CASL Shines Light on Malware

In the last few weeks, you have probably read a headline or two about the CRTC’s CASL warrant. This articles aims to fill in some of the details.

Section 8(1) of CASL states that “a person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system” unless that person has:

  1. Obtained the express consent of the owner or an authorized user of the computer system (and such consent has not been withdrawn); or
  2. Is acting in accordance with a court order.

The CRTC's Canada's Anti-Spam Legislation Requirements for Installing Computer Programs clarified that “computer system” should be interpreted as “computing device,” so as to include laptops, smartphones, desktops, gaming consoles, etc. Furthermore, certain programs, like Cookies, HTML, JavaScript and operating systems, will be viewed as having the requisite consent if the owner’s conduct is such that it is reasonable to believe that they consent. 

The Warrant

On December 3, 2015, the CRTC announced that it served the first-ever warrant under CASL to take down a Toronto-based server. This warrant was issued as part of a coordinated, international effort, involving the Royal Canadian Mounted Police, the Federal Bureau of Investigation, Europol, Interpol, Microsoft Inc. and other Canadian authorities, to disrupt what the CRTC’s Manon Bombardier calls a “very egregious” botnet.

CASL gives a justice of the peace the power to issue a search warrant where he/she is satisfied that the warrant is necessary to verify compliance with CASL, to determine whether CASL has been contravened, or to assistant an investigation in respect of the laws of a foreign state.

For more information, please see the CRTC News Release.

The Malware

The CRTC has characterized the Toronto-based server as a “command-and-control” point for the Win32/Dorkbot malware, which has reportedly infected more than one million personal computers in over 190 countries.

The Win32/Dorkbot malware is part of a botnet, a network of computer worms, which are connected through USB keys, instant messaging services and social networks. Once a computer has been compromised, the botnet can steal usernames and passwords by monitoring online activity. It uses the personal information it collects to transmit malware and spam, and to launch targeted attacks, by crippling and subsequently disabling other servers (“the distributed denial of service attack”).

To learn more about the CRTC’s activity under CASL, please see An Even Bigger Fish for CASL: Rogers on the Hook for the Largest Settlement Yet, CASL Update: $1.1 Million to Spare? and Canada’s New Anti-Spam Law: CASL.

How Momentum Can Help

A notorious malware family was the CRTC’s target on this occasion. However, to date, most of the CRTC’s enforcement efforts have targeted reputable Canadian companies, which have inadvertently contravened CASL (usually through non-compliant communications practices). Give us a call today to ensure that your corporate privacy policies are CASL-compliant.