Speech by Andrea Rosen, Chief Compliance and Enforcement Officer Canadian Radio-television and Telecommunications Commission to the Canadian Telecom Summit Panel on “Privacy and Security”, Toronto, Ontario, June 1, 2011
I’m pleased to be here today to speak with you about the CRTC’s planned efforts to enforce Canada’s anti-spam legislation.
CRTC is gearing up
Spam is a big problem—one to which Canada is neither immune, nor unwelcoming. In fact, as a result of the length of time it took for Canada to enact legislation, we have the dubious reputation of providing a safe haven for spammers.
The annual global economic impact of spam—measured as losses that result from fraud and privacy breaches—is estimated to be around $100 billion. Canada’s share of that figure is about $3 billion. Spamhaus, an independent organization that tracks spam operations worldwide, recently ranked Canada ninth among the ten worst countries in the world for the proliferation of spam. And everyone in this room knows how many dollars are necessarily allocated to protecting an organization’s infrastructure, rather than putting those funds to more efficient, productive and profitable use.
For most people, spam is merely unsolicited, nuisance messages that clutter their inbox. In fact, we in this room all know it’s much more sinister than that. Spam e-mails are one of the main agents that miscreants use to deliver harmful applications such as spyware and malware. Once these programs are installed on a computer—usually without warning—they help spammers steal personal data, defraud individuals and corporations, and disrupt the legitimate flow of information across electronic media. Your pipes are full of e-mails from these spammers and it’s time we dealt with it—and I do mean WE!
The CRTC, the Competition Bureau and the Office of the Privacy Commissioner now have the necessary powers to pursue the people who use spam and other forms of malicious software to steal data, disrupt legitimate business and ultimately erode the public’s trust in electronic commerce.
When Bill C-28, Canada’s anti-spam law, comes into force, it will give us new tools to track down and pursue spammers. And through its newly minted Compliance and Enforcement Sector, the CRTC in particular will play a prominent role in identifying wrongdoers and reducing the harm they cause. The new law gives the Commission powers to address three principal problems:
spam, which is the indiscriminate delivery of commercial electronic
messages without consent,
botnets, which are applications that alter the transmission of data in
electronic messages via networks of infected computers than have been
taken over by hackers, and
malware, which are programs installed on a computer without a user’s
consent and that are designed to disrupt or deny operations, delete or
steal information or otherwise cause abusive behaviour.
Today, I will share with you my vision of the effective enforcement of this law, and how my team intends to get the job done. My attention is focused in three main areas:
1. We are ramping up to conduct investigations. We have spent the last few months hiring staff and setting up a specialized computer laboratory. We are now open and ready for business. As our first priority, when the law is in force, we will be targeting the most egregious violators: the high-volume spammers, the 6,000 malicious URLs and the 20 botnets currently located in Canada.
2. We are establishing partnerships to gather intelligence and expedite results. I will have more to say on this topic in a moment.
3. We are developing specific deterrence measures and compliance options that will produce measurable results.
Spammers not welcome
How will the Act work and how will we use it to track down and deal with violators?
Enforcement of Bill C-28 is based on an opt-in consent regime. Unlike the U.S., where consumers have to indicate that they do not want to receive e-mails from marketers, Canada’s anti-spam law stipulates that people must prior consent to receive commercial electronic messages.
This means that, save for a few exceptions, anyone who distributes unsolicited commercial e-mails to consumers without their prior consent will be violating the law.
The new law gives the CRTC a variety of investigative and enforcement tools, such as the power to obtain search warrants and restraining orders. We also have the ability to seek injunctions and issue undertakings and notices of violation. And we have streamlined procedures to cooperate internationally in order to take cross-border action. In other words, we have the tools at our disposal to find spammers wherever they’re hiding and the powers to shut down their operations.
We will act in two ways. First, we will impose administrative monetary penalties of up to $1 million for individuals and as much as $10 million for businesses. These are the largest penalties of their kind under any anti-spam legislation in the world, and one of the clearest messages that we can send to spammers to let them know that they’re not welcome here.
Second, as appropriate, the law permits consumers, businesses and network providers who have been victimized by spam, botnets or malware to take private action against wrongdoers. That means that some spammers could find themselves before the courts, defending themselves in civil proceedings and ordered to pay significant sums.
