Spam: Where’s the beef?

April 30, 2004

I had 12 emails in my inbox this morning: four were client correspondence, three were advertisements from companies I do actually use, the rest were totally unsolicited bulk advertising communications otherwise known as ‘spam’. Evidently a quiet day for the spammers.

· Unwanted and intrusive advertising is a nuisance that has been around for many years, and it is not surprising to see the practice of sending unsolicited marketing materials develop just as communications technology itself develops.

So What’s the Problem?

Spam is an annoyance on your home account. It can clog up space, invade your privacy, and the often inappropriate contents are a concern for parents with young e-mail users. For a business, spam has additional cost and policy implications:

· the time lost by staff wading through spam

· offensive spam being received by staff

· potential for forwarding of spam and damage to reputation

· storage space losses over undeleted spam

· the potential for missing important real business communications by accidentally killing off the useful e-mail with the spam.

Spam varies in significance. It ranges from:

· unsolicited advertisements that are business-related: repeated attempts to get your business to change its print cartridge suppliers, purchase recycled desk equipment, or to change printers – these are annoying and time consuming, but are unlikely to offend from their content

· lewd and badly worded inducements to ‘extend your size’ and ‘earn $$$ in your spare time’ – there are not just time wasting, but can also be offensive

· plain fraud – also known as ‘phishing’ – an attempt to extract money from you by pretending to be your bank and asking for your bank passwords, or a Nigerian who is owed much money and all he needs is your bank details to give you half.

The take-up rate from spam is extremely small, but enough to make it worthwhile.[i] So what’s new? There has always been unnecessary annoying marketing in the form of unsolicited faxes and post. The difference is the per item cost to the company sending such unwanted information – even after discounts for mass mailings are taken into account. Such an economic limit does not exist with spam. Once the system is set up, spam is virtually free to send. More than 50% of global e-mail traffic is now estimated to be spam. The rate of growth is huge: in 2001 the figure was only 7%.[ii] The extent to which any company is affected varies. The European Commission for instance, has estimated 30% of its external e-mails are spam.[iii]

Some kind of legal and/or technological intervention is required to stop the growth. The good news is that the fight against spam is happening on both fronts – with varying degrees of success.

What’s the Solution?

Anti-Spam Technology

Everyone would love a simple technical solution, but the difficulty with spam is that there are lots of tricks to hide who the spam is from and ensure that the spammer can’t be shut down: using free Web sites, obfuscating URLs, encrypting Web pages, hijacking foreign mail servers to hide their tracks and avoid filters, and if that fails and the spammer is discovered, it will have a backup system.

There are various technical methods to avoid spam – none of them are perfect. The real test of any anti-spam technical measure is not just that it stops spam, but that it doesn’t give any false positives either. You don’t want legitimate mail disappearing. Consider the following options.

· Self help measures like keeping e-mail addresses off Web sites and not disclosing e-mail addresses to anyone other than a legitimate business are possible for home users, but just not feasible for a business. No company wants to keep its address and e-mail a secret.

· The use of basic filtering software (key word search so it will reject spam) can be successful but it’s not perfect. They may remove e-mails which aren’t spam. Word identifiers need to be chosen so that they won’t affect legitimate messages, which is not always easy – the NHS must be inundated with ‘buy buy buy viagra’ together with legitimate messages from medicine suppliers. Spammers try to update their methods accordingly.

· Statistical and more sophisticated word search methods, e.g. Bayesian Filtering technique are available. The filter engine has to be trained so there is some effort required of the user, but this is one of the best technical methods available.[iv]

· ‘Black hole lists’ are in common use.[v] These are lists of systems that are used by spammers or are open relays of which spammers have taken advantage. These lists are compiled by companies or anti-spam groups. E-mail messages identify where the message came from. If a spammer sends a message through his own ISP’s email server, then it could be tracked back to him because he has an account on that server. Spammers hijack open relays to disguise their identity. ISPs and large users that subscribe to the black hole lists will bounce back messages that originate from the open relay -email system. This means all users from that e-mail system are blocked. Legitimate users will not be able to send e-mail through either. This may cause concern for the users when their messages start bouncing back (but does at least warn the system owner that their server is open to the Internet without authentication or their security is faulty).

