It’s funny how inured we’ve become to spam, the bane of our digital lives, in less than a generation.
We’ve learned to be on guard not just for the equivalent of the junk that clogs our front-door snail-mailbox but also for cunningly disguised malware, akin to getting a envelope full of anthrax through the mail slot each day.
It’s taken almost a decade for government to implement legislation designed to reduce it at least a little, but even the enforcers say it’s still up to us to police our own computers, smartphones and other vulnerable devices.
Canadian anti-spam legislation (CASL) came into effect last July, two years after it passed Parliament, which was preceded by nine years of work. The two-year gap gave the Canadian Radio-television and Telecommunications Commission (CRTC) time to prepare for its new role as an Internet cop and for businesses using the web to figure out how to comply.
So far the CRTC has concluded only two investigations, both announced in March. Compu-Finder, a Quebec firm, was fined $1.1 million for email spams pitching its training courses. The unsubscribe link in the emails apparently didn’t do anything.
The CRTC said Compu-Finder accounted for a quarter of the 250,000 complaints its spam reporting centre received since beginning operation last summer. Compu-Finder, which did not respond to Yahoo Canada News’ request for comment, has until April 5 to challenge the penalty.
Then in late March, the CRTC announced a settlement with Plentyoffish Media Inc., the popular Vancouver-based dating site, to pay a $48,000 fine – much lower because the company moved quickly to bring itself into compliance, Lynne Perrault, the CRTC’s director of electronic commerce enforcement, said in an interview.
Other complaints are being investigated but Perrault wouldn’t say how many or what type.
Given the scope of the spam problem, Perrault’s team is relatively small; between 20 and 25 staff members throughout the CRTC doing enforcement, providing legal resources and support services. Not all are in place yet, she said.
“That’s why it’s so important for us to prioritize our cases and ensure we effect the greatest impact, if you will, compliance impact in the market place,” said Perrault, adding she doesn’t expect reinforcements.
Anti-spam provisions phased in over three years
CASL’s implementation has been phased. Most of the requirements, such as marketers ensuring they have opt-in permission to send you emails, took effect last summer.
Last January, provisions covering the unauthorized installation of software on your device (like malware) came into force, adding to the scope of the CRTC’s duties.
And in July 2017, the section allowing you to sue someone for damages connected with spam or malware takes effect. But that part, known as the private right of action, is not the CRTC’s department.
“It is literally there for those who think they’ve been victimized as a result of violations that are accounted for under CASL,” said Perreault. “They can bring their class-action suit or their individual suit.”
So, is it too early to say how well the legislation is working? Probably. For one thing, the CRTC hasn’t yet established baselines to measure success, Perrault said. In any case, the law was never intended to eliminate all spam, she said.
“We’re hoping to deter the most damaging and deceptive e-messaging, malware, proliferation, etc.,” she said.
Cutting out all spam, however welcome that that might be, is a tall order since the lion’s share comes from other countries.
“I don’t think spam is a problem that can be addressed by going after Canadian businesses,” said lawyer Ryan Black, who co-wrote with Andrew Aguilar a guidebook on CASL. “We all know spam comes from a whole bunch of places outside of Canada.”
Black, who practices information technology law with McMillan LLP in Vancouver, told Yahoo Canada News that Canada once had a spammy reputation, even making Kaspersky Lab’s top 20 list in 2013.
But since then it’s dropped firmly into the report’s “other category.” Kaspersky’s report for last year had the U.S. as the top source of spam, at almost 17 per cent, with Russia and China, 2013 leader, trailing well behind at 5.93 and 5.53 per cent.
“Canada isn’t really a large-scale spammer,” said Black, who’s not optimistic the CRTC can suppress foreign-sourced spam.
“I don’t know if you can legislatively address a problem that originates from a place where they don’t care about Canada’s laws,” he said.
CRTC works with foreign regulators to combat non-Canadian spam
Perrault said CASL allows the CRTC to share information and co-operate with foreign agencies.
With help from U.S. regulators, the agency has had success extracting monetary penalties from U.S.-based telemarketers under legislation similar to the new anti-spam law, David Elder, a communications lawyer with Ottawa’s Stikeman Elliott, said via email.
