Evidence of meeting #82 for Industry, Science and Technology in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Louis Lau  Digital Crime Officer, Cybercrime Directorate, INTERPOL
Kim Arsenault  Senior Director, Client Services, Inbox Marketer
Chris Lewis  Chief Scientist, Spamhaus Technology Ltd.

11:55 a.m.

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

The law already has provisions for a lot of that material, for a lot of that sort of thing: if there's an innocent mistake, you write a letter and tell us you're not going to do that again. That's actually in the law.

It strikes me that it's fairly gentle in that sense, in that someone can avoid major penalties, or any penalty altogether, if they can establish they were operating reasonably well and were doing reasonable things, and they simply made a mistake. For example, there are the override provisions from private right of action across to CRTC and so on.

I think the law is pretty well done that way. It is reasonable. It's not, “You did this, and it will cost you this amount of change.” It's not done that way. From a background of—

11:55 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Fair enough. Moving on, in your experience in looking at old Nortel emails and all that, do you see a reduction of spamming originating in Canada? Do you look at it that way, if you follow me?

11:55 a.m.

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

We do. I'm specifically looking at botnets, but I do see what's going on elsewhere. There is considerably less of what you would call “white spam”, which is somebody making a mistake and sending out stuff they shouldn't have. We're seeing the criminal side. There is more grey. More black is predominating. We are still tracking down people who are running botnets with a Canadian affiliate, and that sort of thing. We're seeing a lot of that. We're tracking back all sorts of stuff to Canadians. We're tracking all sorts of stuff to Canadian hosting, which is where the CRTC has been doing really well in being able to go to a hoster—

11:55 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

You're seeing malicious ware, not necessarily originating in Canada but from a company that has affiliates in Canada. Is that what you're saying?

Noon

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

An example is advertising fake pills. These are being done by groups of people, many people, who when they send out their spam will have a link on it so that when someone follows that link to the illegal pill site, there's a cha-ching that gives the affiliate a penny. It's that sort of thing.

The other form is when I said hosting—

Noon

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

And that affiliate is a Canadian affiliate.

Noon

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

And that affiliate was Canadian.

Noon

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Is the CRTC, to your knowledge, taking any action against any of those things you're seeing?

Noon

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

They are. I don't know if any of them have gone all the way through yet, but they are looking at that.

The other thing they are working on, at a less than “in front of a judge” level, is dealing with Canadian hosting environments or hosting providers who provide web services to someone when, through one way or another, they take on part of a criminal spamming infrastructure, meaning that the website for pills is there, or a command and control point for malicious botnets—

Noon

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Is the way CASL is written, specifically for this type of malicious activity, strong enough? Does it need to be more enforced, or are there changes—

Noon

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

It's quite good. The CRTC needs more time and experience in dealing with them.

Noon

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

You're saying the law is good, but CRTC could do more to go after these people. Is that it?

Noon

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

Yes. It's a matter of experience and time and working away at it. Mr. Lau is not seeing it, but I'm seeing how the CRTC is interacting with international organizations, law enforcement, and regulatory bodies.

Noon

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

You're seeing that they do—

Noon

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

I'm seeing it. There's a lot more going on than we used to see.

Noon

Liberal

The Chair Liberal Dan Ruimy

Thank you very much. We're going to move on.

Mr. Bernier, you have five minutes.

Noon

Conservative

Maxime Bernier Conservative Beauce, QC

Thank you, Mr. Chair.

My first question would be to Ms. Arsenault.

Good morning, Ms. Arsenault.

The costs—it's all about the costs. You explained, in answer to the questions from my colleagues, about the costs for big business, but for a small or medium-sized business that wants to do good marketing, what would be their option to be in line with the legislation and respecting it? Do you have any clients that are small and medium-sized businesses? Do you know what they are doing to be in line with the legislation?

Noon

Senior Director, Client Services, Inbox Marketer

Kim Arsenault

Yes. We talk a lot about the level of risk that organizations are willing to take. A big financial institution with a big brand is going to have a very low level of risk, whereas a smaller organization might be willing to take a little more risk, so its policies and procedures may not be as tight as those of a big corporate brand. We see that a lot of them are following typical industry best practices. Even though they might not be able to do everything as a strict reading of what the law says, they feel comfortable enough if they are following legitimate industry email best practices—sending to people who have expressed interest in receiving email from them, sending relevant content, and suppressing unsubscribes. Then it's a little easier for them to take advantage of the email marketing initiative. For them, the costs are not going to be as high.

Again, with a big brand, they have to have the technology so that if they are called upon, they can actually prove exactly what version of any email has gone out.

Let me give you an example. Some of the large organizations want to send a million different variations of an email. They're beyond the “batch and blast”, in which everybody gets the same message. Some of these big companies are trying to figure out how they are going to set up their system so that if they are called upon, they can prove the exact variation of any email that any customer was given on any day. That's difficult to do. The smaller organizations aren't that sophisticated.

Noon

Conservative

Maxime Bernier Conservative Beauce, QC

You are asking for more clarity in the guidelines from the CRTC and the government.

Noon

Senior Director, Client Services, Inbox Marketer

Kim Arsenault

Absolutely.

Noon

Conservative

Maxime Bernier Conservative Beauce, QC

Okay.

Mr. Lewis, you are offering your services to big government organizations, but my understanding is that the public cannot have access to your software. Could you explain the process for a small business, if they want to be as secure as the government organizations? How are they going to be able to have access to the kind of technology you are offering to the government?

12:05 p.m.

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

Spamhaus offers its threat intelligence data to individuals and small organizations for free. It always has. We are all believers in doing that. However, when we get into a big organization, we figure that we are saving them millions of dollars and making their customers happier. It costs us money to run our organization and to buy equipment, so they need to pay for it. All the small guys get it for free, though.

All the country-based incident response teams get our data for free so they can help secure their countries. CCIRC gets our data for free. CRTC gets some of our data for free. We are doing a lot of that. Not very many other companies do that; some do.

In terms of small companies trying to protect themselves, they can use our data as we suggest. They can go with other organizations that have similar data or with software techniques. We tend not to require the user to buy software. They are buying the information and they are using the software they already have to use it, but there are other solutions that do a much better job.

12:05 p.m.

Conservative

Maxime Bernier Conservative Beauce, QC

Do you think that in the private sector there are a lot of corporations that can offer these services to the small and medium-sized businesses?

12:05 p.m.

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

Yes. In fact—as she was referring to with the question about how small organizations do their marketing and whether they are going to worry about trying to do it themselves—there is a burgeoning market of companies that are specifically intended to run mail and marketing campaigns for small companies. Some of them are free, or virtually free. You can use their machinery, their software, and their stuff, and for very small amounts of money you can be pretty sure that you are very close to being fully in compliance with CASL.

12:05 p.m.

Conservative

Maxime Bernier Conservative Beauce, QC

Thank you.