Ron Livingston Sues Wikipedia over Orientation

By: Omar Ha-Redeye · December 6, 2009 · Filed Under Entertainment Law, Media Law, Privacy, Technology · 2 Comments 

The most recent controversy around Wikipedia, and there are plenty to come I’m sure, surrounds Ron Livingston, an actor in Office Space who starred briefly in Sex in the City.  Well it’s Livingston’s sex, or rather his sexual orientation, that is at the center of a current dispute with Wikipedia.

Livingston married Rosmarie DeWitt last month, and yet his Wikipedia entry has been repeatedly vandalized to say that he is gay and living with a Lee Dennison.  He also claims that the same individual made Facebook pages for himself and Dennison and showed the the two in a relationship together.

TMZ states,

Livingston is suing for libel, invasion of privacy and for using his name and likeness without his permission.

Unlike blogs, which go through minimal editing and scrutiny, Wikipedia has a vigorous review process which includes questioning sources and the neutrality of a point of view.  The system seems to have worked, as the references to Livingston’s sexuality were repeatedly omitted.  The problem is that the reference was repeatedly re-entered.

Wikipedia does have controls for this as well, including how to deal with vandals and locking pages that have repeat problems.  We don’t know if this occurred yet, but Livingston could have contacted a Wikipedia editor to invoke these stronger protection mechanisms.  Any court reviewing the case should closely scrutinize the options that were available.

Blogs face a more difficult challenge.  We often try to ensure our accuracy by linking to our sources, and searching as best we can for conflicting opinions.  But especially in the field of law, information does change with new legal development and judicial decisions.  Posts are really only valid for the time-stamp when they are published.We do not benefit from the continuous and ongoing scrutiny of editors the way Wikipedia does.

For this reason, I rely on my readership to inform me when information needs to be updated.  In fact bloggers often depend on that, and most of us are usually willing to make necessary changes.  In case of litigation, we might find sanctuary under the evolving ‘public interest responsible journalism defence‘ described in the 2007 Ontario case of Cusson v. Ottawa Citizen and the 2006 House of Lord’s decision, Jameel v. Wall Street Journal Europe.

The wonderful thing about Wikipedia for the purposes of litigation is that everything is meticulously documented on the revision history and the talk page, including when and what changes were made, by whom, and the corresponding IP addresses.  Issues surrounding the pending litigation are even raised on the talk page among the editors, including the location of the IP addresses making the changes, and news stories about the issue.

One of the IP addresses involved in the Livingston changes also made similar revisions on December 2, 2009 to the page of Sheikh Rashid bin Mohammed Al Maktoum of the royal family of Dubai, adding,

…as well as president for UAE LGBT conference as he is a known homosexual!.

Not that there is anything wrong with that.  But there’s no need to add personal information to Wiki entries, especially if they cannot be substantiated with an independent source, and may cause the person involves some personal harm.

In cases where the control features described above do not work, it may be appropriate to pursue litigation, possibly including the site in order to compel them to provide further information.

But the best strategy for celebrities, corporations, politicians and professionals, as I told a group of marketing professionals at a seminar earlier this week, is to mitigate any adverse impact by establishing a social media strategy yourself.

Online Reputation Management

View more presentations from Omar Ha-Redeye.
Post tags: , , , , , , , , ,

Protecting internet anonymity: the case for providing notice to anonymous defendants in defamation cases

By: Matthew Nied · November 9, 2009 · Filed Under Privacy, Privacy Law, Technology, Torts · 1 Comment 

An open issue in Canadian internet defamation law is whether courts should require that anonymous defendants be given notice of, and an opportunity to oppose, applications to compel the disclosure of their identities by third parties such as websites and internet service providers (“ISPs”). Because applications to compel disclosure are generally left unchallenged by third parties who would rather evade the costly cross-fire of litigation, courts have tended to review such applications ex parte. The concern in these cases is that anonymous defendants may be stripped of their anonymity – and thereby subjected to embarrassment, social stigma, or harm to their career prospects – all without an initial opportunity to anonymously submit a written response or retain counsel to oppose the application. This post discusses the status of a notice requirement in Canadian, American, and English law and evaluates the different approaches.

