cybersecurity Archives - IPOsgoode

44th Global Privacy Assembly Leads To Resolutions On Facial Recognition Technology And Cybersecurity (IPOsgoode, 21 Nov 2022)

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on November 16, 2022.


On October 28, 2022, the Office of the Privacy Commissioner of Canada (the OPC) announced that data protection authorities around the world had endorsed resolutions on facial recognition technology (FRT) and cybersecurity at the 44th Global Privacy Assembly (GPA) in Istanbul, Türkiye.

The GPA is an international forum where data protection and privacy authorities from more than 130 countries meet to discuss privacy matters of interest and coordinate efforts on an international scale. The theme of the public portion of the event was, “A matter of balance – Privacy in the era of rapid technological advancement”.

During the conference, the GPA members adopted a resolution on the use of facial recognition technology, which outlined a series of principles and expectations that they would promote to external stakeholders, assess in real-world application, and report back on. These principles require an organization to do the following:

  1. Lawful basis: have a lawful basis for collecting and using biometrics;
  2. Reasonableness, necessity and proportionality: demonstrate the reasonableness, necessity, and proportionality of their use of FRT;
  3. Protection of human rights: assess and protect against unlawful interference with privacy and other human rights;
  4. Transparency: ensure that the use of FRT is transparent to affected individuals and groups;
  5. Accountability: include clear and effective accountability mechanisms for the use of FRT; and
  6. Data protection principles: ensure that FRT is used in a way that respects all data protection principles.

The GPA also saw the adoption of a resolution for international cooperation in improving cybersecurity regulation and understanding the harms that result from cyber incidents. As part of this resolution, the endorsing GPA members would take steps to understand the responsibilities of data protection authorities regarding cybersecurity, and explore possibilities for international cooperation amongst members to avoid duplication in investigations and other regulatory activities.

OSFI Releases Final Version Of Guideline B-13: Technology And Cyber Risk Management (IPOsgoode, 15 Aug 2022)

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on July 27, 2022.


On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13: Technology and Cyber Risk Management (Guideline B-13), which describes OSFI’s expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks.

OSFI views the large increase of cyber incidents in Canada as an urgent call for FRFIs to bolster their technology and cyber risk management practices. Guideline B-13 is OSFI’s answer to this call and provides a flexible, principle-based regulatory framework for FRFIs to strengthen their cybersecurity posture with strategies that account for their size, nature, scope, and complexity.

Guideline B-13 is the final result of an extensive consultation process that started in September 2020 and included an initial draft Guideline B-13 in November 2021, as previously reported by the E-TIPS® Newsletter. The final Guideline B-13 takes a more streamlined approach than the previous iteration and is organized around three “domains” as opposed to the first draft’s five-domain structure. Each domain sets out specific outcomes for FRFIs to achieve in order to align with OSFI’s expectations:

  1. Governance and Risk Management: Technology and cyber risks should be governed by clear accountabilities and structures, and by comprehensive strategies and frameworks.
  2. Technology Operations and Resilience: The FRFI has a technology environment that is stable, scalable, and resilient. The environment should remain current and supported by technology operating and recovery processes that are “robust and sustainable”.
  3. Cyber Security: Guideline B-13 requires the FRFI to implement a technology posture that maintains the confidentiality, integrity, and availability of its technology assets.

Guideline B-13 is set to come into effect on January 1, 2024, which gives FRFIs time to review the framework and ensure that they meet compliance.

Bill C-27: Canada Introduced Its First Legislation on the Development and Use of Artificial Intelligence in the Private Sector (IPOsgoode, 11 Aug 2022)

Tianchu Gao is an IPilogue Writer and a 1L JD Candidate at Osgoode Hall Law School.


On June 16, 2022, the Canadian government tabled “An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.” The Bill aims to strengthen the privacy framework for the private sector in Canada through the enactment of three pieces of legislation—the Digital Charter Implementation Act (DICA), the Consumer Privacy Protection Act (CPPA), and the Artificial Intelligence and Data Act (AIDA).

