
Cleaning up the spam problem

Feature Articles

Cite as: (2004) 78(3) LIJ, p. 34

Next month federal legislation will come into effect which will attempt to address the scourge of spam emails.

By Gordon Hughes and Ian Oi

Early last year, then Communications, Information Technology and the Arts Minister Richard Alston pronounced that “spam is clogging the arteries of the Internet, polluting the medium with pornography and scams and stealing bandwidth from ordinary Australians”.

Around the same time, the Australian Competition and Consumer Commission (ACCC) announced that it was joining forces with the law enforcement agencies in the US, Japan, Chile and Canada “to put a stranglehold on the sources of spam”, with operators of 1000 (open ports) across the world receiving letters from enforcement agencies asking them to close down, thereby reducing the opportunities for spammers.

On 18 September 2003, anti-spam legislation was tabled in the House of Representatives in the form of the Spam Bill 2003 (Cth) and the Spam (Consequential Amendments) Bill 2003 (Cth). The legislation subsequently received royal assent on 12 December 2003 (No 129 of 2003) and will come into effect on 11 April this year.

The second reading speech noted that the extremely low cost of sending spam, coupled with the ease of sending large volumes, has led to hundreds of millions of spam messages being sent around the world each day. It had reached the point where there was as much, if not more, spam email than legitimate email. The cost to business was estimated at $900 per employee per year, arising out of lost productivity, damage to reputation and loss of customers and business opportunities.

NOIE report on spam

The National Office for the Information Economy (NOIE) published the “Spam: Final report of the NOIE review of the spam problem and how it can be countered” (the report) on 16 April 2003 in which anti-spam laws were first proposed.

Senator Alston requested in February 2002 that NOIE review the extent of problems caused by spam, the adequacy of current measures to counter the problem and possible additional measures that may be necessary. NOIE consulted widely and published an interim report in August 2002.

Overview
The report identified spam as a “significant and growing problem”. There was a need for national legislation but there were limitations on the extent to which legislation could be effective because of the difficulty in identifying spammers and the lack of jurisdiction over offshore offenders. It was therefore important to promote a spam reduction strategy through industry bodies, while working with international organisations such as the OECD and APEC to develop international guidelines and cooperative mechanisms.

Defining spam
The report noted the difficulties in defining “spam”. In simple terms, the report chose to define spam as “unsolicited electronic messaging, regardless of its content”. In broader terms, the report noted that these unsolicited electronic messages usually had a commercial focus and shared one or more of the following characteristics:

  • untargeted and indiscriminate communications often by automated means;
  • illegal or offensive content;
  • collection or use of personal information in breach of the Privacy Act 1988 national privacy principles (NPPs);
  • dispatch in a manner which disguised the originator; and
  • absence of a valid and functional address to which recipients could send messages opting out of receiving further unsolicited messages.

The report emphasised that not all bulk emails should be regarded as spam, specifically in circumstances where:

  • recipients had previously dealt voluntarily with the sender and, on the basis of that existing relationship, could reasonably be assumed by the sender to be prepared to accept messages of that type;
  • there was an absence of illegal or deceptive content; and
  • there was compliance with the NPPs.

Major problems posed by spam
The report noted that spam caused problems to both Internet users and regulatory agencies, especially as it was typically anonymous, indiscriminate and global. It could be used as a vehicle for promoting illegal activities. There were significant privacy issues surrounding the manner in which email addresses and personal information were collected and handled.

Other problems included:

  • indiscriminate distribution of pornographic, illegal or offensive material, much of which confronted minors;
  • spoofing (forgery of an email header so that the message appeared to have originated from another entity or location); and
  • expense associated with increased download times and lost productivity.

The report quoted a study which suggested that spam accounted for 20 per cent of all emails.

A majority of spam received by Australian Internet service providers (ISPs) originated from the US. The incidence of spam received by Australian Internet users was growing rapidly, with one study concluding that there was a 300 per cent increase in spam from 2001 to 2002.

Legal issues
The report considered that the primary areas of focus for anti-spam legislation and regulation internationally were:

Consent and privacy

  • has a recipient chosen to receive email from this source?;
  • can the recipient effectively choose not to receive any further emails from this source?;
  • is there implied consent through a pre-existing business relationship?;
  • was the email address obtained without the owner’s consent or knowledge?; and
  • has the email address been traded without the owner’s consent or knowledge?

Content

  • does the email contain offensive, inappropriate, damaging or illegal content? This can include scams, viruses, unapproved or unprescribed medicines, pyramid schemes, and chain-mail;
  • does it contain pornography (or links to pornographic sites) which is likely to be sent to minors?; and
  • does the email promote websites which are illegal in the jurisdiction where the email is being sent or received? For example, a number of jurisdictions ban sites which offer online gaming facilities.

