Lift12 Workshop: Lots of Clouds, Stormy Weather for Information Privacy? [en]

I am at the Lift12 conference in Geneva. Here are my session notes.

Live-blogging from Lift12 conference in Geneva. These are my notes and interpretations of Michel Jaccard’s workshop — best effort, but might be imprecise or even wrong! Hoping I don’t mangle things like last year.

Cloud computing, data protection, etc… With Sylvain Métille of @idestavocats.

Know what you do, why, what are the risks and best practices. You have the choice to use the cloud or not. But it can be very difficult a few years down the road to know where the data is, but you remain liable for that data.

Analysis limited to privacy issues. As close to real-life experience gets for lawyers: real agreements 🙂

Risks?

  • losing control of the data: not a specific risk, but reinforced with cloud computing — makes it harder to enforce your rights over multiple entities and jurisdictions
  • non-compliance with the law: headache. You end up in lawyer ping-pong or chess game. Have spent days or weeks in negotiations just about who is taking what kind of risks in connection with cloud storage of certain data, to reach an agreement. “Sorry, I can’t do anything on my side, strict compliance with the laws I refer to” — lawyer in the middle, ends up drafting something like what follows: Party A shall be liable and responsible under whatever law might apply to that party… blah blah. Idem for Party B. If there is a disagreement, parties should in good faith try to reach an agreement. Difficult!
  • Vendor lock-in (same, non-specific but reinforced)
  • Access requests by law enforcement authorities. State police is now very keen to have access to data that is on their soil. So as a Swiss company, if you don’t know where your data is stored… You could get sued outside your country, and the data center be asked to hand over the data. Example: sensitive data, third party locates where the data is physically and attacks (legally) there.

If keeping control over your data, and exclusive ownership, is critical to your business, important to know that this is extremely difficult to ensure if you use cloud computing. Eg. you might want to keep HR stuff in-house.

US Law: if you’re aware of a potential security breach, that is, that somebody not authorized might access the data, then you have to proactively disclose it to the market (even without a real data leak!)

Information privacy:

  • CH: Data Protection Act (easy to understand)
  • EU: directives/regulations apply to data treated in the EU or related to residents
  • US: state laws and sectorial

Two important ideas:

  • Data
  • Consent (is king)

Consent has to be voluntarily given and based on adequate information.

Different types of clouds. (1) locally, cloud = data transferred to a server. 10a DPA. steph-note: lost here, sorry.

(2) distant cloud. Accessible abroad. 6 DPA.

Swiss banking privacy cannot be guaranteed to customers who consult their accounts remotely (typically, from abroad).

(3) very very distant cloud (India, US)… Those countries do not provide “adequate protection”. Instead of legal protection, safeguards can be granted in a contract (official models). Safe Harbor Framework (USA) for data of private persons. Careful, need to be safe harbor compliant for Switzerland! Consent in the specific case.

Storing in the cloud also means that there is no 4th amendment protection under US law (because the data is accessible by a third party).

Means the FBI (eg) can actually pretty much know everything before the indictment.

[Photo: lift12 1100307.jpg]

Questions around a sample privacy policy. steph-note: photo above is the beginning, it goes on…

  • Your information: what is it? what I provided? what you know about me from my usage?
  • Personal information: what is it? taste in food? name of my mistress? Very subjective!
  • Carefully selected: how?
  • On our behalf: legal wording, finally.
  • Hosting for our servers: cloud providers.
  • Email distribution partners: spammers?
  • Delivery fulfillment services: another politically correct term for… mass e-mailing?
  • Customer service agencies: telemarketers.
  • Does not say how I consent. Just by clicking? You could sue under Swiss law and say “consent was not given”. You don’t know what you’re consenting to.

Companies tell their lawyers: please draft a privacy policy to make sure I can do everything I want to do, now and forever. Don’t try and cover everything!

Means the minute you enter the online world, you consent to anything that can be done to your data (unrealistic).

Personally identifiable information: anything that might identify you. Popular concept in the US. In CH, IP addresses as such are personal data.

steph-note: dissection of privacy policy with Michel, entertaining

Conclusion: with this kind of agreement the company can do pretty much anything. (It’s a B2B agreement.)

If you want to delete your data we will make it permanently inaccessible (we won’t delete it!)

steph-note: question that’s nagging me… what to think of companies who do not want to use Google Apps or let their employees use Google Docs? Are they right to worry, or not?

