Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Canada Prohibits Installation of Software, Updates Without Consent

A new provision in Canada’s Anti-Spam Legislation (CASL) prohibiting the installation of software without consent from the device’s owner came into effect on Thursday.

A new provision in Canada’s Anti-Spam Legislation (CASL) prohibiting the installation of software without consent from the device’s owner came into effect on Thursday.

According to the Canadian Radio-television and Telecommunications Commission, the new rule applies when someone installs or causes the installation of software on another individual’s device in the course of commercial activity.

One example provided by the commission involves websites that automatically install software on visitors’ computers without their consent. This likely refers to websites that serve malware and adware. However, the law also prohibits software updates and upgrades without getting consent from the owner or authorized user.

Software “caused to be installed” can include the installation of malware bundled with apparently legitimate applications, or the installation of concealed software from music CDs, the commission said.

“Usually, CASL requires you to obtain consent from the owner or another authorized user of the computer or device prior to the installation of a computer program. However, in some circumstances, you are considered to already have consent without having to request it” read the requirements for the new rules.

The list of programs that can be installed without requesting consent consists of cookies, HTML, JavaScript, operating systems, applications that are executable through a piece of software that was already consented to, and updates designed to fix bugs. Telecoms service providers can also install software to protect their infrastructure against security threats, and updates/upgrades for their network.

However, companies are warned that these types of programs can only be installed if the user’s conduct indicates that they consent to it. For instance, if JavaScript and/or cookies are disabled by the user in the Web browser, it indicates that they don’t agree with the installation of such elements.

As far as updates and upgrades are concerned, software providers need consent from the device’s owner before installing them if the program was self-installed by the user. However, companies can seek consent for all future updates and upgrades when they request the initial consent to install an application.

Advertisement. Scroll to continue reading.

For software installed before January 15, 2015, updates and upgrades are allowed without seeking consent until January 15, 2018. Until this date, the user’s consent is implied, unless they specifically state that they no longer agree to the installation of future updates.

The consent request must include the reason for seeking consent, the company’s name, contact information, and a general description of the program. Users must also be informed that they can withdraw their consent. In addition, the provider must clearly specify if the application is designed to collect personal information, if it interferes with the user’s control of the device, if it changes settings or preferences, if it obstructs, interrupts or interferes with the user’s access to data, if it installs third-party programs, or if it causes the device to send messages to other computers.

Canada’s anti-spam legislation came into effect on July 1, 2014. For serious violations of the law, penalties can be as high as CAD$ 1 million for individuals and CAD$ 10 million for businesses.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.