
Spam and the law

Spam is illegal in many countries and Russia is certainly no exception. So why then is it mostly left up to the technical experts to try to combat the problem when it could be argued that the legislature should be leading the crusade? In this article we will discuss anti-spam legislation as it exists in different countries around the world, focusing on how effective such legislation is and what prevents it from being more so.

What makes spam so dangerous and why is it so difficult to combat?

There can be no Internet or email user out there that at one time or another has not come into contact with spam. Currently, spam messages account for over 85% of all the mail traffic on the Internet.

Spam can cause a number of very serious problems, not least of which are excessive mail traffic, unrecoverable costs generated by staff productivity losses and server overloads, this last being a real headache for email providers and system administrators. But it doesn’t end there. Due to its perceived anonymity, spam is an effective tool for fraudulent activities such as the advertising of counterfeit goods and other forms of contraband, the distribution of pornography and a host of other crimes besides. Additionally, spam acts as a malware ‘delivery service’. A malicious program can be attached to an email, or a link can be placed in the body of an email that points to an infected website. Phishers also employ spam to trick users into visiting fake versions of well known websites with the intention of stealing their confidential data.

Any email system, including those provided free of charge, will employ integrated spam filtering to allow legitimate emails to be separated from unsolicited advertisements. However, it is impossible to filter out every spam email without impacting legitimate correspondence and it is for this reason that we continue to receive invitations to different seminars, advertisements for medication to improve potency, notifications of lottery wins, etc.

One of the main difficulties in fighting spam is that spam is international. The virtual world does not have borders so spammers can easily operate on a global basis. The same spam message may end up in a user’s inbox in Canada, Australia or elsewhere. An unsolicited advertisement written in Chinese may be distributed from an infected computer in India with the help of a management center located in Russia. We can only guess at where the spammers themselves reside.

However, whilst the spam itself remains unbounded, anti-spam legislation, which differs from country to country, does have to respect territorial borders. Sometimes legislation may not be uniform throughout a single country and in some places there may even be no anti-spam legislation at all. This of course hinders the possibility of bringing cybercriminals to justice.

Cases involving spam are notoriously difficult to investigate and it is even more difficult to prove the spammers’ guilt. However, that’s not the only issue. The second problem is that many people, including some authorities whose job it is to protect us, simply underestimate the damage that spam can do, often seeing little problem in the mere fact that unsolicited correspondence is to be found in someone’s inbox. That is why much less attention is paid to the question of fighting spam than, for example, to the question of computer fraud.

Anti-spam Legislation: A short history

The process that initiated the creation of statutory instruments regulating Internet activity began during the 1980s, with the 1990s seeing the introduction of an international legal framework for this purpose. However, the majority of the legislation was brought in towards the end of the 1990s and the beginning of the year 2000. This does not mean that cybercrimes committed before this date went unpunished – very many of them fell within the realms of legislation that already existed. The development of technologies and the worldwide spread of the Internet necessitated a more detailed description of the new types of crime committed on the Internet and the methods that the cybercriminals used to commit them.

On 8 June, 2000 the European Parliament and the European Council adopted Directive 2000/31/EC, otherwise referred to as The Directive on Electronic Commerce, in order to provide a framework of regulation for e-commerce within the EU. The directive covers the process of purchasing goods and services over the Internet.

On 23 December 2001, the European Council adopted the Convention on Cybercrime. This convention has currently been approved by 46 countries, with 24 of them having ratified it. The convention requires that parties establish legislation against cybercrime and take other necessary measures to prosecute cybercrime offenses effectively. It covers a wide range of crimes such as unauthorized access to personal data, computer fraud, the distribution of pornography and copyright infringement. Unfortunately Russia, China and some Latin American countries, the key sources of spam and malware, are not among the countries which have signed up to the convention.

On 12 July 2002, the European Parliament and the European Council introduced Directive 2002/58/EC, otherwise known as The Directive on Privacy and Electronic Communications. This is concerned with the processing of personal data and the protection of privacy in the electronic communications sector. It also criminalizes the sending of unsolicited bulk emails for commercial purposes.

The jurisdiction of both directives is rather restricted however, and this has led to many European countries creating and ratifying their own supplementary legislation concerning cybercrime and spam distribution.

