Archive for the 'Cloud Computing' Category

Apple’s Liability for the Xcode Hack

.

By Richard Stobbe

I don’t think I’m going out on a limb by speculating that someone, somewhere is preparing a class-action suit based on the recently disclosed hack of Apple’s app ecosystem.iphone6_34fl_3_color_spaced_homescreen_landing.jpg

How did it happen? In a nutshell, hackers were able to infect a version of Apple’s Xcode software package for iOS app developers. A number of iOS developers – primarily in China, according to recent reports – downloaded this corrupted version of Xcode, then used it to compile their apps. This corrupted version was not the “official” Apple version; it was accessed from a third-party file-sharing site. Apps compiled with this version of Xcode were infected with malware known as XcodeGhost. These corrupted apps were uploaded and distributed through Apple’s Chinese App Store. In this way the XcodeGhost malware snuck past Apple’s own code review protocols and, through the wonder of app store downloads, it infected millions of iOS devices around the world.

The malware does a number of nasty things – including fishing for a user’s iCloud password.

This case provides a good case study for how risk is allocated in license agreements and terms of service. What do Apple’s terms say about this kind of thing? In Canada, the App Store Terms and Conditions govern a user’s contractual relationship with Apple for the use of the App Store. On the face of it, these terms disclaim liability for any “…LOSS, CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, OR OTHER SECURITY INTRUSION, AND APPLE CANADA DISCLAIMS ANY LIABILITY RELATING THERETO.”

Apple could be expected to argue that this clause deflects liability. And if Apple is found liable, then it would seek the cover of its limitation of liability clause. In the current version of the terms, Apple claims an overall limit of liability of $50. Let’s not forget that “hundreds of millions of users” are potentially affected.

As a preliminary step however, Apple would be expected to argue that the law of the State of California governs the contract, and Apple would be arguing that any remedy must be sought in a California court (see our post the other day: Forum Selection in Online Terms).

Will this limit of liability and forum-selection clause hold up to the scrutiny of Canadian courts if there is a claim against Apple?

Calgary – 07:00 MT

No comments

Court of Appeal Upholds Injunction Against Google (Equustek Solutions Inc. v. Google Inc.)

.
By Richard Stobbe

Apparently Google does not appreciate being ordered by a Canadian court to remove worldwide search results. In Update on Injunction Against Google (Equustek Solutions Inc. v. Google Inc.) we reviewed a 2014 decision in which Google was ordered to de-index certain offending websites which were selling goods that were the subject of an intellectual property (IP) infringement claim (that decision was Equustek Solutions Inc. v. Jack, 2014 BCSC 1063 (CanLII)). Google appealed that decision to the B.C. Court of Appeal.

Last week, in Equustek Solutions Inc. v. Google Inc., 2015 BCCA 265, the B.C. Court of Appeal upheld the original order.

In the underlying action, Equustek alleged that Mr. Jack and Datalink Technologies designed and sold product which infringed the IP rights of Equustek. The original lawsuit was based on trademark infringement and misappropriation of trade secrets. Equustek successfully obtained injunctions prohibiting this original infringement. The infringement, however, continued through a variety of websites, and relying on search engines (such as Google) to attract customers. Equustek obtained another injunction prohibiting Google (“the world’s most popular search engine” – those are the court’s words) from delivering search results which directed customers to the offending websites.

Google appealed, arguing that this injunction was overreaching since it was beyond the Canadian court’s jurisdiction. After all, Google has no employees, business offices, or servers within British Columbia. The appeal court observed that Google’s “activities in gathering data through web crawling software, in distributing targeted advertising to users in British Columbia, and in selling advertising to British Columbia businesses are sufficient to uphold the chambers judge’s finding that it does business in the Province.” The court, therefore, was entitled to assert jurisdiction over Google even though it was not a party to the underlying litigation. Put another way, “the underlying litigation clearly has a “real and substantial connection” to British Columbia. Equally, Google’s services, which provide a link between the defendant’s products and potential customers, are substantially connected to the substance of the lawsuit.”

The court drew a parallel with a recent English case, Cartier International AG v. British Sky Broadcasting Limited, [2014] EWHC 3354 (Ch.), where Cartier sought an injunction against a number of ISPs in the UK in order to block access to the offending websites which sold counterfeit Cartier products. The court granted the order in that case.

The B.C. court rejected a creative free-speech argument (the argument that the injunction may have the effect of stifling freedom of expression from the blocked websites). (“There is no evidence that the websites in question have ever been used for lawful purposes, nor is there any reason to believe that the domain names are in any way uniquely suitable for any sort of expression other than the marketing of the illegal product.”)

The court also gave short shrift to the argument that the injunction should be restricted to “Canadian” results from google.ca as opposed to an injunction with worldwide effect (“…an order limited to the google.ca search site would not be effective.”)

If Google successfully appeals this decision, it will undoubtedly attract even more intervenors and will provide an opportunity for Canada’s top court to clarify the law in this area.

Need assistance with intellectual property disputes and internet law? Get advice from experienced counsel.

Calgary – 07:00 MDT

No comments

Outsourcing by Canadian Companies after the USA PATRIOT Act

capture2.JPGBy Richard Stobbe

Wondering about outsourcing your data to the U.S.? What follows is an update to one of our most popular posts: Outsourcing by Canadian Companies: Another Look at the USA PATRIOT Act, originally written in January 2013.

In that post, we discussed the concern that U.S. government authorities may use the provisions of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (“PATRIOT Act”) to access the personal information of Canadians where that information is stored in the United States in the context of outsourcing or cloud-computing.

We also noted that for private sector businesses there are no specific legal prohibitions on outsourcing to the United States in light of the PATRIOT Act, provided (1) reasonable safeguards are built into the outsource contract (including confidentiality, use-restrictions, security, and provisions to meet monitoring and audit requirements), and (2) customers are notified in a clear way when their personal information will be stored or handled outside Canada. The only exceptions to this are within the public sector, as reviewed in our earlier post.

What Has Changed and What Remains the Same

This is a complicated area of law. Starting in June 2013, Edward Snowden’s revelations about N.S.A.’s pervasive warrantless surveillance programs triggered a broader debate about privacy, as well as the specific risks of outsourcing to U.S. companies.

