In this episode of the ‘For The Love Of Emails’ podcast, we’re honored to host Steven Harroun, Chief Compliance and Enforcement Officer at the Canadian Radio-television and Telecommunications Commission (CRTC), alongside our esteemed host Matthew Vernhout, VP of Deliverability at Netcore. With Steven’s wealth of experience in compliance and enforcement, particularly in telecommunications and electronic commerce, we delve into how the CRTC safeguards Canadians from digital threats, including email and SMS, while exploring the nuances of Canadian anti-spam legislation.
Intro (00:06):
You are listening to the ‘For The Love of Emails’ podcast, powered by Netcore, a weekly show dedicated to helping email marketers, marketing enthusiasts, and professionals of all walks engage, grow, and retain customers through reliable, smart, and effective email communication and engagement. Discover actionable ways to increase ROI and deliver value through email innovations, personalization, optimization, email deliverability, and email campaigns. No fluff. Tune in to hear best practices and tactical solutions from the best thought leaders and practitioners. Master your email communication now.
Matthew Vernhout (00:39):
Hello, and welcome to another episode of the ‘For the Love of Emails’ podcast. This is our first episode of 2024, and I am very excited that we have a wonderful guest with us today. As usual, I’ll be your host, Matthew Vernhout, vice president of deliverability for Netcore Cloud. Today, I am thrilled to welcome Steven Harroun, Chief Compliance and Enforcement Officer at the Canadian Radio-television and Telecommunications Commission, AKA the CRTC. Steven has a background in compliance and enforcement, specializing in telecommunications and electronic commerce, and Steven has played a pivotal role in upholding the Canadian communication regulation portfolio, covering everything from radio broadcasts on TV right on through to telephone and email regulation. So we’re gonna spend time today talking about how Steven and his team help keep Canadians safe from online digital threats involving email and other fun things related to mostly the Canadian anti-spam legislation. But, Steven, there’s an opportunity to talk about other things that fit in as we go. So, thank you very much for joining me on the show today.
Steven Harroun (01:53):
Oh, thank you very much, Matt, for the invitation. I’m happy to do this. I always like spreading the spam gospel, and I appreciate the opportunity.
Matthew Vernhout (02:03):
Well, we have a big international audience, so one of the things I spend a lot of time with on my day-to-day is helping people understand some of the regulations and some of the things they have to pay attention to when they’re emailing internationally. So, hopefully, this fits right in with all the things that you want to see as well when it comes to digital marketing on the internet, specifically digital marketing in Canada. So, let’s start with that, right? Can you give a brief discussion about, or a brief description, of the CRTC role and how it operates within the digital space, especially digital advertising?
Steven Harroun (02:42):
Absolutely. So, as you said, I’m the chief compliance and enforcement officer here at the CRTC, so I’m responsible for the compliance and enforcement sector. Among many other things, I’m responsible for the unsolicited telecommunications rules, which include the national Do Not Call list, the telemarketing rules, and our automatic dialing announcement rules. So the rules also include the Voter Contact Registry, which is a federal election kind of registry where people have to register if they’re making phone calls to Canadians. And probably more important for you and your audience is Canada’s anti-spam legislation. So, let me focus a little bit on that. So, under Canada’s anti-spam legislation, for those who don’t know, it focuses primarily on commercial electronic messages, obviously. At the end of the day, the castle prohibits the descending of unsolicited commercial electronic messages.
Steven Harroun (03:38):
So, in other words, you need to give consent. I am very fortunate, and I would suggest Canadians are very fortunate in that ‘Castle.’ So, we affectionately call our family legislation Castle. We’re very fortunate. The Castle is very robust. So, on top of your basic emails and SMS text messages where you have to provide consent, it also expands to include things like malware, phishing, viruses, and those types of things. Another provision of Castle is about the installation of software without consent. So that’s where we actually get into the cool dark web stuff, the more nefarious activities, if you will. If people are putting, are trying to put phishing kits on your computer, there’s no good reason for them wanting to do that, but we’ll talk about that a little bit later.
Steven Harroun (04:27):
So, we are very lucky, and I think Canadians are very lucky that Castle is so robust. If I were just doing your traditional kind of company X or retailer X emails and consent, it would be a pretty boring space in which we work. So I’m blessed that we have robust legislation like that. CRTC is Castle’s primary enforcement agency. I do have partners, so that is actually just indicated in Castle, the Competition Bureau, and the Office of the Privacy Commissioner. They have small pieces of castle that they enforce. On the competition bureau side, it’s misleading advertising. Obviously, on the privacy commissioner’s side, it’s the privacy of information for Canadians. But we ultimately are the primary enforcement agency for Castle.
Matthew Vernhout (05:15):
Awesome. Thanks very much. I’ve been involved in Castle probably longer than most people in Canada, being originally on the task force on spam way back in the early 2000s, and sort of the initial, what would a law look like? So yeah, I’ve seen the evolution. I find it hard to believe that the legislation’s already gonna be 10 years in enforcement this year. That’s a huge milestone. And it makes me feel really old.
