Defeat cyber risks, use the Force

Cyber risks are a real and present danger. They are often hidden and misunderstood so I wrote this article just for you. I’m also a Star Wars fan and couldn’t resist the Force.

When I think of the words “cyber risks”, I don’t think of anything immediately tangible nor anything immediately threatening. What those words, (especially together) mean to me is far more ethereal and a lot more entertaining…

My thoughts digress to a Jedi fighting a Sith, Ewoks and Jabba the Hutt. I think of Darth Vader – the famous “I am your father” scene. All very “otherworldly” and “galactic”. Something a true Star Wars fan can fully and truly appreciate. But this is not Star Wars and I am no Princess Leia.

“Luke, I am your father”

Just like the “Luke, I am your father” scene inevitably shocked Luke into a new reality, growing cyber risks are doing the same for businesses across the globe. And that is actually my point – is cyber risk really in a “Legality” far, far away, or is it closer to home than we think?

What do I mean? Well I will give you some examples.

In PricewaterhouseCoopers’ January 2016 Top Issues publication, the following was outlined:

“The biggest challenge for insurers is that cyber isn’t like other risks. There is limited publicly available data on the scale and financial impact of attacks and threats are very rapidly changing and proliferating. Moreover, the fact that cyber security breaches can remain undetected for several months – even years – creates the possibility of accumulated and compounded future losses.”

And

“Cyber risks are increasingly frequent and severe, loss contagion is hard to contain, and risks are difficult to detect, evaluate, and price.”

On the website of Freshfields Bruckhaus Deringer, a worldwide legal practice, the “Cyber crime can derail your company” page states the following:

“Whatever your industry, cyber security is a worldwide concern. As you hold more data, and your staff use their own devices, you can become more vulnerable to security breaches.

Those breaches can have significant legal and reputational effects upon companies. As shown by recent data breaches, and related litigation, this is not just an IT issue.”

There has even been a full article written on the Hedgeweek website entitled “Cyber security – a Global Perspective” (the title alone has a sense of doom and seriousness about it). This article sets out the lengths the US Legislature is going to in order to ensure the protection of companies against cyber-crime, which includes the House of Representatives passing a new cybersecurity bill –

“the Protecting Cyber Networks Act (PCNA) – to allow file sharing between government intelligence agencies and private companies and raise the overall awareness of hacking.”

Cyber Risks – a clear and present danger

If it is not clear already, let me spell it out for you – cyber risks are here. It is a risk that is not only very real but one that can be truly devastating to a company should its systems and data be hacked, thereby revealing company trade secrets. Can anyone say “huge liability claim”?

Source: Boss Fight

Speaking of huge liability claims, Insurers and Re-insurers are discovering that there is a growing and real need to insure Companies across all industries against these potentially devastating risks and that means increased premiums for those Insurers and Re-insurers eager to tuck into a slice of the proverbial cyber pie. According to PWC –

“Cyber insurance is a potentially huge but still largely untapped opportunity for insurers and reinsurers. We estimate that annual gross written premiums will increase from around $2.5 billion today to $7.5 billion by the end of the decade.”

But that’s insurance and therefore inevitably a safety net should things go awry; where law is concerned, prevention is often better than the cure.

Understanding leads to prevention

In order to even start combating cyber risk, we first need to understand what it actually entails. According to Kennedys’ “Cyber risks – an insurance perspective” article, cyber risks can be understood quite simply:

“Two of the most common forms of cyber risks are Cyber-attacks and data breaches. Cyber-attacks can take many forms:

Hacktivism – where a company’s website is hacked into and used as a platform to promote views.

Denial of service attacks (DoS) – when a site is bombarded with millions of emails from a bogus source, thereby blocking access to the site by legitimate users. This happened to the Amazon and PayPal sites recently, when they were forced to stop online trading as a result of DoS attacks by people protesting against the arrest of Julian Assange.

Cyber-extortion – where attackers threaten to carry out a DoS attack or to implant viruses in a company’s website or network.

Data breaches can occur as a result of human error – for instance, unencrypted data is lost or sent to the incorrect recipient – or by hackers, employees or others stealing or otherwise gaining access to sensitive data.”

