Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Canada Prohibits Installation of Software, Updates Without Consent

A new provision in Canada’s Anti-Spam Legislation (CASL) prohibiting the installation of software without consent from the device’s owner came into effect on Thursday.

A new provision in Canada’s Anti-Spam Legislation (CASL) prohibiting the installation of software without consent from the device’s owner came into effect on Thursday.

According to the Canadian Radio-television and Telecommunications Commission, the new rule applies when someone installs or causes the installation of software on another individual’s device in the course of commercial activity.

One example provided by the commission involves websites that automatically install software on visitors’ computers without their consent. This likely refers to websites that serve malware and adware. However, the law also prohibits software updates and upgrades without getting consent from the owner or authorized user.

Software “caused to be installed” can include the installation of malware bundled with apparently legitimate applications, or the installation of concealed software from music CDs, the commission said.

“Usually, CASL requires you to obtain consent from the owner or another authorized user of the computer or device prior to the installation of a computer program. However, in some circumstances, you are considered to already have consent without having to request it” read the requirements for the new rules.

The list of programs that can be installed without requesting consent consists of cookies, HTML, JavaScript, operating systems, applications that are executable through a piece of software that was already consented to, and updates designed to fix bugs. Telecoms service providers can also install software to protect their infrastructure against security threats, and updates/upgrades for their network.

However, companies are warned that these types of programs can only be installed if the user’s conduct indicates that they consent to it. For instance, if JavaScript and/or cookies are disabled by the user in the Web browser, it indicates that they don’t agree with the installation of such elements.

As far as updates and upgrades are concerned, software providers need consent from the device’s owner before installing them if the program was self-installed by the user. However, companies can seek consent for all future updates and upgrades when they request the initial consent to install an application.

Advertisement. Scroll to continue reading.

For software installed before January 15, 2015, updates and upgrades are allowed without seeking consent until January 15, 2018. Until this date, the user’s consent is implied, unless they specifically state that they no longer agree to the installation of future updates.

The consent request must include the reason for seeking consent, the company’s name, contact information, and a general description of the program. Users must also be informed that they can withdraw their consent. In addition, the provider must clearly specify if the application is designed to collect personal information, if it interferes with the user’s control of the device, if it changes settings or preferences, if it obstructs, interrupts or interferes with the user’s access to data, if it installs third-party programs, or if it causes the device to send messages to other computers.

Canada’s anti-spam legislation came into effect on July 1, 2014. For serious violations of the law, penalties can be as high as CAD$ 1 million for individuals and CAD$ 10 million for businesses.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Compliance

Web scraping is a sensitive issue. Should a third party be allowed to visit a website and use automated tools to gather and store...

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...