Canada's new anti-spam law: Can it really clean up your inbox?

Canada's new anti-spam legislation comes into effect today and carries hefty penalties – up to $1 million for individuals and $10 million for businesses. But some observers wonder how effective it can actually be in the borderless world of the internet.

Legislation is considered tough, but some observers question how effective it will be

Canada's new anti-spam legislation comes into effect today, but it may not completely clear inboxes of annoying, unsolicited messages. (Shutterstock)

The recent anticipation around the arrival of Canada's anti-spam law today had a rather ironic impact. It actually increased the amount of email in your inbox.

As businesses braced for the new legislation, which has taken on the acronym CASL, they were firing off a torrent of email requests asking people for permission to keep sending emails.

It's all part of ensuring they comply with a law that carries hefty penalties — up to $1 million for individuals and $10 million for businesses.

But some observers wonder how effective it will actually be.

"It's a total waste of money or time. The only payoff is one [the government] didn't intend," says David Skillicorn, a professor in the school of computing at Queen's University in Kingston, Ont.

That payoff, he says, comes from those permission requests from legitimate businesses that have been filling up inboxes and are giving recipients a chance to opt out of further electronic communication if they wish.

Otherwise, Skillicorn says, those unsolicited and unwelcome emails that junked up inboxes just aren't the consumer problem they once were.

"Ten years ago it was, but it's not any more because if anyone has got a decent [email program] and is willing to spend 10 seconds a week saying, 'This is spam, this is spam,' [they] won't really see very much spam after the first half an hour."

Others are more optimistic about the legislation, which will also deal with threats posed by the installation of malware on computers or unlawful collection of email addresses.

'Significant effect'

Peter Murphy, a privacy and technology lawyer at Gowlings in Toronto, thinks the legislation can be quite effective.

"It’s going to establish some significant enforcement rights for the CRTC to help combat spam," he says.

How to stay safe online

  • Protect yourself and your devices with anti-spam software, anti-virus programs and firewalls.
  • Never surf while using a public Wi-Fi network without enabling a firewall.
  • Don't use the @ symbol when you post your email address to a website; spell it out like this: jane at myDomain dot com.
  • Don't reply to a message if it looks suspicious.

Source: Government of Canada

"To the extent this law is targeting major spammers, it should have a significant effect at reducing that kind of spam. Those kind of major spammers will likely look to other places to carry on their activities."

That's not to say, however, that the legislation has been getting a rousing welcome, particularly from Canadian businesses trying to figure out how to comply with the legislation and keep up the electronic flow of communication with potential customers or clients.

"There has been criticism of the legislation from much of the business community because it is complicated legislation and it does create a burden on honest, non-spamming businesses to comply," says Murphy, who is co-leader of his firm's CASL group.

In the lead-up to the new law coming into effect, he recommended that businesses consider the types of commercial emails they send and whether they had the express consent of the recipients, or if some implied consent existed. If not, then they should send emails to obtain it. 

It's also important, he says, for businesses to offer an "unsubscribe mechanism" that allows people to opt out in a simple and easy way if they wish.

Late to the table

Canada's law, which was passed in December 2010, comes into effect years after other countries ranging from Australia to the United Kingdom and the United States enacted anti-spam legislation.

"Canada's rather late to the table and maybe that's why Canada's enacting such a strong and in some ways harsh law," says Murphy.

What's in a title?

Maybe it's easy to understand why everyone's calling it Canada's anti-spam law, or CASL.

The full title of the act passed in 2010 is a bit of a mouthful: An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.

"But that said, I don't feel that technology had made this irrelevant in any way."

While legitimate businesses are wrestling with how to ensure they comply with the legislation, those directly affected by the law are less likely to be too worried about it.

"The more legitimate the business, the more likely it is that they are going to be following the rules, but of course the people who are not following the rules already aren't going to follow the new rules," says Skillicorn.

And there are a lot of those folks out there in cyberspace, even if email programs and spam filters have become more effective at keeping offers to enlarge body parts or requests to help a destitute Nigerian prince out of inboxes.

Gary Davis, the chief consumer security evangelist at global computer security giant McAfee in Santa Clara, Calif., says the amount of spam circulating worldwide hit a record in the third quarter of 2013, when there were almost 8.5 trillion — yes, trillion — messages sent.

That number has fallen — marginally — to 7.5 trillion in the first quarter of this year. Legitimate emails, or emails that aren't spam, were considerably less: slightly more than two trillion.

Trying new things

Davis says the number of spam messages does vary a bit from time to time.

"The people that use these types of activities are always trying new things, so if for some reason spam isn't having the desired effect, they're going to try other techniques to either scam you or do something malicious."

According to an annual internet security threat report released in April by Symantec, 63 per cent of emails sent to Canadians last year were spam, a decrease from 65 per cent in 2012 and down from 80 to 90 per cent in the early 2000s.

"Globally as well as in Canada, the rate has been going down the last four years," says Kevin Haley, director of Symantec Security Response.

One major incident helped drive that decline.

"Two of the largest companies involved in pharmaceutical spam actually… got into a business dispute and instead of hiring lawyers, they hired hackers and they hacked each other out of business," says Haley.

But a lot of other spammers are still out there, and the international nature of their activities could make it harder for any one country to effectively stamp out spam at home.

"It will definitely help when you find your own homegrown hackers and cyberthieves, but you'll have a challenge when those people are out of the country," says Haley.

Getting around the rules

Davis says professional spammers know how to get around legislation.

"They'll create it from a country outside of Canada, where it's almost impossible for anybody to litigate against or adjudicate against."

Sex sells

According to Symantec's annual internet threat report issued in April, adult spam dominated in 2013, with 70 per cent of all spam sent related to adult content.

"These are often email messages inviting the recipient to connect to the scammer through instant messaging [IM], or a URL hyperlink where they are then typically invited to a pay-per view adult-content web cam site. Often a bot responder, or a person working in a low-pay, offshore call centre would handle any IM," Symantec said.

Spamming activities are also moving to other platforms such as social media, although the new legislation is supposed to address that, too.

Of course, the best defence against spam would be if those receiving it just didn't click on it.

But even with widespread awareness around it, temptation and human nature, along with more sophisticated spamming techniques, still seem to take people in. They click and, in many cases, end up spending money they didn't intend to, and would be hesitant to admit they fell prey.

"These techniques work and obviously because the barrier to entry is so low, it really has no distribution cost," says Davis.

Spammers refine their art and figure out what can grab somebody's attention.

"A lot of this is that they're getting better," says Davis.

"It used to be you could tell something was spam because it had a lot of bad grammar and just a lot of awkward … URLs.

"But they're getting very good at making it look like it's actually coming from a bona fide company." 

Davis says there's nothing spammers won't try.

"What makes them really good at their art is that they can spin these up and spin them down so quickly it's almost impossible to legislate against them or take an action against them because they can move around so quickly. They're very nimble."