Text: Small Text  Normal Text  Large Text  Larger Text
  • Columns

Blog Archive

PrevPrevOctober 2013NextNext

Canadian Government Quietly Pursuing New ISP Code of Conduct

Appeared in the Toronto Star on October 5, 2013 as Ottawa Pushing ISP Code of Conduct

With the cost of cybercrime in Canada on the rise - a new report released last week by Symantec, a security software vendor, pegged the cost at $3.1 billion annually - the Canadian government is quietly working behind-the-scenes to create a new Internet service provider code of conduct. If approved, the code would be technically be voluntary for Canadian ISPs, but the active involvement of government officials suggests that most large providers would feel pressured to participate.

The move toward an ISP code of conduct would likely form part of a two-pronged strategy to combat malicious software that can lead to cybercrime, identity theft, and other harms. First, the long-delayed anti-spam legislation features new disclosure requirements for the installation of software along with tough penalties for non-compliance. Recent comments from Industry Minister James Moore suggest that the government is ready to bring that law into effect. Second, the code of conduct would require participants to provide consumers with assistance should their computers become infected.

The proposed code, which is modeled on a similar Australian initiative dubbed the iCode, has been placed on a policy fast-track, with officials hoping to create a final version by the end of the year. The Australian version features a standardized notification system that requires ISPs to alert customers that their computer or electronic device may be compromised by malicious software (often referred to as botnets). The notification may include sending the customer to an information webpage advising them of the threat and the steps needed to address the problem. Repeated notifications may result in the customer having their Internet access suspended.

The Australian iCode also involves the creation of a comprehensive resource for ISPs on new cybersecurity threats and a reporting mechanism from ISPs to a centralized agency that gathers threat information. The approach has garnered support from other countries. South Africa adopted the iCode last year, while both Japan and Germany have implemented similar programs.

Yet not everyone is convinced that the iCode system actually works. When the U.S. began considering the Australian system in 2011, experts questioned its effectiveness.  For example, the SANS Institute looked at the Australian results and concluded that the reduction in botnets was "insignificant." Moreover, Symantec highlighted the danger of fraudulent notifications, arguing that they could "aggravate the problem rather than alleviate it."

Notwithstanding the concerns, the Canadian government appears convinced that an ISP code of conduct is long overdue. According to government documents, Industry Canada quietly gathered the major Canadian ISPs in late July to present the concept of an industry code and the experience in other countries. The presentation noted that unlike current Canadian initiatives that do not include direct consumer support, the proposed code would require consumer assistance in addition to the creation of education programs, information sharing, and reporting requirements.

Last month, stakeholders were brought back for a follow-up meeting where government officials presented an ambitious timeline that envisions final approval on the code within the next three months.

One way to speed up the process appears to be the exclusion of any public participation. The government timeline offers several opportunities for ISPs and other stakeholders it has identified to comment on the draft code, but does not feature any public consultations or opportunities for feedback.

Despite the active government involvement, officials have worked hard to emphasize that the code would be voluntary, claiming that the approach will demonstrate industry consensus and that "the regime is not being imposed on the sector by the government." However, with the public excluded from the process and industry fears that the code could gradually expand into other issues, the rushed effort for a Canadian ISP code of conduct may need to slow down and give way to a more open, inclusive and transparent initiative.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

Share: Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterTagsShare

Public Safety Foreshadowed Rejection of MTS Allstream-Accelero With 2011 Foreign Investment Concerns

On the same day that revelations about CSEC spying on the Brazilian government for economic purposes generated headlines around the world, the Canadian government rejected the proposed acquisition of MTS Allstream's Allstream division by Accelero Capital Holdings, a company co-founded by Naguib Sawiris, an Egyptian billionaire who first captured Canadian telecom attention by backing the entry of Wind Mobile. Industry Minister James Moore indicated that the rejection of the proposed deal involved the national security provisions of the Investment Canada Act. Both companies expressed disappointment with the decision, as MTS Allstream noted its surprise and disappointment and Accelero described it as an "unfounded and unexpected decision."

While the decision sends a disturbing signal about the government's willingness to block foreign investment just months after indicating that it was open to such investment, it is worth noting that the change in telecom foreign investment policy was publicly opposed by the Public Safety Canada. In 2011, Public Safety responded to Industry Canada questions about changes to the foreign investment restrictions with the following:

It is important to fully appreciate the scope of the potential impact of reducing or removing restrictions on foreign investment in Canada's telecommunications sector. The lessening of current restrictions could create new, and increase existing vulnerabilities in our telecommunications networks, further exposing them and the users and services that rely on them, to an increased threat of cyber espionage and denial of service attacks. It could also impede law enforcement and national security investigations by further challenging the ability of authorities to execute judicially authorized warrants to intercept telecommunications. As options are considered to maximize Canada's competitiveness in the telecommunications sector, Public Safety officials will work with Industry Canada to further develop options to help ensure that any change to the telecommunications market will be accompanied by necessary security safeguards.

When the Public Safety submission first came to light last year, the potential application of the national security provisions in the Investment Canada Act was discussed. In light of the MTS Allstream decision, it would seem that Public Safety may have lost the battle to retain foreign investment restrictions, but has won the war to keep out many potential competitors.
Share: Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterTagsShare