Locky ransomware: payment by Christiaan Colen (CC BY-SA 2.0) https://flic.kr/p/SNGSzc

Locky ransomware: payment by Christiaan Colen (CC BY-SA 2.0) https://flic.kr/p/SNGSzc

Columns

Now More Than Ever, Canada Needs a Strong Anti-Spam Law

Canada’s anti-spam legislation has long been the law that Corporate Canada loves to hate. Months before it was slated to take effect in 2014, there were ominous warnings about how regulation would bring commercial e-mail to a screeching halt, banning everything from large-scale business marketing efforts to emails promoting a neighbourhood lemonade stand.

My regular Globe and Mail technology op-ed notes that nearly three years later, e-mail marketing is alive and well in Canada as many have adjusted to the tougher privacy standards that require informed consent prior to sending commercial electronic messages. Moreover, in a world where malware and ransomware have become serious cybersecurity threats touching millions of Internet users, the inclusion of antimalware provisions has proven prescient since they give authorities the legal tools to participate in global enforcement efforts.

Yet despite ample evidence that the law has had a positive impact – Cloudmark, a U.S.-based anti-spam company, found a noticeable decline in spam originating from Canada after the law took effect – the business community has engaged in a behind-the-scenes lobbying campaign to reverse some of its core provisions.

The top target has been a new private right of action that opens the door to lawsuits over harmful spam. The provision is scheduled to take effect on July 1, but groups have been urging the government to postpone its implementation. Officials have quietly consulted some stakeholders on the issue (I was contacted in my capacity as a law professor and former member of the National Task Force on Spam), but have not conducted a broader public consultation.

If the government caves to the lobbying pressure and delays the new rule, the move would signal a major shift in Canada’s approach to fighting spam and cybercrime. Recent reports have concluded that two-thirds of all email is spam and that as much as 10 per cent of global spam can be classified as malicious. Weakening the legal rules designed to combat spam would therefore be at odds with the country’s increasing emphasis on confronting cybercrime.

The law is only three years old, but it has already played a significant role in countering all forms of spam. There have been enforcement actions against anti-spam violations, including failures to obtain appropriate consent or respect rules governing opting-out of future email correspondence. Moreover, the law was used in 2015 to shut down a malware command and control centre in Toronto as authorities worked with law enforcement agencies from around the world to stop a malware network that affected more than a million computers.

While the business community fears a proliferation of lawsuits once the private right of action takes effect, the experience of other countries suggests that it will be used in limited circumstances. The law allows for private actions based on commercial emails sent without consent, alteration of transmission data that disguises the source of the email, and the surreptitious installation of malware or other computer programs.

The law could come in handy in combatting several serious harms, including instances of  ransomware victims paying the ransom fee and other frauds. For general business emails, the possibility of lawsuits may provide a helpful incentive to promote compliance.

Notwithstanding the fear mongering, compensation for spam violations is commonly available in many other countries. For example, private anti-spam lawsuits have been launched by large Internet providers for years in the United States with multi-million dollar judgments used to shut down known spamming operations. In fact, the National Task Force on Spam unanimously recommended implementing a private right of action in Canada.

Innovation, Science and Economic Development Minister Navdeep Bains has said little about the future of Canada’s anti-spam law. Given the ongoing proliferation of spam and the mounting concern over the dangers of malware, delaying the full implementation of Canadian law would represent a significant step backward at a time when other countries are prioritizing the fight against online harm.

6 Comments

  1. There are some legitimate fears, especially by older companies who would need legal advice to even know what spam is, but it’s insanely easy to implement.

    It takes 11 lines of pseudo-computer-language to explain in
    https://github.com/davecb/CASL

  2. Spoken like a true academic, unfortunately.

    The real spam problem hasn’t even been in the least affected, as the primary sources of the worst kind of spam are Africa, Asia and Russia. What has been affected is the ability of small- and medium-sized Canadian businesses to conduct honest and affordable marketing campaigns to an appropriate list of prospects who currently don’t know about their businesses. Like the U.S., all that is required is an opt-out if such an email mis-targets. If the opt-out is disregarded, then punitive action can be taken.

    I find CASL to be one of the most uninformed pieces of legislation that I have ever had the misfortune to be affected by. I have no doubt that those who crafted it never had to grow sales of a real business in their lives. They should try that first, then set down to figuring out how to balance privacy with fairness.

    • Devil's Advocate says:

      “What has been affected is the ability of small- and medium-sized Canadian businesses to conduct honest and affordable marketing campaigns to an appropriate list of prospects who currently don’t know about their businesses.”

      In other words, you think it’s okay to send marketing e-mail to people who don’t even know you. Hmmm, that doesn’t fit the very definition for “spam” at all, now does it?!

  3. Typo in the URL behind my name. Here corrected…

  4. Spam has always been a difficult problem to solve, not just Canada, China also need.

  5. Pingback: Monday Pick-Me-Up « Legal Sourcery