Certain provisions of the PATRIOT Act expired under a sunset clause on June 1, 2015. The U.S. Congress passed the USA FREEDOM Act on June 2, 2015 (in keeping with the American penchant for legislative acronyms, the full name is “Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act“).

The USA FREEDOM Act restores many of the expired provisions of the PATRIOT Act through 2019. Some provisions of the Foreign Intelligence Surveillance Amendments Act will expire in 2017 (including Section 702, a provision which underpins some of the N.S.A.’s bulk surveillance of online communications). Under the FREEDOM Act, certain sections of the Foreign Intelligence Surveillance Act of 1978 were amended in an effort to delimit the NSA’s mass data collection programs. However, the restrictions on bulk data collection don’t take effect for 6 months after the USA FREEDOM Act is enacted. There is also a carve-out to permit the government to obtain FISA orders during this 180-day period. The effect of this is unclear, but commentators have speculated that during this 6-month grace period the N.S.A. can continue bulk collection, and obtain FISA orders which are not constrained by the requirement for a “selection term”.

Furthermore, bulk collection of phone data is not necessarily coming to an end – arguably, it is merely being delegated to the telecoms: “The Freedom Act does take the bulk collection of Americans’ telephone records out of the hands of the National Security Agency and leaves those records with the phone companies; it sets up procedures for the NSA to get access to those records when it wants to.

The new law does introduce reforms for oversight of government surveillance. In a nod to transparency, some FISA Court opinions may become available, and technology companies will have the ability to publicly report the number of government surveillance requests or investigation inquiries they receive. Previously, companies were prohibited from reporting that such requests had been received.

Generally, under the FREEDOM Act, indiscriminate bulk data collection is to be reformed by requiring the use of “specific selection terms”. In other words, government agencies such as the NSA must use a search term – the name of a specific person, account, address, or personal device, or any other specific identifier – to limit the scope of data collection “to the greatest extent reasonably practicable”.

In 2004, after the initial flurry of anxiety about US government surveillance under the PATRIOT Act, the Privacy Commissioner of Canada noted: “The [PATRIOT] Act is simply one example of a law that can give the United States government or its agencies access to personal information about Canadians that has been transferred to the United States. Research done by the Office of the Privacy Commissioner and discussions with the Department of Justice suggest that the USA PATRIOT Act is not likely in the normal course of events to be used to obtain personal information held in the United States about Canadians.” (Emphasis added)

In light of the 2013 Snowden revelations (and the 2007 Mark Klein disclosures), we now know that, in fact, the bulk collection of phone and internet data by the N.S.A. would have resulted in a lot of personal information about Canadians being collected by the N.S.A. in the United States through the N.S.A.’s PRISM, ECHELON and related surveillance programs.

Data access by Canadian or American government authorities in the course of investigations is not new. Don’t forget that the PATRIOT Act itself was merely an amendment and expansion to a series of existing government investigation tools which were already part of U.S. law, such as the Electronic Communications Privacy Act, Computer Fraud and Abuse Act, Foreign Intelligence Surveillance Act, Money Laundering Control Act and the Bank Secrecy Act. Going back even further, NSA’s cooperation and information-sharing with Canadian security agencies actually dates to the 1940s (see: the UK-USA Agreement). However, the sheer scope, breadth and depth of surveillance was new.

The Americans are not the only ones who carry on surveillance. There are a number of Canadian laws that enable police, security agencies and government investigators to obtain access to information held in Canada in the course of an investigation. And as in the U.S., Canadian security agencies have also been caught exceeding the legal limits on their online surveillance (see X (Re), 2013 FC 1275; aff’d 2014 FCA 249, where the Federal Court and Federal Court of Appeal decided that CSIS breached the duty of candour owing to the Court in seeking and obtaining search warrants fro surveillance on Canadians outside Canada).

Canadian police and security agencies can also obtain information held in the U.S., just as American security agencies can obtain records held in Canada through information-sharing agreements, protocols and a bilateral treaty between the United States and Canada known as the Mutual Legal Assistance Treaty (the “MLAT”). Other countries have similar investigative powers.

While the Americans are making some modest reforms to their surveillance laws, Canadian authorities are actually expanding their reach; the Anti-terrorism Act, 2015 (Bill C-51) was passed on June 9, 2015, and is awaiting royal assent. This new law expands the information-gathering powers between CSIS, police investigators and other Canadian government agencies.

Further, the effect of so-called “boomerang routing” means that online information flowing between a Canadian sender and Canadian recipient is still often routed through the US. (See: IXMaps.ca) Thus, even where data is not physically stored in the US, it may be caught by ongoing N.S.A. surveillance at the point the data traverses through an internet exchange point located within the United States.

Conclusion

As a matter of risk-assessment for Canadian companies outsourcing data to cloud-computing service providers, should you be concerned that your (or your customers’) Canadian online data will be subject to access by the U.S. government?

1. We know that for Canadian private sector businesses there are still no legal prohibitions against outsourcing data to the United States (note that the public sector is treated differently);

2. Best practices still dictate that (a) reasonable safeguards should be built into the outsource contract (including confidentiality, use-restrictions, security, and provisions to meet monitoring and audit requirements), and (b) customers should notified in a clear way when their personal information will be stored or handled outside Canada.

3. There can be no doubt that surveillance practices under the (old) PATRIOT Act resulted in the mass indiscriminate collection of internet and phone data for many years (and very likely continues within the 6-month period after enactment of the FREEDOM Act). It appears very likely that Canadian data outsourced to the U.S. was subject to bulk collection by the N.S.A. Due to “boomerang routing”, it appears likely that even data stored on servers located within Canada often flows through internet exchange locations within the U.S., and therefore would be susceptible to bulk collection by the N.S.A. The USA FREEDOM Act (which is really the PATRIOT Act 2.0) does impose some mild but important reforms on the scope of N.S.A. surveillance. If bulk data and phone-record collection is actually curtailed, the ongoing risk is associated with “targeted” or “selection term” access, in situations where government security and law enforcement agencies exercise rights of accessing and monitoring online data in the course of investigations of a “specific person, account, address, or personal device” in the U.S. It is worth noting that this ongoing risk of access is similar on both sides of the Canada/U.S. border, since Canadian security and law enforcement agencies have similar powers of investigation, and the two governments can rely on MLAT requests and other information sharing protocols to share data.

