This article talks about things in the Anti-Spam Act that are not directly related to spam.
This is the third of a series of 5 articles that will introduce the Act, describe what spam is and is not, talk about collateral provisions, what we can do now, and some of the challenges going forward.
The Act contains anti-spyware provisions – the goal being to eliminate spyware, malware, and other malicious software.
You may recall the Sony copy protection rootkit scandal from 2005, in which Sony music CDs automatically installed digital rights management software on users’ computers without their knowledge or consent. This software made operating systems more vulnerable to third-party attacks and could be used to collect and transmit information about computer use back to Sony. Under the Act, such practices will be prohibited.
The Act applies to all software installed on someone’s computer. The definitions of computer program and computer system are very broad. They include software installed on smart phones, tablets, e-book readers and – since almost everything includes some kind of computing power these days – even things such as PVRs and cars.
The Act prohibits the installation of computer programs and the transmission of electronic messages from a computer program unless the creator of the software has express consent from the owner or authorized user of the computer system.
Express consent may only be obtained if there is a notice to the user containing prescribed information about the software, and if it clearly and simply describes the function and purpose of the program or program update to be installed.
In addition, if a program performs certain undesirable functions then more prominent and explicit disclosure is required. The Act contains a list of functions often found in spyware, malware, and other types of malicious software, including:
- Collecting personal information stored on the computer;
- Interfering with the authorized user’s control of the computer;
- Unknowingly changing or interfering with data;
- Unknowingly changing or interfering with settings, preferences or commands;
- Causing the computer system to communicate with another computer system; and
- Installing a program that may be activated by a third party without the user’s knowledge.
If software contains one of these functions, the user must be told the reasonably foreseeable impacts of these functions.
Software vendors may need to amend their end user license agreements (EULAs) to comply. Some circumstances will require specific permission with full disclosure before the change can be made, regardless of the contents of a EULA.
Software vendors may want to consider whether changing from a traditional installed software model to a hosted SaaS or cloud model will avoid some of these issues.
Canadian software creators – indeed any entity selling software to Canadians – will need to review the Act, given the significant potential fines and consequences to directors and officers if there is a violation.
Telecommunications service providers, meaning an ISP or anyone providing telecommunications services, can be ordered to preserve transmission data for 21 days to facilitate investigations under the Act.
The Act also includes provisions under which anyone can be ordered to produce documents to facilitate investigations, and allows warrants to be issued to enter premises to facilitate investigations.
PIPEDA (the Personal Information Protection and Electronic Documents Act) has been amended to make it a privacy breach to harvest email addresses by electronic means.
New deceptive marketing practices have been added to the Competition Act, including:
- sending a false or misleading representation in the sender information or subject matter information of an electronic message;
- sending in an electronic message a representation that is false or misleading in a material respect; and
- making or causing to be made a false or misleading representation in a locator (e.g., a URL).
The next article will discuss things we can do now to prepare for the Act.