E LAW - MURDOCH UNIVERSITY ELECTRONIC JOURNAL OF LAW
ISSN 1321-8247
Volume 11 Number 1 (March 2004)
Copyright E Law and author
ftp://law.murdoch.edu.au/pub/elaw-issues/v11n1/quo111.txt
http://www.murdoch.edu.au/elaw/issues/v11n1/quo111.html
________________________________________________________________________
Spam: Private and Legislative Responses to Unsolicited Electronic Mail in
Australia and the United States
Shirley Quo
Deakin University School of Law
Contents
* Introduction
* Definition of Spam
* Technical Solutions
* Commonwealth Best Practice Model
* Industry Codes
o Australian Direct Marketing Association ("ADMA")
o Internet Industry Association ("IIA")
* NOIE Report
* Australian Position
o Spam Act
o Existing Australian Legislation
+ Commonwealth Criminal Provisions
+ Trade Practices Act 1974 (Cth)
+ Privacy Act 1988 (Cth)
o Australian Case Law
+ R v Hourmouzis
+ ACCC v SkyBiz.Com Inc
+ ACCC v Chen
+ ACCC v Internic Technology Pty Ltd
* United States Position
o Federal Anti-Spam Legislation
+ Anti-Spam Act of 2003
+ Ban on Deceptive Unsolicited Bulk Electronic Mail Act of
2003
+ REDUCE Spam Act of 2003
+ Criminal Spam Act of 2003
o State Anti-Spam Laws
+ Washington
+ California
+ Illinois
+ Virginia
+ Delaware
o US Case Law
+ CompuServe Inc v Cyber Promotions Inc ("CompuServe")
+ America Online Inc v IMS
+ Hotmail Corporation v Van Money Pie
+ Intel Corporation v Hamidi
* Jurisdiction and Enforcement
* Policy Considerations
* Conclusion
* Glossary
* Bibliography
o Articles/Books/Reports
o Case Law
o Legislation
* Notes
Acknowledgement: I would like to thank Elspeth McNeil, Assistant
Lecturer, Law Faculty, Monash University for her feedback and
comments. Any errors are my own.
Introduction
1. According to Brightmail, a provider of anti-spam technology, it
filtered over 91 billion electronic mail messages ("email") in
February 2004, of which 62 per cent were identified as spam, up from
50 per cent six months ago.[1] In Australia, the time and bandwidth
lost to spam is estimated to cost business up to $2 billion a year.[2]
2. The National Office for the Information Economy ("NOIE") has estimated
that spam accounts for approximately 50 per cent of world-wide emails
and is growing rapidly.[3] The Internet service provider, America
Online ("AOL"), has reported that it blocks approximately two billion
spam emails per day.[4] That equates to about 7[5] spam emails per
customer. According to a report released by the All Party Internet
Group ("APIG") in October 2003, about half the overall email volume
globally was spam that is, 10 billion spam emails were sent per day.5
Statistics vary partly because of how spam is defined but it is clear
that spam is a significant and growing problem.
3. This paper will propose a definition of spam and discuss the problems
caused by spam. Both private and legislative approaches, which have
been used to address the spam problem will be reviewed, that is,
technical measures, regulatory and self-regulatory strategies,
litigation under existing legislation and common law theories.
Anti-spam legislation in the United States ("US") that specifically
targets spam will also be examined.
4. The Australian Spam Act 2003 (Cth) ("Spam Act") and the current
legislative regime relevant to spam control will also be discussed.
This will be followed by a summary of relevant Australian case law.
5. Lastly, problems of enforcement and jurisdiction will be raised
followed by policy considerations.
6. It is concluded that current measures to counter the spam problem are
inadequate and an international approach is necessary because spam is
generally impervious to national boundaries and the largest source of
spam in Australia comes from overseas, particularly the US.
Definition of Spam
7. Spam is generally used to refer to unsolicited or unrequested junk
emails over the Internet, unsolicited commercial emails ("UCE"), or
unsolicited bulk emails ("UBE"). The two most common definitions of
spam are UCE and UBE.[6] Spam is unsolicited if there is no prior
relationship between the parties and the recipient has not explicitly
consented to receive the communication. The main problem with spam
lies in the volume of email messages, not their content.[7] This is
supported by the statistics on spam volume. However it should be noted
that there is an overlap between UCE and UBE.
8. If one accepts that the main problem with spam is volume, the UBE
definition seems to make more sense. Whatever definition of spam is
used, there are likely to be significant problems in defining
precisely what is meant by 'commercial' or 'bulk' email and these
definitional problems may serve as a barrier to effective responses to
the spam problem.[8]
9. Similarly, the NOIE notes that an agreed definition of spam is
important in making any anti-spam provisions effective. Internet
service providers ("ISPs") and regulatory authorities need to be
reasonably confident of this definition before they enforce their
terms and conditions or any regulations or laws against spammers, as
do legitimate direct marketers who want to ensure their activities
remain both legal and ethical.
10. The NOIE defines spam as unsolicited electronic messaging, regardless
of its content.[9] This definition takes into account bulk email and
is deliberately technology neutral insofar as is possible to take into
account the convergence of technologies and media. This definition of
spam would include not only email but also other forms of online and
mobile messaging. This is broader than the more common definition of
spam.
11. Spam is defined by the Internet Industry Association ("IIA") as
electronic mail that is unrequested by the recipient and is of an
advertising or promotional nature, except where the predominant
purpose of the email is that of a contractual, operational or other
service-related customer notice.
12. The Spam Act does not explicitly define spam however it prohibits the
sending of unsolicited commercial electronic messages. An unsolicited
commercial electronic message is defined in section 6 of the Spam Act.
Relevantly paraphrased, a commercial electronic message is an
electronic message the purpose of which is to advertise, promote or
offer to supply goods or services; to advertise or promote a supplier
of goods or services; to advertise, promote or offer to supply land or
an interest in land; to advertise or promote a supplier of land or an
interest in land; to advertise, promote or offer to provide a business
opportunity or investment opportunity; or to advertise or promote a
provider of a business opportunity or investment opportunity.
13. For the purposes of this paper, spam is defined as unsolicited emails,
which are generally commercial in nature, usually transmitted to a
large number of recipients. The word 'commercial' is generally used to
refer to advertising, promoting or offering to supply goods or
services. This definition encompasses the majority of spam with the
exception of other forms of online and mobile messaging which are
beyond the scope of this paper.
Technical Solutions
14. Despite the development of filtering mechanisms, it is estimated that
the cost of spam to Australian businesses in lost productivity is $960
per employee, per year, and the situation is unlikely to improve in
the near future.[10] The advocacy group, Electronic Frontiers
Australia has estimated, that spam filters are 80 to 90 per cent
effective.[11]
15. There are several types of technical tools that will assist in
filtering or blocking spam. Filters are programs that block access to
email based either on a list of banned sites or keywords and phrases.
Some also stop search engines from searching on unsuitable topics and
block access to newsgroups, chat rooms and email. However, as well as
blocking inappropriate sites or content, they may also block valuable
and inoffensive sites.
16. Filtering, anti-virus and firewall products use strategies including
Bayesian logic to intercept spam. These products may be applied either
by ISPs or corporate networks at the level they receive mail or by end
users.
17. Whitelists and blacklists are forms of filtering used to manage spam
by focusing on certifying legitimate email sources. This option
includes the use of approved sender lists or do-not-email lists. They
allow businesses and individuals to set permissions that allow email
only from approved sources or may be used in conjunction with a
filtering option.
18. System administrators can also close open relays to avoid having their
email server used to send spam. A mail system should accept only
incoming mail that it delivers locally, based on email addresses; and
it should deliver only outgoing mail that originates locally, based on
Internet Protocol ("IP") addresses, to be secure from being used as a
relay.
19. The technical solutions to deal with spam can provide a significant
reduction in the amount of spam individuals receive but it is at best
an imperfect solution, and in no way alleviates the load of spam on
the Internet 'backbone' before it reaches the recipients' ISP. They do
not address the fundamental aspects of the problem as they only deal
with spam once it has arrived in-country and therefore do not deal
with the problem of the stress spam is causing the Internet
infrastructure.
20. Another problem with technical approaches is the deleterious effects
they can have on legitimate communications that is, false
positives.[12]
21. Technical approaches are unlikely to completely eradicate spam because
of the inherent openness of the Internet and email protocols. Some
technical approaches have also been criticised because of lack of
transparency and accountability for example, blacklists.[13] Further,
spammers are constantly finding new ways to circumvent the filtering
software, such as deliberately misspelling words in the subject field
of the email to avoid word recognition software.[14]
Commonwealth Best Practice Model
22. In 2000, the Australian Government released Building Consumer
Sovereignty in Electronic Commerce: A Best Practice Model for Business
("Best Practice Model").[15]
23. Clause 23 of the Best Practice Model provides that businesses should
not send commercial email except to people with whom they have an
existing relationship; or to people who have already said they want to
receive commercial email; and businesses should have simple procedures
so that consumers can let them know they do not want to receive
commercial email.
