Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Canada Prohibits Installation of Software, Updates Without Consent

A new provision in Canada’s Anti-Spam Legislation (CASL) prohibiting the installation of software without consent from the device’s owner came into effect on Thursday.

A new provision in Canada’s Anti-Spam Legislation (CASL) prohibiting the installation of software without consent from the device’s owner came into effect on Thursday.

According to the Canadian Radio-television and Telecommunications Commission, the new rule applies when someone installs or causes the installation of software on another individual’s device in the course of commercial activity.

One example provided by the commission involves websites that automatically install software on visitors’ computers without their consent. This likely refers to websites that serve malware and adware. However, the law also prohibits software updates and upgrades without getting consent from the owner or authorized user.

Software “caused to be installed” can include the installation of malware bundled with apparently legitimate applications, or the installation of concealed software from music CDs, the commission said.

“Usually, CASL requires you to obtain consent from the owner or another authorized user of the computer or device prior to the installation of a computer program. However, in some circumstances, you are considered to already have consent without having to request it” read the requirements for the new rules.

The list of programs that can be installed without requesting consent consists of cookies, HTML, JavaScript, operating systems, applications that are executable through a piece of software that was already consented to, and updates designed to fix bugs. Telecoms service providers can also install software to protect their infrastructure against security threats, and updates/upgrades for their network.

However, companies are warned that these types of programs can only be installed if the user’s conduct indicates that they consent to it. For instance, if JavaScript and/or cookies are disabled by the user in the Web browser, it indicates that they don’t agree with the installation of such elements.

As far as updates and upgrades are concerned, software providers need consent from the device’s owner before installing them if the program was self-installed by the user. However, companies can seek consent for all future updates and upgrades when they request the initial consent to install an application.

Advertisement. Scroll to continue reading.

For software installed before January 15, 2015, updates and upgrades are allowed without seeking consent until January 15, 2018. Until this date, the user’s consent is implied, unless they specifically state that they no longer agree to the installation of future updates.

The consent request must include the reason for seeking consent, the company’s name, contact information, and a general description of the program. Users must also be informed that they can withdraw their consent. In addition, the provider must clearly specify if the application is designed to collect personal information, if it interferes with the user’s control of the device, if it changes settings or preferences, if it obstructs, interrupts or interferes with the user’s access to data, if it installs third-party programs, or if it causes the device to send messages to other computers.

Canada’s anti-spam legislation came into effect on July 1, 2014. For serious violations of the law, penalties can be as high as CAD$ 1 million for individuals and CAD$ 10 million for businesses.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights