Last week the Guardian and New York Times ran stories claiming that NSA and its UK counterpart GCHQ have developed or employed means to crack the security being used to protect the privacy of personal data, online transactions, e-mails and other internet communications. According to the reports, the intelligence agencies have, among other things, collaborated with technology companies and ISPs to insert secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software, computer chips, and devices, covertly influenced their product designs, and introduced weaknesses into security standards. Intensive efforts have been made to crack security in widely used online protocols in Canada such as HTTPS, voice-over-IP, Secure Sockets Layer (SSL), virtual private networks (VPNs), and the protection used on 4G smartphones. Reportedly, companies have collaborated voluntarily or by being legally compelled to do so.
Last week I was contacted by a reporter from Canadian Business who was exploring whether companies selling products or services in Canada could be liable for selling products or services which had compromised security. I immediately thought about breach of implied warranties of fitness for purpose which have been found to apply to software and which under various consumer protection laws cannot be disclaimed.[i] I also thought about the possibility of express warranties which vendors may have given and tort actions such as negligence. I also considered the potential claims in Quebec where under the Civil Code the regime of extra-contractual civil liability does not require proof of a breach of a specific duty of care between a party and its victim where the act complained of is one of fault by omission. A civil fault may exist where one does something that is not reasonable in light of the circumstances and is likely to cause damages to another.[ii]
Over the weekend I started thinking about whether if Canada’s much maligned anti-spam/spyware law (CASL) was in force it would have provided a remedy to aggrieved Canadians against those businesses and even against the NSA or GCHQ for electronic spying enabled by these programs. It is possible CASL would have applied in certain circumstances.
Under CASL “A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or (b) the person is acting in accordance with a court order.” (s.8.1)
CASL has a two tiered approach to obtaining express consents as applied to the computer program prohibitions. In general, a person who seeks express consent, when requesting consent must describe, in clear and simple general terms, the function and purpose of the computer program that is to be installed if the consent is given. (s8.3)
However, if the computer program that is to be installed performs one or more of certain listed “malware” or “spyware” functions, the person who seeks express consent must, when requesting consent, clearly and prominently, and separately and apart from any licence agreement (a) describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and (b) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner. (s10(4)) The listed “malware” and “spyware” functions include any of the following functions that the person who seeks express consent knows and intends will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or an authorized user of the computer system:
(a) collecting personal information stored on the computer system;
(b) interfering with the owner’s or an authorized user’s control of the computer system;
(c) changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
(d) changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
(e) causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;
(f) installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system; and
(g) performing any other function specified in the regulations
It is not hard to imagine how a company that voluntarily cooperated with the NSA, or did so under any compulsion of law other than a court order, to insert backdoor or trapdoor computer code into commercial encryption software, computer chips, or devices and then sold such products to Canadians without making required discloses might have violated CASL.
A computer company would not necessarily have needed to have physical operations in Canada in order to violate the CASL’s spyware provisions. This is because the prohibitions apply if the users’ computer systems onto which the spyware is installed are located in Canada, even if the server from which the installation is done is outside Canada. (s.8(2))
NSA and GCHQ could also have had potential liability under CASL’s very wide vicarious liability provisions. CASL’s computer program prohibitions only apply to persons who in engage in prohibited conduct in the course of a commercial activity. However, CASL casts a much wider net to extend liability to any person who aids, induces, procures or causes to be procured any of the acts. In accordance with established conflicts of laws precedents, a person outside of Canada can be liable for inducing or procuring acts which take place in Canada. Thus, even if the NSA and GCHQ did not induce acts from Canada and even though their activities may not have been in the course of a commercial activity, there might have been a basis to find them liable under CASL.[iii]
CASL provides for a variety of remedies that could potentially have been invoked in the circumstances. The Commission which enforces the computer program prohibitions has broad powers to require the production of documents. The Act also permits a justice of the peace to issue search warrants. Courts can also issue injunctions. The penalties for contravening CASL are severe. A business that contravenes CASL can be liable for a fine of up to $10,000,000. A person who aids, induces, or procures in the violation can be liable for a fine of up to the same amount. CASL also subjects offenders to private suits including potentially class actions. The damages can be as high as $1,000,000 per day for the offender with the same cap for those who aid, induce, or procure in the violation.