24. Any business or industry association engaging in business to consumer
("B2C") electronic commerce is encouraged to adopt the Best Practice
Model. However, as the name suggests, the Model is not mandatory and
there are no sanctions for non-compliance.
Industry Codes
25. The NOIE has suggested that a co-regulatory model, involving industry
participation and codes of practice working in concert with
underpinning legislation where needed could be effective in countering
spam.[16] Codes of practice developed by industry bodies can be
submitted to the Australian Communications Authority ("ACA") for
registration.[17] Once a code is registered, the ACA will be able to
direct industry participants to comply.
26. Although there are no registered industry codes of practice dealing
with spam, two industry-based voluntary codes of practice aimed at
preventing spam are discussed below.
Australian Direct Marketing Association ("ADMA")
27. The ADMA is a self-regulatory body for the direct marketing industry.
It has a Code of Practice developed in consultation with the
Ministerial Council of Consumer Affairs, the Australian Competition
and Consumer Commission ("ACCC") and consumer and business groups. The
ADMA has put in place a series of self-regulatory mechanisms to ensure
that organisations, which are members of ADMA, use electronic
marketing techniques responsibly.[18] These measures include:
o Compulsory opt-out on email messages, even to existing customers
o Clear privacy policies
o Online marketing guidelines that explain responsible use of email
o Consumer advice on avoiding spam
o Data Management Guidelines on securing and maintaining customer
data.
28. An independent Code Authority was established to monitor compliance
with ADMA's Code of Practice. The Code Authority receives complaints
and can sanction ADMA members in a range of ways, the ultimate of
which is the revocation of membership.
29. While the Code of Practice appears to be effective for those
organisations that are members of ADMA, it imposes no restriction on
those organisations or individuals that are not members.
Internet Industry Association ("IIA")
30. The IIA is the national Internet industry organisation in Australia.
The Internet Industry Privacy Code of Practice (draft) provides that
its members and code subscribers must not spam and must not encourage
spam with exceptions in the case of pre-existing relationships
(acquaintance spam).[19] IIA members and code subscribers who do use
acquaintance spam must provide recipients with the capability of
opt-out and must include opt-out instructions in the email. The
Privacy Code provides that members should have an Acceptable Use
Policy that prohibits spam and services that depend on spam and
install relay protection on their mail servers to prevent spammers
from using the relay to evade detection.[20]
31. The Privacy Code[21] prohibits IIA members, including ISPs, from
sending direct marketing messages without the recipient's
permission.[22]
32. As with ADMA, IIA codes only apply to its members and code
subscribers.
NOIE Report
33. The NOIE recommended that the Australian Government enact legislation
to prohibit dissemination of unsolicited commercial email. It also
suggested that Australia pursue a spam reduction strategy, which
balances regulatory, self-regulatory, technical and consumer
information elements. In summary, the NOIE proposed that:[23]
1. National legislation should be introduced with these features:
+ No commercial electronic messaging to be sent without the
prior consent of the end user unless there was an existing
customer-business relationship;
+ All commercial electronic messaging to contain accurate
details of the sender's name and physical and electronic
addresses;
+ A co-regulatory approach with industry including recognition
of appropriate codes of practice;
+ Appropriate enforcement sanctions.
2. Industry bodies should:
+ build on existing work done by the IIA and implement codes
of practice to ensure compliance with national legislation;
prohibit use of members' own facilities for sending spam and
provide clear complaint procedures for end users;
+ develop better practice guidelines to combat spam;
+ require ISPs to make available to clients filtering options
from an approved schedule of spam filtering tools at
reasonable cost and evaluate and publicise spam filtering
options and products;
+ configure servers appropriately and take action to close
down identified open relay servers.
3. Australia should work with the OECD and other multilateral bodies
to develop international guidelines and cooperative mechanisms
which would:
+ aim to reduce the total volume of spam;
+ apply the opt-in principle where practicable;
+ minimise false or misleading subject lines and header
information;
+ provide end users with information on anti-spam measures.
+ Australian Government agencies should work with partner
country agencies to counter spam within appropriate
legislative mandates.
+ Regulatory agencies like the ACCC, Australian Securities and
Investments Commission ("ASIC") and the Office of the
Federal Privacy Commissioner should ensure that relevant
legislation is fully applied to spam.
34. As a result of the NOIE Report, the Australian Government introduced
the Spam Act, which is discussed below.
Australian Position
35. The Federal Government's anti-spam legislation, the Spam Act and the
Spam (Consequential Amendments) Act 2003 (Cth),[24] received Royal
Assent on 12 December 2003 and comes into effect on 10 April 2004.
This legislation will target spammers and the techniques they use to
send Australian consumers unsolicited and offensive electronic mail,
while protecting the right to free speech. It will also play an
important role in the Federal Government's multi-layered approach to
the global nuisance of spam.
36. Prior to the introduction of the Spam Act, no existing legislation was
explicitly drafted to address the issue of spam.
Spam Act
37. The Spam Act sets up a scheme for regulating the sending of commercial
electronic messages. Subsection 16(1) of the Spam Act prohibits the
sending of unsolicited commercial electronic messages but the Act also
contains rules regulating the sending of general commercial electronic
messages, regardless of whether or not they are unsolicited.[25]
38. According to the Explanatory Memorandum, the Spam Act is aimed at
reducing Australia as a source of spam, minimising spam for Australian
end-users and extending Australia's involvement in worldwide anti-spam
initiatives.
39. The Australian Government has acknowledged that legislation alone will
not result in an immediate or dramatic reduction of the spam problem.
Spam is an international problem that can only be fully addressed
through international cooperation and coordinated action.[26]
40. The main elements in the Spam Act are summarised below:[27]
o A prohibition on sending unsolicited commercial electronic
messages which have an Australian link;[28]
o A prohibition on sending commercial electronic messages which
have an Australian link unless they include accurate information
about the individual/organisation who authorised the sending of
the message;[29]
o A prohibition on sending commercial electronic messages which
have an Australian link unless they include a functional
unsubscribe facility;[30]
o A prohibition on the supply, acquisition or use of
address-harvesting software or a harvested-address list;[31]
o A civil sanctions regime (not criminal offences) where breach of
a civil penalty provision may attract a substantial monetary
penalty;[32]
o A tiered enforcement regime, which provides for a range of
enforcement measures to be initiated by the ACA, depending on the
seriousness of the breach of a penalty provision.[33]
41. The legislation and the ACA would also facilitate and support the
development of industry codes, which complement and are consistent
with the legislation as suggested by the NOIE.
42. The Spam Act establishes an 'opt-in' system such that commercial email
may be sent to existing customers provided that the recipient has the
ability to 'opt-out'.[34] The proposed legislation is not intended to
adversely impact online marketing to bona fide existing customers.
However, this still gives considerable scope for the sending of junk
email because businesses would be able to lawfully send emails on
behalf of other businesses or to promote very different products or
services than the one that formed the original relationship.[35]
43. Exceptions will also apply to protect currently accepted government,
business and commercial practices, such as government to consumer
messages, and commercial messages to publicly advertised addresses
where the approach is specifically related to the addressees'
employment function. The Australian Government has come under
criticism for exempting government bodies, political parties,
charities, religious organisations and educational institutions from
the proposed legislation.[36] The fear is that this may prove to be a
loophole if these organisations interpret the legislation as meaning
that sending spam would be acceptable.[37]
44. The Australian Government proposes to review the legislation two years
after the commencement of the penalty provisions. The effectiveness of
any legislation can be judged either by its capacity to prevent the
targeted behaviour/activities or by the extent to which it enables
predictable, cost-effective prosecution of the offending individual or
organisation.[38] While it is too early to gauge the effectiveness of
the legislation, it has been recommended by the APIG that Australia
adopt rules that run as closely as possible along the lines of the
European Directive on Privacy and Electronic Communications
(2002/58/EC).[39] The basis of this recommendation is to ensure an
entirely consistent anti-spam regime in every country.
45. As an 'opt-in' law, the Spam Act should be more effective than the
'opt-out' legislation passed by the US Congress[40] that requires
Internet users to request that they be taken off mailing lists.
However, the legislation would have no effect on the amount of spam
Australian Internet users received from outside Australia, the source
of most spam.[41]
46. Another criticism of the Spam Act is that it defines spam as a message
sent without the recipient's consent. However, consent does not need
to be express, it can be inferred.[42]
47. It is unlikely that the legislation will have any impact on fraudulent
or offensive spam without legitimate sender information or
non-commercial UBE but it should cause a substantial reduction in
other types of spam.[43]
Existing Australian Legislation
48. Current legislation which may assist in countering the spam problem
include:
Commonwealth Criminal Provisions
49. The most recent Commonwealth legislation relating to criminal laws and
privacy is the Cybercrime Act 2001 (Cth) ("Cybercrime Act"). The
Cybercrime Act amended the Criminal Code 1995 to include new offences
such as virus introduction and denial of service attacks and is aimed
specifically at Internet activity.[44]
50. The Cybercrime Act has a very wide jurisdiction and covers offences
where the conduct constituting an offence occurs partly in Australia,
where the conduct occurs on board an Australian ship or aircraft and
where the person committing the offence is an Australian citizen or an
Australian company.[45]
51. Section 85ZE of the Crimes Act makes it an offence to use email in a
manner that is menacing, harassing or offensive.[46]
52. There are similar provisions under various state Crimes Acts.[47]
Trade Practices Act 1974 (Cth)
53. The consumer protection provisions in Part V of the Trade Practices
Act 1974 (Cth) ("TPA") prohibit false and misleading claims about
goods and services. This legislation can also potentially apply to the
issue of transparency in terms of falsified headers and false opt-out
options.[48]
54. The ACCC has taken action in a number of cases where email was used as
a vehicle to promote pyramid selling schemes.[49] The ACCC has also
filed proceedings in relation to domain name renewals containing
misleading and deceptive information which were sent via a number of
channels, including email.[50]
55. Like the Spam Act, the TPA is technology neutral and capable of
addressing all commerce in both the online and offline environments.
