4 December 2002

Summary – Labor’s Policy Objectives

General Objectives

Legislative Objectives

Public Education Objectives

Co-operation with the Internet Industry

International co-operation

Introduction

Unsolicited, “junk” email, or “spam” has been a feature of the internet at least since it became a commercial medium.  The first recorded incidence of spam occurred in 1994 when US law firm, Canter and Siegel, put out a mass advertisement for an immigration advocacy service they offered.

Broadly “spam” refers to an electronic mail message that is:

Spam is also called Unsolicited Bulk Email (UBE).

For the purposes of managing this issue, developing a workable definition of spam is very important.  This is discussed in further detail in Appendix A.

As the internet has grown in terms of numbers of users, so has the incidence of spam.  Once an occasional irritation, that many users could overlook, spam has now become the source of much frustration for many internet users.  Some individuals put up with dozens of unsolicited bulk emails each day.

The most recent figures from the National Office of the Information Economy suggest that the Internet is available to a large number of Australians, with around 72% of the adult population having access (mostly at home or at work)[1], as well as 80% of small to medium enterprises.[2]

Certainly, as Internet take-up increases spam is being discussed both in the information technology, and the mainstream media. As the number of Australians establishing themselves online increases, so will the impact and relevance of spam.

As well as the perceived rise in spamming being reported in surveys and anecdotally in the media, a specific incident gave this issue prominence.  That was the court case between Perth-based marketing firm, T3 Direct and Joseph (Joey) John McNicol.  This will be discussed below, but the case highlights that the position of spam under the law is unclear.  The legality of an resident of Australia to take steps to prevent “spammers” from undertaking what they find to be expensive and frustrating activity is uncertain.

In spite of these issues, the Coalition has been slow to address this problem.  Until August 2002 the totality of the response had been to issue some voluntary guidelines relating to online direct marketing, and to assert that the incidental operation of existing Australian laws were enough to combat spam.  Clearly this has not been the case, but it has been left to internet industry groups like the Internet Industry Association to try and develop their own codes of practice.

In June the Coalition’s credibility in this area was further damaged when the Office of the Federal Privacy Commissioner announced a formal investigation into a Government website for sending spam.[3]  The investigation has yet to be concluded, but for an issue which requires co-operation with individuals, the internet industry and the international community, this does not help the Government’s standing.

In August the National Office for the Information Economy (NOIE) released an interim report on spam.  That, almost four months after it was announced, the report was only an interim report was disappointing, and can be seen as more prevarication by the Coalition.

The report contained 15 draft recommendations on spam.  These mainly involved encouraging internet industry bodies to take action and co-operating with the international community.  These are not bad suggestions, but there is an argument that legislative change also needs to be implemented.  The paper’s position on this was to better enforce the existing legislation, and to recommend the Government consider further legislation.  Clearly more needs to be done in this area.

The costs of spam are hard to quantify, but they include the bandwidth and network costs of the transmission of spam, as well as productivity costs to businesses caused by time taken to open, read and react to such messages.

It should be noted that unlike normal “junk” mail, email “spam” costs nothing for the spammer to send.  Instead the cost is borne by the receiver, either directly, as the longer download times, and higher download rates result in a larger bill from ISPs, or indirectly, as ISPs pass on the costs they pay for spam to their customers.

Therefore spam is being paid for by every internet user, whether or not they personally are receiving it.

This is on top of the frustration internet users face in receiving large amounts of unwanted, and sometimes offensive, email.  Especially when this email overflows their mailboxes, causing legitimate emails to be “bounced” back to the sender.

While the exact figures in terms of extent and cost of spam may vary, it is clear that effective steps have to be taken to address the problem – something that has not occurred so far.

This discussion paper on spam will outline the extent of the spam problem, discuss existing measures that attempt to deal with spam, including the flaws in the current regime, and it will suggest alternative policy approaches to improve the effectiveness of the problem.

Outlining the spam problem

Extent of the problem

It is difficult to get accurate figures for the extent of spam (partly for issues relating to the definition of spam), but most accounts indicate that the incidence of spam is significant and increasing.

The NOIE interim report on spam cites figures which indicate that for 54% of US email users, spam accounted for 20% or more of all the email they received.[4]  The Coalition Against Unsolicited Bulk Email in Australia (CAUBE) states that at the 1991 email addresses they surveyed, spam increased by a factor of 6 in 2001, equating to a doubling every four-and-a-half months.[5]

CAUBE also cites a Korean study that estimated that spam made up over one half of the average user’s mail each day.[6]  While these figures may not be precise, the support the impression that in countries with a high number of internet users, spam is an increasingly significant issue.

