Proceedings of the Standing Senate Committee on
Transport and Communications
Issue 2 - Evidence, April 28, 2009
OTTAWA, Tuesday April 28, 2009
The Standing Senate Committee on Transport and Communications is met this day, at 9:31 a.m., to study Bill S- 220, an Act respecting commercial electronic messages.
Senator Lise Bacon (Chair) presiding.
[Translation]
The Chair: This morning, we have on our agenda, a study of Bill S-220, an Act respecting commercial electronic messages. Our witness is the Honourable Senator Goldstein, who is sponsoring this bill.
Senator Goldstein, you are used to committees. First we will hear you, and then my colleagues will have questions for you. You have the floor.
Hon. Yoine Goldstein, sponsor of the bill, Senate of Canada: Thank you, Madam Chair, and I thank my colleagues and friends.
[English]
There seems to be only one screen. We have the deck in both English and French. Will anyone be offended if I show only the English? You have both languages in the written presentation.
Let me start by telling you what Bill S-220 does, or intends to do. It cracks down on spam by making it an offence to send any unsolicited commercial messages to anyone in Canada without first getting that person's permission.
The bill includes provisions to fight a series of abusive practices such as email address harvesting, dictionary attacks or phishing.
Phishing is a unique Internet and email term. It is the practice of some fraud artists to pretend that they are sending a message from a respected retailer or other person, usually a bank, with a view to obtaining a social security number, a credit card number or a bank account number so that a fraud can be committed. Phishing is endemic; in fact, it is an epidemic around the world. I am sure we have all received those messages.
The intent of the bill is to create a liability for those who are the beneficiaries of these various products and services that are promoted in spam messages. For example, if someone sends me a message suggesting that I buy Viagra — why they would choose me I do not know, but they do — and the vendor of that product is a Canadian, then the vendor is jointly and severally liable with the person who has sent that spam for the fines, which are significant in the proposed bill. The bill itself empowers citizens and especially Internet service providers to take legal action against spammers and to seek damages without having to wait for authorities to intervene or to do so.
What is the term ``spam''? It refers to electronic messages that are commonly transmitted to a large number of people, in fact millions of people, without their prior consent. They usually, but not necessarily, have a commercial focus of some kind to promote selling either products or services. They share one or more of the following characteristics. First, they are sent in an untargeted and indiscriminate manner, usually by automated means. Second, they include or promote illegal or offensive content. Third, their purpose is fraudulent. Fourth, they collect or use personal information, which is called a phishing scam. Fifth, they are sent in a manner that disguises the originator so the receiver does not know who is sending the message. Sixth, they do not offer a valid and functional address to which recipients may send messages opting out of receiving further solicited messages.
The bill defines ``spam'' in a simple way. The bill is intended to regulate only ``commercial messages'' — nothing more — such as promotion of goods, services and land, business, investment and gambling opportunities or similar types of promotions. This choice was made to protect freedom of speech. There is always a difficult balance in statutes of this nature between trying to suppress abuse on the one hand, and respecting the right of citizens to communicate with each other in a free way. That balance is sometimes hard to achieve.
I have tried to achieve that balance by suggesting that messages between citizens and their governments are exempt to ensure the ability of citizens and governments to communicate with each other. These communications, therefore, should not be inhibited in any way. The definition of ``electronic message'' employed in the bill applies not only to spam messages sent via email, but also to those using what has become more frequent and usual; instant messages services and mobile phones.
You may recall perhaps the problems, which arose a short while ago when one of the mobile phone service providers indicated that it would apply a charge to spam messages that were received on telephones. Fortunately, the provider withdrew from that position.
Let us talk about the growth of spam and the kind of problem it is. The volume of spam has risen sharply in recent years increasing from 10 per cent of total email traffic in 2000 to approximately 95 per cent of email traffic today. Only 5 per cent of emails on the Internet on any given day are emails other than spam, that is, emails that have value. Ninety-five per cent are emails that have no value and are spam.
Some of this increase in volume has come from legitimate businesses that view email as a new marketing tool. However, the bulk of the increase has come from those marketing phoney products or engaged in criminal activity. A typical example is an email that we have all received from an operation that calls itself the Canadian Drug Company. In fact, the email emanates from the Ukraine. There is no such thing as the Canadian Drug Company, yet it advertises prescription products at prices significantly lower than those available in Canada.
Although there are no statistics, one can well imagine that an infinite number of Canadians would be taken in by this advertising. They would send their credit card information to that operation in Ukraine, which would use it to obtain money; and, of course, the sender never receives the product.
What is the content of spam messages? The advertisements vary enormously, from goods and services to pornographic material, to information on illegal copies of software, to fraudulent advertising attempts to solicit money. Spam emanates from a variety of sources. Regrettably, Canada is the fourth largest originator of spam, but by far the largest originator is the United States, followed closely by Turkey and Russia. We rank fourth in this very bad list of transgressors. Although we are fourth and our percentage of contribution to spam is 4.7 per cent, the 2008 annual report from Cisco indicated that in terms of global spam, Canada accounted for 9 billion messages daily. That is an incredible amount of spam.
The economics of spam are interesting. Spam is an attractive advertising medium for both legal and illegal businesses because there is virtually no cost to the sender. Spam's low costs provide the potential for large profits. A study by a team of computer scientists at the University of California at Berkeley and in San Diego showed that a response rate of less than .00001 can be profitable when using email. The Berkeley team waged its spam campaign and sent out almost 350 pieces of junk mail over 26 days. By the end of their trial study, they had netted 28 sales with one response for every 12.5 million emails sent. One would think that response rate is insignificant but the profit for this operation, had it been extended for one year, would have been US $3.5 million.
