Podcast: How Canada’s Telecom Regulator Fights Phishing and Spam
By MailChannels | 84 minute read
In this insightful and comprehensive conversation, Ken Simpson, CEO of MailChannels, engages Steven Harroun, Chief Compliance and Enforcement Officer at the CRTC, on a range of critical topics surrounding Canada’s digital landscape. Harroun elucidates the CRTC’s role in protecting Canadians from online abuse, providing an in-depth overview of Canada’s Anti-Spam Legislation (CASL) and the types of complaints received since its inception. He sheds light on their enforcement strategies, with a particular focus on spam, phishing, and other forms of cyber abuse, including the emerging challenges posed by artificial intelligence. The discussion also ventures into the CRTC’s recent policies, its proactive approach towards telecom regulation, and its strategies for managing new threats such as botnet traffic. Harroun delves into the CRTC’s efforts to maintain net neutrality, foster transparency, and promote public education on CASL, while also highlighting the complexities of navigating the evolving terrain of technology and communication platforms.
Steven: So just in April this year, you know, we did this coordinated, um, takedown and, and I love the name. They call it, it’s Operation Cookie Monster. Um, so, but with the FBI and domestic law enforcement across Canada, but international law enforcement, we’re able to shut down a worldwide marketplace.
Ken: Like I had no idea that the CRTC could execute a search warrant.
Ken: That is news.
Steven: Yeah. You know, I’m very fortunate to have such robust legislation, which does include that, right?
Ken: Today, I’m excited to bring you my conversation with Steven Harroun, Chief Compliance and Enforcement Officer with Canada’s telecom regulator, the CRTC.
In today’s conversation, Steven describes Canada’s anti-spam legislation and how the CRTC enforces it to protect Canadians and people outside of Canada from really bad email practices.
Ken: I think that a lot of people in the email industry would share my opinion that CASL has improved the game for legitimate email senders while making it harder for the bad guys to hide from enforcement actions.
Ken: In today’s discussion, Steven and I also talk about the future of telecom regulation in Canada and how the CRTC is carefully balancing the interests of Canadians against the threats that are being posed online.
Ken: I really hope you enjoy this conversation with Steven Harroun of the CRTC.
Ken: So Steven, what is the CRTC’s role in protecting Canadians from online abuse?
Steven: That’s a really great question, Ken, and I appreciate the opportunity to kind of participate in this podcast. It’s great. Um, so as a Chief Compliance and Enforcement Officer, um, I like to say I’m responsible for everything Canadians like to complain about, which is telemarketers and spammers.
Steven: Um, specifically, you know, I’m responsible for the unsolicited telecommunications rules, um, which includes Canada’s national do not call list, um, also responsible for Canada’s anti-spam legislation. Um, as well as the voter contact registry. Um, so we kind of have a nice kind of suite of tools that, uh, that rely on us to look after Canadians in this space.
Steven: Right. So I, so I think it works out really well in that perspective. Um, I think one of the, one of the important things to recognize is that, right, and a lot of these situations is that, you know, Canadians don’t have a lot of control over this, so they do, you know, they do need particular pieces of legislation.
Steven: They do need a regulator. They do need an industry which will help kind of support them in this space.
Ken: Got it. Um, uh, so what is Canada’s anti-spam legislation?
Steven: Yeah, so we affectionately call it CASL because it’s a really long title and actually in the legislation it has like a three sentence title or something like that.
Steven: So we shortened it to CASL. Um, so in CASL it’s, it’s kind of twofold and I, and I feel very blessed actually as a regulator to have such robust legislation. Um, so kind of the first piece, if you will, focuses on commercial electronic messages, which is really about the fact that Canadians should not receive commercial electronic messages in their email, in their spam, with, or in their SMS without their consent.
Steven: You know, that’s kind of the fundamental principles. Section six of CASL relies on that. Um, where I get really excited and where my folks get really jazzed up is CASL’s really broad in that it covers, um, areas like malware and botnets and viruses and that, you know, that unknown, if you will, uh, addition of software to your email where you haven’t provided consent, you know, and we say software and yes, that applies to, to you.
Steven: Obviously, you know, any antivirus software or any other updates from your software company, but, you know, software also, you know, pertains to that virus and malware and stuff. So that’s where we really focus a lot of our enforcement energy is kind of in that space, because as you know, at the end of the day, as the CCEO, I need to look at how can I protect Canadians the most?
Steven: Where is there the most harm, if you will, being affected on Canadians, and it’s actually really in this more malicious space. I’ll provide a point of clarity if it’s helpful in that, you know, both the telemarketing rules and and and the CASL legislation. I mean, I operate under a civil regime, right? So at the end of the day, you know, it’s a it’s a civil process.
Steven: You know, the federal regulator says you’ve been bad.
You know, we may issue a citation, a warning letter, we may issue a notice of violation, uh, which would often include an administrative monetary penalty. We may do an undertaking with you, which is, you know, if you will, a little more friendly, where we say, okay, we are seeing this activity, we know, you know, this is happening.
Steven: The company says, yeah, that probably shouldn’t have happened, or perhaps it’s a little bit offside. But on the rules, how do we fix that? So we’ll do an undertaking, which would provide the opportunity for them to say, okay, we’ll enter into an agreement with you. We’ll fix the problem. So we’ll have a compliance program to show we fixed the problems and we will pay an administrative monetary penalty kind of, if you will, for the errors of the past.
Steven: So, you know, so that’s, you know, it’s a, it’s a nice little framework in that perspective in that, you know, that’s the civil regime piece, which is, I was going to say, which is very civilized, um, but you know, it’s, it’s, it’s a nice common approach to how we approach things. The challenge, you know, um, on the CASL side of the house, of course, and on the telemarketing side too, there’s a whole, if you will, scam, fraud, criminal related element, right?
Steven: And you know, I will often get told, you know, um, by, by lawyers in the industry, by my own lawyers sometimes, um, you know, like, oh, well you’re the civil piece. Someone else has to take care of the criminal piece. You don’t, you know, you don’t have that authority. But you know what? Canadians don’t care. When I speak out and about and Canadians say, can you stop the calls?
Steven: Can you stop the emails? Can you stop the SMS texts saying, can you collect your money here? Can you click here? Always just to steal Canadians’ financial information, et cetera. They don’t care that I’m civil regime. They say, well, you’re responsible. Can you stop it? Right?
So one of the beauties of, for me, being, you know, I’m an, I run an enforcement team embedded within the communications regulator.
Steven: And one of the key pieces, and I’m sure we’ll get to it later, uh, in our discussion, is the benefit of that is, if I can’t enforce it, I’ll regulate it. Um, because it’s, I’ve got domestic legislation, I’ve got a global problem. So, you know, so we spend a lot of our energy kind of on a policy space is what if the call, you know, never happens?
Steven: So what if Canadians don’t get the call? What if Canadians don’t get that email? What if they never receive that SMS text message? Um, I’ve, I feel like we’ve done our job in protecting Canadians because if the phone doesn’t ring, they can’t fall victim. If they don’t get that SMS message, then they can’t accidentally, you know, click and go, Oh, wait a minute, maybe I shouldn’t have done that.
Steven: Maybe that wasn’t my tax refund. Maybe that wasn’t my CERB benefit. All those types of things.
Ken: And, and that’s certainly a problem that everyone is familiar with, you know, on a, on a regular basis. You know, speaking of, uh, of this sort of ongoing abuse, uh, that you oversee, uh, can you give an overview of the kinds of complaints that CRTC has received
Ken: from Canadians since CASL went into effect?
Steven: One of the biggest things I think is to understand and people look at it and go, Oh, but your CASL complaints have gone up. So part of that is I think I’ve done a good job because the more people become aware about how to file a complaint and tell us what’s wrong, then our numbers should go up.
Steven: Five years ago, we were getting 5,000 complaints a week. Now we get about 6,800 a week, um, which, you know, you say, okay, that’s a lot. That’s probably 1/10th, maybe 1/20th, maybe 1/100th of what’s really happening. Like we all know anyone working in this space that, you know, citizens consistently under report, right?
Steven: It’s only people who are really infuriated, maybe have more time in their hands who have fallen victim. Right. And, you know, want to make sure that they’re doing something about it and make sure that, you know, someone else, their neighbor, their family member, whatever, doesn’t fall to the same scam. So even at, you know, 6,800 a week, that seems like a big number.
Steven: Um, my concern is that it’s just a tip of the iceberg when it comes to that. Um, so it’s, it’s robust. I’m not short of complaints. Absolutely. Um, and we are intelligence based enforcement right at the end of the day. Um, so yes, I have, you know, those, you know, 6,800 complaints. We also do, we look at open source information.
Steven: We look at providing information or getting information from our telecom service providers, from other private sector folks. And, you know, there’s, I’m, I’m blessed with lots of research and data in this space. You know, my folks take all of that and kind of slice it and dice it. And, you know, we’re actually able to look at where campaigns are and stuff.
Steven: But you know what? Surprisingly enough, and I’m amazed and I’ve been sitting in this seat for five years, is the, the basic of complaints still exist, which is about consent, you know, and that’s that, which, which I find astonishing because I feel like we do such a great job at education and outreach. I feel like, you know, we spend a lot of time with the industry on this is how you need to comply, you know, with the rules.
