I love storytelling, and helping organizations share their truth with the world. From non-profit media outlets to for-profit boutique agencies to one of Canada's great universities, I've been connecting institutions and stakeholders for a while, and enjoying both the journey and seeing great ideas find great audiences.
"Wheat Field with Cypresses" by Vincent Van Gogh. This was probably not the painting in question, but is kind of typical of the paintings that were in this exhibition -- known paintings, but not Top Five like Starry Night, Sunflowers or What The Hell Happened To My Ear.
So Back in the Day I lived in Sherbrooke, Quebec, which has a better-than-you’d-expect art gallery, the Musée de Beaux-Arts de Sherbrooke. A converted really huge three-story mansion.
There was a touring exhibit of impressionist painters that was hitting all the big Canadian galleries that year. You got your Monets, you got your Van Goghs, like one or two lesser paintings from a bunch of the big names. And for some reason, it gets a week at MBAS as well as all the bigger-city galleries. This didn’t get a ton of fanfare: an article in the local French papers and in the sole local English paper.
This is partly because MBAS building would be really big for a house, but it was pretty small for a gallery. I don’t think they had a budget for marketing or promotion at all. The total staff count in there at any point would usually be two people: somebody at the front desk / coat check who would also dash over if somebody was in the tiny gift shop, and a wandering security person.
So this travelling exhibition is up on the third floor of MBAS, and as a frequent visitor, I know a few things:
You just walk into the gallery. It costs I think $5 as a suggested donation. Nobody checks your ID or anything.
The fire escape, which you can access through a normal screen door leading to a small balcony from the always-open third-floor break room, is a set of stairs running right down to beside the gallery. It is always unlocked and unalarmed. I’ve seen enough people ducking out there for a smoke over time that I’m aware of that.
There’s one security person; on the day I drop by to see the Impressionists, it’s a women in I’d guess her 70s. They walk every floor, very slowly, so once they leave the third floor to walk downstairs and start over at the first, you’ve got probably a 20-minute window before they get back to the third floor.
Faced with the Impressionists, I also realize:
They’ve just, like, hung the paintings. Like you or I would. They don’t seem to be super affixed to the walls with some sort of weird backing systems, they aren’t locked or behind glass. They’re just there, wire on a nail style.
There are, at least to my ability to see them, no security cameras or anything. I’d never really cared to look before, but I’m suddenly motivated by the realization that
I can totally steal a fucking Van Gogh.
Spoiler: I didn’t. But man, I thought real hard about it. Not to keep, but just, you know, take it down, wander down the fire escape, loop the block and drop it back off. Or take it home for the night and drop it off in the morning.
Do I regret not stealing a Van Gogh? Hell yeah. I wish to this day I’d nutted up and temporarily stolen a Van Gogh. Maybe I was missing something and an alarm would have gone off and I would have been charged with attempted theft of a Van Gogh, but if you’re gonna crime, what a crime to crime.
And maybe I wasn’t missing something! Maybe I could have 100% stolen a Van Gogh. And for the rest of my life been dining out on The Time I Stole the Van Gogh.
But I didn’t. So instead all I have is The Time I Could Have Stolen A Van Gogh And Didn’t. Which is what you’re getting here.
For those of you not deeply steeped in arch geekery, an Illithid is a species in Dungeons and Dragons, colloquially known as a “Mind Flayer.”
They are basically squid-headed jerks that eat brains.
As the long-running campaign I’m part of (12th level Warlock/Paladin, thanks for asking) winds toward a summer break and we get into the final approach for a seasonal Big Bad, our GM asked what Illithid-themed flair would work for us, so I set about creating this monstrosity.
Horror fans that don’t know much about south-eastern Ontario likely don’t know that Pontypool is a real place — in fact, I went to high school one town over, and spent a fair bit of time in Caesarea and Nestleton with friends, a short hop away.
Caesarea is even name-checked in the movie, and is the title of the third of a three-book trilogy by the author of the novel that Pontypool the movie was adapted from.
Visiting my folks last weekend, I thought I’d swing by the town to take some pictures for Evan Dorkin and Paul M Yellovich, the podcast’s hosts.
The Pontypool sign, with a quick best-efforts “Tear Them Apart” podcast call-out. I took it down after. I was really angering all the goats in the weird-ass half-farm next to the sign so I had to make it quick.
“Downtown” Pontypool, facing north. Note the telephone pole “TAKE BACK CANADA” sign. People think Ontario / Canada is pretty progressive, but it’s more like New York State: once you’re out of the cities, you’ll find a lot of the same regressive racist yahoos you find in any rural place. This was the part of the drive to my folks’ place where farms have STAY OFF MY LAND GUBBERMINT signs, and vaccine conspiracy lawn signs sprouted like weeds during COVID.
Grant Mazzy would probably be more at home here as a shock jock than the station staff would like to believe.
Same position, turning south:
That’s it. That’s Pontypool. The streets stretch out about a kilometre in all directions with mostly two-story houses of a mid-19th-century vintage.
The sign on the left of this photo is for the town’s only gas station (with integrated Tim Horton’s naturally; there’s nothing more faux Canadian than this foreign-owned chain that’s somehow convinced people it’s a Canadian icon, and that its coffee doesn’t taste like battery acid that briefly had a coffee bean dipped in it).
Tim Horton’s has grown in my mind in recent years to really represent the rise of the right in Canada: symbols are more important than reality, and being “Canadian” is more important than being Canadian. It’s not a Canadian chain any more, and the coffee and food are terrible, but it’s “Canadian,” so Doug Ford shills for Smile cookies and — okay, I’m getting off-topic. Tim Hortons sucks.
