention as a schedule. Which way we go for the ECC may depend on the answer to the previous question on applying the Convention’s rules to domestic law as well as to international contracts.

6. Application of the Convention: exclusions and permissions

We need to figure out what to do with our exclusions compared to those in the Convention, if we harmonize our domestic law with it. Ditto for the places where our law (the UECA, for the common law provinces) is more permissive than the Convention: do we need to restrict it? Have I got the dynamics right in this discussion?

7. Compatibility with existing Canadian law

Two studies were done for the ULCC in 2008 on compatibility of the Convention with Canadian common law and civil law. The common law study found general compatibility. The civil law study found general compatibility except on a key issue, the functional equivalent of ‘writing’, on which point the study said the Convention’s solution would not work in Quebec law. That study concluded that Quebec, and indeed Canada, should not adopt the Convention as a result. The issues paper comments briefly on the issues.

Comments on any of these issues would be welcome, in case a discussion is necessary, or to me directly. I would like to have a good idea of the optimal approach by, say, the middle of April.

Feel free to send on the questions or the link to the issues paper to anyone you think would be interested. I can make a Word version available, but did not want to impose on people’s bandwidth. (It’s only 11 pages long including a page of sources.) Is there someone who should be consulted more formally?

Thanks for your ideas and your help.

Internet Law News today reports on the arrest of four people in the US for fraud and unauthorized access to computers — at least I think that’s what’s going on. Here’s the story:

Four Men Charged In Computerized Online Ticket Scam
Four men accused of using a network of computers and automated software to buy up online tickets to concerts and sporting events and selling them at a profit were indicted on fraud, conspiracy, and computer hacking charges, federal prosecutors said on Monday. They allegedly made more than $25 million by re-selling more than 1.5 million of the "most coveted tickets.” [CNET]

The accused figured out a way to create a computer network or networks, some or all based in Bulgaria, that dialled in massively when tickets would go on sale and enter the Captcha code that is supposed to defeat automated buying. So they bought hundreds or more of the best tickets to a large number of concerts and sporting events, and of course resold them at a large profit.

Is it fraud to violate the terms of service of the ticket sellers (usually but not always Ticketmaster) that would limit the number of tickets per buyer? Is that kind of purchase unauthorized access to a computer? Otherwise what have they done that is illegal?

The story is not clear — and I have not read the indictment, which no doubt I should… — whether the computer networks were created voluntarily rather than by malware. I am not sure how a botnet could defeat Captchas; that’s why one would want to recruit real people. If they created networks by malware, presumably the creation itself may be an offence in the places where it happened — if the law applicable in those places prohibited it — but not necessarily where those networks produce their effects.

Or am I wrong about that? Is it an offence here to create malware that affects only computers somewhere else, if the effect of those computers is to have an impact here? Or must the Canadian impact itself be illegal for the creation of the malware to be illegal?

P.S. The men are not charged with reselling tickets for a profit, since that is not illegal in most of the US (or in most of Canada, where only Ontario and Manitoba prohibit it).

According to a report by Richard Liebrecht of the QMI Agency:

Alberta Musing Online Election Voting
New election rules have cleared the way for Internet and electronic voting, which could come to Alberta as early as 2013. “Obviously that online voting is something that’s on the forefront of people’s minds … people say, ‘I can do my banking online, but I can’t do my voting online’,” said Brian Fjeldheim, Alberta’s Chief Electoral Officer.

The Chief Electoral Officer went on to say “Once it has been proven to be effective, that the votes can be certified, all that security stuff can be looked after, I certainly see that as something that’s coming.”

How easy is looking after “all that security stuff”?

Is the parallel between e-voting and e-banking valid?

A few years ago ("Electronic Voting and the Law") I suggested (unofficially, of course) a few reasons why Internet voting is not like Internet banking. Was I unduly pessimistic? Or are people in fact a bit too blasé about the security of e-banking?

[via Internet Law News]

Apparently, according to Boing Boing, a high school in Pennsylvania supplied students with laptop computers … with the unusual and unannounced feature that the school could remotely turn on the webcams installed in the computers and watch the students away from the school, such as at home, without the students knowing about it.

A lot of people find this very offensive – but what is the offence, exactly, as a matter of law?

Is it the unauthorized use of the computer? It’s the school’s computer. Does that make a difference? Does it make a difference if the terms of use that the students had to sign before getting the computer (normally no doubt without reading them) said that the school could check on the student’s behaviour, without saying how?

There is a class action going on, or seeking permission to be launched, in Pennsylvania, in part at least under the Computer Fraud and Abuse Act, which deals with unauthorized access to computers. Here the computers are having unauthorized access to the students (except that the issue is the school authorities’ access….). Would a court have any trouble finding that images captured by the webcam were data, access to which was unauthorized, even by the owner of the computer?

Is there a privacy offence in the provinces that do not have private-sector privacy laws? Assume that the school is not making commercial use of the images of the students, so PIPEDA would not apply.