What problems are associated with spam? First, and perhaps foremost, is the loss of business productivity. Estimates show that when employees spend 15 minutes per day dealing with spam, that time can cost businesses $3,200 dollars per employee per year in lost productivity. The Organization for Economic Co-operation and Development has estimated that spam cost the global economy US$20.5 billion in 2003. Updated to 2008, one can well imagine that the figure is considerably higher. According to data supplied by Ferris Research, spam will cost a total annually of $130 billion worldwide by the end of 2009. The problem is mammoth.
Spam causes increased costs for Internet services. The global cost of filtering spam was estimated to be almost US$674 million in 2004, three quarters of a billion, and is projected to rise to $2.6 billion this year, taking away resources that could be spent on new and improved services for businesses.
The environmental impact is huge as well. The annual energy use to transmit, process and filter spam worldwide totals 33 billion kilowatt hours — an amount equivalent to the electricity used in 2.4 million homes — considering that 62 trillion spam email messages were sent worldwide in 2008. The single spam message produces the equivalent to the greenhouse gas emissions associated with driving a vehicle three feet. That amount in itself is small but multiplied by 62 trillion, it becomes a mammoth production of greenhouse gas.
From a purely commercial perspective, spam significantly reduces consumer confidence. There is distrust among Internet users about the digital economy. This distrust creates a threat to the growth of e-commerce, which is a valuable process within the economy. A 2005 study from Consumer Reports found that concerns about identity theft had made 25 per cent of respondents either wary of shopping online or had caused them to stop shopping online; and 29 per cent had reduced online purchases. According to Statistics Canada, only one in three Canadians aged over 16 has made an online purchase in 2007.
What action has Canada taken to date? In May 2004, Industry Canada launched An Anti-Spam Action Plan for Canada. The main objective of the action plan was to create a task force on spam that would bring together government, academics, Internet service providers, businesses that use email legitimately and consumers in order to develop a comprehensive and inclusive strategy. The task force completed its work in May 2005 and issued a series of 22 recommendations in respect of how Canada should tackle the problem of spam. The blue ribbon task force made a number of significant recommendations in its report, which is excellent. The report is all embracing and points to specific directions in terms of Canadian legislation. The task force made it clear that Canada's laws are insufficient to address the issue of spam, and that law enforcement agencies lack the resources to address spam in a meaningful way. The task force strongly recommended the creation of a new legislative framework to prohibit spam and other new threats to the viability of the Internet.
For some time, Canada remained the only G7 country without anti-spam legislation. Bill S-220 is intended to fill this legislative void, and the provisions in the bill are based primarily on the report from the National Task Force on Spam. The provisions draw on various elements of anti-spam legislation from the United States, the State of California, the European Union and Australia.
Last Friday or Monday, the government introduced an anti-spam bill. If this committee wants me to do so, I will speak briefly to that later and respectfully make a suggestion as to how this committee might consider this bill, Bill S- 220, and the government bill.
I will describe somewhat technically, but in a way that everyone can understand, the provisions in Bill S-220. There are two different general approaches to anti-spam legislation across the world. The first is the opt-out approach, whereby regimes permit the sending of unsolicited commercial email as long as the senders follow certain guidelines and allow recipients the opportunity to unsubscribe from a mailing list, should they want to do so. That approach puts the onus on the recipient to take action when the recipient is bombarded by spam. A bill in the U.S. entitled Controlling the Assault of Non-Solicited Pornography and Marketing Act, CAN-SPAM, of 2003 adopts the opt-out approach and, by all accounts, has failed.
The second is the opt-in approach, which prohibits the blanket sending of spam to Canadians of unsolicited commercial emails. This approach permits commercial emails to be sent only in the context of an existing business relationship or with the prior consent of the recipient. There are some exceptions. Political messages are not covered, and people are free to send any such messages they so choose. However, a provision permits people to opt out of those messages. Those of us who have received an excessive number of emails with respect to, for instance, the seal hunt, would be permitted to advise the senders by a click of the computer key that they do not wish to receive any more messages from them on that particular subject.
Polling and charitable activities are exempted. In other words, the attempt is made to protect legitimate email contact, but to suppress illegitimate email contact.
I said earlier that the American CAN-SPAM bill compliance never went above 7 per cent in the two-year period from 2004 to 2005, and that compliance is described as a failure.
The opt-out approach is also an invitation to spammers to continue spamming. Most spammers send their emails indiscriminately, millions of them, to addresses that the computer creates, so they are not necessarily real addresses. However, when the recipient responds and says, Do not send me spam, that response tells these people that they have hit a live one, so to speak, and from then on, the recipient receives tremendous amounts of spam. The opt-in approach precludes that possibility. Bill S-220 and, incidentally, the government bill opt for the opt-in approach.
Bill S-220 provides for something called an ``unsubscribe'' facility, which requires all commercial messages to have a functional unsubscribe facility that users can use to notify the sender that they do not wish to receive further messages. Email senders are required to identify themselves and to honour these requests, giving Internet users the choice not to be bothered even by messages that they had initially consented to receive.
The unsubscribe facility must be conspicuously included in the message; it must allow the recipient to respond using the same communication method in which the original message was sent; it must be capable of receiving unsubscribe requests for 30 days; and, it must not require the recipient to pay a fee to unsubscribe.
