Identity Theft Archives - IPOsgoode /osgoode/iposgoode/category/identity-theft/ An Authoritive Leader in IP Mon, 28 Jul 2014 14:18:06 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 MedEdge 2014 -- New Medical Innovations Bring Privacy Dangers /osgoode/iposgoode/2014/07/28/mededge-2014-new-medical-innovations-bring-privacy-dangers/ Mon, 28 Jul 2014 14:18:06 +0000 http://www.iposgoode.ca/?p=25278 The 2014 MedEdge Summit was a resounding success. Academics, innovators, entrepreneurs, and practitioners filled the auditorium and networking booths. As one of the lucky attendees, I zoomed in on Dr. Cafazzo’s talk about the significant lack of human use considerations (“reverse human engineering”) in the design of traditional medical products, and the introduction of new […]

The post MedEdge 2014 -- New Medical Innovations Bring Privacy Dangers appeared first on IPOsgoode.

]]>
The was a resounding success. Academics, innovators, entrepreneurs, and practitioners filled the auditorium and networking booths. As one of the lucky attendees, I zoomed in on ’s talk about the significant lack of human use considerations (“reverse human engineering”) in the design of traditional medical products, and the introduction of new innovations that correct these, . However, these new innovations bring a set of privacy challenges that can also have dire consequences.

 

To Err is Human

Dr. Cafazzo stressed that theinaccurate use of medical innovations is a widespread and serious problem. The traditional approach is to blame the patients for this problem, as they the ones who make usage errors. [1]

In contrast,Dr. Cafazzo argues that the cause of many misuse problems can be .The reality is that humans err, thus the expectation that the patients will use the products perfectly each time should be abandoned. Instead, during the creation and design stages, medical innovators must assess and compensate for the degree of usage errors.This view is supported by the U.S.’s [2], which recommends and sometimes requires manufacturers to perform a risk analysis in human misuse of a product before releasing it to the market. However, I am unaware of any Canadian policies that require the same.

 

I have to pay how much for my own health data?

Traditional medical innovations fail to provide the patients with easy access to their own health data.Under the[3],health information custodians (including physicians) have exclusive control of the patients’ medical records. Although the custodians are obliged to provide the patients with their own data, they may charge a fee to “reasonably recover” the cost spent in preparing this information. However, in practice, the , as in the case ofawho, reportedly, was asked to pay $600 to access her own data.

 

Proposed Solution: Self-Management Internet Platforms and Mobile Apps

To correct these flaws, most health innovations introduced at MedEdge focuses on being simple and user-friendly, and on giving the users fast and efficient access to their health information.

 

Dr. Cafazzo’s developed , an innovation that encourages asthma patients to understand and self-regulate their health. This mobile application allows the users to access their health information at any place and time. Breathe employs easy-to-read, attractive graphics to display daily and weekly health assessments to users. It encourages the users to take an active role by developing action plans and by competing with other patients to see who best regulates their health.Similar self-management tools introduced at MedEdge includes .

 

Privacy Dangers

Although these new innovations do fix many problemsassociated withold medical products, they also bring a set of privacy dangers with them. Whereas traditional medical processes like paper files guard patients’ medical records strictly, some new innovations may be more easily hacked and abused.

 

My concern for privacy issues particularly in mobile health apps and internet platforms comes from two sources. First, the current state of security features in electronic devices is not sufficiently sophisticated. In a recent study conducted by the, it was found that 86% of mobile apps do not have basic security defenses. Last year, the, a mobile device manufacturer, for its lack of security features in applications on smartphones and tablets.These security vulnerabilities enabled malware to be installed without users’ knowledge or consent, allowing hackers to gain access to all of a user's information. HTC settled the case and delivered security patches.

 

Nevertheless, I do acknowledge that significant global efforts have been made towards better privacy protections.In 2013, the [4] that requires its member states to assess and manage privacy risks in the information systems under their control. In the same year, the U.S. passed the , which facilitates the sharing of cyber threat intelligence in order to increase cyber security.In 2012, [5], which seeks to promote cyber-security and co-operation. The problem is that despite these efforts, [6].Therefore, while better cyber security and privacy features are possible,they have not yetbeen achieved.

 

Additionally, the information involved in health mobile apps is extremely sensitive. For instance, gives users (i.e. anyone who has log in information or has deployed malware to gain access) information about the patient's symptoms, the triggers that cause those symptoms, the patient's past and current medications, and the locations that the patient has been to every time they do a self assessment.The consequences of leaked health information can be severe. Some medical conditions, such as [7]. Also, unauthorized access to this information will likely [8].

 

Conclusion

It is true that many traditional medical products are problematic as theycan becomplicated to use and do not provide users with easy access to their own health data. However, I remain unconvinced that health mobile apps and internet platforms are the best replacements for these products, at least for now.We still remain in an era where cyber security is fragile and medical information is extremely sensitive.

 

Sabrina Ding is an IPilogue Editor and a J.D. Candidate at Osgoode Hall Law School.

 

[1] Dr. Joe Cafazzo, "Finding Empathy: Navigating Past The Dark Side Of Health Technology Design" (Health Innovation Design Lecture delivered at the Richmond Hill Centre for Performing Arts, 19 June 2014), [unpublished].

[2]US, Food and Drug Administration, Draft Guidance for Industry and Food and Drug Administration Staff - Applying Human Factors and Usability Engineering to Optimize Medical Device Design,(2011) at ss. 1, 11.

[3]Personal Health Information Protection Act, SO 2004, c 11, s.54(1).

[4] Katherine Ritchey et al, "Global Privacy and Data Security Developments" (2013) 69 Business Lawyer

[5] Supra note 3.

[6] Supra note 3.

[7] Gregory Herek, "AIDS and Stigma" (1999) 42 American Behavioral Scientist

[8] Khaled et al, "Evaluating Common De-Identification Heuristics for Personal Health Information" (2006) 8 Journal of Medical Internet Research

The post MedEdge 2014 -- New Medical Innovations Bring Privacy Dangers appeared first on IPOsgoode.

]]>
An Interview with James Williams and Michael Power: Putting Privacy and Data Protection Under the Lens /osgoode/iposgoode/2013/12/06/an-interview-with-james-williams-and-michael-power-putting-privacy-and-data-protection-under-the-lens/ Fri, 06 Dec 2013 17:14:43 +0000 http://www.iposgoode.ca/?p=23707 The course Comparative Law: Privacy and Data Protection is offered this coming term at Osgoode Law School. IP Osgoode interviewed the course co-professors, James Williams (Osgoode site, personal site) and Michael Power (Osgoode site, personal site) for their insight on the exciting contemporary debates in the field. Whether you’re a law student interested in public […]

The post An Interview with James Williams and Michael Power: Putting Privacy and Data Protection Under the Lens appeared first on IPOsgoode.

]]>
The course Comparative Law: Privacy and Data Protection is offered this coming term at Osgoode Law School. IP Osgoode interviewed the course co-professors, James Williams (, ) and Michael Power (, ) for their insight on the exciting contemporary debates in the field.

Whether you’re a law student interested in public sector law, regulated industries like banking or healthcare, technology trends or information management, this course is for you. IP Osgoode extends a warm thank you to Williams and Power for their time for the interview as well as their passion for the study of privacy and data protection.