56. Subsection 52(1) of the TPA relevantly provides that a corporation
shall not, in trade or commerce, engage in conduct that is misleading
or deceptive or likely to mislead or deceive. This could be utilised
in some contexts where disclosing information would be involved. For
example, a website that sells information on customers to others,
notwithstanding that it has a privacy policy, could be liable for
misleading and deceptive conduct.
Privacy Act 1988 (Cth)
57. It is unclear whether there is a common law right to privacy in
Australia. The High Court decision in Victoria Park Racing &
Recreation Grounds Co Ltd v Taylor ("Victoria Park")[51] indicated
that there was no such right of privacy.[52] This issue was
reconsidered by the High Court in Australian Broadcasting Corporation
v Lenah Game Meats Pty Ltd ("Lenah")[53] The Court found that, on the
facts, it did not need to decide the issue of whether a right of
privacy existed at common law in Australia. It did not however rule
out the possibility.[54] Subsequently, in Grosse v Purvis[55] the
District Court of Queensland reviewed Lenah and noted that Gummow and
Hayne JJ, with whose reasons Gaudron J agreed, rejected the suggestion
that the High Court's decision in Victoria Park in fact stood for such
a proposition. The District Court held that there can be a civil
action for damages based on the actionable right of an individual
person to privacy.
58. The Privacy Amendment (Private Sector) Act 2000 (Cth) which amends the
Privacy Act 1988 (Cth) ("Privacy Act") makes certain acquaintance spam
illegal as of December 2001. Businesses covered by the provisions must
obtain permission from their customers in some situations prior to
using their email addresses for anything that can be construed as
spam.[56]
59. There are significant privacy issues surrounding the manner in which
email addresses and personal information are collected and
handled.[57] It is not uncommon for address collectors to covertly
harvest email addresses from the Internet, as users visit certain
sites, and buy and sell them in bulk without the knowledge or consent
of the owner.[58]
60. At present, there is no legislation specifically requiring a sender to
obtain a recipient's consent prior to sending spam to that individual,
either initially or on an ongoing basis. Under the Privacy Act, the
collection of personal information from public sources may require an
individual's explicit consent, but this aspect of the legislation has
not yet been tested.[59]
61. The National Privacy Principles ("NPP") do not prevent a business from
using personal information for the primary purpose for which it is
collected.[60] Accordingly, if a spammer collects personal information
from an individual or from anywhere else for the primary purpose of
spamming the Privacy Act may not prevent the spammer from using this
information in that way. Also in these circumstances the spammer is
under no legal obligation to give the recipient an opportunity to opt
out, or to comply with such a request. However this is subject to the
fair and lawful requirement in NPP 1.[61] Collection of personal
information includes gathering, acquiring or obtaining personal
information from any source and by any means. Collection is necessary
for the purposes of NPP 1 if an organisation cannot effectively pursue
a legitimate function or activity without collecting that information.
For the purposes of NPP 1 'fair' means without intimidation or
deception. In general, collection without the individual's knowledge
for example, through the use of cookies will not be considered
fair.[62]
62. Where spammers are subject to the Privacy Act and they collect
information about an individual indirectly, they will be required to
take reasonable steps to make the individual aware of the details
collected.[63]
63. Most of the obligations imposed by the NPPs relate to personal
information. 'Personal information' is defined by the Act as:
Information or an opinion (including information or an
opinion forming part of a database), whether true or not;
and whether recorded in a material form or not, about an
individual whose identity is apparent, or can reasonably be
ascertained, from the information or opinion.[64]
64. An email address may be considered to be personal information when it
contains a user's name or when it can be used in conjunction with
other information sources to identify the person.[65]
65. Although the Privacy Act has the potential to significantly lessen the
incidence of spam, there are some loopholes. The Privacy Act requires
companies to seek permission before sending advertising material to
individuals. However this is qualified by the words 'where it is
reasonable and practicable' to do so.[66]
66. The Guidelines to the NPPs also require that the consumer must opt-in
to any spam schemes as opposed to an easier standard where they might
be included unless they opt-out. However, in practice this rarely
occurs either through ignorance or deliberate avoidance. In any event,
there is limited enforcement of the responsibilities under the Privacy
Act.
67. The Privacy Act currently does not extend to many spammers including
those that send spam from overseas and small businesses that do not
trade in personal information.[67]
68. Because the amendments to the Privacy Act only commenced in December
2001, some of the NPPs only apply to information collected after that
date and not to information that was collected and retained by
organisations before the commencement of the amendment.[68]
Australian Case Law
69. These cases illustrate the limited range of existing legislation with
potential applicability to spam. As none of the existing legislation
was specifically intended to address spam, they are rarely used to
prosecute spammers, other than where there is a breach of consumer
protection legislation.
R v Hourmouzis [69]
70. Hourmouzis sent approximately four million spam emails to addresses
around the world intended to induce purchase of stock in a US company,
Rentech. He pleaded guilty to charges including interference with,
interruption of or obstruction of the lawful use of file server
computers operated by various companies by means of a telephone
facility operated by Telstra.[70] Hourmouzis also pleaded guilty to
making a statement or disseminating information that was false and
misleading and likely to induce the purchase of securities of Rentech
in breach of the Corporations Law.[71]
ACCC v SkyBiz.Com Inc [72]
71. The case involved the dissemination of false and misleading
information via unsolicited emails. The ACCC successfully alleged that
SkyBiz.Com, a US company, promoted a pyramid selling scheme in breach
of the TPA. In a settlement with the ACCC, SkyBiz.Com consented to
orders of the Federal Court.[73]
ACCC v Chen [74]
72. The ACCC filed proceedings against the operator of the website
"www.sydneyopera.org" for various breaches of the TPA including s 52.
It was alleged that Chen, a foreign resident, misrepresented to the
Australian public via unsolicited emails that his site was the
official booking site of the Sydney Opera House. Interlocutory
injunctions granted by the Federal Court required Chen to remove the
site from being accessible to Australian users.
ACCC v Internic Technology Pty Ltd [75]
73. In conjunction with the US Federal Trade Commission ("FTC"), the ACCC
alleged that Internic Technology, had been involved in misleading and
deceptive conduct as it had established a website that was deceptively
similar to a site owned by a US company known as InterNIC. InterNIC
provided a global register of second level domains and owned the
domain name internic.net. Internic Technology set up a business with
the same purpose. It effectively acted as an intermediary between
consumers and InterNIC but charged consumers significantly more for
the service. The ACCC alleged that consumers would be misled into
believing that they were dealing with the US company when they were
not. Internic Technology gave undertakings to the court that it would
no longer use the name 'internic' or any similar name and agreed to
refund consumers.
74. The case may prove to be a precedent in dealing with similar issues in
relation to spam which seeks to mislead the recipient as to the
identity of the sender, and its association with others. However,
whether or not simply using a false identity which has no direct or
implied association with another person or product falls within the
scope of the TPA is uncertain.[76]
United States Position
In general there is a stronger distinction drawn in the US between
commercial and non-commercial spam because of potential constitutional
barriers to any anti-spam legislation due to freedom of speech
concerns about the latter.[77]
Federal Anti-Spam Legislation
75. The Controlling the Assault of Non-Solicited Pornography and Marketing
Act 2003 ("CAN-SPAM Act") was signed by the US President on 16
December 2003 and took effect on 1 January 2004. The CAN-SPAM Act
requires unsolicited commercial emails to be labelled and to include
opt-out instructions and the sender's physical address. The law also
prohibits the use of deceptive subject lines and false headers in such
messages. There is a provision authorising the FTC to establish a
'do-not-email' registry. However, the legislation remains to be
tested.[78]
76. Some of the recent bills introduced in the 108th Congress are:[79]
Anti-Spam Act of 2003
77. The bill would require all commercial emails to be identified as such
and to include the sender's physical street address and an opt-out
mechanism; messages relating to a specific transaction and consented
to by the recipient would be exempt from those requirements. The bill
would prohibit commercial emails with false or misleading message
headers or misleading subject lines, and it would be illegal to send
commercial emails to addresses generated by an automated dictionary
attack.