Senders are obliged to honour unsubscribe requests within seven days. That length of time was chosen to allow four to five business days to process the request.
I said earlier there are certain exceptions in Bill S-220 to respect freedom of speech and certain political activities. Firms, for instance, that have a pre-existing business relationship with a recipient are exempt. Email has become an important tool in legitimate commerce, and it would be unfortunate if this bill were to hamper in any way the continuation of business relationships that are useful to the economy.
The bill provides for certain content regulations in emails. Three things must be included in every email. The first is the identity of the sender or the person who authorized the sending of the message; the second is an accurate header and routing information on the top of the message so people know where the message came from; and, the third is the contact information for the sender or the person who authorized the sending in order to be able to stop that sending.
There is a prohibition in the bill of bulk email lists and dictionary attacks. Dictionary attacks are mammoth sendings of emails to every imaginable permutation and combination of names and numbers; namely, millions or perhaps billions of emails sent by spammers in the hope that 10, 20 or 100 of those emails will hit a real email address, and that the owners of those email addressees will find themselves in the unfortunate position of being defrauded.
There is an anti-phishing provision so that when recipients receive a note from Visa saying that Visa needs their social security number to update their records, they will know that someone is trying to phish them, and that becomes a criminal offence.
Importantly, there is liability to third parties. If the message is authorized by someone other than the sender, then the person who authorized the sending is liable jointly and severally with the sender. In other words, the commercial beneficiary of these emails, that is, the person whose product or services are being promoted by the email, is liable for the penalties envisaged in the act, even though it was not that person who sent the email but a commercial spammer who was engaged by that person to send it.
An important element of the bill is extraterritoriality. Generally speaking, the common law principle is that laws should not have extraterritorial effect; they should be limited to the territory that has passed the legislation in question. One must somehow overcome the problem that over 95 per cent of spam emails received in Canada are sent from abroad. This bill proposes to overcome the problem with a deeming provision; by saying that if the recipient of an email is in Canada, then the sender is deemed to have sent it in Canada.
The commercial beneficiaries also have an obligation. They have the duty to take action or to contact law enforcement agencies if they become aware of the fact that their products or services are promoted using spam. Large penalties are envisioned in the legislation; up to $500,000 for a first offence and $1.5 million for a second offence.
We also tried to target the proceeds of spam. The bill allows for a court to order that the person convicted of an offence under the bill pays an additional fine equal to the amount that the person is believed to have gained by committing the offence, as a further deterrent to spammers.
Telecommunications providers, the people who are the gateway to our receiving email such as Bell Sympatico and a host of legitimate email providers, find themselves in the invidious position of having to buy more and more equipment to try to filter out more and more spam. In my conversations with some of these providers — not all of them but with the president of the organization — I was requested to include in the bill, which I have done, a provision that the legitimate Internet service providers, ISPs, be permitted to stop spam, filter it, and stop the sending or the receipt of spam messages from any other ISP who is the host for the spam.
That provision puts the Internet service providers in Bulgaria, Ukraine and Russia in a position where Canadian ISPs can stop all the messages from those people who include spam in their services, as a result of which those providers must be particularly careful about whether to continue forwarding spam messages.
I draw your attention to this particular point. May I have another five minutes, madam chair?
The Chair: Yes, a short five.
Senator Goldstein: Thank you. The volume of spam arising in inboxes around the world suddenly plummeted on November 12, 2008, by at least 25 per cent after McColo, a major web hosting firm engaging in spam activity, was taken offline by two American providers. Canadian ISPs must be given a similar legal framework to isolate cybercriminals. The sudden drop on the graph there speaks for itself.
When and if Internet service providers can stop spam coming from abroad, the amount of spam will diminish significantly. Individuals are also given a right to go after spammers and to sue them as an individual right of action. Therefore, simply passing legislation to outlaw spam is not sufficient; however, legislation is a key part of the solution to curtailing the flow of spam.
This bill has received support from Tom Copeland, Director of the Canadian Association of Internet Providers; Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa; and a number of others.
[Translation]
The Chair: Senator Goldstein, you mentioned Bill C-27 that was tabled by Minister Clement last week and that has to do with electronic trade. Do you know about this bill?
Senator Goldstein: We are engaged in a very interesting process. The minister was aware of the fact that I was about to table this bill. He requested that we get in touch and informed us that he was about to introduce a bill himself.
I told him to go ahead, but if he did not introduce it before a given date, then I would do it myself. Given that he did not introduce the bill before the given date, I went ahead. Perhaps you might remember a minor incident that happened one Thursday in the House of Commons, when there was a kind of. . . I would not call it a collision, but quite a lively discussion between Senator Comeau and myself.
In any case, the bill was introduced. Afterward, I agreed not to ask for the bill to be sent to the committee before the 28, or that the committee would not start studying it before the 28, just in case he had not introduced his bill.
The date for my appearance was set today, and he introduced the bill last week.
His bill is similar to mine. As the saying goes, imitation is the sincerest form of flattery. Both bills contain interesting and important features.
The Chair: Do you find any elements of Bill C-27 in your bill? Or any elements from your bill in the government's bill?
Senator Goldstein: We should draw some distinctions. The bill introduced by the minister is addressed to three levels of government intervention: the Competition Commission, the Privacy Act and the CRTC. With all due respect for the minister, I think that the excessive regulation brought in by the three levels of government is a flaw, but it will be up to you to decide.
