Teresa Scassa - Blog

 

Note: My paper The Surveillant University: Remote Proctoring, AI and Human Rights is forthcoming in the Canadian Journal of Comparative and Contemporary Law. It explores a necessity and proportionality approach to the adoption by universities of remote proctoring solutions. Although the case discussed in the post below addresses a different set of issues, it does reflect some of the backlash and resistance to remote proctoring.

In 2020, the remote AI-enabled exam proctoring company Proctorio filed a copyright infringement and breach of confidence lawsuit against Ian Linkletter, a BC-based educational technologist. It also obtained an interim injunction prohibiting Linkletter from downloading or sharing information about Proctorio’s services from its Help Center or online Academy. Linkletter had posted links on Twitter to certain ‘unlisted’ videos on the company’s YouTube channel. His tweets were highly critical of the company and its AI-enabled exam surveillance software. He responded to the suit and the interim injunction with an application to have the underlying action thrown out under BC’s Protection of Public Participation Act (PPPA). This anti-SLAPP (strategic litigation against public participation) statute allows a court to dismiss proceedings that arise from an expression on a matter of public interest made by the applicant. On March 11, 2022, Justice Milman of the BC Supreme Court handed down his decision rejecting the PPPA application.

Linkletter first became concerned with Proctorio (a service to which the University of British Columbia subscribed at the time) after a University of British Columbia (UBC) student had her chat logs with Proctorio published online by the company after she complained about the service she received during an exam. In order to learn more about Proctorio, Linkletter developed a ‘sandbox’ course for which he was the instructor. This enabled him to access Proctorio’s online Help Center and its ‘Academy’ via UBC. These sites provide information and training to instructors. The Help Center had a number of videos available through YouTube. The URLs for these videos were unlisted, which meant that they were not searchable through YouTube’s site, although anyone with the link could access the video. Mr. Linkletter posted some of these links to Twitter, expressing his concerns with the contents of the videos. The company disabled the links, and created new ones. Linkletter also posted a screenshot of the Academy website with a message indicating that the original links were not available.

Justice Milman did not hesitate to find that the applicant had expressed himself on a matter of public interest. He noted that the software adopted by UBC “has generated controversy, there and elsewhere, due to concerns about its perceived invasiveness and what is thought by some to be its disparate and discriminatory impacts on some students.” (at para 3). The onus shifted to the respondent Proctorio to demonstrate the substantial merit of its proceedings, the lack of a valid defence by the applicant, and the seriousness of the harm it would suffer relative to the public interest in the expression. The threshold to be met by Proctorio was to demonstrate “that there are grounds to believe that its underlying claim is legally tenable and supported by evidence that is reasonably capable of belief such that the claim can be said to have a real prospect of success” (at para 56).

Proctorio’s lawsuit is essentially based on three intellectual property claims. The first of these was a breach of confidence claim relating to the unlisted YouTube video links. To succeed with this claim, the information at issue must be confidential; the circumstances under which it was communicated must give rise to an obligation of confidence; and the defendant must have made unauthorized use of the information to the detriment of the party communicating it. Justice Milman found that the respondent met the threshold of ‘substantial merit’ on this cause of action.

What Linkletter posted publicly on Twitter were links to videos. Proctorio claimed that it was these videos (along with a screen shot of a message on its Academy website) that were the confidential information it sought to protect. Although there are a number of factors that a court will take into account in assessing the confidentiality of information, the information must have a confidential nature and the party seeking to protect it must have taken appropriate steps to protect its confidentiality.

