CHAPTER 4 INTERNATIONAL INITIATIVES TO COMBAT SPAM ITU AND OECD
In the first three chapters the basis for the study was laid by noting how spam evolved into the scourge it is today. Also the technological measures put in place in order to combat spam were considered. The international arena entered the discourse as far back as the early 2000s lending its voice in this ongoing process. A number of international organisations (some of which were highlighted in the previous chapter), were formed with the sole purpose of creating awareness of this problem, and coming up with solutions. In this chapter focus is on the two organisations which conducts research among others in combating spam, namely: the ITU; and the OECD.
The research undertaken by these organisations has been and remains instrumental in encouraging the transposition of Model Laws to the national level, encouraging mutual agreements in combating spam at a global level, advising regional communities on their initiatives to address the issue of spam, and the question of enforcement.
Here a discussion on initiatives by these two organisations to estabish how this battle has been waged through the years and whether there are solutions in sight for this ever-escalating problem is undertaken. Focus will be on the backgrounds of each organisation, research and initiatives the organisations has undertaken, and the recommendations each has come up with. Surveys, discussion documents, and reports are highlighted to establish whether they offer solutions to the problem.
International Telecommunications Union (ITU)
The ITU was established in 1865 to facilitate and regulate the interconnection and inter-operability of national telegraph networks.1 Over the years, its mandate has extended to cover the development of radio-communication and telecommunication, among others.2 The ITU has also been a specialised agency of the United Nations (UN) since 1947.3 It has over 190 member states and 700 private-sector members.4
The overall objectives of the ITU are to promote the development of telecommunication networks and access to telecommunication services by fostering cooperation between governments and a range of non-governmental actors, which include a variety of role players.5 The three main sectors6 of the ITU are: Radio-communications (ITU-R); Telecommunication development (ITU-D); and Telecommunication standards (ITU-T).7 Focus will be on the ITU-T sector whose mandate it is to research and put forth initiatives in combating spam.
The Telecommunication Standards Sector (ITU-T)
The ITU-T assembles experts from around the world to develop international standards known as ITU-T recommendations.8 These recommendations act as defining elements in the global infrastructure of ICT.9 The framework of the ITU-T sector includes the following groups and/or activities: the World Telecommunication Standardisation Assemblies10 – an assembly that sets out the overall direction and structure for the ITU-T;11 the Telecommunication Standardisation Advisory Group12 which provides ITU-T with flexibility between WTSA by reviewing priorities, programmes, operations, and strategies, among other things;13 and study groups which represent the standardised work of the ITU-T by technical study groups. Representatives of the ITU-T membership develop recommendations (standards) for various fields of international telecommunication;14 hold workshops and seminars to promote existing work areas and explore new ones;15 and Technology Watch, which identifies and surveys emerging technologies and their likely impact on future standardisation for both developed and developing countries.16
Study Group 17
Study Group 1717 was formed by the merging of study groups 7 and 10 in 2001.18 SG17 coordinates security-related work across all ITU-T study groups which includes cyber-security, security management, identity management, and countering spam.19 SG17 has been designated the “Lead Study Group” (LSG) for the telecommunication security sector.20 The objective of the ITU’s study of spam is to help member states and relevant operating agencies to investigate the significance and characteristics of their spam issues.21
Countering and combating spam
The ITU’s initial activities relating to countering spam consisted of a discussion framework for international cooperation.22 Following the recommendations of the Global Symposium Regulator (GSR) a virtual conference on regulatory cooperation on spam was held on 30 March 2004.23 In May of the same year, the spam laws and authorities web site was created containing data from more than 40 countries which had adopted anti-spam measures.24 This web site is updated continuously with information received directly from member states.25 The web site maintains a webpage dedicated to international cooperation initiatives, providing information on the content and scope of new projects, referring to and linking with the organising or responsible entities, and maintaining an updated list of interesting meetings and conferences on the topic.26
The ITU World Summit on the Information Society27 Thematic Meeting on countering spam followed,28 where it was noted that: “spam was becoming a major concern taking into account fraudulent activities such as phishing which threatened the confidence in e-mail and the Internet as a whole”.29 The following sessions covering the topics below were held at this meeting: the scope of the problem; technical solutions; consumer education and awareness; spam legislation and enforcement (a cross-border issue); multilateral and bilateral cooperation; and frameworks for international action.30
In 2005 it was noted that spam had developed into a real threat to the security of e-mails and of the Internet as a whole.31 Also noted was that spam is a significant and growing business for users, networks, and the Internet as a whole, and that to build confidence and security in the use of ICTs, there is a need to take appropriate action at both national and international levels.32
