Industry Committee on June 11th, 2009

Thank you, Mr. Chair. Thanks for the invitation to come and speak.

My name, as you heard, is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I'm also a syndicated weekly columnist on law and technology issues for theToronto Star and the Ottawa Citizen, and I was a member of the national task force on spam that was struck by the Minister of Industry at the time, in 2004. I served on the board of directors of the Canadian Internet Registration Authority, CIRA, for six years. I currently serve on the Privacy Commissioner of Canada's advisory committee. However, I appear today strictly in my personal capacity, representing my own views.

The introduction of Bill C-27 represents the culmination of years of effort to address concerns that Canada is rapidly emerging as a spam haven. I don't think I have to convince you that spam is a problem, whether it's the cost borne by consumers, schools, businesses, and hospitals in dealing with unwanted e-mail, or the shaken confidence of online banking customers who receive phished e-mail. There is a real need to address the problem.

I think we all know that Bill C-27 isn't going to eradicate the problem, but no country can do that alone. But I think it will finally help to clean up our backyard.

Members of this committee have noted that this is broad legislation that extends beyond just spam. I'd like to submit that this is a feature, not a bug. With much talk of the need for a national digital strategy, I think Bill C-27 fits nicely within that framework, providing much-needed consumer protection for electronic commerce. It's fair to say that the spam task force members recognize the need to address the broader issues towards the end of our mandate and that the steps in this bill are consistent with our recommendations.

While the legislation is broad, it's important to emphasize that the exceptions are broad as well. There are three exceptions, in particular, that I want to point to.

The first exception is consent. Under this law consent trumps all. Indeed, any business or any organization can do anything it likes with respect to electronic marketing or software installation as long as it obtains consent. Now, there are some rules around that consent--form requirements for electronic marketing, disclosure requirements for the software--but I don't think it's an onerous obligation. In fact, whenever a potential concern is raised, and I know that some have been, the first question to ask is, “Why is obtaining consent unreasonable in those circumstances?” Is it unreasonable to ask someone to obtain consent before installing a software program on my computer? Or is it unreasonable to obtain consent before sending me a commercial e-mail about a house sale or about a product or a service? I think in almost every instance the answer is no, that consent is a reasonable requirement.

Moreover, it's not an uncommon requirement, as other laws have adopted the same opt-in consent model. Australia and New Zealand both have opt-in models, and Japan actually switched from an opt-out model to an opt-in model when they found that their opt-out model didn't work.

Secondly, there is a business-to-business exception, as you know. I've heard some claims that this legislation will hamper business as it seeks to use e-mail to promote its products and services to other businesses. The reality is that the legislation contains a business-to-business exception, paragraph 6.(5)(b). I think many of those concerns are unwarranted.

And finally, there are the consumer exceptions. These are pretty broad--in fact, arguably too broad. They mirror, for the most part, the exceptions that we find in the national do-not-call list. I think there are many people who argue that those exceptions already go too far.

Consider, for example, the business-to-consumer exception that covers eighteen months for existing customers and six months for non-customers who merely make an inquiry. So think about what that means. Somebody makes an inquiry with a long-distance provider about one of their plans or contacts a hotel to see if they have room availability and they are then subjected to six months of electronic messages under the guise that this is now implied consent. I think it's reasonable to ask why a business should be entitled to contact a consumer for six months without any further consent merely because the consumer has made a single inquiry.

My point here is that the net of the legislation may be broad, but so too are the exceptions that will continue to permit commercial activity. Some businesses may argue that it goes too far, and some consumers may believe it doesn't go far enough. Perhaps that's a sign that an appropriate balance has been struck.

Let me quickly talk about how these principles apply to several of the criticisms that I saw highlighted earlier this week. I know jurisdiction was raised. And jurisdiction, as you know, covers connections with Canada, including the routing of a message through Canada. This approach merely builds on existing jurisdictional law in Canada with respect to a real and substantial connection. If a message fleetingly enters Canada, I suspect that the test would not be met of a real and substantial connection and it's a non-issue from a liability perspective.

With respect to software updates, as I referenced earlier, it seems perfectly reasonable to expect a software vendor to obtain consent from an end user before installing anything on their personal computer and to tell them what they are about to install. To suggest otherwise would be to surrender control over their personal computer and to face the prospect of security breaches, as occurred in the fairly infamous Sony rootkit case.

Then there's the issue of real estate agent e-mails. As I'm sure many of you are aware, real estate scams are among the most common, with references to swampland in Florida being almost shorthand for the notion of fraudulent offers. Do we really want to exempt an entire area that suffers significantly from spam concerns?

Fourth, there's the issue of tough penalties, including the private right of action. I'd argue this is another feature of the legislation. The bill has tough penalties. The experience in countries such as Australia has been that anti-spam law only works if the penalties are sufficiently tough that you create some economic risk for spammers. Otherwise, they simply keep on doing what they're doing. In fact, there have been some lawsuits launched against Canadian spammers, but they've been launched elsewhere because Canadian law didn't measure up. I think we ought to fix that.

Are there any changes needed? I think there are at least two amendments I can point to. The first--and it was raised by this committee--is the prospect of a review provision. I think it's a fast-moving area, and mandated reviews make sense. The second involves the computer software consent provision. In the main, I think the provision gets it right. However, there may be a limited number of instances--the use of Java script on web pages comes to mind--where the provision could prove problematic. It's not easy to craft a rule that targets all the harms, the botnets, spyware, surreptitious installations, keystroke logging, while leaving behind the benign activities.

I'd suggest a small addition. I'm not a legislative drafter, but I would suggest essentially a subclause 10(3) that would allow for implied consent for certain types of computer programs where the person has consented to the installation of that type of program by way of their preferences in their web browser. In other words, if they've checked their preferences in their browser that will allow that form of program, then we ought to be able to take that as implied consent. That would cover off programs like Java and Java script, as those are typically addressed within web browser preferences.

Let me conclude with a warning against what I see as some lobbying efforts to water down what I see as reasonable standards found in this legislation. I'd note that we have seen this before; it's what took place with the do-not-call list. That bill started with good principles, faced intense lobbying and I think some scare tactics, and by the end of the process Canadians were left with a system that I think is now widely recognized as a failure, with some estimates saying that more than 80% of the calls that used to come continue to come, and with security breaches around the do-not-call list itself.

I think we must avoid a similar occurrence with respect to anti-spam legislation. Change in some business practices might be scary to some, but we can't allow scare tactics to dissuade you from moving forward with this much-needed legislation.

I look forward to your questions.

