For the London Free Press. March 21, 2011
Read this on Canoe
The anti-spam bill — Bill C-28 — was passed in December and is expected to be in force later this year. The main goal of the Act is the prevention of spam, but it also contains anti-spyware provisions.
Canadian software creators — indeed any entity selling software to Canadians — will need to review the Act, given the significant potential fines and consequences to directors and officers if there is a violation.
The goal is to eliminate the spyware, malware, and other malicious software which has essentially gone unregulated.
You might recall the Sony copy protection rootkit scandal which occurred in 2005 where Sony music CD’s automatically installed digital rights management software on users’ computers without their knowledge or consent. This software made operating systems more vulnerable to third-party attacks and could be used to collect and transmit information about computer use back to Sony. Under the act, such practices will be prohibited.
The Act applies to all software — good or bad — installed on someone’s computer. The definitions include any electronic instructions that execute to perform a function on any device capable of executing them.
That is extremely broad. It will include software installed on things such as smart phones, tablets, e-book readers and– since almost everything includes some kind of computing power these days — even things such as PVR’s and cars.
The Act prohibits the installation of computer programs and the transmission of electronic messages from a computer program unless the creator of the software has the express consent of the owner or authorized user of the computer system.
Express consent may only be obtained if there is a notice to the user containing prescribed information about the software, and clearly and simply describes the function and purpose of the program or program update to be installed.
In addition, if a program performs certain undesirable functions then more prominent and explicit disclosure is required. The Act contains a list of undesirable functions often found in spyware, malware, and other types of malicious software, including:
Collecting personal information stored on the computer;
Interfering with the authorized user’s control of the computer;
Unknowingly changing or interfering with data;
Unknowingly changing or interfering with settings, preferences or commands;
Causing the computer system to communicate with another computer system; and
Installing a program that may be activated by a third party without the user’s knowledge.
If software contains one of these functions, the program distributor must clearly and prominently bring to the attention of the user the reasonably foreseeable impacts of these functions.
Software vendors will have to consider how their software works, how the Act might come into play, and what permissions are required. They may need to amend their end user license agreements (EULAs) to comply. Some circumstances will require specific permission with full disclosure before the change can be made, regardless of the contents of a EULA.
Software vendors may want to consider whether changing from a traditional installed software model to a hosted SAAS or cloud model will avoid some of these issues.