Working Group on Legislation and Enforcement
Task Force on Spam
May 2005
Conclusions
1. While existing laws address specific aspects of spam, they are not, separately or together, sufficient to achieve the overall goal of deterring spammers in Canada.
The Competition Act deals with the deceptive content of email, the Personal Information Protection and Electronic Documents Act (PIPEDA) can cover unsolicited email, and the Criminal Code covers fraudulent activity or activity that brings down servers. Through the examination of test cases and through Working Group discussions, it has become evident that there are limitations on the scope and enforcement of these acts as they relate to spam offences.
2. A stand-alone, technology-neutral law that clearly addresses spam and related offences is required. Amendments to existing laws may also be required.
What has been made clear by enforcement agencies and administrators of other applicable legislation is that the creation of any new offences or changes to existing offences must be done within the context of that law's particular purpose and scope. For example, Working Group on Legislation and Enforcement members from the Competition Bureau have stated that non-deceptive spam is beyond the reach of the Competition Act. That would include spam that clogs systems and spam that delivers spyware, adware, and other malware.
A new law would have the benefit of a new purpose that addresses the specific issue more clearly, and would contain new provisions that would augment those remaining in place under existing legislation.
Any new provisions should include exemptions for those activities carried out for legitimate purposes (e.g. security testing by authorized third parties or by organizations on their own systems).
Nature of Offences and Remedies/Penalties
3. The failure to abide by an opt-in regime for sending unsolicited commercial email should be made an offence in a stand-alone, technology-neutral spam statute.
There are two sides to the anti-spam legislative toolkit — provisions that target fraudulent or deceptive spammer conduct, and provisions that target spam as an abuse in and of itself. The former is addressed by the provisions discussed below. The latter must be addressed by way of a clear, direct prohibition against the offending activity — the sending of unsolicited (commercial) email. While PIPEDA addresses the issue of consent for the collection, use and disclosure of personal information such as email addresses, the Working Group has found that there are limitations in the ways in which the legislation can respond to the problem of spam. Given the transitory nature of spam, and the continuous evolution in the ways in which these spammers work, it is important that a new law allow for timely reaction and responsive, agile, quick enforcement.
4. In order to address some of the emerging threats related to spam (e.g. spyware), the Task Force on Spam should consider addressing the issue of personal consent and user control in a broader context.
Spyware, keylogging and botnets are emerging as very serious perils in Internet usage, and are dangers to the Internet as a critical commercial infrastructure. While there are provisions in the Criminal Code that may address certain aspects of these activities, enforcement challenges are such that the Criminal Code is an inefficient vehicle for fully addressing the issue. A general provision dealing with consent and user control, carefully worded, could provide a much-needed new tool for capturing these surreptitious activities.
5. The use of false or misleading headers or subject lines (i.e. false transmission information) designed to disguise the origins, purpose, or contents of an email should be made an offence. This should be the case whether the objective is to mislead recipients or to evade technological filters.
False transmission information and the accuracy of headers are not specifically addressed under existing legislation. The misleading and deceptive trade practices provisions under the Competition Act deal with the misleading content of messages, but may not address header information, and the pursuit of such an offence would currently be unlikely to lead to successful prosecution. Header offences related to misleading consumers would be best addressed in an amendment to the Competition Act, if they could be brought within the scope and purpose of that Act, that is, if they related to the promotion of a product or business interest. The Act would need to be amended to deem as material a misleading header that induces the recipient to open an email message.
Within a stand-alone law, header offences could be given a broader context covering more than what is addressed in the scope and purpose of the Competition Act. The stand-alone act should give guidance on what is "misleading," as the Competition Act does. It should also contain a definition of "materially misleading," to cover conduct such as simply opening an email, stopping short of making a purchase, or concluding a business proposition. This will aid enforcers when they are determining whether or not a breach of a new provision has taken place. The definition should include the practice of inserting nonsensical or obfuscated words or statements in subject lines.
Forging the names or addresses of real individuals or companies ("spoofing") should be a new, separate offence, subject to higher penalties because of the intent inherent in such conduct. Not only does such conduct mislead consumers, it can be a serious threat to competition.
6. Constructing false or misleading URLs and websites for the purpose of collecting personal information under false pretences or for engaging in criminal conduct (or to commit the other offences listed) should be made an offence.
Phishing is a form of fraud, so, when there is a victim of phishing, a case could be pursued under the fraud provisions in the Criminal Code. However, phishing is directly related to spam, in that the spam is the vehicle for delivering the fraud. Any new prohibitions against spam or spamming-related activities could be used to catch phishing attempts also. To the extent that false or misleading URLs and websites fall outside the scope and purpose of the Competition Act, they would have to be dealt with in stand-alone legislation. However, if this conduct undermines competition, no amendments to the Competition Act would be required. It is important that such an offence be drafted so as not to capture parody sites, thereby preserving this aspect of freedom of expression.
It was noted that the issue of identity theft may be outside the scope of the work of the Task Force. Furthermore, the Department of Justice Canada is reviewing the issue of identity theft and may come to legislative conclusions of its own. The Task Force should consult with Justice Canada on this issue.
7. The harvesting of email addresses without consent, or the supply, use, or acquisition of such lists, should be made an offence.
"Address harvesting" is conduct that would currently be captured under PIPEDA, which prohibits the collection, use or disclosure of personal information (such as email addresses) without consent. However, as noted above, there is some concern that PIPEDA may not be the appropriate avenue for dealing with conduct that can be harmful to the Internet and its use, in addition to personal privacy. Address harvesting for spamming purposes has consequences that call for strong deterrence and punitive effects. In addition, address harvesting must be dealt with in a timely way, because the effects of supplying or using harvested lists can grow exponentially. In order to address the economic impacts and the injury to the Internet as critical commercial infrastructure, such conduct should be covered in a stand-alone law.
