What is CASL?
-
As for anything close to “law for online fraud”, there is only one section in the Canadian Criminal Code: Section 380.
-
Subsection (2) says that anyone who, by deceit, falsehood or other fraudulent means, affects the stocks, shares, merchandise or anything that is offered for sale to the public is guilty of an indictable offence and liable to imprisonment for a term not exceeding fourteen years.
-
Subsection (1) is also valid in this case:
380 (1) Every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service.
-
It surprised me to know that there is only 1 applicable law to prevent online fraud such as Mass Marketing Fraud and even cybercrime. Also, note how all of the items which the criminal deceives the other person of are physical.
-
So, then, there must be something else, right? Well, of course, look at the heading of this webpage!
Canadian Anti-Spam Legislation
-
One can think of CASL as a policy that is an addendum to Section 380.
-
We will take a look at Sections 6 and 8 of this policy. It is a subset of most other Sections.
-
6 (1) says it is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless the person who the message has been sent to consented to receiving it.
-
Section 6, subsection 2 says that an unsubscribe method must be in place so that anyone can opt-out at any time.
-
8 (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system.
-
What happens to a person who has, indeed, violated these sections?
-
He or she will get a Notice of Violation as per Section (22)(1).
-
In this Notice, the following things will be included:
-
Every act or omission for which the notice is served.
-
The monetary penalty that the person has to pay.
-
You have a chance to oppose it: representations to the Commission may be made within 30 days of receiving the notice.
-
No representation means you implicitly agree to pay the fine.
-
Section 20 deals with penalties that one can face for violating the aforementioned sections.
-
(20)(2) The purpose of a penalty is to promote compliance with this Act and not to punish.
-
(20)(4) The maximum penalty for a violation is $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.
-
In order to prove the claim that the defendant has actually committed the crime, there are sections requiring telecommunication companies to hand over data.
-
Sections 15 and 17 say that a telecommunications provider must preserve and submit data related to the case that comes into its possession. However, they also say that this data may only be used to verify that Sections 6 - 9 have been contravened.
-
This goes with Section 8 of the Charter, which says everyone has the right against unreasonable search or seizure.
-
Failing to do so triggers the non-compliance clause in the Act:
-
Section 42 says that anyone who fails to comply commits an offence. Section 43 says anyone who willingly provides false evidence also commits an offence.
-
46 (1) Every person who commits an offence under section 42 or 43 is guilty of an offence punishable on summary conviction and is liable
(a) to a fine of not more than $10,000 for a first offence or $25,000 for a subsequent offence, in the case of an individual; or
(b) to a fine of not more than $100,000 for a first offence or $250,000 for a subsequent offence, in the case of any other person.
-
As for the actual hearing, if it is found that a person or persons have violated the Act, they must pay:
-
A compensation equal to the actual loss (Section 51(1)(a)).
-
A maximum of $200 if Section 6 is violated and a maximum of $1M/day for Section 7 or 8.
-
The $1M/day fine also applies if another act is violated. It is called PIPEDA, or the Personal Information Protection and Electronic Documents Act. For our purposes, it says that you can’t misuse the personal information entrusted to you by someone who uses your service. Section 7 of this Act says that you can only collect personal information without consent for the purposes of investigating a contravention or where consent cannot be obtained in a timely manner.
-
There are others, but in the interest of time, only the most important points are presented.
-
Cases
- CompuFinder v. Canada (Attorney General), 2020:
-
The appellant conducted three advertising campaigns between July and September 2014 during which it sent 317 CEMs to various recipients.
-
A CEM (commercial electronic message) is an electronic message delivered to someone.
-
These CEMs promoted Canada Inc.’s educational and training programs, helping their business. It was given a Notice of Violation under CASL in 2015. The notice said the appellant had violated Section 6 of the Act. Consent was not obtained beforehand and some of the CEMs didn’t contain an unsubscribe feature. The fine due was $1.1M.
-
Canada Inc. didn’t argue against the claims, but rather against the policy. They said it violates paragraph 2(b) of the Charter. This paragraph says “everyone has the right to freedom of expression, including press and other media of communication.”
-
The appeal was dismissed by the Federal Court of Appeal on the basis that it is justified under Section 1 of the Charter (which says rights can reasonably be restricted).
-
It is also worth noting that, originally, the fine was $2.1M. However, if you recall, the purpose of CASL is to promote compliance with the Act. This fine was reduced to $200K.
-
- Brian Conley & nCrowd:
-
From 2014 to 2015, the Spam Reporting Centre, or SRC, recorded 246 complaints against nCrowd. The campaign started on Sept. 15, 2014. Once again, it was in violation of Section 6 of the Act.
-
In his representations, Mr. Conley did not deny these elements of the investigation report. nCrowd failed to show evidence that they had consent, and were only able to circumvent the question by saying they obtained all the 1.5M email addresses and started sending CEMs to them a day after they switched to another email service provider.
-
The evidence also shows that, on 24 September 2014, Mr. Conley personally signed an Agreement of Purchase and Sale whereby nCrowd acquired Couch Commerce’s assets, including its email distribution list.
-
Section 31 of the Act provides that an officer, director, agent, or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in, or participated in the commission of the violation, whether or not the corporation is proceeded against.
-
Section 44: An officer, director, agent or mandatary of a corporation that commits an offence is a party to and liable for the offence if they directed, authorized, assented to, acquiesced in or participated in the commission of the offence, whether or not the corporation is proceeded against.
-
Mr. Conley was fined $100K pursuant to Section 31. This case set a precedent as the first where the fine was against the individual, not the company.
It appears Section (20)(3) has, in this case, overridden Section 46 (1), which sets a fine of not more than $10K for a first offence.
-
Comparison with the US
-
We will talk about the case of Matthew Philbert. He has been charged with unauthorized use of computers to commit fraud, specifically to install malware.
-
One small business lost $15K to this mischief and it almost led to their liquidation. His crimes have more than a thousand victims.
-
He was being tracked by the RCMP, FBI and Europol starting from January 2020. He was caught in Canada, but indicted in the US.
-
Some of the US charges are for forfeiture, but we will only focus on the online fraud ones. In Canadian law, this would be Section 8.1 of CASL. For the US, it is 18 U.S.C. § 1030 and 18 U.S.C. § 371.
-
18 U.S.C. § 371 says that any person who conspires to commit fraud against the US or to defraud the US is committing an offence. Canada has no such clause for conspiring to commit an online fraud.
-
18 U.S.C. § 1030 is for fraud and related activity with computers. The subsections applicable in this case are:
-
18 U.S.C. § 1030(a)(5)(A):
Knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.
-
18 U.S.C. § 1030(a)(5)(B):
Intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage.
-
18 U.S.C. § 1030(c)(4)(B)(i):
A fine under this title, imprisonment for not more than 10 years, or both, in the case of an offence under (a)(5)(A).
-
There’s also (i)(2), which allows the US government to seek forfeiture of any personal property. This would include his seized hard drives, Bitcoin seed phrase, any personal information, the domain name of the criminal enterprise, etc.
-
If he’d only violated 1030(a)(5)(B), instead of 10 years, it would be 5 years.
-
The US laws specify the duration of the sentence, but there isn’t a subsection in CASL for sentencing pursuant to Section 8.
Other
-
Besides CASL, the government has recently signed the Council of Europe’s Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence.
-
Only a very small amount of reported cybercrime leads to prosecutions because of the effort required. This protocol allows international, joint collaboration.
-
It also allows a country to seek information directly from an ISP. Basically, instead of a telecommunications provider, now it will include the Internet.