#CyberFLASH: CRTC launches Niagara malware investigation

The warrant was obtained as part of an ongoing investigation relating to the installation of malicious software (malware) and the alteration of transmission data. The CRTC launched its investigation following a lead from FireEye Inc., a vendor specializing in cyber threat protection and forensics.

“We are working to protect Canadians from online threats by pursuing those individuals and entities who violate Canada’s anti-spam legislation,” Manon Bombardier, CRTC’s chief compliance and enforcement officer, said in a news release. “We are grateful for the assistance that FireEye Inc. provided which led to the execution of this warrant, and we will continue to work closely with our domestic and international partners in the fight against cyber threats.”

Canadians are encouraged to report spam, malware and other electronic threats to the Spam Reporting Centre. The information sent to the Centre is used by the CRTC, the Competition Bureau and the Office of the Privacy Commissioner to enforce Canada’s anti-spam legislation.

The CRTC does not comment on active investigations, nor does it name the individuals or companies under investigation.

Read more here

#CyberFLASH: Why Canada’s Telecom Regulator Is Suddenly Acting More Like the Cops

“If you abide by the law, you have nothing to fear.”

These might sound like the words of a police chief or FBI official, but they were actually spoken in 2014 by Jean-Pierre Blais, the buttoned-down head of Canada’s equally buttoned-down telecommunications regulator, the Canadian Radio-television and Telecommunications Commission. At the time, Blais was announcing the CRTC’s role in enforcing Canada’s newly introduced anti-spam legislation, or CASL.

The message was clear: the CRTC is ready to get its hands dirty. And now it finally has.

In November of 2015, CRTC inspectors executed the first search warrant in the regulator’s nearly 50-year history. They entered a building in Brampton, Ontario to retrieve documents as part of a telemarketing investigation. Less than a month later, the CRTC executed yet another warrant, this time under CASL, shutting down a botnet server in Toronto as part of an international operation involving multiple agencies.

So far, it looks as though the CRTC is living up to Blais’ tough talk in 2014. And yet, knocking on doors and executing warrants seems a lot like something the cops would do, not a federal regulator in Canada.

The CRTC’s new attitude has its roots in the passing of Bill C-37 in 2005. This amended the Telecommunications Act to give the regulator new powers to enter and inspect businesses and places of interest, seek warrants to inspect people’s homes, and levy fines against telemarketers. The bill also created the National Do Not Call List (DNCL).

Read more here

#CyberFLASH: CRTC settles alleged CASL violation

On November 20, 2015, the Canadian Radio-television and Telecommunications Commission (“CRTC”) announced that Rogers Media Inc. paid $200,000 as part of a settlement of alleged violations of Canada’s anti-spam legislation (commonly known as “CASL”). The alleged CASL violations included the sending of commercial electronic messages containing a deficient unsubscribe mechanism.


CASL creates a comprehensive regime of offences, enforcement mechanisms and potentially severe penalties designed to prohibit unsolicited or misleading commercial electronic messages (“CEMs”), the unauthorized commercial installation and use of computer programs on another person’s computer system and other forms of online fraud.

For most organizations, the key parts of CASL are the rules for CEMs. Subject to limited exceptions, CASL prohibits the sending of a CEM unless the recipient has given informed consent (express or implied in limited circumstances) to receive the CEM and the CEM complies with prescribed formalities (including an effective and promptly implemented unsubscribe mechanism) and is not misleading.

CASL and its regulations require that a regulated CEM “clearly and prominently set out” an unsubscribe mechanism that is “able to be readily performed”. CRTC guidance explains that an unsubscribe mechanism must be accessible “without difficulty or delay” and “simple, quick and easy” for a consumer to use. CASL requires that a CEM sender give effect to an unsubscribe request “without delay” and in any event no later than 10 business days after the unsubscribe request has been sent, all without any further action on behalf of the unsubscriber.

CASL and its regulations also require that a regulated CEM “clearly and prominently” set out prescribed information, including the name and contact information of the CEM sender, that remains valid for a minimum of 60 days after the CEM is sent.

Read more here

#CyberFLASH: CRTC needs stronger warnings on privacy

Have you ever been bugged by unwanted calls?

Canada’s telecom regulator is looking at technical solutions to protect Canadians from telemarketing calls, especially those from overseas using caller ID spoofing to disguise their origin.

The CRTC posts comments at its website, along with the contact information of the person submitting them — including the name, address, email address and, yes, the phone number.

“Hope these folks are aware their ‘interventions’ are posted for all to see,” said Jay Dell-Mah, who alerted me after following a link in my previous column about threatening calls from fraudulent tax collectors.

“Too bad the CRTC didn’t consider the irony of having the protectors of our privacy publishing the very material of interest to the pirates.”

I asked the CRTC why it posted contact information when you submitted a comment. Couldn’t it collect information to verify your identity without exposing it online?

I also got in touch with a number of people who contacted the CRTC about unwanted calls, picking them at random from the 139 comments posted so far. The consultation ends Jan. 11, 2016.

Here are my conclusions:

  • The CRTC should warn people in bold print that every contact detail they submit will appear online.
  • People who complain about telemarketers blocking their phone numbers should make sure to shield their own phone numbers from the CRTC.

Read more here

#CyberFLASH: CRTC fines two home improvement companies $170,000 for violating telemarketing rules

Manon Bombardier, CRTC Chief Compliance and Enforcement Officer, is laying down the law once again. Two home improvement companies have been fined for violating telecommunications rules and have been ordered to pay a hefty sum.

