Industry Committee on Nov. 7th, 2017

Thank you, Mr. Chairman and fellow members. Thanks for inviting me to this statutory review of Canada's anti-spam legislation.

I am Louis Lau, police officer from Hong Kong, seconded to Interpol. I was invited to perform the function of digital crime officer under the cybercrime directorate of Interpol. My work station is the Interpol—

Let's try again.

My work station is the Interpol Global Complex for Innovation in Singapore. In fact, I am in Singapore right now.

The role of the cybercrime directorate is to provide operational support to member countries in the area of cybercrime investigations. The main functions of the cybercrime directorate include assisting member countries in coordinating and facilitating investigations into transnational crime and focusing on pure cybercrime—botnets, malware, and high-end cybercrime enablers, such as bulletproof hosting services, professional remittance services, or DDoS.

I understand that we are here to discuss the anti-spam legislation. Please be aware that from the perspective of the cybercrime directorate of Interpol, we do not focus much on anti-spam activities. Instead, we focus on criminal investigation. However, I can provide details in the context of cybercrime, since a lot of cybercrime originates from spam emails.

Among these, one of the most typical examples is the business email compromise, the BEC fraud. Email fraud spamming is one form of normal commercial spamming activity. Of note is that we are not talking about normal and commercial spam emails, which only contain commercial messages and do not contain any attachment or malware. Most BEC fraud, which we sometimes call the “CEO fraud”, starts with spam emails.

Before going further into these emails, we need to understand the modus operandi of such crime. For most situations, the CEO, or any high official of the company, receives spam emails with a malicious attachment. If someone executes such an attachment from the spam email, it allows their computer to be compromised. The culprit, after being able to access the email account of the CEO, through reading the emails studies the operation of the company, the way the company spends money, and even the style of email writing of that CEO. The culprit will then choose optimum timing—for example, during the vacation of the CEO—to send fraudulent emails on behalf of the CEO to order payment to specific bank accounts.

This modus operandi that I mentioned was further confirmed from the BEC cases provided by member countries who asked for assistance from Interpol. It can also be confirmed from a proactive investigation that Interpol participated in. In 2016, with the assistance of experts from external companies, we carried out reverse engineering on some malware samples that we found on common spam emails. We found that the attachment of the spam email, after being executed, would equip the function of capturing the email log-in credentials from the victims. With detailed analysis of the behaviour of the malware, we were able to dig out some of the clues that led to the identification of the suspect who controlled the malware. Eventually, we were able to fully identify the suspect through open-source investigation. The same information was passed to the law enforcement agency in the country where the suspect was situated. At last, in June of 2016, the suspect was arrested.

After the arrest, our unit was further asked to assist in the examination of the notebook computer seized from the suspect. The sending of spam emails in order to phish for compromised email accounts from victims was further confirmed. Evidence suggested that the suspect downloaded millions of email addresses and used specific software to send out bulk junk emails in an automated manner. The content of the email was very simple:

Good day,

Final invoice copy attached.

Best regards,

xxx

A file named “invoice” was attached to the email. We carried out further analyses on this attachment file and confirmed that it was malware. It had the capability to steal email credentials from victims.

After stealing email log-in credentials, the suspect logged in to victims' computers and their email accounts and breached their email. There was evidence that suggested the suspect logged in to some of the accounts over 200 times within a few months, and hundreds of emails were compromised.

There was also evidence to suggest that the suspect modified invoices that he very likely obtained from the compromised email accounts. In his computer, he amended the bank account details of the original document, with a view to deceiving the financial staff into depositing money into malicious accounts.

Interpol did not collect crime figures from member countries, and I'm afraid that I cannot give you detailed quantitative statistics. However, Interpol got feedback from member countries that the issue of BEC has been one of the types of crime of most concern recently.

Interpol has organized two international conferences recently, one in Spain in June and one in France in October, both concerning BEC fraud. A total of 60 participants from 30 countries participated in the meetings and raised concerns about BEC.

That's all.

Thank you, Mr. Chairman. Bonjour and good morning.

My name is Chris Lewis. I'm the chief scientist at Spamhaus Technology, which is part of Spamhaus, one of the largest and most well-respected sources of Internet threat intelligence in the world. While most of you may not have heard of us, more than half of the Internet is using our data in one way or another, whether it's branded as Spamhaus or not.

Unlike most of the people speaking to you on the subject of Canadian spam, I work deep inside the technology itself. To me, this is a 24-7 effort, and with the technology we use, I am seeing on the order of 750 million to a billion email spams a day through systems I administer to try to analyze what's going on and come up with solutions to stop it.

