Targeting the “Middle-Man”: Intermediaries Face $250,000 in Penalties for Aiding “Malvertising” under CASL

By Miranda Lam, Charles Morgan, Jade Buchanan and Gianluca Mazzanti

CASL compliance has turned to a new group of actors: the service and infrastructure providers that spammers and fraudsters utilize to perpetrate CASL offences. Two advertising services providers, Datablocks, Inc. (“Datablocks”) and Sunlight Media Network Inc. (“Sunlight”), are facing a total of $250,000[1] in administrative monetary penalties (“AMPs”) for allegedly violating CASL due to malware that was installed without consent. The catch? Sunlight and Datablocks did not install any malware (but their clients did). In a first for CASL enforcement, Sunlight and Datablocks are accused of aiding in the installation of a computer program without consent, and that aiding is itself a CASL violation.

The Case

In its summary of investigation, the Canadian Radio-television and Telecommunications Commission (“CRTC”) alleges that Datablocks and Sunlight enabled their clients to install malware on users’ computers without consent. Datablocks and Sunlight each supplied components of an online advertising network. Their clients used that advertising network to publish malicious advertisements (known as “malvertising”) on legitimate websites. The published malvertisements directed users to the client’s website, which installed the initial malware that was ultimately used to install ransomware.

Datablocks/Sunlight’s unnamed clients are alleged to have violated section 8, which prohibits installing a computer program without consent from the owner or an authorized user. The CRTC is alleging that Datablocks/Sunlight aided those clients and, in doing so, violated section 9 of CASL:

9. It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.

The CRTC cited a range of acts and omissions in alleging that Datablocks/Sunlight aided their clients’ CASL violations, which go beyond being an unsuspecting intermediary. Sunlight offered an ad network – which is vulnerable to malvertising. It offered its services to known malware distributors and supported the anonymity of its clients, including “accepting unverified aliases and suspicious signups, as well as using cryptocurrency payment methods”. “Datablocks maintained its business relationship with Sunlight Media, disregarding their non-compliant practices.” Both companies ignored warnings that their services were used by malicious actors, including a notice from the Canadian Cyber-Incident Response Centre. Both companies also failed to take other steps to prevent and monitor for abuse by malvertisers.

This story may evolve because the CRTC has only issued Notices of Violation. Datablocks and Sunlight have the opportunity to respond and, if they do, the CRTC has to issue a written decision on whether or not a violation occurred and, if so, whether the AMP should be maintained, reduced or waived.

What This Means for Service/Infrastructure Providers

CASL enforcement is a real threat to online intermediaries, including organizations that provide advertising networks, infrastructure, or mailing services. While it is to be seen how broad the CRTC will read the word “aid” in section 9 of CASL, it is safe to say most intermediaries are an easier target than clandestine malicious actors. If you provide services that could be used to violate CASL (for example, by spreading malware or sending spam) you need a CASL compliance strategy that includes:

• Robust monitoring and early detection/warning systems;
• A formalized process to allow reporting of abuse; and
• Strong internal governance processes that bring notices of potential violations and warnings to the attention of the appropriate personnel and escalates accordingly.

The risks of non-compliance include:

• Administrative monetary penalties – The Datablocks/Sunlight cases suggests these can easily be $150,000 (and up to $10,000,000);
• Investigation costs – As in previous cases, the CRTC has shown it is not shy about using its powers to produce evidence and obtain and execute search warrants. These investigations are disruptive and costly; and
• Reputational damage – No matter the outcome, Datablocks and Sunlight may be linked to malware, potentially harming their relationship with legitimate customers (and suppliers for that matter).

Finally, when CASL was first introduced, the government stated that CASL’s goal was to curb “the most harmful and misleading forms of online threats” by prohibiting “damaging and deceptive spam, spyware, malicious code, botnets, and other related network threats”.  Nevertheless, the CRTC’s initial CASL-related notices of violation, undertakings and decisions all related to alleged violations of Section 6 of CASL (which is unrelated to misleading or deceptive spam, spyware or malicious code).  With the issuance of these two notices of violation to Datablocks and Sunlight Media, it would appear that the CRTC has begun to focus its attention on giving effect to the initially stated purpose of the law.

If you need help with your CASL compliance program, or to learn more about our firm’s Cybersecurity, Privacy, and Data Management expertise, please visit our group’s page.

[1] $150,000 to Sunlight and $100,000 to Datablocks