Québec’s Own French Language Open Source Licenses

While doing some work as to open source, I recently came across a section of the list of officially accredited open source licenses that includes 3 licenses Made in Québec. These were apparently created by Québec authorities for their own purposes. Not too surprisingly, the original version of these 3 open source licenses is in French, contrary to most others of this kind.

The official site www.opensource.org now lists these 3 licenses, which I’m linking below to a micro-site created by the Centre de services partagés du Québec called “Forge gouvernementale”. The presentation of the documents on this site is much easier to read than the version posted on opensource.org (which presents the text of each license in a single block of text):

The OSS licenses at issue were created with the government’s software development efforts in mind and (initially) presented in French, though an English translation is available. As with other open source licenses, the goal here is to free source code in the manner that maximizes the users’ rights and the ease with which it may be used and redistributed down the line. If you’re curious (I was), the Québec government published the following FAQ about these licenses.

The first license (LiLiQ-P) is akin to the Apache open source license and, thus, fairly permissive. The code released under this license may be included in other software that is then distributed without having to make it available with the source code and without being required to distribute it through an open source license.

The other 2 licenses (LiLiQ-R and LiLiQ-R+) are relatively similar to somewhat more restrictive licenses such as the MPL license and the LGPL license, requiring that resulting software be made available, including as source code, through a LiLiQ-type license. Another feature of the licenses at issue resides in their reciprocity provisions, generally allowing the combination of LiLiQ code with code made available pursuant to most other open source licenses.

Is anyone really surprised that Québec would want to express how different it is from the rest of Canada (and the world) by creating its own version of an open source license? Eh, why not?

Right to Repair: Yes… Perhaps… Someday

The BBC had a good article on Friday about the right-to-repair movement, starting with the story of a Canadian student turned cellphone repairman, first for himself and then his classmates. It’s worth reading.

We’re hearing more and more about the right to repair, or in any case about a will to try and get manufacturers of electronics to stop the planned obsolescence of their products. Although the movement is starting to make some headway, the trend remains for manufacturers to produce goods as cheaply as possible without giving any thought to allowing for eventual repairs. Today, as it’s been since the 1950s, smart manufacturers want a product that customers are satisfied with and then replace, ideally with the same make. The goal is to create products that are good enough to get good reviews (and accompanying sales) which the typical consumer will not mind upgrading not too far down the line.

Of course, this trend is doing nothing to help the planet, notably because of the natural resources extracted at great cost and quickly sent to landfills once the product gets discarded, often after only 2 or 3 years. Suffice it to say we can do better.

Proponents of the right to repair are pressuring the industry to start changing its model, so as to start making products designed to make repairs easy, but also that CAN be repaired. In practice, this requires making information and parts available to customers who’d rather repair their product than replace it outright.

Europe is making some progress in enacting laws that will start nudging companies in that direction, but we’re seeing little movement on this front in North America. Though Canada briefly contemplated a private bill about the right to repair (in 2019), not much has happened since, notwithstanding the growing demand from consumers.

Finally, on a related note, a friend recently shared a good piece in Wired about the Taylor ice cream machine at McDonald’s restaurants. It seems the machine at issue is imposed on franchisees who wish to offer the McFlurry dessert, along with an onerous maintenance contract and little or no information allowing them to maintain the machine. It seems that franchisees are now attempting to diagnose and better control the machines (including by relying on third-party custom products to do it), which the franchisor’s not too happy about. It’s another good read.

Alleged Flaws in Cellebrite UFED May Allow Throwing Out of Locked Smartphones Evidence

It is inevitable in today’s world that law enforcement sometimes be faced with mobile devices that suspects locked prior to their seizure by authorities. Locking your devices is good common sense security, which goes for you and me and, yes, for criminals. As a result, the police will sometimes need to break encryption on such mobile devices, in order to get to the data within, either for investigative or evidentiary purposes. That’s when tools such as Cellebrite UFED come into play. By using UFED, law enforcement can break into otherwise secure devices, such as iPhone smartphones, and get to the data within.

Unfortunately for the prosecution side, someone recently obtained access to UFED and analyzed its security features, which were found to be, shall we say, lacking. Indeed, according to Moxie Marlinspike (creator of the Signal app), ironically, cybersecurity isn’t exactly UFED’s strong suit. In fact, according to his report, after looking at the product, he believes this tool’s security is so weak that even scanning a boobytrapped device may result in alteration of the data that was or is later extracted using UFED.

In short, in their efforts to secure some evidence, it seems some police forces are using a tool the reliability of which may be called into question. Indeed, if the tool at issue cannot be counted on to provide data that is a reliable record of what really was found in a particular device, should such evidence not be thrown out?

