shep.ca

This is part nine of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

Part 1: Terminology

Part 2: Parameters

Part 3: Big Numbers

Part 4: Case File – Compu-Finder

Part 5: Case File Anthology, 2015-2016

Part 6: Case File – Blackstone Education

Part 7: Case File Anthology, 2017-2018

Part 8: Case File – Brian Conley/nCrowd

Part 9: Case File Anthology, 2019-2022

Core resources:

The Act

Enforcement Actions Table (CASL selected)

December 12, 2019

A $115,000 AMP issued for violations of s9 of CASL against John Paul Revesz and Vincent Leo Griebel, partners, Orcus Technologies.

This is one of the rarer cases of malware under CASL; in this case the Orcus Remote Administration Tool (RAT) found by the CRTC’s Chief Compliance and Enforcement Officer to be a remote access trojan, a type of malware, confusingly also with the acronym RAT.¹I don’t know if Orcus was being cute with the name, or this is just a coincidence.

This, in combination with the sale of a DDNS (dynamic domain name server) service to hackers to allow them to communicate with RAT-infected computers, resulted in two NOVs for Revesz and Griebel²Nerd note: if you’re going to be a villain, take a hard look at your last name, put the word “Darth” in front of it, and see how it sounds. If it’s credibly somebody who would wear all black and whack at people with a lightsaber, reconsider your whole deal. resulting in $115,000 in penalties — $100,000 for developing, selling and promoting malware, and an additional $15,000 for the DDNS service.

A news story on this, from Krebs on Security, a security consultant’s site.

And a short summary in Slaw.

It’s pretty open and shut: clear evidence of what the RAT did, clear evidence of both Revesz and Griebel bragging on hacking forums about its ability to steal information and passwords.

Note that at the time this AMP was issued, it was for section 9 of CASL:

It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.

Canada’s Anti-Spam Legislation, s9

Per the NOV, an investigation was still underway to determine if the RAT actually been installed without consent on systems, which would be a violation of section 8:

8 (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless

(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or

(b) the person is acting in accordance with a court order.

Canada’s Anti-Spam Legislation, s8

…and unlock penalties up to $1,000,000.

The Orcus RAT seems to be alive and well as an open-source piece of software for jerks to try to use.

Some mysteries here:

The NOV has a February 2020 update that states that the time for response expired, so the issued AMP becomes enforceable:

Update 17 February 2020: Pursuant to section 24(1) of CASL, the deadline to make representations with respect to either the amount of the penalty or the acts or omissions constituting the alleged violations was February 3, 2020. Given that no representations were made, pursuant to section 24(2) of CASL, John Paul Revesz is deemed to have committed the violations and must pay the administrative monetary penalty as set out in the notice.

Where’s Griebel? Per this news story, he’s German, so that might be why he was dropped.

Stranger still: where’s the criminal charge?

$115,000 in penalties should be the least of Revesz and Griebel’s worries (if Griebel is still in play). Cybercrime is a thing, and the abovementioned news stories mention criminal charges filed by the RCMP. But the links in the stories to the 2019 RCMP press release go to a 404 page. It’s not a broken link; searching their news, there’s nothing for Revesz, Griebel or Orcus.³Testing the search function, by comparison, there’s 4,385 results for “Grand Falls,” which I used as a test because it was mentioned in the top story – now I’m deeply worried about what in God’s name is going on in Grand Falls.

There’s nothing in CanLII showing any court action: nothing relevant for the search terms Revesz, Griebel, or Orcus. Similarly nothing in WestLaw or Lexis.

When I hit the Wayback Machine, I can find an archive of the news release.

But – despite it saying Revesz will appear in provincial court on December 5 – again, nothing in the legal databases about the court appearance. Nothing in an Ontario court case search for all Toronto jurisdictions, either.

The Orcus RAT was first outed as malware in July of 2016, with Revesz and Griebel posting openly about its utility to hackers. It even looks like Krebs did the heavy investigative lifting for the government.

A 30-month delay between this becoming public knowledge and action being taken to stop it by Canadian authorities – and then, seemingly only $115,000 in penalties – is worrisome. The lack of any charges – or delay in bringing charges – is worrisome.

If CASL is the only mechanism taken against a Canadian promulgating hacking tools, that’s troubling. The scope of these is CASL, and I don’t want to go too far down a rabbit hole about how cybercrime is prosecuted, but a scheme designed at its heart to deal with spam shouldn’t be our first and last line of defense against malware created and propagated here in Canada.

And – finally – the fact that this is only $15,000 more than Conley and nCrowd is an eyebrow-raiser as well. In the latter case, a very scammy cluster of shady companies sent out a lot of spam emails to try to get people to buy deal coupons of very limited utility. In this case, malware was unleashed on the Canadian public and promoted to hackers globally. The consequences of buying a bad coupon from a deals site versus giving hackers total access to your computer, which could easily extend to identity theft and all your banking information, is a huge gulf.

This doesn’t feel like a $15,000 swing to me, but that might be attributable to the fact that this is only a s9 violation and an investigation is still, per the NOV from almost four years ago, underway to see if Revesz also violated s8.

If nothing else, this has convinced me to keep my antivirus and malware checkers up to date.

Issued penalty: $115,000

Final penalty: $115,000

Total issued AMPs: $2,782,000

Total imposed AMPs/monetary penalties: $1,068,250

Differential: $ 1,713,750

September 21, 2020

What is it with not-quite-education companies in this space? Compu-Finder, Blackstone, and now a $100,000 penalty levied against OneClass, a service that connects students with user-generated study guides, lecture notes and video tutorials. Decision here, plus a press release.