The minister's bill does not contain an element of liability for the person who authorizes spam, it does not give any protection to Internet service providers who block the spam, and I think that they need this protection. There is no presumption to the effect that spam received in Canada has been sent by Canadians in Canada, and in my opinion, this is a fatal flaw.
On the other hand, I presume that the department would certainly say that some elements in my bill should not be there. The minister's bill was introduced on the sly so that the French and English versions do not necessarily correspond.
I believe that the committee will have the opportunity to choose the best elements in both bills and to amalgamate them in order to protect Canadians.
The Chair: With regard to the formal requirements for the content of commercial electronic messages, have you told the people at Advertising Standards Canada as well as the government people in charge, about the need to adopt standards for regulating commercial email?
Senator Goldstein: I was in touch with many stakeholders, including government representatives. I had a long conversation with a government representative who is very active on the operational side of the working committee. Unfortunately, he was transferred to another position and he is no longer with Industry Canada.
I had significant consultations with all kinds of people. It was all above board. I told these people about what I intended to include in the bill so that the government bill and my bill would be identical.
The Chair: Have you discussed this with Internet service providers? If you have, did you speak of the impact that Bill S-220 would have on their clients?
Senator Goldstein: Yes. I had the opportunity to meet Mr. Tom Copeland, the Director of the Canadian Association of Internet Providers, who greatly helped me in conceiving certain features that I included in my bill.
Quite probably, the government also discussed this with Mr. Copeland because some of the same concepts are also included in the government's bill. Besides, I had asked the minister to introduce his bill in the Senate instead of the other place, which would have been much more efficient. Unfortunately, for reasons that I do not know, he did not do it.
[English]
Senator Wallace: Senator Goldstein, first, I congratulate you on your efforts in bringing this bill forward. We had a personal discussion a few weeks ago when you took the time to explain the rationale of your bill to me. I appreciate that discussion. The work you have done here is to deal with a scourge on our society today, so I compliment you for that work.
Senator Goldstein: Thank you.
Senator Wallace: I want to come back to Bill C-27 that was introduced in the house, the Electronic Commerce Protection Act. I gather from your comments that you have had an opportunity to review that bill. My understanding is that the bill is a comprehensive approach to this serious problem.
After reviewing Bill C-27, are there critical elements in that bill that you see missing in your bill, and in some ways would you consider Bill C-27 to be more comprehensive and perhaps in some ways better able to address some of the key issues? Obviously you have covered many of the issues, but how do you compare Bill S-220 to Bill C-27? Are there examples of what we would see in Bill C-27 that are not present in your bill?
Senator Goldstein: Thank you for the question, senator, and for your kind comments.
I am always suspicious of bureaucracy, and I suppose many people around the table are also a bit suspicious of bureaucracy. The government bill provides for three levels of bureaucracy to be involved. My experience with multiple levels of bureaucracy has been frequently that each takes the position that any particular problem belongs to the other. With great respect, I do not think those levels of bureaucracy are necessary.
The bill I put forward has no bureaucratic content. I was expecting, in large measure, citizens, citizen groups and ISPs to be sur le qui-vive, and I was assured by ISPs that if they had the immunity to do so, they would take care of it for us. I think the best way to take care of a problem is for the marketplace to take care of it instead of the government. I am spouting a bit of your philosophy, Senator Wallace, but I do not disagree; it is a good philosophy.
There are broader elements here. There is an element of injunctive relief in the government bill. A variety of other elements could be useful. I think the bills can be dissected and the best of both taken, and we can come up with a superbill for the protection of Canadians. For example, the government bill does not impose in its terms an obligation on the commercial beneficiary of the spam message. The bill provides that the person on whose behalf the message is sent may be liable.
In a previous life Senator Wallace was a lawyer. ``On somebody's behalf'' provides a mandate or agency, and these relationships are not agency relationships. These relationships are master and servant relationships, to use our terminology, and I think that is a problem in the government bill.
The absence of a presumption that spam has been sent from Canada if it is received in Canada makes it impossible for us to filter out 96 per cent of the spam that we receive. I think that absence is a problem.
On the other hand, elements of the government bill can be incorporated properly, and should be, in the private bill. I do not have any pride of authorship. I think it is important for Canadians to have the best legislation possible, and I think this committee can provide it.
Senator Wallace: Thank you, senator. You are a strong advocate for your bill, which I would expect. Your level of knowledge and background in all this area certainly exceeds my own. Can you provide us with anything that might indicate the elements of Bill C-27 that you feel are particularly useful and not present in your bill? That information might be helpful as we sort through this bill. I realize there has not been much time but have you had the opportunity to compare in detail Bill C-27 to your own, and compare the points, issues, strengths and weaknesses of each?
Senator Goldstein: No, senator, I have not. I saw the bill for the first time yesterday at 10:40 p.m., so I have not had much of chance to do so.
I think the government bill must be looked at more carefully. By way of example, clause 2(4) of the government bill — you do not have it which is why I want to read it — says:
An electronic message described in subsection (2) or (3) that is sent for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.
[Translation]
The French version says, ``N'est pas considéré comme un message électronique commercial . . . .''
[English]
This is one area where the English and French simply do not correspond. The bill was perhaps written in a hurry and we have to look at that.
If you consider it useful, honourable senators, I will undertake to give you some brief summary of the distinctions between the two bills and the features of each one that are not necessarily contained in the other and that you may want to incorporate in an omnibus bill. It will make your work easier.