Best practices:

  • don’t hurry, prepare charts
  • align marketing/business/IT/legal
  • know what your company will do with the database down the road
  • force your providers to show you their own subcontracting agreements
  • be transparent in your legal terms
  • always have a plan B…

Conclusion: legal compliance is great but it’s quickly a headache. Cheaper pricing is not always the best solution.

The Trap of Happiness: Big Things and Small Things, Outside and In [en]

The key to being happy lies not in external events or circumstances but in our activities. Within us, not outside of us. This is not very intuitive, hence the trap. ("When this or that happens, then I will finally be happy.")

I realized today that many of the things I agonize over, the big things of life, are probably not worth spending so much energy on.

These big things of life — work, relationships, where to live — are just the measly circumstantial 10% component of our happiness (50% is due to our happiness “set point”, and the remaining 40% depends on certain intentional activities).

If I’m agonizing over whether to pursue a relationship or not, whether to keep my current line of work or change it, stay put or move to another continent, I’m doing so because at some level, I believe those decisions hold the fate of my happiness. But they don’t.

This is not to say that major life changes have no impact on how we feel. Of course they do. And of course bad decisions can lead to pain and anguish. But if things are going reasonably well and the drive is to be happier, the research presented in The How of Happiness (which I’ve already blogged about) tells us that these major changes will probably have way less long-term effect on how happy we are than certain more modest-looking intentional activities that have been shown to reliably increase happiness.

Major events give us a “happiness high”, which is maybe one of the reasons we keep on looking to them as the solution to our lasting happiness. Hence the trap of happiness:

We think that big important things like being in a relationship, having a great job, having kids or living in our dream city are going to make us happy, when in fact it is small day-to-day activities that make us happy.

So when we’re unhappy, we yearn for big changes and stay stuck on “if onlys” rather than doing something that will actually make us feel happier.

For me, there is an important corollary to this:

The key to our happiness is inside of us, and not in exterior events.

This is nothing new under the sun, but I think that today I have really understood it.

You see, in addition to agonizing over “big decisions”, I spend a lot of energy hoping or waiting for things to happen which I expect will make me feel happier. Things that are outside my control or depend on other people. Without getting into details, this energy sometimes pushes me down alleys where I do things which I know are doomed to failure, which I know are a bad idea (and I can even explain why), but I have a very hard time stopping myself from doing them.

And I have understood today that the way to fight these “dysfunctional” urges is to remember where they come from: they come from feelings of unhappiness that I’m trying to address in the wrong way. I’m trying to make big things happen outside of me, rather than certain small things that involve only me — the “happiness activities” or “intentional activities” Sonja Lyubomirsky describes in her book.

Not surprisingly, some of them are already part of my “toolkit” for making myself feel better. Before reading The How of Happiness, however, I think I just hadn’t measured how important they were. And now I have extra stuff to add to my happiness toolkit. Yay!

So I’m making a note: to fight my gosh-I-wish-I-wasn’t-heading-for-that-wall-again urges, pick an activity out of my happiness toolkit. And I’m putting “working on being happier through daily activities” above my big “existential issues” on the priority list.

I find it ironic, in a way, that something as important as how happy we are (I mean, a huge amount of what we do, we do because in some way we’re trying to be happy) can be influenced by such small and seemingly trivial things.

It does explain, though, how we can tumble from “happy” to “not happy” in just a few clicks, and climb back to “happy” by answering two e-mails and cleaning the bathroom sink.

It’s not rocket science.

Lift11: Michel Jaccard, Governances of multi-author and open source collaboration projects (best practices and legal tips) [en]

Lift11 Workshop notes. I do my best but all this is filtered through my sometimes imperfect brain.

Practical and legal issues. First, defining the scope.

Common question faced in their practice: what do I do with my employees who are spending paid time on Facebook? Can I run commerce online?

What are we talking about? Open collaborative projects. Two types:

  • OSS (software)
  • R&D and knowledge-sharing projects (Wikipedia, standard-setting bodies, consortiums, WTO, etc)

We’re going to focus on Software projects.

Basic question: is there a necessity to think differently in the online world compared to the offline world? Most of the time, in regulation, it’s not needed. Most legal rules can be applied, with some subtleties.