A call to arms

Source: Pexels

What is abundantly clear is that this is not just an IT issue, something you can “dial a nerd” for and consider your job done. What this is, is a global risk. Something we, as legal practitioners, need to get ahead of. It is all well and good to have the insurers and reinsurers making their mark in this currently untapped risk market, but we need to prevent the risk from materialising in the first place. A seemingly daunting and almost impossible task, to be sure. However, as with everything, you can tackle this “one bite at a time”.

With that in mind, how do we fight Cyber Risks?

  1. Identify the specific risks to the business and what needs the most protection. For example, in a company like Coke, intellectual property might be the most important asset which is vulnerable to cyber attack. For Bid or Buy, the stability of online platforms and the security of customers’ personal data may be paramount.
  2. Assess the potential consequences of the various types of possible attack. Essentially, what would the impact be on the company’s reputation, its share price and its goodwill? What is the litigation risk? What would the impact on the business be if its activities were disrupted for a short or for a sustained period of time? How much risk can the business accept? This is a really important balancing act and, from a legal perspective, will need some risk management. For example, ensure senior management in all areas of the business are fully aware of the IT security measures in place and all the risks that potentially exist.
  3. Devise a strategy to address the identified cyber risks. This is likely to involve preparation of both a cyber risk management plan and an incident response plan. A cybersecurity review is vital.
  4. Ensure that the systems and security measures are properly and regularly tested (here you can most certainly get hold of “dial a nerd”).
  5. Implement appropriate staff training and education. Many attempts to compromise information involve what is known as “social engineering”, which is effectively the skilful manipulation of people and human nature to trick information out of a company. Online social media platforms need to be properly monitored and staff trained here according to what they can say and what they can’t say with regards to the company online. A social media policy will most definitely be needed. Proper training can help reduce or prevent completely this type of risk.

Clearly, cyber-security is more than just tightly worded policies and endless procedures. It is a legal risk management exercise which undoubtedly entails keeping your eyes wide open, your ears to the ground and your paper trail well and truly up to date; if there is any significant attack, the legal team needs to be properly armed with its trail of governance to ensure real combative steps are taken.

“May the force be with you” indeed does come to mind.

Featured image credit: Paul Jacobson, licensed CC BY NC SA 2.0

MTN’s misleading uncapped data bundle fine print

MTN’s uncapped data bundles are not what consumers think they are. They are complicated packages with rules that limit them dramatically.

EWN published a surprising story titled “The terms of MTN’s uncapped data explained”, in which MTN’s Chief Customer Experience Officer, Eddie Moyce, explains MTN’s activation requirement for its time-based uncapped data bundle. Here is the radio segment:

The surprise is that this uncapped data offer doesn’t work the way you may expect. Consumers should pay careful attention to the fine print to avoid being caught out, potentially at a substantial cost. Essentially, even though you have paid for the bundle, you still need to activate it by dialling a short-code which you receive by SMS. If you don’t activate the bundle, you will use data at normal data rates and could wind up with a larger bill than you expected.

Two aspects of this story are problematic:

1. Why offer this sort of “uncapped” bundle that the customer still needs to activate in order to use it, even after paying for it?

This is really misleading. Most data bundles activate automatically when you have paid for them and the changes propagate across the network, don’t they?

The mechanism suggests that MTN intentionally created this activation mechanism knowing that many customers won’t actually realise they need to do it and will wind up paying far more. I checked the terms and conditions that apply to this package (I think – the MTN site is not exactly designed to find information easily) and it says the following:

  1. Activation of the MTN 1 Day Uncapped Internet Bundles

5.1 Customers may purchase an MTN 1 Day Uncapped Internet Bundle by dialing *141*2#.

5.2 Customers must activate the MTN 1 Day Uncapped Internet Bundle after purchase, by dialing *141*5#. The MTN 1 Day Uncapped Internet Bundle does not automatically activate.

5.3 Customers may only activate the MTN 1 Day Uncapped Internet Bundle if they have sufficient airtime in their airtime account or using their usage limit (for My MTNChoice customers). This excludes MTN Loyalty 1–4–1 Loyalty Points and any promotional airtime.

Data bundle details

These data bundles are typically “valid for a period of 24 (twenty four) hours”, although only “after [they are] activated”. I also wonder how many people are aware of when the data bundle kicks in? How many people assume (and reasonably so) that the package kicks in automatically and they start using the data right away?

The seemingly reasonable SMS from MTN with activation instructions is challenging. Many people ignore SMS messages they receive for various reasons and may not notice the significance of an activation message until long after their bill has hit triple digits.