I wouldn't have described the exceptions as narrow, actually, but quite the opposite. I believe the exceptions are very broad, and that's perhaps an attempt to strike the right balance.

Sure.

With respect to Australia, respectfully, my reading is different. I have the Australian act in front of me, and it refers to commercial electronic messages in much the same way. I don't see a significant difference on the definitional side.

Part 2, subsection 16(1), of the Australian act says:

A person must not send, or cause to be sent, a commercial electronic message that...has an Australian link...and...is not a designated commercial electronic message.

Then you go into the definitions.

It frankly mirrors a lot of what we've done. I think it was noted by my colleague here that it's pretty clear Canada borrowed fairly heavily from the legislation you find in other countries. So I actually don't see the first premise; I don't see that focus on direct marketing the way that you suggested. I see statutes that talk about commercial electronic messages in much the same way we do.

Then you get into this other basket. As I mentioned off the top, everything is permitted; there's nothing that you can't do. The only question is whether or not you have to get someone's consent in order to do it. The exceptions we're talking about—the notion of a business, for 18 months after they have an actual relationship, or six months after an enquiry, or political parties, or charities, and all these other exceptions—are exceptions to the notion that they don't even need to get that.

That strikes me as providing pretty wide latitude. All a business has to do in every one of these circumstances is get consent from the customer; then they're okay.

Then you get into the second basket, where you say “I don't want to get consent from the customer”, and we're still giving them quite a wide berth to continue to market to consumers.

I know that under “do not call”, educational institutions have fallen under charitable organizations, so they might well fall under the same here.

That's right, but our bill—I'll try to find the specific section—contains an exception for, I believe, registered charities. To my knowledge, just about every single university, for example, that might want to contact an alumnus is a registered charity. I know that's the approach under “do not call” that's being taken by all of those organizations.

That's right.

I think that direct marketing is a part of that, maybe a subset of electronic commerce, direct marketing being more by way of an e-mailed, targeted conversation with an individual and electronic commerce looking more into social networking, IM, and voice over IP. It's a portion of, rather than the whole.

My understanding is that in Utah you had widespread abuse or attempted abuse of that provision. I think it was prisoners who were sending messages and then hoping to use that as an opportunity to file suit.

While I recognize that this seems like a concern, the experience we've seen in Canada is that our litigation environment is quite different from that in the United States. Things such as costs are different. Filing frivolous suits under a private right of action could well leave someone facing some of their own court costs, if they were to do that. We already have some disincentives built into the process.

When we look at the overall picture and at the number of large players who have wanted to target some of the Canadian-based spammers we have heard about, we see that they have been clearly unable to do so in Canada. Indeed, in the Facebook example—and we have seen it in other cases too—they have had to sue under U.S. law against Canadian-based spammers, because of the absence of legislation to deal with it here.

No, and I'm sorry if I wasn't sufficiently clear. I'm supportive of Bill C-27. My concern lies with the potential to water down the legislation. I think it does a pretty good job of striking the balance, and my fear is that some of the concerns, many of which I think are not valid once you take a look at the legislation, will result in a weakening of the legislation itself.

So I'm supportive, and supportive in much the form in which we see it now.

It's a great question. I think in some ways there are already frameworks in place to deal with many of these international issues. Canada has been a participant in them. Even dating back to when we were sitting as a spam task force, groups called the London Action Plan were bringing together various countries in an effort to deal with it. In fact, in many ways, that really highlighted how Canada was trailing behind many of our trading partners in our peer countries in not moving forward with legislation.

In some ways, we already have some of that framework in place, whether it's through the OECD or the London Action Plan or some of the groups these gentlemen are involved with. There are already those linkages. What has been missing is the legislative piece. One would hope that some of the people who through Industry Canada and otherwise have been actively involved would continue to be involved, because we already have many of those linkages with similarly placed authorities in other countries.

My sense was that the minister recognized it was still early days and that there perhaps have been some growing pains with respect to the do-not-call list. I think it's more serious than that. There are more than six million numbers registered on the do-not-call list. There have been well-publicized incidents in which those numbers have been put out in the clear, and people have been misusing those numbers.

There are so many exceptions within this legislation. And note that when the do-not-call legislation was introduced, there were no exceptions. After much of the lobbying and scare tactics about what this would mean for business, we ended up with so many exceptions that now, as I say, estimates are that at least 80% of the calls that were permitted before are still permitted today.

We have also had huge enforcement problems. According to the CRTC, they have not yet lodged any formal complaints, other than warning letters, under any of the complaints that have been filed against spammers, despite the fact that we have seen thousands of complaints under the do-not-call list. By my definition, that, at least to date, counts as a failure.

It's my understanding that Bill C-27 follows the money. Most domestic spammers or Canadian spammers today tend to e-mail offshore, to get around blocking techniques and other laws that might be out there. But in general, the way I interpret the law—and Matthew might want to also make a comment on this—it follows the money. So even if we have spammers who are Canadian-based, who are attempting to get away from the law, trying to get away from blocking techniques, the bill itself will follow up with them through the illicit profits they would make.

Matthew?

I would agree that the way we've understood it and the way we've interpreted it is that the party being advertised is equally responsible for the sending of the message and therefore under the law would be considered responsible and therefore actionable.

Sure, and I think that's absolutely right. Quite frankly, we experienced the concern as a task force ourselves. It was a year-long process. When we started the focus was almost exclusively on spam, and by the end of the 12 months, issues around spyware and phishing had really emerged as key concerns. Even just within that 12 months we saw just how rapidly this was moving, and of course that has continued to happen over time.

If you take a look at what the successful forms of legislation are with respect to anti-spam legislation, they necessarily try to be as neutral as possible in terms of casting somewhat of a wide net. The way you counter that, to preserve the concerns of business, is to create sufficiently broad exceptions. As I've tried to argue, if anything, these exceptions may be overly broad on the business side. When a business can simply ask for consent and is still accepted in a whole slew of other areas, I don't think there ought to be any kind of concern that legitimate business is going to be significantly impeded.

I think I'm quoted in that same piece.

Another one of the concerns was that someone might want to buy software from a software vendor, and if it was outside of the 18 months, the person they're buying from might report the consumer as a spammer, which I didn't think was a particularly significant concern.

I frankly don't think many of those other concerns are realistic either. The truth of the matter is, if the concern is around the definition of a computer program—and I alluded to that in my opening—I think we have the ability to address the very narrow concerns that may be raised by that broad definition. So there's the issue, for example, of Java script, where if someone is accessing a web page, it runs automatically. In that sense, yes, you'd need to obtain consent. If we can exclude that kind of automated program where someone has effectively already provided consent by virtue of their preferences on their web browser, I think we actually deal with that.

