regulation of internet commerce
class eleven - january 21, 2008
professor michael geist
university of ottawa, faculty of law
special guest appearance by:
Richard Simpson
Industry Canada

The Spam Myths
• spam originates offshore
• the delete key
• the private sector
• law is powerless
• canadian anti-spam legislation

Spam Growth
• Estimated Cost - $10 - 87 Billion/year
• 70-85% of email now spam
• 90% of S. Korean email now spam
• ISPs block billions of spam messages each day
• 75% of spam now uses HTML
• Profitability at response rate under 0.0001%
• Brightmail estimates $250 million in profitability
for spammers in 2003

Canadian Spam
• 10 of the 200 spammers worldwide
(Spamhaus ROKSO list) are Canadian
• Top 200 spammers responsible for 90% of
global spam
• Canada was ranked as top 12 source of
spam, dropped off list after port 25
blocking

The Spam Problem
• Cost shifting
• Privacy
• Intermediary effects
• Deception and fraud
• Lost e-commerce confidence
• Lost e-communication confidence

Phase One - Spam as an Annoyance
• 1995 - 1999
• Anti-spam groups form
• Sporadic legislative initiatives but emphasis on private
sector leadership
• Private sector legal tactics
– Contract
– Criminal
– Trademark
– Trespass
• Private sector technical tactics - MAPS RBL, UDP
• Public sector enforcement - FTC brings first action in
1998
• Spammers fight back with own suits

Phase One - Spam as an Annoyance
The federal government believes that its current policy and legal
frameworks will continue to foster strong Internet growth and
development in Canada while at the same time dealing adequately
with computer abuse and criminal activity. Spam is but one of the
new elements emerging from increased Internet growth and
development. The government believes that an appropriate mix of
policies and laws, consumer awareness, responsible Internet industry
stakeholders and technological solutions is the best and most
appropriate way to deal with behaviour in the new and evolving on-
line environment. The government believes that Canada has this right
mix today but will continue to monitor developments and consider
changes if they are required.
- Industry Canada, 1999

Phase One - Spam as an Annoyance
• Problem -- doesn’t work
– Spam continues grow
– Isolated private sector actions have
limited deterrence value and are
expensive
– Inconsistent legislative proposals

Phase Two - The Three Anti-Spam Pillars
• 2000 - 2003
• Spam problem worsens
• Focus shifts to three pillars
–Technology
–Education
–Legal Solutions

Phase Two - The Three Anti-Spam Pillars
• Technology
– Filters
– Authentication
• Problems:
– Cost
– False Positives (Solution worse than
the problem)
– Privacy
– Spammer technological response

Phase Two - The Three Anti-Spam Pillars
• Education
– Educate businesses via industry codes
– Educate consumers on how to respond to
spam
• Problems:
– Lack of legal weight to codes
– Bad actors
– Inconsistent consumer messaging - opt-
in vs. opt-out

Phase Two - The Three Anti-Spam Pillars
• Legal Solutions
– Global shift toward anti-spam legislation including US, Europe, Japan,
South Korea, and Australia
• Key provisions
o Definitional issues
o Private rights of action
o Significant damages
o Labeling requirements
o Deceptive practices (headers, spoofing, etc.)
o Email harvesting/Dictionary attacks
o ISP immunity
o Opt-out vs. opt-in
o Do-not-spam lists
o Commissioning spam

Phase Two - The Three Anti-Spam Pillars
• Legal Solutions - Canada
• Consider prospect for anti-spam legislation in 2003
• Focus on four main legislative solutions
– PIPEDA
– Criminal Code
– Competition Bureau, Fair Practices Branch
– Telecommunications Act
• Anti-spam legislative proposals

Phase Two - The Three Anti-Spam Pillars
• PIPEDA
– Email addresses as personally
identifiable information
– Respecting opt-outs
– Harvesting email addresses
– Accountability
– Security
• Lack of action from Office of the Federal
Privacy Commissioner

Phase Two - The Three Anti-Spam Pillars
• Competition Act
– Section 74.01 - false or misleading representations for purpose of
promoting product or service
– Significant fines
• Could target:
– False or deceptive headers
– Content of certain email
• FTC exclusively uses deceptive practice legislation
• Lack of action from Competition Bureau, Fair Practices Branch

Phase Two - The Three Anti-Spam Pillars
• Criminal Code
– Section 380 -- fraud
– Section 372(1) -- false messages
– Section 342.1 -- fraudulently obtain computer service
– Section 342.2 -- device for committing 342.1
• Could cover --
– Fraudulent spam
– Unauthorized use of email servers
– Email harvesting
– Email harvesting software
• Lack of action from Justice

Phase Two - The Three Anti-Spam Pillars
• Telecommunications Act
– Section 41 -- CRTC order
prohibiting unsolicited
communications
– No action yet from CRTC but
theoretically section appears to
cover spam