|
Wednesday November 30, 2005 |
The Sony rootkit story continues to be remarkably resilient as new developments emerge a full month after the story first began circulating in the blogosphere. I covered developments up until about a week ago in a recent column.
Three Business Week stories now shed additional light, raising several points that are worthy of mention and increasing pressure for a Canadian response. First, following the suit by the Texas Attorney General, New York State Attorney General Eliot Spitzer, who this summer extracted a significant settlement from Sony on payola charges, has now turned his attention to the rootkit story. His primary concern? Sony has failed to recall the CDs it promised to recall. Spitzer sent out investigators to several leading retailers over the weekend and they had little trouble locating CDs that were supposed to be off the shelves. Spitzer notes that "it is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year. . . strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."
Second, Business Week points to statistics that suggest that the rootkit fiasco is having a devastating effect on the artists themselves. It notes that sales of Van Zant's Get Right with the Man, dropped by 50 to 80 percent over the U.S. holiday weekend, a time when the sales should have been increasing by a similar amount. In fact, the CD has dropped from an Amazon ranking of 882 on November 2nd to 3442 today (not to mention facing many negative reviews).
Third, Business Week also reports that Sony knew about the rootkit problem a full month before the issue appeared on Mark Russinovich' s blog, yet apparently sat on the information, allowing its products to place thousands more computers at risk. Of course, this is apparently par for the course for Sony, given that Alex Halderman has uncovered that the company uses another DRM system (MediaMax) that permanently installs and runs unwanted software, even where the user declines the license agreement.
Given all the prior revelations, Canadian action is now long overdue. There is ample evidence to warrant investigations from both the Competition Bureau and the Privacy Commissioner of Canada. Moreover, with the election campaign now in full swing, the various parties should take a stand on what they intend to do about deceptive use of DRM and whether they support much-needed legal protections from DRM. This fiasco has laid bare the dangers of the recording industry' s support for DRM to consumers, artists, and retailers. With thousands of Canadians likely affected (if you are one, I'd like to hear from you), Canadian authorities can no longer sit on the sidelines.
copyright, michael geist, privacy, security, sony rootkit Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterTagsShareWednesday November 30, 2005 |
|
|
Monday November 28, 2005 |
My weekly Law Bytes column (Toronto Star version, freely available version) focuses on the recent Maclean's cover story in which a reporter obtained the personal phone records of Privacy Commissioner Jennifer Stoddart. I argue that in a year dominated by almost daily privacy and security violations that have placed the personal information of millions at risk, that this privacy breach, which affected just one person, ranks as 2005's most shocking incident.
Although major Canadian telecommunications providers such as Bell Canada sought to characterize themselves as "victims" of fraudulent activity and claim that a rapid response to the incident is proof that the Canada' s privacy laws are working as intended, the reality is that Canadian law is simply ill-equipped to deal effectively with such incidents.
In light of the privacy breach, the public might naturally expect that the Privacy Commissioner of Canada has the powers to address the issue. She does not.
The investigation will naturally focus on both the telecommunications providers that disclosed the phone records as well as the U.S.-based data broker that obtained and later sold the information.
The Privacy Commissioner has little recourse against the telecommunications providers. Although she can investigate the incident, without possessing order-making power, the Commissioner is reduced to issuing a non-binding "finding" that must be pursued in federal court in order to levy any financial penalties.
Indeed last week it was the CRTC that was better able to immediately address the issue. Within days of the report, it sent a letter to the telecommunications providers demanding an internal investigation and imposing a strict 10-day deadline to furnish a host of information, including descriptions of the safeguards that were in place when the breaches occurred, explanations of how the companies verify customer identity, and new measures being taken to improve security.
The situation with respect to the U.S.-based data broker is even bleaker. Last week the Privacy Commissioner declined to investigate a complaint against another U.S. data broker, arguing that Canada' s privacy laws do not provide sufficient powers to investigate out-of-country operators.
The implications of that decision are stunning, suggesting that Canadians enjoy no privacy protection for personal information that is disclosed to non-Canadian entities. Although the Commissioner' s interpretation of the limits of the law are subject to challenge - there is a good argument that the jurisdictional limitations on investigation should not act as a barrier to issuing a finding against a foreign entity - it is increasingly clear that Canadian law is not up to the challenge of providing effective privacy protection in a world of global data flows that do not respect national borders.
Tackling this challenge will not be easy, particularly as the Commissioner is asked to address a growing number of concerns including spam, spyware, and the threat of secret disclosures compelled by U.S. law enforcement. A starting point, however, is to provide the Commissioner with order making power, the unquestioned ability to name the names of privacy violators, and the resources necessary to meet her mandate.
While a statutory review of Canada' s national privacy legislation is slated for 2006, there is no need to wait for the review. With an imminent national election call, Canada' s political leaders should be required to answer a simple question - how are they prepared to reform Canadian law to provide meaningful privacy protection in the Internet era?
data brokers, maclean's story, michael geist, pipeda, privacy, security, stoddart Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterTagsShareMonday November 28, 2005 |
|
|
Sunday November 27, 2005 |
Bill C-37, the do-not-call bill, is now law in Canada. Much to seemingly everyone' s surprise, the Senate put the bill on the fast track last week and granted it the necessary approvals. Supreme Court Justice Michel Bastarache gave it royal assent late on Friday, minutes before the Senate adjourned. While the Liberals will likely point to the do-not-call legislation as a noteworthy accomplishment, I would argue that it is more realistically an example of how it ultimately caved to a wide range of lobbying interests, leaving behind a statute that will do little to address the problem of annoying telemarketing calls.
The law itself will take effect only once a date is set by the Governor in Council. The statute also includes a mandatory review three years after it comes into force.
c-37, canada, do-not-call legislation, michael geist, privacy, royal assent Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterTagsShareSunday November 27, 2005 |
|
|
Friday November 25, 2005 |
The National Post runs a brief masthead editorial today on the Sony debacle and the recording industry's use of digital rights management. The editorial is further evidence that this story remains in the public eye nearly four weeks after it first broke. The key quote (unfortunately the full editorial is behind a paywall - I will never understand why papers restrict access their editorials, which are designed to influence):
"The real scandal of DRM software is that it allows companies to play a law enforcement role that is not rightfully theirs. By meting out punishment for prospective copying crimes, record labels are stepping over the line meant to separate the private sphere from government. They are not just protecting their precious commodities - they are pronouncing sentence (in this case, an infected computer) on those who would take them. That is a job that should be left to judges."
This analysis should obviously extend beyond just using DRM to usurp the role of the judiciary. Since DRM is used to limit privacy and eliminate fair dealing/use rights, the technology should not be permitted to usurp the law itself. It will be useful to remind the Post of this editorial when copyright reform returns as it suggests support for statutory limitations on the use of DRM.
c-60, copyright, michael geist, privacy, sony rootkit Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterTagsShareFriday November 25, 2005 |
|
|