If you want to do that, I suggest you have people more expert than me to come before this committee, specifically Professor Michael Geist of the University of Ottawa who is, by far and away, the leading Canadian, probably the leading world, expert on email spam. I am sure he could do a better job, but I will still undertake to supply that information to you.
Senator Wallace: Regardless of how we may use it, I think having your analysis in that regard would be helpful. Thank you once again, senator.
Senator Goldstein: Thank you, sir.
Senator Mercer: First, thank you, colleague, for introducing this greatly needed legislation. Whether it is this bill or Bill C-27 that makes it through the process, the legislation is greatly needed. I continue to be disappointed that my $5.5 million has not arrived from Nigeria. I know thousands of other people are concerned about that situation as well.
I want to talk about the exemptions. In Bill S-220, under clause 8, you talked about political parties, registered charities, candidates for nomination, educational institutions, et cetera. As someone who has worked in the charitable field all my life, one thing needs to be clear. Where you talk about educational institutions, you say that ``the recipient is, or has been, enrolled as a student at that institution.'' That means the student or an alumni. I understand that. Then you go on to say ``a member or former member of the recipient's household is, or has been, enrolled as a student at that institution.'' I receive emails from the University of Ottawa where my son used to be a student, so I understand that.
However, you have not been clear on, and have skipped, hospitals. This problem is a major one that happens with hospital charities. There is a hospital-patient relationship. There is difficulty in some provinces, and it is a difficulty in my own province, that the foundations in charge of raising the money for the hospital, for example, the Queen Elizabeth II Hospital Foundation and the Isaak Walton Killam Foundation in Halifax, do not have open access not to patients' medical files but to the information that is required for the foundation to interact with those people. The interaction is required to solicit not only their money, because that is important, but also their support and their stories that can be used to promote the institution.
I do not see any reference to hospitals in here. Saying registered charities ``within the meaning of subsection 248(1) of the Income Tax Act'' is one thing. You need to be more specific in the discussion of health charities.
I will ask both my questions at the same time. When you talk about phishing, which is an interesting term, where does phishing fit?
In the last presidential campaign in the United States, then-candidate Senator Barack Obama did the following on a number of occasions. When speaking to thousands of people he said, I want you to ask me some questions; and projected on the screen behind him was his email address or his telephone number at which people could send him text messages.
Somewhere behind the scene, someone was monitoring the questions that were coming in by the thousands from people in the audience. Then, a question was chosen from someone in the audience, and he read it and answered it.
The politics was effective, but what else did he do? He mined the audience. He now had their email address and perhaps their cellphone number. Soon, on whatever device they communicated to him with, there was a message saying, ``Thank you for coming to our rally this evening. I appreciate your participation. I appreciate the fact that you posed the question, and I hope you will support my candidacy. By the way, campaigns cost money,'' and he would ask the individual for money.
Where does that activity fall in here? You say political parties are exempt but then you talk about phishing. This campaign was one of the biggest and most successful phishing expeditions in political history. I like the idea. I encourage Michael Ignatieff to do the same thing this Saturday in Vancouver when he speaks to thousands of people. However, where does that activity fall into the scheme?
Also, please respond to my question on hospitals.
Senator Goldstein: Thank you for both questions, senator. Both are extremely important.
I will start with health foundations. As far as I am aware, all hospital foundations enjoy the benefit of an income tax number. If they do enjoy that benefit, all their messages are exempt under paragraph 8(3)(c), which covers registered charities. Any registered charities, which includes hospital foundations, are covered by this provision in any kind of message they send. It may be ``come and volunteer;'' it may be ``give me some money;'' or it may be both, but any kind of message emanating from these exempt people is an exempt message.
With respect, I think that situation is probably covered. However, if it is not, and if any problems arise with respect to other types of agencies, people or institutions that should be exempt, there is an additional saving provision at paragraph 8(3)(h), which says ``any other person prescribed by regulation.'' That situation, by the way, is also covered in the government bill. It allows for the making of regulations to exempt certain people.
Two provisions cover the Barack Obama phishing situation. The first is in clause 9(b), which says what consent is, because if someone consents to receiving a message, then they can receive the message. Clause 9(b) reads:
it would be reasonable to assume that the electronic address was published with the knowledge of the individual or person concerned.
The individual who provided their email address in asking President Obama a question has necessarily consented to this message. The government bill is somewhat different. The government bill speaks of ``tacit consent.'' I used to teach law, and I taught that tacit consent is never consent, because we do not know what tacit consent is. Tacit means a passive lack of activity. I do not know what tacit consent is, and I do not think Senator Wallace, who is also learned in the law, would be prone to use words like ``tacit consent.''
Both these issues are covered, but if better coverage is required, Senator Mercer, by all means make the suggestion and change it. I will try to be helpful with that suggestion.
Senator Mercer: Paragraph 8(3)(h) says:
any other person prescribed by regulation.
The devil is in the detail. I am not a big fan of the Canadian Radio-television and Telecommunications Commission, CRTC. They have a habit of not administering legislation. They have a habit of making legislation outside of Parliament and sometimes ignoring what parliamentarians say directly or indirectly.
Who will propose these regulations? Will it be the minister? You mentioned in your presentation the CRTC and other agencies. I would be much more comfortable if regulation comes from Industry Canada than if it comes from the CRTC. I can get at Industry Canada, and the Canadian people can get at Industry Canada. They can defeat the government and the minister in that post. We cannot get at the people of the CRTC, and they sometimes do not seem to respond to common sense.
Senator Goldstein: Bill S-220 does not involve the CRTC or any other government agency. The Ministry of Industry would make the regulations.