Legally, the fact that a tool used to extract information is prone to tampering may not bode well for convictions obtained on the basis of the resulting evidence at issue, at least if the vulnerabilities reported by Moxie Marlinspike can be substantiated. Some American defense attorneys intend to argue against convictions that were secured by the authorities based on evidence extracted from locked smartphones. This could, for example, require new trials in some cases, etc.

UFED is apparently used by many law enforcement agencies throughout the world. We don’t yet know how many convictions this inconvenient revelation may eventually allow defense attorneys to call into question.

This is yet another good example of the perpetually problematic relationship between cybersecurity and the law.

Québec Court Rejects Privacy-related Class Action Filed After Loss of Laptop

The Québec Superior Court recently rendered judgment in the matter of Lamoureux c. Organisme canadien de réglementation du commerce des valeurs mobilières (2021 QCCS 1093), further to a class action resulting from the loss of a portable computer containing personal information.

Contrary to what often happens with such class actions, this one did make it through the whole process, up to and including an actual judgment on the merits of the case. In the end, the Québec Superior Court rejects the claims, including those for ordinary damages as well as the claim for punitive damages. In doing so, however, the court does provide us with some principles that seem worth remembering.

This case stems from the loss of a portable computer by an employee of the defendant, a non-encrypted device which contained sensitive information about certain individuals. Even though these individuals may have worried and have been somewhat anxious at the thought of having their identities stolen, the court held that this was, in and of itself, insufficient to qualify as a real prejudice at law. As often happens in such cases, the judge found that more was required before the legal system would be required to intervene, including by awarding monetary compensation.

The class representative in this case was also alleging that certain attempts had been made to steal his identity, something more likely to deserve redress by the court. However, the plaintiff was unable to demonstrate causation between the fault of the defendant (in handling his data and the incident at issue) and such attempted identity theft. Given this absence of a causal link between the fault and the alleged damages, the court also rejected this portion of the claim.

Interestingly enough, this case provides us with a good example of the steps taken by an organization faced with a loss of data and which the court validates as appropriate under the circumstances. The defendant organization here performed an adequate inquiry, hired a specialized consultant, notified the privacy authorities, and notified potential victims. The organization also paid for credit-report surveillance services for these individuals, all of which led the Superior Court judge to also reject this final claim (for punitive damages), given that the steps taken were adequate under the circumstances.

Online Censorship: Chloé Zhao’s and Nomadland’s Academy Awards Zapped from the Chinese Web

The New York Times reported this week that China recently tweaked its Great Firewall, systematically blocking and deleting any mention of Chloé Zhao’s win of an Academy Award, along with any mention of her movie Nomadland also winning an Oscar.

As everyone now knows, China has implemented technological measures that allow the country to control what its citizens see when looking at the Web, at search engines or social media. This allows China to sanitize the Internet, ensuring that Chinese citizens are not shown content contrary to the country’s and society’s interests as determined by the Chinese government.

According to The New York Times, Internet users who type a query about Zhao or Nomadland and Oscars in the Chinese search engine Weibo are simply shown a message that reads: “According to relevant laws, regulations and policies, the page is not found.”

The reason Chloé Zhao is thus targeted may relate to a 2013 interview during which she criticized her home country as one where lies were widely circulated.

This is another example of the perils of a country implementing any system allowing the control of information. Once a regime starts in such a direction, for example by eliminating information from enemies of the state, it’s virtually impossible not to keep going until, one day, you’re zapping news about a citizen winning the most prestigious award in cinema based on one interview she gave almost a decade earlier, in which she obliquely referred to this government’s questionable informational practices.

By the way, I saw Nomadland and encourage you to do so as well, not only for the quality of its direction but also for Frances McDormand’s performance.

Canadian Government Angling to Control Content Placed Online, including UGC and Even Apps

As you may recall, since last fall, the Canadian government has been working toward getting its bill C-10 enacted. The bill aims to allow taxing streaming services such as Netflix. Though this may have been the initial impetus behind the introduction of the bill, we’re now seeing that C-10 may also go so far as to allow the regulation of content placed online, including user-generated content, computer games and apps of all kinds. Yes, Canada seems to have decided to shed its laissez-faire attitude toward what’s placed on the Internet.

Indeed, it would now seem that the Liberal government may be trying to broaden bill C-10 so as to grant the CRTC additional powers to regulate whatever is placed online, including (the latest twist in this little legislative soap opera), apps—yes, you read this right: apps. This story is being disseminated by Michael Geist, further to a statement seemingly made by mistake by an MP while commenting on an amendment that has yet to be formally introduced. Apparently, the government may be in the process of making changes to C-10 that would allow the CRTC to regulate not only streaming services, but also some content itself, such as apps made available on the Internet.

Though the government stated it did not intend to try and regulate computer games, it now appears C-10 may, on the contrary, end up allowing the CRTC to regulate software made available through the Internet, a prospect that has many cringing.

