The CRTC is investigating Norton for pushing crypto-mining software onto Canadians’ computers

OTTAWA – The CRTC is investigating leading cybersecurity software company NortonLifeLock whether it violated anti-spam laws when it installed cryptocurrency mining software on Canadians’ computers without their “express consent” in 2021.

Last August, the CRTC launched an investigation into the US software giant, now called Gen Digital, which owns the “Norton 360” cyber security suite.

At issue are allegations that NortonLifeLock (NLL) “had installed, or caused to be installed, Norton Crypto on the computer systems of some of its Norton 360 customers without consent,” according to a compliance agreement between the regulator and the company signed last month and obtained by the National Post.

Norton Crypto was a controversial program launched by NortonLifeLock in July 2021 that turned users’ computers into “low-volume” cryptocurrency mining machines when the device was idle. Cryptocurrency such as bitcoin can be “mined” by computers that perform complex, time-consuming calculations that can unlock small amounts of currency. Norton Crypto users kept their income, minus a 15 percent commission to Norton.

But users and privacy watchdogs quickly became concerned when they noticed that the software was automatically downloaded as part of the Norton 360 cybersecurity installation package.

In August, the CRTC opened an investigation into the company because it was concerned that the company installed the crypto program without users’ informed consent, thereby violating the spyware sections of Canada’s anti-spam legislation.

In the weeks following the launch of the investigation, and with NLL already under fire in the US over Norton Crypto, the company told the CRTC it wanted an “early resolution to the investigation.”

The company admitted that Norton Crypto was “downloaded as part of the Norton 360 installation package, and installed at the same time as Norton 360,” according to the agreement.

But in both the agreement and a statement issued on Monday, the company – now called Gen – denied it had broken any laws and claimed clients always had to “opt in” to use the crypto service.

“Gen takes compliance with all laws and regulations extremely seriously and voluntarily extended its full cooperation to the CRTC. We reiterate that we dispute any allegation that our practices violated” federal anti-spam laws,” Jenna Torluemke, senior public relations manager at Gen, said in an email.

But privacy lawyer David Fraser says the CRTC would not have pursued that investigation and compliance agreement if it didn’t believe NLL was breaking the law.

“It’s pretty clear that the CRTC was of the view that this violated our anti-spam law, and specifically the spyware installation of software provisions in the anti-spam law,” said Fraser, a lawyer at McInnes Cooper.

In the agreement with the software company, the CRTC’s compliance and enforcement officer, Steven Harroun, noted that the issue at the heart of his investigation was whether “NLL installed or caused to be installed, in the course of a commercial activity, a computer program in the form of Norton Crypto on the computer systems of Canadian consumers without their consent’ between July and December 2021.

It was not until January 2022 that the company changed the Norton 360 installation process so that it sought express user consent for the installation of the cryptocurrency mining software.

In the agreement, the CRTC’s chief enforcement officer noted that the company was trying to “address the issue arising from the lack of express consent for the installation of Norton Crypto … likely in response to concerns raised by the public.” He also stated that the change came before the regulator started its investigation.

The company officially killed Norton Crypto in September, and it hasn’t been installed alongside Norton 360 for long.

But as part of the settlement with the CRTC, the company promised to take “all reasonable steps” to guarantee that all the software it sells and installs complies with Canada’s anti-spam laws. It also promised to appoint a senior corporate office to update the company’s compliance program to ensure it reflects Canadian law.

The company also promised not to install any programs on clients’ computers without first obtaining express consent that would cause the device to “operate in a manner contrary to the owners’ reasonable expectations.”

Fraser said this is the first time he has seen a well-known brand company vexed by the spyware sections of the federal anti-spam legislation.

“I’m aware that these parts have been used in the past, but mainly to go after the really bad actors, like botnets and things that take over your computer and turn it into a spam machine in the background,” he said.

“So this might be a little bit more eye-opening because this is classified as spyware, and a lot of companies say ‘hey, I don’t do spyware’. But it’s much broader than that.”