Almost four years after a national task force tabled its recommendations for attacking spam, Ottawa has introduced legislation it claims will protect consumers and businesses from the most dangerous and damaging forms of malware.
However, an industry analyst doubts the law on its own will have much effect.
The Electronic Commerce Protection Act, tabled in Parliament on Friday morning, would give the Canadian Radio-Television and Telecommunications Commission (CRTC), which regulates Internet and wireless providers, and the federal Competition Bureau the right to charge Canadian-based senders of malware with breaking the law. Offenders would face up to $10 million in fines for an organization or $1 million for an individual. System builders will also be forbidden from installing a computer program on a computer for sale that would send an electronic message without the consent of the owner or user.
Section 8 of the new law covers system builders and software builders or ISVs. The section reads:
“No person shall, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system, or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person has obtained the express consent of the owner or an authorized user of a computer system.”
The two departments and the federal Privacy Commissioner will be given the power to share information and evidence with their counterparts in other countries to help enforce similar laws internationally.
The proposed act also would give businesses and consumers the right to sue Canadian-based senders of malware.
Canada is one of the few developed nations not to have some sort of anti-malware legislation, so the move is bound to be welcomed. However, the legislation is 68 pages long, so some Internet providers and experts weren’t willing to give detailed opinions Friday until they had gone through it.
The goal is to “boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit Web sites and spyware,” the government said in a press release. “Our government knows how damaging spam can be to Canadians and Canadian businesses and that is why we are cracking down on Internet fraud and other forms of malicious activities,” said Industry minister Tom Clement.
An Industry Canada official who spoke on a not-for-attribution basis stressed that there’s a sizable domestic malware business to go after. “One of the big problems we have is that there are a lot of spammers operating in Canada that are sending spam overseas,” he said, “so it’s working in both directions: We are getting foreign spam but also there’s a problem of our exporting spam.”
“Spam’s a real challenge because a lot of it comes from offshore,” acknowledged Shawn Hall, a spokesman for Telus, one of the biggest Internet providers in the country. “It’s going to take a unified effort to fight spam.”
However, he added, “we’re pleased with the legislation that’s been tabled today … it provides a legal framework to stop Canadian-based spammers from bombarding Canadians with unsolicited messages and potentially dangerous malware.”
If passed, the legislation will add another tool on top of the anti-spam efforts of Canadian service providers, police in this country and international law enforcement agencies, Hall said.
However, David Senf, a security analyst with IDC Canada, doubts the law will have much effect. “It is, I’m sorry to say, not going to make a dent in the amount of trash entering your inbox,” Senf wrote in an e-mail interview. “This is because a global response is required – and one is not forthcoming.
“The problem is much larger than legislation. We need enforcement. We need China and Russia to step up too. Spammers need to feel real monetary pain. Schemes have been hatched before such as charging everyone micro-pennies per e-mail sent. For the average person, that’s a pittance. For a spammer that puts them out of business. Better authentication such as through CAPTCHAs [a challenge-response test aimed at blocking spam, such as having a person type a randomly-generated series of letters and numbers on a screen] have been proposed as well. But in either case – and for other schemes too – there is some cost in time or money to the average user which will never fly.
“The Internet wasn’t designed with security in mind,” Senf added. “Spam proves that. There is no silver bullet. But there is anti-spam software. Expect to renew your subscription for some time to come …”
One of those on the task force on spam four years ago that urged Ottawa to act was Tom Copeland, who runs a southern Ontario Internet provider and is also chair of the Canadian Association of Internet Providers (CAIP), which represents ISPs across the country.
Today he said his association is pleased with the legislation, although he hadn’t read it all the way through. But he said that, to his understanding, the government has adopted most of the task force recommendations.
Briefly, the way the government wants to attack spam is:
By declaring that no one [in Canada] can send or cause to be sent a commercial message to an electronic address unless the receiver has consented. A commercial message is defined as one whose content or hyperlinks includes offers to sell, barter or lease goods and products, or promotes a person who offers to sell things.
The message has to identify who sent it or on whose behalf it was sent, with contact information valid for 60 days;
It also has to have an unsubscribe mechanism to enable message recipients to say they don’t want to receive any commercial messages from that sender;
There is an exception for commercial messages relating to product or job inquiries;
Altering the destination of a message is forbidden, except for service providers who do it for the purpose of network management.
To attack spyware, the legislation forbids installing an application on another person’s computer that sends an electronic message without consent.
In terms of jurisdiction, the CRTC would charge those who threaten the integrity of public networks, such as authors of denial of service attacks. The Competition Bureau would charge those who make misleading representations, such as e-mail that includes fake Web sites of banks or pushing phony products.
“It certainly has the capacity to have some impact given the fines that we’re talking about,” said Canadian security specialist James Quin of Info-Tech Research. The law covers not only malware that originates in Canada but also malware that terminates here, which covers material sent from outside the country but routed through a computer based here.
“It’s also noting provisions that target ISPs and telecommunications providers, who have to provide records or they can be fined as well, which is also a worthwhile inclusion because it makes it easier for enforcing the law. Now you can grab the records and see where the spam is coming from.”
Michael Geist, a University of Ottawa privacy law professor who was also on the 2005 task force, said the law’s effectiveness depends on what Internet users want. “If the expectation is that anti spam legislation is going to clear their inbox of spam, I think most people are going to be disappointed,” he said in an interview. “The goal of the legislation ought to be Canadian-based spammers. And while that won’t eliminate all the spam from Canadian inboxes, or even most of it, it will ensure Canada doesn’t become a spam haven.”
That goal is realistic, he said. “There’s no single government that can eradicate spam. Anyone who thinks otherwise hasn’t been paying attention to the experience of country after country that has introduced this legislation, sometimes with some effect, sometimes with no effect at all. But what we have seen take place in Canada over the last couple of years is that we have become one of the few developed countries in the world with no anti-spam legislation, and that has had an impact with rankings listing Canada as a source of spam, and that was only going to get bigger as spammers moved out of jurisdictions with tough penalties for spamming and looking for a place to set up without fear of significant repercussions.”
“If I have a concern it’s probably on the enforcement side of things. I think the penalties are significant, and we’ve seen in other countries, notably Australia, that big penalties are needed. That’s what creates the disincentives to spamming, and we’ve got that in this law. But we’ve placed a lot of responsibility at the feet of the CRTC and frankly, if one looks at the CRTC’s enforcement of the [telephone] Do Not Call list to date, I’m not sure that inspires much confidence.”
As for the time it took to get Ottawa to act, Geist said “it’s hard to believe that it took four years for what seemed like a slam-dunk. It’s sometimes hard to understand why politicians from both sides of the aisle were so reticent to move forward with this legislation.” He credits Clement with acting where others didn’t.