When you weigh the issues and risks associated with outsourcing Canadian data to the U.S., consider these points and seek advice from experienced IT and privacy counsel.

Further reading: Law, Privacy and Surveillance in Canada in the Post-Snowden Era.

Calgary – 07:00 MDT

No comments

Reverse Engineering Cloud-Based Software

.
By Richard Stobbe

Let’s say you provide web-based software in a SaaS subscription model. What if your reseller or strategic business partner works against you to redesign and reverse engineer your software so they can launch a competing product?

This is what happened to Warehouse Solutions (WSI) in the recent U.S. case Warehouse Solutions, Inc. v. Integrated Logistics, LLC (May 8, 2015, Fed. CA 11th Cir.). WSI developed and sold a web-based software product known as “Intelligent Audit” which interfaced with UPS and FedEx tracking systems to allow companies to track and manage packages. Integrated acted as a reseller of “Intelligent Audit”, but was also a competitor to WSI, in the sense that Integrated sold its own package-tracking software. The reseller relationship between WSI and Integrated, however, was never documented in a written agreement. The parties had verbal discussions about the confidential and proprietary nature of the “Intelligent Audit” software.

Although Integrated never had access to the source code for “Intelligent Audit”, it had high level administrator access rights to the software, and therefore had much broader insight into the features, functionality and structure of the software, compared to the typical end-user.

On the side, unknown to WSI, Integrated developed its own web-based package-tracking software product that was visually and functionally similar to “Intelligent Audit”. Integrated even went so far as to give its own software developer access to “Intelligent Audit”. Eventually, Integrated dropped “Intelligent Audit” and began selling its own competing product under the ShipLink brand name.

WSI then sued Integrated for reverse engineering and copying its software, and through various court proceedings, the claims came down to the issue of trade secrets. The court drew a distinction between a software program’s underlying source code, which may be a trade secret, and the program’s “look and feel” and “functionality,” which cannot be protected as a trade secret, since these features are readily apparent to any user. Since WSI did not enter into a written confidentiality agreement with Integrated, the trade secret claim failed, and WSI’s claim was dismissed.

Lessons for business?

1. It’s worth noting that this case turns largely on U.S. concepts of “trade secret” protection under the Trade Secrets Act, and there is no equivalent legislation in Canada. Canadian software vendors are frequently bound by local U.S. laws in their dealings with American customers, resellers and strategic partners, so this case is an important one for Canadian SaaS providers, even though it involves U.S. law.

2. There are situations – such as in AirWatch, LLC v. Mobile Iron, Inc., (Unpublished) No. 1:12-cv-3571 (N.D. Ga. Sept. 4, 2013) – where a software licensor can protect its software as a trade secret, where it uses written agreements to clearly preserve the secrecy of the program’s functions and specifications.

3. Overall, the message for software vendors and SaaS providers is that clear written agreements will always be preferable to handshake deals and verbal warnings about confidentiality.

Calgary – 07:00 MDT

No comments

CASL 2.0: The Computer Program Provisions (Part 3)

By Richard Stobbe

The CRTC has released guidelines on the implementation of the incoming computer-program provisions of Canada’s Anti-Spam Law (CASL). Software vendors should review the  CASL Requirements for Installing Computer Programs for guidance on installing software on other people’s computer systems. Remember, the start-date of January 15, 2015 is less than 2 months away. Here are a few highlights:

  • CASL prohibits the installation of software to another person’s computing computer – which includes any device, laptop, smartphone, desktop, gaming console, etc.) in the course of commercial activity without express consent;
  • Downloading your own app from iTunes or Google Play? CASL does not apply to software, apps or updates that are downloaded by users themselves; 
  • Maybe you still use a CD to install software? CASL does not apply to “offline” installations by a user;
  • Where implied consent cannot be relied upon, then express consent is required. The guidelines state the following:

“When seeking consent for the installation you must clearly and simply set out:

  1. The reason you are seeking consent;
  2. Who is seeking consent (e.g., name of the company; or if consent is sought on behalf of another person, that person’s name);
  3. If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought;
  4. The mailing address and one other piece of contact information (i.e., telephone number, email address, or Web address);
  5. A statement indicating that the person whose consent is sought can withdraw their consent; and
  6. A description in general terms of the functions and purpose of the computer program to be installed.”  

 

Calgary – 07:00 MST

No comments

Two Privacy Class Actions: Facebook and Apple (Part 2)

Courtesy of Apple

By Richard Stobbe

In Part 1, we looked at the B.C. decision in Douez v. Facebook, Inc.

Another proposed privacy class action was heard in the B.C. court a few months later: Ladas v. Apple Inc., 2014 BCSC 1821 (CanLII).

This was a claim by a representative plaintiff, Ms. Ladas, alleging that Apple breached the customer’s right to privacy under the Privacy Act (B.C.), since iOS 4 records the location of the “iDevice” (that’s the term used by the court for any Apple-branded iOS products) by surreptitiously recording and storing locational data in unencrypted form which is “accessible to Apple”. The claim did not assert that this info was transmitted to Apple, merely that it was “accessible to Apple”. This case involved a different section of the Privacy Act (B.C.) than the one claimed in Douez.

The Ladas claim, curiously, referred to a number of public-sector privacy laws as a basis for the class action, and the court dismissed these claims as providing no legal basis. The court did accept that there was a basis for a claim under the Privacy Act (B.C.) and similar legislation in 3 other provinces. However, the claim fell down on technical merit. It did not meet all of the requirements under the Class Proceedings Act: specifically, the court was not convinced that there was an “identifiable class” of 2 or more persons, and did not accept there were “common issues” among the proposed class members (assuming there was an identifiable class).

Thus, the class action was not certified. It was dismissed without leave to amend the pleadings.