What drew you into the privacy and big data field of law?

MP: While with the Department of Justice in the 1990s I served as Coordinator of the Department’s Electronic Commerce Secretariat. I was one of the principle authors of the Electronic Documents Act. When that bill was merged with the then Personal Information Protection Act, literally at the last minute, I had to learn about that statute. Later, when I left government for private practice, the information security aspects of my law practice found me explaining privacy obligations to clients and the privacy law practice evolved from there. Privacy law represents the legal side of a juxtaposition of consumer/human rights/civil liberties law with technological innovation, which I find fascinating. You can literally “wait a moment” and see new legal issues arise as the consequences of technology deployment play out.

JW: I became interested in this area through taking a privacy law course with David Loukidelis and Murray Rankin. Privacy is a very broad (and to some degree nebulous) concept that has attracted attention from a wide variety of disciplines, including psychology, philosophy, economics and computer science. In addition to being notoriously difficult to define, it is intertwined with other areas of law, including constitutional and commercial law. There are some very deep problems in this area, both in terms of theory and practice. It also turns out that privacy is very fertile ground for computer scientists. There is a rapidly expanding body of work in both industry and academia that presents techniques to address privacy risks posed by data aggregation, data mining, ubiquitous computing, social networks and other technologies. While some areas (e.g., anonymization methods for data) have advanced rapidly, a lot of work remains.

How do you feel Canada is doing compared to US/EU re: data privacy?

MP: In terms of law, generally I think we’re in a better position that the US in that our comprehensive approach can deal with evolving issues. The American “sectoral” approach may or may not be able to address something new. However there are aspects of American law — genetic privacy, for example, that are further ahead of Canada. I also think the European approach, while also comprehensive, is more regulatory in nature and more problematic in operational terms. In some respects, governments in Canada think “privacy” as a legislative issue is “done” and I don’t see that in Europe or the US. I think the future evolution of privacy law in Canada will occur at the provincial level because of the constitutional limitations of the federal government in this area. For example, “revenge porn” can’t easily be dealt with under a PIPEDA/PIPA framework aimed at commercial exploitation of personal information.

JW: That’s a tough question. Canada has really drawn inspiration from the US, not only from its jurisprudence but also for some of the fair information practices. Nevertheless, our data protection regime was really crafted in response to developments in the EU. As Michael mentioned, we have a comprehensive approach that is applicable across industries. There are some gaps and weaknesses in our law, of course. Select sectors in the US are definitely ahead of their Canadian counterparts, and I think that the FTC likely inspires more terror than our privacy commissioners. Comparing the two systems is difficult, and perhaps fertile ground for a paper.

Is "big data" hype all it's cracked up to be? Do we have the person-power capacity in Canada to properly utilize it?

MP: Data analytics, which is what “big data” is all about, is fine in theory, with a lot of benefits both at the institutional and individual level. However, we’re far from achieving those benefits in that organizations in Canada, whether large or small, have immature data management regimes. I suspect those benefits will come but not before a lot of time, effort and money is wasted figuring out how best to get them. The “cloud”, as a concept, first arose in the 90s and is only gained traction in the last few years. Data analytics may follow a similar timeline.

JW: One has to be careful with buzzwords. Data aggregation and analysis has been around for decades, and a brief look at the work of Arthur Miller and Alan Westin shows that legal scholars have been concerned about these activities since the late 60’s. Since then, computing power and availability has improved significantly, the amount of data collected has grown, and there are some novel techniques that complement traditional methods of statistical inference.

I do think large-scale data analytics is going to be very useful as a tool for disciplines like medical research, materials science, biology, urban planning and ecology. However, a lot of the techniques are not easy to deploy. There are major issues with data acquisition, data quality/cleansing, choosing appropriate methods, and validating the resulting models. Some techniques work best with massive amounts of data and computing power.

The firms that have the requisite resources (both human and computational) and tacit knowledge have a major advantage. As a result, most of the people with the background for large-scale, distributed machine learning and data analysis are being drawn to the US.

I think it will be difficult for Canada to compete. Innovation is unlikely to arise from those large firms (e.g., banks and insurance companies) or government agencies that have experience with traditional data analytics. Startups in Canada don’t have access to the scale of funding available in the US, and it doesn’t make sense for promising ventures to stay. This also affects human resources; while Canada has a few world-class statistics and computer science departments, the small number of industry-oriented PhD graduates from those programs will likely be lured south.

How effectively are federal and provincial privacy commissions protecting Canadians' personal data? What are some of their challenges?

MP: The effectiveness of Privacy Commissioners is constrained by the legislation we have in Canada, which defines their roles, and their budgets. I think they do the best they can but there are limitations and we should ask ourselves whether we our expectations are too high and whether we should rely too much on them. As for challenges, I suspect the answer varies depending whether you’re speaking about the public, private or healthcare sectors. Each has their own issues.

JW: I think they have had a lot of influence, but their effectiveness is circumscribed by their legal powers and budget. Given their limited resources, I think they have been quite effective at promoting awareness of privacy issues and investigating complaints. The federal commissioner has been particularly active in sponsoring relevant research. Apart from obvious challenges like resourcing, it is difficult to keep up with advances in technology. Another challenge arises from the fact that they have fairly limited powers to make orders or impose monetary penalties.

"Young people don't care about privacy" is a common retort to proponents of ethical and contentious data collection. Do you believe this to be true?

MP: True? Not at all. That is a general statement concerning a complex subject. How I define my “privacy interests” may be different from that of a 16-year-old. “Young people” may have different, more nuanced notions of privacy but they are there. And for both of us, our requirement/need for privacy evolves as we age. I tend to believe that privacy — in all its forms — is an inherent aspect of the human condition. If we don’t have it when we need it, we’re somehow less than human.

JW: A fair amount of empirical research has been done on this issue, and while there are some pessimistic results, it is clear that young people do care about privacy. However, privacy is ultimately a social norm that is expressed through a variety of practices in a surrounding social context. The way that people interpret and achieve privacy differs according to such factors as culture, communication modalities and individual preferences. I don’t think young people care less about their physical privacy, but they do differ from older generations in the way that they think about online privacy.

Denise Brunsdon is an IPilogue Editor, a Western University JD/MBA Candidate, and researcher for GRAND (Graphics, Research and New Media) Centre and Commercialization Engine.

The post An Interview with James Williams and Michael Power: Putting Privacy and Data Protection Under the Lens appeared first on IPOsgoode.

]]>
Dating Sites Scrape Internet for Women’s Photos, Including Those of Deceased /osgoode/iposgoode/2013/12/05/dating-sites-scrape-internet-for-womens-photos-including-those-of-deceased/ Thu, 05 Dec 2013 15:30:13 +0000 http://www.iposgoode.ca/?p=23123 Dubious and likely illegal image scraping is alive and well. And outside of particularly public, harmful cases like Rehtaeh Parsons’ photo ending up on a dating site, few organizations or governments seem to be effectively coordinating to stop the practice. The internet is not a lawless wild west. Images on the internet are not automatically […]

The post Dating Sites Scrape Internet for Women’s Photos, Including Those of Deceased appeared first on IPOsgoode.

]]>
Dubious and likely illegal is alive and well. And outside of like photo , few organizations or governments seem to be effectively coordinating to stop the practice.



