For the second time the CRTC has publicized the execution of a warrant under the CRTC’s powers under Canada’s Anti-spam law (CASL). The investigation is focused on the installation of malware and the altering of transmission data.
The first such warrant was executed December 3, 2015, where the CRTC acted to take down a command and control server as part of a coordinated international effort directed at the Win32/Dorkbot malware family.
It was reported that the current investigation began after a lead provided by a private sector cyber threat and forensics’ firm, FireEye Inc. As is CRTC practice they did not name the subjects of the investigation nor provide comment on the ongoing investigation.
Manon Bombardier, CRTC’s Chief Compliance and Enforcement Office stated, “We are working to protect Canadians from online threats by pursuing those individuals and entities who violate Canada’s anti-spam legislation. We are grateful for the assistance that FireEye Inc. provided which led to the execution of this warrant, and we will continue to work closely with our domestic and international partners in the fight against cyber threats.”
These enforcement actions show that the CRTC is targeting violations of the malware and the alteration of transmission data provisions under CASL.
An important issue for legitimate businesses under the malware provisions of CASL is that the CASL prohibitions are very broad and may capture some legitimate activity such as bring-your-own-device (BYOD) policies and IT user support activities. Broadly speaking, under CASL, the authorized user or owner of a device (for example, a laptop, smart phone, tablet, etc.) must consent to software installations that are not self-initiated. In certain circumstances, consent will be required even where an installation is self-initiated. Further, the law imposes specific notification and disclosure obligations where such a program is capable of certain “special functions”, defined in CASL to include:
-
collecting personal information;
-
changing or interfering with settings, preferences or commands of the computer system without knowledge of the user;
-
restricting or interfering with access of data;
-
causing a computer system to communicate with any other device without consent of the owner or authorized user; or
-
installing a computer program that can be activated by a third party.
What is noteworthy is that these functions need not be malicious. Many such functions are carried out by many legitimate computer programs. CASL requires that the installer of the program give notice of and obtain a separate express consent from the owner or authorized user of the device for each of these functions. Such special functions must be disclosed and described to the user separately from other consents and may not form part of general terms of use or a license agreement.
In light of these notification and consent requirements under CASL, organizations will wish to review and may need to update their IT policies.
As further details become available on the results of the ongoing CRTC investigative actions we may learn more about the effectiveness of the enforcement under CASL, how provisions are interpreted by the CRTC and any possible impacts for legitimate businesses seeking to ensure compliance in respect of their own operations.