Bill C-27 is the successor to Bill C-11, the Digital Charter Implementation Act, which was introduced in November 2020. Unfortunately, it did not proceed past the Second Reading stage despite strong support from the business community. Bill C-27 is largely a re-working of Bill C-11, as a significant portion of the Digital Charter Implementation Act (DICA) and the Consumer Privacy Protection Act (CPPA) remains intact. A detailed comparison between the two bills is available.

An entirely new section of Bill C-27 is the Artificial Intelligence and Data Act (AIDA). This section aims to regulate the development and use of artificial intelligence systems in the private sector. If AIDA is enacted, Canada would be the only jurisdiction, besides the European Union, to draft legislation that directly addresses the regulation of AI.

AIDA is very broad in scope, with respect to both the definition of AI and the range of people obliged to abide by the Act. It does not set out specific prohibited practices and seems to contemplate a distinction only between high-risk systems and all other AI systems. Compared to the EU’s 2021 proposal for an Artificial Intelligence Act, AIDA is “considerably less elaborate” and “proposes to leave many salient matters to regulation,” according to cybersecurity professionals.

The legislative purposes of AIDA are, per s. 39.4:

(a) to regulate international and interprovincial trade and commerce in artificial intelligence systems by establishing common requirements, applicable across Canada, for the design, development and use of those systems; and

(b) to prohibit certain conduct in relation to artificial intelligence systems that may result in serious harm to individuals or harm to their interests.

AIDA aims to protect people from any potential harm brought by biased AI output, which is the output of AI systems that differentiate people based on prohibited grounds of discrimination.

AI systems identified as “high-impact” will undergo mitigation measures and ongoing monitoring for compliance. Despite the preliminary guidance from the federal government, it is largely the persons responsible for an AI system—including designers, developers, providers, and managers—who are responsible for these assessments and measures. There will also be higher transparency in both the intended and actual use of high-impact AI systems. Any material harm should be reported to the Minister of Innovation, Science and Industry. Under this act, an Artificial Intelligence and Data Commissioner will assist the Minister in monitoring company compliance.

Bill C-27, if passed, is sure to be a milestone in the development of legal regulations for AI. Many law firms have been closely monitoring this legislation’s progress since it was released. There are, of course, still many questions to be investigated, such as the potential chilling effect on innovation and the design of administrative penalties. The legislation will become clearer upon the second and third readings in the House of Commons and the subsequent regulations.

Government Of Canada Introduces Bill C-26 That Proposes To Enact The Critical Cyber Systems Protection Act (IPOsgoode, 3 Aug 2022)

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on June 29, 2022.


On June 14, 2022, the Government of Canada introduced Bill C-26, An Act Respecting Cyber Security, which would enact the Critical Cyber Systems Protection Act (the CCSPA) to establish a regulatory cyber security framework and improve baseline security for vital public systems and services.

The CCSPA will apply to certain classes of federally regulated entities (Designated Operators) that are involved in four priority sectors: finance, energy, telecommunications, and transport. It is proposed to address outstanding gaps in the current regulatory environment by allowing the Government to (i) designate critical Canadian services and systems and the parties responsible for their protection; (ii) ensure regulated parties are adequately protecting cyber systems and compel action in response to cyber threats; (iii) mandate the reporting of select cyber incidents; and (iv) ensure a cross-sectoral approach to cyber security.

To accomplish the Government’s goals, the CCSPA will impose new compliance and reporting duties on Designated Operators which, among other things, require them to:

  • establish a cyber security program that documents the protection plan for a critical cyber system;
  • mitigate supply chain and third-party service or product risks;
  • report cyber security incidents to regulators; and
  • keep compliance records.

The CCSPA provides the Governor in Council with enforcement powers to issue Cyber Security Directions (CSDs) that require Designated Operators to take certain suggested actions regarding the protection of a critical cyber system. CSDs may be accompanied by specific deadlines and failure to comply may lead to administrative monetary penalties or regulatory offences resulting in fines or imprisonment.

Cybersecurity Attacks—War of a New Era (IPOsgoode, 11 May 2022)

Tianchu Gao is an IPilogue Writer and a 1L JD Candidate at Osgoode Hall Law School.

