May 30, 2019

Canadian government regulators are using the country’s powerful new anti-spam law to pursue hefty fines of up to a million dollars against Canadian citizens suspected of helping to spread malicious software.

In March 2019, the Canadian Radio-television and Telecommunications Commission (CRTC) — Canada’s equivalent of the U.S. Federal Communications Commission (FCC), executed a search warrant in tandem with the Royal Canadian Mounted Police (RCMP) at the home of a Toronto software developer behind the Orcus RAT, a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015.

The CRTC was flexing relatively new administrative muscles gained from the passage of Canada’s Anti-Spam Legislation (CASL), which covers far more than just junk email. Section 7 of CASL deals with the alteration of transmission data, including botnet activity. Section 8 involves the surreptitious installation of computer programs on computers or networks including malware and spyware.

And Section 9 prohibits an individual or organization from aiding, inducing, procuring or causing to be procured the doing of any of the above acts.

CRTC Director Neil Barratt said this allows his agency to target intermediaries who, through their actions or through inaction, facilitate the commission of CASL violations. Businesses found to be in violation of CASL can be fined up to $10 million; individuals can face up to a $1 million fine.

“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said in an interview with KrebsOnSecurity.

“CASL defines spam as commercial electronic messages without consent or the installation of software without consent or the intercepting of electronic messages,” Barratt said. “The installation of software is under Section 8, and this is one of the first major investigations under that statute.”

Barratt added that the CRTC also was counting on CASL to help tidy up the reputation of the Canadian Web hosting industry.

“We’ve been trying to make sure that service providers operating in Canada — whether or not they are Canadian — are not unduly contributing to the infection of machines and hosting malware,” Barratt said. “We have great power in CASL and Section 9 makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”

The enforcement division of the CRTC recently took action against two companies — Datablocks Inc. and Sunlight Media Network Inc — for having violated CASL section 9 by disseminating online ads that caused malicious computer programs to be downloaded onto the computers of unsuspecting victims.

Under CASL, and for the purposes of verifying compliance or determining whether any of sections 6 to 9 were violated, the CRTC may compel individuals and organizations to provide any information in their possession or control, and ask a justice of the peace to issue a warrant authorizing entry into a place of residence.

It’s good to see a civil anti-spam law being used to go after people involved in selling malware couched as legitimate software, as seems to be the case with the Orcus RAT investigation. A relatively competent remote access trojan author can earn a tidy income selling their wares, but CASL may give Canadians interested in this line of a work a reason to reconsider if the end result is a million dollar fine.

More to the point, Canada (anecdotally at least) seems to have far more than its fair share of computer criminals, and yet unfortunately far less appetite than many other western countries for prosecuting those individuals criminally. In this regard, CASL offers a welcome alternative.

“One of the key takeaways of CASL was that it wasn’t just about emails that were annoying people, but also the use of email as a vector to mislead or defraud people and cause harm to computers and computer networks,” Barratt said. “Our parliamentarians decided to ensure the legislature covered a broad ambit. The search warrant executed in this case was a great example of criminal and civil law enforcement working together by using our unique tools and powers under the act to achieve the greatest good we could.”

33 thoughts on “Canada Uses Civil Anti-Spam Law in Bid to Fine Malware Purveyors

  1. The Sunshine State

    Great informative article . Now take off Eh!

  2. Dave

    “We’re dealing with a lower burden of proof than a criminal conviction”

    Not sure this could work for the FCC. Our constitution may get in the way. At any case, good for Canada for stepping up to the plate. Maybe they can add spoofed email addresses and phone numbers/scams to the agenda.

    1. Well Actually

      Actually, Canada is working on that. By next December, measures should be in place to reduce *some* of the nuisance calls.

      This will only stop nuisance calls where the criminals are spoofing numbers that don’t exist. I expect that the baddies will just eliminate those from their set.

      Despite what some say below about whether this is right or wrong, at least we’re *doing* something about it instead of arguing about the rights of criminals to harass their victims.