This seems open and shut: OneClass sent CEMs without recipient consent, and (allegedly) installed a Chrome extension that harvested personal information including usernames and passwords on students’ computers. U of T still has a news piece up instructing students of the phishing email: in essence, it looks like it would access the user’s Blackboard class lists to send emails to all classmates inviting them to join OneClass. The U of T item also has instructions on how to remove it. As phishing goes, this is on the spammy but not super harmful end of things.

Issued penalty: $100,000

Final penalty: $100,000

Total issued AMPs: $2,882,000

Total imposed AMPs/monetary penalties: $1,168,250

Differential: $ 1,713,750

March 29, 2021 / January 4, 2022

A 2021 notice of violation and $75,000 AMP for Scott William Brewer, later reduced to $75,000 in payment in 2022.

Brewer committed violations in two categories – affiliate marketing, earning a commission from CEMs sent without consent to recruit people to an online gambling site, casinoonlinesoftware.com, and direct web marketing for his own online marketing and web business.

The CRTC apparently only investigated three of Brewer’s campaigns, topping 600K emails, despite

Corroborating information reviewed during the investigation indicated that Brewer may have been responsible for sending, causing or permitting to be sent, several million non-compliant CEMs. During a sample period in the investigation, approximately 11 million emails were sent from Brewer’s IP address over a 24 day period.

This, called a “hailstorm campaign,” prompted a press release from the CRTC claiming this as the “largest ever penalty to an individual for sending messages without consent”. Which seems odd, as Brian Conley was subject to $100,000 under vicarious liability for similar violations two years before. Key quote from the Chief Compliance and Enforcement Officer from that release:

“Spam campaigns, such as those carried out by Mr. Brewer, are disruptive to Canadians and undermine their confidence in electronic commerce. Obtaining consent is a fundamental principle of Canada’s anti-spam legislation. The penalty issued today demonstrates that individuals are just as accountable as businesses and must respect this principle.”

And then, 10 months later, it’s no longer a $75,000 penalty, but one for 10% of that amount. The final undertaking says:

Brewer cooperated with the CCEO, provided new information not previously available to the designated person, and has voluntarily agreed to resolve the CCEO’s outstanding concerns regarding compliance with the Act and the Regulations (CRTC).

And later, that the $7,500 penalty

…fully and completely resolves all outstanding issues between the Commission and Scott William Brewer with respect to his compliance with the Act and the Regulations (CRTC) in relation to the CCEO’s investigation into the sending of CEMs during the period of 1 December 2015 to 23 May 2018 and up to the effective date of this undertaking.

Scott seems to be doing fine, with a business pivot to site-building for SEO and sales conversions, per his LinkedIn profile.

Issued penalty: $75,000

Final penalty: $7,500

Total issued AMPs: $2,957,000

Total imposed AMPs/monetary penalties: $1,175,750

Differential: $ 1,781,250

December 6, 2021

A $200,000 imposed AMP to the Gap, for a marketing campaign including its subsidiaries Banana Republic and Old Navy – CEMs without consent and without an unsubscribe mechanism.

Gap seems to have agreed with the CCEO, agreed to pay, and implement a compliance program.

No specifics in the NOV, unlike previous decisions that articulated a number of campaigns or messages; here’s the decision in full:

Straightforward.

And here, for the last time (as of August 2023, with the Brewer decision in 2022 being the final one reported⁴It’s been 19 months since the last reported CASL enforcement decision, which is the longest gap in its history.), is the tally:

Issued penalty: $200,000

Final penalty: $200,000

Total issued AMPs: $3,157,000

Total imposed AMPs/monetary penalties: $1,375,750

Differential: $ 1,781,250

The difference between the imposed and issued penalties is greater than the penalties imposed, which is interesting. We’ll get a bit into that when we move into the wrap-up of this whole thing, coming next.

• 1
  I don’t know if Orcus was being cute with the name, or this is just a coincidence.
• 2
  Nerd note: if you’re going to be a villain, take a hard look at your last name, put the word “Darth” in front of it, and see how it sounds. If it’s credibly somebody who would wear all black and whack at people with a lightsaber, reconsider your whole deal.
• 3
  Testing the search function, by comparison, there’s 4,385 results for “Grand Falls,” which I used as a test because it was mentioned in the top story – now I’m deeply worried about what in God’s name is going on in Grand Falls.
• 4
  It’s been 19 months since the last reported CASL enforcement decision, which is the longest gap in its history.

This is part eight of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

Part 1: Terminology

Part 2: Parameters

Part 3: Big Numbers

Part 4: Case File – Compu-Finder

Part 5: Case File Anthology, 2015-2016

Part 6: Case File – Blackstone Education

Part 7: Case File Anthology, 2017-2018

Part 8: Case File – Brian Conley/nCrowd

Part 9: Case File Anthology, 2019-2022

Core resources:

The Act

Enforcement Actions Table (CASL selected)

In April 2019, a $100,000 decision was imposed on Brian Conley (as an individual) for violations committed by the company he was CEO of, nCrowd, in a pair of identically dated decisions: first, a NOV, and second, a compliance and enforcement decision, both from April 23, 2019. You’ll recall this from our 2015-16 anthology post, where we saw the AMP issued (but not imposed) in December of 2016.¹Confusingly, in the table of enforcement actions, the 2016 Brian Conley entry doesn’t link to the issued AMP, but directly to the 2019 decision, so we can’t see the issued notice, only the final decisions.

