On Dec. 3, 2015, the Canadian Radio-television and Telecommunications Commission (CRTC) announced that it had served the first warrant under Canada’s Anti-spam Law (CASL).
The warrant was intended to bring down a server located in Toronto, Ontario, that had been identified in an international investigation as a command and control server for the distribution of Win32/Dorkbot malware. Dorkbot compromises infected computers to allow the theft of usernames, passwords and other information, creating a risk of identity theft; it can also cause the computer to participate in distributed denial of service attacks and can download additional malware that may further compromise the device. Manon Bombardier, the CRTC’s Chief Compliance and Enforcement Officer, commented that “These are very egregious botnets that are used for illicit activities and can lead to identity theft and fraud.”
In the course of the investigation leading to the warrant, the CRTC collaborated with law enforcement agencies and partners around the world, including the RCMP, the Canadian Cyber Incident Response Centre, the Federal Bureau of Investigation, Interpol, and Microsoft.
The warrant represents the first time the CRTC has used the provisions in CASL that permit an ex parte application to a justice of the peace to seek a warrant that permits a designated person to enter a place, examine anything found there, including using any computer found there, and remove anything found for further examination. It is also the first use of CASL to target the distribution of malware.
While Canadians will no doubt rightly welcome the use of CASL to target malware, entities doing business in Canada should also note that the CRTC continues to actively enforce the provisions of CASL pertaining to the sending of commercial electronic messages. In late November, the CRTC entered a compliance undertaking with Rogers Media, in which Rogers agreed to pay $200,000. The CRTC alleged that Rogers had sent commercial emails that used an unsubscribe mechanism that did not function correctly, or that could not be “readily performed”. Rogers also allegedly failed to honour unsubscribe requests within 10 business days.
With the enforcement of CASL in full swing, all entities that send commercial electronic messages in or into Canada must take appropriate steps to comply with CASL and be able to evidence that compliance if faced with a CRTC investigation.