Transparency

  • does the email contain the sender’s valid address, a valid “unsubscribe” option, and accurate header information?

Misuse/abuse of computing resources

  • has the sender misused third-party computer resources such as open-relay servers?

Breaches of contracts or codes

  • has a contract, code of conduct or code of practice been breached? This can include, for example, the contract between a spammer and an ISP or the code(s) of conduct and code(s) of practice to which a company may have agreed to adhere. Breaches would often include the behaviours described above such as privacy breaches or offensive content.

Inadequacy of existing Australian laws

The report concluded that:

  • there is no existing legislation in Australia which expressly addresses spam;
  • the distribution of spam is not a specific criminal offence under any Australian criminal legislation;
  • there is no privacy legislation specifically requiring a sender to obtain the recipient’s consent before sending spam to that individual. To the extent that the Privacy Act 1988 (Cth) contains principles which could impact on spammers’ activities, they are either routinely ignored or prove ineffective in addressing the activities of overseas spammers or spammers which do not trade in personal information;
  • with respect to the distribution of pornographic images or links, the Broadcasting Services Act 1992 Schedule 5 establishes a scheme to control illegal and highly offensive online content but the public complaints process administered by the Australian Broadcasting Authority in this context does not extend to normal email messages, including spam messages;
  • various criminal offences could be involved (for example, under the Criminal Code 1995) where spammers suborned third-party computing resources but prosecution is difficult due to the generally transnational nature of the offences; and
  • industry self-regulation – such as the Internet Industry Association (IIA) draft code of practice on privacy, the Australian Direct Marketing Association and the Australian Communications Industry Forum codes of practice – is limited to participating entities.

NOIE recommendations
The report recommended the following legal and regulatory measures:

  • legislation with the following features:
    • commercial electronic messaging should not be sent without the prior consent of the end-user unless there is an existing customer-business relationship;
    • commercial electronic messaging should contain accurate details of the sender’s name and physical and electronic addresses;
    • a co-regulatory approach with industry should be adopted with appropriate codes of practice; and
    • sanctions should apply, determined in accordance with the existing guidelines;
  • a new offence of using a carriage service to commit any commonwealth offence;
  • Australia to work with the OECD, APEC and other relevant multilateral bodies, and bilaterally where appropriate, to develop international guidelines and cooperative mechanisms which:
    • aim to reduce the total volume of spam;
    • apply the opt-in principle where practicable;
    • eliminate, to the greatest extent practicable, false or misleading subject lines and header information; and
    • provide end-users with information on anti-spam measures;
  • the application of the Privacy Act to spam to be considered further by the Attorney-General’s Department and the Federal Privacy Commissioner, in the context of ongoing administration of that legislation;
  • regulatory agencies, in particular the ACCC, ASIC and the Federal Privacy Commissioner, to fully apply existing commonwealth laws to spam. Appropriate resources to be allocated for this task;
  • review of Schedule 5 to the Broadcasting Services Act 1992, which regulates access to hosted pornographic and highly offensive Internet content in Australia, to determine whether additional steps should be implemented to minimise exposure of Internet users, particularly minors, to pornographic and other offensive spam; and
  • at the operational level, Australian government agencies to work with international agencies to counter spam within appropriate legislative mandates.

Industry bodies
The report noted that many service providers and responsible ISPs prohibited spam activity as part of their “terms of use”. In addition, Internet business and ISPs were increasingly turning to technical solutions, using a variety of tools which assisted in filtering or blocking unwanted email messages.

The report recommended that industry bodies and their members should:

  • build on existing work done by the IIA and implement codes of practice to ensure compliance with national legislation, prohibit use of members’ own facilities for sending spam and provide clear complaint procedures for end-users;
  • develop best practice guidelines which provide a resource for both members and end-users to combat spam;
  • require ISPs to make available to clients filtering options from an approved schedule of spam filtering tools at reasonable cost, and evaluate and publicise spam filtering options and products;
  • configure servers appropriately and take action to close down identified open relay servers; and
  • maintain a self-regulated list of known spammers so that ISPs could make informed decisions about dealing with customers who have a record of spamming.

Public awareness
The report urged the implementation of an information campaign to enable users to minimise spam and pursue complaints. The campaign should be conducted for an initial period of 12 months, to raise awareness and to provide resources for anti-spam measures by business and end-users. This should be coordinated by NOIE in conjunction with relevant government and non-government bodies. It should include a clear guide to avenues of complaint available under existing legislation, simple technical advice, and a basic guide to anti-spam products.

Spam legislation

Overview
As set out in the second reading speech, the key features of the Spam Act (the Act) include:

  • a consent-based or “opt-in” basis for commercial electronic messaging;
  • a recognition of existing customer-business relationships;
  • a restricted, and appropriate, recognition of implied consent, where people advertise their electronic address;
  • a requirement for accurate sender’s details and a functional unsubscribe facility;
  • support for the development of complementary industry codes; and
  • a flexible and scalable civil sanctions regime for breaches.

