Science

Anti-spam law targets software starting January

Companies will soon have to get consent before installing a program on a person's computer if the software has the ability to covertly send electronic messages or has other functionality outlined in the legislation.

Law could make legitimate software makers pull products out of Canada, critic says

The law targets malware and spyware, but is controversial because it will also affect those who make or deal with legitimate software. (CBC)

Canada's controversial anti-spam law has already forced businesses to change how they communicate with consumers by email.

Early next year, the law will also start targeting software makers.

Starting on Jan. 15, 2015, companies will have to get consent before installing a program on a person's computer if the software has the ability to covertly send electronic messages or has other functionality outlined in the legislation.

There's no other law in the world that I'm aware of that comes close to regulating computer program installations as broadly.- Michael Fekete, lawyer

While the law has been framed as an attack on the creators of malware and spyware, it also affects legitimate software companies, which face fines of up to $10 million for non-compliance.

"We are regularly installing, or being asked to install, huge numbers of software programs — sometimes on a daily basis — and very often we are unaware of what is happening," says Michael Geist, a professor at the University of Ottawa and the Canada Research Chair in Internet and E-commerce Law, who supports the legislation.

"Consumers are putting a plethora of stuff on their systems often without knowing much about it. This raises the bar in terms of consumer awareness when they're installing software, better awareness about what that software will do, and greater disclosure requirements on the part of businesses seeking to install those programs."

The first part of the law targeting programs that can send electronic messages from a user's computer will allow the CRTC to go after malware or spyware makers that use infected computers to surreptitiously distribute spam.

Disclosure required

Companies must also clearly disclose to users if its software could collect personal information, interfere with the normal operation of a computer, alter settings or preferences or data on a computer, or allow a third party to access a computer.

The law states that the disclosure must be described "clearly and prominently and separately and apart from the licence agreement."

Exemptions are given for operating systems, web cookies, HTML and JavaScript code, and software updates or upgrades if a company can prove a user had previously consented to installing its program.

Michael Fekete, a lawyer with the Toronto-based Osler, Hoskin and Harcourt law firm, says the law is overreaching and should have focused specifically on malware and spyware.

"There's a mismatch between the stated purposes of the legislation as found in the regulations and the scope of the legislation," says Fekete.

"There is really no question that malware and spyware are things that should be prohibited ... but there's a very broad range of programs that are regulated regardless of whether the software will have a negative impact."

Tech companies could keep products out of Canada

He says the law could lead to technology companies deciding to keep their products from the Canadian market.

"There's no other law in the world that I'm aware of that comes close to regulating computer program installations as broadly," Fekete says.

"The question will be whether some distributors of computer programs will ultimately decide to geofence Canada and preclude the download of products in Canada because they haven't made the investments that would be necessary to change the interfaces. We don't know just yet what the ultimate impact on consumers would be from that standpoint, but that remains a possibility."

He also says he's concerned that the law appears to cover not only computers but mobile devices and virtually any other device that works with software code.

"The rules apply to virtually any computer program, even computer programs embedded on devices that do not have a user interface. And so if you look at the ubiquity of computer programs in not just consumer devices but with just about any device that can be wirelessly connected these days, we're introducing to Canada this unique set of rules that don't exist anywhere else and cover the broadest possible scope of computer programs," Fekete says.

"I think it's fair to say it's a grey area and there remains a lot of uncertainty. There's a lot of interpretation issues that remain unsettled and that's just one of them."

But Geist thinks complying with the law won't be onerous and Canadians will support the change.

"I don't think it's so unreasonable to tell people what it is you're installing and why you're installing it," Geist says.

"If someone thinks that's overly onerous to provide that level of disclosure and to obtain an appropriate consent I suspect that many Canadians would say perhaps that's not something I want on my system."