Matthew Vernhout (05:50):
It makes me feel really old to think back that far. So, you know, dealing with digital marketing and dealing with email and SMS and whatnot. One of the things that I actually find very interesting about Castle is the sort of foresight that was put in to say it’s not a specific channel like CAN-SPAM, which is very email- and SMS-focused. It specifically calls out just those two pieces of communication. Whereas Castle talks about any type of electronic address, and it’s sort of more technology-neutral in that space. I do get these questions a lot, like when it comes to social media. What about WhatsApp messaging and those types of things and Castle’s impact on those messaging channels as well for people? Are there common trips that people are missing that would be beneficial for them to understand? Or is it following the rules, and you should be okay?
Steven Harroun (06:50):
I was going to say that following the rules should be okay. But I’m gonna take that from a couple of different places. Yeah, I think you’re right. And I hadn’t thought about that from that perspective, is that if you are trying to sell things to Canadians online, Castle applies, which I think is most important like for folks to understand. We get about 7,000 complaints a week, Matt, which is a lot. And I say it, and people might say, well, that doesn’t seem like very many. There’s, you know, 40 million Canadians, etc. But we know those numbers are low people under report, right? So the fact that we get 7,000 a week is pretty significant, but we also have lots of other sources of information for complaints. But you know what, I’m fascinated by the fact that, even if we stuck with seven, and maybe we’ll round it up to 10, you know, and just to, you know, as for a nice number, you know, 75% of those complaints are about kind of legitimate companies not following the rules.
Steven Harroun (07:47):
I continue to be amazed. I’ve been sitting in this seat for six or seven years now, which is fascinating and amazing. I’m still learning all kinds of cool stuff every day. But I’m amazed that, like, our number one complaints are still about consent and unsubscribing, and they don’t have permission to email me. I’ve tried to unsubscribe 18 times, but the unsubscribe button doesn’t work. I’ve reached out to them and asked people about an internal do-not-call list. All those types of things I’m fascinated by seem like the bread and butter, the basics of the castle. If you want to market to Canadians, get their consent, which I can’t be clearer and more specific. I feel like we do a tremendous amount of outreach to stakeholders, organizations, marketers, and associations across the country; I feel like every better Business bureau possible, Chamber of Commerce, and all those types of folks.
Steven Harroun (08:45):
We target real estate associations, automobile associations, and marketing companies and go to things like the email summit and all kinds of things in Canada. But I feel like it fascinates me still that the biggest complaint is still about consent and unsubscribing. Now, legitimately, even if we’re rounding up to 10, a lot of those, you know, complaints may not necessarily be valid. I may have gotten 10% off 18 months ago. I gave them my email, and I just scrolled through my, yep. Tick, tick, tick, tick. I just want my 15% off at the cash, whatever. They’ve got two years from that point to actually technically email me. And they’re still within the law, you know? So that actually is going to take me kind of to my next point.
Steven Harroun (09:28):
You know, me, Matt, I just ramble on. So tell me when you want me to stop. But that kind of brings me to my next point, right? So we have those complaints, we investigate complaints, yes, it’s those 7,000 complaints a week that we get from the spam recording center, but we also get intelligence from open source data. We also get organizations actually bringing US intelligence, and there’s all kinds of information available to us. We purchase intelligence, if you will. So, we look at these complaints, and we say, okay, but are they valid? So, you know, so one of the, if all of a sudden we have an influx on company X, we may go to company X and say, okay, we’re seeing a lot of consent issues here. And, they will be required to, you know, under legislation to go back and say, well, we have, you know, we have Consent 18 months ago.
Steven Harroun (10:15):
You know, Mr. Bern Hub gave his consent at the cash register. We’re still within our timeframe if you will. So, back to what marketers need to do. So one, get the consent; two, make sure your unsubscribe works; three, keep good records right At the end of the day, because if I’m investigating one of these complaints and I say, okay, but I’ve got, you know, 82 Canadians this week saying that, they shouldn’t, you shouldn’t have been emailing them. You need to be able to go back and prove that within the last two years, you’ve had their consent, right? At the end of the day, say, ah, I’m still within the rules. And then I say, okay, thanks. Case closed. Those are nice, easy ones, right? You give me the information. And I go, yep, these all seem valid.
Steven Harroun (10:56):
Next, move on. So, I think it’s a couple of different things. Good record keeping, but it’s a good process, and we all get those reminders, right? Like, oh, do you still want emails from us? Etc. When Castle came into force in 2014, our inboxes were flooded, right? With like, we need your consent. We need your consent. I’m amazed now that companies still reach out to me and go, “oh, we haven’t; we miss you. We haven’t seen you in a while. You know, in order for us to keep, you know, emailing you, you have to let us know”. But that’s just good marketing practices. If I were a marketer, that would be really smart. I was gonna say I’d automate that every year, but I get, you have two years, but like by month, 18th, go back and like, put that in the system and say, oh, we should send out that refresher, if you will. Most people will tick, tick, tick if they like your website, and if they don’t, then they’re out anyway. Okay. Well, you didn’t have much time left anyway to do it. Yeah.
Matthew Vernhout (11:49):
There have been some big changes; just at the beginning of February, Yahoo and Google both mandated some changes to email technology. If you’re gonna send them an email for any sort of bulk or commercial reasons that you now need to support, you know, one-click list on subscribe, you need to be able to support proper authentication and alignment and make sure that, you know, your messages are properly using SPF properly using DIKIM. And you know, even now, DMARC is being used as a requirement. So, not only do we have the legislative side of doing things the right way, but now we’re actually seeing pushback from some of the biggest mailbox providers on the planet saying it’s time. You know, we’ve waited, it’s time. You now have to do this. So I kind of like pressure from one side, pressure from the other, and we’re starting to figure out that piece in between, like you’re saying, those people that got lost in the cracks, those people that have a broken process somewhere that need to find and identify.
