AustLII Home | Databases | WorldLII | Search | Feedback

eLaw Journal: Murdoch University Electronic Journal of Law
You are here:  AustLII >> Databases >> eLaw Journal: Murdoch University Electronic Journal of Law >> 2004 >> [2004] MurdochUeJlLaw 11

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Quo, Shirley --- "Spam: An Examination of Private and Legislative Responses to Unsolicited Electronic Mail in Australia and the United States" [2004] MurdochUeJlLaw 11; (2004) 11(1) Murdoch University Electronic Journal of Law

Spam: Private and Legislative Responses to Unsolicited Electronic Mail in Australia and the United States

Author: Shirley Quo BComm, LLB, LLM
Associate Lecturer, Deakin University School of Law
Issue: Volume 11, Number 1 (March 2004)

Contents

    Acknowledgement: I would like to thank Elspeth McNeil, Assistant Lecturer, Law Faculty, Monash University for her feedback and comments. Any errors are my own.

    Introduction

  1. According to Brightmail, a provider of anti-spam technology, it filtered over 91 billion electronic mail messages ("email") in February 2004, of which 62 per cent were identified as spam, up from 50 per cent six months ago.[1] In Australia, the time and bandwidth lost to spam is estimated to cost business up to $2 billion a year.[2]

  2. The National Office for the Information Economy ("NOIE") has estimated that spam accounts for approximately 50 per cent of world-wide emails and is growing rapidly.[3] The Internet service provider, America Online ("AOL"), has reported that it blocks approximately two billion spam emails per day.[4] That equates to about 75 spam emails per customer. According to a report released by the All Party Internet Group ("APIG") in October 2003, about half the overall email volume globally was spam that is, 10 billion spam emails were sent per day.[5] Statistics vary partly because of how spam is defined but it is clear that spam is a significant and growing problem.

  3. This paper will propose a definition of spam and discuss the problems caused by spam. Both private and legislative approaches, which have been used to address the spam problem will be reviewed, that is, technical measures, regulatory and self-regulatory strategies, litigation under existing legislation and common law theories. Anti-spam legislation in the United States ("US") that specifically targets spam will also be examined.

  4. The Australian Spam Act 2003 (Cth) ("Spam Act") and the current legislative regime relevant to spam control will also be discussed. This will be followed by a summary of relevant Australian case law.

  5. Lastly, problems of enforcement and jurisdiction will be raised followed by policy considerations.

  6. It is concluded that current measures to counter the spam problem are inadequate and an international approach is necessary because spam is generally impervious to national boundaries and the largest source of spam in Australia comes from overseas, particularly the US.

    Definition of Spam

  7. Spam is generally used to refer to unsolicited or unrequested junk emails over the Internet, unsolicited commercial emails ("UCE"), or unsolicited bulk emails ("UBE"). The two most common definitions of spam are UCE and UBE.[6] Spam is unsolicited if there is no prior relationship between the parties and the recipient has not explicitly consented to receive the communication. The main problem with spam lies in the volume of email messages, not their content.[7] This is supported by the statistics on spam volume. However it should be noted that there is an overlap between UCE and UBE.

  8. If one accepts that the main problem with spam is volume, the UBE definition seems to make more sense. Whatever definition of spam is used, there are likely to be significant problems in defining precisely what is meant by 'commercial' or 'bulk' email and these definitional problems may serve as a barrier to effective responses to the spam problem.[8]

  9. Similarly, the NOIE notes that an agreed definition of spam is important in making any anti-spam provisions effective. Internet service providers ("ISPs") and regulatory authorities need to be reasonably confident of this definition before they enforce their terms and conditions or any regulations or laws against spammers, as do legitimate direct marketers who want to ensure their activities remain both legal and ethical.

  10. The NOIE defines spam as unsolicited electronic messaging, regardless of its content.[9] This definition takes into account bulk email and is deliberately technology neutral insofar as is possible to take into account the convergence of technologies and media. This definition of spam would include not only email but also other forms of online and mobile messaging. This is broader than the more common definition of spam.

  11. Spam is defined by the Internet Industry Association ("IIA") as electronic mail that is unrequested by the recipient and is of an advertising or promotional nature, except where the predominant purpose of the email is that of a contractual, operational or other service-related customer notice.

  12. The Spam Act does not explicitly define spam however it prohibits the sending of unsolicited commercial electronic messages. An unsolicited commercial electronic message is defined in section 6 of the Spam Act. Relevantly paraphrased, a commercial electronic message is an electronic message the purpose of which is to advertise, promote or offer to supply goods or services; to advertise or promote a supplier of goods or services; to advertise, promote or offer to supply land or an interest in land; to advertise or promote a supplier of land or an interest in land; to advertise, promote or offer to provide a business opportunity or investment opportunity; or to advertise or promote a provider of a business opportunity or investment opportunity.

  13. For the purposes of this paper, spam is defined as unsolicited emails, which are generally commercial in nature, usually transmitted to a large number of recipients. The word 'commercial' is generally used to refer to advertising, promoting or offering to supply goods or services. This definition encompasses the majority of spam with the exception of other forms of online and mobile messaging which are beyond the scope of this paper.

    Technical Solutions

  14. Despite the development of filtering mechanisms, it is estimated that the cost of spam to Australian businesses in lost productivity is $960 per employee, per year, and the situation is unlikely to improve in the near future.[10] The advocacy group, Electronic Frontiers Australia has estimated, that spam filters are 80 to 90 per cent effective.[11]

  15. There are several types of technical tools that will assist in filtering or blocking spam. Filters are programs that block access to email based either on a list of banned sites or keywords and phrases. Some also stop search engines from searching on unsuitable topics and block access to newsgroups, chat rooms and email. However, as well as blocking inappropriate sites or content, they may also block valuable and inoffensive sites.

  16. Filtering, anti-virus and firewall products use strategies including Bayesian logic to intercept spam. These products may be applied either by ISPs or corporate networks at the level they receive mail or by end users.

  17. Whitelists and blacklists are forms of filtering used to manage spam by focusing on certifying legitimate email sources. This option includes the use of approved sender lists or do-not-email lists. They allow businesses and individuals to set permissions that allow email only from approved sources or may be used in conjunction with a filtering option.

  18. System administrators can also close open relays to avoid having their email server used to send spam. A mail system should accept only incoming mail that it delivers locally, based on email addresses; and it should deliver only outgoing mail that originates locally, based on Internet Protocol ("IP") addresses, to be secure from being used as a relay.

  19. The technical solutions to deal with spam can provide a significant reduction in the amount of spam individuals receive but it is at best an imperfect solution, and in no way alleviates the load of spam on the Internet 'backbone' before it reaches the recipients' ISP. They do not address the fundamental aspects of the problem as they only deal with spam once it has arrived in-country and therefore do not deal with the problem of the stress spam is causing the Internet infrastructure.

  20. Another problem with technical approaches is the deleterious effects they can have on legitimate communications that is, false positives.[12]

  21. Technical approaches are unlikely to completely eradicate spam because of the inherent openness of the Internet and email protocols. Some technical approaches have also been criticised because of lack of transparency and accountability for example, blacklists.[13] Further, spammers are constantly finding new ways to circumvent the filtering software, such as deliberately misspelling words in the subject field of the email to avoid word recognition software.[14]

    Commonwealth Best Practice Model

  22. In 2000, the Australian Government released Building Consumer Sovereignty in Electronic Commerce: A Best Practice Model for Business ("Best Practice Model").[15]

  23. Clause 23 of the Best Practice Model provides that businesses should not send commercial email except to people with whom they have an existing relationship; or to people who have already said they want to receive commercial email; and businesses should have simple procedures so that consumers can let them know they do not want to receive commercial email.

  24. Any business or industry association engaging in business to consumer ("B2C") electronic commerce is encouraged to adopt the Best Practice Model. However, as the name suggests, the Model is not mandatory and there are no sanctions for non-compliance.

    Industry Codes

  25. The NOIE has suggested that a co-regulatory model, involving industry participation and codes of practice working in concert with underpinning legislation where needed could be effective in countering spam.[16] Codes of practice developed by industry bodies can be submitted to the Australian Communications Authority ("ACA") for registration.[17] Once a code is registered, the ACA will be able to direct industry participants to comply.

  26. Although there are no registered industry codes of practice dealing with spam, two industry-based voluntary codes of practice aimed at preventing spam are discussed below.

    Australian Direct Marketing Association ("ADMA")

  27. The ADMA is a self-regulatory body for the direct marketing industry. It has a Code of Practice developed in consultation with the Ministerial Council of Consumer Affairs, the Australian Competition and Consumer Commission ("ACCC") and consumer and business groups. The ADMA has put in place a series of self-regulatory mechanisms to ensure that organisations, which are members of ADMA, use electronic marketing techniques responsibly.[18] These measures include:

  28. An independent Code Authority was established to monitor compliance with ADMA's Code of Practice. The Code Authority receives complaints and can sanction ADMA members in a range of ways, the ultimate of which is the revocation of membership.

