Insights For Success

Strategy, Innovation, Leadership and Security

Spam

What is CASL

General | Edward Kiledjian

The Canadian Anti-Spam Legislation (CASL) went into effect on July 1st, 2014. Designed to protect Canadians from unwanted commercial electronic messages (CEMs), it applies to all businesses that send CEMs - including emails, text messages, and social media messages.

As a result of the law, CEMs cannot be sent unless the recipient has consented to receive them, and businesses that violate the law may be penalized. Additionally, businesses are required to include their contact information in all CEMs and to provide recipients with a means of unsubscribing from future messages.

For businesses that violate the law, the Canadian Radio-television and Telecommunications Commission (CRTC) can impose significant fines - up to $1 million per violation.

It is intended to protect Canadians from these threats and to help businesses ensure that they only send CEMs to those who have consented to receive them.

Some businesses have complained that the law imposes undue burdens on them. In spite of this, the government has defended the law, stating that it is necessary to protect Canadians from electronic threats.

You can find additional information about CASL on the website of the Canadian Radio-television and Telecommunications Commission (CRTC). It is the responsibility of the CRTC to enforce the law and to provide resources and information to businesses and consumers. The website includes links to relevant legislation, FAQs, and contact information for the CRTC. Consumers and businesses may also file complaints with the CRTC if they believe that a business has violated the law.

Keywords: CASL, Canadian Anti-Spam Legislation, commercial electronic messages, CEMs, consent, unsubscribe, CRTC, fines, spam, spyware, electronic threats, businesses, consumers, complaints

Description: The Canadian Anti-Spam Legislation (CASL) is a law that went into effect on July 1st, 2014 in order to protect Canadians from unwanted commercial electronic messages (CEMs). This law applies to all businesses that send CEMs, including emails, text messages, and social media messages. Some key points of the law are that businesses must have consent from the recipient in order to send them a CEM, businesses must include their contact information in all CEMs, and recipients must be given a way to unsubscribe from future messages. There are significant fines in place for businesses that violate the law - up to $1 million per violation. The CASL was created due to growing concerns about spam, spyware, and other electronic threats. The Canadian Radio-television and Telecommunications Commission (CRTC) is responsible for enforcing the law and providing resources and information to businesses and consumers on their websites. Complaints can be filed with the CRTC if someone believes a business has violated the law.

Locky Ransomware is king of SPAM emails

General | Edward Kiledjian

Image by Yuri Samoilov used under creative commons license

We had lower than normal SPAM numbers for the last couple of quarters, but the evil scourge of the internet is back with a vengeance. Company CISOs and personal users have probably noticed a recent rise in emails containing variants of the Locky ransomware (file-encrypting malware).

The number of SPAM emails containing malware reached an all-time high, according to Proofpoint's Q3 2016 report.

Proofpoint Q3 email badware statistics

Proofpoint said Locky was found in 96.8% of all malicious SPAM attachments. The vast majority contained a ZIP file containing a JavaScript file. We also saw Office documents containing malicious scripts, HTA files and WSF files.

Definitions:

  • HTA: HTML Application
  • WSF: Windows Scripting File

Other "fun" things found in these malware bundles included:

  • Pony Infostealer
  • Vawtrak banking Trojan
  • Tordal malware dropper
  • Panda Banker banking Trojan
  • CryptFile2
  • MarsJoke
  • Cerber

It's not all bad... exploit kit activity is down 93% compared to the start of 2016.

Google deploying SPAM call protection to some Nexus devices

General | Edward Kiledjian

Nexus One image by closari used under Creative Commons License

Google's quest to squash SPAM isn't stopping with email. The sultan of search is now pushing an update to some Nexus and Google One devices to warn users when they receive a potential SPAM call.

The feature allows you to block the number or report it. The "Use caller ID & spam protection" setting will be turned on by default.

The feature was launched with a post on the Nexus Google+ forum... Yes, Google+... Yes, THAT Google+.