Cybersecurity has become a major battlefield in the war between Russia and Ukraine. Even before Russia invaded Ukraine on February 24th, it had launched waves of cyberattacks on a range of important social sectors in Ukraine. The attacks in January focused on governmental websites. According to Ukrainian officials, Russia had taken down a number of Ukrainian government websites, including those of central institutions such as the Cabinet of Ministers and the Security and Defense Council.

By February, attacks had brought down the websites of Ukraine’s defense ministry, army, and two largest banks. Russia used a sophisticated attack that reached hundreds of computers from different organizations in Ukraine, including the defense, aviation, finance, and IT service sectors. Although Russia never officially admitted it, cybersecurity researchers believe that the Russian government is behind the groups that launched these attacks.

Quad9, a domain name system platform, detected a large volume of attacks against computers and phones in Ukraine on March 9th alone. According to one cybersecurity expert, Ukrainians are experiencing increasing numbers of phishing and malware attacks during the war.

The Ukrainian government responded to the attacks with support from NATO and the EU. The NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, collaborates with Ukraine to strengthen its national cyber security. The EU deployed a rapid-response team of ten cybersecurity experts from six different countries to help Ukraine mitigate the effects of the cyberattacks.

In addition to state actors, large private companies have lent Ukraine critical support. For instance, Microsoft is helping Ukraine with cybersecurity. It announced on April 7th that it had disrupted cyberattacks from Russia targeting Ukraine and organizations in the United States and Europe. Its representative claims that Microsoft has been able to observe Russia’s attacks on the Ukrainian government and infrastructure since the beginning of the invasion. Microsoft works closely with the Ukrainian government and other organizations to help them defend against the onslaught. Another example is SpaceX, a space exploration tech company. It provides civilians and tech companies in Ukraine with access to the Internet via satellite in rural or disconnected areas.

Private companies, especially tech giants, have been unprecedentedly active in interstate warfare. As cybersecurity becomes an increasingly important part of national security, big tech companies are likely to have more power and a higher level of involvement in global conflicts. While this change may benefit the public interest, it inevitably calls for more scrutiny and regulation.

Hackers aren't only in Movies?! The Rise of Ransomware Incidents in Canada and what Canadians can do about it (IPOsgoode, 17 Mar 2022)

Emily Xiang is an IPilogue Writer, President of the Intellectual Property Society of Osgoode (IPSO), and a 2L JD Candidate at Osgoode Hall Law School.

Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP who practices in the areas of intellectual property and information technology law.

This article was originally published with the OBA’s Information Technology and Intellectual Property Law Section.

The threat of cyber attacks is no longer restricted to TV shows and movies, with cyber security incidents like ransomware attacks becoming far more frequent in daily life. While the COVID-19 pandemic may have slowed many aspects of society, ransomware has seen a marked increase in recent years around the globe – and Canada is no exception.

THE GROWING RANSOMWARE THREAT

Ransomware incidents involve threat actors infiltrating an organization’s defenses and deploying malware to prevent the company from accessing its information. Though the specific tactic may differ between threat actors, users will ultimately find themselves unable to access vital data and key systems unless the organization pays a ransom to the threat actors, usually in the form of digital currency. During the incident, threat actors may also extract data from the company’s network, which can have serious privacy consequences for the organization and its customers. Not only will their data be in the hands of an unknown party, but in many cases, threat actors may threaten to publish the exfiltrated information online if the organization refuses to provide them with payment.

Ransomware saw record-breaking numbers last year. By the end of the first half of 2021, global ransomware attacks had increased by 151% as compared to the previous year, with ransom payments of up to CAD$48.4M being paid out to hackers. In Canada, the Canadian Centre for Cyber Security (the Cyber Centre) has knowledge of ransomware incidents that occurred over the course of 2021 (though it is important to note that the majority of ransomware attacks go unreported). Out of the known ransomware incidents that were reported to the Cyber Centre, more than half involved critical infrastructure providers. However, the Office of the Privacy Commissioner of Canada (the OPC) stresses that no organization is immune from an attack, as incidents of ransomware have occurred indiscriminately since 2020 in the not-for-profit, professional, financial, transportation, manufacturing, and retail sectors.

