On July 11, 2018, the Canadian Radio-television and Telecommunications Commission (CRTC) issued notices of violation under Canada’s Anti-Spam Legislation (CASL) and monetary penalties totalling C$250,000 against two companies for allegedly aiding in the installation of malicious computer programs (or malware) through the distribution of online advertising. These fines mark the first time the CRTC has taken enforcement action to combat the installation of malware under CASL.
The decision indicates the CRTC’s willingness to impose fines on businesses that do not have adequate safeguards in place to prevent infringement of CASL’s malware provisions and underscores the importance of companies implementing the appropriate internal policies and procedures to ensure that they comply with CASL.
CASL’S COMPUTER PROGRAM PROVISIONS
While many are familiar with CASL’s anti-spam provisions, which apply to commercial electronic messages, CASL also contains provisions relating to the installation of computer programs. CASL makes it illegal to install, or cause the installation of, a computer program on another person’s computer without his or her express consent, or to aid in such an act. While these prohibitions are contained in sections often referred to as CASL’s malware or spyware provisions, they apply to almost any program installed on a computing device (including mobile phones) as part of a commercial activity.
Datablocks, Inc. (Datablocks) and Sunlight Media Network Inc. (Sunlight Media) operate in the online advertising industry by providing networks to online advertisers to distribute their advertisements on websites. Sunlight Media uses Datablocks’ bidding platform to operate as a broker between advertisers and publishers.
The CRTC determined that advertisements prepared by third parties and distributed through Sunlight Media and Datablocks’ services resulted in the installation of malicious programs on the devices of users who viewed the advertisements. Once installed, the malware enabled third parties to lock the user’s system, steal users’ data, or use the victim’s computer resources for illicit monetization.
Sunlight Media is alleged to have accepted unverified, anonymous clients who used its services to distribute this malware. Datablocks is alleged to have provided the necessary infrastructure and software for Sunlight Media’s clients to distribute the malware. Following its investigation, the CRTC determined that both companies could have prevented the distribution of malware, but omitted to implement the necessary safeguards to do so, thus violating CASL. Consequently, the CRTC fined Datablocks and Sunlight Media C$100,000 and C$150,000, respectively.
The CRTC’s decision reminds businesses of their CASL compliance requirements:
- A failure to act or to have the appropriate safeguards in place can render a company susceptible to penalties under CASL, even in the absence of any willful violation of the law
- Companies must implement appropriate internal policies and procedures to ensure Canadians’ online safety, such as:
  - Concluding written contracts with clients that bind them to comply with CASL
  - Implementing monitoring measures governing how clients use a company’s services
  - Implementing written corporate compliance policies or procedures to ensure compliance with CASL
- Companies that are in a position to allow or enable CASL violations by others must take action to prevent such violations
- Policies and procedures designed to ensure compliance with CASL must take into consideration that the law applies not only to commercial electronic messages, but to the installation of computer programs on another person’s computing device as well.