Frozen. Canada’s Anti-Spam Reporting Centre: 5 Reasons Why The Fed’s Latest Flight of Fancy is Dead on Arrival

The most counterintuitive, surprising, and impactful new stories delivered to your inbox every Thursday.

Have a quick read of available coverage and you might be tempted to think “The Freezer”, the Canadian government’s plan for a national Anti-Spam Reporting Centre is a great initiative whose time has come. Headlines already abound with such emphatic language as “crack-down” and “getting tough on spammers” with ‘how-to’ guides for businesses and individuals to avoid being ‘frozen’. On the surface, it has three of the necessary ingredients to deal with a problem that has been tormenting Internet users for the better part of two decades:

Spam is something that bothers people, it really is. Unsolicited messaging is evolving as it tries to efficiently reach broader audiences. It carries security and privacy risks from tracking user preferences to carrying malicious payloads.

It has the support of three intrepid government agencies. The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada

Finally, a budgeted $700,000 a year says that this is the right approach to enforce legal requirements and gain international acclaim for efforts to support global anti-spam mandates.

What’s the problem you ask? It’s all wrong.

At the time of this writing, Bill C-28 or CASL (Canada’s Anti-Spam Law) or FISA (Fighting Internet and Wireless Spam Act) had passed into law and an RFP for Anti-Spam Centre solutions has concluded. Fortunately, implementation has been delayed until at least mid-year to deal with miscellaneous issues.

The Anti-Spam Centre aims to piggyback onto the new law to be a funnel for all organizations’ and individuals’ reports of spam and misleading communications across any medium, including mobile text messaging, social media sites and instant messaging. Reports submitted by individuals and organizations will be channeled to the agency responsible for the medium and method used by the offending messages. Once inside the Freezer, they will be stored, analyzed and ostensibly, acted upon swiftly and categorically.

Here’s why this is – at best – entirely unrealistic (but wait, don’t be offended just yet).

It is an obsolete idea, initially proposed in 2005 and likely thought of long before that. 7-8 Internet years being akin to some 250 years of regular time, this means we’re talking about an entirely different generation of activists, a different Internet user maturity level and a whole new set of controls in place now.

Today most of the millions of spam messages floating around the Internet are due to botnets, and these are being shut down on a regular basis. What’s left is very effectively filtered by webmail anti-spam and ISPs (over 98%). Then they’re further eradicated by company spam-filters at work and email clients themselves. The insignificant numbers of unsolicited messages that come through are dwarfed by other daily undesirables, such as those from friends and family whose urgent requests to just check out the latest hoax, forward an old chain letter, review a slideshow or scroll through to read the punchline to a stale joke.

It is based on a large number of misleading statements, two of which are assertions that Canada is a hotbed for spam activity (remember the assertions that it was also a nest of terrorists?) and that all this spam is spooking innocent Canadians away from e-commerce sites and the Internet as a whole. Clearly, the last statement is baseless and should be summarily dismissed, while the former is plain wrong, since Canada was a small player in the spam game then (accounting for less than 3% of global “spam” in 2005 when the Freezer’s original plan was concocted) and it’s an even smaller player now that spam volumes have decreased by 1/3 (according to Symantec’s 2011 figures).

In our company, almost 100% of all spam originates in other geographic jurisdictions. This means that close to 100% of all reports will be of foreign origin and pretty much 100% of the agencies’ work will be a complete waste of time and resources, since this system will do little to nothing in the way of punishing international emailers, fraudulent Facebook posters, spimmers, spitters or any other overzealous marketers.

What about legitimate spam? Oh yes, that kind does exist and is indeed local but guess what? It’s exempt! While Bill C-28 used Austin Powers-like numbers to come up with astronomical penalties of $1M per violation for individuals and $10M (that’s TEN MILLION DOLLARS PER EMAIL) for Canadian businesses, it was quick to point out that exceptions include (but are likely not limited to) political parties (don’t you just love getting those automated phone calls?), charities (oddly, not including fraudulent ones, but it’s probably up to you to investigate and prove their legitimacy as you’re embarking upon the reporting process), general surveys and oh… businesses that have legally acquired your information. But go ahead and report that unsolicited contact if it makes you feel better! Just don’t expect its therapeutic benefit to exceed that of a crosswalk button’s.