This activation mechanism looks a lot like the dodgy tactics mobile content providers used to use before they were banned: automatically subscribing consumers to expensive content (think R5 or R7 per day until cancelled) subscription services without clear double opt-in mechanisms and pricing information. You wouldn’t expect major network operators to use misleading tactics such as these.

2. Why impose a “fair use value” cap of 150MB on an “uncapped” data bundle? That is tiny.

Then, to add to this, the notion that a bundle with a “fair use value” cap of 150MB is somehow an “uncapped” data bundle is ridiculous. That is a tiny amount of data when you consider that, as Eddie Moyce put it, people tend to buy these packages for specific reasons. One of those reasons would be that the customer needs to use a lot more data than his or her usual bundle allows (at least, cost effectively) in a short time period.

Here is an extract from the terms and conditions dealing with the “Fair Use Policy”:

9.1.4 Customers with an active MTN 1 Day Uncapped Internet Bundle shall be able to generate uncapped data usage, however, a fair use value/threshold as detailed in the table in clause 4 above will apply for the duration of the Validity Period.

9.1.5 Should the Customer exhaust the fair use value, as detailed in the table in clause 4 above, before the end of the Validity Period, the Customer’s data speeds will be reduced to 128kbps for the remainder of the Validity Period and the Fair Use Policy as detailed in this clause 9 shall apply.

9.1.6 MTN further reserves the right to implement other measures and controls to ensure that the integrity of its systems is maintained, including but not limited to measures such as DPI (Deep Packet Inspection). DPI:

9.1.6.1 allows MTN to monitor aspects including, but not limited to, non-compliance with its Fair Use Policy and restricted protocols, prevent attacks from computer viruses/worms and identify SPAM. Such usage may be blocked or re-routed;

9.1.6.2 also allows MTN to throttle certain usage, such as peer to peer traffic;

9.1.6.3 shall also allow MTN to prioritize/filter certain activities, such as VoIP traffic, over other activities which are burdensome on the MTN network (such as video streaming);

9.1.6.4 in essence, this allows MTN to alleviate network congestion and improve service to all MTN customers.

9.1.7 This Fair Use Policy may be amended by MTN, whether by clarifying, modifying, adding to or deleting certain terms and conditions. This is subject to the Modification of Terms and Conditions, including notice being provided to you, as detailed in clause 16 below.

Not only does the available data speed slow to 128kbps when you hit that measly 150MB but MTN also imposes a series of restrictions on how you can use the data and when. The end result is that your “uncapped” data bundle is more like a “you can’t do much with this ISDN-like connection but thanks for paying anyway” bundle.

But wait, there’s more:

  • MTN hides all these restrictions and qualifications in terms and conditions which few consumers will ever read, and
  • these restrictions are couched in fairly dense language and presented in pale text on a white background that no-one over 45 can read without squinting, which says a lot too.

MTN terms

One more thing – no business use for you

Oh, by the way, this package isn’t available for “commercial use” so don’t think you are allowed to use this package to give your small business a little boost either:

9.2 The MTN 1 Day Uncapped Internet Bundles are intended for consumer use only. This means that the MTN 1 Day Uncapped Internet Bundles may not be used for commercial use (which includes, but is not limited to the intention of promoting, enabling, subscribing to, selling (directly or indirectly) the goods, services or image of any person pursuing a commercial, industrial, craft, religious, charitable or political activity or exercising a regulated profession).

9.3 The MTN 1 Day Uncapped Internet Bundles exclude use of the following services:

9.3.1 Least Call Routing (LCR);

9.3.2 Routing devices; and/or

9.3.3 Commercial use.

9.4 Use of the above services shall be deemed abuse and/or fraudulent use of the MTN 1 Day Uncapped Internet Bundles and shall entitle MTN to immediately suspend and/or deactivate the Customer’s access to the MTN 1 Day Uncapped Internet Bundles.

So if you are a small business owner and you happened to buy this bundle and use it as part of your business (you could have sent a data message to a client telling them about your services, for example), you would be committing a fraud in addition to breaching the terms and conditions of the bundle. Talk about hostile to small business!

K.I.S.S MTN!

When I think about what is available outside South Africa, MTN’s approach to mobile services and pricing just doesn’t make sense to me. My current mobile service includes 5 000 minutes of calls, 5 000 SMS messages, 10GB of data a month and 500 minutes of calls to my family in SA (landlines in SA) for the equivalent of about R200 per month. It wasn’t always like this but regulatory changes and increased competition improved the situation for Israelis.

