Canada’s new anti-spam legislation (CASL) marks a huge shift from previous government efforts to deal with spam and that is a good thing, according to industry experts. But while they are optimistic about new powers granted to authorities under CAL, privacy and security analysts believe a spam reporting centre (SRC) dubbed “The Freezer” wouldn’t be much of a threat to spammers.
What began as Bill C-28, CASL covers substantially more ground than previous anti-spam legislation this country has and is even more comprehensive that the United State’s CAN-SPAM Act of 2003, according to John Lawford, counsel for the Ottawa-based Public Interest Advocacy Group. For instance, CAN-SPAM is business-centric, it allows marketers to e-mail almost anyone at least once unless the recipient unsubscribes. It does not require “express consent” from the recipient. By contrast, CASL compels businesses to obtain express consent from recipients and requires businesses to provide an opt-out mechanism for people who do not want to receive further messages from them.
The Freezer gets a cold shoulder
Both Lawford and Claudiu Popa, principal of security consultancy firm Informatica Corp., however, agree that the spam reporting centre (SRC) or Freezer being planned by the government is mostly about media hype.
The government recently put out an invitation for businesses to bid on a $700,000 project that will enable people to report spam to authorities. The Freezer will be staffed by employees who will evaluate the complaints. The gathered data will also be used as evidence in case of legal proceedings against the alleged offender, according to Stéfanie Power, representative of Industry Canada.
The data will be shared among the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada. These are the three government bodies that will work together to enforce CASL. The Competition Bureau is a law enforcement agency under Industry Canada.
“This is just window dressing, a total distraction from the main issue,” Lawford said of The Freezer.
Lawford doubts if much of the data received by the SRC will be used for prosecution purposes. “At best, if the SRC is implemented properly, the data can be used for research purposes.”
For example, he said, information collected by the SRC can be used to established spam trends such as how what vectors spammers are gravitating towards. ”Let’s hope this is what they do with the SRC and that it doesn’t end up as a boondoggle,” said Lawford.
Popa of Informatica says the SRC is a useless duplication of anti-spam efforts. “The browsers are already doing a good job of filtering spam. The spam we receive on our inbox represents a small number that get past the filter.”
Asking people to transmit this spam message one more time to the SRC only ads to additional Internet traffic and becomes a burden that will tie down researchers in the facility from accomplishing anything substantial, he said. “This simply adds another step to the process and ironically enables spam to be transmitted over the Internet one more time.”
“A better way of dealing with spam is to educate marketers about what consent means and to make it compelling for them to follow Internet rules and respect people’s rights,” said Popa.
“Most of the servers generating spam are outside the government’s jurisdiction, how can this bill be effective against companies based outside Canada?” asked Popa.
Bradley Freedman, technology law specialist at the Toronto-based law firm Borden Ladner Gervais LLP said the bill has two provisions that make it exceptional. “One is that Bill C-28 allows individuals who have appropriate intent to commence a civil lawsuit against a party for breach of the law. This could include class action lawsuits.”
On the other hand, the bill also has a self-reporting component. This provision, modelled after a similar contained in the U.S. CAN-SPAM Act, allows individuals or businesses that have inadvertently breached the anti-spam law to report their actions to the appropriate enforcement authority, said Freedman. “If they confess they have breached the law and correct their practices there will be no issuance of violation and this will preclude civil action.”
Lawford said the CASL might best be looked at as something similar to the do-not-call list. The registry of people who did not want to receive marketing calls had been called ineffective and costly in the beginning but years later has managed to curb unwanted marketing calls and has made people happy.
SRC not meant as enforcement tool
ITBusiness.ca contacted three government bodies involved in the SRC to get their view on the argument that the “The Freezer” would just be duplicating security measures already conducted by browsers and ISPs.
The CRTC was not able to provide an interview as of press time. Industry Canada sent an email response explaining that the SRC was not meant as an enforcement tool.
The SRC’s primary role is data collection and analysis, Industry Canada explains. When operational, the SRC will accept various types of unsolicited electronic messages forwarded by individuals and organizations in Canada. These will include, but not be limited to, spam, malware, spyware, SMS and false and misleading representations involving the use of any means of telecommunications.
“The SRC will not have any role in enforcement of the legislation other than collecting information and making it available to the three enforcement agencies as required for their own enforcement activities,” a spokesperson writes. “The centre will be responsible for identifying and analyzing trends in spam and other related threats to electronic commerce.”
Privacy amendments lack teeth, critics say
Basically, he said, all three bodies have access to the SRC’s database and will use the information they obtain to pursue their distinct mandate.
In the case of OPC, it has assembled a team comprised of investigators, technologists, policy analysts and in house legal counsel, said Hutchinson. The commission will focus on two types of violations:
* The collection of personal information through illicit access to other people’s computer systems; and
* Electronic address harvesting, where bulk e-mail lists are compiled through mechanisms that include the use of computer programs to automatically mine the Internet for addresses.
The CRTC will be responsible for investigations regarding the sending of unsolicited commercial electronic messages, the alteration of transmission data and the installation of software without consent.
The Competition Bureau will address false or misleading representations and deceptive marketing practices in the electronic marketplace.
“We are reviewing our existing investigative process in light of potential complaints under CASL, and collaborating closely with our colleagues at the CRTC, the Competition Bureau and Industry Canada to ensure everything from public education to enforcement will be handled in a coordinated manner,” he said.