Behind the grocery store across the street you can see a little red sign; that’s the pharmacy on the first floor of a house. Facing the pharmacy, the only grocery/convenience store, and the only restaurant:
That’s it. That’s Pontypool. The streets stretch out about a kilometre in all directions with mostly two-story houses of a mid-20th-century vintage.
Not pictured is the town arena, which if you live in Ontario and I say “small town arena,” you’re already picturing.
The most unrealistic thing about Pontypool (the movie) is that it has a radio station that employs at least three people full-time. The most realistic thing about Pontypool (the movie) is the syndicated news break at the beginning that mentions a major drug bust in Caesarea. That 100% checks out.
The above probably sounds like I’m dunking on Pontypool; I kind of am, because I’m a bit triggered by the TAKE BACK CANADA garbage and have less than fond memories of COVID-area rural lunacy.
I grew up in a town about this size, and I’m sure it’s as much a mixed bag as that town was.
Anyway, that’s Pontypool-the-town, if anyone is watching the movie (it’s really, really good!) and wants to see what the real-deal place looks like.
Chess photo by Vlada Karpovich: https://www.pexels.com/photo/chess-pieces-on-the-chess-board-6114952/
Catching my breath after my first week in my new role as Executive Director of the Chess Institute of Canada; onboarding in Toronto while meeting the Board, the staff and many of the instructors.
I’m really excited to be joining CIC at a pivotal moment in their history. “Chess for life” is their mission: imparting valuable and lasting life skills through the medium of the world’s greatest game. There’s so much you can learn from the “gymnasium of the mind” — strategy, forethought, patience and planning, yes; also good sportspersonship, how to deal with adversity, creative problem-solving and perseverance through setbacks.
Student enrichment was dramatically altered over COVID, and while this is an organization built on excellence from a firm footing based on the vision of its founder, Ted Winick, in many ways this is also a new era for CIC in terms of how it instructs, where it reaches, and who it benefits. Chess is for everyone, and I’m incredibly excited to be working with a dedicated, passionate and innovative team in making sure everyone can benefit from what it brings.
I’m still drinking from the fire hose, as they say — lots to learn, lots to do — but honoured and thrilled to be entrusted to lead this organization from greatness to… even more greatness. Super greatness.
I’m sure I’ll have many incredibly apt chess metaphors at the tip of my tongue very soon, but for now, I’m just very happy to be here, and especially to be working with a visionary and committed board, incredibly dedicated and passionate staff, and immensely talented and compassionate instructors.
Background photo by Vlada Karpovich: https://www.pexels.com/photo/chess-pieces-on-the-chess-board-6114952/
Lots going on in my life these days; most folks who know me know this, but my last day at Smith Engineering was February 9, 2024. This also represents a step away from higher education marketing career-wise; big news coming, but not until March.
“Coming down” from a job you’ve put a lot of your brain and identity into for years is a process. I was fortunate to be asked by friends of friends to house-sit / dog-sit for this very good, very silly boy for a week:
…which gave me a week of decompressing, partly getting ready for the Next Thing, lots of dog-walking, etc.
I’ve never really listened to Taylor Swift, but both of my nieces are bananas for her. Big Swifties. And there’s nothing wrong with that! I just run my own music server / support soma.fm, so my listening doesn’t generally include stuff I don’t intend it to. And while I’m trying to be less snobbish than I used to be, the culture around Swift wasn’t one where I felt compelled to seek it out and listen to her music.
But — time on my hands, and looking to reset my brain in some significant ways — I challenged my nieces that if they would make me playlists of up to 15 songs, I would give them an earnest listen.
And they did (their mom said it was “the hardest she’d ever seen them work on something like homework”). So I did!
I’m a big fan of my reMarkable, so I used it to write while I gave these songs a Whole Listen. I have no idea why anyone would be interested in these, but my wife suggested I post them for posterity, so if you’re looking for a 50-year-old man’s perspective on lists of Taylor Swift songs compiled by two teens, here y’go:
I can’t say I’d be lining up for tickets (especially at these prices), but I have to say I liked it a lot more than I thought I would. And that it’s a lot more maudlin than I expected! I was thinking it was all pop bangers — “Look What You Made Me Do” is the only Taylor Swift song I can summon to memory — but there’s a whole subcategory of Swift songs I now call the “piano sads”.
Really impressed with the songwriting, the lyrics. Would be more enthused if she seemed to have any way of positioning herself and her life other than the present state of whatever relationship she’s in (but maybe, again, this is just a reflection of where my nieces are at in their song choices).
I’ve also been thinking a bit about why I’ve been so out of the Swift orbit; the fair question for myself, I think, is to ask why I’ve been quasi-avoiding this very popular, very successful female singer/songwriter, and would I duck out on male pop stars the same way?
And… having given it some thought, I feel okay. I can think of a number of Very Big acts that I’ve also never really made time for, across a number of spectrums, so I don’t think there’s anything there. But it’s good to ask yourself periodically where the “I’m not interested in what this person has to say” instinct comes from. In this case I think it’s just the form, and if I’m honest a bit of New Country stink in the background, that drove the disinterest.
On the whole, a really worthwhile exercise. I feel like I have a better understanding of a big piece of the zeitgeist right now.
Krog St., Atlanta, by Lee Coursey (CC 2.0). Without explicit permission, Coursey could be committing copyright violations by reproducing this graffiti -- and now, so could I. If that little shark-lookin' fella is also a trademark, there's a whole other layer of things to unpack here.
In the category of “interesting things I’ve never thought much about,” Gerald Kerr-Wilson and Kiera Boyd (Fasken) popped up in a Google alert I have set up recently with a short piece on whether graffiti is protected by copyright. It’s short and cogent.
the Copyright Act doesn’t require that work be lawful to have copyright protection;
issues may arise if graffiti is reproduced, including in the background of other works, and that partial destruction of graffiti may infringe the author’s moral rights.
