Dan glover casl computer software_mc_t_lexpert


Published on

Dan glover casl computer software slides

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Dan glover casl computer software_mc_t_lexpert

  1. 1. McCarthy Tétrault Advance™ Building Capabilities for Growth Canada’s Anti-spam Law (CASL): Navigating the Computer Program Provisions April 30, 2014 McCarthy Tétrault LLP / mccarthy.ca #13392852 Daniel G. C. Glover, Partner Direct Line: (416) 601-8069 E-Mail: dglover@mccarthy.ca
  2. 2. Question: What countries have anti- malware/spyware laws that are similar to those in CASL? McCarthy Tétrault LLP / mccarthy.ca / #13392852 2
  3. 3. McCarthy Tétrault LLP / mccarthy.ca / #13392852 3 3
  4. 4. CASL = MORE THAN MALWARE/SPYWARE • Applies to “computer programs” as meaning “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function”. • Broad definition • Includes apps and updates McCarthy Tétrault LLP / mccarthy.ca / #13392852 4
  5. 5. CASL = MORE THAN MALWARE/SPYWARE • Applies to installation of programs on another person’s “computer system” = “a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function”. • Could include servers, PCs, smartphones, tablets, ebook readers, the “Cloud”, websites and web services, industrial machines, appliances, smart medical devices, autos, thermostats and other consumer products. McCarthy Tétrault LLP / mccarthy.ca / #13392852 5
  6. 6. WHAT ACTS DOES CASL APPLY TO? RIAS: CASL will only apply to the installation of computer programs on another person’s computer system. CASL will not apply to installations carried out by persons on their own computing devices. ¬A consumer buys a program on disc and installs it on a home computer? ¬ Fairly clear, but need express consent for update/upgrade ¬A manufacturer pre-installs a program on a device and sells the product to consumers? ¬ Need express consent for update/upgrade ¬ How to get express consents for smart devices? McCarthy Tétrault LLP / mccarthy.ca / #13392852 6
  7. 7. WHAT ACTS DOES CASL APPLY TO? RIAS: CASL will only apply to the installation of computer programs on another person’s computer system. CASL will not apply to installations carried out by persons on their own computing devices. ¬A retailer offers computer services such as to install software or to repair or configure computers or installs updates? ¬ How is it possible to disclose? ¬A person goes to a website to download a program? ¬ Who is installing the program: ¬ the user? ¬ the site operator? ¬ both acting in concert? McCarthy Tétrault LLP / mccarthy.ca / #13392852 7
  8. 8. McCarthy Tétrault LLP / mccarthy.ca CASL REACHES ACROSS BORDERS (s. 8(2)) Computer program provisions apply: ¬if the computer system is located in Canada at the relevant time or ¬if the person either: ¬ is in Canada at the relevant time or ¬ is acting under the direction of a person who is in Canada at the time when they give the directions Will foreign clients consider geo-blocking? McCarthy Tétrault LLP / mccarthy.ca #13392852 8
  9. 9. THE PROHIBITIONS (s. 8(1)) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless: (a)the person has obtained the express consent of the owner or an authorized user of the computer system and complies with [the disclosure requirements of] subsection 11(5); or (b)the person is acting in accordance with a court order. [Rare] McCarthy Tétrault LLP / mccarthy.ca / #13392852 9
  10. 10. DEEMED “EXPRESS” CONSENT (s. 10(8)) A person is considered to expressly consent to the installation of a computer program if: a)the program is: i. a cookie, ii. HTML code, iii. Java Scripts, iv. an operating system, v. any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or vi. any other program specified in the regulations; and b)the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation. McCarthy Tétrault LLP / mccarthy.ca / #13392852 10
  11. 11. DEEMED EXPRESS CONSENT QUESTIONS ¬ Is disclosure still required? ¬ What is a “cookie”? RIAS: Insofar as cookies are not executable computer programs, and they cannot carry viruses and cannot install malware, and are simply lines of text or data that are read from a web browser, they are not computer programs for the purposes of CASL ¬ How can you measure the person’s “conduct”? ¬Does “conduct” = “reasonable expectations”? ¬How does one document proof of “conduct”? McCarthy Tétrault LLP / mccarthy.ca / #13392852 11