The increase in ransomware incidence and scope in recent years is partly attributed to the growing sophistication with which cyberattacks may now be conducted. A number of trends in ransomware have arisen and are rapidly changing the cybercrime landscape. For instance, ransomware-as-a-service (RaaS) is a model that allows developers to sell and/or lease ransomware to cybercriminals whilst being paid a percentage of the profit. These kinds of schemes allow an increased number of unskilled threat actors to get hold of sophisticated ransomware technology, while providing skilled attackers the opportunity to profit from the mass distribution of their work. The world has also seen an increase in victims of high-impact targeting, wherein more targeted attacks are being launched at supply chains and essential services in order to maximize potential victims and profits. For instance, many threat actors have leveraged the COVID-19 pandemic to aim at high-impact targets that have become especially vital in current circumstances, such as emergency medical services and law enforcement agencies. As stated by the chief information officer at UTHealth in Houston, “[a]ttackers [targeting hospitals] understand that we’re talking about life and death. There’s a great incentive to just pay and get the thing unlocked so we can treat patients.” In finding more opportune ways to breach vulnerable organizations, threat actors are demonstrating that their targeting schemes are becoming increasingly sophisticated, as well as strategic.

SEVERE FALLOUT FROM ATTACKS

Ransomware attacks may have far-reaching implications for company operations. On May 7th, 2021, American oil pipeline company Colonial Pipeline fell victim to a ransomware attack that immobilised several of its computerized equipment systems. As a result, operations for the largest fuel pipeline in the US were temporarily suspended, resulting in price spikes and fuel shortages for millions of Americans. Even more recently, global human resources company Ultimate Kronos Group (UKG) was also hit with a ransomware attack on December 11th, 2021, resulting in a worldwide shutdown of its cloud services. The incident impacted millions of users, with employees who relied on UKG’s cloud system reporting paychecks that came up short as their employers struggled to find alternative means for managing payroll. Kronos is known to serve tens of thousands of organizations – including half of the Fortune 100 – and more than 40 million people in over 100 countries every day, including businesses in Canada.

A CALL FOR ACTION

The Cyber Centre assesses that ransomware will continue to pose a threat to national security and economic prosperity in 2022. It also predicts that threat actors utilizing ransomware will likely become increasingly aggressive in their operations and targeting schemes. Similarly, the OPC recognizes the potential harm that can result from this type of attack and considers such incidents to meet the real risk of significant harm threshold under the Personal Information Protection and Electronic Documents Act. As part of an ongoing, national effort to mitigate the effects of ransomware and related cyber threats, organizations are urged to take this matter seriously and address it head-on by adopting proper security measures.

PREPARING FOR RANSOMWARE ATTACKS

Cyber Security Preparations

To assist organizations in their cybersecurity preparation, the Cyber Centre recently released a ransomware playbook (the Playbook) with guidance on how to defend against and recover from cyberattacks. It recommends that businesses implement cyber defence planning strategies, such as preparing multiple backup systems ahead of time. Backup systems provide organizations with a copy of their data, which can then be used for restoration activities in the wake of a ransomware attack. When developing a plan for implementing backup systems, it may be useful to consider how frequently and how extensively the data should be backed up, as well as where the backups will be stored. The Cyber Centre advises that backups stored online within the organization or on a cloud platform are more commonly susceptible to ransomware attack, while backup systems stored offline, in a separate physical location from the main business site and disconnected from its networks, offer the most protection against ransomware incidents.

In addition to preparing backups, the Playbook has details on different cyber security controls that can be implemented as part of the organization’s defenses. For example, having multi-factor authentication (MFA) in place on company devices may assist in thwarting threat actors. It may also serve to hinder threat actors from gaining full access to target systems in the event that they are successful in getting past initial IT defenses. In addition to MFA, businesses may want to consider having a system that can continuously monitor their network and establish an acceptable baseline of activity. This can be used to flag anomalies in activity patterns and sound the alarm when there is a potential risk to the organization.