Unlisted YouTube video links are not publicly searchable, yet anyone with the link can access the content – and YouTube’s terms of service permit the sharing of unlisted links. However, Justice Milman found that Linkletter accessed Proctorio’s videos (and their links) via Proctorio’s website, which had its own terms of service to which Linkletter had clicked to agree. Those terms prohibit the copying or duplication of the materials found in their Help Centre – although they do not identify any of the content as confidential information. Canadian courts have found users of websites to be bound by terms of service regardless of whether they have read them; it is not a stretch to find that Linkletter had a contractual obligation not to share the contents. However, when it comes to taking the steps necessary to protect the confidentiality of information, one can question whether terms of service buried in links on a website – and that do not specifically identify the material as confidential – constitute a confidentiality or non-disclosure agreement. There was evidence that much of the material could be found elsewhere on the internet. It was also available to tens of thousands of instructors who were given access to the site at the discretion of university clients, not Proctorio. Justice Milman noted that “none of the videos stated on their face that they were commercially sensitive or should be kept from public view” (at para 64). He also found that “the choice to make them available on a public platform like YouTube when more secure options could have been used, dilutes the strength of Proctorio’s case” (at 64). In these circumstances, the court’s ruling that the confidential information claim had sufficient merit seems generous. In order to make out a claim of breach of confidence, it is also necessary for the plaintiff to show that the defendant made use of the information to the company’s detriment. 
Although the information was used to criticize the company, it is hard to see how Proctorio suffered any real damage particular to this breach of confidence. Much of the content was available through other sources, and the court described the company’s assertions that the videos could permit students to game their algorithms or could reveal their algorithmic secrets to competitors as ‘speculative’. Nonetheless, Justice Milman found enough here to satisfy Proctorio’s onus to repel the PPPA application.

The copyright infringement argument depended upon a finding that the sharing of a hyperlink amounted to the sharing of the content that could be accessed by following the link. In spite of the fact that there is Canadian case law that suggests that sharing hyperlinks is not copyright infringement, Justice Milman was prepared to distinguish these cases. He found it significant that the materials were not publicly available except to those who had access to the links; sharing the links amounted to more than just pointing people to information otherwise available on the internet. Having found likely infringement, Justice Milman next considered available defences. He found that Linkletter did not meet the test for fair dealing as set out by the Supreme Court of Canada in CCH Canadian. It was conceded by Proctorio that Linkletter passed the first part of the fair dealing test – that the dealing was for a purpose listed in ss. 29, 29.1 or 29.2 of the Copyright Act. Presumably it was for the purposes of criticism or comment, although this is not made explicit in the decision. In assessing the fair dealing criteria, however, Justice Milman found that Linkletter’s circulation of the links on social media militated against fair dealing, as did the fact that anyone who followed the link had access to the full work.

On ‘alternatives to the dealing’, Justice Milman noted that rather than share the videos publicly, Linkletter could have reported on what he saw in the videos (although he earlier had found the videos (or the links to the videos – it is not entirely clear) to be confidential information). He could also have referred to other publicly available sources on the contents of the videos to make his point. On the issue of the nature of the work, Justice Milman found that the works were confidential (thus working against a finding of fair dealing) “even if most of the information in the videos was already available elsewhere on the internet”. Oddly, then, the fair dealing analysis not only underscores the fact that the material was largely publicly available, it suggests that an alternative to providing links to the videos was to discuss their contents freely. This suggests that the issue was not really the confidentiality of the content, but the fact that Linkletter had breached contractual terms of service in order to provide access to it.

On the final fair dealing criterion, the effect of the dealing on the work, Justice Milman found that by making the videos available through their links, “Mr. Linkletter created a risk that Proctorio’s product would be rendered less effective for its intended purposes (because students could more easily anticipate how instructors can configure the settings) and its proprietary information more readily available to competitors.” (at para 112). He conceded that this risk was ‘speculative’ given the amount of information about Proctorio’s services already in the public domain. Justice Milman found that, on balance, the fair dealing defence was not available to Linkletter. He also found that the defence of ‘user-generated content’ was not applicable.

Justice Milman declined to find that there had been circumvention of technical protection measures by Linkletter. He found that Linkletter had gained access to the materials by legitimate means. His subsequent copyright infringing acts were carried out without avoiding, bypassing, removing, deactivating or impairing any effective technology, device or component as required by s. 41.1 of the Copyright Act.

The final element of the test under the PPPA is that the interest of the plaintiff in carrying on with the action must outweigh its deleterious effects on expression and public participation. Justice Milman found that this test was met, notwithstanding the fact that he also found that the “corresponding harm that Proctorio has been able to demonstrate is limited” (at para 124). He found that the risks identified by Proctorio of students circumventing its technology or competitors learning how its software worked were “unlikely to materialize”. Nonetheless, he found that Linkletter’s actions “compromised the integrity of its Help Center and Academy screens, which were put in place in order to segregate the information made available to instructors and administrators from that intended for students and members of the public” (at para 126). He credited the interim injunction for limiting the adverse impacts in this regard. However, he was critical of the broad scope of that injunction and narrowed it to ensure that Linkletter was not enjoined from sharing or linking to content available from public sources. Justice Milman also noted that Linkletter remained free to express his views, as have been others who have also criticized Proctorio online.