1. Canadian Law

Only one Canadian case has commented on the appropriateness of a notice requirement. In York University v. Bell Canada Enterprises, [2009] O.J. No. 3689 (S.C.J.) (“York University”) a plaintiff sought pre-action discovery by way of an equitable bill of discovery known as a Norwich Order. The Ontario Superior Court of Justice granted the Norwich Order, which required ISPs to disclose information necessary for the plaintiff to obtain the identity of the anonymous author of allegedly defamatory emails and web postings. Justice G.R. Strathy noted that it might be appropriate to impose a notice requirement, but declined to do so without providing reasons:

[I]t may be appropriate, in a given case, to require that the unknown publisher of the offending material be given notice of the proceedings. It does not appear to have been done as a matter of course in other Norwich order cases and I did not consider it necessary to do so in this case.

York University was discussed by other commentators in two excellent blog posts on Slaw: the first generally outlining the case, and the second commenting on specific points including the notice issue.

2. English law

The appropriateness of a notice requirement has received more attention in English law. In Totalise plc v The Motley Fool, [2001] E.M.L.R. 29 (H.C.), [2002] 1 W.L.R. 1233 (C.A.) (“Totalise”), the English Court of Appeal described the rationale for a notice requirement. In that case, Justice Owen of the English High Court first granted a Norwich Order that compelled a website operator to reveal the identifying information of an anonymous defendant that posted allegedly defamatory statements about the plaintiff. When the case was appealed on the issue of costs, Justice Aldous noted in obiter that it would have been desirable to require the third party to give the anonymous defendant notice of the application and then allow the anonymous defendant to make written submissions through the third party in order to better inform the court’s decision:

It is difficult to see how the court can carry out this task [i.e. whether to grant the requested order] if what it is refereeing is a contest between two parties, neither of whom is the person most concerned, the data subject; one of whom is the data subject’s prospective antagonist; and the other of whom knows the data subject’s identity, has undertaken to keep it confidential so far as the law permits, and would like to get out of the cross-fire as rapidly and as cheaply as possible. However the website operator can, where appropriate, tell the user what is going on and to offer to pass on in writing to the claimant and the court any worthwhile reason the user wants to put forward for not having his or her identity disclosed.  Further, the court could require that to be done before making an order.  Doing so will enable the court to do what is required of it with slightly more confidence that it is respecting the law laid down in more than one statute by Parliament and doing no injustice to a third party, in particular not violating his convention rights.

Although the obiter from Totalise is compelling, English courts have yet to impose a notice requirement. In the recent case of Sheffield Wednesday Football Club Ltd v. Hargreaves, [2007] EWHC 2375 (Q.B.) a justice of the English High Court dealt with a similar case and, after considering Totalise, concluded in the absence of reasons that

It did not seem to me that this was a case where I should require that the website users [i.e. the anonymous defendants] be contacted before making an order.

3. American law

American law, by contrast, strongly supports a notice requirement. In the leading case of Dendrite International, Inc. v. John Doe No. 3, 775 A.2d 756 (N.J. App. Div. 2001) (“Dendrite”), a New Jersey appellate court articulated a series of requirements for plaintiffs to meet before a court would order disclosure. The first of these requires that the plaintiff make efforts to notify the anonymous defendant that they are the subject of an application for an order to disclose their identities so that the defendants have a reasonable opportunity to respond:

We hold that when such an application is made, the trial court should first require the plaintiff to undertake efforts to notify the anonymous posters that they are the subject of a subpoena or application for an order of disclosure, and withhold action to afford the fictitiously-named defendants a reasonable opportunity to file and serve opposition to the application. These notification efforts should include posting a message of notification of the identity discovery request to the anonymous user on the ISP’s pertinent message board.

