Ian Scott to the “International Regulatory Responses” panel at the International Institute of Communications’ (IIC) Telecommunications and Media Forum
December 4, 2018
Ian Scott, Chairperson and Chief Executive Officer
Canadian Radio-television and Telecommunications Commission
Check against delivery
It’s a pleasure to be here with you today and to be taking part in this panel discussion.
The CRTC is well-known as an administrative tribunal that oversees Canada’s communication system in the public interest. We have been active participants at the IIC since its creation nearly 50 years ago, often sharing our perspective on broadcasting and telecommunications matters at conferences such as this one.
So it’s understandable that you may be less familiar with the role we have taken on over the last decade in the areas of privacy and cybersecurity. Since 2008, the CRTC has overseen Canada’s National Do Not Call List and worked to ensure telemarketers respect Canadians’ choice not to be bothered by unwanted calls.
And since 2014, we have promoted and enforced compliance with Canada’s anti-spam legislation.
Our CASL responsibilities
CASL, as it’s known, was born out of concerns expressed by Canadians about the quantity of spam that was flooding their inboxes at the time. They told legislators that something needed to change. Our government responded with a law that protects Canadians against spam, malware and other insidious online threats.
In broad strokes, CASL prohibits companies from sending commercial electronic messages—emails, social media and text messages—without recipients’ consent. It creates an opt-in regime. This means that companies that wish to send commercial electronic messages to consumers, or install software, must first obtain consent to do so. And all commercial electronic messages must provide the sender’s identification and contact information, as well as contain an unsubscribe mechanism that is easy to find and easy to use.
The notable thing about CASL is the fact that it is technology neutral. Recognizing the changing nature of online threats, legislators created a flexible and forward-looking law that empowered the CRTC and our enforcement partners to target not only spam emails, but also other online threats such as malware and botnets.
Although we share responsibility for enforcing CASL alongside two other agencies of the Government of Canada—the Competition Bureau and the Office of the Privacy Commissioner— the CRTC is the primary CASL enforcement agency. The law gives us the tools to investigate, act against and set monetary penalties for those violations, and others, that I just mentioned.
The cybersecurity ecosystem
Since CASL came into force four years ago, we’ve hit the ground running. I’ll speak in just a moment about the specific inroads we’ve made, but there’s a bigger-picture lesson that we’ve learned, and which is important to outline. It’s this: cybersecurity is an ecosystem.
Delivering cybersecurity isn’t a matter of zeroing in on email marketers or web hosting providers in isolation. These companies don’t act alone. They’re part of a much larger group of actors that includes technology, infrastructure and service providers. That’s what I mean when I say this is an ecosystem. Everyone and everything is interconnected and interdependent.
So, to make an impact in the cybersecurity world, we have to consider all players. We have to look across the entire landscape. We have to identify the touchpoints where we can reduce victimization and protect Canadians. Because when one player in the system fails to pull its weight, when it fails to do its part to keep out the bad actors, the door opens for those bad actors to move in and harm businesses and consumers.
The good news is that there’s another ecosystem in this landscape. That’s another lesson we’ve learned. There’s an ecosystem of cooperation and collaboration in which partners—regulators such as ourselves, private-sector actors, law enforcement agencies, domestic government agencies and foreign governments—work together to share information and best practices in an effort to protect consumers from harm.
It has to be that way. Cyber threats aren’t local or national. They’re global. They’re pervasive. Cybersecurity can not only impact individual privacy and people’s finances, but also national security, critical infrastructure and even democracy itself. And these threats are constantly changing. That’s why our enforcement approaches to counter them are evolving.
Evolving our enforcement approach
When CASL came into force, we focused on responding to Canadians’ needs—on cutting down the number of spam emails they received. A key part of our strategy to achieve that goal was ensuring that legitimate actors respected Canadians’ wishes to opt out of their commercial electronic messages.
More recently, we investigated two companies that were not sending spam emails to consumers, but spam text messages. That case was a first for us, and it demonstrated the extent to which CASL is flexible to respond to a wide variety of unsolicited commercial electronic messages.
While our early focus targeted unsolicited commercial emails, our approach has evolved since. We have not lost sight of spam emails and text messages, but we are shifting our attention to more egregious issues—botnet activities and malware installation—that represent significant threats to Canadians’ online safety.