Ban on Deceptive Unsolicited Bulk Electronic Mail Act of 2003
78. The bill would prohibit the inclusion of false information in message
headers in unsolicited bulk commercial email. It also would require
senders of unsolicited bulk commercial email to include opt-out
instructions and honour opt-out requests, and would prohibit them from
harvesting email addresses of potential recipients from web pages and
other sources.
REDUCE Spam Act of 2003
79. The Restrict and Eliminate the Delivery of Unsolicited Commercial
Electronic Mail or Spam Act requires unsolicited bulk commercial
emails to include a valid reply address and opt-out instructions and a
label ('ADV' or 'ADV: ADLT' or other recognised standard
identification). These requirements would apply to messages sent in
the same or similar form to 1,000 or more email addresses within a
two-day period. In addition, false or misleading headers and deceptive
subject lines would be prohibited in all unsolicited commercial
emails, whether sent in bulk or not.
Criminal Spam Act of 2003
80. The bill would prohibit unauthorised or deceptive use of a third
party's computer for relaying bulk commercial emails. It also
prohibits the use of false header information in bulk commercial
messages and regulates the use of multiple email accounts or domain
names for purposes of sending such messages. The law would apply only
to quantities of more than 100 messages within 24 hours or 1,000
within 30 days or 10,000 within one year.
81. Like the CAN-SPAM Act, the proposed Federal anti-spam bills favour an
opt-out system that would require UCE to include instructions for
removal. This means that there would be no requirement for recipients
to have given their permission for the email to have been sent. There
is concern that the effect of such a law would be to remove the stigma
attached to spam and lead to the volume of spam increasing.[80]
Another concern is that State laws adopting an opt-in sytem would be
pre-empted.[81] The CAN-SPAM Act relevantly states that the Act
supersedes any state law that expressly regulates the use of email to
send commercial messages, except to the extent that any such state law
prohibits falsity or deception in any portion of a commercial email or
information attached thereto.[82]
State Anti-Spam Laws
82. In the US, 36 states have passed anti-spam legislation. The most
restrictive is Delaware, which prohibits the sending of bulk UCE
outright unless the sender has the permission of the recipient
beforehand. In general, state UCE laws can be divided into three
categories - prohibiting the sending of UCE without making certain
disclosures; prohibiting the sending of UCE through an ISP's computer
network if doing so would violate the ISP's policies regarding UCE;
and prohibiting the sending of UCE containing false or forged email
transmission information.
83. The behaviour most commonly targeted is that which involves
concealment of the identity of the sender. Some of the State anti-spam
laws enacted are set out below.[83]
Washington
84. In Washington, it is illegal to send a commercial email that uses a
third party's domain name without permission; that contains false or
missing routing information; or with a false or misleading subject
line. The law applies if a message is sent from within Washington; if
the sender knows that the recipient is a Washington resident; or if
the registrant of the domain name contained in the recipient's address
will confirm upon request that the recipient is a Washington resident.
California
85. In September 2003, legislation was approved in California that made it
the second state after Delaware to adopt an opt-in rule for email
advertising. Under this legislation, it is illegal to send unsolicited
commercial email from California or to a California email address. The
law applies to senders as well as to advertisers on whose behalf
messages are sent. California's prior law approved in September 1998
required opt-out disclosures and subject line labels.
Illinois
86. In Illinois, it is unlawful to initiate an unsolicited electronic mail
advertisement if it contains false or misleading information in the
subject line. In addition, the law was amended in July 2003 to require
inclusion of the sender's valid reply email address for opt-out
requests, along with a label ('ADV:' or 'ADV:ADLT') at the beginning
of the subject line. The law applies to email that is delivered to an
Illinois resident via a provider's facilities located in Illinois. A
separate provision makes it illegal to send unsolicited bulk email
with falsified routing information or to distribute software designed
to falsify routing information.
Virginia
87. The Virginia Computer Crimes Act anti-spam provisions were amended in
April 2003 to make it a felony to falsify header or routing
information and to attempt to send UBE exceeding 10,000 messages a
day, 100,000 messages a month or 1 million a year. The underlying
statute has so far survived constitutional challenges and is grounded
on email passing through Virginia-based ISPs and allows Virginia
prosecutors to pursue criminal charges against spammers in other
states and jurisdictions.[84]
Delaware
88. It is illegal to send unsolicited bulk commercial email, to send
unsolicited bulk email containing falsified routing information in
violation of a provider's policies, or to distribute software designed
to falsify routing information. The law applies to messages sent into
Delaware from outside the state if the sender knew that there was a
reasonable possibility that the recipient was in Delaware.
89. US state anti-spam laws have been criticised as being singularly
ineffective in preventing spam with spammers routinely ignoring their
requirements.[85] According to the APIG, although there were
exceptions, the laws were often used to prosecute legitimate companies
who had made a technical error in compliance.[86]
90. There is also some concern that unless universal rules are adopted in
relation to labelling requirements such as 'ADV', the existence of
contradictory requirements in different jurisdictions will merely make
things more difficult for people sending permission-based email.[87]
Consistent labelling would also assist Internet users to filter out
spam.
US Case Law
91. There have been a number of successful prosecutions in the United
States, particularly by ISPs against spammers.
CompuServe Inc v Cyber Promotions Inc ("CompuServe") [88]
92. The plaintiff, an ISP, received complaints from its subscribers about
the amount of spam they were receiving from the defendant. The ISP
ordered the defendant to cease using its network for spamming in
accordance with its acceptable use policy. The defendant then began to
falsify the sender information in the headers of its messages and to
configure its server to falsify its domain name and IP address. The
ISP sued on the basis of the common law theory of trespass to
chattels.
93. Cyber Promotions relied on the First Amendment of the US Constitution
as its affirmative defence. In granting CompuServe's motion for a
preliminary injunction, the court held that CompuServe had a viable
claim for trespass under Ohio law.[89] The court indicated that
electronic signals generated and sent by computer are sufficiently
physically tangible to support a trespass cause of action and held
that the defendant's contact with the plaintiff's computers was
clearly intentional. The tort of trespass to chattels in US law
requires some actual damage as a prima facie element whereas damage is
presumed where there is a trespass to real property. The court held
that the diminished value of the ISP's computer equipment due to
spamming by the defendant and the draining of disk space and
processing power was sufficient damage to uphold the cause of action.
94. This is an example of 'aggravated spamming' that is, the defendant was
repeatedly ordered to cease and desist yet continued spamming. It
appears that the CompuServe trespass doctrine may be readily applied
to bulk mailers who have actual notice that they are trespassing but
would not apply to a one-time spammer or an individual using different
accounts or network providers for each unsolicited advertisement
sent.[90]
America Online Inc v IMS [91]
95. The plaintiff, AOL, alleged that IMS had unlawfully sent more than 60
million UCE over a 10-month period. AOL sued for false designation of
origin; dilution of interest in service marks; violation of the
Computer Fraud and Abuse Act; violation of the Virginia Computer
Crimes Act; and trespass to chattels under Virginian common law.
96. The court entered default judgments against the defendants and awarded
compensatory and punitive damages to AOL.
97. In so doing, the court followed the CompuServe case for authority as
the trespass law of Virginia was similar to that of Ohio.
98. Based on these cases, the common law doctrine of trespass to chattels
appears to be an effective weapon for ISPs in their fight against
spam.
Hotmail Corporation v Van Money Pie [92]
99. The plaintiff, Hotmail, sought an injunction to enjoin the defendants
from inter alia, infringing its trade name and service mark, engaging
in acts of unfair competition, committing trespass to chattels and
breaching its contract.
100. To become a Hotmail subscriber, one must agree to abide by a service
agreement, which specifically prohibits subscribers from using
Hotmail's services to send UCE. Under the agreement, Hotmail can
terminate the account of any subscriber who violates the terms of
service.
101. Hotmail discovered that the defendants were sending thousands of UCE
to its users which were intentionally falsified in that they contained
return addresses bearing Hotmail account addresses including Hotmail's
domain name and thus its mark when in fact such messages did not
originate from Hotmail or a Hotmail account. The messages advertised
pornography, bulk emailing software and get-rich-quick schemes.
102. The overwhelming number of emails took up a substantial amount of
Hotmail's finite computer space, adversely affected Hotmail's
subscribers in sending and receiving email, and resulted in
significant costs to Hotmail in sorting and responding to the
misdirected complaints.
103. The court found the defendants to have breached the Hotmail subscriber
service agreement by sending UCE from a falsely designated Hotmail
address and using a separate Hotmail account to return invalidly
addressed messages.
104. This is a useful cause of action where there is a contractual
relationship between the ISP and spammer and the terms of service
specifically proscribe the sending of UCE.
Intel Corporation v Hamidi [93]
105. After being dismissed from his employment by Intel, Hamidi aired his
grievances in mass emails sent to approximately 29,000 Intel
employees. Intel was unable to block the emails from entering its
computer systems and Hamidi ignored Intel's requests to stop sending
the emails. Intel brought civil proceedings, claiming that by
communicating with its employees over the company's email system,
Hamidi committed the tort of trespass to chattels. Hamidi argued that
his emails did not originate on Intel property nor were they sent to
Intel property - they were simply sent over the Internet to a server.
The trial court granted Intel an injunction preventing Hamidi from
sending any more emails to Intel's computer systems.
