On July 11, 2018, the Canadian Radio-television and Telecommunications Commission issued notices of violation under Canada's Anti-Spam Legislation (commonly known as "CASL") against two online advertising businesses for allegedly aiding the installation of malicious computer programs through the distribution of online advertising. It is the first enforcement action against an organization for aiding CASL violations committed by its customers.
CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties designed to prohibit unsolicited or misleading commercial electronic messages ("CEMs"), the unauthorized commercial installation and use of computer programs on another person's computer system and other forms of online fraud.
For most organizations, the key parts of CASL are the rules for CEMs. Subject to limited exceptions, CASL creates an opt-in regime that prohibits the sending of a CEM unless the recipient has given consent (express or implied in limited circumstances) to receive the CEM and the CEM complies with prescribed formalities (e.g. information about the sender and an effective and promptly implemented unsubscribe mechanism) and is not misleading. See BLG bulletin Canada's New Anti-Spam and Online Fraud Act Some Frequently Asked Questions.
CASL also prohibits, in the course of a commercial activity and subject to limited exceptions, the installation and use of a computer program on another person's computer system without the express consent of the owner or authorized user of the computer system. The computer program rules apply to almost any computer program (not just malware, spyware or other harmful programs) installed on almost any computing device (including mobile phones) as part of a commercial activity (regardless of expectation of profit). For more information, see BLG bulletins CASL Rules for the Installation and Use of Computer Programs and CASL Regulatory Guidance for Computer Program Installation Rules.
CASL imposes liability not only on an organization that directly violates CASL (e.g. by sending a prohibited CEM or installing a prohibited computer program) but also on an organization that causes or permits a CASL violation, or who aids, induces or procures a CASL violation. CASL also provides that an organization is vicariously liable for CASL violations by its employees and agents (e.g. digital marketing service providers) within the scope of their employment or authority, and corporate directors and officers are personally liable if they direct, authorize or assent to, or acquiesce or participate in, a CASL violation. Organizations, directors and officers might avoid liability if they establish that they exercised due diligence to prevent the violation.
CASL violations can result in potentially severe administrative monetary penalties up to $10 million per violation for an organization and $1 million per violation for an individual in regulatory enforcement proceedings. CASL includes a private right of action, which is not in force. For more information, see BLG bulletin CASL Government Suspends Private Right of Action.
The Canadian Radio-television and Telecommunications Commission ("CRTC") is responsible for enforcing CASL's rules regarding CEMs and computer program installation, and has various enforcement tools for that purpose. Since CASL came into force in 2014, CRTC has taken enforcement action against organizations and individuals who have violated CASL's CEM rules, and has issued enforcement decisions and accepted voluntary undertakings (settlements). For more information, see BLG bulletins CASL Year in Review 2017, CASL Year in Review 2016 and CASL Year in Review 2015.
In December 2017, the House of Commons Standing Committee on Industry, Science and Technology issued a report titled Canada's Anti-Spam Legislation: Clarifications are in Order, which recommends some changes to CASL. In April 2018, the government released an official response to the report. For more information, see BLG bulletin New Committee Report on CASL Highlights Need for Clarification and Education.
On July 11, 2018, CRTC announced the issuance of notices of violation against Datablocks, Inc. and Sunlight Media Network Inc. alleging that they violated CASL by aiding their clients to distribute online ads that installed malicious computer programs in violation of CASL's computer program rules. CRTC's announcement and investigation summary explain as follows:
- Online advertisements are a main method for distributing malicious software by serving "malvertising" advertisements that are "booby-trapped" to cause the unauthorized installation of exploit programs that permit the installation of secondstage malware (e.g. ransomware and Trojans) to conduct malicious activities.
- Datablocks and Sunlight Media are closely connected companies involved in the distribution of online ads. Datablocks owns and operates a real-time bidding system for the distribution of customized ads to website users. Sunlight Media operates an ad network and serves as a broker between advertisers and publishers (website operators) using Datablocks' system.
- Sunlight Media's anonymous clients used the services of Datablocks and Sunlight Media to distribute malvertising that installed malicious computer programs in violation of CASL's computer program rules.
- Datablocks and Sunlight Media, by their acts and omissions, allegedly aided their clients to commit CASL violations. In particular:
- Datablocks and Sunlight Media provided the technical means and services used to distribute malvertising.
- Sunlight Media actively promoted its services used for malvertising distribution, formed relationships with clients known for distributing malvertising, and adopted practices that permitted and encouraged anonymity by its clients.
- Datablocks maintained its relationship with Sunlight Media notwithstanding Sunlight Media's non-compliant practices.
- Datablocks and Sunlight Media were warned by the Canadian Cyber-Incident Response Centre in 2015 and CRTC in 2016 that their services were being used to distribute malvertising, but they did not implement safeguards to prevent those activities.
- Datablocks and Sunlight Media did not implement any fundamental and well-known basic safeguards to prevent their clients from distributing malvertising, such as written contracts with clients to require CASL compliance; monitoring how clients used their services; and written corporate CASL compliance policies and procedures.
- Datablocks and Sunlight Media financially benefitted from their clients' CASL violations because their fees depended on a pay-per-click business model.
As a result of the investigation, CRTC's Chief Compliance and Enforcement Officer issued notices of violation imposing administrative monetary penalties of $100,000 on Datablocks and $150,000 on Sunlight Media.
CRTC's Chief Compliance and Enforcement Officer explained: "As a result of Datablocks and Sunlight Media's failure to implement basic safeguards, simply viewing certain online ads may have led to the installation of unwanted and malicious software. Our enforcement actions send a clear message to companies whose business models may enable these types of activities. Businesses must ensure their commercial activities do not jeopardize Canadians' online safety."
CRTC's enforcement action illustrates how CASL imposes liability on an organization that aids another person to commit a CASL violation. CRTC has encouraged organizations to develop and implement a credible and effective CASL compliance program as a risk management strategy to reduce the likelihood of CASL contraventions and to help establish a due diligence defense and ameliorate potential sanctions if a CASL contravention occurs. For more information, see BLG bulletin CASL Compliance Programs Preparing for Litigation.