Cable / Telecom News

CRTC reverses compliance and enforcement staff decision


By Denis Carmel

OTTAWA – Last week, on May 19, the CRTC issued a decision to reverse a previous decision and cancel penalties worth $250,000 against two companies delivering ads on computers without the consent of their owners, contrary to the Anti-Spam Act.

In 2015, investigators from the Commission identified five IP addresses linked to Datablocks and Sunlight Media Networks “that appeared to be redirecting users to webpages hosting exploit kits.”

“An ‘exploit kit’ is a collection of multiple exploits that affect unsecure software applications. Each exploit kit is customized to search for specific vulnerabilities and execute the corresponding exploit for the vulnerability it finds,” reads the decision.

In June 2016, the investigators sent Shared Services Canada a notice to produce documents, seeking information and data regarding traffic directed to or from Government of Canada (GC) IP addresses and the five IP addresses of interest, in order to obtain all network packet capture files and malware samples.

That evidence allowed the CRTC’s chief compliance and enforcement officer to issue, in July 2018, a notice of violation stating “that in seven instances, Sunlight Media’s domain provided direct instructions to a GC computer system to connect to a server, which in turn installed a malicious computer program on the GC computer system without express consent,” reads the CRTC decision. The notice set out a monetary penalty of $150,000 for Sunlight Media and $100,000 for Datablocks.

As provided for in the Act, the two companies submitted an expert report and challenged the ruling, arguing that the evidence provided did not demonstrate that they had violated the Act.

In 2019, the Commission contracted an external computer forensics expert who produced a report, which the CRTC added to the record of the proceeding along with the response of the CRTC chief compliance and enforcement officer to the report.

The record closed in February 2021.

Conclusion

“The digital evidence confirmed that the Government of Canada [GC] computer systems visited landing pages hosting Angler exploit kits, a specific type of exploit kit, which sent back Flash exploit programs to take advantage of a vulnerability found in the computer systems’ version of Adobe Flash Player,” the decision states.

But “the physical GC computer systems were not available for examination of post-infection indicators because compromised computers are usually reimaged [i.e., cleaned by being restored to a previous state] fewer than three days following infection.”

This allowed the Commission to conclude that “since network packet capture files samples are a snapshot of travelling data packets over a given period of time, they allow for the observation and analysis of data travelling on a network between hosts. However, a network packet capture files sample does not demonstrate what happens at the endpoint. The Commission notes that this observation was supported by the Companies’ expert, as well as the external specialist, both of whom indicated that the digital evidence provided in support of the NOVs is insufficient to prove whether installation actually occurred.”

Sunlight Media ceased operating in 2018.

Earlier this month, the CRTC issued a report called Enforcing Canada’s Anti-Spam Legislation (CASL) Actions Carried Out by the CRTC between October 1, 2021 and March 31, 2022, with colour charts and illustrations, which provide a picture of anti-spam enforcement in the country.