The Canadian Radio-television and Telecommunications Commission (CRTC) is fining two companies $250,000 for their involvement in installing malicious software through online advertisements, a first under Canada’s anti-spam law.
Sunlight Media Network Inc. and Datablocks Inc. are facing charges from the CRTC after a two-year investigation that alleges they were involved in allowing the installation of malware through their clients’ online advertisements.
In a press release earlier this month the CRTC issued the Notice of Violation, stating that “Commission staff found evidence that ads distributed through Sunlight Media and Datablocks’ services, using their proprietary infrastructure, resulted in the installation of malicious programs from a notorious exploit kit named Angler, which exploited a vulnerability in Adobe Flash.”
Sunlight Media operates an ad network that used Datablocks real-time bidding system to distribute its online ads.
The CRTC alleges that the companies violated the Canadian Anti-Spam Legislation (CASL) by:
- Accepting “unverified and anonymous” clients;
- Not having written contracts that bound those clients to Canadian law;
- Failing to implement fundamental safeguards and lacking monitoring measures to prevent malware; and
- Not having corporate compliance policies in place in accordance with the anti-spam law.
The release stated that after being alerted in 2015 by the Canadian Cyber-Incident Response Centre (CCIRC), and after being made aware in 2016 by the CRTC, neither company implemented basic safeguards to solve the issue.
However, Datablocks president John Mayor told ITBusiness.ca that the CRTC did not directly notify the company of anything.
“We received one notification in 2015 and three notifications in 2016 from CCIRC. The one in 2015 pointed us towards an online article which alleged malware,” said Mayor. He said at that point Datablocks was already aware of the issue and had tracked down and banned the offending advertiser before receiving the notifications.
Mayor also said that, while the company is taking the matter very seriously and has been discussing it with the CRTC for several years, he feels that “Datablocks is a small company relative to the rest of the industry and we are now facing a David versus Goliath situation with the government.”
“We had the option to settle with the CRTC with an undertaking which would of allowed us to pay a fine without any admission of guilt and avoid much of the limelight. We chose to move forward with the notice of violation. We are choosing to exercise our rights to fight the allegations first with the appointed commission at the CRTC and then up to the supreme court if warranted,” said Mayor.
Mayor argues that his St. Catherines-based company has always vetted their clients, operates according to written and signed agreements and has internal policies to detect and deal with malware right away.
The report from the CRTC alleges that because of actions by Sunlight and Datablocks, their clients were able to make repeated violations of the anti-spam law between February 8th to May 31st 2016.
The notice issued a fine of $100,000 to Datablocks and $150,000 to Sunlight Media. Both companies have 30 days to either file written representations or pay the penalties.