Does English Law Offer a Solution to the Problem of Spam?

The problem of spam receives widespread attention; so deeply engrained is this electronic nuisance that the appearance of unsolicited, bulk e-mails, advertising dubious wares in the inboxes of countless millions of Internet users worldwide is a regular, increasingly common experience. Such proliferation offers the best indication of the scope of the issue, and reveals the problems and challenges legal regulation must face. E-mail has become a dominant form of communication; efficient and inexpensive, reliable and instant. These boons of the age of digital communication have, however, proved equally advantageous to those who would seek to abuse them, to the extent that it is estimated that by 2006 60 billion spam messages will be sent per day.[1]

Those who disseminate spam have not, however, felt any need to confine themselves only to nuisance e-mails. In an increasingly technologically complex age, perhaps, in this context, only one simple truth remains: any technology that permits the convenient dispatch of messages to others will fall victim to its advantages and come under the parasitical influence of spam. Thus Short Message Service (SMS) spam has also increased in volume.[2]

The issue abridged, in the context of email, although equally applicable elsewhere, concerns “rendering email useless for unsolicited advertising before unsolicited advertising renders email useless for communication”.[3] Legal regulation must take some part in the achievement of this goal.

What is “spam”?

A message is spam if it is equally applicable to a widespread number of recipients, and the recipient has not granted permission to the sender for the dispatch of the message.[4] Although many e-mails fulfil this description, such as large office communications, or “chains” forwarded from acquaintances, it is “pure” spam that causes the most problems; the constant chirruping of irrelevant, misleading, and often highly inappropriate messages can rightly be regarded as a nuisance by users of email systems; even though this nuisance is often remedied by the simple press of the “delete” key.

At another level, the sheer volume of these messages represents a severe problem to the administrators of email systems; deluges of spam consume finite resources, taking up space on email servers, and eating valuable connection bandwidth. The economics involved “are tilted in favour of mass marketers, and stacked against the rest of society”;[5] such messages are cheap to send, but the resource cost used in the administration of spam, in terms of the price paid for bandwidth consumed, the filtering of spam and addressing customer problems is ultimately passed to the users of email, whilst it has been estimated that a spammer needs only one response in a million to make their venture worthwhile.[6] There can be little doubt, therefore, that spam is a problem worthy of legal regulation, representing a costly interference with a method of communication as essential as any other. The question is, therefore, whether the law in the UK provides an effective mechanism to prevent such interferences.

Regulation – The legal landscape of cyberspace

It has been mooted that the Internet and cyberspace are areas into which the law may fear to tread, being a “loosely coupled and somewhat mysterious conglomeration of virtual communities”.[7] But, as Biegel points out, the Internet, although ever evolving, is under a significant degree of control, whether governmental, evidenced by the significant contribution made by governmental authorities to the growth of the Internet, semi-governmental, in terms of bodies such as ICANN, which regulate essential attributes such as namespaces and IP addresses on the Internet, or in the form of regulation imposed by the “gate keepers” to this brave new world, Internet Service Providers, and those who provide the tools to enter it, telecommunications, hardware, and software companies.

Thus characterising cyberspace as a “Wild West” frontier is rather a misnomer. The problem comes, however, not in the potential for regulation, but its enforceability. As noted by Davies,[8] if rules are proved unenforceable by “jurisdictional or substantive issues, then there is a threat that users of the Internet will hold them in contempt”.[9] The Internet is thus peculiar, not in its ability to be regulated, but in the potential of regulation not matched over trans-national boundaries, nor backed up by effective sanction, to weaken the normative force of rules themselves.

Reed[10] gives three hallmarks of enforceability, which, although similar to more orthodox, physical regulation, must be assessed globally in every jurisdiction. These are that regulation must be practically feasible, it must be limited in scope to those over whom the legislator has a legitimate claim (thus giving rise to, in trans-national situations, the need for reciprocal provisions throughout) and, crucially, it must contain an effective enforcement mechanism. Without this, “all but the most scrupulous” will be inclined to ignore legal provisions.

Thus it is apparent that any laws relating to the regulation of spam must not only address jurisdictional application but must also provide sanctions sufficient to discourage all those who would presume to offend. With this in mind, such provisions in the UK must be examined.

There are a number of legal issues concerned with the sending of spam. The actual content of the message may be illegal, and thus certain cases will fall to be considered individually. However, to offer protection from spam, the law must also deal with the actual processes involved in sending it. A spammer seeking to exploit third-party systems to use, for example, open-relays that may facilitate the undetected dispatch of spam will infringe the general provisions of the Computer Misuse Act 1990. Section 1 governs unauthorised access to computer material, and s 3 governs unauthorised modification of computer material. Both of these provisions could potentially be employed.

The transposition of EC Directives has provided further provisions to deal with the problems of the “Information Society”. The Data Protection Act 1998, borne of Directive 95/46/EC, protects email addresses since they are “personal data”. The Distance Selling Regulations (SI 2000 No. 2334) govern the formation of contracts made via “distance communications” (email is included within the definition of this term but spam is not specifically mentioned) and the Electronic Commerce (EC Directive) Regulations 2002 (SI 2002 No. 2013, implementing Directive 2000/31/EC), reg 8 provides that any unsolicited commercial communication via electronic mail shall be “clearly and unambiguously identifiable as such”.

