
CRTC Stands By New Disclosure Requirement on Software Installs Over Objections From ESAC, RIM

The CRTC has finalized its anti-spam regulations, retaining some notable new disclosure requirements for some software installations. The requirements were opposed by the Entertainment Software Association of Canada and Research in Motion, who both asked for the requirements to be either dropped or significantly changed. The regulation requires:

A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.

The functions listed in 10(5) of the Act are:

(a) collecting personal information stored on the computer system;
(b) interfering with the owner’s or an authorized user’s control of the computer system;
(c) changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
(d) changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
(e) causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;
(f) installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system; and
(g) performing any other function specified in the regulations.

While this is obviously aimed first and foremost at spyware, it targets many other possibilities, including the infamous Sony rootkit case and other attempts by software or app developers to unexpectedly collect personal information or interfere with a user’s computer. It could also have an impact on some digital rights management systems, raising interesting questions about the interaction between these requirements and the digital lock rules in Bill C-11.

The ESAC objected, recommending:

section 5 be removed and replaced with a general requirement that material elements that perform the specified functions be brought to the attention of the user “clearly and prominently”. Both the separate consent requests and enhanced disclosure, along with the requirement to obtain a written acknowledgement, will create significant problems, generate unnecessary paperwork and result in further disruptions of the user experience.

Similarly, RIM stated:

We recommend that this section be removed or modified to read as follows:
5. A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought in a clear and prominent manner.

The CRTC rejected the recommendations from ESAC and RIM, concluding:

With respect to parties’ submissions that the requirements contemplated by section 5 of the draft regulations are excessive, unclear, and not practicable, the Commission is of the view that the invasive nature of the computer programs in question warrant the requirement to identify the material elements of the computer programs separately from the request for consent and to seek written acknowledgement of the programs’ functions. Accordingly, the Commission is not persuaded that it would be appropriate to amend the requirement contemplated in section 5 of the proposed Regulations.

The regulations do not take effect until the entire anti-spam law is operational. Industry Canada has yet to release its revised regulations, which may spark another round of consultations and further delays.


16 Comments

  1. Devil's Advocate says:

    Wow!… Wait a minute…
    On the one hand, it’s about time to try to address the unwarranted and malicious interference of users’ computers that seems to have become an actual point of entitlement with many companies.

    On the other hand, written consent may be a tremendous piece of overkill on BOTH the companies, and the users who may actually need to get such an install accomplished in a reasonable amount of time. (In most of these cases, a program is usually launched and used immediately after the install.)

  2. Interesting. On one hand, it would be nice to know what things are collecting without having to read through a long, lengthy and rather opaque legal document, and being able to agree to it or not. On the other hand, written consent may be a bit overboard.

  3. Let the market decide!
    Hopefully this will force the developers to find ways to “fix” problems without slipping rootkits, drm or spyware in at the same time. The language in there is still pretty flexible though.

  4. Chris Brand says:

    Interesting to know who objected
    Everything on that list is something that I want to know about and actively consent to. Essentially, they’re all things where the software is trying to do something that could be underhanded.
    As such, it’s definitely useful to know who objected to getting my consent to do those things!
    Hopefully they’ll react by removing that functionality rather than actually getting the required consent.

  5. I expect the onerous requirement of written consent is really meant to have the designers of such systems not try to slip these tactics by in the first place. Yes it will “create significant problems”, so don’t do it 0_o

    Kudos, CRTC. I’m liking some of the fresh thinking coming from them lately … did I really just say that ?!

  6. >The requirements were opposed by the Entertainment Software Association of Canada and Research in Motion, who both asked for the requirements to be either dropped or significantly changed.

    If they got nothing to hide why would they be objecting to it? Oh wait the ball is in the corporations’ court now so it’s not acceptable but they sure want to make Software License Agreements enforceable.

  7. Written consent is a very bad problem. I can only imagine mandatory signatures before buying a phone, product or services that covers all those categories but the sales rep says it’s for reason A… w/o necessarily they can later add B and C….

    I would much rather have wording that says something along the lines of Active permission is required before every and any of the following scenarios.

    So if I have an iPhone for example, and I need a program to work… and for it to work I need to give it my location data, fine. But that does not necessarily mean I want to be giving it all the time.

    It’s good stuff. Just obviously from people who are still stuck in the pen and paper world.

  8. Finally something good.
    The CRTC just earned a little bit of my respect back.

    There is a big need for better information and disclosure (ex labeling) around licensing terms, DRM, privacy policies, and tinkerer-friendly products (“hacker-friendly”, in the positive meaning).

  9. EULA
    So can this “written acknowledgement” and disclosure be buried in the EULA of software programs as they are now? Or must it be broken out and clearly visible?

    This disclosure is usually already present – it is just on page 186 of 200 in the EULA, with a generic “I agree” acknowledgement of the terms.

  10. I deeded you my firstborn son !?
    @Ryan “This disclosure is usually already present – it is just on page 186 of 200 in the EULA, with a generic “I agree” acknowledgement of the terms. ”

    Studies have shown that if everyone took the time to read every EULA in its entirety that the cost in lost time and productivity would be in the high BILLIONS. As this is unreasonable, the practice of companies burying all their ‘gotchas’ in the fine print should be revisited.

    It’s about time the end user took some of the ground back.

  11. Provision 10(5), subsections (c) and (d) would appear to target actions such as Sony retroactively removing Linux support from the PS3, and more recently, recalling some downloadable games for the Vita in which “jailbreak” exploits had been found. No wonder the ESAC is against them…

  12. AWJ – While that may be true, I don’t believe those sections will change anything. Sony does not hide what they are doing – again it is in the terms that you are agreeing to before you update.

    Even though Sony gets consent, the issue is Sony “blackmails” you into it by basically saying agree to these new terms, or else we will kick you off our network. And if you are not on the network, you can’t take advantage of several features such as watching netflix, playing online games, downloading new content etc.

    I don’t see in the bill that this blackmail is now illegal – which is the main issue.

  13. Jack Robinson says:

    Digital Democracy Is Already Dumpstered
    Whilst I find the labyrinthian convolutions of the Big Syndicate Content Owners, the New Rome North-muzzled CRTC’s Survival Mode toothless and ineffectual blatherings the trip-wired Time Bomb of Bilge C-11 certain to send a Red Bearded ol’ pirate like meself to the Brig… I can only do a Jack Benny (whad-duh-whazzit #!?) Slow Burn over the fact that, malevolent bar-coded miscreant that I am… both my laptop and custom-built PC have been rudely digital lock-drilled and codec-hijacked for the crime of attempting to share my paid-for stash o’ Billy Joel and da B-52s to a coupla In-Dire Straits sleeper cell Fellow Travellers…

  14. ….
    So what is RIM into that they don’t want us to know?

  15. Written consent is an excellent idea, it will discourage app developers from installing BS on our systems!!

  16. facebook fans says:

    facebook fans
    I am impressed with the blog writer. The author really needs an appreciation. Amazing work done by the author. Keep it up.