    2. Anon404

      “Section 7 of CASL deals with the alteration of transmission data, including botnet activity.”

      It sounds like this section addresses exactly that. Spoofed email or phone numbers I think would be considered alteration of transmission data.

    3. Well Actually

      We’re actually already working on spoofed phone numbers (link below). It’s not perfect because it will only prevent spoofing numbers that don’t exist; the crooks can still spoof real numbers. But it’s a start.

      I guess this is a big cultural difference between Canada and the USA but I don’t understand why USA-ers get so hot and bothered about protecting the rights of people to be criminals. You can have free speech but you must also have an obligation to not erode the rights and freedoms of others. Otherwise you’re just being a d**k.

  3. MattK

    If you’re fining someone a million dollars and searching their homes then you should have to meet the same burden of proof as a criminal conviction. This law gives way too much power to the state.

    1. nobody

      As much as I want to stop spammers too, MattK is right. Being falsely accused and fined would be quite disastrous.

      1. Anon404

        How is that any different than your civil suits in the US, where someone can be found not guilty of a crime, but still found liable in civil court to the tune of millions?

    2. JimV

      Same as a criminal warrant, perhaps — there are (and should be) no threshold so high as “conviction” for a judge to issue a lawful warrant.

    3. Proud Canadian

      Lower burden of proof essentially means that under this regulatory regime, and unlike the requirements of criminal law, it is not necessary to prove intent to establish that a violation has occurred.

      The expectation is that folks abstain from engaging in certain types of antisocial behavior.

      Where that is found to not have been the case, it is then up to the individual or corporation under investigation to show that they took all reasonable steps to prevent the violation from happening.

    4. Armada

      Although the CRTC is not incorrect.
      The burden of proof is nothing like the Criminal courts. Something that seems to have gone unstated is, intent still has to be proven.

      Did I intend for Orcus to be used maliciously, or was it abused without intent?
      If I intended to Orcus to be used maliciously, why would we implement so many fail safes to stop malicious use?

      Something I presume my authorities are discovering after pilfering through my hard drives data. Orcus has/had way more fail safes than anyone knew about other than Sorzus and Myself.

  4. Emily Booth

    About time. Thievery on the internet goes unabated on a daily basis.

  5. bill

    “CASL defines spam as [among other more obvious things] the intercepting of electronic messages”

    The devil is in the details… i.e. the interpretation of the words… I wonder if they know how the internet works… i.e. one computer passing the message along to another, then to another, then to another, etc…. Every message on the whole internet is therefore by nature arguably “intercepted” many times, as a basic function of the internet… Of course you could just define this to mean out-of-the-ordinary handling of the interception, not regular ordinary interception that is part of the communication protocol… but is this really what it says? And how would one then define ordinary? Overly broad wording in laws is a bit scary.

  6. JCitizen

    WHAT!!! No more Canadian Pharmacy drivel!! What will we do?? — What W-I-L-L we do???

  7. Readership1

    A few predictions.

    This law will fail in courts where defendants have enough money to fight back. It’s just too broad and unbalanced to favor government.

    I expect it will be struck down as a violation of due process, especially searching and seizing property without suspicion of an intentional crime.

    This law will also fail on political grounds, as it empowers Canadian bureaucrats to interfere with international commerce. It is already causing an increased regulatory compliance cost for businesses in Canada and will eventually act as a barrier to entry for businesses outside Canada.

    Eventually, no one will want to do internet business with Canadians for fear of having offices and homes raided, and fines levied.

    1. Anon404

      LMAO, this isnt the US. Also how is it already causing an increase in regulatory compliance cost any more than GDPR?

      1. Readership1

        The majority of North American companies are neither large enough to attract attention and penalties from European fascists, nor do they have an interest in establishing European clients. Thus, GDPR is of no consequence to most North American companies.