  12. 12. DEEMED CONSENT FOR SMART DEVICES? RIAS: In addition, the software on some computer dedicated systems in automobiles may be “operating systems”, such as computers that operate specific functions like braking. There is deemed consent to update that as operating systems under the Act. ¬Where is the dividing line between an O/S and other functions? ¬What other kinds of devices could qualify? McCarthy Tétrault LLP / mccarthy.ca / #13392852 12
  13. 13. McCarthy Tétrault LLP / mccarthy.ca #13392852 13 •
  14. 14. GETTING EXPRESS CONSENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS Obtaining consent: s. 10(1): A person who seeks express consent must, when requesting consent, set out clearly and simply the following information: (a) the purpose or purposes for which the consent is being sought; (b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and (c) any other prescribed information. McCarthy Tétrault LLP / mccarthy.ca / #13392852 14
  15. 15. MINIMUM DISCLOSURE (s. 10(3)) “Minimum disclosure” applies to computer programs generally: A person who seeks express consent, must when requesting consent, also, in addition to setting out any other prescribed information, must clearly and simply describe, in general terms the function and purpose of the computer program that is to be installed if the consent is given. McCarthy Tétrault LLP / mccarthy.ca / #13392852 15
  16. 16. CONSENT MUST BE “SOUGHT SEPARATELY” 14. … in order to meet the requirement of seeking consent separately, the person seeking consent must identify and obtain specific and separate consent for each act contemplated by the sections of the Act... 15. For example, … persons must be able to grant their consent for the installation of a computer program while refusing to grant their consent for receiving CEMs. However, the Commission does not consider it necessary for consent to be sought separately for each instance of the acts listed in paragraph 13 above... McCarthy Tétrault LLP / mccarthy.ca / #13392852 16
  17. 17. REQUESTS CAN’T BE SUBSUMED OR BUNDLED WITH TERMS & CONDITIONS 16. The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. The underlying objective is that the specific requests for consent in question must be clearly identified to the persons from whom the consent is being sought. For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.McCarthy Tétrault LLP / mccarthy.ca / #13392852 17
  18. 18. DIFFICULTIES OF CONSENT ¬ Implied consents cannot be relied upon. Only express consents are valid, assuming compliance with the disclosure requirements. ¬ The CRTC suggests that written agreements or click-wraps will comply if the consent is not bundled in the agreement. Enhanced consent requires a specific acknowledgement from the person consenting. ¬ Web wrap agreements will likely not comply. McCarthy Tétrault LLP / mccarthy.ca / #13392852 18
  19. 19. GETTING EXPRESS CONSENTS TO INSTALL PROGRAMS CRTC Reg s. 4. For the purposes of ss. 10(1) and (3) of the Act, a request for consent may be obtained orally or in writing and must be sought separately for each act described in ss. 6 to 8 of the Act and must include … (e) a statement indicating that the person whose consent is sought can withdraw their consent. Problem: How can consent be withdrawn for a program that is already installed? McCarthy Tétrault LLP / mccarthy.ca / #13392852 19
  20. 20. WHAT IS WRITTEN CONSENT? 24. … the term “in writing” includes both paper and electronic forms of writing. 25. The Commission considers that the requirement … is satisfied by information in electronic form if the information can subsequently be verified. 26. Examples of acceptable means of obtaining consent in writing include checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and filling out a consent form at a point of purchase. McCarthy Tétrault LLP / mccarthy.ca #13392852 20