From a bill initially justified as a way to simply allow the taxation of streaming services (such as Netflix) in Canada (to level the playing field vs. other ways of making content available to Canadians), we’re now faced with a bill that seems to be transmogrifying into a bill meant to empower the government (through the CRTC) to control what is placed or made available by and to Canadians online. This may end up being extended and/or applied to computer games, content placed on social networks, blog posts, podcasts, etc. Hmm, so much for the CRTC’s 2000 position that it wouldn’t mess with the Internet.

Is it just me or are we faced with a slight drift in the federal government’s recent efforts to try and better control the Internet in Canada? Hmmm—to be continued, unfortunately.

Canada Opts for New Digital Services Tax

The media is reporting that Canada’s 2021 budget which was recently made public includes the idea of implementing a digital services tax (“DST”) that will be imposed on foreign businesses providing digital services to Canadians. This tax will, of course, apply to companies and services such as Netflix, Spotify and Amazon Prime, but also to other businesses that generate revenues through matching sellers with buyers online, dealing with user-generated content, advertisements through online platforms, and selling or licensing user data.

The rate of this new tax would be set at 3% of the income these businesses generate from digital services provided to Canadians. This, the Canadian government believes, will allow Canada to obtain its fair share of the revenues being generated from streaming and online services, which are often provided to Canadians by foreign (usually American) companies.

This new tax will come into effect on January 1, 2022, and is expected to bring in about 500 million dollars per year for the Canadian government. With figures like these, one has to admit it may be hard to resist for a country like Canada.

European Law Makers Targeting AI

The media are reporting this week that Europe’s Parliament tabled legislation yesterday proposing to impose a legal framework on the use of artificial intelligence (“AI”) by businesses. The announcement introduces yet another bill that innovates far beyond what most (if not all) other jurisdictions are currently doing, in this case to regulate AI, which is somewhat akin to Europe’s adoption of the GDPR, on the privacy side, two years ago.

This time around, the proposed legislation seeks to constrain what businesses may do with AI by dividing such systems into 4 categories, based on the level of risk that any such system may carry for the rights and safety of individuals. Even though we can all agree that AI brings with it a great potential to increase efficiency, it also involves substantial risk, in particular as regards violating the rights of individuals, including as to privacy but also as to their security, human rights, etc. Because of these risks, the new European statute proposes a framework meant to curb potential abuses by imposing rules, limits and prohibitions on the worst kinds of AI systems, with a view to avoiding a nightmare scenario in which citizens’ existence comes to be ruled through AI systems that individuals can no longer really control or understand.

In short, Europe wants its citizens to retain confidence in AI, which it proposes doing by imposing a framework over the use of those types of systems. For example, the proposed regulation would prohibit the use of AI systems by organizations which represent an “Unacceptable risk,” while allowing but restricting those that represent a “High risk,” and imposing limited rules and restrictions over those systems that represent merely a “Limited risk” or a “Minimal risk.”

To give you an idea, according to the announcement: “AI systems considered a clear threat to the safety, livelihoods and rights of people [i.e. “Unacceptable risk”] will be banned. This includes AI systems or applications that manipulate human behaviour to circumvent users’ free will (e.g., toys using voice assistance encouraging dangerous behaviour of minors) and systems that allow ‘social scoring’ by governments.”

The proposal would then constrain “High-risk” AI systems, namely “AI technology used in:

Critical infrastructures (e.g., transport), that could put the life and health of citizens at risk;

Educational or vocational training, that may determine the access to education and professional course of someone’s life (e.g., scoring of exams);

Safety components of products (e.g., AI application in robot-assisted surgery);

Employment, worker’s management and access to self-employment (e.g., CV-sorting software for recruitment procedures);

Essential private and public services (e.g., credit scoring denying citizens opportunity to obtain a loan);

Law enforcement that may interfere with people’s fundamental rights (e.g., evaluation of the reliability of evidence);

Migration, asylum and border control management (e.g., verification of authenticity of travel documents);

Administration of justice and democratic processes (e.g., applying the law to a concrete set of facts).”

Again according to the proposal, “High-risk AI systems will be subject to strict obligations before they can be put on the market:

Adequate risk assessment and mitigation systems;

High quality of the datasets feeding the system to minimize risks and discriminatory outcomes;

Logging of activity to ensure traceability of results;

Detailed documentation providing all information necessary on the system and its purpose for authorities to assess its compliance;

Clear and adequate information to the user;

Appropriate human oversight measures to minimize risk;

High level of robustness, security and accuracy.”

Though I am not aware of any similar legislative initiative in Canada at the moment, I think we can safely assume something like this will creep up here as well at some point. As with the GDPR initiative (as to privacy), it is more than likely Europe’s new proposed legislation is going to be imported abroad eventually, including in Canada, to a certain degree.

If you’re curious, this draft legal framework includes 85 articles spread over something like 50 pages—yeah, light reading for the beach this summer, if you see what I mean.