Apple’s iOS software license agreement did not come into play, since the claim was dismissed on other grounds. If the claim had proceeded far enough to consider the iOS license, then it would surely have faced the same defences raised by Facebook in Douez. As the judgement noted: Apple argued that “every time a user updates the version of iOS running on the user’s iDevice, the user is prompted to decide whether the user wants to use Location Services by accepting the terms of Apple’s software licensing agreement. Apple relies on users taking such steps in its defence of the plaintiff’s claims. The legal effect of a user clicking on “consent” or “allow” or “ok” or “I agree” would be an issue on the merits in this action.”

Any test of Apple’s license agreement will have to wait for another day.

Calgary – 07:00 MST

No comments

Two Privacy Class Actions: Facebook and Apple

By Richard Stobbe

Two privacy class actions earlier this year have pitted technology giants Facebook Inc. and Apple Inc. against Canadian consumers who allege privacy violations. The two cases resulted in very different outcomes.

First, the Facebook decision: In Douez v. Facebook, Inc., 2014 BCSC 953 (CanLII), the court looked at two basic questions:

  1. Do British Columbian users of social media websites run by a foreign corporation have the protection of BC’s Privacy Act, R.S.B.C. 1996, c. 373?
  2. Do the online terms of use for social media override these protections?

The plaintiff Ms. Douez alleged that Facebook used the names and likenesses of Facebook customers for advertising through so-called “Sponsored Stories”.  The claim alleges that Facebook ran the “Sponsored Stories” program without the permission of customers, contrary to of s. 3(2) of the B.C. Privacy Act which says:

“It is a tort, actionable without proof of damage, for a person to use the name or portrait of another for the purpose of advertising or promoting the sale of, or other trading in, property or services, unless that other, or a person entitled to consent on his or her behalf, consents to the use for that purpose.”

Interestingly, this Act was first introduced in B.C. in 1968, even before the advent of the primitive internet in 1969 .

Facebook argued that its Terms of Use precluded any claim in a B.C. court, due to the “Forum Selection Clause” which compels action in the State of California. The court accepted that, on its face, the Terms of Service were valid, clear and enforceable. However, the court went on to decide that the B.C. Privacy Act establishes unique claims and specific jurisdiction. The Act mandates that claims under it “must be heard and determined by the Supreme Court” in British Columbia. This convinced the court that Facebok’s Forum Selection Clause should be set aside in this case, and the claim should proceed in a B.C. court.

The class action was certified. Facebook has appealed. Stay tuned.

Next up, the Apple experience.

Calgary – 07:00 MST

No comments

CASL 2.0: The Computer Program Provisions (Part 2)

By Richard Stobbe

In Part 1 we looked at some basic concepts. In Part 2, we look at “enhanced disclosure” requirements.

If the computer program that is to be installed performs one or more of the functions listed below, the person who seeks express consent must disclose additional information. This disclosure must be made “clearly and prominently, and separately and apart from the licence agreement”. In this additional or enhanced disclosure, the software vendor must describe the program’s “material elements” including the nature and purpose of the program, and the impact on the user’s computer system. A software vendor must bring this info to the attention of the user. This applies if you, as the software vendor, want to install a program that does any of the following things, and causes the computer system to operate in a manner that “is contrary to the reasonable expectations of the owner”. (You have to guess at the reasonable expectations of the user.) These are the functions that the legislation is aimed at:

  • collecting personal information stored on the computer system;
  • interfering with the owner’s or an authorized user’s control of the computer system;
  • changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
  • changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
  • causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;
  • installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system.

If the computer program or app that you, as the software vendor, want to install does any of these things, then you need to comply with the enhanced disclosure obligations, as well as get express consent.

There are some exceptions: A user is considered to have given express consent if the program is

  • a cookie,

  • HTML code,

  • Java Scripts,

  • an operating system,

  • any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or

  • a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose; AND

  • the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.

Remember: These additional provisions in CASL which deal with the installation of software come into effect on January 15, 2015, in less than 3 months. An offence under CASL can result in monetary penalties as high as $1 million for individuals and $10 million for businesses.

If you are a software vendor selling in Canada, get advice on the implications for automatic installs and updates, and how to structure consents, whether this is for business-to-business, business-to-consumer, or mobile apps. There are already more than 1,000 complaints under the anti-spam provisions of the law. You don’t want to be the test case for the computer program provisions.

Calgary – 07:00 MST

No comments

CASL 2.0: The Computer Program Provisions (Part 1)

By Richard Stobbe

It’s mid-October. Like many businesses in Canada, you may be weary of hearing about CASL compliance. Hopefully that weariness is due to all the hard work you did 3 months ago to bring your organization into compliance for the July 1st start-date.

If you’re a software vendor, then you should gird yourself for round two: Yes, there are additional provisions in CASL which deal with the installation of software, and those rules come on stream in 3 months on January 15, 2015.

Section 8 of CASL ostensibly deals with spyware and malware. Hackers are not the only problem; think of the Sony Rootkit case (See our earlier post here) as another example of the kind of thing that this law was designed to address.

This is the essence of Section 8: “A person must not, in the course of a commercial activity, install …a computer program on any other person’s computer system… unless the person has obtained the express consent of the owner …” This applies only if the computer system is located in Canada, or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions.

This relatively simple idea – get consent if you want to install an application on someone else’s system in Canada – has far-reaching implications due to the way the legislation draws the definitions of “computer program” and “computer system” from the Criminal Code. As you can guess, the Criminal Code definitions are extremely broad. So, what does this mean in real life?

  • Certain types of specified programs require “enhanced disclosure” by the software vendor. (I am saying ‘software vendors’ as those are the entities most likely to bring themselves into compliance. Of course, hackers and organized crime syndicates should also take note of the enhanced disclosure requirements);
  • Express consent, under this law, means that the consent must be requested clearly and simply, and the purpose of the consent must be described;
  • The software vendor requesting consent must describe the function and purpose of the computer program that is to be installed;
  • The software vendor requesting consent must provide an electronic address so that the user can request, within a period of one year, that the program be removed or disabled;
  • Note that if a computer program is installed before January 15, 2015, then the person’s consent is implied. This implied consent lasts until the user gives notice that they don’t want the installation anymore. Or until January 15, 2018, whichever comes first. I’m not making this stuff up, that’s what the Act says.
  • One more thing: Enhanced disclosure does not apply if the computer program only collects, uses or communicates “transmission data”. Transmission data is what you might call envelope information. The Act defines it as data that deals with “dialling, routing, addressing or signalling” and although it might show info like “type, direction, date, time, duration, size, origin, destination or termination of the communication”, it does not reveal “the substance, meaning or purpose of the communication”. So there is effectively a carve-out for the tracking of this category info.

