The CRTC has overturned a 2018 staff finding that two online advertising intermediaries aided an unknown party with respect to the installation of malware on Canadian government computers, contrary to s. 9 of Canada’s Anti-Spam Legislation (CASL).
In Compliance and Enforcement Decision CRTC 2022-132, the Commission determined that neither Datablocks Inc. (Datablocks) nor Sunlight Media Networks Inc. (Sunlight Media) violated s. 9 and that accordingly, no administrative monetary penalties (AMPs) would be imposed – effectively nullifying a July 2018 Notice of Violation (NOV) issued by CRTC staff, which imposed penalties of $150,000 on Datablocks and $100,000 on Sunlight Media.
CASL confers a range of investigative and enforcement powers on a “designated person” (in this case, the Chief Compliance and Enforcement Officer, a senior member of CRTC staff), including the ability to issue NOVs and to impose AMPs. Decision 2022-132 is the result of a kind of appeal mechanism in CASL, whereby the recipient of an NOV issued by CRTC staff may make representations to the Commission itself (i.e. the appointed members of the CRTC), following which the Commission must determine, on a balance of probabilities, whether that person committed the violation.
The case concerned malware that was installed through online advertisements that had been altered by unknown third parties so as to redirect users that clicked on such ads to sites through which malware could be installed. Section 8 of CASL, which is targeted at malware and spyware, prohibits the non-consensual installation of a computer program on any other person’s computer system. CRTC staff was unable to identify the persons responsible for the installation of malware.
Instead, staff focused its attention on Datablocks (which provided an automated real-time advertising exchange platform) and Sunlight Media (which operated a small online ad network, connecting advertisers and publishers using Datablock’s platform), finding them to be liable under s. 9 of CASL for aiding the unknown parties in the installation of the malware, by serving the small number of malicious ads that were included in the billions of ads that were automatically served through the Datablocks exchange platform. Section 9 prohibits anyone from ‘aiding, inducing, procuring or causing to be procured’ the doing of any act contrary to any of the core provisions of the Act respecting electronic marketing, computer program installation and transmission data alteration.
Unfortunately, for industry observers, the CRTC review decision turns on narrow technical evidentiary findings as to whether computer programs were actually installed without consent, contrary to s. 8. The Commission concluded that there was insufficient evidence to demonstrate that the 7 malware files identified by the Chief Compliance and Enforcement Officer were actually installed on the government computers in question, meaning there was no violation of s. 8 of CASL. As such, the review decision avoids consideration of the thornier aspect of the case: the proper application of the “aiding and abetting” prohibition in s. 9.
After Datablocks and Sunlight Media challenged their NOVs, the Commission issued guidance respecting its approach to applying s. 9 of CASL, taking what many saw as an aggressive approach. In that guidance, as well as letters sent to a large number of internet service providers and online platforms, the Commission controversially suggested that organizations could be found to have “aided” another party’s CASL violation simply be providing enabling services, technical or otherwise, such as by providing access to the tools or equipment necessary for a third party to violate the law. This approach has not been considered by the courts, nor have there been any CRTC decisions to date that have interpreted and applied s. 9. The Datablocks review decision fails to provide any additional guidance to digital intermediaries as to the circumstances in which they may be found liable for the CASL violations of others.
The CRTC decision brings to an end a lengthy investigative and enforcement process that, for the companies, commenced in January 2016, when CRTC staff executed a search warrant against Datablocks.