Canada's New Anti-Spam Law: Businesses Beware
By Julie King | April 2, 2012
Welcome to "the freezer", an era of protection from unsolicited messaging that will see spammers frozen out with penalties that can go as high as $1 million for individuals and $10 million for corporations.
Introduced in 2010, the new legislation took one step closer to coming into full effect last week with the publishing of its final regulations.
The idea of protecting Canadians online while also targeting spammers is laudable.
Yet as information security expert Claudiu Popa tells CanadaOne, when it comes to fighting spam the government has gotten things "all wrong".
Popa is the president of Informatica and co-author of the book The Canadian Privacy and Data Security Toolkit for Small and Medium Enterprises. When it comes to the new anti-spam legislation, his insights raise the question: is the new law good politics, but bad policy?
Here are five key areas of concern that Popa has about the new anti-spam legislation.
An obsolete idea
Popa explains that the idea for this law was first proposed in 2005, yet as the Internet has evolved so have a) the spammers, b) the controls in place to address spam, and c) the knowledge of Internet users.
He notes that the majority of spam messages are generated by botnets (a collection of compromised computers) that are regularly being shut down. "What's left is very effectively filtered by webmail anti-spam and ISPs (over 98%). Then they're further eradicated by company spam-filters at work and email clients themselves."
Law based on misleading statements
When justifying its anti-spam legislation in 2005, the government cited two concerns: that Canada was a hotbed for spam and that spam is scaring Canadians away from both e-commerce and the Internet as a whole.
The first assertion, Popa says, is hooey. Even in 2005 when the law was first proposed, junk email in Canada accounted for less than three per cent of global spam.
Popa's second point is ironic: It is not Canadian consumers, but Canadian businesses who are reluctant to adopt e-commerce. Canadian consumers are voracious consumers of everything Internet, but businesses are not.
Combining high penalties in the anti-spam law with nervousness over using new technology seems to be a great recipe for encouraging businesses to stick with the status quo.
The really "bad guys" aren't in Canada
Are there small businesses that send out the occasional annoying, unsolicited email pitching products or services?
Yet there is typically an "innocence" to this spam, which usually comes from a business that is genuinely trying to understand how to use e-marketing but just doesn't "get it".
What is much more dangerous - and frustrating - is the deluge of emails promoting money scams, malicious software programs and all kinds of ways to "make the impossible come true", from get rich quick schemes and radical weight loss programs to sexual enhancements.
That is the group that needs to be dealt with aggressively. But are they located in Canada?
According to a SecureList analysis of spammers, the United States and Canada combined had the second lowest level of spam by region globally in the first half of 2011, accounting for less than 2 per cent of all spam (a number that was just slightly higher than Australia and the Pacific Islands).
"In our company, almost 100% of all spam originates in other geographic jurisdictions," says Popa. "This means that close to 100% of all reports will be of foreign origin and pretty much 100% of the agencies' work will be a complete waste of time and resources, since this system will do little to nothing in the way of punishing international emailers, fraudulent Facebook posters, spimmers, spitters or any other overzealous marketers."
Meanwhile, the more innocent group risk facing administrative penalties so high that a complaint related to a single email could potentially wipe out a company.
Complainants often forget opting-in
The way people use the Internet, where they surf, skim and occasionally (or not so occasionally) pop their email into this or that subscription list, creates a danger for legitimate businesses.
"Most of us don't even remember when we opt-in for regular updates from a site that was appealing on an initial visit," says Popa. "To therefore expose a legitimate local vendor to scrutiny that could be accompanied by a $10M financial hit is irresponsible at best and a complete waste of taxpayer resources in the failing case."
"In no case does it support the law's stated purpose of "protecting Canadians while ensuring that businesses can continue to compete in the global marketplace"? Sure, if by that they mean scaring the bejesus out of them and introducing untold delays in their - already privacy-compliant - marketing plans."
Law encourages dangerous behaviour
Popa saves the pièce de résistance in his criticism of the law for last.
To get email into the freezer, consumers will need to follow a process that will put them at risk.
Popa explains, "Given the law's stated goal to: '… deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help drive spammers out of Canada.', having users actually open messages to see if they're misleading, unauthorized or malicious, exposing themselves to phishing, social engineering, identity theft and malware attacks seems counterintuitive (read: ignorant)."
In other words, the steps a user will need to take to guide their decision in reporting spam could possibly put that user at risk.
Teeth of this law could be better used in other areas
It seems ironic, really, because there are other areas where laws with a good bite from substantial administrative penalties and an ability to unveil hidden companies could really help.
For example, the laws that govern reporting of privacy breaches in Canada are light in comparison to the anti-spam law.
Similarly, businesses that operate within the letter of the law can often get away with manipulating human behaviour for deceptive purposes. We have seen many examples of businesses that trick people into buying things that are either not what they seem (like the Yellow-Page-Canada misleading directory invoices) or that they don't even realize they are buying because it's buried in the fine print (and often has recurring monthly or annual fees).
What's more, these companies are often very difficult to track down: there is no right or mechanism for affected consumers to find out who sent them the invoice or is charging their credit card.
Meanwhile, a single email could result in administrative penalties so high that the government might as well have made them $1 billion per incident.
Which takes us full circle.
In government a law sometimes makes for good politics, but bad policy.
Spam is frustrating and it is laudable to take steps to protect consumers and businesses alike.
Yet the anticipated results from Canada's new anti-spam law seem to diverge wildly from the stated goals of the government.
For businesses there is really only one option: protect yourself.
Otherwise you could find your company on the unwelcome end of an investigation and administrative penalties that could literally put your business out of business.
To learn more about the new anti-spam legislation, visit fightspam.gc.ca.
Anti-spam law facts
- The law will come into effect when it receives a Governor in Council order.
- The definition of spam applies to all electronic messages, including those sent through social media and text messages sent to a cell phone.
- Private citizens and corporations will be able to bring "a private right of action in court" against companies alleged to have broken the law and will let them seek actual and statutory damages. (If a Notice of Violation has been served on the defendant, statutory damages may not be pursued.)
- The law does not just target spammers. The government website, fightspam.gc.ca, notes that the law will also address "… violations including:
  - sending of unsolicited commercial electronic messages,
  - the unauthorized alteration of transmission data,
  - the installation of computer programs without consent,
  - false and misleading electronic representations online (including websites),
  - the unauthorized collection of electronic addresses; and
  - the collection of personal information by accessing a computer system in contravention of an Act of Parliament."
- The law has the support of three government agencies - the CRTC, Competition Bureau and the Privacy Commissioner of Canada - as well as $700,000 a year budgeted for enforcement.