ARCHIVED—Network and Technology Working Group: Beyond Best Practices
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
Views from the Task Force
- Lori Assheton-Smith, Senior Vice-President and General Counsel, Canadian Cable Telecommunications Association
- Tom Copeland, President, Canadian Association of Internet Providers
Views from the Stakeholders
- Gerry Miller, Executive Director, University of Manitoba
- Alex Leslie, Vice President, Technology, AOL Canada Inc.
- Mary Carman, Chief Information Officer, Industry Canada
- Glenn Ward, Vice President, Customer Service Assurance, Bell Canada
Views from the Task Force
Lori Assheton-Smith, Senior Vice-President and General Counsel, Canadian Cable Telecommunications Association
Lori Assheton-Smith thanked everyone involved for their work in recent months to put together a working document so quickly, including input from industry members from the last 12 to 18 months, well before the Task Force was undertaken. ISPs undertook discussions on these issues with their competitors, knowing it is in their own and their customers' best interests to do so. "They did not do it because anyone told them to." She acknowledged that most of the recommended practices will make sense for some providers, but not all practices will make sense for all providers. She emphasized that the best practices are by no means a mandatory prescription for ISPs. Instead, she said, the working group tried to provide guidance for the community while leaving room for flexibility. These best practices are only one element of a multi-faceted approach to spam. Spam is about more than technology and so will the solution be.
Tom Copeland said there is a concept floating around that perhaps the industry isn't doing enough to prevent spam from reaching customers. It may be specific to each individual ISP, but providers are using many of the tools available. "We're identifying up to 80% of our traffic as spam," and that's what is getting caught in the spam traps. For his own ISP business, Mr. Copeland said the spam-filtering costs amount to the salary for one full-time position. As much as he'd prefer to keep that money here and employ someone, he needs to provide that service. Many ISPs in the market have already adopted many of these practices. The document will be reviewed to keep pace as technology evolves. Mr. Copeland said it is underlying principles that the group wants to promote, and he thanked "the folks in the trenches" who worked to solve some of these issues around how practices are adopted.
Views from the Stakeholders
Gerry Miller said universities and colleges are a kind of ISP and have similar restrictions and constraints. Spam was a huge problem, so his university adopted measures that include a bulk mail filter, a grey mail filter that requires sender verification, and a desktop virus filter. Mandatory use of virus software and mandatory patch management, both controlled centrally, were also implemented. In a university, Mr. Miller said, the words "mandatory" and "central control" were not popular concepts, but spam went nearly to zero and "I've had no grievances from the faculty union." In this case, perhaps a legal framework is needed as backup, but that framework cannot hinder the technical solutions. Things like SPF and e-mail blocking have a different reception in an educational environment than in business. Spam costs a lot of energy and time, and in a public institution that is unable to pass the cost along to the consumer, it is a major problem. Time spent dealing with spam is time taken away from teaching and research.
Alex Leslie said his main message is "we cannot stop here." It may have proved more difficult to get to some agreements than anticipated, but it got done. Whether agreement is needed among ISPs, or between ISPs and government, it is a necessary step. Speaking for AOL, he said the company is fully compliant already, and the processes implemented will have a greater impact if shared than if only implemented internally.
AOL has seen a steep year-over-year decline in spam delivered to AOL which we believe is on account of the success of our five-pronged anti-spam strategy. AOL Canada's five-prong strategy focuses on Anti-spam tools provided to Subscribers, server-based filters and other host technology, litigation of Spam Kingpins, support for aggressive legislation against spammers, and industry collaboration and information sharing. We also provide a special AOL Postmaster site (http://postmaster.aol.com) for other ISPs to receive information about spam reports from AOL subscribers about that ISP, and bulk e-mailers to register for AOL's Whitelisting (and receive feedback about spam reports from AOL subscribers about them).
Mr. Leslie said AOL Canada is constantly on the lookout to try technologies that others have created as another tool in the arsenal of methods for effective filtering, including looking at third-party commercial certification organizations in the next year. Putting user tools in place is another approach to counter spam, and he said AOL Canada has seen a decline in spam reports from users over last year, an indication that the company is doing things right. Mr. Leslie recommended the formation of a society to "deal with issues among ourselves," saying that providing mechanisms for people to communicate with each other quickly in order to alert others to problems and with an agreement to act quickly to counter it would be helpful. "We have not arrived, we're on a trip" and need ways to work with each other and become more flexible than ever before. "As much as we're glad to solve the problems of AOL, we'd be overjoyed to help solve the problem for all of you."