The internet is not a lawless wild west. Images on the internet are not automatically public property – copyright, personality rights and all other aspects of the law apply. This article will list out the most relevant areas of the law and then analyze the situations of international dating using Canadian headshots for dating or porn site advertisements according to the each legal point.

Relevant Canadian Law to Date – A Primer

Scraping in the Law

The issue of general material scraping arose in the 2011 Supreme Court of British Columbia case . The court struggled with defining scraping in order to apply the law to it. The judgment included the opinion of law Professor and copyright expert in explaining that scraping content was allowable if it was indexed and transformative. Indexing is a broad term for the interconnectedness of the internet through hyperlinks and meta data that web crawlers use for searching and organizing internet material. Because the judge found the scraping in the Century 21 case qualified as a form of indexing, the issue of whether scraping was transformative was not relevant to his decision. Professor Trosow’s comment directly quoted in paragraph 53 of the judgment remains helpful,

“The relevant question in my view is whether the materials are being utilized in a transformative manner in order to provide a usable and informative aid for the end-user searching for information about listings.”

The judgement includes a thorough legal summary of the concept of transformation – which I will summarize as any change that adds something new to the original expression, thus creating a new work. The concept is used primarily in American law, but was also referenced and described in the 2002 Supreme Court of Canadsacase, .

International Servers and the Law

The Supreme Court confirmed copyright liability for servers outside Canada. 2004’s stated, “A content provider is not immune from copyright liability by virtue only of the fact that it employs a host server outside the country.” This is a digital extension of of the ,

27. (2) It is an infringement of copyright for any person to […](b) distribute to such an extent as to affect prejudicially the owner of the copyright. […] a copy of a work, sound recording or fixation of a performer’s performance or of a communication signal that the person knows or should have known infringes copyright or would infringe copyright if it had been made in Canada by the person who made it. [emphasis mine]

Responsibility Regardless of Intent

The Small Claims Court of Yukon disregarded the “accident” defence in a 2012 digital website photo theft case that closely mirrors the Rehtaeh Parsons one at hand. A tour operator photo ended up on the website of its direct competitor. As stated by the Court in paragraph 12 of ,

“At the end of the day, it remains unclear how the plaintiff’s aurora photo found its way onto the defendant’s computer and website. However, it is not a defence to the present action that the copyright infringement was inadvertent. The plaintiff is still entitled to damages equal to the loss he suffered from the infringement."

Personality Rights and a Person’s Image

Identity exploitation is also a tort that is potentially relevant to photos on the internet. As I’ve outlined in a prior about a recent digital extension of personality rights,

The Ontario Court of Appeal’s 1997 decision outlined that the two requirements to satisfy the tort are identity exploitation for commercial purposes, and exploitation that clearly captures the personality of the plaintiff. The test for commercial purpose was solidified in 1996 in , which outlined the need for the likeness to be predominantly connected with the sale of the consumer merchandise.

At the root of this issue is the principle from the 1977 Ontario Supreme Court Decision that stated

". . . it is clear that Mr. Athans has a proprietary right in the exclusive marketing for gain of his personality, image and name, and that the law entitles him to protect that right, if it is invaded."

Photo Privacy in Quebec

is not within the digital sphere, but it is applicable as with regards to personality rights issues. Here in 1998, the Supreme Court confirmed, using the Quebec Civil Code and the Quebec Charter, that there is privacy infringement whenever an image is published without consent if the person is recognizable. It is unclear if such a ruling would hold Canada-wide, but it is a possibility.

Fair Dealing

The Canadian law provides for copyright violation in cases of fair dealing in .Research, private study, education, parody or satire, criticism or review, and news reporting are all justifications for works use that do not infringe copyright. Some recent court interpretations of fair dealing law were recently released by the Supreme Court in, and. Taken as a whole, they confirm a generous interpretation of fair dealing that asserts the user right as a defence. This is particularly true of the enumerated education principle, which has now been broadly expanded to more closely match the US’ fair use exemptions for academic institutions.

User Waivers from 3rd Party Photo Hosting

Some social media sites from which the photos are scraped require users to give up their personality or photo rights. There has yet to be a common law case in Canada or the US on the issue of personal social media site waivers. There are two closely related cases, decided divergently.

The 2012 US case , determined that website waivers are most valid when they require an affirmative acknowledgment of the contract. Conversely, in the 2011 Canadian case the Supreme Court of British Columbia determined that where there was an industry standard as such, proceeding into a website without express agreement could constitute a contract.

Application to Cases Like Parsons’

In my opinion, I don’t think dating or porn sites that use images of Canadian women have a strong legal case to defend themselves from potential legal action. Using the prior list of relevant legal issues, I will make a cohesive argument in favour of the Canadians whose images are used in these advertisings.

Scraping and the Law

The photos may be scraped off a prior website, but they are likely not indexed or hyperlinked to that prior website. The creators of these advertisements likely want there to be little link between the original source photo and the eventual advertisement featuring the photo. Thus, by the definition presented in Century 21, the photo reuse is a new type of non-indexed scraping.

Without indexing, the only remaining argument is transformative. The advertisement creators could argue that by adding in additional text – in the example of the Parsons case “"meet Canadian girls and women for friendship, dating or relationships” – that the addition is significantly transformative. I would argue that because the advertisement doesn’t change the photo, but just adds or overlays texts, the advertisement is arguably drawing attention to the original work rather than creating a new work.

International Servers and the Law

The Supreme Court statement from is helpful because it keeps open the possibility that Canadians whose photos are in circulation on any server around the world can potentially use the Canadian legal system to defend their rights. In the case of the Parsons dating site, which was based out of Vietnam, it means that Canadian courts could go after the Vietnamese infringers.

Responsibility Regardless of Intent

The case is an indicator of the direction courts might take in response to plaintiffs claiming ignorance. This is immensely important in regards to technology-based conflict. It’s important for court judges to demand parties in a conflict demonstrate a reasonable amount of understanding of and responsibility for their actions. In the case of dating site administrators, it’s my strongly held opinion that “I didn’t know it wasn’t okay to take photos of young women off the internet and put them in my Facebook ads” will not protect these parties as it is consistent with the general legal axiom that ignorance of the law is an unacceptable defence.

Personality Rights

Identity exploitation also presents a strong tort for Canadian victims of image scraping. To have one’s photo used in an advertisement without consent meets the Krouse and Gould threshold because the dating or porn site garners a commercial purpose. The advertisement facilitates traffic for new member signups on the porn or dating site. In the advertisement at hand, Parsons likeness is clearly captured; it is unmistakably her face.

Photo Privacy

Similarly there is a strong case when the precedent is considered. That said, there is a chance it might not hold for victims outside Quebec, as indicated by the use of Quebec-specific law in the judgment.

Fair dealing

It’s my opinion that image scrapers would be hard-pressed to find any fair dealing justification for their activities in either the Copyright Act or even Supreme Court decisions expanding user rights via fair dealing.

I don’t believe companies trolling the internet for photos – with software or by hand – have the protection of a fair dealing defence. Writ large, I feel the culmination of all recent, major copyright cases in Canada makes clear this principle of application; whether the fair air dealing exception is applied broadly or narrowly based on the public good or commercial profits accrued. The more public good provided, the more broad the fair dealing exception. The more commercial profits provided, the more narrow the fair dealing exception. By this broad, over-arching principle, the use of Canadians' images by dating and porn sites provide us little public good but do provide the site administrators profits. Instinctively, the companies using these images would face a more narrow application of the fair dealing exceptions.

