On January 27, 2016, the Canadian Radio-television and Telecommunications Commission (CRTC) announced that it executed a warrant under Canada’s Anti-Spam Legislation (CASL). The CRTC raided two facilities in the Niagara region of Ontario as part of an ongoing investigation relating to the installation of malicious software (malware) and the alteration of transmission data1. The CRTC launched its investigation further to a lead from FireEye Inc., a vendor specializing in cyber threat protection and forensics.
Although CASL came into force in 2014, provisions prohibiting the installation of software, including malware, on an individual’s computer without consent, only came into effect in January 2015. This is the second time a warrant has been executed since CASL came into force.
The CRTC previously executed its very first warrant on December 3, 2015, as part of a coordinated international effort of law enforcement agencies, including the RCMP, FBI, Europol, Interpol. The aim of the warrant was to take down a command and control server in Toronto, in order to disrupt the malicious software called Win32/Dorkbot, a malware responsible for infecting more than one million personal computers in over 190 countries.
The CRTC has a range of investigative powers available under CASL. With judicial authorization, it may obtain injunctions against suspected offenders2 and execute search warrants to enter premises to investigate and verify compliance with the Act3, as well as to seize anything found on the premises4. In the event of a violation, the CRTC has the power to issue “administrative monetary penalties” of up to $1 million for an individual and up to $10 million for a company5. As of July 1, 2017, individuals and organizations affected by a contravention of CASL will be able to take court action to seek actual and statutory damages,6 although entering into an undertaking with the CRTC could eliminate the possibility of a private lawsuit.7
Canadian businesses have previously expressed concern that the CRTC may direct its enforcement powers against legitimate domestic companies rather than cyber threats and intentional spammers. This announcement however indicates that the CASL enforcement regime is likely to target the most damaging and deceptive forms of spam and malware.