Canadian Spam Law- A Student’s Perspective
Computer spam is an unsolicited electronic message used to make money. Spam can be delivered using a variety of media, including emails, instant messages, and many others. Spam may simply be an unwanted advertisement or range in a variety of scamming efforts. In 2012, experts estimated spam costs in the United States at US$20 billion annually.[if !supportFootnotes][endif] The United States has a federal anti-spam legislation called the CAN-SPAM Act enacted in 2003 with criminal penalties that have put some violators in jail.[if !supportFootnotes][endif]
In 2014 Canada’s Anti-Spam Legislation (CASL, formerly bill C-28) came into force.[if !supportFootnotes][endif] CASL regulates commercial electronic advertising and provides a more secure Internet by penalizing cyber-attackers.[if !supportFootnotes][endif] CASL has been used to grant a warrant to take down a Toronto-based server that was the source of malware threatening computer security.[if !supportFootnotes][endif] Critics claim that CASL may be too harsh on business marketers who, under the act, require strict consent to deliver electronic advertisements to consumers.[if !supportFootnotes][endif] Nevertheless, CASL is a logical step forward in an ever growing technological era. How exactly would criminal law interact with CASL? To answer this question it is important to understand how the court generally considers the Internet in criminal circumstances. A brief review of cases below will attempt to shed light on this.
In R v Noble, the accused was convicted of wilful promotion of hatred under section 319(2) of the Criminal Code by posting hateful material on publicly accessible websites.[if !supportFootnotes][endif] In R v AC, the accused was convicted under section 162.1 of the Code for publication of intimate images on publicly accessible websites without consent of the victim.[if !supportFootnotes][endif] In R v Rice, the accused pleaded guilty to luring a child contrary to section 172.1(a) using the Internet.[if !supportFootnotes][endif] In R v Charania, the accused was convicted of mischief in relation to computer data under section 430 (1.1) and unauthorized use of a computer under section 342.1(1) by interfering with his previous employer’s data through unauthorized use of a company owned email address.[if !supportFootnotes][endif] The court has also stated that victims of cyberbullying may seek the identity of persons posting defamatory remarks on publicly accessible websites through the Internet service provider of the cyberbullies with an appropriate court order.[if !supportFootnotes][endif] In general, the identity of an individual who engages in unlawful, abusive, or tortious activity on the Internet may be obtained from the Internet service provider of the accused.[if !supportFootnotes][endif]
These select cases indicate that courts will generally treat offences committed on the Internet as offences committed in real public spaces. In order to anticipate how the courts might perceive spam criminally it is first necessary to define the types of spam.
Spam can generally be categorized as unsolicited advertisements or cyber attacks. Spam advertisements may be offering legitimate services but often offer the sale of cheap knock-off products.[if !supportFootnotes][endif] Individuals marketing counterfeit goods may be charged under section 406 for forging trademarks and/or section 408 for passing off. In some cases the advertisements may be soliciting the sale of illicit drugs, a prima facie trafficking offence under section 5 (1) of the Controlled Drugs and Substances Act.[if !supportFootnotes][endif]
Spam may also be designed as a cyber attack of which many techniques exist.[if !supportFootnotes][endif] Phishing scams are designed to fraudulently induce the consumers into divulging information relating to a legitimate service. For example, spammers may attempt to obtain passwords from their victims by falsely claiming that the security of their victims account has been compromised, requiring them to divulge personal information to the spammers.[if !supportFootnotes][endif] A phishing scam may be classified as fraud under section 380 of the Criminal Code. Depending on the type of information gained by a phishing scam, violators may be charged under sections 402.1, 402.2, and 403 of the Code for identity theft and identity fraud. Another spam cyber attack is the advance fee scam. These scams usually promise a consumer something too good to be true for a small fee in advance. For example, spammers may post advertisements offering a space for rent at an outstanding rate in exchange for a deposit.[if !supportFootnotes][endif] Of course, the deposit never actually applied to anything and is simply stolen. If caught in the organization of this scam, a cybercriminal may be convicted of false pretence under section 362 (1) (c) (ii).
Spammers may be also be able to infect their victim’s computer with various forms of malware. One type of malware is called ransomware, which can lockout a victim from their data until a ransom is paid. The courts may interpret a spammer propagating ransomware as someone guilty of extortion under section 346 (1) and likely mischief as well under section 430 (1). Spyware is another type of malware which gathers personal information without the user’s consent, which may have broad privacy legal issues.
