With Canada’s Anti-Spam Legislation (CASL) set to come into force on July 1, many companies have been hard at work overhauling the ways they send commercial emails and messages to their customers.
Yet while people are taking CASL seriously, there’s another component to it that hasn’t drawn as much attention – and that’s CASL’s decrees on computer software installations, said Michael Fekete, a privacy and IT lawyer at Osler, Hoskin and Harcourt LLP in Toronto at an event organized by IT World Canada.
Speaking from a workshop on CASL on Thursday, Fekete said CASL’s computer software regulations will set ground rules on installing programs on other people’s devices.
While CASL’s anti-spam regulations come into force in July, the ones on computer software will be enforceable starting Jan. 15, 2015. There will also be a three-year transition period following that date.
These computer software rules will apply to anyone who installs a computer program on another person’s computer system, as well as anyone who causes an electronic message to be sent from a computer system where he or she installed a computer program. A program is defined as any executable code, Fekete said.
The rule goes for anyone located in Canada, or for any computer system in Canada – for example, it applies to a person who is physically in Canada but is installing a program on someone’s computer in the U.S. It also applies to a person who is based in the U.S. but is installing something on a computer in Canada.
Plus, it applies to not just desktops, but to mobile devices – in a world where more and more devices are coming online and becoming connected to each other, these are “very broad, prescriptive rules,” Fekete said.
For someone to be able to install a program on another person’s computer, and still be in compliance with CASL, he or she will have to get express consent. Similar to CASL’s anti-spam rules, this means getting either oral or written confirmation of permission to install software.
The person or business installing the software will need to disclose the general function and purpose of the computer program, as well as whether there will be “invasive” functions like collecting personal information stored on the computer system, interfering with control of the system, changing settings, preferences, and commands, and so on. The full list of invasive functions is available here.
And besides those requirements, the installer will need to ensure end users know these invasive functions may cause their devices to operate in a way “contrary to reasonable expectations.” That means divining what those reasonable expectations might be.
Finally, installers need to provide contact information so device owners can contact them to say they want a program to be removed.
“This is a scary and interesting topic …When you look at how these rules have an impact on so many different types of software installations, that weren’t contemplated when the legislation was drafted, you go, well, what are we getting ourselves into?” Fekete said, adding the laws were out of step with modern software practices.
“[That was] before software became as ubiquitous as it is today, before just about every device that we touched was wirelessly connected, whether it be your automobile, or your smartphone, or your laptop, or all other types of similar products … Everything is capable of being updated remotely.”
This is a concern for Jeremy MacBean, director of business development at IT Weapons Inc., a managed services provider based in Brampton, Ont. As IT Weapons provides user support, it will have to ask its customers for consent to provide upgrades and updates that will keep their environments secure, creating some extra headaches, he said.
“We’re not the bad guys. We’re installing software and some of it may count as ‘invasive’ functions, because it’s going to go on there, it’s going to monitor, it’s going to provide updates in the background … but it’s there to protect these people,” MacBean said. “There hasn’t been a lot of awareness, especially in the industry … I wish there was more info earlier about this.”
However, he adds that app developers may have even more trouble with CASL’s new regulations, as they will have to build their code with the regulations in mind – especially with the Jan. 15 deadline coming up.
Canada’s rules on software updates might also affect whether foreign companies want to do business here, Fekete said.
“It certainly creates a disincentive for tech companies to set up their help desk operations in Canada, and even you can say that cloud service providers will have an incentive to set up shop elsewhere because of the extraterritorial impacts,” he said.
“And that’s been a real concern as to what the legislation might mean for the technology sector in Canada. These impacts are of course, unintentional, but nonetheless, businesses have to take them into account when deciding where to put their operations.”
There are still a lot of questions on exactly how the rules will work, and hopefully the Canadian Radio-Television Telecommunications Commission will clarify some of them by this fall, he added.