106. On appeal, Hamidi argued that the injunction violated his
constitutional free speech rights.[94] The appellate court upheld the
trial court's injunction.
107. The Supreme Court reversed the appellate court's decision.[95] The
court concluded that Intel did not have a claim for trespass to
chattels because it did not show that the emails caused physical
damage or functional disruption to Intel's email system or somehow
deprived Intel of the use of its computers. The contents of the
messages were what the company was objecting to. Consequential
economic damage such as loss of productivity did not constitute an
actionable trespass to Intel's personal property.
108. The Supreme Court distinguished CompuServe and its progeny where
trespass to chattels was used successfully against spammers. In those
cases, there was evidence that the vast quantities of mail sent by
spammers both overburdened and impaired the ISP's computers and made
the entire computer system harder to use for recipients, the ISP's
customers.
109. The decision has been criticised as issuing a licence to send
unsolicited non-commercial emails.[96] Although Hamidi sent thousands
of copies of the same message on six occasions over 21 months, the
court indicated that the number of emails was minuscule compared to
UCE.
Jurisdiction and Enforcement
110. Jurisdictional barriers together with practical issues of enforcement
are the most significant limitations of legal responses to spam.[97]
Email is generally unaffected by state and even national boundaries
due to the borderless nature of the Internet. Many email addresses
provide no indication of the addressee's physical location and an
email address that does include a geographic identifier can be used
from anywhere in the world.[98] Given this, it is difficult to see how
a spammer would know whether a recipient is in, say Washington, and
thus subject to the laws of that state by virtue of the fact that the
recipient is a Washington resident.[99]
111. Even if a state is able to exercise long-arm jurisdiction over a
foreign defendant, it may be difficult to locate and subsequently
enforce a judgment on someone in another state or country.[100]
112. The technology creates difficulties in determining the location at
which an event giving rise to a legal claim has occurred. Very few
decisions in Australia have dealt with jurisdiction in respect of
electronic commerce matters. Some guidance can be gained from overseas
cases likely to be taken into account by Australian courts, in
conjunction with the recent High Court decision, Dow Jones Inc v
Gutnick.[101] A detailed discussion of this issue is beyond the scope
of this paper.
113. In general terms, the jurisdiction of a court to hear a claim is
usually confined to matters with a requisite territorial connection.
This jurisdiction will be established over matters occurring within
the country's 'law area' that is, its geographical area. It will also
be established over persons having a defined connection with the law
area for example, through incorporation or registration in the country
or through residence. Such connecting factors vary from country to
country.[102]
114. In addition to extra-territorial issues, it is necessary to consider
the likelihood of judgments and orders of Australian courts being
recognised and enforced overseas. This is particularly relevant to
foreign Internet based businesses that are subject to a claim but have
no presence or assets in Australia. One must also consider whether an
injunction preventing the display of a website or website content is
suitable for enforcement given that the relevant website or website
content may not be in breach of the laws of other countries in which
the website is based or accessible.[103]
115. Approaches to recognition and enforcement of foreign judgments differ
from country to country and depend upon the application of complex
conflict of laws principles, the existence of relevant legislation,
for example, the Foreign Judgments Act 1991 (Cth) and bilateral
agreements between countries.[104]
Policy Considerations
116. While the application of existing common law theories to spam provides
a degree of flexibility that is not available in anti-spam
legislation, the unintended consequences that may result from
stretching the law in such a manner may outweigh the benefits of
avoiding legislation.[105]
117. Another objection to legislative approaches is that a partial
solution, one that regulates spam without prohibiting it altogether,
will merely serve to legitimise spam.[106] If the law requires spam to
be labelled and to include opt-out instructions, the stigma presently
attached to spam will begin to disappear.
118. The current trend appears to involve less reliance on self-regulation
and other informal measures in favour of increased emphasis on more
formal responses, both technical and legal.
119. Spam is perhaps the most costly advertising mechanism, not costly to
the spammer but to the email user. Spammers in effect make consumers
pay for unwanted advertisements. ISPs are paying for the costs of spam
by being forced to purchase additional computers and increase
bandwidth and take measures to try to minimize the effect of
spam.[107] A recent study estimates that spam costs US corporations
approximately $10 billion each year and costs US and European ISPs an
additional $500 million.[108]
120. At the heart of this issue lies a contradiction. In attempting to
strike a balance between the rights of commercial entrepreneurs to
market their wares and the rights of email users to be free from
unwarranted solicitation, a clear contradiction exists between
business interests and those of private individuals.[109] The main
problem with spam and the reason for its proliferation is the shifting
of the costs involved away from the advertiser onto the consumer and
other parties. Unlike other forms of advertising such as television
commercials or billboards, direct marketing usually involves some
degree of effort or involvement on the part of the consumer. In most
forms of communication, the sender experiences significant and usually
measurable costs. Therefore the sender usually has an incentive to
compare the expected benefits of the communication against these costs
in deciding whether to proceed with the communication. Email changes
the entire equation because the cost of sending spam is negligible.
Spammers have little incentive to consume resources in an efficient
manner.[110]
121. As noted previously, spam statistics differ due to the classification
and definition of spam. A utopian definition of spam would include all
emails that are of no benefit to the recipient from the recipient's
point of view.[111] But this definition is problematic when looked at
in practical terms. If one classifies spam as all email that is both
unsolicited and bulk in nature, restrictive regulation is likely to
conflict with the rights of citizens' free speech, where the email in
question is not commercial in nature. This has caused legal
difficulties for anti-spam legislation in the US where the degree of
constitutional protection for commercial speech is lower than that for
political speech. Also, different jurisdictions may apply widely
different interpretations to the term 'commercial'.[112] The problem
is apparent when attempting to define services such as education or
health care which may have been semi-privatised and for which a fee is
paid.[113] In this regard, it is noted that the Spam Act exempts
currently accepted government, business and commercial practices, such
as government to consumer messages, and commercial messages to
publicly advertised addresses where the approach is specifically
related to the addressees' employment function.
122. Like the US, the Australian government has responded to the public
demand for legislation. As so often happens in the policy arena, there
are competing interests at stake, all with some validity. Legislation
must effectively curb the proliferation of commercial spam without
constraining the legitimate online marketplace. It must limit the
unwanted messages that reach consumers, while protecting the right of
free speech. It must address the technological threats to the Internet
experienced most directly by ISPs without stifling innovative means of
reaching individuals.[114]
123. For example, a relevant issue raised by the Spam Act would be accurate
header information requirements versus the right to online anonymity.
This would aid ISPs in filtering messages from known spammers who mask
the source of their messages by using falsified header information,
and assist consumers in identifying the source of unwanted email so
they can effectively opt out of receiving further communications.
However, advocates of an individual's right to online anonymity have
raised concerns that this would destroy anonymous communications on
the Internet. Mere concealment of one's identity, without intent to
deceive, is not in and of itself fraud.[115] In this regard, it is
noted that NPP 8 provides that wherever it is lawful and practicable,
individuals should have the option of not identifying themselves when
entering transactions.[116]
124. Another criticism of current enforcement efforts is that they are too
narrowly focused on fraudulent and misleading spam, thus giving a kind
of legitimacy and immunity to spam that is not misleading.[117] Given
that the main problem with spam is the volume rather than the content,
another option would be to ban all spam. However, this would raise the
contentious issue of an agreed definition of spam.[118]
125. Three categories of approaches have been used to address the spam
problem: informal measures, such as social norms and self-regulatory
efforts; technical measures undertaken by individuals and
organisations; and legal responses including litigation under existing
statutes and traditional common law theories and anti-spam legislation
that specifically targets spam.[119] These categories can be loosely
compared to the four types of constraints on behaviour outlined by
Lawrence Lessig in his theoretical approach to cyberspace regulation:
law, norms, markets and architecture or 'code'.[120]
126. The law generally regulates individual behaviour by threatening ex
post facto sanctions.[121] However, in real space as well as
cyberspace, law also regulates individual behaviour indirectly, by
aiming to change markets, norms or code. It has been argued that law
in cyberspace will often be more effective if it regulates code or
architecture rather than trying to directly regulate individual
behaviour.[122]
127. The nature of cyberspace is defined as including software, hardware,
Internet protocols and other standards and aspects of human biology.
Cyberspace architecture is inherently plastic, which is one reason why
law regulating cyberspace architecture is likely to be effective. It
is generally possible for law to require changes to software,
standards and hardware.[123]
128. While lawsuits and anti-spam legislation can ameliorate the spam
problem by imposing costs and other disincentives on spammers, it is
unlikely to be successful in eliminating spam on its own.[124] Some
support for this conclusion is found in the theory of cyberspace
architecture.
129. Another limitation on Australian anti-spam legislation is that the law
only applies within local boundaries whereas most spam is from foreign
hosts, mainly the US.
130. The jurisdictional problems created by the proliferation of
transborder unsolicited emails may prove to be an insurmountable
hurdle.[125] As unsolicited commercial email touches on so many
aspects of the law, for example, commerce, advertising, free speech,
libel, privacy, intellectual property and the criminal law, it has
been argued that it would be difficult to apply a global legally
binding framework.[126]
Conclusion
131. Given the significant rate of increase of spam, it seems reasonable to
conclude that current legislative and private responses are having
little effect on the activities of most spammers.
