Thanks very much.
Good morning. My name is Michael Geist. I'm a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I served as a member of the national task force on spam and appeared before this committee in the development of CASL. As always, I appear in a personal capacity, representing only my own views.
The hallmark of fraudulent spam, from get-rich-quick schemes to body-part enlargement promises, is that while it contains something that seems unlikely, people still often want to believe the claims. Over the last several years we've experienced something similar with respect to anti-spam legislation, in which the claims of doom often just don't add up.
A perfect example is the frequent suggestion that somehow the neighbourhood lemonade stand would be affected by CASL. Now, stop and think about this for just a moment. Politicians admittedly might be an exception to this, but how many of us have email addresses for all of our neighbours? How many would think to actually not only collect all of those email addresses, but then email the entire neighbourhood about a lemonade stand? Like spam, it takes a claim with a kernel of truth—the need for consent to send commercial messages—and then moves into a world of fantasy. Long-standing scare tactics, ones that pre-date even the drafting of the legislation, are not the way to assess this law.
In my view, there are really three questions that lie at the heart of the assessment of CASL: Is there a harm or risk that needs to be addressed? Does CASL help solve the problem? And even if the answers to one and two are yes, is the law still too onerous?
Let me try to answer all three.
First, is there a harm or risk to be addressed? I think the answer to that is obvious: absolutely. Let me point to three examples. First, malware, spyware, and phishing attempts have emerged as exceptionally important cybersecurity issues and they are caught squarely by CASL. Today these efforts may be state-sponsored or simply criminal. Consider the impact of phishing attempts in the last U.S. election that successfully gained access to thousands of emails at the DNC and may have helped change the course of U.S. political history; or the massive malware cases such as WannaCry, which have affected millions, caused millions or even billions in damages, and put hospital and banking systems at risk. We need effective laws to counter these threats, and they are unquestionably part of CASL's ambit.
Second, I think we all recognize the importance of e-commerce. The success of e-commerce depends on trust, trust that our information will be used appropriately, and trust that online sellers will deliver what is promised. The concerns associated with fraudulent spam extend beyond just the losses that can occur from those individual messages. They undermine the potential success of all e-commerce activities by undermining trust more broadly.
Third, the public is increasingly aware and, I would argue, concerned with their privacy and the use of personal information. Our major trading partners, particularly the EU, have tried to address these concerns through tough new laws. CASL isn't separate and apart from PIPEDA; it is a foundational part of the legislative response to the risks of misuse of our personal information. At its heart is the need for informed consent, a standard the establishment of which is long overdue.
Now, does it work? I would start by saying I wish we had more data. I think the failure to collect extensive data is a serious mistake by officials who should have been working with the spam research centre, Internet providers, email service providers, and law enforcement to collect data. The need for more data provides a reminder that the work of policy-makers doesn't end just because the legislative process concludes. There are, however, several studies and reports that provide valuable data on the impact of CASL.
The committee already heard from Mr. Fekete about the 2015 Cloudmark study, which found significant declines in spam, with 29% less email in Canadian inboxes, and a 37% reduction in spam originating from Canada. I'd be happy to debate and explain why that's actually a good thing.
Further, one of the core concerns about Canada's anti-spam framework before CASL was our inability to co-operate actively with global enforcement actions. Our task force heard that without a comparative spam law, Canada risked becoming a spam haven, without the legal ability to assist partner countries in investigations and enforcement. CASL has unquestionably addressed this issue, ensuring that Canada is no longer an island in the fight against spam. We have international enforcement agreements with four countries, and MOUs with 12 agencies in eight countries. But perhaps most telling—and I don't believe the committee has heard about this yet—is the ROKSO list, the register of known spamming organizations, which is maintained by an organization known as Spamhaus. The ROKSO list identifies the top 100 spamming organizations, which are responsible for 80% of the spam worldwide. I have to tell you that the existence of this kind of list came as a surprise to me and to many other spam task force members, as it confirmed, surprisingly I think, that we actually know where the leading spammers are.
Further, we learned that Canada was a notable home for these spamming organizations.
When CASL took effect in 2014, Canada was home to a disproportionate number of spamming organizations, with seven of the top 100 spamming organizations in the world located in Canada. Today, three years later, there are only two remaining. There may be several factors behind the decline in the top spamming organizations in Canada, but the existence of a tough anti-spam law with real penalties is surely one of them.
This data confirms CASL's effectiveness, and in this regard it should be emphasized that the goal of the law was never to eliminate all spam from our inboxes. No law can do that, just as no technology can eliminate spam or fully protect us from malware, spyware, and phishing. Rather, the goal was to reduce the spam that originates in Canada with the hope that other countries would do their part. In that regard, the law has been a success.
Finally, is the law overbroad? I have to say that CASL complaints have always struck me as a bit odd. The complaints typically focus on the many exceptions in the law, claiming they are too narrow, restrictive, or difficult to interpret. The real narrowness has often come from the interpretations that have been provided.
Consider the issue of charities. ISED Minister Navdeep Bains stated the following in the press release announcing the decision to delay the private right of action: “Canadian businesses, charities and non-profit groups should not have to bear the burden of unnecessary red tape and costs to comply with the legislation.” But the CASL regulations state that section 6 of the act does not apply to a commercial electronic message sent by or on behalf of a registered charity, which has as its primary purpose raising funds for the charity. In other words, charities already enjoy a broad exemption under the law.
Similarly, the committee has already heard from others about the supposed need for a business-to-business exception, yet the law already states that this section does not apply to a commercial electronic message sent to a person engaged in a commercial activity consisting solely of an inquiry or application related to that activity. That exempts legitimate business-to-business commercial electronic messages.
I'd say that even this focus on exceptions is misplaced. Businesses rely on exceptions where they don't want to comply with the foundational obligation that is in the law: consent. The law is clear: if you get informed consent, there is no need to go searching for an exception to apply to your activities. When you hear complaints about narrow exceptions or calls for more, that complaint is fundamentally about the ability to use that personal information without informed consent by leveraging an exception. I'd say that's bad policy and bad for privacy.
To conclude, these remarks aren't meant to suggest we can't do better. We need better data; we need better awareness of the Spam Reporting Centre; we need the agencies to engage more directly with businesses about the true requirements of the law; and we need better enforcement, including the private right of action. I would also suggest that we need a strong anti-spam law with real penalties that is based on informed consent to deal with a very real threat. That law is CASL.
I look forward to your questions.