Section 8(1) of Canada’s Anti-Spam Law (CASL) prohibits the installation of a computer program on another person’s computer system without express consent. Compliance and Enforcement Decision CRTC 2022-132 dated May 19, 2022, indicates that this analysis is very technical and may in some circumstances require forensic computer evidence to make out a prosecution under this section of CASL.
In 2015, CRTC enforcement staff identified five Canadian Internet Protocol (IP) addresses linked to 1882914 Ontario Inc., operating as Datablocks Inc., and 2348149 Ontario Inc., operating as Sunlight Media Networks Inc., that appeared to be redirecting users to webpages hosting exploit kits.
In the course of its investigation, CRTC staff issued a Notice of Violation to each of Sunlight and Datablocks under CASL. The Notices of Violation alleged that there were reasonable grounds to believe that between 8 February 2016 and 30 May 2016, the two companies had each committed a violation of section 9 of CASL, by aiding, through their acts and omissions, in seven contraventions of section 8(1) of CASL, namely the installation, by an unknown person, of a computer program on another person’s computer system without express consent.
The Notices of Violation specified a penalty of $150,000 for Sunlight Media and $100,000 for Datablocks.
The companies responded to the Notices of Violation, denying that the evidence proved the alleged installation of malicious computer programs. Their responses included an expert report that they had commissioned. The CRTC also commissioned its own forensic examination, which confirmed the one commissioned by the companies.
The CRTC assessed the evidence and found that the Flash files were computer programs. It then assessed whether those computer programs were installed for the purposes of CASL. The CRTC noted that CASL does not define what constitutes the “installation” of a computer program.
The CRTC noted that CASL does not prohibit an attempt to install a computer program.
The CRTC noted that the investigator had not obtained access to the computers alleged to have been compromised. Upon review of the evidence, the CRTC concluded that the report’s conclusion about the installation of the Flash files was based on an indirect analysis and did not show if or where the computer programs were installed. There were alternative scenarios that could not be disproved without direct forensic evidence.
The CRTC concluded that there was no direct proof to establish, on a balance of probabilities, that the Flash files were installed on the subject computer systems. The CRTC also noted that, without a violation of section 8(1) of CASL, there could be no violation of section 9 of CASL.
In the absence of proof of a violation of CASL, the penalties set out in the Notices of Violation were not imposed.