Several notable American cases have adopted the same or similar notice requirements post-Dendrite: Doe No. 1 v. Cahill, 884 A.2d 451 (Del. 2005); Mobilisa, Inc. v. Doe 1, 170 P.3d 712 (Ariz. Ct. App. 2007); Krinsky v. Doe 6, 72 Cal. Rptr. 3d 231 (Ct. App. 2008) (“Krinsky”); Solers, Inc. v. Doe, 977 A.2d 941 (D.C. 2009) and Swartz v. Does (“Swartz“) (Swartz, the most recent of these cases, was discussed in a previous post).

4. Analysis

Although both English and American jurisprudence supports a notice requirement, the approaches differ: while Totalise advocates imposing the requirement on third parties, Dendrite and subsequent American cases have consistently imposed the burden on plaintiffs. The problem with the later approach is that plaintiffs are generally in a relatively poor position to give reliable notice because, unlike third parties, they lack access to the defendant’s contact information. As a result, Dendrite and subsequent American cases have merely required plaintiffs to provide indirect notice by posting on the ISP’s pertinent message board, by posting on the same website or medium used by the anonymous defendant to publish the statements at issue, or, if the statements originated in an email, by sending notice to the anonymous defendant’s email address. The concern with these types of notice is their unreliability. There is no guarantee that a defendant will check these sources, or that the website or medium will still exist by the time the plaintiff commences action. And, in the case of email, a similar concern still exists due to the increasingly common use of disposable email accounts that defendants may abandon after sending allegedly defamatory statements.

Yet, imposing the burden of notice on plaintiffs may have some notable benefits. Unlike the approach advocated in Totalise wherein third parties would directly notify anonymous defendants, plaintiffs under the Dendrite approach generally have no choice but to provide indirect notice by posting in a publicly accessible forum. The public nature of a plaintiff’s notice will expose the matter to the oxygen of publicity and may affect the extent of the plaintiff’s reputational harm, depending on the context. In some cases, public scrutiny might result in further reputational harm if the public perceives the plaintiff to be unjustifiably attempting to silence the anonymous defendant. In other cases, however, public scrutiny might serve to alleviate the existing reputational harm by calling into question the veracity of the statements. Third parties might even be persuaded to mount a defence against a plaintiff’s application in cases where there is significant public support in favour of an anonymous defendant but they lack the resources to defend their anonymity.

Another option is to require both the plaintiff and the third party to provide notice. Although this approach would increase the reliability of notice and preserve the beneficial qualities of plaintiff-based notice, the approach seems redundant in the absence of evidence to suggest that the benefits of dual notification outweigh the costs. This is likely one of the reasons why the California appellate court in Krinsky rejected the notion of requiring a plaintiff to provide notice where a third party had already voluntarily done so:

When ISPs and message-board sponsors (such as Yahoo!) themselves notify the defendant that disclosure of his or her identity is sought, notification by the plaintiff should not be necessary.

In summary, a notification requirement imposes a relatively light burden on plaintiffs or third parties while providing defendants with the valuable opportunity to defend their anonymity and better inform the courts’ decision. Although a plaintiff-based approach may have some ancillary benefits, a third party approach provides more reliable notice and should be preferred because it best furthers the primary rationale underlying notice requirements.

Originally posted on Defamation Law Blog

Post tags: , , , , , , , , , , , , , , , , ,

See-through body scanners are not as bad as they sound

By: Pulat Yunusov · October 30, 2009 · Filed Under Privacy, Privacy Law · Comment 

According to media reports on Friday, the federal privacy commissioner approved the see-through airport body scanners. These machines show your naked body in Casper-the-ghost 3D on the security officer’s screen. Although the officer can easily see if you are a bikini model or a beer belly, the procedure is subject to restrictions and rules that create a good balance between security and privacy. Don’t be afraid of see-through scanners unless we hear some bad news about their health effects down the road.

