Galexia


Article - NOIE proposes anti-spam legislation (May 2003)



A report by the National Office for the Information Economy (NOIE) recommends that the Government introduce legislation to prohibit the sending of unsolicited commercial email (spam).

The NOIE report proposes a multi-level approach to attacking spam, including:

  • The introduction of national legislation banning the sending of commercial electronic messaging without the prior consent of end users unless there is an existing customer-business relationship (i.e. an opt-in approach);
  • The requirement for all commercial electronic messaging to contain accurate details of the sender’s name and physical and electronic addresses;
  • Collaboration with industry bodies to implement codes of practice to ensure the compliance of their members with national legislation;
  • Requirement for ISPs to make available to clients filtering options from an approved schedule of spam filtering tools at reasonable cost, and evaluate and publicise spam filtering options and products;
  • Australia working together with international organisations such as OECD and APEC to develop global guidelines and cooperative mechanisms to combat spam;
  • The development of a major information campaign to raise awareness of the nature of spam, provide simple technical advice and a basic guide to anti-spam products.

The Government has accepted the report’s recommendations, noting that ‘the report provides a blueprint for government, industry and users to start making inroads against the problem. The report makes it clear that there is no silver bullet against spam, but there are many roles that all parties can play in dealing with the issue.’[1]

The report is available online at: http://www.dcita.gov.au/__data/assets/pdf_file/21064/SPAMreport.pdf

The following text summarises the key findings and recommendations of the report.

Introduction

‘Spam’ is the term now generally used for unsolicited and unwanted electronic messaging, particularly email. In February 2002 Senator the Hon Richard Alston, Minister for Communications, Information Technology and the Arts, requested the National Office for the Information Economy (NOIE) to review the extent of problems caused by spam, the adequacy of current measures to counter the problem and possible additional measures that may be necessary.

This initiative by the government occurs at a time when spam is seen in most countries as moving quickly from a nuisance to a serious problem. Email is now a significant communications channel and anything which affects its functionality is of concern. Australians, like Internet users around the world, have real concerns about the content of much spam, particularly pornography, financial scams and dubious products. Many people find spam an unwelcome intrusion into their personal lives and are unhappy about the way in which their personal details, including email addresses, are collected and used without consent.

In its review of spam NOIE has consulted widely with technical experts, industry associations, service providers and Internet users, through direct submissions and by commissioning AC Nielsen.consult to undertake a survey of Australian Internet Service Providers. An interim report of NOIE’s findings was published in August 2002.

Key findings

Spam is a significant and growing problem. It represents at least 20% of all email traffic and this proportion appears to be growing rapidly. It is creating significant productivity costs for business and the community, threatening IT systems and network integrity and significantly increasing the task faced by regulatory authorities because of its content.

The biggest single factor leading to spam growth is the low cost of sending such material. This is the result of complex infrastructure and service pricing arrangements and is unlikely to be easily resolved. Nevertheless there may be some scope for the industry to address this on a commercial basis.

There is a growing demand for some form of specific legislation by the Commonwealth with regard to spam. Legislation can limit the sending of Australian-sourced spam and enhance user rights, and may facilitate agreements with other countries to limit spam. However, national legislation per se is not a comprehensive answer to the problem because of the difficulties in identifying spammers, lack of jurisdiction over offshore offenders and competing priorities faced by law enforcement and regulatory agencies. Rather, national legislation should be seen as an important component which complements and reinforces other elements of a comprehensive response to the problem of spam as set out in this report.

Australia should therefore pursue a spam reduction strategy which balances regulatory, self-regulatory, technical and consumer information elements.

The global nature of spam requires any Australian spam reduction strategy to be supplemented by cooperation with other countries at both the policy and operational levels.

Recommendations from the NOIE report[2]

Legislation

1. National legislation be introduced with the following key features:

a. No commercial electronic messaging to be sent without the prior consent of the end user unless there is an existing customer-business relationship;
b. All commercial electronic messaging to contain accurate details of the sender’s name and physical and electronic addresses;
c. A co-regulatory approach with industry including recognition of appropriate codes of practice;
d. Appropriate enforcement sanctions.

Industry

2. Industry bodies such as the Internet Industry Association (IIA), the Australian Information Industries Association (AIIA) and their members should:

a. Build on existing work done by the IIA and implement codes of practice to ensure compliance with national legislation (i.e. preclude spam being sent where there is no existing customer-business relationship), prohibit use of members’ own facilities for sending spam and provide clear complaint procedures for end users;
b. Develop better practice guidelines which provide a resource for both members and end users to combat spam;
c. Require ISPs to make available to clients filtering options from an approved schedule of spam filtering tools at reasonable cost, and evaluate and publicise spam filtering options and products;
d. Configure servers appropriately and take action to close down identified open relay servers.