Steven: And, you know, and, you know, I’ll step off a bit and say, you know what? I truly believe 99% of legitimate companies want to comply with the rules. They just need to know how. Okay. Right. And we spend a lot of time with industry folks. We spend a lot of time with lawyers. You know, we spend a lot of time kind of traveling the country in any way that we can, um, whether it be the conference or a chamber of commerce or whatever, to kind of get our message out.
Steven: Because my biggest, um, the biggest message I always want to send is that, there’s no one way to comply right at the end of the day. Big companies, teams of people, they can do this and they know how to do it well. But I often meet, you know, small business owners who will legitimately tell me, I’ve got 15 minutes a week to make sure I deal with you CRTC.
Steven: So what do I need to do? Right? And so while there may be a great big team for a big conglomerate company, you know, I’ve got someone’s, you know, daughter in law who works in the office and says, Okay, what do I need to do for consent? Okay. And it doesn’t have to be a big database. It doesn’t have to be a big program.
Steven: It can be a handwritten note beside the phone that says so and so says I can email them at this address, you know, and like that’s your due diligence. Um, so, you know, people always think it’s a big thing. I think some of the very basics of the rules on how to comply can be very simple if you’re a small operation, but they recognize that they have obligations.
Steven: So I think, you know, for me, that’s a big piece. And I’ll pull you back to where we’re going, but you know, I think for me, that’s a really big piece. Um, so I still am amazed at the end of the day that consent is an issue. Cause I feel like I’ve talked about this forever to everyone, you know, if you want to send someone an email, then at the end of the day, just get their permission and you’re good to go, you know, and there are lots of parameters around that.
Steven: I mean, that’s, you know, if you will, the initial kind of email contact to say, yes, I can and et cetera. But, you know, obviously if you purchase a product, then you kind of have that existing business relationship, you know, so then they do have two years to eat, you know, to interact with you via email if you provided your email address because you’ve purchased something, right?
Steven: Um, which is great that it’s part of the rules and you know, but you can always opt out of that, right? And so (a) I didn’t give them consent, um, or (b) their unsubscribe doesn’t work. You know, and these to me seem like such fundamental things and, um, but it’s, you know, it should be easy. It should be one click.
Steven: I want to, you know, get out of this. Yes, I’ll come back later. And, you know, and then some people have done it really well and really fun and creatively like, Oh no, you’re leaving, et cetera, which I appreciate, you know, but at the end of the day, it should be easy for Canadians because I’m, you know, I’m all about,
Steven: this should be super easy, getting their consent should be easy. Can we email you and having them leave should be as equally as easy. So, so I always remain amazed that that is still our number one complaint is about is actually about consent. Um, I would say, you know, in even in just in the last five years or even less than 10 in the last 10,
Steven: our, our complaints have changed, right, at the end of the day. And I, you know, and that is part of, CASL is a very young program. It’s less than 10 years old. And so it’s a very young program. But early days, it was about, I didn’t tell company X they could email me. And, you know, and there was, of course, you know, there was, I was going to say, I feel like everyone’s inboxes got flooded when, you know, when CASL came into force.
Steven: Because everyone all of a sudden needed to say, do we have consent to email you? Exactly. Um. So, you know, so I think those were our early day complaints, you know, at 5,000 a week and people saying, you know, it doesn’t work. They won’t let me, you know, they’re still sending me messages after everyone subscribed, et cetera, et cetera.
Steven: Now a good 25, even more percentage is all about phishing scams.
Ken: So really one of the successes that you’ve had since CASL legislation came out is to sharpen the dividing line between good companies and bad companies, right? By making it so that, uh, you know, the most of what Canadians experience in their electronic communications is consensual.
Ken: Uh, and, and so the stuff they’re complaining about now, that 25% of complaints is most, you know, it’s the really bad guys. And I think maybe, uh, the fact that the number of complaints has only increased from 800 a week is a sign of amazing success.
Steven: Well, I will, I will take that and, you know, and it’s, we often get compared, right?
Steven: In, you know, I will sit, uh, at industry events, I will sit in front of parliamentarians, you know, a couple times a year and they say, well, how are things going? And of which, of course, their constituents have lots of things to say, which would suggest maybe not so well. Um, but I, I like you interpret complaints the same way, right?
Steven: Like the, the, even just the caliber and the quality of the complaints has changed, right? You know, people all of a sudden now do screenshots and they will, you know, email stuff to us and, you know, which to me is great. That means we’re doing our job a little bit better. And I, and I do take that. Um, but yeah, I think that I, I, I support that theory because I think for me, it’s always been about early days of CASL was,
Steven: if everyone’s following the rules, a legitimate company is kind of like, you know, if you will, the curdled cream rises to the top, which is maybe the more nefarious actors. So if you’re getting an email from a company that you don’t recognize, well, you know, definitely treat that as suspect, you know, and if you’re getting an SMS message that maybe it seems too good to be true, you know, treat that as suspect.
Steven: Um, I, you know, I don’t, I, I’ve, I’ve, I go back and forth on this, right?
I, I feel like it’s not fair to put the onus on Canadians to have to make these decisions, you know, and we could talk on, you know, on the telephony side where we’ve tried in multiple things. And, you know, I often hear from carriers, um, well, you know, if someone doesn’t know who’s calling, they shouldn’t pick up the phone, you know, they should, you know, and I said, maybe that works.
Steven: Maybe it does. Right. And, and we are all, you know, uh, and uh, have the advantage of call display, et cetera, you know, but I always go to my 80 year old mother who will pick up the phone and it won’t matter if her call display says, do not answer. This is not, you know, you should never, you know, the phone could be burning hot red.
Steven: She will still pick it up because it’s ringing. You know, so I go to that de facto place of, I appreciate the fact that there’s probably a whole generation of folks who never answers the phone. My, you know, my 32 year old son doesn’t answer the phone half the time when I call, but you know, maybe that’s, you know, you know, I’m always leaving him a voicemail and he calls back because he just doesn’t answer any calls.
Steven: That is not indicative of Canadian population, and that is not indicative of everyone’s behaviors when it comes to that, right? So, so to me, I, I struggle with… Yes, I tried, I want to provide as many tools as I can and, you know, and there are lots of great tools in the toolkit and we can, we can chat about that.
Steven: But for me, it’s not enough to say that it’s, you know, Joe and Jane Canadian’s responsibility. You know, I think I have a responsibility. I take, if you will, my, you know, my protection piece of my job very, very seriously and I want Canadians, you know, to be aware that this is a, a, a space that we’re working in, that we’re working hard in, that we’re working with industry on so that we can provide them as much information as we can.
Steven: And I look forward to talking about a whole education piece later on if we have time. Um, but you know, where we can give them the information they need to make decisions. But I, my de facto place always goes to my 80 year old mother who will answer that call even if the phone was on fire because it’s ringing, which, which it might be, uh, you know, given the smoke season that we’re in.
Ken: Um, so, uh, what are the, what are the sort of main categories of complaints that you, uh, that Canadians report to you?
Steven: Yeah, so, and, you know, I think I’ve touched on it a bit. It really is about, oh, I’m getting like 33 emails a day from this company and, and it’s, it’s funny, I didn’t realize that actually either.
Steven: Um, probably till the most recent holiday season and I was out shopping with my, my nephews and they’re like 9 and 11 and, uh, out shopping with them and I’m at, you know, a store that they like to shop in and of course I get the whole spiel of like, Oh, get 10% off, sign up for our emails. It’s not a place I normally shop and, you know, and, you know, I’m, I’m a really bad shopper when it comes to that.
Steven: Cause I’m like, well, what does it mean? What are all these, what does all these words mean that you’re asking me to click and they just go, Oh, just tick, tick, tick and sign at the bottom. You know, you’ll get our emails. I tend to push a little bit just because of my job. And I want to know if the, you know, the, the cashier has been educated, but typically no, they just want you to sign at the bottom to get 10%.
Steven: I’ll take the 10%. It’s okay. Um, but I was fascinated at some of these stores, you know, who do like, I’ll use Christmas or I’ll use Boxing Day or whatever. It’s like four hours left, three hours left, two hours left, one hour left of our sale. Like, you sure you got to go online? You got to buy. Like, that is annoying.
Steven: That was annoying for me, you know, from a store I don’t normally shop at, so that was an easy unsubscribe. That was just, you know, I was with my nephews. Um, but we hear that a lot from folks, like, yes, I said they could send me a message. I didn’t tell them they could send me one every hour on the hour, every day.
Steven: You know, that’s, that’s a big thing for us. Um, and the other side, of course, and we, we, we started touching on this is the pure phishing scams, right? And the pure, um, how to, um, get money from people, right? You know, we hear a lot about, you know, government impersonation scams, which are huge on the rise and real, a big challenge.
Steven: And, you know, it’s, we just finished tax season, which is always a big deal, right? Oh, click here for your tax refund. Click here for your GST check. You know, if I look at, um, the COVID situation, right, and the government of Canada put in lots of really great measures for Canadians so that, you know, they could pay their rent and they could buy their food because they couldn’t go to work.