Dave Thompson/Press AssociationThe scanners are supposed to speed up and improve that irritating extra screening at the airport. So the first rule is they will scan you only if security officers select you for extra screening. The second rule is you still have the option of a physical pat-down. The scanners give travellers a choice between physical touching and having your x-ray nude body on the screen. If this is the case, then scanners don’t make your life more miserable. You are already in humiliating extra screening, where the officers had had the right to strip-search you even before the scanners were proposed.

The Canadian Air Transport Security Authority promised the privacy commissioner that the officer viewing your body on the screen will be in a separate room. That’s another restriction on security to protect your privacy. But it works only if that officer can’t learn your name or store the image of your body. Unless you have a gun on you or some plastic explosive in your shoes, the officers should not connect your personal information to the image or retain the image in their computers.

Airport see-through body scanners can speed up the humiliating extra screening. They give people who don’t like pat-downs a choice. And scanners seems to be an excellent security tool. As long as they are not required in addition to pat-downs and as long as officers can’t keep your personal information and images without probable cause, scanners seem to balance privacy with security well. Hopefully, you won’t need to go through extra screening, but if you do, the scanners may be just the way to breeze through it, especially if you are late for your flight.

AdviceScene

Post tags: , , , , ,

See a Drug Deal on Google Street View – Well, Maybe

By: Omar Ha-Redeye · October 25, 2009 · Filed Under Privacy · Comment 

Simon Fodden predicted that the privacy complaints would begin once Google Maps Street View was launched.  The maps have proven popular in Canada, with over 150 million views of other countries by Canadians in 2009 alone.

Google recognizes privacy concerns, but claims to address them through their collection and processing approach:

  • public access images, no different than what would normally be seen walking down the street
  • not in real time, so images can be months old before going live
  • blurring of license plates and faces
  • allowing removal requests, through the “Report a Problem” option in the bottom-left of all images

Assistant Privacy Commissioner Elizabeth Denham raised these concerns Thursday to MPs in the House of Commons privacy and ethics committee, pointing out that at times Colonel Sanders‘ face was blurred in ads, while people were not.

She said that Google’s collection may fall under an exception of the Personal Information Protection and Electronic Documents Act, 2000, c. 5 (PIPEDA,),

Collection without knowledge or consent
7. (1) …an organization may collect personal information without the knowledge or consent of the individual only if

(c) the collection is solely for journalistic, artistic or literary purposes;

However, she notes that if other providers use the same argument to start collecting street-level information under the same exception, they might try to disseminate it without blurring technology, thereby posing a risk to children by predators.

Jonathan Lister of Google Canada claimed that they offer more privacy controls than mainstream-media,

If I’m inadvertently captured on the front page of a newspaper, the same way I might be inadvertently captured on Street View, I don’t have the recourse that Google offers if I’m captured in a pan shot on broadcast news. I don’t have my image blurred and I don’t have the ability to have that image taken down. So I think Google is really trying to lead by example and set the industry standard on privacy-protection practice.

Minutes from the meeting are not yet available, nor are documents from the Jan. 26, 2009 study on the implications of camera surveillance such as Google.   Maybe they’re considered too private.

Meanwhile, some Canadians are wondering how many bloopers are in the new Street View maps.  It’s become a popular past-time in America, where the maps were launched May 2007.

The only thing I’ve been able to find so far is Robert Jago of A Dime A Dozen Blog claiming this shot of East Hastings Street in Vancouver is a drug deal caught on camera.  I have to squint really hard to see it, and use a bit of my imagination, but if that’s the extent of privacy concerns with Google Street View, frankly, I’m not that concerned.

Cross-Posted from Slaw


View Larger Map

Post tags: , , , , , , , , , , , , ,

Have a Wi-Fi Device in Your Pocket? You Can Be Tracked!

