In a previous post, Evaluating the Industry Canada CASL regulations: why they are needed, I suggested that close scrutiny needs to be given to Industry Canada’s new draft Electronic Commerce Protection Regulations. CASL’s “ban all” structure makes it imperative that generous regulations be adopted to ensure that the goal’s of Canada’s new anti-spam/anti-malware law (CASL) are met. In another post, Evaluating the Industry Canada CASL regulations: how to assess them, I proposed a framework for assessing the regulations.
I then evaluated the proposed family and personal relationships exception in the post, Evaluating the Industry Canada CASL regulations: family relationships and personal relationships, finding them very troubling and concluding that without rectification CASL would adversely and surprisingly impair the ability of ordinary Canadians to communicate with extended family, friends and acquaintances and people who know each other from being members of the same clubs and associations, from going to school or engaging in recreational activities together, or from business, professional or other settings.
In the post, Evaluating the Industry Canada CASL regulations: the B2B exception (Part I-SMEs), I examined the proposed new business to business exception, focusing on its failure to remedy CASL’s impairment on the start-up and growth of small and medium sized enterprises. In my last post, Evaluating the IC CASL regulations: the B2B exception (Part II-Non-business entities), I showed how the regulations fail to address the harsher burdens CASL places on not-for profit organizations like charities, hospitals, and educational institution than on businesses, even though they have the least resources or wherewithal to bear those burdens.
In the post Evaluating the Industry Canada CASL regulations: jurisdictional overreach, I focused on the regulations failure to correct CASL’s jurisdictional overreach. I focused on two issues. First, CASL’s extra-territorial reach over foreign organizations and compliance with principles of international comity. Second, that CASL’s territorial reach will threaten high paying service jobs, research, development and technological innovation in Canada.
In the post,Evaluating the Industry Canada CASL regulations: defining commercial electronic message, I addressed the vexing problems posed by CASL’s extra-ordinarily broad definition of commercial electronic message (CEM) and its implications for organizations and individuals.
In this post I examine the failure of the regulations to address some of the problems with the computer programs prohibitions in CASL, prohibitions which if not addressed could impact cyber-security in this country.
Cyber-security is a major challenge. Organizations around the world face new and different threats daily, as the recent attacks on the New York Times illustrate. See, Chinese Hackers Infiltrate New York Times Computers. Vulnerable organizations and their forensic and cyber-security experts increasingly have to use defensive counter measures to prevent, investigate, and stop these attacks.
Yet, their use could become illegal in Canada if CASL is proclaimed into force without regulations to prevent this. The problem is that CASL will make it illegal to install a computer program in the course of any commercial activity on any computer system without obtaining prior consent following disclosure of the function of the computer program, including a detailed description of the program in case the program falls into one of the categories one would ordinarily consider “malware” or “spyware”. Under CASL an organization installing a program on a computer of a cyber-thief or criminal in self defence such as to investigate an attack could be illegal.
During the consultations this problem was raised by various organizations. The Government acknowledged the problem and proposed a new regulation to exempt telecommunication service providers (TSPs) from the consent and disclosure requirements to prevent an activity that the TSP reasonably believes is a contravention of an Act of Parliament and presents an imminent risk to the security of its network. The exception is narrow and could leave many Canadian organizations powerless to defend themselves against cyber-threats; in fact it could make them into lawbreakers for using best practices in the course of their business operations to address the myriad of threats they face every day.
- Only TSPs are eligible for exemption. Yet, computer systems and computer networks are used ubiquitously by organizations throughout the country. Many would likely not be a TSP, even though that term is broadly defined.
- There are many threats that require combatting besides those involving breaches of security. Some unauthorized access to or unauthorized uses of a computer will involve a breach of security, but not every breach necessarily will.
- The legality of stopping attacks will be dependant on the innocent victim reasonable believing that the perpetrator imminently will commit a violation of Canadian law. Not every cyber-threat will necessarily meet this standard. Moreover acting to prevent an attack which is reasonably expected but not imminent could be illegal as would attempting to investigate the source of past attacks, unless the victim can reasonably conclude that one attack will imminently lead to another one to its network.
- Many Canadian organizations operate cross boarder networks. CASL applies to programs installed from Canada on foreign computers. Accordingly, a Canadian based organization could be unable to employ cyber-counter measures from Canada to protect their foreign networks from attack even if the cyber attack was a violation of the foreign law.
Even more fundamentally, the exemption proposed by Industry Canada would be subject to a condition that the victim of the cyber security threat must reasonably believe that the cyber criminal consents to the installation of the counter measure program. As this condition would be unlikely ever to be met, the new exemption does little to solve the problem which the Government recognized needed to be addressed.
It may be that the Government believes that there is unlikely to be a problem because CASL only applies if the program installation occurs as part of a commercial activity. This will raise important questions of interpretation. If defending against cyberthreats becomes part of an organization’s normal business, is it caught? What about consultants and businesses that specialize in combatting cyber menaces and security threats? Would their work for victims of cybercrime be part of a commercial activity and thereby become illegal? When businesses like Microsoft take down or disrupt botnets, is this part of a commercial activity? See, Inside Microsoft botnet takedowns. Are they all acting for the purposes of public safety, which is another exception?
CASL’s ban all approach to the installation of computer programs without consent will produce many other inadvertent negative consequences as well. For example, it could be illegal for an organization to install a program on another computer to comply with law (other than an order). (There is an exemption for law enforcement.) it is also unknown how an express consent can be obtained for software that is pre-installed before a device is sold.
There are at least a dozen other problems that have been identified. For example, the prohibitions don’t only apply to the program manufacturer or publisher. They apply to every dealer, distributor, retailer and intermediary that does repair, maintenance, back up or reinstallation services, even though they all would likely not have the relevant information to make the necessary disclosures or be in a position to get express consents. The prohibitions aren’t limited to PCs, but apply to a program installed on any computer system which is defined broadly enough to include programs installed on smartphones, motor vehicles, appliances and other devices that contain electronics that run using software. That is practically everything today except pillows. Is it really Government policy to make every intermediary who works on any device that contains software as part of any commercial activity vicariously liable for the malfeasances of the program developers or publishers and require them to get express consents, or is this an inadvertent policy choice resulting from CASL’s ban all approach to regulating electronic commerce involving commercial electronic messages and computer programs?
CASL was intended to foster confidence in using electronic means of doing business. Ensuring that organizations do not lose the ability to defend themselves from cyberthreats should be a key goal. The Government should ensure that Canadian organizations will not become lawbreakers when they, like the New York Times, are hacked and need to investigate and terminate threats. It should also consider whether CASL was really intended to apply to everyone in the business ecosystem that provides any services in relation to computer programs.