Spam callers be gone! Today, we’re beginning to update your Google Phone app with spam protection on #Nexus and #AndroidOne devices to warn you about potential spam callers and give you the ability to block and report these numbers. If you already have Caller ID turned on, spam protection will be available on your phone once your app updates to the latest version.
— Google

Canada's Anti Spam Law (CASL) and what it means and CASL 2.0

technology | Edward Kiledjian

Over the last month, I received several emails asking me about CASL (the Canadian Anti Spam Law), which went into effect July 1 2014. The purpose of CASL is to protect consumers from unsolicited email messages.

Nothing in this article should be construed as legal advice. Always check with a qualified legal professional.

What is CASL

There are well-written white papers by lawyers that provide the legal perspective on CASL and how it impacts businesses. If that applies to you, you should go find and read some of those. The Canadian Anti-Spam Law was designed to protect Canadian email addresses (.ca) from receiving unsolicited commercial messages. The main drivers are:

  • Consent: The sender needs to secure and record detailed explicit consent from the recipient that they want to receive the sender's marketing content.
  • Identification: The law requires that you clearly identify who is sending the message and who it is being sent on behalf of. The recipient must have a way to easily reach you.
  • Unsubscribe: The recipient must have a simple and clear way to unsubscribe from your mailing list.

Each message you send must contain identification and an unsubscribe mechanism.

Not only email

Legislators made sure CASL protects Canadians across multiple mediums of commercial message delivery, including emails, instant messaging, social media, etc.

Assume this applies to all mechanisms you use to contact a customer for marketing purposes.

Does CASL apply to me?

Let me keep this simple... CASL applies to any entity pushing a marketing message, and you should plan on adhering to its standards.

Does CASL apply to not for profit organizations?

As currently worded, the law provides an exemption for government certified charities performing fund raising through emails. Conversely, other revenue generating activities are not exempt.

The identification and unsubscribe requirements of the law apply to not for profits also.

If you want to add subscribers from one list to another, then you will need explicit consent. 

Non commercial messages (aka regular business type emails) are not covered by CASL. 

You can learn more on the government's website (link)

CASL and email address harvesting

A practice used by some email marketers or resellers of marketing lists is to harvest email addresses using electronic programs to collect email addresses from websites, mailing lists, forums, etc.

CASL amends PIPEDA to forbid the activity of email harvesting.

CASL 2.0

On January 15 2015, an additional provision called the Computer Program Rules will go into effect. This new provision will require express consent before the installation of a computer program on someone's PC, smartphone or other electronic device.

This new wave of CASL comes with very stiff penalties that can reach $10,000,000 for companies. This new wave goes beyond Canadian borders. It applies to organizations (which can be located anywhere) installing programs on a computer located in Canada, or to Canadians installing programs on computers outside of Canada (or under the direction of someone in Canada).

This section of CASL is fairly complicated so I will let you research the interwebs for additional information if you think it applies to you. 

CASL Best practices

In addition to following the CASL requirements stated above, many organizations are also verifying receiver interest in their messages every 6 months. 

Organizations that can prove that they have an existing business relationship will have 3 years to comply but industry best practice says you should plan to comply immediately.

Facebook to clean your news feed

technology | Edward Kiledjian

Image by Robert Scoble used under Creative Commons License

Sure, some Facebook black belts have mastered trimming and caring for their news feed, but most of us get some useful info mixed with spam-like posts. Paid posts aren't the items Facebook is looking to curb; it is the non-paid posts that are verging on free self-promotion. This starts with posts that claim things like 1 like = $1 of donation or 1 like = supporting world peace, etc.

The types of content the social giant will try to control in 2015 are:

  • Like Baiting - trying to get "friends" to like something so it is shown to more people and moved higher on everyone's news feed
  • Frequently circulated content - That religious picture that you see over and over. Or a post like the one above. Facebook says its users rate these as less valuable and it will work to curb them
  • Spam Links - Links that are designed specifically to mislead readers to take them to spam or ad sites. (We don't know the exact details yet but many of the most popular internet sites that show the same pictures over and over with ads may see a huge hit).

Hopefully this cleans Facebook up a bit and makes it more readable. 

Source: 1