By: Vitali Berditchevski · September 28, 2009 · Filed Under Privacy, Technology · 2 Comments 

Introduction (Surprise!)

I got a new iPod Touch today and one of the first things I did was fire up wi-fi and launch google maps. I noticed a button that allowed the system to automatically zoom in to my “current location”. Because the iPod does not have a GPS chip, I was expecting it to use my IP to narrow me down to a city or even a province. Imagine my surprise when it narrowed me down with an accuracy 30 meters (~100 feet)!

The first time I tried this, I was at the university. I was not too surprised by this because I know that the university has static IPs that may well be in some geo-locator database. I was more surprised (and concerned) when this worked at home. My IP is dynamic, so there is no way it could be stored in a central database. For curiosity, I looked my current IP up in a geo-locator database and it pointed me to Kingston, ON, which is 500km off, but it makes sense because my ISP operates all over Canada.

Technical Explanation (With Limited Amounts of Geekiness)

So how did the iPod do it? A few minutes of googling took me to a company called Skyhook Wireless. Without getting too technical, what this company does is it sends out about 200 cars in all cities in North America and they do what is known as “wardriving”. Essentially, they take a unique ID (MAC address for the technically inclined) from all wireless routers and log the physical location of those routers in a central database. The MAC address is freely available, even from protected networks. To be perfectly clear: you do not need to connect to a network (and thus do not need any passwords) in order to get a MAC address.

Once the location is in a central database, it is available for triangulation. Say I’m walking down the street with my iPod and press the “locate me” button. The Wi-Fi radio on my iPod sends Skyhook the MAC addresses of all the routers around me in a 80-200 meter radius. If three of those are in Skyhook’s database, I am triangulated, and skyhook knows where I am (give or take a few meters). The data is sent back to me and I get a google map of my surroundings.

Implications (Why You Should Turn Off the Wi-Fi on Your Cell Phone/iPod)

The negative implications of this can be quite clear. What if, for example, you’re not the one who requested your location? What if it was done by a virus/trojan or spyware (brings a new meaning to the term, eh?)? But your location is probably of little use to petty hackers and virus-writers. It’s also not precise enough for someone to physically walk up to you, especially if you’re in a dense place such as any city center. 30 meters worth of error downtown Toronto (or even downtown London) is enough for someone to never find you.

But what if your location is wanted by someone who knows you personally? Let’s say a spouse/significant other who thinks you’re cheating. Then your location with a 30 meter margin of error becomes more than enough for that person to know what you’re doing.

Legal Issues (This is a Law Blog, right?)

I can’t definitively say whether any of this is an invasion of privacy. Skyhook’s technologies does not circumvent any security systems and uses only information that is publicly available. I am not sure whether posting a location of a MAC address constitutes invasion of privacy (an enterprising “enthusiast” found a way to query Skyhook’s database to get Lat/Lon coordinates associated with MAC addresses). There’s an argument to be made both ways and of course none of this has been tested by a court.

What’s more concerning is that router owners cannot opt out of this. Furthermore, once a router’s MAC address is in the database, it cannot come out. The company’s stance on the issue is the following:

“we cannot remove individual access points…every access point by
definition broadcasts a radio beacon …The only way to stop an access point from broadcasting its
presence is to unplug it….we don’t actually identify the location of access points, just the signals
that they create”

That statement is technically true, but misses the point entirely. “The signals” (MAC address broadcasts) can be definitively associated with the physical router because every router has a unique MAC address (otherwise their system wouldn’t work). So, yes, they are tracking the location of access points. It is true though that once that access point (router, switch, etc.) is no longer broadcasting, it cannot be identified. This is the same thing that was said by computer security experts back in the 1980’s:

“…the only truly safe computer system is one that is disconnected from the network, switched off and buried six feet under ground…and even then I’m not sure.”

