This week has been eventful on the CASL front with the CRTC providing guidance on how it is likely to interpret CASL’s computer program provisions. Monday evening the CRTC published a new guideline on the interpretation of CASL. This was followed by a presentation given to IT.Can members by Andy Kaplan Myrth of Industry Canada and Dana-Lynn Wood and Lynne Perrault of the CRTC. The presentation was a follow-up to an earlier IT.Can meeting where the CRTC asked for and received a list of questions for which guidance is being sought by the public. This information session was part of a cross country tour by the CRTC to provide information to the public about CASL.
The CRTC guideline has some pleasant surprises in it. The interpretation of the program provisions attempts to reach pragmatic solutions to complex problems created by CASL. However, to reach solutions it considers acceptable, the CRTC, in some cases, has had to introduce creative interpretations of CASL to overcome its impractical and over encompassing structure and enigmatic drafting.
At the IT.Can meeting the CRTC provided an overview of the new guideline. It did so using slides, which are not yet, but which will eventually be, posted on the CRTC’s web site. The CRTC also attempted to answer other questions that had been posed to it before and during the meeting not covered in the guidance document.
In this post, I summarize some of the more important guidance provided in the new guideline. Another post will address some of the information and opinions provided by the CRTC not in the guideline.
What acts constitute “installation” of a computer program?
The CRTC is interpreting CASL’s computer program provisions to apply only to “push” applications – programs that automatically install software on someone’s computer. Here are some extracts from the guideline that make this point.
For example, under CASL, it is prohibited for a website to automatically install software on a visitor’s computer without getting consent, or for software to be updated without first obtaining consent…
CASL does not apply to programs or apps owners or authorized users download themselves to install on their own computer or device, or updates they install for those programs….
First off, don’t panic. CASL does not apply to owners or authorized users installing software on their own computer systems (e.g., personal devices such as computers, mobile devices or tablets)…
CASL only applies when you install or cause the installation of software on another person’s device in the course of commercial activity.
In general the CRTC interprets CASL as not applying to self-installed software. The guideline states:
No, self-installed software is not covered under CASL.
For example, the owner of a mobile device goes to an app store to purchase and download an app. As the owner is installing the app on their own personal device, CASL does not apply.
Other examples include the following, if the programs are installed on your own device:
- You buy software on a CD and install it on your computer.
- You download software from a website and install it on your device.
- A small business installs software on business devices used by its employees.
- A previously installed app offers an update, and the individual installs the update. (However, if the app installs the update in the background, without prompting or informing the user, then CASL would apply. More information about updates and upgrades is available in part 5 of this guidance.)
The CRTC also interprets CASL as not applying to offline installations of software e.g., a CD/DVD that is purchased at a store.
The CRTC gives these examples, however, of computer programs which are “caused to be installed” for which an express consent is required:
Sometimes, malicious software (malware) is installed along with other software. For example, a free Tic Tac Toe app may include concealed malware that is not disclosed to the user. In this situation, the user would be installing the Tic Tac Toe app, so CASL would not apply. However, CASL would apply to the installation of the malware since the software developer would be causing it to be installed.
A consumer purchases a music CD and inserts it in their computer to listen to music or copy songs. However, the CD includes concealed software that is automatically executed when the CD is inserted into the computer. In that case, the distributor or developer would have caused the software to be installed.
In the above examples, the CRTC does not explain why the installation of malware in a “pull”/ “on-demand” or self-install situation would have been “caused to be installed” by the software provider given its interpretation of Section 8 appears otherwise to be limited to push transmissions. One might have expected that the term “caused to be installed” was intended to make a person vicariously liable for the actions of others that it directed or procured. The CRTC appears to be giving the term an extended meaning in order to close a gap in coverage for some programs downloaded by a person which contains malware or spyware.
What are operating systems, cookies and TSPs?
The Commission has provided guidance on how it will interpret terms not defined in CASL.
It defines a “cookie” and “operating system” which are subject to a partial exemption from consent under s.10(8) of CASL as follows:
Cookies are non-executable computer programs that cannot carry viruses and install malware. As described above, under CASL, a person is considered to consent to the installation of a cookie if the person’s conduct is such that it is reasonable to believe that they consent.
Computer systems are composed of physical components (hardware) and computer programs (software). Operating systems are a type of computer program that have special access to the hardware of a computer system, and act as a platform to allow other computer programs to make use of the hardware.
Examples of operating systems include Microsoft Windows, Mac OS/iOS, Linux, Android, Unix and Blackberry OS, among others. They also include operating systems in your car (e.g., that control braking systems).
How to interpret some of the exceptions in the IC regulations
The CRTC provided an interpretation of the term telecommunications service provider (TSP). This term is used both in the anti-spam portion of the Act as well as in the IC regulations. Helpfully, and consistent with the interpretation of the term by Industry Canada in the RIAS, the CRTC confirmed that the term should be given a wider meaning than it is given in the Telecommunications Act.
