On December 3, 2015, the CRTC issued a release announcing its first-ever execution of
a warrant under the Canadian anti-spam law (commonly known as
"CASL"), as part of a coordinated international effort to
disrupt a major botnet family.
The effort also involved law enforcement and cybersecurity
authorities in the U.S., Europe, and Asia, as well as Microsoft and other private sector actors.
The target botnet family, known as "Dorkbot", can be exploited to capture
personal information (particularly passwords) from users of
compromised PCs, to send out spam, or to participate in distributed
denial of service (DDoS) attacks, as well as to propagate other
The Dorkbot malware, which has been observed and studied by
security researchers since 2011, is available in "kit"
form, allowing relatively unsophisticated actors to establish and
control their own botnets. This has led to wide distribution;
Microsoft reports that there are more than 1 million infected PCs
in over 190 countries worldwide.
The recent take-down effort appears to have targeted the so-called
"command and control" servers which coordinate the
infected PCs. One such server, located in Toronto, was apparently
the target of the CRTC action.
The CRTC release does not explain the scope of the warrant or
how its statutory powers were invoked to "take down" the
The CRTC has the authority under s. 19 of CASL to obtain a
warrant from a Justice of the Peace to "verify
compliance" with CASL or to "determine whether" the
CASL provisions relating to sending Commercial Electronic Messages
or installing software without consent have been contravened. The
same provision also expressly provides for warrants to "assist
an investigation or proceeding in respect of a contravention of the
laws of a foreign state that address conduct that is substantially
similar to conduct prohibited under any of sections 6 to
The CRTC's authority under such a warrant can include
seizure of "anything found in the place", subject to
conditions specified in the warrant.
The Dorkbot malware family has been a persistent and pervasive
threat to individuals and businesses alike in recent years. It
poses precisely the kind of serious risk that Canadians would
expect CASL's anti-malware provisions to address.
Internationally-coordinated action to disrupt these botnets is
However, Canadian businesses and other organizations should also
take note that the same search and seizure powers could apply,
subject to judicial approval, to investigations of commercial
To date, the CRTC has not used its warrant power in that
context. It has instead relied on its separate Notice to Produce procedure to obtain
But, as the release notes, the Commission has "a number of
enforcement tools at its disposal". This incident demonstrates
that it is ready to apply these tools in novel ways as it continues
to ramp up its CASL enforcement efforts.