  29. While the Code of Practice appears to be effective for those organisations that are members of ADMA, it imposes no restriction on those organisations or individuals that are not members.

    Internet Industry Association ("IIA")

  30. The IIA is the national Internet industry organisation in Australia. The Internet Industry Privacy Code of Practice (draft) provides that its members and code subscribers must not spam and must not encourage spam with exceptions in the case of pre-existing relationships (acquaintance spam).[19] IIA members and code subscribers who do use acquaintance spam must provide recipients with the capability of opt-out and must include opt-out instructions in the email. The Privacy Code provides that members should have an Acceptable Use Policy that prohibits spam and services that depend on spam and install relay protection on their mail servers to prevent spammers from using the relay to evade detection.[20]

  31. The Privacy Code[21] prohibits IIA members, including ISPs, from sending direct marketing messages without the recipient's permission.[22]

  32. As with ADMA, IIA codes only apply to its members and code subscribers.

    NOIE Report

  33. The NOIE recommended that the Australian Government enact legislation to prohibit dissemination of unsolicited commercial email. It also suggested that Australia pursue a spam reduction strategy, which balances regulatory, self-regulatory, technical and consumer information elements. In summary, the NOIE proposed that:[23]

    1. National legislation should be introduced with these features:

      • No commercial electronic messaging to be sent without the prior consent of the end user unless there was an existing customer-business relationship;
      • All commercial electronic messaging to contain accurate details of the sender's name and physical and electronic addresses;
      • A co-regulatory approach with industry including recognition of appropriate codes of practice;
      • Appropriate enforcement sanctions.

    2. Industry bodies should:

      • build on existing work done by the IIA and implement codes of practice to ensure compliance with national legislation; prohibit use of members' own facilities for sending spam and provide clear complaint procedures for end users;
      • develop better practice guidelines to combat spam;
      • require ISPs to make available to clients filtering options from an approved schedule of spam filtering tools at reasonable cost and evaluate and publicise spam filtering options and products;
      • configure servers appropriately and take action to close down identified open relay servers.

    3. Australia should work with the OECD and other multilateral bodies to develop international guidelines and cooperative mechanisms which would:

      • aim to reduce the total volume of spam;
      • apply the opt-in principle where practicable;
      • minimise false or misleading subject lines and header information;
      • provide end users with information on anti-spam measures.
      • Australian Government agencies should work with partner country agencies to counter spam within appropriate legislative mandates.
      • Regulatory agencies like the ACCC, Australian Securities and Investments Commission ("ASIC") and the Office of the Federal Privacy Commissioner should ensure that relevant legislation is fully applied to spam.

  34. As a result of the NOIE Report, the Australian Government introduced the Spam Act, which is discussed below.

    Australian Position

  35. The Federal Government's anti-spam legislation, the Spam Act and the Spam (Consequential Amendments) Act 2003 (Cth),[24] received Royal Assent on 12 December 2003 and comes into effect on 10 April 2004. This legislation will target spammers and the techniques they use to send Australian consumers unsolicited and offensive electronic mail, while protecting the right to free speech. It will also play an important role in the Federal Government's multi-layered approach to the global nuisance of spam.

  36. Prior to the introduction of the Spam Act, no existing legislation was explicitly drafted to address the issue of spam.

    Spam Act

  37. The Spam Act sets up a scheme for regulating the sending of commercial electronic messages. Subsection 16(1) of the Spam Act prohibits the sending of unsolicited commercial electronic messages but the Act also contains rules regulating the sending of general commercial electronic messages, regardless of whether or not they are unsolicited.[25]

  38. According to the Explanatory Memorandum, the Spam Act is aimed at reducing Australia as a source of spam, minimising spam for Australian end-users and extending Australia's involvement in worldwide anti-spam initiatives.

  39. The Australian Government has acknowledged that legislation alone will not result in an immediate or dramatic reduction of the spam problem. Spam is an international problem that can only be fully addressed through international cooperation and coordinated action.[26]

  40. The main elements in the Spam Act are summarised below:[27]

  41. The legislation and the ACA would also facilitate and support the development of industry codes, which complement and are consistent with the legislation as suggested by the NOIE.

  42. The Spam Act establishes an 'opt-in' system such that commercial email may be sent to existing customers provided that the recipient has the ability to 'opt-out'.[34] The proposed legislation is not intended to adversely impact online marketing to bona fide existing customers. However, this still gives considerable scope for the sending of junk email because businesses would be able to lawfully send emails on behalf of other businesses or to promote very different products or services than the one that formed the original relationship.[35]

  43. Exceptions will also apply to protect currently accepted government, business and commercial practices, such as government to consumer messages, and commercial messages to publicly advertised addresses where the approach is specifically related to the addressees' employment function. The Australian Government has come under criticism for exempting government bodies, political parties, charities, religious organisations and educational institutions from the proposed legislation.[36] The fear is that this may prove to be a loophole if these organisations interpret the legislation as meaning that sending spam would be acceptable.[37]

  44. The Australian Government proposes to review the legislation two years after the commencement of the penalty provisions. The effectiveness of any legislation can be judged either by its capacity to prevent the targeted behaviour/activities or by the extent to which it enables predictable, cost-effective prosecution of the offending individual or organisation.[38] While it is too early to gauge the effectiveness of the legislation, it has been recommended by the APIG that Australia adopt rules that run as closely as possible along the lines of the European Directive on Privacy and Electronic Communications (2002/58/EC).[39] The basis of this recommendation is to ensure an entirely consistent anti-spam regime in every country.

  45. As an 'opt-in' law, the Spam Act should be more effective than the 'opt-out' legislation passed by the US Congress[40] that requires Internet users to request that they be taken off mailing lists. However, the legislation would have no effect on the amount of spam Australian Internet users received from outside Australia, the source of most spam.[41]

  46. Another criticism of the Spam Act is that it defines spam as a message sent without the recipient's consent. However, consent does not need to be express, it can be inferred.[42]

  47. It is unlikely that the legislation will have any impact on fraudulent or offensive spam without legitimate sender information or non-commercial UBE but it should cause a substantial reduction in other types of spam.[43]

    Existing Australian Legislation

  48. Current legislation which may assist in countering the spam problem include:

    Commonwealth Criminal Provisions

  49. The most recent Commonwealth legislation relating to criminal laws and privacy is the Cybercrime Act 2001 (Cth) ("Cybercrime Act"). The Cybercrime Act amended the Criminal Code 1995 to include new offences such as virus introduction and denial of service attacks and is aimed specifically at Internet activity.[44]

  50. The Cybercrime Act has a very wide jurisdiction and covers offences where the conduct constituting an offence occurs partly in Australia, where the conduct occurs on board an Australian ship or aircraft and where the person committing the offence is an Australian citizen or an Australian company.[45]

  51. Section 85ZE of the Crimes Act makes it an offence to use email in a manner that is menacing, harassing or offensive.[46]

  52. There are similar provisions under various state Crimes Acts.[47]

    Trade Practices Act 1974 (Cth)

  53. The consumer protection provisions in Part V of the Trade Practices Act 1974 (Cth) ("TPA") prohibit false and misleading claims about goods and services. This legislation can also potentially apply to the issue of transparency in terms of falsified headers and false opt-out options.[48]

  54. The ACCC has taken action in a number of cases where email was used as a vehicle to promote pyramid selling schemes.[49] The ACCC has also filed proceedings in relation to domain name renewals containing misleading and deceptive information which were sent via a number of channels, including email.[50]

  55. Like the Spam Act, the TPA is technology neutral and capable of addressing all commerce in both the online and offline environments.

  56. Subsection 52(1) of the TPA relevantly provides that a corporation shall not, in trade or commerce, engage in conduct that is misleading or deceptive or likely to mislead or deceive. This could be utilised in some contexts where disclosing information would be involved. For example, a website that sells information on customers to others, notwithstanding that it has a privacy policy, could be liable for misleading and deceptive conduct.

    Privacy Act 1988 (Cth)

  57. It is unclear whether there is a common law right to privacy in Australia. The High Court decision in Victoria Park Racing & Recreation Grounds Co Ltd v Taylor ("Victoria Park")[51] indicated that there was no such right of privacy.[52] This issue was reconsidered by the High Court in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd ("Lenah")[53] The Court found that, on the facts, it did not need to decide the issue of whether a right of privacy existed at common law in Australia. It did not however rule out the possibility.[54] Subsequently, in Grosse v Purvis[55] the District Court of Queensland reviewed Lenah and noted that Gummow and Hayne JJ, with whose reasons Gaudron J agreed, rejected the suggestion that the High Court's decision in Victoria Park in fact stood for such a proposition. The District Court held that there can be a civil action for damages based on the actionable right of an individual person to privacy.