CASL is not yet in force, so it is premature and unnecessary to form any conclusive opinion on whether and to what extent its provisions could have been applicable. However, if you operate a business that depends on encryption to maintain the confidentiality, privacy, or privileged nature of communications or are an individual with similar concerns and were searching for a possible way to obtain a remedy, then you may wish that CASL was in force. It’s not, however, because its many flaws have delayed its proclamation. However, if you believe that the acts of the NSA and GCHQ and the companies that collaborated with them were reasonable and justified because of threats from terrorists, cyber-criminals and others, then you may have opposite views. Or if you are surprised that a company collaborating with the NSA could be liable under CASL even if it did so under compulsion of law (other than a court order), then you may want to see that recitfied before CASL becomes law.
The recent disclosures do, however, advert attention to the possible usefulness of CASL in combating the proliferation of cybecrime and cyber espionage. According to a report released this summer by the Center of Strategic and International Studies (CSIS) the cybercrime losses to the global economy was between US$100 billion and US$500 billion.
When CASL was enacted the gargantuan problems of cybercrime and cyber espionage were probably not fully understood. Had Parliament known then what it surely must know now, it might have taken a much different approach to fighting malware, spyware and computer crime than it did. For example, it might have more carefully focused its attention on true malware and spyware. It might also have addressed the authority of businesses and ISPs to disable or block access to, or to apply for and to obtain court orders to disable or block access to, known cybercrime or cyber espionage sites or to take other countermeasures to combat these threats.
However, rather than focusing on real problems or potential problems like real malware or spyware, Parliament chose under CASL to make it illegal to install any computer program in the course of any commercial activity on any computer system without obtaining prior express consent following disclosure of the function of the computer program. It thus created a structurally unsound regime so broad that it would make almost every business that deals in computer programs, either as pure software or in an embedded system incorporated in any consumer or industrial products, have to comply with a law that in many instances is either onerous or practically impossible to comply with.
As I pointed out previously, “the prohibitions don’t only apply to the program manufacturer or publisher. They apply to every dealer, distributor, retailer and intermediary that does repair, maintenance, back up or reinstallation services, even though they all would likely not have the relevant information to make the necessary disclosures or be in a position to get express consents. The prohibitions aren’t limited to PCs, but apply to a program installed on any computer system which is defined broadly enough to include programs installed on smartphones, motor vehicles, appliances and other devices that contain electronics that run using software. That is practically everything today except pillows.”
Yet, not all potentially liable entities can comply with the law. CASL has the potential to make every intermediary who works on any device that contains software as part of any commercial activity vicariously liable for the malfeasances of the program developers or publishers and requires them to get express consents and to disclose information they most often do not have or could not be expected to have. CASL’s extra-territorial application to activities outside of Canada also will have the inadvertent consequence of making Canada an undesirable place to invest in to conduct software, network, or systems support for foreign operations.
Going back to the alleged activities of the NSA and its alleged corporate collaborators, one would suppose that CASL’s liability regime would have been limited to those entities and not unwitting dealers and distributors of products that contain the security vulnerabilities. However, under the Commission’s interpretation of CASL, as set out in a CRTC’s guideline, it appears that the heightened disclosure obligations with respect to computer programs that contain “malware” or “spyware” functions must be performed by any person who installs the program, even if such persons have no idea that the programs contain backdoors or trapdoors. This regulatory breadth runs the risk of making the entire ecosystem of distributors, dealers, suppliers, resellers, and computer repair facilities liable even when they are completely in the dark about what the software they install actually does or does not do.[iv]
Moreover, as Industry Canada has acknowledged, under CASL’s current computer program prohibitions it could have been illegal for telecommunication service providers to prevent fraudulent or unauthorized uses of their systems due to security vulnerabilities including to prevent illegal activities that present an imminent risk to the security of their networks.
