
Canadian Government Quietly Pursuing New ISP Code of Conduct

Michael Geist

With the cost of cybercrime in Canada on the rise — a new report released last week by Symantec, a security software vendor, pegged the cost at $3.1 billion annually — my weekly technology law column (Toronto Star version) reports that the Canadian government is quietly working behind the scenes to create a new Internet service provider code of conduct. If approved, the code would technically be voluntary for Canadian ISPs, but the active involvement of government officials suggests that most large providers would feel pressured to participate.

The move toward an ISP code of conduct would likely form part of a two-pronged strategy to combat malicious software that can lead to cybercrime, identity theft, and other harms. First, the long-delayed anti-spam legislation features new disclosure requirements for the installation of software along with tough penalties for non-compliance. Recent comments from Industry Minister James Moore suggest that the government is ready to bring that law into effect. Second, the code of conduct would require participants to provide consumers with assistance should their computers become infected.

The proposed code, which is modeled on a similar Australian initiative dubbed the iCode, has been placed on a policy fast-track, with officials hoping to create a final version by the end of the year. The Australian version features a standardized notification system that requires ISPs to alert customers that their computer or electronic device may be compromised by malicious software (often referred to as botnets). The notification may include sending the customer to an information webpage advising them of the threat and the steps needed to address the problem. Repeated notifications may result in the customer having their Internet access suspended.

The Australian iCode also involves the creation of a comprehensive resource for ISPs on new cybersecurity threats and a reporting mechanism from ISPs to a centralized agency that gathers threat information. The approach has garnered support from other countries. South Africa adopted the iCode last year, while both Japan and Germany have implemented similar programs.

Yet not everyone is convinced that the iCode system actually works. When the U.S. began considering the Australian system in 2011, experts questioned its effectiveness. For example, the SANS Institute looked at the Australian results and concluded that the reduction in botnets was "insignificant." Moreover, Symantec highlighted the danger of fraudulent notifications, arguing that they could "aggravate the problem rather than alleviate it."

Notwithstanding the concerns, the Canadian government appears convinced that an ISP code of conduct is long overdue. According to government documents, Industry Canada quietly gathered the major Canadian ISPs in late July to present the concept of an industry code and the experience in other countries. The presentation noted that unlike current Canadian initiatives that do not include direct consumer support, the proposed code would require consumer assistance in addition to the creation of education programs, information sharing, and reporting requirements.

Last month, stakeholders were brought back for a follow-up meeting where government officials presented an ambitious timeline that envisions final approval on the code within the next three months.

One way to speed up the process appears to be the exclusion of any public participation. The government timeline offers several opportunities for ISPs and other stakeholders it has identified to comment on the draft code, but does not feature any public consultations or opportunities for feedback.

Despite the active government involvement, officials have worked hard to emphasize that the code would be voluntary, claiming that the approach will demonstrate industry consensus and that "the regime is not being imposed on the sector by the government." However, with the public excluded from the process and industry fears that the code could gradually expand into other issues, the rushed effort for a Canadian ISP code of conduct may need to slow down and give way to a more open, inclusive and transparent initiative.

By Michael Geist, Chair of Internet and E-commerce Law.

Related topics: Access Providers, Internet Governance, Malware, Policy & Regulation, Security

Comments

BRAVO Fred Showker  –  Oct 09, 2013 11:10 AM PST

I was so happy to read this article, I just had to comment.

In 2000 I published the "ISP Self Regulatory Initiative" in preparation for the FCC Spam Forums held in Washington D.C. 

What's more unfortunate is that the Canadians are the first to realize it, and nobody else has . . . and it took them almost two decades to catch up.

> the Canadian government appears convinced that
> an ISP code of conduct is long overdue.

But maybe Canada doesn't have any crooked ISPs.  They charge so much, there are probably no "hungry" ISPs either.  But we found that so many, mainly the BIGGEST are already making so much money leaving all the gates open, that they don't dare rock the boat or upset the status quo.

Unfortunate too that Canadians appear to be building a big band-aid instead of going after the root of the problem.  My initiative would still be far cheaper, immediately deployable and ultimately more effective.

When presented to Microsoft, Earthlink, AOL, Google and some of the other big providers, zero were interested in doing anything. "Cost too much" they said.  Even after we showed them it could cost a 10th of what it was costing at the time, they said not interested.

A shame. We could have been ten years ahead of where we are today.

Thank you very much for the article. 

f