  58. The Privacy Amendment (Private Sector) Act 2000 (Cth) which amends the Privacy Act 1988 (Cth) ("Privacy Act") makes certain acquaintance spam illegal as of December 2001. Businesses covered by the provisions must obtain permission from their customers in some situations prior to using their email addresses for anything that can be construed as spam.[56]

  59. There are significant privacy issues surrounding the manner in which email addresses and personal information are collected and handled.[57] It is not uncommon for address collectors to covertly harvest email addresses from the Internet, as users visit certain sites, and buy and sell them in bulk without the knowledge or consent of the owner.[58]

  60. At present, there is no legislation specifically requiring a sender to obtain a recipient's consent prior to sending spam to that individual, either initially or on an ongoing basis. Under the Privacy Act, the collection of personal information from public sources may require an individual's explicit consent, but this aspect of the legislation has not yet been tested.[59]

  61. The National Privacy Principles ("NPP") do not prevent a business from using personal information for the primary purpose for which it is collected.[60] Accordingly, if a spammer collects personal information from an individual or from anywhere else for the primary purpose of spamming the Privacy Act may not prevent the spammer from using this information in that way. Also in these circumstances the spammer is under no legal obligation to give the recipient an opportunity to opt out, or to comply with such a request. However this is subject to the fair and lawful requirement in NPP 1.[61] Collection of personal information includes gathering, acquiring or obtaining personal information from any source and by any means. Collection is necessary for the purposes of NPP 1 if an organisation cannot effectively pursue a legitimate function or activity without collecting that information. For the purposes of NPP 1 'fair' means without intimidation or deception. In general, collection without the individual's knowledge for example, through the use of cookies will not be considered fair.[62]

  62. Where spammers are subject to the Privacy Act and they collect information about an individual indirectly, they will be required to take reasonable steps to make the individual aware of the details collected.[63]

  63. Most of the obligations imposed by the NPPs relate to personal information. 'Personal information' is defined by the Act as:
    Information or an opinion (including information or an opinion forming part of a database), whether true or not; and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.[64]
  64. An email address may be considered to be personal information when it contains a user's name or when it can be used in conjunction with other information sources to identify the person.[65]

  65. Although the Privacy Act has the potential to significantly lessen the incidence of spam, there are some loopholes. The Privacy Act requires companies to seek permission before sending advertising material to individuals. However this is qualified by the words 'where it is reasonable and practicable' to do so.[66]

  66. The Guidelines to the NPPs also require that the consumer must opt-in to any spam schemes as opposed to an easier standard where they might be included unless they opt-out. However, in practice this rarely occurs either through ignorance or deliberate avoidance. In any event, there is limited enforcement of the responsibilities under the Privacy Act.

  67. The Privacy Act currently does not extend to many spammers including those that send spam from overseas and small businesses that do not trade in personal information.[67]

  68. Because the amendments to the Privacy Act only commenced in December 2001, some of the NPPs only apply to information collected after that date and not to information that was collected and retained by organisations before the commencement of the amendment.[68]

    Australian Case Law

  69. These cases illustrate the limited range of existing legislation with potential applicability to spam. As none of the existing legislation was specifically intended to address spam, they are rarely used to prosecute spammers, other than where there is a breach of consumer protection legislation.

    R v Hourmouzis [69]

  70. Hourmouzis sent approximately four million spam emails to addresses around the world intended to induce purchase of stock in a US company, Rentech. He pleaded guilty to charges including interference with, interruption of or obstruction of the lawful use of file server computers operated by various companies by means of a telephone facility operated by Telstra.[70] Hourmouzis also pleaded guilty to making a statement or disseminating information that was false and misleading and likely to induce the purchase of securities of Rentech in breach of the Corporations Law.[71]

    ACCC v SkyBiz.Com Inc [72]

  71. The case involved the dissemination of false and misleading information via unsolicited emails. The ACCC successfully alleged that SkyBiz.Com, a US company, promoted a pyramid selling scheme in breach of the TPA. In a settlement with the ACCC, SkyBiz.Com consented to orders of the Federal Court.[73]

    ACCC v Chen [74]

  72. The ACCC filed proceedings against the operator of the website "www.sydneyopera.org" for various breaches of the TPA including s 52. It was alleged that Chen, a foreign resident, misrepresented to the Australian public via unsolicited emails that his site was the official booking site of the Sydney Opera House. Interlocutory injunctions granted by the Federal Court required Chen to remove the site from being accessible to Australian users.

    ACCC v Internic Technology Pty Ltd [75]

  73. In conjunction with the US Federal Trade Commission ("FTC"), the ACCC alleged that Internic Technology, had been involved in misleading and deceptive conduct as it had established a website that was deceptively similar to a site owned by a US company known as InterNIC. InterNIC provided a global register of second level domains and owned the domain name internic.net. Internic Technology set up a business with the same purpose. It effectively acted as an intermediary between consumers and InterNIC but charged consumers significantly more for the service. The ACCC alleged that consumers would be misled into believing that they were dealing with the US company when they were not. Internic Technology gave undertakings to the court that it would no longer use the name 'internic' or any similar name and agreed to refund consumers.

  74. The case may prove to be a precedent in dealing with similar issues in relation to spam which seeks to mislead the recipient as to the identity of the sender, and its association with others. However, whether or not simply using a false identity which has no direct or implied association with another person or product falls within the scope of the TPA is uncertain.[76]

    United States Position

    In general there is a stronger distinction drawn in the US between commercial and non-commercial spam because of potential constitutional barriers to any anti-spam legislation due to freedom of speech concerns about the latter.[77]

    Federal Anti-Spam Legislation

  75. The Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003 ("CAN-SPAM Act") was signed by the US President on 16 December 2003 and took effect on 1 January 2004. The CAN-SPAM Act requires unsolicited commercial emails to be labelled and to include opt-out instructions and the sender's physical address. The law also prohibits the use of deceptive subject lines and false headers in such messages. There is a provision authorising the FTC to establish a 'do-not-email' registry. However, the legislation remains to be tested.[78]

  76. Some of the recent bills introduced in the 108th Congress are:[79]

    Anti-Spam Act of 2003

  77. The bill would require all commercial emails to be identified as such and to include the sender's physical street address and an opt-out mechanism; messages relating to a specific transaction and consented to by the recipient would be exempt from those requirements. The bill would prohibit commercial emails with false or misleading message headers or misleading subject lines, and it would be illegal to send commercial emails to addresses generated by an automated dictionary attack.

    Ban on Deceptive Unsolicited Bulk Electronic Mail Act of 2003

  78. The bill would prohibit the inclusion of false information in message headers in unsolicited bulk commercial email. It also would require senders of unsolicited bulk commercial email to include opt-out instructions and honour opt-out requests, and would prohibit them from harvesting email addresses of potential recipients from web pages and other sources.

    REDUCE Spam Act of 2003

  79. The Restrict and Eliminate the Delivery of Unsolicited Commercial Electronic Mail or Spam Act requires unsolicited bulk commercial emails to include a valid reply address and opt-out instructions and a label ('ADV' or 'ADV: ADLT' or other recognised standard identification). These requirements would apply to messages sent in the same or similar form to 1,000 or more email addresses within a two-day period. In addition, false or misleading headers and deceptive subject lines would be prohibited in all unsolicited commercial emails, whether sent in bulk or not.

    Criminal Spam Act of 2003

  80. The bill would prohibit unauthorised or deceptive use of a third party's computer for relaying bulk commercial emails. It also prohibits the use of false header information in bulk commercial messages and regulates the use of multiple email accounts or domain names for purposes of sending such messages. The law would apply only to quantities of more than 100 messages within 24 hours or 1,000 within 30 days or 10,000 within one year.

  81. Like the CAN-SPAM Act, the proposed Federal anti-spam bills favour an opt-out system that would require UCE to include instructions for removal. This means that there would be no requirement for recipients to have given their permission for the email to have been sent. There is concern that the effect of such a law would be to remove the stigma attached to spam and lead to the volume of spam increasing.[80] Another concern is that State laws adopting an opt-in sytem would be pre-empted.[81] The CAN-SPAM Act relevantly states that the Act supersedes any state law that expressly regulates the use of email to send commercial messages, except to the extent that any such state law prohibits falsity or deception in any portion of a commercial email or information attached thereto.[82]

    State Anti-Spam Laws

  82. In the US, 36 states have passed anti-spam legislation. The most restrictive is Delaware, which prohibits the sending of bulk UCE outright unless the sender has the permission of the recipient beforehand. In general, state UCE laws can be divided into three categories - prohibiting the sending of UCE without making certain disclosures; prohibiting the sending of UCE through an ISP's computer network if doing so would violate the ISP's policies regarding UCE; and prohibiting the sending of UCE containing false or forged email transmission information.