For other instances, when we are talking about software programs that are downloaded, then absolutely you ought to obtain consent. The whole premise of spyware is that this stuff is inserted surreptitiously into people's computers without their notice or consent. The whole problem with the Sony rootkit case was when someone went to put a music CD into their program, it installed things on their computer without their knowledge and engaged in surreptitious activity. That's precisely what we're trying to stop, and the legislation tries to do exactly that.

With respect to problems, here are two that I think highlight why in fact Bill C-27 does a pretty good job of dealing with these issues. The first problem is on this issue of whether it's opt-in or opt-out. I'm a strong supporter of our move towards an opt-in model here. As I think the minister noted, it could potentially serve as the model for the do-not-call list down the road. That's obviously embedded in this legislation as well.

If you take a look at what the Japanese did, they started with an opt-out. They started by saying you get a kick at the can and can send all the e-mails you like, and if someone says they don't want to receive your e-mail any more, you have to take them off the list. They quickly found that does not work. The better or friendlier approach from a consumer perspective, from a privacy perspective, and frankly from a good business perspective and confidence perspective is an opt-in model. They switched to the opt-in model.

The other country I'd point to is actually the United States. In this instance, they were one of the first off the mark with their CAN-SPAM Act. They were very narrow in it; they dealt just with spam. A lot of people feel they didn't deal with it that well, even within CAN-SPAM. But what we have seen in the U.S. since CAN-SPAM are successive state laws that try to deal with spam, and federal laws that try to deal with spyware, specifically because they didn't cast the net broadly enough. So they have continually tried to play catch-up with new legislation, either at the federal level or state level.

The way to deal with this is actually to learn from those lessons, and I think that's what Bill C-27 tries to do.

I will admit, it's something I haven't much seen in legislation. I found it was a surprising inclusion in this bill, having worked through 68 pages, to find at the very end provisions that would effectively kill the do-not-call list and replace it with this legislation.

My own view, given the challenges and problems we've seen with the do-not-call list, is that this would actually be a better approach. Rather than facing the kinds of security issues we've seen around the do-not-call list, this would eliminate that by setting a stronger standard, so we don't have lists of six million numbers literally being floated around the world, with people getting all of these calls they don't want.

So the theory behind this is good. Now, the practice of it is rather awkward, because it says, on the one hand, that it's excluded, and then, as I think this committee heard on Tuesday, this is basically creating the prospect at some point in time in the future of pulling the plug on the DNCL and having this in its place. It's nice to know that it's in its place. If it were up to me, I would say pull the plug now and have this apply universally to both electronic communications and telemarketing.

I'm loath to read into what exactly the full thought process was in terms of making that choice, although I might guess that it is, admittedly, early days. The do-not-call list has only been up for a year, although I think there's enough evidence to suggest that changes are needed.

Perhaps given both the time and investment that's gone into this, some would be of the view that it is premature to take that step to say we're going to change course just months after we started with, at long last, this do-not-call list. So I can understand that thinking, although at the same time—and I thought the minister actually acknowledged this—the reality is that we're making distinctions where they increasingly don't exist. The notion that it's telemarketing or it's text-messaged spam or it's e-mail spam I think for many people is all part of the same basket.

I think this is foreshadowing making, at the end of the day, a choice, and the choice is the opt-in approach that we've seen within ECPA. I think we do better by making that choice right now, though, and just saying, “We've seen what has happened with the do-not-call list. There are too many Canadians right now who are getting unwanted calls. Let's switch to something we think is going to be more effective and is going to deal with both telemarketing and electronic communications.”

There's no attempt to fix anything within the do-not-call list in this legislation. It's merely to say that at some point in time we almost have this poison pill where we can stop the do-not-call list and replace it with the ECPA.

I would say that if the decision to stick with that approach, that almost two-track approach, is maintained, it's incumbent to address the problems that we right now have within the do-not-call list. I think it's astonishing to think that we have had what must rank as one of the largest security breaches in this country's history, when you think about six million Canadian phone numbers just out there, with people getting all sorts of phone calls, unwanted now, that they never used to get, and nothing has happened. It's astonishing when we look at the thousands of complaints that are being launched and we have had no investigations beyond complaint letters by the CRTC, when we look, frankly, at the exceptions....

I launched an access-to-information request where I literally got thousands of pages of the complaints that have been filed about the do-not-call list. I'll tell you that it's a lot of the big everyday companies. Canadians have registered their numbers and don't think they're going to get calls any more, and they continue to get calls, many of which are now still permitted under this legislation. I'm deeply worried that we're going to replicate that kind of approach in this law, where Canadians are going to have the expectation that at least legitimate marketers in Canada are going to stop, and yet there are going to be new loopholes here that are going to allow them to continue.

No, I was thinking of a legislative review. I do think that is obviously necessary. Reporting requirements to get a sense of how effective this legislation is on a regular basis and what we're doing internationally are the sorts of things I think we ought to be doing, and they surely ought to be baked into the rollout. At the same time, my experience in some of the other areas is that by including some sort of mandated review, it provides that opportunity to ensure that we get it right.

If new issues have emerged that the net perhaps wasn't cast as widely as it should have been, it creates that opportunity to try to address those issues, whereas if there isn't that mandated review directly in the legislation it sometimes can be hard to get the necessary attention.

I must say that's the first time I've heard that particular complaint. I believe there is an exception for law enforcement. If there isn't an exception for law enforcement dealing with that, then there ought to be.

That was my understanding as well, sir, that there's an exception in there. I'd have to go back and check, unfortunately.

I think the idea behind address harvesting, as well, is more for the purpose of building a list to send e-mail to. It's a case of going to websites and looking for people who have published addresses and then subscribing them to a list and, in theory, just spamming to them.

It's not, and it's not a problem under this bill. If I purchase a car seat for my daughter and send in the warranty card and give them consent to send me regular updates, as I no doubt would, because I'm going to be concerned about the prospect of safety recalls, then they can continue—and I would hope that they would—to send me any of that information. All they have to do is to obtain the necessary consent. It's open to the consumer in every instance to ensure they get that warranty information.

I'm saying that if it is outside the 18 months and the consumer didn't give consent for that warranty information to be sent to them, then I suppose, yes, it might be.

Well, if they didn't fill it out, I'm not sure how the business would contact the individual.