The introduction of vicarious liability

This is the first time vicarious liability has been named in a decision: “Background,” final paragraph:

As a result of the circumstances cited above, specifically the fact that the companies involved were operational then dissolved or otherwise ended, any enforcement actions directed towards such companies would have no deterrent effect nor effectively promote compliance. Therefore, Commission staff pursued the corporate directors through vicarious liability in order to encourage future compliance with the Act.

It’s also in the title of the NOV itself, “Notice of Violation: Investigation into non-compliant emails sent by Couch Commerce Inc. and nCrowd, Inc. including the vicarious liability of corporate directors.”

Vicarious liability is part of the Act, as is the responsibility of directors and officers, in [s31-32] of the Act:

Directors, officers, etc., of corporations

31 An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.²Note the “whether or not” here — in theory, although it hasn’t happened yet, the CRTC could double-dip with both an institution and an individual being liable. Also — this is past the limit of my understanding, but this only applying to “corporations” seems unnecessarily narrow, but there may be a legal definition of “corporation” that differs from my understanding of the word.

Vicarious liability

32 A person is liable for a violation that is committed by their employee acting within the scope of their employment or their agent or mandatary acting within the scope of their authority, whether or not the employee, agent or mandatary is identified or proceeded against.³See above note re. this allowing the CRTC to penalize individuals across management and labour tiers.

And if the name Couch Commerce seems familiar, it should – these Couch Commerce investigations resulted in an earlier NOV against Ghassan Halazon (“in his individual capacity”) in 2017, as covered in our 2017-2018 anthology.  The CRTC states in  its September 2019 Activity Summary that this is its first vicarious liability finding. Halazon was the first finding to be resolved, but remember that Conley was first issued the AMP in December of 2016, prior to Halazon being penalized.

But nCrowd and Couch Commerce were only the tip of a massive, scammy iceberg: the web of companies connected to those two (and many, many brand names as well) was extensive, and kudos to whoever put the leg work in to pull it all together, resulting in this truly impressive chart that accompanies the NOV:

While the graphic design may be questionable, it’s quite a labyrinth of companies.

Where it lands is almost 3.5 million email addresses promoting what the CRTC doesn’t call, but I feel pretty free in describing, as a massive series of bait-and-switch deal scams; from the “Background” section of the NOV:

The key assets acquired in the chain of transactions listed in the chart were intangible, essentially the email distribution list, domain names and trademarks. These ownership changes allowed a new company to continue on the business with an ever larger email distribution list without the assumed liabilities of the former company. However, the continuity of service was damaged: as merchants ceased being paid for their products, they refused to ship products ordered by customers. As a result, both merchants and customers ended up losing money, since the voucher business closed or entered into bankruptcy proceedings before merchants and customers were fully compensated for their transactions.

Since these companies seem to launch and disappear rapidly (see the diagram above), the vicarious/director liability makes perfect sense. Tracking the person or people responsible, rather than the corporate entity, keeps the legislation viable when you’re dealing with MBAs who are shuttling through companies like three-card monte.

What’s not clear is how this is decided – why is Conley (and previously, Halazon) selected here, but in other instances, companies (Kellogg, Blackstone) are the recipients?

I have so many questions after seeing how Conley and Halazon, and nCrowd and Couch, are almost symbiotic through the life of these companies, their practically identical infractions, and the literally fractional penalty levied against Halazon as compared to Conley. Halazon was the executive vice-president of nCrowd while Conely was the CEO, for Pete’s sake.

The investigation alleged that commercial electronic messages (CEMs) were sent or caused or permitted to be sent by Couch Commerce to recipients without a compliant unsubscribe mechanism during the period of 2 July 2014 to 9 September 2014, while Mr. Halazon was CEO of Couch Commerce. More specifically, it was alleged that the unsubscribe mechanism did not function, or could not be readily performed, or unsubscribe requests were not given effect until more than 10 business days after a request has been sent. It was also alleged that Mr. Halazon was personally liable for this violation pursuant to section 31 of the Act. ⁴Undertaking: Mr. Halazon and TCC; “Acts and omissions covered by the undertaking and provisions at issue,” para. 2

In the Conley NOV:

Commission staff alleged and the Commission found in Decision 2019-111 that between 25 September 2014 and 1 May 2015, nCrowd, Inc. sent CEMs or caused or permitted any of its subsidiaries, namely nCrowd Commerce, Inc. and nCrowd Limited, to send CEMs to electronic addresses, without consent and without a functioning unsubscribe mechanism contrary to paragraphs 6(1)(a) and 6(2)(c) of the Act.

Commission staff also alleged and the Commission found in Decision 2019-111 that Brian Conley acquiesced in these violations, while he was the President and Chief Executive Officer (CEO) of the nCrowd companies. As CEO, Brian Conley took no action and turned a blind eye to the practices being employed at his companies in terms of the acquisition and use of email distribution lists, despite the fact that in this line of business, an email distribution list is one of the most important assets through which to generate revenues. Protecting such an asset, including ensuring continued ability to use it, under CASL, should therefore have been important to the nCrowd group and its CEO. However, the nCrowd group’s email distribution and consent-tracking lists were largely inaccurate, incomplete, and altered.

