Professor Michael Geist (Canada Research Chair, Internet and E-commerce Law, University of Ottawa, As an Individual):
Thank you, Mr. Chair. Thanks for the invitation to come and speak.
My name, as you heard, is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I'm also a syndicated weekly columnist on law and technology issues for theToronto Star and the Ottawa Citizen, and I was a member of the national task force on spam that was struck by the Minister of Industry at the time, in 2004. I served on the board of directors of the Canadian Internet Registration Authority, CIRA, for six years. I currently serve on the Privacy Commissioner of Canada's advisory committee. However, I appear today strictly in my personal capacity, representing my own views.
The introduction of Bill C-27 represents the culmination of years of effort to address concerns that Canada is rapidly emerging as a spam haven. I don't think I have to convince you that spam is a problem, whether it's the cost borne by consumers, schools, businesses, and hospitals in dealing with unwanted e-mail, or the shaken confidence of online banking customers who receive phished e-mail. There is a real need to address the problem.
I think we all know that Bill C-27 isn't going to eradicate the problem, but no country can do that alone. But I think it will finally help to clean up our backyard.
Members of this committee have noted that this is broad legislation that extends beyond just spam. I'd like to submit that this is a feature, not a bug. With much talk of the need for a national digital strategy, I think Bill C-27 fits nicely within that framework, providing much-needed consumer protection for electronic commerce. It's fair to say that the spam task force members recognize the need to address the broader issues towards the end of our mandate and that the steps in this bill are consistent with our recommendations.
While the legislation is broad, it's important to emphasize that the exceptions are broad as well. There are three exceptions, in particular, that I want to point to.
The first exception is consent. Under this law consent trumps all. Indeed, any business or any organization can do anything it likes with respect to electronic marketing or software installation as long as it obtains consent. Now, there are some rules around that consent--form requirements for electronic marketing, disclosure requirements for the software--but I don't think it's an onerous obligation. In fact, whenever a potential concern is raised, and I know that some have been, the first question to ask is, “Why is obtaining consent unreasonable in those circumstances?” Is it unreasonable to ask someone to obtain consent before installing a software program on my computer? Or is it unreasonable to obtain consent before sending me a commercial e-mail about a house sale or about a product or a service? I think in almost every instance the answer is no, that consent is a reasonable requirement.
Moreover, it's not an uncommon requirement, as other laws have adopted the same opt-in consent model. Australia and New Zealand both have opt-in models, and Japan actually switched from an opt-out model to an opt-in model when they found that their opt-out model didn't work.
Secondly, there is a business-to-business exception, as you know. I've heard some claims that this legislation will hamper business as it seeks to use e-mail to promote its products and services to other businesses. The reality is that the legislation contains a business-to-business exception, paragraph 6.(5)(b). I think many of those concerns are unwarranted.
And finally, there are the consumer exceptions. These are pretty broad--in fact, arguably too broad. They mirror, for the most part, the exceptions that we find in the national do-not-call list. I think there are many people who argue that those exceptions already go too far.
Consider, for example, the business-to-consumer exception that covers eighteen months for existing customers and six months for non-customers who merely make an inquiry. So think about what that means. Somebody makes an inquiry with a long-distance provider about one of their plans or contacts a hotel to see if they have room availability and they are then subjected to six months of electronic messages under the guise that this is now implied consent. I think it's reasonable to ask why a business should be entitled to contact a consumer for six months without any further consent merely because the consumer has made a single inquiry.
My point here is that the net of the legislation may be broad, but so too are the exceptions that will continue to permit commercial activity. Some businesses may argue that it goes too far, and some consumers may believe it doesn't go far enough. Perhaps that's a sign that an appropriate balance has been struck.
Let me quickly talk about how these principles apply to several of the criticisms that I saw highlighted earlier this week. I know jurisdiction was raised. And jurisdiction, as you know, covers connections with Canada, including the routing of a message through Canada. This approach merely builds on existing jurisdictional law in Canada with respect to a real and substantial connection. If a message fleetingly enters Canada, I suspect that the test would not be met of a real and substantial connection and it's a non-issue from a liability perspective.
With respect to software updates, as I referenced earlier, it seems perfectly reasonable to expect a software vendor to obtain consent from an end user before installing anything on their personal computer and to tell them what they are about to install. To suggest otherwise would be to surrender control over their personal computer and to face the prospect of security breaches, as occurred in the fairly infamous Sony rootkit case.
