I can't see how it would contribute to much if any spam. Even if your email is in public whois, that's where they are going to get it from - no auth code request form needed. As long as they don't allow you to attach a message, spammers have nothing to gain by requesting auth codes on your behalf. That's the problem with the CIRA Registrant Contact Form, I occasionally get spurts of spam from that one (offering web design & hosting services), although not much in the past month, so maybe CIRA is monitoring the usage of that form for abusive IP's and email addresses and message content, all of which could be used to identify and block spammers. Or maybe it was too much effort for too little return. In any case, that seems to have subsided for now.
I have 5000 domains and have had more than 10,000 in the past, the vast majority have always had public whois, and I don't get hardly any spam. What I do get is very manageable. I hate the whole "spam" argument for having whois privacy. Based on my portfolio and public email and the amount of spam I get, I call bullshit on the entire spam argument. I would MUCH rather see the transparency of domain ownership. The spam argument is nothing more than a shield for those who want to hide.
As for the security of the new auth code retrieval tool from CIRA, lets discuss that.
At the lowest level of security employed at some registrars, you'd simply have had to hack a user's password at the registrar account level. Registrars that provide the auth code on demand in a web browser, and which have the registrant's email address as the account username, they have the least level of security. Its basically just one level - your registrar account password.
If your registrar's account username is something other than your registrant email address (like Baremetal does), then that adds a second piece of required info, your unique account username. So that's an added level of security.
If your registrar has two-factor-authentication, that adds another level of security required to overcome.
If your registrar only emails out auth codes to the registrant email, then that requires another level of security to overcome (hacking your email account).
You can also add a level of security at your registrar level by utilizing the "lock" mechanism that every registrar has in place, although, if they've already hacked your registrar account, then that lock is useless and adds zero protection.
You can also add a significant level of security by using two-factor authentication on your email account(s).
In the case of the CIRA auth code retrieval tool, it is indeed just the one level of security to circumvent (your own email account), but only if you have public (corporate) whois data. So unless that fits your scenario, there is really zero reason to complain about it. Zero. It's only a benefit to you to be able to complete a transaction without having to beg the usual suspects of registrars who are slow to respond or have their own agendas.
Now if you ARE a corporation with public whois, like myself, yes, you should be ultra concerned about getting your email hacked. Lets face it, if your email gets hacked, they can likely recover your username and password anyways, thus nullifying a couple levels of security listed above. And once that's achieved, the lock and authcode request is easily achieved, whether its through the registrar or CIRA.
So - does this auth code tool ACTUALLY make anything less safe for the domain owner? If you don't take care in choosing your registrar and make good security choices, sure, you can argue that it reduces the level of security down to simply hacking an email account. But as described, in many existing cases, this is all that's needed anyways. Hacking the email account allows you to recover a username, reset the password, unlock the domain, request the auth code, boom its gone. Your email is the primary linch-pin to all of this.
So as
@richard.schreier says, there are various security options available to the Registrar. Renewal prices are certainly a key driver for domainers with large holdings. But other options such as security, domain redemption prices, bulk management tools and general hassle-factor are all involved. Choose wisely.
If you're concerned about security of your .CA domains, your best course of action is to:
1. use two-factor authentication on your email account.
2. use a registrar with good security practices, like two-factor authentication.
3. consolidate ALL your domains to a single preferred and trusted registrar as soon as 60-day holds are released.
4. consolidate all your domains and registrar accounts to a single registrant & email account.
No single course of action will secure your domains. The responsibility is on you to practice safe domaining.