In realising its objective of countering spam, the ITU conducted a survey among its member states to establish their anti-spam measures or lack thereof.33 The survey was conducted in 2004 and involved 189 ITU member states.34 Of the 189 member states who participated, only 58 responses were received.35 The survey revealed that while a number of countries had implemented anti-spam laws,36 several countries used alternative laws – such as data protection laws, consumer protection laws, or electronic commerce laws – to address the spam issue.37 In other countries laws used to enforce spam fell under the jurisdiction of communication regulators and other related bodies.38 Some countries were in the process of discussing the adoption of specific anti-spam legislation,39 while several countries had developed no anti-spam legislation at that time.40
Approaches to combating spam by the ITU
The ITU noted that since spam is a serious problem for the Internet it concluded that a single approach to resolving the problem was inadequate and that a coordinated global approach was required.41 The ITU further observed that spam was a problem impacting on privacy issues, the protection of minors and human dignity, additional costs for businesses, and a loss of productivity. Furthermore, spam was increasingly used in combination with or as a vehicle for viruses.42 It was further noted that spam generally undermines consumer confidence which is essential for the success of electronic commerce, electronic services, and the development of the information society.43 The acknowledgment of this problem as one with global implications gave rise to a number of initiatives in the fight against spam.
A coordinated global approach was outlined in Resolutions 5144 and 52 and included a multi-pronged or comprehensive approach to combating spam. This was reiterated in 2006 when it was noted that this approach should include international cooperation to counter the problems associated with cyber security, including spam.45 These two resolutions were later combined to form a consolidated ‘Resolution 52’ on countering and combating spam.
A comprehensive or multi-pronged approach to combating spam (Resolution 52)
The ITU considered that exchanging e-mails and other forms of telecommunication over the Internet had become one of the main means of communication between people around the world.46 The ITU also noted that with a variety of definitions for spam, it was clear that spam has become a widespread problem resulting in potential loss of revenue for ISPs, telecommunication operators, mobile telecommunication operators, and business users alike.47 Countering spam by technical means burdens affected entities, including network operators, ISPs, and users who receive spam against their wishes.48
Further, spam is often used for criminal, fraudulent, or deceptive activities and is a global problem that requires international cooperation if solutions are to be found.49 Addressing the issue of spam has become a matter of urgency and that a “multi-pronged” or “comprehensive approach” to combating spam was important. Resolution 52, which outlined the following multi-pronged approach: strong legislation; the development of technical measures; the establishment of industry partnerships to accelerate the studies; education; and international cooperation.50 All five elements will be discussed in order to review the recommendations and or guidelines mooted.
First on the list of a multi-pronged approach to combating spam is strong legislation. According to the ITU, “legislation is a fundamental tool in the anti-spam battle and care must be taken in enacting appropriate and efficient legislation in conjunction with appropriate enforcement”.51 And that spam is a “horizontal issue” touching different aspects of telecommunications, trade, privacy and consumer protection.52 Therefore, the legal framework that must be put in place to combat spam is complex owing, in particular, to the multitude of laws that have been enacted and differing national authorities which deal with the topic.53
The first step to strong legislation is to identify and use or create laws to prohibit spam in one’s country.54 For the ITU, there is a need not only to embrace national approaches to spam, but also to be clear on the international component of those anti-spam responses as, realistically, no one is able to stop spam on his or her own.55 Each set of laws should be seen as part of a web of anti-spam legislation stretching around the globe.56 The ITU noted that the first anti-spam law was enacted when an average e-mail user received approximately one unsolicited commercial e-mail message per week, and since then the volume of spam has increased.57 The ITU further noted that while countries have enacted anti-spam laws, those laws have largely been “sentimental laws” and were passed for purposes of having legislation in place.58 Little effort or design was put into how these laws were to be enforced.59 Those who had anti-spam legislation in place were seen to have failed to harmonise their legislation so as to provide greater protection for their consumers by ensuring that the laws not only protect users nationally, but that they also do so internationally.60 Adopting effective legislation was seen as the first and essential step in combating spam. And while legislation may not on its own be sufficient, it was seen as a minimum necessity to cope with spam to define the rights and obligations, and thereby ensure as much legal certainty as possible.61 In dealing with this issue the ITU noted that while there were anti-spam legislation in place, there were also challenges facing its implementation.