Mitigating Factors (Why You Should Not Lose Sleep Over This)

I have already alluded to some of the mitigating circumstances. Some of them are social (i.e. your location within 30 meters is useless to 99.999999% of the population) others are more technical. For example, most devices that are not laptops shut off wi-fi connectivity when their screens turn off in order to conserve their batteries. This is certainly true for iPods and iPhones and is also true for every Windows Mobile device I ever owned. Also, an internet connection is not needed to establish your coordinates (unconnected wi-fi is enough), but an internet connection IS required in order to do anything with those coordinates (i.e. send them to someone).

Also note that there need to be at least three known broadcasting access points within at most 200 meters, which likely means that this positioning system will not work in rural areas.

Lastly, and perhaps most importantly, I did not find any evidence of this system being misused. So far, there has not been any malware written that would take advantage of Skyhook’s database to track people. That doesn’t mean it cannot happen, it just means that it is not something to worry about today.

For More Info…

For the more technically inclined, you can check out my source material:

http://thebmxr.googlepages.com/Don_t_Locate_me.pdf (Background and tricking the system, very technical)
http://en.wikipedia.org/wiki/Skyhook_Wireless (Wikipedia entry on skyhook. Describes the technology)
http://en.wikipedia.org/wiki/Wifi (Wikipedia entry on wifi. Look at “Reach” for wifi service ranges)

Cross-Posted at Lawyerling.ca

Facebook Agrees to Comply with Canada’s Privacy Laws

By: Vitali Berditchevski · August 27, 2009 · Filed Under Media Law, Privacy, Privacy Law, Technology · 2 Comments 

A triumphant Jennifer Stoddart, Canada’s Privacy Commissioner came out this morning and said that Facebook agreed to make changes to its privacy policy within a year. The following changes are being touted:

  • Denying third-party application developers access to user information without the user’s express consent in each of the categories the applications wants to access (currently, a user clicks just one button and the application can access all info regardless of whether or not it needs it);
  • Giving users the opportunity to provide meaningful consent to retain profile pages after their death (currently there is no such provision that I know of);
  • Add information about the privacy of non-users;
  • Allow users the option of deleting accounts and all information associated with the account from Facebook’s databases (currently, a user may “deactivate” their account, meaning that the info still stays on Facebook’s servers).

This is indeed a meaningful victory. However, it does raise some interesting questions. Facebook is not the only platform out there that indefinitely maintains the information of its users. Other platforms such as Myspace, twitter, countless small(er) sites such as meetmeinto and the ever expanding vacuum of information called Google.

Are the laws on privacy clear? How do they apply to non-Canadian companies? How can they be meaningfully enforced, especially outside borders? I see Facebook’s agreement to comply with laws as largely a goodwill measure. If the company wanted to dig in its heels and refuse to make any changes, what could the Privacy Commissioner have done? Let’s see if someone can answer this question.

Source

Cross-posted on Lawyerling.ca

Post tags: , , ,

Passwords are the new guns

By: Pulat Yunusov · August 24, 2009 · Filed Under Civil Rights, Criminal Law, Privacy · 1 Comment 

Your password is a gun. It can’t shoot but at least the government treats it like a gun. In the UK, they made it a crime to refuse to give up your password to the government. The US long considered encryption an armament. It means encryption has military uses like weapons, infra-red goggles, plutonium, and armoured cars. When the government forces you to give up your password, it can read your data. Then you can’t hide anything from the government. It can get what it wants by demanding your password. In the UK, you can go to prison for years if you say no. In this information age, there is a real public interest in giving the government electronic investigation powers. But the UK is doing it the wrong way. They breach your right not only to privacy but also to due process. If gun rights didn’t sound so silly today, I would call the encryption rights the new gun rights.Courtesy of barjack @ Flickr

The UK government recently disclosed that two people had been convicted for refusing to give up their encryption keys. There is no word on the sentence, but the prison term for this offence can stretch to five years. The UK government has had a power to take passwords by force since October 2007. This is how it works. If the government believes it needs your password for national security, crime prevention, or for economic well-being of the UK, it can give you a section 49 notice, named after the authorizing section of the Regulation of Investigatory Powers Act. A permission of the court is not necessary for this notice. You have only “reasonable” time to comply. After that, prosecutors can charge you with a criminal offence if you “knowingly” fail to give up the password.