The CRTC’s investigations found that Canadian Choice Home Improvements Inc. was registered but failed to subscribe to the National Do Not Call List (DNCL), while Le Groupe Hydro Hvac Inc. had not registered nor subscribed to the list, making unsolicited calls to Canadians with numbers registered on the DNCL.

Canadian Choice Home Improvements has paid $140,000 in administrative penalties and Le Groupe Hydro Hvac Inc. has paid $30,000. Both companies have now agreed to act in accordance with the telecommunications rules moving forward.

Bombardier stated, “Canadians play an important role in our investigations of unwanted telemarketing calls by providing clear and complete information when filing a complaint. In this case, their information assisted us in bringing these two companies to conform to the Unsolicited Telecommunications Rules. Today’s announcement is another reminder to all telemarketers that compliance with the Rules is not optional.”

Read more here

#CyberFLASH: Mapping Out the CRTC Blueprint for Universal Affordable Internet Access

In the wake of nearly two decades of study, debate, task forces, and government programs, Canada’s telecommunications regulator has begun to unveil its blueprint for ensuring that all Canadians have access to affordable, high-speed Internet services. If the plan rolls out as many expect, Canadians in urban areas will benefit from a more competitive environment for high-speed fibre services, while consumers in rural and remote areas will be guaranteed access through a clear legal commitment to universal broadband service.

My weekly technology law column (Toronto Star version, homepage version) notes that part one of the blueprint was released last week as the Canadian Radio-television and Telecommunications Commission rejected opposition from large cable and telecom providers by ordering them to offer independent Internet providers wholesale access to emerging high-speed fibre networks.

The decision on wholesale access is the latest skirmish in a long-running battle pitting telecom giants such as Bell and Telus against upstart providers like TekSavvy and Distributel. Recognizing the advantages held by incumbent providers who enjoy direct connections to consumers (the so-called “last mile”), Canadian regulations foster a more competitive environment by requiring the incumbents to grant independent providers sufficient access to allow for alternative consumer choice.

The system has succeeded in developing some credible independents, yet the market remains dominated by the larger players. Part of the problem has been the steady stream of technical and regulatory challenges faced by smaller entrants, who seemingly have little choice but to take each dispute to the CRTC, leading to costlier offerings, slower speeds, and less product differentiation.

Read more here

#CyberFLASH: Canada’s Anti-Spam Law Must Be Taken Seriously: The Case Of Porter Airlines

Last June 29th, Porter Airlines Inc. agreed to pay $150,000 pursuant to an agreement with the Canadian Radio-television and Telecommunications Commission (CRTC), for alleged violations of Canada’s anti-spam law. Porter Airlines was indeed under investigation by the CRTC for these alleged violations.

On January 1st, 2014, the majority of the provisions of Canada’s anti-spam legislation came into force. These provisions include those governing the transmission of unsolicited electronic messages for commercial reasons to recipients. It is, however, relevant to note that on January 15, 2015, the provisions of the Act dealing with the unsolicited installation of computer software came into force, while the provisions providing for the right to institute a private action against infringers will come into force only on July 1, 2017.

The last 18 months have revealed that the CRTC intends to set examples to ensure that Canada’s anti-spam law is respected. In this regard, the recent case of Porter Airlines offers a striking example of the broad scope of this law, as well as the possible consequences of breaching its provisions, even unintentionally.

The Anti-Spam Act: Rules and Interdictions

Since January 1st, 2014, a company may not send unsolicited commercial electronic messages without obtaining the consent of the recipient. A commercial electronic message is defined as an e-mail of which the purpose is to encourage the recipient to participate in a commercial activity. This includes advertisement, offers to purchase or sell, as well as business or investment opportunities.

The recipient’s consent may be implicit in certain situations specifically provided for in the Act, such as when an “existing business relationship” exists between the sender and the recipient. If no implicit consent exists, the recipient’s consent needs to be expressed.

A request for consent must include specific information, including the purpose for which the consent is being sought and the information necessary to identify the person soliciting the recipient. Each commercial electronic message targeted by the Act must contain an “unsubscribe mechanism” allowing the recipient to freely express his willingness to stop receiving any commercial electronic messages.

Read more here

#CyberFLASH: Privacy law and anti-spam: Guidance from the Office of the Privacy Commissioner of Canada

Recent enforcement under Canada’s anti-spam legislation (CASL) by the Canadian Radio-Television and Telecommunications Commission (CRTC) is keeping the spotlight on this new legislation, which came into force just last year. While the CRTC is responsible for the bulk of enforcement under CASL, organizations should remember that CASL also brought in changes to Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to the collection, use and disclosure of personal information (including individuals’ email addresses).

The federal Office of the Privacy Commissioner of Canada (OPC) is responsible for investigating violations related to the new provisions under PIPEDA that target the practice of address harvesting. Address harvesting generally involves collecting electronic addresses through the use of a computer program, such as through web scraping, spyware, or automatic generation.

The OPC recently issued a guide and tip sheet for organizations on practical steps to take to avoid contravening the PIPEDA requirements, including:

1. Obtain consent: Organizations must ensure that individuals are informed clearly and accurately at the point of collection about how their email addresses will be used. Just because an email address is posted online, it cannot be assumed that the individuals at the addresses posted have provided consent to receive email marketing. It is also useful to remember that there is no exception for address harvesting of business email addresses; PIPEDA’s definition of personal information includes business addresses.

2. Due Diligence with Service Providers: If an organization buys a list of email addresses from a vendor or employs service providers to conduct email marketing on their behalf, they should take due diligence steps by asking key questions, such as:

Read more here