The breach of copyright and breach of confidence claims in this case are weak, although their consideration is admittedly superficial given that this is not a decision on the merits. The court found just enough in the copyright and breach of confidence claims to keep them on the right side of the PPPA. Clearly Proctorio objects to the provision of direct public access to its instructional videos beyond the tens of thousands of instructors who have access to them each year – and who are apparently otherwise free to discuss their content in public fora. In this case, Proctorio quickly mitigated any harm by changing the links in question. It could also deny Linkletter access to its services on the basis that he breached the terms of use, and can better protect its content by no longer providing it as unlisted content on YouTube. The narrowed injunction leaves Linkletter free to criticize Proctorio and to link to other publicly available information on the internet. In the circumstances, even if the underlying lawsuit is not a SLAPP suit, as Justice Milman concludes, it is hard to fathom why it should continue to consume scarce judicial resources.

Published in Copyright Law
Tuesday, 17 April 2018 08:50

New Study on Whistleblowing in Canada

Earlier this year, uOttawa’s Florian Martin-Bariteau and Véronique Newman released a study titled Whistleblowing in Canada. The study was funded by SSHRC as part of its Knowledge Synthesis program. The goal of this program is to provide an incisive overview of a particular area to synthesize key research and to identify knowledge gaps. The report they have produced does just that. Given the timeliness of the topic (after all, the Cambridge Analytica scandal was disclosed by a whistleblower), and the relative paucity of legal research in the area, this report is particularly important.

The first part of the report provides an inventory of existing whistleblower frameworks across public and private sectors in Canada, including those linked to administrative agencies. This on its own makes a significant contribution. The authors refer to the existing legislative and policy framework as a “patchwork”. They note that the public sector framework is characterized by fairly stringent criteria that must be met to justify disclosures to authorities. At the same time, there are near universal restrictions against disclosure to the broader public. The authors note that whistleblower protection in the private sector is relatively thin, with a few exceptions in areas such as labour relations, health and environmental standards.

The second part of the report identifies policy issues and knowledge gaps. Observing that Canada lags behind its international partners in providing whistleblower protection, the authors are critical of narrow statutory definitions of whistleblowing, legal uncertainties faced by whistleblowers, and an insufficient framework for the private sector. The authors are also critical of the general lack of protection for public disclosures, noting that “internal mechanisms in government agencies are often unclear or inefficient and may fail to ensure the anonymity of the whistleblower” (at p. 5). Indeed, the authors are also critical of how existing regimes make anonymity difficult or impossible. The authors call for more research on the subject of whistleblowing, and highlight a number of important research gaps.

Among other things, the authors call for research to help draw the line between leaks, hacks and whistleblowing. This too is important given the different ways in which corporate or government wrongdoing has been exposed in recent years. There is no doubt that the issues raised in this study are important, and it is a terrific resource for those interested in the topic.

Published in Privacy

 

The Federal Court has released a decision in a case that raises important issues about transparency and accountability under Canada’s private sector privacy legislation.

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs privacy with respect to the collection, use and disclosure of personal information by private sector organizations. Under PIPEDA, individuals have the right to access their personal information in the hands of private sector organizations. The right of access allows individuals to see what information organizations have collected about them. It is accompanied by a right to have incorrect information rectified. In our datified society, organizations make more and more decisions about individuals based upon often complex profiles built with personal information from a broad range of sources. The right of access allows individuals to see whether organizations have exceeded the limits of the law in collecting and retaining personal information; it also allows them the opportunity to correct errors that might adversely impact decision-making about them. Unfortunately, our datified society also makes organizations much more likely to insist that the data and algorithms used to make decisions or generate profiles, along with the profiles themselves, are all confidential business information and thus exempt from the right of access. This is precisely what is at issue in Bertucci v. Royal Bank of Canada.

