Thank you very much, Chris. Thank you, Mr. Chair.
I would like to reiterate the CIPC's support for the objectives of the bill. The Minister of Industry has clearly signalled that strengthening Canada's digital economy is a top priority for Canada and that encouraging reliance on electronic commerce by addressing issues such as spam, phishing, and malware is an important component of it. However, the broad scope of the current bill, the absence of exceptions for many socially and commercially valuable business practices, and unwieldy consent requirements collectively capture an array of legitimate activity. When coupled with massive administrative monetary penalties and statutory damage provisions, both of which impose a tremendous level of potential liability on businesses for any breach of the bill, the bill may actually have the opposite effect, actively discouraging electronic commerce in Canada and impeding the development of our digital economy.
Over the course of the committee's study of Bill C-27, a general consensus has emerged among the business and legal community that the bill should be amended so that it properly addresses the egregious and harmful forms of spam, phishing, and malware that it's intended to target while at the same time limiting its impact upon legitimate activity. To this end, as Chris mentioned, we have submitted a series of recommended amendments to the bill for your consideration. However, in the interests of time, I'm going to focus my own remarks on two key issues, namely address harvesting and anti-malware.
In terms of address harvesting, the ECPA seeks to ban the collection or use of electronic addresses obtained through address harvesting programs, as well as the collection and use of personal information obtained by telecommunications. However, the new prohibition is so broad as to prevent the collection and use of electronic addresses and other information, such as IP addresses, for legitimate purposes such as law enforcement, which will undoubtedly have very serious consequences on the ability to fight such computer crimes as child pornography and identity theft. This would also prevent the collection and use of information for legitimate private purposes, such as collecting information online to investigate instances of defamation or of potential trademark or copyright infringement or to send messages in connection with the protection of such rights.
Consequently, the address harvesting provisions should be limited to collecting address information or personal information for the purpose of sending unsolicited commercial messages, and at a minimum, the exceptions under PIPEDA for collection and use of personal information should also apply.
Regarding anti-spyware, the provisions in the bill make it illegal for anyone to install a computer program on another's computer system without express consent. While the intent of this is to prohibit installation of such malicious software as viruses, worms, and Trojan horses on individuals' computers, the definition of “computer program” is so broad as to capture any form of data, be it text, software, code, or otherwise, that causes a computer to perform a function when executed.
Consequently, it applies to the installation of an entire operating system, to the addition of a single feature in an individual piece of software, and to everything in between, including firmware updates, patches, upgrades, add-ons, etc. It applies regardless of the circumstances under which the program is installed—either installed by a professional technician, by an end-user, or via automatic update—or how it might be delivered, either being pre-installed on the device, purchased or retailed or delivered by electronic transmission, or of whether it's malicious or beneficial.
Further, it applies to any computer system, which not only includes personal computers, but also any form of consumer electronics, such as mobile phones, digital audio and video recorders, video game consoles, even most modern appliances in automobiles. If the intention is to prohibit forms of malware that discourage the reliance on electronic means of carrying out commercial activities—