Untouchable?:A Canadian Perspective on the Anti-

Spam Battle

Michael GeistCanada Research Chair in Internet & E-commerce Law

University of Ottawa, Faculty of Law

October 2004

2

The Spam Myths

>spam originates offshore>the delete key>the private sector >law is powerless>canadian anti-spam

legislation

3

Outline > The spam problem> Three Phases of Dealing With Spam

• Phase One - Spam as an Annoyance

• Phase Two - The Three Anti-Spam Pillars

• Phase Three - Getting Serious About Spam

4

Spam Growth > Estimated Cost - $10 - 87 Billion/year> 70% of email now spam> 90% of S. Korean email now spam> AOL - Blocking over 2 billion spam per day> 75% of spam now uses HTML> Profitability at response rate under 0.0001%> Brightmail estimates $250 million in profitability for

spammers in 2003

5

Canadian Spam > 10 of the 200 spammers worldwide (Spamhaus

ROKSO list) are Canadian> Top 200 spammers responsible for 90% of global

spam> Sophos ranks Canada as top ten source of spam

worldwide

6

The Spam Problem > Cost shifting> Privacy> Intermediary effects> Deception and fraud> Lost e-commerce confidence> Lost e-communication confidence

7

Phase One - Spam as an Annoyance > 1995 - 1999> Anti-spam groups form> Sporadic legislative initiatives but emphasis on private sector

leadership> Private sector legal tactics

• Contract• Criminal• Trademark• Trespass

> Private sector technical tactics - MAPS RBL, UDP> Public sector enforcement - FTC brings first action in 1998> Spammers fight back with own suits

8

Phase One - Spam as an Annoyance The federal government believes that its current policy and legal frameworks will continue to foster strong Internet growth and development in Canada while at the same time dealing adequately with computer abuse and criminal activity. Spam is but one of the new elements emerging from increased Internet growth and development. The government believes that an appropriate mix of policies and laws, consumer awareness, responsible Internet industry stakeholders and technological solutions is the best and most appropriate way to deal with behaviour in the new and evolving on-line environment. The government believes that Canada has this right mix today but will continue to monitor developments and consider changes if they are required.

- Industry Canada, 1999

9

Phase One - Spam as an Annoyance > Problem -- doesn’t work

• Spam continues grow• Isolated private sector actions have

limited deterrence value and are expensive

• Inconsistent legislative proposals

10

Phase Two - The Three Anti-Spam Pillars > 2000 - 2003> Spam problem worsens> Focus shifts to three pillars

• Technology• Education• Legal Solutions

11

Phase Two - The Three Anti-Spam Pillars > Technology

• Filters• Authentication

> Problems:• Cost• False Positives (Solution worse than the

problem)• Privacy• Spammer technological response

12

Phase Two - The Three Anti-Spam Pillars > Education

• Educate businesses via industry codes• Educate consumers on how to respond to spam

> Problems:• Lack of legal weight to codes• Bad actors• Inconsistent consumer messaging - opt-in vs.

opt-out

13

Phase Two - The Three Anti-Spam Pillars > Legal Solutions

• Global shift toward anti-spam legislation including US, Europe, Japan, South Korea, and Australia

> Key provisionso Definitional issueso Private rights of actiono Significant damageso Labeling requirementso Deceptive practices (headers, spoofing, etc.)o Email harvesting/Dictionary attackso ISP immunityo Opt-out vs. opt-ino Do-not-spam listso Commissioning spam

14

Phase Two - The Three Anti-Spam Pillars > Legal Solutions - Canada> Consider prospect for anti-spam legislation

in 2003> Focus on four main legislative solutions

• PIPEDA• Criminal Code• Competition Bureau, Fair Practices Branch• Telecommunications Act

15

Phase Two - The Three Anti-Spam Pillars > PIPEDA

• Email addresses as personally identifiable information

• Respecting opt-outs• Harvesting email addresses• Accountability• Security

16

Phase Two - The Three Anti-Spam Pillars > Competition Act

• Sections 51(1) and 74.01 - false or misleading representations for purpose of promoting product or service

• Significant fines > Could target:

• False or deceptive headers• Content of certain email

> FTC focused on deceptive practice legislation

17

Phase Two - The Three Anti-Spam Pillars > Criminal Code

• Section 380 -- fraud• Section 372(1) -- false messages• Section 342.1 -- fraudulently obtain computer service• Section 342.2 -- device for committing 342.1

> Could cover --• Fraudulent spam• Unauthorized use of email servers• Email harvesting• Email harvesting software

18

Phase Two - The Three Anti-Spam Pillars > Telecommunications Act

• Section 41 -- CRTC order prohibiting unsolicited communications

• No action yet from CRTC but theoretically section appears to cover spam

19

Phase Two - The Three Anti-Spam Pillars > Problems

• Enforcement challenges• Ineffective legislation• Unnecessary legislation?

20

Phase Three - Getting Serious About Spam > 2004 - ??

> Anti-spam activity is an enforcement problem…

NOT a legal or technological problem

21

Phase Three - Getting Serious About Spam > The spam problem will get worse if nothing

is done• Less email communication• Less e-commerce• More wireless spam• More IM spam (spim)• More phishing

22

Phase Three - Getting Serious About Spam > Resourcing anti-spam efforts> Follow the money> National anti-spam actions

• Canadian-specific action plan

> Multinational enforcement co-operation• Australia - S. Korea model• Operation Secure Your Server

> International organizations• ITU• WSIS• OECD

> Contemplating legislative alternatives

23

Untouchable?

24

What are we prepared to do?

25

Michael Geist

mgeist@pobox.com