Legislation and Regulation

Many online threats are covered by existing civil and criminal law in Canada and other countries. In addition, many countries have specific legislation to deal with online crime. This section looks at Canadian and American laws that apply to cyber security.

Canadian Legislation and Regulation

The Criminal Code

Section 184: Interception of Communications

Section 184 of the Criminal Code makes it illegal to intercept a private communication. This section states that every person who “intercepts a private communication” by means of “an electro-magnetic, acoustic, or mechanical device” is guilty of an indictable offence and can receive a prison sentence of up to five years (Criminal Code, 1985). Exceptions are made if the person originating the communication has given consent, if the interception is necessary to maintain the service, if the person is a peace officer and has been granted a warrant, or if the person is acting on behalf of the government to identify an unauthorized transmission or prevent an unlawful act or bodily harm.

Section 342: Theft, forgery, etc. of credit cards and unauthorized use of a Computer

Section 342 of the Criminal Code makes it illegal to steal, copy or falsify a credit card (whether online or off, though much online fraud does fall into this category) as well as to get access to a computer in order to commit a crime. This section states that:

  • Every person who steals, forges or falsifies, possesses, uses or traffics in a credit card they know to be obtained, made, or altered is guilty of either an indictable or summary offense.
  • A person who is found to have made, bought or sold “any instrument, device, apparatus, material or thing” that has been used or is intended for the use of copying credit cards in order to commit an offence could face up to 10 years in prison.
  • Obtaining any computer service or gaining access to a computer system with the intent to commit an offence may also receive a prison term of up to 10 years. A similar sentence will result if a person uses, possesses or permits another to gain access to a computer password with the intent of committing a crime.

Sections 402 and 403: Identity Theft and Identity Fraud

These sections address the issue of identity theft [hyperlink to “identity theft” in Spam, Scams and Frauds section] and identity fraud [hyperlink to “identity fraud” in Spam, Scams and Frauds section], both of which are fairly common risks online. Section 402.2 of the Criminal Code states that everyone commits an offence “who knowingly obtains or possesses another person’s identity information” to be used to commit an indictable offence such as fraud, deceit or falsehood. Offering or selling such information is equally punishable by law and liable to a prison sentence of up to five years. Section 403 of the Criminal Code deals specifically with identity fraud and punishes the “fraudulent personation” of another person with a sentence of up to 10 years.

Fighting Internet and Wireless Spam Act

The Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, more widely known as the Fighting Internet and Wireless Spam Act (FISA) was implemented on December 15 of 2010.

The act consists of amendments to the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Telecommunications Act and the Personal Information Protection and Electronic Documents Act to strengthen provisions for fighting identity theft, phishing and spyware. [1] A more detailed look at the legislation as well as tips on how both Canadian individuals and business can fight spam is available at the government of Canada’s Fightspam website (http://fightspam.gc.ca/eic/site/030.nsf/eng/home).

Personal Information Protection and Electronic Documents Act

PIPEDA, as it is generally known, sets out the rules under which any organization may collect personal information in Canada, as well as their obligations to protect any data they collect from being acquired by others. This Act only applies to private businesses and organizations (the Privacy Act covers how the federal government collects and handles personal information). Under PIPEDA each person has five key rights: to see what information an organization has collected about you; to correct any incorrect information; to file a complaint with the organization or an industry association such as the Canadian Marketing Association; to file a complaint with the Office of the Privacy Commissioner; and, in certain cases, to take a complaint to the Federal Court of Canada.

Bills C-50 and C-51

Two bills that are being tabled in Parliament at the time of writing (May 2012), C-50 (The Improving Access to Investigative Tools for Serious Crimes Act) and Bill C-51 (The Investigative Powers of the 21st Century Act) will, if passed, significantly change the ways in which Canadian police forces can investigate computer crime. These acts give peace officers more leeway to intercept electronic communications without a warrant and give judges more power to force telecom providers, Internet service providers and search engines to monitor, store, retain and disclose email, Internet and telephone communications.  

American Legislation and Regulation

Like the Internet, online crime is not limited by borders: in many cases scammers are active in more than one country. Like the Criminal Code, American law also deals with cybersecurity issues, but there are some significant differences in how they approach it.

Computer Fraud and Abuse Act (United States Code, Title 18, Part 1, Chapter 47, s. 1030)

Title 18 of the United States Code, which deals with crimes and criminal procedure, does not give as much attention to cybersecurity as the Criminal Code of Canada: only one section deals specifically with computer crime. Part 1, Chapter 47, section 1030 looks at fraud and related activity in connection with computers, prohibiting all unauthorized access of computers where the purpose of such access is to obtain information that is either restricted or confidential. Unauthorized access of any computer that is either in use by a government agency, belongs to a financial institution or contains material that could harm the United States is illegal, as is accessing a computer in order to damage it or to commit fraud or extortion. [2]

Electronic Communications Privacy Act

This act makes it illegal for governments or their agents to intercept or store electronic communications without a warrant or similar authorization. It also forces Internet Service Providers to make it possible for governments to perform electronic surveillance of their users, though this still requires a warrant. [3]

Cyber Security Enhancement Act

This act allows ISPs to hand over their customers’ personal data to police and government agencies if they choose to do so and believe that the information relates to a crime. This means that if the ISP is willing to co-operate, police or government agencies may not need a warrant to get personal data. [4]

Federal Trade Commission’s OnGuard Online       

OnGuardOnline.gov is the U.S. federal government’s website to help people be safe, secure and responsible online. The Federal Trade Commission manages OnGuardOnline.gov, which provides information to help avoid scams and secure computers as well as tips to be smart and protect kids online.


[1] Industry Canada, (2011). Bill C-28: Canada’s Anti-Spam Legislation. http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00567.html
[2] May, M. (2004). Federal Computer Crime Laws http://www.sans.org/reading_room/whitepapers/legal/federal-computer-crime-laws_1446
[3] Ibid.
 [4] Ibid.