The dispute in this case arose after the Bertuccis – a father and son who had banked with RBC for 35 and 20 years respectively, and who also held business accounts with the bank – were told by RBC that the bank would be closing their accounts. The reason given for the account closure was that the bank was no longer comfortable doing business with them. Shortly after this, the Bertuccis made a request, consistent with their right of access under PIPEDA, to be provided with all of their personal information in the hands of RBC, including information as to why their bank accounts were closed. RBC promptly denied the request, stating that it had already provided its reason for closing the accounts and asserting that it had a right under its customer contracts to unilaterally close accounts without notice. It also indicated that it had received no personal information from third parties about the Bertuccis and that all of the information that they sought was confidential commercial information.

RBC relied upon paragraph 9(3)(b) of PIPEDA, which essentially allows an organization to refuse to provide access to personal information where “to do so would reveal confidential commercial information”. On receiving RBC’s refusal to provide access, the Bertuccis complained to the Office of the Privacy Commissioner. The OPC investigated the complaint and ultimately sided with RBC, finding that it was justified in withholding the information. In reaching this conclusion, the OPC relied in part on an earlier Finding of the Privacy Commissioner which I have previously critiqued, precisely because of its potential implications for transparency and accountability in the evolving big data context.

In reaching its conclusion on the application of paragraph 9(3)(b) of PIPEDA, the OPC apparently accepted that the information at issue was confidential business information, noting that it was “treated as confidential by RBC, including information about the bank’s internal methods for assessing business-related risks.” (at para 10)

After having their complaint declared unfounded by the OPC, the applicants took the issue to the Federal Court. Justice Martineau framed the key question before the court in these terms: “Can RBC refuse to provide access to undisclosed personal information it has collected about the applicants on the grounds that its disclosure in this case would reveal confidential commercial information” (at para 16)

RBC’s position was that it was not required to justify why it might close an account. It argued that if it is forced to disclose personal information about a decision to close an account, then it is effectively stripped of its prerogative to not provide reasons. It also argued that any information that it relied upon in its risk assessment process would constitute confidential business information. This would be so even if the information were publicly available (as in the case of a newspaper article about the account holder). The fact that the newspaper article was relied upon in decision-making would be what constituted confidential information – providing access to that article would de facto disclose that information.

The argument put forward by RBC is similar to the one accepted by the OPC in its earlier (2002) decision which was relied upon by the bank and which I have previously criticized here. It is an argument that, if accepted, would bode very ill for the right of access to personal information in our big data environment. Information may be compiled from all manner of sources and used to create profiles that are relied upon in decision-making. To simply accept that information used in this way is confidential business information because it might reveal how the company reaches decisions slams shut the door on the right of access and renders corporate decision-making about individuals, based upon the vast stores of collected personal information, essentially non-transparent.

The Bertuccis argued that PIPEDA – which the courts have previously found to have a quasi-constitutional status in protecting individual privacy – makes the right of access to one’s personal information the rule. An exception to this rule would have to be construed narrowly. The applicants wanted to know what information led to the closure of their accounts and sought as well to exercise their right to have this information corrected if it was inaccurate. They were concerned that the maintenance on file of inaccurate information by RBC might continue to haunt them in the future. They also argued that RBC’s approach created a two-tiered system for access to personal information. Information that could be accessed by customers whose accounts were not terminated would suddenly become confidential information once those accounts were closed, simply because it was used in making that decision. They argued that the bank should not be allowed to use exceptions to the access requirement to shelter itself from embarrassment at having been found to have relied upon faulty or inadequate information.

Given how readily the OPC – the guardian of Canadians’ personal information in the hands of private sector organizations – accepted RBC’s characterization of this information as confidential, Justice Martineau’s decision is encouraging. He largely agreed with the position of the applicants, finding that the exceptions to the right to access to one’s personal information must be construed narrowly. Significantly, Justice Martineau found that courts cannot simply defer to a bank’s assertion that certain information is confidential commercial information. He placed an onus on RBC to justify why each withheld document was considered confidential. He noted that in some circumstances it will be possible to redact portions of reports, documents or data that are confidential while still providing access to the remainder of the information. In this case, Justice Martineau was not satisfied that the withheld information met the standard for confidential commercial information, nor was he convinced that some of it could not have been provided in redacted form.