3. The Internet industry should develop and use a list of known spammers so that Internet Service Providers (ISPs) can make better informed decisions about dealing with customers who have a record of spamming.

International Co-operation

4. Australia should work with the OECD, APEC and other relevant multilateral bodies, and bilaterally where appropriate, to develop international guidelines and cooperative mechanisms which:

a. Aim to reduce the total volume of spam;
b. Apply the opt-in principle where practicable;
c. Minimise false or misleading subject lines and header information;
d. Provide end users with information on anti-spam measures.

5. Australian Government agencies should work with partner country agencies to counter spam within appropriate legislative mandates. The International Consumer Protection and Enforcement Network, in which Australia participates through the ACCC, is one model for such cooperation.

Partner Agencies and other legislation

6. Regulatory agencies, in particular the Australian Competition and Consumer Commission (ACCC), the Australian Securities and Investment Commission (ASIC) and the Office of the Federal Privacy Commissioner, should ensure that relevant legislation is fully applied to spam.

7. The current review of Schedule 5 to the Broadcasting Services Act 1992, which regulates access to hosted pornographic and highly offensive Internet content in Australia, should consider whether additional steps should be implemented to minimise exposure of Internet users, particularly minors, to pornographic and other offensive spam.

8. The creation of a new offence of using a carriage service to commit any Commonwealth offence should be considered further by the Attorney-General’s and Treasury Departments.

9. The application of the Privacy Act 1988 to spam should be considered further by the Attorney-General’s Department and the Federal Privacy Commissioner in the context of ongoing administration of that legislation.

Information

10. An information campaign on spam should be conducted for an initial period of twelve months, to raise awareness of the nature of spam and to provide resources for anti-spam measures by businesses and end users. This should be co-ordinated by NOIE in conjunction with relevant government and non-government bodies. It should include a clear guide to avenues of complaint available under existing legislation, simple technical advice and a basic guide to anti-spam products.

11. NOIE should continue to monitor and publicly report on spam volumes and characteristics, and developments in spam counter-measures.

Conclusion

Spam may well have few obvious redeeming qualities, but this does not of itself mean that it is an issue of public policy. However, the significant growth in spam volumes and the consequential user resistance do make the issue a legitimate one for government. The problems raised do not fall neatly into any one category, but involve, with regard to the distribution of spam, aspects of telecommunications, privacy and the general utility of the Internet; and, with regard to the content of spam, aspects of law enforcement, consumer protection and generally offensive material.

The recommendations in this report address both distribution and content aspects of spam, proposing additional measures and better international coordination. Ultimately, like most policies involving regulation of Internet-based activity, the issue is best dealt with by a range of measures involving governments, business, users and technical experts.

Spam - Frequently Asked Questions - from NOIE[3]

What is spam?

An agreed definition is important in making any anti-spam provisions effective. Internet service providers (ISPs) and regulatory authorities need to be reasonably confident of this definition before they enforce their terms and conditions or any regulations or laws against spammers, as do legitimate direct marketers who want to ensure their activities remain both legal and ethical.

For the purposes of the NOIE report, spam is defined as unsolicited electronic messaging, regardless of its content.

What content does spam contain?

The table below is taken from the AC Nielsen.consult survey commissioned by NOIE, and suggests that pornography and ‘get rich quick’ schemes are the most dominant categories of spam.

  • Pornography
  • Illegal content
  • Health
  • Pharmaceuticals
  • Get rich quick / work from home
  • Financial products/assistance offers
  • Casinos

What major problems are caused by spam?

Spam poses several challenges to both Internet users and regulatory agencies. It is typically anonymous, indiscriminate and global. With these characteristics spam has become a popular vehicle for promotions that may be illegal, unscrupulous or use tactics that would not be commercially or legally viable outside the virtual environment. A report to the US Federal Trade Commission (FTC) estimates that roughly half of all unsolicited commercial email contains fraudulent or deceptive content. Some of the key issues raised by spam include privacy, illegal/offensive content, misleading and deceptive trade practices and burdensome financial and resource costs.

Privacy

There are significant privacy issues surrounding the manner in which email addresses and personal information are collected and handled. It is not uncommon for address collectors to covertly harvest email addresses from the Internet, as users visit certain sites, and buy and sell them in bulk without the knowledge or consent of the owner.

Content - pornography, illegal online gambling and unlawful trade practices

There are obvious community and regulatory agency concerns with the illicit content of a considerable amount of spam - including those that promote pornography, illegal online gambling services, pyramid selling, get rich quick schemes or misleading and deceptive business practices. The indiscriminate method of distribution is of particular concern as it is common for minors to receive spam that is pornographic, illegal or offensive.

