CRTC Imposes Penalties On Two Companies For Distributing Malware Online
Defence + Indemnity
Recently, the Canadian federal government publicized anti-spam legislation, generally referred to as “CASL” (An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23).
CASL was promulgated to combat the sending of unwanted commercial messages. Section 3 of the statute provides:
Purpose of Act
3. The purpose of this Act is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct
(a) impairs the availability, reliability, efficiency and optimal use of electronic means to carry out commercial activities;
(b) imposes additional costs on businesses and consumers;
(c) compromises privacy and the security of confidential information; and
(d) undermines the confidence of Canadians in the use of electronic means of communication to carry out their commercial activities in Canada and abroad.
Section 20 creates an administrative process and infrastructure that allows for “administrative penalties” to be assessed against an organization which sends out a “commercial electronic message” unless the CASL requirements are met.
CASL’s measures against unwanted spam also include a prohibition against distributing malware online. Section 8 of the legislation provides as follows:
Installation of computer program
8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless
(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or
(b) the person is acting in accordance with a court order.
(2) A person contravenes subsection (1) only if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions.
Recently, the Canadian Radio-television and Telecommunications Commission imposed penalties on two companies for distributing malware through online ads. Datablocks and Sunlight Media were assessed penalties of $100,000 and $150,000 respectively on the following grounds:
- Sunlight Media accepted unverified, anonymous clients who used their services to distribute malware.
- Datablocks provided Sunlight Media’s clients with the necessary infrastructure and software to compete in real-time for the placement of their ads, which contained malware.
- Neither Datablocks nor Sunlight had:
  - Written contracts in place with their clients that would bind them to comply with Canada’s anti-spam law;
  - Monitoring measures in place governing how their clients use their service; or
  - Written corporate compliance policies or procedures in place to ensure compliance with Canada’s anti-spam law.
- After being alerted in 2015 to reports by cybersecurity researchers, and made aware in 2016 by the CRTC, neither company implemented basic safeguards, which are well known to the industry.
See: CRTC issues $250,000 in penalties to combat malicious online advertising (News Release), 11 July 2018, Canadian Radio-television and Telecommunications Commission; Investigation into the installation of malicious computer programs through online ads, File Number 9094-2015-00417, Canadian Radio-television and Telecommunications Commission.