Statutory Damages Awarded for Copyright Infringement Through Summary Proceedings

The Federal Court recently provided us with a decision, in Patterned Concrete Mississauga Inc. v. Bomanite Toronto Ltd. (2021 FC 314), awarding both an injunction and damages through summary proceedings rather than the more complex (and costly) type of pleadings before this court.

The decision at issue stems from the alleged copying by a competitor of certain forms used to contract with customers. Faced with the apparent copying of its forms by a competitor, the plaintiff requested that the Federal Court not only enjoin such copying but also that it grant the petitioner statutory damages. Fortunately for the plaintiff, it successfully proved its employee’s creation of the original forms, coupled with the transition of a long-time employee to the defendant’s organization, which explained how the documents were likely passed between the businesses at issue. Faced with such facts, the judge accepted the plaintiff’s position that its copyrights in those works had been adequately demonstrated, as was the copying by the defendant. The judge did so in the context of summary proceedings which may allow resolution of a claim, before the Federal Court, in months rather than years, at a fraction of the cost.

It seems worth mentioning that the judge did so notwithstanding an attempt by the defendant to set aside the registration certificates obtained by the plaintiff immediately prior to its filing of legal proceedings. Indeed, the judge held such certificates could be taken into consideration upon ascertaining the copyrights of a plaintiff, even in cases where they were obtained concomitantly with the filing of proceedings, especially in the absence of evidence by the defendant contradicting ownership of copyright by the plaintiff, as had been the case here.

The court in this case also easily concluded that the forms at issue qualified as works protected by copyright owned by the plaintiff, notably because of testimony from the actual creator of the original forms. This allowed the court to find infringement, including by side-by-side comparison of the documents at issue, which showed clear acts of reproduction. This allowed the court to award an injunction coupled with statutory damages of $24,000, namely $8,000 for each work that had been copied.

This case is part of a trend showing a growing willingness by the Federal Court to award both injunctions and damages in matters of copyright, even through summary proceedings.

Québec Copyright Infringement Decision About the Photograph of a Sculpture Serves Valuable Lesson Regarding Risk of Relying on a Mere Permission from the Author

A Québec court issued a copyright infringement decision this week which seems worth mentioning even though it’s merely a small claims court decision. Not too surprisingly, the decision at issue, Gadbois v. 2734-3540 Québec Inc. (2020 QCCQ 11186), concludes that a photograph circulated by email did infringe the copyright of the author of the sculpture shown therein. Even though we’re dealing with a small claims decision and a simple fact pattern, the decision seems worth discussing a little this morning, if only for the lesson it serves us as to copyright-related permission.

This decision stems from the holding of a 1995 art exhibition which the organizer then sought to promote through email messages that included a photograph of one of the sculptures shown at the event. Twenty-five (yes, 25) years later, the sculptor sues the organizer of the exhibition for copyright infringement based on the alleged failure of the organizer to obtain his authorization to circulate photographs of his work.

Before the court, the organizer of the event claimed that the sculptor had given his permission, even though the company was unable to produce a copy of the writing through which such an authorization had allegedly been given. Unfortunately for the defendant, this prompted the judge to refuse to even entertain the possibility that permission had been given, something the judge may have been somewhat harsh about.

At any rate, this case illustrates that even though the Copyright Act does not require that reproduction permission be granted in writing (as opposed to assignments), relying on an authorization that was not documented in writing may prove hazardous once in front of a judge. Even though it legally does work, in principle, if litigation occurs, you may not be able to demonstrate adequately that sufficient permission really was granted by this particular author in those particular circumstances.

Even though this decision isn’t exactly revolutionary nor precedent-setting, it does serve as a good reminder that getting copyright permission in writing is a useful precaution, and may well avoid unnecessary litigation later. Failing to do so may well allow the author to later claim they had not in fact consented to whatever was done (such as sending photographs by email) and, thus, that they’re allowed damages because of the copyright infringement.

As to such writings, one should note that they need not be complicated or lengthy documents to prove effective for this purpose. Heck, a simple paragraph (or even one sentence) may sometimes be all you need to show that permission did exist. Contrary to what some may think, such permission need not be described in long-winded documents with numerous complicated provisions. What you want to avoid is simply being involved in eventual litigation where you end up having to testify that the author did authorize you to do X, where the author himself testifies to the contrary—this is not something that will normally require producing complex documentation.

Even though, in the case of Mr. Gadbois’s sculpture, we’re dealing with a fairly insignificant damage award ($1,000), the defendant may well have been better off retaining a writing showing the author’s permission. This decision also shows that such problems may materialize years after the events, like here, with events dating back to 1995. Given how long copyrights remain protected for, failing to document permission may come back to haunt you years and years later—one more reason to avoid this problem, especially through something as cheap and easy as a written permission.