On December 4, 2013 - approximately one year ago - Canada's "anti-spam law" (formally known as An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, but informally known as "CASL") finally came into force, with the CASL requirements to be effected in a staged roll-out as follows: the anti-spam provisions to come into force on July 1, 2014; the provisions regarding unsolicited installed programs - including cookies - to come into force on January 15, 2015; and the provisions providing for a private right of action to come into force on July 1, 2017.
This coming-into-force of CASL caused a flurry of compliance activity as organizations scrambled to understand and comply with CASL. However, efforts to so understand and comply with CASL have been hampered by the language of the Act, which is rife with ambiguities. This problem has been further compounded by roadshows conducted by the Canadian Radio-television and Telecommunications Commission (the "CRTC"), the primary regulator under CASL, whose guidance has not only been inconsistent, but also in some cases appears to conflict with the language of the Act. Faced with these uncertainties, those organizations seeking in good faith to comply have awaited with anticipation the first decisions of the regulators, in the hope that the details of these decisions will assist in clarifying their compliance obligations.
Unfortunately, those hopes will likely be dashed if the first report from the CRTC as to a CASL investigation and enforcement action is any indication of the level of content observers of the Act should expect to see in the future.
A. First CRTC Report on Conclusion of a CASL Investigation & Enforcement Action
Since the anti-spam provisions were first brought into force, there have been more than 140,000 complaints made under CASL. Notwithstanding that volume, however, the CRTC only reported - with some fanfare - the conclusion of its first investigation and enforcement action in an October 7, 2014 press release (the "Release").
Unfortunately, so few details were disclosed in the Release that a summary is not necessary. The Release relates how in July 2014, the Spam Reporting Centre - which is used by the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner to enforce CASL - received reports of spam messages routed through Access Communications, an Internet service provider (ISP). During its investigation, the CRTC discovered that the spam messages were actually coming from the server of a small business in Saskatchewan, which used Access Communications as its ISP. This business's server had become infected with malware, which had caused it to join the botnet "Ebury" and then send millions of malicious spam messages without the knowledge of the business or of Access Communications. The CRTC alerted both the small business and Access Communications to the issue, both of whom in due course removed the malware. In short: a small Saskatchewan business had a virus.
B. Lessons Learned?
There are some troubling features to this Release, which we have outlined below.
1. Public Relations Exercise
The report is not a "report" per se, but rather is a press release. Partially as a result of this, the Release reads more like a dispatch from the frontlines than a useful report on a CASL inquiry. For example, see the CRTC "Quick Facts" summation of the incident:
- The CRTC, a small Saskatchewan-based business and Access Communications worked together to prevent millions of spam messages from being sent to Canadians, as well as the potential harm these messages may have caused.
- The CRTC is working with its partners, both within Canada and internationally, to protect Canadians from online threats and contribute to a more secure online environment.
- Canada's anti-spam law protects Canadians while ensuring that businesses can continue to compete in the global marketplace.
- Given the circumstances at hand, the CRTC sought the collaboration of both entities to immediately stop the problem and protect Canadians.
In short, in a four-paragraph summary the Release expressly references "protect Canadians" three times. The main body of the Release reflects similar language.
- Once alerted to the situation by the CRTC, the small business and Access Communications fully co-operated and removed all traces of spam-ware.
- By working together and acting swiftly on the reports that came into the Spam Reporting Centre, the CRTC, the Saskatchewan-based small business and Access Communications were able to prevent millions of additional and unwanted spam messages from being sent, reducing the potential harm these messages may have caused Canadians.
And the result of all of this drama?
- According to spamrankings.net, the Autonomous Systems (AS21804) for Access Communications, which includes the small business in question, topped the charts for spam activity in Canada in June and July 2014, peaking at approximately 24 million emails sent in June and 73 million in July. After notification from the CRTC and the action taken by the small business and Access Communications, the activity dropped down to the 36th spot on the spamrankings.net list. The Spam Reporting Centre also stopped receiving spam reports regarding this matter.
So in summary, a system which was ranked number one for spam is now ranked at 36, and the Spam Reporting Centre stopped receiving those reports once the spam-ware was removed.
2. Lack of useful detail for other organizations seeking to comply
By providing their first report on the conclusion of a CASL investigation and enforcement action in the form of a brief, somewhat self-serving press release, the CRTC has missed a real opportunity to detail how CASL will be applied in practice: an opportunity that was also readily available as the CRTC did not name the relevant Saskatchewan business. Thus the following questions remain unanswered:
- Did the organization have any CASL compliance policies in place? The CRTC has emphasized the importance of implementing CASL compliance programs but provided no commentary as to the state of compliance of this business. It is unclear what this omission suggests: That the CRTC will not look at the state of an organization's compliance programs if the cause of the problem is external? That because the organization was a small business, the standard of compliance is less than that of a larger organization? Or that the CRTC is less concerned with CASL compliance programs than it has suggested? Certainly there are numerous small businesses struggling to comply with the CASL requirements which would have been pleased to have had more details as to the expectations of the CRTC when it comes to small business CASL compliance.
- Is there an expectation that the organization must have implemented a certain level of industry standard anti-virus measures in order to be found blameless (or at least, blameless to the point that the CRTC exercises its discretion to neither fine nor name the business)? Does that standard implicitly vary with the size and nature of the business? Also, CASL provides for a due diligence defence - does the existence/omission of such industry standard anti-malware protections by an organization contribute to the availability or unavailability of that defence?
- Is an unwitting business which has malware, whose servers are hijacked to send spam, even a "sender" of the messages such that it is caught by CASL at all? Similarly, what responsibility does Access Communications have for the spam issue, as the ISP for the business? Any? Presumably they were in the better position to protect against the malware, so should they bear any responsibility?
The CRTC in a recent webinar indicated that they did not intend to make compliance orders public. The challenge is that absent posting the compliance orders, or some form of more detailed report, on a no-names basis, organizations will not have a pool of precedents to review for guidance. Contrast that with the approach taken under Canadian privacy legislation, where privacy commissioner findings are generally made public and as a result form a useful resource for organizations seeking to better understand the approach of the regulator to the application of their applicable law.
3. Disconnect from Policy Objectives
While it is true that the net effect of the CRTC bringing malware to the attention of the investigated business was a diminishment of spam, this is a curious choice for the first reported investigation under CASL. It is not clear that by identifying the existence of a virus the CRTC achieved a great policy victory worthy of trumpeting. Where is the prosecution of the foreign senders of spam? Where are the real malfeasors which justify the expense organizations have incurred in order to comply with CASL?
While it is easy to be cynical about the self-congratulatory tone of the Release, unfortunately the bigger issue is the absence of the substantive content which would assist organizations to better understand the CRTC's view of their respective obligations under CASL. While not begrudging the CRTC their opportunity to publicize their enforcement efforts, it is incumbent upon the CRTC to provide more detail as to the results and analysis for each investigation and other CASL enforcement action, in order to allow organizations to learn from the CASL experience of others. In short, the level of detail with respect to the particular investigation and enforcement action is, at best, disappointing. Organizations that have spent significant time and resources in complying with CASL deserve better.
However, the CRTC does end the bulletin by noting that "a number of investigations are under way".