Right. At the time the person has made that purchase.... We all fill out these cards all the time for production information and the like. But all they have to do, any time they're obtaining that information in the first place, is to obtain consent. If they've never obtained my personal information, then they're not going to be able to send me any of that product or warranty information in the first place. So all we're doing is asking a business at the time they collect that information in the first place to get the consent.

If we're talking about business-to-business, it's excluded.

If you're talking about business-to-consumer, then, yes, exclude it.

As I mentioned to one of your colleagues, there is an exception for charities. So if you're registered, I think it's section--

Right. I think if the gist of the overall message is that it's coming from a university, let's say, which is a registered charity, and within it there's an opportunity to get a university-branded credit card, or something like that—which we often see—I think it would still be permitted within this particular exception.

If it's strictly a commercial message and it falls outside of this exception, so we're dealing with something that's clearly commercial, then you have to obtain consent.

Our company, Eloqua, is a company that helps other companies generate lists and prospects. We do that by enticing or giving technology to our customers to entice other people to come and register and actually take an action—to put in their name, e-mail address, and a phone number. They basically opt into a newsletter, and sometimes even opt into being tracked. What we try to do from a product standpoint is to tell companies who is visiting their website, and who is interested in what's going on. In most ways, I don't really consider cookies spam, especially from the standpoint that we are very clear about what the information is going to be used for, especially in our privacy policy at our company Eloqua, or even within our own customers' privacy policies. So I do not consider cookies spam.

I'll take 15 seconds just to supplement that. The issue of cookies has come up in discussion, not so much as to whether it's spam but as to whether it's a computer program that's being inserted on someone's personal computer. I think the consensus is that it is not.

If you take a look at standard definitions for what a cookie is, it is simply a text file that is inserted onto a personal computer, at the user's request; they have the ability not to have it there. It doesn't run anything, and if you take a look at the definition of software programs referred to here, they require something more than just being a text file itself.

Yes, I think it does.

First of all, I think this is a good-news story for business, not a bad-news story. There are many businesses that want to rely upon electronic communication and have been undermined by the extent that spam has become a problem in this country. This, I think, will go a long way towards dealing with that issue. Think, for example, of the Canadian banking industry, which has invested very heavily in electronic banking only to find that the phishers have sent out a lot of messages purporting to come from the banks, which are suddenly now sending out messages to their customers warning them not to respond to these messages. That's not good for business and for the huge investments that have been made in that industry. So I think this is good news for business.

Unquestionably, there are going to be some sectors that in the past have been able to send out all sorts of messages—I think ultimately undermining confidence for others—which are going to face a problem. I believe your colleague Mr. Wallace, on Tuesday, recognized that in the context of real estate agents. If I want a real estate agent, I'll contact a real estate agent. I think specifically that when someone is selling a house, what they don't want is twenty spam messages from every real estate agent in town. That's a feature of this legislation; it's not a problem with it.

The task force report was a unanimous report that included representation from the marketing community, from the business community, from the consumer community. We're talking about as broad a cross-section as I think you could get on this issue. It's unanimous that Canada needs to do a number of things—not just legislation, for there are other things needing doing, but legislation was a key component. It is now the last piece of the puzzle yet to be implemented.

I think what we see with Bill C-27 is consistent with what a unanimous task force report envisioned, which was broad, tough, anti-spam legislation to finally bring us up to how people are dealing with this on the world stage.

If I may interject here, I'm representing, combined, several hundred marketers as well. Under the policies and practices that our clients are already working within, they are collecting consent. They are falling already within the legislation, under the implied definitions or under the expressed definitions we already are seeing.

What we are looking at and what Mr. Geist has implied already is that those people who are already doing the bad things that we want to stop are undermining the channel of communications. For every legitimate e-mail you're getting, you may be getting five that you don't want. That's what we want to stop. It's the legitimate marketers who are doing the right things already, working with this law and already taking these actions.

The concern is that there are any number of subject matters that you find with respect to spam. The presentation referenced some of them, whether it's body part enlargement or otherwise. But fake real estate scams, property in some country, are included in that list. People send out spam messages, preying often on seniors and others, to suggest that they have a once-in-a-lifetime real estate deal, in the hope that they might lure them in.

My concern here was to recognize some of the concerns that may have been expressed from some in the legitimate real estate community. I'm not trying to suggest in any way that anyone involved in the legitimate real estate community is sending out these messages, but simply that if there is any thought of carving out that notion of real estate, you have to be awfully careful, because suddenly you're opening the door potentially to full legalization for what is a known area for fraudsters to operate in.

There are also scams on things such as “Craigslist” around apartments for rent. They'll have a too-good-to-be-true, large apartment for rent at a very affordable price. People will send first and last months' rent from out of city, show up, and there's no apartment. This is something else that supports the idea behind real estate kinds of scams that are perpetrated on the Internet.

Not at all; if you have an active relationship with your antivirus provider and give them consent—because of course what you want is for them to send you updates every month, so you give them the consent, saying “send me updates every month”—and they do that, this can continue until you decide to withdraw your consent.

In talking about the 18 months, or the six months, we're talking about instances in which you haven't provided consent; instead, what we are doing is implying that you would agree to having this sent, even though you never really said that you would. For something like antivirus software, though, surely the whole point of it is having regular updates as new viruses emerge. Surely the consumer is going to consent to those regular e-mails.

With respect to the do-not-call list, you've highlighted a big problem. You're right, the big problem is that Canadians can register their phone number on a Canadian list, but once someone exits the jurisdiction, the ability of the regulator to do very much about it is very limited. In fact, it gets even worse in Canada, because people register their numbers, the list exits the country, and suddenly you're getting phone calls back into Canada.

I've argued in a couple of pieces that Canada ought to be talking, at a minimum, with the United States about creating what would effectively be a North American do-not-call list, or perhaps even better, just some sort of mutual recognition. The U.S. faces precisely the same problem: that an operator may put their number on a U.S. do-not-call list, but somebody comes up to Canada and tries to call into the United States. It seems to me, since we share the same calling numbers, that at a minimum we ought to think about creating some sort of situation whereby Canada and the U.S. will jointly enforce, so that you can't easily escape to the U.S.

On the issue of spam, you're right again. There are jurisdictional challenges. That's why I mentioned right off the bat, from the beginning, that this will not solve all spam problems. There are still going to be people spamming from other countries. But at a minimum it's going to clean up our own backyard; it's going to address the Canadian-based, homegrown spam, and I think that step is long overdue.

You say it's the only difference as if that's a small thing; it's an enormous thing. First off, there is the ability, in some instances, to ask to not receive certain unsolicited “real space” mail as well, although admittedly, lots of it still seems to make it through the door. There is a huge difference, because in the case of direct mail, physical marketing, the costs are being borne by the sender, and those are sizeable costs. They are not going to send out billions of pieces of paper, because the cost is too great, for a very low return. They really require some kind of legitimate return.

