
Canadian Parliament considers anti-malware law


The Canadian House of Commons is considering bill C-27, the Electronic Commerce Protection Act. In addition to providing civil penalties for unsolicited commercial e-mail (spam) and the unauthorized interception of e-mail (man in the middle attacks), it provides for similar penalties for the unauthorized installation of software.

The specifics of the software installation section of the bill are interesting. (Disclaimer: I’m not a lawyer, this isn’t legal advice, etc.)

  • The law would only apply to software installed "in the course of a commercial activity." Commercial activity is defined broadly (and circularly, with reference to activity of a "commercial nature"), but I think I understand the meaning.
  • The law would require "express consent" to software installation, which is explicitly stated to include "clearly and simply" describing the "function, purpose, and impact of every computer program that is to be installed." (Note that this is similar to section IIA of our badware guidelines, though it does not explicitly include the part about potentially unwanted behaviors.)
  • A party responsible for installing (or presumably distributing for installation) a piece of software would be required to provide contact info, valid for at least a year, through which someone could request the removal of the software. If the request is due to an inaccuracy in the disclosure, the installing/distributing party must assist in removing or disabling the software from the user’s computer.
  • All penalties are in the form of fines, intended to be commensurate with the extent of the violation. Maximum fines are CDN$1,000,000 for an individual and CDN$10,000,000 for any other party.

This legislation seems pretty good, and I particularly like that it focuses on a simple, clear expectation of informed consent. Of course, much of the badware problem is global, so this won’t be a panacea, but at least it will help the Canadian government go after certain types of badware that originate within their borders. Still, a few questions about the legislation:

  • Why is installing software without consent only an offense when it occurs "in the course of a commercial activity"? Stalking, espionage, mischief, and politics are all non-commercial motives to install spyware or malware without consent.
  • Who is/are the party/parties responsible for installing software via a drive-by download? Is it only an offense if the drive-by occurs on a commercial website?
  • Why no criminal penalties (e.g., prison sentences) for egregious cases where there is a clear intent to cause harm?
  • I found the section about providing contact information unclear. What, exactly, is a company supposed to do when someone calls to say, "I want this software removed from my computer?" The company is only expected to assist with removal if the disclosure was inaccurate, so what about when the user wants to remove the software for some other reason?

I think this legislation could be valuable even without answering these questions, but it would be really nice to know how these questions will be addressed. Do you have thoughts on this legislation? Let us know in the comments!
