Industry Committee on Sept. 26th, 2017

In terms of the complaints we've received in the spam reporting centre, I can't say there's a clear trend out of those numbers. It really does touch a lot of different industries and businesses of all different sizes.

I'm not sure that's always obtainable based on the information that's filed with the complaint.

We've relied on a number of third party reports to be able to get an assessment of the degree to which spam makes up the email flows of Canadians. We get it in two ways. One is the degree to which we can rely on the senders to understand their practices, for instance, working with folks on the “Canadian Digital Marketing Report” or others that tell us about senders as well as some information related to recipients.

One year after CASL's implementation, for instance, there was 29% less email in Canadians' inboxes, and a 37% reduction in spam originating from Canada. That came from an organization called Cloudmark, in a 2015 study.

We have data from CIRA and Ipsos that indicates that 84% of Canadians who knew about CASL took advantage of the coming into force to triage the emails coming into their inboxes. The spam reporting centre has received just over 1.1 million submissions. We're trying to triangulate multiple sources of data to be able to get at the issue.

On the sender side, Litmus and others have told us, for instance, that 49% said that CASL had no impact on their email marketing program; they were continuing to market through email because they felt they could be compliant. Twenty-three per cent said that CASL had minimal impact, so clearly there were some shifts. Twenty-seven per cent said that it had a significant or dramatic impact, which means that, potentially, they were significantly addressing their current practices.

The data is third party, and by and large, as we say, we try to get it from a number of sources, to really get at the root of the issue.

Canada is no longer in the top 10, and according to some sources, since CASL came into effect, it is no longer a top 20 spam-producing country.

Again, we have to triangulate lots of information to get at that, but by rankings, we're not in the top 10 and maybe not even in the top 20.

Causality is always challenging in these situations, but I think the fact that we have a robust anti-spam legislation that has significant compliance requirements for all senders is a useful mechanism to be able to highlight that spam is important and that we want to cut it down. It's not directly attributable, but one can see that pre-CASL and post-CASL there has been significant progress.

On international enforcement, we have had some success in the international space. I'll turn to my colleagues in a second and they can tell you their own success stories. The enforcement agencies that are empowered by CASL have the capacity to work in the international zone with their peers. That has included the taking down of a botnet server, which I'm sure the CRTC may want to suggest as their own victory, so I'll turn it over to my colleagues.

As I mentioned in my opening remarks, we were afforded by Parliament great information-sharing privileges with our international jurisdictions, which is fantastic. We've executed MOUs with various different countries. We are a member of UCENet, which we talked about. It is an international unsolicited communications network of enforcement agencies. That allows us to call on those specific agencies and countries whose spam legislation falls within...to execute warrants and get information for us. We do the same for them. It is a back and forth, so we're able to help them, and they are able to help us. I think that's probably been the most successful piece from an international perspective.

I think the committee is right in pointing out that it's domestic legislation for a global problem.

One of the things I mentioned in my opening remarks, since you're asking, is that I am required to collaborate and co-operate with my partners at the Privacy Commissioner and the Competition Bureau, but my domestic sharing is actually rather limited. It's difficult for me, within Canada, to actually share with my colleagues at the RCMP, Public Safety, or wherever to move forward on cases. I made a point of that in my opening remarks, so I'll make it again. That's probably where we find the biggest challenge. Internationally, I can share more easily than I can across the street with my RCMP colleagues.

Absolutely, from an enforcement perspective.

From an enforcement perspective, the act is written as technology neutral, which is helpful. We are certainly seeing different types of spam. You're right. I think it's moving faster than we can keep up.

I have a team of technical experts and forensic analysts who are constantly challenged by the next thing. As soon as we think we understand one form of spam or one form of malware, we are challenged by yet another new form.

We can ponder this when we return perhaps, but at this time, I would suggest that the way the act is written—it's technology neutral—we have the flexibility to move. I would argue that trying to keep pace is our challenge. It's not the act.

We've conducted several investigations, more than 30.

Investigations aren't always closed the moment a warning letter or a notice of violation is issued. A big part of our job is ensuring that companies remain in compliance after they've been the subject of an investigation. For instance, we have several investigations where, after we issue a warning letter, we'll do some follow-up to ensure compliance is achieved and monitor their activities, check in on their compliance programs.

I believe that, to date, we've issued about a half a dozen notices of violation. We've issued more than 10 warning letters and several other kinds of enforcement actions. Undertakings, especially, are quite helpful. We have the ability to engage in a negotiated discussion with the subject of an investigation when it wishes to voluntarily come into compliance. That's a particularly effective tool for us. We can negotiate the terms with the party involved and ensure part of that includes a robust compliance program going forward.

When we learn of information, when we receive information in the spam recording centre that relates to a criminal violation, we share it with the RCMP. Our colleagues at the bureau have the ability to pursue violations, either civilly or criminally. They would be the best people to talk to about that.