CircleID

(Canada's Anti-spam Bill C-28 is currently going through the legislative process, and will be given 3rd reading and a final house vote before being sent to senate, sometime this week.)

From time to time, we see unenlightened comments about the efficacy of laws in the fight against spam. "Laws won't stop spam" being the most common.

No, they won't. What laws do is dissuade some people from undertaking shoddy mailing practices or even outright spam campaigns. Laws don't stop murder, rape and robbery either, but for those un-dissuaded who undertake such heinous crimes, we, as a society, have laws for punitive effect. They pay the price society exacts for their actions. C-28 will attenuate spam in Canada, and help us to fight spam internationally.

Recently, a press release from a small anti-spam company crossed my desk. It was filled with self-serving assertions like the one above, 'laws won't stop spam' and other incorrect facts.

I'd like to take a moment to dispel some rumours, and fear, uncertainty, and doubt (F.U.D.)

FUD #1: Canada is not a leading originator of spam

False. There have been credible reports over the past six months that indicate that there are webhosting companies in this country that host command & control nodes of some of the most pernicious botnets in the world. Spamhaus, at the time of this writing, lists Canada as the eighth — worst country in the world in terms of SBL (Spamhaus BlockList) entries, with 212 of them. See for yourself here

Abuse.ch, who track ZeuS, the largest phishing botnet, has an interactive map which clearly shows activity north of the 49th parallel

Or perhaps the anti-spam company, despite being self-proclaimed 'leading experts' is unaware of one Adam Guerbuez, who recently was found liable for a second time to having spammer millions of Facebook users illegally. We suggest a quick Google search to inform themselves might be in order.

FUD #2: C-28 will have no impact on extra-jurisdictional criminal spammers

False. A careful reading of bills C-28 & C-29 show that they make long overdue provision for law enforcement in this country, including creating a Spam Reporting Centre, teams to work to investigate spam, and most importantly, the ability of Canadian LEA to share information with agencies in other countries, something they are ironically prevented from doing under PIPEDA at present time.

FUD #3: The CRTC is charged with enforcing the law, and their Do-Not-Call list didn't work, so neither with C-28

Apples & Oranges. The application of Canada's new anti-spam bill is entirely different on any number of levels, for one, because it will be applied by not one, but three government agencies, initiatives coordinated under the rubric of a spam-reporting centre. Furthermore, the law has a private right of action, allowing private citizens to launch their own cases against spammers.

FUD #4: Businesses will be negatively impacted.

False. Businesses, both big and small have been repeatedly and consistently consulted under the C-28 development process starting as far back as The Federal Task Force on Spam in 2005. Business concerns have testified to parliament, and their comments incorporated into the revision between C-28 and its predecessor, C-27.

The Federal privacy legislation, PIPEDA, has been in place for a decade dictates that Canada is an opt-in régime. If a company is emailing now and is legal, they will very likely be legal under C-28, with some possible minor clarifications to their sending practices, such as header veracity (the subject line and From: addresses should not be falsified) and including a proper unsubscribe mechanism (most companies do this, anyway). C-28 will require explicit consent from businesses. That is a simple preventative measure and good practice, which they should be undertaking now, under PIPEDA. Otherwise, they could not prove to the Office of the Privacy Commissioner of Canada that they had in fact gathered an address in a legitimate fashion, were there an investigation launched.

FUD #5: The Anti-spam company implies that companies are unaware of C-28.

False. I can't understand how that could be unless company marketers don't read newspapers, are not on the Internet (and if they aren't on the Internet how could they possibly be sending email?), or seen nor heard numerous TV and radio pieces devoted to the subject. I've personally been interviewed any number of times in this regard.

Perhaps there are still some businesses that have not been made aware of C-28, or if they are aware that there are some small changes, they may need to make to their practices.

CAUCE has addressed both these concerns, by partnering with ThinData, Return tweaks and the law office of Kris Klein to release a simple-to-understand C-28 compliance guide. Since October when it was released, the guide has had tremendous uptake, having been publicized to the literally several thousands of email sender clients of ThinData and Return Path.

There is nothing sneaky, or underhanded nor difficult about C-28 compliance, but if a sender does have a particular need, the guide also provides ample pointers to additional resources including marketing and legal consulting services to help them ensure everything in order.

Lastly, once the law is passed, a series of regulations will be published in the Canada Gazette which will explain in specific detail how the law will be applied, and how it impacts esoteric issues such as address book uploads, or other emailing practices.

Clarity (in both official languages) has been a long-standing fundament of the entire C-28 development process, CAUCE would not have had it any other way and to imply differently is completely, totally wrong.

We will be sending a copy of the C-28 Compliance Guide (available for free, here), to that anti-spam company, so they too can ensure they are up to speed with the (soon to be) law.

In the interests of transparency: CAUCE directors Neil Schwartzman, Matt Vernhout, and Shaun Brown work for Return Path, ThinData, and The Law Offices of Kris Klein, respectively.

By Neil Schwartzman, Executive Director, CAUCE North America. Visit the blog maintained by Neil Schwartzman here.

Related topics: Cybercrime, Internet Governance, Law, Malware, Privacy, Spam