132. It has been estimated that spam will peak at 80 per cent of all emails
by 2007 and Australia's anti-spam legislation will offer little
protection to Australian end-users.[127]
133. There is no 'silver bullet' that will eliminate spam entirely however,
the incidence of spam can be reduced and controlled.[128] In general,
commentators agree that the most effective solution to spam will
combine legal and technological elements.[129] While the Australian
government has taken a technology neutral approach to anti-spam
legislation, there is an argument that the most effective legislation
will be crafted with the technology in mind, designed to enhance the
tools' usefulness.[130] Spam will only be significantly reduced when
the combination of spam filtering and user awareness makes sending
spam unprofitable.[131] In the future, structural changes to the
Internet such as tracking and authentication mechanisms should
minimise spam however it will never be eradicated.[132]
134. Achieving consistency in regulating spam, especially across all
jurisdictions, is very difficult. Australian regulation of spam will
have to meet international standards which is acknowledged by the Spam
Act. The only constructive way forward, as recognised by the
Australian government, is to keep pushing for a global convergence. It
is not desirable that each country imposes a separate regime for
regulating spam, which would encourage a race to the bottom, reducing
protection on a global scale. It would also frustrate law enforcement
efforts, impede informed decision-making by consumers and deprive
consumers of meaningful access to judicial recourse. An international
agreement to reduce the incidence of spamming worldwide is required.
Ultimately, a consensus approach that coordinates legal and technical
responses is likely to provide the most effective solution. National
legislation per se is not a comprehensive answer to the problem
because of the difficulties in identifying spammers, lack of
jurisdiction over offshore offenders and competing priorities faced by
law enforcement and regulatory agencies.
Glossary [133]
Bayesian logic
Named for Thomas Bayes, an English clergyman and mathematician, Bayesian
logic is a branch of logic applied to decision making and inferential
statistics that deals with probability inference: using the knowledge of
prior events to predict future events. According to Bayesian logic, the
only way to quantify a situation with an uncertain outcome is through
determining its probability. Bayesian logic is being incorporated in more
advanced spam filters (also see 'Filter').
Blacklist
A blacklist is the publication of a group of ISP addresses known to be or
believed to be sources of spam. Emails from these sources are blocked,
preventing their further transmission or receipt.
Dictionary attack
In the context of spam, in a dictionary attack is a large number of
delivery attempts of test messages to email addresses within a domain (e.g.
a range of addresses ending in @bigpond.com). These email addresses are
generated based on words from a "dictionary" of likely or possible words,
combined with the domain being attacked. This is done to compile a list of
deliverable email addresses for future spam communications. Dictionary
attacks are also used as a means of obtaining passwords to gain
unauthorised access to computer systems. The automatic and repetitive
nature of a dictionary attack means that the domain's server is hit with a
large amount of traffic. This either restricts the system resources that
can be utilised by legitimate processes, causing a slowdown, or overwhelms
the network altogether, causing it to cease operation. In this regard, a
dictionary attack operates similarly to a hostile denial of service attack.
Email
(electronic mail) is the exchange of computer-stored messages by
telecommunication. Email can be distributed to lists of people as well as
to individuals.
Filter
In the context of spam, a filter is a program or section of code that is
designed to examine each input or output request for certain qualifying
criteria and then process or forward it accordingly. A filter can be used
to block the receipt of mail based on concrete information (e.g. block all
mail originating from @spam.com), simple heuristic criteria (e.g. block all
mail with a subject containing "viagra" or "FREE!!!") or through the
application of more complex Bayesian logic.
Firewall
A firewall is a set of related programs, located at a network gateway
server that protects the resources of a private of a private network from
users from other networks. The term also applies to the security policy
that is used with the programs.
Harvesting
The use of a program to scan through internet documents, emails, bulletin
boards and other material to identify and store email addresses. The
addresses are combined into a contact list and then used and/or sold by
spammers.
Internet Content Host
An Internet Content Host (ICH)publishes content on the internet on their
own or others' behalf. An ICH typically has an established point of
presence on the Internet, much like an ISP, but unlike an ISP does not
necessarily provide access services to others.
Internet Protocol (IP)>
The Internet Protocol is the method by which data is sent from one computer
to another on the Internet. Each computer (known as a host) on the Internet
has at least one IP address that uniquely identifies it from all other
computers on the Internet.
Internet Service Provider (ISP)
An Internet service provider (ISP) is a company that provides individuals
and other companies access to the Internet and other related services such
as Web site building and content hosting. An ISP has the equipment and the
telecommunication line access required to have a point of presence on the
Internet for the geographic area served. The larger ISPs have their own
high-speed leased lines so that they are less dependent on the
telecommunication providers and can provide better service to their
customers.
Open relay
An open relay is an email message transfer agent that will deliver any mail
for any sender. Spammers seek out these servers as a free ride for their
spam messages.
Opt in
The practice of having people sign up to receive emails or other
communications. The person has nominated to receive communications from a
particular source. Countries with "opt in" legislation have the rule that
commercial electronic messages may only be sent to people who have made a
prior positive indication that they wish to receive messages from that
source.
Opt out
The practice of having people request their removal from commercial contact
lists, usually in response to having received an unsolicited communication.
There are well known problems with opt out methodologies, the most common
being that the request to be removed from the contact list is not honoured,
but rather used as a stimulus for increased communication.
Virus
A virus is a self-replicating computer program that may cause an unexpected
and usually undesirable event. A virus is often designed so that it is
automatically and covertly spread to other computer users via email, hidden
within downloads, or on diskettes or CDs. Viruses are notorious for data
corruption and destruction, and occasionally for collecting email
addresses, credit card details or causing additional system security
breaches.
Whitelist
The opposite of a blacklist. A whitelist is an explicit list of senders
from whom email will be accepted. Any mail that originates from someone not
on the whitelist will be blocked (see 'Blacklist').
Bibliography
Articles/Books/Reports
All Party Internet Group ("APIG"), Spam: report of an inquiry by the All
Party Internet Group' (2003) at 1 December 2003.
Berman, Jerry and Bruening, Paula J, 'Can spam be stopped? Rather than
legislate a quick fix, Congress needs to look harder at legal and technical
complexities' (2003) Legal Times 26(24) 76.
Bick, Jonathan, 'Spam-related class actions are on the horizon: and the US
government could end up as a defendant' (2003) 172(5) New Jersey Law
Journal 20.
'Bill lets some spam slip through the net', Financial Review (Sydney), 18
September 2003.
Boyarski, Jason R, Fishman, Renee M, Josephberg, Kara et al, 'European
authorities consider cookies and spam' (2002) 14(3) Intellectual Property &
Technology Law Journal 31.
'Buffalo Spammer hit with arrest and $16.4 million judgment' (2003) 20(7)
Computer & Internet Lawyer 35.
Cisneros, Danielle, 'Do not advertise: the current fight against
unsolicited advertisements' (2003) Duke Law & Technology Review 10.
Clark, Eugene and Sainsbury, Maree, 'Privacy and the Internet' (2002).
'Court shuts down web sites in deceptive spam case' (2002) 5(11) Journal of
Internet Law 27.
Culberg, Katya, 'Regulating the proliferation and use of spam' (2002) 6(3)
Journal of Internet Law 18.
D'Ambrosio, Joseph, 'Should junk e-mail be legally protected?' (2001) 17(2)
Santa Clara Computer and High-Technology Law Journal 231.
Delaney, Edwin M, Goldstein, Claire E, Gutterman, Jennifer et al, 'Proposed
legislation targets unsolicited commercial email' (2003) 15(8) Intellectual
Property & Technology Law Journal 16.
Fisher, Michael A, 'The right to spam? Regulating electronic junk mail'
(2000) 23(3-4) Columbia-VLA Journal of Law & the Arts 363.
Fishman, Renee M, Josephberg, Kara, Linn, Jane et al, 'Chinese companies to
address spam' (2002) 14(7) Intellectual Property & Technology Law Journal
31.
Fishman, Renee M, Josephberg, Kara, Linn, Jane et al, 'FTC announces
international Internet fraud efforts' (2002) 14(7) Intellectual Property &
Technology Law Journal 32.
Fogo, Credence E, 'The postman always rings 4,000 times: new approaches to
curb spam' (2000) 18(4) John Marshall Journal of Computer & Information Law
915.
'FTC obtains TRO against deceptive spam' (2002) 5(12) Journal of Internet
Law 29.
'FTC study finds deception in 66 percent of spam' (2003) 20(7) Computer &
Internet Lawyer 34.
Geraci, Danna, 'Spam: opt in if you like' (2001) 34(2) Law-Technology 18.
Greene, Jenna, 'The slippery fight over e-mail spam: bills aim to slash
junk mail while protecting e-commerce' (2001) 24(19) Legal Times 1.
Greene, Jenna, 'Two bills seek to provide protection against e-mail spam'
(2001) 225(95) New York Law Journal 5.