• The type of consent is listed for each and every one of the 1,928,015 entries as “explicit” consent although a significant number of email addresses on this list were generic or belonged to institutions or governments, including police services and hospitals (some of which were available online).
• The date at which the consent was allegedly obtained and the legal person who allegedly sought and obtained the consent were obviously inaccurate or altered. For example, on numerous occasions consent was obtained for more than 3,000 addresses in just one day, and more than 80% of all parties provided consent (1,566,114) on the same day.
• nCrowd, Inc.’s non-compliant unsubscribe mechanism was a broad and recurring issue that Brian Conley ought to have known about over the time, and the appropriate steps to fix the unsubscribe process were never taken. The non-compliance continued for almost a year and evidence shows that even when the nCrowd group’s employees informed customers that they had been unsubscribed, they had actually not been.
• No evidence was found that Brian Conley ever verified or required the conducting of any audit of the consent list provided by the Couch Commerce group or other lists purchased by the nCrowd group to ensure its validity and accuracy.
• Brian Conley instituted no policies or procedures relating to the nCrowd group’s compliance with the Act.⁵Notice of Violation: Investigation into non-compliant emails sent by Couch Commerce Inc. and nCrowd, Inc. including the vicarious liability of corporate directors, “Investigation of nCrowd Inc. and its director Brian Conley,” paras. 1-3.

There’s clearly a gap there – Halazon/Couch doesn’t seem to have a problem with consent (or at least, consent goes unremarked on in the decision). Conley/nCrowd was clearly lying about consent, while having arguably identical unsubscribe issues. The email volume attributed to Couch Group (1.9M) and stated above for nCrowd (1.9M) seems to be the same.

Is this a $90,000 gap? The CRTC seems to think so.

This underscores one of the things I find unsettling about CASL: “The maximum penalty for a violation is $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.” [Act, s20(4)] But under that (to date never imposed) threshold, the purpose of the penalty is “to promote compliance with this Act and not to punish,” and factors for penalty are broad and very discretionary, and rely as much on comportment and ability to pay as they do on what is actually done in violation of the Act:

Philosophically, I understand this. But in practice, this results in published decisions that have such big swings, with no share information as to why, that it makes the entire scheme seem very arbitrary in its application and enforcement.

Which may be a feature and not a bug – I’ll address that in my wrap-up.

Issued penalty: $100,000

Final penalty: $100,000

Total issued AMPs: $2,667,000

Total imposed AMPs/monetary penalties: $953,250

Differential: $ 1,713,750

Up next: the 2019-2022 anthology. Technically there’s only one 2019 decision after Conley, and it’s only the issuing and not imposition of an AMP, so this will be a smidge broader than the previous anthologies.

• 1
  Confusingly, in the table of enforcement actions, the 2016 Brian Conley entry doesn’t link to the issued AMP, but directly to the 2019 decision, so we can’t see the issued notice, only the final decisions.
• 2
  Note the “whether or not” here — in theory, although it hasn’t happened yet, the CRTC could double-dip with both an institution and an individual being liable. Also — this is past the limit of my understanding, but this only applying to “corporations” seems unnecessarily narrow, but there may be a legal definition of “corporation” that differs from my understanding of the word.
• 3
  See above note re. this allowing the CRTC to penalize individuals across management and labour tiers.
• 4
  Undertaking: Mr. Halazon and TCC; “Acts and omissions covered by the undertaking and provisions at issue,” para. 2
• 5
  Notice of Violation: Investigation into non-compliant emails sent by Couch Commerce Inc. and nCrowd, Inc. including the vicarious liability of corporate directors, “Investigation of nCrowd Inc. and its director Brian Conley,” paras. 1-3.

This is part seven of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

Part 1: Terminology

Part 2: Parameters

Part 3: Big Numbers

Part 4: Case File – Compu-Finder

Part 5: Case File Anthology, 2015-2016

Part 6: Case File – Blackstone Education

Part 7: Case File Anthology, 2017-2018

Part 8: Case File – Brian Conley/nCrowd

Part 9: Case File Anthology, 2019-2022

Core resources:

The Act

Enforcement Actions Table (CASL selected)

March 9, 2017

March of 2017 comes in like a lion, with a $15,000 decision against William Rapanos, the creator of flyers for distribution via Canada Post.

The decision is rare in that it articulates the complaints the CRTC received, and recreates a message in the decision:

It’s hard to parse where the CRTC / CASL takes action on these. 50 individuals and 58 submissions doesn’t seem like much, ranked against the 218,000:1 ratio that leads to financial penalties. Without understanding the day-to-day workings of CASL – chiefly, how submissions cluster (maybe 58 is a very high number for a single organization?), it’s difficult to say whether 58 submissions is an eyebrow-raising amount. If not, it’s hard to know why Rapanos was selected.

But – as far as violations go, Rapanos batted the circuit: his messages sent without consent, without contact info or an unsubscribe mechanism.

I love this case, because it has an an awe-inspiring legal Hail Mary by Rapanos, who claimed somebody pirated his Wi-Fi and sent the messages without him knowing, and that he had no connection to a business he very clearly owned [s26-29]: “The suggestions that Mr. Rapanos was potentially the victim of identity theft or that someone unknown to him accessed his unsecured home Internet connection are not persuasive, since they were not supported by any other indicators of fraud or of evidence that his identity had otherwise been used for malicious purposes. Neither Mr. Rapanos, nor any of the other individuals who were asked to do so through notices to produce, provided to the investigator any documentation to support the claim that boarders had resided in Mr. Rapanos’ house or accessed his Internet connection.”

