Mr. Speaker, it is a pleasure to speak to Bill C-28, the fighting Internet and wireless spam act, better known as FISA. It is designed to curb the flow of spam, unwanted installations of unauthorized and sometimes malicious software and the unauthorized collection of personal information. In other words, it aims at stopping spam emails. With spam emails, we do not always give prior consent and that is what makes them so obnoxious.
I have been listening to a lot of the speeches and going through the bill and it really is a dry topic. It is something that, unless one is really into the technical side of things, does not excite people until it hits our computers or our homes. That is when we really feel the impact that spam has on individuals.
I want to do a bit of a history. In 2004-05 the Liberal government of the day established an anti-spam task force and recommendations for actions were put forward. The Liberal recommendations called for the government to introduce legislation to prohibit four things: first, the sending of spam without prior consent of recipients; second, the use of false or misleading statements that disguise the origins or true intent of the email; third, the installation of unauthorized programs; and fourth, the unauthorized collection of personal information or email addresses.
I would like the members to remember these four points because they will be showing up again and it is important that we finally get there. Of all the G8 countries, Canada is the only one that does not have legislation in place yet. When we look at something like this, we have to ask why Canada has really lagged behind.
Had the government continued under a Liberal government back in 2005, we would have had legislation. However, unfortunately the NDP leader decided that in 2005, it was time to stop supporting the Liberal government of the day. I think history will look back and see where progressive thought really slowed down, if not stopped, for a number of years. It will not be pretty when people look back and see what was lost. Whether it was legislation on spam, child care or first nations rights, it will not be viewed positively.
Let us get back to Bill C-28. It was originally introduced by the Conservative government as Bill C-27, which died in prorogation. Prorogation normally is not something we speak of positively. I look at prorogation and it really was something Canadians did not want, it was something Parliament did not really want and it caused a lot of problems. However, one thing it caused was the death of Bill C-27.
Prior to the prorogation, many flaws were exposed in the bill and when it came back, the good thing was that many changes were made. Bill C-28 was introduced after the return from prorogation, with the changes to correct many flaws identified. I am pleased to see the Conservative government decided to act on the recommendations of our Liberal task force and the recommendations of the industry, science and technology committee.
Legislation in a fast moving area such as technology must be monitored closely to ensure it does not stifle legitimate electronic commerce in Canada, while accomplishing its intended purpose.
The real test of Bill C-28 will be in its implementation. How diligently will it be reinforced? What resources will be allotted? How serious is the government in protecting Canadian citizens? Those are the questions we will have to look at and really look to see how strong the legislation will be.
One of the things that the legislation calls for is periodic review of the legislation. I talked about how fast electronic media changes and how fast technology changes. That is why the legislation in particular has to be reviewed on a regular basis so it keeps up with what goes on.
In its main provisions, Bill C-28 introduces a new regulatory scheme and monetary penalties for spam and related threats such as identity theft, phishing, spyware, viruses and botnets, and it extends the rights of civil action of their victims. I know a lot of us have heard these terms, but I thought I would take the time to go through them because they are not always well understood and I want to clarify them.
I went on the Internet itself, to Wikipedia, and got some definitions of the individual terms, because I know there are people listening at home wondering, “This is wonderful, but what exactly does it mean and what effect does it have on me?” We all know about spam, which I will define at the end, but spam is just one part of it.
We hear about identity theft. Identity theft is a form of fraud or cheating of another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name. The victim of identity theft can suffer adverse consequences if he or she is held accountable for the perpetrator's actions. Organizations or individuals that are duped or defrauded by identity theft can also suffer adverse consequences and losses, and to that extent, they are also victims.
Again, identity theft is one of the points that this legislation takes on. We look at the fraud in it. Someone spoke earlier and asked about the Criminal Code. This identifies it, and fraud is covered under the Criminal Code.
The other term that comes up quite often is phishing, not fishing with an “f”, but phishing with a “ph”. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social websites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.
Phishing is typically carried out by email or instant messaging and often directs users to enter details to a fake website that looks and feels almost identical to a legitimate one. When we go somewhere on the web and see something saying it is a certain company, we want to make sure that it is real, that it is what it says it is.
Phishing basically sets up a fake facade that people think they can trust. People input information and then the information is harvested and used to hurt individuals. Whether it is taking their money or identity or causing problems for those individuals, we can see where the problem would come.
The one we hear about often is spam. That seems to be the generic one that covers everything. Spam is the use of electronic messaging systems to send unsolicited bulk messaging indiscriminately.
While the most widely recognized form of spam is email spam, the term is also applied to similar abuses in other media, including instant messaging spam, Usenet newsgroup spam, web research engine spam, spam in blogs, wikispam, online classified ad spam, mobile phone messaging spam, Internet forum spam, and junk fax transmissions.
People who have faxes in their offices have had junk fax transmissions come to them. It uses up trees by using paper, it uses up resources by using ink, and it uses up copies that the individual receiving it has to pay for. Sometimes when these transmissions are received in large number, it becomes an expense that hurts.
Social networking spam is something that people are aware of, as well as television advertising and file-sharing network spam.
We have all heard the word “spyware”. Not many people really realize what spyware is. It is a type of malware that can be installed on computers and collects little bits of information at a time, without the user's knowledge. The key is “without the user's knowledge”. Users do not know that this spyware is in their computers and it constantly transmits little bits of information. The presence of spyware is typically hidden from the user and it can be difficult to detect.