In the case of electronic messages like spam, it actually flips: the cost is almost costless from the perspective of the sender. Indeed, as they use things such as botnets and the like to send out their messages, in many instances it truly is costless. We bear the cost.

We bear the cost sometimes just in delayed time, but it's more than that. Our Internet service providers almost uniformly subscribe to various filtering services, costs that are ultimately borne by the consumer. Almost all network providers have to maintain additional equipment just to deal with the excess spam that isn't the legitimate stuff. We ultimately pay the price.

And it's not just network providers. Think of the schools, think of the hospitals that set up their own networking infrastructures, which at the end of the day are being forced to pay for this. I'd argue it's not an “only” here; it's a pretty significant cost that's being borne, and it's a clear cost shift from the person doing the marketing to the person who's on the receiving end, even though they never ask for it and in many instances don't want to have anything to do with it.

Well, it's not the only difference; it's one reason there needs to be some action here. But there are other areas too, and in some ways they are related to cost. Think again about the success rates that are needed. Almost any legitimate business, if we're going to talk about businesses, is going to need some kind of reasonable return rate in order to enter into the venture. If no one ever comes into my store, the store is going to go bankrupt. If no one ever responds to my physical marketing, or if I get a very low return rate, I'm going to stop that marketing.

That's not what happens here. Here, you can send and send and send. You just need to grab that one person, that gullible senior citizen who gets this message and is told that someone desperately needs help and there's a pot of gold at the end of the rainbow, and suddenly the life savings are gone. We laugh, because we wonder who is ever going to be silly enough to fall for this, but people do. We haven't had the legislation in place to deal with these kinds of scams, much less the unwanted marketing, now going on for years.

I think you asked me the same question when I appeared before you in the ethics committee around the Privacy Act. So it's not always about copyright with me.

Oh, oh!

In this instance, I really don't think there's a parallel. What we're talking about here is, in some instances, clear criminal activity. It's activity that undermines the confidence in the legitimate market for many Canadians, and the extent to which it arises.... The only copyright connection is with respect to the Sony rootkit case, where there was that spyware, that stuff that was put into somebody's computer. That's an area where there was a bit of spillover from copyright.

But copyright, as we all know, is complicated; there are interests from the user's side and the creator's side and the industry's side, and we're trying to sort out that balance. There isn't really a balancing act here, when we're talking about scamming e-mails that are preying on individuals, or spyware that takes over your personal computer and uses it for all sorts of nefarious purposes.

I think that misstates my perspective on copyright. My perspective on copyright—and hopefully we'll have a chance to talk about copyright sometime down the road too—and I think the view of tens of thousands of Canadians who have spoken out on this issue, is that it's not about a free-for-all. It's rather about a fair-for-all and about striking the right kind of balance.

In fact it's about, when somebody does buy a CD or a DVD, that becoming their property, and their having a certain ability and right to use it without its being locked down or their being labelled a criminal if they want to play it on their iPod or want to display it in a classroom, or a range of other kinds of activities.

I don't think those who are arguing for a fair copyright are arguing for another free-for-all, Wild West online. Actually, I think they're arguing for staying truer to the notions of balance within copyright.

I want to see rules that apply online too. I want to make sure they're balanced and fair, so that we can see the kind of innovation that takes place today from a technology perspective as well as the kind of creativity that we see taking place using these kinds of tools, using nothing more than this to speak out and engage in all sorts of exciting things. That requires some rules. It just requires rules that don't try to lock everything down.

I don't have the numbers with me, but yes, there is a justified cost to what spam will cost a business, and it's somewhere in the range of $300 or more per year per individual employee, as an overall cost to businesses.

That includes additional hardware, it includes lost time from hitting the delete button or hitting the report spam button; it includes the productivity loss. It also includes just the infrastructure needed—extra bodies of support for that infrastructure, if you need an additional IT resource, or something like that. So there are justifiable costs.

I don't know what the number would be, but I would think it would be relatively small to say, “You have given us consent to communicate with you”. In many cases, it's a database update that takes five minutes on your website to say, “Check this box. Now you've given us consent”, or “Reply to this e-mail to say you've given us consent”.

That's the point I was going to make. A lot of them are already doing this today from a best practices standpoint. My experience in the U.S. with CAN-SPAM, when we were working on the law back in 2003, was that a lot of concerns just like that were brought up, and what we have found out over the last several years is that being in this business has now become a bit easier, because now we have a better grasp on the data flows that we have, either in our own companies or from what other marketers are doing today, because they're doing the right things. They're basically flipping the model from quantity over quality to quality over quantity, when it comes to data that's coming in—the opt-in aspect of it—so we have found that it's much better for us right now.

I was just going to say that I find it amazing that more than ten years after we introduce private sector privacy legislation we're still acting as if obtaining appropriate consent from their customers is something new for business. I mean, please.

PIPEDA, the private sector privacy legislation, was introduced in 1998. It didn't take effect until several years later. We all thought that would provide everybody with plenty of time to get used to this, just as with the do-not-call list, and now with this. Businesses have been operating in an environment where obtaining the consent of your customer has been in place for the better part of a decade. Making sure that your customers are agreeable to hearing from you is not something that is so new.

I can't answer the resourcing question because I don't know how much money has been allocated.

I do know that one of the recommendations that came out of the spam task force was on the resource side. One of the barriers that we consistently encountered was that there were agencies or enforcement agencies that were willing to take action, or said they were willing to take action, but there was a resource problem.

Are the enforcement provisions deficient? I think on paper they are. I will tell you that throughout the process of the anti-spam task force, we consistently looked for action from some of these enforcement agencies, and frankly we had a hard time getting it. In fact it hasn't come up, but I launched the first anti-spam privacy complaint under PIPEDA with the Privacy Commissioner's office. It was a successful complaint in the sense that it was found to be well founded, but it didn't really get much further than that.

I realized from that, and I think other people realized throughout that process, that it's going to take a clear mandate so that enforcement agencies understand that this is a priority of government. It became very clear that the way you do that is you pass legislation that really targets it, and then you resource it appropriately. That's clearly what Bill C-27 is trying to do.

I'll give you some views from my perspective and then pass it over.

I think we've recognized and been talking for the better part of a decade as well that electronic marketing represents a huge opportunity. It is obviously lower cost. The one thing we have seen happen over the last ten years is this huge migration of the public into the online environment as well. So I think everybody recognizes that this is a great way to go. It seems everybody but the newspapers were happy with this. The newspapers weren't so happy, of course, because we are moving into this online environment more and more. So it's obvious that there's great commercial potential there.

I think not just in this country, but particularly in this country, given the absence of legislation, the potential and the promise of using electronic marketing has been undermined by consumer confidence, by the amount of spam that you get and the overzealous spam filters that weed out legitimate mail from the illegitimate mail so you never actually get the messages that you want to get. You get people who ignore just about anything that's commercial, because suddenly they think it's all that spam stuff, even when it's something they might otherwise want to hear about--for instance, when the banks have to warn their customers to ignore the messages that purport to come from them, because they're not going to send those messages. That's harmful. That's harmful to a bank, clearly, but it's harmful generally to businesses who see a real opportunity and who in many ways might have a customer base and a demographic that would respond to electronic messaging yet are facing an environment where there's just a flood of the unwanted stuff with no way to try to stop it.

I think for those who are doing legitimate business, this is really going to be a ray of sunshine, where suddenly now there is an opportunity to legitimize this form of marketing.

I would fully agree, and that is something we have experienced working with both direct mail marketers and electronic mail marketers. There is a significant shift because of cost, especially in a down economy. People are looking at how they can save their budget. Online marketing budgets are getting larger. Offline marketing budgets are starting to shrink accordingly, because of the cost, because of the return on investment.

The Direct Marketing Association saw a $45 or $48 return on investment for online electronic e-mail communications with consumers, so what you're seeing, even with the direct mail piece, is that if you send 10,000 messages and 100 people respond, that is considered successful. If you send 10,000 e-mails and 100 people respond, you've failed at what you're doing, because the response rates and the interactions of people are such a significant thing that businesses are relying more and more on electronic commerce because of the cost, because of the cost savings, and because of the high returns and the measurable, tangible results, which they can see through how many people are opening, how many people are buying, and how many people are interacting with their messages. There are the tangibles that will help business in this regard.

Just to add to that, I was saying earlier that, at least in America with the CAN-SPAM Act, we've seen improvements in marketing. From Eloqua's standpoint, it is the same thing. Especially in this down economy we've seen people go from the postal side to the online side mostly because it is cheaper, but we've also found we can send a more relevant message to people. We can better segment people so we can say that this one group of people have not gone as far into the buying process or the education process of buying, let's say, anti-spam software, whereas this group might have, so let's send them kind of a different message. Let's send them a more targeted message so they are happier. They're unwilling to unsubscribe or complain about it, and again, you're continuing to educate this person, so, again, you get a better understanding of what is really going on in your marketing and sales groups now versus just batching and blasting out the same postal mailer over and over and wasting your time with it.

My view is that it is an issue that has evolved. At the time when we were on the spam task force, the Federal Trade Commission spam centre--fridge or freezer or whatever it was called--was seen as a useful tool for investigative purposes, and there was the sense that we ought to create a Canadian equivalent. I think it was the fridge, and we were going to be called the freezer. Today I'm not sure that is as necessary, but what I think is necessary is empowering Canadians generally with something to do. I get this a lot in some of the other areas I'm involved with. People get these spam messages. They know there is spam legislation out there. They want to do something. Creating a spam reporting centre that can engage in some analysis and that can actually track incidents of spam and perhaps try to identify where some of those Canadian sources are would be of some value.

To give the parallel on the do-not-call situation, in my office I have literally 2,000 pages obtained under access to information that show four months' worth of the complaints that have been filed with the CRTC under do-not-call. They go by date, and you can actually see the telemarketing campaigns as they wave through the country. All of a sudden, over a week, you will get--I won't bother naming the companies--a particular company about which there are suddenly dozens of complaints in a segmented time. That could be very valuable to someone for investigative purposes if we were dealing with something that was illegal.

Creating that kind of spam reporting centre has some of those benefits and also gives people a bit of empowerment in terms of having something they can do when they receive these messages.

We have even higher numbers.

I would say what you're seeing is over 90%. I believe there was a study that came out last year that said it was 95% of traffic, and even the difference of a 1% increase represents billions of messages, as opposed to thousands, so the significance of a single percent of increase is very huge.

As I mentioned, I recognize the potential for parallels, but I actually don't think that the concern within the Canadian legal system is as great. As I mentioned, there are reasons for that, including the fact that it is tougher to even get a class action status in Canada than it is in some states in the United States. There are court costs often to be paid in Canadian actions that are not paid, in terms of the losing party in Canada, and that doesn't exist in the United States. So we have some disincentives already in place in Canada against these kinds of frivolous lawsuits.

I would note, though, that in a Canadian context we have had--and it was stunning, frankly, to me as a member of this spam task force to learn this--a series of large Canadian-based spamming organizations. We knew who they were, we knew where they were, and yet we weren't doing anything about it. And we also knew that there were organizations out there that were anxious to try to launch private actions against them and felt that they couldn't do so in Canada.

The private right of action was a recommendation, as I say, from the unanimous spam task force report, which included some of the same kinds of members you've just referred to. The business community was there. I think we had members who came forward and said if they had that kind of power here, they might do it. If you refer to the Facebook lawsuit that was brought up earlier, you'll see that Facebook sees a Canadian-based spammer that's wreaking havoc on its social network. Canadians are huge users of Facebook--there are more than seven million Canadian-based accounts on the Facebook network--and yet they couldn't look to Canadian law to try to deal with the problem. Private right of action holds the promise of doing that.

What I'm saying is that I don't anticipate the flood of lawsuits in Canada, in part because our court system is somewhat different from that of the United States. The fact that Utah was a leader in this regard isn't by accident. There was a very well-known spammer who was Utah-based, which is why the state felt that it was incumbent upon them to try to take action. You had other states that were of the same view, and then Congress jumped in to say okay, we're going to try to pre-empt all of those state laws, because now we're getting this patchwork, and that's making it difficult for business.

If there was a concern around spam laws at that time in the U.S., it was more that businesses were being faced with different regulatory systems in different states, not with the notion of complying with some sort of basic anti-spam legislation.

I think the legislation already includes.... There is an enforcement arm. The goal of the task force, I assume, by virtue of this legislation, was to try to find a number of tools to go after this.

Certainly there is within this legislation, as you know, a number of enforcement agencies that can go after spamming activity. It can result in pretty sizable penalties. I'm not about to go out and launch any of these lawsuits, but we heard consistently from certain businesses who are deeply affected by this that if we had a private right of action in place, they'd be inclined to try to use it. In some instances, they grew so desperate about the Canadian situation they filed suit, but were forced to do so elsewhere.