What other ground of civil liability do you see?

Is there another criminal offence going on? Would it matter if any of the images seen (and capable of storage, whether or not routinely stored) could have some sexual content, if only seeing someone undressing? Would that create a child pornography offence?

Is it wiretapping (or illegal interception of communications)?

Stephen Mason and Nicholas Bohm have an interesting article, "Identity and its verification", published in Computer Law & Security Review, Volume 26, Number 1, January 2010, 43 – 51. (Professor Stephen Mason has written a book on electronic signatures and runs a journal on similar topics. Nicholas Bohm is a security expert.)

It's available on Science Direct [PDF] and also on Stephen Mason's website [PDF].

Abstract:

The European Commission’s eJustice Strategy seems to contemplate that all lawyers will be issued with an ‘identity card’ card, perhaps intended to include a key for making digital signatures. The Council of Bars and Law Societies of Europe (CCBE) is proposing to introduce such a card. The purpose of this article is to clarify what ‘identity’ is and what is involved in verifying it, and to offer some general observations about identity cards. Although written with the eJustice proposals in mind, nevertheless the purpose of this article is to address the topic in its widest sense, which means it affects identity and its verification, whatever the circumstances.

Soundbite:

Those faced with the problem of how to verify a person’s identity would be well advised to ask themselves the question, ‘Identity with what?’ An enquirer equipped with the answer to this question is in a position to tackle, on a rational basis, the task of deciding what evidence will be useful for the purpose. Without the answer to the question, the verification of identity becomes a sadly familiar exercise in blind compliance with arbitrary rules.

Ontario has issued digital signatures to its lawyers who practise real estate law for many years. Have there been any issues with identification? The ‘identity’ in Ontario is between person asserting status as a lawyer and the Law Society’s list of lawyers in good standing.

What authentication is done in order to get a digital certificate from Teranet in Ontario?

What about other law societies that do something similar: what security, what authentication, what ‘identity’?

Certainly in Ontario the dig sigs (digital signatures) are used only with the certification authority (Teranet) being the relying party (the land register). Lawyers can’t use the digital credential in corresponding with other lawyers or with their clients.

Is that a proper limit to ensure the system is secure, or at least less vulnerable than a more open use? (Or is it designed to avoid liability of the certification authority who issues the credential?)

Out-law.com reports a recent decision of the Court of Appeal for England and Wales, R. v. Sheppard and Whittle, upholding a conviction for publishing hate literature though the material was stored on servers in California.

The connecting factor was that a “substantial measure of the activities” of the accused took place in England.

This is consistent with the Canadian decision in Citron v Zundel (Canada Human Rights Commission), where the material was also on a California server.

The English (and Welsh) Court held that the material could be held to be published without evidence that anyone actually read it.

It also held that the material was written despite its electronic form.

Any matter for controversy there?

If one has a weak password for one’s web-based personal information, is it reasonable to conclude that one has a reduced expectation of privacy with respect to that information?

(Here’s an English list (from 2006) of the 10 most common password and a list of the 500 worst ones, from the point of view of security.)

If someone uses “password” as his or her password, should he or she really be able to claim some privacy interest in the information behind it?

What about file sharing? If one has files or folders or most of one’s computer accessible to peer-to-peer sharing, does one still have some expectation of privacy in the contents somewhere?

Does it matter that unauthorized use of computer resources is illegal? In a prosecution for that offence, one cannot claim authority because of a weak password. After all, it is illegal to trespass on property if there’s a plain, non-threatening sign saying ‘do not trespass’ or ‘keep off’, even without a fence. (For that matter, many trespass laws bar trespass if the trespasser ought to have known the property was private, even without a sign or fence.) Is trespass a good analogy for privacy infringement?

Presumably one does not sacrifice one’s privacy by using P2P just because some uses of P2P may violate copyright (and some don’t).

Enough speculation: do you know of any case law or privacy officer decisions based on such reasoning? I don’t, but maybe I haven’t looked hard enough.

I know that the various governors of the legal profession (law societies, bar associations etc) tend to say that use of email generally or even unencrypted email does not waive any expectation of privacy, and, more important (perhaps), does not negate any privilege in the documents communicated by this method. Lawyers are advised to discuss communications security with their clients (and the subtle advisors warn that the clients may not be very knowledgeable about that topic, and one can’t hide behind that ignorance to establish a permission); but the general rule is that ordinary, unencrypted email is OK. VPNs and Extranets are generally considered OK too — which takes us back to the first question: does it matter how secure the password protection is for such networks?

Any relevant case law on the legal profession’s share of the question?

An English court has refused an injunction against the publication of the story of an alleged affair between a well-known football player and a teammate’s girlfriend: Terry v. Persons Unknown [2010] EWHC 119 (QB).

English law has recently given a good deal of protection to the privacy of celebrities, so some people have wondered if that protection is being reduced by this decision. Out-law.com says No.