The costs of spam are hard to quantify, but they include the bandwidth and network costs of the transmission of spam, as well as productivity costs to businesses caused by time taken to open, read and respond to such messages.  The National Office for the Information Economy (NOIE) believes that:

Even allowing for some over-estimation of these figures, the cost of spam to the economy is still a significant issue.

It should be noted that unlike normal “junk” mail, email “spam” costs nothing for the spammer to send.  Instead the cost is borne by the receiver, either directly, as the longer download times, and higher download rates result in a larger bill from ISPs, or indirectly, as ISPs pass on the costs they pay for spam to their customers.

Specific problems raised by spam

Spam has several characteristics which specifically make it undesirable to internet users.

·        Illegal or offensive content

Owing to the ease of concealing an email’s origin, spam is the advertising medium of choice for advertisers of illegal (including criminal) activities, such as deceptive advertising, or even confidence tricks, or offensive content (such as pornography).  Thus, the mass, undiscriminating distribution of this kind of anti-social material to the population at large is a problem.

·        Damage to e-commerce

Spam creates a bad reputation amongst people who might otherwise use the internet for commercial purposes.  Stories of email scams generate the belief that e-commerce is unsafe, and by association trust in legitimate online vendors is eroded.

·        Cost

As discussed earlier, spam is having a significant cost on the internet economy.  The vast majority of this cost is borne by receivers of spam, not spammers themselves.

·        Inconvenience

Even to people who routinely delete unwanted email, the constant bombarding of an email address by spam can be a nuisance.  For some, spam outnumbers legitimate email.  The time taken to sort through and delete such mail is added the time taken to download it, which on a dial-up connection can be significant.

Additionally, to those people who have limits on the amount of mail their email provider will hold for them, spam can often mean a full mailbox – meaning desirable emails get rejected.  At this stage the value of having email at all is destroyed

·        Privacy

Privacy has a different relationship to spam than do the other issues raised here, because spam does not necessarily cause breaches of privacy, rather the widespread incidence of spam tends to represent a lack of good, enforceable privacy regulations.

Basically, spammers are only able to send unsolicited bulk email if they have lists of email addresses.  This usually means that the spammer has obtained the email addresses, often through an unspecified method.  The user is often unaware of how to remove their details from the spammer’s list, and may well be concerned that a purveyor of pornography or other offensive material may hold other personal details about them.

Often email addresses are collected and sold without the knowledge or consent of the owner.  This usually indicates an in-principle breach of privacy for the owner of the address.  Thus, as will be discussed later, a strong privacy regime can inhibit spam.

An example of this is the European Union, where Directive 95/46/EC of 24 October 1995 provides that personal data (which, crucially, includes email addresses) may not be processed unless it is collected fairly and for specified and legitimate purposes.[8]  As a result, European email addresses tend to be less troubled by spam, because the trade in email addresses never occurs.

·        Email vigilantism

Frustration with spam has caused many internet users to strike out against spammers on their own.  In fact, there is an argument that internet activists are mainly responsible for what little respite in spam has occurred.  A common tool of the anti-spammer is the “blacklist” – a website which compiles lists of known spammers which others may then adopt to block all mail from those senders.

While useful in theory, these can have a number of flaws, the least of which being the unintended damage to innocent victims who appear on the list, despite not being spammers.  This exact circumstance gave rise to the Joey McNicol case, where a direct marketing company took legal action against an individual who it alleged wrongly caused it to be blacklisted by such a site.

T3 Direct v Joseph John McNicol[9]

Perth based direct marketing company, T3 Direct, alleged that Mr McNicol sent an unfounded complaint to an online spam “blacklist”[10], claiming that T3 was sending spam.  The company alleged that Mr McNicol “procured, induced, incited, persuaded, encouraged, organised, facilitated and/or advised” the owners and users of the blacklist to block emails from T3 Direct.  Presumably, as a direct marketer this was detrimental to the business’s interests.

The case raised an important question for the law, which despite a ruling falling in Mr McNicol’s favour has yet to be resolved – is it unlawful for a resident of Australia to take steps to prevent what they find to be expensive and frustrating activity undertaken by senders of unsolicited bulk email?  Currently there is no firm statement in the law one way or another, and this legal uncertainty raises a potentially difficult situation.

Mr McNicol won the case because the marketing company could not prove that Mr McNicol was responsible for its presence on the blacklist.  The question of whether or not such an act would be unlawful does not appear to have been dealt with by the court.

It is clear that the law cannot remain silent on the issue of spam.  Unless adequate legislation covering spam is put into place, blacklists will continue to operate unregulated, and spammers may be able to use the law to protect their activities in the face of outrage from the online community.

Existing responses to spam

Government responses

NOIE Interim Report

In August 2002, NOIE released an interim report on spam[11].  The report is a welcome step as it at least shows that the Government is attempting to address the problem.  The report contained some useful new research and collated 15 draft recommendations on addressing the issue of spam.

The report is only an interim document.  It does not reflect any final position by the Government.  A final report is to be released for consideration by the Government at some time in January 2003.

The recommendations include internet industry self regulation, the education of internet users, and cooperation with the international community.  These are positive steps that a Commonwealth Government can take.

However, the report arguably under-emphasises the potential of legislative reform.  It suggests that existing criminal and consumer protection laws should be more proactively applied and enforced, but it is more hesitant about introducing new legislation.  The relevant recommendations on this point are as follows:

“6. Regulatory agencies, in particular the Australian Competition and Consumer Commission (ACCC), Australian Securities and Investment Commission (ASIC) and the Office of the Federal Privacy Commissioner (OFPC), should be encouraged to fully apply existing laws to spam. Appropriate resources need to be allocated for this task. For example, section 52 of the Trade Practices Act includes provisions with potential to operate against spam that is misleading or deceptive such as spoofing and misleading privacy statements.

[…]

9. The current application of the National Privacy Principles (NPPs) to spam should continue to be clarified, in straightforward publicly available advice, as cases evolve.

10. The application of the Privacy Act to spam should be considered. The proposed review of private sector amendments of the Privacy Act may be an appropriate vehicle for this.

[…]

12. The Government should consider anti-spam legislative options in further detail, consulting with all interested parties, and focussing at this stage on the following options:

·         An outright prohibition on the sending of unsolicited bulk electronic messaging;

·         A requirement for greater transparency in the nature and origin of bulk electronic messaging;

·         The creation of a new offence of using a carriage service to commit any Commonwealth offence.”[12]

The report correctly states that legislation is “no silver bullet”. However, this does not mean there would be no benefit to a well developed legislative structure that addresses spam and ensures that, where possible, the practice is discouraged.  Legislation is a tool to inhibit a culture of spamming that clearly exists.

Addressing spam through the Privacy Act would be a good way to do this, but the mechanism for doing this following the foreshadowed review of the Act in December 2003[13], or 16 months after the publication of the report.

Guidelines

In May 2000, the Minister for Financial Services and Regulation, Joe Hockey, launched “Building Consumer Sovereignty in Electronic Commerce: A best practice model for business”. The document is intended to serve both as guidelines for businesses, and for industry codes. It states that

“23. For commercial e-mail:

23.1 Businesses should not send commercial e-mail except:

23.1.1 to people with whom they have an existing relationship; or

23.1.2 to people who have already said they want to receive commercial e-mail; and

23.2 Businesses should have simple procedures so that consumers can let them know they do not want to receive commercial e-mail.”

This is the only set of guidelines, regulations or legislation that specifically lays down instructions about email marketing.  While it labels unsolicited commercial email as being unacceptable, it represents a “soft touch” approach; the actual extent that these guidelines act as a deterrent to spammers, and the impact that it has had on spam is unclear.

Legislation

Currently, there is no legislation specifically enacted to target spam.  However, according to NOIE there are six Acts which can apply to spam[14]:

·        Privacy Act 1988 – Privacy Regulations

The Guidelines to National Privacy Principle 2(c), relating to direct marketing, states:

“This [privacy principle] allows organisations to use non-sensitive personal information for direct marketing where, among other things, it is impracticable to seek the individual's consent and where the individual is told that they can opt out of receiving any more marketing from the organisation.

[…]

As the cost of emailing is negligible, ordinarily it will not be 'impracticable' to seek consent where an organisation chooses on-line methods of contact or communication. This means that generally an organisation could not rely on NPP 2.1(c) for techniques such as email marketing or SMS marketing.”[15]

The implication of this is that spam to an individual’s email address would not be permitted unless it is impractical to seek an individual’s consent, and the individual is given the choice to “opt out” of the arrangement.