This is a big issue to address. It’s a global issue that ignores borders. Wrong-doers can carry out their work half a world away. The good news is that, though it takes time to go directly after these actors where they live, we can take steps to shut down their activities in Canada today. To do so, we’re taking action to clean up the infrastructure in Canada that underpins the internet.
Specifically, we’re reaching out to companies that have not traditionally fallen within the CRTC’s regulatory purview: web hosting providers, email service providers and other infrastructure providers. We’re letting these companies know that they have a role to play to know who their customers are, to recognize their responsibilities under CASL, and to make sure they understand that they can’t turn a blind eye to bad actors.
In July, the CRTC’s Chief Compliance and Enforcement Officer took action against two companies that allegedly facilitated the installation of malware on consumers’ computers through online advertising. One of these companies accepted unverified and anonymous clients who used their ad network to distribute malware. Neither company had written contracts in place with clients that would bind them to comply with CASL, nor did they monitor how their clients were using their services. The companies were issued notices of violation with a total of $250,000 in penalties. The companies have since filed representations to contest these notices.
The Commission also recently issued an information bulletin to service providers and intermediaries about their responsibilities under CASL. In this document, we made it clear that companies that provide technology or services that underpin electronic commerce can be liable if they don’t do their due diligence or take appropriate measures to prevent violations.
We’re telling these businesses that it’s not enough to just collect their clients’ money every month and ignore their activities. They have to know who they’re working with, and put processes in place to prevent, report and stop abuses on their networks. These companies have responsibilities and liabilities that go beyond the simple profit motive—and we’re making sure they understand those obligations loud and clear.
At the same time, we’re showing the public that we’re serious about protecting their online safety, and we’re demonstrating transparency in our activities without compromising current and future investigations.
As I said a moment ago, cybersecurity is an ecosystem. We all contribute to its health.
Global solutions for global problems
I’ve spent a bit of time focusing on the specific work the Commission is doing to combat cyber threats in Canada. That’s not all we’re doing. We’re also collaborating with governments, enforcement bodies and the private sector around the world to make the global online ecosystem safer.
For example, the CRTC has signed a number of agreements with the Federal Communications Commission and the Federal Trade Commission here in the United States, and with our counterparts in the United Kingdom, New Zealand and Australia, among others. We use these agreements to share information and to learn best practices and new approaches that can help strengthen enforcement work worldwide.
The CRTC is also an active member of the Unsolicited Communications Enforcement Network—UCENet—which is a group of public- and private-sector entities that promotes spam enforcement and addresses telemarketing and spam-related problems, such as fraud, phishing and the spread of viruses. As a result of our membership in this network, we have signed memoranda of understanding with 12 enforcement agencies from eight countries. If you would like to get involved in this group, I strongly encourage you to do so.
In 2016, we collaborated with the IIC to organize a workshop on spam and other forms of nuisance communications during the Communications Policy & Regulation Week in Bangkok, Thailand. The report we issued following that workshop highlighted many of the same themes I just outlined to you. That cybersecurity is a global issue that requires global solutions. That part of the solution to protecting citizens in the online world is to engage in regular policy discussions, to leverage partnerships between the public and private sectors, and to work with groups like UCENet to address to promote cross-border enforcement cooperation.
I’d like to publicly acknowledge the IIC for recognizing the importance of these issues, and for taking the leadership to help address them. I know some of you here today participated in these discussions.
More than this, we hold regular conversations with major technology platform providers, cybersecurity vendors and researchers, and other groups that are working to eliminate online abuse. These private-sector organizations are critical to success. They’re key contributors to the ecosystem. They’re on the cutting edge of technology deployment and security issues. Just as significantly, they can be more agile than government.
I’ve spoken a fair bit about the cybersecurity ecosystem, and how everyone involved in this environment has a role to play in promoting security across this landscape. Online threats know no boundaries. They’re their own ecosystem: fluid, sophisticated and interconnected. It's a mistake to think that any one of us actors—regulators, legislators or even private businesses—can combat the problem on our own.
The good news is that even though the ecosystem of threats is connected across platforms and services, the ecosystem of solutions is just as robust. Every one of us in this room needs to work together across boundaries to combat online threats, minimize safe havens for malicious actors and increase security for the citizens we serve.
Toll-free: 1 (877) 249-CRTC (2782)
TTY: (819) 994-0423
Ask a question or make a complaint
Report a problem or mistake on this page
- Date modified: