Written by Martin P.J. Kratz, QC
Canada’s anti-spam law (CASL) addresses much more than unwanted commercial messages. CASL also prohibits, among other things, installation of software onto a person’s computer without consent. The Canadian Radio-television and Telecommunications Commission (CRTC) exercises enforcement powers in respect of the software provisions of CASL.
The CRTC reported on July 11, 2018, that its chief compliance and enforcement officer has issued Notices of Violation to Datablocks and Sunlight Media for allegedly aiding in the installation of malicious computer programs through the distribution of online advertising. This is the first time the CRTC has taken action against the installation of malicious software through online ads under CASL.
Datablocks and Sunlight Media operate in the online advertising industry. The CRTC advised that online advertisements are a leading means for the distribution of malware. The CRTC reported that Sunlight Media, the ad network, uses Datablocks’ bidding platform to operate as a broker between advertisers and publishers.
The CRTC action included penalties of $100,000 for Datablocks and $150,000 for Sunlight Media. The CRTC alleged that Sunlight Media violated CASL by accepting unverified, anonymous customers who used its services to distribute malware. The CRTC further alleged that Datablocks provided those anonymous customers of Sunlight Media’s clients with the necessary infrastructure and software to compete in real time for the placement of their ads. Those ads, however, contained malicious computer programs.
The CRTC identified a number of CASL compliance deficiencies in both Datablocks’ and Sunlight Media’s operations, including that their agreements with customers did not require compliance with CASL, that they did not monitor how customers used the service, and that they did not have CASL compliance policies or procedures in place. The CRTC also alleged that it notified both companies about the cybersecurity issues in 2016 but that neither company implemented basic industry cybersecurity safeguards.
Datablocks and Sunlight Media may choose to dispute the penalties and so we may learn more about the details of this case in due course.
The lessons from this enforcement action include that all businesses using online commercial communications should implement CASL compliance policies. That is especially the case for participants in the online advertising industry.
Another important lesson for online service providers is to seek to know your customers and monitor their use of your service. This allows remedial action to be taken should the customers violate the terms of such services, and may both protect the service and infrastructure from misuse and enhance regulatory compliance by the online service provider.