This is part ten of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.
A quick late 2023 update: the CRTC has published an NOV for Sami Medouini for what appears to be text-based phishing campaigns; NOV below:
File No.: 9110-2021-00606
File No.: 9110-2021-00606
To: Sami Medouni
Issue Date of Notice: 11 July 2023
Summary of investigation
The Canadian Radio-television and Telecommunications Commission (CRTC) is responsible for the administration of sections 6 to 46 of Canada’s Anti-Spam Legislation (the Act), and the Electronic Commerce Enforcement (ECE) division of the Commission investigates potential violations pursuant to the Act.
In March 2021, CRTC staff launched an investigation into a series of high-volume phishing campaigns and potential violations of paragraph 6(1)(a) of the Act.
Paragraph 6(1)(a) of the Act states that it is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message (CEM) unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.
Pursuant to section 22 of the Act, a notice of violation has been served on Sami Medouni for committing six violations of paragraph 6(1)(a) of the Act.
Between 22 December 2020 and 14 January 2021, Sami Medouni sent or caused or permitted to be sent at least 31,925 phishing Commercial Electronic Messages (CEMs) without the consent of recipients, from fraudulently obtained telephone numbers.
Specifically, Sami Medouni sent the following commercial electronic messages without express or implied consent by using six different telephone numbers:
- 13,285 CEMs on 22 December, 2020;
- 18,138 CEMS between 22 and 23 December, 2020; and
- 502 CEMS on 14 January 2021.
In accordance with section 13 of the Act1Section 13 – Burden of proof: A person who alleges that they have consent to do an act that would otherwise be prohibited under any of sections 6 to 8 has the onus of proving it., the person who sends a CEM has the onus of proving that consent was obtained. There was no evidence obtained during the investigation to indicate that Sami Medouni obtained the necessary consent to send CEMs.
Information and evidence to support this investigation were gathered from multiple sources, including Notices to Produce pursuant to section 17 of the Act, and provided reasonable grounds to believe that, by using six separate phone numbers, Sami Medouni sent 31,925 CEMs without consent, representing six violations of paragraph 6(1)(a) of the Act.
Based on the information gathered in the investigation, the Director of the Electronic Commerce Enforcement division has issued a Notice of Violation, imposing an administrative monetary penalty of $40,000 to Sami Medouni.
Violations are connected to the number of phone numbers used — a “campaign” is a violation, not an individual message, so if Medouni allegedly bought a phone and used it to send CEMs until there were enough spam reports for carriers to block it, each phone would therefore represent a “campaign”. Ergo: six campaigns, comprised of 31K messages.
These are identified as phishing messages in the NOV itself; the CASL violation is strictly consent, but phishing is fraud under s380(1) of the Criminal Code. Unlike with Orcus, the CRTC does not mention investigations or criminal charges here.
This is only an NOV — I’ll update my overall stats when time allows, but this doesn’t change the math on final decisions (the differential between issued and imposed penalties is of interest, but I can’t update it until we get to the “imposed” part.
We’ll stay tuned on this, and move on to our wrap-up.
- 1Section 13 – Burden of proof: A person who alleges that they have consent to do an act that would otherwise be prohibited under any of sections 6 to 8 has the onus of proving it.