Canada’s Bill C-28 is just what the country needs to keep spam-crazy companies in line but a $700,000 spam reporting centre may be nothing more than
Canada’s new anti-spam legislation marks a huge shift from previous government efforts to deal with spam and that is a good thing, according to industry experts. But while they are optimistic about new powers granted to authorities under Bill C-28, privacy and security analysts believe a spam reporting centre (SRC) dubbed “The Freezer” wouldn’t be much of a threat to spammers.
Bill C-28, also known as the Candian Anti-Spam Legislation (CASL) covers substantially more ground than previous anti-spam legislation this country has and is even more comprehensive that the United State’s Can-Spam Act of 2003, according to John Lawford, counsel for the Ottawa-based Public Interest Advocay Group.
For instance, Can Spam is business-centric, it allows marketers to e-mail almost anyone at least once unless the recipient unsubscribes. Can Spam does not require “express consent” from the recipient. By contrast, Bill C-28 compels businesses to obtain express consent from recipients and requires businesses to provide an opt out mechainism for people who do not want to receive further messages from them.
The Freezer gets a cold shoulder
Both Lawford and Claudiu Popa, principal of security consultancy firm Informatica Corp., however, agree that the spam reporting centre (SRC) or Freezer being planned by the government is mostly about media hype.
The government recently put out an invitation for businesses to bid on a $700,000 project that will enable people to report spam to authorities. The Freezer will be staffed by employees who will evaluate the complaints. The gathered data will also be used as evidence in case of legal proceedings against the alleged offender, according to Stéfanie Power, representative of Industry Canada.
The data will be shared among the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada. These are the three government bodies that will work togther to enforce the CASL. The Competition Bureau is a law enforcement agency under Industry Canada.
“This is just window dressing, a total distraction from the main issue,” Lawford said of the Freezer.
Lawford doubts if much of the data received by the SRC will be used for prosecution purposes. “At best, if the SRC is implemented properly, the data can be used for research purposes.”
For example, he said, information collected by the SRC can be used to established spam trends such as how what vectors spammers are gravitating towards. ”Let’s hope this is what they do with the SRC and that it doesn’t end up as a boondoggle,” said Lawford.
Popa of Informatica says the SRC is a useless duplication of anti-spam efforts. “The browsers are already doing a good job of filtering spam. The spam we receive on our inbox represents a small number that get past the filter.”
Asking people to transmit this spam message one more time to the SRC only ads to additional Internet traffic and becomes a burden that will tie down researchers in the facility from accomplishing anything substantial, he said. “This simply adds another step to the process and ironically enables spam to be transmitted over the Internet one more time.”
“A better way of dealing with spam is to educate marketers about what consent means and to make it compelling for them to follow Internet rules and respect people’s rights,” said Popa.
“Most of the servers generating spam are outside the government’s jurisdiction, How can this bill be effective against companies based outside Canada,” asked Popa.
Bradly Freedman, technology law specialist at the Toronto-based law firm Borden Ladner Gervais LLP, agrees. He said enforcement of the bill only applies to instances where the alleged perpetrators can be identified and are located in Canada. “From a practical perspective, if the alleged perpetrators are outside Canadian jurisdiction this law will not apply.”
Freedman said the bill has two provisions that make it exceptional. “One is that Bill C-28 allows individuals who have appropriate intent to commence a civil lawsuit against a party for breach of the law. This could include class action lawsuits.”
On the other hand, the bill also has a self-reporting component. This provision, modeled after a similar contained in the U.S. Can Spam Act, allows individuals or businesses that have inadvertently breached the anti-spam law to report their actions to the appropriate enforcement authority, said Freedman. “If they confess they have breached the law and correct their practices there will be no issuance of violation and this will preclude civil action.”
Lawford, however, countered arguments over spam jurisdiction saying “we can’t know majority of spam received in Canada, comes from outside the country.”
“In fact surveys indicate that Canada is among the top three or four sources of spam in the world,” he added. Lawford said the CASL might best be looked at as something similar to the do-not-call list. The registry of people who did not want to receive marketing calls had been called ineffective and costly in the beginning but years later has managed to curb unwanted marketing calls and has made people happy.
SRC not meant as enforcement tool
ITBusiness sought contacted three government bodies involved in the SRC to get their stand on the argument that the “The Freezer” would just be duplicating security measures conducted by browsers and ISPs.
The CRTC responded to our call but was not able to provide an interview as of press time. Industry Canada sent an emailed response explaining that the SRC was not meant as an enforcement tool.
The SRC’s primary role is data collection and analysis, Power of Industry Canada explains. When operational, the SRC will accept various types of unsolicited electronic messages forwarded by individuals and organizations in Canada. These will include, but not be limited to, spam, malware, spyware, SMS and false and misleading representations involving the use of any means of telecommunications.
“The SRC will not have any role in enforcement of the legislation other than collecting information and making it available to the three enforcement agencies as required for their own enforcement activities,” Power said.
“The centre will be responsible for identifying and analyzing trends in spam and other related threats to electronic commerce,” also she said.
While CASL received Royal Ascent in December last year, it appears that finer details of how the Competition Bureau, the OPC and CRTC will coordinate efforts to enforce the legislation and their respective use of the SRC are still being worked out.
“The RFP (request for proposal) for the centre just closed recently. We are still determining how process and coordination will work out in practice,” Scott Hutchinson, senior spokesperson for the OPC, said in a phone interview.
Basically, he said, all three bodies have access to the SRC’s database and will use the information they obtain to pursue their distinct mandate.
In the case of OPC, the commission will focus on two types of violations:
•The collection of personal information through illicit access to other people’s computer systems; and
•Electronic address harvesting, where bulk e-mail lists are compiled through mechanisms that include the use of computer programs to automatically mine the Internet for addresses.
The CRTC will be responsible for investigations regarding the sending of unsolicited commercial electronic messages, the alteration of transmission data and the installation of software without consent.
The Competition Bureau will address false or misleading representations and deceptive marketing practices in the electronic marketplace.
In preparation for the coming into force CASL and the activation of the SRC, the OPC has assembled a team comprised of investigators, technologists, policy analysts and in house legal counsel, said Hutchinson.
“We are reviewing our existing investigative process in light of potential complaints under CASL, and collaborating closely with our colleagues at the CRTC, the Competition Bureau and Industry Canada to ensure everything from public education to enforcement will be handled in a coordinated manner,” he said.