This European impetus has resulted in the adoption, however, of a more wholesale approach to the problem in the UK. It is to these new provisions that we must turn.

The Privacy and Electronic Communications Regulations 2003

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003 No. 2426) represent the greatest inroad made so far in addressing the problem of spam. The Regulations implement EC Directive 2002/58/EC, and came into force in the UK on the 11 December 2003. The Regulations make the sending of unsolicited commercial e-mails illegal. In the face of such a widespread problem, it is, however, necessary to examine their efficacy and regulatory potential.

Regulation 22(2) restricts unsolicited commercial email; communications may be sent only where the recipient has “opted-in” to receipt (and thus has consented prospectively, rather than “opting-out” retrospectively). Failure to comply with the requirements of the regulation could result in an action being taken by a person suffering damage as a result of contravention of the provisions against the sender (reg 30), or in the Information Commissioner using enforcement powers to ensure compliance (reg 32).

This rule is, however, subject to the exceptions contained in reg 22(3). A company may use contact details obtained in the course of a sale, or negotiations for a sale, for the sending of direct email marketing (reg 22(3)(a)), but only where such marketing is in respect of similar goods and services (reg 22(3)(b)). This provision effectively precludes the sale of contact details to third parties, ending this lucrative practice. The recipient of such communication must also be given the opportunity to refuse such use in a straightforward, cost-free manner, both at the time of the original collection of contact details, and at the time of each subsequent communication (reg 22(3)(c)). Regulation 23 further prohibits the spammer’s favoured tactic of concealing their identity and contact address details in order to prevent the recipient tracing the message. This provision is also enforced by the Information Commissioner.

The Regulations have been praised and criticised in equal measure. Since reg 2, on Interpretation, defines electronic mail as “any text, voice, sound or image sent over a public communications network”, this will include messages sent via SMS. This technology neutral approach provides a basis upon which to prevent the growth of other forms of unsolicited communication, and this approach must be welcomed.

The “opt-in” approach, which makes the transmission of unsolicited mail illegal unless the recipient has specifically consented, is also to be praised, despite the fact that this is “soft opt-in”; the sending of mail on the basis of a pre-existing business relationship is still allowable in certain circumstances, and these circumstances, of course, will have to be interpreted. The merits of this approach, however, can be demonstrated by reference to the equivalent US provision, the CAN-SPAM Act 2003, which provides for an “opt-out” mechanism. It has been contended that such an arrangement constitutes a “licence to spam”,[11] since the onus is on the user to opt-out, rather than on the sender to refrain in the first place.

The Regulations also provide the ability for persons suffering damage as a result of spam to bring an action against the spammer; thus it is feasible for ISPs to bring actions on behalf of email users, and, given the size of these organisations, such a method of enforcement should not be underestimated.

By the same token, however, the Regulations have been criticised for lacking bite. The Information Commissioner, who will regulate the general state of unsolicited mail in this country, and who will undertake the majority of enforcement, can levy a £5,000 fine, but there are real doubts as to whether the Commissioner can act quickly and decisively enough to stop spam when it is taking place, and the Commissioner himself has called for stronger powers.[12] It may be that the Commissioner will be able to pursue only the largest and most belligerent offenders, who in turn may not be deterred by the potential sanction.

On a similar theme, the Regulations may be criticised for focussing on established businesses rather than the established spammer. In the former case, the scrupulous business will conform rather than risk the damage to reputation that may ensue; the same characteristics, however, cannot be attributed to the dedicated spammer, who has no such considerations to take into account.

Further, the provisions relating to unsolicited electronic mail refer only to “individual subscribers”; thus businesses, equally affected by spam, are not included within the ambit of the Regulations. Spam is no less of a problem for businesses than individuals; this unequal application can only be considered a frailty of the regime.

Spam Law – A Question of Taste?

The latter point illustrates one of the major problems facing any anti-spam legislation; by drawing boundaries, along the lines of individuals and businesses, for example, such provisions vicariously legalise and licence the spam that they exclude. It has been admitted by the Assistant Information Commissioner that the role of the Regulations is to enforce “acceptable norms” of behaviour.[13] Yet the Regulations may not go far enough in this aim; in Italy for example, spammers now face three-year jail sentences. But, such an enforcement approach, whilst fulfilling one of the attributes of effective cyberspace regulation, may not be the answer. Unsolicited advertising may yet ruin email for communication by bringing about the introduction of yet stricter laws that reduce an instant, informal medium to an arid, consent based mechanism for those who wish to use it legitimately. This, combined with the necessity of reciprocal international laws to deal with trans-jurisdictional spammers, leaves the law always subject to qualification, not by virtue of the solution that it offers, but by virtue of the problem that it seeks to address.

Without technological solutions, developed in tandem with domestic and international laws, legal regulation will find itself constantly evaded by the problem that it seeks to address, placing false hope of a solution in the introduction of laws that cannot be enforced effectively, and can, therefore, do little to solve the problem of the dedicated spammer, and thus the problem of spam.

Matthew Brewer is a student at the University of Bristol.