CASL took the same flawed structural approach in regulating unwanted commercial electronic messages as it took with the computer program prohibitions. In contrast to taking a targeted approach to address harmful forms of spam, CASL took the unprecedented approach of making it illegal to send any commercial electronic message without express consent unless the message falls into a closed set of categories. The type of messages covered are very broad. In fact, they fall into an indeterminate and vague class of messages that makes it impossible to predict what is caught. The closed categories of “implied” consent are narrow, unreasonable, and inflexible and taken together with the other litany of drafting problems will give rise to a swath of unintended consequences. It is no wonder that just about every non-profit, charity and business, small, medium, and large – across all sectors, has reached the conclusion that CASL is unworkable in its current incarnation.
Just as when CASL was adopted Parliament could not have appreciated the huge challenges of cybercrime, when CASL was adopted Parliament did not recognize how effective technology could be in combating unwanted commercial electronic messages. SPAM simply is not the mammoth problem it was considered to be when the legislation was being conceived that today can justify the huge red tape and competitive disadvantages it would place Canadian businesses under internationally. Had those things been known, CASL would likely have been structured differently.
The reality is that CASL has not been proclaimed into force because it’s ban all structure is antithetical to fundamental principles of Internet regulation and would cause more harm than good in its current form. An approach that attempts to lock-down the Internet as CASL does is bound to have numerous unintended consequences. Many of these consequences have now been identified and without significant amendments or regulatory re-shaping its structural flaws would frustrate rather than fulfil the Government’s goals of promoting the use of electronic networks for safe and secure electronic commerce. Much time has been lost because the approaches proposed to date to fix CASL through regulations have been piecemeal and would not have solved the well known problems with the legislation. If Canadians are to have a spam/spyware bill that works, it is time to rethink its structure so that today’s real problems are addressed in a focused and effective manner.
[i] Western Engineering Service Ltd. v. Canada Malting Co.,  O.J. No. 2026 (Gen. Div.) (Sale of Goods Act held to apply to engineering software package); Gam-masonics Institute for Medical Research Pty Ltd. v. Comrad Medical Systems Pty Ltd.,  NSWSC 267 (Plaintiff purchaser of software was entitled to a common law implied term that the software was fit for its purposes and of merchantable quality.); London Borough of Southwark v. IBM UK Ltd.  EWHC 549 (17 March 2011) (Software a “good” but a license of software was not a “sale” thereof. In the U.S. packages of software have been considered “goods” to which the UCC applies. See, Step-Saver Data Systems, Inc. v. Wyse Technology, 939 F. 2d91 (3rd Cir. 1991), In Re C Tek Software Inc., 117 B.R. 762 (D.N.H. 1990), Aubrey’s R.V. Ctr., Inc. v. Tandy Corp., 731 P.2d 1124 (1987), Advent Systems Ltd. v. Unysis Corporation, 925 F.2d 670 (3rd Cir. 1991), M.A. Mortenson Company Inc. v. Timberline Software Corp. & Softworks Data Systems, 970 P.2d 803 (Sup. Ct. Wash. 2000), I. Lan Systems, Inc. v. Netscout Service Level Corp., 183 F.Supp.2d 328, (D. Mass. 2002).
[iii] CASL contains an exemption for the installation of certain types of computer programs such as a cookie, HTML code, Java Scripts, an operating system, and any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to. However this exemption may not apply because it is conditioned on the users’ conduct being such that it is reasonable to believe that they consent to the program’s installation, if the program at issue is a backdoor or trapdoors which makes encryption software vulnerable.
[iv] See paragraph 17 of the Guideline “The Commission considers that if the acts listed in section 8 of the Act (installation of a computer program) are necessary for the use or proper functioning of a product or service, and consent is not otherwise exempted or deemed by the Act or its associated regulations, the necessary nature of the act (e.g. collecting personal information stored on the computer system) must be indicated in the consent request. Consent for the necessary acts must be obtained before the product or service is used or sold.”