Challenges when using graffiti are partially answered in the first case by incidental use (s30.7 of the Act) and whether the graffiti could be considered permanent “artistic craftsmanship” (s 32.2(1)(b)). In the second case, it’s possible (no case has ever come up) that protection may exist but in a limited form, like for obscene materials (Aldrich v One Stop Video Ltd, [1987] BCJ No 1035).
Fair dealing isn’t much of a defense; it’s highly contextually specific, but it would be rare(ish) for something to be covering graffiti in an academic/analysis context that gets to the point where it’s worth pursuing a claim. Plus, attribution is part of the consideration — impossible with most graffiti, which I get into below.
They don’t address two questions I think are really compelling, though.
First, that to claim authorship you’d have to in many cases confess to a crime; in Canada, this would be “mischief”, per s 430(1) of the Criminal Code:
Mischief
430 (1) Every one commits mischief who wilfully
(a) destroys or damages property;
(b) renders property dangerous, useless, inoperative or ineffective;
(c) obstructs, interrupts or interferes with the lawful use, enjoyment or operation of property; or
(d) obstructs, interrupts or interferes with any person in the lawful use, enjoyment or operation of property.
Criminal Code, s430(1)
Generally, assuming that most graffiti results in <$5K of damage, this would make you liable to imprisonment for a term not exceeding two years, or punishable on summary conviction (s 430(4)).
There’s a six-month limitation to most cases of mischief (s 786(2) of the Code), so depending on how rapacious you are as a tagger* and how far in the past you bombed*, your comfort level in coming forward may vary.
Second question: how do you prove you’re the author of graffiti? Clearly, you’re not going to register it. I can only imagine that in many cases, the artist has taken steps _not_ to be identified. On a cursory search, I can’t find much in terms of court cases that have hinged on authors proving authorship over pseudonymous work. The one thing — a 2014 story about Alexandre Veilleux, a Montreal graffiti artist who sued Radio-Canada (French-language CBC) for $45,000 for using buildings tagged with his graffiti under the name “Alex Scaner” in a TV show called 30 Vies. Article here (in French). Nothing seems to have reached to the point that it’s captured in CanLII, so either it was dropped or settled pre-court.1Also, Quebec is a civil law jurisdiction, so YMMV in the rest of Canada.
It’s also worth noting the the latter article includes a photo of somebody in the gallery, looking at the photos that reproduce the graffiti — I’d assume that “Patanne“, the photographer there as credited in this other article, is now also subject to the same complaints as Karp, the Moore Gallery artist. It’s turtles all the way down.
Banksy, the world’s most famous graffiti artist, has failed to assert copyright over his work in the past – in part because he wanted to preserve his pseudoanonymity.
Fun woolgathering, but without much to hang a hat on. A little woolgathering on a Sunday morning is never a bad thing, though.
*Am I qualified to use graffiti lingo? Well, I did subscribe to Juxtapoz magazine for, like, two years in the mid-aughts, so I have exactly $72 worth of cred.
Music:
Various Artists, “The Faithful: A Tribute to Marianne Faithfull”
Sick Boss, “Businessless”
Various Artists/Tycho, “Back to Mine: Tycho”
1
Also, Quebec is a civil law jurisdiction, so YMMV in the rest of Canada.
2
An aside: bitrot has eaten some of the above articles, and I can’t say enough how much I appreciate the good people at archive.org and the Wayback Machine for archiving things like this. If you have a few bucks this holiday season, consider supporting them.
Look, I've avoided making this dumb visual pun 10 times now, give me a break. Photo by Pixabay, via Pexels.com. CC0.
This is part eleven of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.
I’ve been taking various runs at a wrap-up of almost 10 years of CASL being on the books, and keep kind of bouncing off this summary. In part because it’s hard for me – as somebody who needs to interpret the regime, but who is also interested in looking at its effects over time – to get a firm grip on how it is implemented and practised based on the last 9-and-a-bit years of enforcement.
I’m going to break this down into a few components:
Useful things to know, that are in the Act but may not jump out at a user;
Specific observations based on notices of violation and CRTC rulings;
A general overview of how I feel about CASL. Spoiler: conflicted.
General rules:
CASL isn’t just for “spam”. Frankly, they should rename it. “Anti-Spam legislation” is a snappy phrase but causes more confusion than is warranted. The conventional understanding of spam is junk email, but this legislation applies to texts, intrusive software (malware), browser extensions… essentially, if it’s delivered digitally, it falls into the remit.
ALL Commercial Electronic Messages (CEMs) are prohibited. By default. Assume any commercial message is not allowed to be sent, and CASL carves out exceptions to the general prohibition.
ANY CEM contaminates a non-CEM. Even if a message is 99% non-commercial, any inclusion of any content that – from the Act:
having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that
(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
(b) offers to provide a business, investment or gaming opportunity;
(c) advertises or promotes anything referred to in paragraph (a) or (b); or
(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
Requests for consent are also CEMs per s1.3 of the Act. This results in a Catch-22 – you can’t market without permission, but asking for permission is marketing. Added value is therefore key – or couching a consent request in an otherwise legitimate communication. I can’t email you out of the blue (except under a certain set of circumstances) asking you to opt into my newsletter, but I can post on LinkedIn telling people I’ve created a free white paper on best practices in Z, and require people to sign up for my newsletter to download that white paper.