Mary Carman said the role of an information officer in government may be different than at an ISP. Her tasks include maximizing the use of public funds, so affordability is a consideration at every step. She reviewed where the department hopes to be by 2008. Complaints from department staff indicate that work on spam filtering that has continued since 2003 has not been as effective as expected and the department had clearly reached the limits of the capability of the product in use. The filters blocked 6 million spam messages, but 21 million had not been filtered and were causing an increased demand on storage, server capacity and bandwidth. Spam was named as the number one harassment issue among departmental staff, and the annoyance factor is an element as well. "It was clear we needed to change now."
Ms. Carman said the anti-spam approach was a leading issue raised in a computing workshop, and now the department has obtained the Secure Channel spam solution, provided through Public Works and Government Services Canada (PWGSC). The product has been modified to meet the specific needs of the department and "we intend to go forward with it." There will be two tiers, and it will include a grey mail element. Once the anti-spam tool is in place, Industry Canada will also have an element to track outgoing mail that may not have been delivered. Rollout at Industry Canada is planned for January 8, 2005. Treasury Board is also preparing for a similar roll out, but Industry Canada grabbed the headlines and "we were in the paper" as spending $5.5 million "because we had already quantified our business case." Ms. Carman said this is an affordability solution for every department.
Glenn Ward, who is responsible for the sympatico.ca, bell.ca, and bellnet.ca systems, said Bell strongly supports the work done by the Task Force over recent months. These are not new procedures suddenly implemented, and "we strongly believe we need to be active within the ISP community" to face this challenge. "From today, I can see we're making good progress."
Profiling some of the specific things Bell has done to combat spam, Mr. Ward said the company was in a crisis situation in 2001, facing the prospect of being blacklisted by some American ISPs. The spam blocking that Bell implemented then has proven to be of great benefit over the last three years. In July of 2004, Bell implemented a 24/7 help desk as a single point of contact for ISPs to report problems in development, and for Bell to work with the ISPs through this and other more formal forums. Mr. Ward said this is often a bilateral discussion with ISPs to act quickly to shut down an attack.
At one time Bell noticed that "40% of our mail was being sent by 25 customers." The company shut down service to those customers, and in many cases it turned out to be unintentional spam from infected machines. During another outbreak, Bell quarantined dozens of customers in one day and contacted them proactively to address the situation. Mr. Ward said Bell has also seen a reduction in the number of complaints from customers, as well as a reduction in the amount of spam, and he credited both to the blocks Bell has put in place. He commented on other ISPs that are also being proactive and said that while spam is up and complaints are down, "it is not nearly over." Mr. Ward said Bell is looking forward to working with Industry Canada and the Task Force in "continuing to fight the fight."
The floor opened to questions, and one participant referred to earlier comments that the Australian and Canadian codes are similar. He said the difference is that the Australian code is instituted by ISPs but requires compliance by law, and he called the difference significant. Mr. Peter Coroneos said the code of practice in Australia has two parts. The main body is mandatory, but page 21 of the code sets out some best practice guidelines that are not intended to be mandatory. "We set out things many ISPs are already using" like blocking port 25 or limiting the rate at which subscribers can send out e-mail. The legislation doesn't have any technological stipulations in it because as soon as you include technological rules it becomes outmoded and then there is no benefit to requiring industry compliance.
Mr. Coroneos said one mandated stipulation requires having a law enforcement authority contact reside in each organization. Spam filters or services are required and mandated, although he said most ISPs are providing these things anyway. A customer complaints mechanism is also mandated to ensure complaints are dealt with and "don't just fall into a black hole." He said when regulators say blocking port 25 sounds like a good idea and ask why it is not mandated, his association argues it is untenable for providers to require that. "We're pushing back." The code is due for registration before Christmas 2004 and will go through a consultation process. Mr. Coroneos said the code is there to foster best practices as they evolve.