The Act will ban the supply, acquisition and use of address-harvesting and address list generation software for the purpose of sending spam, as well as the lists produced using that software.

Courts will also be able to compensate businesses which have suffered at a spammer’s hands, and will be able to recover from spammers the financial gains made.

Main effect of legislation
In summary, the Act regulates:

  • the sending of certain commercial electronic messages with an Australian link; and
  • the dissemination and use of address-harvesting software and electronic address lists directly or indirectly produced using that software (harvested-address lists).

A person who contravenes the Act may have to pay civil penalties (of up to $1,100,000 for repeat offender companies) and may be the subject of an injunction.

The commercial electronic message rules and exceptions

Under the Act, the three basic rules for commercial electronic messages with an Australian link are:

  • unsolicited commercial electronic messages must not be sent (unless the recipient consents);
  • all commercial electronic messages must include accurate sender information; and
  • all commercial electronic messages must contain a functional unsubscribe facility.

Consent can be given expressly or it can be reasonably inferred from the conduct, business and other relationships of the recipient of the message. Consent is not to be inferred from publication of the recipient’s email address. However, it can be inferred if the email address was conspicuously published and:

  • the email address was a work-related address;
  • it would be reasonable to assume that the address was published with the addressee’s consent; and
  • the publication does not specifically exclude consent.

The unsolicited commercial electronic messages rules do not apply if:

  • the message is (with some qualification) only factual;
  • it is sent under a reasonable mistake of fact; or
  • the person authorising the sending of the message is (with some qualification):
    • a government body;
    • a registered political party;
    • a religious organisation;
    • a charity or charitable institution; or
    • an educational institution.

Address-harvesting software rules and exceptions
Under the Act, the three basic rules for address-harvesting software and harvested-address lists are:

  • a person must not supply or offer to supply address-harvesting software and harvested-address lists (or rights to use them);
  • a person must not acquire address-harvesting software and harvested-address lists (or rights to use them); and
  • a person must not use address-harvesting software and harvested-address lists.

Exceptional situations where the rules do not apply:

  • the “must not supply or offer to supply rule” is not broken if:
    • the supplier had no reason to suspect that the supplied address-harvesting software or harvested-address lists would be used in connection with sending unsolicited commercial electronic messages; or
    • the supplier did not know (and could not with reasonable diligence have ascertained) that the customer had a relevant Australian connection;
  • the “must not acquire rule” is not broken if the acquirer of the address-harvesting software or harvested-address lists did not intend to use them in connection with sending unsolicited commercial electronic messages; and
  • the “must not use rule” is not broken if the use of the address-harvesting software or harvested-address lists is not in connection with sending unsolicited commercial electronic messages.

However, it is up to the alleged rule-breaker to prove that the above exceptions apply.

Necessary Australian nexus
The legislation expressly extends to acts, omissions, matters and things outside Australia. However:

  • the “commercial message rules” only operate if the message has an Australian link, such as:
    • the message originating in Australia;
    • the sender being physically in Australia or an organisation centrally managed and controlled in Australia;
    • the message being accessed by a computer, server or device in Australia;
    • the message being received by an addressee physically in Australia or which is an organisation centrally managed and controlled in Australia; or
    • a message sent to a non-existent address, it being reasonably likely that (if the address existed) the message would have been accessed using a computer, server or device in Australia; and
  • the address-harvesting software rules only operate if there is a relevant Australian nexus, such as the rule breaker being physically in Australia or a body corporate or partnership carrying on business or activities in Australia. For the “must not supply rule”, the Australian nexus may also include the acquirer being physically in Australia or a body corporate or partnership carrying on business or activities in Australia.

Basic Spam Act concepts at a glance

Spam
Despite its use in the title of the Act, the term “spam” is not defined. Instead, the Act regulates “unsolicited commercial electronic messages”.

Electronic messages
Are messages sent using an Internet carriage service to an electronic address. However, voice calls from a standard phone service are specifically excluded from being electronic messages.

Commercial electronic messages
Are “electronic messages” which, having regard to their content, the way in which they are presented and the type of content which can be accessed via links or other contact information, are designed to achieve one of a number of specified commercial purposes, for instance:

  • offering to supply/provide, advertising or promoting goods, services, land, business opportunities or investment opportunities;
  • advertising or promoting suppliers or prospective suppliers/providers of the above; and
  • assisting or enabling a person, by a deception, to dishonestly obtain a financial advantage or obtain a gain from another.

The complete list of these commercial purposes is set out in cl 6 of the Act.

Unsolicited commercial electronic messages
Although not defined, they are in effect commercial electronic messages that have an Australian link, are not “designated commercial electronic messages” and do not otherwise fall within an exception set out in the legislation.