Greenleaf, Graham, 'An endnote on regulating cyberspace: architecture vs
law?'(1998) 52 University of NSW Law Journal 1.
Hahn, Robert W and Layne-Farrar, Anne, 'The benefits and costs of online
privacy legislation' (2002) 54(1) Administrative Law Review 85.
Harhai, Stephen J, 'A modest proposal on spam' (2003) 29(2) Law Practice
Management 16.
Heels, Erik J, 'Combating spam' (2002) 28(6) Law Practice Management 9.
Henry-Davis-York-iTEAM, 'Spam: remedies against the crime not the ham'
(2001) Keeping Good Companies 53(2) 119.
Hollander, Jay, 'Raising the E-drawbridge on Cybertrespass' (2002) 228(101)
New York Law Journal 5.
Kolker, Carlyn, 'Canning the spam' (2002) 24(9) American Lawyer 31.
Latham Plunkett, Dianne, 'Spam remedies' (2001) 27(3) William Mitchell Law
Review 1649.
'Law enforcement tackles deceptive spam' (2003) 20(2) Computer & Internet
Lawyer 34.
Lerner, David, 'Seeking to clear cyberspace of spam: recent court decisions
boost efforts to regulate unsolicited commercial e-mail' (2002) 227(110)
New York Law Journal S4.
Lewis, Samuel, 'The politics of spam: yet another way to annoy voters'
(2002) 25(38) Legal Times 21.
Litchman, Lori, 'Federal law doesn't ban e-mail spam' (2002) 25(27)
Pennsylvania Law Weekly 1.
Loomis, Tamara, 'Junk e-mail: filing suit against a spammer is a way to
fight back' (2002) 227(69) New York Law Journal 5.
Magee, John F, 'The law regulating unsolicited commercial e-mail: an
international perspective' (2003) Santa Clara Computer and High-Technology
Law Journal 19(2) 333.
McGill, Matt, 'E-mail marketing: targeted opt-in campaigns (not spam)
aren't just for products anymore' (2001) 24(21) Legal Times 51.
Miller, Nigel, 'New rules for inboxes' (2002) 146(36) Solicitors Journal
857.
'More self-regulation of spam & privacy' (2002) 5(8) Journal of Internet
Law 21.
National Office for the Information Economy, Spam: Final report of the NOIE
review of the spam problem and how it can be countered, (2003).
at
27 July 2003.
Oakes, Dan, 'The long arm of the law takes a crack at breaking through the
spam jam', The Sunday Age (Melbourne), 11 January 2004.
Paonita, Anthony, 'Drowning in spam? Here's how you can fight back' (2002)
170(10) New Jersey Law Journal 30.
Paonita, Anthony, 'Tired of spam? There are steps you can take to fight it'
(2002) 25(49) Legal Times 28.
Pink, Scott W, 'State spam laws survive constitutional scrutiny but should
Congress enact a federal law?' (2002) 5(10) Journal of Internet Law 11.
Pruitt, Scarlet, 'Spam deluge leads to search for silver bullet',
Information Age (Apr-May 2003) 52.
Raysman, Richard and Brown, Peter, 'E-mail blocking: spammers (and alleged
spammers) fight back' (2001) 226(12) New York Law Journal 3.
Redford, Monique, 'The indecency of unsolicited sexually explicit emails: a
comment on the protection of free speech v the protection of children'
(2002) 26(1) Seattle University Law Review 125.
Riach, Emma, 'Cookies and spam' (2003) 153(7071) New Law Journal 379.
Ryman, Rene, 'The adverse impact of anti-spam companies' (2003) 20(1)
Computer & Internet Lawyer 15.
Sinrod, Eric J, 'Court enjoins bait-and-switch spam scam' (2002) 227(87)
New York Law Journal 5.
Sorenson, Andrew and Webster, Matthew, 'Trade practices and the Internet'
(2003).
Sorkin, David E, 'Technical and legal approaches to unsolicited electronic
mail' (2001) University of San Francisco Law Review 35(2) 325.
'Spam brings home a harsh reality', The Sunday Age (Melbourne), 11 January
2004.
Steinmeyer, Peter A, 'California spammin': opening the e-mail spigot'
(2003) National Law Journal 25(48) 34.
Valetk, Harry A, 'Spam scammers hit a new low with spoofed e-mail' (2002)
228(52) New York Law Journal 56.
'Virginia claims toughest anti-spam law in nation' (2003) 20(7) Computer &
Internet Lawyer 34.
Young, Gary, 'Canning cyber spam won't be easy: a national solution at
center of debate' (2003) 25(39) National Law Journal 1.
Case Law
ACCC v Chen [2002] FCA 1248 (8 October 2002)
ACCC v Internic Technology Pty Ltd (1998) ATPR 41-646
ACCC v Skybiz (Unreported, Federal Court of Australia, 27 September 2002)
America Online Inc v IMS 962 F Supp 1015 (SD Ohio 1997)
Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA
63
CompuServe Inc v Cyber Promotions Inc 24 F Supp 2d 548, 550 (ED Va 1998)
Grosse v Purvis [2003] QDC 151
Gutnick v Dow Jones & Co Inc [2002] HCA 56 (10 December 2002)
Hotmail Corporation v Van Money Pie 1998 USDist LEXIS 10729; 47 USPQ 2D
(BNA) 1020 (16 April 1998). Intel Corporation v Hamidi 30 Cal 4th 1342; 71
P 3d 296; 1 Cal Rptr 3d 32; 2003 Cal LEXIS 4205 (2003)
Macquarie Bank v Berg [1999] NSWSC 526
R v Hourmouzis (Unreported, County Court of Victoria, 30 October 2000)
Victoria Park Racing & Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479
Legislation
Anti-Spam Act of 2003*
Ban on Deceptive Unsolicited Bulk Electronic Mail Act of 2003*
CAN-SPAM Act of 2003
Crimes Act 1914 (Cth)
Criminal Spam Act of 2003*
Criminal Code 1995
Cybercrime Act 2001 (Cth)
Privacy Act 1988 (Cth)
REDUCE Spam Act of 2003*
Spam Act 2003 (Cth)
Trade Practices Act 1974 (Cth)
* Proposed legislation - has not been enacted.
Notes
[1] at 25 March 2004. Brightmail
defines spam as unsolicited bulk email.
[2] 'Spam brings home a harsh reality', The Sunday Age (Melbourne), 11
January 2004.
[3] at 25
March 2004.
[4] All Party Internet Group ("APIG"), Spam: report of an inquiry by the
All Party Internet Group' (2003) at 1 December
2003.
[5] Ibid.
[6] David E Sorkin, 'Technical and legal approaches to unsolicited
electronic mail' (2001) University of San Francisco Law Review 35(2) 325,
330.
[7] Ibid, 330.
[8] Ibid, 332.
[9] National Office for the Information Economy, Spam: Final report of the
NOIE review of the spam problem and how it can be countered, (2003) 2.
at
27 July 2003.
[10] Dan Oakes, 'The long arm of the law takes a crack at breaking through
the spam jam', The Sunday Age (Melbourne), 11 January 2004.
[11] Ibid.
[12] False positives refer to legitimate messages mistakenly identified as
spam and being filtered out.
[13] Above n 7, 342.
[14] Above n 11.
[15]
at 9 December 2003. The Best Practice Model is based on the Organisation
for Economic Cooperation and Development ("OECD") Guidelines for Consumer
Protection in the Context of Electronic Commerce.
[16] Above n 10.
[17] For a code to be registered by the ACA, it must, among other things be
'appropriate' in the way it deals with the matters it covers and must have
undergone consultation with industry, the public, consumer representatives,
the Australian Competition and Consumer Commission, the Telecommunications
Industry Ombudsman and, in some cases, the Privacy Commissioner.
at 25 March
2004.
[18]
at 9 December 2003. Another aspect of the ADMA Code of Practice is its 'Do
Not Mail/Do Not Call' database. Individuals can register with this service
and ADMA members must remove the names of any consumer registered from
their mailing/call lists.
[19] at 9 December 2003.
[20] Ibid.
[21] The IIA draft Privacy Code was submitted to the Federal Privacy
Commissioner for registration in March 2003. According to the Federal
Privacy Commissioner's website, it is currently under consideration.
[22] Above n 20.
[23] Above n 10.
[24] at 8
November 2003. The Spam (Consequential Amendments) Act makes various
amendments to the Telecommunications Act and the Australian Communications
Authority (ACA) Act to enable the effective investigation and enforcement
of breaches of the Spam Act.
[25] Explanatory Memorandum, Spam Act 2003 (Cth).
at 8
November 2003.
[26] Ibid.
[27] Ibid.
[28] That is, electronic messages that originate from Australia and
messages that are sent to Australian addresses whatever their point of
origin: section 7 of the Spam Act.
[29] Section 17 of the Spam Act.
[30] Section 18 of the Spam Act.
[31] Sections 20 to 22 of the Spam Act.
[32] Part 4 of the Spam Act. Penalties for breach range up to $1.1 million
per day, in addition to orders for recovery of profits from spammers and
payment of compensation to victims.