  21. 21. If the computer program meets a “malware” or “spyware” criterion, the person must “clearly and prominently, and separately and apart from the licence agreement, (a)describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and (b)bring those elements to the attention of the person from whom consent is being sought in the prescribed manner”. DISCLOSURE REQUIREMENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS McCarthy Tétrault LLP / mccarthy.ca / #13392852 21 21 ENHANCED DISCLOSURE (S. 10(4))
  22. 22. The enhanced disclosure standard applies where the program performs functions that the person knows and intends will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user of the computer… ¬Imports a subjective intent element (for installer) and an objective standard (for user) DISCLOSURE REQUIREMENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS McCarthy Tétrault LLP / mccarthy.ca / #13392852 22 22 ENHANCED DISCLOSURE TRIGGERS (s. 10(5))
  23. 23. ¬ collects personal information; ¬ interferes with control of the computer; ¬ changes or interferes with settings preferences or commands; ¬ obstructs, interrupts, or interferes with access to data; ¬ causes the computer to communicate with another computer without authorization; ¬ installs a program that can be activated by a third party; ¬ installs a bot; or ¬ performs any other function set out in the regs; [none yet] but not if the function only collects, uses or communicates transmission data or performs an operation set out in the regs DISCLOSURE REQUIREMENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS McCarthy Tétrault LLP / mccarthy.ca / #13392852 23 23 LISTED FUNCTIONS (s. 10(5)-(6))
  24. 24. McCarthy Tétrault LLP / mccarthy.ca #13392852 24 •
  25. 25. EXCEPTIONS FOR SOFTWARE UPDATES, UPGRADES AND PATCHES (s. 10(7)) Formalities for obtaining express consent (ss. 10(1) and (3)) not required to install an update or upgrade so long as the installation or use of the computer program being updated was expressly consented to and the person who gave the consent is entitled to, and does receive the update under the terms of the express consent. Problems: ¬No explicit exception that permits installation of an update or upgrade without consent. ¬The original consent to install a program must include a consent to install updates or upgrades or they cannot be installed without requesting and obtaining a new consent. McCarthy Tétrault LLP / mccarthy.ca / #13392852 25
  26. 26. NEW EXEMPTIONS – IC REGS, s. 6 • network security • updates and upgrades to a network • correcting computer program failures. Exemptions available only if “the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation”. (s. 10(8)(b)) ¬ To be dealt with by Michael Fekete and Howard Fohr in the next presentation McCarthy Tétrault LLP / mccarthy.ca / #13392852 26
  27. 27. THREE-YEAR TRANSITION s. 67: If a computer program was installed on a person’s computer system before section 8 comes into force, the person’s consent to the installation of an update or upgrade to the program is implied until the person gives notification that they no longer consent to receiving such an installation or until three years after the day on which section 8 comes into force, whichever is earlier. McCarthy Tétrault LLP / mccarthy.ca / #13392852 27
  28. 28. VANCOUVER Suite 1300, 777 Dunsmuir Street P.O. Box 10424, Pacific Centre Vancouver BC V7Y 1K2 Tel: 604-643-7100 Fax: 604-643-7900 Toll-Free: 1-877-244-7711 CALGARY Suite 4000, 421 7th Avenue SW Calgary AB T2P 4K9 Tel: 403-260-3500 Fax: 403-260-3501 Toll-Free: 1-877-244-7711 TORONTO Box 48, Suite 5300 Toronto Dominion Bank Tower Toronto ON M5K 1E6 Tel: 416-362-1812 Fax: 416-868-0673 Toll-Free: 1-877-244-7711 MONTRÉAL Suite 2500 1000 De La Gauchetière Street West Montréal QC H3B 0A2 Tel: 514-397-4100 Fax: 514-875-6246 Toll-Free: 1-877-244-7711 QUÉBEC Le Complexe St-Amable 1150, rue de Claire-Fontaine, 7e étage Québec QC G1R 5G4 Tel: 418-521-3000 Fax: 418-521-3099 Toll-Free: 1-877-244-7711 UNITED KINGDOM & EUROPE 125 Old Broad Street, 26th Floor London EC2N 1AR UNITED KINGDOM Tel: +44 (0)20 7489 5700 Fax: +44 (0)20 7489 5777 McCarthy Tétrault LLP / mccarthy.ca #13392852