As people spend more time on Web-connected computers and mobile devices, "malware" is an increasing concern. The latest provision of Canada's anti-spam legislation (CASL), which comes into effect on Thursday, will attempt to crack down on that.
Malware is not just a concern for consumers; who want to protect their smartphones, laptops and tablets. Since it is a culprit in online advertising fraud, malware – malicious software that can infect those devices and perform actions without their users' knowledge – is also a preoccupation of the global advertising industry.
At the current rate, observers have estimated ad fraud will sap legitimate businesses of $6.5-billion (U.S.) this year. Malware is a key fraud tool, because infected computers can be used as "bots," pretending to click on ads and luring advertisers to spend money on dubious websites – often, websites that no human actually visits.
"We are brainstorming how we can address the question of fraud," said Bob Reaume, vice-president of policy and research with the Association of Canadian Advertisers. "This can only help. Part of the formula is enforcement."
A complication for the Canadian law is that, as with spam e-mails – the first activity that CASL began to police when it came into effect in July – the worst malware that affects Canadians often comes from overseas. The Canadian Radio-television and Telecommunications Commission, which oversees the law along with other government agencies, has been working with counterparts in countries such as the United States and Britain, as well as with the International Criminal Police Organization (Interpol).
The legislation also has an effect here at home.
Advertising on mobile devices is of particular concern as more marketers create mobile applications to connect with consumers in new ways. Starbucks Corp.'s app lets people earn loyalty rewards and pay with their devices, for example. Nike Inc. has created apps to help people through their workouts (and build connection to the brand along the way).
When customers choose to install apps or other programs themselves, there is no concern under CASL (as long as they are not infected with malware). However, when apps take actions automatically – such as updating the software, installing programs on other devices, or collecting personal information – their creators will need to ensure that users know about it.
"If they are collecting personal information, they have to state that when they seek consent, and explain what the impact of that is on the operating system of the device," said Manon Bombardier, the CRTC's chief compliance and enforcement officer.
Many apps collect personal information, sometimes to sell advertising within the app to brands that want to target specific audiences. User consent is an continuing issue: increased transparency from app makers is something Canada's Privacy Commissioner has also called for.
"That can be tricky because in most cases, you are acquiring them through a third-party program, such as Google Play or the [Apple Inc.] App Store, and they control how all apps get marketed and sold," said David Elder, a lawyer with Stikeman Elliott LLP who has advised the Canadian Marketing Association on the impacts of the law.
"You've got a defined amount of space, and a format ... In a lot of those cases, information like this, including privacy information, is way down. You have to scroll quite a way to find it. They would have to do better than just having a link you follow."
Lawyers point out that there are certain characteristics of malware that can also apply to legitimate programs: it is common, for example, for apps to automatically send information about glitches to their creators. More transparency about these functions is required, and the devil is in the details.
"If there is invasive functionality that is contrary to the reasonable expectations of a user, there are additional consent requirements," said Adam Kardash, a partner and expert in privacy and data management at Osler, Hoskin & Harcourt LLP and special counsel to the Interactive Advertising Bureau (IAB) Canada. "… One of the invasive functions that is listed is the collection of personal information. Many apps collect personal information. Is it contrary to reasonable expectations? At minimum, marketers are going to have to be very careful, even in the self-install context, to make sure they're very transparent, and open and clear, at least in the installation phase."
As with CASL's rules against sending unsolicited e-mail messages, the CRTC has said punishments will fall on the worst offenders. Others may be given notice that they are not in compliance with the law, and a chance to change that.
"Our approach is going to be measured and proportionate," Ms. Bombardier said. "We're there to encourage compliance. We're not there to punish."