The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Canada’s Anti-Spam Law is coming – and will affect US businesses

Canada’s Anti-Spam Law (CASL) is now expected to enter into force in 2013.  Don’t expect things to sit idle until then, however. 

3 Next Steps for CASL in 2012

Following are three next steps for 2012, ranked in order of importance to industry stakeholders:

1.  Industry Canada to issue new set of regulations for comment

While businesses had hoped that regulations would clarify key terms and obligations under the Act, and lessen the Act’s impact on certain types of communications, many stakeholders were disappointed.  Many businesses considered that neither the draft Industry Canada regulations, nor the Canadian Radio-Television and Telecommunications Commission (CRTC) regulations as finalized, went far enough to clarify obligations.  Moreover, neither set of regulations provided the exemptions many businesses have called for, to exclude certain categories or types of messages from the application of CASL consent requirements. 

A glimmer of hope is in sight:  Industry Canada is expected to publish a new set of regulations for comment in the coming weeks.  These regulations are expected to contain some exemptions from the application of CASL requirements.  In the comment period, businesses will have the opportunity to comment on the regulations, and seek further changes to make CASL more workable. 

2.  CRTC to issue a series of information bulletins for industry

Anyone who has tried to read through CASL’s provisions and the accompanying CRTC regulations knows that they tend to raise at least as many questions as they answer. 

The CRTC is expected to issue information bulletins in the coming weeks and months to help clarify what is meant, and required, by some key elements of the regulations.  These bulletins may include matters relating to what it means to get consent “in writing” online, and how far businesses must go to make information accessible in “commercial electronic messages”. 

3.  Spam Reporting Centre

The government is currently reviewing bids by third-party service providers to operate the Spam Reporting Centre. The Centre will act as a liaison between the public and the government agencies (CRTC, Office of the Privacy Commissioner, Competition Bureau) on spam complaints and monitoring. The government states that:

“When operational, the Spam Reporting Centre will accept various types of electronic messages from individuals and organizations in Canada. Reporting spam and related electronic threats will not stop such threats completely; however, the data sent to the Spam Reporting Centre will help it identify trends, and try to find out who is sending the spam and other threats and from where. This will aid in the future prosecution and civil proceedings against those responsible for electronic threats in Canada and internationally.”

The final line of the above quote – “future prosecution and civil proceedings”, and “threats in Canada and internationally” – is a stark reminder of two important points. 

First, the government means business.  Its objective is to “drive spammers out of Canada” (then Minister of Industry Tony Clement, 2010).  Second, CASL is designed to reach beyond Canada.  It is designed to capture commercial electronic messages that may be sent from other countries, and also to provide the framework for international monitoring and enforcement. 

3 Things to do while you “wait” for CASL in 2013:

  1. Participate in the comment process on the coming draft Industry Canada regulations
  2. Remind yourself of the differences between the U.S. CAN-SPAM requirements, and CASL
  3. It’s strongly recommended that businesses use the lead time before CASL’s entry into force to get their operations in order. Prepare your organization’s CASL audit, checklist, and Compliance Policy. The CAN-SPAM vs. CASL presentation can help explain the basics.

LinkedIn Passwords Leaked by Hackers

Social networking website LinkedIn is investigating claims that over six million users’ passwords have been leaked onto the Internet. The BBC News reports that hackers posted a file containing encrypted passwords onto a Russian web forum. According to SecurityWeek, the website Dagens IT reported that the lists were uploaded in an effort to crowd-source their cracking, i.e., the hacking community was invited to participate in the decryption. Presently, some 300,000 passwords have been cracked. While it is unclear how many of those passwords are associated with LinkedIn accounts, many cracked codes that have been publicly posted contain the phrase "LinkedIn" in some fashion. LinkedIn has confirmed on its blog that "some" of the compromised passwords correspond to LinkedIn accounts. According to its blog, those passwords are no longer valid and affected users will receive further instructions by email.

The news comes on the heels of yesterday’s discovery by security researchers of a privacy flaw in LinkedIn’s mobile app. According to Skycure Security, the mobile app was automatically sending unencrypted calendar entries to LinkedIn servers without users’ knowledge or consent. The information included meeting notes, which often contain personal information such as dial-in numbers and passcodes for conference calls. Skycure reported that the names and email addresses of the meeting organizer and attendees were being collected even for those who did not have a LinkedIn account. This practice arguably violates Apple’s privacy guidelines that prohibit apps from transmitting personal data without users’ informed consent. In response, LinkedIn issued a statement that it would no longer send data from the meeting notes section of users’ calendars, and that it would include a new "learn more" link to provide greater transparency in LinkedIn’s data collection and use practices.

As a precautionary measure, security experts advise that all LinkedIn users immediately change their passwords.