Evidence of meeting #82 for Industry, Science and Technology in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Louis Lau  Digital Crime Officer, Cybercrime Directorate, INTERPOL
Kim Arsenault  Senior Director, Client Services, Inbox Marketer
Chris Lewis  Chief Scientist, Spamhaus Technology Ltd.

11:40 a.m.

Conservative

Jim Eglinski Conservative Yellowhead, AB

Okay. Thank you.

Have you and Interpol worked with any cases in Canada or with any of our agencies, say the CRTC?

11:40 a.m.

Digital Crime Officer, Cybercrime Directorate, INTERPOL

Louis Lau

Our main concern is cybercrime, the actual crime that arises from spamming, and we have organized a number of international conferences to address this issue.

In the conference we held in Madrid, in June, Canada was one of the countries that expressed a concern about business emails being compromised. We sat together and discussed how we could deal with this situation. That is all the involvement we had with Canada.

We know Canada is keen to work further with Interpol and with other countries to tackle the problem of businesses being compromised. We are now working on a number of follow-up operations.

11:40 a.m.

Conservative

Jim Eglinski Conservative Yellowhead, AB

Mr. Lewis, you told us your background. It's quite impressive, and you have been involved in the industry for a long time.

Since this legislation came out in 2012, do you think it has hindered industry and businesses, or do you think it has helped them? Do you think it is complicated? We've heard from some witnesses that it's complicated and costly. I'd like to know your opinion.

11:40 a.m.

Chief Scientist, Spamhaus Technology Ltd.

Chris Lewis

I was part of the FASTF deliberations back in 2005-2006. I consulted when they brought it in, and I have watched industry follow it. It has surprised me that some of the companies seem to be going a little overboard with compliance.

I have to think that various people are making more of it than they need to, perhaps because it's legislation rather than best practices. I don't see this as being any different from basic industry practices. We can see that the EU has regulations almost as strong as ours, as does Australia, and the European ones are about to get a lot stricter. We have to consider where things are going elsewhere. It has always struck me that people have gone overboard.

Currently, when I give my email address to a Canadian entity, I know it's not going to get sold. This has changed. It used to be that they just spread it all over the place, and there was no way of controlling it. It is much better now than it used to be.

11:40 a.m.

Conservative

Jim Eglinski Conservative Yellowhead, AB

Ms. Arsenault, we had a witness a couple of meetings back who gave us a cost breakdown. You also gave us a cost breakdown, which was pretty loose—$10,000 to millions of dollars. That's not what we heard before. I wonder how you justify those amounts, because we were told that in some smaller companies it was $600 to start up with the advice and information and then $200 to $300 a year to continue it and check it out. Could you clarify what you said earlier?

11:45 a.m.

Senior Director, Client Services, Inbox Marketer

Kim Arsenault

Yes, I can. We work with a lot of financial and insurance companies and some big global brands. A big financial institution might have upwards of 40 different CRM databases, and the law states that you have to track down to the individual every single communication they receive and what they subscribe to and unsubscribe from. If you have upwards of 40 CRM databases across a global company, that does not cost $1,000 to integrate.

Companies we have advised and spoken to have told us they have had to invest over $5 million in technology to update their systems so that they can track the level of permission that CASL has asked for—implied versus express, six months versus two years. Then, of course, smaller organizations have smaller databases. They don't have as many CRM databases, so the cost to them is a lot less.

There is also the cost to train employees and the cost of the time this takes. A lot of clients and brands have had to seek legal counsel because they're not confident in their interpretation of the law, and it's costly to seek legal advice.

11:45 a.m.

Conservative

Jim Eglinski Conservative Yellowhead, AB

It grows as the cost of business is growing, as a firm grows.

I think I'm almost out of time.

11:45 a.m.

Liberal

The Chair Liberal Dan Ruimy

You're over time and in the penalty box.

11:45 a.m.

Voices

Oh, oh!

11:45 a.m.

Liberal

The Chair Liberal Dan Ruimy

We're going to move to Mr. Masse, who I believe will be submitting a notice of motion.

Go ahead, please.

11:45 a.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you, Mr. Chair.

It's a simple notice of motion to allow this committee to participate in a process. I'll just read it, and I understand that it will be for future business.

Since there have been new and recent revelations of massive tax evasion in Canada through several media reports and since there is a government bill currently in the Senate that offers an opportunity to immediately implement specific measures that would improve Canada's ability to address tax evasion and money laundering, the motion to the industry committee is:

That the House of Commons Committee on Industry, Science and Technology develop amendments to be referred to the appropriate Senate committee through correspondence that will review Bill C-25, An Act to amend the Canada Business Corporations Act, the Canada Cooperatives Act, the Canada Not-for-profit Corporations Act, and the Competition Act, that would address issues of fiscal transparency in Canada, including tax policy, beneficial ownership, and banking regulations.

Essentially, this is for future business. It could be a letter that this committee sends to the Senate, for example.

Thank you, Mr. Chair. I'll go to questions when appropriate.

11:45 a.m.

Liberal

The Chair Liberal Dan Ruimy

Go ahead.

11:45 a.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you, Mr. Chair.

Mr. Lau, one of the things we're studying with CASL here is—and I come at this from the perspective that especially when it comes to your own personal devices, be it your mobile phone or your computer, you pay for the service and the physical device, and you take your own time to administer that—that sending unsolicited email and information to someone is a privilege and not a right somebody should have, given that it involves a cost to someone else.

I'm concerned about the additional cost of spam to people's personal privacy and security.

In your business, do you see that heightened? Is there a greater threat, through spam, of undermining people's personal privacy or of invading financial records or other things? I'm worried about the continued exposure for consumers and Canadians and those in the rest of the world to illegal activity through spamming.

11:45 a.m.

Digital Crime Officer, Cybercrime Directorate, INTERPOL

Louis Lau

Let me clarify a bit. Are you concerned about the effect or about the ability of the spamming emails to cost individuals?

11:45 a.m.

NDP

Brian Masse NDP Windsor West, ON

Is the threat getting more complicated and worse to deal with in terms of stuff that comes through spam that could compromise your privacy and your personal information?

11:50 a.m.

Digital Crime Officer, Cybercrime Directorate, INTERPOL

Louis Lau

I think first of all we need to distinguish between two kinds of spamming emails. Some spamming emails focus only on business information, and some spamming emails have documents or files attached to them. We are basically focusing on those spamming emails with attachments. There are a lot of different forms of attachments that can be sent through the emails.

As we mentioned before, some of the emails contained the software called malware, and in my situation, which I explained before, we have evidence regarding the suspect who conducted the business email compromise. The malware he sent was capable of obtaining the log-in credentials of the email accounts. For example, if you accidentally click on that particular email with that attachment, the log-in credentials of your email account would be leaked to the suspect. Then the suspect was able to look into your email account, which you wouldn't notice. He kept on monitoring your email account for a long period of time so that he could find the optimum time for impersonating you and for sending emails to some people from the finance department in order to get some monetary reward. This is only one of them.

We also have some situations involving ransomware. It is also commonly sent through spamming emails. If you execute those files, some of the files in your computer would be encrypted so you would have to decrypt them on your own. You would either have to pay for the decryption tools or use your own means to get the decryption tools. Otherwise, the files will be encrypted permanently. In this respect, Interpol is trying to help victims to get some of the decryption tools.

These are two common activities.

11:50 a.m.

NDP

Brian Masse NDP Windsor West, ON

We have a choice right now. We're reviewing legislation. We can sharpen the legislation, we can keep the status quo, or we can loosen it, which I guess would allow more potential for spam. I'm just trying to boil this down to simple basics.

Right now, if we actually loosen the law.... Do you think the exposure to consumers and people and their privacy on issues like ransomware has grown in the last couple of years? This bill is really three years old, but by the time we actually gazetted it.... It's only been in operation for a couple of years. Has the threat to Canadians and their privacy lessened in the last number of years? If we decide to loosen the rules on it, is that threat essentially going to lessen in the years to come, or is it going to increase?

I know you can't predict the future, but in your professional opinion, what do you think is going to take place?

11:50 a.m.

Digital Crime Officer, Cybercrime Directorate, INTERPOL

Louis Lau

I would suggest that we can look at this matter at two different levels. First of all, there are the messages sent from people in the business sectors. They don't have malicious intent when sending out those emails. Maybe those are for a commercial purpose, but they're just abusing the system. This is one form of it.

What we are talking about here are the people who obviously have a malicious intent when sending out those emails, so what I am talking about is focusing on those people. For these kinds of people, I think that even with the most comprehensive legislation, you can't stop them from sending. The most effective way is to do it from the infrastructure level. We do it from either the ISP level or the infrastructure level to block these kinds of emails. This is the most effective way.

When we're trying to understand this situation, we need to understand that those origins are different. These are two totally different types of spamming emails that we're talking about.

11:50 a.m.

NDP

Brian Masse NDP Windsor West, ON

Thank you very much.

11:50 a.m.

Liberal

The Chair Liberal Dan Ruimy

Thank you.

We're going to move to you, Mr. Baylis. You have seven minutes.

11:50 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Thank you, Chair.

I'd like to examine the malicious emails a little more in speaking to you, Mr. Lau and Mr. Lewis.

One of the main objectives of CASL was to help curtail malicious emails. Mr. Lau, in terms of your interaction with Canada, one of the things CASL was supposed to do was facilitate the international sharing of data. Have you come across that issue or that need? Can you speak to that issue about your communications with Canada?

11:55 a.m.

Digital Crime Officer, Cybercrime Directorate, INTERPOL

Louis Lau

As I mentioned, Canada participates in some international conferences concerning business email being compromised. They're very keen to work with Interpol and other countries in tackling these issues. I must say that currently we don't have established systems to share case information with Canada or other countries that have the same concern, but—

11:55 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

You don't have those systems to share data because you're not set up to receive it or because Canada is not sharing it? Is it because Interpol is not set up yet to receive the sharing of data?

11:55 a.m.

Digital Crime Officer, Cybercrime Directorate, INTERPOL

Louis Lau

Yes and no. We don't have the systems to share it. Also, we need to consider how we will work on the shared data even if we eventually, let's say, have the systems to analyze it.

I understand that the situation is a bit different from the European countries. At Europol, they have the systems. Their situation is that the countries in the EU have the systems and the people to do the analysis of the data. Europol is a bit different from Interpol.

11:55 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Thank you.

Mr. Lewis, one of the points that was brought up again in talking about malicious emails and penalties is that some witnesses said there should be stricter penalties if the activity is malicious, as opposed to an inadvertent error. For example, let's say Rogers sends out 100,000 emails by accident and there's no phishing or spyware involved. They say that this should have a type of penalty that would be different from the type of penalty for an email that's malicious in intent. What are your thoughts?