But this conceptual analysis is insufficient to discard fair dealing altogether. To dig into the heart of this legal matter, the companies engaging in this behaviour would have to prove that their dealing falls within one of the enumerated principles of fair dealing, and then would have to prove, by a contextual analysis of the facts, that their dealing is fair in accordance with the six factors as elicited in :

  • the purpose of the dealing;
  • the character of the dealing;
  • the amount of the dealing;
  • the alternatives to the dealing;
  • the nature of the work; and
  • the effect of the dealing on the work

It is my opinion that it is unlikely for the analysis to surpass the first stage of the fair dealing test, as the dealing does not fit into any of the (research, private study, education, parody, satire, criticism or review, and news reporting). However, if it were to pass this stage of the fair dealing analysis, it is my opinion that a contextual analysis of the facts would result in a finding that no fair dealing exists in this case. I would arrive at this conclusion by arguing that there are legitimate alternatives to the dealing (models could be hired and photoshoots done by the advertisers), that the amount of the dealing is unfair (pictures are being substantially reproduced), that the character of the dealing does not support fair use (pictures are being used for commercial gain), and that the effect on the work is prejudicial (the images and the reputation of those pictured are potentially harmed).

User Waivers from 3rd Party Photo Hosting

Dating and porn sites may have a strong argument if they only scrape Canadians’ images from third party websites or social media networks with sign-up contracts that ask users to waive rights to their likeness. This legal reality may be unpopular in the court of public opinion. concerns about the tension between consumer rights and lengthy digital contracts. A movement is burgeoning to demand more proactive and legible terms to be disclosed to consumers. Services to of these contracts and rumours of apps in development to provide layperson translations to contract legalese showcase the problems that these contracts pose.

I would tend to agree. In my opinion, these contracts are unreasonable because they are extremely lengthy and overly legalistic. The majority of users are not able to understand these agreements, which is a big problem. It also points to potential invalidity due to the unconscionability doctrine.

To start, there are many seminal “ticket cases” in the UK that call into question contracts where one party does not adequately appreciate the terms of the contract such as the 1970 case . 


Similarly, Canadian contracts can be set aside for inadequacy of consideration or unequal bargaining power ( and ). contains a lengthy list of factors to consider in order to properly assess bargaining power: a plaintiff’s ignorance of business, illiteracy, ignorance of language of the bargain, blindness, deafness, illness, developmental disabilities, and other similar challenges. is another foundational case in Canadian unconscionability law. A more holistic approach to bargaining inequality, recently emerged in , where the Supreme Court said there is no definitive list of factors; courts should be alive to conditions of the parties circumstances, unique pressures and situational vulnerabilities. Meanwhile, focused on the “distress of the weaker”, and used the word “disparity” in its analysis of unconscionability.

Whether the highest ranking or recent cases lay out a definition of unconscionability that would cover third party website waivers is uncertain. I do believe – for some more-vulnerable users – our growing reliance on the largest social media sites and their ubiquity in our day-to-day lives may meet the power imbalance threshold required for unconscionable bargaining. The more users depend on a service for the function of their day-to-day lives, the more the potential for imbalance and disparity in bargaining power. Dependancy creates bargaining weakness.

Two Systemic Criticisms: Statutory & Social Failure

In my opinion, lack of political action and social concern are failing young Canadians who don’t want to show up in an advertisement for an online dating or porn site.

I. The Statutory Problem: Not Going After the Scrapers

There exist easy alternatives to image scraping. There are to access free images. Governments should take steps to protect individuals – both by demanding websites only accept advertising from companies who agree to ethical photo sourcing standards and by establishing a regime to police and crack down on scrapers. Scrapers operate with software and servers from countries around the world, so it would likely be necessary to create a global framework of international agreements to combat this activity. It would be onerous, but I believe it’s worth the work involved.

II.The Social Problem: Blaming the Photo Posters

In observing the aftermath, the Rehtaeh Parson’s case has caused a rash of victim blaming mirrored by that seen in many cases of sexual violence. For instance, the of the Parsons image scandal ended with an inappropriate call-to-action for increased conservatism in photo posting. A media professor from Queen's University says the unfortunate use of Parsons' image in an ad could be a "teachable moment" for parents trying to instruct their children to be vigilant about uploading photos to the internet.

"We are in a new day where people think that if they find something on the web it's free to use, and that's not necessarily the case," she says. "In this case, we're seeing the hurt that that can cause."

In another instance, the included a similar warning from the Ontario Privacy Commissioner.

"Ann Cavoukian, Information & Privacy Commissioner of Ontario, described what happened with Parsons’s image as a 'strong reminder that we can rarely control the use of our pictures once we share them online.[']

'The unfortunate reality is that people give out far too much information about themselves, believing that their information is ‘private’ and they are safe behind their screen. You are not!' Cavoukian said in an email statement to the Star.

'We all need to take steps to protect ourselves online, especially on social networks,' she added. 'Young people must be especially careful to consider the potential risks, and make it a practice to only post photos that they want everyone to see, including strangers and prospective future employers.[']

'If not, don’t post it!'"

Given that Canada has not acted to regulate against scraping of its citizens’ photos, it’s disappointing to me that the go-to response to the Parsons photo misuse was to tell people to be more careful about what they post online rather than condemn and go after the wrong-doers. I believe it’s a particularly insensitive approach when you consider the root of the Parsons case. Rape culture tells young women to avoid walking alone, to watch what they wear, and to restrict their own liberties in order to avoid sexual violence. Rarely does it focus on .


Here, where we should have a vigorous call to go after those social media sites and scrapers who expropriate and commoditize photos of young women, we are instead turning to young women and telling them to restrict the images they put online.

I conclude this post with , Rehtaeh’s mother, written in response to uncovering the dating site photo. It makes the link between photos and human rights better than I can.

"It is disgusting that even in death, my daughter's image is still being exploited. When I see these violations, whether it be the singles ad stealing Rehtaeh's photos -- or the people who contact me and to say negative things such as she should not have been drinking, she was a troubled teen, she was in the wrong crowd -- I sit back and reflect on the reality of who Rehtaeh truly was. Then I think: So what if someone is a troubled teen or was drinking -- as if their behavior or emotional state somehow give permission for others to abuse them."

Denise Brunsdonis an IPilogue Editor, a Western University JD/MBA Candidate, and researcher for GRAND (Graphics, Research and New Media) Centre and Commercialization Engine. She is also the social media volunteer at Sexual Assault Centre London.

The post Dating Sites Scrape Internet for Women’s Photos, Including Those of Deceased appeared first on IPOsgoode.

]]>
EA Loses Battle to Put Athlete’s Likeness in Video Game /osgoode/iposgoode/2013/08/13/ea-loses-battle-to-put-athletes-likeness-in-video-game/ Tue, 13 Aug 2013 14:32:39 +0000 http://www.iposgoode.ca/?p=22074 In a victory for athletes specifically, and proponents of personality rights generally, the US Ninth Circuit Court of Appeal has ruled against Electronic Arts (EA) in its use of former college quarterback Sam Keller’s likeness in the NCAA Football video game series. This news has costly implications for EA. EA’s primarily posited two arguments that […]

The post EA Loses Battle to Put Athlete’s Likeness in Video Game appeared first on IPOsgoode.