There is never a bad time to drop a reference to what I think is one of the greatest comedy sketches of all time, and I thank Mr. Rapanos for this opportunity:

[s27-29] rebuts this at length, and essentially boils down to “oh, come on.”

As seems common, postalflyers.club is no longer in operation – the domain has no current owner and is available for registration per a WhoIs search. The Wayback Machine has never archived the page, possibly because it’s a redirect to another site that doesn’t exist any more, per [s14], http://firstunitedpartners.com, which also is defunct, available on a WhoIs search, and per the Wayback Machine was only a “domain for sale” notice as of October 2015.¹Side note: It’s curious that William Rapanos is a “Toronto-area” man at the time of filing, and there’s a 2014 investigation against a Sharon Rapanos of Bowmanville, in the GTA. I can’t find an evident connection between the two, but it’s not a common last name. The NTP for Sharon Rapanos was a demand to produce the names of anyone who had access to her Internet from July 2014 to June 2015, and given William’s reliance on “I was hacked” as his defense above, there seem to be some dots that can be connected. Or not. The universe is big and full of coincidences.

Issued penalty: $15,000
Final penalty: $15,000
Total issued AMPs: $2,207,000
Total imposed AMPs/monetary penalties: $813,000
Differential: $1,378,000

June 12, 2017

$10,000 monetary compensation paid by Ghassan Halazon “in his individual capacity”.

Short and sweet: it looks like he was the CEO of several deals sites, now bankrupted, but still responsible for CEMs sent by Couch Commerce, and “agreed to make a monetary payment of $10,000 to the Receiver General of Canada”.

If Couch Commerce Inc. was a company, why was Mr. Halazon pursued as an individual / the CEO under the Act? Other actions have been taken against companies — both previous, such as Kellogg and Blackstone, and even just below, with 514-BILLETS. Vicarious liability, which is not detailed in this action, but will come up soon when we look at Brian Conley and nCrowd.

Issued penalty: $10,000
Final penalty: $10,000
Total issued AMPs: $2,217,000
Total imposed AMPs/monetary penalties: $823,000
Differential: $1,378,000
Kiss of Death: Dead as Doornail ²I get curious about things, so looked up “Ghazan Halazon” on LinkedIn, and found two profiles — the first, “dealfindingghazanhalazon” is the CEO of Couch Commerce, still lists Ghazan Halazon as its CEO, but there’s a second Ghazan Halazon, with an identical education background, but who mysteriously doesn’t mention Couch Commerce at all. Does this count as two?

March 15, 2018

Monetary compensation of $100,000 from 9118-9076 QUÉBEC INC. and 9310-6359 QUÉBEC INC. (514-BILLETS) (https://crtc.gc.ca/eng/archive/2018/ut180315.htm)

First of all, that’s a pretty sweet phone number. 514 is the area code for Quebec, and BILLETS is a 7-digit combination that’s French for “Tickets”.

Second, while previously there didn’t seem to be a distinction between “monetary compensation” (paid to the Receiver General) and AMPs (generally “paid in accordance with the instructions contained in the notice of violation”) in the past, there’s a big swing here. As often, this is brief enough that we can put it in an accordion, but I’ll ask you to pay attention to the bit at the bottom, about payment:

So the published $100,000 was actually a $25,000 financial penalty, and $75,000 issued in discounts… to, one assumes, the very same people they were spamming to become customers in the first place.

Remember recently, how Tim Hortons engaged in egregious privacy violations and proposed that it give customers a free coffee and a donut rather than any, shall we say, meaningful penalty?

That seems to be where the Tim Hortons matter landed, per this Superior Court of Quebec decision of September 2022.

Of note in that decision is what I’d say is some extremely valid criticism of these kinds of arrangements – [s50]: “It has been said that they provide benefits to the companies being sued which runs afoul of the objective to deter harmful behaviour. Other objections include the low take-up rate of coupons, the fact that compensation may be tied to a purchase obligation, undue restrictions on the use of coupons and the high fees claimed by class counsel.”

This is enumerated in a series of factors that the court should consider with coupon-based compensation schemes:

Other than that, this is a pretty open-and-shut violation: spam texts, with little sender and no unsubscribe / consent withdrawal information, clearly violating Section 4 of the regulations.

The decision seems… inexplicable in isolation, but with other prior decisions, such as the Blackstone one that AMPs should be lowered arbitrarily for small businesses, it does seem like the CRTC / CASL has the ability to adjust decisions in ways that may seem baffling to the casual observer. It’s hard to figure out what $75,000 in issue coupons is “worth” in terms of tallying penalties. It’s definitely not a $75,000 loss to the company. If I use an admittedly pretty arbitrary sourced redemption rate of 7%, it comes out to $5,250 out of pocket, which I’ll go forward with.

Issued penalty: $100,000
Final penalty: $30,250
Total issued AMPs: $2,317,000
Total imposed AMPs/monetary penalties: $853,250
Differential: $ 1,463,750

July 11, 2018

$250,000 in AMPs against Datablocks Inc. and Sunlight Media Network, Inc. (rescinded)

At this point, I’ll admit it:

I’m lost.

Part of the point of this was to track what the CRTC is saying it’s done, and what it’s actually done, because the announced penalties under CASL seem to be staggeringly high compared to the totals. I’m’a carry on, but situations like this one make it very challenging to keep track of what the CRTC claims has been done and what it’s tallying toward the “score.”