·        Broadcasting Services Act 1992 – Content Regulation

The Broadcasting Services (Online Services) Amendment Act 1999 amended the Broadcasting Services Act 1992 to include an online content regulation scheme.  Although the scheme covers web sites rather than email, any offensive internet content (that is, content classified R, X or Refused Classification (RC)) that is available at a web site to which spam directs recipients, may be the subject of complaint under the scheme.

Under the Act, anyone may complain to the Australian Broadcasting Authority (ABA) if they believe Australians can access prohibited or potentially prohibited online content using an Internet carriage service or that such material is being hosted in Australia by an Internet content host.

NOIE claims that the Act can be applied to a spammer who advertises pornography sites by requiring the ABA to issue a “take down” order for those sites.  Presumeably the reasoning is that after the take down order is issued the pornography spammer would have no sites remaining to advertise.

·        Interactive Gambling Act 2001 – Online Gambling Regulation

According to section 61EA of the Interactive Gambling Act 2001, Interactive gambling service advertisements are not to be broadcast or datacast in Australia.  Specifically, a person is guilty of an offence if:

“the person broadcasts or datacasts an interactive gambling service advertisement in Australia”[16]

In effect, this Act prohibits most email advertisements for online gambling which target Australian internet users.  Complaints about such emails can be made to the ABA which manages a complaints mechanism.

·        Trade Practices Act 1974 – Deceptive and Misleading Conduct

Where email is used to make misleading claims about products, promote pyramid trading, or to induce payment for a non-existent good or service it is being used to breach the Trade Practices Act 1974 (TPA).

The Australian Competition and Consumer Commission (ACCC), responsible for enforcing the Act, is focussing some attention on electronic commerce, including (but not limited to) spam that breaches the TPA.[17]

·        Crimes Act 1914 – Menacing or harassing email

According to NOIE,

“section 85ZE of the [Crimes Act] makes it an offence to intentionally use an Internet carriage service to menace or harass another person or in such a way as would be regarded by a reasonable person as offensive. While Internet content is excluded from this provision, it would apply to all other uses of a carriage service such as e-mail.”[18]

·        Corporations Law – Unlicensed Financial Advisors

According to NOIE,

“Under the Corporations Law it is illegal to provide financial advice without a licence. ACCC evidence suggests that spam is currently being used to proffer financial advice often from unlicensed persons.”[19]

Industry responses

The internet industry has not always placed a high priority on combating spam, but as the incidence of spam, and the internet, has grown it has made an effort to discourage the practice.

For example, at one time, the Internet Industry Association (IIA) contained in its industry code of practice several provisions relating to spam. These included:

Unfortunately, the IIA has abandoned its general draft Code of Practice in favour of a number of codes which cover specific issues. None of these include spam. However, the IIA has suggested that spam will be covered in it forthcoming Cybercrime Code of Practice, to be finalised this year.[20]

In the mean time, the legacy of the original effort is that several ISPs developed, and retain, AUPs that prohibit spam (see APPENDIX B). This demonstrates some industry commitment to spam, however, in terms of widespread industry participation, as well as the creation of minimum standards, there is room for improvement.

Flaws in the current legislative regime

Legislation

The principle flaw in the current legislative regime is that this legislation does not deal specifically with spam.  Instead, it deals with some of the content contained in spam – pornography, gambling, and deceptive trade practices, or when spam breaches privacy requirements relating to the National Privacy Principles (specifically with National Privacy Principle 2(c) relating to direct marketing).

While there are limitations to what legislation can do to enforce any kind of practice on the internet, as far as spam is concerned it can still have its place as part of a holistic approach to addressing the problem.  A strong legislative regime specifically addressing spam would be necessary for three reasons.

First to control spam where it is possible – in Australia.  Obviously this would have no effect on spam arriving in Australia from overseas, but it would impact on Australia’s contribution.  CAUBE estimates that 16% of global spam originates in Australia[21], and NOIE’s interim report suggests that 20% of large Australian ISPs receive the majority of their spam from within these shores.[22]

Conversely, Western Europe, which has very strong privacy and anti-spam legislation is not regarded as being the source of the majority of spam for any ISP. [23]

A strong legislative regime could also act as the basis for negotiations with the international community.  The more global such legislation is, the more effective it would be.