The government bill involves three agencies. If your concern about agencies continues to motivate you, you may want to consider deleting the role of agencies, which I do not think is essential to the government's bill. Frankly, I do not understand why the government included those three agencies.
A year ago, the Privacy Commissioner appeared before another committee on which I sit and was asked to assume an additional burden of some kind. She said she does not have the personnel to assume an additional burden, and she would not do it; not because she did not want to, but because she could not. I do not think she has been given additional personnel, so I do not see how logically she can be involved in a spam bill if she cannot do anything about it, nor do I see why she should be involved. After all, all of this is the protection of privacy.
Senator Mercer: That should be a heads-up to the government officials that I will be looking for CRTC if that bill comes our way.
Senator Zimmer: President Obama went beyond even what Senator Mercer described. He held up his phone and said, ``Email me your address,'' and he scooped the whole audience. That approach was innovative, but costly.
This issue is out of control. It is an invasion of privacy; it is costly; and it is downright annoying.
Bills of this sort were introduced in Parliament on many previous occasions and typically have not proceeded past second reading. The government also established a task force on spam, which issued a report and then, nothing further was done.
Why do you suppose nothing has been done, and what do you presume is different this time that will entice this bill to go further?
Senator Goldstein: I have learned in my relatively brief stay in this institution that, indeed, private members' bills frequently suffer the fate of perdition in that they float off somewhere in the distance never to be seen or heard of again. I have four bills pending at the moment. I make the difference in my own mind between hope and illusion, and there is a significant difference.
This bill is different. The government has reacted. By the way, it is not a political issue because the Liberal government did not do a darn thing about spam, either. What I am saying is not a partisan remark. I think both governments have been equally guilty of ignoring a serious problem.
However, this government has reacted, and if I wanted to be self-congratulatory, I would say that I forced them to do so. If I wanted to be more realistic, I would say that they got around to it. They have a large agenda and they got to this part of the agenda, and that is fine.
I do not look at this bill as being necessarily one that should be adopted. I think elements in this bill are useful, and elements in the government bill are useful. I think this committee is uniquely suited and able to take the best of both bills and make a super piece of legislation out of them.
Senator Zimmer: How do you see this process working? Will you wait now until Bill C-27 comes to the Senate, use that bill as a framework, take the best parts of your bill and incorporate them into their bill as amendments? Do you see it working that way or in the reverse?
Senator Goldstein: When Minister Clement tabled the bill, he did so with a press release that indicated that the government was committed to fast-tracking this legislation. I will speak to the leadership of the Liberal Party at tomorrow's caucus in the hopes that we can aid the government to fast-track the bill; move it here as quickly as possible, have it referred to this committee as quickly as possible and let you do your work on this bill and that bill simultaneously.
Senator Zimmer: Thank you, Senator Goldstein, for taking the leadership and initiative to push this issue further.
The Chair: In the press release, the minister mentioned both you and Senator Oliver, who has already put a lot of work into this issue.
Senator Eyton: Senator Goldstein, thank you for your presentation. Except for the fact that the government has now introduced Bill C-27, I would have spent more time on the detail and facts that you outlined, which I found interesting.
There is one probably significant difference for me, and that is the happy assumption that those parties that should be exempt are charities, political parties and polling companies. I would have said that they are exactly the people who should be covered by the legislation, referring to an opt-in process as opposed to an opt-out process. They are there, they are ever-present and generally they bother me, but I will leave that matter because of the intervention of Bill C-27.
For the record and for Senator Mercer, a few have referred to Obama's slick phishing expedition, the resulting information that came from it and the dialogue that emanated from it. You should know, as a matter of record, that the platform in that process was designed by a proud, newish-but-growing Toronto company that has the unique skill in developing an Internet platform that allows, in effect, people to speak to each other. It is called M30 Communications, and it was retained by the Obama organization to help in that effort. The company may be an interesting witness for us because they are at the leading edge of that function using the Internet.
For the record, and partly responding to Senator Zimmer, the anti-spam legislation is part of the Conservative platform. Following on that platform, the Prime Minister announced that the government would proceed with anti- spam legislation, I think in September of last year. Now they have come through with Bill C-27, which was introduced last week, or recently, in any event. There is a pattern, it is consistent and the government appears to be performing according to that commitment.
It is the government's view, having had now an early look at both bills, Bill S-220 and Bill C-27, that Bill C-27 is more effective than Bill S-220; that Bill C-27 has low-to-medium Charter risk — the implication is that Bill S-220 may have greater Charter risk; and that Bill C-27 has an enforcement scheme admittedly involving three organizations. The question is whether the three organizations, the CRTC, the Competition Bureau and the Office of the Privacy Commissioner, will work harmoniously and effectively together. Finally, Bill C-27 provides for international cooperation and information sharing with enforcement counterparts worldwide. The government has been consistent and it believes that Bill C-27 is a better bill than Bill S-220.
Picking up on Senator Zimmer's point, the choice is considering both bills in combination, which seems to me is complicated; considering Bill S-220 with amendments that we might suggest; or considering Bill C-27 with amendments that we might suggest. Those points are the broad outlines.
I think, and I want your response to this, we are better to climb on a moving train where the engineer is the government and where there is natural momentum. It may be a simpler and easier process politically and process-wise to deal with Bill C-27 as opposed to your bill, which may pose more complications in processing, and politically. Can you comment on that?
