A few days ago, a Naked Security reader sent us a spammy-looking email that he assumed was some sort of phish, or at least the start of some kind of social engineering exercise intended to induce him to visit an unwanted website.
You may have received something much like it yourself:
WE REQUIRE YOUR CONSENT
You rely on Xxxxxxx for direct-from-source news, product announcements, media advisories and other relevant communications sent on behalf of companies across Canada, the US and worldwide. Canadian e-communications laws are changing on July 1, and we want to ensure your uninterrupted receipt of the news and information that is important to you.
New Canadian legislation requires you to take immediate action.
Please click the 'Say Yes Now' button below and confirm your consent to continue receiving news releases and communications from Xxxxxxx. If you do not take this step before June 30, you will no longer receive company information and breaking news from us.
It was from a Canadian company he didn’t recall ever having done business with, or having agreed to receive emails from, and it was leaning on him pretty heavily to SAY YES NOW.
We didn’t think too much more about it until a couple of days later, when we received our very own copy of this message.
It seems that the message is legal and true, if mightily unconvincing. (How do they know we “rely on” their service when we have never interacted with them in any way we can recall?)
Canada goes opt-in
Canada is indeed finally switching over to opt-in spam laws, as we wrote about in upbeat hope back at the end of 2010, and again with mild dismay last year.
It’s been a long, long, long time coming, but Canada really does go “strictly opt-in” on this year’s Canada Day, 01 July 2014.
Eleven years after Australia led the way, Canada will finally require that consent in respect of spam actually means consent in some meaningful way, so that:
- You can spam me only if I give you permission to do so first.
- You have to identify yourself, and the company on whose behalf you are sending your spam.
- You have to give me a reliable way to withdraw my consent (i.e. to unsubscribe).
Notably, as the Canadian government’s FAQ makes abundantly clear, consent means “express consent,” so that you can’t be sucked into consenting as some kind of default:
Silence or inaction on the part of the end-user also cannot be construed as providing express consent. For example, a pre-checked box cannot be used, as it assumes consent.
Rather, express consent must be obtained through an opt-in mechanism, as opposed to opt-out.
Not that the Canadians are in any real hurry now that this regulatory change has finally worked its way through the Canadian legislative system.
“Knowing that people and businesses may need to change their practices,” the Canadian public service cheerily reminds us, “the legislation includes a transitional provision that relates to the consent requirement.”
In short, at least by our reading (please correct us in the comments if we have misinterpreted this part of the law), if you already have someone on your email list…
…you have three more years to get their express consent before you actually have to take them off your list.
Unless they opt out within that three year period, of course.
So the new spam law doesn’t get any real teeth until 01 July 2017, as we lamented might happen exactly a year ago today.
One of the ways a lot of this could be made easier is if organisations used good “domain hygiene”. Thus if you are going to use “Mxxxxxxx” to send newsletters, surveys, spam etc. on your behalf you should have a note to that effect on your website (probably on a page – “Third parties”? – linked to the footer like “Legal” “Contact us”, “About”, “Privacy” etc. )
Then when I get an unexpected email from “Mxxxxxxx” who seem to know me, if “Mxxxxxxx” includes a clue in the email subject as to who they are sending the email on behalf of, I can then go off to that *known* website and check their third party page and get some idea *if* the email *may* be legit. It should be in organisations’ best interests to do this as it will increase the likelihood of such emails not ending up in the spam bin.
Whilst doing this I would also like to see organisations declare other internet addresses that they use. So I know open.ac.uk as a legit reputable university in the UK where I have studied – but what about open.edu or openuniversity.com? I could (and probably should) do whois type enquiries but if the main website (open.ac.uk) listed all valid websites it would make life much easier. I took this up with safecomputing.open.ac.uk (their internet security “Safe Computing Bulletin” team) many years ago after they had recommended being suspicious of familiar but slightly different domains!
And whilst I am at this let’s get the other gripe (in this area) off my chest:
Can all websites indicate which third party sites they use to assemble their webpages and why. Like many I use noscript but have to allow some sites to make certain pages work.
wordpress.com wp.com – fairly obvious, but
d7x5nblzs94me.cloudfront.net ? (Shift clicking is not that illuminating!)
twitter.com – do I have to allow this? etc.
gripe off
You’ll find the information you’re looking for on our cookies and scripts page
http://nakedsecurity.sophos.com/cookies-and-scripts/
If we’ve missed anything please contact tips@sophos.com
Thanks – this is the sort of page that is useful – although it is a bit worrying how long it needs to get to explain everything that is going on! Are some web-developers just trying to be a bit “too clever”?
The add-in suggestions are useful as well.
d7x5nblzs94me.cloudfront.net?
As the internet is global does this prevent a non-Canadian company from spamming Canadians?
Haven’t received my notice from SOPHOS yet 🙂
If you have already given someone consent to ~~spam you~~ send you useful and informative electronic messages (and I am pretty sure Sophos has always been opt in worldwide, whether the law required it or not), then the new Canadian law clarifies that there is no “timeout.” As long as you can unsubscribe at will, and the company spamming you doesn’t try to hide its identity, “explicit consent” never expires.
…and reputable companies don’t sell their mailing lists. Thank you for this meaningful update.
consent is useless, all sites will do is what they do with cookies and say if you want to use this site you consent to cookies and spam!
I haven’t read the law, but I don’t think that would meet the definition of “express consent”.
Cookies are stored on your computer. You can delete them at your discretion, and even if you don’t, they only come back into play when you later browse back to the same site that set them.
So they are very different to consenting to spam, which authorises a company to keep sending you email from their servers, when they choose. There is nothing on your end you can delete to stop them sending the spam.
This law therefore says that simple click-through consent is not “express consent” when it comes to spam. (Check the FAQ I linked to above. It makes this clear.)
The article talks as if SPAM includes all commercial email, this is pretty scary from the business end. To me, SPAM constitutes UNSOLICITED email – as in someone buys my address as part of a list and I have never had any contact with the business sending the email.
If I’m reading this right it’s one more reason to wish very bad things on the true spammers as they have shifted their costs onto legitimate business who was already compliant.
This law will only shift costs onto legitimate business that still send you emails without getting permission up front.
The days of “asking for forgiveness not permission” to spam you are over.
Where do you get “the new spam law doesn’t get any real teeth until 01 July 2017”?
The law was passed in Dec 2010 and comes into effect July 01, 2014. So people have in fact had 3.5 years to get ready. If they had until 2017 we would have the flurry of activity we have now.
The only other date I saw was Jan 15, 2015 when the Act related to the unsolicited installation of computer programs or software come into force.
From the FAQ linked to above:
“Under section 66, consent to send commercial electronic messages (CEMs) is implied for a period of 36 months beginning July 1, 2014, where there is an existing business or non-business relationship that includes the communication of CEMs.”
You might equally well explain the current flurry of CEMs on these grounds:
“The EBR or Non EBR must be created prior to the coming into force of section 66 (i.e. 1 July 2014) in order to rely on the 3 year transitional provision.”
My non-lawyerly eyes read that to imply that as long as I’ve spammed you before Canada Day 2014, I can keep spamming you, including spamming you to ask you to opt in for ever, for a further three years. But if I haven’t spammed you before Canada Day 2014, you enjoy the protection of the new law from that day forward, so I can’t spam you at all, not even to ask you once, politely, if you want to be spammed again.
Paul, to my understanding, spamming someone does not constitute initiation or renewal of EBR/non-EBR. So no, your last paragraph wouldn’t apply. That’s why everyone wants so bad for you to opt-in, otherwise they could soft-pedal it a bit more knowing they can always ask later.
At least that’s how I interpret things.
OK, perhaps I was a little facetious above…but the FAQ seems perfectly clear to me that if you already have an EBR/non-EBR (which does not need “renewing”, but an effort to do so would surely count as some sort of evidence than a relationship existed – and as you pointed out elsewhere, the onus of proof is on the sender), then *you have another three years to get your house in order.*
The FAQ even explicitly mentions that it is OK to use the three-year “sunrise” period to invite people already on your mailing list to opt-in for good – which means, yes, you *can* always ask later.
If I had to guess, or at least hope, I’d suggest that most of the organisations now sending a flurry of “please opt in” messages are the ones who are reputable enough to fit in with the spirit and the letter of the law from 01 July 2014, but who were unwilling to start complying voluntarily and proactively back in 2010.
I’m glad for this, although it does mean I have a bunch of extra work to do at my organization, in terms of tracking the consents, the timeouts, and logging each and every time we send a “commercial electronic message”.
The headline for this article is a bit misleading. The law generally has a two year “implied consent” window and the transition is to extend it to “three years”. As of next Tuesday though, all such emails will have to have an Unsubscribe link that must kick in within 10 days. That is, implied or express consent can be withdrawn whenever you choose.
As well, as of July 1, 2014, any email you get from a company you’ve really had no interaction with will have to be able to prove they have your implied consent or they will be in violation of the law.
The potential penalties are steep: $1M for individuals and $10M for organizations.
It will be really interesting to see the first penalty applied.
Perhaps the word “comply” in the headline is the wrong word. As you suggest, you can _comply_ with the letter of the law even if you don’t switch your entire email operation to “opt in” on 01 July 2014.
I am trying to think of another word to mean that the law is pretty much all about consent and “blanket opt-in”, but will not actually enforce opt-in as a universal rule for three more years. (Yes, you will have to have a proper opt-out now in every email, but only from 01 July 2017 will there finally be no-one left to email on an opt-out basis.)
I replaced the word “comply” in the headline with the term “grace period.” I think that’s a bit clearer.
Three years is still an absurdly long time – don’t get me wrong here – but I think you could, if you wanted to, be in compliance with the letter of the law despite not having adopted opt-in throughout your business.