Don’t worry, Canadian anti-spam laws are kind of like Lord of the Rings: Sequels will keep coming whether you like it or not. Once we’re past January 15, 2015, you can look forward to July 1, 2017, which is the day on which sections 47 to 51, 55 of CASL come into force. These provisions institute a private right of action for any breach of the Act.

If you are a software vendor selling in Canada, get advice on the implications for automatic installs and updates, whether this is for business-to-business, business-to-consumer, or mobile apps. There are already more than 1,000 complaints under the anti-spam provisions of the law. You don’t want to be the test case for the computer program provisions.

Calgary – 07:00 MST

No comments

Drafting IT Agreements: Oct. 14-15

By Richard Stobbe

I will be speaking next week at the 10th Essentials of Commercial Contracts Course in Calgary, Alberta (Download PDF) on the subject of IT contracting. This session will discuss key considerations in IT licensing and service agreements including:

  • Key clauses in IT agreements and common mistakes
  • Various models for licensing software
  • Overlap between licenses and service agreements
  • Service level metrics and remedies for non-compliance
  • Statements of work in IT consulting and the lawyer’s role
  • Other issues: privacy, vendor lock-in, third party and open source software.

If you want additional information, please contact me.

Calgary – 07:00 MST

No comments

What, exactly, is a browsewrap?

By Richard Stobbe

Browsewrap, clickwrap, clickthrough, terms of use, terms of service, EULA. Just what are we talking about and how did we get here?

In Nguyen v. Barnes & Noble, Inc., 2014 WL 4056549 (9th Cir. Aug. 18, 2014) the US Ninth Circuit wades into the subject of online contracting. Law professor Eric Goldman (ericgoldman.org) argues that these terms we’re accustomed to using, to describe ecommerce agreements, only contribute to the confusion. The term “browsewrap” derives from “clickwrap”, which is itself a portmanteau derived from the concept of a shrinkwrap license. As one court described it in 1996: “The ‘shrinkwrap license’ gets its name from the fact that retail software packages are covered in plastic or cellophane shrink wrap, and some vendors… have written licenses that become effective as soon as the customer tears the wrapping from the package.”

The enforceability of a browsewrap – it is argued – is based not on clicking, but on merely browsing the webpage in question. However, the term browsewrap is often used in the context of an online retailer hoping to enforce its terms, in a situation where they should have used a proper click-through agreement.

In Nguyen, the court dealt with a claim by a customer who ordered HP TouchPad tablets from the Barnes & Noble site. Although the customer entered an order through the shopping cart system, Barnes & Noble later cancelled that order. The customer sued. The resulting litigation turned on the enforceability of the online terms of service (TOS). The court reviewed the placement of the TOS link and found a species of unenforceable browsewrap - the TOS link was somewhere near the checkout button, but completion of the sale was not conditional upon acceptance of the TOS.

There is a whole spectrum upon which online terms can be placed. At one end, a click-the-box agreement (in which completion of the transaction is conditional upon acceptance of the TOS) is generally considered to be valid and enforceable. At the other end, we see passive terms that are linked somewhere on the website, usually from the footer, sometimes hovering near the checkout or download button.  In Nguyen, the terms were passive and required no active step of acceptance. The court concluded that: “Where a website makes its terms of use available via a conspicuous hyperlink on every page of the website but otherwise provides no notice to users nor prompts them to take any affirmative action to demonstrate assent, even close proximity of the hyperlink to relevant buttons users must click on —without more — is insufficient…”

This leaves open the possibility that browsewrap terms (where no active step is required) could be enforceable if the user has notice (actual or constructive) of those terms.

In Canada, the concept was most recently addressed by the court in Century 21 Canada Limited Partnership v. Rogers Communications Inc., 2011 BCSC 1196 (CanLII). In that case, there was no active click-the-box terms of use, but the “browsewrap” terms were nevertheless upheld as enforceable, in light of the circumstances. Three particular factors convinced the court that it should uphold the terms: 1. the dispute did not involve a business-to-consumer dispute (as it did in Nguyen). Rather the parties were “sophisticated commercial entities”. 2. The defendants had actual notice of the terms. 3. The defendants employed similar terms on their own site.

The lessons for business?

The “browsewrap” is a passive attempt to impose terms on a site visitor or customer. Such passive terms should not be employed where the party seeking to enforce those terms requires certainty of enforceability. Even where there is a “conspicuous hyperlink” or “notice to users” or “close proximity of the hyperlink”, none of these factors should be relied upon, even if they might create an enforceable contract in special cases. Maybe it is time to retire the term “browsewrap” and replace it with “probably unenforceable”.

Now, do you still want to rely on a browsewrap agreement?

Related Reading: Online Terms – What Works, What Doesn’t

Calgary – 07:00 MST

1 comment

Update on Injunction Against Google (Equustek Solutions Inc. v. Google Inc.)

By Richard Stobbe

Last summer, Google was ordered by a Canadian court to de-index certain offending websites which were selling goods that were the subject of an intellectual property (IP) infringement claim (Equustek Solutions Inc. v. Jack, 2014 BCSC 1063 (CanLII), see our earlier post: Court Orders Google to Remove Site from Worldwide Search Results).

The underlying dispute involved a trade-secret misappropriation and passing-off claim by a manufacturer against a rival company. Google appealed the lower court decision. In Equustek Solutions Inc. v. Google Inc., 2014 BCCA 295 (CanLII), the BC Court of Appeal has rendered a decision.

Google applied for a stay of the original injunction on a number of grounds, including the argument that the original order was “unprecedented in Canadian law”, the order was “overly broad”, and that the order will have a “direct and irreversible impact” on Google. Google argued that it would suffer “irreparable harm” for two reasons: first, Google customers would be impacted, although it was not clear how exactly; and second, Google argued that this Canadian court order would open the floodgates to other similar orders against Google in other jurisdictions.

