On December 3, 2015, the CRTC issued a release announcing its first-ever execution of a warrant under the Canadian anti-spam law (commonly known as “CASL”), as part of a coordinated international effort to disrupt a major botnet family.
The target botnet family, known as “Dorkbot”, can be exploited to capture personal information (particularly passwords) from users of compromised PCs, to send out spam, or to participate in distributed denial of service (DDOS) attacks, as well as to propagate other malware.
The Dorkbot malware, which has been observed and studied by security researchers since 2011, is available in “kit” form, allowing relatively unsophisticated actors to establish and control their own botnets. This has led to wide distribution; Microsoft reports that there are more than 1 million infected PCs in over 190 countries, worldwide.
The recent take-down effort appears to have targeted the so-called “command and control” servers which coordinate the infected PCs. One such server, located in Toronto, was apparently the target of the CRTC action.
The CRTC release does not explain the scope of the warrant or how its statutory powers were invoked to “take down” the server.
The CRTC has the authority under s. 19 of CASL to obtain a warrant from a Justice of the Peace to “verify compliance“ with CASL or to “determine whether” the CASL provisions relating to sending Commercial Electronic Messages or installing software without consent have been contravened. The same provision also expressly provides for warrants to “assist an investigation or proceeding in respect of a contravention of the laws of a foreign state that address conduct that is substantially similar to conduct prohibited under any of sections 6 to 9”.
The CRTC’s authority under such a warrant can include seizure of “anything found in the place”, subject to conditions specified in the warrant.
The Dorkbot malware family has been a persistent and pervasive threat to individuals and businesses alike in recent years. It poses precisely the kind of serious risk that Canadians would expect CASL’s anti-malware provisions to address. Internationally-coordinated action to disrupt these botnets is commendable.
However, Canadian businesses and other organizations should also take note that the same search and seizure powers could apply, subject to judicial approval, to investigations of commercial electronic messages.
To date, the CRTC has not used its warrant power in that context. It has instead relied on its separate Notice to Produce procedure to obtain documentary evidence.
But, as the release notes, the Commission has “a number of enforcement tools at its disposal”. This incident demonstrates that it is ready to apply these tools in novel ways as it continues to ramp up its CASL enforcement efforts.