Hefty Fines for CASL Violations

Canadian citizens suspected of spreading malicious software could be facing fines in the millions of dollars for their criminal activities. Canada’s Anti-Spam Legislation (CASL) covers much more than just mail. It also covers altered transmissions of data, botnets, and the installation of known malware and spyware.

Under the CASL, businesses found to be in violation can be fined up to $10 million; individuals can face up to a $1 million fine. This includes any individual or organization that is found to be “aiding, inducing, procuring, or causing to be procured the doing” of any of the acts covered under the law. The fines may give new malware developers pause to consider whether the proceeds from selling a new virus are worth the hefty fine in the end. And the Canadian Radio-television and Telecommunications Commission (CRTC) is having no problem flexing its new-found muscles.

“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada,” said Neil Barratt, director of CRTC, in an interview with KrebsOnSecurity, “and to ultimately improve security for people here and hopefully elsewhere.”

Barratt went on to say, “We’ve been trying to make sure that service providers operating in Canada — whether or not they are Canadian — are not unduly contributing to the infection of machines and hosting malware. We have great power in CASL and Section 9 makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”

In March of this year, the CRTC and Canadian Mounted Police executed a warrant to search the Toronto residence of a software developer suspected of creating the Orcus RAT, malware used in numerous attacks over the last three years. The CRTC also took recent action against Datablocks Inc. and Sunlight Media Networks Inc. for violating the CASL by causing malicious programs to be downloaded by victims via their online ads.

“One of the key takeaways of CASL,” Barratt told KrebsOnSecurity, “was that it wasn’t just about emails that were annoying people, but also the use of email as a vector to mislead or defraud people and cause harm to computers and computer networks.” He went on to say that the execution of the Orcus RAT search warrant was “a great example of criminal and civil law enforcement working together by using our unique tools and powers under the act to achieve the greatest good.”