McCarthy Tétrault Advance™
Building Capabilities for Growth

Canada’s Anti-spam Law (CASL): Navigating the Computer Program Provisions
April 30, 2014
McCarthy Tétrault LLP / mccarthy.ca #13392852
Daniel G. C. Glover, Partner
Direct Line: (416) 601-8069
E-Mail: [email protected]
Question:
What countries have anti-malware/spyware laws that are similar to those in CASL?
CASL = MORE THAN MALWARE/SPYWARE
• Applies to “computer programs”, defined as “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function”.
• Broad definition
• Includes apps and updates
• Applies to installation of programs on another person’s “computer system” = “a device that, or a group of interconnected or related devices one or more of which, (a) contains computer programs or other data, and (b) pursuant to computer programs, (i) performs logic and control, and (ii) may perform any other function”.
• Could include servers, PCs, smartphones, tablets, ebook readers, the “Cloud”, websites and web services, industrial machines, appliances, smart medical devices, autos, thermostats and other consumer products.
WHAT ACTS DOES CASL APPLY TO?
RIAS: CASL will only apply to the installation of computer programs on another person’s computer system. CASL will not apply to installations carried out by persons on their own computing devices.
• A consumer buys a program on disc and installs it on a home computer?
  - Fairly clear, but need express consent for update/upgrade
• A manufacturer pre-installs a program on a device and sells the product to consumers?
  - Need express consent for update/upgrade
  - How to get express consents for smart devices?
• A retailer offers computer services, such as installing software, repairing or configuring computers, or installing updates?
  - How is it possible to disclose?
• A person goes to a website to download a program?
  - Who is installing the program:
    - the user?
    - the site operator?
    - both acting in concert?
CASL REACHES ACROSS BORDERS (s. 8(2))
Computer program provisions apply:
• if the computer system is located in Canada at the relevant time or
• if the person either:
  - is in Canada at the relevant time or
  - is acting under the direction of a person who is in Canada at the time when they give the directions
THE PROHIBITIONS (s. 8(1))
A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless:
(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with [the disclosure requirements of] subsection 11(5); or
(b) the person is acting in accordance with a court order. [Rare]
DEEMED “EXPRESS” CONSENT (s. 10(8))
A person is considered to expressly consent to the installation of a computer program if:
a) the program is:
   i. a cookie,
   ii. HTML code,
   iii. Java Scripts,
   iv. an operating system,
   v. any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or
   vi. any other program specified in the regulations; and
b) the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.
RIAS: Insofar as cookies are not executable computer programs, and they cannot carry viruses and cannot install malware, and are simply lines of text or data that are read from a web browser, they are not computer programs for the purposes of CASL
RIAS: In addition, the software on some computer dedicated systems in automobiles may be “operating systems”, such as computers that operate specific functions like braking. There is deemed consent to update that as operating systems under the Act.
• Where is the dividing line between an O/S and other functions?
GETTING EXPRESS CONSENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS
Obtaining consent: s. 10(1): A person who seeks express consent must, when requesting consent, set out clearly and simply the following information:
(a) the purpose or purposes for which the consent is being sought;
(b) prescribed information that identifies the person seeking consent and, if the person is seeking consent on behalf of another person, prescribed information that identifies that other person; and
“Minimum disclosure” applies to computer programs generally:
A person who seeks express consent must, when requesting consent, also, in addition to setting out any other prescribed information, clearly and simply describe, in general terms, the function and purpose of the computer program that is to be installed if the consent is given.
14. … in order to meet the requirement of seeking consent separately, the person seeking consent must identify and obtain specific and separate consent for each act contemplated by the sections of the Act...
15. For example, … persons must be able to grant their consent for the installation of a computer program while refusing to grant their consent for receiving CEMs. However, the Commission does not consider it necessary for consent to be sought separately for each instance of the acts listed in paragraph 13 above...
REQUESTS CAN’T BE SUBSUMED OR BUNDLED WITH TERMS & CONDITIONS
16. The Commission considers that requests for consent contemplated above must not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale. The underlying objective is that the specific requests for consent in question must be clearly identified to the persons from whom the consent is being sought. For example, persons must be able to grant their consent to the terms and conditions of use or sale while, for instance, refusing to grant their consent for receiving CEMs.
• Implied consents cannot be relied upon. Only express consents are valid, assuming compliance with the disclosure requirements.
• The CRTC suggests that written agreements or click-wraps will comply if the consent is not bundled in the agreement. Enhanced consent requires a specific acknowledgement from the person consenting.
CRTC Reg s. 4. For the purposes of ss. 10(1) and (3) of the Act, a request for consent may be obtained orally or in writing and must be sought separately for each act described in ss. 6 to 8 of the Act and must include …
(e) a statement indicating that the person whose consent is sought can withdraw their consent.
Problem: How can consent be withdrawn for a program that is already installed?
24. … the term “in writing” includes both paper and electronic forms of writing.
25. The Commission considers that the requirement … is satisfied by information in electronic form if the information can subsequently be verified.
26. Examples of acceptable means of obtaining consent in writing include checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and filling out a consent form at a point of purchase.
DISCLOSURE REQUIREMENTS TO COMPLY WITH “MALWARE” AND “SPYWARE” PROVISIONS
If the computer program meets a “malware” or “spyware” criterion, the person must “clearly and prominently, and separately and apart from the licence agreement,
(a) describe the program’s material elements that perform the function or functions, including the nature and purpose of those elements and their reasonably foreseeable impact on the operation of the computer system; and
(b) bring those elements to the attention of the person from whom consent is being sought in the prescribed manner”.
ENHANCED DISCLOSURE (s. 10(4))
The enhanced disclosure standard applies where the program performs functions that the person knows and intends will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner or authorized user of the computer…
• Imports a subjective intent element (for installer) and an objective standard (for user)
ENHANCED DISCLOSURE TRIGGERS (s. 10(5))
• collects personal information;
• interferes with control of the computer;
• changes or interferes with settings, preferences or commands;
• obstructs, interrupts, or interferes with access to data;
• causes the computer to communicate with another computer without authorization;
• installs a program that can be activated by a third party;
• installs a bot; or
• performs any other function set out in the regs; [none yet]
but not if the function only collects, uses or communicates transmission data or performs an operation set out in the regs.
LISTED FUNCTIONS (s. 10(5)-(6))
EXCEPTIONS FOR SOFTWARE UPDATES, UPGRADES AND PATCHES (s. 10(7))
Formalities for obtaining express consent (ss. 10(1) and (3)) not required to install an update or upgrade so long as the installation or use of the computer program being updated was expressly consented to and the person who gave the consent is entitled to, and does receive, the update under the terms of the express consent.
Problems:
• No explicit exception that permits installation of an update or upgrade without consent.
• The original consent to install a program must include a consent to install updates or upgrades or they cannot be installed without requesting and obtaining a new consent.
Exemptions available only if “the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation”. (s. 10(8)(b))
• To be dealt with by Michael Fekete and Howard Fohr in the next presentation
s. 67: If a computer program was installed on a person’s computer system before section 8 comes into force, the person’s consent to the installation of an update or upgrade to the program is implied until the person gives notification that they no longer consent to receiving such an installation or until three years after the day on which section 8 comes into force, whichever is earlier.