You can’t obfuscate the source of emails by generating different “from” identities or sender identities. Swapping out domain names, or who the email appears to be sent from, is immaterial. The owner of the domain(s) is at issue, not the sending domain itself [29-30]
Reported initial decisions are not final. It is always, always worth working with the CRTC, if you are one of the very rare organizations that gets to the point of having an AMP levied (see “CASL is your Old Testament God,” below). Explaining your context, pleading small-company-will-fail, and working with them to put a program in place to prevent future violations seems to be a foolproof way of getting AMPs reduced, sometimes very dramatically.
Stating the obvious, but this is a little trifecta of consent, contact info, and unsubscribe functionality – all three have to be in place for you to be compliant with CASL. You can’t mix and match.
A campaign is a violation, not an individual email. [2]
There is no conspicuous difference in the scope of campaigns, given Blackstone and later Conley/nCrowd. One send of 100 emails is “as bad” as one send of 10,000 emails on the surface; there’s no pattern evident in the decisions that show scope-based penalties.
You don’t need a price to have a CEM: if you’re offering a service and implying it costs something, that’s enough to pass a threshold of “commercial electronic message” [18]
Somebody simply publishing an email address on the Internet isn’t enough to invite solicitation; if you are pulling addresses to create a list, keep records, as you still have to make a case-by-case justification of how consent is implied. As they say in the Act, ”the onus… rests with the person relying on it.” [25-28]
As an example – and this is me extrapolating, not the legislation – I am on the Smith Engineering higher ed website as the Director, Marketing and Communications, with my email published. That makes me contactable as somebody you can email if you’re offering a product that impacts marketing and communications in higher education, but you’ll want a spreadsheet somewhere that captures that information as the reason you’re reaching out to me.
I would argue that the “in higher education” component above is relevant and important, but given the overall pattern of how legislation is enforced (see again below) I think this is in the ‘jaywalking’ category of a distinction without a difference – it’s a fine point that could be argued pushes someone into the “spam” category, but likely too minor to be meaningfully enforced. That said, please don’t spam me.
People can be pursued as individuals, which is detailed in the Act [s 32]. There is no clear line via decisions of when vicarious liability will be imposed; the Act states that explicitly in s 31:
An officer, director, agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.
To date there has been no “double dipping” where a corporation and a leader figure has been found in violation, but that doesn’t mean it will never happen.
The CRTC has been open, at least once, to alternate compensation schemes; rather than cutting a cheque to the Receiver General, 514-BILLETS issued coupons for 75% of the imposed penalty.
While rarely, s 8.1 of the Act is enforced – it’s not clear on whether the relative scarcity of enforcement is because infractions are more rare, or cases are much, much more complex and harder to investigate and pursue.
To wit, this “malvertising” case seems pretty damning on the evident facts, but poor documentation and an aggressive malware response policy within the Government of Canada made this not pursuable.
This is obviously not an open invitation to do nefarious things with computers, but a user-level caution that if you intend to file reports on malware / intrusion software / etc., be slow and cautious about how you capture information and document it.
Again reading into the tea leaves of how the Act is enforced but it feels like vicarious liability is the recourse when it seems like companies aren’t going to be around long enough to pursue / there’s an evident pattern of MBA-style shell games.
There are large and seemingly arbitrary gaps in penalties without much rationale provided for the differing amounts by the CRTC (see, again, the next section)
Vicarious liability [s 32 of the Act] is growing in use over time; either reflecting a greater focus on ephemeral companies, or an evolution in the CRTC’s understanding of what penalties will stick.
There seems to be an awkward marriage between CASL and criminal penalties for cybercrime – CASL itself expressly does not have a criminal component, and the hand-off from the CRTC investigation to the RCMP / OPP seems to only, possibly, be resulting in a criminal process four years on.
When I tabulate all issued penalties from decisions to date, I arrive at $3,163,000. Imposed penalties – admittedly with fuzzy math around coupon redemption rates for the 514-BILLETS issue – come in at $1,185,750.
The differential is $1,977,250 – about 63% of issued penalties wound up not being imposed. We’re also assuming that all imposed penalties were, in fact, paid – in several cases the companies that had imposed penalties then seem to have gone out of business, so the likelihood of the Canadian Government having seen that money is dim.
I also can’t account for about $500,000 that CRTC summaries say were imposed; more on that under “CASL as a marketing exercise,” below.
CASL as your Old Testament God
This kept running through my head as I tried to look at decisions and figure out if there was any clear logic to an external user regarding:
Who was investigated and penalized; was there a consistency in terms of numbers of complaints, egregiousness of the action, or public visibility of the offender?
When penalties were imposed, was there a clear line to draw regarding the severity of the penalty compared to the actual actions taken in violation of CASL?
As somebody raised in the church, the more I poked at it the more I felt I understood the terror of the, I don’t know, Hittites: there’s a baseline set of behaviours you’re expected to follow, but it’s impossible to know when the eye of judgment will fall upon you, and when it does, there’s no real way to predict the extent of your punishment.
Blackstone somehow finds its way to a $590,000 reduction in penalty, despite Blackstone’s only engagement as described in the decision being to complain about a deadline, file an appeal to entirely the wrong court, and then not cooperate – the CRTC actually calls them out specifically for this in the final decision [s55].
Beyond those examples, it’s hard to know how evenly the law is applied – or even what the specific triggers and determinants of a penalty are. It doesn’t feel entirely random, but since most decisions are posted without the number of campaigns or scope of sends, there’s no way to draw a line from the violation to the penalty in a way that makes sense in terms of whether it’s being evenly applied.
CASL as a marketing exercise
The other thing is that the pattern of CASL actions – from the perspective of somebody that works in marketing – seems to be more about creating the impression of enforcement than consistently and rigorously applied penalties.
Since CASL came into force in 2014, compliance and enforcement efforts have resulted in administrative monetary penalties and undertakings totalling over $3.6 million.
