In their first enforcement effort under Canada’s anti-spam legislation, the CRTC has taken down a malware-infected server that was sending out millions of spam e-mails a month.
Since the legislation went into effect in July, the CRTC has received over 120,000 complaints and have opened a number of investigations.
According to a CRTC release, in July, the Spam Reporting Centre, a recently created non-governmental agency, began receiving complaints about a high volume of spam coming from Access Communications, a Saskatchewan-based Internet service provider.
The CRTC investigated and found that the messages were coming from a computer reseller whose server had been compromised.
The server had been infected by a package of malware known as “Ebury” or “Windigo” that exploits vulnerabilities in Linux operating systems to send out spam messages. Created by a gang of cyber criminals, the malware has infected tens of thousands of servers around the world.
The CRTC notified the business and Access Communications about the compromised server and the situation was dealt with.
“This investigation illustrates how we can tailor our enforcement actions to the situation at hand,” said Manon Bombardier, chief compliance and enforcement officer for the CRTC, in a press release. “By working together, we were able to stop this malicious spam from continuing to be sent to Canadians.”
The CRTC is one of three enforcement agencies, along with the Competition Bureau and the Office of the Privacy Commissioner, charged with ensuring compliance with CASL.
David Fraser, an Internet, technology, and privacy lawyer with McInnes Cooper, says that this is the first piece of information from the CRTC about how they are implementing the new anti-spam legislation.
“For those who advise clients in this particular area, we’re operating in a bit of an informational vacuum with respect to understanding what the CRTC is doing under its responsibilities under this legislation,” he says.
Fraser hopes that the CRTC will release more specific information about their enforcement activities.
“Are their enforcement priorities going after the really bad actors or the small-and-medium-sized businesses who are technically non-compliant? How do these complaints break down according to industries?” asks Fraser. “It really would be helpful for businesses to understand where things stand so they can make sure that they are focused on the things that are the highest risk.”
According to Fraser, while it’s certainly a good thing that the CRTC informed a company that their server was being used to send spam, that doesn’t actually qualify as an enforcement action under CASL.
“It is not a contravention of the legislation to accidentally have your systems invaded and taken over and exploited for somebody else’s use,” he says.
Instead, Fraser says that the biggest concerns for businesses remain the consent and content rules, for which there still isn’t much information.
“It really would be helpful for businesses to understand where things stand so they can make sure that they are focused on the things that are the highest risk,” he says. “And the highest risk is not just the risk of non-compliance, but also the risk of enforcement action.”
Fraser goes on to say that while it’s good to know that over 120,000 complaints have been filed, it doesn’t actually tell the public much about how many companies are non-compliant.
“It’s stupendously easy for somebody to file a complaint under this legislation,” he says.
Fraser himself says that he’s seen a number of messages come through his inbox, which at first he believed violated CASL.
“But when I communicated with the company that sent them to me, they have provided their justification and in a lot of cases, they were in fact okay to send that message to me,” he says. “So if there are e-mail messages that I have received where I immediately thought were across the line and later discovered they were legit, then the number of complaints that may not be well-founded that could land at the CRTC could be very, very high.”