Industry Committee on June 16th, 2009

As we mentioned in our remarks, we are very supportive of the bill in principle. We're also very supportive of the objective of dealing with spam and harmful or malicious computer programs that could have detrimental effects. We agree with the approach of opting in as opposed to opting out in the United States. As Mr. Courtois said, the issue is really recalibrating it to remove the inadvertent potential problems. There are several ways in which that can be dealt with. Some people will have different views on the best way to do this, because although there are certain common elements internationally, there are still variations from country to country. There needs to be discussion and debate on the appropriate approach for Canada to do this right.

As a matter of general principle in talking about spam, if the definition of the electronic commercial message were targeted at the real subject matter that's of concern to the country--these direct marketing types of messages that are the focus internationally--that scope would get the 17 bad companies that everybody's concerned about and not inadvertently catch the Canadian businesses that are just trying to hang on in these tough economic times.

On consent, if we move from express consent to the international standard of further implied consent, there is no way the 17 bad apples could ever prove they had implied consent. We would be able to catch the entities we're really concerned about without inadvertently catching legitimate Canadian businesses.

On the exceptions, if we didn't try to be very specific and identify every exception in advance, but left it to a flexible and realistic principle, we'd be far advanced.

On spyware, many countries simply rely on their criminal code provisions to deal with it. Canada has several provisions that would be applicable today, such as mischief in relation to data, and the unauthorized use of a computer. So there isn't necessarily a case that we need it. But if we were going to do it there are models in other states, particularly the United States, that have spyware legislation. They deal specifically with malware and define what it is. If we moved in that direction we would have a bill that everyone around the table would accept in principle.

No, actually a lot of the unsolicited commercial e-mail that you were probably getting in your inbox really would have fallen into the category of truly unsolicited messages, as they would have been using some kind of dictionary tag or software to harvest your e-mail address on the Internet. They're using another element where they're clearly not even trying to rely on implied consent or any other form. They're using methods to collect these e-mail addresses, and then they go off to any other vendor who's willing to sell their wares and they will send the e-mails for you.

I would still see most of that, actually, as something that should be caught by ICPA, and is caught by ICPA. I know “legitimate business” may be difficult to explain, but legitimate businesses in Canada are subject to privacy legislation, and it's proven to be useful, because these individuals that both Professor Geist and I referred to hadn't sent one or two e-mails; they had actually sent out hundreds of e-mails on their lists, and they just happened to hit two people who were on the task force, so it was their bad day.

There would be more than 17.

Thank you.

It's true, we all get irritating e-mails. Some of them we even get from people we like, with whom we have a personal and family relationship. So there's nothing we're going to do here to avoid getting e-mails that we don't all want to get. The issue is how you properly distinguish between the good ones and the bad ones, and that's where the debate is. I don't have any disagreement with you that all of those e-mails that clog up our e-mail inboxes from people we don't know and have never dealt with are ones that should be covered, and they'd be covered both by PIPEDA and by the ECPA. And they'd be covered even with the kinds of suggestions we were making to recalibrate the bill. Those e-mails that are clogging up our inboxes from people we don't know, they would not fall within the definition of implied consent or from a relationship we had. So I think we could deal with your clogged mailboxes--and they're all clogged mailboxes--even with a more flexible implied consent regime.

I think that best practices can be reflected in the legislation. If I, for example, have downloaded a program that enables me to open certain applications or see videos or hear sounds, that's what I see now. When there's an update ready, I am asked if I want that update. The best practices are that while the updates are being downloaded, I just reduce them to the bottom of the screen, and I can go on using the computer.

It's very different when you're talking about some security patches or applications that really have to be downloaded automatically. That also includes certain types of transactions during which it's not quite clear that there's an actual program being downloaded. That's where I say we have to talk to our technical people and ask how many transactions like that don't really represent the format of “Do you want an update to this particular program you've installed? Click yes.” And you know exactly what it's for. For some of them, if they are trying to fix some vulnerabilities in your computer, there's a timing factor and a complexity. There's a question of explaining what they're for, whereas conversely if you want to go after malware, you can write down the five or six things that constitute malware. They include modifying settings of other programs, collecting personal or financial information of the computer's owner, activating keystroke logging software to collect personal information, attempting to block or uninstall existing anti-spyware, collecting browser history and bookmark list, or preventing the user from removing spyware programs.

You could run down the list and make them subparagraphs in the definition of spyware, and you would get pretty much universal agreement to them. By regulation, any other similar thing could be equally prohibited, and you've covered the universe. You're trying to cover the universe of downloads, but what's the downloading of an applet or JavaScript? Is that a program? Does that lend itself to approval or requesting approval? Does it make the functioning of the Internet a lot more cumbersome?

That's where you really would have to get a group of people around the table, and you would never be totally comfortable that you'd covered all the cases of things that are good that you don't want to prohibit. That's why it's so easy to write down the bad things. Just list them and you've done what you've tried to achieve.

