The computer program provisions in Canada’s anti-spam law (CASL) are very hard to apply in practice. One of the most difficult interpretive challenges involves determining what the phrase “install or cause to be installed” means. CASL only applies where a person installs or causes to be installed a program on someone else’s computer. The CRTC released a Guideline that attempts to clarify what CASL means by that phrase. In information sessions last week to IT.Can and ITAC members, Dana-Lynn Wood and Lynne Perrault of the CRTC attempted to provide even further guidance on this issue. However, after fielding a series of questions on the issue, they agreed the issue was still unclear and that it was necessary for them to give further consideration to the issue.
The Guideline and examples discussed at the information sessions included the following scenarios:
- A person downloads a program from a website.
- A person downloads a program from a website. While doing so, the website operator covertly or surreptitiously pushes another program, malicious or not, to a user. This includes additional executable files during the install process that were not disclosed to the user that the user would not reasonably expect.
- The program downloaded by a user from a website contains an undisclosed secondary function including but not limited to a Section 10(5) feature (requiring enhanced disclosure) or a function that the user did not reasonably expect.
- A user installs a program from media like a CD on his/her own computer.
- A user installs a program from media like a CD on his/her own computer. While doing so, the installation program also covertly or surreptitiously installs another program, malicious or not, on the user’s computer. This includes additional executable files added during the installation process that were not disclosed to the user and which the user did not reasonably expect.
- The program self-installed by the user also contains an undisclosed secondary function including a Section 10(5) feature or a function that the user did not reasonably expect.
The CRTC views the download and self-install scenarios contained in examples 1 and 4 to be outside of CASL. In their view, the software vendor or publisher neither installs nor causes these programs to be installed. This is consistent with the statement in the RIAS that said “CASL will not apply to installations carried out by persons on their own computing devices”.
However, the CRTC suggested that in each of the other examples, the vendor or software publisher (and the CRTC is still thinking through which it would be in any given case) has caused the second program or secondary program feature to be installed.
One can understand how, in example 2 above, where a user who intends to download one program gets another one covertly pushed to him or her, the CRTC could say that someone other than the user has caused that program to be installed on the user’s computer. However, the legal basis for all of the positons taken by the CRTC is not immediately apparent and is open to doubt.
The ordinary meaning of the term “install” is to make a machine ready to be used. See, Merriam Webster Online. In the computer program context, making a program ready for use includes at least the act of making the program ready for execution. See, Wikipedia Installation (computer programs). The term “causes” invokes a concept of causation. CASL is not explicit as to whether the term is meant to refer to causing another person to do the act of installation, or refers instead to a person engaging in an act that has a sufficient causal nexus, link, or contribution to the act of installation. The CRTC appears to be interpreting the phrase to include at least the latter type of activity. If so, it would be useful to understand how the CRTC views the concept of “cause to be installed” and how it differs from the term “install” which at least implicitly also connotes acts of causation.
A significant problem with the interpretation of the phrase by the CRTC is that the words “cause to be installed” do not contain any reference to the state of mind of the person receiving the computer program. It is thus hard to understand how the CRTC could read such a requirement into Section 8. Further, the concept of what users may reasonable expect is a feature of Section 10(5) (enhanced disclosure) and Section 10(8) (deemed express consent). It is thus even much more difficult to comprehend how a reasonable expectation or knowledge requirement could be read into the words “install or cause to be installed” in Section 8.
Similarly, the premise that disclosure of secondary functionality is relevant to the question of whether a person has caused to install a program also cannot withstand scrutiny. Section 8 is clear; the only time a disclosure is required is when a program is installed or caused to be installed. Disclosure of a program’s secondary functions does not become relevant (if it ever even becomes relevant if there is no Section 10(5) feature) unless the program has been installed or caused to be installed by a person.
The CRTC, having come to the conclusion that user downloads and self-installs are exempt from CASL, is apparently trying to create several liability windows where it believes CASL should apply. While that may be laudable, contorting the interpretation of CASL to achieve a results oriented enforcement framework, only raises more questions and makes compliance with the Act that much more difficult by those who want to comply with the law, as enacted by Parliament.
For a summary of the CRTC guideline on computer programs, see, CASL computer program guidance from the CRTC.
For more information about CASL, see CASL: the unofficial FAQ, regulatory impact statement, and compliance guideline.