Private sector organizations following federal privacy law will have to provide breach notifications to customers and the privacy commissioner where it is reasonable to believe that the breach creates a “real risk of significant harm,” under long-awaited proposed regulations to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Intellectual property
-
Ottawa finally proposes regulations on data breach notifications
-
Canadian financial regulators provide guidance on cryptocurrency offerings
Canadian financial regulators, in lockstep with a growing number of jurisdictions, has put the cryptocurrency world on notice after confirming the potential applicability of Canadian securities laws to virtual currencies and related trading and marketplace operations. -
Quebec financial watchdog raids offices of man prohibited from promoting PlexCoin
Read More
The Quebec financial watchdog raided last week the offices of Dominic Lacroix, a Quebec City man who has been prohibited by a tribunal to promote and solicit investors for a new virtual currency called PlexCoin. -
Quebec financial watchdog considering its options over PlexCoin
Quebec’s financial watchdog is considering handing over the case involving Dominic Lacroix and his companies, who have been prohibited by a tribunal to promote and solicit investors for a new virtual currency called PlexCoin, to police authorities. -
New virtual currency targeted by Quebec financial watchdog
The Quebec Financial Markets Administrative Tribunal issued a series of expansive ex parte orders prohibiting Dominic Lacroix and several of his companies from promoting and soliciting investors for a new virtual currency set to be launched. -
Monetizing data, without consent
You can still download the application if you want. But if you believe what Kyle Zak has to say about it, it’s not something you would do. Not unless you don’t mind the trade-off between ease-of-use and the reams of information you will allegedly provide to the popular audio maker Bose Corp. -
Legal profession concerned about algorithmic bias
Algorithms, the set of instructions computers use to carry out a task, have become an integral part of everyday lives, and it is immersing itself in law. In the U.S. judges in some states can use algorithms as part of the sentencing process. Many law enforcement officials in the U.S. are using them to predict when and where crimes are likely to occur. They have been used for years in law firm recruitment. And with advancements in machine learning they are also being used to conduct legal research, predict legal outcomes, and to find out which lawyers win before which judges.
Most algorithms are created with good intentions but questions have surfaced over algorithmic bias at job hunting web sites, credit reporting bureaus, social media sites and even the criminal justice system where sentencing and parole decisions appear to be biased against African Americans.
And the issue is likely to gain traction as machine learning and predictive coding become more sophisticated, particularly since with deep learning (which learn autonomously) algorithms can reach a point where humans can often no longer explain or understand them, said Nicolas Vermeys, the assistant director at Cyberjustice Laboratory in Montreal.
AlphaGO is a case in point. When AlphaGO, Google’s artificial intelligence system, defeated the 18-time world champion in the complex and highly intuitively game of the ancient Chinese board game GO, it was not just a demonstration of yet another computer beating a human at a game. GO, a game with simple rules but profound complexity, has more possible positions than there are atoms in the universe, leading some to describe it as the Holy Grail of AI gaming. It was a remarkable feat because AlphaGO was not taught how to play Go. It learned how to play, and win, by playing millions of games, using a form of AI called deep learning, which utilizes neural networks that allow computer programs to learn just like humans. More than that, the victory showed that computers are now able to rely on its own intuition, something that was thought only humans could do.
Another example is Deep Patient. The brainchild of a research group at Mount Sinai Hospital in New York, it is a machine learning tool that was trained to detect illness from data from approximately 700,000 patients. Deep Patient turns out to be good at detecting hidden patterns in the hospital data that indicate when people are becoming ill. It also appears to be really good at anticipating the onset of schizophrenia, a very difficult disease for physicians to predict. But the people behind Deep Patient do not yet understand why Deep Patient seems to be good at predicting schizophrenia and do not understand how it works.
“We have no idea how algorithms arrived at their decision and therefore cannot evaluate whether the decision has value or not,” said Vermeys, whose research institution is studying the issue of algorithmic bias. “There is a risk to relying completely on machines without necessarily understanding its reasoning.”
No human is completely objective, and so it is with algorithms as they have been programmed by programmers, noted Ian Kerr, a law professor at the University of Ottawa and the Canada Research Chair in Ethics, Law and Technology. Programmers operate on certain premises and presumptions that are not tested by anybody else which leads to results based on those premises and presumptions which in turn gives rise to bias, added Kerr.
On top of that it is very difficult to challenge such decisions because “whoever owns the algorithms has trade secrets, isn’t likely to show you the source code, isn’t likely to want to talk about the secret source and what makes the algorithm work,” said Kerr. “What justifies the algorithm is its success or perceived success which is very different from whether or not it operates in biased ways.”
Aaron Courville, a professor with the Montreal Institute for Learning Algorithms, shares those concerns. “We are really in a phase where these algorithms are starting to do interesting things, and we need to take seriously the issues of responsibility,” said Courville.
Europe is taking a serious look at these issues. Under the European Union’s new General Data Protection Regulation (GDPR), automated individual decision-making that “significantly affect” users will be restricted, argue Bryce Goodman of the Oxford Internet Institute and Seth Flaxman of the University of Oxford’s Department of Statistics in a paper. Expected to be in force in 2018, the GDPR will also effectively create a “right to explanation,” according to the authors. In other words, users can ask for an explanation of algorithmic decision that was made about them.
“This is where Europe and the U.S. go wild in their disagreements,” explained Kerr, who has also written about the issue of a right to explanation. “Europe starts with this principled approach that makes sense. If a decision is about me and it has sort of impacts on my life chances and opportunities, I should be able to understand how that decision was made. It invokes large due process concerns.
“The due process idea is that no important decision should be made about me without my own ability to participate. I have a right to a hearing. I have a right to ask questions. So all of these kinds of rights are kind of bound up in this notion of the duty to an explanation. And the hard thing is that an algorithm isn’t in the habit of explaining itself, which means that if that kind of law prevails then people who use algorithms and design algorithms will have to be a lot more forthcoming about the mechanisms behind the algorithm.”
Further reading:
Machine bias: There’s software used across the country to predict future criminals. And it’s biased against blacks by ProPublica, an American independent, nonprofit news organization.
Chief Justice John Roberts is a Robot by University of Ottawa law professor Ian Kerr.
European Union regulations on algorithmic decision-making and a “right to explanation” by researchers Bryce Goodman and Seth Flaxman.And for the technologically-inclined:Mastering the Game of Go with Deep Neural Networks and Tree Search by David Silver, the lead researcher on the AlphaGo project. -
Montreal AI chatbot helps people immigrate to Quebec
Days after U.S. President Donald J. Trump issued a controversial executive order that barred refugees and temporarily suspended immigration from several predominantly Muslim countries, Amir Moravej and his team decided to lend a helping hand and launched an artificial intelligence immigration chatbot months ahead of schedule.
The sweeping executive order, since rescinded by the courts, led to global chaos as it barred many passengers from flights to the United States, including one of Moravej’s team members. “He had an interview scheduled but couldn’t go to the U.S.,” explained Moravej. “And there were other students who planned to continue their studies in the U.S. but because of the policy changes had to stay here. So we decided to accelerate the launch to help students who are currently in Quebec to get their permanent residency.”
The AI-driven chatbot uses machine learning to assist people through the complicated process of putting together an immigration application. Immigration into Canada and Quebec (which has different programs in place) is a laborious three-step process. Applicants must determine if they are eligible, then must provide supporting documents, and finally fill out an application form, which in itself can be tricky.
That’s where the web-based application at Botler.ai can come into play. It automatizes much of the process. After an applicant answers questions about their qualifications and circumstances, Botler assesses if they are eligible for the immigration program. If so, the applicant can then upload the documents which the AI tool reads and reviews. If all goes well, Botler automatically fills out the application form based on the information the applicant has provided.Botler does more. If for whatever reason the applicant does not meet the immigration eligibility requirements, the AI tool can provide the applicant with “feedback and insights” and steps the candidate can take to take to become eligible, noted Moravej. And it learns and becomes “smarter” as it goes along because it uses deep learning, particularly for document reviews. The machine learns through recognized patterns based on the data it previously “saw,” explained Moravej. That is particularly useful as Botler has the potential of recognizing forged documents.
“There are two things the machine can learn,” explained the Iranian-born developer. “First of all, it learns the profile of the user such as his experience and his educational background – all these things the machine can understand. And the machine can understand the rules of immigration and can determine if you are eligible or not. All these things are basically a decision-making process, and computers are very good at making decisions because they can calculate way more possibilities than us as humans. And it will get smarter as it sees more immigration cases.”
Moravej, who developed Botler out of personal necessity, maintains that the chatbot will not replace lawyers. Indeed, Nonimo A&A Technologies, the nascent firm behind Botler, are working with Montreal law firm Campbell Cohen. Nonimo trains the machine, and the lawyers test it to ensure that Botler covers all cases and captures all of the exceptions.“Botler can augment what lawyers are doing and make their lives easier as it automates many things that lawyers are doing manually right now,” Moravej told me. “As a result, lawyers can process and can represent more clients because many of the tasks that they have to do manually can be automated using Botler. At the end of the day, a lawyer needs to represent a client before the government so Botler can in no sense replace a lawyer.”
At present, Botler can handle only a single immigration program – the Programme de l’expérience québécoise (PEQ) for foreign workers and students residing in Quebec. As of the beginning of April, 1,752 applicants used Botler to assess their eligibility, and Moravej said that 438 applicants will either be eligible or will become eligible to apply for PEQ, if they can resolve minor issues with their cases. In the near future, Moravej intends to adapt the technology to encompass other federal and provincial immigration programs.
Across the Atlantic, a Stanford University student in Oxford, England Joshua Browder has embarked on a similar venture. The London-born developer and creator of DoNotPay, a chatbot that has overturned 160,000 parking fines in England, recently turned his sights on helping refugees claim asylum. The chatbot, which uses Facebook Messenger, helps refugees fill in immigration applications in the U.S. and Canada, and it helps those in the United Kingdom apply for asylum support. Like Botler, the chatbot asks applicants a series of questions to determine which application the refugee needs to fill out and assesses whether the refugee is eligible for asylum protection under international law.
Both Moravej’s and Browder’s chatbot are the latest examples of online AI-powered tools that can expedite access to justice, an issue that has befuddled the legal profession for decades. “These tools that are now coming online are such a great opportunity to unlock access to justice, which is such a prevalent need in our society,” said Matthew Peters, national innovation leader at McCarthy Tétrault LLP in Toronto. “You have this whole huge swath of people in the middle class and all sides who quite frankly have (been the subjects of) a disservice from our profession who have not provided proper access to justice. We should be focusing on how fast can we get some of these solutions out.”
Jin Ho Verdonschot, a justice technology architect at HiiL Innovating Justice too believes that AI holds much promise at providing greater opportunities for access to justice. “Artificial intelligence is a very good example of one of the many innovations now happening in the legal services world,” Verdonschot said at a conference held in Montreal last fall. “There are so many tools that (that are) emerging and being developed that will have real value and can really empower our citizens. And I think AI will have a place in that future.”
-
A third of large law firms hacked
Large law firms, though commonly perceived to have stringent cybersecurity procedures in place due to large in-house Information Technology staff and devoted legal IT budgets, are in fact more vulnerable to cyber-attacks than smaller ones, with one in three the target of a cyber-attack over the past year, according to a legal benchmarking report on law firms from the United Kingdom.
The report by NatWest reveals that 24 per cent of all U.K. law firms suffered a cyber-attack over the past year, 16 per cent of whom were small firms (generating fees of less than $3.75 million), 31 per cent large ones (generating fees between $3.75 million and $8.3 million), and 28 per cent very large firms (generating over $8.3 million in fees).
“The fact that a quarter of law firms have been hit by a cyber-attack or fraud over the last 12 months is bad,” noted Steven Malone, Director of Security Management at Mimecast, an IT consultant. “But what is worse is that this is only half the story. Our research reveals that 20 per cent of UK organizations have experienced impersonation attacks (which involve hackers assuming the identity of executives) from their legal departments last year.”