The use or acquisition of address-harvesting software could be made an offence if the purpose of the software or hardware is to generate email address lists without the appropriate consent. To be made an offence, the possession of such software must be tied to the activity that the law wants to eliminate. It is worth noting that harvesting software does have legitimate uses.
8. Dictionary attacks should be made offences.
The collection of email addresses by way of dictionary attacks would not likely be covered under PIPEDA, but the subsequent use or disclosure of lists put together this way would be. Nor are dictionary attacks likely to be covered under the Criminal Code unless a server is brought down, in which case they would fall under the mischief to data provisions. Dictionary attacks could be covered under PIPEDA with an amendment, but would not be appropriate under the Competition Act, as they would not fall within its purpose clause and are more related to privacy concerns. While the Criminal Code may be a good vehicle for such an offence, this would then raise the issue of having to prove intent as a component of the offence. As a result, this activity may be best addressed in stand-alone legislation.
The possession or acquisition of software for the purposes of dictionary attacks or harvesting addresses (as per Conclusion #7) creates a reverse onus on the accused, who must then show intent was not there. Courts increasingly dislike reverse-onus provisions. Care should be taken as to how or whether the supply of software is made an offence, since such software may have legitimate uses.
9. The new offences created should be civil- and strict-liability offences, with criminal liability open for the more egregious or repeated offences. There should be meaningful statutory penalties for all the offences outlined.
Spam offences should, for the most part, be civil offences (strict-liability offences, which do not require proof of intent). However, where egregious factors give evidence of intent, enforcement should include the possibility of criminal prosecution. This type of "dual-track" regime exists under the Competition Act. There should be a meaningful penalty applicable on a per-violation basis and, possibly, an increased penalty for each subsequent violation.
10. There should be an appropriate private right of action available to persons, both individuals and corporations. There should be meaningful statutory damages available to persons who bring civil action.
This issue was well canvassed in a paper commissioned by the Task Force. The Working Group believes that a new private right of action will play an important part in any strategy to combat spam. There may, however, be some limitations to this approach, based on existing rules of civil procedure. These should be addressed.
For those who bring private action, statutory damages would eliminate the need to prove losses or damages. The presence of aggravating factors might also subject the perpetrator to double or triple penalties or damages.
11. The businesses whose products or services are being promoted by way of spam should also be held responsible for the spamming. Responsibility should also rest with other third-party beneficiaries of spam.
Businesses that knew or should have known that their goods or services were being promoted by way of unsolicited commercial email, or by email involving the spamming-related offences outlined so far in these conclusions, that benefited financially from it, and that took no steps to detect or prevent the spamming, must be held accountable for their actions. Opening these vendors up to such liability would reduce the demand for spammers. They should be subject to meaningful penalties, and persons who suffer damages from spamming should be able to recover their losses, by way of a private action, from the business whose products are promoted. Where a third party receives or expects to receive an economic benefit from commercial email that violates a new law, that party should also be liable to penalties. Parties that demonstrate that they have acted responsibly should not be affected by this provision.
Enforcement and Administration
12. Enforcement of new legislative provisions addressing spam should be undertaken by existing agencies. The legislation should include provisions to allow the agencies to use their current enforcement and investigative powers, with updates as required.
It is important to ensure that enforcement of a new spam law will be undertaken by agencies with experience, knowledge and technological know-how in complementary or analogous areas. Investigative powers may need to be updated to include procedures and practices that would address the need for timely and sometimes immediate, real-time action.
The Telecommunications Act (Section 41) may be an additional, albeit limited, tool for use in areas not covered above. Section 41 of the Telecommunications Act addresses unsolicited telecommunications and gives the Canadian Radio-television and Telecommunications Commission (CRTC) authority in this area. While Bill C-37 provides that the CRTC should be given the authority to impose administrative monetary penalties on persons who contravene a prohibition or requirement of the CRTC under Section 41 of the Telecommunications Act, the Bill has not yet been debated at committee, and it is premature to consider this potential power at this time. The Working Group is of the view that other spam offences listed so far in these conclusions could not really be addressed by the Telecommunications Act. The Task Force should continue discussions with the CRTC on this issue, as appropriate.
13. There should be a focal point or central body to undertake administration of a new stand-alone law.
On the other hand, the administration of a new law, the coordination of enforcement efforts and the development of policy and advocacy should be the roles of a separate body. Furthermore, consumers deserve a single point of contact, or a focal point, in respect to issues related to spam. Such a body should assume a proactive role in raising consumer awareness and making education an important tool in the fight against spam.
14. New and existing spam provisions must be accompanied by an increase in dedicated funding and support for the agency or agencies that will enforce them.
Without corresponding funding for investigative and enforcement efforts, a law on spam — and, even, strengthened existing provisions — will accomplish very little on its own, and will be open to immediate criticism. Adequate funding is an investment in trust and confidence in the Internet as the vehicle for e-commerce. The protection of the infrastructure of the e-economy must not be undertaken with strong words and weak action. It is imperative that strong resourcing, appropriate funding and priority policy direction accompany any legislative initiative.
15. Given the fact that spam is a borderless problem, there is a real need for provisions allowing for cooperative international enforcement and investigation. Current provisions should be examined and amended as required to allow for seamless action on spam.
Part III of the Competition Act provides for mutual legal assistance in addressing the civil competition offences that cross borders. These provisions may or may not assist in the fight against spam. Under the Criminal Code, the Competition Bureau or any other enforcement agency has recourse to the mutual legal assistance treaties in order to support cross-border enforcement. Given the resource-intensive nature of this function, appropriate funding must be allocated. PIPEDA makes provisions for disclosure without consent in the course of an investigation.