Canada’s new anti-spam law


John Levine

Taughannock Networks, USA
Editor: Helen Martin


With the passage of bill C-28 in December, Canada became the last of the G-8 countries to make spamming illegal. John Levine, who was involved in the development of the bill, outlines the new law and its implications.


Background of C-28

For many years, Canada has had a privacy law called PIPEDA, which is similar to EU privacy laws. While this should have made most kinds of spam illegal (since it’s illegal to trade in people’s email addresses), in practice it had little effect – partly because its application to email was only implicit, and partly because the role of the Privacy Commissioner isn’t designed to deal with uncooperative people. Ottawa professor Michael Geist successfully used a PIPEDA complaint to get a local sports team to stop sending him spam, but Montréal spam expert Neil Schwartzman has been unable to get a local spammer to stop sending advertisements for a worthless Canadian Subsidy Directory. (Neil tells me that the spammer dodged the Privacy Commissioner for at least a year by recognizing the Caller-ID and not answering the phone.)

In 2004, the government convened a Federal Anti-Spam Task Force (FAST-F). The task force filed its report in May 2005 [1], recommending among other things that Canada should pass a law that would clearly make spam illegal. The report received broad support, but for various political reasons it wasn’t until April 2009 that a bill (C-27) was introduced.

C-27 incorporated most of the recommendations included in the 2005 report, and had made most of its way to passage – including the key committee hearings – when Parliament was prorogued in December 2009.

In May 2010, a new bill, C-28, was introduced [2]. This was almost identical to C-27 and moved easily through the committees until it was passed and signed into law on 15 December 2010.

The law is due to come into force around September 2011. As is typical in Canadian law, many details are left for the relevant ministry, Industry Canada, to write in regulations during the coming months. The law is quite long: 80 pages in the official bilingual version. Its length is largely due to a complex enforcement scheme which is spread among several existing agencies, as well as to carefully worded definitions and rules that attempt to draw a clear line between the allowed and the forbidden, and to some minor special case language added to placate various commercial constituencies. The authors of the bill were quite familiar with spam laws in other countries, and attempted to craft it to avoid the pitfalls that have been seen elsewhere.

Unlike CAN SPAM and other laws, C-28 has no snappy abbreviation, or any moniker shorter than its official title: ‘An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act’. Early versions had a short title which was deleted in committee (one of the few changes they made) so we’ll just call it C-28.

The consent rule

The basic rule of C-28 is that commercial email may only be sent to people who have given their consent to receive it. Needless to say, the definitions of ‘commercial’ and ‘consent’ are not brief.

The definition of a commercial electronic message includes, along with the expected email advertisements, any text or voice ads – the intent being to cover instant messaging and other online media that are not SMTP email. It also includes any request for permission to send commercial messages (so there’s no ‘may I send you this spam?’ loophole) and the installation of software on another person’s computer. It specifically excludes live telephone calls, faxes and voice mail, which are regulated separately under telemarketing laws.

The law states that a sender must have either explicit or implied consent to send mail. Explicit consent is what it sounds like – the recipient must have said it was OK to send them that kind of message. When requesting consent, the purpose for which consent is requested must be set out clearly, and it must be clear who is asking.

Consent to receive commercial email is implied under certain conditions: for example, an existing business or non-business relationship, or a message sent to someone who’s published his address without a no-spam notice and the message is ‘relevant to the person’s business, role, functions or duties in a business or official capacity’. An existing business relationship is defined as having done business within two years, or sent an inquiry within six months.

‘Business’ is defined in some detail and includes barter and any kind of written contract. A ‘non-business relationship’ covers some special cases. It includes any political party, candidate or charity to whom one has made a donation, for whom one has done volunteer work, or attended a meeting, within the past two years. It also includes any club or organization to which one has belonged in the past two years.

Messages must include a means by which to withdraw consent, i.e. unsubscribe, by the same route the message arrived (typically return email), as well as via a web link. The method must continue to work for at least 60 days after the message was sent, and the unsubscription must be effective within 10 business days.

Section 10 of the bill lays out the rules for obtaining express consent. The rules for downloads (which I helped develop) are quite long, due to the need to distinguish among various different types. Reasonable downloads, such as updates to software the user has already purchased, are allowed, and unreasonable ones, like toolbars hidden in packages with other software, are not. Any software can be installed with express consent. For downloads, the consent process must describe what the software does, what effect it will have on the computer, specifically including the collection of personal information, interfering with the owner’s control of the computer, changing system settings, interfering with access to data on the computer, contacting other computers, and installing remote control software. Descriptions must be clear – no hiding the important parts in page 27 of an impenetrable boilerplate. Express consent is implied (yes, this is a bit tortured) if the download is a cookie, HTML code, JavaScript, an operating system, or a script executable by a previous download, so long as ‘the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.’

Transitional rules apply for the first three years after the law comes into force, grandfathering previously existing business or non-business relationships. (Or, to put it another way, businesses have three years to reconfirm their mailing lists.)

Other odds and ends

The act regulates some other online activities that don’t have much in common with spam other than the fact that they’re only acceptable if done with the user’s consent.

For example, Section 7 forbids altering ‘the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender’ without the express consent of the sender or recipient, or a court order, or for network management. This plugs a gap in wiretap law. The consent rules are the same as for mail, but with express consent only, no implied consent.

