Industry Committee on June 11th, 2009

It's my understanding that Bill C-27 follows the money. Most domestic spammers or Canadian spammers today tend to e-mail offshore, to get around blocking techniques and other laws that might be out there. But in general, the way I interpret the law—and Matthew might want to also make a comment on this—it follows the money. So even if we have spammers who are Canadian-based, who are attempting to get away from the law, trying to get away from blocking techniques, the bill itself will follow up with them through the illicit profits they would make.

Matthew?

I would agree that the way we've understood it and the way we've interpreted it is that the party being advertised is equally responsible for the sending of the message and therefore under the law would be considered responsible and therefore actionable.

Sure, and I think that's absolutely right. Quite frankly, we experienced the concern as a task force ourselves. It was a year-long process. When we started the focus was almost exclusively on spam, and by the end of the 12 months, issues around spyware and phishing had really emerged as key concerns. Even just within that 12 months we saw just how rapidly this was moving, and of course that has continued to happen over time.

If you take a look at what the successful forms of legislation are with respect to anti-spam legislation, they necessarily try to be as neutral as possible in terms of casting somewhat of a wide net. The way you counter that, to preserve the concerns of business, is to create sufficiently broad exceptions. As I've tried to argue, if anything, these exceptions may be overly broad on the business side. When a business can simply ask for consent and is still accepted in a whole slew of other areas, I don't think there ought to be any kind of concern that legitimate business is going to be significantly impeded.

I think I'm quoted in that same piece.

Another one of the concerns was that someone might want to buy software from a software vendor, and if it was outside of the 18 months, the person they're buying from might report the consumer as a spammer, which I didn't think was a particularly significant concern.

I frankly don't think many of those other concerns are realistic either. The truth of the matter is, if the concern is around the definition of a computer program—and I alluded to that in my opening—I think we have the ability to address the very narrow concerns that may be raised by that broad definition. So there's the issue, for example, of Java script, where if someone is accessing a web page, it runs automatically. In that sense, yes, you'd need to obtain consent. If we can exclude that kind of automated program where someone has effectively already provided consent by virtue of their preferences on their web browser, I think we actually deal with that.

For other instances, when we are talking about software programs that are downloaded, then absolutely you ought to obtain consent. The whole premise of spyware is that this stuff is inserted surreptitiously into people's computers without their notice or consent. The whole problem with the Sony rootkit case was when someone went to put a music CD into their program, it installed things on their computer without their knowledge and engaged in surreptitious activity. That's precisely what we're trying to stop, and the legislation tries to do exactly that.

With respect to problems, here are two that I think highlight why in fact Bill C-27 does a pretty good job of dealing with these issues. The first problem is on this issue of whether it's opt-in or opt-out. I'm a strong supporter of our move towards an opt-in model here. As I think the minister noted, it could potentially serve as the model for the do-not-call list down the road. That's obviously embedded in this legislation as well.

If you take a look at what the Japanese did, they started with an opt-out. They started by saying you get a kick at the can and can send all the e-mails you like, and if someone says they don't want to receive your e-mail any more, you have to take them off the list. They quickly found that does not work. The better or friendlier approach from a consumer perspective, from a privacy perspective, and frankly from a good business perspective and confidence perspective is an opt-in model. They switched to the opt-in model.

The other country I'd point to is actually the United States. In this instance, they were one of the first off the mark with their CAN-SPAM Act. They were very narrow in it; they dealt just with spam. A lot of people feel they didn't deal with it that well, even within CAN-SPAM. But what we have seen in the U.S. since CAN-SPAM are successive state laws that try to deal with spam, and federal laws that try to deal with spyware, specifically because they didn't cast the net broadly enough. So they have continually tried to play catch-up with new legislation, either at the federal level or state level.

The way to deal with this is actually to learn from those lessons, and I think that's what Bill C-27 tries to do.

I will admit, it's something I haven't much seen in legislation. I found it was a surprising inclusion in this bill, having worked through 68 pages, to find at the very end provisions that would effectively kill the do-not-call list and replace it with this legislation.

My own view, given the challenges and problems we've seen with the do-not-call list, is that this would actually be a better approach. Rather than facing the kinds of security issues we've seen around the do-not-call list, this would eliminate that by setting a stronger standard, so we don't have lists of six million numbers literally being floated around the world, with people getting all of these calls they don't want.

So the theory behind this is good. Now, the practice of it is rather awkward, because it says, on the one hand, that it's excluded, and then, as I think this committee heard on Tuesday, this is basically creating the prospect at some point in time in the future of pulling the plug on the DNCL and having this in its place. It's nice to know that it's in its place. If it were up to me, I would say pull the plug now and have this apply universally to both electronic communications and telemarketing.

I'm loath to read into what exactly the full thought process was in terms of making that choice, although I might guess that it is, admittedly, early days. The do-not-call list has only been up for a year, although I think there's enough evidence to suggest that changes are needed.

Perhaps given both the time and investment that's gone into this, some would be of the view that it is premature to take that step to say we're going to change course just months after we started with, at long last, this do-not-call list. So I can understand that thinking, although at the same time—and I thought the minister actually acknowledged this—the reality is that we're making distinctions where they increasingly don't exist. The notion that it's telemarketing or it's text-messaged spam or it's e-mail spam I think for many people is all part of the same basket.

I think this is foreshadowing making, at the end of the day, a choice, and the choice is the opt-in approach that we've seen within ECPA. I think we do better by making that choice right now, though, and just saying, “We've seen what has happened with the do-not-call list. There are too many Canadians right now who are getting unwanted calls. Let's switch to something we think is going to be more effective and is going to deal with both telemarketing and electronic communications.”

There's no attempt to fix anything within the do-not-call list in this legislation. It's merely to say that at some point in time we almost have this poison pill where we can stop the do-not-call list and replace it with the ECPA.

I would say that if the decision to stick with that approach, that almost two-track approach, is maintained, it's incumbent to address the problems that we right now have within the do-not-call list. I think it's astonishing to think that we have had what must rank as one of the largest security breaches in this country's history, when you think about six million Canadian phone numbers just out there, with people getting all sorts of phone calls, unwanted now, that they never used to get, and nothing has happened. It's astonishing when we look at the thousands of complaints that are being launched and we have had no investigations beyond complaint letters by the CRTC, when we look, frankly, at the exceptions....

I launched an access-to-information request where I literally got thousands of pages of the complaints that have been filed about the do-not-call list. I'll tell you that it's a lot of the big everyday companies. Canadians have registered their numbers and don't think they're going to get calls any more, and they continue to get calls, many of which are now still permitted under this legislation. I'm deeply worried that we're going to replicate that kind of approach in this law, where Canadians are going to have the expectation that at least legitimate marketers in Canada are going to stop, and yet there are going to be new loopholes here that are going to allow them to continue.

No, I was thinking of a legislative review. I do think that is obviously necessary. Reporting requirements to get a sense of how effective this legislation is on a regular basis and what we're doing internationally are the sorts of things I think we ought to be doing, and they surely ought to be baked into the rollout. At the same time, my experience in some of the other areas is that by including some sort of mandated review, it provides that opportunity to ensure that we get it right.

If new issues have emerged that the net perhaps wasn't cast as widely as it should have been, it creates that opportunity to try to address those issues, whereas if there isn't that mandated review directly in the legislation it sometimes can be hard to get the necessary attention.

I must say that's the first time I've heard that particular complaint. I believe there is an exception for law enforcement. If there isn't an exception for law enforcement dealing with that, then there ought to be.