Another participant asked if the Australian Communications Authority (ACA) has been an active regulator in requiring a mandate for the codes. Mr. Coroneos said this code would be the only one for spam, but there are other online regulations for children. Although the codes prompt headlines saying the Australian government censors the Internet, they are really regulations for ISP filtering. Further action is instituted only if the regulations are not implemented voluntarily. In order for such regulations to apply evenly across an industry, a regulator must go out and make it happen. He said Australia created a standard that would have called for fresh regulations if word got out that application was uneven and the process failed.
Another participant questioned the need for registration if it is indeed voluntary. Mr. Coroneos said it is a voluntary part within a mandatory code. "It's a workaround."
One participant restated his earlier comments on concern in industry about working toward voluntary codes in a quasi-regulatory environment: that something voluntary should suddenly become regulated. He said the many comments about money and effort in stopping spam and possible consequences to an ISP, including being blacklisted if they are not onside, will never lead to the resolution and co-operation Mr. Binder mentioned in his earlier presentation if the focus remains on legislation.
One other participant said blocking will not only reduce Canadian spam, it will drive peer pressure globally. He said, "I presented port 25 at Messaging Anti-Abuse Working Group (MAAWG)," and a telecom provider in Finland has completed implementation of port 25 blocking, and others are starting. Measuring the source of messages will also bring about a substantial drop and will guarantee mail delivered by users. He said his company receives only about 25 complaints per 1 million customers, a good reason to put spam procedures in place.
Michael Turner, ADM of the Information Technology Services Branch at PWGSC, said his division provides outbound services and connects directly into the main trunks of suppliers on the Internet. As an internal service provider, his division is also seeing the kind of concern around spam that Ms. Carman described. It is also implementing approaches for all departments, including PWGSC through the Secure Channel initiative, and looking into the possibility of putting the solution right on the server.
Regarding phishing, Mr. Turner said the Government On Line (GOL) program also falls under the responsibility of PWGSC, and staff in his department work closely with other departments and Treasury Board on this issue. He said the major challenge to getting clients and citizens online is the issue of public trust. PWGSC concluded some time ago that to guarantee this level of trust for sensitive transactions (financial or personal information) meant moving to a full Public Key Infrastructure-based (PKI) system throughout. Mr. Turner said this solution is far too expensive for commercial e-mail, and the government is only using it for sensitive e-mail. However, it is still one of the largest PKI environments in the world.
PWGSC will be following some of the best practices laid out today, but all the technical solutions for blocking spam aren't enough. Blocking will not be a full deterrent; that requires a multi-pronged solution. "Let's not forget at the end of the day that we have a group of politicians backed by a group of angry citizens" that will be looking to public servants to implement a solution. Mr. Turner said when government staff are called upon to speak to the Minister on this issue, he wants to have the best solution possible in place for that. "Sooner or later we'll have to address that legislative agenda."
Ms. Lawson said she heard a lot of people at the table cautioning against technology solutions and saying it is inappropriate for government to mandate technology solutions, but she said she didn't hear anyone say that government should, or would, go that route. "I want to distinguish between the legislation that may be proposed" and what many are cautioning against.
Another participant said most of what he'd wanted to say had already been mentioned, but speaking as a lawyer, "the train is coming" and Canada needs to be on board with the best experience. He said he had received seven spam and two phishing e-mail messages on his Blackberry just during this meeting. In spite of the thousands of dollars his firm has spent to address the issue, "it is clear it is not enough."
Mr. Copeland said "we've heard some common threads today," some implied, some explicit in terms of fear. But when the Senate and House of Commons start working on this project, they won't have the same working knowledge that this group does, so they will be looking to industry for explanation and assistance. Their reality is what they see every day as users and customers.
Regarding earlier comments that no one is complaining about spam, it is a perception issue that needs to be addressed. "Even the big guys" can't dent this unless all levels are working together. Cost is an issue and neither government nor industry has the ability to recoup that cost. He said Internet service is one of the most competitive industries there is, and costs don't increase incrementally year to year. If businesses can enjoy some better utilization of networks, that's great but cost recovery is difficult to realize. For ISPs, Mr. Copeland said the key to the Australian law is that technology is not mandated. Activities are, but technology continues to be a business decision. "We are making progress with the Task Force," he said, and he thanked the co-ordinators for bringing the group together.
Another participant clarified an earlier remark that technology shouldn't be mandated, but it is all right to mandate the principles. The participant stated that the issue in question is mandating anything on industry, technology or otherwise. The chair thanked all the presenters, speakers and participants for their input throughout the day.