Matthew Vernhout (12:54):
But, I’m still amazed at the number of people that I talk to, even US marketers, that, oh, you’re sending me an email without a postal letter in it. It’s been the legislation in the US for a long time. It can vote, and the legislation in the US can vote. It’s 21 years at this point. And another 10, 14, technically, if you think about when the legislation was passed here in Canada, right? It’s well over a decade. Either way, that has been a requirement. And you were talking a bit about that consent piece. I see a lot of people these days talking about cold email or business-to-business email, which is cold outreach. They don’t have a business relationship, but they’re trying to establish one; they’re reaching out. And, they’re relying maybe on some of that gray business-to-business outreach piece. That’s not maybe as clear in the legislation as a lot of people would like it to be. What are your thoughts on cold outreach for business relationship building, sort of sitting under the purview of the castle?
Steven Harroun (14:08):
I was going to say I won’t comment on the white, black, or gray piece of the castle. You know, like at the end of the day, I sit in front of parliamentarians, all the time, but twice last week even, you know, and I’m always like, just gimme something I can enforce, and I will, that’s my job. My job isn’t to comment on the legislation, you know, B2B, and to be perfectly honest, we don’t do a lot of B2B cases ’cause you know, in my mind B2B, you get one chance, like, that’s just me as the C-C-E-O. Like you get your one chance for cold outreach and, you know, and try and make that happen and try and make that establishment, you don’t actually get that when you’re, you know, Joe and Jane Canadian, you don’t actually get that.
Steven Harroun (14:49):
You don’t get a free pass the first time, right? But for B2B, in my mind, you get a free pass for one. You know, someone says, oh, well, they email me, they try to make a connection, whatever, I will be bold and blatant and say, I will never go investigate that. Like, I will never hold anyone to account for that. If you persist, then that’s another issue, right? And then, and I think that’s the point I would wanna make, it’s, you’re right. There is no exemption. There is, like, it’s a bit, it is fuzzy, and I like that, somewhere, the 50 shades of gray somewhere. But, at the end of the day, you know, you get kind of one chance in my mind on the B2B ’cause it is gray after that if you consistently dog someone because you mentioned that.
Steven Harroun (15:32):
Now, I’m gonna go back to something I should have mentioned before, and you’re talking about marketers and what they should do. You know, one of the other complaints we get all the time and, then we can move on, but just, just reminded me as we were talking about B2B is one of the things people complain about, and I get it, it’s a numbers game, is that people complain about getting too many emails in a day, right? All of a sudden, it’s like, like, they’re getting like 50 emails a week, or you know, it might be Black Friday, or it might be Boxing Day or whatever. It’s like, you got eight hours left, you got six hours left, you got 42 minutes left, you got blah, blah, blah. People complain about that, and whether you’ve given them consent or not, they’re like, just stop.
Steven Harroun (16:08):
So, you know, I’m not the marketer, I’m not in the marketing game, but I think, you know, to me, if I was to get at it from a different lens, I’d be like, okay, where’s our sweet spot of reminding them enough? And you don’t want them all unsubscribing on Boxing Day at 5:00 PM because they’re tired of getting your emails. So I think that would be the other piece for me, which is one that we see a lot of, and I’m like, well, I actually can’t do much about volume. Right? I can do whether or not you, they can or they can’t. But if you’re asking me anecdotally what people complain about, that’s certainly one of them. It’s just the volume of emails that they get.
Matthew Vernhout (16:44):
No, actually, that’s good. I spend a lot of time on both examples. You recently talked about one in the, I have, you haven’t heard from us, or we haven’t heard from you in a while type scenario. I like to look at them. They’re either called like a re-engagement or a warmup or sunset program, right? So you’re either basically saying, come back and talk to us again, or if you don’t talk to us, we’re gonna stop emailing you. So you kind of have that dynamic in regards to, absolutely, there’s a touch point for some reason you want to, you want to tell somebody we’re gonna stop emailing you. Because you’re paying to talk to somebody who’s not listening. You’re paying somebody who potentially is gonna impact your reputation for delivery. You’re paying for somebody who potentially is gonna complain even if they have consent to send those messages, which might then result in your office calling.
Matthew Vernhout (17:32):
And then, they have to spend time and money to figure out why we are still emailing that person. So there are a lot of reasons to sunset. But at the same time, yeah, I spend a lot of time talking about recency frequency. Are you overmailing? And yes, some people drastically, in my opinion, over mail. Like, you know, I find retailers tend to be on that end where they’re, seven days a week, they’re sending you today’s our daily offer, and then on weekends they’re nailing you with “and our weekend deal and our extra and our extra.” So, all of a sudden, you go from seven emails a week to 10, which is exactly the reason. And, I might be guilty of complaining about that not to you but to the retailer now if we could do something about all the other complaints I’ve sent you haha.
Steven Harroun (18:23):
Exactly, give me your list, Matt
Matthew Vernhout (18:26):
I will. Don’t worry. I’m gonna start CCing you. No, I’m kidding. Talking about enforcement and investigations, you guys have the CRTC, which has a great list of past enforcements, but is there any sort of interesting recent enforcements you can talk about or tell us about that would be beneficial for marketing people to hear?