The appeal court acknowleged the importance of the case, musing that “the order of the court below raises profound issues as to the competence of Canadian courts to issue global injunctions that affect what content users around the world can access on the Internet.”

However, after balancing the arguments, the Court of Appeal did not grant the stay, so the injunction remains in place.

There are a few interesting points about this decision:

  • Although Google was not a party to the original lawsuit (remember, it was an IP dispute between two rival manufacturers) and no-one claimed anything against Google itself, Google took the extraordinary step of undertaking to pay damages to Equustek, for damage it might suffer if the injunction was lifted. Google said it would track traffic to the offending websites (which it is supposed to de-index) and disclose that information to Equustek. If Equustek lost profits as result of traffic to these sites, then Google would make good the damages.
  • Equustek counter-argued that this was cold comfort, asking: “What value is it to have the right to sue Google for damages?”  If access to the offending websites was not blocked by Google, said Equustek, then Equustek would still face the burden of proving damages, and then suing Google for those damages, and in the meantime its intellectual property would continue to be devalued.

The appeal will go ahead, and while the appeal is underway, the order against Google will remain. This is one to watch.

Calgary – 07:00 MST

    No comments

    Confidentiality & Sealing Orders in Software Disputes

    By Richard Stobbe

    Two software companies wanted to integrate their software products. The relationship soured and one of the parties – McHenry – purported to terminate the Software Licensing and Development Agreement and then launched a lawsuit in the Federal Court in the US, claiming copyright infringement and breach of contract. The other party – ARAS – countered by invoking the mandatory arbitration clause in the software agreement. The US court compelled the parties to resolve their dispute through arbitration in Vancouver. After the arbitration, the arbitrator’s decision was appealed in the BC Supreme Court. In that appeal, McHenry sought a “sealing order” asking the BC court, in effect, to order confidentiality over the March 26, 2014 Arbitration Award itself. This is because ARAS, who prevailed at arbitration, circulated the arbitration award to others.

    In the recent decision (McHenry Software Inc. v. ARAS 360 Incorporated, 2014 BCSC 1485 (CanLII)) the BC Supreme Court considered the law of “sealing orders” and confidentiality in the context of a dispute between two software companies.

    The essence of McHenry’s complaint was that the arbitrator’s award should be treated confidentially, since it contained confidential and sensitive information about the dispute, which could harm or disadvantage McHenry in its negotiations with future software development partners.

    The court reviewed the legal principles governing sealing orders. A “sealing order” is simply court-ordered confidentiality over court records or evidence. While there is a presumption in favour of public access in the Canadian justice system, there are times when it is appropriate to deny access to certain records to prevent a “serious risk to an important interest” as long as “the public interest in confidentiality outweighs the public interest in openness”. (To dig deeper on this, see: Sierra Club of Canada v. Canada (Minister of Finance), 2002 SCC 41 (CanLII), 2002 SCC 41.)

    If you were hoping for a handy three-part test, you’re in luck:

    1. First, the risk in question must be real and substantial, and must pose a “serious threat” to the commercial interest in question.
    2. The interest must be tied to a public interest in confidentiality. The SCC said: “a private company could not argue simply that the existence of a particular contract should not be made public because to do so would cause the company to lose business, thus harming its commercial interests.” Courts must remember that a confidentiality order involves an infringement on freedom of expression, so it should not be undertaken to satisfy purely commercial interests.
    3. Third, the court must consider whether there are any reasonable alternatives to a confidentiality order, or look for ways to restrict the scope of the order as much as possible in the context.

    Ultimately, the BC Court was not sympathetic to McHenry’s arguments for a sealing order. If McHenry was so concerned about the confidentiality of these proceedings, the court argued, then McHenry would not have launched a lawsuit against ARAS in the US Federal Court, where there is no confidentiality. In pursuing litigation, McHenry filed numerous documents in the public record, including its Arbitration Notice, its Statement of Claim in the Arbitration and its petition in the BC Court proceedings, some of which contained potentially sensitive information.

    “Moreover,” the court continued, “there is no general principle that the confidentiality of arbitration proceedings carries over to court proceedings when the arbitration is appealed. On the contrary, such court proceedings are generally public.”

    This case serves as a reminder of the confidentiality issues that can arise in the conext of a dispute between software companies, both in arbitration proceedings and in the litigation context. Make sure you seek experienced counsel when handling the complex issues of confidentiality, sealing orders and licensing disputes.

    Calgary – 07:00

    No comments

    Online Terms – What Works, What Doesn’t

    By Richard Stobbe

    The online fine print – those terms and conditions that you agree to when you buy something online – it really does matter where those terms are placed in the checkout process. A recent US case illustrates this point. In Tompkins v. 23andMe, Inc., 2014 WL 2903752 (N.D. Cal. June 25, 2014), the court dealt with an online checkout process for DNA testing kits sold by 23andMe. When completing a purchase, customers were not presented with any mandatory click-through screen for the transaction to complete. There was a passive link at the footer of the transaction page, something the court dismissed as a “browsewrap”, which was ineffective to bind the customers. In other words, the Terms of Service were not effective at that point in the transaction.

    In order to obtain test results, however, customers were obliged to register and create an account with 23andMe. In this (post-sale) registration process, a mandatory click-through screen was presented to customers, not once but twice. The court decided that this second step was valid to bind the customers who purchased the DNA testing kits.

    While this shows that courts can take a position that is sympathetic to online retailers, this should not be taken as an endorsement of this contracting process. In my view, the better approach would be to push customers through a mandatory click-through screen at both stages. This is particularly so in a case like 23andMe, where the first transaction is for sale of a product (the kit) and the second step relates to a service (processing test results). The two, of course, are intertwined, but the double click-through reduces risk and plugs the holes left by the single click-through. For example, a customer may buy a kit and never create an account, or use a kit without have purchased it. As the court notes: “it is possible for a customer to buy a DNA kit, for example, as a gift for someone else, so that the purchasing customer never needs to create an account or register the kit, and thus is never asked to acknowledge the TOS.”

