Appeared in the Toronto Star on October 5, 2013 as Ottawa Pushing ISP Code of Conduct
With the cost of cybercrime in Canada on the rise - a new report
released last week by Symantec, a security software vendor, pegged the
cost at $3.1 billion annually - the Canadian government is quietly
working behind the scenes to create a new Internet service provider code
of conduct. If approved, the code would technically be voluntary for
Canadian ISPs, but the active involvement of government officials
suggests that most large providers would feel pressured to participate.
The move toward an ISP code of conduct would likely form part of a
two-pronged strategy to combat malicious software that can lead to
cybercrime, identity theft, and other harms. First, the long-delayed
anti-spam legislation features new disclosure requirements for the
installation of software along with tough penalties for non-compliance.
Recent comments from Industry Minister James Moore suggest that the
government is ready to bring that law into effect. Second, the code of
conduct would require participants to provide consumers with assistance
should their computers become infected.
The proposed code, which is modeled on a similar Australian initiative
dubbed the iCode, has been placed on a policy fast-track, with officials
hoping to create a final version by the end of the year. The Australian
version features a standardized notification system that requires ISPs
to alert customers that their computer or electronic device may be
compromised by malicious software (often referred to as botnets). The
notification may include sending the customer to an information webpage
advising them of the threat and the steps needed to address the problem.
Repeated notifications may result in the customer having their Internet
The Australian iCode also involves the creation of a comprehensive
resource for ISPs on new cybersecurity threats and a reporting mechanism
from ISPs to a centralized agency that gathers threat information. The
approach has garnered support from other countries. South Africa adopted
the iCode last year, while both Japan and Germany have implemented
Yet not everyone is convinced that the iCode system actually works. When
the U.S. began considering the Australian system in 2011, experts
questioned its effectiveness. For example, the SANS Institute looked at
the Australian results and concluded that the reduction in botnets was
"insignificant." Moreover, Symantec highlighted the danger of fraudulent
notifications, arguing that they could "aggravate the problem rather
than alleviate it."
Notwithstanding the concerns, the Canadian government appears convinced
that an ISP code of conduct is long overdue. According to government
documents, Industry Canada quietly gathered the major Canadian ISPs in
late July to present the concept of an industry code and the experience
in other countries. The presentation noted that unlike current Canadian
initiatives that do not include direct consumer support, the proposed
code would require consumer assistance in addition to the creation of
education programs, information sharing, and reporting requirements.
Last month, stakeholders were brought back for a follow-up meeting where
government officials presented an ambitious timeline that envisions
final approval on the code within the next three months.
One way to speed up the process appears to be the exclusion of any
public participation. The government timeline offers several
opportunities for ISPs and other stakeholders it has identified to
comment on the draft code, but does not feature any public consultations
or opportunities for feedback.
Despite the active government involvement, officials have worked hard to
emphasize that the code would be voluntary, claiming that the approach
will demonstrate industry consensus and that "the regime is not being
imposed on the sector by the government." However, with the public
excluded from the process and industry fears that the code could
gradually expand into other issues, the rushed effort for a Canadian ISP
code of conduct may need to slow down and give way to a more open,
inclusive and transparent initiative.
Michael Geist holds the Canada Research Chair in Internet and
E-commerce Law at the University of Ottawa, Faculty of Law. He can be
reached at firstname.lastname@example.org or online at www.michaelgeist.ca.
Tuesday October 08, 2013
On the same day that revelations
about CSEC spying on the Brazilian government for economic purposes
generated headlines around the world, the Canadian government rejected
the proposed acquisition of MTS Allstream's Allstream division by
Accelero Capital Holdings, a company co-founded by Naguib Sawiris, an
Egyptian billionaire who first captured Canadian telecom attention by
backing the entry of Wind Mobile. Industry Minister James Moore indicated
that the rejection of the proposed deal involved the national security
provisions of the Investment Canada Act. Both companies expressed
disappointment with the decision, as MTS Allstream noted its surprise and disappointment and Accelero described it as an "unfounded and unexpected decision."
While the decision sends a disturbing signal about the government's
willingness to block foreign investment just months after indicating
that it was open to such investment, it is worth noting that the change
in telecom foreign investment policy was publicly opposed by Public
Safety Canada. In 2011, Public Safety responded to Industry Canada
questions about changes to the foreign investment restrictions with the following:
It is important to fully appreciate the scope of the potential impact
of reducing or removing restrictions on foreign investment in Canada's
telecommunications sector. The lessening of current restrictions could
create new, and increase existing vulnerabilities in our
telecommunications networks, further exposing them and the users and
services that rely on them, to an increased threat of cyber espionage
and denial of service attacks. It could also impede law enforcement and
national security investigations by further challenging the ability of
authorities to execute judicially authorized warrants to intercept
telecommunications. As options are considered to maximize Canada's
competitiveness in the telecommunications sector, Public Safety
officials will work with Industry Canada to further develop options to
help ensure that any change to the telecommunications market will be
accompanied by necessary security safeguards.
When the Public Safety submission first came to light last year, the
potential application of the national security provisions in the
Investment Canada Act was discussed.
In light of the MTS Allstream decision, it would seem that Public
Safety may have lost the battle to retain foreign investment
restrictions, but has won the war to keep out many potential
competitors.
Tuesday October 08, 2013