The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Canada’s Anti-Spam Law (CASL) – New Guidance on Providing Apps and Software

Canada’s Anti-Spam Law (CASL) targets more than just email and text messages 

In our previous post, we explained that on July 1, 2014, Canada’s Anti-Spam Law (CASL) had entered into force with respect to email, text and other “commercial electronic messages”.

CASL also targets “malware”.  It prohibits installing a “computer program” – including an app, widget, software, or other executable data – on a computer system (e.g. computer, device) unless the program is installed with consent and complies with disclosure requirements.  The provisions in CASL related to the installation of computer programs will come into force on January 15, 2015.

Application outside Canada

Like CASL’s email and text message provisions, the Act’s “computer program” installation provisions apply to persons outside Canada.  A person contravenes the computer program provisions if the computer system (computer, device) is located in Canada at the relevant time (or if the person is in Canada or is acting under the direction of a person in Canada).  We wrote about CASL’s application outside of Canada here.

Penalties

The maximum penalty under CASL is $10 million for a violation of the Act by a corporation.  In certain circumstances, a person may enter into an “undertaking” to avoid a Notice of Violation.  Moreover, a private right of action is available to individuals as of July 1, 2017.

CASL’s broad scope leads to fundamental questions – how does it apply?

The broad legal terms “computer program”, “computer system”, and “install or cause to be installed” have raised many fundamental questions with industry stakeholders.  The CRTC – the Canadian authority charged with administering this new regime – seems to have gotten the message.  The first part of the CRTC’s response to FAQ #1 in its interpretation document CASL Requirements for Installing Computer Programs is “First off, don’t panic”.

New CRTC Guidance 

The CRTC has clarified some, but not all of the questions that industry stakeholders have raised.  CRTC Guidance does clarify the following.

  • Self-installed software is not covered under CASL.  CASL does not apply to owners or authorized users who are installing software on their own computer systems – for example, personal devices such as computers, mobile devices or tablets.
  • CASL does not apply to “offline installations”, for example, where a person installs a CD or DVD that is purchased at a store.
  • Where consent is required, it may be obtained from an employee (in an employment context); from the lessee of a computer (in a lease context); or from an individual (e.g. in a family context) where that individual has the “sole use” of the computer.
  • An “update or upgrade” – which benefits from blanket consent in certain cases under CASL – is “generally a replacement of software with a newer or better version”, or a version change.
  • Grandfathering – if a program (software, app, etc.) was installed on a person’s computer system before January 15, 2015, then you have implied consent until January 15, 2018 – unless the person opts out of future updates or upgrades.

Who is liable?

CRTC staff have clarified that as between the software developer and the software vendor (the “platform”), both may be liable under CASL.  To determine liability, the CRTC proposes to examine the following factors, on a case-by-case basis:

  • was their action a necessary cause leading to the installation?
  • was their action reasonably proximate to the installation?
  • was their action sufficiently important toward the end result of causing the installation of the computer program?

CRTC and Industry Canada staff have indicated that they will be publishing additional FAQs, in response to ongoing industry stakeholder questions.

See:  Step-by-Step: How CASL applies to software, apps and other “computer programs”

See also:  fightspam.gc.ca  and consider signing up for information updates through the site.




Canada’s Anti-Spam Law (CASL) in force July 1

Canada’s Anti-Spam Law (CASL) enters into force on Canada Day, July 1.  It was passed in 2010 as a “made-in-Canada” solution to “drive spammers out of Canada”.

Are you outside Canada?  It’s important to know that this law reaches beyond Canada’s borders.  CASL is already affecting businesses in the United States, Europe and elsewhere as they change their communications practices to send emails and other “commercial electronic messages” into Canada. 

As we have described in our presentation Comparing CASL to CAN-SPAM, the new law applies to messages that are accessed by a computer system in Canada.  That means that messages sent by a person, business or organization outside of Canada, to a person in Canada, are subject to the law.

CASL expressly provides for sharing information among the Government of Canada, the Canadian CASL enforcement agencies, and “the government of a foreign state” or international organization, for the purposes of administering CASL’s anti-spam (and other) provisions.  The MOU among the Canadian CASL enforcement agencies similarly references processes to share and disseminate information received from and provided to their foreign counterpart agencies. 

In a speech on June 26, the Chair of the Canadian Radio-television and Telecommunications Commission, Jean-Pierre Blais, emphasized the CRTC’s cooperation with its international counterparts to combat unlawful telemarketers, hackers and spammers that “often operate outside our borders”.  The Chairman specifically named “the Federal Trade Commission in the U.S., the Office of Communication (OFCOM) in the U.K., the Authority for Consumers and Markets in the Netherlands, the Australian Communications and Media Authority and others”, and noted that the CRTC has led or participated in many international networks on unlawful telecommunications.

Companies should also take note that a violation of CASL might also result in the CRTC exercising its so-called “name and shame” power, by posting the name of the offender and the violation on its online compliance and enforcement list.  The CRTC has for years published notices of violation with respect to its “Do Not Call List”, and is expected to take a similar approach for CASL notices of violation as well. 

The CRTC recently published a Compliance and Enforcement Bulletin on its Unsolicited Telecommunications Rules and on CASL, available here.  The CRTC recommends implementing a corporate compliance program as part of a due diligence defence: 

Commission staff may take into consideration the existence and implementation of an effective corporate compliance program if the business presents the program as part of a due diligence defence in response to an alleged violation of the Rules or CASL. Although the pre-existence of a corporate compliance program may not be sufficient as a complete defence to allegations of violations under the Rules or CASL, a credible and effective documented program may enable a business to demonstrate that it took reasonable steps to avoid contravening the law.



Canada’s Anti-Spam Legislation: A road map to “commercial electronic messages”

Let’s take stock of the information currently available on Canada’s Anti-Spam Legislation (CASL).  First, there is the Act itself.  Next, there are:

If you still have questions about the circumstances in which you can send a commercial electronic message (CEM) under CASL, you’re not alone. 

The following one-page overview is intended as a guide to the various scenarios contemplated under CASL.  As an “at a glance” reference, it is not intended as legal advice, and is not a substitute for consulting CASL and the various regulations and bulletins noted above.  It should, however, serve as a high level road-map through the maze.

[Image: CASL overview (one-page road map)]



FTC Issues Consumer Advice re: Hacked Email and Social Networking Accounts

On August 1, the FTC provided consumers with a new resource, Hacked Email,  to help them identify a hacked email or social media account, recover their account from a hack, and prevent it from happening again.  The need for such guidance is highlighted by statistics such as these:

  • Over 60,000 compromised account logins occur every day on Facebook, according to Sophos.  
  • 62 percent of users with compromised email accounts were unaware of how their accounts had been compromised, according to a study by Commtouch, State of Hacked Email Accounts.
  • Of the third of users who noticed their account was compromised, 50 percent did not know until their friends told them. (Id.)

Given over half of all hacked accounts are used to send spam to promote a product (according to Commtouch) and many others are used to promote scams and spread malware resulting in loss of personal information, security credentials and financial assets, the FTC has a vested interest in protecting consumers from hacked accounts. Here are ways it suggests consumers can start tackling the problem:

  • To identify a hacked account, users should pay attention to: messages they did not send (or social media posts they did not write) but which appear to originate from their account; an empty sent-mail folder (indicating a hacker sent multiple emails from the account and then deleted the sent-mail folder’s contents, or set it not to save emails, in order to cover his or her tracks); or email from other accounts which the user cannot open.
  • To remediate a hacked account, users should ensure their security software is up to date and delete malware; change their passwords (tips for creating strong passwords are included); contact their account service provider for account-specific advice on account restoration; check account settings to ensure messages are not being forwarded to an unfamiliar address or no new “friends” have been added to a social networking account; and inform friends and family so they don’t run the risk of getting hacked themselves by opening emails from the user’s hacked account. By going above and beyond just telling users to change their account password, these tips are likely to be useful to consumers, as, according to Commtouch, most users (42%) do nothing to solve the problem except change their password and 23 percent do nothing at all.
  • To avoid getting hacked again in the future, users should employ unique passwords for financial and other important sites; use two-factor authentication when available; not click on links or open attachments from unknown users; and only download free software from known, trusted sites.  The FTC also gives guidance on safely using public computers and wi-fi networks.
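The warning signs in the FTC’s first bullet (unfamiliar forwarding, an emptied sent folder, mail the owner did not send, contacts the owner did not add) are the kind of thing an account provider or a corporate mail administrator can check automatically. The following is an added example, not code from the FTC’s Hacked Email guidance or from this post; the snapshot shape, field names, the 5x outbound threshold and the sample data are all constructed for illustration, and a real check would pull these values from the provider’s account-settings API.

```javascript
// Added example (not FTC code): turn the "signs of a hacked account" listed
// in the post into an automated audit over an account snapshot.
// All field names, thresholds and sample values below are constructed.

function domainOf(address) {
  const parts = String(address).toLowerCase().split('@');
  return parts.length === 2 ? parts[1] : '';
}

// Returns a list of findings; an empty list means none of the indicators fired.
function auditAccountSnapshot(snapshot, owner) {
  const findings = [];
  const knownAddresses = new Set(owner.knownAddresses.map((a) => a.toLowerCase()));
  const knownDomains = new Set(owner.trustedDomains.map((d) => d.toLowerCase()));

  // 1. Mail quietly forwarded to an address the owner does not recognise.
  for (const rule of snapshot.forwardingRules) {
    const to = rule.to.toLowerCase();
    if (!knownAddresses.has(to) && !knownDomains.has(domainOf(to))) {
      findings.push({ severity: 'high', indicator: 'unfamiliar-forwarding', detail: rule.to });
    }
  }

  // 2. Sent folder emptied, or set not to keep copies, while the provider
  //    still counted outbound mail: the "cover the tracks" pattern.
  if (snapshot.outboundLast24h > 0 && (snapshot.sentFolderCount === 0 || !snapshot.saveSentMail)) {
    findings.push({
      severity: 'high',
      indicator: 'sent-folder-cleared',
      detail: `${snapshot.outboundLast24h} sent in 24h, ${snapshot.sentFolderCount} kept`,
    });
  }

  // 3. Far more outbound mail than this owner normally sends, i.e. messages
  //    the owner did not write. The 5x-baseline threshold is an assumption.
  if (snapshot.outboundLast24h > 5 * owner.typicalDailyOutbound) {
    findings.push({
      severity: 'medium',
      indicator: 'outbound-spike',
      detail: `${snapshot.outboundLast24h} vs baseline ${owner.typicalDailyOutbound}`,
    });
  }

  // 4. New "friends" or contacts the owner did not add.
  for (const c of snapshot.recentConnections) {
    if (!owner.approvedConnections.includes(c)) {
      findings.push({ severity: 'low', indicator: 'unapproved-connection', detail: c });
    }
  }
  return findings;
}

// Constructed sample: what the owner knows about their own account ...
const sampleOwner = {
  knownAddresses: ['me@example.com', 'me.backup@example.org'],
  trustedDomains: ['example.com'],
  typicalDailyOutbound: 10,
  approvedConnections: ['alice', 'bob'],
};
// ... and a snapshot showing several of the signs at once.
const sampleSnapshot = {
  forwardingRules: [{ to: 'me.backup@example.org' }, { to: 'drop@mail.example.net' }],
  outboundLast24h: 240,
  sentFolderCount: 0,
  saveSentMail: true,
  recentConnections: ['alice', 'mallory'],
};

console.log(auditAccountSnapshot(sampleSnapshot, sampleOwner));
```

Run with `node`; the sample snapshot produces four findings (one per indicator), while a snapshot with only the owner’s own backup address as a forwarding target and normal outbound volume produces none. The forwarding check is the one worth keeping even in a minimal deployment: a silent forward to an outside address survives a password change, which is exactly why the FTC tells users to check their settings and not only their password.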

While the tips are useful to consumers, businesses can also benefit from leveraging the FTC’s consumer-facing tips to educate their employees and customers. For example, given that 29 percent of breaches involved social tactics like phishing (getting employees to click on fake emails) according to the Verizon 2013 Data Breach Investigations Report, one of the FTC’s tips of particular use is that users should avoid clicking on links or opening attachments from unknown users.

Hacked Email is one of a series of educational materials consumers can leverage to protect themselves, available at www.onguardonline.gov, which is managed by the FTC in partnership with the Department of Homeland Security and the National Institute of Standards and Technology. Guidance on avoiding identity theft, scams and other issues touching on consumer privacy and security is provided on the site.



Start preparing for Canada’s anti-spam legislation

Canada’s Anti-Spam Law (CASL) is expected to enter into force in 2013, together with two sets of regulations that will address certain detailed requirements under the Act. Industry Canada Regulations are still underway. The Canadian Radio-television and Telecommunications Commission (CRTC) is further ahead: it enacted its Electronic Commerce Protection Regulations in March 2012.

The CRTC has moreover issued two Information Bulletins on its Regulations. The new guidelines address practical aspects of obtaining consent to send commercial electronic messages (CEMs), and providing an effective unsubscribe mechanism.

1. OBTAINING CONSENT

Specific requests for consent must be clearly identifiable to the user and indicate that the user’s consent can be withdrawn at any time. Consent can be obtained orally or in writing, and must be positive and explicit. In other words, it must be “opt-in”.

Acceptable: an icon or an empty toggle box that must be actively clicked or checked.

Not Acceptable: an opt-out mechanism (i.e. unchecking a pre-checked box); a CEM in the form of a subscription email, text message, or other equivalent form to request express consent.

2. UNSUBSCRIBE MECHANISM

The unsubscribe mechanism must be consumer-friendly, simple, easy to use, and must be set out clearly and prominently. Under the Regulations it must be capable of being “readily performed”.

Email Example: a link takes the user to a web page where he or she can unsubscribe from receiving all or some types of CEMs from the sender.

SMS Example: the user should have the choice between clicking a link, or replying to the SMS with the word “STOP” or “Unsubscribe”.
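The two bulletins describe requirements, not an implementation. As an added example (not code from the CRTC or from this post), the following module encodes both points above so that a sign-up form and a mailing pipeline can be checked against them: the consent request is rejected if the box is pre-checked, if it does not state its purpose or that consent can be withdrawn, or if it would itself be delivered as an email or SMS; consent is recorded only on an affirmative act; and unsubscribing works either per category of message (the email example) or for everything (the SMS “STOP”/“Unsubscribe” reply). All field names, the sample form and the sample addresses are constructed for illustration.

```javascript
// Added example, not CRTC code: express consent capture and unsubscribe
// handling modelled on the two bulletins. Field names and samples are constructed.

// Check a consent request against the opt-in criteria before it is shown to
// a user. Returns a list of problems; an empty list means it is acceptable.
function validateConsentRequest(form) {
  const problems = [];
  if (form.defaultChecked) {
    problems.push('box is pre-checked: unchecking it would be opt-out, not express consent');
  }
  if (!form.purposeText) {
    problems.push('request is not clearly identifiable: no statement of what consent is for');
  }
  if (!form.withdrawalNotice) {
    problems.push('request does not say that consent can be withdrawn at any time');
  }
  if (form.deliveredVia === 'email' || form.deliveredVia === 'sms') {
    problems.push('a subscription email/SMS is itself a CEM and may not be used to ask for consent');
  }
  return problems;
}

// Record consent only on an affirmative act (the box was actively checked).
// Returns null when no consent was given; throws if the form itself is unacceptable.
function recordConsent(form, submission, now = new Date()) {
  const problems = validateConsentRequest(form);
  if (problems.length > 0) {
    throw new Error('consent request is not acceptable: ' + problems.join('; '));
  }
  if (submission.checked !== true) {
    return null;
  }
  return {
    address: submission.address,
    source: form.id,
    grantedAt: now.toISOString(),
    withdrawnAt: null,
    optedOutCategories: [],
  };
}

// Unsubscribe from everything ('all') or from some categories of CEM.
// Records are treated as immutable so the history can be kept as evidence.
function unsubscribe(record, categories, now = new Date()) {
  if (categories === 'all') {
    return { ...record, withdrawnAt: now.toISOString() };
  }
  const merged = new Set([...record.optedOutCategories, ...categories]);
  return { ...record, optedOutCategories: [...merged] };
}

// SMS reply handling: "STOP" or "Unsubscribe", any case, surrounding whitespace ignored.
const UNSUBSCRIBE_KEYWORDS = new Set(['stop', 'unsubscribe']);
function isUnsubscribeReply(body) {
  return UNSUBSCRIBE_KEYWORDS.has(String(body).trim().toLowerCase());
}

// Gate every outgoing CEM on the current state of the consent record.
function maySend(record, category) {
  if (record === null || record.withdrawnAt !== null) return false;
  return !record.optedOutCategories.includes(category);
}

// Constructed sample: a web sign-up form that meets the criteria.
const sampleForm = {
  id: 'newsletter-signup',
  defaultChecked: false,
  purposeText: 'Yes, send me Example Co. product news and offers by email.',
  withdrawalNotice: true,
  deliveredVia: 'web',
};

// Walk through one subscriber's lifecycle.
let demoRecord = recordConsent(sampleForm, { address: 'reader@example.com', checked: true });
demoRecord = unsubscribe(demoRecord, ['offers']);
console.log(maySend(demoRecord, 'news'), maySend(demoRecord, 'offers')); // true false
if (isUnsubscribeReply('  Stop ')) demoRecord = unsubscribe(demoRecord, 'all');
console.log(maySend(demoRecord, 'news')); // false
```

The design choice worth noting is that the gate is on the record, not on the form: a message pipeline calls `maySend` for every CEM and category, so a withdrawn or partially opted-out record blocks sending regardless of which system originally collected the consent.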

For more information, please see:

Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)

Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation

Wondering how Canada’s Anti-Spam Law compares to the U.S. CAN-SPAM requirements? Check out http://www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law



Class Action Suit Filed Against Google, Alleges Email Interception and Eavesdropping under California’s CIPA

A class action suit was filed last month against Google in the Superior Court of California. The class is all California residents who are not Gmail subscribers, and who have sent an email to Gmail subscribers using a non-Gmail email account.

The complaint alleges that Google intentionally intercepted emails sent by individuals who are not Gmail subscribers to Gmail subscribers. Google then reviewed the words, the content and thought processes of these emails.

According to the complaint, while Gmail subscribers consented to their emails being reviewed by Google, including their incoming email, senders of these non-Gmail emails have not given Google their consent to intercept emails sent from their non-Gmail accounts. As this interception is done before the email is delivered to the Gmail subscriber, the complaint alleges that it constitutes wiretapping and eavesdropping in violation of California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630 et seq.

Cal. Penal Code § 630 states the intent for CIPA:

“The Legislature hereby declares that advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications and that the invasion of privacy resulting from the continual and increasing use of such devices and techniques has created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society. The Legislature by this chapter intends to protect the right of privacy of the people of this state.”

Wiretapping: Cal. Pen. Code § 631 provides for the liability of "[a]ny person who … willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state." The complaint claims that Google violated § 631.

Eavesdropping: If Google’s conduct is not wiretapping, the complaint states that Google has violated § 632 of the Cal. Pen. Code, which makes it illegal to engage in eavesdropping on e-mail conversations.

The complaint seeks an order requiring Google to cease violating CIPA, and also seeks an award of statutory damages for each member of the class.

The case will be interesting to follow, as a California Court held last April that the Federal Wiretap Act does not completely preempt California’s Invasion of Privacy Act, Cindy Leong v. Carrier IQ Inc et al, Carey Eckert v. Carrier IQ Inc et al, CV 12-01564, United States District Court, C.D. California. In that case, defendant had filed a notice of removal, arguing that "[c]ourts in both the Central and Northern Districts of California have held that the Federal Wiretap Act, as amended by the ECPA in 1986, comprehensively regulates privacy claims concerning electronic communications."  The Court was not convinced by the arguments, stating that the California law is more restrictive than the Federal law, and that the Federal law supersedes state law only to the extent that state law offers less protection.



Canada’s Anti-Spam Law is coming – and will affect US businesses

Canada’s Anti-Spam Law (CASL) is now expected to enter into force in 2013.  Don’t expect things to sit idle until then, however. 

3 Next Steps for CASL in 2012

Following are three next steps for 2012, ranked in order of importance to industry stakeholders:

1.  Industry Canada to issue new set of regulations for comment

While businesses had hoped that regulations would clarify key terms and obligations under the Act, and lessen the Act’s impact on certain types of communications, many stakeholders were disappointed.  Many businesses considered that neither the draft Industry Canada regulations, nor the Canadian Radio-Television and Telecommunications Commission (CRTC) regulations as finalized, went far enough to clarify obligations.  Moreover, neither set of regulations provided the exemptions many businesses have called for, to exclude certain categories or types of messages from the application of CASL consent requirements. 

A glimmer of hope is in sight:  Industry Canada is expected to publish a new set of regulations for comment in the coming weeks.  These regulations are expected to contain some exemptions from the application of CASL requirements.  In the comment period, businesses will have the opportunity to comment on the regulations, and seek further changes to make CASL more workable. 

2.  CRTC to issue a series of information bulletins for industry

Anyone who has tried to read through CASL’s provisions and the accompanying CRTC regulations knows that they tend to raise at least as many questions as they answer. 

The CRTC is expected to issue information bulletins in the coming weeks and months to help clarify what is meant, and required, by some key elements of the regulations.  These bulletins may include matters relating to what it means to get consent “in writing” online, and how far businesses must go to make information accessible in “commercial electronic messages”. 

3.  Spam Reporting Centre

The government is currently reviewing bids by third-party service providers to operate the Spam Reporting Centre.  The Centre will act as a liaison between the public and the government agencies (CRTC, Office of the Privacy Commissioner, Competition Bureau) on spam complaints and monitoring.  The government states that:

“When operational, the Spam Reporting Centre will accept various types of electronic messages from individuals and organizations in Canada. Reporting spam and related electronic threats will not stop such threats completely; however, the data sent to the Spam Reporting Centre will help it identify trends, and try to find out who is sending the spam and other threats and from where. This will aid in the future prosecution and civil proceedings against those responsible for electronic threats in Canada and internationally.”

The final line of the above quote – “future prosecution and civil proceedings”, and “threats in Canada and internationally” – is a stark reminder of two important points. 

First, the government means business.  Its objective is to “drive spammers out of Canada” (then Minister of Industry Tony Clement, 2010).  Second, CASL is designed to reach beyond Canada.  It is designed to capture commercial electronic messages that may be sent from other countries, and also to provide the framework for international monitoring and enforcement. 

3 Things to do while you “wait” for CASL in 2013:

  1. Participate in the comment process on the coming draft Industry Canada regulations
  2. Remind yourself of the differences between the U.S. CAN-SPAM requirements, and CASL
  3. It’s strongly recommended that businesses use the lead time before CASL’s entry into force to get their operations in order.  Prepare your organization’s CASL audit, checklist, and Compliance Policy.  The CAN-SPAM vs. CASL presentation can help explain the basics.