Background and Decision

On July 11, 2018, the Canadian Radio-television and Telecommunications Commission (CRTC) issued a pair of significant Notices of Violation (NOVs) to Datablocks Inc. (Datablocks) and Sunlight Media Network Inc. (Sunlight) for violations of Canada’s anti-spam legislation (CASL) relating to the installation of malicious computer programs through online ads.

The CRTC issued the NOVs to these two companies on the basis that they violated section 9 of CASL, which can extend CASL liability to any person who is found to “aid, induce, procure or cause to be procured” the violation of various sections of CASL, including, as relevant in these cases, section 8. Section 8 of CASL essentially prohibits any person from installing a software program on another person’s electronic device without that person’s consent. These NOVs are significant as they mark the first time in the legislation’s history that the CRTC has enforced CASL against any person under section 9, and that it has cited a violation of section 8.

In its investigation, the CRTC alleged that the two companies, which are involved in the online advertising industry, knew that their clients were installing software onto internet users’ devices without the users’ consent and allowed such installations to continue. Datablocks owns a Real Time Bidding (RTB) software and network infrastructure that displays ads on various websites that are customized to visitors of those websites. Sunlight operates an ad network and acts as a broker that connects clients looking to advertise their products with websites or other publishers of advertisements via Datablocks’ RTB network. The CRTC noted that Datablocks and Sunlight are closely connected through corporate ownership, office location, and the fact that Sunlight is a “top user” of and “pays significantly discounted rates” for Datablocks’ services.

The CRTC identified that the organizations’ clients were harming users’ computers through a practice called “malvertising,” as they used the RTB network to covertly install various types of malware on internet users’ computers, including ransomware and Trojan viruses. The clients were able to do this by using Sunlight’s and Datablocks’ proprietary infrastructure to exploit a vulnerability in Adobe Flash (which is commonly used in advertisements to display various types of graphics).

Acts and omissions which violated CASL

The issue of central concern for businesses aiming to comply with CASL is the fact that Datablocks and Sunlight Media did not actually install programs themselves but rather, in the view of the CRTC, “aided” their clients in doing so. The CRTC was careful to emphasize that the NOVs were issued as a result of the companies’ acts and omissions, which include:

  • Providing the technical means and infrastructure that were necessary for their clients to “malvertise” to unsuspecting users
  • In the case of Sunlight, actively promoting services that foster section 8 violations, forming business relationships with clients “publicly known” for section 8 violations and other non-recommended practices, and adopting procedures which permitted (and encouraged) anonymity (allowing the use of aliases by clients, suspicious signups, and cryptocurrency payment methods)
  • Not acting upon a warning by the Canadian Cyber-Incident Response Centre (a government agency) that their services were used to disseminate malware

Notably, the CRTC did not name any of the clients that it alleged are “publicly known” for violating section 8.

In the result, the CRTC levied administrative monetary penalties (AMPs) of $100,000 to Datablocks and $150,000 to Sunlight, for acts and omissions taking place over a period spanning just under four months in 2016. Based on the CRTC’s release, it appears that the CRTC considered Sunlight more culpable for the installations as it was more directly responsible for soliciting clients and permitting these installations, despite its knowledge of their nature. However, the CRTC also alleged that Datablocks acquiesced to the installations, stating that both it and Sunlight “were in the best position to prevent the prohibited acts from occurring.”

Lessons learned

The CRTC elaborated on the notion that Datablocks and Sunlight could have prevented the installations by claiming that they failed to implement “fundamental basic safeguards, which are well known to the industry.” It listed a few of these safeguards as:

  • Having written contracts with clients that contain provisions that mandate compliance with CASL
  • Instituting measures for monitoring how clients use these types of services
  • Establishing internal corporate compliance policies or procedures to ensure compliance with CASL

However, the CRTC did not provide details about the extent to which these safeguards must be implemented. The CRTC also implied that this is not an exhaustive list, which raises questions and leaves organizations some flexibility about what other steps may be appropriate in a given context.

The issuance of the NOVs against Datablocks and Sunlight further reinforces the CRTC’s willingness to enforce all provisions of CASL, not only the messaging provisions, against a wide range of organizations, including smaller and medium sized business.