ARCHIVED—2. Clarifying The Rules
Stopping Spam: Creating a Stronger, Safer Internet
Report of the Task Force on Spam
May 2005
The Challenge
Traditional markets for physical goods and services operate in the context of laws and regulations designed to promote fair competition and protect consumers. To work effectively, e-commerce markets need similar rules to guide commercial behaviour. As discussed in the previous chapter, spam presents a significant threat to the development of e-commerce by imposing costs, creating inefficiencies, causing harm and undermining the confidence of business and consumers alike.
Some of the threats posed by spam can be dealt with by enforcing existing legislation, raising business and consumer awareness, and promoting public education. However, these measures are unlikely to succeed against the truly bad who are found among spammers – those whose intent is to commit fraud, steal personal identity, violate privacy, gain unauthorized access, or cause harm to computers and network equipment. Clearer laws prohibiting illegitimate behaviour, strong penalties and rigorous enforcement are needed to deal with these kinds of threats, and to underpin Canada's toolkit approach to fighting spam.
A strong domestic framework will become even more crucial as spam increasingly becomes the vehicle for activities such as phishing, and technology such as spyware, viruses and botnets, which pose a serious threat to the Internet as an economic platform by undermining trust. The Internet has become part of our nation's critical infrastructure and we must, as a country, be able to effectively address these threats to its security.
A strong domestic framework is also needed if we are going to play our part in fighting spam worldwide. The vast majority of spam reaching Canadian citizens and businesses originates outside Canada. However, with a clear, solid legislative framework in place, and with effective enforcement capabilities and efforts, Canada would be well positioned to work towards internationally harmonized approaches and cooperative enforcement actions.
One of the first questions facing the Task Force on Spam was how well Canada's current legal and enforcement framework measured up to the challenge of combatting spam.
When An Anti-Spam Action Plan for Canada was being developed, many stakeholders expressed the view that improving the enforcement of existing Canadian laws could significantly reduce the flow of spam. Specifically, the Personal Information Protection and Electronic Documents Act (PIPEDA), the Competition Act and the Criminal Code of Canada were cited, on the following grounds, as tools that could help address the problem of unsolicited email.
- PIPEDA, designed to protect personal information in the electronic age, prohibits the collection, use or disclosure of personal information, including email addresses, without consent. This law also specifies that personal information can only be used for the purpose for which it was collected, and that consent is required for any further secondary use. Thus, any unsolicited email sent to the email address of an individual who did not consent to receive that email could be in violation of this federal Act and, possibly, other substantially similar provincial legislation.
- The Competition Act contains provisions dealing with deceptive and misleading representations. These have frequently been used to deal with misleading advertising in traditional media. The application of this Act to misleading claims made in email solicitations clearly merited examination.
- The Criminal Code of Canada contains specific provisions dealing with unauthorized access to computer systems and networks, mischief to data and more general fraud provisions. Since many email abusers send "Trojan" programs embedded in email messages, which can then be activated by spammers to relay spam, the Criminal Code could possibly be used to address these spam-related offences. Its provisions include substantial fines and even imprisonment.
Although these existing acts were identified as having provisions that could potentially be used in the fight against spam, the Task Force noted that their effectiveness remained an open question, since most had not yet been used in spam-related cases.
The first challenge facing the Task Force, therefore, was to determine the adequacy of Canada's current legal and enforcement framework in the fight against spam. To respond to this challenge, the Task Force decided to work with other government departments and agencies to examine existing laws and enforcement mechanisms to see if there were any gaps that could prevent them from being useful parts of the anti-spam toolkit.
Since this proved to be the case, the second challenge facing the Task Force was to determine what measures would be required to fill these gaps, so that Canada would have an effective legal framework and a coordinated, national enforcement approach for dealing with spam and related activities.
Task Force Actions
Raising Awareness and Catalyzing Action by Enforcement Agencies
The Task Force initially focused on facilitating discussions among private companies and the federal enforcement agencies responsible for legislation that could be used to address spam. These agencies included the Competition Bureau, the Office of the Privacy Commissioner of Canada and the RCMP (Royal Canadian Mounted Police). The intention was to evaluate how effective the individual statutes would be in prosecuting offences related to spam.
