“Spam is one of the most significant challenges facing the Internet today. Its rapid growth threatens the convenience and efficiency of electronic messages and undermines user confidence online more generally. Thus the very purpose of the Internet is under threat.”
“In light of the above statement critically evaluate the terms of the United Kingdom’s Privacy and Electronic Communication (EC Directive) Regulations and assess the effectiveness of those provisions in defeating the ‘challenges’ of spam.”
No sensible challenge can be mounted to the arguments that spam e –mails are both a monumental threat to the integrity of a computer system and a more generalised nuisance in typical day to day access to the Internet. However, the title question addresses only one half of the current issues associated with spam. The purpose attributed to the Internet is not solely that of the individual Internet user. Commercial activity is an equally valid component of Internet use.
Spam as a targeted threat carrying a multitude of potential viruses, spy ware and other insidious digital attackers is properly characterised as a menace to be deterred. Spam as a direct marketing tool is in theory a far more innocuous concept.
The fundamental issue to be addressed is whether an appropriate balance can be struck between these interests, ones that are not competing positions so much as they are disparate. It shall be submitted the UK Privacy and Electronic Communication (EC Directive) Regulations (“the Regulations”) are an entirely inadequate response to the issues posed by Internet spam.
Spam is generally defined as undesired e-mail or junk e –mail; the common attributes to spam are bulk mailings from a typically corporate source, often employing techniques such as anonymizing servers and other methods to mask the sender’s web address or identity.
At a more innocuous level, spam is a bulk mailing that indiscriminately advertises or promotes a commercial product such as erectile dysfunction medication or the promotion of ‘hot’ stock market tips. In its most repulsive format, the spam may be either pornographic in content, an inducement to fraudulent activity or it may contain viruses or other harmful attributes that damage or disable the recipient’s computer. Spam is a consumer of significant system bandwidth and has the capacity to damage large scale computer networks.
The financial cost of spam are also profound, both in terms of direct tolls taken on computer systems and the indirect seepage of productivity in workplaces where spam must be deleted from employee mailboxes on a seemingly incessant basis.
The weapons available to the individual computer user with Internet access to combat spam are relatively straightforward, including:
never opening e-mails received from unknown mail addresses
equipping the computer with anti-spam filtering software, virus protection, and firewalls
Many direct marketing advocates suggest that these simple remedies are ample protection against the unscrupulous; further government regulation represents an unwarranted inhibition of their commercial efforts, analogous to a “No Soliciting” sign in a front door residential window. It is submitted that the question is not nearly so simple.
Notwithstanding the sophistication of anti-spam technology, estimates as to the volume of spam received at both workplace computers and residential addresses ranges from 30 percent to 80 percent of all e-mail received in the UK.
The Regulations, 2003
The Regulations were a much anticipated UK governmental weapon when they were enacted in September, 2003. The UK computer industry hailed the Regulations as “spam busters” that were anticipated to both result in prosecutions of the most prevalent spammers and create a more healthful UK commuting environment.
The Regulations were designed to bring the UK into compliance with the European Community Directive concerning electronic marketing, Directive 2002/58/EC. The EC Directive stressed a balance between the harmonization of regulation between member states in the interest of commercial efficiency and the enhancement of citizen privacy rights.
The Regulations were not restricted to spam. The provisions also restrict the manner in which such digital techniques as cookies (the HTTP method of tracking and authenticating user data), traffic data, and public directories. The act of clicking ones computer mouse to open a spam transmission can potentially provide significant cookie data to the spammer.
The industry optimism of 2003 was replaced by blunt scepticism as to the efficacy of the Regulations by late 2004. The same industry insiders who had lauded the Regulations on their introduction now panned them as ineffective, as no prosecutions had been launched pursuant to the Regulations. Questions were raised as to whether the UK government was truly committed to the spam battle due to the suggested under funding of the enforcement aspects of the Regulations.
The Regulations as promulgated could never have fulfilled their promise due to the structure of the e-mail provisions of the Regulation. The relevant portions of s. 22 the Regulation and commentary are set out below:
1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.”
The Regulation is therefore not applicable to the regulation of corporate and commercial users of the Internet. 2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit… unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, …the sender.
If (2) stood alone in the Regulations, the individual user would have a reasonable line of protection against spam, provided that the user had not previously consented to the transmission 3)(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where–
that person has obtained the contact details of the recipient …in the course of the sale or negotiations for the sale of a product or service to that recipient;
the direct marketing is in respect of that person’s similar products and services only; and
the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing,”
Subsection (3) serves to create an exception to the consumer protection afforded through (2) so as to render the section ineffective. The spam mailer can conceivably obtain the contact particulars of the recipient in a myriad of ways, all of which are unknown to the recipient but entirely legal. The expression ‘similar products and services’ is so broad as to suggest that the subjective opinion of the spammer would be a complete answer to any complaint.