Planning Ahead

Apart from having technical controls, it may be prudent to consider creating plans that serve as reference guides during ransomware incidents. The Cyber Centre recommends creating an incident response plan that is geared towards cyber defense strategy, including detecting and responding to an attack. The incident response plan can include the objectives, stakeholders, responsibilities, communication methods, and escalation processes that are involved in the response strategy. To formulate this plan, organizations may want to conduct a risk assessment of their assets and identify the potential consequences that would result from them being compromised, so as to discern the business’s response priorities. When drafting the incident response plan, it may be beneficial to keep the plan simple and flexible, so that it can be easily adapted to the circumstances of the actual event.

To complement the incident response plan, businesses could consider developing a disaster recovery plan that focuses on resuming operations after a ransomware incident. The Cyber Centre advises that an effective plan should identify the entity’s critical information (e.g. financial records, proprietary assets, etc.), the essential systems that are required for business continuity, and its most vital business functions. Once a plan is formulated, multiple trial runs should be conducted to determine potential areas for improvement.

More Options

In addition to the above ransomware-specific guidance, the Government of Canada’s cyber security certification program may offer insight for organizations looking to improve their cybersecurity foundation. This program is mainly aimed at small and medium-sized businesses, but welcomes enrolment from all organizations in Canada. As part of the program, businesses are required to adopt measures in certain baseline control areas that reflect industry-accepted best practices and target key considerations for the organization’s systems and employees. Furthermore, implementing these controls has the added benefit of fulfilling the prerequisites for the Government of Canada’s certification. The certification is valid for two years and can be displayed at the organization’s physical location and on its website to let others know that the business has met the standard.

CYBER INSURANCE

When preparing for ransomware attacks, organizations may want to consider how they would fund response efforts in the event that a threat actor manages to get through their defences. Even if a business is already insured, traditional insurance policies may provide limited or no coverage for cyber attacks. Reviewing one’s current insurance policy and acquiring adequate cyber coverage where it is lacking is a crucial step that should not be left out of any discussion on ransomware preparation.

MOVING FORWARD

In our current technological landscape, ransomware attacks and other cyber security incidents have unfortunately become a daily reality of doing business in Canada and around the world. In light of the rising threat, organizations are encouraged to approach the matter with equal tenacity. By taking the appropriate proactive measures, we can better safeguard our activities and mitigate the impact of ransomware attacks on our businesses.

The U.S. Department Of The Treasury’s Office Of Foreign Assets Control Releases Updated Advisory On Sanctions Regarding Ransomware Payments (IPOsgoode, 14 Oct 2021)

M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on October 13, 2021.

Ransomware attacks are on the rise, with the Federal Bureau of Investigation reporting a nearly 21% increase in reported ransomware cases and a 225% growth in associated losses from 2019 to 2020. On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory to highlight the sanctions risks associated with ransomware payments to malicious cyber actors and the proactive steps that companies can take to mitigate those risks.

OFAC has designated some malicious cyber actors in its cyber-related sanctions program and other sanctions programs to discourage payments of cyber ransom or extortion demands to these parties.

According to the advisory, U.S. persons are generally prohibited from engaging in transactions with those on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by country or region embargoes. Furthermore, any transaction that may violate the International Emergency Economic Powers Act (IEEPA), including a transaction by a non-U.S. person that causes a U.S. person to violate an IEEPA-based sanction prohibition, is also banned.

In response to sanctions violations, OFAC may hold such persons civilly liable even if they were unaware that the transaction was prohibited under sanctions laws and OFAC’s regulations at the time. OFAC’s Economic Sanctions Enforcement Guidelines describe the department’s enforcement policies, as well as mitigating factors that may be considered by OFAC, including:

  1. meaningful measures taken to improve cybersecurity practices and reduce the risk of extortion by sanctioned actors; and
  2. the reporting of ransomware attacks to government agencies and cooperation with law enforcement.

If those factors are present, OFAC’s resolution could be limited to a “no action” or a “cautionary” letter, rather than a public response. Businesses that fall under OFAC’s regulation should aim to revise their cybersecurity incident response plans to better align with the recommendations in the updated advisory.

Privacy Plight: Apple’s Proposed Changes & Consumer Pushback (IPOsgoode, 7 Sep 2021)

Natalie Bravo is an IPilogue Writer and a 2L JD Candidate at Osgoode Hall Law School.

