Not Just for Breakfast Any more: CASL Targets Software Installations

Requirements-and-Enforcement-of-CASL (1)Bill C-28, the Fighting Internet and Wireless Spam Act of 2010, has certainly caused quite a furor since it was introduced in 2009. Canada’s Anti-Spam Legislation (CASL), as it’s more commonly known, first garnered ballyhoo over its severe proposed penalties for organizations that haven’t aligned their marketing strategies with reality, or individuals that think spam is a pretty good alternative to getting a job. Under the original law, businesses that got caught spamming would be subject to fines as much as $10 million, and individuals faced penalties of up to $1 million.

The outcry then morphed into a frenzied lobbying effort by conservative Prime Minister Stephen Harper’s corporate pals, worried that the new legislation would harsh their mellow and cripple their ability to buy that shiny new jet airplane. The law was tweaked and re-tweaked, each time threatening to be the death of the law. And while Canada’s anti-spam legislation risked total collapse, many pointed out that Canada was already the last G-8 country to impose such a law, so it had already failed, in a very real sense.

Then, cynicism and criticism set in. Truthfully, it’s a bit of a miracle that this law ever grew up to be reality, and there’s still doubt that the government of Canada will actually do anything with the law. Nevertheless, it’s set to go into action on July 1st of this year, and the next wave of craziness has ensued. Just Google CASL. Lawyers, marketing agencies and bloggers everywhere are gearing up for the change, advising their clients and interested parties how to comport themselves come July 1.

But with all the mayhem over CASL, we seem to have missed something. Everyone has been so focused on the email and spamming aspects of the law, so they can be forgiven for failing to notice another key mechanism:  the law’s interest in regulating software installations.

According to, Michael Fekete, a privacy and IT lawyer says that “CASL’s computer software regulations will set ground rules on installing programs on other people’s devices.” This particular component of the law won’t come into effect until January 15, 2015, and there will be a three-year ‘transition period,’ but it’s as important as the spamming components of the law. “These computer software rules will apply to anyone who installs a computer program on another person’s computer system, as well as anyone who causes an electronic message to be sent from a computer system where he or she installed a computer program. A program is defined as any executable code, Fekete said.”

Like the rest of the law, the software installation portion applies to anyone located in Canada, or any computer system housed in Canada. One of the sore points of the law, critics have pointed out, is that while CASL promises to be tougher than any other legislation of its kind, enforcement of offshore violators will be difficult at best, impossible at worst. So enforcing what an application coming from, say, south of the border in the US, does to a computer located in Canada, presents obvious legal difficulties.

On the other hand, if a computer in Canada is installing software on a computer in the US, then that counts as a violation under CASL and is subject to harsh penalties. And it doesn’t just apply to desktop systems. In what Fekete calls “very broad, prescriptive rules,” mobile devices are covered as well. One should infer that it could even extend to other connected devices like TVs, set-top boxes, and even refrigerators. So many of these devices run on either a Windows or Linux platform and it’s not inconceivable that rogue software installations can be performed on them.

“For someone to be able to install a program on another person’s computer, and still be in compliance with CASL, he or she will have to get express consent.” Like the spam aspects of the law, that express consent means either written or verbal, and that poses a real problem for legitimate uses of remote software installations. For example, I have a couple of smart TVs, both which connect routinely to the Internet for firmware updates. Same with my XBox, PS3, and PS4. Under CASL, will those vendors have to contact me and get my go-ahead before I can get new firmware? If this is a gray area, then the companies which manufacture these devices will opt for the safest route.

In addition, there are a number of invasive activities like collecting information or interfering with normal operation. So sit back and enjoy the show. This could be fun to watch.

Leave a Reply