Although ‘TSP’ may be defined differently in other laws, in CASL a ‘TSP’ means any business or person who, independently or as part of a group or association, provides telecommunications services. Unlike other definitions, such as that in the Telecommunications Act, CASL doesn’t require the TSP to own or lease the equipment or software used to provide the service.
For example, automobile manufacturers are TSPs for the purposes of CASL when their vehicles include wireless telecommunications functionality.
In addition, the Act only regulates the installation of software in the course of a commercial activity, the definition of which excludes public safety, among other purposes
The CRTC also explained how it will interpret what is meant by the phrase to “correct a failure” in the IC regulations:
‘Correcting a failure’ includes taking steps to ensure the safe and proper functioning of the computer programs and the systems they operate. This includes, for example, both reactive and proactive steps, so long as they are consistent with consumer expectations.
As an example, to ‘correct a failure’ may include a patch designed to fix a security vulnerability or a software error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result or to behave in unintended ways.
It is unclear what the statutory basis is for the CRTC’s assertion that “correcting a failure” in a computer program must be limited to doing so in a way that is “consistent with consumer expectations”.
What constitutes the ‘owner or authorized user’ of a computer system?
The CRTC also clarified who it views as the owner and authorized users of a computer system as follows:
1. In the context of an employment relationship, the employer would be the owner and the employee would be the authorized user.
2. If an individual owns a computer but provides it to their child, spouse, or other relative for their sole use, the child, spouse or other relative is the authorized user of the computer.
3. If someone leases a device, the lessor will retain ownership of the device for the purposes of CASL and the lessee is the authorized user.
4. If a device is sent out for repair, the person conducting the repair would be considered an authorized user under CASL, but only to the extent that they perform the agreed-upon repairs to the device.
The 4th example is a useful one. Previously, there were questions as to how a person doing repair on a computer or other device could get the necessary consents to install programs. This has been finessed by the Commission by considering such a person to be an authorized user. However, it is not clear that such a person would cease to be an authorized user merely because he/she goes beyond making the agreed repairs. The 2nd example does not explain how considering a child an authorized user of a device will enable the child to give a valid consent to the installation of a program.
What functions require enhanced disclosure?
The Commission states the following in interpreting Sections 10(4) and 10(5) of CASL:
If the computer program performs one or more of the following functions that would normally not be expected by the user, then you must disclose additional information when seeking consent, as outlined below.
- Collects personal information;
- Interferes with the user’s control of the device;
- Changes or interferes with the user’s settings, preferences or commands without their knowledge;
- Changes or interferes with the data stored on the device in a way that obstructs, interrupts or interferes with the user’s access to the data
- Causes the computer system to connect to or send messages to other computer systems without the user’s authorization
- Installs a program that may be activated by a third party without the user’s knowledge.
The above guidance appears to disregard the lead in wording in Section 10(5) which only makes enhanced disclosure necessary when “the person who seeks express consent knows and intends will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or an authorized user of the computer system” by doing one of the things listed in the section. This guidance is, however, consistent with the position of the CRTC taken in its Guidelines on the interpretation of the Electronic Commerce Protection Regulations.
Are updates and upgrades covered by CASL?
The CRTC says the following in respect of updates and upgrades.
What is an update or upgrade?
An update or upgrade is generally a replacement of software with a newer or better version, in order to bring the system up to date or to improve its characteristics. Usually the update or upgrade will have new features. Common software updates or upgrades include changing the version of an operating system, an office suite, an anti-virus program, or various other tools.
An update or upgrade makes changes to or replaces previously installed software. Retrieving current information and displaying it within a program is not considered to be updating the program within the context of CASL. For example, updating or refreshing information displayed in a program, such as refreshing the weather forecast in a weather app, or refreshing television listings in an electronic programming guide are not updates or upgrades for the purposes of CASL.
The above definition does not specifically address other programs such as bug fixes that do not fit within the described functionality. This leaves them in a uncertain place under CASL, even though in the computer industry these programs are generally regarded as an update.
Do I need consent for upgrades or updates and, if so, how do I get it?
Yes, you need consent to install updates or upgrades. There are several options to obtain consent:
- When you get the initial consent to install the original computer program, you can also seek consent for all future updates and upgrades.
- Consent can be assumed for updates and upgrades to the specified computer programs discussed above (listed in section 10(8) of CASL, e.g., cookies and operating systems)
- If the program was self-installed by the device owner or authorized user and you didn’t get consent for updates or upgrades at the time of original installation, you will need to seek consent to install any updates or upgrades. You can do this in the same way that you would generally seek consent to install software.
- You can update or upgrade computer programs until January 15, 2018 if the program was installed on the device or computer system prior to January 15, 2015. (See more details later in this guidance.)
For example, if a person installs an app from an app store on their own device, CASL would not apply. As a result, their consent for future updates may not have been requested by the app developer. If the software developer wishes to install an update to the app at a later date, they must obtain the person’s consent to do so. Alternatively, when the user self-installs the app, the developer can use that opportunity to request consent to automatically install future updates.
In another post, I will address some of the information and opinions provided by the CRTC not in the guideline.