Instead of obfuscating an overly complex service, why not offer a simpler option that just lets people pay their R40 for either a fixed amount of data or a realistic “fair use value” cap? Drop this silly activation mechanism and the ridiculous fine print. In other words, give people what they think they are getting or, if that is more than you want to offer, offer them something you are comfortable with and that makes sense to consumers.

Image credit: Pixabay

No, you can’t unilaterally opt out of Facebook’s terms and keep using it

Facebook has updated its terms of service and data use policy recently and the changes have upset many people. I’ve started seeing more declarations of users’ intention to opt out of provisions of Facebook’s terms and conditions. These sorts of declarations look legally binding, with their fairly legalistic language, but they don’t work except to help you feel better.

The only way to limit what Facebook can do with your content and your personal information is to stop using Facebook and to delete your profile. Unilateral declarations of your intention to opt-out of provisions you don’t agree with don’t make those provisions less binding on you.

If you use Facebook, you do so on Facebook’s terms. If you don’t want to be bound by those terms and conditions, stop using Facebook.

Facebook Messenger is not the privacy threat you should be concerned about

Many people are focused on the permissions they give Facebook when they install Facebook Messenger and are concerned that they are giving Facebook excessive access to their devices. This isn’t necessarily the case and this growing panic may be more a function of how Android permissions have to be obtained than a real privacy threat which many have read into those permissions.

I found myself listening to a discussion on 94.7 this morning about Facebook Messenger. The breakfast team was talking about these permissions that have attracted so much attention as if installing Messenger instantly compromises users and leaves them exposed to all sorts of privacy invasions, with microphones and cameras turning on at someone else’s behest.

The panic level rose a few more notches when the breakfast team received a call from an anonymous listener who told the team that part of his work involves remotely accessing people’s devices (presumably part of lawful investigations) and exploiting these sorts of permissions. It wouldn’t be unreasonable to draw the conclusion that giving Facebook these permissions to access your phone’s microphone, camera and other features somehow makes all of those features available to anyone wishing to exploit that level of access and spy on you.

Fortunately it isn’t as simple as that. Leaving aside the risk that Facebook, itself, grants access to your devices to 3rd parties without your knowledge or that its apps have vulnerabilities which are not patched and are exploited by unscrupulous 3rd parties, Facebook isn’t the threat. I spoke to Liron Segev, an IT Consultant and one of the first people I think about when I need some help with the technical aspects of IT security. He explained that the threats to consumers come from various sources and that poor security awareness on consumers’ part is a contributing factor.

To begin with, it is possible for a 3rd party developer to introduce apps to app stores that appear to have a particular functionality but, below the surface, these apps will scan installed apps on your device, attempt to impersonate or even supplant those apps and exploit the access permissions you gave to the legitimate app. These trojan apps would then take advantage of the sorts of permissions you grant Facebook Messenger to access your device microphone, camera and other features. Avoiding this risk largely comes down to only installing apps you trust and how well the app marketplace is regulated and protected from this sort of malware. More and more security experts recommend installing anti-virus software on your mobile devices to help protect you from these sorts of attacks.

A hidden threat few people outside the security industry are aware of comes from the mobile networks we use every day. Mobile networks have the technical ability to gather data from our devices and even remotely install applications without us being aware of this in order to use that data and access to our devices’ features for a variety of reasons ranging from network performance management to remote surveillance and law enforcement. On the one hand, there are good reasons for networks and governments to have the capability to monitor criminal threats (for example, the somewhat misunderstood capability Google has to monitor Gmail for child porn using an existing database of problematic images). We live in a world where the bad people use advanced encryption and digital tools to plan and conceal their activities. On the other hand, there is also scope for governments and companies to use these capabilities to spy on citizens, infringe their rights and exploit their personal information for profit. As I mentioned in my htxt.africa article “Much ado about Facebook Messenger privacy settings, but is it nothing?” –

Whether you use Messenger should be informed by the extent to which you trust Facebook, not by the very explicit and informative permissions Facebook seeks from you in order to use Messenger. If anything, Facebook is just proving that it has come to a long overdue realisation that there is no benefit in deceiving users.

It is possible that Facebook may turn on your phone’s camera and microphone while you are getting dressed in the morning but highly unlikely. What is more likely is that Facebook requires those permissions to enable Messenger to do what you want and expect it to do. That said, you can’t be complacent and install every app on your device that seems amusing. Take the time to satisfy yourself that the app is from a credible source and look into anti-malware software for your devices. As for mobile networks and governments, there is little you can do except reconsider your device choices if you are concerned about this. Segev pointed out that Blackberry devices are still secure options and Blackberry 10.x is a flexible option even if it isn’t popular media’s darling.

A transparent approach to privacy policies

Transparent definition

Richard Beaumont’s article “Transparency Should Be the New Privacy” echoes a point I’ve also been making recently: data protection or privacy is mostly about transparency and trust. Sure, compliance is essential, but from a data subject or consumer’s perspective, how transparent you are about how you process the data subject’s personal information and whether your activities engender trust are arguably as important. Achieving that requires a varied approach to data protection, and one of the key elements is the document you publish about this, namely the privacy policy (also known as a “data protection policy”, “privacy statement” and other titles).

As Beaumont points out:

The website privacy policy is the basis on which organisations can claim they have received consent from customers/visitors to collect whatever data they want and do what they like with it. In a data-driven world, they are important documents. Expensive lawyers are often paid large sums of money to write them in the full knowledge that they will rarely be read. Of necessity, it is written in legalese that most people won’t fully understand, and it is long because it has to cover all eventualities.

Of course, hardly anybody reads them. In the vast majority of cases, it would be a colossal waste of time.

I don’t agree with an approach that obscures privacy policy wording by using legalese and complex language but privacy policies are typically not read and understood before data subjects share their personal information. On the other hand, Beaumont makes a number of good points about the purpose of most privacy policies:

However, the problem is not really with the privacy policy itself as a document; it is the fact that it has been mis-sold to us. We are led to believe its purpose is to inform. We are told this because consent relies on us being informed about what we are consenting to. It is the basis of almost all privacy law throughout the world.

However, if that were true, it wouldn’t be buried in a link at the bottom of the page and written in dense text that is often also in a smaller font than the rest of the site. Website designers and copywriters know how to inform people online. The privacy policy is the document on any website least likely to inform the visitor in any meaningful way.

The reality is that the privacy policy is designed to protect the owners in the case of a dispute—which is what most legal documents are designed to do. There is nothing wrong with this—these documents are necessary in certain circumstances. It’s just that they don’t fulfil the more common need for accessible information about privacy practices at the company.

He goes on to propose a “transparency policy” as an alternative to a conventional privacy policy. I don’t think we need a new term for the document except where using a new name shifts our perception of the document’s role. I’ve been reading a lot more about more visual legal documents and I like Beaumont’s suggested approach, at least in part:

The transparency statement will be short, clear and simple to understand. It might borrow from the “layered” privacy policy model and would almost certainly involve a strong visual element. It will be easily accessible and you will be encouraged to look at it, especially on a first visit. It will be the basis on which the website will set your expectations for how you and your data will be treated.

His model involves a transparency statement operating alongside a privacy policy which would give the transparency statement important “legal weight”. I don’t think this is necessary, though. I prefer some lawyers’ approach of publishing a “privacy statement” rather than a privacy policy. Although privacy policies are frequently framed as documents you, as a data subject, agree to, they can function just as well as statements of what personal information is being collected; how it is being processed and under what circumstances that personal information may be disclosed and to whom.

When I prepare privacy policies, I usually pair them with a website’s terms and conditions, which invoke the privacy policy as an explanation of what personal information is processed and how. The terms and conditions then reference the privacy policy and provide the “legal weight” Beaumont refers to. In that model, a privacy policy could be reframed as a streamlined privacy statement along similar lines to Beaumont’s suggested transparency statement. Inferring agreement with a privacy statement becomes largely unnecessary, and it would only really be important to establish that data subjects agreed to the terms and conditions themselves which, in turn, would point to the privacy statement for information about personal information processing.

A streamlined privacy statement would also be better suited to more visual representations of its contents which makes them far more intelligible and, by extension, a company’s data processing activities more transparent. With more transparency comes more accountability and trust. In addition –

Because the transparency statement is also more likely to be read, commented on and engaged with, it will likely improve over time, and accepted standards might emerge. This would potentially create a virtuous circle that further improves clarity for consumers.