In August, Apple made headlines by announcing a set of new child safety features. These new features are purported to expand protections for children through modified communication tools, on-device algorithmic detection within its apps, and Search guidance. Although protecting children as a vulnerable group should be of utmost importance to all, many security experts find some of these proposed changes troubling, as they may undermine the company’s longstanding reputation for privacy preservation and enable future security risks.

Over the years, Apple has cultivated a strong reputation as a privacy-focused company, and privacy is one of its stated core values. After all, its security and privacy designs are so powerful that Apple allegedly can’t access encrypted user data. In 2015, Apple CEO Tim Cook stated that while issues such as national security are important, Apple would not implement any technology which malicious actors could misuse as a backdoor to encrypted user data. Now, in 2021, Apple’s ironclad encrypted system has one exception.

As one of the changes, Apple intends to introduce photo-scanning technology for all users to identify any Child Sexual Abuse Material (CSAM). This well-intentioned technology is already widely used online to identify known explicit materials, including terrorist propaganda and other violent content. Some consumers worry that all their private images will be scanned in search of illegal content; however, Apple is not proposing that. The technology computes the hash of a file and matches it against a database of known hashes. If a certain threshold of known CSAM is found, barring false positives, then law enforcement is contacted. Strangely enough, Apple has noted that users can opt to disable photo uploads to iCloud, explaining that CSAM is only identified within its servers, and not on users’ devices. Some experts interpret this as

Some security experts expressed strong s over modified communication tools for children. Apple alleges that device software will detect any explicit content (not hashes) within a minor’s Messages conversations—a feature that can be turned on or off by a guardian. This will alert a parent if their minor has received any image that is flagged as explicit. This seems appropriate to allow some supervision to protect vulnerable children from online predators; however, the algorithms currently used to detect explicit images are . It is widely known that benevolent, non-sexual content, particularly , is consistently To add to this, child advocates worry about the possibility of minors in abusive households being monitored by such a faulty and algorithm.

Though is not a new concept, these changes will suddenly affect billions of consumers. It’s been reported that when a child, like any other user, experiences negative behaviour online, they . However, there is currently no way to report messages within Apple’s Messages application. After causing a tremendous stir in both the privacy and child advocacy communities, Apple that Messages scanning would only apply to those under 13, not teenagers, and have attempted to offer limited clarity on the new technologies.

Despite the changes, . Children need to be protected and prioritized in terms of technology experience, but their privacy matters too. It will be interesting to see the roll-out of Apple’s polarizing changes, particularly how they will affect Apple’s reputation and ecosystem security and if Apple will introduce any more changes moving forward as it responds to community concerns.

Cyber Horrors: Ransomware and You /osgoode/iposgoode/2021/08/12/cyber-horrors-ransomware-and-you/ Thu, 12 Aug 2021 16:00:34 +0000 https://www.iposgoode.ca/?p=37997

Photo by: (Unsplash)

Natalie Bravo is an IPilogue Writer and a 2L JD Candidate at Osgoode Hall Law School.

Do you ever get weird emails that are poorly veiled phishing attempts? Strange requests for payments? These phishing attempts are occurring more frequently, but they are just the tip of the ransomware iceberg. Cybersecurity breaches are a serious concern, and the ever-evolving technological landscape is an endless playing field for dedicated malicious actors. Widespread breaches exemplify the need for updated software and security policies across all sectors that use online services. With the pandemic and many working from home, these attacks are on the rise. The Canadian Centre for Cybersecurity reported that ransomware is an and

Many Canadians have not heard of , a malicious software (“”) that attacks computers by user files so that malicious actors can request monetary ransom to decrypt or unlock the files. These are typically, though not always, carried out by an unauthorized or unknown transfer of a Users may download and/or open a file that appears legitimate and unknowingly infect the operating system with malware. Accompanying ransom demands are usually requested in the form of Bitcoin due to the presumed anonymity of the transactions. The use of Bitcoin is rampant in these types of attacks – so much so that they have impacted (“K۰”) . Sometimes hackers . In a recent report, McCarthy Tétrault’s Cyber/Data Group estimated that Canadian organizations . Ransomware attacks damage more than finances, as they can also disrupt operations and corrupt or destroy sensitive data. During the pandemic, hospitals are of utmost concern. The click of an ad, a visit to a website, or a simple file download could put your data at risk.