First, all federal statutes that could apply to elements of spam were identified. The Task Force decided to focus its efforts on those elements of spam that had the clearest links to provisions in existing statutes. A number of smaller task groups were established to discuss the requirements of different situations involved in pursuing cases under each statute. As of the release of this report, three complaints had been settled under PIPEDA, and one under the Competition Act (see Box 1: Recent Spam-Related Cases).
Little progress was made with respect to the Criminal Code of Canada, because of a lack of prioritization and jurisdiction, since primary responsibility for prosecution rests with provincial governments and local law enforcement agencies. However, the Task Force worked with these groups to advance the issue. In addition, the Task Force worked with the Department of Justice Canada and the RCMP's Technological Crime Branch to identify the general evidentiary requirements that would be involved in bringing cases forward under specific provisions of the Criminal Code.
Following discussions with the Canadian wireless communications industry, the possibility was raised of applying existing provisions of the Telecommunications Act to spam sent to wireless handsets. The passage of Bill C-37 (for the creation of a national do-not-call list) may provide an opportunity to strengthen the Canadian Radio-television and Telecommunications Commission's (CRTC's) ability to address wireless spam – specifically, emailing of SMS (Short Message Service) spam to mobile handsets. Of particular importance would be the CRTC's fining authority. Until Bill C-37 is passed, it may be too early to judge the role that the Telecommunications Act could play.
Box 1: Recent Spam-Related Cases
Complaint Findings by the Office of the Privacy Commissioner of Canada
Two members of the Task Force on Spam filed complaints under PIPEDA.
Michael Geist received two email solicitations to purchase season tickets from a community football team. The team's office had obtained Geist's email address from university and law firm websites. He filed a complaint with the Privacy Commissioner after he received the second email, which was sent after Geist requested that he not receive further emails.
The Office of the Privacy Commissioner found that a business email address is personal information and, therefore, protected by PIPEDA. Such information can be collected and used without consent, but only for its intended purposes (i.e. purposes related to Geist's business as professor and lawyer). The Commissioner concluded that the football team could not rely on this exception, since its purposes were entirely unrelated to the intentions of publishing the email address.
Suzanne Morin received email solicitations, from a different company than Geist, at her business email address. Her email address was collected from an online professional association membership directory. She filed a complaint with the Privacy Commissioner. The Office of the Privacy Commissioner again found that a business email address is, for the purposes of PIPEDA, personal information. The Office found that the collection and subsequent use of Morin's email address for commercial email solicitation were done by the marketing company without her consent, in contravention of the Act.
In both cases, the organizations apologized for their actions, removed the email addresses from their email marketing lists and amended their internal practices accordingly.
Resolution of a Case by the Competition Bureau
Performance Marketing Ltd. made false claims about Zyapex and Dyapex Diet Patches, promoting them as safe and natural weight-loss products, giving the impression that without performing any physical exercise or dieting a person could lose weight, reduce their appetite, control their cravings and speed up their metabolism. These claims were made via email. Performance Marketing Ltd. failed to enforce its anti-spam policy, which led to its affiliates using spam to sell the products.
The case was pursued under the Competition Bureau's Project FairWeb, which is aimed at combatting misleading and deceptive advertising on the Internet. According to the resulting Consent Agreement with Performance Marketing issued in December 2004, the company has agreed to ensure that spam will not be used as a vehicle for marketing its products, to post a corrective notice on its website and to provide a full refund to those who purchased the diet patches.
The Problem of Enforcement
The initial stages of the Task Force on Spam's work served to educate enforcement agencies on the extent and severity of the spam problem, and private companies on the legal requirements, including evidentiary requirements, for the successful pursuit of cases. In parallel with this work, some enforcement agencies have taken direct action against spammers (see Box 1 above). Nevertheless, the overall effectiveness of enforcement efforts to date has been limited.
The enforcement agencies face a number of challenges related to the use of their legislation to address all the various elements of the spam problem. Limited resources and competing priorities are significant factors hindering the two regulatory bodies involved, as well as the RCMP and local law enforcement agencies. A further impediment to effective enforcement is the frequent lack of specialized technical expertise needed to track down, investigate and prosecute spammers. Finally, in many cases, existing enforcement powers have not yet been used, and the legislative tools to attack particular elements of spam are either too uncertain in their application or simply missing.