The UK initiative is however not without potential merit. The UK authorities have suggested that the UK ISPs are denying the spammers a place in their networks out the outset and that the Regulation sin this direct fashion are having a desired effect. 
The provisions in the Regulations concerning facsimile transmissions as direct marketing are of interesting in this context. Facsimiles may not be used to direct market goods unless the subscriber has provided their prior consent; the facsimile provisions are more protective of the individual user’s privacy.
As apparently toothless as the Regulations may be in practice, the other options available on a strictly UK based regulatory footing are very modest. The individual Internet user who is bombarded with spam has no practical alternatives – the potential common law tort remedies of invasion of privacy, intentional interference in economic relations, or the pursuit of an injunction have at best a theoretical appeal; the cost of mounting such actions is likely prohibitive.
A corporate complainant has the same concerns as the individual user in terms of legal costs, coupled with the realization that the targets will in all likelihood be far removed from UK legal jurisdiction unless the various reciprocity provisions of the European Community might be engaged, a prospect that assumes EC domicile for the target spammer.
The only viable legal remedy is an extension of the international co-operation exhibited through the response to the Council of Europe Treaty on Cyber Crime, ratified by 33 European nations and signed by four international states to date. It is plain that so long as computers and their requisite networks may be situated anywhere on Earth, a concerted expansion of regulatory efforts is the only true manner in which spam can be regulated.
A number of recent commentators, including Bazelonhave stressed that computer systems, the most global of entities ever created, will require a correspondingly sophisticated transnational legal framework to counter all forms of computer crime. While spam is not always considered a criminal product, the loss of both productivity and computer enjoyment, compounded by user fears of the compromise of their private information, make the concept of an international spam treaty an imperative.
The distinction between the European Treaty of Cyber Crime and the distinct provisions regarding spam as enacted in the Regulations and the initial EC Directive are the fundamental distinction between the readily identifiable criminal computer act, such as the dissemination of child pornography or the perpetration of identity theft, and the clear commercial flavour imparted to the European regulation of spam.
It is submitted that given the potential for misuse and criminality inherent in spam, international powers to combat its spread would be significantly furthered if spam were simply treated as a lesser but included form of cyber crime activity, while holding out the ability to regulate its transmission in carefully defined and legitimate business and commercial settings. In this sense, the prospects of true international enforcement of anti-spam legislation would be enhanced if never perfect. The elevation in the status of spam to a true crime might also carry a significant level of deterrence in the activity that is clearly not present through the enforcement of the current Regulations.
It must also be noted that another avenue exists to encourage the promotion of spam as a criminal act. The G-8 group of nations, of which the UK is a member, has an existing protocol for the sharing of law enforcement information regarding computer crime.
Spam currently rests in an enforcement netherworld – a well defined problem, a significant irritant, but like the weather, no one evidently can do much about it in the current Regulatory climate.
Spam solutions will be ones of stark choice – either a ‘grin and bear it’ Internet consumer attitude, with an assumption of risk that requires the taking of all necessary personal precautions for home computer safety, or encourage the UK to broaden the reach of international cyber crime enforcement to tackle spam as an adjunct to existing computer crime initiatives.
Bazelon, Dana L et al “Computer Crimes Journal” American Criminal Law Review, Vol. 43, 2006 , 1
Dickinson, David “An Architect for Spam Regulation: Federal Communications Law Journal, Vol. 57, 2004
Crews, C.W ‘The Government should not ban E-Mail spam’ In: The Internet – Opposing Viewpoints, James D. Torr, Ed. (New York: Thomson Gale, 2005)
Edlind, Peter J. and David Naylor / Morrison & Forester LLP “United Kingdom: The United Kingdom Privacy and Electronic Communications (EC Directive) Regulations 2003” 09 March 2004
Munir, A.B. “Unsolicited Commercial E-Mai: Implementing the EU Directive (2004)” Computer and Telecommunications Law Review, Vol. 10, Issue 5
Nordlinger, Jay, ‘The government should ban E-mail spam’, In: The Internet – Opposing Viewpoints, James D. Torr, Ed. (New York: Thomson Gale, 2005)
Silicon.com “UK soft on spam” (August 11, 2005) http://www.silicon.com/research/specialreports/thespamreport/0,39025001,39151286,00.htm (accessed January 21, 2007)
ZDnet “UK law smashes consumer spam” (September 18, 2003)
http://news.zdnet.co.uk/internet/0,1000000097,39116473,00.htm (Accessed January 20, 2007)
ZDnet “UK law failing to nail spammers” (December 13, 2004) http://news.zdnet.co.uk/internet/0,1000000097,39181034,00.htm (Accessed January 20, 2007)
Table of Regulations
Directive 2002/58/EC, (Directive on privacy and electronic communications)
The United Kingdom Privacy and Electronic Communications (EC Directive) Regulations 2003