What makes open collaborative projects different from more traditional creative work efforts? IP laws have been designed around the idea of a single creative mind (Shakespeare and Mozart), but today, most projects result from a collective effort. Mismatch.

Issues — practical and legal.

Practical: massive number of participants, continuous updates for long-term projects, hard to keep track of all contributors (case of company unable to contract with a US company because they’d outsourced part of their work to an ill-defined community and it had become impossible to get back to the various participants), lack of control in cross-border projects, funding/sale of project (who does it?), enforcement of rights.

Legal: international => different legal regimes, no unified set of rules applicable to the project, numerous legal fields (IP, contract, corporate)

Multi-author (=> joint work, article 6 Swiss Copyright Act or “joint works” pursuant to section 101 of the US Copyright Act) — does each author hold a copyright on the joint work? Which law is applicable? You can’t claim ownership of part of the work. Default system in copyright law is unanimous agreement of all co-authors for what you’re going to do with the work… tricky. (This means it’s a little dangerous to launch into a collaborative project without some kind of agreement.)

Private international law: which is applicable, which jurisdiction, special local protection rules, privacy issues?

Contract law: who is party, is there a contract law relationship? Who is accountable for what towards whom?

When it comes to businesses you can put pretty much what you want in an agreement, not so with individuals.

Is having a “lead person” sufficient an agreement to interface with other parties?

Not securing the IP aspects of a software project can negatively impact the valuation of the company. Have agreements in place before anybody starts writing a single line of code…

IFOSS Law Review — took them 2 months to figure out a name, and 3 months to get funded, and the editorial board is a bunch of experts on the topic — couldn’t open a bank account! They ended up being funded by the Mozilla Foundation.

Needs: centralization of rights on the project to overcome some legal issues, minimum quality standards, governance on the general project.

What can be done?

Do everything beforehand. Governance. Make an agreement, but do you have the authority to do so? Everything need not be negotiated — acceptable rules for contributors, can be 3-4 pages. Just to say that the rules governing the community will be those the community comes up with.

*steph-note: sorry, going a bit fast and the topic is “out of my jurisdiction”, having trouble following*

3 types of governance rules (access, …, …)

  • access (no legal access regime by default)
  • assign IP to the community (= sale) — vs. license, which is very different

Under Swiss Law, ToS that are 34 pages long are not enforceable, even if you make people click “I read and agree”. Will not stand in court. It needs to be concise. Good faith: if I don’t understand, I am not bound. It’s up to the person making you agree to make sure you understand what you are agreeing with. Swiss market is a bit difficult for online purchasing — often the terms are just in German! *steph-note: this sounds too good to be true, not 100% sure I understood this completely correctly*

Important to set up governance that will allow an exit.

WIPO. Approved “Open collaboration projects and ip-based models” project in nov 2010. Will analyze and compile existing models of Open Collaboration projects.

In 90% of situations Creative Commons works, but what’s missing is something similar to CC but which includes governance.

Badmouthing (with authorization): Business Model Generation, co-created with 470 ppl, but copyright Alexander Osterwalder and Yves Pigneur, and designed by a third guy. Trick question: who owns the IP? On the online platform, it says copyright Alexander. Now that they’re starting to be famous with the book, they’re pretty suable. It’s a total mess in terms of ownership. Would be problematic for derivative works where you need consent of all authors. But actually they even made people pay to be co-creators, and told them they’d get credit and receive a free copy. Nothing however about IP…

Wikipedia: another nightmare. user-generated and user-controlled. 5 pillars, but any user can modify the policies. Foundation reserves certain legal rights. They realized that the consensus stuff didn’t work and had to put in place committees etc. — would have been less trouble if they’d put it in place at the very start. *(steph-note: @anthere disagrees — might also be me not understanding well what was said, so take with a big grain of salt)*

Other example: Mozilla project. Governed as a “meritocracy”. Policies. 3 aspects: definition of roles and responsibilities, transparency, reciprocity.

Websites and Blogs, Where Does One Start? [en]

A bit of head-scratching (I quite like that!) about the site for Going Solo and the company (not yet legally in existence) behind it. Which domain name to use? (I registered a whole series of them around this idea of conferences, which cost me a fortune, by the way.) I'm going to need a visual identity. What to blog where? Create a site for the company already? Welcome to the twists and turns of my questioning.