The Task Force strongly believes in the need to strengthen the enforcement process. This should begin with a clear policy commitment to curbing spamming and spam-like activities by not only responding to complaints but also proactively investigating and prosecuting spammers.
While increasing resources, both in the form of funding and technical expertise, is essential, increased support for enforcement agencies should also take the form of better mechanisms for collecting, coordinating and processing information on spam, including that which is received from user complaints. Chapter 7 of this report discusses these mechanisms. Last, but not least, we must fill the gaps that exist in the legal and regulatory regime governing spam and other threats to the Internet, such as spyware.
Legal Research
As background to its deliberations, the Task Force researched spam legislation in other countries, with a particular focus on the United States, the United Kingdom and Australia, in order to benchmark Canada's current situation in relation to these jurisdictions. Box 2: International Anti-Spam Legislation highlights the legislation in place in a number of key countries.
The Task Force also commissioned a study examining the issue of a private right of action for spam in Canada, including the existing legislative framework, the key elements of building such a right and the views of Canadian companies on the need for such a right.
Identification of Legislative Gaps
After reviewing existing legislation and enforcement activities, taking into account the experience of other countries that have already enacted broad-based anti-spam laws, and reviewing the results of the cases triggered by the Task Force and the resulting lessons learned, a number of gaps in existing Canadian legislation and enforcement became evident.
The existing provisions of the three relevant acts, while applicable to some elements of spamming activity, could not be used with sufficient certainty to effectively address many of the methods and means used by spammers. Nor could they be used against some of the more aggressive and invasive forms of spamming, or to counter the new threats to Internet security that are emerging. Agencies are limited in their enforcement powers by the scopes and purposes of their acts, and, as the laws are currently written, many spamming and spam-related activities fall outside these boundaries.
Box 2: International Anti-Spam Legislation
United States – Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act of 2003)
Australia – Spam Act 2003
United Kingdom – Privacy and Electronic Communications Regulations 2003
France – Loi pour la confiance dans l'économie numérique 2004
European Union – EC Directive 2003/58/EC
An additional gap was identified related to deterrence. Where the acts did apply, the question remained "Are the penalties appropriate to deter spamming activities?" The Task Force determined that, while existing mechanisms may be adequate when used against legitimate companies who have spammed in error, it is not clear whether they would deter truly bad actors. Even when significant penalties are available, as through the Criminal Code, the practicality of applying them in spam-related cases is limited.
A Framework for Spam Legislation and Enforcement
After fully assessing the adequacy of existing legislation and enforcement capabilities in light of the threats posed by spam and spam-related activities, the Task Force came to the following conclusions:
- While existing laws address specific aspects of spam, they are not, separately or together, sufficient to achieve the overall goal of deterring spammers in Canada.
- A stand-alone, technology-neutral law that clearly addresses spam, spam-related offences and emerging threats (e.g. botnets, spyware and keylogging) is required. Amendments to existing laws may also be required.
Nature of Offences and Remedies/Penalties
- Failure to abide by an opt-in regime for sending unsolicited commercial email should be made an offence in a stand-alone, technology-neutral spam statute.
- The use of false or misleading headers or subject lines (i.e. false transmission information) designed to disguise the origins, purpose or contents of an email should be made an offence. This should be the case whether the objective is to mislead recipients or to evade technological filters.
- Constructing false or misleading URLs and websites for the purpose of collecting personal information under false pretences or engaging in criminal conduct (or to commit the other offences listed) should be made an offence.
- The harvesting of email addresses without consent, and the supply, use or acquisition of such lists should be made an offence.
- Dictionary attacks should be made offences.
- The new offences created should be civil- and strict-liability offences, with criminal liability open for more egregious or repeated offences. There should be meaningful statutory penalties for all offences outlined above.
- There should be an appropriate private right of action available to persons, both individuals and corporations. There should be meaningful statutory damages available to persons who bring civil action.
- The businesses whose products or services are being promoted by way of spam should also be held responsible for the spamming. Responsibility should also rest with other third-party beneficiaries of spam.