]]>
In a victory for athletes specifically, and proponents of personality rights generally, the US Ninth Circuit Court of Appeal has (EA) in its use of former college quarterback ’s likeness in the NCAA Football video game series. This has costly implications for EA.

EA’s primarily posited two arguments that the court ultimately found dissuasive. EA relied on the in terms of its basic right to create and distribute the video game. In response to Keller’s assertion of common law and civil code protection against the tort of appropriation of likeness – also known as the right of publicity – EA argued that the video game met the transformative use test, which allows the First Amendment to supersede publicity rights. Second, EA leaned on (“Strategic Lawsuits Against Public Participation”), claiming that Keller’s suit qualified as an attempt to punish EA for exercising its political rights. The court rejected these arguments.

Right-of-Publicity vs. First Amendment
California’s right-of-publicity is based in common law on , which supports a claim with these four conditions: use of the plaintiff’s identity, appropriation of that name or likeness to the defendant’s advantage, lack of consent and resulting injury. California validates this and adds that, in addition to “all the elements of the common law cause of action,” there must also be a "knowing use by the defendant as well as a direct connection between the alleged use and the commercial purpose.”

EA argued the transformative allowance, which allows the First Amendment to trump publicity rights if sufficient transformation has occurred between the original inspiration and the new work. EA argued that it had added significant creative change so that the players’ likenesses within the game were transformed to surpass existing as a simple imitation. In arguing this, they relied not on the transformation of the likeness per se, but in the concept of the game as a whole as sufficiently transformative. One judge dissented from the majority, agreeing with the "game-as-a-whole" transformation argument. The remainder, however, didn’t agree.

The majority argued that there was simply too much direct copying of Keller’s likeness to meet the transformation threshold. Indeed, there were many direct comparisons.

“In the 2005 edition of the game, the virtual starting quarterback for Arizona State wears number 9, as did Keller, and has the same height, weight, skin tone, hair color, hair style, handedness, home state, play style (pocket passer), visor preference, facial features, and school year as Keller.” (p. 7-8)

As was emphasized by Judge Jay Bybee, upholding the lower court decision,

“Keller is represented as ‘what he was: the starting quarterback for Arizona State’ and Nebraska, and ‘the game’s setting is identical to where the public found [Keller] during his collegiate career: on the football field’.” (p. 16)

Outside of the transformation argument, EA also posed the related argument that because the game maker included numbers but not thelast names on the in-game jerseys, the likeness threshold was not met. This argument received little traction. As the verdict found - and as one succinctly pointed out - EA “intentionally designs its sports games to allow gamers to circumvent this formality, providing a means to easily upload entire rosters of actual player names, after which player jerseys contain both the player’s number and name. Although EA could easily block this feature (as they do for profanity), they choose not to.”

The Anti-SLAPP Statute
California anti-SLAPP law is best summarized as an attempt to prevent suits that “masquerade as ordinary lawsuits but are brought to deter common citizens from exercising their political or legal rights or to punish them for doing so” ().

By siding with Keller’s publicity rights, the court inherently rejected the idea that Keller’s suit was a frivolous attempt to trample EA’s constitutional rights.

Canadian Application
Though there are many in Canadian appropriation of personality jurisprudence, our domestic requirements would have been met handily in Keller v EA.

The Ontario Court of Appeal’s 1997 decision Krouse v Chrysler Canada Ltd. outlined that the two requirements to satisfy the tort are identity exploitation for commercial purposes, and exploitation that clearly captures the personality of the plaintiff. The test for commercial purpose was solidified in 1996 in , which outlined the need for the likeness to be predominantly connected with the sale of the consumer merchandise. One example given in the verdict directly correlates to Keller v EA,

As a result, Elvis Presley posters, pewter replicas of a statue of Elvis Presley, a “Howard Hughes” game which included Hughes’ name and other biographical information, and a board game utilizing the names and biographies of famous golfers, have all been found to infringe the right of publicity: see Presley, supra, p. 1358. All were found to be commercial products which were not vehicles through which ideas and opinions are regularly disseminated. (para 21) (Emphasis author's own.)

Thus, there isnot much doubt that in a Canadian context, the case would have been similarly decided.

Analysis and Opinion
There are two particularly unsettling components of this case: that it took the courts so long to come to this fair decision, and that even with it, there was still a dissenting judge who supported the transformation argument.

This decision is fair based on the reasons argued, but it is also intuitively fair in my opinion because of the lack of options afforded to the individual players. NCAA bylaws prevent college athletes from receiving compensation for their skill or status. This means they can’t sign endorsement deals or barter away their likenesses, even if they wanted to do so. Yet, at the same time, the NCAA is signing exclusive rights deals with video game makers like EA in order to create these profitable NCAA league video game franchises. The likeness appropriation is clear, as is the commercial motivation. Quite simply, the system was designed to exploit the players. Keller and the co-plaintiffs made the right decision in suing.

Finally, arguing that the game was sufficiently transformative in its whole so as to override the individual identity infringement is a difficult pill to swallow. Yes, it is a video game. Yes, there are ways to alter and change certain characteristics of the game. Yes, there are no last names on the jersey. Yes, there are many potential arguments that amplify the differences between IRL (in-real-life) Keller and video game Keller. But at the end of the day, they are all attempts to create legal loopholes to avoid the ultimate truth: a company does not have the right to profit from a person’s identity without permission. The transformation allowance is meant to be more substantive and rights-protective in its application. It is gratifying to see the court reject EA’s attempt to use the First Amendment’s transformation allowance to override personality rights, because to do so would have been an insult to both crucial legal concepts.


Denise Brunsdon is an IPilogue Editor and a JD/MBA Candidate at Western University.

The post EA Loses Battle to Put Athlete’s Likeness in Video Game appeared first on IPOsgoode.

]]>
Are Instagram Users Starting to See the Big Picture? /osgoode/iposgoode/2013/01/14/are-instagram-users-starting-to-see-the-big-picture/ Mon, 14 Jan 2013 20:49:24 +0000 http://www.iposgoode.ca/?p=19643 What follows is a cautionary tale, reminding users that it might be wise to read the terms presented on your computer screen before clicking “I Agree”. Instagram, Twitter, Pinterest and Facebook. All 4 are some of the world’s largest social media services. These services, and others like them have been gaining more and more traction […]

The post Are Instagram Users Starting to See the Big Picture? appeared first on IPOsgoode.

]]>
What follows is a cautionary tale, reminding users that it might be wise to read the terms presented on your computer screen before clicking “I Agree”.

Instagram, Twitter, Pinterest and Facebook. All 4 are some of the world’s largest social media services. These services, and others like them have been gaining more and more traction as the number of internet users increases worldwide. However, as Instagram users, users might be unwittingly allowing these services to use not only the information they post but the content they share using these services. In December, Instagram proposed changes to their Terms of Use policy that seemed to give Instagram the ability to use and sell users' posted content and information without additional compensation to the user in question.

