McCarthy Tétrault Advance™ Building Capabilities for Growth Canada’s Anti-spam Law (CASL): Navigating the Computer Program Provisions April 30, 2014 McCarthy

McCarthy Tétrault Advance™Building Capabilities for Growth

Canada’s Anti-spam Law (CASL): Navigating the

Computer Program Provisions

April 30, 2014

McCarthy Tétrault LLP / mccarthy.ca #13392852

Daniel G. C. Glover, PartnerDirect Line: (416) 601-8069E-Mail: [email protected]

Question:

What countries have anti-malware/spyware laws that are similar to those in CASL?

McCarthy Tétrault LLP / mccarthy.ca / #13392852 2

McCarthy Tétrault LLP / mccarthy.ca / #13392852

3

3

CASL = MORE THAN MALWARE/SPYWARE

• Applies to “computer programs” as meaning “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function”.

• Broad definition

• Includes apps and updates


CASL = MORE THAN MALWARE/SPYWARE

• Applies to installation of programs on another person’s “computer system” = “a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function”.

• Could include servers, PCs, smartphones, tablets, ebook readers, the “Cloud”, websites and web services, industrial machines, appliances, smart medical devices, autos, thermostats and other consumer products.


WHAT ACTS DOES CASL APPLY TO?RIAS: CASL will only apply to the installation of computer programs on another person’s computer system. CASL will not apply to installations carried out by persons on their own computing devices.

¬A consumer buys a program on disc and installs it on a home computer?

¬ Fairly clear, but need express consent for update/upgrade

¬A manufacturer pre-installs a program on a device and sells the product to consumers?

¬ Need express consent for update/upgrade¬ How to get express consents for smart devices?


WHAT ACTS DOES CASL APPLY TO?RIAS: CASL will only apply to the installation of computer programs on another person’s computer system. CASL will not apply to installations carried out by persons on their own computing devices.

¬A retailer offers computer services such as to install software or to repair or configure computers or installs updates?

¬ How is it possible to disclose?

¬A person goes to a website to download a program?

¬ Who is installing the program:

¬ the user?¬ the site operator?¬ both acting in concert?


McCarthy Tétrault LLP / mccarthy.ca

CASL REACHES ACROSS BORDERS (s. 8(2))

Computer program provisions apply:

¬if the computer system is located in Canada at the relevant time or

¬if the person either:

¬ is in Canada at the relevant time or

¬ is acting under the direction of a person who is in Canada at the time when they give the directions

Will foreign clients consider geo-blocking?McCarthy Tétrault LLP / mccarthy.ca #13392852 8

THE PROHIBITIONS (s. 8(1)) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless:

(a)the person has obtained the express consent of the owner or an authorized user of the computer system and complies with [the disclosure requirements of] subsection 11(5); or

(b)the person is acting in accordance with a court order. [Rare]


DEEMED “EXPRESS” CONSENT (s. 10(8))A person is considered to expressly consent to the installation of a computer program if:

a)the program is:

i. a cookie,ii. HTML code,iii. Java Scripts,iv. an operating system,v. any other program that is executable only through the use

of another computer program whose installation or use the person has previously expressly consented to, or

vi. any other program specified in the regulations; and

b)the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.


DEEMED EXPRESS CONSENT QUESTIONS

¬ Is disclosure still required?

¬ What is a “cookie”?

RIAS: Insofar as cookies are not executable computer programs, and they cannot carry viruses and cannot install malware, and are simply lines of text or data that are read from a web browser, they are not computer programs for the purposes of CASL

¬ How can you measure the person’s “conduct”?

¬Does “conduct” = “reasonable expectations”?

¬How does one document proof of “conduct”?


DEEMED CONSENT FOR SMART DEVICES?

RIAS: In addition, the software on some computer dedicated systems in automobiles may be “operating systems”, such as computers that operate specific functions like braking. There is deemed consent to update that as operating systems under the Act.

¬Where is the dividing line between an O/S and other functions?

¬What other kinds of devices could qualify?


McCarthy Tétrault LLP / mccarthy.ca #13392852 13

•

GETTING EXPRESS CONSENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS

Obtaining consent: s. 10(1): A person who seeks express consent must, when requesting consent, set out clearly and simply the following information:

(a) the purpose or purposes for which the consent is being sought;

(b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and

(c) any other prescribed information.


MINIMUM DISCLOSURE (s. 10(3))

“Minimum disclosure” applies to computer programs generally:

A person who seeks express consent, must when requesting consent, also, in addition to setting out any other prescribed information, must clearly and simply describe, in general terms the function and purpose of the computer program that is to be installed if the consent is given.


CONSENT MUST BE “SOUGHT SEPARATELY”

14. … in order to meet the requirement of seeking consent separately, the person seeking consent must identify and obtain specific and separate consent for each act contemplated by the sections of the Act...

15. For example, … persons must be able to grant their consent for the installation of a computer program while refusing to grant their consent for receiving CEMs. However, the Commission does not consider it necessary for consent to be sought separately for each instance of the acts listed in paragraph 13 above...


