Hearings on the proposed federal anti-malware legislation will likely start next month, according to the chairman of the parliamentary committee overseeing the bill, and it could be enacted into law by the end of the year.
“I sense that there’s broad support for this legislation amongst all parties in the House,” Michael Chong, the chair of the Industry, Science and Technology committee, said in an interview Friday. “I think it’s because when you look at third parties surveys of spam origination around the world, Canada’s in the top 10 and this is not something we should be proud about.
“We’re also hearing from domestic companies that they’re having trouble maintaining their networks because of all the spam coming down the pipe. A high percentage of it – 75 to 90 per cent, we’re being told – of all e-mail traffic in Canada is spam. So we’re hearing from all quarters that this is long overdue.”
Chong’s optimism that the bill can be dealt with relatively quickly was echoed by the Liberal’s Industry critic, who said some wording only needs to be “tightened up,” and by the head of an association representing independent Internet providers, who said his group has no concerns.
Bills are sent to a committee for review and possible amendments, after which Parliament has the final say. The Industry committee will decide June 2 on its agenda for the rest of the month, and Chong believes the anti-malware law will be on the schedule.
While Chong hasn’t heard major complaints yet from the opposition or the private sector, he doesn’t believe the bill can receive royal assent by the time Parliament takes its annual summer break. The House is expected to adjourn during the third week of June. However, he’s hopeful the bill will be law before the end of the year.
Introduced four weeks ago, Bill C-27, officially called the Electronic Commerce Protection Act, forbids anyone in Canada from sending unsolicited e-mail or installing a program on a computer without permission. The maximum penalty for an organization is $10 million, and for an individual, $1 million.
What it won’t do is stop malware – which includes viruses, worms, Trojan Horses, e-mail pitches for phony investments and denial of service attacks – that originate in other countries. However, Chong said that a year after Australia passed similar legislation in 2004 it was no longer one of the world’s top 10 originating countries for spam.
C-27 closely follows legislation proposed in 2005 by a government-appointed Spam Task Force, which may be the reason why little opposition to the law has surfaced so far despite its hefty penalties and the authority it gives the Canadian Radio-television and Telecommunications Commission (CRTC) to get a warrant and enter buildings. The Privacy Commissioner and Industry Canada also have some authority.
The task force included Tom Copeland, who heads the Canadian Association of Internet Providers, which represents independent ISPs, and Suzanne Morin, assistant general counsel for Bell Canada. Although it has been disbanded, an Industry Canada official briefed task force members on May 19 on the fine points of the proposed bill. “By and large there really weren’t any significant concerns,” recalled Copeland in an interview.
“There were several comments regarding enforcement and whether the appropriate agency had been chosen, but we’ve been assured that with the monetary penalties that will be available to all three enforcers they are quite enthusiastic about enforcing the bill, should it pass.”
Industry Canada will oversee the legislation and the crucial yet-to-be seen regulations, which could include significant definitions. “They have promised us that they will hold the enforcement bodies’ feet to the fire to ensure they enforce (C-27) vigorously,” Copeland said.
Copeland’s members, small and medium-sized ISPs, could be the targets of investigators as the middlemen, or transporters, of malware. But he said the focus should be on “fraudulent spammers” and not “mom-and-pop organizations” who “made an honest mistake in an e-mail campaign.”
Bell lawyer Morin, who represents one of the biggest Internet providers in the country, noted that 60-page C-27 is a complex document. “I think all the players who are reading the legislation every day come up with new questions about how it’s going to apply in every day life. We just want to make sure it doesn’t have unintended consequences on legitimate businesses in Canada” particularly because of the stiff penalties.
“I think it needs some tweaking,” she added. “There could be negative impact on just very day software upgrades and Web browsing activity because of the consent requirements for putting software on an individual’s computers,” she said. There also could be overlap between the CRTC and the federal privacy commissioner over e-mail marketing, she said. “We wouldn’t want just standard business practices to come under the same regime and penalties as players who are really trying to do harm.”
Liberal Industry critic Marc Garneau said his party supports the bill, but “the devil’s in the details.” The bill “will no doubt need to be tightened up, needs to be clarified in a number of areas.”
For example, the definition of a computer program is too broad, he said, and might cover legitimately downloaded code. In particular, Section 6 of the act, which sets the prohibitions and exemptions, may suppress legitimate business communications, he said.
“It’s clarity that we’re talking about,” the Montreal MP and former astronaut added. “Is there anything we don’t like? No. It’s purpose is good, but we need to be clear to make sure we’re achieving what is intended.”
Chong, the Conservative MP for the southern Ontario riding of Wellington-Halton Hills, has had intimate experience with spam as the former CIO of the National Hockey League Players Association and an IT manager of two investment dealers. At least once in his career he’s had to deal with e-mail servers that were so clogged with spam they were “effectively non-functional,” he said.
Malware impairs the public’s trust in the Internet, he said, and therefore it’s value as a business platform. He believes C-27 will change that.
Understanding how IBM Spectrum Protect enables hybrid data protection
Abdicating your company’s data protection responsibilities to the first cloud solution provider you encounter is just as unwise as doing nothing at all to leverage the cloud. On the other hand, it can be a wise decision to investigate what results you might achieve by choosing a backup technology that is capable of supporting a hybrid protection approach capable of covering both on-premises technology and offsite cloud capabilities.