In its most recent enforcement snapshot, it states:

Payments and Penalties Under CASL

Since CASL came into force in 2014, compliance and enforcement efforts have resulted in administrative monetary penalties⁹A person who is served with a Notice of Violation has the opportunity to make representations to the Commission with respect to the amount of the penalty or the alleged violations. As such, any case brought to the Commission is subject to a review. (footnote theirs) and undertakings totalling over $3.6 million. (emphasis mine)¹⁰“Enforcing Canada’s Anti-Spam Legislation, Actions carried out by the CRTC between October 1, 2022 and March 31, 2023,” https://crtc.gc.ca/eng/internet/pub/20230331.htm

I’m not caught up yet – there’s still a few decisions from 2019-22 left to go – but I’ll tell you right now it’s not going to be even a fraction of $3.6 million in imposed penalties. Spoiler alert: we’re barely going to crack a million.

I’m going to keep gamely tracking decisions like this as part of the overall tally which theoretically will lead to that $3.6 million, but the math behind these pronouncements is getting increasingly baffling.

Anyhow.

The Datablocks/Sunlight Media decision is highly complex, and unlike all CASL enforcement to date orients around subsection 8.1 of the Act:

The gist of it is an accusation that Sunlight Media (operating an online ad network) and Datablocks (software/routing infrastructure), ran domains that redirected Government of Canada computers to a site that used Adobe / Shockwave Flash ¹¹now there’s a specific nostalgic hit for nerds of a certain age exploits to install malware on the Government of Canada computers.

The infected computers were all promptly re-imaged without collecting any data on the malware, so there was no evidence of this after the fact [s39-47, 51]; further, the Commission noted that given IT processes it was plausible that the Flash files would have been blocked prior to installation [s69].

So it was dropped.

One thing of note is the clarification that malware must be successfully installed for a violation to occur – an attempt to install malware apparently doesn’t trigger CASL 8.1:

[s53] The Commission notes that subsection 8(1) of the Act refers to the installation of a computer program, not an attempt to install one. If the intent of Parliament in writing the Act had been to cover attempts to install, it likely would have included that language in subsection 8(1) of the Act. Furthermore, contrary to certain arguments made on the record, the issue is not necessarily about the infection, or compromise, of a computer system, since those actions or consequences are not referred to in the Act.  The question is whether there is sufficient evidence on the record of the proceeding to conclude, on a balance of probabilities, that the Shockwave Flash Files listed in the NOVs were installed. (emphasis mine)

Issued penalty: $250,000
Final penalty: $0
Total issued AMPs: $2,567,000
Total imposed AMPs/monetary penalties: $853,250
Differential: $ 1,713,750

• 1
  Side note: It’s curious that William Rapanos is a “Toronto-area” man at the time of filing, and there’s a 2014 investigation against a Sharon Rapanos of Bowmanville, in the GTA. I can’t find an evident connection between the two, but it’s not a common last name. The NTP for Sharon Rapanos was a demand to produce the names of anyone who had access to her Internet from July 2014 to June 2015, and given William’s reliance on “I was hacked” as his defense above, there seem to be some dots that can be connected. Or not. The universe is big and full of coincidences.
• 2
  I get curious about things, so looked up “Ghazan Halazon” on LinkedIn, and found two profiles — the first, “dealfindingghazanhalazon” is the CEO of Couch Commerce, still lists Ghazan Halazon as its CEO, but there’s a second Ghazan Halazon, with an identical education background, but who mysteriously doesn’t mention Couch Commerce at all. Does this count as two?
• 3
  Abihsira c. Stubhub inc., supra, note 10, paras. 45 b) and d); Hurst c. Air Canada, 2019 QCCS 4614, para. 29; C. PICHÉ, supra, note 11, pp. 38 and 39.
• 4
  Abihsira c. Stubhub inc., supra, note 37, para. 44 h).
• 5
  Ibid, para. 44 a); Preisler-Banoon c. Airbnb Ireland, 2020 QCCS 270, paras. 34 to 35 (closing judgment 2021 QCCS 15); Gosselin c. Loblaws inc., 2019 QCCS 3941, para. 24; Jacques c. 189346 Canada inc. (Pétroles Therrien inc.), supra, note 12, para. 15.
• 6
  Picard c. Ironman Canada inc., supra, note 28, para. 55; Abihsira c. Stubhub inc., supra, note 10, para. 44 j); Preisler-Banoon c. Airbnb Ireland, supra, note 39, para. 33.
• 7
  Hurst c. Air Canada, supra, note 37, para. 33; Gosselin c. Loblaws inc., supra, note 39, para. 30.
• 8
  Abihsira c. Stubhub inc., supra, note 10, para. 44 f).
• 9
  A person who is served with a Notice of Violation has the opportunity to make representations to the Commission with respect to the amount of the penalty or the alleged violations. As such, any case brought to the Commission is subject to a review. (footnote theirs)
• 10
  “Enforcing Canada’s Anti-Spam Legislation, Actions carried out by the CRTC between October 1, 2022 and March 31, 2023,” https://crtc.gc.ca/eng/internet/pub/20230331.htm
• 11
  now there’s a specific nostalgic hit for nerds of a certain age

This is part six of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

Part 1: Terminology

Part 2: Parameters

Part 3: Big Numbers

Part 4: Case File – Compu-Finder

Part 5: Case File Anthology, 2015-2016

Part 6: Case File – Blackstone Education

Part 7: Case File Anthology, 2017-2018

Part 8: Case File – Brian Conley/nCrowd

Part 9: Case File Anthology, 2019-2022

Core resources:

The Act

Enforcement Actions Table (CASL selected)

I had set Blackstone aside because it looked like an education space company, but now that I’m in it, it’s a training company, and on its face looks very similar to Compu-Finder.