One of the reasons (among several) for refusing the injunction in this case was that the application appeared to aim at protecting the player’s commercial sponsorships, rather than in protecting his feelings (which are described as ‘robust’). The court distinguished between protecting privacy, which is OK because mentioned in the European Convention on Human Rights, and protecting reputation, which was not entitled to the same deference.

Given PIPEDA’s focus on commercial use of personal information, is this a distinction that would prevail in Canada? Does it make sense anyway?

And should the court have cared about the privacy or reputation of the other party to the alleged affair, though she was not a party to the application for an injunction?

The government of South Australia has recently adopted a law that requires people commenting on the forthcoming state election to use their real names, and media will have to retain the names and addresses for six months. The requirement appears to apply to bloggers and comments on blogs etc.

Unsurprisingly, not everyone likes this.

Is it fair to say that requiring people to give their real names is a “gag” on debate?

Would the Canadian Charter of Rights and Freedoms prevent such a law in this country? In other words, does the freedom of expression protect anonymous speech?

According to a piece on Out-Law.Com, Nominet, the UK domain administrator, is allowing domain registrars for dot.uk domains to shut down web sites if there are credible allegations of criminal activity on those sites.

This is not supposed to happen with allegations of civil wrongs, such as copyright infringement (though if infringement is an offence under the Copyright Act, does that count as criminal?).

Registrars are cautioned not to lock someone out of their domain on the allegation of a commercial or personal rival . . .

Apparently this policy has been developed in association with the police. Nominet itself closed down 1200 sites in December for illegal activity, but now wants to delegate at least the authority for those decisions. (It is interesting that among the 'crimes' listed to justify this direct closing was failing to supply goods to consumers who had ordered them. (Would that not be a civil rather that criminal problem, or would it depend on the intent of the non-supplier?)

No word in the article about remedies for those who see their web sites blocked though they are not engaging in criminal activity — or even for those who are but who would have preferred due process of law to judging and execution by a domain registrar. If Nominet or the registrar were not liable (would they be? should they be?), the person who alleged the criminal activity might be — or would that be an occasion of qualified privilege?

Canadian experience has been that taking down some web sites often sideswipe others — so blocking a server will affect all sites on the server. Maybe targeting the domain names would avoid that unpleasantness (not that anyone ever apologized to the folks whose sites were sideswiped, so far as I know).

Name owners will have 90 days to resolve the ‘investigation lock’ or they will lose their names.

So: is this a good idea to fight cybercrime? Should CIRA do the same for Canadian registrars? Would the Charter of rights enter into it at all, or would it be entirely a private action outside the scope of the Charter?

There is lots of advice around, addressed to the young and innocent but probably applicable to the old and jaded as well, to be cautious about what one puts online about oneself, since it could be there for a long time and influence people whose interest you have not yet thought about — future employers and mates being two of the main classes.

The French are now pondering a legal ‘right to forget’ (un droit à l’oubli) — or at least a right of a person to get old information about him/herself taken down. The BBC has the story.

Is this: (a) a good idea, and (b) even remotely possible, even by force of law? What about Internet archives, and mirror sites, and viral messages?

I had thought that there was already such a legal rule in French law, though not perhaps enforceable against a host of a web site. Does that sound familiar to anyone else, or did I just make it up?

Should we have something similar here?

Dominic Jaar has an interesting article in the droit-inc blog (en français) suggesting that a printed document may have less legal impact than the electronic original, because the printout does not reproduce all the information in the original, notably not the metadata. And these days, pretty well all documents start in electronic form, in a word processing program of some sort. Who has a typewriter any more?

This is a particular issue in Quebec because of the terms of the Act to provide a legal framework for information technologies — Loi concernant le cadre juridique des technologies de l'information, L.R.Q. c. C-1.1. That Act provides that information can have the same legal effect regardless of its medium (the ‘support’). This was originally conceived to promote digitization of printed documents, but as Dominic points out, the logic works in both directions. The Act goes into considerable detail about how the integrity of a document must be maintained in moving from one medium to another, and in how the integrity should be provable (though there is a presumption of integrity, so it does not have to be proved in every case).

It has long struck me that the Quebec Act could be a kind of user’s guide to the Uniform Electronic Commerce Act and its implementing statutes across common-law Canada. Its principles are largely the same, where the subject matter overlaps (the Quebec statute touches on a number of topics that the UECA does not), but the Quebec Act goes into much more detail. It shows (in my view) that a technology-neutral statute does not have to be minimalist!

But here: is the additional detail problematic, in raising questions that should not be raised? Or does the Quebec Act (and Dominic’s observation about it) signal an important element of documentary integrity that we have been overlooking and that we should not ignore?

It is certainly well known that requests for electronic discovery generally specify that documents are to be produced in their native format, in order to capture the metadata. Is this a sign of the direction that legal analysis will go in other areas as well, that having a paper document will simply not be good enough for legal purposes? Will people have to keep the electronic original of anything that is created, even if only to be used in printed form?