Emerging standards have further benefits which I find really exciting. The bottom line, though, is Beaumont’s conclusion:

Transparency statements could be the vehicle to enable the majority of people to make better-informed choices than they currently do and use a truly market-driven approach to online privacy practice.

Why you may want to reconsider that co.za domain name

If you are thinking about registering a co.za domain name, you may want to consider your possible liability to ZA Central Registry NPC (formerly called Uniforum), the organisation which administers the co.za namespace. It could be substantial.

The starting point is the warranties you give when you apply to ZACR to register a co.za domain:

Applicant hereby irrevocably represents, warrants and agrees that:

  1. its statements in the Application are accurate and complete;
  2. it has the right without restriction to use and register the Domain Name;
  3. it has a bona fide intention to use the Domain Name on a regular basis on the Internet;
  4. the use or registration of the Domain Name by Applicant does not or will not interfere with, nor infringe the right of any third party in any jurisdiction with respect to trade mark, service mark, trade name, company name, close corporation name, copyright or any other intellectual property right;
  5. it is not seeking to use the Domain Name for any unlawful purpose whatsoever, including, without limitation, unfair competition, defamation, passing off or for the purpose of confusing or misleading any person;
  6. at the time of the initial submission of the Application, and at all material times thereafter, it shall have an operational name service from at least two operational Internet servers for the Domain Name. Each server is and will continue to be fully connected to the Internet and be capable of receiving queries relating to the Domain Name and responding thereto;
  7. it has selected the Domain Name without any input, influence or assistance from UniForum.

Of these warranties, points 4 and 6 could be problematic:

Warranty 4

In order to comply with this warranty, you should ideally conduct an exhaustive search of all jurisdictions in order to confirm that your proposed domain name “does not or will not interfere with, nor infringe the right of any third party in any jurisdiction”, whether that right be rooted in “trade mark, service mark, trade name, company name, close corporation name, copyright or any other intellectual property right”. That is very, very broad.

You can’t possibly know every brand, company or trading name which you could possibly be stepping on when you register your domain. Trade marks tend to be somewhat geographically and thematically limited but copyright is pretty universal and “any intellectual property right” is a really broad catchall.

Every time you register a domain name, you take the chance that it may correspond with a brand, company or trading name and someone may contend that your domain name infringes his or her rights. If that happens, you are in breach of your warranty and it doesn’t matter whether you intentionally infringed anyone’s rights. The inquiry is a factual one.

Warranty 6

This warranty can be tricky because you not only require two operational name servers to register the domain (name servers map the domain name to IP addresses associated with actual servers) but you have to warrant that “[e]ach server will continue to be fully connected to the Internet and be capable of receiving queries relating to the Domain name and responding thereto”.

This is simply not in your control. You may register with an ISP, use its name servers to register your domain and your ISP’s servers could go offline temporarily or the ISP could go out of business without you being aware of it. Even if you are aware of this, you may have parked the domain for future use and you may forget to migrate it to another ISP in your rush to move all your other data off.

What could go wrong?

All this may not seem particularly problematic until you read a little further:

Pursuant to the above warranties, Applicant hereby agrees that it shall defend, indemnify and hold harmless UniForum, its directors, officers, members, employees and agents, for any loss, damage, expense or liability resulting from any claim, action or demand arising out of or related to a breach of the aforementioned warranties or the use or registration of the Domain Name, including reasonable attorneys fees on an attorney and own client basis. Such claims shall include, without limitation, those based upon trade mark infringement, copyright infringement, dilution, unfair competition, passing off, defamation or injury to reputation. UniForum agrees to give Applicant written notice of any such claim, action or demand within reasonable time of becoming aware thereof. Applicant agrees that UniForum shall be defended by attorneys of UniForum’s choice at Applicant’s expense, and that Applicant shall advance the costs incurred in such litigation, to UniForum on demand from time to time.

This indemnity is very broad. For starters it requires you to not only cover ZACR for any costs it incurs if you breach the warranty, you are also required to “defend” ZACR from “any claim, action or demand arising out of or related to a breach of the aforementioned warranties or the use or registration of the Domain Name”. It goes on to cover “reasonable attorneys fees on an attorney and own client basis” which is not reasonable at all. The “attorney and own client” scale of legal costs is used as a punitive costs scale in court proceedings. The attorneys who would defend ZACR from the envisaged claims will be “attorneys of [ZACR’s] choice at [your] expense, and … [you] shall advance the costs incurred in such litigation, to [ZACR] on demand from time to time.” It is a lot of text but the upshot is that you will be required to pay for ZACR’s lawyers, upfront, if there is a claim flowing from –

  • breach of your warranties (which I listed above);
  • “the use or registration of the Domain Name”;
  • “without limitation, those based upon trade mark infringement, copyright infringement, dilution, unfair competition, passing off, defamation or injury to reputation”.

A relatively cheap example is a company sending ZACR a demand to deregister a domain name and transfer it across because the company believes your domain name infringes one or more of its rights. ZACR briefs its lawyers to consider the claim and they charge, say, R1 500 (very conservative, probably more) an hour to review the demand, formulate a response, discuss the response with ZACR and send it along to the company. That exercise could cost, as a guess, R4 500 if the lawyers are working very efficiently. That cost could be passed along to you to pay. There could, of course, be further costs ZACR pays its lawyers for follow-up communications, meetings and other action down the line. This is before you take into account possible losses the company may claim from ZACR and be awarded down the line.

Suddenly the domain you pay R50 to R60 for could be much more expensive. What you should ask yourself is whether you can afford to take that chance (or whether you have a truly unique domain name).

Your email providers don’t require a warrant to read your email

The Verge recently published disturbing news about Microsoft’s respect for its users’ privacy:

It came out yesterday that the company had read through a user’s inbox as part of an internal leak investigation. Microsoft has spent today in damage-control mode, changing its internal policies and rushing to point out that they could have gotten a warrant if they’d needed one. By all indications, the fallout is just beginning.

Your provider is watching you

As disturbing as this is, there is a bigger picture. As The Verge’s Russell Brandom goes on to point out –

But while Microsoft is certainly having a bad week, the problem is much bigger than any single company. For the vast majority of people, our email system is based on third-party access, whether it’s Microsoft, Google, Apple or whoever else you decide to trust. Our data is held on their servers, routed by their protocols, and they hold the keys to any encryption that protects it. The deal works because they’re providing important services, paying our server bills, and for the most part, we trust them. But this week’s Microsoft news has chipped away at that trust, and for many, it’s made us realize just how frightening the system is without it.

People following the Oscar Pistorius trial in the last week would have discovered that private chats can become very public if law enforcement authorities believe they are relevant to an investigation.

Although law enforcement authorities are required to follow various procedures to gain access to messaging and social media users’ communications, the companies operating the chat and email services we use daily don’t have this hurdle in their way if they deem it necessary to access their users’ communications.

The right to privacy in the South African Bill of Rights includes the right not to have the “privacy [of your] communications infringed”. This right is not absolute and can be (and is) limited by various laws, including the Regulation of Interception of Communications and Provision of Communication-related Information Act, which is how local law enforcement can obtain access to your communications. What this means is that, for law enforcement at least, there are checks and balances in place to protect our communications, thanks both to legislation and to service providers’ own requirements.

Unfortunately, those same providers give themselves much more convenient access to your data through their terms of service or privacy policies. On one hand, this level of access may be necessary to prevent disruptions and limit liability but, on the other hand, the permissions we, as users, grant providers like Microsoft, Google, Yahoo and others give them pretty broad access to our data without requiring them to obtain court orders or satisfy any external legal requirement.

Microsoft

As The Verge pointed out, if you use Hotmail/Outlook.com, you have granted Microsoft permission to access your data. Microsoft’s Privacy Statement includes these permissions:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public.

Because you agree to the Privacy Statement as a condition of your use of Microsoft’s services, you have consented to these uses of your personal information. These consents enable Microsoft to circumvent any questions about privacy infringement because your legitimate expectation of privacy does not extend to these particular activities. This is the key rationale for a privacy policy and the same principle applies to the permissions you grant to other providers (I’ve referred to a couple more below).

Google

Google operates an enormously popular email service, Gmail, which is also probably one of the most secure from the perspective of external surveillance and attacks. While Google holds itself out as its users’ protector from external threats, it also has the option of accessing your data because you have agreed to this when you agreed to its Privacy Policy which includes these provisions:

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users.

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know.