        Next point…

        Canada has laws regarding seizures, searches, and due process, just like the US. They’re also susceptible to political concerns, lobbying, and business pressures. And, just like the US, success in Canada is dominated by those who value freedom.

        This law will fail for those reasons.

        1. Anon404

          Thats one of the silliest and most ignorant responses Ive ever heard. European fascists? Well, that says a lot about you, and not good things, at all. And ahh, “freedom loving”, you mean like those jackboots in Charlottesville? You comment reads like a dogwhistle to white supremacists and those who dont understand what fascist actually is. This law will stand for the same reasons OJ was found not guilty and yet still lost the civil suit. And, like I said in my first comment, this isnt the US we’re talking about.

  8. Mike

    I think this law will be upheld, because in civil law it the prepnderance of evidence, rather than beyond a reasonable doubt. I think it would be legal here and is a good idea. They are only doing it for the money, it is not a free speech issue.

    How is it a freedom of commerce issue to foist unwanted software on unsuspecting customers and to cheat them with shoddy merchandise or by failing to deliver as promised??????

    There is line between liberty and license which seems to be forgotten by some and these fraudsters are clearly on the wrong side of the line. They should be relieved of their fraudulent gains.

  9. Davis Masha Leah

    One unintended consequence is that it may drive them to set up business here in the US where our laws are not as tough.

    1. Anon404

      So the criminal enterprises feel the need to not operate in Canada… sounds like a good thing to me, no?

  10. vb

    I doubt the result of this law is going to be million, or multi-million dollar fines. One result might be dragging some dark people into the sunlight. I think that will be the result in the Orcus RAT case. The searching and seizing is not for criminal prosecution, as we’re used to seeing, but under the guise of levying fines for ill-gotten gains. The investigation alone is a form of punishment.

    However, this law can and will surely be abused. If a big business makes a CASL accusation against a startup, they can get the startup crushed. The startup will have all it’s internal workings and documents exposed, including trade secrets. It won’t matter if the accusation is false, the investigation alone is a form of punishment.

    1. Armada

      Trust me on this one, they got no problem threatening to levy a 10 Million fine.

  11. parabarbarian

    So, will it stop the forced updates of Windows 10?

  12. Do The Crime

    If you DO THE CRIME, you must PAY THE FINE or DO THE TIME!

    Spam and cyber crime causes severe harm and costs individuals and businesses millions each year. It is the duty of government everywhere to protect its citizens from attack. Full Stop!

    If the US can claim that a foreign radical activist living in a foreign country is intent on causing harm to US citizens to the extent that it can authorize the release of a multi-million dollar guided weapon on the building that person resides in, then those sending out malware with intent to cause damage or extort US citizens shouldn’t be treated any more lightly – regardless of where they live!

    The two major problems with cyber crime is attribution and law enforcement. It takes months to accurately attribute an attack to an attacker (like Not Petya to the Russian GRU for example), and we currently lack international treaties, and common agreed-upon legal language to define a “cyber-crime”, with effective international law enforcement, which means perps can act blatantly criminally in parts of the world beyond legal redress or effective policing.

    We need more countries like Canada to put in place a comprehensive collection of national cyber-laws and international treaties. Only then will there be sufficient international inertia to prosecute cyber-criminals.

    1. Big Brother

      “It is the duty of government everywhere to protect its citizens from attack. Full Stop!”

      No, it isn’t.

      1. weinerdog43

        In the US, actually, it is. You can find it in the Preamble to the US Constitution.

          1. vb

            “…provide for the common defense” could be interpreted as including cyberattacks upon citizens of the US.

            State sponsored cyberattacks are well established. “Cyberwarfare” is a well known term. I have no doubt that the US government has considered some nationwide cyber defense programs.

            1. Readership1

              Thanks for replying, vb.
              I disagree a bit, but I’m too lazy to elaborate, so you win. 🙂

  13. Bob

    In reference to the phishing article, I wonder if falling for a phishing attack could get you in trouble with this, since this could result in the installation of malware.

Comments are closed.