Canada’s first anti-spam legislation will empower authorities to fine aggressive spammers. But while cyber security experts welcomed the bill on Wednesday, they say it may not dramatically reduce the volume of unsolicited emails we receive.
Bill C-28, the new Fighting Internet and Wireless Spam Act, is a misnomer for that reason, said David Poellhuber, the chief operating officer of the Montreal-based managed security firm ZeroSpam.
"It’s not going to have a bit of an effect on the total volume of spam," he told CBC News.
"The spam we receive is sent mostly from botnets, which account for 70 per cent of spam worldwide. That’s spam coming from your mother-in-law’s computer that’s infected. It’s coming from victims’ computers."
Canada is not known as a source that originates a lot of outgoing spam, but the botnets — collections of hijacked or "zombie" computers that unwittingly attack vulnerable networks — are able to target us from afar.
Canada only G8 nation without spam law
The new legislation cannot stop that bulk of potentially harmful electronic messages coming from foreign countries, Poellhuber said.
Bill C-28 Penalties:
- The CRTC will have powers to impose AMPs (Administrative Monetary Penalties of up to $1 million for individuals and $10 million for businesses, including statutory damages of $200 for each violation.
- Company officers and directors can be held personally liable if they knowingly infringe the law.
- The new law also creates a new private right of action allowing individuals to seek damages through civil procedures.
- Furthermore, C-28 will amend the Canadian Competition Act to prohibit false or misleading representation of the sender or subject of a message, which would then constitute a criminal offence.
"But it’s a good thing to have an anti-spam law in Canada," Poellhuber said. "Because it will allow prosecution of cases such as the likes of Mr. [Adam] Guerbuez, the guy who was sued by Facebook for some $873 million."
Guerbez, from Montreal, was sued along with his company under the U.S. Can-Spam Act, after Facebook users were flooded with offers for marijuana and male-enhancement drugs.
Prior to Bill C-28 passing on Wednesday, Canada was the only G8 country without specific spam legislation, according to the Consumers Council of Canada.
What the legislation will drastically change is local email practices, particularly for businesses, according to Poellhuber.
"Truly established businesses that have very lax practices on email will find themselves at risk," he said.
"It will no longer be tolerated [for companies to spam] by CD-ROM, using 100 million addresses and user-preferred mail agents to send these emails."
ZeroSpam filters roughly 12 million emails a day for Canadian organizations, with much of that coming from companies firing off ads for sales and new merchandise.
'Truly established businesses that have very lax practices on e-mail will find themselves at risk.'—David Poellhuber, ZeroSpam
"So you have those organizations with very aggressive practices, but you also have some small businesses that just want to better serve their clientele and serve out mail to their rolodex of 500 [people]," Poellhuber said. "It might be your corner book store or flower shop."
It’s these companies that might find themselves at risk of facing hefty fines into the millions of dollars once C-28 is enacted in the coming months.
Clean up email lists
All it would take is for a recipient to file a complaint with the Canadian Radio-television and Telecommunications Commission. The CRTC could them impose penalties of up to $1 million for individuals and $10 million for businesses, including statutory damages of $200 for each violation.
Individuals would also have the private right to sue spammers.
Poellhuber advised Canadian businesses to review their emailing lists and make sure they win consent from recipients to receive commercial email.
"They have to clean their lists," he said. "If they don’t have an existing business relationship, they have to get consent before the law is enacted in the next weeks or months."
Impact on Canadian businesses involved in e-mailing activities
Canadian businesses should revise their emailing lists and make sure that consent to receive commercial email was given or that a business relation exists with recipients. This will drastically reduce the size of many lists, but probably in favour of better qualified and more receptive contacts.
But, he warned, the burden of proof lies with the email senders, who would have to keep copies of web pages, responses and confirmation emails from the prospective clients agreeing to receive the ads. Many email lists are expected to be reduced in size as a result.
Rather than using an in-house mailing system, companies could outsource their email campaigns.
"What we recommend is to use a third-party organization who will do it for you, because should it be blacklisted, the third party will be blacklisted, not yourself," Poellhuber said. "It’s transferring risk to another party, and those trustworthy third parties will make sure they’re handling things correctly."
ZeroSpam is organizing training sessions on the impact of Bill C-28 for small businesses, to be held in Montreal in February.