Printer Friendly

The international war on spam: governments, businesses, and consumers worldwide agree that unsolicited e-mail advertising, or spam, must be controlled, but their methods of doing so differ.

Currently, analysts estimate, unsolicited bulk e-mail advertisements--"spam"--accounts for almost 50 percent of all e-mail sent worldwide--up dramatically since 2001 when the sometimes offensive, deceptive, and fraudulent e-mails comprised just 8 percent of all e-mails. The U.S. Chamber of Commerce estimates that businesses lose about $10 billion a year in time and productivity, bandwidth costs, and money spent on anti-spam tools. Ferris Research estimates that spam costs European Union (EU) businesses $2.5 billion annually.

Worldwide, businesses and individuals are spending an increasing amount of time and money to clean up e-mail boxes. In addition, spam threatens to stifle some of the major benefits of services such as e-mail and e-commerce, as well as reduce consumer confidence in the Internet.

"Spam: The Silent ROI Killer," a report by independent firm Nucleus Research, found that spam costs businesses $874 per employee annually. The figure is based on an hourly pay of $30 and a work year of 2,080 hours. Interviews with employees and IT administrators at 76 U.S. companies also revealed that

* Companies lose approximately 1.4 percent of each employee's productivity each year due to spam.

* The average employee receives 13.3 spam messages each day.

* Employees spend, on average, 6.5 minutes per day managing spam.

* For every 72 employees, companies are losing the productivity of one due to spam.

The cost of spam is high and is expected to get higher. The Radicati Group estimates that a company with 10,000 users and without anti-spam protection will spend an average of $49 per e-mall box annually processing spam messages in 2003. The research firm's study "Anti-Spam Market Trends, 2003-2007" predicted that dealing with spam e-mails will cost companies around the world $20.5 billion this year and $198 billion by 2007.

Spam producers use databases of e-mail addresses collected from public Web sites, create mail lists, or purchase subscriber lists. "Spammers" modify subject lines, insert hidden text into the message body, and hide their true e-mail address to elude anti-spam filters. Traditional technology is more effective at blocking previously sent messages but it is more difficult to identify new spam or viruses.

While governments, businesses, and consumers worldwide agree that fraudulent spam e-mails must be eradicated, their methods of solving the problem differ. The United States is seeking "opt-out" legislation, while the European Union has established "opt-in" laws. However, their goal is the same and, therefore, the global nature of the problem means that cooperation is imperative.

U.S. Anti-Spam Action

Federal legislators have favored an "opt-out" approach to spam, meaning that when recipients request to be removed from mass e-mail lists, marketers must delete their e-mail addresses and not send them any further messages or face fines or jail time. Under most of the adopted and proposed legislation, legitimate businesses may still send bulk e-mail advertisements to customers.

U.S. businesses have a First Amendment right to distribute unsolicited e-mail advertisements, but state and federal governments, responding to consumer complaints, now are investigating anti-spam laws that will help reduce the daily torrent of fraudulent e-mail sent to consumers. Thirty-eight states now have laws regulating some aspect of spam. In Virginia, for example, the penalty for sending more than 10,000 unsolicited e-mail messages in one day is a prison sentence ranging from one to five years along with the relinquishment of any profits and assets related to those fraudulent activities.

In June, the Senate Committee on Commerce, Science, and Transportation passed S. 877, Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), introduced by Sen. Conrad Burns (R-Mont.). The bill would allow consumers to opt-out of unwanted commercial e-mail messages and impose penalties on those who violate the act by deliberately falsifying their identities or the content of their messages. Once notified, marketers would be prohibited from sending any further messages to the consumer. The measure would require all unsolicited marketing e-mail to have a valid return e-mail address so recipients can opt-out.

In addition to making it easier for consumers to be removed from mass e-mail lists, the bill would enable Internet service providers (ISPs) to bring action to keep unlawful spam from their networks. The legislation contains strong enforcement provisions allowing the Federal Trade Commission (FTC) to impose up to $3 million in civil fines on those who violate the law. State attorneys general would be given the ability, to bring suit on behalf of citizens who have been victimized by unscrupulous marketers.

The bill calls for increased penalties for certain techniques commonly used by spammers, including "dictionary attacks" (the establishment of numerous e mail accounts to make spam more difficult to track and block) and the hijacking of other computers or computer networks to send or relay spam. Another provision clarifies that when a recipient asks to be removed from a sender's mailing list, the sender may not share or sell that recipient's e-mail address to a third party. The measure includes a modified preemption rule to allow states to continue to impose and enforce strong laws against falsity and deception in spam, while still ensuring national standards for compliance with the law.

The committee also adopted an amendment offered by Sen. John McCain (R-Ariz.) to provide additional enforcement authority for the FTC to hold liable unscrupulous businesses that employ spammers to fraudulently promote their businesses.