Along the lines of rediscovering some aspects of blogging, I’m rediscovering some tricky online presence questions which I’m more used to hearing in the mouths of my clients than in my head.

Questions like: do I create a separate blog for my company? for my event? how? when? who will blog on them? what will we blog on them?

To be honest, those questions aren’t actually all that tricky. For example, of course I’m going to create a site-blog (website with a blog) for Going Solo. Is it too early to create a site for the company, though? I’ve got a good mind for the moment to hold off incorporating it until the first event is done. I mean, not to be pessimistic, but if Going Solo doesn’t work out as well as I hope, and I decide to leave the event business at that, it will have saved me the trouble and grief of setting up the company “for nothing”, right? Other opinions on the topic?

A few weeks ago, I booked a pile of domain names (my poor credit card can testify). For the company, for Going Solo, for other events I already have in mind. I got .nets, .coms, .orgs, and even .co.uks. You don’t want a porn site as a neighbour, right? And if you’re going to build a name or a brand, who knows what you might want to do with the other TLDs 3 years from now? Better have them handy. Well, this isn’t really the topic of this post, but gosh, does it add up to a pile of money.

Of course, to make things easy, one of the .coms I didn’t manage to get is going-solo.com (it’s an insulin pump, so not much to do with what I’m plotting). Which leaves me with a choice of .co.uk, .ch, .net, .org. I’d say .org is out, as this is a commercial venture. As the event is going to take place in Switzerland, .ch would make sense, but then what happens when we reproduce the event in other countries? (I’ve actually already been talking about that with a few people — and can you imagine: the first event hasn’t even happened yet that they are already showing interest…)

Leaves us with .net and .co.uk, the latter making sense if the mother company is indeed incorporated in the UK as I plan, but as it hasn’t actually happened yet, it could change. So, I guess for the moment I’d go with going-solo.net and set up a blog there, to start with.

I don’t have any visual identity yet so that means it would be pretty bland at first. (This is where I really regret not being a bit of a designer myself.) I’m half-tempted to try and recruit Bread and Butter (look at the beautiful art they did for Adsclick), but they’re already doing LIFT (maybe a bit of a conflict) and as they’re already nicely established, I’m a bit afraid about the price tag. My more realistic idea is to try to find a small design shop in Lausanne which could use the visibility (local and international) Going Solo will bring them, or see if anything could be set up involving students from the ECAL.

As for the company, should I set up a website already, even if it doesn’t “legally” exist? (God, I wish I were a lawyer and understood all this stuff.) I’ll need a visual identity (at least a logo) and some content. I guess there will be a lot of cross-posting between the Going Solo blog and this one, at least at the start.

Also, languages! Oh my! Actually, no. Going Solo will be held in English, therefore the site will be in English. I’ll provide some French content for local sponsors to dig through, but I’m not going to do the whole multilingual space thing yet for it. Could be an idea in the long run, though… hmm.

Well, thanks for following my thought process. I’ll be setting up going-solo.net soon and cross-posting relevant content there so that we can all start linking to it! 🙂

Blogging 4 Business: Panel on User-Generated Content [en]

Panel: Euan, Struan, Mark, Lisa

Engaging with the consumer.


Struan: lawyers hate risk, and also really bad at blogging. Law firm in New Jersey which was told not to blog. Works for big law firm. Been advising clients about blogs and online stuff for the last 12 months. Problems with user-generated content, or staff which might be blogging. Risk-management perspective. Caution.

Mark: short war between Israel and Lebanon. Photographs discovered by bloggers. Wake-up call about how powerful blogging and user-generated content can be. Reuters in Second Life: what journalist ethics in a virtual world? steph-note: hate it when “virtual” is used to describe digital spaces, because it sounds like “unreal”. Global Voices Online.

Lisa: worked for eBay. Hard to give all power to users, keep some control. Yahoo.

Euan: “branding”, “customers”, even terms like “web2.0” etc., vocabulary indicating hordes of people piling onto something that was previously small, maybe fragile. Real danger of killing it in the process. How do you influence (rather than “control”) these environments? steph-note: let me add “engage with your brand” and “user-generated content” to that list, just mentioned in the moderator’s question.