I worked in Ottawa first as senior security architect for Bell Northern Research, which later of course became Nortel, from 1991 through to 2012. I've been working on spam in one way or another since about 1993. By the time the 1997-1998 time frame rolled around, it became obvious that email was the battlefront that needed to be saved for the Internet to prosper and email to continue.

Since that time, I have focused primarily on spam, malware, and botnets, as opposed to the deliberate sending of email that did not have permission, but specifically on the technical side of stopping some of this. In 2003, I developed a new technology that greatly increased the effectiveness of our filtering at Nortel, which required vast amounts of data from all over the Internet. I would analyze this data coming in from partners and people who contributed this data, turn it around, and give it back to the Internet for free. That's how that continued for many years. Then late in 2012, Nortel downsized to the point where they no longer needed me to run a mail server for 50 people, and so I transferred to Spamhaus the next day.

I am one of the founding members of the Coalition Against Unsolicited Commercial Email, CAUCE. I have been invited to speak at the Federal Trade Commission spam panel; advised on the U.S. CAN-SPAM Act, am a founding member of the NCFTA- FBI Project SLAM-Spam; won an award from the FBI for my efforts in helping secure U.S. government networks; was invited to be a senior technical adviser for the Messaging, Malware and Mobile Anti-Abuse Working Group, or M3AAWG; belong to many technical working groups targeting specific spam and malware; have trained and assisted with many law enforcement regulatory groups around the world, including the CRTC and organizations in the Netherlands, Australia, the United States, and many other countries; and am a member of the London Action Plan, which is now called UCENet. Don't ask me what that means, because I've forgotten.

Currently Spamhaus is supplying to Public Safety's CCIRC, free of charge, a very large dataset of spam attacking Canadian email addresses, which they use for a number of purposes, including prosecutions through the RCMP and the CRTC. They're also using it as a way of alerting Canadians to infections of their systems, and they periodically give out reports telling providers, and in some cases individuals, that they have been infected with something and how to resolve it.

I'm speaking here primarily on spam, though other forms of online abuse are just as big, if not bigger, and more dire. The malware fraud and phishing scenario, as has already been somewhat alluded to before, is as big a problem, and they're all getting worse.

Of particular interest here is that much of my time as an adviser to M3AAWG was spent with the email sender community—with Inbox Marketing, and so on—helping to come up with best current practices on how to manage subscriber lists, when you have permission and when you do not, and I was heavily involved in drafting part of the M3AAWG sender best common practices, BCPs, which are still being updated and published. The BCPs are considered to be one of the industry's most important set of guidelines that most of the large sender community is already complying with. In fact, a sender organization can't be a member of M3AAWG unless they comply with it.

It raises the question that if most of the industry is complying with the M3AAWG BCPs—which to a very real extent are mapped directly on CASL, with the very same principles and the very same things—why is there such a concern about compliance?

I'm going to go on to some specific facts and details from the last few years.

We operate email sensors that monitor, in one sense or another, billions of emails per day via arrangements with providers. We also run our own infrastructure to receive email that is being sent to people who no longer exist on the Internet. A particularly good example is some email addresses that were at Nortel many years ago. Public Safety's CCIRC now owns those domains, and they have asked us to operate them as if there were still a user base there. We can see what spam comes out, see where it's coming from, identify correlations, and publish information to our customers—in many cases for free—on how providers and so on can protect their users from this stuff.

Over the past seven years, there was a peak in 2011 of 10 billion spams per month, with peaks to 750 million per day on our own servers. This was not the big cloud of contributed data, but the stuff we run ourselves. Most of this was the Rustock botnet, which was infamous for high volume, with fake pills and fake brand name watches. The latter is just fraud, but the first one is dangerous, because many of these pills were analyzed by people we know in the industry and found to contain, literally, street sweepings and so on. Whatever they could squeeze together and dye blue, they would sell.

For a few years after that, the volume averaged around three billion spams per month, because the Rustock botnet was taken down by efforts from a number of organizations on the Internet, as well as the FBI. Over the past year, the volume has climbed almost all the way back up to 10 billion per month. Instead of fake pills and watches, it's ransomware from the Necurs botnet and Russian dating spam. Also from the Necurs botnet, which is even more disturbing, is the ransomware we hear about on the news, the type that encrypt hospitals' entire datasets so that they cannot get them back or have to spend an enormous amount of money to get them back.

Still, within those enormous volumes of that sort of dangerous material, there are very high volumes of affiliate spam advertising legitimate, semi-legitimate, and outright fraudulent companies and products from people who have no concept of privacy—those who hire hackers to steal and provide them with email addresses, phishing, and so on.