An anti-spam bill in the House of Representatives--H.R. 2214, the Reduction in Distribution (RID) of Spam Act--would allow consumers to opt-out of receiving commercial e-mail, prohibit the sending of a message containing a false sender identity, and provide criminal and civil penalties to fight fraudulent spam. In July, the House Subcommittee on Crime, Terrorism, and Homeland Security held a hearing to examine H.R. 2214, which also would require e-mail marketers to label messages as advertising and permit state and federal law enforcement officials and ISPs to prosecute and sue spammers.

Rep. Heather Wilson's (R-N.M.) H.R. 2515, the Anti-Spam Act of 2003, also has been discussed in subcommittee. H.R. 2515 would also allow consumers to opt-out of unwanted commercial e-mail, while requiring senders to comply promptly with that request.

But H.R. 2515 also prohibits companies from sending "sexually oriented messages" with fraudulent header information or subject lines. Wilson's legislation would require sexually oriented commercial e-mail to include an opt-out link that would not require recipients to view the e-mail contents. H.R. 2214 requires businesses to only include an "ADT" (adult) label with adult messages.

H.R. 2515 would also allow consumers to opt-out of messages from a company and its affiliates, while the RID Spam Act would require consumers to opt-out of e-mail from each business entity. Backers of the Wilson bill objected to the RID Spam Act's definition of spam as e-mail that has as its primary purpose a commercial message because they said the H.R. 2214 definition of spam would allow marketers to send unsolicited e-mail with a commercial message buried inside of it.

Pep. Rick Boucher (D-Va.) argued that any spam legislation must contain three elements: "vigorous enforcement," a "workable definition of spam," and "strong consumer protections." Boucher and Pep. John Dingell (D-Mich.) expressed their opinion that legislation should allow consumers to opt-out of messages from the company sending the e-mail as well as its affiliates. Dingell said that the bill "should contain a sufficiently broad definition of 'affiliate' so that consumers are not required to opt-out of each affiliate within a giant corporation."

In assessing congressional attempts to curtail spam, Howard Beales, director of the FTC's Bureau of Consumer Protection and head of the agency's anti-spam efforts, identified three primary issues that effective spam legislation must address

* the ability to accurately identify the source of spam transmissions

* civil penalties and criminal sanctions as an effective deterrent to those wishing to send spam

* appropriate standards for non-deceptive, unsolicited, commercial e-mail

Although both bills are still being considered by the House Judiciary Committee and the House Energy and Commerce Committee, anti-spam activists have gone on record as saying that neither H.R. 2214 nor H.R. 2515 goes far enough to fully address the problem of spam. Energy and Commerce Committee members have delayed a vote on the issue as they hammer out a compromise between two competing bills.

Consumers Union said Americans should have the right to block all advertising e-mail, including legitimate business e-mail, but U.S. legislators feel differently. Rep. Bob Goodlatte (R-Va.), a co-sponsor of H.R. 2214, has called the inclusion of an "opt-in" clause--whereby consumers would not receive spam unless they sign up to receive it--along with the inclusion of a private right of action a "nightmare for legitimate business." Rep. Robert Scott (D-Va.) recently indicated his desire to distinguish between legitimate and illegitimate e mail business communications, saying that legitimate businesses have "First Amendment rights that must not be infringed."

The EU Example

The EU has a different perspective. One in eight e-mails sent in Britain is spam, compared with one in 200 at the beginning of 2002. And it's the same story across Europe. As a result, EU lawmakers have passed regulations that seek to ban spam in any form and stipulate that consumers must opt-in, or sign up, before receiving e-mail advertisements.

In 2002, the EU adopted a directive addressing unfair commercial practices that could dramatically alter the practice of sending unsolicited e-mail marketing in EU nations while granting controversial rights to member states to monitor Web surfers' activities. The regulation may result in a ban on spam in Europe. Article 13 of the directive specifies that e-mail marketing is only allowed with prior consent, meaning that unsolicited e-mail is illegal unless there is a preexisting business relationship between sender and receiver or the receiver has agreed to receive it.

Member states also can ban unsolicited commercial e-mails to businesses. Member states must apply and effectively integrate this rule into their national legislation by October 31, 2003--a process that often can take years. These rules would replace the patchwork of national rules and court rulings on commercial practices across Europe. Because the directive ensures EU-wide standards of protection, businesses will have to comply with the EU requirements when marketing to EU consumers. The directive prevents other member states from imposing additional requirements. Member states will have a duty to ensure the rules on unfair commercial practices are enforced and that businesses in their jurisdiction that break them are punished.

The directive establishes two general conditions to apply in determining whether a commercial practice is unfair: (1) the practice is contrary to the requirements of professional diligence, and (2) the practice materially distorts consumers' behavior. The directive will ban unfair advertising, marketing, and other commercial practices used by businesses. Practices that are misleading or aggressive, such as spam, also will be banned. In short, businesses will be able to advertise and sell to all consumers in the EU based on one set of EU-wide rules. Consumers will have access to a greater range of offers and the same rights whether they buy from a local store or from another EU country online.

The directive's spam clauses establish opt-in as the default rule for commercial e-mail, but the ban on unsolicited e-mail doesn't apply to existing customer relationships. In addition, all commercial e-mails must have an opt-out feature and Web surfers must be told about sites' cookie procedures up front, allowing consumers to refuse cookie-based data collection. The directive also specifies that users must give explicit permission for their personal data to be included in public directories.

