By K. Latham (CC BY-NC-SA 2.0) https://flic.kr/p/edVdXR

By K. Latham (CC BY-NC-SA 2.0) https://flic.kr/p/edVdXR

News

Enforcing CASL: How To Report Spam Violations

With Canada’s anti-spam law now in effect, many are starting to ask about enforcement of the law. While no one should expect the law to eliminate spam, the goal much more modest: target the bad actors based in Canada and change the privacy culture by making opt-in consent the expected standard for consumer consents. The CRTC, the lead regulatory agency, has made it clear that the fear-mongering of million dollar penalties for inadvertent violations is not going to happen. Chair Jean-Pierre Blais recently stated:

punishment is not our goal. We are not going to go after every indie rock band that’s trying to sell a new release to its fans. We have much bigger fish to fry. The CRTC will focus on the most severe types of violations. This means you may still receive the occasional spam message after July 1st. Our principal targets are abusive spammers and interlopers involved in botnets and, come January, malware and malicious URLs. Our responses to complaints will range from written warnings up to financial penalties or court actions. Our objective is to secure compliance and prevent recidivism. I believe the best enforcement approach should be determined by the facts surrounding each particular case.

How will the CRTC identify abusive spammers? The government has established a Spam Reporting Centre that is currently accepting reports of commercial electronic messages sent without consent or with false or misleading content. Initial reports indicate that hundreds of complaints have been filed daily. The Centre clearly states that it will not investigate all submissions, but rather use the information to identify enforcement targets. The information will be retained for at least three years (or up to ten years if the subject of an investigation). Canadians can use a web-based form to file their report or simply forward their spam email directly to spam@fightspam.gc.ca.

9 Comments

  1. Thanks for the quote. I hadn’t seen that and it’s nice to know that they aren’t going to go after inadvertent / accidental transgressors like my site.

  2. Kid Ordinn says:

    Instead of letting the government manage your life and the life of all internet users, why not learn how to use the internet instead?

    There are tons of tools available to protect one from spam and phishing. First off, use a Google account. Google has the best anti-spam program of them all. Forget about hotmail BTW.

    Then use DuckDuckGo.com as your search engine. It does not track you to send you “personalized” ads that you never requestest. Then use add-ons like DNT, DoNotTrackMe at dnt.abine.com. With this plug-in, you can mask your email address for free, and with Premium, your tel # and credit card numbers.

    There are also a pletora of other add-ons like Ghostery, etc. all explained on the DuckDuckGo link.

    No need for the government to run (ruin) your life. Live free of spam or die.

  3. > We are not going to go after every indie rock band that’s trying to sell a new release to its fans.

    Then why give themselves that power?

    There are other ways to get this done. New laws are not needed.

    I don’t believe this for a moment. Today it will be “the most severe types of violations” but that’s no guarantee that tomorrow will be the same. Given the way government reach continually expands (eternal mission creep), we can pretty much expect this new law to be abused later on. The only question is “when?”

  4. concerned says:

    We have been a legitimate online business since 1996. From day one we always followed a proper spam policy. We simply never sent any unless we had consent. Ok, so here is my biggest beef with this huge CASL mess. During all these years bad bots or spiders have been harvesting our legitimate email accounts then faking our email and sending spam in our name. It’s a very common practice and I’ll bet that at least 90% of business have had this happen to them. So how is the general (one that is not tech savvy enough to use proper filter protection) public going to know if our company sent this spam or some bot net sent it disguised at us. We could get reported. Then we have to trust that the CRTC is smart enough to know the difference. Which I highly doubt since these spammers and hackers outweigh in numbers and intelligence in the millions.

    • > During all these years bad bots or spiders have been harvesting our legitimate email accounts then faking our email and sending spam in our name.

      “Joe Jobs”, or spoofing email addresses, are simple to do. I’ve written software to do it, and it takes no time at all. But it’s easily foiled by using SPF or TXT DNS records.

      I’ve been screaming for years that email is broken. It was never written for the kind of environment that we use it in. Email requires trust, and that simply doesn’t exist.

      The legislators passing this kind of legislation are completely ignorant of what email is and why it is broken. There are already laws on the books to deal with it, and this legislation isn’t needed.

      > Then we have to trust that the CRTC is smart enough to know the difference.

      Given the legislation, I wouldn’t count on them being that smart.

      The problem isn’t something that can be solved by legislation.

      Public key cryptography can certainly help though. An example can be found in Bitmessage – https://bitmessage.org/. However, that’s not an appropriate replacement for email at the moment.

      An email extension to the RFC could define a PKI standard for digital signatures that could be used to validate email sources. All it would take is for the largest email providers to implement and others would quickly follow. (It would still be a “tack-on” to a broken system though.)

    • “We could get reported. Then we have to trust that the CRTC is smart enough to know the difference. Which I highly doubt since these spammers and hackers outweigh in numbers and intelligence in the millions.”

      Numbers? Yes. Intelligence? No. Most spammers are, at best, garden-variety “script kiddies” – people don’t turn to spamming because they’re evil geniuses, more likely it’s because they’re too stupid & lazy to hold down a legitimate IT job.

  5. Except that at least as of a few days ago, the email reporting address was spitting back reports as undeliverable because, wait for it… they contained spam. Imagine the shock… people are sending spam to a spam reporting email address.

    So clearly some wiesenhiemer needs to disable the spam detection filters on that particular email address. I wonder how this particular detail escaped the go live plan. Didn’t anyone actually test this? Somebody want to let us know when they have done that?

  6. Pingback: Monday Pick-Me-Up « Legal Sourcery

  7. Pingback: Canada’s Anti-Spam Law: Enforcement Discretion and Guidelines | Paul Daly