In 2017, a high-profile ransomware attack named devastated various organizations worldwide. The automatically spread throughout networks and did not require users to open or download any files. It encrypted user files and demanded Bitcoin ransom payments to decrypt them. WannaCry targeted “end of life” or outdated versions of and exploited certain vulnerabilities within the software. Operating systems must be updated frequently to implement the security patches that prevent such exploits. However, updates for older computers are usually discontinued as technology progresses. Microsoft quickly released further following the mass attack. The international event was and reported to have impacted more than 200,000 computer systems and caused an estimated hundreds of millions to billions of dollars in damage. The WannaCry attack affected organizations such as factories, telecommunication companies, hospitals, governments, and delivery systems. Years later,

WannaCry was terrifying when it happened, but many more concerning high-profile cybersecurity attacks have occurred within the past year . Just imagine . Some alarming events in the past three months include the following:

  • In May 2021, the largest petroleum pipeline in the United States, Colonial Pipeline is reported to have been hacked via a . The password had access to the company’s internal network and was also unfortunately leaked on the dark web. The hackers utilized the credential to attack and extort Colonial Pipeline. The systems started to shut down and the ransom demanded was $4.4 million in payment. The company stated they had no choice but to
  • In June 2021, one of the largest meat producers in the US, JBS made the difficult decision to pay the $11 million USD ransom in Bitcoin to resume plant operations.
  • On July 4th, 2021, the ‘,’ allegedly conducted by Russian-associated hackers REvil, hit during the US holiday weekend. Kaseya, a software firm, was targeted in the . Supply-chain attacks, in brief terms, involve compromising a trusted supplier, thereby sabotaging the distribution system that depends on it. The Kaseya attack largely affected US businesses, but Canada was also impacted. Between 800 and 1,500 organizations across the globe were impacted and essentially paralyzed. They demanded from affected users/companies and expressed some willingness to .

It is difficult to know what will happen next with technology, computers, and software. It is best to be proactive and cautious. I have compiled some tips, supported by and the , to help keep your data and your employer’s networks safe:

  • Check your computer(s) for updates frequently, and make sure your operating system is still receiving new updates.
  • Back up your data periodically and preferably offline. If you are targeted and your data becomes inaccessible, you will feel so much better knowing you had a back-up or two handy.
  • Make sure you are running a trusted anti-virus program; sometimes one is already installed on your computer.
  • Understand how to your data in the event of a breach and practice the recovery methods.
  • Keep your passwords safe and unique - reusing passwords is never a good idea.
  • Familiarize yourself with common types and methods of malware. You can find a handy list .
  • Contact your organization’s IT department whenever you see anything suspicious, just in case.

Stay safe, don’t interact with strange emails, and always update and backup if possible! Feel free to comment below any tips or advice you may have.

Intellectual Property of Software: Laws and Protections for Developers /osgoode/iposgoode/2021/07/05/intellectual-property-of-software-laws-and-protections-for-developers/ Mon, 05 Jul 2021 13:00:45 +0000 https://www.iposgoode.ca/?p=37665


Shannon Flynn is a Guest Writer and the Managing Editor of Rehack Magazine.

You may subscribe to the idea that after you craft something, creatively or professionally, it is automatically yours by right. That is not always the case; at the heart of legal ownership is intellectual property rights. IP is thrown around a lot in business, especially as it relates to software development and creative projects. But how do IP rights apply to software? In this article, I will explore what software engineers and developers need to know to protect their work in both the U.S. and Canada.

Deconstructing Intellectual Property Rights

Intellectual property rights can be broken down into four different types. Copyright protection covers many creative works, including computer programs, databases, technical drawings, and mobile applications. Developers should also consider acquiring software patents and trade secrets. Trademarks may also apply to protect the company’s names, symbols, and brand assets.

Ultimately, intellectual property rights refer to an intangible form of ownership over a creation or finished product (in this case, a software application). Patents, copyrights, trade secrets, and trademarks each offer a specific kind of protection for software.