Then there's the issue of real estate agent e-mails. As I'm sure many of you are aware, real estate scams are among the most common, with references to swampland in Florida being almost shorthand for the notion of fraudulent offers. Do we really want to exempt an entire area that suffers significantly from spam concerns?
Fourth, there's the issue of tough penalties, including the private right of action. I'd argue this is another feature of the legislation. The bill has tough penalties. The experience in countries such as Australia has been that anti-spam law only works if the penalties are sufficiently tough that you create some economic risk for spammers. Otherwise, they simply keep on doing what they're doing. In fact, there have been some lawsuits launched against Canadian spammers, but they've been launched elsewhere because Canadian law didn't measure up. I think we ought to fix that.
Are there any changes needed? I think there are at least two amendments I can point to. The first--and it was raised by this committee--is the prospect of a review provision. I think it's a fast-moving area, and mandated reviews make sense. The second involves the computer software consent provision. In the main, I think the provision gets it right. However, there may be a limited number of instances--the use of Java script on web pages comes to mind--where the provision could prove problematic. It's not easy to craft a rule that targets all the harms, the botnets, spyware, surreptitious installations, keystroke logging, while leaving behind the benign activities.
I'd suggest a small addition. I'm not a legislative drafter, but I would suggest essentially a subclause 10(3) that would allow for implied consent for certain types of computer programs where the person has consented to the installation of that type of program by way of their preferences in their web browser. In other words, if they've checked their preferences in their browser that will allow that form of program, then we ought to be able to take that as implied consent. That would cover off programs like Java and Java script, as those are typically addressed within web browser preferences.
Let me conclude with a warning against what I see as some lobbying efforts to water down what I see as reasonable standards found in this legislation. I'd note that we have seen this before; it's what took place with the do-not-call list. That bill started with good principles, faced intense lobbying and I think some scare tactics, and by the end of the process Canadians were left with a system that I think is now widely recognized as a failure, with some estimates saying that more than 80% of the calls that used to come continue to come, and with security breaches around the do-not-call list itself.
I think we must avoid a similar occurrence with respect to anti-spam legislation. Change in some business practices might be scary to some, but we can't allow scare tactics to dissuade you from moving forward with this much-needed legislation.
I look forward to your questions.
Mr. Dennis Dayman (Secretary Treasurer, CAUCE North America, Inc.):
Good afternoon, ladies and gentlemen.
My name is Dennis Dayman.
I'm the secretary treasurer of the Coalition Against Unsolicited Commercial E-Mail, or CAUCE. With me today is Matthew Vernhout, one of CAUCE's directors at- arge, who's on the anti-spam task force as well.
CAUCE is a group representing computer users in Canada and the rest of North America. CAUCE thanks you for the opportunity to speak to Bill C-27, the Electronic Commerce Protection Act.
As you can probably tell by my accent,
I am not Canadian; I am American.
And I regret that I do not speak French.
So why is an American here today addressing this esteemed committee? Well, reflecting the way in which spam is a global problem, some years ago CAUCE Canada merged with its American counterparts to better serve our constituents. Spam respects no borders, and to best represent computer users on both sides of our mutual border, we decided to mount a coherent Can-Am front against the blight of Spam 2.0.
Spam 2.0 might be a new phrase to you. At the turn of the millennium, virus-makers, hackers, spyware producers, phishers, and spammers joined forces in a blended threat, and spam is a distribution mechanism for their evil. It's now not merely a conveyance of illicit marketing, but also of malware of all shapes and sizes. Phishing, spyware, viruses, and spam are all now the products of the same criminals. Spam isn't just in e-mail any more. It comes to us by text messaging, voice over IP, our social networking sites, and instant messaging.
Bill C-27 recognizes this, and we in the consumer advocacy and marketing community thank the drafters of this bill for having taken a smart, open-minded, broad approach to current and future threats.
You heard me correctly, ladies and gentlemen. CAUCE, once the exclusive domain of the computer geek anti-spammers, has openly embraced the marketing community for a decade now. It counts among its members and executives many individuals and companies who have an enlightened view as to why anti-spam laws work in our favour.