  83. The behaviour most commonly targeted is that which involves concealment of the identity of the sender. Some of the State anti-spam laws enacted are set out below.[83]

    Washington

  84. In Washington, it is illegal to send a commercial email that uses a third party's domain name without permission; that contains false or missing routing information; or with a false or misleading subject line. The law applies if a message is sent from within Washington; if the sender knows that the recipient is a Washington resident; or if the registrant of the domain name contained in the recipient's address will confirm upon request that the recipient is a Washington resident.

    California

  85. In September 2003, legislation was approved in California that made it the second state after Delaware to adopt an opt-in rule for email advertising. Under this legislation, it is illegal to send unsolicited commercial email from California or to a California email address. The law applies to senders as well as to advertisers on whose behalf messages are sent. California's prior law approved in September 1998 required opt-out disclosures and subject line labels.

    Illinois

  86. In Illinois, it is unlawful to initiate an unsolicited electronic mail advertisement if it contains false or misleading information in the subject line. In addition, the law was amended in July 2003 to require inclusion of the sender's valid reply email address for opt-out requests, along with a label ('ADV:' or 'ADV:ADLT') at the beginning of the subject line. The law applies to email that is delivered to an Illinois resident via a provider's facilities located in Illinois. A separate provision makes it illegal to send unsolicited bulk email with falsified routing information or to distribute software designed to falsify routing information.

    Virginia

  87. The Virginia Computer Crimes Act anti-spam provisions were amended in April 2003 to make it a felony to falsify header or routing information and to attempt to send UBE exceeding 10,000 messages a day, 100,000 messages a month or 1 million a year. The underlying statute has so far survived constitutional challenges and is grounded on email passing through Virginia-based ISPs and allows Virginia prosecutors to pursue criminal charges against spammers in other states and jurisdictions.[84]

    Delaware

  88. It is illegal to send unsolicited bulk commercial email, to send unsolicited bulk email containing falsified routing information in violation of a provider's policies, or to distribute software designed to falsify routing information. The law applies to messages sent into Delaware from outside the state if the sender knew that there was a reasonable possibility that the recipient was in Delaware.

  89. US state anti-spam laws have been criticised as being singularly ineffective in preventing spam with spammers routinely ignoring their requirements.[85] According to the APIG, although there were exceptions, the laws were often used to prosecute legitimate companies who had made a technical error in compliance.[86]

  90. There is also some concern that unless universal rules are adopted in relation to labelling requirements such as 'ADV', the existence of contradictory requirements in different jurisdictions will merely make things more difficult for people sending permission-based email.[87] Consistent labelling would also assist Internet users to filter out spam.

    US Case Law

  91. There have been a number of successful prosecutions in the United States, particularly by ISPs against spammers.

    CompuServe Inc v Cyber Promotions Inc ("CompuServe") [88]

  92. The plaintiff, an ISP, received complaints from its subscribers about the amount of spam they were receiving from the defendant. The ISP ordered the defendant to cease using its network for spamming in accordance with its acceptable use policy. The defendant then began to falsify the sender information in the headers of its messages and to configure its server to falsify its domain name and IP address. The ISP sued on the basis of the common law theory of trespass to chattels.

  93. Cyber Promotions relied on the First Amendment of the US Constitution as its affirmative defence. In granting CompuServe's motion for a preliminary injunction, the court held that CompuServe had a viable claim for trespass under Ohio law.[89] The court indicated that electronic signals generated and sent by computer are sufficiently physically tangible to support a trespass cause of action and held that the defendant's contact with the plaintiff's computers was clearly intentional. The tort of trespass to chattels in US law requires some actual damage as a prima facie element whereas damage is presumed where there is a trespass to real property. The court held that the diminished value of the ISP's computer equipment due to spamming by the defendant and the draining of disk space and processing power was sufficient damage to uphold the cause of action.

  94. This is an example of 'aggravated spamming' that is, the defendant was repeatedly ordered to cease and desist yet continued spamming. It appears that the CompuServe trespass doctrine may be readily applied to bulk mailers who have actual notice that they are trespassing but would not apply to a one-time spammer or an individual using different accounts or network providers for each unsolicited advertisement sent.[90]

    America Online Inc v IMS [91]

  95. The plaintiff, AOL, alleged that IMS had unlawfully sent more than 60 million UCE over a 10-month period. AOL sued for false designation of origin; dilution of interest in service marks; violation of the Computer Fraud and Abuse Act; violation of the Virginia Computer Crimes Act; and trespass to chattels under Virginian common law.

  96. The court entered default judgments against the defendants and awarded compensatory and punitive damages to AOL.

  97. In so doing, the court followed the CompuServe case for authority as the trespass law of Virginia was similar to that of Ohio.

  98. Based on these cases, the common law doctrine of trespass to chattels appears to be an effective weapon for ISPs in their fight against spam.

    Hotmail Corporation v Van Money Pie [92]

  99. The plaintiff, Hotmail, sought an injunction to enjoin the defendants from inter alia, infringing its trade name and service mark, engaging in acts of unfair competition, committing trespass to chattels and breaching its contract.

  100. To become a Hotmail subscriber, one must agree to abide by a service agreement, which specifically prohibits subscribers from using Hotmail's services to send UCE. Under the agreement, Hotmail can terminate the account of any subscriber who violates the terms of service.

  101. Hotmail discovered that the defendants were sending thousands of UCE to its users which were intentionally falsified in that they contained return addresses bearing Hotmail account addresses including Hotmail's domain name and thus its mark when in fact such messages did not originate from Hotmail or a Hotmail account. The messages advertised pornography, bulk emailing software and get-rich-quick schemes.

  102. The overwhelming number of emails took up a substantial amount of Hotmail's finite computer space, adversely affected Hotmail's subscribers in sending and receiving email, and resulted in significant costs to Hotmail in sorting and responding to the misdirected complaints.

  103. The court found the defendants to have breached the Hotmail subscriber service agreement by sending UCE from a falsely designated Hotmail address and using a separate Hotmail account to return invalidly addressed messages.

  104. This is a useful cause of action where there is a contractual relationship between the ISP and spammer and the terms of service specifically proscribe the sending of UCE.

    Intel Corporation v Hamidi [93]

  105. After being dismissed from his employment by Intel, Hamidi aired his grievances in mass emails sent to approximately 29,000 Intel employees. Intel was unable to block the emails from entering its computer systems and Hamidi ignored Intel's requests to stop sending the emails. Intel brought civil proceedings, claiming that by communicating with its employees over the company's email system, Hamidi committed the tort of trespass to chattels. Hamidi argued that his emails did not originate on Intel property nor were they sent to Intel property - they were simply sent over the Internet to a server. The trial court granted Intel an injunction preventing Hamidi from sending any more emails to Intel's computer systems.

  106. On appeal, Hamidi argued that the injunction violated his constitutional free speech rights.[94] The appellate court upheld the trial court's injunction.

  107. The Supreme Court reversed the appellate court's decision.[95] The court concluded that Intel did not have a claim for trespass to chattels because it did not show that the emails caused physical damage or functional disruption to Intel's email system or somehow deprived Intel of the use of its computers. The contents of the messages were what the company was objecting to. Consequential economic damage such as loss of productivity did not constitute an actionable trespass to Intel's personal property.

  108. The Supreme Court distinguished CompuServe and its progeny where trespass to chattels was used successfully against spammers. In those cases, there was evidence that the vast quantities of mail sent by spammers both overburdened and impaired the ISP's computers and made the entire computer system harder to use for recipients, the ISP's customers.

  109. The decision has been criticised as issuing a licence to send unsolicited non-commercial emails.[96] Although Hamidi sent thousands of copies of the same message on six occasions over 21 months, the court indicated that the number of emails was minuscule compared to UCE.

    Jurisdiction and Enforcement

  110. Jurisdictional barriers together with practical issues of enforcement are the most significant limitations of legal responses to spam.[97] Email is generally unaffected by state and even national boundaries due to the borderless nature of the Internet. Many email addresses provide no indication of the addressee's physical location and an email address that does include a geographic identifier can be used from anywhere in the world.[98] Given this, it is difficult to see how a spammer would know whether a recipient is in, say Washington, and thus subject to the laws of that state by virtue of the fact that the recipient is a Washington resident.[99]

  111. Even if a state is able to exercise long-arm jurisdiction over a foreign defendant, it may be difficult to locate and subsequently enforce a judgment on someone in another state or country.[100]

  112. The technology creates difficulties in determining the location at which an event giving rise to a legal claim has occurred. Very few decisions in Australia have dealt with jurisdiction in respect of electronic commerce matters. Some guidance can be gained from overseas cases likely to be taken into account by Australian courts, in conjunction with the recent High Court decision, Dow Jones Inc v Gutnick.[101] A detailed discussion of this issue is beyond the scope of this paper.

