Ottawa finally announces anti-malware legislation

Almost four years after a national task force tabled its recommendations for attacking spam, Ottawa has introduced legislation it claims will protect consumers and businesses from the most dangerous and damaging forms of malware.

However, an industry analyst doubts the law on its own will have much effect.

The Electronic Commerce Protection Act, tabled in Parliament on Friday morning, would give the Canadian Radio-Television and Telecommunications Commission (CRTC), which regulates Internet and wireless providers, and the federal Competition Bureau the right to charge Canadian-based senders of malware with breaking the law. Offenders would face fines of up to $10 million for an organization or $1 million for an individual. The wording, which would cover system builders, forbids anyone from installing a computer program on a computer for sale that would send an electronic message without the consent of the owner or user.

The two departments and the federal Privacy Commissioner will be given the power to share information and evidence with their counterparts in other countries to help enforce similar laws internationally.

The proposed act also would give businesses and consumers the right to sue Canadian-based senders of malware.

Canada is one of the few developed nations not to have some sort of anti-malware legislation, so the move is bound to be welcomed. However, the legislation is 68 pages long, so some Internet providers and experts weren’t willing to give detailed opinions Friday until they had gone through it.

The goal is to “boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware,” the government said in a press release. “Our government knows how damaging spam can be to Canadians and Canadian businesses and that is why we are cracking down on Internet fraud and other forms of malicious activities,” said Industry minister Tom Clement.

An Industry Canada official who spoke on a not-for-attribution basis stressed that there’s a sizable domestic malware business to go after. “One of the big problems we have is that there are a lot of spammers operating in Canada that are sending spam overseas,” he said, “so it’s working in both directions: We are getting foreign spam but also there’s a problem of our exporting spam.”

“Spam’s a real challenge because a lot of it comes from offshore,” acknowledged Shawn Hall, a spokesman for Telus, one of the biggest Internet providers in the country. “It’s going to take a unified effort to fight spam.”

However, he added, “we’re pleased with the legislation that’s been tabled today … it provides a legal framework to stop Canadian-based spammers from bombarding Canadians with unsolicited messages and potentially dangerous malware.”

If passed, the legislation will add another tool on top of the anti-spam efforts of Canadian service providers, police in this country and international law enforcement agencies, Hall said.

However, David Senf, a security analyst with IDC Canada, doubts the law will have much effect. “It is, I’m sorry to say, not going to make a dent in the amount of trash entering your inbox,” he wrote in an e-mail interview. “This is because a global response is required – and one is not forthcoming.

“The problem is much larger than legislation. We need enforcement. We need China and Russia to step up too. Spammers need to feel real monetary pain. Schemes have been hatched before such as charging everyone micro-pennies per e-mail sent. For the average person, that’s a pittance. For a spammer, that puts them out of business. Better authentication such as through CAPTCHAs [a challenge-response test aimed at blocking spam, such as having a person type a randomly-generated series of letters and numbers on a screen] has been proposed as well. But in either case – and for other schemes too – there is some cost in time or money to the average user which will never fly.

“The Internet wasn’t designed with security in mind,” Senf added. “Spam proves that. There is no silver bullet. But there is anti-spam software. Expect to renew your subscription for some time to come …”

[For more on the problems of malware, see here.]

One of those on the task force on spam four years ago that urged Ottawa to act was Tom Copeland, who runs a southern Ontario Internet provider and is also chair of the Canadian Association of Internet Providers (CAIP), which represents ISPs across the country.

On Friday he said his association is pleased with the legislation, although he hadn’t read it all the way through. But he said that, to his understanding, the government has adopted most of the task force recommendations. (For a summary of what the task force recommended for ISPs, see here. To see the task force’s final report, see here.)

Briefly, the way the government wants to attack spam is:

– By declaring that no one [in Canada] can send or cause to be sent a commercial message to an electronic address unless the receiver has consented. A commercial message is defined as one whose content or hyperlinks include offers to sell, barter or lease goods and products, or promote a person who offers to sell things;

– The message has to identify who sent it or on whose behalf it was sent, with contact information valid for 60 days;

– It also has to have an unsubscribe mechanism to enable message recipients to say they don’t want to receive any commercial messages from that sender;

– There is an exception for commercial messages relating to product or job inquiries;

– Altering the destination of a message is forbidden, except for service providers who do it for the purpose of network management. This would appear to be an anti-phishing measure;

– To attack spyware, the legislation forbids installing an application on another person’s computer that sends an electronic message without consent.

In terms of jurisdiction, the CRTC would charge those who threaten the integrity of public networks, such as authors of denial of service attacks. The Competition Bureau would charge those who make misleading representations, such as e-mail that includes fake Web sites of banks or pushes phony products.

“It certainly has the capacity to have some impact given the fines that we’re talking about,” said security specialist James Quin of Canada’s Info-Tech Research. The law covers not only malware that originates in Canada but also malware that terminates here, which covers material sent from outside the country but routed through a computer based here.

“It’s also noting provisions that target ISPs and telecommunications providers, who have to provide records or they can be fined as well, which is also a worthwhile inclusion because it makes it easier for enforcing the law. Now you can grab the records and see where the spam is coming from.”

Michael Geist, a University of Ottawa privacy law professor who was also on the 2005 anti-spam task force, said the law’s effectiveness depends on what Internet users want. “If the expectation is that anti-spam legislation is going to clear their inbox of spam, I think most people are going to be disappointed,” he said in an interview. “The goal of the legislation ought to be [stopping] Can