Once this became widespread knowledge online, the was almost unanimous. In an attempt to mitigate the public relations backlash, Kevin Systrom – co-founder of Instagram – attempting to clarify what the new terms meant and stating that the particularly offending terms would be removed when the new Terms of Service and Privacy Policy document came into effect on January 19th, 2013.

A news story such as this brings to the forefront a number of issues that have economic, legal, technological, and privacy-related implications. An in-depth discussion on these topics would provide enough material for a term paper (or two), so the following will be a brief outline on the major discussion points that law makers, service providers, and users should keep in mind as they move into the future.

The first consideration is that consumer contracts, such as the Terms of Service (also seen in forms such as the End User Licence Agreement), have been held as valid contracts by the US and Canadian courts in such cases as and . These cases dealt with shrink-wrap licensing – a practice used by a number of software manufacturers in the past in which a person opening the product packaging would be found to have agreed to the terms of use contained therein. While most social networking sites such as Instagram have users agreeing to terms by the use of click-wrap licensing (users agree to the terms by clicking “I Agree”), the same principles apply and courts have found these consumer contracts equally valid in most circumstances.

While consumer contracts like Terms of Use and End User Licence Agreements are ubiquitous in the digital age, how many people actually read and understand them before accepting is an interesting question. Typically, creation of a contract requires a “meeting of the minds”. In the context of these types of contracts, having the opportunity to understand the terms but failing to do so will still result in a valid, binding contract if the terms are agreed to. While this hardly seems to be the “meeting of the minds” that is normally required, taking this approach allows for efficient contracting between the public and corporations. Some could argue that the beneficial economic reasons for finding these agreements enforceable validates the approach and that individuals must take responsibility for the agreements to which they agree. However, the reality is that the majority of the public accepting these contracts would not understand the terms even if they took the time to read them (an action that is unlikely to happen in the first place). Many that click “I Agree” are crossing fingers with the other hand and hoping for the best.

In a way, this approach to contracting relates to the privacy issues that these types of social media services represent to the public. Many of these services are free and for many of them, the way they obtain revenue is through the information its users provide. Facebook has a page detailing – for example, the service can use your personalinformation to determine age-appropriate or interest-directed advertising. While some may be ok with this kind of a use, there are many that worry of the implications it has on their personal information. What if it is sold to companies that abuse it? What if it is stored in an unsecured manner and accessed by hackers (as happened to a number of Sony Online Entertainment users )? More importantly, if users are given a click-wrap licence that sign away their rights to privacy without exceptional notice to what the information they provide can be used for, we can begin to see why some may not agree that the current system is workable.

If nothing else, stories like these should show the general populace that it is important to read and understand the terms that computer software programs and online services offer to you, and as the age-old saying goes: if it’s free, it’s probably too good to be true.

Adam is a JD Candidate at Osgoode Hall Law School.

The post Are Instagram Users Starting to See the Big Picture? appeared first on IPOsgoode.

]]>
Defriend: Privacy Concerns are back in the Newsfeed /osgoode/iposgoode/2012/12/03/defriend-privacy-concerns-are-back-in-the-newsfeed/ Mon, 03 Dec 2012 14:25:06 +0000 http://www.iposgoode.ca/?p=19412 An Austrian student studying law in Silicon Valley has raised serious flags about Facebook’s lack of adherence to privacy law and disclosure regulation. Max Schrems usedEU privacy and personal data statuteto request his personal user data from Facebook international headquarters in Ireland. The first round of disclosure from Facebook wasvoidof much of the detailed information […]

The post Defriend: Privacy Concerns are back in the Newsfeed appeared first on IPOsgoode.

]]>
An Austrian student studying law in Silicon Valley has raised serious flags about Facebook’s lack of adherence to privacy law and disclosure regulation.

Max Schrems usedto request his personal user data from Facebook international headquarters in Ireland. The first round of disclosure from Facebook wasof much of the detailed information that the social network tracks. But more concerning was that when Facebook provided fuller user data,that Schrem had deleted from his profile, such as automatic tags or chat messages; this was information that Facebook was legally required to remove from its database.

Schrem then successfully encouraged thousands of other Europeans to demand their user records and launched the organizationto raise awareness of and funds for his fight to demand greater privacy and disclosure from Facebook.

Facebook responded with – or coincidentally announced – proposed updates to its Data Use Policy and governance procedures under a letter posted in the Facebook Newsroom from Elliot Schrage, VP Communications, Public Policy and Marketing.

The letter, titled “”, allowed for user comments until 9 AM PST on November 28, 2012. In terms of privacy, the letter calls out pro-privacy and pro-disclosure changes like their new “Ask the Chief Privacy Officer” page, Facebook “Live Events” to answer privacy questions and additional Data Use Policy updates such as reminders “about what’s visible to other people on Facebook.” In terms of governance, the proposed changesuser voting rights.

Both sets of changes stimulated backlash. The privacy changes inspired aof pseudo-legalese that users seemed to believe would protect them from privacy and copyright breaches by Facebook. The removal of member voting rights sparked uproar byandalike.

Putting aside the red herring that is disenfranchisement (a right that few people used anyway), the lack of substantive privacy and disclosure remains troubling.

The privacy changes put forward by Facebook are cosmetic and unnecessarily security-centric. In short, they are retail politics. As Schrems and those coalescing around him will tell you, users don’t need Facebook to protect them from privacy breaches by other citizens, they need governments to protect them from privacy breaches by Facebook.

The question for Canadians is whether, like the EU, we are entitled to request access to the full gamut of information collected about us, and whether sites like Facebook are obligated to purge information that we have chosen to delete.

Though slow andfreedom of information acts andgenerally guarantee that government organizations provide information to citizens on demand. Private institutions like Facebook are not subject to these requests.

The(PIPEDA) was constructed in a pre-Facebook world and focuses more on preventing an organization from releasing information about a citizen than it does laying out the depths to which an organization is obligated to provide information to citizens about their individual profiles on request.

Similarly, S.9 of PIPEDA prevents the release of personal information if doing so would reveal personal information about a third party. In the world of social networking, how many degrees of separation in Facebook data sufficiently satisfies this requirement, and could Facebook lawyers use this as a shield to prevent requests by Canadians to view their profile information?

PIPEDA establishes the Privacy Commissioner as the ombudsperson for complaints and concerns, but the Privacy Commissioner’s office seems slow to grasp the technologies of and data amalgamated by Facebook.from the office shows they remained distracted by the same shiny security and retail politics material that populated the recent Facebook Newsroom post from VP Schrage.

Luckily, the Information and Privacy Commissioner is decidedly more in tune with privacy and disclosure needs, as evidence by last month’s white paper.

Unfortunately, no wealth of suggestions from either privacy commissioners will fill the gap between the EU and Canada in terms of legal tools available to hold Facebook to account for what personal information it retains, for how long or how much it should disclose to users.


Denise Brunsdon is a JD/MBA Candidate at Western University.

The post Defriend: Privacy Concerns are back in the Newsfeed appeared first on IPOsgoode.

]]>
Bullying and Balancing Rights in AB v Bragg Communications /osgoode/iposgoode/2012/11/16/bullying-and-balancing-rights-in-ab-v-bragg-communications/ Fri, 16 Nov 2012 19:50:44 +0000 http://www.iposgoode.ca/?p=19311 Recently Canada is engaged in national dialogue about online bullying in the wake of Amanda Todd’s suicide. One aspect being discussed is what role the law should play in protecting victims of bullying. Should new legislation be enacted, like the NDP’s proposal for a national anti-bullying strategy or should changes to the law be left […]

The post Bullying and Balancing Rights in AB v Bragg Communications appeared first on IPOsgoode.