The Convention on Cybercrime and the directives of the European Parliament and the European Council compelled many EU countries, as well as the USA and Australia, to adopt anti-spam legislation and to augment any relevant legislation already in existence.

In Europe and the USA a raft of anti-spam legislation was introduced between 2000 and 2003, whilst this process happened a few years later in Eastern and Latin American countries. China and Russia adopted anti-spam legislation in 2006 and India and Brazil in 2008. The participation of these countries in the struggle against unsolicited correspondence is very important because they are major sources of spam. In 2009 Russia, Brazil and India took 2nd, 3rd and 4th places respectively in the rating of the Top 10 originators of spam. China was also up there among the leaders.

Sources of spam in 2009

Principles of anti-spam legislation

Obviously the legislative authorities of different countries liaise with one another and that is why any anti-spam legislation introduced in these countries will have much in common:

  • The OPT-IN principle: a user must not receive any bulk email if they have not specifically subscribed to the service;
  • The OPT-OUT principle: a user must always have the opportunity to unsubscribe from any mailing list;
  • An email must clearly show the sender’s address, the From field must show who the real sender is and any information about the source of the message and its transmission path must not be falsified;
  • The message header must reflect its content and messages containing advertisements must be appropriately marked;
  • An email must contain a sender’s contact details, in particular their reply address;
  • Software designed to harvest addresses must not be used.

OPT-IN, which is considered to be the most important element of anti-spam legislation, is accepted almost everywhere. However, there are differences and restrictions. For example, in the UK the law refers only to emails sent to users’ private email addresses. This means that spam reaching corporate mail boxes falls outside the realms of the legislation. In Germany, bulk emails containing advertisements are allowed providing that the user has bought something from an advertiser previously.

Probably the most notable piece of anti-spam legislation is the American CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act). This act states that unsolicited commercial emails must be marked accordingly. For example, the subject line of the message must contain the word ‘AD’ or ‘Advertisement’. It must include the sender’s physical address and provide the recipient with the possibility of unsubscribing. This law also forbids the harvesting of email addresses via monitoring websites as well as the automatic selection of addresses using the substitution technique. Violation of the CAN-SPAM Act is punishable by fine or even imprisonment. However, this law does not include the OPT-IN principle: the user’s prior consent to receive bulk emails is not required. In other words, the distribution of any quantity of emails is permissible provided that they contain a proper reply address and meet the requirements of the OPT-OUT principle.

Despite the absence of the OPT-IN principle, US federal anti-spam legislation is still pretty effective. As recently as May 2009, several people were found guilty of violating the CAN-SPAM Act. One of them was Alan Ralsky, who was sentenced to 4 years and 3 months in prison, followed by 5 years’ probation, and ordered to pay a fine of [US] $250,000 for fraud, criminal conspiracy and the distribution of bulk emails.

The harshest anti-spam legislation currently in existence is the Australian Spam Act 2003, which, as with similar legislation, requires that a sender provide a recipient with information about themselves and with the possibility to unsubscribe if they wish. Additionally, prior consent from users to receive bulk emails is required. Fines for spam distribution fixed by this law are very high and may reach [Australian] $1.1 million (approximately US $800,000) for each unwanted email sent to multiple addresses. The Australian government actively involves Internet providers in the struggle against spam: they are required to detect zombie computers on their networks (infected end-user computers which distribute malware and spam) and help their users to treat infected machines. Additionally, users are offered an easy spam notification tool: one mouse click is enough to send a sample of an unsolicited email to the state agencies whose task it is to control spam.

The Spam Act 2003 has considerably reduced the amount of spam originating from Australia. Before this piece of legislation was adopted this country had frequently been in the Top 10 sources of spam, whilst after it came into force in 2003, Australia occasionally dropped so far down the list as not to appear in the Top 20 at all. Unfortunately, that does not mean there is less spam in Australia now – the spammers have just changed their location, transferring their activity to other nations. Those who persist in such nefarious activities in Australia are regularly brought to justice. For example, in March 2010, one offender was handed a fine of [Australian] $22,000 (about US $20,000) for distributing commercial spam in violation of the national spam legislation.