I can’t account for these numbers: even the $3.6 million is $0.5M higher than a manual tally of NOVs from the CRTC site (I’ve made a spreadsheet).
My own numbers land at $3,163,000 in issued penalties, but only $1,185,750 in imposed penalties – about 37% of the issued penalties wound up being actually imposed.1The imposed penalties number does include a bit of my own math, as the 514-BILLETS case resulted in the issuing of $75,000 worth of rebates, which I calculated at far less than that value in terms of what the ultimate cost to the company would have been.
But there’s also a pattern of big shock-and-awe announcements that get quietly walked back after the fact, or that lead to follow-on penalties much smaller than the initial ones:
A national-headline-grabbing $1.1M penalty for Compu-Finder, later reduced to $100,000.
Similarly, significant hay made about Brian Conley being issued an NOV as “vicarious liability”, at $100,000, but then much smaller amounts for a similar breadth of issue by fellow traveller Ghassan Halazon and the completely unrelated William Rapanos.
The “malvertising” case with Datablocks and Sunlight Media, which dropped a $250,000 penalty to nothing, while narrowing the scope of its investigation from the broad issuing of malvertising across the Internet to a lack of proof on specific Government of Canada computers.
A journey through CRTC CASL “Snapshots” show a pattern of reporting actions that weren’t actually taken under CASL – things done by the CRTC as a whole, but as far as I can tell unrelated to CASL or its enforcement.
Large-scale Bank Phishing Investigation – a criminal investigation, following reports to CASL
Using social media to warn Canadians – essentially, CRTC posted and retweeted about frauds
In the previous snapshot, the headlines are all about various CRTC activities – a CRTC decision regarding botnet blocking (its development being the sole headline of an earlier snapshot), a report on a Canadian “dark web marketplace” (actually a reference to the previous snapshot, and not new news) and vigilance over malware called QAKBOT.
And so on. I won’t blow-by-blow this, but if you go back through the snapshots, the bulk of reporting isn’t actually about CASL, but other CRTC activities.
This makes perfect sense from a certain perspective. If you’re a parent, or a teacher, or have ever run a volunteer organization, there are times when you have a rule that you can’t practically enforce, and for whatever reason the common good isn’t enough to get people to follow it. Telling people there is a rule, and enforcing it sporadically, but with harsh enough penalties that it scares everyone into compliance, makes a lot of sense.
Starting with the assumption that the CASL team is smart, works hard, and is just not adequately staffed to provide perfect enforcement nationally at all times (which would take a preposterous scaling-up), big penalty announcements with quiet walkbacks, trumpeting non-CASL achievements in a way that makes CASL look vast and vigorous, is a good move. In the day to day, risks of getting caught are relatively low (see below), but when $1M+ penalties are making the headlines, the idea of getting caught in that net is scary.
establishing whether or not the overall rate of spam is going down
gaining some understanding of the likelihood of a significant action being imposed on an organization
What have we learned?
Is spam going down?
On the first front, the answer is clearly that complaints are not going down.
Arguably there are many reasons for this – including CASL’s own effectiveness in sensitizing the public to spam and fraud, driving reporting numbers up.
But – given the sporadic nature of enforcement, and the amount of fuzziness around what CASL is claiming, both in terms of penalties and its own vs. taking credit for other CRTC activity in its snapshot – I don’t have a great feeling about it.
Maybe it can’t “work”. Maybe the digital world is too big, and too global, and evolving too fast, for us to “beat” online fraud in any meaningful and lasting way, and stemming the tide is the best we can ever hope for. I don’t have the time or resources to really meaningfully compare CASL to other national spam protection regimes, so there aren’t any comparators out there I can easily index against.
It’s possible that looking at CASL through the same lens as other public-service organizations and criteria – is crime going down, as a measure of police effectiveness; wellness and death rates, as a measure of public health effectiveness – is a fool’s errand.
This leaves me with an aggregate shrug. Does CASL work? Shrug. Could it be doing better? For sure. Should we, as a society, allocate the kinds of resources to it that it would take to do better? Shrug.
But if my read of CASL actions, and their own snapshot headlines, is correct and the slow pivot is from enforcement to awareness, and there’s been a general slide from “we can stop this” to “our best chance is to educate the public, focus only on the worst offenders, and rely on private enterprise to develop better detection and protection algorithms,” that’s a big change over the last 10 years that’s never been explicitly acknowledged.
What’s the likelihood of specific action being taken?
Low. Like, real low. The math remains 218,465 complaints per eventual financial penalty. The “lowest” threshold of effort CASL imposes, a notice to produce, still only happens once per 1000 complaints. That’s not a threshold, I’m not saying “nothing happens until you get to 1000 complaints,” that’s just how it averages out.
But, as detailed in the “Old Testament” section above, also horrifyingly arbitrary.
If I step back and squint and try to make sense of this decade of decisions, the pattern that seems to come through the fog is that getting CASL to focus on you is rare, and best-effort attempts to follow the rules seem to buy a lot of, if not absolute, forgiveness.
CASL decisions tend to land on unequivocal wrongs. There’s not a lot of stuff in the archives that suggests that they penalize innocent mistakes, or even grey-area decisions. There’s never been a decision that has come down on a public service organization, charity, or non-profit. Not to say there won’t ever be, but the focus seems to be on parties that are clearly doing wrong, should have known better, and did scammy, spammy things anyway.
Don’t break the law! Never break the law!
In principle, CASL is a good thing. It’s reasonably clear. We would all live in a better world if everyone followed these rules. So we should.