Deceptive practices - ‘spoofing’

Spoofing is the forgery of an email header so that the message appears to have originated from an entity or location other than the actual source. Spammers may use spoofing to route spam through a reputable organisation in an attempt to entice recipients to open and respond to their messages. There are significant costs to the victims in terms of damage to commercial reputation as well as time and resource costs in rectifying this damage.

Financial costs

The dollar cost of spam is inherently difficult to estimate, but the following provides some appreciation of the orders of magnitude involved.

A European Union study in 2001 estimates that the worldwide cost of spam to Internet subscribers could be in the vicinity of €10 billion (A$18.4bn) per year. A recent study from Ferris Research estimates that US companies alone lost US$8.9 billion (A$15.2bn) in 2002 and estimates that the cost of spam in Europe was US$2.5 billion (A$4.3bn). According to figures from Star Internet, a large Internet service provider in the UK, the cost to business in lost productivity is estimated at £326 (A$915) per employee each year. Erado’s 2002 white paper on spam, viruses and other unwanted content estimates that the annual cost of spam per employee is around US$1000 (A$1709).

These sorts of costs are usually borne by Internet users (and/or employers), through increased download times and lost productivity. Spammers themselves, on the other hand, bear relatively small costs in sending these messages. Email costs do not scale like sending surface mail or making telephone calls - the cost of sending out a million emails is not significantly more than the cost of sending out a hundred. IBM’s Almaden Research Centre in 1998 estimated that it cost between $0.000082 and $0.000030 to send a single email, and data from the Global Internet Project site suggests that it only costs the sender of spam 0.00032 cents to obtain one email address. The extremely low cost of sending spam, meaning that even a ‘hit rate’ of below 1% can be profitable, is the biggest single factor leading to its growth.

Resource costs

Spam being received by ISPs is using significant amounts of bandwidth. Assuming that the average email size is 5 kilobytes, a gigabyte of spam represents over 200,000 individual messages. Based on these estimates, the table above indicates that even the small ISPs surveyed may be receiving more than 4 million spam messages a month, and that the medium-sized ISPs surveyed may be receiving up to six times as many.

What percentage of emails are spam?

Data released by Brightmail Inc, a business specialising in anti-spam software and managed anti-spam services, indicates that spam accounts for 20% of all email. Recently the Gartner Group has estimated that 35% of all inbound business messages are currently spam, and that this percentage will reach 50% by 2005.

Where is spam coming from?

The majority of spam received by Australian ISPs originates from the United States. However, the actual percentages shown may be misleading. Research from the University of Maryland presented at the INET conference in June 2002 suggests that the US may be over-represented as a spamming origin because Eastern European and Asian spammers may be taking advantage of ‘open relays’ in the United States. Open relays are essentially non-secure email servers through which large volumes of spam can be routed, typically without the owner’s knowledge.

A 1999/2000 survey by the Australian based Coalition Against Unsolicited Bulk Email (CAUBE) estimated that Australia accounted for about 16% of all spam sent globally. In recent discussions CAUBE has suggested this percentage (although not the total volume) may have decreased significantly in recent years as the volume of spam from other regions, such as Asia and Eastern Europe, has increased.

Western Europe was not regarded by any Australian ISP as being the primary source of spam, possibly because of relatively strong European privacy laws which are currently being reinforced through an EU directive requiring a qualified opt-in for commercial email.

How quickly is the volume of spam in Australia growing?

Whilst users will receive different quantities of spam depending on the availability of their email addresses, Internet use and security awareness, there is evidence to suggest that the average incidence of spam received by Australian Internet users is growing rapidly. CAUBE tracked the amount of spam received at their survey email address and found that spam grew in volume by a factor of six in 2001. Brightmail is reported to have detected a 300% increase in spam from 2001 to 2002.

Apart from indicating an increasing population of spammers, or more aggressive spamming, this growth may be partly attributable to increasing Internet penetration in Australia, as well as a possible increase in the duration and frequency of online sessions and consequently greater exposure of Internet users to spamming.

This is certainly reflected across Australia’s business sector. According to the Australian Bureau of Statistics (ABS) Business Use of Information Technology Survey, Internet connectivity levels reached 72% of all businesses at June 2002. This was an increase of 167% since June 1998.

Data from the previous year’s ABS survey estimated that 26% of all online businesses in Australia reported using the Internet for marketing purposes. This was a 221% increase over the June 1998 estimate and indicates that the demand for the specialist services of direct marketers will also increase as more and more businesses seek assistance in maximising the benefits of the Internet as a relatively inexpensive mass-marketing tool.





[1] <http://www.agimo.gov.au/media/2003/04/3241.html>

[2] <http://www.dcita.gov.au/ie/publications/2003/04/spam_report>

[3] <http://www2.dcita.gov.au/ie/trust/improving/spam_home>