Most Internet service providers also have an acceptable use policy that contractually prohibits a user from engaging in the distribution of a large array of spam.[if !supportFootnotes][endif] If so many criminal sanctions and other prohibitions are in place to eliminate spam then why are there so many spam emails sent (100 billion spam emails were sent in 2013)?[if !supportFootnotes][endif] The likely answer to this issue is that cybercriminals have a plethora of methods to assist in keeping their identity anonymous on the Internet.[if !supportFootnotes][endif] Furthermore, cybercriminal organizations are not well understood among lay people. To investigate this question, computer science researchers developed a method to follow payments made to spammers.[if !supportFootnotes][endif] They found that complex networks of cybercriminals exist that ensure the payment is received from the individual being spammed.[if !supportFootnotes][endif] Notably, the researchers discovered that spam businesses rely on a small number of foreign banks to complete payment transactions which they claim may be an effective target to intervene spam schemes.[if !supportFootnotes][endif]
Ultimately, It may be more feasible to target bottlenecks such as the handful of foreign banks that cybercriminals rely upon to receive payment for their scams, rather than making criminal sanctions even stronger. However, given the availability of decentralized currency such as Bitcoin and others, this is probably a futile attempt. Spam and cybercrime is a complex issues and will likely require future legal practitioners and other experts to develop novel strategies to combat this multi-billion dollar issue.
[if !supportFootnotes][endif] http://pubs.aeaweb.org/doi/pdfplus/10.1257/jep.26.3.87
[if !supportFootnotes][endif] http://laws-lois.justice.gc.ca/PDF/E-1.6.pdf
[if !supportFootnotes][endif] https://lop.parl.ca/Content/LOP/LegislativeSummaries/40/3/c28-e.pdf
[if !supportFootnotes][endif] http://www.newswire.ca/news-releases/crtc-serves-its-first-ever-warrant-under-casl-in-botnet-takedown-560496941.html
[if !supportFootnotes][endif] http://www.chamber.ca/resources/casl/
[if !supportFootnotes][endif] R v Noble, 2008 BCSC 215, 2008 CarswellBC 329.
[if !supportFootnotes][endif] R v AC, 2017 ONCJ 317, 2017 CarswellOnt 8313.
[if !supportFootnotes][endif] R v Rice, 331 Nfld & PEIR 282, 2012 CarswellNfld 479.
[if !supportFootnotes][endif] R v Charania, 2012 ONCJ 637, 2012 CarswellOnt 13265.
[if !supportFootnotes][endif] York University v Bell Canada Enterprises, 2009 CarswellOnt 5206,  OJ No 3689 [York]; AB (Litigation Guardian of) v Bragg Communications Inc, 2012 SCC 46,  2 SCR 567.
[if !supportFootnotes][endif] York, 2009 CarswellOnt 5206,  OJ No 3689 at para 34.
[if !supportFootnotes][endif] https://securelist.com/threats/types-of-spam/
[if !supportFootnotes][endif] Controlled Drugs and Substances Act, SC 1996, c 19.
[if !supportFootnotes][endif] https://www.csoonline.com/article/2616316/data-protection/the-5-types-of-cyber-attack-youre-most-likely-to-face.html
[if !supportFootnotes][endif] http://fortune.com/2017/07/13/email-security-phishing/
[if !supportFootnotes][endif] http://articles.latimes.com/2012/mar/25/business/la-fi-lew-20120325 ; https://web.archive.org/web/20120705075209/http://www.fraudguides.com/internet-craigslist-scams.asp
[if !supportFootnotes][endif] http://www.frontiernetworks.ca/aup/
[if !supportFootnotes][endif] https://www.esecurityplanet.com/network-security/almost-100-billion-spam-e-mails-sent-daily-in-q1-2013.html
[if !supportFootnotes][endif] https://www.csoonline.com/article/2975193/data-protection/9-steps-completely-anonymous-online.html
[if !supportFootnotes][endif] https://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf
[if !supportFootnotes][endif] https://www.nature.com/news/how-to-hack-the-hackers-the-human-side-of-cybercrime-1.19872
 http://cseweb.ucsd.edu/~savage/papers/LoginInterview11.pdf[if !supportFootnotes]