It’s 7:00am. You crawl out of bed, groggy, stretch and then stumble your way downstairs to brew a pot of Columbia’s finest. It was hot last night, so you slept naked to stay cool. Thinking nothing of it, you walk into the kitchen completely nude to make said coffee, only to see a woman and her son walking across your yard on their way to school. The woman freaks upon seeing you naked inside your own house, and has you arrested for indecent exposure.

Such was the fate of one Eric Williamson last week, a victim of the law gone wild. Williamson is alleged by the local police to have “wanted to be seen naked” for his nude-brew escapade. While the safety of brewing and drinking coffee at the same time while naked may be debatable, there is no disputing that doing so while inside your own home is an entirely plausible endeavour. Ultimately, the concept of private property implies that what transpires on that property is protected from condemnation so long as the actions are not adversely affecting others’ well being.

This case raises obvious flags, even for a fledgling Law 1 student such as myself. Williamson’s personal conduct may be questionable on normative grounds, but not as a legal matter. The woman and her child — it will undoubtedly be argued in Williamson’s defense — forfeited any right to allege “indecent exposure” by entering onto Williamson’s property, by peering through Williamson’s windows and by then going so far as to allege they were then offended as such by the conduct they witnessed therein.

Interestingly, the Williamson case follows with one of the first cases presented to Law 1′s here at Windsor Law. In R. v. Clark, a man was convicted of indecent exposure for being spotted masturbating in his own living room by neighbour’s over 100m away. The accused was charged under ss. 173(1)(a) and 173(1)(b) of the Criminal Code.  Section 173(1) makes it an offence to wilfully do an indecent act (a) “in a public place in the presence of one or more persons”, or (b) “in any place, with intent thereby to insult or offend any person”.

The question thus becomes: since when is a man’s private kitchen considered a public space? At what point did Williamson’s actions (merely standing nude in his own kitchen) supersede as the legal issue the woman’s imposition of her ‘peeping’ on Mr. Williamson? Is Mr. Williamson not entitled to the privacy of his own home? Should not the woman and her son have immediately looked the other way upon seeing Mr. Williamson and continued walking to school out of respect for Mr. Williamson’s privacy?

In a critique of this case, Michele Catalano at PajamasMedia offers an interesting hypothetical role reversal of the Williamson case. Her article is a great read and is recommended for insights superior to my own. As Catalano surmises, “The sanctity of our house is the last bastion many of us have.” If we cannot do something as harmless as brew coffee in the nude without the fear of being peeped on by a nosy neighbour, is there any realm of privacy left untouched by the law of the land?

Catalano goes further, suggesting an endemic bias against men for situations involving indecency. She suggests the following role reversal, “What if the tables were turned? What if Williamson were a woman and a man walked by the house instead of a woman? What if that man happened to look into the window, staring long enough to see that the woman inside was naked? Would he call the cops to say he was flashed? Probably not, because he would end up in handcuffs for being a peeping Tom. A woman looks in on a naked man and thinks he is committing a crime. A man looks in on a naked woman and she thinks he is committing a crime. Weird how that works.”

Indeed Catalano’s hypothetical presents the law with confounding and plainly hypocritical standards by which men are often held. Certainly there could be statistics to suggest men are more prone to offensive indecent acts, but is not the law supposed to rule without prejudice to such statistics? This is not to suggest the ignorance of precedent, which is completely different and entirely applicable in specific cases. But if Williamson here is considered guilty to be proven innocent, the burden of reverse onus must be proven as such. In this case, there is no such grounds.

The law is running wild. The lesson here is to put your boxers on before you hit “Brew”. Otherwise you just might be feeling the cold sting of handcuffs instead of the warm jolt of caffeine.

– Robert Onley –

Introduction (Surprise!)

I got a new iPod Touch today and one of the first things I did was fire up wi-fi and launch google maps. I noticed a button that allowed the system to automatically zoom in to my “current location”. Because the iPod does not have a GPS chip, I was expecting it to use my IP to narrow me down to a city or even a province. Imagine my surprise when it narrowed me down with an accuracy 30 meters (~100 feet)!

The first time I tried this, I was at the university. I was not too surprised by this because I know that the university has static IPs that may well be in some geo-locator database. I was more surprised (and concerned) when this worked at home. My IP is dynamic, so there is no way it could be stored in a central database. For curiosity, I looked my current IP up in a geo-locator database and it pointed me to Kingston, ON, which is 500km off, but it makes sense because my ISP operates all over Canada.

Technical Explanation (With Limited Amounts of Geekiness)

So how did the iPod do it? A few minutes of googling took me to a company called Skyhook Wireless. Without getting too technical, what this company does is it sends out about 200 cars in all cities in North America and they do what is known as “wardriving”. Essentially, they take a unique ID (MAC address for the technically inclined) from all wireless routers and log the physical location of those routers in a central database. The MAC address is freely available, even from protected networks. To be perfectly clear: you do not need to connect to a network (and thus do not need any passwords) in order to get a MAC address.

