By Drew Wilson
A recent submission made by a number of corporate organizations in the Canadian anti-spam initiative is raising alarm bells. The groups are demanding that certain kinds of software (like spyware) be exempt from provisions of the anti-spam law that could theoretically be used for the purposes of anti-piracy operations on the personal device level.
Michael Geist, a very well known Canadian law professor whose analysis of Canadian issues has become widely regarded around the world, has been following the Canadian anti-spam legislation for quite some time. While the initiative to stop spam was largely seen as a positive Canadian technology and law story, the story has recently taken a very disturbing twist recently. Language in a submission made by the Coalition of Business and Technology Associations which includes the Canadian Bankers Association, Canadian Chamber of Commerce, Canadian Wireless Telecommunications Association, Entertainment Software Association of Canada and the Interactive Advertising Bureau of Canada appears to open the door to allow spyware to installed on a personal computing device for the purposes of blocking certain kinds of traffic or the blocking of entire websites that major industry types do not approve of which can include anti-piracy operations.
Second, if this recommendation is not accepted, that pursuant to section 64(1)(m), he following computer programs be exempt from section 8 of the Act:
(a) a program that is installed by or on behalf of a person to prevent, detect, investigate, or terminate activities that the person reasonably believes (i) present a risk or threatens the security, privacy, or unauthorized or fraudulent use, of a computer system, telecommunications facility, or network, or (ii) involves the contravention of any law of Canada, of a province or municipality of Canada or of a foreign state;
For clarification, this section is found on page 11 of the PDF file.
Our interpretation of this is pretty much in alignment of Geist’s interpretation. The problematic language is the use of the term “unauthorized” for one. What can it mean? Sure, it can mean stopping people from wardriving a Wi-Fi connection, but it can also mean any p2p traffic such as Skype or BitTorrent regardless if the end use would be legal or not. While some might argue that this seems kind of activity is more theory than anything else and unlikely to ever happen, there is actually some precedent of this occurring. Techdirt noted last week that a program was blocked because it used p2p technology in its data stream. The problem was the fact that the data in question related to the legal service Spotify. The move even sparked objections from the Recording Industry Association of America (RIAA) – ironic in a way given that the organization has developed a reputation over the years for declaring war on p2p technology.
Another problematic part about the language here is the line that reads “involves the contravention of any law of Canada”. This line is extremely broad and could be interpreted as, say, someone downloading a copyrighted song on an unauthorized network to someone accessing a website that a corporation things could be used to download a copyrighted work to accessing a website with an application that could be used to view an unauthorized copy of a copyrighted work. Where is the line drawn and how much collateral damage would this ultimately entail?
What could be more objectionable to a lot of people is the fact that a private entity would wind up making these decisions rather than a law enforcement body. Normally, when someone acts contrary to the law of Canada, there is a legal process to prove that such an individual actually acted contrary to the law written in stone. The exception being requested here bypasses this completely and opens the door to mere accusations being used to, say, block a website with absolutely no oversight. A reasonable question might be “why can Sony decide what I can and cannot see on the Internet even on a device that was not manufactured or produced by Sony?”
To our knowledge, this kind of request on the worldwide stage is quite unprecedented. The only thing that comes close to this kind of permission of spyware would be from France when LOPPSI 2 was proposed back in 2009. That law would have allowed police to install keyloggers and trojan horses for law enforcement purposes. At the time, I was so perplexed that such an idea was being proposed, that I couldn’t even fully believe what I was reading even though I verified the report. The key difference between LOPPSI 2 and the proposal for Canada is the fact that the proposal in Canada goes further by excluding law enforcement altogether from the equation.
What’s more about this proposal is that it might even violate PIPEDA (Personal Information Protection and Electronic Documents Act) because an IP address has been interpreted as personal information. Unless the spyware in question does not send data back to any database, under a lot of circumstances, such spying would need to be disclosed to the customer. How it would even be possible to maintain such software without an IP address being used somewhere along the line in the first place?
Unsurprisingly, these revelations are reminding people of the Sony rootkit scandal of 2005 because such an exception would legalize such software (at the time Sony was taken to court in a number of countries over its use including in Canada).
At this stage, this is only a submission. The Canadian government would have to agree and implement such recommendations first. In the past, according to Geist, the government has rejected such a request. We’ll have to wait and see how the government responds first to assess how real the threat of corporate sponsored spyware will be in Canada.
Welcome Grammar Nazis, jokesters, snarky and other people of Fark, we hope you enjoy your stay and don’t razz us too hard.