My colleague Matthew Vernhout and I work for large international e-mail service providers. I work for Eloqua Corporation, and Matthew is at ThinData, Canada's largest e-mail service provider. Both of our companies were founded and continue to operate in Toronto. Our companies provide sending infrastructure for marketing e-mail on behalf of such companies as Fidelity, Air Canada, American Express, and literally hundreds of small and medium-sized companies. We are very much in favour of this law.
By now, you have received many letters supporting Bill C-27 from others in our community, such as Matthew Blumberg, the CEO of Return Path Inc. Return Path certifies commercial marketing e-mail into such places as Hotmail, Yahoo!, Telus, Bell Canada's Sympatico, and literally hundreds of other large and medium-sized Internet service providers.
It is our understanding that some have been spreading what we in the Internet community call FUD--fear, uncertainty, and doubt--about this bill. We cannot understand why anyone is doing so. Perhaps it's an adversarial relationship with some of the enforcement agencies in this country. Perhaps it is to create a hostile business environment for competitors. Some, perhaps, benefit financially from providing connectivity to those bad actors.
What we do know is that this bill has a long tail. It directly intersects with American and Canadian marketers and consumers. And we are here to assure you that from the standpoint of legitimate international and Canadian-based marketing companies, the bill is well crafted. We have no worries about our clients' e-mail or our professional activities.
Bill C-27 has broadband support on both sides of the equation--sending ESPs and receiving ISPs.
Bill C-27 draws from the experience and builds on the success of laws elsewhere, cherry-picking the best aspects of laws in, for instance, New Zealand, America, and Australia. Australia, for example, has had great success with the private right of action aspect of the law. Legitimate businesses continue apace, while bad senders have suffered the consequences, much to the benefit of good players.
Some might tell you that the law is complicated. CAUCE does not disagree. Yet the portions dealing with the problem of spam are simple and direct. They are already industry best practices, and many have already been implemented. Necessarily complicated are those aspects specifying the new Canadian enforcement regime. It would be folly for the one G-8 country without anti-spam legislation, Canada, to wait for agency reform prior to passing what is long overdue. Hence, we concur with this bill's approach of giving increased powers to existing enforcement agencies.
Canada must do its part to deal with homegrown spammers. Despite what you might have heard, Canada, with solid and inexpensive broadband infrastructure, is home to some of the most expansive spamming networks.
Canada has the highest per capita membership on the social network site Facebook, which is why a Lachine, Quebec, resident took advantage of their systems. He was successfully sued under the American CAN-SPAM law for three-quarters of a billion dollars. The spammer is now claiming to have zero assets, yet his blog indicates that he dines at some of Montreal's finest restaurants. Clearly, he has some pocket money. It is our understanding that Facebook is very actively investigating options in terms of getting a judgment here to seize what he does have.
Another example of Canadian spam is a man who lives near Montreal. His company has spammed for ten years, unabated, to promote the Canadian government subsidy directory. Despite repeated complaints to the Office of the Privacy Commissioner, the spam continues to this day, hitting the inboxes of virtually all CAUCE directors, and I imagine yours as well.
And let us not forget our west coast. There is a company whose scheme is more complicated. It produces herbal concoctions designed to attempt to get around the health laws of the country. Their snake oil promises to help you stop smoking, lose weight, or, alternatively, grow larger in certain areas. They have been successfully sued in the United States under a class action lawsuit because, not surprisingly, this stuff does not work. The company is owned by two brothers. Their substances are produced in the Caribbean and shipped to a British Columbia distribution centre, and their marketing e-mail originates from there as well. They don't spam on their own behalf, apparently. Rather, they have what they call “affiliate programs” where people, real or imagined, sign up to earn a commission and send promotional e-mails—spam—to drive those sales. The spam is sent from all over the world. The company maintains a veneer of false legitimacy and clean hands.
Thankfully, here too Bill C-27 does bring a remedy. The beneficiary who profits from illicit activities is on the hook. Such a company would be shut down were this bill to become law. The infamous Canadian pharmacy spam gang got its start in Montreal and has points of presence in eastern Europe, with major ties to organized crime.
For these reasons, ladies and gentlemen, CAUCE speaks for tens of thousands of Internet end users and legitimate companies with a horse in this race when we respectfully encourage you to pass this law as quickly as possible to help clean up the Internet for the benefit of all. Canada must do its part, and Bill C-27 is a significant solution to that spam problem.
Thank you, and we will be happy to take any questions you may have at this time. Merci.
Prof. Michael Geist:
With respect to Australia, respectfully, my reading is different. I have the Australian act in front of me, and it refers to commercial electronic messages in much the same way. I don't see a significant difference on the definitional side.
Part 2, subsection 16(1), of the Australian act says:
|| A person must not send, or cause to be sent, a commercial electronic message that...has an Australian link...and...is not a designated commercial electronic message.
Then you go into the definitions.
It frankly mirrors a lot of what we've done. I think it was noted by my colleague here that it's pretty clear Canada borrowed fairly heavily from the legislation you find in other countries. So I actually don't see the first premise; I don't see that focus on direct marketing the way that you suggested. I see statutes that talk about commercial electronic messages in much the same way we do.
Then you get into this other basket. As I mentioned off the top, everything is permitted; there's nothing that you can't do. The only question is whether or not you have to get someone's consent in order to do it. The exceptions we're talking about—the notion of a business, for 18 months after they have an actual relationship, or six months after an enquiry, or political parties, or charities, and all these other exceptions—are exceptions to the notion that they don't even need to get that.
That strikes me as providing pretty wide latitude. All a business has to do in every one of these circumstances is get consent from the customer; then they're okay.
Then you get into the second basket, where you say “I don't want to get consent from the customer”, and we're still giving them quite a wide berth to continue to market to consumers.
Mr. Anthony Rota (Nipissing—Timiskaming, Lib.):
Thank you, Mr. Chair.
Thank you for being here today.
I'm looking at the areas of resourcing and enforcement of the law. In 2002 the Utah legislature passed an anti-spam bill in an attempt to stem spam from being in the inbox of its citizens. The law classified spam as unsolicited e-mail sent to someone who was without a prior business relationship with the company, and the definition is very similar to that in Bill C-27, from what I understand. In their bill, they provided for a right to civil action for violation, much as clauses 47 and 51 of Bill C-27 do. Any spam sent to a person gave that person the right to file a civil suit against the company.
Although damages were limited to $10 per e-mail, the law also allowed for attorney's fees to be paid if the spam recipient was successful in court. Utah's anti-spam law resulted in a flood of anti-spam suits in the court. By the end of 2003, two Salt Lake City attorneys had filed more than a thousand lawsuits under Utah anti-spam law against companies such as Verizon, eBay, and Columbia House. These are clearly larger corporations.
In December of 2003 the U.S. Congress passed the federal anti-spam law, the CAN-SPAM Act, which trumps the state law, and in 2004 Utah's anti-spam law was repealed, but not before the Utah courts were basically clogged with anti-spam lawsuits. Many legal experts have said that it was because of the civil action for violations that this particular law was struck down.
That concerns me when I look at our legal system, and how backed up it is. When I look at this, I see this mad influx of civil lawsuits against companies that normally wouldn't be sued and that seemed to be doing the right thing. As Bill C-27 includes that private right-of-action clause, how do you see this affecting our legal system?
Mr. Mike Lake:
Thank you again, Mr. Chair.
I'm going to just revisit the business side of things and the cost of doing business.
Prior to getting elected in 2006, I worked for the Edmonton Oilers hockey club. At one point, I was the director of ticket sales back in the late nineties. I thought it would be a good idea, as director of ticket sales, to post my e-mail address on the website. People would e-mail requests for season tickets and I could pass them on to the sales staff.
It didn't turn out to be such a great idea. I got a tremendous volume of many of the types of e-mails you've talked about. Of course, this was back in the days before we had the spam filters to the extent that we have them now.
In the end, I had to eventually change my e-mail address and of course change all my business cards. All the people who would have had my e-mail address couldn't use it any more. They couldn't reach me, because there is no way to fix that. I couldn't just have the e-mails forwarded, because I'd get all the spam again, right?
We had to hire an extra staff person to clean up the spam. I remember we had to invest some fairly significant dollars into technology software to filter out the spam. If you multiply that cost business by business, across the country, you start to see some pretty enormous costs of doing business.
That's enough said on that. That's a little bit of a speech, I guess.
Do you have a sense of how high the cost is to business?
Maybe I'll give the fellows on the right side of the table a chance to answer that. I sense that you do have some numbers you can attach to this.