But… if you make an inadvertent mistake, or you look back at a campaign and say “oh, we should have done X,” or “I don’t know if we were in full compliance with Y,” I wouldn’t let it ruin your lunch. Learn, pull up your socks, and do better on the next one.
With text-based phishing and malware and online casinos and a whole planet of scammers, the top-of-mind analogy is the city’s on fire and there are riots in the streets. Jaywalking is still wrong, but if you forget to check the traffic lights at 2 a.m., you’re not the kind of problem the CRTC is looking for.
Wow, this went long
I didn’t mean for this to hit 3,000 words! I’ll stop here.
Next up, stepping a bit outside the review mandate, but bringing it back to my own interests: poking at whether or not students and academic institutions can be considered to be in a “business relationship,” which has a heavy impact on CASL but a lot of other things too. This might take a while. Expect more quick observations on IP, privacy and marketing in the interim while I chip away.
1
The imposed penalties number does include a bit of my own math, as the 514-BILLETS case resulted in the issuing of $75,000 worth of rebates, which I calculated at far less than that value in terms of what the ultimate cost to the company would have been.
This is part ten of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.
A quick late 2023 update: the CRTC has published an NOV for Sami Medouini for what appears to be text-based phishing campaigns; NOV below:
File No.: 9110-2021-00606
File No.: 9110-2021-00606
To: Sami Medouni
Issue Date of Notice: 11 July 2023
Summary of investigation
The Canadian Radio-television and Telecommunications Commission (CRTC) is responsible for the administration of sections 6 to 46 of Canada’s Anti-Spam Legislation (the Act), and the Electronic Commerce Enforcement (ECE) division of the Commission investigates potential violations pursuant to the Act.
In March 2021, CRTC staff launched an investigation into a series of high-volume phishing campaigns and potential violations of paragraph 6(1)(a) of the Act.
Paragraph 6(1)(a) of the Act states that it is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message (CEM) unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.
Pursuant to section 22 of the Act, a notice of violation has been served on Sami Medouni for committing six violations of paragraph 6(1)(a) of the Act.
Between 22 December 2020 and 14 January 2021, Sami Medouni sent or caused or permitted to be sent at least 31,925 phishing Commercial Electronic Messages (CEMs) without the consent of recipients, from fraudulently obtained telephone numbers.
Specifically, Sami Medouni sent the following commercial electronic messages without express or implied consent by using six different telephone numbers:
13,285 CEMs on 22 December, 2020;
18,138 CEMS between 22 and 23 December, 2020; and
502 CEMS on 14 January 2021.
In accordance with section 13 of the Act1Section 13 – Burden of proof: A person who alleges that they have consent to do an act that would otherwise be prohibited under any of sections 6 to 8 has the onus of proving it., the person who sends a CEM has the onus of proving that consent was obtained. There was no evidence obtained during the investigation to indicate that Sami Medouni obtained the necessary consent to send CEMs.
Information and evidence to support this investigation were gathered from multiple sources, including Notices to Produce pursuant to section 17 of the Act, and provided reasonable grounds to believe that, by using six separate phone numbers, Sami Medouni sent 31,925 CEMs without consent, representing six violations of paragraph 6(1)(a) of the Act.
Based on the information gathered in the investigation, the Director of the Electronic Commerce Enforcement division has issued a Notice of Violation, imposing an administrative monetary penalty of $40,000 to Sami Medouni.
Violations are connected to the number of phone numbers used — a “campaign” is a violation, not an individual message, so if Medouni allegedly bought a phone and used it to send CEMs until there were enough spam reports for carriers to block it, each phone would therefore represent a “campaign”. Ergo: six campaigns, comprised of 31K messages.
These are identified as phishing messages in the NOV itself; the CASL violation is strictly consent, but phishing is fraud under s380(1) of the Criminal Code. Unlike with Orcus, the CRTC does not mention investigations or criminal charges here.
This is only an NOV — I’ll update my overall stats when time allows, but this doesn’t change the math on final decisions (the differential between issued and imposed penalties is of interest, but I can’t update it until we get to the “imposed” part.
We’ll stay tuned on this, and move on to our wrap-up.
Section 13 – Burden of proof: A person who alleges that they have consent to do an act that would otherwise be prohibited under any of sections 6 to 8 has the onus of proving it.
Noted in passing — a PIPEDA-related FCA decision (2023 FCA 189) validating a Federal Court ruling of a “stalemate” (2023 FC 166, [102]) that gives more standing to bodies that refuse information requests because the requesting party cannot provide adequate identity verification. In this case it’s Amazon, a password reset and its identity verification steps not being followed.
I’m not a huge fan of Amazon, but on its face this seems correct. I don’t have an issue with this decision per se, but it does raise questions about what kinds of structures a company (or organization; you can see my interest in FIPPA and higher ed institutions here) can put in place to verify a user’s identity, and at what point those systems become burdensome to the point of being unreasonable for the end user.
In the FC decision, there’s an interesting point made about Amazon requiring new terms of service to be accepted as part of the verification process — again, I don’t think Amazon was in the wrong here, but the idea that terms of service can be revised, and that a user is forced to accept them to access data established under the former terms of service, doesn’t sit entirely well.
This is part nine of a multi-part series reviewing Canada’s Anti-Spam Legislation in practice since its introduction in 2014 and the beginnings of enforcement in 2015. Crosslinks will be added as new parts go up.
This is one of the rarer cases of malware under CASL; in this case the Orcus Remote Administration Tool (RAT) found by the CRTC’s Chief Compliance and Enforcement Officer to be a remote access trojan, a type of malware, confusingly also with the acronym RAT.1I don’t know if Orcus was being cute with the name, or this is just a coincidence.