Yes. I was actually taking a look at a statistic I did a couple of years ago. Back in July of 2004, the United Nations actually estimated that spam cost the global economy around $25 billion annually. Obviously since that time it's heavily increased.

That's one of the numbers I've been able to work from.

I would imagine it's double now--

It's way higher now.

--if not more than that, mainly because of the industry, almost, that came up to prevent spam. People have heavily invested in it, and the services are not cheap. The price for some of these services is somewhere in the area of $50 a month per mailbox. If you times that by 10,000 employees, that's a pretty hefty anti-spam bill you're fighting annually.

Those types of services and costs are based not only on what it costs to prevent spam but also on what it costs in employee time. We had briefly touched on that earlier with one of your colleagues. It would cost easily $300 a year per employee for just the time it takes to hit the delete button or to move it to a junk folder. That's significant time that you're breaking someone's work flow.

Yes.

If I may, Jay Thomson, the former head of the Canadian Association of Internet Providers, estimated that the average cost to consumers was $5 a month. That cost that has since jumped up.

What's interesting, though, is that the amount of spam you see today in your inbox is probably only 10%. The other 90% is actually being taken care of either by the government or by Hotmail or whatever organization that hosts your e-mail. So you can imagine the amount of e-mail that's coming in.

AOL, about four years ago, noted that they had blocked about half a trillion messages. That was only four years ago. Again, we would look at that and say it's probably doubled, if not tripled, to that extent. Once you start adding in that $5 on their side of it.... It's going up.

I think it's almost impossible to overstate the effect that this has on consumer confidence.

I can recall, actually, that when we launched the spam task force, there was a press conference. I remember one of the reporters turned to the task force members and asked--I happened to be the one who responded--what would make this a success. I noted that when e-mail first arose back in the mid-nineties, people started popularly using it. You used to follow up with a phone call to make sure that the person got the message. Then there was a period of time when we stopped doing that. We just assumed that the message had been received.

We're back to making that phone call. If you don't hear back from the person within a day or so, you almost assume that you either have to pick up the phone or re-send the message because it's been caught in the spam filter. It has rendered what is otherwise an exceptionally important tool for communication into one that is simply not reliable any more.

It's taken four years to get from the point of a unanimous task force report that included everybody across the spectrum to finally just getting legislation tabled, and there were a couple of false starts along the way. The notion that we're going to go back to zero I think would be enormously problematic, particularly at a time when we've seen, from across the spectrum, all parties—this is clearly a bipartisan issue—industry, and consumers saying that Canada is quickly falling behind from a digital perspective. We need a digital strategy, otherwise we're going to fall further and further behind.

From my perspective, this forms a part of that digital strategy. And if we're unable to see this get through, and get through quickly, it represents a setback not just for this particular piece of legislation but for the larger Canadian digital environment more generally.

As I think we've mentioned, the experience elsewhere is that unless you have strong penalties, this doesn't work. I think there were even some quotes in the press from one Canadian-based spammer, who was laughing when told about the prospect of Canadian anti-spam legislation and indicated they figured they could just keep on going.

There's obviously a certain kind of profitability that a spammer or a fraudster is going to have. The only way to counter that is to make the risk far greater than it is today, that there are real financial penalties at stake. This legislation has that.

We keep bringing up Australia, but Australia is the one place where they brought in penalties that at the time were seen as unprecedented. The reports coming out of that country were that many of the spammers were either picking up and going elsewhere or finding a new line of work. It really did have the effect of increasing the risk of engaging in that business to the point that they went and did something else or did it somewhere else.

There are provisions that discuss that ability for information-sharing and coordination between agencies. Obviously the provisions themselves, in some instances, are targeted to a specific agent, one or the other, and one would hope that, properly resourced, there will be the ability to carry out that mandate. And as I mentioned, the fact that this legislation will come, and one would hope would come in a unanimous fashion from the House, from across all sides, I think sends the strongest signal possible that this is a priority and the time to act is now.

I think there are still a lot of options in this regard. In fact, when I'm asked to make a connection with someone in this kind of context or other sorts of contexts, my approach, partly because I'm concerned about the privacy of the individual, is to send the person who's made that request the contact information and say, “You ought to contact this person.” I often might send a similar e-mail to the person who they might be contacting, saying, “Keep an eye out for a message from my friend who might be contacting you.”

In that case, the person who wants to make that connection with the real estate agent is making the contact directly. There are no issues whatsoever. I actually think that's the healthier way of approaching this. I'm not handing out my friend's e-mail to all sorts of commercial entities. Instead, the person is able to contact them directly.

Of course, there are still other ways to market or to get that initial consent from that individual. That real estate agent can pick up the phone, assuming the individual is not on the do-not-call list, and make a phone call if they want. However, because we've seen people's personal information misused at times, I think the better approach in terms of how we make those kinds of business connections is to actually put the control in the hands of the individual who wants that service. Let them reach out to your real estate agent and let me provide them with the information they need to be able to do that.

Yes.

Well, I actually think the legislation does deal with this in part, because there is, as I mentioned, the business-to-business exception. I'll tell you that when I launched my spam complaint, it also happened to be against a sports team. It was against the Ottawa Renegades, the old CFL team, not that they were spammers, but they kept sending me these messages. They lifted my address off the university's directory.

I found it interesting to note that the university took the position that this was the university's commercial e-mail address. Now, there is an exception for true business-to-business e-mail, where it is directly related to the business itself. If someone was trying to send Mr. Lake a message that was about a hockey trade, tickets, or something like that, that's directly related, and you're okay. When they're trying to sell something else entirely, the business-to-business exception doesn't apply and that would be a violation.

I actually think the law does a pretty good job, especially when we're dealing with businesses and publicly available addresses, of trying to address the instances when there is legitimate business-to-business e-mail, which can continue to happen, as opposed to the spam or the outside messages, which would now fall into the spam category.

No. There's been an ongoing issue in Canada as to whether or not e-mail addresses are themselves personally identifiable information. At a provincial level, there actually have been some attempts to exclude that, but federally, until we change the law, they are treated as personally identifiable and thus subject to the same kinds of privacy protections as other personal information.

I'm going to repeat this. As long as you understand that there's a huge, massive exception, get consent. All of this is permitted as long as you obtain consent. We are now only in that basket where someone hasn't actually obtained the person's consent in the first place. They don't really know whether the person wants to get this information. In every other instance where the person has actually given them consent, it's fair game, and they can do whatever they like. So we're only in that particular basket.