· Microsoft is considering changes to its products that will require senders to have to solve a puzzle thus taking up the computing memory of the sender once the puzzle is solved, the sender will be added to a ‘safe list’ of senders. The loss will not be significant for normal e-mailers, but for spammers the costs may make spamming uncommercial. The details have yet to be fleshed out, but legitimate marketing companies may look at the innovation with both interest and concern.[vi]

Anti-Spam Direct Action

As an aside there has been action taken by groups to stop spam over and above technical measures.

Microsoft was vilified by some users for requiring users actively to opt-out of receiving material on Hotmail back in July 2002, however, in a move that is guaranteed to gain sympathy for the company, Microsoft set up spam traps on the Hotmail service to identify spammers harvesting e-mail addresses from its Hotmail services and is now litigating in both the US and UK civil courts for substantial sums.[vii]

Anti-spam groups have got imaginative. In December 2002 anti-spam campaigners ran a campaign to sign up Alan Ralsky owner of a then US-based bulk e-mailing company to every form of junk postal mail possible. Alan Ralsky complained “They’ve signed me up for every advertising campaign and mailing list there is … these people are out of their minds.” and is reported even to have issued proceedings against the groups complaining of harassment.[viii]

A brief warning to UK law firms. There are anecdotal Internet reports that law firms in the US representing spam companies suing the anti-spammers have been personally targeted by some of the more vociferous anti-spam campaigners (note these reports have not been confirmed by any law firm). There doesn’t appear to be even rumour that this kind of action has spread to the UK, but before publicly taking on such a case it may be as well to check your firm’s IT security is up to it.

Anti-Spam Legislation

Some argue that it is not spammers that suffer from a change in legislation as they will not abide by it or will simply move to jurisdictions that do not have similar legislation. In any event, if we get rid of one won’t ten just take its place? The bright light here is that action against the spammers is not impossible. It is thought that less than 200 spammer companies are responsible for 90% of junk e-mail,[ix] so there are a limited number of potential defendants.

As ever the legislation is taking a while to catch up with the problem. Ideally what is needed is international anti-spam legislation that covers every jurisdiction, or effective anti-spam law in each country with efficient cross-border cooperation, so the spammer has nowhere to hide. This is not going to happen anytime soon, and each jurisdiction is tackling the problem in its own way.

Directive 2002/58/EC on Privacy and Electronic Communications (e-Privacy Directive) set EU rules for the protection of privacy and personal data in electronic communications. It was to be incorporated into national law by 31 October 2003 at the latest.

The UK implemented the directive in The Privacy and Electronic Communications (EC Directive) Regulations 2003.[x] Regulations 22 and 23 are designed to limit spam.

The main aspects of the regulations in relation to e-mail to companies are:

· the sender must identify itself in the e-mail

· the sender must provide a valid address as an opt-out mechanism

· when a business recipient opts-out, it only applies to that recipient not the business as a whole.

The main aspects of the regulations in relation to e-mail to individuals are:

· the sender must identify itself in the e-mail

· the sender must provide a valid address as an opt-out mechanism

· it allows e-mails which users actively agree to

· it allows e-mails where the supplier has obtained the contact details pursuant to the negotiation and/or provision of goods/services and the marketing e-mail relates to the same or similar goods/services.

The UK Information Commissioner has also made it clear in his guidance that there is an implicit further requirement to implement any request to opt-out by any user and to store such requests.

The UK implementation is compliant with the Directive but has been criticised for taking the softest approach. Arguably the laws do not go far enough and the maximum £5,000 fine in a magistrates’ court is not a disincentive. Senders are not required to gain the consent of companies, so business spam will not really be affected. Business e-mails are established by whether they are sent to a business address not by content, so e-mails containing ‘increase your size’ type content sent to company do not require the company’s consent to be sent. Many lawyers will have an advantage here: partnerships come under the ‘individuals’ category.

Not all of Europe is taking a soft approach: Italy‘s anti-spam legislation fines persistent spammers up to 90,000 euros (£66,000), and makes spamming a criminal offence punishable by up to three years’ in jail.