(b) Challenges in implementing legislation to combat spam at national level
The ITU observed that in countries with anti-spam laws, there was a trend towards adopting spam-specific regulation rather than simply applying general-purpose laws to electronic communications.62 It also noted that spam posed unusual challenges to regulation given its cross-border context and unique financial structures.63 Legislators were advised to adopt rules aimed specifically at spam and emphasise the need to align existing laws64 for example, data protection and anti-fraud provisions – with these new rules to ensure that the theories underlying the regulations are coherent.65 These laws vary considerably in their approach to tackling the issue of spam. This includes the way in which countries define the term spam and the mechanisms they use to regulate it.66 These countries also set requirements subject to which unsolicited communications can be sent. These requirements are discussed in greater detail below.
(c) Requirements for strong anti-spam legislation
Definition of spam
The ITU noted that there is no agreed definition of spam generally accepted by stakeholders embodied in anti-spam laws.67 Therefore, the initial decision for legislators when assessing spam, is whether to differentiate between messages on the basis of their content or of their purpose.68 A further characteristic is that spam is sent in bulk – whereby the sender distributes a large number of essentially identical messages and recipients are chosen indiscriminately.69 Many spam laws focus on messages with a commercial content which presupposes the advertising of products and services addressed to recipients.70
While there is disagreement and confusion as to the precise definition, it was noted that there is fairly widespread agreement that spam exhibits certain general characteristics. First, spam generally takes the form of an electronic message – in most cases restricted to e-mail but there are other methods of delivering spam including: SMS; Voiceover Internet Protocol (VoIP); and mobile phone multimedia messaging services.71 Secondly, spam is unsolicited in that no consent is given for the receipt of the messages.72
Mechanisms for regulating spam
The ITU advised that in order to regulate spam, legislators should, in the initial phase, determine whether unsolicited messages are permitted or forbidden.73 To that end, anti-spam legislation should either adopt the “opt-out mechanism”, or the “opt-in mechanism”.74 These mechanisms, while common, vary from country to country. Opt-in regimes focus on the means of obtaining, recording, and revoking consent, while the opt-out regime concentrates on how recipients can indicate that they do not wish to receive messages.75
This mechanism requires prior consent from the recipient before any marketing correspondence can be sent.76 The opt-in mechanism discourages marketers from sending spam to consumers unless they have clearly asked to receive those messages.77 The ITU noted that “those who adopt this approach are making a statement that marketers should not send messages to recipients unless those recipients have expressly asked to receive such communications”.78 Under the opt-in approach affirmative requests for messages may be delivered directly by a recipient in the form of an actual request, or consent can be constructively construed if the sender has an existing business relationship with the recipient.79 The ITU noted in some jurisdictions that have adopted this approach, also create an exception for business entities with which recipients have a pre-existing business relationship.80 In that case, member countries could choose between the opt-in and opt-out approaches, provided that they respect the legitimate interests of subscribers with regard to unsolicited communications.81
The ITU pointed out that the critics of the opt-in mechanism contend that it unreasonably burdens legitimate business.82 Direct marketers have in this case cited statistics to show that some e-mail users wish to receive unsolicited offers via e-mail, and that closing that channel entirely would be overly restrictive and burdensome.83 The ITU also noted that approximately one-third of anti-spam laws are considered to have adopted the opt-in mechanism.84 It also observed that although these laws have proliferated over the years, prosecutions under them remain virtually non-existent.85 The ITU further noted that any anti-spam regime with an opt-in system at its core, is almost certain to offer a more aggressive anti-spam regime than the opt-out system.86