[33] Parts 5 to 7 of the Spam Act. These measures include a formal warning,
acceptance of an enforceable undertaking, or the issuing of an infringement
notice. The ACA may also apply to the Federal Court for an injunction or
may institute proceedings in the Federal Court for breach of a civil
penalty provision.
[34] Similar to the European Union (EU) Directive 2002/58/EC where prior
explicit consent of the recipient is required before communications are
addressed to them unless it is within the context of an existing customer
relationship.
[35] Above n 5.
[36] 'Bill lets some spam slip through the net', Financial Review (Sydney),
18 September 2003.
[37] Above n 5.
[38] Above n 10.
[39] Above n 5. The E-Privacy Directive adopts a modified opt-in approach.
It prohibits unsolicited commercial email unless subscribers have given
their prior consent. It also allows a company to email customers whose
address it obtained in the context of a sale, provided that customers are
given the opportunity to opt-out on the occasion of each message.
[40] See heading 'US Position'.
[41] Above n 10.
[42] Schedule 2 of the Spam Act provides that 'consent' may be express
consent or implied consent. If a person has a pre-existing business
relationship or other relationship such as a family relationship, consent
may be implied. Implied consent may also be inferred from the conduct of
the person.
[43] Adam Turner, 'Spam, laborious spam, to stay on the menu', The Age
(Melbourne), 17 February 2004. Based on a report by anti-spam expert, Bruce
McCabe, titled The Future of Spam.
[44] Sections 477.1 to 477.3 of the Criminal Code.
[45] Eugene Clark and Maree Sainsbury, 'Privacy and the Internet' (2002),
90.
[46] Above n 10.
[47] For example, sections 247B, 247C and 247D of the Crimes Act 1958 (Vic)
as amended by the Crimes (Property Damage and Computer Offences) Act 2003
(Vic).
[48] Above n 10.
[49] See cases discussed under the heading 'Australian Case Law'.
[50] Australian Competition and Consumer Commission, Submission to the
National Office for the Information Economy re: spam
at 27 July 2003.
[51] (1937) 58 CLR 479, at 495-496.
[52] Above n 46, 105.
[53] [2001] HCA 63.
[54] Above n 46, 105.
[55] [2003] QDC 151.
[56] at 8 December 2003.
The private sector provisions of the Privacy Act apply to organisations
with an annual turnover of more than $3 million. The provisions also apply
to all health service providers regardless of turnover and some small
businesses with an annual turnover of $3 million or less.
[57] Above n 26.
[58] Ibid.
[59] Ibid.
[60] Ibid.
[61] at 8
November 2003. NPP 1 provides that an organisation may only collect
personal information if necessary for its functions and activities. The
collection must be fair and lawful and not unreasonably intrusive; the
organisation must take reasonable steps to ensure the individual is aware
of the identity of the organisation; the purpose for which the information
is collected; who it will be disclosed to; the fact that they can access
the information; any law that requires the information to be collected; and
the consequences for the individual if the information is not given.
[62] Above n 46, 24.
[63] at 8
November 2003. NPP 2 provides that information can be used for the
secondary purpose of direct marketing where it is impracticable to seek the
individual's consent before use; the individual can request not to receive
such information; each direct marketing communication must draw the
individual's attention to the fact they can request not to receive further
communications; each communication must set out the organisation's contact
details.
[64] Above n 46, 16.
[65] Ibid.
[66] Ibid.
[67] Above n 26.
[68] Above n 46, 16.
[69] (Unreported, County Court of Victoria, 30 October 2000)
at 4 December 2003.
[70] Henry-Davis-York-iTEAM, 'Spam: remedies against the crime not the ham'
(2001) Keeping Good Companies 53(2) 119. Hourmouzis was convicted under
section 76E(b) of the Crimes Act 1958 (Vic). This section imposes a maximum
penalty of ten years imprisonment and makes it an offence to interfere
with, interrupt or obstruct the lawful use of, a computer by means of a
carrier (telephone line or ISP) or facility provided by the Commonwealth.
[71] The Corporations Law has been repealed and is replaced by the
Corporations Act 2001 (Cth).
[72] (Unreported, Federal Court of Australia, 27 September 2002).
[73] at 9 December 2003.
In a settlement with the ACCC, SkyBiz.com Inc consented to orders of the
Federal Court which declared that, inter alia, the Skybiz scheme was a
pyramid selling scheme; SkyBiz.Com engaged in referral selling which is
prohibited under the TPA; SkyBiz.Com made false or misleading
representations.
[74] [2002] FCA 1248 (8 October 2002).
[75] (1998) ATPR 41-646.
[76] Above n 51.
[77] The First Amendment to the US Constitution relevantly provides that
Congress shall make no law abridging the freedom of speech.
[78] On 10 March 2004, it was reported that four ISPs - AOL, EarthLink,
Microsoft and Yahoo! - filed lawsuits targeting several spammers identified
as the most flagrant offenders of the CAN-SPAM Act's rules for sending
commercial email.
at 25
March 2004.
[79] David E Sorkin, Spam Laws: United States: Federal Laws: 108th
Congress: Summary at 24
November 2003.
[80] Above n 5.
[81] Jerry Berman and Paula J Bruening, 'Can spam be stopped? Rather than
legislate a quick fix, Congress needs to look harder at legal and technical
complexities' (2003) Legal Times 26(24) 76, 80.
[82] Subsection 8(b)(1) of the CAN-SPAM Act.
at 26 March 2004.
[83] David E Sorkin, Spam Laws: United States: State Laws: Summary
at 24 November 2003.
[84] 'Virginia claims toughest anti-spam law in nation' (2003) Computer &
Internet Lawyer 20(7) 34. It is estimated that approximately 50 percent of
all spam passes through Virginia, the home of AOL.
[85] Above n 5.
[86] Ibid.
[87] Ibid.
[88] 962 F Supp 1015 (SD Ohio 1997).
[89] The court relied on Section 217(b) of the Restatement (Second) of
Torts to affirm CompuServe's trespass claim. This section states that a
trespass may be committed by intentionally using or intermeddling with
another person's chattels (personal property). Intermeddling is defined as
intentionally bringing about a physical contact with the chattel.
[90] Above n 7, 348.
[91] 24 F Supp 2d 548, 550 (ED Va 1998).
[92] 1998 USDist LEXIS 10729; 47 USPQ 2D (BNA) 1020 (16 April 1998).
[93] 30 Cal 4th 1342; 71 P 3d 296; 1 Cal Rptr 3d 32; 2003 Cal LEXIS 4205
(2003).
[94] The appellate court disagreed, finding that these rights did not
permit Hamidi to trespass on Intel's private property.
[95] It was a narrow 4-3 decision.
[96] Peter A Steinmeyer, 'California spammin': opening the e-mail spigot'
(2003) National Law Journal 25(48) 34.
[97] Above n 7, 353.
[98] Ibid.
[99] Coalition Against Unsolicited Bulk Email ("CAUBE"), The Problem
at 27 July 2003. According to CAUBE,
there is no way for a spammer to know what city you are in, and no reliable
way for them to know what country you are in. Even if it were possible and
reliable to eliminate out of area customers, this is the era of e-commerce
and a customer can be anybody, anywhere in the world.
[100] Unlike Cyber Promotions which was an identifiable and fully
incorporated company, if a spammer is a one-person operation, tracking down
and identifying the spammer may prove to be a difficult obstacle to
enforcement of anti-spam legislation. Most spammers do not have sufficient
assets to justify litigation.
[101] [2002] HCA 56 (10 December 2002).
[102] Andrew Sorenson and Matthew Webster, 'Trade practices and the
Internet' (2003).
[103] For example, see Macquarie Bank v Berg [1999] NSWSC 526.
[104] Above n 103.
[105] Above n 7, 354.
[106] Ibid.
[107] Danielle Cisneros, 'Do not advertise: the current fight against
unsolicited advertisements' (2003) Duke Law & Technology Review 10.
[108] Ibid.
[109] John F Magee, 'The law regulating unsolicited commercial e-mail: an
international perspective' (2003) Santa Clara Computer and High-Technology
Law Journal 19(2) 333, 339.
[110] Ibid, 333.
[111] Ibid, 336.
[112] Ibid, 337.
[113] Ibid, 356.
[114] Above n 82, 78-9.
[115] Ibid, 79.
[116] Above n 46, 73.
[117] Above n 7, 354.
[118] Ibid.
[119] Above n 7, 328.
[120] Ibid, 358.
[121] Graham Greenleaf, 'An endnote on regulating cyberspace: architecture
vs law?'(1998) 52 University of NSW Law Journal 1, 9.
[122] Ibid.
[123] Above n 122, 1.
[124] Above n 7, 353.
[125] Above n 110, 375.
[126] Ibid.
[127] Above n 44.
[128] Above n 82, 82. See also Scarlet Pruitt, 'Spam deluge leads to search
for silver bullet' (Apr-May 2003) Information Age 52
at 28 July 2003.
[129] Above n 7, 355; n 82, 82; n 110, 379.
[130] Above n 82, 82.
[131] Above n 44.
[132] Ibid.
[133]
at
24 March 2004.