We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, legal process or enforceable governmental request.
  • enforce applicable Terms of Service, including investigation of potential violations.
  • detect, prevent, or otherwise address fraud, security or technical issues.
  • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

These three sections are drawn from different parts of Google’s Privacy Policy and, between them, they give Google permission to share fairly comprehensive information it has about you with law enforcement authorities as well as to use that information itself to, among other things, “protect” its services, itself and its users. This is a fairly broad term and this is likely intentional. When you write these sorts of policy documents, you don’t want to be too prescriptive if you anticipate requiring fairly broad consents for a wide range of foreseeable risks and to cater for unforeseen risks.

Yahoo

Yahoo’s webmail service is still very popular. While Yahoo’s privacy policy tends to be pretty good about handling users’ personal information, it also retains fairly broad permissions in its Privacy Policy (I added some emphasis):

Yahoo does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:

  • We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo’s terms of use, or as otherwise required by law.

Apple

Although not as popular as the other providers, Apple’s tight service and software integration makes its iCloud email service a convenient option, especially because it’s possible to create an email account on iCloud without requiring another email account first (which is increasingly rare). When you use Apple’s products and services, your consents include the following:

How we use your personal information

  • We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.

  • We may also use personal information for internal purposes such as auditing, data analysis, and research to improve Apple’s products, services, and customer communications.

Where this leaves you

Public events like the Oscar Pistorius trial and, before it, the ongoing revelations about state surveillance programs over the last year or so, have reminded us that our private communications are not quite as private as we may have hoped. Our privacy is protected more by obscurity, and by the fact that our communications, for the most part, are not the sorts of things others would be terribly concerned about.

Our trust and the possibility of severe reputational harm keep the likes of Google, Yahoo, Microsoft, Facebook and others generally honest although, as we have seen with Microsoft, they may be prepared to break that trust if the reason is compelling enough to them. They will invariably point to the permissions we give them in our contracts with them and they’ll be quite right. We have agreed to this and we’ll continue being in agreement with them having this level of access to our data because the alternatives are not nearly as convenient.

Smarter design for more efficient legal service delivery

The more I think about this challenge, the more I believe it is becoming a design challenge. In particular, I am really interested in how interaction design can be applied to digital risk management to revolutionise our legal and compliance interactions.

Alex Hamilton published a terrific post on the radiant.law blog about addressing legal service delivery inefficiencies. His post is titled “Creating Standards” and, although it is probably aimed more at lawyers, he touches on an important aspect of risk management:

Standard documents are a necessary, if not sufficient, start to fixing the inefficiencies of legal service delivery. For in-house teams in particular, pulling standards together, whether form agreements, playbooks or other tools, can be a real challenge; especially as the day to day reality of “more-for-less” overwhelms long term projects.

I’ve maintained for some time now that effective risk management is about more than just documents. The real value is in the insights that go into how legal frameworks are structured and how they function. Lawyers whose business models depend on selling contracts are going to find it pretty difficult to survive (if they aren’t already). I keep seeing new services popping up online which offer more and more sophisticated legal document assembly options (one of my clients is doing some very interesting work in this space) and which are becoming easier to use and much more affordable than conventional legal services.

Developing smarter legal frameworks has a lot more to do with knowledge and information management with an emphasis on smarter solutions. radiant.law is part of a new wave of legal services firms which place more emphasis on value and discarding convention that exists for its own sake. I think my eyes roll involuntarily every time I hear a lawyer object to something I propose merely because what I suggest runs contrary to “the way things have always been done”.

Many lawyers are stuck in mind-numbing ruts. They resort to laborious workflows and document models with little thought about whether they are still relevant or whether there are more effective solutions to clients’ problems. One of the other blogs I subscribe to is Adams on Contract Drafting, through which Ken Adams challenges legal writing conventions and approaches. I find myself reading contracts I receive from other lawyers to review, and even many of my older document models, and becoming increasingly frustrated with convoluted and repetitive language. One of my mantras at the moment is “simplicity” and each time I work through a legal document, it becomes an opportunity to simplify the wording and structure.

It doesn’t stop there. The process of simplifying your digital risk management extends to the technologies you use to manage your resources. I like Hamilton’s suggestions: use search to index and organise; use wikis to continually improve your framework models; treat your legal framework development like an open source development model and “release early, release often”; and, of course, create better standard document models.

Inefficient legal service delivery is increasingly a design challenge. In particular, I am really interested in how interaction design can be applied to digital risk management to revolutionise our legal and compliance interactions. This video titled “Connecting”, below, blew my mind about a year ago. I think it hints at a possible future for the work people like Hamilton and I do.