Industry Committee on Oct. 24th, 2017

I can talk about one specific outreach initiative where we thought we would do some reaching out to organizations that may not know they're implicated with respect to address harvesting—address harvesting being the collection of addresses through electronic means. Some organizations that use address lists may think that doesn't have anything to do with them, that they just purchase the lists and use them in order to do their marketing. However, if you've purchased a list that's been compiled without the adequate consent of the individuals through address harvesting, then you're also potentially on the hook for a violation of the act.

For part of our outreach, at least in that specific area, we thought it was highly valuable to say to these organizations, which are broadly across sectors, that if they are using lists, they must ensure that they ask the right questions of the list providers to ensure the list has been compiled with the consent of those people on that list.

That's a good example of what we've done in the area of outreach, at least for organizations.

I'm afraid the question is a bit too broad for me to get my head around it.

Legislation about social media generally...?

Do you have a view on that, Brent?

Well, I can tell you how it can be related.

If you look at the recent case with respect to Wajam, you'll see that one of the features of this adware is that it was coupled with social media interactions and delivered to individuals. Social media could be leveraged by organizations that are carrying out some of these other activities, such as in the Wajam situation, in order to facilitate those activities.

In this situation an organization was coupling the adware with the understanding of the contacts related to social media. It wasn't just social media that was spamming, no. It was this organization that was installing this adware along with other free adware. Social media was a component, but it was not the avenue by which it was delivered.

The adware would take a look at social feeds and deliver and identify advertisements related to the social feeds. It was making use of the social network.

It was Compu-Finder. Because address harvesting harvests many electronic addresses, it can obviously facilitate an excessive number of communications to consumers who do not wish to receive these communications. That's the link we're making. It's excessive from the perspective that numerically many people are affected and receive communications that they never asked for, and address harvesting results in that conduct among other things. Address harvesting can also, in the worst case, be used to disseminate malware and can lead to other privacy risks.

This case was intelligence-driven. It pointed out with respect to these threats, address harvesting and spyware, it's more unlikely that individuals will know that they've been affected and impacted by that. Right from the outset with respect to the coming into force with CASL, we expected to take a more proactive approach. The Wajam case was a result of identifying potential threats and risks out there in the marketplace and knowing that and surveying that there were issues and concerns related to this specific type of adware and its installation and its difficulty with respect to de-installing as well.

People noticed it was intelligence-based when they tried to reinstall the system and were unsuccessful. Some of them made their views known, but the start of this was intelligence-based.

Yes.

There was more collaboration with the CRTC with regard to the Compu-Finder investigation because two agencies were carrying out the same investigation. Our office was looking at the collection of addresses whereas their office was looking at the dissemination of messages. To that extent the issue was very complementary. That was where there was closer sharing of information, and just keeping each other apprised of the status of investigations.

With respect to Wajam, there wasn't any specific collaboration, but we also have certain working groups and certain opportunities where we get together and talk and are aware of what each other is doing to see whether there might be an opportunity to collaborate, or to know that we've seen this, is this something of interest to the others or not, and that way we can make a more informed decision about who's best placed to pursue our matter.

It would have been mentioned at certain meetings that we were pursuing this.