Administration and Enforcement
- The Minister of Industry should be responsible for administering new legislation on spam, and a centre of responsibility should be established for policy oversight and coordination, public education and awareness, and support to enforcement agencies.
- Enforcement of new legislative provisions addressing spam should be undertaken by existing agencies.
- New and existing spam provisions must be accompanied by increases in dedicated resources and support for the agencies that will enforce them.
- Given that spam is a borderless problem, there is a need for provisions allowing for cooperative international enforcement and investigation. Any current provisions should be examined and amended as required to allow for seamless action on spam.
Regulatory Arrangements
Although the main focus of discussions among working group members was the prohibition of spamming and spam-related activities, there was some discussion at the Stakeholder Roundtable meeting in December 2004, as well as among Task Force members, about broader regulatory arrangements. Some argued for a "co-regulatory" approach, based on the Australian model, that would outline responsibilities, primarily for ISPs, in areas such as protecting networks against spam. Others maintained that the Canadian practice of voluntary cooperation and industry peer pressure would prove to be a faster and more effective way of fighting spam than the co-regulatory approach. While there was much debate on this topic, there was general agreement that government should play no role in dictating specific technical solutions, and that the legislative ground rules (including those outlined above) should be technology-neutral.
Although industry efforts to address the problem of spam were already under way, the experience of the Task Force has demonstrated the value of government–industry dialogue in catalyzing private sector action. The Task Force, therefore, considers continued government–industry dialogue in this area essential. The Task Force has also noted that broader questions about Internet regulation should be addressed through the Telecommunications Policy Review announced by the Government of Canada in the federal Budget 2005.
Recommendations
It is clear to the Task Force, from our analysis of the Canadian situation and the experiences of other countries, that Canada will not be able to combat spam effectively within Canada unless its multistakeholder toolkit approach includes a clearer, more comprehensive, and actively enforced set of domestic laws that protect Internet users and facilitate the development of e-commerce.
We therefore recommend the following:
Recommendation 2:
The federal government should establish in law a clear set of rules to prohibit spam and other emerging threats to the safety and security of the Internet (e.g. botnets, spyware, keylogging) by enacting new legislation and amending existing legislation as required.
Recommendation 3:
To this end, the following email activities and practices should be made offences in spam-specific legislation (these provisions may also be reflected, in whole or in part, in existing legislation):
- the failure to abide by an opt-in regime for sending unsolicited commercial email;
- the construction of false or misleading headers or subject lines (i.e. false transmission information) designed to disguise the origins, purpose or contents of an email, whether the objective is to mislead recipients or to evade technological filters;
- constructing false or misleading URLs and websites for the purpose of collecting personal information under false pretences or engaging in criminal conduct (or to commit other offences listed);
- the harvesting of email addresses without consent, as well as the supply, use or acquisition of such lists; and
- dictionary attacks.
Recommendation 4:
For these new offences, the following penalties and remedies should be applicable:
- The new offences created should be civil- and strict-liability offences, with criminal liability open for more egregious or repeated offences. There should be meaningful statutory penalties for all offences listed in Recommendation #3.
- There should be an appropriate private right of action available to persons, both individuals and corporations. There should be meaningful statutory damages available to persons who bring civil action.
- The businesses whose products or services are being promoted by way of spam should also be held responsible for the spamming. Responsibility should also rest with other third-party beneficiaries of spam.
Recommendation 5:
Regarding the enforcement and administration of new legislation:
- the administration of a new stand-alone law should be undertaken by the Minister of Industry, with support from a separate body responsible for policy oversight and coordination, public education and awareness, and support to enforcement agencies; and
- enforcement of legislative provisions addressing spam should be undertaken by existing agencies.
Recommendation 6:
The federal government should place priority on anti-spam enforcement by providing stronger support and dedicated resources to agencies to administer and enforce new and existing anti-spam legislation.
Recommendation 7:
The federal government, in coordination with the provinces and territories, should conclude and implement cooperative enforcement agreements with other countries. These efforts should include examining and amending existing legislative provisions as required to allow for seamless international cooperative investigation and enforcement action.