The question is whether in that basket this is more narrowly constructed than PIPEDA, and the answer is yes. I would argue that is an absolutely good thing. What we have seen not just here, but in other countries as well where you adopt what is effectively an opt-out approach--one where you can imply consent in a broad number of situations--is that doing so opens you up to a torrent of potential abuse and misuse of what is seen to be consent. Here's where the rubber hits the road. When we went to various enforcement agencies and said we wanted them to take on a case, they were only going to take on a case that they thought was a slam-dunk case. If there was any kind of doubt about this, they were worried about taking that kind of case on.

Leaving aside the fact that we have this big huge honking “express consent” that covers everything, if you expand that so that almost anything is “implied”, you're going to hamstring the regulators and enforcers who are going to look at this and say the other side is saying “we think we could have implied consent in that circumstance” and you're left with no action at all.

I admit that I think there's ample reason for some skepticism as to whether it will be enforced as effectively as it can be, at least on paper. I think that's one reason why a private right of action is a good thing, because it actually does allow the private sector to pick up the slack if we don't get the kind of action we want from the enforcement agencies.

I think the other thing is that one would hope that putting in the right resources and having very clear legislation would send a very strong message.

But you're right. At least with respect, in my view, to the CRTC and the do-not-call list, the track record isn't great, and once again we are putting a lot of responsibility on their shoulders to enforce this law.

There's the potential for that. The concern has actually been the opposite. My understanding is that there have been a number of instances in which there have been international investigations with a Canadian component, and there have been concerns as to whether or not Canadian authorities could cooperate and hold up their end of the bargain. It's been less about trying to go after true Canadian-based spammers and more about ensuring that Canada doesn't ultimately become a barrier to international spam investigations because the agencies that have certain information aren't empowered to share it with their counterparts in other countries.

I think we could attempt to do that.

Go ahead.

I do.

Outside of the governments of the world coming together, I think you're starting to see organizations such as the Messaging Anti-Abuse Working Group, with ISPs, ESPs, and private anti-spam organizations working together to really sort of push the envelope and ask how they as organizations can raise the bar where government falls short, and how can they prevent abuse from their own networks, or abuse coming into their networks. They're really working from the business side on how we can prevent that.

With the help of government, obviously, they're going to be able to take action. What you'll see then is that the cottage industry spammer, the small guy sitting in his basement sending SPAM, will disappear. That's what Australia saw. They'll disappear overnight because they're worried about huge lawsuits.

Where you have the problem is with these large organizations. There's the Canadian Pharmacy spamming, where the Canadian organization has now moved out of Canada but still spams in Canada, still uses the Canadian Pharmacy branding, and still sends products that don't work. But there's no action. We can't do anything about it, because they've moved to other countries or they've moved outside of the borders where this stuff's enforceable because they're worried about the types of actions that can be taken against them.

Right.

Why don't you guys answer this too?

My own view is that we often try to get away from some of these definitional issues because early on we would have some of these discussions and spend half a day talking about what your definition is. It wasn't particularly productive, because the real focus was on where the harms are and what kinds of standards we want to set for what's acceptable and appropriate commercial marketing.

The legislation is obviously focused exclusively on the commercial side, and there's good reason for that from a constitutional perspective, I believe, but in terms of trying to ask if this is spam or unsolicited commercial e-mail, you could get a dozen people in here and everyone would give you a different answer in terms of how they define it.

There is an exception in here as well for that sort of consumer-to-consumer personal correspondence. The issue is whether this now rises up to the level of clear commercial activity. I think there's some question as to whether or not it rises to that level. There is also, though, realistically, the question as to whether we are talking about any kind of real risk. I mean, is your buddy going to file an anti-spam complaint against you for telling him that your boat's for sale?

I don't think there are many individuals who are going to look at that and think twice before they send out a message to their friend saying--

Let me just give you the specific provision, because I think it will cover most of what you're talking about. It's paragraph 6(5)(a): “This section does not apply to a commercial electronic message...that is sent by an individual to another individual with whom they have a personal or family relationship...”. So if you're talking about anyone with whom.... That's as defined by the regulations, so it can be a commercial message, but so long as you have a personal relationship with that person, it's outside the--

There's a patchwork of laws. Typically, in the U.S. we've always kind of broken down laws almost by industry type, such as in the case of the telecommunications act and the health act. It's a patchwork either by federal law or by state law. The Utah one that keeps popping up is a state law. There are privacy issues as well. A lot of states have different privacy legislation as well to control exactly what you can do with that. Yes, there is a breakdown by state.

To supplement that, it's essentially shared responsibility. You can get federal law and state law. Under pre-emption rules in the United States, if the federal law wades into an area, it will pre-empt the state law, which, as we mentioned, is what happened when they brought in CAN-SPAM. They had a multiplicity of different standards, and CAN-SPAM was used as an attempt to try to create a uniform standard.

Subsequent to that, we've now heard a number of states say that CAN-SPAM doesn't do a good enough job. We're starting to see state-based anti-spyware legislation and even state-based anti-spam legislation that has attempted to address what they saw as holes within CAN-SPAM. Sometimes there's been litigation as to whether or not it is a valid state law in light of the fact that there is a federal statute with CAN-SPAM. Thankfully, we don't have to deal with quite that complexity.

That's correct.

Yes.

I think the realtor would be comfortable, assuming they had asked the person if they had permission to send it on to the friend.

We've had a couple concerns, and we've sent them in in separate documentation.

The first one is about forwarding to a friend. It's similar to the idea that you were just talking about in regard to introducing a friend to a product or to another individual. The way the “forward to a friend” traditionally works is that if I'm on a website, and I like the news article that Mr. Geist wrote, and I want to send it to my privacy person at work, then I enter his e-mail address and name on the form, and I type, “you should read this article” and I hit “send”. There's no clarification concerning who the original sender is because the message didn't originate from my local computer. It originated from another server, which is managed by a website.

I think the idea behind this is that if the message is delivered and the address is not kept or recorded--it's just used to deliver a link that says go read this article with my message included--then it's not really clearly defined who the sender of the message is. I initiated the message, but it was delivered through another network. That's something we have mentioned that should potentially be clarified in the act.

There's also the identification of a sender. What's clarified as an identification? Is it the logo in a message? Because if it's an image, a lot of e-mail clients block images. That's something that needs to be looked at. You can't spam-address stuff by using a postal address, by putting a clear text postal address in a message.

Regarding the idea behind anti-spam filters, there was wording around changing the content of the message during transmission. A lot of spam filters will put headers in that say “we suspect this is spam”. Those types of things need to be clarified as well.