This, in combination with the sale of a DDNS (dynamic domain name server) service to hackers to allow them to communicate with RAT-infected computers, resulted in two NOVs for Revesz and Griebel2Nerd note: if you’re going to be a villain, take a hard look at your last name, put the word “Darth” in front of it, and see how it sounds. If it’s credibly somebody who would wear all black and whack at people with a lightsaber, reconsider your whole deal. resulting in $115,000 in penalties — $100,000 for developing, selling and promoting malware, and an additional $15,000 for the DDNS service.
It’s pretty open and shut: clear evidence of what the RAT did, clear evidence of both Revesz and Griebel bragging on hacking forums about its ability to steal information and passwords.
Note that at the time this AMP was issued, it was for section 9 of CASL:
It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.
Canada’s Anti-Spam Legislation, s9
Per the NOV, an investigation was still underway to determine if the RAT actually been installed without consent on systems, which would be a violation of section 8:
8 (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless
(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or
(b) the person is acting in accordance with a court order.
Canada’s Anti-Spam Legislation, s8
…and unlock penalties up to $1,000,000.
The Orcus RAT seems to be alive and well as an open-source piece of software for jerks to try to use.
Some mysteries here:
The NOV has a February 2020 update that states that the time for response expired, so the issued AMP becomes enforceable:
Update 17 February 2020: Pursuant to section 24(1) of CASL, the deadline to make representations with respect to either the amount of the penalty or the acts or omissions constituting the alleged violations was February 3, 2020. Given that no representations were made, pursuant to section 24(2) of CASL, John Paul Revesz is deemed to have committed the violations and must pay the administrative monetary penalty as set out in the notice.
Where’s Griebel? Per this news story, he’s German, so that might be why he was dropped.
Stranger still: where’s the criminal charge?
$115,000 in penalties should be the least of Revesz and Griebel’s worries (if Griebel is still in play). Cybercrime is a thing, and the abovementioned news stories mention criminal charges filed by the RCMP. But the links in the stories to the 2019 RCMP press release go to a 404 page. It’s not a broken link; searching their news, there’s nothing for Revesz, Griebel or Orcus.3Testing the search function, by comparison, there’s 4,385 results for “Grand Falls,” which I used as a test because it was mentioned in the top story – now I’m deeply worried about what in God’s name is going on in Grand Falls.
There’s nothing in CanLII showing any court action: nothing relevant for the search terms Revesz, Griebel, or Orcus. Similarly nothing in WestLaw or Lexis.
UPDATE: thanks to the incredible assistance and sleuthing of the Queen’s Law Library team, I have been pointed to upcoming court dates for a John Revesz. Whether or not these are related (or even the same John Revesz; no middle name here) isn’t confirmed.
A 30-month delay between this becoming public knowledge and action being taken to stop it by Canadian authorities – and then, seemingly only $115,000 in penalties – is worrisome. The lack of any charges – or delay in bringing charges – is worrisome.
If CASL is the only mechanism taken against a Canadian promulgating hacking tools, that’s troubling. The scope of these is CASL, and I don’t want to go too far down a rabbit hole about how cybercrime is prosecuted, but a scheme designed at its heart to deal with spam shouldn’t be our first and last line of defense against malware created and propagated here in Canada.
And – finally – the fact that this is only $15,000 more than Conley and nCrowd is an eyebrow-raiser as well. In the latter case, a very scammy cluster of shady companies sent out a lot of spam emails to try to get people to buy deal coupons of very limited utility. In this case, malware was unleashed on the Canadian public and promoted to hackers globally. The consequences of buying a bad coupon from a deals site versus giving hackers total access to your computer, which could easily extend to identity theft and all your banking information, is a huge gulf.
This doesn’t feel like a $15,000 swing to me, but that might be attributable to the fact that this is only a s9 violation and an investigation is still, per the NOV from almost four years ago, underway to see if Revesz also violated s8.
If nothing else, this has convinced me to keep my antivirus and malware checkers up to date.
Issued penalty: $115,000
Final penalty: $115,000
Total issued AMPs: $2,782,000
Total imposed AMPs/monetary penalties: $1,068,250
Differential: $ 1,713,750
September 21, 2020
What is it with not-quite-education companies in this space? Compu-Finder, Blackstone, and now a $100,000 penalty levied against OneClass, a service that connects students with user-generated study guides, lecture notes and video tutorials. Decision here, plus a press release.
This seems open and shut: OneClass sent CEMs without recipient consent, and (allegedly) installed a Chrome extension that harvested personal information including usernames and passwords on students’ computers. U of T still has a news piece up instructing students of the phishing email: in essence, it looks like it would access the user’s Blackboard class lists to send emails to all classmates inviting them to join OneClass. The U of T item also has instructions on how to remove it. As phishing goes, this is on the spammy but not super harmful end of things.
Brewer committed violations in two categories – affiliate marketing, earning a commission from CEMs sent without consent to recruit people to an online gambling site, casinoonlinesoftware.com, and direct web marketing for his own online marketing and web business.
The CRTC apparently only investigated three of Brewer’s campaigns, topping 600K emails, despite
Corroborating information reviewed during the investigation indicated that Brewer may have been responsible for sending, causing or permitting to be sent, several million non-compliant CEMs. During a sample period in the investigation, approximately 11 million emails were sent from Brewer’s IP address over a 24 day period.
This, called a “hailstorm campaign,” prompted a press release from the CRTC claiming this as the “largest ever penalty to an individual for sending messages without consent”. Which seems odd, as Brian Conley was subject to $100,000 under vicarious liability for similar violations two years before. Key quote from the Chief Compliance and Enforcement Officer from that release:
“Spam campaigns, such as those carried out by Mr. Brewer, are disruptive to Canadians and undermine their confidence in electronic commerce. Obtaining consent is a fundamental principle of Canada’s anti-spam legislation. The penalty issued today demonstrates that individuals are just as accountable as businesses and must respect this principle.”