Lisa: Quality? depends what the objective is. Asking users to provide photos of sunsets which match the one in the film. Ad contest, winning one (Doritos) cost 12$69 or something. Doritos: is it going to be good? Five finalists (with which D. were all OK) were so keen on winning they actually did their own campaigns, sending the videos to their friends, etc.

Mark: social media providing an alternate way of judging which photos are best for illustrating a subject.

Struan: as soon as you encourage the community to produce stuff, you need to be prepared for what might come back your way. steph-note: stuff will come back your way whether you ask for it or not; it’s already out there!

Lisa: when there is product attacking a product which has positive to it, there are often many positive comments which come to its defence.

Euan: flamewars etc. Law struggling to keep up with what’s happening. Jonathan Schwartz who wants to blog financial information, but it’s illegal to do so for the moment.

Struan: there is nothing to stop the information getting out through an unofficial channel.

Moderator: July 2006, Reuters brought to task by some bloggers. What was the internal response to that? (We know the public one…)

Mark: very quickly issued a classic release for news organisations in which they thanked the blogger for the photograph. Hasn’t happened again. Been continuous dialogue with professional photographers and bloggers.

Moderator: need for vetting UGC? Editorial decisions that journalists take all the time but that the public may not be familiar with.

Struan: YouTube, MySpace, not in their interest to check the content (if they did, more liability!) as long as they react quickly in case of content. Guardian: comments not approved — Time: comments approved => higher risk, because involves judgement call. steph-note: I think this is with UK law, not sure it would work like that in CH.

Euan: if you try to sanitise the conversation it will move somewhere else.

Lisa: guidelines. Help community moderate itself.

Question to Euan: what are the rules to “keep it pure”, when consulting? (re: fears of “commercialisation”)

Euan: authenticity. It’s not anti-advertising, or anti-commercialism. steph-note: not sure I got that Q&A right.

Struan: biggest problem for companies getting into blogging is finding something interesting to write about, and somebody who is capable of writing it. steph-note: I agree, but it’s often because they don’t think of looking in the right places.

Question: legal implications if you have bloggers and you let them do it, and they say things that are not necessarily the view of the company?

Struan: company won’t be really able to distance itself from the bloggers. Need to trust the people who are blogging. Posts don’t need to go through the legal department, but some guidelines are in order. When can they blog, how much? Do they understand the basics of trademark and copyright law (to avoid silly lawsuits), do they understand what is and is not confidential? Manageable risks, not something to panic about. Plain English is OK. Encourage bloggers to get a second opinion if they have doubts about what they’re posting. Fair use.

Euan: BBC blog policy (wiki page, developed by existing BBC bloggers). Much more conversation than if just the legal dept. had taken care of it.

Struan: blogger who wrote some potentially offensive political stuff on his blog, somebody googled him, found he worked for Orange, he was suspended (later reinstated). Petite Anglaise story (well recounted). The employer should have had guidelines to protect itself (not nice for bloggers, but better for the company).

Harvard Law in Second Life [en]

A course at the prestigious Harvard Law School is taking place partly inside Second Life. When I talk about Second Life as an educational tool/medium, this is the kind of thing I had in mind. I went to have a look, talked with one of the project's instigators, and I fully intend to try to follow at least part of this course, which takes place on Mondays and Tuesdays.

By chance, I picked up a link to today’s RocketBoom in the #wordpress IRC channel (thanks, twidget). I don’t often watch RocketBoom, but the new presentator (en?) had a nice British accent, so I watched the whole thing.

A Harvard Law course in Second Life caught my attention. I watched the trailer, and decided to hop in and see for myself. I’ve been telling people around me that Second Life provides opportunities for education that we can barely yet imagine. I’m glad to see that it’s starting to happen. Watch the trailer for yourself [10.5Mb].

Inside the Second Life lecture hall (a replica of the real Harvard one, from what I understood) I chatted a while with Rebecca (one of the instigators!) and a student, LZ.

I learnt that the class was open to “public” (“at large”, they call it), and I’m very tempted to participate. I missed the first classes though, yesterday and today, but the wiki contains a lot of information and is supposed to give links to the lecture videos (haven’t found those, I’d be glad if somebody can point me to them). A lot of reading material is online. They also have a 20-minute introduction to Second Life but Flock can’t find the missing plugins I need to view it. Damn!

So, anyway, had to let you know about this. I think it’s exciting!