The CRTC has finalized its anti-spam regulations, retaining some notable new disclosure requirements for some software installations. The requirements were opposed by the Entertainment Software Association of Canada and Research in Motion, who both asked for the requirements to be either dropped or significantly changed. The regulation requires:
A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought separately from any other information provided in a request for consent and the person seeking consent must obtain an acknowledgement in writing from the person from whom consent is being sought that they understand and agree that the program performs the specified functions.
The functions listed in 10(5) of the Act are:
(a) collecting personal information stored on the computer system;
(b) interfering with the owner’s or an authorized user’s control of the computer system;
(c) changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
(d) changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
(e) causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;
(f) installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system; and
(g) performing any other function specified in the regulations.
While this is obviously designed first and foremost at spyware, it targets many other possibilities including the infamous Sony rootkit case and other attempts by software or app developers to unexpectedly collect personal information or interfere with a user’s computer. It could also have an impact on some digital rights management systems, raising interesting questions about the interaction between these requirements and the digital lock rules in Bill C-11.
The ESAC objected, recommending:
section 5 be removed and replaced with a general requirement that material elements that perform the specified functions be brought to the attention of the user “clearly and prominently”. Both the separate consent requests and enhanced disclosure, along with the requirement to obtain a written acknowledgement, will create significant problems, generate unnecessary paperwork and result in further disruptions of the user experience.
Similarly, RIM stated:
We recommend that this section be removed or modified to read as follows:
5. A computer program’s material elements that perform one or more of the functions listed in subsection 10(5) of the Act must be brought to the attention of the person from whom consent is being sought in a clear and prominent manner.
The CRTC rejected the recommendations from ESAC and RIM, concluding:
With respect to parties’ submissions that the requirements contemplated by section 5 of the draft regulations are excessive, unclear, and not practicable, the Commission is of the view that the invasive nature of the computer programs in question warrant the requirement to identify the material elements of the computer programs separately from the request for consent and to seek written acknowledgement of the programs’ functions. Accordingly, the Commission is not persuaded that it would be appropriate to amend the requirement contemplated in section 5 of the proposed Regulations.
The regulations do not take effect until the entire anti-spam law is operational. Industry Canada has yet to release its revised regulations, which may spark another round of consultations and further delays.