Infosecurity Europe 2004 - The shortcomings of Europe's war against spam are highlighted in a study of anti-spam legislation published today.
The Institute for Information Law (IViR) of the University of Amsterdam and security firm Sybari Software looked into the law regulating unsolicited commercial email (i.e. spam) in the EU. Special emphasis was placed on the EU's July 2002 Directive on Privacy and Electronic Communications.
Their report reveals weak spots in the implementation and enforcement of anti-spam legislation. For example, interpretation of a number of important aspects of the Directive is left to individual countries. So spamming is a criminal offence in Italy - but not in the UK.
Meanwhile, many countries have dragged their heels on implementing EU rules. The European Commission has issued warnings to eight countries - Belgium, Germany, Greece, France, Luxembourg, the Netherlands, Portugal and Finland - for not implementing the directive in time.
The IViR study tried to identify potential liabilities for ISPs and businesses arising as a result of obligations under the directive.
It notes that the Directive "fails to introduce a strong right" for users to object to their ISPs about deficiencies in spam filtering. The Directive also places extra responsibilities on employers, while giving little in return. Organisations have a duty to protect employees against receiving pornographic email. Businesses also risk being held responsible if rogue employees send out spam from a corporate account. But the directive only prohibits spamming individuals and not the email boxes of businesses.
Jeux sans frontieres
Even if European legislation were perfectly framed and widely enforced, it could do little to reduce the volume of spam. This is because most spam originates from outside Europe. EU rules harmonise opt-in rules for the dispatch of commercial email across Europe, but unless an international approach is adopted this regime is "rendered meaningless", the IViR concludes.
The IViR study also looked at how consumers and businesses can still use other parts of the law to fight spam. Trespass to chattel can be used by providers to refuse spammers access to their networks. Civil law tort could be relevant in some cases. European Commission law prohibiting unsolicited communication without prior consent is complemented by civil law liabilities in individual member states.
Many of the shortcomings of EU anti-spam law were predicted in advance by anti-spam activists like Steve Linford of Spamhaus, and ignored by politicians.
Lodewijk Asscher, head of research at the IViR, agreed with this assessment but nonetheless remains resolutely upbeat about Europe's anti-spam laws. "All in all, the new anti-spam regime is a useful step forward," he said. "However, it is only a first step and it should be followed up by a stronger pan-European guarantee for efficient complaint mechanisms, serious enforcement tools, effective international cooperation and education on the ways to protect oneself from spam."
The complete 80-page study, conclusions and recommendations can be found here.
Are you drowning under spam?
In addition to the legal study, Sybari Software and the IViR conducted a survey of IT pros in 180 companies from 12 European countries into their experiences with spam. The survey also covered the attitudes towards spam of technology professionals, system administrators and IT decision makers.
The vast majority of those surveyed (82 per cent) said that their government had so far failed to communicate local spam law changes to their organisation. More than half (56 per cent) rejected the idea that their organisation should have any legal responsibility to protect employees from obscene, pornographic or offensive emails.
More than one in four (29 per cent) of the companies polled said they have stopped sending unsolicited commercial email out to non-clients at some time in the last five months. The survey fails to shed any light on how many organisations carried out this questionable business practice before the directive came out.
Respondents estimate that spam costs their organisation €300 per employee, per year in wasted time, administration costs, wasted bandwidth and squandered IT resources.
Troy Swanson, an anti-spam analyst at Sybari Software, said the survey showed many organisations are unclear about local spam legislation and responsibilities. "The survey results are quite alarming considering that they are the opinions of the people that are most entrenched in the spam issue - corporate messaging professionals." ®