This on its own is not necessarily proof of anything – correlation is not causation – but companies that push for-profit training courses seem to come up a lot in CASL decisions. Unlike Compu-Finder, Blackstone Seminars/Blackstone Learning Solutions/Blackstone Professional Development Group seems to be soldiering on. Their online presence doesn’t suggest great health, though: the site looks like it’s been coded to viewports that are only about 800px wide, which suggests it hasn’t been touched since 800×600 was king of the display resolutions, which was, uh, 2005?

I know this is a bit obsessive but I care about UX and accessibility, and for a company that is supposed to be providing training to the government, from whence all accessibility legislation hath come, this seems just ridiculous to me:

Anyway – back in 2014, when pretty much all computer monitors accommodated much wider resolutions than 800px¹sorry, I’ll stop now, Blackstone was served a Notice to Produce (NTP). An initial deadline of November 21 was extended to December 3 at Blackstone’s request, and then – well, let me just flip the entire thing into an accordion here, emphasis in the original:

If you haven’t looked at it, flip that thing open and take a look at that last paragraph, which explicitly lays out how to appeal this decision with the Federal Court of Appeal.

Blackstone instead apparently filed an application for leave to appeal with the Supreme Court of Canada, which is not the Federal Court of Appeal.²I can’t find the Application for Leave to Appeal on the SCC website, but that might be because it didn’t even get heard – per this CRTC decision, s8-12, the SCC Registrar wrote back and copied the Commission that the SCC was not the right venue. This doesn’t seem to exist in any findable online archive.

The Supreme Court replied to Blackstone – wrong venue! – and then Blackstone did not appeal with the Federal Court, for some reason. 

But – while I am not a lawyer (and this is not legal advice) – I’d think that somebody at Blackstone would have very sharp words for their counsel for not understanding the fundamentals of how appeals work, and not even reading the NTP request letter or follow-up directive of January 22. 

So – after an odd digression into inappropriate leaves for appeal – the CRTC issued its decision on October 16, 2016.

Worthy of note:

• A campaign is a violation, not an individual email: [2]”The notice identified nine messaging campaigns totalling 385,668 commercial electronic messages sent by Blackstone between 9 July and 18 September 2014 without the consent of the recipients. As a result, a designated person stated that they had reasonable grounds to believe that Blackstone had committed nine violations of paragraph 6(1)(a) of the Act.”
• You don’t need a price to appear to be selling something: [18] “The cost of these programs was not specifically discussed; however, the nature of the language used, including references to various discounts and group rates, conveyed that these courses were services available for purchase from Blackstone. The Commission thus determines that the messages were sent for the purpose of advertising and promoting services commercially available from Blackstone, and were commercial electronic messages within the meaning of subsection 1(2) of the Act.”
• A bit of unpacking around how publishing an email address on the Internet is supposed to work re. “conspicuous publication” in para. 10(9)(b) of the Act [25-28 of the CRTC decision] – key phrase being “the Act does not provide persons sending commercial electronic messages with a broad licence to contact any electronic address they find online; rather, it provides for circumstances in which consent can be implied by such publication, to be evaluated on a case-by-case basis. Pursuant to section 13 of the Act, the onus of proving consent, including the elements of implied consent under paragraph 10(9)(b) of the Act, rests with the person relying on it.”
• Other than complaining initially about timelines and the AMP amount, and the misguided appeal to the Supreme Court, Blackstone doesn’t appear to have cooperated with the CRTC at all; [55] “Blackstone did not cooperate with the investigation. The company refused to respond to a notice to produce issued under section 17 of the Act, even after a Commission decision requiring that it do so.”

And – despite Blackstone essentially just filing complaints and misfiling appeals and not doing anything that the Commission asks them to do – the CRTC still lowers the AMP from $640,000 to $50,000.

Once again, like with Compu-Finder, there’s what feels like almost a tacit admission that they do this to terrify marketers into compliance: [60] “As stated in the Act, the purpose of a penalty is to promote compliance with the Act, and not to punish. To this end, the penalty set out in the notice of violation places great emphasis on the principle of general deterrence. The Commission accepts that this is a valid principle to be considered in the imposition of an AMP, but considers that the specific circumstances of Blackstone’s case, and the violations that have taken place, require a lower AMP.”

Why the drop to $50,000? Because [61-62] Blackstone is a small business; its belief that it had consent was established before the release of the 2015-published Guidance on Implied Consent; along with the idea that other regimes like the Unsolicited Telecommunications Rules have lower penalties and still result in compliance.

Which — look, I am supportive of the CRTC and CASL. I understand the logic of the stunning amounts announced in terms of their value as deterrents. But there’s a bit of “boy who cried wolf” here — a risk of normalizing the process of not taking large judgments that seriously because you can be certain they’ll be amended downward.³As an aside, an early post-lockdown internal comms issue was mask enforcement. It was mandated and we were announcing that masks must be worn in buildings, with certain exceptions for eating/drinking. But practically, who would enforce those rules during campus open hours, continuously, in all areas? As I was saying at that time, if you can’t meaningfully monitor and enforce rules globally, the second approach is to make punishment so draconian that it is terrifying to anyone that contemplates breaking the rule. But the #1 rule of terrifying punishments is that you kind of have to stick to the terrifying component. “We will announce the iron maiden but walk it back to a brisk tickling” over time is in some respects worse than just appealing to the common good.

This was also in yesterday’s 2015-16 round-up, but just so the tally is close at hand:

Issued penalty: $640,000

Final penalty: $50,000

Total issued AMPs: $2,192,000

Total imposed AMPs/monetary penalties: $908,000

Differential: $1,284,000

• 1
  sorry, I’ll stop now
• 2
  I can’t find the Application for Leave to Appeal on the SCC website, but that might be because it didn’t even get heard – per this CRTC decision, s8-12, the SCC Registrar wrote back and copied the Commission that the SCC was not the right venue. This doesn’t seem to exist in any findable online archive.
• 3
  As an aside, an early post-lockdown internal comms issue was mask enforcement. It was mandated and we were announcing that masks must be worn in buildings, with certain exceptions for eating/drinking. But practically, who would enforce those rules during campus open hours, continuously, in all areas? As I was saying at that time, if you can’t meaningfully monitor and enforce rules globally, the second approach is to make punishment so draconian that it is terrifying to anyone that contemplates breaking the rule. But the #1 rule of terrifying punishments is that you kind of have to stick to the terrifying component. “We will announce the iron maiden but walk it back to a brisk tickling” over time is in some respects worse than just appealing to the common good.

This is part five of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.

Part 1: Terminology

Part 2: Parameters

Part 3: Big Numbers

Part 4: Case File – Compu-Finder

Part 5: Case File Anthology, 2015-2016

Part 6: Case File – Blackstone Education

Part 7: Case File Anthology, 2017-2018

Part 8: Case File – Brian Conley/nCrowd

Part 9: Case File Anthology, 2019-2022

Core resources:

The Act

Enforcement Actions Table (CASL selected)

Following the Compu-Finder penalty levied in early 2015 (to be walked back in 2017), CASL goes on a tear, dropping AMPs left and right. 7 out of the 15 total AMPs issued under CASL come from these two years.

We’re going to set aside one of them as particularly relevant to my interests (education space), and zip through some of the others:

March 25, 2015:

$48,000 AMP levied against “Plentyoffish Media”, a dating site. I’m not sure why people would want to date folks who are plenty offish, but there y’go. There was no question about consent here — CEMs were only sent to registered subscribers — but with no evident, or a non-functional, unsubscribe mechanism. This, along with a compliance program, seems to have passed without any re-evaluation or follow-up.

Issued penalty: $48,000

Final penalty: $48,000

Total issued AMPs: $1,148,000

Total imposed AMPs/monetary penalties: $248,000

Differential: $900,000

June 29, 2015:

$150,000 AMP levied against Porter Airlines, a small carrier. CEMs were sent to people without Porter being able to furnish any proof of consent. Some messages were sent without contact information, and others without “clear and prominent” unsubscribe information. Again, this plus a compliance program seems to have landed with no further appeals or follow-up.

Issued penalty: $150,000

Final penalty: $150,000

Total issued AMPs: $1,298,000

Total imposed AMPs/monetary penalties: $598,000

Differential: $900,000

November 20, 2015:

$200,000 monetary compensation paid by Rogers Media, a telecommunications giant. There were flawed unsubscribe mechanisms in emails they were sending, some unsubscribe requests were not acted upon within 10 days, others did not have an unsubscribe address that was valid for a minimum of 60 days after the message was sent. This, with a compliance program, landed without appeals or follow-up. The financial penalty is framed as “monetary compensation” rather than an “administrative monetary penalty,” with no further explanation.

Issued penalty: $200,000

Final penalty: $200,000

Total issued AMPs: $1,498,000

Total imposed AMPs/monetary penalties: $798,000

Differential: $900,000

September 1, 2016:

$60,000 monetary compensation paid by Kellogg Canada Inc., a food company. It, or authorized third parties, sent email without consent. This, with a compliance program, landed without appeals or follow-up. The financial penalty is framed as “monetary compensation” rather than an “administrative monetary penalty,” with no further explanation.

Issued penalty: $60,000

Final penalty: $60,000

Total issued AMPs: $1,552,000

Total imposed AMPs/monetary penalties: $858,000

Differential: $900,000

October 10, 2016:

$50,000 AMP levied against Blackstone Learning, a seminars/training company.

We’re going to unpack this more in the next post, as I’m very interested in education-space developments here, but in a nutshell, lots of email without proof of consent. The notice of violation (which was issued on January 30, 2015, but doesn’t seem to be available online) sent to Blackstone set out an AMP of $640,000, but the decision lowered it to $50,000.

Issued penalty: $640,000

Final penalty: $50,000

Total issued AMPs: $2,192,000

Total imposed AMPs/monetary penalties: $908,000

Differential: $1,284,000

December 14, 2016:

$100,000 AMP issued against Brian Conley of Couch Commerce/nCrowd, an online deals website. We’ll discuss this in detail when we get to 2019 and the final CRTC decision. Note that the link above goes to the final 2019 decision — Enforcement action 9090-2015-00414 (the 2016 notice) isn’t available, and the CRTC’s table of decisions links to the 2019 CRTC decision rather than the enforcement action.

The timing here is important, for reasons we’ll get into in our 2017-18 anthology including Conley’s case.

We’ll be back to look more in depth at Blackstone, and then get back to reviewing other CASL decisions.