These findings somewhat echo those yielded by the American Bar Association’s latest Legal Technology Survey Report. It found that 26 per cent of firms with 500 or more lawyers reported security breaches in the past year, followed by 25 per cent of law firms with 10-49 lawyers, 20 per cent of law firms with 100-499 lawyers, and 11 per cent of law firms with two-to-nine employees. Solos are the least likely to experience security breaches, with only eight per cent reporting that they have been breached.
The NatWest report does not put a dollar figure to the losses incurred by law firms following a security breach, but it suggests that some of the law firms incurred financial losses and potentially reputational damage. “There is huge pressure on firms to be ever more diligent and to ensure that they have a disaster recovery plan in place,” said the report.
The Solicitor’s Regulation Authority (SRA), which regulates solicitors in England and Wales, revealed recently that approximately $11.5 million of client’s money were siphoned last year thanks to cyber-attacks on law firms. The majority, three-quarters, of cybercrimes reported to the SRA involved some form of “Friday afternoon” fraud where criminals modified emails directly, usually by hacking into the email system of a lawyer. Criminals aim to alter bank details in order to redirect completion funds to the criminal rather than the client. Such scams usually take place on Fridays because that is the time when completions take place, and it buys the fraudster some time before the crime is detected.
Law firms, as custodians of confidential information, are also increasingly becoming targets by those looking for competitive intelligence, according to experts. The case of three men charged with insider trading based on information they hacked from prominent US law firms “should serve as a wake-up call for law firms around the world”, said Preet Bharara, the former US Attorney for the Southern District of New York. “You are and will be targets of cyber hacking because you have information valuable to would-be criminals.”
Part of the problem is that law firms are not laying the basic groundwork to prevent security breaches, according to consulting firm ALM Intelligence. There are three fundamental stages of data security – assessment, planning and testing. That involves understanding data security needs and risk-profiling data accordingly, then implementing solutions on needs and profile, and finally – and critically — testing to ensure an effective response in case of breach. While 77 per cent of law firms have conducted a formal security assessment and 66 per cent have a data breach plan in place, a scant 46 per cent have tested their cybersecurity plans.
“Many firms’ confidence in their own cyberattack preparedness seems misguided,” said Daniella Isaacson, co-author of the report. “Our research indicates that most remain surprisingly unprepared for the threat. Many, for example, never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan.”
But pressure from clients to deal with cybersecurity is mounting. Some 70% of law firms surveyed by ALM Intelligence said they are under pressure from their clients to beef up internal data security. If law firms shrug off pressure from clients, it will be much more difficult to ignore impending changes to Canada’s privacy legislation.
The Digital Privacy Act, which amends the Personal Information Protection and Electronic Documents Act (PIPEDA), came into force in June 2015. But regulations regarding breach reporting, notification, and record keeping have yet to come into force. They are however expected to come into force sometime this year, said Imran Ahmad, who heads the cybersecurity law practice at Miller Thomson LLP.
The impending changes will require custodians of data, including law firms, to report information security breaches where an organization “reasonably believes” that a breach of its security measures” creates a real risk of “significant harm” to an individual, said Ahmad. This assessment hinges on the sensitivity of the personal information that was compromised, the probability that the personal has been, is being or will be used as well as “any other prescribed factor,” added Ahmad.
Organizations such as law firms should therefore conduct a review of their existing protocols and policies to ensure that they have the ability to detect, respond and report data breach incidents. And they should also assess the types of information they hold, be it personal information, intellectual property or supplier data.
“Organizations should take steps to ensure compliance and make sure to document them appropriately,” said Ahmad.
-
Ashley Madison agrees to US$1.7 million settlement
A month after the parent company of the controversial adult dating website Ashley Madison settled a complaint with the U.S. Federal Trade Commission and state charges over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices, the firm is now trying to thwart 20 class actions against it by invoking online arbitration agreements the plaintiffs signed when they subscribed to its matchmaking services. -
Early days for fintechs in Canada
It was an engrossing week, and the latest evidence that the Canadian world of finance was being upended by the emergence of nimble players using new technologies to offer cutting-edge financial products and services.