    We can speculate on why the click-through appeared at the second account-creation step, and not the first kit-purchasing step. Sometimes, the purchasing process is modified over time due to changes in marketing or sales strategies. Perhaps the company broke a unified transaction process, which ended with account-creation, into two separate steps after market research or customer feedback. When something like this happens, it is important to repeat the legal review, to ensure compliance with e-commerce best practices.

    Calgary – 07:00 MST

    No comments

    Supreme Court of Canada on Internet Privacy

    By Richard Stobbe

    The Supreme Court puts it mildly in its opening line: “The Internet raises a host of new and challenging questions about privacy.”

    One of those questions is whether an IP address can be considered personal information. An internet protocol (IP) address is the unique numeric identifier of a particular computer and, in a wider sense, can be any node or point in the internet generally. In the recent case of R. v. Spencer, 2014 SCC 43, the Supreme Court of Canada (SCC) considered whether there is a reasonable expectation of privacy in ISP subscriber information including IP address information.

    In this case, police identified the IP address of a computer that someone had been using to access child pornography.  Police approached the ISP and obtained the subscriber information associated with that IP address. At this point, no warrant was issued. This led them to the accused  and a warrant was issued for a search of his residence. The accused was charged and convicted. The SCC indicated that in this case, there was a reasonable expectation of privacy in the subscriber information, including the IP address.

    Since the search of the subscriber info was obtained without a warrant, the search violated the Charter. While a warrant was eventually issued for a search of the accused’s residence, that warrant could not have been obtained without the original (warrantless, unconstitutional) search of the ISP subscriber information. Since the original search was unconstitutional, it follows that the search of the residence was also unconstitutional. This all leads to the exclusion of the evidence found at the residence.

    Nevertheless, the SCC said that, even in light of all of the above points, the “police conduct in this case would not tend to bring the administration of justice into disrepute.”  The court concluded, in essence, that excluding the evidence would be worse than allowing that unconstitutional search. The admission of the evidence was therefore upheld.

    A few key points to note:

    • Terms of Use and Privacy Policies are carefully reviewed and taken into account by the court in these cases.
    • In this case Shaw was the ISP. Shaw’s Privacy Policy said that “Shaw may disclose Customer’s Personal Information to: . . . a third party or parties, where the Customer has given Shaw Consent to such disclosure or if disclosure is required by law…”  The initial warrantless search by the police was not “required by law” (in the sense that it was merely a request and police had no way to legally compel compliance). This contributed to the court’s conclusion that there was a reasonable expectation of privacy on the part of the accused.
    • This contrasts with the decision by the Ontario Court of Appeal in R. v. Ward 2012 ONCA 660, where the court held that the provisions of PIPEDA were a factor which weighed against finding a reasonable expectation of privacy in subscriber information. That was another child pornography case. In that case, the ISP was Bell, whose terms said “[Bell Sympatico will] offer full co-operation with law enforcement agencies in connection with any investigation arising from a breach of this [Acceptable Use Policy].” There was no reference to disclosures “required” by law.  In that case, the accused has a subjective expectation of privacy, but that expectation was not objectively reasonable in light of his criminal activities.
    • Consider reviewing your privacy policies and your organization’s ability to disclose subscriber information in light of these decisions.

    Calgary – 07:00 MST

    No comments

    API Copyright Update: Oracle wins this round

     
    By Richard Stobbe

    The basic question “are APIs eligible for copyright protection?” has consumed much analysis (and legal fees) during the lawsuit between Oracle and Google, which started in 2010. (For more reading on our long-running coverage of the long-running Oracle vs. Google patent and copyright litigation, see below.)

    The basic premise of Oracle’s complaint against Google is that the wildly popular Android operating system copied 37 Java API packages verbatim, and inserted the code from those APIs into the Android software. This copying was done without a license from Oracle. Therefore, says Oracle, copyright infringement has occurred. In a 2012 decision, the district court decided that the Java APIs were not subject to copyright protection. Therefore, said the lower court, there was no infringement. The US Federal Court of Appeals has reversed that finding.

    In a 69-page decision released on May 9, 2014, the appeal court has decided that these Java APIs are subject to copyright protection, and concluded as follows: “Because we conclude that the declaring code and the structure , sequence, and organization of the API packages are entitled to copyright protection, we reverse the district court’s copyrightability determination with instructions to reinstate the jury’s infringement finding as to the 37 Java packages . Because the jury deadlocked on fair use, we remand for further consideration of Google’s fair use defense in light of this decision.”In short, Google has infringed Oracle’s copyright, and the question to be determined now is whether Google has a “fair use” defense to that infringement.

    The EFF has called the decision dangerous since it exposes software developers to copyright infringement lawsuits. However, for software vendors, it may help strengthen the controls they place on developers to maintain standards and cross-compatibility through licensing. After all, that was (in theory) one of the complaints raised by Oracle – that its “write once, run anywhere” Java principle was violated when Google mis-used the Java APIs to essentially bring Android out of compatibility with the Java platform.
    Related Reading:

    Calgary – 07:00 MDT

    1 comment

    Patent Infringement Lawsuits Against Software End-Users

    Are you a Canadian software vendor with customers in the USA? Let’s say your US end-user customer is sued for patent infringement in the US based on use of your software, but the lawsuit avoids naming your company. In other words, your customers are sued, but you are not.

    Ok, so you avoided a lawsuit. However, for business reasons you may want to be “in the ring” to assist your end-user customers to defend the infringement claims. One of the defences to infringement is to challenge the validity of the patent in question. But if your company is not named, how do you raise that defence? In order to seek a “declaratory judgment” that the patent is invalid, you need something called “standing” – a right to make your case in court. If you are defending an infringement allegation (if you are named in the lawsuit), you have that standing as a defendant. But if not, you have to ask the court for standing… sound complicated?

    This is what happened to Microsoft, when its end-users were sued for patent infringement by Datatern. Datatern, not wanting to lock horns with Microsoft (for obvious reasons) just named the software end-users in the patent infringement lawsuit. In Microsoft Corporation v. Datatern, Inc. (Fed. Cir. 2014), Microsoft sought standing to have the patents declared invalid.