Software Patents

In the United States, patents offer creators exclusive monopoly to manage an invention. Patent holders are free to produce, use and sell the item as they see fit. The trade-off is that they must describe their product in full detail to the U.S. Patent Office, which publishes this information publicly.

Unfortunately, “there is no legal or conclusive definition for a software patent.” This is because does not allow for the patenting of abstract ideas.

However, software patents can be obtained for systems, methods, algorithms, techniques, display presentations, UI features, and similar mechanics. They must be presented as new ideas with practical use and they must be “non-obvious.”

Copyright Protection

Copyright is probably the most important intellectual property protection for software.

Copyright protection complements patent protection. While patents protect the inner workings of a software application, as well as novel ideas and concepts, copyright protection extends to the manifestation of those ideas. It for literary, artistic, dramatic, or musical works. In other words, it covers the source code, creative elements, and UI and visual elements.

For example, consider if someone creates an application that allows users to rent out items they own to members of their local community. The underlying code and deployment of that application are protected under copyright law, along with the unique UI elements, visuals, and content. However, the idea itself, a rental app, can be copied by others without repercussions, so long as they do not use the same source code and content.

Trade Secrets

A trade secret refers to any medium discovered and maintained by the original owner that remains private and usually provides a competitive advantage. It can include but is not limited to formulas, recipes, patterns, devices, compounds, tools, processes, and mechanisms. There is no federal trade secrets law or statute in Canada. Instead, Canadian trade secret laws are or civil law.

There is no time limit on trade secrets, as they can be kept private forever. The only exception is if another party discovers them on their own, which is possible. Because they are hidden, trade secrets may only be stolen as opposed to being infringed upon.

Cybersecurity events pose a major risk as trade secrets may be stolen or required as collateral by the attackers. Not protecting trade secrets and intellectual property when working with other parties can have serious consequences, like the case with Aerojet Rocketdyne Holdings Inc. and its efense.

With software, trade secrets are kind of tricky. They might include proprietary code and the inner workings or ideas behind it. But if those ideas can be gleaned through reverse engineering, or someone independently discovers them, there is no legal redress.

Trademarks

Trademarks are designed to related to a business or venture. They are “concerned with a company’s need to identify its goods or services among its customers and potential customers.”

Trademarks protect a company’s name, domain, images, and product design elements. They must be registered to activate the legal protections. Some popular trademarks include Nike’s iconic check, Coca-Cola’s logo, and Disney’s Mickey ears.

In the software world, Microsoft’s Windows logo is an excellent example.

Open Source and IP

In the software development world, things can get confusing because of a few different practices. For example, open-source software and agreements can be difficult to navigate. Many open-source projects on repositories, , allow a community of creators to participate.

“When you tap into GitHub [...], you’re free to access any of the files hosted on the platform, and you can even use the content as you wish. You can download the code and use the resulting software, study it to better your own projects, or build upon and improve it to make the existing project better.”

However, releasing an open-source project does not necessarily forfeit intellectual property rights. There are different licenses to choose from, and the permissions granted to umbrella users must be followed closely. They must abide by licensing rules, or they .

Author versus Owner

When it comes to software, the author of various elements like code or visuals isn’t necessarily the legal owner entitled to intellectual property rights. This is a particular concern for employer-employee relationships, where developers work at a large company with dozens or even hundreds of others.

Unless it is otherwise stated, the employer owns what is . Even independent contractors must abide by a legally-binding contract unless they’ve negotiated rights ownership.

Section 13(1) of the "author of a work” is the first owner of the “copyright therein.” In addition, Section 13(3) of the Act stipulates that any works created under a "contract of service" by employees are owned by the employer.

Protecting Your Work

The best way to protect your work, secure intellectual property rights, and lock down trade secrets, where applicable, is to make sure you understand these concepts and how they apply to your project. If you’re working on a software application by yourself or with a small team, it will be your responsibility to protect your content and systems.

If you’re working for an employer, they likely already have protections in place, and you need to understand where you fit in. For instance, you probably do not own the rights to the content or code you are creating.