  113. In general terms, the jurisdiction of a court to hear a claim is usually confined to matters with a requisite territorial connection. This jurisdiction will be established over matters occurring within the country's 'law area' that is, its geographical area. It will also be established over persons having a defined connection with the law area for example, through incorporation or registration in the country or through residence. Such connecting factors vary from country to country.[102]

  114. In addition to extra-territorial issues, it is necessary to consider the likelihood of judgments and orders of Australian courts being recognised and enforced overseas. This is particularly relevant to foreign Internet based businesses that are subject to a claim but have no presence or assets in Australia. One must also consider whether an injunction preventing the display of a website or website content is suitable for enforcement given that the relevant website or website content may not be in breach of the laws of other countries in which the website is based or accessible.[103]

  115. Approaches to recognition and enforcement of foreign judgments differ from country to country and depend upon the application of complex conflict of laws principles, the existence of relevant legislation, for example, the Foreign Judgments Act 1991 (Cth) and bilateral agreements between countries.[104]

    Policy Considerations

  116. While the application of existing common law theories to spam provides a degree of flexibility that is not available in anti-spam legislation, the unintended consequences that may result from stretching the law in such a manner may outweigh the benefits of avoiding legislation.[105]

  117. Another objection to legislative approaches is that a partial solution, one that regulates spam without prohibiting it altogether, will merely serve to legitimise spam.[106] If the law requires spam to be labelled and to include opt-out instructions, the stigma presently attached to spam will begin to disappear.

  118. The current trend appears to involve less reliance on self-regulation and other informal measures in favour of increased emphasis on more formal responses, both technical and legal.

  119. Spam is perhaps the most costly advertising mechanism, not costly to the spammer but to the email user. Spammers in effect make consumers pay for unwanted advertisements. ISPs are paying for the costs of spam by being forced to purchase additional computers and increase bandwidth and take measures to try to minimize the effect of spam.[107] A recent study estimates that spam costs US corporations approximately $10 billion each year and costs US and European ISPs an additional $500 million.[108]

  120. At the heart of this issue lies a contradiction. In attempting to strike a balance between the rights of commercial entrepreneurs to market their wares and the rights of email users to be free from unwarranted solicitation, a clear contradiction exists between business interests and those of private individuals.[109] The main problem with spam and the reason for its proliferation is the shifting of the costs involved away from the advertiser onto the consumer and other parties. Unlike other forms of advertising such as television commercials or billboards, direct marketing usually involves some degree of effort or involvement on the part of the consumer. In most forms of communication, the sender experiences significant and usually measurable costs. Therefore the sender usually has an incentive to compare the expected benefits of the communication against these costs in deciding whether to proceed with the communication. Email changes the entire equation because the cost of sending spam is negligible. Spammers have little incentive to consume resources in an efficient manner.[110]

  121. As noted previously, spam statistics differ due to the classification and definition of spam. A utopian definition of spam would include all emails that are of no benefit to the recipient from the recipient's point of view.[111] But this definition is problematic when looked at in practical terms. If one classifies spam as all email that is both unsolicited and bulk in nature, restrictive regulation is likely to conflict with the rights of citizens' free speech, where the email in question is not commercial in nature. This has caused legal difficulties for anti-spam legislation in the US where the degree of constitutional protection for commercial speech is lower than that for political speech. Also, different jurisdictions may apply widely different interpretations to the term 'commercial'.[112] The problem is apparent when attempting to define services such as education or health care which may have been semi-privatised and for which a fee is paid.[113] In this regard, it is noted that the Spam Act exempts currently accepted government, business and commercial practices, such as government to consumer messages, and commercial messages to publicly advertised addresses where the approach is specifically related to the addressees' employment function.

  122. Like the US, the Australian government has responded to the public demand for legislation. As so often happens in the policy arena, there are competing interests at stake, all with some validity. Legislation must effectively curb the proliferation of commercial spam without constraining the legitimate online marketplace. It must limit the unwanted messages that reach consumers, while protecting the right of free speech. It must address the technological threats to the Internet experienced most directly by ISPs without stifling innovative means of reaching individuals.[114]

  123. For example, a relevant issue raised by the Spam Act would be accurate header information requirements versus the right to online anonymity. This would aid ISPs in filtering messages from known spammers who mask the source of their messages by using falsified header information, and assist consumers in identifying the source of unwanted email so they can effectively opt out of receiving further communications. However, advocates of an individual's right to online anonymity have raised concerns that this would destroy anonymous communications on the Internet. Mere concealment of one's identity, without intent to deceive, is not in and of itself fraud.[115] In this regard, it is noted that NPP 8 provides that wherever it is lawful and practicable, individuals should have the option of not identifying themselves when entering transactions.[116]

  124. Another criticism of current enforcement efforts is that they are too narrowly focused on fraudulent and misleading spam, thus giving a kind of legitimacy and immunity to spam that is not misleading.[117] Given that the main problem with spam is the volume rather than the content, another option would be to ban all spam. However, this would raise the contentious issue of an agreed definition of spam.[118]

  125. Three categories of approaches have been used to address the spam problem: informal measures, such as social norms and self-regulatory efforts; technical measures undertaken by individuals and organisations; and legal responses including litigation under existing statutes and traditional common law theories and anti-spam legislation that specifically targets spam.[119] These categories can be loosely compared to the four types of constraints on behaviour outlined by Lawrence Lessig in his theoretical approach to cyberspace regulation: law, norms, markets and architecture or 'code'.[120]

  126. The law generally regulates individual behaviour by threatening ex post facto sanctions.[121] However, in real space as well as cyberspace, law also regulates individual behaviour indirectly, by aiming to change markets, norms or code. It has been argued that law in cyberspace will often be more effective if it regulates code or architecture rather than trying to directly regulate individual behaviour.[122]

  127. The nature of cyberspace is defined as including software, hardware, Internet protocols and other standards and aspects of human biology. Cyberspace architecture is inherently plastic, which is one reason why law regulating cyberspace architecture is likely to be effective. It is generally possible for law to require changes to software, standards and hardware.[123]

  128. While lawsuits and anti-spam legislation can ameliorate the spam problem by imposing costs and other disincentives on spammers, it is unlikely to be successful in eliminating spam on its own.[124] Some support for this conclusion is found in the theory of cyberspace architecture.

  129. Another limitation on Australian anti-spam legislation is that the law only applies within local boundaries whereas most spam is from foreign hosts, mainly the US.

  130. The jurisdictional problems created by the proliferation of transborder unsolicited emails may prove to be an insurmountable hurdle.[125] As unsolicited commercial email touches on so many aspects of the law, for example, commerce, advertising, free speech, libel, privacy, intellectual property and the criminal law, it has been argued that it would be difficult to apply a global legally binding framework.[126]

    Conclusion

  131. Given the significant rate of increase of spam, it seems reasonable to conclude that current legislative and private responses are having little effect on the activities of most spammers.

  132. It has been estimated that spam will peak at 80 per cent of all emails by 2007 and Australia's anti-spam legislation will offer little protection to Australian end-users.[127]

  133. There is no 'silver bullet' that will eliminate spam entirely however, the incidence of spam can be reduced and controlled.[128] In general, commentators agree that the most effective solution to spam will combine legal and technological elements.[129] While the Australian government has taken a technology neutral approach to anti-spam legislation, there is an argument that the most effective legislation will be crafted with the technology in mind, designed to enhance the tools' usefulness.[130] Spam will only be significantly reduced when the combination of spam filtering and user awareness makes sending spam unprofitable.[131] In the future, structural changes to the Internet such as tracking and authentication mechanisms should minimise spam however it will never be eradicated.[132]

  134. Achieving consistency in regulating spam, especially across all jurisdictions, is very difficult. Australian regulation of spam will have to meet international standards which is acknowledged by the Spam Act. The only constructive way forward, as recognised by the Australian government, is to keep pushing for a global convergence. It is not desirable that each country imposes a separate regime for regulating spam, which would encourage a race to the bottom, reducing protection on a global scale. It would also frustrate law enforcement efforts, impede informed decision-making by consumers and deprive consumers of meaningful access to judicial recourse. An international agreement to reduce the incidence of spamming worldwide is required. Ultimately, a consensus approach that coordinates legal and technical responses is likely to provide the most effective solution. National legislation per se is not a comprehensive answer to the problem because of the difficulties in identifying spammers, lack of jurisdiction over offshore offenders and competing priorities faced by law enforcement and regulatory agencies.

Glossary [133]

Bayesian logic
Named for Thomas Bayes, an English clergyman and mathematician, Bayesian logic is a branch of logic applied to decision making and inferential statistics that deals with probability inference: using the knowledge of prior events to predict future events. According to Bayesian logic, the only way to quantify a situation with an uncertain outcome is through determining its probability. Bayesian logic is being incorporated in more advanced spam filters (also see 'Filter').