Steven: Um, but it was astonishing to me how nimble and how creative the fraudsters are, right? And I’ve, you know, I’ve joked on more than one occasion that, you know, once, I was gonna say, once I’ve given them a notice of violation and they’ve paid an AMP, I want to hire them. Because they are so nimble and they’re so quick, right?
Steven: We would, you know, programs would be announced at noon and by five in the afternoon, people were already getting the SMS scams and the email scams, fill out this form, put your banking information here. Like it was just, it was phenomenal how fast they could be. And even on the telephony side, you know, we’d have the prime minister standing up and there’d be like, you know, 1-800 number flashed below his name and they were spoofing that phone number before that phone number was even live.
Ken: Wow.
Like it was just So they’ve got their telecom set up before the government does.
Steven: Exactly. Which was incredible, right? Because then all of a sudden, you know, when I go, you know, I go back to, you know, vulnerable Canadians and you look at it and they go, they’re getting this phone call, they’re looking at their TV, like, oh yeah, that is them and oh, I am eligible and yeah, here’s my banking information so you can deposit that.
Steven: You know, like it’s, so it’s, we put a lot of onus on Canadians, which just isn’t fair in my mind. So we need to figure out how to educate more. We need how to figure out how to give them the tools, but we hear a lot about the government impersonation stuff and, and, you know, in certain circles, even in my own organization, it is about the, you know, the email from your boss scam, which, uh, you know, probably, you know, hopefully a lot of your folks are familiar with, which is like, you know, your boss sends you an email.
Steven: It looks like it’s from their email. Like, Oh, I’ve got an urgent situation. Can you go buy 1000 worth of gift cards? You know, international delegations coming, you know, my admins off today, like whatever. And it’s easy to get caught up in that vortex because sometimes things do happen that fast and something, you know, it’s in depending on the organization you’re in.
Steven: Someone’s got them bought and sent and gone before someone says, what do you mean you didn’t ask me to do that? Like, you know, um, we see in the government of Canada and back to just the knowledge of, you know, of scammers is, you know, March is kind of our year end in government, right? So March 31st. And we’ve seen a whole lot of scams now go through our finance department, um, because, you know, we’re a public government institution and they can look and say, Oh, who works in finance at the CRTC?
Steven: And they email all these finance people and say, Oh, here’s my invoice.
You’re, you know, someone was waiting for it. Can you pay it? Whatever. And depending on the scramble of, you know, a year end exercise, depending on, you know, if there’s new staff, casual staff are often hired at year end to kind of, you know, help with all the last minute invoice processing, that invoice could potentially get processed, you know, and before someone says, well, wait a minute, where, where was that on the books?
Steven: But the payment’s gone and try and get it back.
Ken: So one of, essentially one of the customers for, for your enforcement branch is the Canadian government itself.
Steven: Yeah, exactly. You know, which is, which is fascinating, right? And, but it just goes to show the, the nimbleness and the, uh, and the creativity I like, I have to give it to them my creativity.
Steven: Yeah. Like they’re just so fast and so quick and they figured out the seasons right. And I, you know, I was talking about tax time. You know, when we get to, when we get to kind of the fall, it’s like the vacation season if you will. All of a sudden a little few snow flurries and people are booking their, their winter vacations.
Steven: We see a whole scam process go there like it. It is. It is quite fascinating to me. So there’s the cyclical stuff, which we can almost plan now, which is helpful because we can send out the right messaging at the right time from a public relations perspective. And then the other side of that piece is, is just like all the other gap fillers that they have.
Steven: Right.
And just how quick they can be like, who knows what happens tomorrow that all of a sudden someone says, Oh, well, we could probably get, you know, try this campaign with folks and see if that works and, you know, and I wanted to get back to, you know, just kind of, you know, the definition of vulnerable Canadians and, and people often think about that as like, well, he’s talking about vulnerable Canadians, he’s talking about low income or whatever, but it’s not just about that, right?
Steven: Yes, there are, there are folks who are low income Canadians who when they see an SMS text message saying, Oh, your 400 is ready. That’s a lot of money, right? At the end of the day, and if you need that money to pay your rent next week, or you need that money to go to the grocery store because you’re, you know, your three year old’s hungry, then you’re very, you know, you go, oh, thank goodness, like, you know, and oh, I forgot I was getting that.
Steven: Whatever credit, you know, whatever. And that’s a vulnerable Canadian. But seniors, and I’ve talked about my mom, like, they’re vulnerable Canadians because they are, you know, they’re not on Twitter, they’re not on the internet, they’re not, you know, and if they are, they’re, you know, they’re not following the tweets from the CRTC saying, worry about this scam, or from the hydro company who’s tweeting it out.
Steven: That doesn’t help my mom, who’s not on a computer, right? So, you know, so there’s the seniors, but then there’s new immigrants to Canada. Right. Who don’t speak English or French and who don’t know the rules. Right. And, you know, we have the CRA, you know, tax scam, which I say is like, collect your refund here.
Steven: You know, the one we often hear about and, um, is, you know, it’s just like, oh, you owe taxes and you’ll be deported.
And if you don’t know English or French and you’re just trying to cobble together and someone says you’re going to be deported if you don’t pay, you know, 500, you know, dollars in Apple gift cards.
Steven: Right. That’s a huge concern and a huge worry and a huge risk, right? So they’re going out finding 500 and they’re sending off those Apple gift cards because they’re concerned about the fact that they’ve just landed in Canada and they’re trying to navigate their way through, through an immigration system, you know, so it’s, you know, so it is a whole broad swath of folks, you know, across Canada who can potentially, you know, fall victim, perhaps more readily than others, you know.
Steven: I feel super lucky. I work in this space. So I am very familiar. I am suspect of everything, you know, and, you know, and, you know, and I tell my wife and my son and my family or whatever, like, if you don’t understand it, don’t click on it, you know, call me, email it to me, whatever. But, you know, like, but I’m lucky, right?
Steven: I’m in a very privileged position that I work in this space and I understand the scams and I understand what’s going on. And, you know, um, it’s ironic, you know, even, even the space that I’m in, you know, um, my wife had entered into this email exchange with this guy about it. You know, oh, you know, someone says birthday’s coming up.
Steven: I need to get a gift. I don’t get paid to next week. And it was from literally from her sister’s email. Wow. And and I was looking at a guy. Okay, it’s a little abrupt, but whatever. So she starts emailing back and forth. Kind of like, like, sure. What do you need? Like, how can I help? Like, you know, whatever. Um, and all of a sudden the person said, well, I needed to go, like, buy a 500 gift card for this store.
Steven: And my wife’s like, there is no way my sister’s buying a 500 gift card for an eight year old’s birthday. Yeah. Thanks.
I mean, you know, and then she told me after the fact, but, you know, but it was interesting, like, even that, because, and even, you know, very intimately aware about this space, but it was, she looked at a, you know, we have, you know, everyone’s trained, look at the email address, whatever, but it had come from her sister’s email.
Steven: Somehow. Yeah, exactly. They’ve copied it. And then, you know, of course, then she calls her sister and says, I think you’ve got a problem. She calls the service provider and they go in and look behind the scenes and say, Oh, basically they’re redirecting everything that’s coming to your email to them. Oh, yeah.
Ken: You got to think of all the implications.
Steven: Well, exactly. You know, all the implications. And all of a sudden she’s trying to send out Facebook messages and calling people and saying like, I’m not asking for anything, right? Like, so it’s, it’s fascinating to me, like they become more success, more successful because they’re becoming more savvy, right?
Steven: You know, we keep telling everyone, Oh, look at the email header, look at whatever. So now they make it look real and you know, even just the evolution over the last little bit. I used to tell my friends and stuff like, Oh, if it looks like it’s from your bank, right? And banking is obviously another big issue.
Steven: I’m like, go click on the bottom links, which say, you know, ask about us, contact us, whatever. And that’s where you’d click on them and it would fail, right? And I’d be like, there’s a good indicator. But now the new scams, they’ve fixed all that. They still, they, they, they still send you, and it looks like the real page again.
Ken: I mean, I got to say like recently the kinds of SMS phishing I’ve been getting are very sophisticated. They have a captcha at the beginning. So, you, you couldn’t automate the crawling of that website with a, you know, any kind of cloud service tool.
Uh, and then you, you click through and it’s, it’s like Royal Bank’s website and it’s, it’s perfect. Ken: It’s pixel perfect with the real thing. Absolutely. I’ve never fallen victim to it. Because I work in this space, but, uh, you know, my parents probably would, uh, and, and this is happening all the time. Steven: Yep. I look at, uh, you know, I, I talk about my mother, I’ll look at my mother in law, who’s a little more tech savvy, who has an iPad and whatever, but, you know, if, I was going to say, if she gets an email from her bank saying, oh, you’re overdrawn or whatever, she would be trying to navigate on the iPad. Steven: How do I transfer money? How do I, you know, and, and all those things, because it would be such a concern to her, you know? And without asking any of us, because she, well, it came in her email. It must be true, right? You know, and you know, you know, and she is, you know, over 80 and that is a concern. You’re like, you know, because she, you know, she’s mastered what she needs to do. Steven: She can get the photos from her grandkids and she can get, you know, when we’re traveling, we’ll probably send her pictures, you know, from here while we’re away. But all the other stuff, she just assumes it’s real, because why else would they have my email address? Why else would they, you know? So it’s, it’s really quite fascinating and concerning, right? Steven: Obviously, at the same time. Ken: Yeah, and, and, and these are, these are your problems. Like, you’re the regulator and, you know, Canadians are expecting you to somehow solve what you said earlier is really a global problem. Right. Uh, you know, Canadians are not just being targeted from within Canada. They’re being targeted by foreign actors, even, you know, potentially foreign governments with misinformation campaigns and attempts to steal their information. 
Ken: Um, so, you know, are, are there, uh, are there particular industries, uh, or sectors of the economy that tend to generate higher complaint rates? I mean, off the top of my head, I’m thinking, you know, Uh, email marketing in particular would probably be a source of complaints. Steven: You know, it would definitely be our retail and services sector, by far, it’s probably over 60%. Steven: Right. Um, you know, when it comes to, I was going to say, I’ll call them legitimate complaints, but legitimate concerns about company X is not supposed to email me anymore. Company X is emailing me too much. Company X unsubscribe doesn’t work, you know, et cetera, et cetera. So it’s, I think we’re at over 60% probably retail and services sector. Steven: Absolutely. For sure. Ken: Yeah. And the balance of, you know, the other 40, you know, it’s kind of a mix, right? Steven: So, you know, sometimes it’s Joe Handyman that you’ve hired for a particular service or something like that. Um, you know, we do get, we don’t get as our complaints about the banking industry, for example, are actually more about the phishing side of things and stuff like that. Steven: Right. But legitimate is definitely a retail side. Yeah. For sure. Ken: Kind of doesn’t surprise me. Steven: No, exactly. Yeah. And we all do that, right? We all, like I said, I, you know, I gave the example of me and my nephews, sure, I’ll take 10% because all of a sudden these clothes cost a lot that, you know, my son’s in his thirties now. Steven: That’s, you know, it’s not the same price as clothes anymore when you’re nine. Yeah. Ken: Yeah. Yeah. Totally. So, so, um, shifting over to the enforcement side, I mean, uh, CASL obviously has a lot of power, uh, gives the government a lot of power relative to what other countries have been able to establish through legislation. Ken: So what are some of the notable enforcement activities, um, that, that, uh, your branch has been, uh, taking part in recently. Steven: Absolutely. 
Um, and we’ve, we’ve been doing some amazing work, you know, and I was gonna say I can probably put it in a couple, a couple different, You know, buckets, if you will, categories of stuff, you know, our more traditional enforcement, our more traditional investigations, you know, are back to that, you know, commercial electronic message, right? Steven: You shouldn’t be emailing me. You shouldn’t be doing this. Um, you know, I think we’ve done like five notice of violation in, in the last little bit, um, with administrative monetary penalties assigned to that. We’ve got some undertakings related to that, you know, really good one, uh, as an example. Um, you know, we did an undertaking with the Gap before Christmas last year, which is like, you know, it was kind of the, the broader Gap range of companies, right? Steven: You’ve got the Gap, Old Navy, Banana Republic, or whatever, where their unsubscribe’s just clearly not working. Like, you know, hundreds of thousands, exactly. And hundreds of thousands of complaints of like, you know, people saying like, it’s not working and instances of where this is not working. Um, and they were really great, you know, uh, you know, we kind of said. Steven: Um, and we saw this huge influx of complaints and then all of a sudden my folks go looking and then we, you know, we talked to the Gap and we say, we think you’ve got a problem. Um, and they were really great. They worked really well with us as, you know, as the regulator kind of like, Oh, we think we’ve identified the problem. Steven: It’s, you know, some subcontractor of a subcontractor for one of their very particular brands. Um, but they recognize the fact that, yeah, this shouldn’t have happened right at the end of the day. Um, you know, so the undertaking piece, so that’s kind of that negotiated settlement piece. You know, if you. If we come to you and say we think you’ve got a problem and, you know, people go, Oh, you’re right, we do, um, they’re willing to fix it. 
Steven: They’re willing to enter into a compliance program. You know, life is pretty good. Um, you know, our notice of violation tend to be a little more egregious in that people don’t agree. Like, Uh, we think we disagree with your definition or whatever. Um, they’re often willing to, you know, pay an administrative monetary penalty or not. Steven: Um, or they can challenge it. They have the right to do that, you know, uh, whether it’s to the CRTC itself or to federal court if they, if they truly disagree, uh, which I welcome, right? You know, if the federal courts hold up a decision that we’ve, that we’ve made, then, then that’s great. That’s good precedent, right? Steven: We are administrative tribunal at the end of the day. The, the, the more decisions out there that kind of support our thinking and, and, and what is the violation and what is not, the better. Ken: Do, do they ever, do they ever sort of try to make the argument that it’s their charter freedom of speech right to be sending out these emails? Steven: Absolutely, and, and certainly under CASL, three or four years ago now, someone actually did take it to the Supreme Court and say, you know, this is not fair, you know, people can, should have the right to get whatever they want, you know, we should have the right to send people whatever they want, um, but it failed. Steven: Um, you know, so it’s upheld by the charter, so, which is great, um, from that perspective. Um, but I think one of the things I want to focus on, on some of the kind of traditional undertakings and the traditional investigations we have is that we’ve tried to be creative, right? You know, if it’s not been clear in this discussion, you know, I take the compliance piece really big. Steven: Like we do a lot of education and outreach, um, on the enforcement side, you know, I like to say we’re innovative, right? It’s hard to imagine at the end of the day, you say, Okay, well, at the end of the day, they broke the rules. 
They should, you know, pay a penalty for that. Um, but we look at other ways in which we can. Steven: Um, get the messaging out, if you will. So we are very creative sometimes in our, uh, in our enforcement actions in that we ask folks, or I shouldn’t say ask, we get them to commit to certain things like, you know, in a recent investigation, uh, with lots of what I will call young folks, cause I’m old. Um, but younger folks who think that they can do bad things on the internet and not get caught, you know, these guys get caught and we can talk about this dark web case in a minute. Steven: Um, but one of the things we asked them to do at the end of the day, once they realized they were caught, is one of your conditions, if you will, I talked about big companies have to do compliance programs, when we deal with individuals, we said, okay, well we want you to educate kids, you know, at a youth network or something about the bad things on the internet or how not to get trapped into kind of these things or how there is no quick money scams. Steven: You know, so, you know, things like that, you know, we ask them, you know, we want to make sure they’re not, you know, repeat offenders, if you will. So we say, okay, for the next three years, we’re going to reserve the right to look at your devices anytime we ask, you know, so we try to be innovative and when we look at big companies, it’s not just about. Steven: The administrative monetary penalty that gets paid to His Majesty, right? It doesn’t come to me. It goes to the government of Canada writ large, you know, it’s also okay I’ll take that penalty of 150,000, you know to the government of Canada But then I want you to spend 100,000 over here to a charity which supports, you know things in this space like educating Canadians educating youth That type of thing. 
Steven: So we’ve tried to be very creative, if you will, in the enforcement space, because I think, you know, I’m, I’m, as I said, I benefit from legislation that is very. Broad allows me to do a lot of things, so why not, why not, you know, if you will make them give back, like, because for me, I think that’s just equally important, you know, I, I’m the first to admit, I guess if I was a cost recovery program, I might think differently, um, but I think I can do way greater good if I’ve got a 25 year old in a room with a bunch of teenagers saying, you know what, this might seem like a good idea at the time, but you know, I paid a 50, 000 fine. Steven: You know, I’m here talking to you guys, you know, and now every time someone Googles my name, they’re going to find out that I did this at the end of the day. That’s, you know, maybe the good and bad of the internet is there forever. Right. And maybe I’ll say that, you know, when I see this video, perhaps, but, but at the end of the day, right, it’s, you know, I think that’s important for them to kind of get that message out, you know, to their peers and to others. Steven: And if we can have any role in that, I see that as such a huge win. Ken: Fantastic. I love the, Uh, the idea that you have the flexibility to be creative, uh, you know, instead of just sort of being a, uh, a, um, a fine issuing agency, which would, uh, which would create more of an adversarial. Steven: Absolutely. Right. You know, I, I joke all the time, uh, um, you know, when I, when I’m at speaking events or I’m industry events, it’s like, you know what? Steven: It’s the age old adage, right, if I’m, I’m from the government, I’m here to help. And, and I, and we really are, right, at the end of the day. And even when I’m talking to my, you know, to my, to my team, uh, you know, I’m always like I want people to see correspondence from the CRTC, a letter from the CRTC, an inquiry from the CRTC. Steven: I want them to want to open it. Right. Right. 
I don’t want them to look at it and go, Ooh, that’s from the government and I want to look at that and I’ll wait till later. Right. Ken: Or to complain about it to CASL and say I never subscribed for this type of notification. Steven: Exactly. You know, so, so I want them to, I want them to have faith in the regulator. Steven: Yeah. And I realize that’s an uphill battle. Um, but I think the more work we do in this space, the more positive impacts we have, you know, when Canadians can see the fact that we’re, you know, we’re doing our best, you know, and, you know, people’s definition of best may, may differ. Um, but we’re trying to give them the tools and tips and tricks and we’ll, we can talk about that later, but, um, I know, you know, and I, I alluded to it in, in my, in my intro to this question. Steven: But, you know, we’ve done some really cool work on the dark web and, you know, and, and I talk about the commercial electronic messaging, if you will, that’s kind of the bread and butter of our work, if you will, right? That’s where a lot of the violations occur. Um, as I said, protecting Canadians in this more nefarious space is really important to me. Steven: It’s really important to my team. Um, So last year, um, we did an investigation where we’re able to kind of connect three or four people, um, who had stolen Canadians’ financial information, who were making it available for sale on a dark web marketplace. Um, you know, and it’s kind of four people in very similar jurisdiction of Canada. Steven: Um, but we’re able to kind of investigate this through a bank, believe it or not. Um, one of the challenges we have, and I talk about being civil and being criminal. Um, One of the benefits of my legislation is, you know, what? It sounds like a very, a very nuanced condition, but people can bring me a case on a platter and basically say, I’m seeing this. Steven: Can you help me? 
You know, because I say we’re complaint space for intelligence space, but we can also have someone say, Hey, I think this is a problem. So we actually had banks coming to us saying, you know, we are seeing a huge, you know, they’re taking lots of losses, obviously, right? People are being scammed out of their money. Steven: Their bank accounts are being drained. Um, you know, I think the financial sector is trying to wrap their heads around what’s, you know, how do they protect their own interests, but protect their customers interests. And, you know, and a lot of that comes down to dollars, right? A lot of that comes down to money. Steven: Um, so we had the banks coming to us saying, We know this is happening. We think we even know where it’s happening. We think we know where the vector is. Um, but law enforcement doesn’t have time, right? And that’s, that’s fair, right? And you know, I won’t comment on the priorities of law enforcement agencies across the country. Steven: We just have to watch the news every night to know that there’s a lot of conflicting priorities, right? At the end of the day. Um, so we took this case on the back and said, okay, well, let us investigate and see where we are. Okay. So we landed on four individuals who were doing this horrible work. Um, we executed like two search warrants, you know, got devices, got computers, whatever, looked at all that information that was available, you know, and, and landed on, you know, notice of violation for these individuals, which will now be forever, like I said, Googleable, you know, if you will. Steven: Um, and we shut down the, the largest Canadian dark web marketplace. And, you know, 18 days, eight days, 18 minutes, maybe. Cause let’s be realistic. I talk about how tech savvy these folks are. Um, but you know, millions of Canadians information was available like for 4 and 50 cents, right? You, me, anybody in this building, you know, it’s cheap. Steven: You did that. 
You did that through civil action. So our team was able to shut down that marketplace because as soon as they, you know, we’ve got the four principals, if you will. And then it all goes dark, right? Cause it’s like, we basically pull the plug and, you know, so I, I don’t pretend that that lasted long within, within minutes, within hours, within days, it was back up and running under a different name under, I was going to say, I’m not the techie guy, but under different technical scripts and whatever, but at least for a moment in time, Canadians’ information was not available. Steven: And, you know, and we were able to, we were able to just stop that. Which is just, it’s fascinating to me that we can have that kind of impact, you know, um, and it’s impact that’s not seen, right? Like Canadians can’t see that. They don’t know that we’ve stopped someone from stealing their information and creating a whole new identity or, you know, taking out loans in their names, et cetera. Steven: But the fact that we can have that impact, the fact that we knew that that information was out there and we had to do something with it, you know, and obviously as investigators and as, you know, I, you know, I’ll say uber techie guys who work for me, they are just, they are ecstatic to be able to have that kind of, to have that kind of impact, you know, right. Steven: And more recently, even, you know, and I’ll go, I’ll go to an even more recent case, you know, um, just like a couple months ago, like we do lots of international collaboration, obviously, um, you know, you know, domestic problem, you know, international, you know, you know, it’s just crazy. Um, but you know, but because of that dark web. Steven: Bank phishing case, you know, we recently had the FBI knocking on our door saying, Oh, we think we have a guy who is responsible. You know, one of the key primaries in this global network. Um, and, and we said, you know, obviously we have to figure out where our pieces in that. 
Right. So I’m still CASL. I’m still civil. Steven: You know, I only have so many authorities, um, but when they come to us and say, you know, we think we’ve got a guy, he’s doing similar work like you did last year, maybe you can help us out, you know, we’re, you know, we’re blessed with having the opportunity to work with law enforcement, I have MOUs with countries and law enforcement all around the world, so that we can get work done together, that’s important, um, so just in April this year, you know, we did this coordinated, um, takedown, Uh, in a particular jurisdiction in Canada. Steven: Um, and, uh, yeah, so it’s called, and, and I love the name, they call it, it’s Operation Cookie Monster. Um, so, you know, you can go Google Operation Cookie Monster and you’ll find out some details about this case. Um, but with the FBI and domestic law enforcement across Canada, but international law enforcement, you know, again, we’re able to shut down a worldwide marketplace, uh, for the dark web. Steven: Which is, it’s just incredible and, you know, the, the achievements we’re allowed to have, you know, uh, we get to get out of that is, is huge, you know, and just that partnership and collaboration and people realize, like, it doesn’t have to be always law enforcement to law enforcement, they have to be creative even, you know, with my regulatory colleagues around the world and kind of like, Oh, what kind of, what piece of, you know, spam or what piece of SMS or what piece of whatever do they have under their jurisdiction? Steven: You know, to try and get that creative, you know, coordination, because I get it. Every law enforcement around the world has priorities, and it’s not always what’s the priority that, whether it be a company within your own country needs you to focus on, or an international company may come, you know, an international law enforcement like the FBI may come knocking and say, like, you know, we don’t have time to do that. 
Steven: You want to do that in three weeks. You know, we don’t have time to do that. Whereas you can, you know, come to the regulator and I’ll be honest, it was a short time frame. It wasn’t three, but it was probably six weeks. Which almost seemed impossible, and when, you know, when we were briefed by the FBI, I’m like, I really want to help you, I just don’t know if I can do it, in that kind of a time frame. Steven: But we pulled it off and, and yeah, just, just such huge benefits and just to show, you know, that the internet has no borders, the enforcement piece shouldn’t have any borders either. Right. And if we can all play a small little piece of that, you know, one of the little side notes and, you know, is, uh, for my folks, because this is, Really cool work that they’ve become very skilled at and are becoming very known at, you know, being able to do really well, um, is the FBI brought in a cyber dog and, you know, and, and I was like, okay, I don’t understand what a cyber dog does. Steven: At first I thought it was a robotic dog. And I’m like, was that a robot dog? Like what’s a cyber dog? And what I never knew, and I’ve worked in this space a long time, is that in all electronics. They’re, they use a particular type of glue in every cell phone, laptop, tablet, or whatever these particular type of glue. Steven: So the dog is trained on the glue. So you bring in a cyber dog because, you know, we executed search warrants into particular suspects homes. So you bring in the cyber dog to find the devices. Wow. Ken: So if they’re, they’re hidden behind a couch. Steven: Absolutely. Right. So, you know, so, you know, as As a search team, you don’t have to start ripping up all the floorboards in someone’s house, but really cool, like just a really cool tool to use, right? Steven: And you know, and And it’s interesting because I even had, you know, I had some legal advice that suggested like, Oh, that might be a breach of privacy, whatever. 
But at the end of the day, when you’re executing a search warrant, it’s for the whole property. And actually what the cyber dog did in this case, it actually meant we could be focused on where we’re focusing our attentions, right? Steven: So you’re actually being less privacy infringing. We’re actually being less, exactly right? The ones that are on the desktop, the ones that are on the coffee table, that’s easy. But she pointed stuff out in a closet. She pointed stuff out in some weird little, you know, cubby or whatever. Which was just fascinating. Steven: And, and for me, it was really cool. Now I came back and told my boss, I need to buy a cyber dog, but then I got the price tag, which is a little pricey. Um, and he was going to walk it anyway, but, um, but just cool to have those tools available to us, right? Like cool that the FBI was, you know, I was going to say coming to town, we’re going to help them execute, you know, these search warrants. Steven: Um, but they could enhance our game, right? We have, you know, I’m. I’m very fortunate that we have really great tools that we use to be able to do our job. So something like a CyberDog, which seems very, you know, if you will, traditional almost, but the, the effects that that can have, and, and it’s, it was really super cool. Steven: Sorry, I had to share that story because I mean, it’s all about the CyberDog. Ken: Yeah, you don’t feel like the one thing you don’t think about when you think about the CRTC is executing a search warrant. Like I had no idea that the CRTC could execute a search warrant. That is news. Yeah. Uh, for civil enforcement. Ken: Yeah. Absolutely. You think about that in, in the context of criminal work, but I’m not, not generally civil. That’s very interesting. Steven: No, and, and I often say all the time, I am, you know, I’m very fortunate to have such robust legislation, which does include that, right? Yeah. Because otherwise it becomes very challenging, right? Steven: Sure. 
