Industry Committee on Nov. 7th, 2017

Thank you, Mr. Chairman and fellow members. Thanks for inviting me to this statutory review of Canada's anti-spam legislation.

I am Louis Lau, police officer from Hong Kong, seconded to Interpol. I was invited to perform the function of digital crime officer under the cybercrime directorate of Interpol. My work station is the Interpol—

Let's try again.

My work station is the Interpol Global Complex for Innovation in Singapore. In fact, I am in Singapore right now.

The role of the cybercrime directorate is to provide operational support to member countries in the area of cybercrime investigations. The main functions of the cybercrime directorate include assisting member countries in coordinating and facilitating investigations into transnational crime and focusing on pure cybercrime—botnets, malware, and high-end cybercrime enablers, such as bulletproof hosting services, professional remittance services, or DDoS.

I understand that we are here to discuss the anti-spam legislation. Please be aware that from the perspective of the cybercrime directorate of Interpol, we do not focus much on anti-spam activities. Instead, we focus on criminal investigation. However, I can provide details in the context of cybercrime, since a lot of cybercrime originates from spam emails.

Among these, one of the most typical examples is the business email compromise, the BEC fraud. Email fraud spamming is one form of normal commercial spamming activity. Of note is that we are not talking about normal and commercial spam emails, which only contain commercial messages and do not contain any attachment or malware. Most BEC fraud, which we sometimes call the “CEO fraud”, starts with spam emails.

Before going further into these emails, we need to understand the modus operandi of such crime. For most situations, the CEO, or any high official of the company, receives spam emails with a malicious attachment. If someone executes such an attachment from the spam email, it allows their computer to be compromised. The culprit, after being able to access the email account of the CEO, through reading the emails studies the operation of the company, the way the company spends money, and even the style of email writing of that CEO. The culprit will then choose optimum timing—for example, during the vacation of the CEO—to send fraudulent emails on behalf of the CEO to order payment to specific bank accounts.

This modus operandi that I mentioned was further confirmed from the BEC cases provided by member countries who asked for assistance from Interpol. It can also be confirmed from a proactive investigation that Interpol participated in. In 2016, with the assistance of experts from external companies, we carried out reverse engineering on some malware samples that we found on common spam emails. We found that the attachment of the spam email, after being executed, would equip the function of capturing the email log-in credentials from the victims. With detailed analysis of the behaviour of the malware, we were able to dig out some of the clues that led to the identification of the suspect who controlled the malware. Eventually, we were able to fully identify the suspect through open-source investigation. The same information was passed to the law enforcement agency in the country where the suspect was situated. At last, in June of 2016, the suspect was arrested.

After the arrest, our unit was further asked to assist in the examination of the notebook computer seized from the suspect. The sending of spam emails in order to phish for compromised email accounts from victims was further confirmed. Evidence suggested that the suspect downloaded millions of email addresses and used specific software to send out bulk junk emails in an automated manner. The content of the email was very simple:

Good day,

Final invoice copy attached.

Best regards,

xxx

A file named “invoice” was attached to the email. We carried out further analyses on this attachment file and confirmed that it was malware. It had the capability to steal email credentials from victims.

After stealing email log-in credentials, the suspect logged in to victims' computers and their email accounts and breached their email. There was evidence that suggested the suspect logged in to some of the accounts over 200 times within a few months, and hundreds of emails were compromised.

There was also evidence to suggest that the suspect modified invoices that he very likely obtained from the compromised email accounts. In his computer, he amended the bank account details of the original document, with a view to deceiving the financial staff into depositing money into malicious accounts.

Interpol did not collect crime figures from member countries, and I'm afraid that I cannot give you detailed quantitative statistics. However, Interpol got feedback from member countries that the issue of BEC has been one of the types of crime of most concern recently.

Interpol has organized two international conferences recently, one in Spain in June and one in France in October, both concerning BEC fraud. A total of 60 participants from 30 countries participated in the meetings and raised concerns about BEC.

That's all.

Thank you, Mr. Chair and committee, for the opportunity to be here today. My name is Kim Arsenault. I'm senior director of client services at Inbox Marketer.

We are a data-driven email marketing services and technology solutions company, and we've been leaders in the email marketing space for over 15 years, servicing clients across North America and into Europe. We've been at the forefront of CASL for over eight years, working closely with the Canadian Marketing Association as part of the 2005 federal task force on spam as well as with Industry Canada to help educate companies on what it means to be CASL compliant.

The good news is that three years post-CASL, the clickstream data that we have reviewed from a cross-section of our clients compared to one year pre-CASL indicate that email metrics have improved overall in terms of engagement rates, bounce rates, unsubscribe rates, and deliverability into the inbox. This is largely due to senders adopting better list hygiene practices that have resulted in better-quality email lists and less sending to unsolicited or invalid email addresses.

