Canada’s role in international botnet takedown

The Canadian Radio-television and Telecommunications Commission (CRTC) has served its first warrant under Canada’s Anti-Spam Law (CASL) to take down a Toronto-based command and control server.  The malware family Win32/Dorkbot had reportedly infected more than a million personal computers in 190 countries.

The CRTC has repeatedly stated that it is working together in close collaboration with other countries to address spam, malware and other “online threats”.  In this case, the CRTC collaborated with the FBI, Europol, Interpol, Microsoft, and the RCMP, among others.  The CRTC Chief Compliance and Enforcement Officer, Manon Bombardier, has said that “partnerships between domestic and international law enforcement agencies are key in the fight against transnational cyber threats”.  CASL expressly provides for sharing information among the Government of Canada, various Canadian enforcement agencies, and the government of a foreign state or international organization, for the purpose of administering and enforcing CASL’s anti-spam and malware provisions.

For more information on CASL’s application to malware, see CASL – Software, Apps and other Computer Programs.

Canadian Privacy Compliance: Time for your Online Checkup

In a previous post on online behavioural advertising (OBA), we wrote about the Office of the Privacy Commissioner’s “call to action” to stakeholders in the advertising industry on OBA, and we discussed the industry’s response to that call: self-regulation.

2012 – Call to Action: the Privacy Commissioner’s Expectations

In its 2012 Policy Position on Online Behavioural Advertising, the Office of the Privacy Commissioner (OPC) stated that it “may” be acceptable to rely on implied or opt-out consent when tracking and targeting individuals for OBA purposes, “provided that”:

  • Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their OBA practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
  • Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in OBA;
  • Individuals are able to easily opt-out of the practice – ideally at or before the time the information is collected;
  • The opt-out takes effect immediately and is persistent;
  • The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
  • Information collected and used is destroyed as soon as possible or effectively de-identified.

2013 – Industry Response: Self-Regulation

In response, the industry developed and launched the Canadian Self-Regulatory Program for Online Behavioural Advertising (the “Ad Choices program”), an initiative tailored to meet the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the OPC guidelines.  The initiative is led by the Digital Advertising Alliance of Canada (DAAC), and is monitored and administered by the non-profit industry body Advertising Standards Canada (ASC). A growing number of brands and media companies have registered for the program.

We noted in our previous post that the OPC would no doubt be watching to see whether and how industry self-regulation meets its expectations under PIPEDA and its OBA guidelines.  We also noted, however, that the self-regulatory solution was not designed to cover all OBA activities.  For example, certain types of activities are expressly excluded from the Ad Choices program, such as “online advertising of entities within a web site they own or control” and “contextual advertising”, including ads based on the content of a web page being visited, a consumer’s current visit to a web page, and a search query.

Ongoing OPC Guidelines, Investigations and “Sweeps”

The OPC is not staying on the sidelines – it continues to take a keen interest in OBA and online consent more broadly.  For example, in January 2014, the OPC found that Google ads triggered by web surfing on health sites violated privacy rights.  As a result, Google committed to several measures, including closer monitoring of potential violations by advertisers.  In May 2014, the federal, British Columbia and Alberta Privacy Commissioners issued new guidelines for online consent, calling for transparent and dynamic privacy notices, and greater protections for personal information belonging to children and youth.

In 2015, the OPC is investigating websites visited by Canadians for compliance with OBA requirements.

The OPC has in past years conducted investigation and enforcement “sweeps”.  In 2013, the OPC led and participated in the first annual Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep.  The sweep targeted privacy policies, and the OPC published the initial results of its investigations under the headings “The Good, the Bad, and the Ugly”. In 2014, the OPC again participated in the GPEN Sweep, investigating the transparency of privacy practices for 151 mobile apps that were made in Canada or frequently downloaded by Canadians.  The Results of the 2014 Global Privacy Enforcement Network Sweep are an overall, anonymous mobile app “report card”, ranking transparency to users, ease of access/reading on the small screen, and whether privacy information is available before download.

An OPC “report card” on OBA is expected to be released sometime in the Spring.

In the news: see the recent Globe & Mail article “Watchdog to study ‘privacy compliance’ among Canadian advertisers”.

Canada’s Anti-Spam Law (CASL) applies to Software January 15

Earlier this year we told you that Canada’s Anti-Spam Law (CASL) is not just for Canadians.

CASL is also not just about spam.  Effective January 15, 2015, CASL applies to the installation of “computer programs” – software, apps and other programs – on the computer or device of another person.  This affects software vendors, app developers, gaming and entertainment companies, and others that are in the business of providing software to businesses and individuals in Canada.

Like CASL’s spam provisions:

  • the software provisions apply where a Canadian is the recipient – in this case, the recipient of the software, app, or other program;
  • the regime is based on “express consent”, as defined by the legislation; and
  • significant administrative monetary penalties (maximum $10 million) can be levied for non-compliance.

Our overview presentation walks through CASL’s application to computer programs.

