For the second time the CRTC has publicized the execution of a
warrant under the CRTC's powers under Canada's Anti-spam
law (CASL). The investigation is focused on the installation of
malware and the altering of transmission data.

The first such warrant was executed on December 3, 2015, when the
CRTC acted to take down a command and control server as part of a
coordinated international effort directed at the Win32/Dorkbot

It was reported that the current investigation began after a
lead provided by a private sector cyber threat and forensics
firm, FireEye Inc. As is CRTC practice, they did not name the
subjects of the investigation nor provide comment on the ongoing

Manon Bombardier, CRTC's Chief Compliance and Enforcement
Officer, stated, "We are working to protect Canadians from
online threats by pursuing those individuals and entities who
violate Canada's anti-spam legislation. We
are grateful for the assistance that FireEye Inc. provided which
led to the execution of this warrant, and we will continue to work
closely with our domestic and international partners in the fight
against cyber threats."

These enforcement actions show that the CRTC is targeting
violations of the malware and the alteration of transmission data
provisions under CASL.

An important issue for legitimate businesses under the malware
provisions of CASL is that the CASL prohibitions are very broad and
may capture some legitimate activity such as bring-your-own-device
(BYOD) policies and IT user support activities. Broadly speaking,
under CASL, the authorized user or owner of a device (for example,
a laptop, smart phone, tablet, etc.) must consent to software
installations that are not self-initiated. In certain
circumstances, consent will be required even where an installation
is self-initiated. Further, the law imposes specific notification
and disclosure obligations where such a program is capable of
certain "special functions", defined in CASL to
- collecting personal information;
- changing or interfering with settings, preferences or commands
  of the computer system without knowledge of the user;
- restricting or interfering with access of data;
- causing a computer system to communicate with any other device
  without consent of the owner or authorized user; or
- installing a computer program that can be activated by a third

What is noteworthy is that these functions need not be
malicious. Many such functions are carried out by many legitimate
computer programs. CASL requires that the installer of the program
give notice of and obtain a separate express consent from the owner
or authorized user of the device for each of these functions. Such
special functions must be disclosed and described to the user
separately from other consents and may not form part of general

In light of these notification and consent requirements under
CASL, organizations will wish to review and may need to update
their IT policies.

As further details become available on the results of the
ongoing CRTC investigative actions we may learn more about the
effectiveness of the enforcement under CASL, how provisions are
interpreted by the CRTC and any possible impacts for legitimate
businesses seeking to ensure compliance in respect of their own

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.