Malicious advertising catches two businesses under CASL

On July 11, 2018, the Canadian Radio-television and Telecommunications Commission (CRTC) issued a notice and summary of its most recent actions under CASL. For those just joining us, CASL stands for “Canadian Anti-Spam Law” and is exactly what it sounds like. The allegations outlined against Datablocks and Sunlight Media focus on violations committed under sections 8 and 9 of the Act.

According to the summary, Angler malware was distributed via the Datablocks Real-Time Bidding (RTB) solution and the Sunlight Media ad network. What makes the Angler malware dangerous? Simple. Beyond the fact that it is malware, this particular breed acts as a backdoor to install further malware on an already-infected computer, such as CryptoLocker (ransomware), key-loggers to steal sensitive passwords or information, and other types of popular (and terrible) malware.

As a quick refresher, section 8 involves the installation of computer programs on an individual’s computer without their consent. In this case, the allegations refer to malware served via an ad network installed on a computer located in Canada without the user consenting to it. Section 9 deals with the concept of “aiding and abetting,” also known as being complicit, in a violation of sections 6 through 8.

The companies allegedly violated Canada’s anti-spam law in the following ways:

  • Sunlight Media allowed unverified, anonymous clients to use their services to distribute malware.
  • Datablocks provided Sunlight Media’s clients with the necessary infrastructure and software to compete in real-time for the placement of their ads, which contained malware.
  • Neither Datablocks nor Sunlight had:
    • Written contracts in place with their clients that would bind them to comply with Canada’s anti-spam law;
    • Monitoring measures in place governing how their clients use their service; or
    • Written corporate compliance policies or procedures in place to ensure compliance with Canada’s anti-spam law.
  • After being alerted to reports by cybersecurity researchers in 2015, and explicitly made aware by the CRTC in 2016, neither company implemented basic safeguards well-known to the industry.

Steven Harroun, CRTC’s chief compliance and enforcement officer, said, “As a result of Datablocks’ and Sunlight Media’s failure to implement basic safeguards, simply viewing certain online ads may have led to the installation of unwanted and malicious software. Our enforcement actions send a clear message to companies whose business models may enable these types of activities. Businesses must ensure their commercial activities do not jeopardize Canadians’ online safety.”

Datablocks and Sunlight Media are required to pay $100,000 and $150,000 (CAN) in penalties, respectively, and have 30 days to file formal written responses to the CRTC, or else they are required to pay the penalties associated with the report.

What should we be learning from this? Let’s break it down:

  • Your network is responsible for the actions that occur on it.
  • Failure to act on credible information about inappropriate activity could make you legally liable for the behavior. Don’t be complicit, be proactive.
  • Having a plan in place for bad behavior and then actually following it could avoid a violation of your own.

If you want to exchange ideas, network and educate others on compliance issues and regulations affecting email marketers, I encourage you to join the eec Advocacy Subcommittee and be part of the eec community.

By: Matthew Vernhout
Vice-Chair, eec
Director, Privacy and Industry Relations at 250ok
Originally posted here: 7/11/18