Chinese anti-spam legislation introduced in 2006 under the title of ‘Internet Email Service Policing Methodology’ follows the examples set by other countries in this field. It also includes some interesting innovations: it adheres to the OPT-IN principle, but commercial spam must in any case be marked with ‘AD’ whether or not the originator has the prior consent of the recipient. Additionally, the law requires that a sender must offer the user a chance to unsubscribe if they do not wish to receive any further emails (OPT-OUT). The use of software designed for the harvesting and sale of email addresses is also forbidden. Chinese anti-spam law regulates providers’ activities as well: a provider must first register and obtain a government license allowing the provider to offer Internet email services. Any violation of this law can have dire consequences – a provider may be heavily fined or have their license revoked.

Anti-spam laws in Russia

In Russia, two pieces of legislation exist that are intended to protect Internet users from spam – the federal law ‘On Advertising’ and the federal law ‘On Personal Data’. Both instruments clearly indicate that sending bulk mail is only allowed with the recipients’ consent, adhering to the OPT-IN principle.

Unfortunately this legislation is not enforced very often.

There are two reasons for this. The first reason is that the legislation includes many exceptions and the second is that the legislation is poorly drafted and ambiguous. For example, the legislation does not actually define what constitutes ‘spam’. It is also unclear exactly how an operator or a distributor of advertisements should prove that they have a recipient’s consent. Some lawyers also point out that the mere fact that the onus is on the operator or the distributor of advertisements to prove that they have such consent violates the assumption of innocence until proven guilty.

Fighting the spammers: the goals and the reality

As we can see, practically all of the developed and developing nations have adopted anti-spam legislation. Nonetheless, the amount of spam in mail traffic continues to grow every year. During the period 2003 to 2004 when anti-spam legislation was introduced in the USA and the majority of EU countries, many people thought that spam would soon become a thing of the past. Seven years on and new legislation is in place, old legislation has been improved, yet the situation has worsened. Why?

Well, first of all, as mentioned above, spam is an international phenomenon which does not respect national borders, so only pan-national legislative solutions can be truly effective. Of course, by this we are not advocating the development of a legal framework that would take precedence over local legislation. If this were to happen then the establishment of an international organization would be required. It is important that local legislation apply common principles. Additionally, there should be a single international mechanism for cooperation in this sphere, for example, an international non-commercial organization empowered to aid the executive bodies of the different countries in the fight against the spammers – a kind of cyber-Interpol that could focus on the problems of computer fraud, malware and spam. Similar organizations (for example CERT) already exist in Europe and among their tasks are the unification of legislation and the facilitation of international cooperation on spam-related issues (see: ec.europa.eu [PDF 946,35 KB]). In the other regions of the world this cooperation is not nearly so well developed.

The second reason for the worsening of the spam situation is that no country has a law to prevent the ordering of bulk mailing by those who have a product to sell, though they are much easier to trace and prosecute as their contact details appear in every spam email. Unlike the spammers themselves, those who employ the services of the spammers cannot remain anonymous. Such a law, if adopted, would remove any small businesses using spam as an advertising medium from the market, thus immediately identifying those remaining as fraudsters. The only problem here is that such a law renders falsification and slander possible – in order to knobble a competitor it would be enough to distribute spam purporting to originate from their network. Nevertheless it is hoped that a proper judicial approach will allow the development of a legal framework that will eventually help to reduce the overall level of spam.

Though effective anti-spam legislation should of course prevent small businesses from using spam to advertise their goods and services, small business must still be given the opportunity to legally advertise their products via email and other e-means. In this way, a user will only receive advertisements interesting to them and an advertiser will in their turn be able to target potential customers. This is the idea behind thematic portals that offer users the possibility to subscribe and unsubscribe. It should be noted that in the countries where such systems already exist, in the USA for example, small businesses only use spammer services on the rarest of occasions. In Russia this opportunity is offered by some electronic bulletin boards, but they are not very popular.

Another important element in combating spam is educating Internet users. First and foremost this applies to the representatives of the relevant enforcement agencies. If this group of people can be made fully aware of the scope of the problems caused by spam it is envisaged that development of the necessary legislation and its application would follow very shortly thereafter.

No law in itself is able to prevent the distribution of spam. The world at large needs to recognize that spam is a serious problem and that real progress can only be achieved if each country develops and implements a commonly agreed legislative framework. This needs to happen alongside closer international cooperation and the introduction of a package of measures aimed at educating Internet users.