Senator Goldstein: That question was a fulsome one, Senator Eyton. Let me start with a small part. You were encouraged by the fact that polling is an exempt commercial message. That exemption exists in Bill S-220 but not in Bill C-27. There are a dozen — I have not counted them, but many — pieces of Bill S-220 that are not in Bill C-27. For example, the CAN-SPAM legislation in the United States has failed. No one disagrees with that judgment. The primary reason for its failure, according to the experts — and I am not an expert — is that the legislation relies on international cooperation to diminish the quantity of spam. Bill C-27 also relies on international cooperation to diminish the quantity of spam.
I tried to avoid that problem, which I think is fatal to anti-spam legislation, by putting forward a deeming provision that says that all spam that is received in Canada is deemed to have been sent in Canada. That provision avoids the entire argument of extraterritoriality; it avoids the entire issue of who has jurisdiction over what; and it frankly avoids the necessity of relying exclusively on international cooperation.
If someone sends a piece of spam from the Ukraine on behalf of some commercial beneficiary in Canada, the commercial beneficiary in Canada will pay the price of that spam. Otherwise, if we do not have that kind of deeming provision, people who want to promote their products through the use of spam in Canada will have the spam sent from the Ukraine, Nigeria, Morocco or wherever. I think that is one of the problems with the government bill.
That having been said, when I introduced this bill in second reading, I said that I have no pride of authorship. If the government bill is to be adopted, hopefully with amendments that make it more effective, that suits me fine. I am perfectly happy for that to happen.
I do not care whether this bill or that bill is adopted, so long as we take the elements that are best for Canadians from one bill and put them in the other. That is, I do not care if that is the government bill or this bill. This bill seems to be a bit faster because we are already in committee with it and it will be simple to go to third reading once the committee finishes with it, and then we are back in the other place, if that is what the government wants to do. I prefer to fast-track the government bill and send it to this committee quickly, hopefully within the next two weeks. That approach will give this committee the opportunity to listen to experts and to take what is best in both bills, and to give Canada the best of all possible worlds.
[Translation]
Senator Pépin: Senator Goldstein, according to subsection 3(2) of your bill, you absolve telecommunications service providers from all liability with regard to spam.
Is there any kind of obligation for service providers to help people who are victims of spam to trace the spam back to its senders?
When we look at section 25 under ``Civil action'', we see that when a person who wants to prosecute cannot identify the sender of the spam, the service provider could help a great deal to try to get in touch with the person who sent the spam.
Senator Goldstein: Here is how the bill is structured: every email message must contain, within the message itself, sufficient detail to identify the sender of the message. Non-compliance in including this information is an offence that makes the offender liable to a fairly serious fine.
However, if the identification is included in the email message, it is fairly simple to stop that person from sending spam.
We presume that the Royal Canadian Mounted Police or an individual or the service provider can stop this spam from landing in our email inbox.
The Chair: So, could the service provider put a stop to it?
Senator Goldstein: Yes he could. And a service provider acting in good faith cannot incur any liability. The bill explicitly provides that there is no liability for ``a telecommunications service provider acting in good faith. . .''.
Subsection 26(1) provides that a telecommunications service provider may refuse or cancel service or access to any person if the provider has reasonable grounds to believe that the commercial electronic messages are sent in contravention of this act. This provision was made upon request by service providers who asked me to include it. The federal bill, in fact, has no such provision.
[English]
Senator Housakos: I congratulate you on the initiative. Spam is both a huge problem and a growing one. The problem is complicated because we are in uncharted territory. I look at Bill S-220 and Bill C-27 and I am concerned with a couple of things. I agree with you: If we put the two together, I think we are probably moving a step forward. I think other amendments can be made even after that, but, when it comes to the categorization of spamming, there is a lot. We can break it down to different types of spamming that are taking place, in my opinion. There is illicit false marketing spamming, phishing, identity theft and spyware. In both bills, I find there is no breakdown of the different categories of what is taking place, which would be useful because it is coming at us from different directions with different objectives.
I also want to echo what Senator Mercer said. I see a government bill. Obviously, the bill is pushing the monitoring of all this activity to the CRTC and Industry Canada. I have not been impressed with these organizations, especially Industry Canada and how they deal with some of the commercial complaints side of things in the business world. I agree with Senator Mercer on the CRTC. They take legislation and craft it and adjust it to their needs, depending on how they see fit.
I want your comment on your bill and on the government's bill: Do you think the categorization is clear enough? Is a mandate being given to the CRTC, or to whom will we give the mandate to police this legislation?
Senator Goldstein: That question is important, and I thank you for asking it.
I think it is important that the statute define what we are talking about. Phishing should be defined, as should dictionary attacks and all the terms that the people who know a lot about this subject throw around among themselves. The terms are shorthand for concepts that they understand and that ordinary mortals like me do not.
Your first point is clearly valid. Neither bill adequately defines all the spam — that is, all the types or classes of spam that we seek to avoid. I tried to avoid that definition in my bill on the theory that if we try to take in too much, we are left with not much. Perhaps that approach is wrong. In the course of your study, you may consider it appropriate to include some definitions; that is perfectly fine.
With respect to your second observation, the thrust of Bill S-220 is radically different than the thrust of Bill C-27 in terms of enforcement. Bill C-27 puts enforcement in the hands of currently existing government agencies. I said earlier that these agencies are marvellous and they do their best, but sometimes their best may not be good enough for special purposes. Some people are critical of some of those agencies. That enforcement, however, is the thrust of the government bill.
