Virginia spam law takes effect; Canada still sorting it out

Compared to the antispam legislation Virginia enacted last week, Canada’s laws regarding spam are lax and ineffective, according to one antispam organization.

The U.S. state’s new law focuses on spammers, people who send unsolicited bulk e-mail through deceptive or fraudulent means. The new law enforces criminal charges against those who take part in common spamming practices such as forging the return address line of an e-mail message.

In Virginia, the penalty for sending more than 10,000 unsolicited e-mail messages in one day is now a prison sentence from one to five years along with the relinquishment of any profits and assets related to these fraudulent activities.

“Oh boy, I wish we had a law like that,” said Neil Schwartzman, chairperson of the Canadian Coalition Against Unsolicited Commercial E-mail (CAUCE) in Montreal.

Schwartzman said that Canadian laws dealing with unsolicited bulk e-mails are non-existent, and that the most effective way to deal with spammers would be to take any government agency out of the loop with regards to launching antispam initiatives on a legal basis.

“In other words what we support is private right of action so that the people who are getting hit by spam – be it the consumer, an educational institution, a company or an ISP – can launch a lawsuit on their own and we won’t have to wait around for the RCMP or an obviously over-swamped Industry Canada (IC) or Canadian Radio-Television Commission (CRTC) to look after this problem,” Schwartzman said.

Compared to the new Virginia law – which attacks spammers specifically and applies strict penalties to their actions – Canadian policies are very broad. While Canadian Acts detail what organizations can and can’t do with an individual’s private information and who has the right to view or use this information, they don’t address spam directly, nor do they lay out firm consequences to the sometimes-fraudulent activities of spammers.

According to the office of the Privacy Commissioner of Canada, the government is currently protecting the privacy of Canadians in two ways: with the Privacy Act which took effect in July 1983, and with the Personal Information Protection and Electronic Documents Act, or Bill C-6, which is being implemented in three stages. The first stage began in January 2001, and the act will be fully implemented in January 2004.

According to the office of the Privacy Commissioner of Canada, the Privacy Act imposes obligations on 150 federal government departments and agencies to respect the privacy rights of Canadians by placing limits on the collection, use and disclosure of personal information. This Act gives Canadians the right to access and correct personal information about themselves held by these federal government organizations. The Act also says that permission is required from the individual before information can be made available to a third party.

Stage one of Bill C-6 determines ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. In stage two, the personal health information collected, used or disclosed by these organizations also becomes covered. The final stage of Bill C-6 will cover the collection, use or disclosure of personal information in the course of any commercial activity within a province including provincially regulated organizations.

Unlike Virginia, these laws don’t come with concrete prison sentences given to those who violate Canadian laws. Instead there is an investigation by the Privacy Commissioner of Canada who will then determine if the complaint should be taken to the federal court of Canada.

An individual dissatisfied by the actions of the privacy commissioner or with the results of the investigation can apply to the federal court for a hearing. The court can award damages to an individual – including damages for humiliation – and can order an organization to correct its practices. Punitive damages in these cases may not exceed an amount of $20,000.

According to Industry Canada, computer mischief offences could apply in cases where spamming would interfere with or obstruct a person’s access to data or use of a computer system, and the sender was reckless in that he or she understood that this would likely occur. Mischief is punishable by up to ten years imprisonment.

Schwartzman said that with the introduction of Virginia’s new law, Canada has a very dire problem on the horizon, which is that all these U.S. spammers are going to turn around and set up shop here.

“We have great connectivity and extremely lax banking laws. It’s only a matter of time. In fact, I wouldn’t be surprised to see that they have already laid down some of their infrastructure. I would be shocked if they hadn’t,” Schwartzman said.

In July 1999, IC released a report entitled Internet and Bulk Unsolicited Electronic Mail (SPAM) which said that spam is considered a form of expression, meaning that any attempt by the government to control it, regardless of the means, would have to be consistent with section two of the Charter of Rights and Freedoms.

Section two of the Charter covers fundamental freedoms including the freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication.

Chris Lewis, a security architect at Nortel Networks Canada Ltd. in Ottawa said that he would like to see a balancing act that allows both commerce and freedom of speech on the Net, but not at the expense of filling people’s e-mail inboxes with unwanted messages.

“In the end you have to consider that unsolicited bulk is unsolicited bulk and your mailbox is going to be filled with penis enlargement scams or dental adhesive [advertisements] or vote for Joe and it’s all the same thing to the recipient,” Lewis said.

According to the 1999 IC report, the government “believes that Canada has the right mix today [to deal with unsolicited e-mail] but will continue to monitor developments and consider changes if they are required.”

Over three years later unsolicited e-mail again became a concern for the government and was highlighted in a report released in January 2003 entitled E-mail marketing: Consumer choices and business opportunities.

According to the report, 31 billion messages were sent over the Internet in 2002, and that number will reach or surpass 60 billion in 2006.

The report states that because the sender of spam only incurs minimal costs for sending hundreds of thousands, or even millions of e-mails in a totally indiscriminate fashion, abusive electronic mailing may remain an issue for some time.

According to IC one of the biggest problems in legislating spam is that Canada doesn’t have a concrete definition of what spam is. The closest Canadians are to a working definition is borrowing a definition from the Australian National Office for the Information Economy (NOIE) which states that spam e-mail is a communication that could not be reasonably assumed to be wanted or expected by a recipient.

Lewis said that although spam could simply be defined as “stuff you don’t want,” the same thing could be said about e-mails from relatives.

“I suppose the most important thing to say is that when your mother sends you something, yes you may define it as spam but it’s certainly not something you want the police to get involved with,” Lewis said.

He added that what the definition of spam boils down to is “primarily unsolicited commercial e-mail where the sender has no prior business relationship with [the recipient] at all.”

Peter Szabo, a messaging specialist at Canada’s National Research Council (NRC) in Ottawa said that although it would be nice if Canada would take a more active approach in criminalizing the fraudulent activities of spammers, he doesn’t think it is going to happen because many spammers are sending the unsolicited e-mail outside of Canada’s jurisdictions.

“Since 99 per cent of the spam we are receiving, we aren’t receiving from inside Canada, [government legislation] wouldn’t make a real dent. Half of the spam that I see originated in the Far East…from Korea and China,” Szabo said.

According to IC, spammers have found ways of identifying and using facilities that are not configured appropriately and to use them as relays for distributing their communications. This could result in a spammer in North America being able to use an improperly configured server in Asia to relay one million or more e-mails to U.S. customers.

Ed Cartwright, director of communications for the Canadian Marketing Association (CMA) in Toronto said that his organization is concerned that if spam isn’t addressed it could block out legitimate e-mails. In a submission to IC, the CMA suggested a couple of options for dealing with unsolicited e-mails.

“As far as legislation is concerned, that’s certainly an option in Canada provided it’s harmonized with legislation in other countries. We support the need for more advanced spam filtering technology…provided it doesn’t block out legitimate e-mails,” Cartwright said.

Lewis said that although it would seem that Nortel would be in favour of spam because it would increase the company’s hardware sales, in actual fact Nortel “strongly believes that the massive increases in unsolicited commercial e-mail is discouraging its growth.”

“And there are lots of people that are being turned off the Internet completely because they get on the Internet and all they have in their inbox is junk. And when you are turning customers off like that it can’t be good for the industry,” Lewis said.

CAUCE Canada can be found online at Government reports regarding unsolicited e-mail can be found online at