Canada's anti-spam law ("CASL")
outlines violations, enforcement mechanisms, and penalties aimed at
protecting online consumers against spam, electronic threats, and
misuse of digital technology. CASL's anti-spam rules came into
effect on July 1, 2014. CASL's software update and installation
rules came into effect on January 15, 2015. The latter rules are
often referred to as malware/spyware computer program rules. Under
these rules, CASL applies when a person, in the course of a
commercial activity, installs or causes to be installed a computer
program on any other person's computer system, unless the
person has obtained the express consent of the owner or an
authorized user of the computer system.
The Canadian Radio-television and Telecommunications Commission
(the "CRTC") has the primary enforcement
responsibility under CASL. Under CASL, the CRTC has various
enforcement mechanisms, including obtaining a warrant with respect
to a suspected CASL violation. On December 3, 2015, the CRTC
announced that it served its first-ever warrant under CASL to take
down a command-and-control server located in Toronto, Ontario. A
command and control servicer is a centralized computer that issues
commands to a botnet and receives reports back from the co-opted
computers. A botnet is a set of computers that have been
compromised through the installation of malware and which can be
instructed to send spam, install additional malicious programs,
and/or steal passwords, among other illicit activity.
The malware in this case was Win32/Dorkbot malware, which has
infected more than one million personal computers worldwide by
spreading through social networks, instant messaging programs, and
USB flash drives. Once a computer becomes compromised, it can be
instructed to steal passwords used for online banking and payments,
download and install dangerous malware, and join other infected
computers in sending multiple requests to a specific server in the
hopes of overwhelming its capacity to respond (known as a
distributed denial of service attack).
According to the CRTC, agencies from around the world, including
the Federal Bureau of Investigation, Europol, Interpol, Microsoft
Inc., the Royal Canadian Mounted Police (the
"RCMP"), Public Safety Canada, and the
Canadian Cyber Incident Response Centre, are working together on
the investigation of Dorkbot. The warrant in Canada was granted by
a judge of the Ontario Court of Justice and was carried out with
assistance from the RCMP. No further details have been provided by
the CRTC yet regarding the details of the warrant or the execution
The ability of the CRTC under CASL to obtain a warrant is quite
broad. The CRTC may obtain a warrant authorizing entry to a place,
including a dwelling-house, if a Justice of the Peace is satisfied
that entry to the place is necessary to verify compliance with
CASL, determine whether CASL has been contravened, or assist an
investigation or proceeding in respect of a contravention of
foreign state laws that address conduct that is substantially
similar to conduct prohibited by CASL. Subject to any conditions
specified in the warrant, the person executing the warrant may do
the following: examine anything that is found in the place; use any
means of communication found in the place or cause it to be used;
use or cause to be used any computer system found in the place to
examine data contained in, or available to, the system; prepare or
cause to be prepared a document based on the data; use or cause to
be used any copying equipment to make copies of documents; remove
anything found in the place for examination or copying; and
prohibit or limit access to all or part of the place.
Businesses should be aware that the CRTC has indicated that it
will continue to collaborate with its domestic and international
partners to aggressively pursue investigations of alleged
violations under CASL to protect Canadians from online threats.
Although the first warrant under CASL was issued in relation to the
installation of malware on computer systems, the software update
and installation rules are broad in that they apply to the
installation of unwanted software that is not malware or spyware.
In order to comply with these rules and to avoid investigation by
the CRTC, businesses should seek express consent, as required by
CASL, prior to installing computer programs on another person's
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).