Even in the unlikely case in which you do come up with a message sent by an unfortunate local that happens to not be exempt, spam is largely a function of people’s behaviour and is directly related to the way they navigate the Internet. Most of us don’t even remember when we opt-in for regular updates from a site that was appealing on an initial visit. To therefore expose a legitimate local vendor to scrutiny that could be accompanied by a $10M financial hit is irresponsible at best and a complete waste of taxpayer resources in the failing case. Especially since most spammers be exempt by virtue of the above or simply the fact that messages are sent from abroad. In no case does it support the law’s stated purpose of “protecting Canadians while ensuring that businesses can continue to compete in the global marketplace”? Sure, if by that they mean scaring the bejesus out of them and introducing untold delays in their – already privacy-compliant – marketing plans.

Finally for the pièce de résistance: Given the law’s stated goal to “deter the most damaging and deceptive forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and to help drive spammers out of Canada.”, having users actually open messages to see if they’re misleading, unauthorized or malicious, exposing themselves to phishing, social engineering, identity theft and malware attacks seems counterintuitive (read: ignorant). As if rallying people around an increasingly irrelevant annoyance wasn’t enough, the pompous language cements its resolve with an intention to “establish a regulatory framework to protect electronic commerce in Canada.” Clearly.

To be entirely unfair in the interest of comic relief (as if the above wasn’t sufficient) one of the ‘experts’ often-quoted on the matter and a vocal proponent of the scheme supplied the following dubious justification: “There are spam gangs in Canada. There are absolutely spammers here.”

How should we report spam? Are there alternatives to this misguided approach?

You bet there are! Here is a comprehensive list that would satisfy even the most jaded email abuse victim. Spam is a part of all Internet traffic and so anti-spam efforts have evolved over the past two decades to include a workable system of layered protection that starts with Internet service providers (ISP) and webmail providers such as Gmail, Yahoo and Hotmail. These organizations hate spam even more than Internet users do because it amounts to a waste of computing, storage and access resources. So they all have invested heavily in very effective ways to combat it and have implemented mechanisms for reporting it.

This means that what we see is only a small fraction of the spam that floats around the Internet. Our own computers do a lot of the work too, from anti-virus suites to email readers, chances are, the software on your computer is already doing a good job of eliminating some spam from annoying you. On top of that, additional functionality is available through filtering functions (within Outlook and all other major clients) that allows users to create and infinitely customize filters. Good third-party add-on software is only a Google search away and if you really must report it, different countries have established measures for receiving submissions by email. Two of the most mature and effective systems available for dealing with spam are KnujOn and SpamCop. They will receive complaints and report them to the right authorities, adding them to blocklists that are available to ISPs worldwide. If the messages contain malicious payloads that include phishing attempts, send them to the US-CERT group for tracking. In short, the Internet is replete with overlapping efforts to effectively deal with spam, and they work. The last thing we need is to add to the confusion with an expensive new system that is clearly going to be ineffective from the start. Can we use an email address where malicious unsolicited email from local sources can be received for use in future prosecution? Sure. Is the whole ‘Freezer’ circus necessary? Absolutely not.

All it takes to avoid the “threat of unsolicited messaging” is to hold down CTRL (or Command on your Mac), select the obviously unsolicited messages and deleting them all with a single click. This takes little more than 5-10 seconds per day for a grand total of 20 minutes per year! Unless you’re spending an inordinate amount of time looking for legitimate emails misfiled as spam – which can and does happen – your productivity should be relatively intact. Relative to what? Contrast that with the time taken to report the issue once you’ve exposed your computer to the potential of infection. Or take a look at the big picture. How long do you spend looking through the unsolicited coupons in your mailbox? What about the hours of TV commercials that bombard your senses each year? Time spent in traffic? Do the math. This is an ill-conceived idea with no rational or professional insight, introduced by parties whose agenda has little to do with solving the problem for consumers. Instead of entertaining this expensive exercise, the allotted $700k would most certainly be better spent on infinitely more important global issues.

Despite the initial fanfare, the Freezer faces even bigger ‘image’ issues as the original domain name now belongs to – you guessed it – a refrigerator company and every flavour of the word has been taken, even by anti-spam products. Without a spunky brand and any valid claims, the Freezer is all but doomed given that it pre-eroded its own chance at gaining the public’s trust. If this albatross is to ever get off the ground, it will have to be significantly different from what we have seen to date.

Either way, don’t give spam a second thought. Enjoy your day and go back to dealing with unsolicited messages the way you did before: by simply ignoring or erasing them. Avoiding the Freezer will not only preserve your productivity but it may save you from infecting your own computer.

The most counterintuitive, surprising, and impactful new stories delivered to your inbox every Thursday.