Once the location is in a central database, it is available for triangulation. Say I’m walking down the street with my iPod and press the “locate me” button. The Wi-Fi radio on my iPod sends Skyhook the MAC addresses of all the routers around me in a 80-200 meter radius. If three of those are in Skyhook’s database, I am triangulated, and skyhook knows where I am (give or take a few meters). The data is sent back to me and I get a google map of my surroundings.

Implications (Why You Should Turn Off the Wi-Fi on Your Cell Phone/iPod)

The negative implications of this can be quite clear. What if, for example, you’re not the one who requested your location? What if it was done by a virus/trojan or spyware (brings a new meaning to the term, eh?)? But your location is probably of little use to petty hackers and virus-writers. It’s also not precise enough for someone to physically walk up to you, especially if you’re in a dense place such as any city center. 30 meters worth of error downtown Toronto (or even downtown London) is enough for someone to never find you.

But what if your location is wanted by someone who knows you personally? Let’s say a spouse/significant other who thinks you’re cheating. Then your location with a 30 meter margin of error becomes more than enough for that person to know what you’re doing.

Legal Issues (This is a Law Blog, right?)

I can’t definitively say whether any of this is an invasion of privacy. Skyhook’s technologies does not circumvent any security systems and uses only information that is publicly available. I am not sure whether posting a location of a MAC address constitutes invasion of privacy (an enterprising “enthusiast” found a way to query Skyhook’s database to get Lat/Lon coordinates associated with MAC addresses). There’s an argument to be made both ways and of course none of this has been tested by a court.

What’s more concerning is that router owners cannot opt out of this. Furthermore, once a router’s MAC address is in the database, it cannot come out. The company’s stance on the issue is the following:
“we cannot remove individual access points…every access point by
definition broadcasts a radio beacon …The only way to stop an access point from broadcasting its
presence is to unplug it….we don’t actually identify the location of access points, just the signals
that they create”
That statement is technically true, but misses the point entirely. “The signals” (MAC address broadcasts) can be definitively associated with the physical router because every router has a unique MAC address (otherwise their system wouldn’t work). So, yes, they are tracking the location of access points. It is true though that once that access point (router, switch, etc.) is no longer broadcasting, it cannot be identified. This is the same thing that was said by computer security experts back in the 1980′s:
“…the only truly safe computer system is one that is disconnected from the network, switched off and buried six feet under ground…and even then I’m not sure.”
Mitigating Factors (Why You Should Not Lose Sleep Over This)

I have already alluded to some of the mitigating circumstances. Some of them are social (i.e. your location within 30 meters is useless to 99.999999% of the population) others are more technical. For example, most devices that are not laptops shut off wi-fi connectivity when their screens turn off in order to conserve their batteries. This is certainly true for iPods and iPhones and is also true for every Windows Mobile device I ever owned. Also, an internet connection is not needed to establish your coordinates (unconnected wi-fi is enough), but an internet connection IS required in order to do anything with those coordinates (i.e. send them to someone).

Also note that there need to be at least three known broadcasting access points within at most 200 meters, which likely means that this positioning system will not work in rural areas.

Lastly, and perhaps most importantly, I did not find any evidence of this system being misused. So far, there has not been any malware written that would take advantage of Skyhook’s database to track people. That doesn’t mean it cannot happen, it just means that it is not something to worry about today.

For More Info…

For the more technically inclined, you can check out my source material:

http://thebmxr.googlepages.com/Don_t_Locate_me.pdf (Background and tricking the system, very technical)
http://en.wikipedia.org/wiki/Skyhook_Wireless (Wikipedia entry on skyhook. Describes the technology)
http://en.wikipedia.org/wiki/Wifi (Wikipedia entry on wifi. Look at “Reach” for wifi service ranges)

A triumphant Jennifer Stoddart, Canada’s Privacy Commissioner came out this morning and said that Facebook agreed to make changes to its privacy policy within a year. The following changes are being touted:

• Denying third-party application developers access to user information without the user’s express consent in each of the categories the applications wants to access (currently, a user clicks just one button and the application can access all info regardless of whether or not it needs it);
• Giving users the opportunity to provide meaningful consent to retain profile pages after their death (currently there is no such provision that I know of);
• Add information about the privacy of non-users;
• Allow users the option of deleting accounts and all information associated with the account from Facebook’s databases (currently, a user may “deactivate” their account, meaning that the info still stays on Facebook’s servers).

This is indeed a meaningful victory. However, it does raise some interesting questions. Facebook is not the only platform out there that indefinitely maintains the information of its users. Other platforms such as Myspace, twitter, countless small(er) sites such as meetmeinto and the ever expanding vacuum of information called Google.

Are the laws on privacy clear? How do they apply to non-Canadian companies? How can they be meaningfully enforced, especially outside borders? I see Facebook’s agreement to comply with laws as largely a goodwill measure. If the company wanted to dig in its heels and refuse to make any changes, what could the Privacy Commissioner have done? Let’s see if someone can answer this question.

Source

Cross-posted on LawIsCool