Blacklist
A blacklist is the publication of a group of ISP addresses known to be or believed to be sources of spam. Emails from these sources are blocked, preventing their further transmission or receipt.

Dictionary attack
In the context of spam, in a dictionary attack is a large number of delivery attempts of test messages to email addresses within a domain (e.g. a range of addresses ending in @bigpond.com). These email addresses are generated based on words from a "dictionary" of likely or possible words, combined with the domain being attacked. This is done to compile a list of deliverable email addresses for future spam communications. Dictionary attacks are also used as a means of obtaining passwords to gain unauthorised access to computer systems. The automatic and repetitive nature of a dictionary attack means that the domain's server is hit with a large amount of traffic. This either restricts the system resources that can be utilised by legitimate processes, causing a slowdown, or overwhelms the network altogether, causing it to cease operation. In this regard, a dictionary attack operates similarly to a hostile denial of service attack.

Email
(electronic mail) is the exchange of computer-stored messages by telecommunication. Email can be distributed to lists of people as well as to individuals.

Filter
In the context of spam, a filter is a program or section of code that is designed to examine each input or output request for certain qualifying criteria and then process or forward it accordingly. A filter can be used to block the receipt of mail based on concrete information (e.g. block all mail originating from @spam.com), simple heuristic criteria (e.g. block all mail with a subject containing "viagra" or "FREE!!!") or through the application of more complex Bayesian logic.

Firewall
A firewall is a set of related programs, located at a network gateway server that protects the resources of a private of a private network from users from other networks. The term also applies to the security policy that is used with the programs.

Harvesting
The use of a program to scan through internet documents, emails, bulletin boards and other material to identify and store email addresses. The addresses are combined into a contact list and then used and/or sold by spammers.

Internet Content Host
An Internet Content Host (ICH)publishes content on the internet on their own or others' behalf. An ICH typically has an established point of presence on the Internet, much like an ISP, but unlike an ISP does not necessarily provide access services to others.

Internet Protocol (IP)>
The Internet Protocol is the method by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet.

Internet Service Provider (ISP)
An Internet service provider (ISP) is a company that provides individuals and other companies access to the Internet and other related services such as Web site building and content hosting. An ISP has the equipment and the telecommunication line access required to have a point of presence on the Internet for the geographic area served. The larger ISPs have their own high-speed leased lines so that they are less dependent on the telecommunication providers and can provide better service to their customers.

Open relay
An open relay is an email message transfer agent that will deliver any mail for any sender. Spammers seek out these servers as a free ride for their spam messages.

Opt in
The practice of having people sign up to receive emails or other communications. The person has nominated to receive communications from a particular source. Countries with "opt in" legislation have the rule that commercial electronic messages may only be sent to people who have made a prior positive indication that they wish to receive messages from that source.

Opt out
The practice of having people request their removal from commercial contact lists, usually in response to having received an unsolicited communication. There are well known problems with opt out methodologies, the most common being that the request to be removed from the contact list is not honoured, but rather used as a stimulus for increased communication.

Virus
A virus is a self-replicating computer program that may cause an unexpected and usually undesirable event. A virus is often designed so that it is automatically and covertly spread to other computer users via email, hidden within downloads, or on diskettes or CDs. Viruses are notorious for data corruption and destruction, and occasionally for collecting email addresses, credit card details or causing additional system security breaches.

Whitelist
The opposite of a blacklist. A whitelist is an explicit list of senders from whom email will be accepted. Any mail that originates from someone not on the whitelist will be blocked (see 'Blacklist').

Bibliography

Articles/Books/Reports

All Party Internet Group ("APIG"), Spam: report of an inquiry by the All Party Internet Group' (2003) <http://www.apig.org.uk/> at 1 December 2003.

Berman, Jerry and Bruening, Paula J, 'Can spam be stopped? Rather than legislate a quick fix, Congress needs to look harder at legal and technical complexities' (2003) Legal Times 26(24) 76.

Bick, Jonathan, 'Spam-related class actions are on the horizon: and the US government could end up as a defendant' (2003) 172(5) New Jersey Law Journal 20.

'Bill lets some spam slip through the net', Financial Review (Sydney), 18 September 2003.

Boyarski, Jason R, Fishman, Renee M, Josephberg, Kara et al, 'European authorities consider cookies and spam' (2002) 14(3) Intellectual Property & Technology Law Journal 31.

'Buffalo Spammer hit with arrest and $16.4 million judgment' (2003) 20(7) Computer & Internet Lawyer 35.

Cisneros, Danielle, 'Do not advertise: the current fight against unsolicited advertisements' (2003) Duke Law & Technology Review 10.

Clark, Eugene and Sainsbury, Maree, 'Privacy and the Internet' (2002).

'Court shuts down web sites in deceptive spam case' (2002) 5(11) Journal of Internet Law 27.

Culberg, Katya, 'Regulating the proliferation and use of spam' (2002) 6(3) Journal of Internet Law 18.

D'Ambrosio, Joseph, 'Should junk e-mail be legally protected?' (2001) 17(2) Santa Clara Computer and High-Technology Law Journal 231.

Delaney, Edwin M, Goldstein, Claire E, Gutterman, Jennifer et al, 'Proposed legislation targets unsolicited commercial email' (2003) 15(8) Intellectual Property & Technology Law Journal 16.

Fisher, Michael A, 'The right to spam? Regulating electronic junk mail' (2000) 23(3-4) Columbia-VLA Journal of Law & the Arts 363.

Fishman, Renee M, Josephberg, Kara, Linn, Jane et al, 'Chinese companies to address spam' (2002) 14(7) Intellectual Property & Technology Law Journal 31.

Fishman, Renee M, Josephberg, Kara, Linn, Jane et al, 'FTC announces international Internet fraud efforts' (2002) 14(7) Intellectual Property & Technology Law Journal 32.

Fogo, Credence E, 'The postman always rings 4,000 times: new approaches to curb spam' (2000) 18(4) John Marshall Journal of Computer & Information Law 915.

'FTC obtains TRO against deceptive spam' (2002) 5(12) Journal of Internet Law 29.

'FTC study finds deception in 66 percent of spam' (2003) 20(7) Computer & Internet Lawyer 34.

Geraci, Danna, 'Spam: opt in if you like' (2001) 34(2) Law-Technology 18.

Greene, Jenna, 'The slippery fight over e-mail spam: bills aim to slash junk mail while protecting e-commerce' (2001) 24(19) Legal Times 1.

Greene, Jenna, 'Two bills seek to provide protection against e-mail spam' (2001) 225(95) New York Law Journal 5.

Greenleaf, Graham, 'An endnote on regulating cyberspace: architecture vs law?'(1998) 52 University of NSW Law Journal 1.

Hahn, Robert W and Layne-Farrar, Anne, 'The benefits and costs of online privacy legislation' (2002) 54(1) Administrative Law Review 85.

Harhai, Stephen J, 'A modest proposal on spam' (2003) 29(2) Law Practice Management 16.

Heels, Erik J, 'Combating spam' (2002) 28(6) Law Practice Management 9.

Henry-Davis-York-iTEAM, 'Spam: remedies against the crime not the ham' (2001) Keeping Good Companies 53(2) 119.

Hollander, Jay, 'Raising the E-drawbridge on Cybertrespass' (2002) 228(101) New York Law Journal 5.

Kolker, Carlyn, 'Canning the spam' (2002) 24(9) American Lawyer 31.

Latham Plunkett, Dianne, 'Spam remedies' (2001) 27(3) William Mitchell Law Review 1649.

'Law enforcement tackles deceptive spam' (2003) 20(2) Computer & Internet Lawyer 34.

Lerner, David, 'Seeking to clear cyberspace of spam: recent court decisions boost efforts to regulate unsolicited commercial e-mail' (2002) 227(110) New York Law Journal S4.

Lewis, Samuel, 'The politics of spam: yet another way to annoy voters' (2002) 25(38) Legal Times 21.

Litchman, Lori, 'Federal law doesn't ban e-mail spam' (2002) 25(27) Pennsylvania Law Weekly 1.

Loomis, Tamara, 'Junk e-mail: filing suit against a spammer is a way to fight back' (2002) 227(69) New York Law Journal 5.

Magee, John F, 'The law regulating unsolicited commercial e-mail: an international perspective' (2003) Santa Clara Computer and High-Technology Law Journal 19(2) 333.

McGill, Matt, 'E-mail marketing: targeted opt-in campaigns (not spam) aren't just for products anymore' (2001) 24(21) Legal Times 51.

Miller, Nigel, 'New rules for inboxes' (2002) 146(36) Solicitors Journal 857.

'More self-regulation of spam & privacy' (2002) 5(8) Journal of Internet Law 21.

National Office for the Information Economy, Spam: Final report of the NOIE review of the spam problem and how it can be countered, (2003). <http://www.noie.gov.au/publications/NOIE/spam/final_report/index.htm> at 27 July 2003.

Oakes, Dan, 'The long arm of the law takes a crack at breaking through the spam jam', The Sunday Age (Melbourne), 11 January 2004.

Paonita, Anthony, 'Drowning in spam? Here's how you can fight back' (2002) 170(10) New Jersey Law Journal 30.

Paonita, Anthony, 'Tired of spam? There are steps you can take to fight it' (2002) 25(49) Legal Times 28.

Pink, Scott W, 'State spam laws survive constitutional scrutiny but should Congress enact a federal law?' (2002) 5(10) Journal of Internet Law 11.

Pruitt, Scarlet, 'Spam deluge leads to search for silver bullet', Information Age (Apr-May 2003) 52.

Raysman, Richard and Brown, Peter, 'E-mail blocking: spammers (and alleged spammers) fight back' (2001) 226(12) New York Law Journal 3.

Redford, Monique, 'The indecency of unsolicited sexually explicit emails: a comment on the protection of free speech v the protection of children' (2002) 26(1) Seattle University Law Review 125.

Riach, Emma, 'Cookies and spam' (2003) 153(7071) New Law Journal 379.

Ryman, Rene, 'The adverse impact of anti-spam companies' (2003) 20(1) Computer & Internet Lawyer 15.

Sinrod, Eric J, 'Court enjoins bait-and-switch spam scam' (2002) 227(87) New York Law Journal 5.

Sorenson, Andrew and Webster, Matthew, 'Trade practices and the Internet' (2003).

Sorkin, David E, 'Technical and legal approaches to unsolicited electronic mail' (2001) University of San Francisco Law Review 35(2) 325.

'Spam brings home a harsh reality', The Sunday Age (Melbourne), 11 January 2004.

Steinmeyer, Peter A, 'California spammin': opening the e-mail spigot' (2003) National Law Journal 25(48) 34.

Valetk, Harry A, 'Spam scammers hit a new low with spoofed e-mail' (2002) 228(52) New York Law Journal 56.

'Virginia claims toughest anti-spam law in nation' (2003) 20(7) Computer & Internet Lawyer 34.

Young, Gary, 'Canning cyber spam won't be easy: a national solution at center of debate' (2003) 25(39) National Law Journal 1.

Case Law

ACCC v Chen [2002] FCA 1248 (8 October 2002)

ACCC v Internic Technology Pty Ltd (1998) ATPR 41-646

ACCC v Skybiz (Unreported, Federal Court of Australia, 27 September 2002)

America Online Inc v IMS 962 F Supp 1015 (SD Ohio 1997)

Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63

CompuServe Inc v Cyber Promotions Inc 24 F Supp 2d 548, 550 (ED Va 1998)

Grosse v Purvis [2003] QDC 151

Gutnick v Dow Jones & Co Inc [2002] HCA 56 (10 December 2002)

Hotmail Corporation v Van Money Pie 1998 USDist LEXIS 10729; 47 USPQ 2D (BNA) 1020 (16 April 1998). Intel Corporation v Hamidi 30 Cal 4th 1342; 71 P 3d 296; 1 Cal Rptr 3d 32; 2003 Cal LEXIS 4205 (2003)

Macquarie Bank v Berg [1999] NSWSC 526

R v Hourmouzis (Unreported, County Court of Victoria, 30 October 2000)

Victoria Park Racing & Recreation Grounds Co Ltd v Taylor [1937] HCA 45; (1937) 58 CLR 479

Legislation

Anti-Spam Act of 2003*

Ban on Deceptive Unsolicited Bulk Electronic Mail Act of 2003*

CAN-SPAM Act of 2003

Crimes Act 1914 (Cth)

Criminal Spam Act of 2003*

Criminal Code 1995

Cybercrime Act 2001 (Cth)

Privacy Act 1988 (Cth)

REDUCE Spam Act of 2003*

Spam Act 2003 (Cth)

Trade Practices Act 1974 (Cth)

* Proposed legislation - has not been enacted.

Notes

[1] <http://www.brightmail.com/spamstats.html> at 25 March 2004. Brightmail defines spam as unsolicited bulk email.

[2] 'Spam brings home a harsh reality', The Sunday Age (Melbourne), 11 January 2004.

[3] <http://www.noie.gov.au/projects/confidence/Improving/spam.htm> at 25 March 2004.

[4] All Party Internet Group ("APIG"), Spam: report of an inquiry by the All Party Internet Group' (2003) <http://www.apig.org.uk/> at 1 December 2003.

[5] Ibid.

[6] David E Sorkin, 'Technical and legal approaches to unsolicited electronic mail' (2001) University of San Francisco Law Review 35(2) 325, 330.

[7] Ibid, 330.

[8] Ibid, 332.

[9] National Office for the Information Economy, Spam: Final report of the NOIE review of the spam problem and how it can be countered, (2003) 2. <http://www.noie.gov.au/publications/NOIE/spam/final_report/index.htm> at 27 July 2003.

[10] Dan Oakes, 'The long arm of the law takes a crack at breaking through the spam jam', The Sunday Age (Melbourne), 11 January 2004.

[11] Ibid.

[12] False positives refer to legitimate messages mistakenly identified as spam and being filtered out.

[13] Above n 7, 342.

[14] Above n 11.

[15] <http://www.ecommerce.treasury.gov.au/publications/BuildingConsumerSovereigntyInElectronicCommerce-ABestPracticeModelForBusiness/context.htm> at 9 December 2003. The Best Practice Model is based on the Organisation for Economic Cooperation and Development ("OECD") Guidelines for Consumer Protection in the Context of Electronic Commerce.

[16] Above n 10.

[17] For a code to be registered by the ACA, it must, among other things be 'appropriate' in the way it deals with the matters it covers and must have undergone consultation with industry, the public, consumer representatives, the Australian Competition and Consumer Commission, the Telecommunications Industry Ombudsman and, in some cases, the Privacy Commissioner. <http://www.aca.gov.au/telcomm/industry_codes/codes/about.htm> at 25 March 2004.

[18] <http://www.adma.com.au/asp/index.asp?pgid =1985/#2- do not mail/call service> at 9 December 2003. Another aspect of the ADMA Code of Practice is its 'Do Not Mail/Do Not Call' database. Individuals can register with this service and ADMA members must remove the names of any consumer registered from their mailing/call lists.

[19] <http://www.iia.net.au/privacycode.html> at 9 December 2003.

[20] Ibid.

[21] The IIA draft Privacy Code was submitted to the Federal Privacy Commissioner for registration in March 2003. According to the Federal Privacy Commissioner's website, it is currently under consideration.

[22] Above n 20.

[23] Above n 10.

[24] <http://www.scaleplus.law.gov.au/html/ems/0/2003/rtf/03149em.rtf> at 8 November 2003. The Spam (Consequential Amendments) Act makes various amendments to the Telecommunications Act and the Australian Communications Authority (ACA) Act to enable the effective investigation and enforcement of breaches of the Spam Act.

[25] Explanatory Memorandum, Spam Act 2003 (Cth). <http://www.scaleplus.law.gov.au/html/ems/0/2003/0/2003092501.htm> at 8 November 2003.

[26] Ibid.

[27] Ibid.

[28] That is, electronic messages that originate from Australia and messages that are sent to Australian addresses whatever their point of origin: section 7 of the Spam Act.

[29] Section 17 of the Spam Act.

[30] Section 18 of the Spam Act.

[31] Sections 20 to 22 of the Spam Act.

[32] Part 4 of the Spam Act. Penalties for breach range up to $1.1 million per day, in addition to orders for recovery of profits from spammers and payment of compensation to victims.

[33] Parts 5 to 7 of the Spam Act. These measures include a formal warning, acceptance of an enforceable undertaking, or the issuing of an infringement notice. The ACA may also apply to the Federal Court for an injunction or may institute proceedings in the Federal Court for breach of a civil penalty provision.

[34] Similar to the European Union (EU) Directive 2002/58/EC where prior explicit consent of the recipient is required before communications are addressed to them unless it is within the context of an existing customer relationship.

[35] Above n 5.

[36] 'Bill lets some spam slip through the net', Financial Review (Sydney), 18 September 2003.

[37] Above n 5.

[38] Above n 10.

[39] Above n 5. The E-Privacy Directive adopts a modified opt-in approach. It prohibits unsolicited commercial email unless subscribers have given their prior consent. It also allows a company to email customers whose address it obtained in the context of a sale, provided that customers are given the opportunity to opt-out on the occasion of each message.

[40] See heading 'US Position'.

[41] Above n 10.

[42] Schedule 2 of the Spam Act provides that 'consent' may be express consent or implied consent. If a person has a pre-existing business relationship or other relationship such as a family relationship, consent may be implied. Implied consent may also be inferred from the conduct of the person.

