Home / Blogs

New Fear, Uncertainty and Doubt about Canada's Anti-Spam Bill C-28

Neil Schwartzman

(Canada's Anti-spam Bill C-28 is currently going through the legislative process, and will be given 3rd reading and a final house vote before being sent to senate, sometime this week.)

From time to time, we see unenlightened comments about the efficacy of laws in the fight against spam. "Laws won't stop spam" being the most common.

No, they won't. What laws do is dissuade some people from undertaking shoddy mailing practices or even outright spam campaigns. Laws don't stop murder, rape and robbery either, but for those un-dissuaded who undertake such heinous crimes, we, as a society, have laws for punitive effect. They pay the price society exacts for their actions. C-28 will attenuate spam in Canada, and help us to fight spam internationally.

Recently, a press release from a small anti-spam company crossed my desk. It was filled with self-serving assertions like the one above, 'laws won't stop spam' and other incorrect facts.

I'd like to take a moment to dispel some rumours, and fear, uncertainty, and doubt (F.U.D.)

FUD #1: Canada is not a leading originator of spam

False. There have been credible reports over the past six months that indicate that there are webhosting companies in this country that host command & control nodes of some of the most pernicious botnets in the world. Spamhaus, at the time of this writing, lists Canada as the eighth — worst country in the world in terms of SBL (Spamhaus BlockList) entries, with 212 of them. See for yourself here

Abuse.ch, who track ZeuS, the largest phishing botnet, has an interactive map which clearly shows activity north of the 49th parallel

Or perhaps the anti-spam company, despite being self-proclaimed 'leading experts' is unaware of one Adam Guerbuez, who recently was found liable for a second time to having spammer millions of Facebook users illegally. We suggest a quick Google search to inform themselves might be in order.

FUD #2: C-28 will have no impact on extra-jurisdictional criminal spammers

False. A careful reading of bills C-28 & C-29 show that they make long overdue provision for law enforcement in this country, including creating a Spam Reporting Centre, teams to work to investigate spam, and most importantly, the ability of Canadian LEA to share information with agencies in other countries, something they are ironically prevented from doing under PIPEDA at present time.

FUD #3: The CRTC is charged with enforcing the law, and their Do-Not-Call list didn't work, so neither with C-28

Apples & Oranges. The application of Canada's new anti-spam bill is entirely different on any number of levels, for one, because it will be applied by not one, but three government agencies, initiatives coordinated under the rubric of a spam-reporting centre. Furthermore, the law has a private right of action, allowing private citizens to launch their own cases against spammers.

FUD #4: Businesses will be negatively impacted.

False. Businesses, both big and small have been repeatedly and consistently consulted under the C-28 development process starting as far back as The Federal Task Force on Spam in 2005. Business concerns have testified to parliament, and their comments incorporated into the revision between C-28 and its predecessor, C-27.

The Federal privacy legislation, PIPEDA, has been in place for a decade dictates that Canada is an opt-in régime. If a company is emailing now and is legal, they will very likely be legal under C-28, with some possible minor clarifications to their sending practices, such as header veracity (the subject line and From: addresses should not be falsified) and including a proper unsubscribe mechanism (most companies do this, anyway). C-28 will require explicit consent from businesses. That is a simple preventative measure and good practice, which they should be undertaking now, under PIPEDA. Otherwise, they could not prove to the Office of the Privacy Commissioner of Canada that they had in fact gathered an address in a legitimate fashion, were there an investigation launched.

FUD #5: The Anti-spam company implies that companies are unaware of C-28.

False. I can't understand how that could be unless company marketers don't read newspapers, are not on the Internet (and if they aren't on the Internet how could they possibly be sending email?), or seen nor heard numerous TV and radio pieces devoted to the subject. I've personally been interviewed any number of times in this regard.

Perhaps there are still some businesses that have not been made aware of C-28, or if they are aware that there are some small changes, they may need to make to their practices.

CAUCE has addressed both these concerns, by partnering with ThinData, Return tweaks and the law office of Kris Klein to release a simple-to-understand C-28 compliance guide. Since October when it was released, the guide has had tremendous uptake, having been publicized to the literally several thousands of email sender clients of ThinData and Return Path.

There is nothing sneaky, or underhanded nor difficult about C-28 compliance, but if a sender does have a particular need, the guide also provides ample pointers to additional resources including marketing and legal consulting services to help them ensure everything in order.

Lastly, once the law is passed, a series of regulations will be published in the Canada Gazette which will explain in specific detail how the law will be applied, and how it impacts esoteric issues such as address book uploads, or other emailing practices.

Clarity (in both official languages) has been a long-standing fundament of the entire C-28 development process, CAUCE would not have had it any other way and to imply differently is completely, totally wrong.

We will be sending a copy of the C-28 Compliance Guide (available for free, here), to that anti-spam company, so they too can ensure they are up to speed with the (soon to be) law.

In the interests of transparency: CAUCE directors Neil Schwartzman, Matt Vernhout, and Shaun Brown work for Return Path, ThinData, and The Law Offices of Kris Klein, respectively.

By Neil Schwartzman, Executive Director, The Coalition Against unsolicited Commercial Email - CAUCE. More blog posts from Neil Schwartzman can also be read here.

Related topics: Cybercrime, Internet Governance, Law, Malware, Privacy, Spam

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

IP Addressing

Sponsored by Avenue4 LLC

Cybersecurity

Sponsored by Verisign

DNS Security

Sponsored by Afilias

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015