Typically, spyware is secretly installed on the user's personal computer, and while the term “spyware” suggests software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information such as Internet surfing habits and sites that have been visited, but it can also interfere with the user's control of the computer in other ways, such as installing additional software and redirecting web browser activity.
Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, or loss of Internet functionality and other programs.
We have all come across that, where we are working on something and it seems that everything is going along really well, and suddenly everything stops. What happened? There is a piece of spyware that went in there and changed things around. There is a frustration and a cost to the individual.
If someone sitting at home, likely retired, working on a computer, has a fixed income and suddenly he or she has to expend dollars to get the computer running again, there is a direct effect there.
There may be those who ask how that affects them. We have all had the frustration. We have had to bring someone in to fix the problem, if he or she can fix the problem. When the individual gets it running again, that individual has money out of pocket. On a limited income, if one is retired, it really hurts individuals directly.
Computer viruses are something that we hear of a lot. A computer virus is a computer program that can copy itself and infect a computer. A true virus can spread from one computer to another when its host is taken to a target computer, for instance because a user sent it over a network or the Internet or carried it on a removable medium such as a floppy disk, CD, DVD or USB drive.
We see a lot more of that now where we have people coming in with USB drives, collecting the information and then going to another computer. It is a perfect way to spread viruses.
I have a 13-year-old daughter who works on her computer. She brings her homework back. She will input the information and take it to school. She might be bringing back something from the school or someone else might be bringing it to the school. So we can see where a virus can cause a lot of problems for many people.
Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by other computers.
One that we do not hear much about is botnets. That is covered under this legislation. A botnet is a collection of software agents or robots that run autonomously and automatically. The term is most commonly associated with IRC bots.
The best way to describe IRC bots is when we go to a website or even an email and think we are interacting with another individual but we are not. With an IRC bot, we are basically interacting with another machine. We think that person is there responding to us. We can see the problems that could cause: someone going to one site, getting answers, building up a trust, and then suddenly finding out it is a machine on the other side.
The other thing that happens with the IRC bots is that one can access a number of people, all interacting with this one machine, so the individual is not duping people, a machine is, and the spread can cause a lot more damage because it is so pervasive.
As well, it does spread some malicious software and it can also refer to a network of computers using distributed computing software.
Anyone who has used a computer can relate to the kind of frustration that this malware can cause in some of these unwanted infiltrations into one's computer.
It is not only frustration. As I mentioned earlier, there can be a real financial loss to the individual who is using that computer and connecting and who will be affected by some of these issues.
Let us take a look at Bill C-28 again, now that we know what some of the definitions are.
Bill C-28 contains four main thrusts. It prohibits the transmission of commercial messages, basically spam, without express consent. The only conditions under which express consent is not required are those where family or prior recent business relationships exist. Messages requesting consent have to provide the names of the sender and the client on whose behalf the message is being sent, contact information for both, and a way to unsubscribe.
Quotes and estimates that are requested are not covered by this, nor are emails or follow-ups on business previously transacted.
There is one loophole or one barrier in this legislation that I would like to talk about. That is in regard to people who are in sales, such as financial advisers, real estate agents, or stockbrokers. What often happens is that they will do business with someone, and at some point, using real estate as an example, the person they are doing business with will say, “My brother, John, is looking for a house. Give him a call or get hold of him. I am sure you can help him out. You have done a great job for me, and John, who is my relative, could use your help”.
This legislation unfortunately does not allow the real estate agent to send an email to that person. He has to get express consent from the individual to whom he will be sending that email.
I was talking about how this legislation has to be reviewed on a regular basis. I think this is one of the areas we are going to have to look at and ask if it really allows business and e-commerce to continue and to flourish. We can see the barriers that are set up and the problems it would cause to people who earn a living in the sales field.
As we see this going on, I think it is important that we monitor some of the effects of this legislation. Maybe in about a year or so we should review it, see what is going on, and see what the unintended effects of this legislation will be.
The bill attempts to curtail phishing, with a prohibition on false or misleading information on the source of an email. The bill also prohibits the installation of programs to operate another's computer or the dissemination of messages on a computer without the individual's consent, and there is the option to withdraw the consent.
As we can see, it goes back to malware, the spam that we spoke about earlier and how this bill will block that.
The bill includes provisions that halt the collection of personal information, by amending PIPEDA, the Personal Information Protection and Electronic Documents Act, to include a ban on collecting or using electronic addresses obtained through a computer program designed for their collection, as I mentioned earlier, the phishing program.
So this legislation does come into play, and there are additional provisions that specify that a tougher regime under FISA take precedence over the existing Personal Information Protection and Electronic Documents Act and all the legislation that could apply.
The bill's provisions extend not only to those who violate it, but also to the agents or directors of the corporations who aid, authorize or acquiesce to the violations. The bill follows the money. That is the key right here, because when we look at a lot of this, the infractions and the invasion, it comes right back to money. It follows the money, stripping protection for those who hide behind a corporate shield.
When we look at some of the fines that are out there, the fines could go as high as $1 million for individuals and $10 million for corporations. The bill aims to accomplish ending the practice of spamming.
Will this bill end it completely? I think when there is something illegal going on, it just keeps going and going. What this does is minimize it and at least offer some protection to Canadians when it comes to spamming, phishing and the rest of the electronic malware that exists around the world and on the Internet.