In our opinion, since the implementation of CASL in 2014, Canadian email marketers have become more disciplined in their email operations, and legitimate marketers in Canada have taken CASL very seriously. Responsible marketers have adapted by being more diligent. We have seen them create task forces and appoint individuals to actively manage CASL compliance through regular spot checks, technology integrations, and organizational training.

With that said, we do have a few concerns we want to bring forth to the committee today.

The first is the economic burden that CASL compliance is placing on many Canadian businesses. It is costing them anywhere from tens of thousands of dollars to millions of dollars, depending on the size of the organization, to properly be able to update their processes and technologies to be CASL-compliant. These are just process and technology costs. You also have to factor in the resource costs of continually training and educating staff on corporate compliance.

A related concern is that even when businesses have implemented corporate compliance programs and updated their processes and technology, it's still very unclear what exactly is required in terms of record-keeping, which is very problematic for organizations that are attempting to comply with the law. The CRTC has issued general guidance with respect to compliance, but has also repeatedly stated that companies are free to interpret how to apply effective record-keeping to their situation.

The fact is that companies are having to invest a lot of money and resources into setting up their systems and processes based on their interpretation and educated assumptions, only to risk finding out that these may not be acceptable in the event of a CASL challenge. It would be very helpful if the government could provide clear guidance and specific examples on exactly what type of record-keeping practices would be acceptable in order to provide assurance to organizations that the time and resources they are expending are bringing them into full compliance with the law.

Second, we are still seeing that many organizations do not view CASL as a straightforward or intuitive piece of legislation. It's confusing for many companies, and for those who are not deeply familiar with it, it becomes a nebulous beast to try not only to understand it but also to consistently train their employees on what they think is correct.

Three years later, we are still consulting companies that are seeking clarification on what the difference is between implied and express consent. Due to the ambiguity and lack of clarity and guidance that has come from the government, we have seen some organizations eliminating the email channel as of way of communicating with their customers and prospects. We've heard from various financial and insurance companies, for example, that before CASL, they had sales teams and advisor teams that were using the email channel as a way of communicating offers and valuable content to their existing customers. With CASL fully in force, the fear and anxiety experienced by some organizations because of the lack of clarity and inaccurate information out there has inevitably caused them to eliminate email as a communications channel.

The email channel, for many years, has proven to give a 40:1 return on investment. Numerous studies continue to show that consumers prefer the email channel as a way for brands to communicate with them, so when a large organization eliminates the email channel for fear of not being compliant, it can have a very large impact on an organization.

Our third concern is that the regulators took years to write the CASL legislation. It started in 2004, and as we all know, it came into force in 2014. Technology moves at a very different pace. Marketing, for example, has changed more in the past five years than it has in the past 50 years, and the next five years are unpredictable in terms of how fast technology and digital media are going to evolve. We cannot have Canadian businesses in today's day and age relying more on vehicles like the phone, which are more expensive and less efficient than email and social media, because they're too afraid of what might happen when they use email. That's exactly the scenario that some Canadian businesses are in today.

CASL's objective is to promote the efficiency and adaptability of the Canadian economy. Having organizations eliminate the email channel or deciding not to market into Canada is not supporting this objective.

Many ask what the regulators are doing to keep up with the pace of technology and social media. The guidelines around how CASL applies to social media are extremely vague, yet social media are evolving rapidly. For example, more than half of the world's population is now online, which includes 2.7 billion active social media users. The fact is that digital and social marketing are a central part of a brand's tool kit today.

I have some further recommendations to be considered. The regulators need to allocate time and resources to keep their website updated and provide a lot more clarity on the issues that follow.

First, what constitutes a CEM, a commercial electronic message? This is not clear for many. This could be a newsletter, for example, where the content is focused around the credibility and knowledge of the organization. If the logo in the top left-hand corner links to their website, which then promotes commercial activity, does that make the newsletter commercial? It's unclear. Additionally, the fact that purely transactional-type emails are being considered a CEM under subsection 6(6) is extremely confusing, difficult to implement, and unnecessary. The recommendation is to remove subsection 6(6) entirely from the act.

Second, the regulators should provide more clarity on what is and is not allowed on social media so businesses can properly leverage those channels as part of their tool kit.

Third, the regulators should provide full transparency on what is required for proper record-keeping. Organizations should have comfort in knowing if their $4-million solution is going to be one that the CRTC will accept.

Last, the regulators should remove the confusion and requirement around six-month versus two-year implied consent. They should clearly define what express versus implied is and remove the time frame of six months and two years. It's a big challenge for many companies, both small and large, to properly maintain this level of detail that can be constantly changing and updating. Not all technology solutions out there are equipped to properly document this.

If you think of a large enterprise company that has multiple lines of business—multiple customer relationship management systems, multiple CRM systems—and they all have a business need to communicate with their customers, many of these customers are going to cross over the various lines of business. To expect that all messages are going to be managed and controlled in one central spot is not realistic for many organizations today.

It is also very confusing for many organizations regarding what scenarios allow for six-month versus two years implied, so what we've seen is that some organizations only allow express consent to communicate. The impact of this is that organizations are losing out on opportunities to grow their business because they don't fully understand how to rely on implied consent. There's too much fear, risk, and uncertainty for them.

Thank you again, Mr. Chairman and the committee, to have the opportunity today to share with you some of the impacts CASL legislation has had on Canadians and Canadian businesses.

Thank you, Mr. Chairman. Bonjour and good morning.

My name is Chris Lewis. I'm the chief scientist at Spamhaus Technology, which is part of Spamhaus, one of the largest and most well-respected sources of Internet threat intelligence in the world. While most of you may not have heard of us, more than half of the Internet is using our data in one way or another, whether it's branded as Spamhaus or not.

Unlike most of the people speaking to you on the subject of Canadian spam, I work deep inside the technology itself. To me, this is a 24-7 effort, and with the technology we use, I am seeing on the order of 750 million to a billion email spams a day through systems I administer to try to analyze what's going on and come up with solutions to stop it.

I worked in Ottawa first as senior security architect for Bell Northern Research, which later of course became Nortel, from 1991 through to 2012. I've been working on spam in one way or another since about 1993. By the time the 1997-1998 time frame rolled around, it became obvious that email was the battlefront that needed to be saved for the Internet to prosper and email to continue.

Since that time, I have focused primarily on spam, malware, and botnets, as opposed to the deliberate sending of email that did not have permission, but specifically on the technical side of stopping some of this. In 2003, I developed a new technology that greatly increased the effectiveness of our filtering at Nortel, which required vast amounts of data from all over the Internet. I would analyze this data coming in from partners and people who contributed this data, turn it around, and give it back to the Internet for free. That's how that continued for many years. Then late in 2012, Nortel downsized to the point where they no longer needed me to run a mail server for 50 people, and so I transferred to Spamhaus the next day.

I am one of the founding members of the Coalition Against Unsolicited Commercial Email, CAUCE. I have been invited to speak at the Federal Trade Commission spam panel; advised on the U.S. CAN-SPAM Act, am a founding member of the NCFTA- FBI Project SLAM-Spam; won an award from the FBI for my efforts in helping secure U.S. government networks; was invited to be a senior technical adviser for the Messaging, Malware and Mobile Anti-Abuse Working Group, or M3AAWG; belong to many technical working groups targeting specific spam and malware; have trained and assisted with many law enforcement regulatory groups around the world, including the CRTC and organizations in the Netherlands, Australia, the United States, and many other countries; and am a member of the London Action Plan, which is now called UCENet. Don't ask me what that means, because I've forgotten.

Currently Spamhaus is supplying to Public Safety's CCIRC, free of charge, a very large dataset of spam attacking Canadian email addresses, which they use for a number of purposes, including prosecutions through the RCMP and the CRTC. They're also using it as a way of alerting Canadians to infections of their systems, and they periodically give out reports telling providers, and in some cases individuals, that they have been infected with something and how to resolve it.

I'm speaking here primarily on spam, though other forms of online abuse are just as big, if not bigger, and more dire. The malware fraud and phishing scenario, as has already been somewhat alluded to before, is as big a problem, and they're all getting worse.

Of particular interest here is that much of my time as an adviser to M3AAWG was spent with the email sender community—with Inbox Marketing, and so on—helping to come up with best current practices on how to manage subscriber lists, when you have permission and when you do not, and I was heavily involved in drafting part of the M3AAWG sender best common practices, BCPs, which are still being updated and published. The BCPs are considered to be one of the industry's most important set of guidelines that most of the large sender community is already complying with. In fact, a sender organization can't be a member of M3AAWG unless they comply with it.

It raises the question that if most of the industry is complying with the M3AAWG BCPs—which to a very real extent are mapped directly on CASL, with the very same principles and the very same things—why is there such a concern about compliance?

I'm going to go on to some specific facts and details from the last few years.

We operate email sensors that monitor, in one sense or another, billions of emails per day via arrangements with providers. We also run our own infrastructure to receive email that is being sent to people who no longer exist on the Internet. A particularly good example is some email addresses that were at Nortel many years ago. Public Safety's CCIRC now owns those domains, and they have asked us to operate them as if there were still a user base there. We can see what spam comes out, see where it's coming from, identify correlations, and publish information to our customers—in many cases for free—on how providers and so on can protect their users from this stuff.

Over the past seven years, there was a peak in 2011 of 10 billion spams per month, with peaks to 750 million per day on our own servers. This was not the big cloud of contributed data, but the stuff we run ourselves. Most of this was the Rustock botnet, which was infamous for high volume, with fake pills and fake brand name watches. The latter is just fraud, but the first one is dangerous, because many of these pills were analyzed by people we know in the industry and found to contain, literally, street sweepings and so on. Whatever they could squeeze together and dye blue, they would sell.

For a few years after that, the volume averaged around three billion spams per month, because the Rustock botnet was taken down by efforts from a number of organizations on the Internet, as well as the FBI. Over the past year, the volume has climbed almost all the way back up to 10 billion per month. Instead of fake pills and watches, it's ransomware from the Necurs botnet and Russian dating spam. Also from the Necurs botnet, which is even more disturbing, is the ransomware we hear about on the news, the type that encrypt hospitals' entire datasets so that they cannot get them back or have to spend an enormous amount of money to get them back.

Still, within those enormous volumes of that sort of dangerous material, there are very high volumes of affiliate spam advertising legitimate, semi-legitimate, and outright fraudulent companies and products from people who have no concept of privacy—those who hire hackers to steal and provide them with email addresses, phishing, and so on.

Industry leaders such as SenderBase Talos, which is actually part of Cisco, have long been sources of reliable, “on the wire”, real statistics, and they generally tend to agree with our numbers. We don't expect them to agree exactly, because everybody's spam sample is different—it is surprising how differently it can vary from one place to another—but the trends, spikes, and everything else, we coincide with exactly.

I've had the opportunity to monitor the volume of email and spam received by some of Nortel's old domains for almost 20 years. I built and ran the mail servers that handled them when they were in service and for the 18 years they have been defunct. As I mentioned earlier, those domains are now owned by CCIRC as a national threat resource, and they have requested that we operate those domains for them.

By 1997, Nortel decommissioned these domains and moved all users to the main email domain that Nortel was using at the time. In 1997, there were three million emails per month, of which 40% were spam; by 2001 there were four million, all of which were spam; by 2003 there were seven million spam messages, and by April 2016 there were 150 million. Today it is 350 million per month. This is a 350-fold increase over 20 years.

You're asking yourself, “Did my spam volume go up by that much?” No, it hasn't, but it is only because of efforts by your ISPs and organizations such as ours that it has lessened.

The volumes keep growing. Spammers game our systems, and it's very difficult to continue.

I'm being waved at, so I'm going to cut this a little short.

One of the issues with CASL is the private right of action. One of the things we want to be able to deal with is a situation of individuals getting very high volumes. An associate of mine had an email domain for himself and his wife, and one day it started receiving a million email spams a day. We don't know why. I have some suspicions, but we have no solid information as to why that happened. The volume was so high that he couldn't even run his own server anymore, because it was costing too much. PRA gives him a chance to deal with this.

To finalize, spam is not a technical problem but a human problem, and it has to be dealt with from both aspects.

Informally, there have been some discussions. Naturally, for example, since I have been consulting directly with CRTC, they are evolving. What they are dealing with is evolving. They themselves are learning. There's a very steep learning curve in trying to deal with this, so they are getting better at it.

One of the things that struck me when I first saw the draft CASL back in 2012, I guess it was, was that it covered everything, and it was written in a way that it could be extended as necessary for the technology.

I do not think that the law itself is too narrow or too restrictive. It's more a matter of education and deciding when this particular area becomes a problem and where you allocate your resources.

No. Once CASL came into force, the task force wasn't actively involved. We've let the legislation ride and are waiting for the three-year post-opportunity.

I believe protection is built into the law about the private right of action. For example, there's the CRTC, the Privacy Commissioner, and the competition branch's ability to override an individual lawsuit. The laws in Canada are fundamentally different in this regard from the United States. Some of the abuses that we have seen in the States—and indeed they have been abuses—are not likely to be an issue here. It gives individuals a chance to deal with things that the CRTC, the Privacy Commissioner, and the competition branch may not be able to tackle because it doesn't meet the statutory requirements for the number of complaints or the number of people being attacked, and so on. The situation I was referring to in a nutshell was he could do something about it in law, but it would cost him $10,000 to get a lawyer to be interested.

We don't have many studies about this. I'm not sure I can share some of my experiences with you, but as I mentioned, we focused mainly on the criminal investigation. As I said, spamming is one of the major sources of a lot of cybercrime, especially BEC or the ransomware that we mentioned before.

Anti-spam legislation is still not being enforced in some countries, especially developing countries. I'm not able to comment on the Canadian legislation in a very professional manner. I have done a lot of assessment of different countries—for example, some of the developing countries—and anti-spamming legislation is not very common in that part of the world. I think it's a good move to have the implementation of anti-spam law, and I also support the consulting process that we are having here right now.