A partnership against spam
Although we’re pleased with the extent to which this new law will help us shut down spammers and protect Canadians’ data, we’re not so naïve to think that enforcement will be easy. Spam isn’t a localized problem. It’s not a national problem. It’s a global problem. That means that the CRTC will have to rely heavily on partners in government and business to enforce the provisions of the new act. In fact, we are taking the lead in bringing together various partners to combat spam.
Here at home, the CRTC, the Competition Bureau and the Office of the Privacy Commissioner will coordinate our efforts to deter, identify, pursue and deter wrongful conduct in the electronic marketplace.
We will also continue to participate in the activities of international organizations, such as the Messaging Anti-Abuse Working Group (MAAWG), whose members develop and share best practices to fight spam and other forms of messaging abuse. We are pleased that a number of Canadian companies in the field of information and communications technologies are participating with us at MAAWG, which strengthens our collaborative efforts.
At the same time, we have excellent relationships with our international counterparts and are working closely with the international law-enforcement community to track down spammers.
Finally and perhaps most significantly, we will draw upon the resources and expertise of our private-sector partners—indeed, many of you in this room who are more aware of spam’s reach and effect than anyone else—to further our efforts. We have identified four areas in which we hope to build anti-spam partnerships with industry, while, of course, respecting privacy rights.
One, we hope to work with Internet service providers—ISPs—to identify, prioritize and investigate complaints submitted to them from their customers. Our goal is to make it easy for Canadians to register spam complaints.
Two, we intend to work with the Spam Reporting Centre to issue lists of infected computers to each ISP, with the hope that the ISP will help its customers resolve their spam problems.
Three, we will deliver to ISPs the Internet Protocol addresses of known spammers and malicious URLs with the hope that the ISPs will help shut down their activities.
And four, we will work with ISPs to assist in reducing their exposure to spam or malware.
In the coming months, we will reach out to more of you. Technology companies must also be vigilant and engaged. We will turn to e-mail service providers, as well as application developers, to help us identify the violators and ensure that these companies themselves are not the victims of this kind of electronic activity.
It’s vital that the telecom industry understands that we need its help to succeed. We need your help to track down spammers. Under the anti-spam legislation, a telecommunications service provider will not be held responsible for spam messages merely sent over its network. However, telecommunications providers market, and partner in marketing, their services, and I would hasten to add that willfully turning a blind eye to practices that facilitate abuse is not an excuse, nor a free pass from investigation.
If you have a problem controlling the flow of outbound e-mails from your business, come to us. The CRTC is ready to help you develop a plan to fight back against spammers.
Incentives for violators
A strong and effective enforcement program not only depends on cooperation from the lawful business community, but also from some of those we are pursuing. It is rare that someone is acting alone to send spam or create botnets and malware. There will be times that our efforts will be much more successful if we can secure the cooperation of the people who are engaging in these activities.
Those who walk voluntarily through our doors first will be treated with more leniency than those who wait for us to come to them. To qualify for leniency, however, prospective parties will need to put an end to their activities, and a full and frank exchange will be required for the duration of the investigation, as well as any subsequent investigations.
We are currently developing a predictable and transparent process to deal with those who come to us voluntarily. This will ensure that prospective parties know in advance the rules and possible outcomes, and that they will be treated fairly and equitably.
For now, let me just say that anyone not part of the solution will be considered part of the problem, and we will go after them.
I mentioned earlier that Canada belongs to a dubious club. We’re one of the ten worst nations in the world for the proliferation of spam. I will tell you that’s not going to be the case much longer. Together, we can send a strong message to violators across the world that when it comes to spam, Canada is closed for business.
– 30 –
MediaRelations, Tel: 819-997-9403 begin_of_the_skype_highlighting 819-997-9403 end_of_the_skype_highlighting, Fax: 819-997-4245
Tel: 819-997-0313 begin_of_the_skype_highlighting 819-997-0313 end_of_the_skype_highlighting, TDD: 819-994-0423 begin_of_the_skype_highlighting 819-994-0423 end_of_the_skype_highlighting, Fax: 819-994-0218
Toll-free # 1-877-249-CRTC begin_of_the_skype_highlighting 1-877-249-CRTC end_of_the_skype_highlighting (2782)
TDD – Toll-free # 1-877-909-CRTC begin_of_the_skype_highlighting 1-877-909-CRTC end_of_the_skype_highlighting (2782)
Ask a question or make a complaint