On July 11, 2018 the Canadian Radio-Television and telecommunications Commission (CRTC) issued a notice ad summary of their most recent actions under CASL. Allegations against Datablocks Inc and Sunlight Media Inc focus on the violations committed under sections 8 and 9 of the act.

According to the summary written about this case the Angler malware was distributed via the Datablocks Real-Time Bidding (RTB) solution and the Sunlight Media Ad network. What makes the Angler malware dangerous is that it acts as a backdoor to install further malware on an already infected computer such as cryptolocker (ransomware), key-loggers to steal sensitive passwords or information, and other types of popular malware.

As a quick refresher section 8 deals with the installation of computer programs on an individual’s computer without their consent, in this case the allegations refer to malware served via an ad network being installed on a computer located in Canada. Section 9 deal with the concept of ‘aiding and abetting‘ in a violation of section 6 through 8.

The companies allegedly violated Canada’s anti-spam law in the following ways:

  • Sunlight Media accepted unverified, anonymous clients who used their services to distribute malware.
  • Datablocks provided Sunlight Media’s clients with the necessary infrastructure and software to compete in real-time for the placement of their ads, which contained malware.
  • Neither Datablocks nor Sunlight had:
    • written contracts in place with their clients that would bind them to comply with Canada’s anti-spam law
    • monitoring measures in place governing how their clients use their service, or
    • written corporate compliance policies or procedures in place to ensure compliance with Canada’s anti-spam law.
  • After being alerted in 2015 to reports by cybersecurity researchers, and made aware in 2016 by the CRTC, neither company implemented basic safeguards, which are well known to the industry.

Steven Harroun, Chief Compliance and Enforcement Officer, CRTC had this to say “As a result of Datablocks and Sunlight Media’s failure to implement basic safeguards, simply viewing certain online ads may have led to the installation of unwanted and malicious software. Our enforcement actions send a clear message to companies whose business models may enable these types of activities. Businesses must ensure their commercial activities do not jeopardize Canadians’ online safety.

Datablocks and Sunlight Media are required to pay $100,000 and $150,000, respectively, in penalties and have 30 days to file formal written responses to the CRTC or pay the penalties associated with the report.

Lessons from this finding include:

  • Your network is responsible for the actions that occur on it
  • Failure to action on information showing that there is a warning potentially grounds for aiding in the illicit activity
  • Having a plan in place and following it when you identify or are made away of an ongoing violation could cause a violation of your own