]]>
Recently Canada is engaged in national dialogue about online bullying in the wake of . One aspect being discussed is what role the law should play in protecting victims of bullying. Should new legislation be enacted, like the NDP’s proposal for a or should changes to the law be left to the courts?

In late September the Supreme Court of Canada released AB v Bragg Communications Inc,, rev’d , rev’d in which a teenager sought to unmask her cyberbullies in order to pursue a defamation action, while preserving her own anonymity. At issue was the appropriate balance between the freedom of the press and open court principles on the one hand, and privacy and protecting children from cyberbullying on the other. This case is a good overview of what legal recourses are currently available to victims of online bullying and outline some of the difficulties they face in pursuing them.

In 2010, at age 15, A.B. discovered someone had created a fake Facebook profile of her, with a modified version of her name, a picture of her and other identifying details. On the profile were disparaging comments on her physical appearance as well as intimate and sexually explicit remarks. Within the month, the profile was taken down (interestingly, none of the judgments explain how this was done).

A.B., along with C.D., her father as litigation guardian, brought an application under Nova Scotia’s Civil Procedure Rules, NS Reg 370/2008 for an order for the internet service provider Eastlink to disclose the identity associated with the IP address which had created the fake profile in order to bring an action for defamation. Facebook had already supplied the IP address that created the profile and A.B. now sought to link it to an individual. This type of discovery mechanism is similar to the common law order outlined in Norwich Pharmacal Co v Comrs of Customs and Excise, [1974] AC 133 (HL) (discussed by IP Osgoode and ). For the order to be granted, the plaintiff must establish a prima facie defamation case.

In addition to the disclosure order, A.B. also requested a publication ban on the contents of the profile and her name. Eastlink, which is owned by Bragg Communications, did not oppose the motion at any level of trial. However, the publication ban caught the attention of The Halifax Herald and Global Television who intervened in opposition of the publication ban on the basis of the open court principle and freedom of expression. The trial judge found that A.B. had established a prima facie defamation case but he stayed the disclosure order until A.B. used her real name or an appeal allowed her to proceed anonymously. He reasoned that a publication ban would limit public awareness about the bullying that occurs on social networks and only an informed public can demand an issue be addressed. Furthermore, A.B. did not show that she would be specifically harmed by publication, especially since the profile had since been taken down [31-37]. The Court of Appeal agreed and focused on how defamation is an action for damage to the plaintiff’s reputation and the public nature of the action is part of how a reputation is restored and anonymity would be incompatible with this process [80-85].

Justice Abella, writing for a unanimous Supreme Court, found that when balancing between the open court principle and the privacy rights of A.B., harms to children can be determined objectively in the context of sexualized cyberbullying. This overturned the previous rulings which required that A.B. discharge the onus to demonstrate she would be specifically harmed by publication. The court had no trouble inferring that cyberbullying is harmful [20]. In doing so, the court lowered the burden of a plaintiff trying to unmask a bully. Having found that preserving A.B.’s anonymity was minimally intrusive upon freedom of expression, the Supreme Court did not find it necessary to keep the contents of the Facebook profile from publication provided it was not linked to A.B.

On balance, the court focused on the special circumstances of children who are bullied anonymously online and made it slightly easier for them to unmask their tormentors without fear of having to relive the bullying through the media coverage linked to their name. The court rightly focused on how the ability to proceed anonymously would increase the likelihood of a child protecting him or herself using the court system [25].

Even though the court lightened the burden of a young plaintiff seeking redress against cyberbullying, this case highlights the limits of the law. To respond to a Facebook profile created in minutes, the victim has no recourse to unmask their tormentor faster than the court system, which gets there, but not quickly—in this case about two and a half years.

Kalen Lumsdenis a JD candidate at Osgoode Hall Law School and is currently enrolled in Osgoode’s Intellectual Property Law and Technology Intensive Program. As part of the program requirements, students are asked to write a blog on a topic of their choice.

The post Bullying and Balancing Rights in AB v Bragg Communications appeared first on IPOsgoode.

]]>
Sony's New Terms Of Service Seek To Eliminate Class Action Threat /osgoode/iposgoode/2011/10/03/sonys-new-terms-of-service-seek-to-eliminate-class-action-threat/ Mon, 03 Oct 2011 18:24:11 +0000 http://www.iposgoode.ca/?p=13944 Brent Randall is a JD candidate at the University of Ottawa. After a very difficult summer regarding the security of the personal information of Sony customers, the technology company has chosen to protect itself from class action litigation in the future. In the Terms of Service (TOS) for the company’s Playstation Network, which is where […]

The post Sony's New Terms Of Service Seek To Eliminate Class Action Threat appeared first on IPOsgoode.

]]>
Brent Randall is a JD candidate at the University of Ottawa.

After a very difficult summer regarding the security of the personal information of Sony customers, the technology company has chosen to protect itself from class action litigation in the future. In the Terms of Service (TOS) for the company’s Playstation Network, which is where the much-publicized security breaches began, Sony has included a clause waiving a user’s right to file a class action lawsuit.

At the end of April of this year, it was that may have compromised the personal information of up to 77 million users. Over the , Sony stated that Sony Online Entertainment, Sony Ericsson customers, and the Sony Pictures website all were victims of hackers as well, increasing the amount of sensitive data that was potentially stolen. A class action lawsuit was , with the possibility of costing the company billions of dollars. In an attempt to prevent such major litigation from happening again, .

The terms appear when a user attempts to access the Playstation Network to play games online or purchase media from Sony. The new TOS to users as a means of settling disputes. If a user wants to opt out of the binding arbitration and , they must send a letter to Sony headquarters stating their intention.

The important aspect of this situation is whether this new TOS is completely enforceable if people . There are many classic contract law cases that speak to alleged parties to an agreement not adequately appreciating the terms as seen in “ticket cases” like The Supreme Court of British Columbia on September 2, 2011 also recently took on a sort of “modern ticket case” in . In that case, the Court decided that simply accessing a website can automatically bind a user to the site’s terms of use ( of that case).

Whether Sony’s new terms are adequately expressed and what difference the digital context may have are questions that will surely be considered by a court or government body soon. As the “ticket cases” show, the amount of notice expected to be given is proportionate to how onerous the provisions are. How onerous is a clause forcing all disputes to be brought to arbitration rather than by class action? If another mass security breach were to hit Sony, this question may be answered differently than if only a few people encounter rare problems.

When it comes to the enforceability of Sony’s TOS, the company is relying heavily on the behaviour of AT&T. On April 27, 2011, the United States Supreme Court decided the case of . In a 5-4 decision, the Court ruled that AT&T’s cell phone contract excluding class action lawsuits was acceptable under the , despite state laws specifically finding such clauses unconscionable. A that the change to its TOS was made based on the Supreme Court decision, stating that the new TOS “is designed to benefit both the consumer and the company by ensuring that there is adequate time and procedures to resolve disputes.”