My folks can only do so much behind their desk. Right. You know? But if we can actually… Take those devices. I have no seizure powers, but I can take them temporarily. I can image those devices, and then I have to hand them back, which is fine. Um, but I’ve got all the information I need, right? I have all the intelligence, if you will, to secure our case, right? Steven: Right. You know, to take any actions going forward. So. Yeah. It’s a really, it’s a really great power to have. Absolutely. Yeah. I have, I have law enforcement colleagues who go, I wish it was that easy for us just to go to a judge. You know? Uh, no, there’s a lot of work, right? You still need an ITO. You still need all that. Steven: And, you know, we’ve spent, uh, my folks have done a lot of really great job in just educating, you know, um, magistrates on this, like on this type of work and what you’re trying to do and what you’re trying to accomplish. Right. Because it’s like anything. You said you didn’t know, you know, I think the first time we took a search warrant to a judge, you know, uh, I think she respectfully is like, I don’t understand this. Steven: You’re going to have to take me back to CASL 101 here to help me understand what we’re trying to do, what you’re trying to get, you know, I always, I was gonna say I travel everywhere with lawyer, but, you know, but it’s also like, okay, show me where your legal authorities are, help me understand. So, you know, obviously they want to make sure they’re making the right decision too. Steven: Um, we, you know, we’ve been, I mean, obviously our offices are in a particular, uh, spot in Canada. So we’re lucky we can often go back to the same judge or the, you know, at least the same court where they go, Oh yeah, I remember we did that. You know, so you actually start educating even on that side, right? So that they go, Oh great, you know, we’re going to do another, you know, almost like we’re going to do another one. Steven: Yay. 
Like, you know, cause they see the value in that too, right? You know, we’ve had magistrates say, Oh, please come back and tell me what happened. Which is, you know, when it’s, you know, it’s difficult to get 22 minutes with anyone. It’s, it’s nice when they say, oh, can you please come back and tell me what, how this worked out for you, which is great. Ken: Amazing. So, the complete, you’re educating everyone, even behind the bench. Nope. Absolutely. Very interesting. You know, it’s fair to say, um, I think that the CRTC has been one of the more proactive telecom regulators in the world. Uh, And I say that as a bit of a lay person, you know, I’m not really steeped in the regulatory world, but certainly, you know, reading the news, uh, you hear about frustrations in other countries where the regulator, the government seems to be toothless in the face of all of this stuff. Ken: But in Canada, uh, I mean, the, the, the word CASL strikes fear into many, uh, many marketers, you know, even in other countries, uh, what, what is on the CRTC’s radar, uh, for the future? What’s coming around the corner that you guys are thinking about? Steven: No, absolutely. And it’s a really great question. You know, one of the things I often say is I’m, I’m fortunate, and I think I mentioned it earlier, um, you know, being an enforcement arm within the communications regulator is really helpful. Steven: Um, because at the end of the day, if I can’t enforce it, I’ll regulate it, which, you know, if I was in a room with telecom service providers right now, they just, they just roll their eyes at me or, or get very, give me very angry eyes. Um, but that goes back to that civil criminal piece, right? So I can’t, you know, I can’t enforce a criminal action. Steven: But what if the phone never rang like what if the email never landed in your inbox? What if that you never got that SMS text message? 
Um, so one of the things we’ve really focused on in the last five years, um, is bringing that regulatory policy piece in because it’s actually really helpful because if I can enable. Steven: Telecom service providers to stop the phone from ringing and to block that botnet, if you will, like block that malware before it ever lands in your email, um, then I’ve also done my job, you know, so on the telephony side, and I know we’ve been talking a lot about CASL, but on the telephony side, we’ve sort of introduced a bunch of different tools, um, you know, universal call blocking, for example, which is now like Three or four years old. Steven: It’s been since December, 2019, I guess, where you should never get a phone call that from (123) 456-7890, for example. Right. Or a, or a number. That’s all zeros. Right? That just ’cause it’s not, it doesn’t conform to normal numbering standards. Right. You know, 1, 6, 7, whatever. Um, so we empower the TSP to say like, you can block those right. Steven: And telecom service providers, you know, it should be very important to know like they can’t stop traffic unless they have our permission, right? And I should back that up a little, you know, without the CRTC permission, basically they have to let every call go through every email go through, you know, if you will, they’re just the pipe, right? Steven: They just, you know, they get that. message to you, be it telephone, email, SMS, because that’s their job. They provide the conduit to do that, um, and for them to, if you will, interfere or stop a certain call or block a certain email, they have to have CRTC authority. So we started out with that. That seemed easy, right? Steven: Because that if you’re getting zero, zero, zero, zero, zero, zero. That’s a scam call. No matter what, like, just don’t answer it. So block that. So that was kind of the easy stuff. 
Um, and then we introduced like, uh, STIR/SHAKEN, which is a, a, a technology at the end of the day, which is about authentication and verification. Steven: Um, because we live in a world of call display. Um, and you know, at the end of the day, you know, Oh, it’s Ken calling me. That’s great. Um, as we know, Um, I think it’s over 40% and it could be over 50% now of our telephone side of the house complaints are all about spoofed calls. Whereas it looks like Ken is calling me, but then I pick up the phone and it’s actually not Ken, right? Steven: It’s somebody else. And they’re trying to sell me lawn services or deck cleaning services or roofing services or whatever. Or they’re telling me I’m in trouble or whatever. Ken: Or a really popular one seems to be you get a, you get a phone call and it’s got the same first six digits as your neighborhood. Ken: You answer it because you’re like, well, it looks like it’s my cell phone number. Steven: It’s, you know. Absolutely. Right. And I was going to say, I was going to say, I feel like the telephone guys got a little better at, for at one point it looked like you were calling yourself. So then all of a sudden people were like, Oh, we did that wrong. Steven: They went a little too far on that one. Um, but what STIR/SHAKEN does and what we’ve allowed, what we’ve mandated the providers now to do you will. Steven: Now, it only works on voice over IP right now. So, I mean, that’s a lot of our mobile networks, which is great. Um, you know, it’s still a small percentage of, uh, if you will, our landline networks because, you know, the landlines at the end of the day are still old TDM, traditional, you know, whatever, but they’re all evolving. Steven: Networks will evolve, right? But one of the mandated things is you must be STIR/SHAKEN compatible on your IP business, piece of business. And what it does in a nanosecond of time, and my real easy explanation is at the end of the day. 
You call me, it goes through, obviously, the telecom, you know, provider, and they authenticate that on, on the other side. Steven: So if we happen to be on different providers, that call comes in to my provider, and in a nanosecond, they go, Yep, that’s Ken from his house. Green checkmark. Go ahead. Or, yes, this is Ken, or whatever they decide to use, and that’s all evolving. So when it lands, you know, when the phone rings instantaneously, but when the phone rings, it says, Yep, you can answer it, it’s Ken. Steven: Yeah. But if they can’t make that authentication, right, if they can’t do that, then at least it will come in and it’ll say, likely a scam. Yeah. I see that sometimes. Because it says it’s Ken, but it doesn’t look like it’s coming from Ken’s house. Yeah. So we don’t think it’s Ken. So then it’s like likely scam or suspect or something like that. Steven: And what that does is, you know. I talked about giving Canadians lots of tools, you know, and maybe that still won’t work for my 80 year old mother who I talk about often, but at the end of the day, at least Canadians know to treat that call with caution. Right? At the end of the day, when they pick up the phone, it looks like the bank, but the call display says, probably not your bank. Steven: At least, you know, when they say, Oh, we just need to verify your credit card number, you can be like, No, thanks. Click, you know, at least it provides that extra level where, you know, probably a 10%, you know, take up at this point because just because of the networks, you know, the, the TSP providers are getting themselves ready, which is great. Steven: Um, and even they’re figuring out kind of that check mark X, like fraud, like least scam. They’re even just figuring out that language amongst themselves of what to use. Yeah. 
But it’s, it’s one more tool, you know, and like I said, you know, I’ll probably never stop all the calls, I’ll probably never stop all the emails, I’ll probably never stop all the text, but the more tools I can give folks, the more information I can get, the better. Steven: Also on the telephony side, and I’ll move back to CASL, I’m sorry, I’m very passionate about all the work we do, you know, on the telephony side, um, is, during COVID, uh, one of our major providers came to us and said, Oh, we’re seeing this scam. We know, uh, we know it’s a scam. We can tell, you know, I always say by the techie piece because I’m not the techie guy, but they can identify this particular type of, of call as being a scam. Steven: Can we have permission doing this through AI, which is fascinating to me. And, you know, I’ve heard you talk about AI recently, and I was gonna say, I feel like we’re all behind. So, you know, in that space from a, if you will, from a regulator’s perspective, we’re all behind. Um, anyway, they were going to use the AI to kind of identify these calls and they wanted to block them back to my, they needed our permission. Steven: We said, okay, try it. And you know, I’ll be honest, it took us a little while. They did a pilot. And then they come back and say, can we do it forever and whatever? Um, but, you know, in two years, you know, and they started during COVID, um, they’ve blocked over 2 billion calls billion billion as in B with zero false positives, you know, because as the regulator, of course, we said, okay, you can block it. Steven: We need to disclose publicly how you’re going to do it, and we need a public process if, if you block a call by mistake, right? And that’s always the biggest concern, right? You know, or that might have been the hospital calling, or that might have been someone else calling, and whatever, or, and it’ll be the same on the email side. Steven: Um, but they’ve had zero false positives and two billion calls. 