Designated commercial electronic messages
Are defined in Schedule 1 of the legislation and are restricted to factual information which may include information about how the recipient can readily identify the sender.

Ancillary contraventions
Apart from the primary rule-breaker, the Act also makes the following people liable to civil penalties:

  • a person who aids, abets, counsels or procures a contravention;
  • a person who induces a contravention;
  • a person in any way, directly or indirectly, knowingly concerned with, or party to, a contravention; and
  • a person who conspires with others to effect a contravention.

Other protections and exemptions
The Act contains some protections for innocent intermediaries. For instance, a person supplying a carriage service is not taken to have “sent” an electronic message (or caused it to have been sent) and does not commit an ancillary contravention merely because they supplied a carriage service that enabled the message to be sent. Similarly, the rules for determining who authorised a message to be sent will protect, to some extent, personnel of an organisation from personal liability for messages sent as part of their work.

Further, the Act expressly does not apply to the extent that it would infringe any constitutional doctrine of implied freedom of political communication.

Role of ACA
Enforcement of the legislation will be undertaken by the Australian Communications Authority (ACA). The ACA was chosen on the basis of its understanding of the telecommunications sector, prior experience in conducting investigations and enforcing legislation, and experience in working with industry to develop appropriate codes of practice.

To ensure that the ACA has the means to effectively enforce the legislation, it will be able to issue formal warnings, seek injunctions and seek investigative and monitoring warrants from the courts. At the lower end of transgressions, an infringement notice scheme will provide an efficient and cost-effective way of providing a fast and fair decision. For those organisations that choose to ignore the law, the penalties could be significant as the courts can award damages of up to $1.1 million per day, in the most severe circumstances.

Commencement of penalty provisions
The Act provides that the penalty provisions will come into force 120 days after receiving royal assent. This will coincide with the commencement of significant educational and public awareness programs coordinated by NOIE and involving new representative organisations.

Spam (Consequential Amendments) Act
The Spam (Consequential Amendments) Act makes amendments to the Telecommunications Act 1997 (Cth) and the Australian Communications Authority Act 1997 (Cth) to enable the effective investigation and enforcement of breaches of the Spam Act.

Parliamentary debate
The legislation was the subject of considerable debate in the Senate although proposed amendments were ultimately rejected in the House of Representatives.

The Australian Labor Party (ALP) sought to amend the Spam Bill and the Spam (Consequential Amendments) Bill by:

  • limiting the provisions which allow the ACA to search and seize an individual’s computer without their knowledge or consent, and without a warrant;
  • including trade unions and not-for-profit political lobby groups among the exemptions;
  • protecting individuals and organisations which send single commercial emails to a recipient who they genuinely believe would be interested; and
  • requiring all commercial emails, including those otherwise exempted from the regime, to contain a functional unsubscribe facility.

The Australian Democrats described the ALP’s proposed amendments as “tokenistic”. The Australian Democrats were particularly critical of the failure of the Bills to apply to non-commercial spam of any kind. In their view, if any special exemptions were to be allowed, then such groups should be required to provide an “opt-out” clause in their spam so that recipients could exercise their right not to receive it in future.

In rejecting the proposed amendments late last year, current Communications, Information Technology and the Arts Minister Daryl Williams emphasised that the legislation had been a “balancing act” and that to acquiesce in the suggested changes would “undermine the fundamental policies guiding the legislation, provide the potential for adverse consequences or abuse [and] substantially dislocate existing provisions”.

He added that if there were issues “worthy of further exploration” which became apparent in the first years of the legislation’s operation, these could be considered in the scheduled review.


GORDON HUGHES is a partner with Blake Dawson Waldron, practising in the area of IT and e-commerce law. He is a former president of the Victorian Society for Computers and the Law and a former Law Institute and Law Council of Australia president.

IAN OI is a special counsel with Blake Dawson Waldron. His practice focuses on IT and IP law, particularly Internet-related matters.

The authors acknowledge the assistance of Kent Davey, a senior associate in the Melbourne office of Blake Dawson Waldron.


“Issues in Privacy – SPAM Legislation” Lecture

You’ve read the article, now attend the CPD (Continuing Professional Development) lecture and earn CPD units.

1 cpd unit

All lawyers can earn one CPD unit by attending the Young Lawyers’ Annual 2004 Lecture Series presentation “Issues in Privacy – SPAM Legislation”. The lecture, presented by Blake Dawson Waldron senior associate Kent Davey (who assisted in preparing the article above), develops areas covered in the article, dealing mainly with the key issues faced by organisations complying with new federal and Victorian privacy legislation.

The lecture is on 6 April from 5.30-6.30pm at the Law Institute.

To register online, go to http://www.cpd.liv.asn.au and type in Spam in the Search function or tel 9607 9387.