I have to admit that I'm not expert enough to know that, but I know that if the kinds of attacks and the kinds of problems that can occur were predictable, then obviously all the software would do it. You might want to be doing something to the program other than to say broadly up front that we can put in any updates that help better protect your computer.

Is that going to fit the definition of what we have here in terms of what the consent complies with? Are there other cases where you're downloading things that wouldn't necessarily be seen as a particular program or wouldn't necessarily be seen as being the kind of thing you bought in the first place? They might be additions to how it works technically as opposed to simply having a new functionality or something like that.

Yes, I was going to make a point. It's really that since we've had a chance to review the bill, we've been able to identify some situations in which the installation of a computer program might be problematic, either because it's not practicable to get an express consent in every case, or because there are situations where it's not possible to comply with the form of the consent because in order to get it there have to be certain disclosures. There have been difficulties in terms of how one would comply with the obligation to provide information about every single update in advance when you're contracting today for updates that may occur over the course of a year.

But if I could make one last point, it is this. We really have to recognize that computer programs today are used in every digital device. This is not only about computers and the Internet. It's about computer programs that are loaded into cameras and into every device that is networkable today. There's a real issue about being able to define in advance a new regulatory regime to deal with computer programs on digital devices.

There's been debate since at least prior to the year 2000 about the appropriate form for getting consent with respect to the use of people's information, which would include address information. People had that debate back in 2000 when we were debating PIPEDA and what form of consent should be used for privacy legislation.

I think everybody sitting at this table has the highest regard for the need to respect privacy and personal information. At the time that was debated, there was a consensus that the privacy legislation would still be effective if it had a mix of both express and implied consent. At the end of the day, what was accepted as part of the CSA model code was that for very sensitive personal information, as a practical matter, only express consent was sufficient, and for less sensitive information, it would be appropriate in certain cases to use implied consent, which is part of PIPEDA. That's what Canadian business operates under today: this standard that can vary from information to information.

Now, many companies will use express consent. Many companies, where they have the opportunity to deal with individuals, have consent as part of their privacy policies. I have no doubt that those companies will continue to do that whether we're dealing with PIPEDA or the ECPA. So for those I think there is not going to be a change.

The issue, though, is when we move to a regime that basically says “thou shalt not send to anyone an e-mail that has any commercial purpose”. There are going to be many situations in which people will want to receive e-mails from others. It would almost go without saying that they would want to receive e-mails from others. By imposing that express consent where there hasn't been that opportunity, what we do is take away from the usefulness of the medium.

For example, in many cases we can make telephone calls to others. I could call you, tell you I'd like to sell my boat, and ask you if you would be interested in buying it. Maybe you're not my friend or a family member, but maybe you're a friend of my friend or you're my sister's friend. In that situation, there's a great likelihood that I couldn't do that if this bill were enacted in this way.

So again, I think there are pragmatic reasons why implied consent would be useful.

I would just like to add some practical examples. Since the bill was put forth, I have observed that a couple of people who I've known for many, many years have left, say, the government or another firm and started a business on their own. I've never had a contract with these people, but I am very happy to see their coordinates now and that they've started a firm, and if we ever.... I would never feel shocked. Actually, I find it useful to find this.

The other thing is, suppose I bought a product three years ago and I get a product recall notice or safety information. That's more than 18 months ago. Surely we don't want to prevent that.

So what we're talking about is not to open up a flood of unwanted commercial e-mails, but just to define it so that we don't capture in the definitions things that everybody would say, oh, yeah, we don't want to prevent that.

I don't think it will, because I think we'll have a mixture of express and implied consent. When you look at the notion of implied consent, we can still put some words around it, as they've done internationally, so that implied consent arises from something—from a business relationship or some other relationship—to make sure it's not completely open-ended. But again, that's very different from saying I can only send an e-mail to someone who has bought something from me in the last 18 months—which is exceptionally narrow—or I can only send an e-mail to someone who is an immediate family member, as opposed to someone else.

Thank you.

The do-not-call program has only been in operation for about eight months now. Our feeling is that it's important to give that program an opportunity to run for a reasonable period of time so that it can be properly evaluated. The original legislation provided for a report back to this committee on the operation of the do-not-call list. We'd be very concerned about including in this legislation, as almost an afterthought, a provision that would effectively allow the government, at the stroke of a pen at some later and not-defined date, to eliminate the program without the kind of discussion we feel would be warranted.

Even now, having heard of these provisions in the bill, we have members asking us, is it true? Is this program going to be pulled out or turned off? We think it creates uncertainty for the business community to have this kind of a trigger placed in the legislation. We just feel it's not necessary to the thrust of the Electronic Commerce Protection Act.

Granted the minister's argument that convergence may at some point yield an argument to make some changes, but I think at that time we would suggest that legislation be brought back and the situation be looked at then.