“The issue is more one of enforcement,” he said. “If the perpetrator has no physical presence or assets in Canada, the CRTC has to rely on the co-operation of its foreign counterparts.
“The CRTC has been hard at work in this regard, forming partnerships with spam regulators around the world.
Black said he hasn’t noticed a drop in his personal spam emails since the law came into effect.
“On the other hand it did encourage me when the law came out to go through my email and start unsubscribing from things or being a little bit more careful about what email address I use when I sign up for things,” he said.
If nothing else, the law has caused legitimate businesses to re-evaluate their marketing, said Black. They’re moving away from mass-email blasts to more targeted messages based on more precise customer profiles.
Kaspersky’s 2014 report bears that out, noting the worldwide percentage of spam-containing email traffic fell to 66.76 per cent last year, down, 2.84 percentage points from 2013, reflecting a steady decline since the peak of 85.2 per cent in 2009. Purveyors of legal goods and services are abandoning email in favour of more effective legal advertising platforms, the report said.
If that includes mobile texting and social media, it will also be covered by CASL, Perreault pointed out. Among the top recommendations of the 2004 task force report that lead to the law was the need to ensure it was “nimble” enough to respond to changing threats in cyberspace, she said.
“The legislation was drafted to be technology neutral,” she said. “The language is in fact geared towards the evolution of this space.”
There have been hiccups, Black said. Some businesses still aren’t clear on how the law effects them.
“If you try to read it, there’s vagueness in some place,” he said. “It’s not entirely clear in some cases what you can and can’t do.”
Microsoft victim of uncertainty over anti-spam law’s impact
On the eve of the CASL’s July 1 implementation, for instance, Microsoft briefly stopped issuing security notices about upcoming patches, worried they’d be hit with spamming complaints.
“They very quickly learned that the law has a path to allow you to do that,” Black recalled. “But their initial gut reaction was we don’t want to send this very valuable message.”
Perreault said the CRTC and other federal institutions have provided a wealth of guidance information through various channels, including cross-country tours and meetings with business sectors.
“The legislation has a number of different levels of nuances and complexities, there’s no doubt,” she conceded.
“There’s always going to be some who may need some extra assistance and we always encourage them to provide those questions so we can draft new guidance material to help clarify.”
Ultimately, said Perreault, the way the way CASL is enforced and precedents that are set will provide the clarity for business.
Another question that remains is what impact the private right of action will have after it takes effect in two years. While the CRTC has been “triaging” complaint investigations, will the courts be inundated with suits filed by aggrieved spam recipients?
Elder said he isn’t sure spam suits will clog the courts but expects a wave of class-actions grounded on CASL’s provision for minimum $200 statutory damages (where the plaintiff doesn’t have to prove actual harm as long as the judge finds a CASL violation). Damages can range up to $1 million a day for each violation, though Elder said awards likely will be much lower.
“I think the main beneficiaries of such lawsuits will be the class action lawyers bringing such suits,” said Elder. “Very little will trickle through to aggrieved consumers.”
The right to sue was originally included to allow Internet service providers and similar groups to recover the costs of added network bandwidth and filtering software spam traffic necessitates, he said. Fair enough, said Elder, but consumers are well protected by the substantial penalties the CRTC can impose.
What does seem certain is, regardless of CASL, the person at the keyboard remains the first line of defence for all his or her web-linked devices.
Technology, regulation and changes to marketing strategy may diminish the amount of commercial spam we get but malicious spam will keep coming, if not in email then via text or social media.
“The Internet’s a very wild and dangerous place sometimes,” said Black. “You also have to bear in mind that there is just risk in conducting activities online and there is virtually no way to eliminate that.”
Perreault echoed Black’s advice to keep anti-virus and spam-filtering software up to date to block dodgy communications and forward spam to the CRTC’s reporting centre at firstname.lastname@example.org. A lot of consumer-oriented information is available at fightspam.gc.ca, she said.
Perrault is buoyed by the volume or reports the centre has received so far.
“This tells us Canadians have faith,” she said.