Steven Harroun (18:50):
Yeah, and we have a lot of things on our list, and you know, we talked a lot about kind of commercial electronic messages, you know, and in my intro, I talked just about the fact that, you know, we do malware and phishing and, and botnets and there are no good botnets. Don’t let anyone tell you otherwise. That’s what I keep telling people anyway.
Matthew Vernhout (19:09):
“Promise me I’d get free wifi if I signed up.” haha
Steven Harroun (19:13):
Exactly. We’ve talked to wifi folks about that. But yeah, like, just to kinda give you a little bit of a flavor just on the other side of the house, right on that more nefarious stuff, right? People are all very familiar with the phishing scams, right? And, you know, it’s your bank telling you like, you need to update your credit card info, or you need to update your password, or, we see a lot of government impersonation, you know, from that perspective on, you know, like where the CRTC, pay us $20 and we’ll get you a low internet price, or more importantly, we at CRTC ourselves have seen like, oh, you may have noticed in the news the CRTC is reducing prices. Here’s your $25 refund. Like, we’ve seen that impersonation, right? And then people go and click on it and go, oh, I want my $25 internet refund and put in all their banking information and then realize, oh, wait a minute. That wasn’t the CRTC asking, right?
Matthew Vernhout (20:01):
Oddly enough, my dentist, when I went to see him recently, talked to me about that exact thing.
Steven Harroun (20:06):
Oh wow.
Matthew Vernhout (20:08):
Yeah. I got an SMS that was like Rogers is returning $25 because of the legislation change from the CRTC. Just click here, give us your banking info, and we’ll deposit the money right away. Luckily, he didn’t fall for it. He’s a pretty smart guy when it comes to that kind of stuff, but I’ve yet to receive that scam. I get all kinds of other.
Steven Harroun (20:26):
But there’s the whole thing, like your Netflix password, your payment didn’t go through all those very common things for Canadians, right? Those are just traps. And you know, and if we have time, you know, we’ll talk about it. My whole goal is to educate Canadians a bit more on these scams. The more they’re educated, the less they’ll fall victim. That’s not a whole piece of my world, but I think that’s, you know, important for folks to understand as well, right? Even from an email marketing perspective, even from a, oh, we’ve received your return if you’re a retailer or, oh, you know, you’re owed a credit or something like that, careful how you send that, right? That’s, the problem is that people will either delete it or, you know, think it’s a scam or, someone will notice that people are actually, you know, people are legitimately doing that in the industry, so they will turn around and, and mimic that, right?
Steven Harroun (21:15):
So that impersonation piece is really huge because, you know, the more nefarious actors, if you will, they’re paying attention, right? They know what’s working and what’s not, and they see who’s issuing things how, and they just copy it, right? You know, five years ago, I used to tell folks when they got like a thing from their bank, I used to be like, okay, but when you open that email, like, check the to and from, okay, that was an easy one. But then I’d be like, okay, but that looks legitimate. Like, click on the links, like, the about us for, bank acts or the contact us here, like in, I was gonna say the old days, and that’s like five years ago. Those would never work, right? Those links were never legit. And then you’d be like, okay, well then, that’s not really your bank, right?
Steven Harroun (21:57):
But now they’re all really good, right? Like, they’re all so sophisticated, they’re so advanced. And you know, I say all the time, I wish I could, like, you know, shut down these guys and then hire them because they’re super smart, right? They’re super techie; they’re super innovative. Like, you know, these are the people I want working for me. I have amazing people working for me, don’t get me wrong, who are cool techie experts and know all kinds of things that I could never even describe, let alone understand. But I think that’s the really cool thing. Is it not cool, but cool in a dangerous way? It’s that they’re getting so good. It becomes more and more difficult to inform Canadians. Like, okay, but that could be a scam. And, people actually get, I was gonna say, scammed out, believe it or not, and then they go, oh, it must be the bank. ’cause Who else would be calling me at this number or whatever? Like, they get, you know, scam fatigue; I guess maybe I need to come up with a new word. Something like that.
Matthew Vernhout (22:52):
That’s interesting because there are so many different scams, too; in the news, we’ve seen romance scams and pig butchering scams, which is crypto, targeting people. And it’s amazing that people see these all the time and still sort of fall; they either believe they’re smarter than the scammer and they’re gonna win something in the end, or they’re maybe lonely, and a romance scam just comes at the right time. You know, I’ve seen people recently. I bought something, and I got a shipping notice that looked so legit, but it just happened to be well-timed, unfortunately. But yeah, you’re right. This is why the changes that Google and Yahoo have made around authentication are so much more important for brands and marketers: you need to be able to distinguish your brand and protect your domains from people.
Steven Harroun (23:50):
Absolutely. I couldn’t agree more, and I know we’re getting off-topic, but even just last week, you know, CBC marketplace actually did a really fantastic piece on pig butchering. I found out about pig butchering like maybe a year ago, and I was kind of like, what are you guys putting in front of me, like my team? And I’m like, are you serious? I was giving a speech or something. And then, once they explained it, I understood. It was kind of like, okay, I’m not sure I’m a big fan of the title, but, you know, CBC marketplace just had a really good feature on it last week. You know, the whole, you’re right. I think they are crimes of opportunity, right? I think that is, you know, that is the one, the one, you know, right place, right time, right? Emotional state of the person that you’ve managed to tackle. And you know, when I say crime, and I use that actually very, very legitimately and clearly. ’cause, one of the things I should have pointed out at the.