Section 8 regulates spyware and other downloads, discussed in more detail below.

Section 9 prohibits aiding, inducing, procuring, or causing to be procured anything that is forbidden in the earlier part of the bill. This short but important section follows the money, making it clear that the penalties for hiring a spammer are the same as for spamming directly. Other language makes company managers and officers responsible for the actions of their subordinates, thus removing the Casablanca defence (‘I’m shocked, shocked’) that has been effective in several CAN SPAM cases in the US.

Providers of downloads must specify an email address – good for at least a year – to which users can complain, and must assist users in removing the software without charge if the description was inaccurate.

C-28 amends the Competition Act to forbid false or misleading sender information or subject matter in an advertising electronic message, or a false or misleading representation in a ‘locator’, which generally means a URL. The Privacy Act is amended to outlaw address scraping software, the use of scraped addresses, and the collection of personal information via illegal remote access to a computer.


C-28 spreads enforcement among several existing government agencies. Most of it is enforced by the national telecom regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), which is analogous to the Federal Communications Commission in the US or Ofcom in the UK.

The parts about false and misleading advertising are enforced by the Competition Commissioner, which is somewhat analogous to the Federal Trade Commission in the US, or the Office of Fair Trading in the UK. The parts related to privacy are enforced by the Privacy Commissioner, analogous to the Information Commissioner in the UK, and which (unfortunately) has no US analogue.

The act allows undertakings similar to consent agreements, in which someone admits to one or more violations, promises to stop (and perhaps pays a fine), and in return is given immunity to all further action for whatever prior actions he admitted to.

For less cooperative violators, the law gives the CRTC extensive powers to investigate violations, including orders to preserve records, and to conduct hearings that are in effect civil trials. Court injunctions are available, with serious penalties for failure to comply: up to $25,000 for individuals and $250,000 for organizations. The overall fines for one offence – which may include a lot of related violations – can be up to $1 million for individuals and $10 million for companies.

Proceedings must start within three years of the violation, and a demonstration that the violator exercised due diligence to try to obey the law is specifically made a defence.

Unlike in most other countries, individuals who have received spam or been the victim of an illegal software download have a private right of action (PROA) to sue violators. The same rules apply as in CRTC actions, such as the three-year time limit, undertaking immunity, and due diligence as a defence.

The court can award $200 per spam, up to $1 million per day. The Competition Act provisions have serious consequences, with penalties of up to $200,000 and years in prison for violations.


Since Canada has a strong privacy law in PIPEDA, another lengthy section of the act describes the rules for disclosing and exchanging information relating to violations and investigations. Anyone can disclose information related to a violation to the CRTC, Competition or Privacy commissioners. The commissioners can disclose information related to an investigation to each other.

They are all allowed to disclose and exchange information with foreign agencies and international organizations (such as Interpol), so long as suitable protections are in place. The information can be related to Canadian cases, or to foreign cases under similar laws.

These provisions are very important, since most significant spam and malware activities are spread across multiple countries. In the past, Canadian investigators had been at a disadvantage due to a lack of certainty about what they were allowed to discuss with their foreign peers.

What it’s likely to mean

Depending on who you ask, C-28 is either the death of online advertising (and, by implication, the end of human civilization), or no big deal. The reality is somewhere in between.

Clearly, anyone who carries out commercial mailing to or from Canada will have to clean up their lists, and reconfirm them some time before 2014 if they don’t have proper documentation that the people on the lists want to be on them. They’ll also have to make sure that their confirmation and opt-out processes actually work. (You might think this would be obvious, but we’ve all seen plenty of evidence to the contrary.)

Anyone who provides downloadable software will similarly have to ensure that their installation-time consent process is adequate, that people can remove the software, and that they have a process to receive and handle consumer complaints.

Canada will also be able to cooperate more with international anti-spam efforts – something that many Canadian law enforcement officials are eager to do. Cooperation is still somewhat limited pending the passage of companion bill C-29 [3] which would amend PIPEDA to provide more general privacy exceptions for law enforcement.

One of the biggest open questions is how much effect this will have on mailers and download vendors in the United States. Although Canadian law clearly does not apply in the US, the economies of the two countries are so intertwined that all but the smallest US companies do business in Canada. Their internets are equally intertwined – for example, although I’m in the US, I use a mail hosting company in Toronto for both US and Canadian clients, so all of their mail is subject to C-28.

Some observers think that C-28 makes the much weaker CAN SPAM act in the US obsolete or irrelevant, since US mailers will in practice all have to follow the stricter Canadian law. I’m not sure I’m ready to write off CAN SPAM yet, if for no other reason than that Americans are remarkably ignorant of other countries, even the one next door. There are certainly bulk mailers in the US who skate by with minimal CAN SPAM compliance who will find themselves in legal trouble when their mail inevitably ends up in Canada, and the recipients sue.

For the next six months, the main activity will be the writing of the regulations. After that, Canada will finally join the rest of the developed world and make spam illegal.


[1] Stopping Spam: Creating a Stronger, Safer Internet. Report of the Task Force on Spam. h_gv00317.html.

[3] C-29 An Act to amend the Personal Information Protection and Electronic Documents Act (Safeguarding Canadians’ Personal Information Act).


