The Canadian Radio-television and Telecommunications Commission (CRTC)’s recent enforcement action serves as a reminder that organizations can be liable under Canada’s Anti-Spam Legislation (CASL) for failing to take appropriate steps to prevent abuse of their services by malicious actors.
To minimize the risks of non-compliance with CASL, organizations should take steps to appropriately vet their clients, follow current industry best-practices, and develop and implement CASL compliance programs.
On July 11, 2018, the CRTC issued a notice of violation to Sunlight Media Network Inc. (“Sunlight Media”) and Datablocks, Inc. (“Datablocks”). The CRTC levied a penalty against each company for “aiding” in the commission of an offence under CASL. In particular, they were cited as having helped execute a “malvertising” attack.
In this blog, we set out the context for the violation, review the law and comment on the possible implications of this decision.
The Technology: How Does Malvertising Work?
In internet parlance, “malvertising” refers to a scheme that uses advertising networks to deliver what would be colloquially identified as “viruses” but more accurately described as “malware.”
The scheme operates in the following way. A malicious party enlists the service of a (presumably) unwitting advertising service to place an advertisement online. The ads are scattered across the internet. When clicked – or sometimes, simply viewed – the ad secretively installs malware, called an “exploit program,” on the user’s computer. From there, the exploit program is able to install additional and far more destructive malware that might steal sensitive information, spy on the user or lock up the computer’s data and hold it ransom.
The Law: How Does CASL Address Malvertising?
Malvertising poses a significant risk to the safety, security and privacy of the public at large. To help mitigate this risk, CASL was equipped with provisions to deter and disrupt malvertising schemes.
Section 8 of CASL forbids a person from, among other things, installing “computer programs” on another person’s computer without his or her consent. A “computer program” is understood to be any data representing instructions or statements that causes the computer to perform a function. Even the most basic programs, like the “exploit program” referred to above, are thus caught by CASL.
For added protection, section 9 of CASL provides that any person who aids another person in commiting an offence under section 8 is liable for that same offence.
The CRTC is responsible for the investigation and enforcement of CASL. Enforcement may be done through, among other things, the assessment of an administrative monetary penalty of up to $1 million in the case of an individual offender or $10 million in the case of other persons (e.g. corporations).
Currently, private actions for CASL are unavailable. We discussed the indefinite delay of these provisions in a past blog post.
With the technological and legal context in mind, we may now turn to the CRTC’s recent enforcement measures taken against Sunlight Media and Datablocks.
The Parties
Sunlight Media and Datablocks are both in the online advertising business. Sunlight Media operates an advertising network. It accumulates ad space across a number of online publishers, and then connects advertisers to those publishers. This is accomplished by way of an auction that enables advertisers to bid on advertising space available on the network. Datablocks facilitates the auction process.
The Allegations
Reports issued by the University of California – Berkeley and cybersecurity companies Zscaler and FireEye had alleged that Sunlight Media and Datablocks were involved in disseminating malicious computer programs.
The CRTC investigated the claims, and found evidence that Sunlight Media and Datablocks’s technology had been used in the commission of a malvertising scheme.
How Was CASL Applied?
In the CRTC’s view, Sunlight Media and Datablocks had “aided” the malicious actor in executing the malvertising scheme within the meaning of section 9 of CASL.
The CRTC pointed to a number of acts in support of its position:
- Providing the technical means to execute the malvertising scheme
- Actively working to attract non-CASL compliant clientele
- Promoting services that “foster” violations of section 8
- Doing business with clients publicly known for facilitating section 8 violations and “other non-recommended practices”
- Facilitating anonymous use of the advertising network by allowing suspicious sign-ups and accepting cryptocurrency as payment
The CRTC also cited specific omissions to support its view that Sunlight Media and Datablocks had “aided” the malicious actor.
In particular, the CRTC noted a failure to take action following alerts from the Canadian Cyber-Incident Response Centre indicating that Sunlight Media and Datablocks’s services had been used to distribute malware as early as 2015.
The CRTC identified specific industry practices that Sunlight Media and Datablocks ought to have taken, including:
- Implementing written contracts with clients, binding them to comply with CASL
- Implementing monitoring measures governing clients’ use of services
- Developing and implementing CASL compliance policies
Administrative Penalty
The CRTC considered Sunlight Media and Datablocks as having financially benefitted from the malicious actor’s scheme.
This appears to have been based on no more than their business model of selling advertising generally. No evidence was cited indicating active co-operation on the part of Sunlight Media and Datablocks. A penalty of $100,000 was assessed against Datablocks, and a penalty of $150,000 was assessed against Sunlight Media.
For further reading on administrative penalties levied under CASL, see Nathan Schissel’s post on the “First Significant Penalty issued Under Canada’s Anti-Spam Law.”
Takeaways
It is significant that advertising companies have now been penalized for “aiding” malvertising schemes. Also of significance is the way in which the CRTC established liability.
Interestingly, a review of the “acts” cited by the CRTC indicates that the main act Sunlight Media and Datablocks were engaged in was operating their respective businesses. The other “acts” are arguably better characterized as omissions, particularly omissions relating to vetting their clientele. This matter seems, then, to be more about steps Sunlight Media and Datablocks didn’t take, rather than ones they did.
The CRTC’s summary report indicates that a failure to follow industry best practices may contribute to a finding that an advertising company has “aided” a malvertising scheme in the CASL context.
This represents a need for organizations in the business of online advertising to actively engage with industry best practices like the ones singled by the CRTC and otherwise to prevent the abuse of advertising services by malicious actors.
More broadly, there is every reason to believe that CASL violations outside the online advertising context may well be established in a way similar. The digital landscape is highly fragmented, with multiple actors routinely involved in the delivery of end-user digital services. If one actor fails to prevent a CASL violation, following the reasoning in Sunlight Media and Datablocks, that actor may be subject to an administrative penalty.
The technology group at MLT Aikins has the expertise to assist your business in navigating CASL and other tech law issues. Please contact us for further information.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.