[43] Adam Turner, 'Spam, laborious spam, to stay on the menu', The Age (Melbourne), 17 February 2004. Based on a report by anti-spam expert, Bruce McCabe, titled The Future of Spam.

[44] Sections 477.1 to 477.3 of the Criminal Code.

[45] Eugene Clark and Maree Sainsbury, 'Privacy and the Internet' (2002), 90.

[46] Above n 10.

[47] For example, sections 247B, 247C and 247D of the Crimes Act 1958 (Vic) as amended by the Crimes (Property Damage and Computer Offences) Act 2003 (Vic).

[48] Above n 10.

[49] See cases discussed under the heading 'Australian Case Law'.

[50] Australian Competition and Consumer Commission, Submission to the National Office for the Information Economy re: spam <http://www.accc.gov.au/ecomm/spam.pdf> at 27 July 2003.

[51] [1937] HCA 45; (1937) 58 CLR 479, at 495-496.

[52] Above n 46, 105.

[53] [2001] HCA 63.

[54] Above n 46, 105.

[55] [2003] QDC 151.

[56] <http://www.privacy.gov.au/business/index.html> at 8 December 2003. The private sector provisions of the Privacy Act apply to organisations with an annual turnover of more than $3 million. The provisions also apply to all health service providers regardless of turnover and some small businesses with an annual turnover of $3 million or less.

[57] Above n 26.

[58] Ibid.

[59] Ibid.

[60] Ibid.

[61] <http://www.privacy.gov.au/publications/nppgl_01.html#npp1> at 8 November 2003. NPP 1 provides that an organisation may only collect personal information if necessary for its functions and activities. The collection must be fair and lawful and not unreasonably intrusive; the organisation must take reasonable steps to ensure the individual is aware of the identity of the organisation; the purpose for which the information is collected; who it will be disclosed to; the fact that they can access the information; any law that requires the information to be collected; and the consequences for the individual if the information is not given.

[62] Above n 46, 24.

[63] <http://www.privacy.gov.au/publications/nppgl_01.html#npp2> at 8 November 2003. NPP 2 provides that information can be used for the secondary purpose of direct marketing where it is impracticable to seek the individual's consent before use; the individual can request not to receive such information; each direct marketing communication must draw the individual's attention to the fact they can request not to receive further communications; each communication must set out the organisation's contact details.

[64] Above n 46, 16.

[65] Ibid.

[66] Ibid.

[67] Above n 26.

[68] Above n 46, 16.

[69] (Unreported, County Court of Victoria, 30 October 2000) <http://countycourt.vic.gov.au/judgments/hourmouz.htm> at 4 December 2003.

[70] Henry-Davis-York-iTEAM, 'Spam: remedies against the crime not the ham' (2001) Keeping Good Companies 53(2) 119. Hourmouzis was convicted under section 76E(b) of the Crimes Act 1958 (Vic). This section imposes a maximum penalty of ten years imprisonment and makes it an offence to interfere with, interrupt or obstruct the lawful use of, a computer by means of a carrier (telephone line or ISP) or facility provided by the Commonwealth.

[71] The Corporations Law has been repealed and is replaced by the Corporations Act 2001 (Cth).

[72] (Unreported, Federal Court of Australia, 27 September 2002).

[73] <http://www.aar.com.au/pubs/cmt/foecomnov02.pdf> at 9 December 2003. In a settlement with the ACCC, SkyBiz.com Inc consented to orders of the Federal Court which declared that, inter alia, the Skybiz scheme was a pyramid selling scheme; SkyBiz.Com engaged in referral selling which is prohibited under the TPA; SkyBiz.Com made false or misleading representations.

[74] [2002] FCA 1248 (8 October 2002).

[75] (1998) ATPR 41-646.

[76] Above n 51.

[77] The First Amendment to the US Constitution relevantly provides that Congress shall make no law abridging the freedom of speech.

[78] On 10 March 2004, it was reported that four ISPs - AOL, EarthLink, Microsoft and Yahoo! - filed lawsuits targeting several spammers identified as the most flagrant offenders of the CAN-SPAM Act's rules for sending commercial email. <http://www.brightmail.com/pressreleases/031004_isp-crackdown.html> at 25 March 2004.

[79] David E Sorkin, Spam Laws: United States: Federal Laws: 108th Congress: Summary <http://www.spamlaws.com/federal/summ108.html> at 24 November 2003.

[80] Above n 5.

[81] Jerry Berman and Paula J Bruening, 'Can spam be stopped? Rather than legislate a quick fix, Congress needs to look harder at legal and technical complexities' (2003) Legal Times 26(24) 76, 80.

[82] Subsection 8(b)(1) of the CAN-SPAM Act. <http://www.spamlaws.com/federal/108s877.html> at 26 March 2004.

[83] David E Sorkin, Spam Laws: United States: State Laws: Summary <http://www.spamlaws.com/state/summary.html> at 24 November 2003.

[84] 'Virginia claims toughest anti-spam law in nation' (2003) Computer & Internet Lawyer 20(7) 34. It is estimated that approximately 50 percent of all spam passes through Virginia, the home of AOL.

[85] Above n 5.

[86] Ibid.

[87] Ibid.

[88] 962 F Supp 1015 (SD Ohio 1997).

[89] The court relied on Section 217(b) of the Restatement (Second) of Torts to affirm CompuServe's trespass claim. This section states that a trespass may be committed by intentionally using or intermeddling with another person's chattels (personal property). Intermeddling is defined as intentionally bringing about a physical contact with the chattel.

[90] Above n 7, 348.

[91] 24 F Supp 2d 548, 550 (ED Va 1998).

[92] 1998 USDist LEXIS 10729; 47 USPQ 2D (BNA) 1020 (16 April 1998).

[93] 30 Cal 4th 1342; 71 P 3d 296; 1 Cal Rptr 3d 32; 2003 Cal LEXIS 4205 (2003).

[94] The appellate court disagreed, finding that these rights did not permit Hamidi to trespass on Intel's private property.

[95] It was a narrow 4-3 decision.

[96] Peter A Steinmeyer, 'California spammin': opening the e-mail spigot' (2003) National Law Journal 25(48) 34.

[97] Above n 7, 353.

[98] Ibid.

[99] Coalition Against Unsolicited Bulk Email ("CAUBE"), The Problem <http://www.caube.org.au/problem.htm> at 27 July 2003. According to CAUBE, there is no way for a spammer to know what city you are in, and no reliable way for them to know what country you are in. Even if it were possible and reliable to eliminate out of area customers, this is the era of e-commerce and a customer can be anybody, anywhere in the world.

[100] Unlike Cyber Promotions which was an identifiable and fully incorporated company, if a spammer is a one-person operation, tracking down and identifying the spammer may prove to be a difficult obstacle to enforcement of anti-spam legislation. Most spammers do not have sufficient assets to justify litigation.

[101] [2002] HCA 56 (10 December 2002).

[102] Andrew Sorenson and Matthew Webster, 'Trade practices and the Internet' (2003).

[103] For example, see Macquarie Bank v Berg [1999] NSWSC 526.

[104] Above n 103.

[105] Above n 7, 354.

[106] Ibid.

[107] Danielle Cisneros, 'Do not advertise: the current fight against unsolicited advertisements' (2003) Duke Law & Technology Review 10.

[108] Ibid.

[109] John F Magee, 'The law regulating unsolicited commercial e-mail: an international perspective' (2003) Santa Clara Computer and High-Technology Law Journal 19(2) 333, 339.

[110] Ibid, 333.

[111] Ibid, 336.

[112] Ibid, 337.

[113] Ibid, 356.

[114] Above n 82, 78-9.

[115] Ibid, 79.

[116] Above n 46, 73.

[117] Above n 7, 354.

[118] Ibid.

[119] Above n 7, 328.

[120] Ibid, 358.

[121] Graham Greenleaf, 'An endnote on regulating cyberspace: architecture vs law?'(1998) 52 University of NSW Law Journal 1, 9.

[122] Ibid.

[123] Above n 122, 1.

[124] Above n 7, 353.

[125] Above n 110, 375.

[126] Ibid.

[127] Above n 44.

[128] Above n 82, 82. See also Scarlet Pruitt, 'Spam deluge leads to search for silver bullet' (Apr-May 2003) Information Age 52 <http://infoage.idg.com.au/infoage1.nsf/all/CF9C7EFBBD751EOCA256D08001B5F1D> at 28 July 2003.

[129] Above n 7, 355; n 82, 82; n 110, 379.

[130] Above n 82, 82.

[131] Above n 44.

[132] Ibid.

[133] <http://www.noie.gov.au/projects/confidence/Improving/Spam/Glossary.htm> at 24 March 2004.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/MurdochUeJlLaw/2004/11.html