Embed Size (px)
Citation preview
CASL Computer Programs Provisions and Challenges in Specific Vertical Sectors
Michael Fekete (Osler)Howard Fohr (BlackBerry Limited)
April 30, 2014
Key Verticals
2
· Software
· Mobile/Telecom
· Product manufacturing
· Online businesses
Software Vertical - Identifying regulated activities
3
· Pre-installed/embedded software? RIAS: “...the requirements under CASL for the
installation of computer programs only apply to the installation of computer programs on another person’s computer system”
· User initiated installations (e.g., downloads)? RIAS: “CASL will not apply to installations carried
out by persons on their own computing devices.”· Updates and upgrades
What if the installation is carried out by the consumer?
· Installations by IT help desks· Installations on devices in other countries
Identifying Exempt Activities
4
· Law enforcement, protection/defence of Canada, international affairs
· Public safety
Assessing whether the “enhanced disclosure” rules apply
5
· Function listed in s.10(5)
AND
· Knowledge and intent that function will cause the computer system to operate in a manner that is “contrary to the reasonable expectations of the owner or an authorized user of the computer system”
· Operational challenges software products update programs
Applying the knowledge and intent qualifier
6
· Is it reasonable to take into account “reasonableness” overall, including whether:
The function is required for the very services the user signed up to receive?
The function would improve the services? The function would provide some other utility to
the user (outside of the particular software/services at issue)?
The function would have some non-invasive business purpose/utility for the vendor?
· How much information do consumers reasonably want? Do they want to understand the technical details, or do they want it to “just work”?
Deciding whether/when to request consent
7
Reliance on exceptions?
· What “conduct” is required to demonstrate it is reasonable to believe consent has been given
Reliance on 3 year transition provision (s.67)?
Seeking consent to updates and upgrades at the same time as consent for installation/downloading/first use?
Developing strategy for obtaining “CASL-compliant” express consent
8
Can consent be obtained through a licence agreement (if 10(4) not triggered)?
Can consent be obtained through the use of a pre-checked box (e.g., default settings, with user confirmation)?
Can consent be obtained for a “suite” of products?
Can consent to updates and upgrades be mandatory?
Can identity and contact information be provided through links?
Satisfying the Disclosure Rules
9
· Minimum disclosures: Describe the “function and purpose”
· “clearly and simply”· “in general terms”
· Enhanced disclosures:· Describe the “program’s material elements that perform
the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system”
“clearly and prominently” “separately and apart from license agreement” “separately from any other information provided” “acknowledgement in writing... that they understand and
agree”
Proving Consent
10
· CRTC Enforcement Bulletin (2012-548) “The Commission considers that the requirement for
consent in writing is satisfied by information in electronic form if the information can subsequently be verified.”
“Examples of acceptable means of obtaining consent in writing include checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and filling out a consent form at a point of purchase.”
Satisfying the withdrawal of consent rule (s.11(5))
11
· When does obligation to provide an electronic address apply?
Only if program performs a function regulated by s.10(4)?
Exempt if the program is covered by s.10(8)?
· How must contact information be provided?
“Deemed” express consent (s. 10(8))
12
A person is considered to expressly consent to the installation of a computer program if:a) the program is:
i. a cookie,ii. HTML code,iii. Java Scripts,iv. an operating system,v. any other program that is executable only through
the use of another computer program whose installation or use the person has previously expressly consented to, or
vi. any other program specified in the regulations; andb) the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.
“Deemed” express consent for network security & updating a network(IC Reg’s, s. 6(a) & (b))
13
· (a) a program that is installed by or on behalf of a telecommunications service provider solely to protect the security of all or part of its network from a current and identifiable threat to the availability, reliability, efficiency or optimal use of its network;
· (b) a program that is installed, for the purpose of updating or upgrading the network, by or on behalf of the telecommunications service provider who owns or operates the network on the computer systems that constitute all or part of the network;
“Deemed” express consent - Questions for both s. 6(a) & (b) of IC Reg’s
14
· Non-definition of a “network”
· How to identify the “end node” of the network?
· Applicability to not just parts of a network that require a 24/7 ‘live’ connection to a telecommunications service?• E.g. What about a program which could be used in some cases
without active/online wireless connectivity?