So for me, that’s two billion calls that I’ve never rang. I mean, Ken: in a way, you just want to make it so that, at the very least, Canada is a bad target for these guys, right? Steven: Absolutely, right. You know, oh, and I think you’re absolutely right. You know, I think the… Steven: You know, you know, not, I was gonna say, not that I want to push the bad actor somewhere else, but if they see we’re putting all these measures and all these tools in place, it may be less attractive to try and scam Canadians, right? Right. Because it may just be, you know, it may not be worth their effort, right? Steven: Because presumably, obviously we’re on the opposite side of this, but if we’re on that side, there’s got to be a return on the investment somewhere, right? They’ve got to know that one one hundredth of the person will fall for the scam and, you know, like there’s good, there’s a business model there, clearly, right? Steven: But if we can stop 2 billion calls, and that’s innovation from the TSPs, you know, I won’t even take credit for that other than, you know, you know, I guess holding them accountable for, uh, from a regulatory perspective on, on the process and who and what and how and what’s the recourse mechanism and all that, you know, type of thing. Steven: But, you know, with STIR/SHAKEN, you know, I think that’s another tool, universal call blocking. You know, I was doing math the other day. I was doing an interview and I said, you know, even if it was one call a week for every Canadian, that’s like 790 million calls a year. Right. That’s not happening. That call is not going through, uh, which is, which I, for me, they’re just huge wins. Steven: Right. And, you know, I can’t quantify that from I’ve done an investigation. I’ve taken enforcement action. I’ve collected administrative and monetary penalties, but if I can stop billions of calls from ever happening. That’s a huge win for me. That sounds pretty good. 
And then I’ll go, you know, and then I’ll, I’ll take us back to the CASL side because, you know, we’ve been, uh, I was gonna say, it’s been a little slower on the policy side on the CASL side because it’s also very young, right? Steven: A very young space. Um, so once we’re having all this success on the CASL side of my, on the telephony side of my house, I went to my CASL folks and like, okay, so how do we stop the emails? You know? And they’re like, well, you can’t stop all the emails, right? You know, my folks, you know, keep me honest at least. Steven: Um. And they’re like, well, you know, like if we could identify the malware, if we can identify the botnets, if we can identify the viruses, and if we can find a way to do that. And, you know, we could give the service providers the ability to block those types of, of things. Um, so, you know, we’re actually sort of midway through that process and we started this last year and so we’ve come up with kind of a preliminary framework where we will do exactly that. Steven: We will give TSPs permission to block the emails that contain particular types of botnets and viruses and malware, all the bad things, let’s be honest. The TSPs. Yeah, exactly. Interesting. Um, so we will allow them to stop that email from ever landing in your inbox, you know, because it’s interesting for me because this one’s a hard one, right? Steven: Like a call is easy, right? People can pick up the phone and they go, Oh, I got called by whoever. It doesn’t matter. I wasn’t supposed to get that call. It’s easy for them to make that complaint. You know, if I look at it. Like a malware or a virus or whatever if it’s coming in through your email at the end of the day. Steven: I’ve got two problems, right? 
I’ve got a jurisdictional problem because, you know, I think I was talking to my folks at Spamhaus recently, you know, and I think it’s like the US, China, Russia, you know, were the top three countries right now where all the botnets, malware, viruses are coming from. Okay. So I’m a domestic regulator in Canada. Steven: That’s hard for me to fix, right? It’s way outside my jurisdiction and probably I don’t have those tools. I’ve got a lot of tools, probably don’t have those ones. And the other side of that for me is that, Canadians are completely unaware, right? You’ve clicked on that email, and you went, Oh, that was just junk email, or I don’t know what that was, and, Oh, I thought that was supposed to be a funny video, and nothing happened on their computer. Steven: But their computer is now compromised. Their computer is now stealing their financial information. Their computer is actually, in some cases, you know, true botnets, or it is now a vector to steal other people’s information. Right. And to email your contacts, and all those types of things, right? But Canadians don’t even know that’s happening. Steven: Right, like they’ve clicked on that button and they’ve now turned their computer into a vector, you know, for bad things by someone else who’s controlling it. And they don’t even know that’s going on. So for me, if we can, I can say, if we can stop one of those emails a day, but if we can stop, you know, inboxes. Steven: Then I think we’ve done really great things, you know, and I think that for me will be a huge win on the CASL side of the house where I can say, but you’re getting fewer of those, right? Ken: So in the email space, I think one of the things that definitely complicates the situation for the regulator is the fact that a lot of people’s mailboxes are hosted with. Ken: foreign providers, uh, and they may have a presence in Canada. 
So you may be able to give them, you know, you may be able to give their mailbox provider some permission to do things, uh, so that they have that flexibility. Is that your focus? Are you sort of looking at, at like enabling big mailbox providers to do stuff in Canada that they might have hesitated from doing in the past because of concerns about privacy or concerns about freedom? Steven: It’s definitely the latter. Right. Yeah. The more tools I can give them, you know, I want. You know, and I say we’re mid process, we’ve given our preliminary views on what we want the framework to look like. We’ve gotten some advice recently that says, Oh, you might have a problem here. You might have a problem there. Steven: Um, I want the broadest, most robust system possible, right? Because at the end of the day, back to my TSPs can’t block anything without permission. If I tell them block botnet 724, then that’s all they can block is botnet 724. If I say block something with the characteristics of 724, you know, then they can block a suite of things, right? Steven: But if I give them 724 and 787 comes up, they actually have to come and ask my permission again as the regulator. Well, can we block 787? It looks the same as 724. So I want the broadest possible framework that allows them, you know, I mean, obviously, you know, accuracy would be important. You know, just the transparency about what are you going to block? Steven: You know, the only reason you can block it is for cybersecurity reasons. You know, there will be a whole criteria on around what they can block and why. Um, but I want it to be nice and broad, um, for two things. A, ’cause I think everything is so discrete, you know, just blocking one particular type, then they’ll just do something different, right? Steven: The back to how nimble, you know, the, the fraudsters are. The other piece of that for me is it’s. It’s big telcos versus little telco, right? 
So if I make it as broad as possible, you know, the big telecommunications company, it’s going to be like, Oh, we’ve got whole teams on this. And we can, you know, we can probably block a hundred things a day. Steven: I may have a small TSP who’s like, I can block one. I’m okay. Yeah. I’m okay if you can just block one. Because at least for your small, regional, whatever service or whatever, if you have the ability to identify one thing that looks like this. That’s 100 emails somebody didn’t get. And if the big guy has, you know, the ability to block a whole bunch more, well, that’s 1,000 emails that someone didn’t get. Steven: So I want it to be, it has to be transparent, obviously, and we have to have, back to that kind of false positive, we have to have a recourse mechanism and all that things, and I want it all to work smoothly and, you know, it’ll take us another few months to figure out what that looks like and, you know, but, Steven: It’ll be, to me, from a regulatory policy perspective, and I sound like a true regulator now, but that, you know, that’s one more way, right? So, you know, to me, that’s enforcement. Even though there hasn’t been an investigation, you know, we haven’t searched anyone’s, you know, computer, we haven’t, like, that is true enforcement if we stop the calls, stop the emails, stop the SMS text, and I know we’re running out of time, but, you know, obviously SMS is just proliferous now, and if anyone’s, you know, I was going to say, if anyone’s listening, but if anyone’s listening, 99% of the time, if someone sends you a random SMS, text message, collect your money here, it’s probably fraud, right? Steven: Because you know, at the end of the day, if your friend is sending you money, if you’re, you know, your parents are sending you money, if you’re expecting a gift, if you’re expecting a refund, you know where that’s coming from. So if it’s random and the amount is like, Oh, it’s more than I thought. There’s a reason for that. 
Steven: Yeah. Ken: Yeah. It’s almost like you need to advise people to verify. Absolutely. Like if you, you get a suspicious I’m not even suspicious, but if, if anyone ever asks you for money or to click on something, verify it in, in your own way, whatever that is like, go find your bank’s website. See if they’ve announced anything about this, you know, call the bank yourself before you take action. Ken: You know. Uh, because the, the variety of, uh, of these communications is endless. The, the, the bad guys are going to find different ways to talk about it. It’ll, it’s, you know, they’ll always find ways to escape the filters. There’s probably a mathematical theorem that says that that’s always possible until the end of time. Ken: But, but if you have that way of verifying a generic message, you should just trust but verify. Absolutely. That might be, go some way towards helping the problem. Absolutely. Yeah. I know one of the things that we, as a, as an email sender who, uh, are, are doing our best to detect bad stuff and block it, we’re always, you know, uh, challenged by, uh, the risk that we block something inappropriately. Ken: Mm hmm. Uh, and I know from our experience that having a regulator tell us, it’s okay to block this kind of thing would be very helpful because I have a team who are very enthusiastic about blocking everything. And if they know at least some of their activities are totally legit and blessed by the government, that would be very helpful. Ken: And I think there’s lots of organizations where people want to do the right thing and they’re just waiting for the go ahead. Steven: And you know, and I think, you know, pure government speak, I think that policy cover is important, you know? And… You know, and I respect the fact, you know, uh, that providers and email marketers and whatever, all are very cognizant of the fact that they can’t block things and they, you know, it’s not within the rules. 
