CASL Goes Medieval on Software January 1

Canada Anti-Spam Law Bill C-28On July 1st of this year, the Canadian Anti Spam Legislation (CASL) grew up from an ethereal entity into a law that, assuming it could be enforced, is the toughest of its kind in the world. With stiff penalties and a decidedly stiffer take on who could invade your inbox with spammy messages, CASL promised to be Canada’s response to the war on spam in a most righteous way. Of course, intentions aren’t reality and time decides what’s what, and nearly six months later, the Canadian Radio-television and Telecommunications Commission (CRTC), the independent body tasked with enforcing the law, has received more than 120,000 complaints. So far, it’s ‘enforced’ only one case, that of an Internet provider in Saskatchewan whose servers were unwittingly infected with the Windigo exploit. No fines were levied in that investigation, and much ado about something really wasn’t.

It should have been obvious to anyone watching the launch of CASL in July that all the big talk was just that. While companies in Canada, from very small to very large businesses, scrambled to ensure that they would be compliant, people wondered exactly how international compliance would work. After all, the law is very clear: whether you’re based in Canada or elsewhere, you need implicit consent if you want to send email to Canadian users. In addition, the CRTC itself has expressed hesitation that it will be able to effectively enforce the law.

With all its issues, things are about to get even dicier as CASL prepares to move to phase two on January 15th, when it begins its enforcement of software installations. According to the CBC, “starting on Jan. 15, 2015, companies will have to get consent before installing a program on a person’s computer if the software has the ability to covertly send electronic messages or has other functionality outlined in the legislation.” And if you think that enforcing errant spammers is a tall order, imagine what will happen when software enters the mix.

Think about it. Every smartphone, every tablet, every PC. Every game console, every set-top box, every smart TV. Every device that relies on an Internet connection to routinely update its firmware will be affected by the software rule. Exemptions will be given for operating systems, cookies, HTML and executable code like JavaScript, and software updates if a company can prove a user previously consented, but how that consent will be established remains to be seen.

And lest you think that this applies to malware makers only, as the CBC points out, “While the law has been framed as an attack on the creators of malware and spyware, it also affects legitimate software companies, which face fines of up to $10 million for non-compliance.”

Michael Geist, a professor at the University of Ottawa and the Canada Research Chair in Internet and E-commerce Law, points out that “consumers are putting a plethora of stuff on their systems often without knowing much about it. This raises the bar in terms of consumer awareness when they’re installing software, better awareness about what that software will do, and greater disclosure requirements on the part of businesses seeking to install those programs.”

There’s little grey area in what companies need to do in order to be compliant. “Companies must also clearly disclose to users if its software could collect personal information, interfere with the normal operation of a computer, alter settings or preferences or data on a computer, or allow a third party to access a computer. The law states that the disclosure must be described ‘clearly and prominently and separately and apart from the licence[sic] agreement.’”

Things get even more interesting when you consider Apple’s recent woes as they thought giving the world a dose of U2 wouldn’t have any repercussions. According to Huffington Post, the CRTC got an earful from Canadians over the sudden appearance of U2’s new album “Songs of Innocence.” Apple, of course, got an earful from the world when they spent $100 million in what was meant to be a massive goodwill campaign. Instead, people were either Googling U2 to find out exactly what that was, or hitting the Twitterverse to beat up on Apple for invading their iTunes collections. But it raised an interesting question when Canadians decided to lodge complaints with Canada’s spam watchdog.

According to HufPost, the CRTC’s “not so sure if U2’s move would have been legal under new, expanded regulations coming into force in January.” It’s probably safe to say that there will be much confusion in the ensuing months over how this is going to play out.

Let the games begin.