    The Federal Circuit Court of Appeals in the US said that Microsoft does not have the “right to bring the declaratory judgment action solely because their customers have been sued for direct infringement”. To bring an invalidity declaratory judgment action against DataTern, Microsoft needed something more. The court indicated that:

    • Microsoft would need to show a controversy between Microsoft and the patent holder as to Microsoft’s liability for:
      • induced infringement, or
      • contributory infringement,

      based on the alleged acts of direct infringement by the end-user customers; or

    • Microsoft would have standing if it had a contractual obligation to indemnify its customers against the infringement claim. In this case, there was no indemnity obligation.

    The use of Microsoft-provided documentation by Datatern in the patent infringement lawsuit was enough to establish standing for Microsoft, since this implied that Microsoft encouraged (or “induced”) the infringing use. However, this only applied to some of the patents in question.

    Wherever Datatern used third-party (non-Microsoft) documentation to evidence the alleged infringement, Microsoft was too far removed from the controversy and there was no implied assertion that Microsoft induced the infringement. Microsoft could not establish the necessary controversy between it and Datatern, the patent holder. In connection with that particular patent, Microsoft lacked standing and its declaratory judgment action to challenge the validity of the patent could not proceed.

    Remember this is a US case, but Canadian software vendors should review these patent infringement issues with counsel (including the costs and benefits of IP infringement indemnity clauses) to ensure that their end-user license agreements manage the risks in light of this decision.

    Calgary – 07:00 MDT

    No comments

    Unilateral Changes to Online Terms: do they work?

    Consumers wonder what exactly has changed when they are confronted with a new set of online terms, in a cloud-based service, website terms or software license. We reviewed this issue in an earlier post, which looked at changes to online terms in the middle of the product lifecycle. Amendments are often introduced due to changes in the law or changes in product functionality.

    Instagram amended its terms of use in early 2013. In Rodriguez v. Instagram , CGC-13-532875 (San Francisco Sup. Ct. Feb 28, 2014), a US court reviewed a complaint alleging that Instagram’s new terms consituted a breach of good faith and fair dealing. The court noted that: “The New Terms modified the original terms in three allegedly material respects:

    1. in the Original Terms, Instagram disclaimed any ownership rights in content users post on Instagram, whereas in the New Terms Instagram disclaimed ownership of content users post on Instagram;
    2. in the Original Terms, Instagram was afforded a non-exclusive limited license to use, modify, delete from, add to, publicly perform, publicly display, reproduce, and translate content users posted on Instagram, whereas under the New Terms Instagram has a transferable and sub-licensable license to use the content users post, with the two allegedly material aspects being (i) the addition of sublicensing authority; and (ii) removal of any limitations on the scope of the license; and
    3. the New Terms add a liability waiver.”

    The New Terms were structured so that users accepted the terms by continuing to use Instagram after the effective date. A user could decline acceptance by ceasing all use of Instagram. The plaintiff in this case did continue use of Instagram after the New Terms were introduced. This opened up the argument for Instagram that this user consented to be bound by the New Terms. The lack of a click-through was not fatal to Instagram’s case. As a result, this decision seems like a bright spot for cloud service providers and software licensors – after all, it seems to permit unilateral amendment clauses in online terms without forcing users into a mandatory click-through screen. The court also seems to accept that the new terms can apply retroactively to user-generated content that pre-dates the New Terms. However, a note of caution should be sounded for cloud computing providers and software vendors:

    • unilateral amendments to online terms should always be handled carefully;
    • consider in advance whether amendments are permitted under the current terms before imposing new terms;
    • due to the facts of this particular plaintiff, the court did not address the question of what would be done with user content if the user had ceased use of the service – i.e. if the user had not impliedly consented by continued use;
    • consider how to log or track user consent (either active consent or implied “continued-use” consent) by users.

    Calgary – 07:00 MDT

    Incoming Anti-Spam Software Regulations

    Most Canadian businesses will have heard of the incoming Canadian Anti-Spam Law (referred to as CASL, which joins the Canadian pantheon of legislative acronyms like PIPEDA and PIPA). The consent requirements for sending commercial electronic messages (CEMs) is covered elsewhere (See here, and see this upcoming event on March 18 and 20, 2014). Those requirements come into effect July 1, 2014.

    The software-related regulations are getting less press. Why? Possibly because CASL is being implemented in phases, and the software-related rules are not expected to be in full force until January 15, 2015. And possibly because the software-related regs are complicated and at times confusing.

    This element of CASL is designed to control surreptitious installation of software, particularly “invasive software”. Generally, express, clear consent is required. Installation of invasive software imposes additional requirements. Implied consent (or “deemed express consent”) may be relied upon in other cases:

    • cookies, HTML code, Java scripts;
    • upgrades for telecom network security;
    • “reasonable” installs – where it is reasonable to expect that the user would consent.

    Software vendors should take note of these incoming obligations, to assess and plan for any updates that will be required for CASL compliance. Get advice on how these regulations apply to your software products.

    Calgary – 07:00 MST

    No comments

    Who is Liable: App Stores or App Developers?

    The app economy is, by most estimates, equivalent in size to the GDP of a small country: $15 billion in 2012, projected to mushroom to $74 billion by 2016. All that economic activity inevitably breeds litigation. In what appears to be a case of first impression in the US, a federal court looked at the issue of whether the app store is liable for the apps it distributes, or the app developer.

    The case of Evans v. Hewlett-Packard Co., 2013 WL 4426359 (N.D. Cal. Aug. 15, 2013), the court looked at the liability of Hewlett-Packard for a third-party app which allegedly infringed trade-mark rights.

    This case hinges on an interpretation of Section 230 of the Communications Decency Act (47 U.S.C. §230), 1996 legislation which provides immunity for providers of an “interactive computer service”, such as ISPs and website operators. The court decided that HP, as the operator of the app store, does qualify for immunity under this legislation, putting the app store into the same category as ISPs.

    Remember, the Communications Decency Act  is US legislation, not Canadian. However, Canadian app developers should take note of this decision, as most Canadian developers seek to market and sell their apps in the US.

    Other app case are pending, such as this claim (Pirozzi v. Apple, Inc., 12-cv-01529-JST (N.D. Cal. Aug. 3, 2013)) which is proceeding against Apple, for violation of privacy rights. Stay tuned.

    Calgary – 07:00 MDT

    No comments

    « Previous PageNext Page »