-
The sharing economy: A Pandora box for legal protection insurers
The practice of law is under duress. Legal service innovations driven by digitalization and globalization are propelling seismic change. So too is the emergence of the sharing economy model which has taken the world by storm. Novel ways of delivering new products and services are seemingly materializing daily to satisfy increasingly demanding and fickle consumers. The rapidly evolving landscape is putting a strain on traditional business models, while governments and regulatory authorities are scrambling to keep up with the dizzying pace of change. But with change comes challenges – and opportunities – for legal service providers and legal protection insurers alike, all of which was explored at a conference held in Montreal recently by the International Association of Legal Protection (RIAD).
Categories: Business, Features, Financial services, Internet, Legal business, Legal Practice ManagementTags: sharing economy -
Quebec financial watchdog warns consumers over P2P insurance
Stung by criticism that it has at times acted too late to stop unsound practices, Quebec’s financial watchdog recently warned consumers to be wary of peer-to-peer insurance offerings even though the digital sharing platform has yet to make a formal entrance in Canadian soil. -
Quebec plans to order ISPs to block unlicensed gaming sites
A controversial bill tabled by the Quebec government that will compel Internet service providers to block unlicensed gambling websites is an expensive, futile, and unconstitutional endeavour that raises concerns about the neutral role of Internet providers, according to gaming and telecommunication experts.
The proposed legislation, tabled last November, will amend the province’s Consumer Protection Act and require Internet service providers (ISPs) to “block access” to a list of “unauthorized gambling sites” that will be drawn up by Loto-Québec, a government agency that operates and develops lotteries in the province. Internet service providers face steep fines — up to $100,000 and twice that amount for subsequent offences — if they fail to comply.
“It is absolutely urgent that anyone looking at this oppose this,” remarked Bram Abramson, the chief legal and regulatory officer at TekSavvy, an independent Canadian ISP. “Clearly it would establish precedence. It would be the first time that any Canadian government has ordered ISPs to routinely block content and to engineer our networks in such a way as to be able to block content in this routine manner. That’s not the kind of Internet that Canadians want.”
The contentious plan is being closely watched by other provinces who have, with the exception of Saskatchewan, online gaming offerings. Like Quebec, British Columbia, Manitoba and Ontario offer a full slate of online casino-style gambling while the Atlantic Lottery Corp. which oversees gaming for New Brunswick, Newfoundland and Labrador, makes lottery tickets and sports betting available on the Internet. Much is at stake. H2 Gambling Capital, a leading supplier of gambling data and market intelligence, predicts that the value of the global online casino and bingo market will surge to approximately US$13.5 billion by 2018, representing a compound annual growth rate of more than 10 per cent from 2014. The Quebec government predicts that by directing online gambling to its own website, Espacejeux, that it will bring in an additional $13.5 million in revenues in 2016-17, and $27 million annually after that.
“The landscape for gaming in Canada is going to change very shortly,” predicted renown Montreal gaming lawyer Morden Lazarus. “The provinces have decided that they want to get into online gaming and they want to be able to generate these revenues for their own benefit. The Quebec government is leading the charge.”
The Quebec initiative however will likely end up before the courts, according to legal observers. Quebec is moving forward under the guise of improving public health. According to the 2015-16 Quebec budget, “illegal websites do not apply the same responsible gaming rules as Espacejeux,” and that poses a risk to the population, especially young people. Since it will enact the new provisions under the Quebec Consumer Protection Act, the provincial government is also expected to argue that establishing a firewall to prevent online gaming competitors is a matter of consumer protection, which falls under the jurisdiction of provinces.
But industry observers don’t buy that reasoning. The Quebec bill clearly breaches federal jurisdiction over telecommunications, pointed out Chris Tacit, a telecommunications lawyer based in Ottawa. It also appears to infringe s. 36 of the federal Telecommunications Act, which prevents Canadian carriers from controlling the content or influencing the meaning or purpose of telecommunications, added Tacit. “What is an ISP supposed to do it if it is ordered to block unlicensed gambling websites by the Quebec government which under s.36 of the Telecommunications it is prohibited from doing,” asked rhetorically Tacit. “It is an untenable situation. This can only lead to litigation.”
ISPs are “content neutral” utilities that simply provide access to a service, and are not in the business of picking and choosing what Canadian consumers should have access to, added Abramson. If the Quebec initiative goes unchallenged, Abramson fears that other provinces may follow suit and would be emboldened to establish different telecommunication regulatory rules that would likely differ from one province to another. “I have no doubt that if this were allowed to proceed, other provinces will follow,” said Abramson.
Critics also point out that the proposed legislative scheme amounts to censorship, likely infringes the Canadian Charter of Rights and Freedoms, and sets a dangerous precedent. The bill would unlikely be able to survive a freedom of expression challenge, and Quebec would have a hard time arguing that compelling ISPs to block unlicensed gambling websites is a reasonable limitation. “Just imagine it wasn’t about gambling,” observed Timothy Denton, a CRTC commissioner from 2008-2013. “Suppose it was about being unable to reach controversial political websites, people would be up and screaming about it. But because it concerns the vice of gambling, it’s more defendable in public.” Or as Tacit pointed out, if the Quebec government can get away with blocking online gaming websites, “what lays next?”
The lack of clarity in the bill also poses problems, said gaming lawyer Stuart Hoegner. Bill 74 does not define what wagers and bets are. Nor does it spell out whether the definition will be identical to the one found in the Criminal Code of Canada or whether the Quebec government will forge ahead and establish a new definition of wagers and bets. And while the bill plainly states that an ISP may not “give access” to an online gambling site whose operation is not authorized under Quebec law, it does not define what the term access means, added Hoegner. “The term access is pretty broad,” remarked Hoegner. “What if an ISP makes good faith efforts to block but a customer circumvents it? Have they violated that provision or is there a safe harbour? We don’t know.”
Forcing ISPs to establish firewalls on unauthorized online gambling sites would also be very expensive because it would require “wholesale changes” to telecommunication networks, said Abramson. “It’s very difficult to do what is being asked because in many cases telecommunication networks do not treat Quebec as a distinct network. That would require some re-architecture – and that’s expensive,” explained Abramson. It would also be for naught, given the porous nature of the Internet. Growing numbers of Canadians are becoming increasing familiar with virtual private networks (VPNs) to skirt around intellectual property protections governing websites such as Netflix, and gambling aficionados will not hesitate to dodge restrictions the Quebec government may try to impose on them, added Abramson.
A working group that studied the issue of online gambling for the Quebec government already provided the framework that would allow the Quebec government to recoup more monies from online gambling, without having to resort to ISPs, remarked Lazarus. Ironically the 2014 “Report of the Working Group on Online Gambling” does not recommend the “systematic filtering of illegal websites.” Instead it recommends either the creation of a portal through which private operators can offer online gambling to Quebecers or establishing a licensing system, which is favoured by many jurisdictions around the world.
Under the portal model, the Quebec government would be held responsible for the management of online gambling offerings by establishing standards and precise rules in order to comply with s. 207(4)(c) of the Criminal Code, which allows only for provinces to set up and operate a lottery or game of chance on or through a computer. Under the portal model the government would also have to define gaming compliance rules, the rate of returns, the types of games offered, and security measures pertaining to fraud and money laundering. “Going the ISP route will cause more anguish and more issues more than anything else,” said Lazarus. “They should focus on the creating a process where online gaming providers provide managed services to the province, and all of the activity will go through the provincial government’s portal.”
In the meantime, the Quebec government can expect ISPs to fight back if they follow through with their controversial proposal. “This has not made the Quebec government popular among a lot of telecommunication providers,” said Abramson. “It is just a very surprising initiative, especially one that is so clearly outside their jurisdiction, that is so expensive, and likely to be ineffective.”
-
Quebec intends to introduce new sign regulations following appeal court decision
In a major victory for international retailers such as Best Buy, Costco, Gap, and Wal-Mart, the Quebec Court of Appeal confirmed that the Charter of the French Language allows for the use of non-French trademarks on storefront or public signs and advertising in the province, so long as no equivalent French trademark has been registered.A five-judge Court of Appeal panel held, without even hearing arguments from retailers or interveners, that the Charter and its regulations clearly allow the use of a trademark in a language other than French, even if the trademark name is being used as a business name.