As regards the opt-out mehanism, the ITU noted that this regime considers direct marketing, and therefore unsolicited commercial communication, a legitimate activity unless certain conditions are not respected.87 The opt-out approach advocates that a sender may send a message to a recipient even if there is no existing business relationship. It is important to note that the recipients must have not specifically elected to receive such messages.88 Laws that advocate for this mechanism, typically require the sender to honour the requests of recipients to be removed from its mailing list.89
Critics of the opt-out mechanism note that this mechanism legalises spam because it does not expressly provide that the sending of unsolicited e-mail messages is illegal.90 Instead, this mechanism provides a framework under which such messages may be sent as a result exacerbating the problem.91 It is noted that most users already have strong preconceptions regarding spam, and they have been widely advised not to open or reply to any spam messages to avoid confirming that their e-mail addresses are active.92 The ITU observed that approximately two-thirds of world’s anti-spam laws can be regarded as expressions of the opt-out mechanism.93 It noted further that two of the most effective anti-spam laws originated in two states in the USA which have adopted the opt-out mechanism as their default mechanism.94 The same was later adopted by the federal law in 2003. Even the OECD noted that while these laws appeared to have been weak on paper, they managed to address the practical problems prosecutors face when enforcing laws against spammers.95 Regarding these two mechanisms (opt-in and opt-out) the ITU noted that the lesson to be learned is “that the strength of the sentiment in a specific law bears little correlation to the successful enforcement of that law”.96
Note should be taken here that the first two requirements – the definition and the mechanisms – are found in most anti-spam laws currently in force. However, in most jurisdictions the requirements that follow do not necessarily apply either in whole or in part. In the discussion below I continue by outlining additional requirements for anti-spam laws.
Fraudulent or misleading header information
The ITU defines a subject line as part of the message body which is generally displayed by a user’s e-mail application system along with the sender’s name and address.97 It is common cause that spam messages often contain false subject lines designed to lure users into opening and viewing the messages.98 The ITU noted that a common concern regarding subject-line requirements is “the burden they place on legitimate law-compliant advertisers while having no effect on non-compliant senders”.99
TABLE OF CONTENT
TABLE OF ABBREVIATIONS
CHAPTER 1 BACKGROUND TO THE STUDY
1.2 Scope and purpose of this study
1.3 Synopsis: Chapter trajectory
CHAPTER 2 DIRECT MARKETING AND THE DEVELOPMENT OF SPAM VIA ELECTRONIC COMMUNICATIONS
2.2 Direct marketing
2.3 Development of spam via electronic communications
2.4 Lucrative business for spammers
CHAPTER 3 THE EFFECT OF SPAM ON E-MAIL MESSAGES
3.2 Methods used to extract e-mail addresses for purposes of spam
3.3 Problems caused by spam
3.4 Technical measures for combating spam
CHAPTER 4 INTERNATIONAL INITIATIVES TO COMBAT SPAM
4.2 International Telecommunications Union (ITU)
4.3 Countering and combating spam
4.4 The OECD
4.5 Commentary and conclusion on the ITU and OECD initiatives
CHAPTER 5 REGIONAL INITIATIVES TO COMBAT SPAM: AFRICAN REGION
5.2 African Region
5.3 Combating spam in the African region
5.4 Contexualisation of the African region’s Model Laws and Conventions
CHAPTER 6 A COMPARATIVE STUDY OF ANTI-SPAM LAWS: THE UNITED STATES OF AMERICA (USA)
6.2 Anti-spam laws at state level in the USA
6.3 Anti-spam legislation at federal level
6.4 Commentary on the CAN-SPAM Act
6.5 Solutions for improvements to the CAN-SPAM Act
6.6 Concluding remarks
CHAPTER 7 A COMPARATIVE STUDY OF ANTI-SPAM LAWS: AUSTRALIA
7.2 Anti-spam legislation in Australia
7.3 Other multi-faceted measures to combat spam
CHAPTER 8 A COMPARATIVE STUDY OF ANTI-SPAM LAWS: A SOUTH AFRICAN PERSPECTIVE
8.2 The ECT Act 25 of 2002
8.3 Consumer Protection Act 68 of 2008
8.4 Protection of Personal Information Act 4 of 2013
8.5 Bills on unsolicited electronic communications
8.6 Contextualisation of South Africa’s anti-spam and direct-marketing provisions
CHAPTER 9 RECOMMENDATIONS AND CONCLUSION
9.1 Summing up the issues
9.2 A multi-layered approach to combating spam
9.3 Recommendations and conclusion
GET THE COMPLETE PROJECT