Canadian Government Quietly Pursuing New ISP Code of Conduct

With the cost of cybercrime in Canada on the rise – a new report released last week by Symantec, a security software vendor, pegged the cost at $3.1 billion annually – my weekly technology law column (Toronto Star version, homepage version) reports that the Canadian government is quietly working behind the scenes to create a new Internet service provider code of conduct. If approved, the code would technically be voluntary for Canadian ISPs, but the active involvement of government officials suggests that most large providers would feel pressured to participate.

The move toward an ISP code of conduct would likely form part of a two-pronged strategy to combat malicious software that can lead to cybercrime, identity theft, and other harms. First, the long-delayed anti-spam legislation features new disclosure requirements for the installation of software along with tough penalties for non-compliance. Recent comments from Industry Minister James Moore suggest that the government is ready to bring that law into effect. Second, the code of conduct would require participants to provide consumers with assistance should their computers become infected.

The proposed code, which is modeled on a similar Australian initiative dubbed the iCode, has been placed on a policy fast-track, with officials hoping to create a final version by the end of the year. The Australian version features a standardized notification system that requires ISPs to alert customers that their computer or electronic device may be compromised by malicious software (often referred to as botnets). The notification may include sending the customer to an information webpage advising them of the threat and the steps needed to address the problem. Repeated notifications may result in the customer having their Internet access suspended.

The Australian iCode also involves the creation of a comprehensive resource for ISPs on new cybersecurity threats and a reporting mechanism from ISPs to a centralized agency that gathers threat information. The approach has garnered support from other countries. South Africa adopted the iCode last year, while both Japan and Germany have implemented similar programs.

Yet not everyone is convinced that the iCode system actually works. When the U.S. began considering the Australian system in 2011, experts questioned its effectiveness. For example, the SANS Institute looked at the Australian results and concluded that the reduction in botnets was “insignificant.” Moreover, Symantec highlighted the danger of fraudulent notifications, arguing that they could “aggravate the problem rather than alleviate it.”

Notwithstanding the concerns, the Canadian government appears convinced that an ISP code of conduct is long overdue. According to government documents, Industry Canada quietly gathered the major Canadian ISPs in late July to present the concept of an industry code and the experience in other countries. The presentation noted that unlike current Canadian initiatives that do not include direct consumer support, the proposed code would require consumer assistance in addition to the creation of education programs, information sharing, and reporting requirements.

Last month, stakeholders were brought back for a follow-up meeting where government officials presented an ambitious timeline that envisions final approval on the code within the next three months.

One way to speed up the process appears to be the exclusion of any public participation. The government timeline offers several opportunities for ISPs and other stakeholders it has identified to comment on the draft code, but does not feature any public consultations or opportunities for feedback.

Despite the active government involvement, officials have worked hard to emphasize that the code would be voluntary, claiming that the approach will demonstrate industry consensus and that “the regime is not being imposed on the sector by the government.” However, with the public excluded from the process and industry fears that the code could gradually expand into other issues, the rushed effort for a Canadian ISP code of conduct may need to slow down and give way to a more open, inclusive and transparent initiative.


  1. These systems for malware required to be installed are dual use tech. I have sources within the security industry in Canada working on the hardware and software. I haven’t been given any documentation, but these systems set up to detect malware and malicious software have the ability to detect and learn patterns, and profile network data. They will be basically monitoring all data throughout the networks. This technology can potentially monitor and store all digital communications from end users.

  2. “Fast track…..”
    …. to failure.

    Trying to rush everything results in a system that doesn’t work. Don’t the Cons know this by now?

  3. drivebyCommentor says:

    Symantec has a bias & excluding the public means there is something they don’t want to tell us….
    Most big security firms greatly inflate the numbers for online fraud to help ‘hard sell’ more security software and if the Government wants to exclude the public it is because there is some kind of back room deal that we are not supposed to know about.

    Of course this is just my opinion after watching Antivirus firms grow up under Wall Street guidance. And as for the Government history and the daily paper (and that Snowden fellow) have taught us how far they can be trusted.

  4. @drivebyCommentor
    In my time as a private tech consultant 98% of my calls for support were based on malware and spyware infections. In fact Snowden hinted at this in an online Q+A with respect to the ends of the networks are not at all secure, and that’s also how the NSA gains access, through malware. Malware and spyware is a HUGE problem and security risk right now on the networks. Basically what this will do is take antivirus and hard code it at the beginning of the networks and cut off infected machines. It’s needed on a national security level to tighten up our network infrastructure because companies like Symantec are not keeping up with the pace. Technology and software has greatly improved on this since the Australians put this into place, and it should be Canadian security companies providing that hardware/software here to the ISPs.

    What I don’t agree with, is that like any security software/hardware it records all data going through it so it can learn about new threats. That can be turned into a system that can also be used to monitor all your data going to and from your machine and store it. There needs to be public oversight on these dual use systems.

  5. @drivebyCommentor
    Also from the information I have most ISPs already have this installed. Tax payers are fronting the bill for it. Want any telecom provider (including indie) to co-operate, throw money at them.

  6. Why didn’t they direct the CRTC to do this, by way of public consultation? Isn’t that kind of the whole point of the CRTC?

  7. Austin Williamson says:

    Let’s blame the users, not the providers
    Imagine if gas stations were forced to repair your bloody flats, or your blown transmission. That’s roughly analogous, and still as ridiculous.

    The government has no experience in the technical sector, and as we’ve seen from other countries, these systems will not perform the intended operations. Instead, they’ll just serve as very effective, NSA-like internet traffic siphoning tools. The best part? CSIS won’t even have to do the legwork!

    You want people not to get viruses? Give them an OS that’s secure… or an education.