Second, it would give spam a clear status under the law.  This can lead to a court using existing principles of common law to decide that an individual who has acted to stop an organisation from spamming can be sued under third party torts law. This possibility will soon be explored in the Joey McNicol case.

Finally, legislation would also make it clear that spam, however it is defined (see Appendix A), is unacceptable conduct. As long as there is no firm legal statement on spam, the most recalcitrant spammers can ignore the protestations of the growing internet community, and claim that there is nothing wrong with spam. Strong legislation would make this claim unrealistic.

Specific failings of the existing legislation

·        Privacy Act 1988

National Privacy Principle 2(c) specifically states that “it will not be 'impracticable' to seek consent where an organisation chooses on-line methods of contact or communication”, leading to the conclusion that this principle does not allow direct marketing by email.

However, email direct marketers can argue that spamming is allowed under NPP 2(b), which states that

“This [principle] allows an organisation to use or disclose personal information for a secondary purpose if it has the individual's consent. Consent to the use or disclosure can be express or implied. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the organisation. For example, it may be possible to infer consent from the individual's failure to opt out provided that the option to opt out was clearly and prominently presented and easy to take up.”

The conclusion to be drawn from this is that a spammer who receives a individual’s email address can use it for a “secondary purpose” if consent can be implied by “the individual's failure to opt out” as long as “the option to opt out was clearly and prominently presented and easy to take up” – for example the spam email contains a clear statement offering the ability to unsubscribe.

Unfortunately, the prevalence of spam has led many people to become suspicious of any kind of direct marketing.  It is commonly accepted that to respond to spam in any way – even to “opt-out” – risks confirming to unscrupulous spammers that one’s email account is active, and therefore inviting more spam.  This prevailing attitude could reduce the effectiveness of legitimate “opt-out” schemes.

In any case, the penalties for breaching Privacy Principles are hardly a deterrent.  An investigation by the Federal Privacy Commissioner may take up to six months and may only result in an apology.  In some cases compensation may be ordered.

·        Broadcasting Services Act 1992

The Broadcasting Services Act does not deal with spam at all.  In so far as a person is sent unsolicited email referring to a pornographic site they can make a complaint about the site to the Australian Broadcasting Association.  If the site is located in Australia ABA might then order the site to be taken down if it is found to contain objectionable material.  However this would do nothing to prevent the site administrators from sending spam email.

·        Interactive Gambling Act 2001

This Act has a very narrow focus, only prohibiting email that advertises online gambling on an Australian web site, delivered to Australians.  It would not apply in other situations.

·        Trade Practices Act 1974

As far as the issue of spam is concerned, the Trade Practices Act also suffers from having a narrow focus – only covering spam that is used to make misleading claims about products, promote pyramid trading, to induce payment for a non-existent good or service, or otherwise breach the Act.  The ACCC, which enforces the Act, specifically states on its web site that it is not interested in unsolicited email “unless it involves conduct mentioned above” (ie breaches of the Trade Practices Act).

Addressing the Problem of Spam

Clearly there is no single solution that will solve a complicated, cross-jurisdictional issue like spam.  A mix of complimentary policies is required.  Part of the problem will be determining what that mix should be.  Broadly there are three directions that can be taken:

It is clear that the third option is the most acceptable because the first is no solution, and the second is very difficult to implement.

Following are some suggested policy mechanisms that can be employed to combat spam.  They are discussed under four major headings:

 Legislative Changes

Whilst any legislative regime will have its flaws, particularly relating to the international incidence of spam, it nonetheless plays a crucial role in addressing the problem.  It is important to have a strong regime in place to make it clear to the community that spamming is not good commercial conduct.  Legislative reform could examine four possible outcomes:

·        Cut down the trade in email addresses.  Basically the key driver for spam is the ease of obtaining email addresses.  If some spam itself is to be believed, a CD with over 1 million email addresses can be bought for $US10.  Measures which prevent the unregulated trade in email from occurring would go some way to nip the problem in the bud, and should be the basis of any anti-spam regime.

·        Establish a basic legal presumption that individuals are entitled to be free from spam.  This issue can be contentious, given that it can be interpreted as being opposed to the principles of freedom of expression.  Often analogies are drawn between unsolicited email (ie spam) and unsolicited “real” mail (ie junk mail).  However, this analogy does not hold, because the cost of junk mail is borne by the distributor of the mail, whereas the cost of spam is eventually borne by the user.  Hence the user is entitled to take measures to prevent being spammed without fear of reprisal from spammers.