Reviewing the documents at issue, Justice Martineau began by finding that a list of the documents relied upon by the bank in reaching its decision was not confidential information, subject to certain redactions. He noted as well that much of what was being withheld by the bank was “raw data”. He distinguished the raw data from the credit scoring model that was found to be confidential information in the 2002 OPC Finding mentioned above. He noted as well that the raw data was not confidential information and had not, when it was created, been treated as confidential information by the bank. He also noted that the standard for withholding information on an access request was very high.

Justice Martineau gave RBC 45 days to provide the applicants with all but a few of the documents which the court agreed could be withheld as confidential commercial information. Although the applicants had sought compensatory and punitive damages, he found that it was not an appropriate case in which to award damages.

Given the importance of this decision in the much broader big data and business information context, RBC is likely to appeal it to the Federal Court of Appeal. If so, it will certainly be an important case to watch. The issues it raises are crucial to the future of transparency and accountability of corporations with respect to their use of personal information. In light of the unwillingness of the OPC to stand up to the bank both in this case and in earlier cases regarding assertions of confidential commercial information, Justice Martineau’s approach is encouraging. There is a great deal at stake here, and this case will be well worth watching if it is appealed.


Published in Privacy

Citizen science is the name given to a kind of crowd-sourced public participatory scientific research in which professional researchers benefit from the distributed input of members of the public. Citizen science projects may include community-based research (such as testing air or water quality over a period of time), or may involve the public in identifying objects from satellite images or videos, observing and recording data, or even transcribing handwritten notes or records from previous centuries. Some well-known citizen science projects include eBird, Eyewire, FoldIt, Notes from Nature, and Galaxy Zoo. Zooniverse offers a portal to a vast array of different citizen science projects. The range and quantity of citizen science experiences that are now available to interested members of the public are a testament both to the curiosity and engagement of volunteers as well as to the technologies that now enable this massive and distributed engagement.

Scientific research of all kinds – whether conventional or involving public participation – leads inevitably to the generation of intellectual property (IP). This may be in the form of patentable inventions, confidential information or copyright protected works. Intellectual property rights are relevant to the commercialization, exploitation, publication and sharing of research. They are important to the researchers, their employers, their funders, and to the research community. To a growing extent, they are of interest to the broader public – particularly where that public has been engaged in the research through citizen science.

What IP rights may arise in citizen science, how they do so, and in what circumstances, are all issues dealt with by myself and co-author Haewon Chung in a paper released in December 2015 by the Commons Lab of the Wilson Center for International Scholars in Washington, D.C. Titled Best Practices for Managing Intellectual Property Rights in Citizen Science, this paper is a guide for both citizen science researchers and participants. It covers topics such as the reasons why IP rights should be taken into account in citizen science, the types of rights that are relevant, how they might arise, and how they can be managed. We provide an explanation of licensing, giving specific examples and even parsing license terms. The paper concludes with a discussion of best practices for researchers and a checklist for citizen science participants.

Our goal in preparing this report was to raise awareness of IP issues, and to help researchers think through IP issues in the design of their projects so that they can achieve their objectives without unpleasant surprises down the road. These unpleasant surprises might include realizing too late that the necessary rights to publish photographs or other materials contributed by participants have not been obtained; that commitments to project funders preclude the anticipated sharing of research results with participants; or that the name chosen for a highly successful project infringes the trademark rights of others. We also raise issues from participant perspectives: What is the difference between a transfer of IP rights in contributed photos or video and a non-exclusive license with respect to the same material? Should participants expect that research data and related publications will be made available under open licenses in exchange for their participation? When and how are participant contributions to be acknowledged in any research outputs of the project?

In addition to these issues, we consider the diverse IP interests that may be at play in citizen science projects, including those of researchers, their institutions, funders, participants, third party platform hosts, and the broader public. As citizen science grows in popularity, and as the scope, type and variety of projects also expands, so too will the IP issues. We hope that our research will contribute to a greater understanding of these issues and to the complex array of relationships in which they arise.

Note: This research paper was funded by the Commons Lab of the Wilson Center and builds upon our earlier shorter paper: Typology of Citizen Science Projects from an Intellectual Property Perspective: Invention and Authorship Between Researchers and Participants. Both papers are published under a Creative Commons Licence.

 

Published in Copyright Law