Don’t say you have nothing to hide because you didn’t do anything wrong. There is a good reason to hide anything you want and still be a good citizen. Governments consist of people, even democratic governments. No matter how much you feel your government represents you, there are two ways in which a government can go rogue. First, you stop being in the majority. Second, a government official figures the majority won’t notice or will forgive him for abusing only you. That’s why many modern democratic countries enshrine human rights in their constitutional law: the US, Canada, and the EU, for example. Our Charter of Rights and Freedoms lets you ask the courts for protection from rogue government officials no matter what the majority thinks. The Canadian Constitution is a curb on both the government and the will of the majority. It presumes that both of them can do bad things. No one is a saint.

There are two ways to protect yourself from the government’s or the majority’s abuse. One is the constitutional law. The other one is physical. Many, many years ago gun ownership was such a physical barrier to government abuse. In the 18th century, it was reasonable to think that if men had guns, the government would not abuse them for fear of an armed response. Today it doesn’t make sense, of course, because no armed band of neighbourhood dads will be a match for the modern state’s professional military machine. But things we want to protect with physical barriers from governments gone astray are different today. It’s not land, or crops, or not even our physical liberty or security (courts do a good job protecting those two from abuse, and if a day comes when they can’t, a higher being will be our only hope).

What we more and more often want to protect today is computer data. Our lives are online or on the hard drive. Emails, records of every website we go to, diaries, mad or creepy thoughts we share with the computer screen, political manifestos, ideas, inventions, art: it’s really anything that can change the world in a perfectly legal way but an official may want to censor, delete or use in some other way to harass you, charge you, or declare that you don’t look like your passport picture when you go abroad. Do we live in a dictatorship? Of course not. Does our government do things like that routinely? No, no, and no. Does it looks like it wants to? Not really. But like the Charter presumes that the government has the capacity for evil, every citizen must have a right to presume the same thing and to build impenetrable walls around his private life. Gun lovers in a certain country south of the border got a wrong target in their sights. They cling to the wrong tools. Guns are outdated, good-for-nothing protection of human rights. Passwords are the new guns.

The UK law wants to take your passwords from you. And like many things in the computer age, passwords are tricky. You can’t rip them from the owner’s arms and break them into pieces. You can’t even know for sure who has them or who the owner of the data they protect is. That’s a huge problem with the UK law. To overcome this problem, the law must make presumptions. First, it must presume that whoever has the hardware, owns the data on it. Unfair. Plug your computer and lots of stuff will land on your hard drive in the first five minutes without your knowledge. Second, the law must assume that whoever has the encrypted data, knows the password. Don’t ever forget passwords that the government wants. It’s may be a criminal offence in the UK. Finally and most scarily, the law must presume that every chunk of random data is encrypted. Without a password, there is no way to tell an encrypted Word document from a piece of an image file. Encryption works by making ordered data appear random. Sadly, much legitimate, unencrypted data on your hard drive looks exactly like that. Experts can even encrypt text by turning it into a jpeg of a cat.

Courtesy of marcman220 @ FlickrThere is a very thin line between enforcing the UK password law and letting cops wade through arbitrary computers under the cover of the today’s hottest flavour of the public interest. There are just too many legal fictions in this criminal offence. For this reason, I think Canadian courts would not let it stand if our Parliament passed a similar law. It’s just not necessary to force people to give up passwords to defend the absolutely legitimate public interest of safety or national security. The government can do its job without breaching human rights this much. Forcing people to surrender passwords will not minimally impair their Charter rights. The offence in the UK law is also too vague because any file with random data is potentially encrypted and subject to investigation. Giving up passwords may also be self-incriminating. No one should be punished for refusing to testify against themselves.