The Australian government has taken a strong line in relation to spam. In December 2003 it introduced legislation which bans commercial and private spam that has an Australian link (the definition of which includes Australians receiving from servers in the UK) and the harvesting of email addresses. There are fines for spammer companies of up to $1.1 million a day.[xi]

The US CAN-SPAM Act, enacted in December 2003, was predicted to have no effect on spam. It does not ban junk mail, and needs users to opt-out. Early reports indicate little impact so far, but then there may be a time lag before users’ opt-outs are processed.[xii]

Following the expiry of the 31 October 2003 deadline, the European Commission announced on 5 December 2003 that it has opened infringement proceedings for failure to notify transposition measures against Belgium, Germany, Greece, France, Luxembourg, the Netherlands, Portugal, Finland and Sweden.[xiii]

Effect on Legitimate Marketing Companies

Enough about spam, here’s the meat. What do the lawyers need to do?

Every user and ISP suffers from spam, but significant casualties of the spam business are legitimate responsible marketing companies who process e-mails for companies who have built up e-mail lists from customers who have opted-in – people who want and have requested the updates and sales pitch. Lawyers should review their contracts now to see if any amendments need to be made, and advise such legitimate marketing companies to obtain an indemnity from their clients that detail:

· who is responsible for the provision of the e-mail list

· indemnification against infringement of any legislation (UK or all jurisdictions if there are recipients worldwide)

· any requirements in relation to including opt-outs

· any consideration around the database construction of opt-outs – for instance this may be more complicated where the user is opting-out only of certain categories from the client’s services

· consideration of who will hold records of opt-out requests (individual’s contact details should not just be deleted off the system)

· the need for clear identification of the client in the design.

Bill Holt is CEO of Foretel Ltd,[xiv] a legitimate marketing company based in Harrogate which specialises in call centre software and services and markets e-mailing services for substantial UK-based clients. He stated:

“We were prepared for the legislation changes. Our clients are significant UK businesses and want to clearly identify and brand their e-mails. We have been advising them to place opt-outs into the marketing -emails as a matter of course for some time – the recipients prefer it.

However some of the technical attempts to block spam by e-mail service providers can affect our legitimate messages. We have in the past had discussions with one of the major service providers whose technical anti-spam measures have affected our service. We understand and support this process of course, but inevitably it is responsible businesses like Foretel that endure the extra time and cost of compliance.”

Is there anything that can be done about the increased costs such technical requirements impose?

The practical advice is to ensure that the legitimate marketing company’s IP reputation in the market place is second to none to ensure it doesn’t get added to any ‘Black-hole lists’. It must go through the technical processes with the major e-mail providers and build such costs into its business model.

The legal advice is to consider language that ensures the marketing company is not held responsible if its e-mails are refused by a major e-mail supplier – however such wording should be considered carefully. Receipt of the e-mail is the very point of the service. Such clauses may be seen as unreasonable and may simply ensure the legitimate marketing company loses its client list.

The new spam laws may affect legitimate marketing companies more than any other type of company and lawyers should be alive to the issue and be opening the contracts to see if updates are required. These companies may be affected not just by UK law, but also foreign jurisdictions if the target e-mail list includes e-mails to recipients outside the UK. Lawyers should also consider the impact of compliance with technical anti-spam measures, and ask their client to consider these issues in relation to any mass mailing.

[i] A bulk e-mailer recently testified at the FTC Spam Forum, organised in April-May 2003, that he could profit even if his response rate was less than 0.0001%. (Remarks by Timothy J. Muris Chairman, Federal Trade Commission, Aspen Summit, Cyberspace and the American Dream, The Progress and Freedom Foundation, August 19, 2003 Aspen, Colorado).

[ii] Communication From The Commission To The European Parliament, The Council, The European Economic And Social Committee And The Committee Of The Regions – On Unsolicited Commercial Communications Or ‘Spam’. Brussels, 22.01.2004.

[iii] ibid.

[iv] see

[v] Spamhaus is an anti-spam organisation that provides lists of IP addresses which are sending spam. These are used by many companies and ISPs to resist spam.

[vi] Microsoft Aims To Make Spammers Pay By Jo Twist BBC News Online technology reporter

[vii] Reported in Computer Weekly, 19 December 2003 – Microsoft Files Lawsuit Against Spammer.

[viii] Reported in Detroit Free Press, December 6, 2002 – Internet Spammer Can’t Take What He Dishes Out.

[ix] Spamhaus –



[xii] For a detailed view, see the article by Jeffrey D. Sullivan & Michael B. de Leeuw, vol 14, issue 6

[xiii] Europa –