The thrust of Bill S-220 is to place responsibility for enforcement in the hands of people who want to do the enforcement, namely, the ISPs. These people must invest millions upon millions of dollars — and they complain about it every day — to become better and more sophisticated, with greater capacity bandwidth and greater capacity machinery, equipment and complex electronic supplies and machinery in order to block the billions, not millions, of spam messages that come across the ether virtually daily. These people want to stop spam in their own best interests. That situation is different from the CRTC, the Competition Bureau or the Privacy Commissioner stopping spam. We have all had experience, in Canada and elsewhere, with people who act in their own self-interest. Commerce acts efficiently and effectively in its own best interests. By giving the ISPs, in clause 26, a relative immunity, if they are in good faith, they will stop the bulk of spam.
I gave you a slide in the middle of the deck, page 27. One spammer was stopped last August by ISPs, not by government, and the volume of spam worldwide went down 25 per cent in two days. That is because it was ISP- enforced. The CAN-SPAM bill, which is the American statute, puts enforcement in the hands of the government agency and it has done nothing to stop spam.
What message does that situation give us? It tells us that private enterprise is the best place and person to stop spam. That is what Bill S-220 does and that is what, with respect, Bill C-27 does not do.
Senator Housakos: How do you connect them with a police force in order to start breaking down some of the illicit operations that are taking place now?
Senator Goldstein: It is a criminal offence. We have both provincial and federal police forces to enforce criminal offences.
Senator Housakos: The problem now, with the lack of legislation, is that the police obviously have not had the capacity. My follow-up question concerns the need for more resources in order that police forces can have the capacity to execute on this type of legislation.
Senator Goldstein: I cannot answer that question because I do not know. What I do know is a basic law of nature: Any time any enforcement activity is assigned to anyone, it requires more resources. Should it be assigned to the Competition Bureau? Should it be assigned to the Privacy Commissioner? Should it be assigned to the CRTC? Should it be assigned to the RCMP?
Senator Housakos: My view is this enforcement perhaps requires an agency in its own right.
Senator Goldstein: Perhaps.
Senator Housakos: If we look at the magnitude of the problem, this enforcement will be tougher than policing drug trafficking in this country.
Senator Goldstein: That could be. However, if we have the ISPs on our side, if we have the providers on our side, some of them are powerful people. I am talking about Rogers and Bell. If they can say, now I can stop spam, now I am allowed to stop the ``damn spam'' that is coming through — and they call it ``damn spam'' — then maybe we will not need more enforcement. However, I do not know, senator. Your question is valid and perhaps the question has to be put to these three agencies and to the RCMP.
Senator Zimmer: This question is supplementary to the previous question by the senator. Canada is the only G7 country that does not have anti-spam legislation. As we know, and as you mentioned, bills are passed and sit for years unenforced. Referring to slide 27, as you did, two American ISPs removed a couple of websites and there was a spike down but it came right back up.
I have two questions. First, was the vacuum, like mercury, refilled? Second, do you have any empirical evidence of other countries that have legislation and have been policing this matter; the penalties that have been enforced and how effective they have been?
Again, senator, it is the follow-up; it is fine to pass the bill, but if it is not effective or we do not have feedback and empirical evidence of it being successful, then the legislation is worthless.
Senator Goldstein: We have the empirical evidence of two ISPs in the United States having stopped McColo and the volume of the spam has been lower ever since. If you look at slide 27, the volume went down significantly for six months and then it went back up again. It went back up because the ISPs were afraid to take McColo out again. However, in this legislation, my proposed legislation, under clause 26 the ISPs are protected, if they are in good faith, if they take out the McColos. The ISPs have told me that if they have that weapon, they do not need any further enforcement.
That having been said, individuals also are given a right of action under my bill and under the government bill to stop spam. If individuals receive a gazillion pieces of spam asking them to do whatever they are asked to do and they decide they do not want to receive these pieces any more, and they write them to stop and the senders do not, then the individuals, themselves, can sue for the damages that have been suffered. Alternatively, the individuals can lay complaints, provincially or federally, under the Criminal Code and the fines are significant.
I believe the RCMP is the logical place to provide the enforcement. There is a commercial fraud section within the RCMP, which is effective. I have worked with them. I have not for the past five years because I changed careers. When I was practising law and specifically bankruptcy and solvency law, I worked with them on bankruptcy frauds, and they are an effective group of people. They work hard, they understand commercial aspects of the law and they are effective people. If they provide the enforcement, that is fine. It may be that others can provide the enforcement too. I do not care; I only want it enforced.
[Translation]
Senator Pépin: It seems to me that for Bill S-220, you were inspired by Australia's Spam Act 2003. Why did you choose to refer to Australia rather than to other countries? Is there any proof of the efficiency of this legislation in Australia?
Senator Goldstein: My answer will also partly answer the question that our two colleagues put earlier. Australia adopted legislation based on a principle similar to the principles that inspired Bill S-220. There was a significant decrease in spam, without introducing any special agencies into the field, without any CRTC nor any competition commission or any government agencies. The structure of that bill, which is similar to the structure of our bill, effectively eliminated a substantial amount of spam.
It is purely wishful thinking to say, as Bill C-27 says, that we hope for cooperation at the international level.
Senator Pépin: Therefore, we must enforce Bill S-220 in the way you described?
Senator Goldstein: Indeed.
The Chair: Thank you, Senator Goldstein.
[English]
We appreciate your presence here with us. Thank you for inspiring us with the dealings with Bill C-27 and your bill also.
(The committee continued in camera.)