Let’s not kid ourselves. More and more criminals will encrypt the data used to commit crimes. But the way computer networks work makes it easy for that data to end up on an ordinary citizen’s computer. The government shouldn’t have powers to force us to give up passwords to any random heap of data that it believes to be connected to criminal activity. Passwords to our email or computer accounts will not be safe from such investigations either. Spammers bombard our computers with billions of attachments every year. There is a good chance spammers’ networks or computers are implicated in crime. That’s a real connection to our pretty Macs or drab PCs humming in our living rooms or bedrooms. And little can stop the police from suspecting that you know the password. This scenario doesn’t have to be common to cause alarm. It should cause alarm because of its potential for abuse. Making it an offence to refuse to give passwords justifies police involvement that can go beyond reasonable limits. That’s too much for our civil liberties, even in the name of fighting crime.

The UK password law is harsh and unreasonable. It can make too many law-abiding citizens targets of police interest. It will make them potential criminals when they refuse to take down barriers between their private space and the government. Someone said we increasingly lived online. If we take our affairs to the electronic realms, let’s make sure we take our civil liberties there too, even if we have nothing to hide.

AdviceScene

Post tags: , , , , , , , , , , , , , , , , , ,

Taxes are inevitable

By: Law is Cool · August 21, 2009 · Filed Under Privacy · Comment 

Swiss bank UBS to name names

Swiss banking giant UBS AG (UBS-N15.51-0.39-2.45%) agreed Wednesday to turn over to the IRS the details of 4,450 accounts suspected of holding undeclared assets by American customers, piercing Switzerland’s long-standing tradition of banking secrecy.

AdviceScene

Post tags: , , , , , , , ,

Luigi Benetton on Collaboration Systems

By: Omar Ha-Redeye · August 18, 2009 · Filed Under Legal Research, Privacy, Technology · Comment 

In his regular column for Lawyers Weekly Magazine, freelance technology writer Luigi Benetton has a piece in the Aug. 21, 2009 issue on drafting and editing documents in real-time.

He discusses real-time applications like NetMeeting, and asynchronous platforms like wikis and traditional DMS.  He suggests the latter are more appropriate for lawyers who don’t collaborate as smoothly together.

I point out that the efficiencies created by collaboration tools help boost lawyer productivity, which can raise billable hours and improve work/life balance.  The amount of time learning new technologies is minimal compared to the returns over time.

Fostering more collaboration can  help avoid group-think, especially in highly hierarchical cultures like law firms.

Benetton also discusses why security fears may be unfounded, and the flexibility that these systems can provide to users.

Cross-Posted from Slaw

More on jury background checks

By: Law is Cool · July 23, 2009 · Filed Under Criminal Law, Privacy · 1 Comment 

Ontario reveals juries given secret background checks

AdviceScene

Post tags: , , ,

Facebook and privacy

By: Law is Cool · July 17, 2009 · Filed Under Privacy, Privacy Law · Comment 

Ottawa takes on social media giant for violating Canada’s law

AdviceScene

Post tags: , , ,

The privacy of police officers on the witness stand

By: Pulat Yunusov · July 5, 2009 · Filed Under Criminal Law, Privacy · Comment 

If a police officer is a witness in court, can the defence lawyer bring up his disciplinary record? Police forces across the country don’t like this idea at all, fearing that the cop’s integrity will end up on trial (Edmonton Sun article).

I was in a bail hearing on Friday. A proposed surety took the stand. He is apparently a respected member of his community, a hard-working man, and a father. What did the Crown do during the cross-exam? They pulled out his criminal record. The man had been long pardoned, and the other charge had been dropped. It still came up though, and the Crown had easy access to this information.

I guess no privacy issues came up because he is an ordinary citizen. But it was certainly awkward.

(post sponsored by advicescene.com)

Post tags: , , , ,

Next Page »