Canadian businesses should be wary of the proposed federal anti-malware law, says a Toronto intellectual property lawyer. Bill C-27, formally known as the Electronic Commerce Protection Act “needs some real re-thinking or amendment,” Barry Sookman of the firm McCarthy Tetrault said in an interview. “It has some fatal flaws in it.”
Introduced last month and about to go before Parliament’s Industry committee for detailed examination, the bill forbids anyone from installing a program on a computer that could send an electronic message without the consent of the owner or user. It also forbids anyone in Canada from sending a commercial message to any electronic address unless the receiver has consented. An exception is if the person sending the message has had a business transaction with the recipient in the previous 18 months. Penalties range from up to $1 million for individual violators to up to $10 million for organizations.
The legislation has the backing of a number of IT organizations, such as the Canadian Association of Internet Providers (CAIP) and the Canadian Advanced Technology Alliance (CATA).
But Sookman said Ottawa has drafted the legislation backwards and it may actually harm IT companies. For example, he said, it could be unlawful for a Web site to automatically install Javascript or Flash applets or HTML code on the computers of visitors without getting express – and not implied – consent. Similarly, the law suggests automatic software updates would be illegal, he said. It would be unlawful for a company sending an e-mail to buy more software licences from a vendor if the last business contact it had was more than 18 months before, Sookman said. Even fledgling software developers sending e-mail queries to distributors they’ve never had a commercial relationship with could be caught, he added.
To comply with the law, he suggested, companies would have to overhaul their Web sites to force users to click on a button agreeing to every download, signifying their express consent.
“It’s just overkill,” Sookman complained. “The bill as currently drafted would actually ban the use of the Internet by Canadians unless a person with a Web site had written consent from a consumer to use it.” Instead of demanding consent for certain activities, he said, Ottawa should define activity that’s bad – for example, creating misleading e-mail headers.
“There’s a huge gap here [in logic] that doesn’t work,” retorted Michael Geist, a University of Ottawa law professor who specializes in e-commerce and Internet law and was a member of the 2005 Task Force on Spam whose recommendations frame C-27. He agrees the proposed legislation could make it illegal to install Java or Flash applets on computers, but that can easily be fixed. It’s a change he billed as “tweaking.”
But he couldn’t understand Sookman’s other arguments. Spam, he said, is an unwanted message making a pitch to sell something to the reader. What business would object to e-mail asking to buy something – such as an increase in the number of licences – from the company? “Get real,” Geist said. Those who oppose C-27 want “opt-out” legislation, such as the federal do-not-call telephone registry aimed at defeating telemarketers, said Geist. However, he argued that strategy not only doesn’t work, it is “completely inconsistent” with Canadians’ privacy expectations.
C-27’s “opt-in” strategy – people only get messages or have programs put on their computers with consent – is “absolutely essential,” he said.
The proposed law “is really e-commerce consumer protection that is likely to facilitate confidence in the online market,” he said, “and finally remove the stain of Canada being seen as a haven for spammers.”
It isn’t clear yet whether next month’s hearings on C-27 will see a fight between those who want major revisions to the proposed law and those who want minor revisions. While Sookman said he’s heard some businesses and organizations oppose the law, he couldn’t cite any names. The Canadian Federation of Independent Businesses, which represents small and medium-sized companies, said it hasn’t looked at the legislation in depth yet. A spokesman for Microsoft Canada said the company is waiting to see the results of the parliamentary committee meetings before commenting.
Ross Allen, vice-president and general manager of McAfee Canada, a major anti-malware software maker which delivers anti-virus software updates automatically to subscribers, said the company hasn’t asked for a legal opinion on C-27. In an interview he acknowledged not knowing whether the legislation will hurt the company, However, he did note that Canada is the only G8 country that hasn’t enacted an anti-malware law.