Steven: So if, if one of the tools I can give the industry is like, well, you have permission to block this stuff, we know it’s bad, right? You know, you know, I, you know, I think my folks told me once, like, there are no good botnets, like, don’t, you know, don’t let anyone tell you otherwise, right? And you know, I’m like, okay, that’s good to know, right? Steven: Because you know, um, but if we can provide the tools, you know, to the industry, then I think that’s important that policy cover. Ken: Yeah. If I might make a humble suggestion, absolutely. No, take it or leave it. But one of the other things that we, uh, you know, we struggle with is, is it okay to share this piece of Intel intelligence that I’ve collected with somebody else? Ken: Just because it’s sort of like, well. You know, I couldn’t have gotten that intelligence unless I processed the email and that seems kind of private, you know, but I know it’s phishing or I know it’s like stolen credentials or something like that from a phishing website. I want to share it, but I’m really scared because I don’t want to be accused of violating someone’s privacy. Ken: I think that’s an area where the regulator, you know, could, uh, give comfort in, in certain, in some ways, at least. Steven: Absolutely. And I know when we embark on this path, you know, the metrics will be important to me, right? Because that intelligence is gold. Yeah. Right? That is, you know, and, you know, like I said, we have Canadians who report to us, you know, we look at data from around the world, from open source. Steven: We go to our TSPs and say, what kind of, you know, things are you seeing? You know, but even that aggregate level right back to that privacy piece, but even the aggregate piece is huge, you know, so I can assure you when we look at the principles, uh, for, you know, if you will, this bot botnet blocking, um, you know, it will come with a reporting. Steven: Right. 
And, you know, and tell us at an aggregate level, what types of campaigns you’re seeing, tell us at an aggregate level, you know, what types of, you know, things you’re blocking, because that will be critical, right? It’d be critical for transparency perspective. But I have an entire intelligence team that is going to slice and dice that up so fast that, you know, it’s going to make them really, really happy. Steven: And it helps us focus our investigation efforts. It really does. You know, it helps us know where to focus our energies. I could have the entire communications commission working on spam and telephony files. Absolutely. Right. You know, I’ve got one tenth of that. So I need to use my resources wisely. Of course. Steven: The more intelligence we have, the better. And, you know, and I will, so it’s about giving, you know, the industry, those tools. And I think that’s where the regulatory policy piece comes in. And if you will, I’ll, you know, I’ll land on, you know, one of the things you said, what’s next? So those policy pieces are important to me, you know, one of the things I’m really focusing on now over the next year is, you know, is that prevention piece, right? Steven: And, you know, there’s probably, there’s no prevention in my title, but when I look at from a protecting Canadians perspective, which is in my mandate. You know, the more people know, the more people they’re aware, they’re less likely to fall victim, right? So, I am embarking on, and I challenged my folk this year, is, you know, we really need to amp up our prevention game. Steven: And I think we do a really great job. I think we could do an amazing job. And we’re really trying to focus on, I talked about the vulnerable communities earlier, but it’s like, you know, I was asking, you know, I was asking my team, I said, okay, like, what other languages should we be publishing information in, right? 
Steven: Because, you know, we’re the government of Canada, we do everything in English and French, but back to that immigrant who may not speak English or French, I’m sure there’s a StatCan survey out there will tell me. You know, the mother tongue of most Canadians, if we can put information out there in those languages, people become aware that that, you know, that immigration slash tax slash whatever scam, oh, that’s a scam, right? Steven: But if no one’s ever told them, and even if they have told them in English, they may not quite understand or French, they may not quite understand. So if we can put it in their mother tongue. And say, these are the scams we see and you should not fall victim to that. That is helpful. You know, I, you know, I, I’m looking at, you know, I look at my 80 year old mother and I was sitting on a plane recently beside a senior citizen and she was asking what I was doing and, and she was like, you know, she was like, Oh, she goes, I don’t understand why my grandkids don’t tell me about this. Steven: And I said, Oh my gosh, you’ve given me the most brilliant idea. How do I get young Canadians educating their grandparents? Yeah. Like on like, you know, grandma, like I’m, you know, I’m never going to be in jail where they’re going to be asking me for money to get me out of jail. You know, like grandparents scams are horrible. Steven: Yeah. They are just horrible. Uh, you know, cause they play on that, you know, a grandparent will always help you out no matter what. And they play on the secrecy. Oh, you can’t tell anyone, you know, but. You know, Jennifer is going to lose her job if they find out she’s been arrested. So you can make this all go away if you just, you know, bring us 5,000. Steven: And, you know, like, like, they’re just horrible scams. But I was like, Oh, wait a minute. It’s true. How do I get, you know, the young Canadians to educate the more senior Canadians who may not be as savvy in this space, but they are the. 
You know, I forget the recent snap, but over 40% of Canadians now are over the age of 55 or 60 or something like that. Steven: So they are the ones who may not be as savvy and they are the ones who will fall victim. So, you know, I need, I was going to say, I need the teenagers who never answer the phone and never answer, you know, would never fall victim because they’re, you know, they’re probably way more educated in this space or they know more about it just from their friends. Steven: How do I get them to educate senior citizens? How do I get that out there? And how do I even get back to basics from a media perspective, right? There are lots of community newspapers out there, there are lots of local radio stations out there, you know, where we could be talking about, you know, the scam of the week or the scam of the month, or are you aware that this has happened? Steven: You know, I always say I love in Canada, we have, you know, March is like anti fraud month and October is cybersecurity awareness month, and I love these months. The stories are horrible, horrible, horrible, horrible, because, because the media goes, Oh, it’s, you know, fraud prevention month and they go out and talk to Joe and Jane Canadian and say, well, have you ever fallen victim? Steven: Well, yeah, let me tell you what happened to me or my friend or my neighbor or whatever. So these stories happen a couple months a year. I want every week to be one of those, like, you know, so it’s, you know, it’s a big undertaking and we’ll take baby steps, but you know, I really am trying to focus on, we’re doing lots of really great work on enforcement activities, on compliance activities, on giving, you know, the industry the tools that they need. Steven: I now need to prepare Canadians even better, even more, just because. Everything moves so quickly Ken: and I think, uh, you know, with that, um, generative AI just entered the room. Exactly. 
I mean, I think before November of last year, the technology behind, uh, things like GPT was such a nerdy research area and, you know, it didn’t affect everybody’s lives. Ken: But then November 30th, you know, ChatGPT comes out, has a million users within seven days, a hundred million users by, by February or something. And then in March, they released GPT-4, which for all intents and purposes is, is intelligent. Uh, and, uh, I just, Ken: you know, I’m now this week at the, at the M3AAWG conference in Dublin. Everybody seems to be talking about the use of generative AI in phishing attacks, um, social engineering, uh, and, uh, misinformation generally. Has this yet reached your desk? Are people starting to report, uh, generative AI based attacks or are there discussions going on about that? Steven: No, I’m not seeing it, you know, and which is, uh, and touch wood and I won’t, knock on the table, but, um, no, I’m not seeing that, but that’s the next thing, right? And, you know, if I look at artificial intelligence and, you know, and part of me is like, are you going to use it for good or use it for evil? Um, we’re going to see both, right? Steven: You know, and if I look at, you know, I talked about one of our service providers, they’re blocking 2 billion calls. In my mind, they’re using AI for good, right? They’re trying to look at algorithms, et cetera, and whatever. We will get the opposite of that, so, you know, invite me back in a year and that’s probably what I’ll be talking about is, you know, now the complaints I’m seeing are about this, which are going to be more difficult, right? Steven: They’re going to be more difficult to slice and dice. They’re going to be more difficult to investigate. 
They’re going to be more difficult to put any kind of rules or regulations around, so yeah, you start Ken: thinking about the possible combinations of AI, like, you know, use something like GPT to write the script and then you use a text to speech generator to make the voice happen. Now you’re, you know, your spam call is lifelike and it, and it understands what you’re saying and it engages in a nice conversation and then you end up, you know, sending money for some, uh, terrible product that you’d never wanted to buy. Ken: Yeah. Steven: Uh, you know, I think, uh, that’s gotta be just wrong. Or, you know, donating to a charity or, you know, you, I think you’re right. You’re going to have that voice simulation where they’re simulating known voices and all that kind of stuff. And you’re going to feel like you’re doing this great thing and I can’t believe that this person called me and, you know, it’s back to if it’s, you know, it’s, it sounds very, you know. Steven: Very classic. It’s too good to be true. Maybe. It probably is. Ken: Probably. Yeah. I think that’ll never change. Yeah. Right. That’s, that’s why when you, you know, you’re talking to, uh, senior citizens, if they get a call and it seems either too good or too terrible to be true, find a, find a way to verify it, right? Ken: Because, uh, no, no amount of AI is going to dupe you if you call your granddaughter and she says, what? No, I’m fine. I’m sitting at home. I haven’t been kidnapped, right? Steven: Yeah. I’m going to steal that line. If it’s too good or too terrible to be true, verify. I like it. Thank you. Ken: Absolutely. Yeah. Thank you very much for the conversation, Stephen. Ken: It’s been wonderful. Uh, and, uh, I do look forward to seeing what the CRTC has to say in the coming year about the email space, uh, you know, stopping email scams. Um, that will be much appreciated by millions of people if you succeed. Steven: Well, thank you very much for having me. 
And by all means, I hope you’ll invite me back sometime. Steven: Absolutely. Ken: Thanks, Steven.