The directive's most controversial clause states that ISPs may allow third parties to access consumers' data without the users' permission only in in the event of criminal investigations or matters of national or public security, or when doing so would be a "necessary, appropriate, and proportionate measure within a democratic society," according to the directive's text. Each EU member state can legislate its own policies on data retention--namely, whether ISPs would be required to retain information on customers' Internet activity in the event of future police investigations or whether such data would only begin to be collected in the event that an investigation is launched.

The European Commission (EC) expects to adopt a communication on spam this fall. It would focus on effective enforcement, notably through international cooperation, technical measures for countering spam, and consumer awareness. The proposed measure would first be tested with member states and interested parties at a workshop in October.

International Cooperation

Because spam is a global nuisance, international cooperation must be a key element in any attack waged against it. During a recent visit with the Federal Trade Commission, European Commissioner for Information Technology and Enterprise, Erkki Liikanen, stressed the need for a global approach to the problem and offered to host an Organisation for Economic Cooperation and Development (OECD) workshop on spam in 2004 to provide a forum for global experts to discuss a solution. To draw more attention to the issue and foster cooperation, the EU also requested that the issue of international cooperation in the fight against spam be included in the action plan to be adopted at the World Summit on The Information Society to be held in December in Geneva.

EU legislation banning unwanted e-mail comes into effect in October, but European leaders say the law will have little effect on the global flood of spam unless other nations enact similar tough laws. Several studies have estimated that as much as one-third of all spam originates in the United States and, according to IT World, French and Belgian data protection officials estimate that 85 percent of all spam in their countries is in English. In the United States the practice is not illegal, but spam has not been totally banned in any country yet.

EU leaders say the opt-out approach favored by U.S. lawmakers and businesses is not sufficient, however, especially when the volume and cost of spam increases each day. According to EU officials, attempts to combat spam would be hampered unless the United States introduces an outright ban. Cooperation with the United States "would be restricted if we end up with an opt-out system in the United States;' said Philippe Gerard, an official in Liikanen's office. "U.S. authorities appear to be focusing only on spam that is deceptive or worse. We, on the other hand, believe that even the harmless spam messages are a serious problem because of the enormous volume of them."

Stefano Rodota, president of the Italian Data Protection Commission, told the United Kingdom's PC Advisor that even if the U.S. government chooses the opt-out route, American businesses may try to stop spam on their own. "A big part of the business community in the U.S. is moving toward opt-in because [large] firms ... view spam as a threat to their abilities to sell their products over the 'Net," he said.

Already, Microsoft has filed lawsuits against 15 alleged e-mail spammers in the United States and the United Kingdom, accusing them of clogging its and its customers' computers with more than 2 billion unsolicited e-mail messages.

Canada's Stance on Spam

While Canadian laws such as the Privacy Act detail what organizations can and can't do with an individual's private information and who has the right to view or use this information, they don't address spam directly, nor do they stipulate punishment for marketers' fraudulent activities. However, in the past two years several Canadian jurisdictions have taken legislative or regulatory action to curtail junk e-mail. None of them prohibits e-mail solicitation, but they are aimed at requiring e-mail marketers to obtain consumer consent.

According to Industry Canada, computer mischief offenses could apply in cases where spamming would interfere with or obstruct a person's access to data or use of a computer system and the sender was reckless in that he or she understood that this would likely occur. Such mischief is punishable by up to 10 years in prison.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect January 1, 2001, e-mail addresses are considered personal information and thus are subject to the provisions of the act. In October 2002, the privacy commissioner found several major organizations that provide communications services at fault for failing to obtain consent from their customers before using their addresses for secondary purposes, such as commercial solicitation.

Editor's Note: For more information on Canada's PIPEDA, see "Protecting Privacy in Canada's Private Sector," in the July/August 2003 Information Management Journal.

Nikki Swartz is Associate Editor of The Information Management Journal. She may be contacted at
COPYRIGHT 2003 Association of Records Managers & Administrators (ARMA)
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Capital edge: legislative & regulatory update
Author:Swartz, Nikki
Publication:Information Management Journal
Date:Sep 1, 2003
Previous Article:Resurrecting shredded documents.
Next Article:Sony announces PetaSite SAIT-based storage libraries.

Related Articles
Spamming gets a closer look: the U.S. government is taking more action than other countries against unwanted e-mail. (Capital edge: legislative &...
A spam attack. (Stateline).
Monster in your computer: infectious spam weaks inbox havoc. (Spotlight).
Finding the cure: although insurers don't typically target new prospects via e-mail, legal definitions of spam could affect communication with...
Spam rules: will they mean less--or more?
Escalating spam wars: districts need multiple tools to fight the rising tide of junk.
Are associations spammers, too? What you should know about the new CAN-SPAM law before you hit "send.".
Euro spam confusion.
Staying safe online: there are steps you can take to cut down on spam, viruses and spyware.
OFT and EU host international spam summit.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters