The Standing Committee on Industry, Science and Technology is conducting a review of CASL, Canada’s anti-spam law. While the usual critics are out in full force, I had the opportunity to appear before the committee yesterday to explain why there is real harm, why CASL has helped solve the problem, and why claims that the law is overbroad are overstated. Of particular note was the discussion involving the significant decline in the number of major spamming organizations operating in Canada since the law took effect. Three years ago, Spamhaus’ Register of Known Spamming Organizations listed Canada as home to 7 of the top 100 spamming organizations worldwide (who are responsible for 80% of global spam). Canada’s presence on the ROKSO list has been dramatically reduced with only two Canadian-based organizations remaining on the list, suggesting that spam originating in Canada has experienced a significant decline. My full opening remarks are posted below.
Appearance before the House of Commons Standing Committee on Industry, Science and Technology, October 17, 2017
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I served as a member of the National Task Force on Spam and appeared before this committee in the development of CASL. As always, I appear in a personal capacity representing only my own views.
The hallmark of fraudulent spam – from get rich quick schemes to body part enlargement promises – is that it contains something that seems unlikely but people often still want to believe the claims. Over the last several years, we’ve experienced something similar with respect to anti-spam legislation, where the claims of doom just don’t add up.
A perfect example is the frequent suggestion that somehow the neighbourhood lemonade stand would be affected by CASL. Stop to think about this for a moment. Politicians may be an exception, but how many of us have the email addresses for all our neighbours? How many would think to find them and then email the neighbourhood about a lemonade stand? Like spam, it’s claim that takes a kernel of truth – the need for consent to send commercial messages – and then moves into the world of fantasy.
Yet longstanding scare tactics are not the way to assess legislation.
In my view, there are really three questions that lie at the heart of the assessment of the law: (1) Is there a harm or risk that needs to be addressed? (2) Does CASL help solve the problem – ie. does it work? (3) Even if the answers to 1 and 2 are yes, is the law overbroad or too onerous?
1. Is there a harm or risk to be addressed?
Absolutely. Let me point to three. First, malware, spyware, and phishing attempts have emerged as exceptionally important cyber-security issues and are caught squarely by CASL. Today, these efforts may be state sponsored or simply criminal. Consider the impact of the phishing attempts in the last U.S. election, which successfully gained access to thousands of emails at the Democratic National Committee and may have helped change the course of U.S. political history. Or the massive malware cases such as WannaCry that have affected millions, caused billions in damages and put hospital and banking systems at risk. We need effective laws to counter these threats and this is unquestionably part of CASL’s ambit.
Second, I think we all recognize the importance of e-commerce. The success of e-commerce depends on trust – trust that our information will be used appropriately and trust that online sellers will deliver what is promised. The concerns associated with fraudulent spam extend beyond just the losses that may occur from those messages. They also undermine the potential success of all e-commerce activities.
Third, the public is increasingly aware – and concerned with – their privacy and the use of their personal information. Our major trading partners – particularly the EU – have tried to address these concerns with tough new laws. CASL is a foundational part of the legislative response to the risks of misuse of our personal information. At its heart is the need for informed consent, a standard whose establishment is long overdue.
2. Does it work?
I should start by saying that I wish we had more data. The failure to collect extensive data is a serious mistake by officials, who should be working with the Spam Research Centre, Internet providers, email service providers, and law enforcement to generate data. The need for more data provides a reminder that the work of policy makers does not end just because the legislative process concludes.
There are, however, several studies and reports that provide valuable data on the effect of CASL. The committee has already heard about the 2015 Cloudmark study, which found significant declines in spam with 29% less email in Canadians’ in-boxes, and a 37% reduction in spam originating from Canada.
Further, one of the core concerns about Canada’s anti-spam framework before CASL was our inability to actively cooperate in global enforcement actions. The Task Force heard that without a comparable anti-spam law, Canada risked becoming a spam haven without the legal ability to assist partner countries in investigations and enforcement. CASL has unquestionably addressed this issue ensuring that Canada is no longer an island in the fight against spam. We now have international enforcement agreements with four countries and MOUs with 12 agencies in 8 countries.
Perhaps the most telling is the ROKSO list – the Register of Known Spamming Organizations maintained by an organization known as Spamhaus. The ROKSO list identifies the top 100 spamming organizations, who are responsible for 80% of spam worldwide. The existence of the list came as a surprise to me and many other Spam Task Force members as it confirmed that we know where the spammers are. Further, we learned that Canada was a notable home for spammers. In fact, when CASL took effect in 2014, Canada was home to a disproportionate number of spamming organizations with 7 of the 100 located in Canada. Today, after three years of CASL, there are only 2 left. There may be several factors behind the decline in the number of top spamming organizations in Canada, but the existence of a tough anti-spam law with real penalties is surely one of them.
So there is data that confirms CASL’s effectiveness. In this regard, it should be emphasized that the goal of the law was never to eliminate all spam from our inboxes. No law can do that just as no technology can eliminate spam nor fully protect us from malware, spyware, and phishing. Rather, the goal was to reduce spam that originates in Canada with the hope that other countries will also do their part. In that regard, the law has been a success.
3. Is it too onerous or overbroad?
The CASL complaints have always struck me as a bit odd. The complaints typically focus on the many exceptions in the law with claims that they are too narrow or restrictive. I think that the real narrowness has come from interpretations of the law. Consider the issue of charities. The ISED Minister Navdeep Bains stated the following when announcing the decision to delay the Private Right of Action:
Canadian businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation.
But the regulations state:
Section 6 of the Act does not apply to a commercial electronic message that is sent by or on behalf of a registered charity as defined in subsection 248(1) of the Income Tax Act and the message has as its primary purpose raising funds for the charity
In other words, charities already enjoy a broad exemption under the law.
Similarly, the committee heard about a supposed need for a business-to-business exception. Yet the law already states the following:
This section does not apply to a commercial electronic message that is sent to a person who is engaged in a commercial activity and consists solely of an inquiry or application related to that activity;
In other words, the law already exempts legitimate business-to-business commercial electronic messages.
But even this focus on exceptions is misplaced. Businesses rely on exceptions where they do not want to comply with the foundational obligation in the law. Consent. The law is clear: if you get informed consent from Canadians, there is no need to rely on exceptions. When you hear complaints about narrow exceptions or calls for more, understand that the complaint is fundamentally about being able to use personal information without informed consent by leveraging an exception.
That is bad policy and bad for privacy.
To conclude, these remarks are not meant to suggest that we can’t do better. We need better data, we need more awareness of the Spam Research Centre, we need agencies to engage more directly with businesses about the true requirements under the law, and we need better enforcement, including the private right action.
But what we also need is a strong anti-spam law with real penalties based on informed consent to deal with a very real threat. That law is CASL.
I look forward to your questions.