REQUESTS CAN’T BE SUBSUMED OR BUNDLED WITH TERMS & CONDITIONS

16. The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. The underlying objective is that the specific requests for consent in question must be clearly identified to the persons from whom the consent is being sought. For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.


DIFFICULTIES OF CONSENT

¬ Implied consents cannot be relied upon. Only express consents are valid, assuming compliance with the disclosure requirements.

¬ The CRTC suggests that written agreements or click-wraps will comply if the consent is not bundled in the agreement. Enhanced consent requires a specific acknowledgement from the person consenting.

¬ Web wrap agreements will likely not comply.


GETTING EXPRESS CONSENTS TO INSTALL PROGRAMS

CRTC Reg s. 4. For the purposes of ss. 10(1) and (3) of the Act, a request for consent may be obtained orally or in writing and must be sought separately for each act described in ss. 6 to 8 of the Act and must include …

(e) a statement indicating that the person whose consent is sought can withdraw their consent.

Problem: How can consent be withdrawn for a program that is already installed?


WHAT IS WRITTEN CONSENT?

24. … the term “in writing” includes both paper and electronic forms of writing.

25. The Commission considers that the requirement … is satisfied by information in electronic form if the information can subsequently be verified.

26. Examples of acceptable means of obtaining consent in writing include checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and filling out a consent form at a point of purchase.


If the computer program meets a “malware” or “spyware” criterion, the person must “clearly and prominently, and separately and apart from the licence agreement,

(a)describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and

(b)bring those elements to the attention of the person from whom consent is being sought in the prescribed manner”.

DISCLOSURE REQUIREMENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS


21

21

ENHANCED DISCLOSURE (S. 10(4))

The enhanced disclosure standard applies where the program performs functions that the person knows and intends will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user of the computer…

¬Imports a subjective intent element (for installer) and an objective standard (for user)



22

22

ENHANCED DISCLOSURE TRIGGERS (s. 10(5))

¬ collects personal information; ¬ interferes with control of the computer; ¬ changes or interferes with settings preferences or

commands; ¬ obstructs, interrupts, or interferes with access to data; ¬ causes the computer to communicate with another

computer without authorization;¬ installs a program that can be activated by a third party;¬ installs a bot; or ¬ performs any other function set out in the regs; [none yet]

but not if the function only collects, uses or communicates transmission data or performs an operation set out in the regs



23

23

LISTED FUNCTIONS (s. 10(5)-(6))


•

EXCEPTIONS FOR SOFTWARE UPDATES, UPGRADES AND PATCHES (s. 10(7))

Formalities for obtaining express consent (ss. 10(1) and (3)) not required to install an update or upgrade so long as the installation or use of the computer program being updated was expressly consented to and the person who gave the consent is entitled to, and does receive the update under the terms of the express consent.

Problems:

¬No explicit exception that permits installation of an update or upgrade without consent.

¬The original consent to install a program must include a consent to install updates or upgrades or they cannot be installed without requesting and obtaining a new consent.


NEW EXEMPTIONS – IC REGS, s. 6

• network security

• updates and upgrades to a network

• correcting computer program failures.

Exemptions available only if “the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation”. (s. 10(8)(b))

¬ To be dealt with by Michael Fekete and Howard Fohr in the next presentation


THREE-YEAR TRANSITION

s. 67: If a computer program was installed on a person’s computer system before section 8 comes into force, the person’s consent to the installation of an update or upgrade to the program is implied until the person gives notification that they no longer consent to receiving such an installation or until three years after the day on which section 8 comes into force, whichever is earlier.


VANCOUVERSuite 1300, 777 Dunsmuir StreetP.O. Box 10424, Pacific CentreVancouver BC V7Y 1K2Tel: 604-643-7100 Fax: 604-643-7900 Toll-Free: 1-877-244-7711

CALGARYSuite 4000, 421 7th Avenue SWCalgary AB T2P 4K9Tel: 403-260-3500 Fax: 403-260-3501 Toll-Free: 1-877-244-7711

TORONTOBox 48, Suite 5300Toronto Dominion Bank TowerToronto ON M5K 1E6Tel: 416-362-1812 Fax: 416-868-0673 Toll-Free: 1-877-244-7711

MONTRÉALSuite 25001000 De La Gauchetière Street WestMontréal QC H3B 0A2Tel: 514-397-4100 Fax: 514-875-6246 Toll-Free: 1-877-244-7711

QUÉBECLe Complexe St-Amable1150, rue de Claire-Fontaine, 7e étageQuébec QC G1R 5G4Tel: 418-521-3000 Fax: 418-521-3099 Toll-Free: 1-877-244-7711

UNITED KINGDOM & EUROPE125 Old Broad Street, 26th FloorLondon EC2N 1ARUNITED KINGDOMTel: +44 (0)20 7489 5700 Fax: +44 (0)20 7489 5777

McCarthy Tétrault LLP / mccarthy.ca #13392852

Documents

McCarthy Tétrault Advance™ Building Capabilities for Growth Canada’s Anti-spam Law (CASL): Navigating the Computer Program Provisions April 30, 2014 McCarthy