And then, 10 months later, it’s no longer a $75,000 penalty, but one for 10% of that amount. The final undertaking says:
Brewer cooperated with the CCEO, provided new information not previously available to the designated person, and has voluntarily agreed to resolve the CCEO’s outstanding concerns regarding compliance with the Act and the Regulations (CRTC).
And later, that the $7,500 penalty
…fully and completely resolves all outstanding issues between the Commission and Scott William Brewer with respect to his compliance with the Act and the Regulations (CRTC) in relation to the CCEO’s investigation into the sending of CEMs during the period of 1 December 2015 to 23 May 2018 and up to the effective date of this undertaking.
Scott seems to be doing fine, with a business pivot to site-building for SEO and sales conversions, per his LinkedIn profile.
Issued penalty: $75,000
Final penalty: $7,500
Total issued AMPs: $2,957,000
Total imposed AMPs/monetary penalties: $1,175,750
Differential: $ 1,781,250
December 6, 2021
A $200,000 imposed AMP to the Gap, for a marketing campaign including its subsidiaries Banana Republic and Old Navy – CEMs without consent and without an unsubscribe mechanism.
Gap seems to have agreed with the CCEO, agreed to pay, and implement a compliance program.
No specifics in the NOV, unlike previous decisions that articulated a number of campaigns or messages; here’s the decision in full:
Undertaking: Gap Inc., File No.: 9110-2021-00605
Undertaking: Gap Inc.
File No.: 9110-2021-00605
Effective date of undertaking: 6 December 2021
Monetary payment amount: $200,000
Under section 21 of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, C. 23 (CASL, or the Act)
Person entering into an undertaking
Gap Inc.
Acts and omissions covered by the undertaking and provisions at issue
Gap Inc. has voluntarily entered into an undertaking with the Chief Compliance and Enforcement Officer (CCEO) concerning alleged violations of paragraphs 6(1)(a) and 6(2)(c) and subsections 11(1) and 11(3) of the Act.
Following an investigation, the CCEO alleged that commercial electronic messages (CEMs) were sent or caused to be sent by Gap Inc., between 7 January 2018 and 11 August 2021 to promote sales for Gap Inc. as well as for subsidiaries Banana Republic and Old Navy, without consent from recipients and/or not including an unsubscribe mechanism which could readily be performed,.
Amount owing and summary of other conditions
During the course of the investigation, Gap Inc. has cooperated with the CCEO. Gap Inc. has voluntarily undertaken, pursuant to section 21 of the Act, to resolve the CCEO’s outstanding concerns regarding Gap Inc.’s compliance with the Act and the Electronic Commerce Protection Regulations (CRTC), SOR/2012-36 (the Regulations (CRTC)), including undertaking to comply with, and ensuring that any third party authorized to send a CEM complies with the Act and Regulations (CRTC).
As part of this undertaking, Gap Inc. agreed to make a monetary payment of $200,000 to the Receiver General for Canada in accordance with subsection 28(3) of the Act.
In addition to the monetary payment, and in order to promote compliance with the Act and the Regulations (CRTC), Gap Inc. undertakes to update its compliance program addressing the sending of CEMs. This compliance program has included or will include:
corporate compliance policies and procedures;
training and education for employees of Gap Inc.; and,
monitoring, auditing and reporting mechanisms.
In addition, Gap Inc. will monitor and review its policies and procedures to determine whether any have the effect of providing incentives for employees to violate the Act and the Regulations (CRTC) and, if so, Gap Inc. undertakes to eliminate such incentives.
Gap Inc. will also develop and provide periodic training programs, which include compliance procedures and processes to comply with Act, for employees involved with commercial electronic messages and related compliance.
Finally, Gap Inc. will register and track CEM complaints and the subsequent resolution of those complaints. Gap Inc. will also implement effective corrective measures for compliance failures and within six months of the effective date of the undertaking will supplement the information it has already provided to the CCEO of the corrective measures already implemented to date, as well as information supporting any updates to its Compliance Program.
This undertaking fully and completely resolves all outstanding issues between the Commission and Gap Inc. with respect to Gap Inc.’s compliance with the Act and the Regulations (CRTC) in relation to the CCEO’s investigation into the sending of CEMs for the period up to and including the effective date of this undertaking.
Straightforward.
And here, for the last time (as of August 2023, with the Brewer decision in 2022 being the final one reported4UPDATE: This is no longer true; there is a July 2023 AMP, reported in late October 2023: 18 months since the last reported CASL enforcement decision, which is the longest gap in its history.), is the tally:
Issued penalty: $200,000
Final penalty: $200,000
Total issued AMPs: $3,157,000
Total imposed AMPs/monetary penalties: $1,375,750
Differential: $ 1,781,250
The difference between the imposed and issued penalties is greater than the penalties imposed, which is interesting.
A quick stop off with a relatively recent NOV, and then we’ll sum all this up.
I don’t know if Orcus was being cute with the name, or this is just a coincidence.
2
Nerd note: if you’re going to be a villain, take a hard look at your last name, put the word “Darth” in front of it, and see how it sounds. If it’s credibly somebody who would wear all black and whack at people with a lightsaber, reconsider your whole deal.
3
Testing the search function, by comparison, there’s 4,385 results for “Grand Falls,” which I used as a test because it was mentioned in the top story – now I’m deeply worried about what in God’s name is going on in Grand Falls.
4
UPDATE: This is no longer true; there is a July 2023 AMP, reported in late October 2023: 18 months since the last reported CASL enforcement decision, which is the longest gap in its history.