Industry leaders such as SenderBase Talos, which is actually part of Cisco, have long been sources of reliable, “on the wire”, real statistics, and they generally tend to agree with our numbers. We don't expect them to agree exactly, because everybody's spam sample is different—it is surprising how differently it can vary from one place to another—but the trends, spikes, and everything else, we coincide with exactly.

I've had the opportunity to monitor the volume of email and spam received by some of Nortel's old domains for almost 20 years. I built and ran the mail servers that handled them when they were in service and for the 18 years they have been defunct. As I mentioned earlier, those domains are now owned by CCIRC as a national threat resource, and they have requested that we operate those domains for them.

By 1997, Nortel decommissioned these domains and moved all users to the main email domain that Nortel was using at the time. In 1997, there were three million emails per month, of which 40% were spam; by 2001 there were four million, all of which were spam; by 2003 there were seven million spam messages, and by April 2016 there were 150 million. Today it is 350 million per month. This is a 350-fold increase over 20 years.

You're asking yourself, “Did my spam volume go up by that much?” No, it hasn't, but it is only because of efforts by your ISPs and organizations such as ours that it has lessened.

The volumes keep growing. Spammers game our systems, and it's very difficult to continue.

I'm being waved at, so I'm going to cut this a little short.

One of the issues with CASL is the private right of action. One of the things we want to be able to deal with is a situation of individuals getting very high volumes. An associate of mine had an email domain for himself and his wife, and one day it started receiving a million email spams a day. We don't know why. I have some suspicions, but we have no solid information as to why that happened. The volume was so high that he couldn't even run his own server anymore, because it was costing too much. PRA gives him a chance to deal with this.

To finalize, spam is not a technical problem but a human problem, and it has to be dealt with from both aspects.

I think from the efficiency standpoint, it has enabled marketers to look at their email community and take out any of the addresses that were unknown. As we were consulting with a lot of companies, we had to audit their database and inquire about where they got permission for all the records. For anybody they didn't have permission for or for whom they didn't know the source of the opt-in, we recommended that they take the conservative approach and just suppress.

What we found is that when CASL came into force, marketers and brands were forced to remove email addresses that were maybe not of good quality. In the email marketing space, some brands go for quantity over quality, and it forced marketers to drop their list sizes. Some list sizes went from a million records to 200,000 records, but those 200,000 records are now engaged, relevant people who want to be in the database. Now their email marketing programs are working a lot harder for them, so it's more efficient, because all of their practices are getting them a higher return on investment at this point.

It has been efficient in that way, and we agree that there have to be regulations on how we use email. There have to be restrictions on it. However, CASL has been way too onerous and costly for organizations, and it's too complex. A law like this shouldn't be that complex, and three years later we shouldn't have companies coming to us asking what the difference between “implied” and “express” is.

Informally, there have been some discussions. Naturally, for example, since I have been consulting directly with CRTC, they are evolving. What they are dealing with is evolving. They themselves are learning. There's a very steep learning curve in trying to deal with this, so they are getting better at it.

One of the things that struck me when I first saw the draft CASL back in 2012, I guess it was, was that it covered everything, and it was written in a way that it could be extended as necessary for the technology.

I do not think that the law itself is too narrow or too restrictive. It's more a matter of education and deciding when this particular area becomes a problem and where you allocate your resources.

No. Once CASL came into force, the task force wasn't actively involved. We've let the legislation ride and are waiting for the three-year post-opportunity.

I believe protection is built into the law about the private right of action. For example, there's the CRTC, the Privacy Commissioner, and the competition branch's ability to override an individual lawsuit. The laws in Canada are fundamentally different in this regard from the United States. Some of the abuses that we have seen in the States—and indeed they have been abuses—are not likely to be an issue here. It gives individuals a chance to deal with things that the CRTC, the Privacy Commissioner, and the competition branch may not be able to tackle because it doesn't meet the statutory requirements for the number of complaints or the number of people being attacked, and so on. The situation I was referring to in a nutshell was he could do something about it in law, but it would cost him $10,000 to get a lawyer to be interested.

We don't have many studies about this. I'm not sure I can share some of my experiences with you, but as I mentioned, we focused mainly on the criminal investigation. As I said, spamming is one of the major sources of a lot of cybercrime, especially BEC or the ransomware that we mentioned before.

Anti-spam legislation is still not being enforced in some countries, especially developing countries. I'm not able to comment on the Canadian legislation in a very professional manner. I have done a lot of assessment of different countries—for example, some of the developing countries—and anti-spamming legislation is not very common in that part of the world. I think it's a good move to have the implementation of anti-spam law, and I also support the consulting process that we are having here right now.