Other resources published by the Canadian Radio-television and Telecommunications Commission (CRTC):

Canada’s Anti-Spam Law – not just for Canadians

Canada’s Anti-Spam Law (CASL) enters into force on Canada Day, July 1. It was passed in 2010 as a “made-in-Canada” solution to “drive spammers out of Canada”.

Are you outside Canada? It’s important to know that this law reaches beyond Canada’s borders. CASL is already affecting businesses in the United States, Europe and elsewhere as they change their communications practices to send emails and other “commercial electronic messages” into Canada.

As we described in our presentation Comparing CASL to CAN-SPAM, the new law applies to messages that are accessed by a computer system in Canada. That means that messages sent by a person, business or organization outside of Canada, to a person in Canada, are subject to the law.

CASL expressly provides for sharing information among the Government of Canada, the Canadian CASL enforcement agencies, and “the government of a foreign state” or international organization, for the purposes of administering CASL’s anti-spam (and other) provisions. The MOU among the Canadian CASL enforcement agencies (see also our earlier post) similarly references processes to share and disseminate information received from and provided to their foreign counterpart agencies.

In a speech yesterday, the Chair of the Canadian Radio-television and Telecommunications Commission, Jean-Pierre Blais, emphasized the CRTC’s cooperation with its international counterparts to combat unlawful telemarketers, hackers and spammers that “often operate outside our borders”. The Chairman specifically named “the Federal Trade Commission in the U.S., the Office of Communication (OFCOM) in the U.K., the Authority for Consumers and Markets in the Netherlands, the Australian Communications and Media Authority and others”, and noted that the CRTC has led or participated in many international networks on unlawful telecommunications.

Companies should also take note that a violation of CASL might also result in the CRTC exercising its so-called “name and shame” power, by posting the name of the offender and the violation on its online compliance and enforcement list. The CRTC has for years published notices of violation with respect to its “Do Not Call List”, and is expected to take a similar approach for CASL notices of violation as well.

Companies that are working on their CASL compliance programs should take note of the CRTC’s recently published Anti-Spam Compliance and Enforcement Guidelines.

Copyright v. Privacy: Voltage Pictures LLC v. John Doe and Jane Doe

The recent Federal Court of Canada decision in Voltage Pictures LLC v. John Doe and Jane Doe (2014 FC 161) has already received considerable attention for its approach to deterring so-called “copyright trolls”: plaintiffs with “improper motives” who file multitudes of infringement lawsuits to extort quick settlements.  While less headline-worthy, the decision is also important for its practical approach to weighing copyright against privacy rights.  The central question was: are individuals who are suspected of engaging in illegal P2P downloading entitled to expect that their ISP will shield their identity from the copyright owner?

In the result, the Court ordered Ontario-based ISP TekSavvy to disclose the names and addresses of some 2,000 subscribers suspected of unauthorized copying and sharing of Voltage’s movies, including The Hurt Locker.  To arrive at this result, the Court had to balance two competing rights that are sometimes considered to be “proprietary” by those who assert them:  copyright and privacy.

The Court’s legal balancing act engaged provisions of the Copyright Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).  On the copyright side, the provisions at issue were sections 35 and 38, which the Court characterized as “a complete code for the recovery of damages for copyright infringement”.  Under the 2012 amendments to the Copyright Act, statutory damages for infringement range from $100 to $5000.  On the privacy side, the Court considered subsection 7(3) of PIPEDA, which (among other things) permits an organization to disclose personal information without knowledge or consent where the disclosure is required to comply with a court order or otherwise required by law.

The Court addressed the issues in two parts.  First, it determined that the plaintiff Voltage had established a bona fide claim, and that enforcement of its rights as a copyright holder outweighed the privacy interests of the subscribers.  Second, the Court considered how to ensure that privacy rights would be “invaded” as little as possible in the circumstances.  To do this, the Court considered case law in the United Kingdom and the United States.  One of the Court’s observations was that

[w]ith respect to privacy concerns, the cases in both jurisdictions suggest that such issues are of secondary importance as the law generally does not shield wrongdoing for reasons of privacy.

The Court concluded that it should give consideration to principles gleaned from Canadian cases, notably, the P2P file-sharing case BMG Canada Inc. v. Doe (2005 FCA 193), as well as cases from the U.S. and UK:

to weigh and balance the privacy rights of potentially innocent users of the internet versus the right of copyright holders to enforce their rights.  The Court ought to balance these rights in assessing the remedy to be granted.

Having determined that an order would be made to obtain subscriber contact information, the Court “built in” important qualifications “to protect or minimize the invasion of the privacy interests of internet users”.  Therefore, the order provides that:

  • disclosure is limited to the names and addresses associated with IP numbers (and not telephone numbers or email addresses);
  • the released information will remain confidential and may be used only in connection with the claims in the present action; and
  • the plaintiff may not disclose any of the information obtained to the general public by making or issuing a media statement.

For an interesting counterpoint on the balance between disclosure and privacy for ISP subscribers, see also our earlier post, The Fake Facebook Profile and the Veiled Victim.