Steven Harroun (24:07):
In front of this, although many of your listeners are probably aware, we’re the government. I’m a civil regime. I have no criminal authority. Like I, you know, so on the scam side of the house, there’s not a whole lot I can do. I can tell you some cool stuff that we have done to disrupt this space. But, like, we don’t do criminal charges. We don’t put people in jail. But we use our civil abilities to the greatest extent we can to disrupt this place and space and stop, you know, stop activities from happening even for 18 minutes. You know, believe it or not, that would make a huge difference, you know, maybe 18 days, but sometimes it could be as short as 18 minutes when you’re actually talking in the digital space.
Steven Harroun (24:46):
But you know what, that one little intervention could actually protect thousands of Canadians. Yeah. So anyway, I digress. You know, recent enforcement stuff, and we’ve done some really cool stuff. I encourage all your listeners to go to CRTC.CA. Every six months, we publish a Castle dashboard, which is a really cool opportunity for folks to kind of go and say, okay, what’s the CRTC been up to in this space? And you get a flavor of the cases that we’ve been pursuing. More specifically, I guess the closed cases are because we don’t ever talk about open investigations very rarely. But you get an idea of just how many complaints are coming in, what types of cases, whether that’s against, you know, a retailer or, you know, a particular type of industry in Canada, or if it’s a particular type of activity like phishing and, the dark web and botnet and all that cool stuff.
Steven Harroun (25:36):
But it’s a really good opportunity, and it’s reasonably up to date. I say that we’re the government, and we try to be fast, but, you know, we publish it every six months, and it’s literally six weeks after the end of that period. So, for example, we’ll have one coming up at the end of March, which is our six-month window. By early May, we’ll have our dashboard up to tell you what we didn’t last six months of the fiscal year, which, to me, is great. It’s a great turnaround. And it just provides Canadians with a really attractive, friendly way to see what’s going on in the spam space. But it’s really good for us as well. And we actually talk about a lot of our outreach activities there as well.
Steven Harroun (26:16):
We will probably actually mention this podcast, so it would be really great if we could just give you a little plug. But just that, that we’ve been out there trying to educate the industry, but also out there trying to educate Canadians on these types of scams so they don’t fall victim. And, one of the things before we, because we’re talking about Canadians and scams, you know, I always say that, you know, I love March, it’s fraud prevention months. And you know, I love October; it’s cybersecurity awareness month. Like, I wish every month was one of those months, and that sounds awful, but in March and in October, like a lot of journalists, a lot of reporters, a lot of broadcasters, they bring to light all these horrible stories that we’ve been referencing, right? And back to, if Canadians are where they’re less likely to fall victim. So in those two months, you see lots of stories about what happened to person X, this happened to Jane and Novaccotia, and this happened to Johnny in DC. So we hear all those stories, and to me, the more that spreads, the better. So, I keep trying to figure out a way to add a few more months to the calendar where we can talk about this type of stuff.
Matthew Vernhout (27:21):
I mean, nothing’s stopping you from doing it. Take a month and pick a day. It’s CRTC education month in June.
Steven Harroun (27:28):
Absolutely. It’s because we do it all the time, so I don’t wanna limit it to a month there or a day even. Sure. We’ve done some of the things about the dashboard, which talks about all the things we’ve done, but it also gives you a bit of insight into how we’re trying to be innovative and creative, right? So we’ve done some, what I would call horrible cases, you know, where we’ve disrupted a dark web marketplace in Canada. You know, we’ve got like four young guys in a particular province in Canada who’ve been doing really bad things. Part of our negotiated deal with them was because we investigated them and issued them a notice of violation. We, you know, did an undertaking with them and said, okay, here’s what you’re gonna have to do.
Steven Harroun (28:09):
A there’s an administrative monetary penalty. ’cause, you know, that often comes with the more serious infractions under a civil regime. But b, it’s like, you know, you’re gonna allow us access to devices for, you know, a period of time so that you can’t, you know, re-offend, you know, and, see, we’re actually gonna, you know, make you do some heavy lifting. And, you know, we’ve gotten some creative solutions like doing some community service and volunteering at youth centers and explaining to youth about the dangers of falling into this kind of space, right? It’s really attractive if you’re 17 years old, and someone says, oh, if you can go do some hacking over here, install some fishing kits over there. And, I say it like, it’s so easy peasy, but, a lot of young kids, it probably is.
Steven Harroun (28:55):
But it’s very attractive for them. Like a hundred bucks a pop if you go do this for me, right? And it’s so, it’s, you know, it’s, they’re getting cash in their hand, and they don’t think they’re doing anything wrong, right? And, you know, one of the big dark web cases that we had about a year ago or so was exactly that. And part of our messaging was that, you know, younger Canadians need to realize that you’re not invisible, right? People think that if they’re behind their computer, in their bedroom, in their basement, in their home office or whatever, doing this type of thing and using whatever identity blockers and VPNs and all that kind of stuff, these cases prove that actually, you know, you still do leave a trail and we still can come find you.
