2015-11-19
Abstract
In November 2003, Martin Lee summarized from a UK perspective the various legislative attempts to ban the abuse of email by law.
Copyright © 2015 Virus Bulletin
(This article was first published in Virus Bulletin in November 2003.)
It is clear that the ever increasing deluge of spam is becoming a real nuisance. As such, it is to be applauded that governments throughout the world are taking notice and attempting to introduce a regulatory framework whereby legitimate email can be distinguished legally from the nuisance of unsolicited bulk commercial email, and those who insist on sending spam may be dealt with accordingly.
However, such an approach is fraught with difficulties. Poorly worded legislation risks legitimising spam, introducing loopholes that spammers can exploit – or, indeed, outlawing the legitimate practice of sending one-off emails to people you have never met.
This article summarises from a UK perspective the various legislative attempts to ban the abuse of email by law.
The unregulated and increasing processing of personal data, including email addresses, caused sufficient concern for the EU to pass the Data Protection Directive (95/46/EC) in the mid-1990s. This established that the processing and storage of personal information must be carried out with the consent of the individual and with regard to the individual’s rights to privacy.
The provisions of this directive were passed into UK law with the 1998 Data Protection Act. Nevertheless, this did not halt the collection and processing of email addresses by spammers. Presumably the posting of a personal email address on a web page or in a Usenet post was taken by the spammers as an indication of permission to process and store such information.
The EU Electronic Commerce Directive (2000/31/EC), which was integrated into UK law as the Electronic Commerce Regulations 2002, clearly states that ‘[the sender] shall ensure that any unsolicited commercial communication sent by him by electronic mail is clearly and unambiguously identifiable.’
This law renders all spam that attempts to masquerade as legitimate email illegal. So far, however, this appears to have had little effect – the spam keeps coming, mostly unmarked.
It is to be imagined that identifying a spam as such in the subject line is effective in reducing the number of recipients who open and respond to the email. Hence, the spammers prefer not to comply with the law – and in any case most spam is sent from countries outside of the EU where the senders do not feel obliged to follow EU law.
Meanwhile in the US, existing laws were being used to combat the loss caused by processing spam and to prosecute fraudulent claims contained in spam.
AOL scored a major victory when it sought an injunction against CN Productions Inc. in 1998. The company objected to CN Productions sending spam to AOL subscribers, claiming that this was against AOL’s terms and conditions, that it cost AOL time and money to process the emails, and that the spoofing of the From headers to make it appear that the emails were coming from ‘aol.com’ was having an adverse effect on their reputation. The Virginia judge agreed and awarded AOL $1,819,863 in damages plus legal costs.
This case demonstrates that even in the absence of specific anti-spam laws, recipients and ISPs can seek to prevent spammers sending them spam and recover the costs involved in processing spam.
Similarly, in 1999 a British provider of email services, BiblioTech, sought damages through the Georgia state courts in the US for the costs of processing the undeliverable message bounces generated by a spammer that were relayed to the company’s servers.
Although Sam Khuri and his Atlanta print company Benchmark Print Supply tried to push for an out-of-court settlement, BiblioTech eventually won an undisclosed sum of damages and an injunction preventing Sam Khuri, the main defendant, from ever sending unsolicited bulk email. Thus, spammers can be pursued across national borders.
Nevertheless, despite these court rulings and increasingly strict legislation being introduced in the EU and across the US to govern unsolicited email, the volume of spam keeps increasing. In May 2003 the ratio of spam to non-spam emails passed the 50 per cent mark, according to MessageLabs’ statistics – a 40.6 per cent increase over the preceding 12 months.
A further tightening of the regulatory framework is due to be introduced in the Privacy and Electronic Regulations 2003, implementing EU directive 2002/58/EC. This law prevents the sending of unsolicited email ‘unless the recipient of the electronic mail has previously notified the sender that he consents’. But will further regulation make any difference to the volume of spam?
Identifying spammers is not necessarily easy when emails are relayed through unsecured proxies or relays hiding their origin. Spam is a worldwide problem; emails can be sent from any country or jurisdiction to arrive in any other. The time, cost and sheer effort involved in tracking down and prosecuting the sender of an unsolicited message is prohibitive to all but the most tenacious or slighted companies and individuals.
To put the legal effort in context, one of the earliest and best-known legislative codices contains the law ‘Thou shalt not steal’; nevertheless, some 3000 years after this was written, theft continues to blight society. Despite the existence of laws and law enforcement assistance, the onus is on the individual to protect their possessions from theft through the use of good security and appropriate concealment.
It is likely to be a similar case for protecting the individual’s inbox from spam. Invest in a good spam filter to prevent the spam from clogging your inbox, and be wary of broadcasting the existence of your most precious email addresses to people you do not trust completely.
Legislation assists in identifying clearly what is and what is not acceptable, but ultimately while there is money to be made through the sending of spam, this is not a problem that is going to go away any time soon.
Martin Lee is a software engineer in MessageLabs’ anti-spam team writing in a personal capacity. The opinions and interpretations expressed here may not reflect those of his employer.