“Deemed” express consent - Questions for both s. 6(a) & (b) of IC Reg’s
15
· Definition of “telecommunications service provider”
· Broad?
· Not so broad, due to constitutional limitations? (e.g. applicability of CASL’s computer program provisions to intraprovincial communications?)
“Deemed” express consent - Questions for s. 6(a) of IC Reg’s (network security exemption)
16
· Is a “threat to the availability, reliability, efficiency or optimal use” just:
Malware? Viruses? Software bug? Other?
· What is a “current and identifiable” threat? Threats that are not ‘identifiable’ in addition to
being ‘current’? What about ‘future’ security threats?
· “Solely” – is the exemption available if the program has an additional legitimate purpose in addition to just addressing a ‘security’ threat?
“Deemed” express consent (IC Reg’s, s. 6(c) – correcting a failure)
17
· (c) a program that is necessary to correct a failure in the operation of the computer system or a program installed on it and is installed solely for that purpose.
· “Solely” – is the exemption available if the program provided ‘new’, improved or additional functionality or features, and not “solely” bug fixes?
“Deemed” express consent - Questions for each of s. 6(a), (b) & (c) of IC Reg’s
18
· How to assess whether the person’s conduct is such that they consent to the program’s installation (s. 10(8)(b))?
Additional Compliance Challenges and Solutions – Mobile/Telecom
19
Scenario I: · Initial software updates during “Out Of
Box Experience” (OOBE) for a new BlackBerry 10 device
Out Of Box Experience (OOBE) on BlackBerry 10
- First substantive step after user chooses UI language is acceptance of BlackBerry Solution License Agreement, which indicates software may automatically check for updates and that BlackBerry may make required updates available
OOBE on BlackBerry 10 (cont’d)- The last substantive step before completion of initial setup is a user notice regarding software update as part of the OOBE (most current OS available for relevant carrier/region)
22
Scenario II:
· 3rd Party App Submission Process in BlackBerry World
Additional Compliance Challenges and Solutions – Mobile/Telecom
Step 1: Developer
creates a Vendor
account – after
acceptance of
BlackBerry World
vendor terms, etc
various fields made
available for vendor
to complete.
- These include for
vendor identification
and contact info.
3rd Party App Submission Process in BlackBerry World
Step 1 (cont’d):
fields also made
available for
vendor’s support
email, Privacy Policy
url etc.
3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2: App
submission
process:
Vendor creates
the listing for the
app under their
Vendor account.
3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2 (cont’d): Vendor adds Descriptive text which will be seen by the user
when they view the app in BlackBerry World, prior to download.
Substantial space available in “Long Description” – vendor free to provide
information about the function and purpose of the computer program (or to
provide additional disclosures as may be required by s. 10(4) or (5) of CASL if
the vendor so chooses (presumably ‘separate and apart from the license
agreement’ as it is prior to download).)
3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2 (cont’d):
Vendor adds App
icon and screenshots
3rd Party App Submission Process in BlackBerry World (cont’d)
Step 2 (cont’d): Vendor can
limit the availability of their app
by Carrier and or Country
3rd Party App Submission Process in BlackBerry World (cont’d)
Step 3: End user process:
• Once app accepted for distribution in BlackBerry World, it is made available for users to access in BlackBerry World, either through the user browsing or searching for the desired app
3rd Party App Submission Process in BlackBerry World (cont’d)
Step 3: End user process (cont’d):
• Users goes to the app listing in BlackBerry World, to view the information that the vendor had input about the app
3rd Party App Submission Process in BlackBerry World (cont’d)
• Users chooses to download the app
Step 3 (cont’d): BlackBerry World End user process:
• Users presented with any required permissions sought by app prior to using the software
• (Note: outside of BlackBerry World, once the user is in the app the vendor may also provide its EULA or other notice(s) for acceptance etc).
Step 4: App permissions notice to end user
Additional Compliance Challenges and Solutions – Product Manufacturing
33
· Lack of direct interaction with consumers
Express consent
Exceptions to consent
· Obtaining consent for products with no user interface
· Global marketplace challenges
Additional Compliance Challenges and Solutions – Online Business
34
· Cookies
· Java scripts
· HTML code