Steven Harroun (29:37):
They may say the CRTC is just a government department or whatever, but if we can find you, that also means criminals and law enforcement can find you. And many of the cases that we kind of touch on, if you will, are criminal behavior. I always say Castle in this space is adjacent to criminal law enforcement, if you will, right? We can get it from, oh, you shouldn’t have installed those bad things. And then, the law enforcement, should this be a case they decide to pursue, say, oh, but you’ve also defrauded Canadians, and you’ve stolen information, and there can be criminal charges as a result of that, right? Yeah. So if we can find you, if I’m the civil spam guy, then it is guaranteed that law enforcement can find you, right?
Steven Harroun (30:15):
So don’t kid yourself in some ways. And we’ve had great success with that. Like we’ve had folks, and we’ve had, you know, we’ve had individuals come back to us and say, you know, that was actually it really eye-opening for me, you know, as an offender, which is really great. Hopefully, they never re-offend, see the error of their ways, and realize that there’s a better way to do things. But, in that more nefarious space, it is difficult under a civil regime to do much. But if we can disrupt and stop a few key players, that kind of takes me to, like, you know, some of the stuff we’ve done with international collaboration, right?
Steven Harroun (30:55):
I often talk a lot, and I say, you know, okay, I’ve got domestic legislation, but I’ve got an international problem, right? I mean, at the end of the day, it can be someone in another country; it can be someone around the world. It can be someone next door; it can be someone across the street, right? So it becomes much more challenging, right? If it’s someone outside Canadian borders targeting Canadians, then it falls under, if you will, Canadian legislation. So they have to follow the rules. So, for lots of your international marketers, like you said, you spend a lot of time and effort in this space. You know, it’s like, well, how do I market to Canadians? What are the rules around that? Even though I’m from the UK or whatever, and my wife likes Harrods.
Steven Harroun (31:40):
So, you know, it’s interesting to see their emails come in and how they approach a Canadian consumer because she purchased from them online. So, it’s always interesting to me when I look at that from a retailer perspective. But anybody, obviously, is in this space targeting Canadians, so Castle applies, right? Because You’re targeting Canadians. Enforcement is the challenge, right? So that’s where, you know, it’s a real challenge for us, which is the enforcement piece. Yes, the legislation applies, but how do I get someone in another country? How do I tackle that type of activity? So we’re involved in all kinds of MOUs with other countries around the world, so like-minded, if you will, government agencies, regulators, or law enforcement partners around the world where we can share information.
Matthew Vernhout (33:30):
Can you explain an MOU for people?
Steven Harroun (33:02):
Yeah. So, memorandum of understanding. So, one of the good things about the Castle legislation is that it allows me to talk to other partners around the world. Suppose I enter into what we call a memorandum of understanding, which basically kind of lays out the terms of what we will do. So, we may share some best practices, and we may share some intelligence if necessary. We may confirm information back and forth. We’ve also seen it on the other side. Oh, you know, we’re way over here on the other side of the world, and we think there’s a Canadian guy who’s behind all of this. Can you go, you know, do you have any intelligence on this particular individual or this type of activity? You know, can, you honestly, at the end of the day, it could be as simple as you going to serve this request for information for us or whatever.
Steven Harroun (33:13):
Because that’s more effective if it’s in person, right? And someone from the government, oh, by the way, here’s from the government of whatever, they need some information from you kind of thing. So it’s, so those memorandums of understanding which are permissible under Castle allow us to do much more collaborative work around the world, which is really great. We had a recent case just last year where we were involved with the FBI, but 17 other countries around the world were also involved in this same case. It’s affectionately known as Operation Cookie Monster. So, if your folks are really interested, they can just Google that operation Cookie Monster. You at least get the press releases and some cool links. But, you know, so where some of the main, you know, I guess suspects at the end of the day, I don’t know that charges have been finalized, but some of the main suspects were, in a particular Canadian province we were able to assist kind of local law enforcement, we were able to assist the FBI in that, my folks have a lot of technical training.
Steven Harroun (34:14):
When we looked at this case, and they brought it to us, we’re like, oh, there are lots of Castle violations here as well. So we’re actually able to kind of take a Castle piece or a castle, you know, sideline to this and be okay, you know, here’s what they’re doing. Castle behavior, you know, the FBI, local, provincial law enforcement, and municipal law enforcement can also execute search warrants on their side and look for criminal behavior. And yeah, so it’s, it is really, I mean, it’s really fascinating and really cool. And we are able to, you know, assist; I shouldn’t say we’re a good compliment, I guess, if you will. I shouldn’t say assist. We’re a good compliment to law enforcement; at the end of the day, law enforcement in Canada, I don’t think it matters what city, province, and countrywide are, they probably have way too many cases that they could ever investigate, and things move to the top of the pile for different reasons.
Steven Harroun (35:08):
So a lot of times things like this, if you will defrauding, I was gonna say Canadians are, if you will, installing software without permission, but these types of activities are not necessarily high on the radar of law enforcement, and especially if it’s another country saying, oh, but they’re defrauding our citizens, right? And so if we can provide some level of assistance be that technical support, be that, you know, opening up a council investigation for that type of behavior, ’cause we realize they’re actually doing it in Canada as well, we just might not have been aware, all the better we can disrupt in this space, we can insist our we can assist our international partners, and we can all achieve some success.
Matthew Vernhout (35:53):
That’s great. Yeah. I love the idea of working together, and honestly, as I have been in the industry a long time, I know a lot of people, and there is a lot of collaboration that happens between mailbox providers, ESPs, possibly regulators, possibly higher education to share best practices, to share education, to you were saying I would never think about calling the local police force here and being like, well, my computer’s acting funny, maybe I have malware on it because they would laugh at me. They’d be like, we don’t have anyone that can investigate that. Good luck. Right? That’s where I think you are right in regard to the types of crimes that are impacting individuals. Local law enforcement either has too many other priorities, or it’s not something you even know where to start investigating outside, but they’re
Steven Harroun (36:50):
No resources for this type of work, right? They’re just not. Right.
Matthew Vernhout (36:52):
A very few limited jurisdictions I know, like Toronto Police Services, have a very big digital crimes unit, but I don’t know what Smith Falls, Ontario services.
Steven Harroun (37:08):
You raised a good point. And, when I talked about the fact that we do a lot of outreach and collaboration, you know, we’ve talked to a lot of the local police associations, provincial police associations, and to that point, you know, we’ve worked closely with Calgary police actually, who have a very strong forensic unit. You know, we’ve been asked for assistance in the city of Ottawa. Like, oh, you can help us while we set up our unit. What should we be? What type of skills do we need? What kind of tech people should we be hiring? So, you know, I think it is unfortunately becoming more prevalent across the country because more and more, back to my fraud and cyber prevention month, there are more and more horrible stories.
Steven Harroun (37:52):
You hear in the news about your neighbor who’s lost all their life savings, who’s lost whatever, who’s lost their pension, etc, through these types of scams. So, local law enforcement is required to step it up a little because I am certain they feel horrible that they can do nothing, right? Without the right experts, the right technology, and the right innovation within their organizations, it is nearly impossible to find, even with all the best equipment. So, you know, if you’re just trying to do this off the side of your desk, it’s challenging at best. Right?
Matthew Vernhout (38:27):
So, what’s next then, right? Like, you do all this outreach, and you’ve been doing outreach for years. I know I appreciate it. You know, we’ve collaborated on several projects over the years together, but what’s next when it comes to enforcement and AI? Because I can’t not talk about AI these days. Recently, with the FTC coming out with the AI impersonation legislation in the US, I’m assuming that we’re gonna get something soon from our government around the same thing probably very shortly, and you’ll be tasked with enforcing it. But so what’s next? What’s next on the horizon, do you think, from the CRTC’s point of view when it comes to digital communication?
Steven Harroun (39:31):
It’s a really good question. I was going to say I wish I had a crystal ball. You know, but I’ll go back to some of the basics, right? At the end of the day, there are a couple of things. A – I have a small team, right? It’ll be of no surprise to you. We’re a small organization overall. I have a small piece of that organization, the CRTC. About 10% of the CRTC probably works not only on Castle but also on the telephony side. So, all the telemarketers: Intel and systems team, obviously, a tech team, etc. So, a small group of people is doing a tremendous amount of work. So, for me, 7,000 complaints a week, 10,000 complaints a week in another two years, or whatever that may look like.
Steven Harroun (40:21):
It’s about how can we have the biggest impact on Canadians, right? So it’s, believe it or not, this will sound like a really boring answer. So I’ll come up with something else as well. But it’s how I can have the biggest impact on Canadians. So, how do we select strategic cases? So, that could be one retailer in Canada or one e-marketer in Canada or targeting Canadians who are driving them all crazy, and we can figure out how to bring them into compliance swiftly and effectively and ensure that they’re following the rules. But, the other side of that is the more nefarious activities; if we can disrupt the phishing scans and the malware and the viruses, you know, that is huge as well.
Steven Harroun (41:08):
Perhaps the most sensational thing I’ve ever said since I sat in this chair is that I will never stop all the telemarketing calls. I will never stop all the spam emails. I just won’t. Right? And that’s not me looking for job security. It’s just impossible to stay ahead, right? So we need to look for creative ways, right? So, creativity is about strategic case selection. Sounds like a boring answer. But I’m also lucky, and I’ll give a small little pitch for regulatory policy. I’m lucky I’m at the compliance and enforcement branch that sits within the communications regulator. You know, so we’ve had some success on the regulatory policy side in that we can direct telecom service providers to stop certain types of traffic so, you know, for example, on the telephony side, (123) 456-7890, that’s not a valid phone number that should never ring on your phone, that should never show up in your call display. We have given TSPs permission to block that type of behavior. So that’s fantastic. So you don’t see those calls anymore, which is really great. Which is like, believe it or not, probably like a million calls a year that never reach Canadians.
Matthew Vernhout (42:20):
I must get all the ones that don’t make it through a million.
Steven Harroun (42:22):
There you go. Well, we’ve gotta direct them somewhere, Matt.
Matthew Vernhout (42:25):
I guess, yeah, yeah, sure.
Steven Harroun (42:26):
So we have been very successful on the telephony side, right? We’ve also worked with TSPs who come up with creative solutions like using AI, for example, to look at the call patterns and go, okay, this is a scam, and we work with the specific TSPs in this space and go, okay, yes, you can block that type of scam. And the way the Telecom Act is constructed, just so everyone knows why I’m talking like this, is that they need our permission to block traffic, to interfere with traffic, so to speak, and they’ve stopped billions of calls in the last three or four years, which is fantastic. The phone never rings; nobody can fall victim to spam. On the email side, we are looking back. I was talking about botnets, and there are no good botnets.
Steven Harroun (43:10):
We kind of have a preliminary view out there on a framework to block botnets, but also other indicators of compromise like malware and viruses and stuff like that, where we’ll be looking to in the coming months to actually authorize the TSPs for these types of things. You know, you can also block those so they never land in your inbox, right? They never land in your text messages, right? If you get a text message saying you deposit your refund here, I can, with 99.99% accuracy, say, don’t click on that. Like, no one is giving you a refund that way, you know? So you know, but if that never lands in your text message or your email, then it is a greater good for Canadians. But that, you know, I’ll get away from my, my regulatory policy at Kick. I’ve been at the regulator too long, clearly, but it is another tool in the toolkit, right? Sure. So it’s, we’ll be continuing, you ask what’s next? We’ll be continuing to look for ways to empower the TSPs to protect Canadians in this space. And it also protects their networks at the end of the day, right? If they can cut it off at the stores, it’s also not bouncing around their network somewhere, which could possibly do harm as well, right? At the end of the day.
Matthew Vernhout (44:12):
Yeah. Well, like all the legitimate ESPs that I work with and talk with on a regular basis, you know, we spend a lot of time looking at outbound, what’s happening, what shouldn’t we allow out the network? What shouldn’t we allow on the network? You know, and if we do happen to find something that’s been, we get compromised in regards to ESPs, right? Account takeovers are a thing, right? How do you identify and shut them down as fast as possible? So all of those things are happening from the email side, right? But from the, I don’t have any insight into sort of the telephony, SMS side of those things. I assume they’re doing all the same things we are. And I certainly hope they are, but you know, it’s a very wide mandate, if you will.
Matthew Vernhout (45:00):
Telecommunications is the future, right? So we’re moving to satellite, we’re moving to remote access from all over Canada, Northern Canada, high speed, right? That’s on the mandate to get all of that taken care of. So it is sort of where the world is moving, and you guys have a big footprint to cover, like you said, with a relatively small organized team. But I want to thank you for being on the show. I want to thank you for your time. I know you’re a very busy person. We had to reschedule several times between your schedule and my schedule. I’m glad we were finally able to connect. I also want to come up to Ottawa this summer and definitely experience the capital. I used to live there. So I want to come up and see the city a bit. And definitely, we’ll drop by your office and say hello. And any final thoughts from you? And, if somebody wants to either find out more information about the CRTC or Castle specifically or reach out to your team for questions or help with any places you’d want to send them or pitch.
Steven Harroun (46:15):
Absolutely. Yeah, and that was actually gonna be exactly what my final thought was; at the end of the day, we spend a lot of time doing stakeholder outreach, ensuring people know how to comply with the rules, and knowing what the rules are. We are going to see us focus on a lot of Canadians in the upcoming months on just getting that information out to Canadians in the formats and in the languages that make sense to them; back to the more they understand, the less they fall victim. But for the industry, it really is; I would like to think I could be everywhere. I can’t, but with podcasts like this, I can. But it really is. If you have any questions, reach out to us.
Steven Harroun (46:52):
At the end of the day, go to our website. I’m easy to find, click on the links, and you’ll find me pretty quickly. But reach out to us and ask your questions, right? We’re constantly updating our website. If you type in Castle when you get to the CRTC webpage, just, you know, go to the search box and type Castle, you’ll end up on our kind of enforcement page, you’ll end up on kind of the information surrounding Castle. There are lots of FAQs there, and we update them constantly. It’s not like we put them there in 2014 and we’ve never revisited them. As, you know, as we’ve done enforcement cases, as we’ve done compliance outreach, you know, we are continually updating those FAQs. So A, your answer might already be there, but B, there are ways to reach us. Just click on those links and, by all means, email me directly. Call me directly, it’s all good. And we’ll find you the right answer because I think that’s the most important. Right? And I have always said since day one that legitimate companies want to comply. They just need to know how. And we’re happy to provide those options that are available to them to make sure that they’re complying with the rules.
Matthew Vernhout (47:56):
Yeah. And fightspam.gc.ca is still a good resource.
Steven Harroun (48:00):
Absolutely. If you’re aware of any you know, I’d say they’re really good. If you’re aware of anyone getting those scams and spam emails or whatever, it’s going to fight spam.gc.ca. I was gonna say that’s a great portal to file your complaints, and all the links there will take you back to us at the CRTC or to my colleagues at the OPC and the Competition Bureau, depending on what your issue is. So absolutely.
Matthew Vernhout (48:24):
All right, well, thanks again for joining us. You know, I had a really great time talking to you today, and it’s always a pleasure to connect and spend some time chatting with you. I always learn something I think whenever we talk, so
Steven Harroun (48:39):
Well, hopefully, you will learn something today. That’s awesome. But yes, we’ll talk soon, and we’ll see you in the spring, no doubt.
Matthew Vernhout (48:45):
All right, well, thank you.
Steven Harroun (48:47):
Thanks a lot, Matt.
Outro (48:48):
You’ve been listening to the ‘For The Love of Emails’ podcast powered by Netcore. Hit subscribe in your favorite podcast player to make sure you never miss an episode. To learn more about effective email communications and engagement through AI-powered email solutions, visit netcorecloud.com. The only global email engagement leader delivering marketing ROI and value to 25+ global unicorns and 6,500+ brands for over two decades.