Canada recently looked at the enforcement of similar arbitration clauses in telecommunication contracts when the Supreme Court of Canada decided (you can find ). The Court reviewed the arbitration clause in light of consumer protection legislation and stopped short of deciding whether class action waivers were unconscionable.

It is safe to say that we have not heard the last of Sony’s new terms of service. Either a court, consumer protection agency or other body will be considering the impact of the new clauses. Given the US Supreme Court's decision in AT&T Mobility, the last word on the issue may have been said, at least for now. Here in Canada, however, there is still room for the Supreme Court of Canada to weigh in and when it does, it will undoubtedly be informed by the way the issue has unfolded in the United States.

The post Sony's New Terms Of Service Seek To Eliminate Class Action Threat appeared first on IPOsgoode.

]]>
OIPC Annual Report Calls For A “Proactive” Approach To Privacy Protection /osgoode/iposgoode/2011/06/04/oipc-annual-report-calls-for-a-proactive-approach-to-privacy-protection/ Sun, 05 Jun 2011 02:50:19 +0000 http://www.iposgoode.ca/?p=12659 Michael Gilburt is a JD candidate at Osgoode Hall Law School. On May 17, 2011, Ontario’s Information and Privacy Commissioner (OIPC) Dr. Ann Cavoukian released her Annual Report on the state of privacy protection in Canada. The Report articulated a clear message to public and private institutions: “be proactive” in protecting personal information and online […]

The post OIPC Annual Report Calls For A “Proactive” Approach To Privacy Protection appeared first on IPOsgoode.

]]>
Michael Gilburt is a JD candidate at Osgoode Hall Law School.

On May 17, 2011, Ontario’s Information and Privacy Commissioner (OIPC) Dr. Ann Cavoukian released her on the state of privacy protection in Canada. The Report articulated a clear message to public and private institutions: “be proactive” in protecting personal information and online privacy.

Dr. Cavoukian that a reactive approach to privacy protection, which relies on “legislation meant to safeguard privacy,” will not keep pace with “the flow of information and advances in technology.” As such, the Report calls on institutions to embed “default privacy and access within processes and technologies from the outset” in order to avoid privacy breaches and inefficiencies caused by requests for government-held information.

Dr. Cavoukian has characterized her proactive model for privacy protection as The Report suggests that Privacy by Design be used as a standard to assess all new products, technology or services. For instance, the standard would require a firm to request access to customer information and clearly explain how the data will be appropriated. By doing so, it is that firms will mitigate risk and revisit assumptions about how much personal information is necessary for the system to operate effectively. The end result, according to Dr. Cavoukian, will be a “doubly-enabling, positive-sum, win/win relationship."

In support of the Privacy by Design approach, the Report highlights two case examples. The first involves the to embed privacy protection into their smart grid. The Corporation integrated a number of due diligence requirements into the initial planning stage in order to refine what customer information must be gathered and to design systems to protect the data.

A second case example was drawn from the Ontario Lottery and Gaming Corporation, which incorporated a privacy-protecting mechanism into its biometric facial recognition system (which is used to identify individuals who are banned from entering gambling institutions). If no match is found, the facial image is automatically deleted from the database.

The Report also highlights a number of key privacy policies in need of reform. Two salient issues include the protection of personal health information on mobile devices and the issue of standardizing the cost of health record access. The latter issue has been the subject of prior advocacy by Dr. Cavoukian, who has to establish a benchmark for access fees.

It appears that Dr. Cavoukian’s message has extended beyond Canada. The Privacy by Design concept has and was recently adopted as a resolution by the International Data Protection and Privacy Commissioners Conference. This summer, the OPIC intends to release a whitepaper on how a utilities provider in Germany has incorporated Privacy by Design principles into its organizational practices.

The post OIPC Annual Report Calls For A “Proactive” Approach To Privacy Protection appeared first on IPOsgoode.

]]>
Privacy Commissioner and Others Up In Arms about Sony PlayStation Network Hack /osgoode/iposgoode/2011/05/06/sony-playstation-network-hack-prompts-flurry-of-activity-and-response-from-canadian-privacy-commissioner/ Fri, 06 May 2011 17:00:15 +0000 http://www.iposgoode.ca/?p=12083 Matt Lonsdale is a JD candidate at Dalhousie University. On April 20th, 2011, disappointed gamers discovered they could no longer connect to the PlayStation Network. While Sony initially blamed the outage on technical problems, it was later revealed that the service had been deliberately hacked. The incident has sparked a flurry of activity among government […]

The post Privacy Commissioner and Others Up In Arms about Sony PlayStation Network Hack appeared first on IPOsgoode.

]]>

Matt Lonsdale is a JD candidate at Dalhousie University.

On April 20th, 2011, disappointed gamers discovered they could no longer connect to the PlayStation Network. While Sony initially blamed the outage on technical problems, it was later revealed that the service had been deliberately hacked. The incident has sparked a flurry of activity among government officials, law enforcement, politicians and private citizens.

The PlayStation Network is an online service, which allows owners of Sony's Playstation 3 game console to play multiplayer games, stream movies and purchase new content. The perpetrators had gained access to a database containing a wealth of personal information on PlayStation Network's customers. Qriocity, a music and video streaming service owned by Sony, was also affected by the attack.

While the extent of the breach is not known, the database accessed contained the personal information of over 75 million PlayStation Network users. In an dated April 27, 2011, Sony wrote, “we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID”. Credit card data was encrypted and stored in a separate database. While there is no evidence that this information was accessed, Sony has .

Sony's customers were understandably angry about the breach. In response to this, the US-based Rothken Law Firm has , alleging that Sony “failed to take reasonable care to protect, encrypt, and secure the private and sensitive data of its users”. The lawsuit seeks information about the breach and Sony's data security practices, as well as monetary compensation for affected users.

As might be expected in today's privacy-conscious world, the breach has also received significant attention from government. The attack itself is being investigated by the FBI's cybercrimes unit in San Diego. A US House of Representatives subcommittee, as part of a hearing entitled, “The Threat of Data Theft to American Consumers”, submitted to the Chairman of the Board of Directors of Sony Computer Entertainment America. Britain's Information Commissioner's Office has also been in contact with Sony and is investigating whether the privacy laws of that county have been violated.

In Canada, the office of the Privacy Commissioner was not by Sony. Office spokeswoman Valerie Lawtwon wrote that "We are currently looking into this matter and are seeking information from Sony... [W]e will determine next steps once we have a full understanding of the incident." The does not place an obligation on organizations to report incidents of this kind to the Office of the Privacy Commissioner. However, Schedule 1 of that Act does contain a number of principles which organizations are expected to adhere to, including the implementation of “procedures to protect personal information”. Sony has that all personal information was protected by a sophisticated security system, although unlike credit card data, personal information was not encrypted. On May 4, 2011, just two weeks after the breach, Privacy Commissioner, Jennifer Stoddart, at the Canada 3.0 conference calling for Parliament to grant the Office the ability to levy substantial fines against organizations. She expressed dismay that Sony had not notified her office of the breach, "I have come to the conclusion that the only way to get some corporations to pay adequate attention to their privacy obligations is by introducing the potential for large fines that would serve as an incentive for compliance".

The post Privacy Commissioner and Others Up In Arms about Sony PlayStation Network Hack appeared first on IPOsgoode.

]]>