BACKGROUND MATERIAL SESSION - I Defining SPAM: Identifying the Economic, Technical and Legal Problems 1. 1.1 Spam –Definition The most common definition of spam is “unsolicited commercial email”. This definition however limits itself to messages that are commercial in nature and consequently excludes many types of messages that could be considered as spam. Unsolicited messages that apparently do not promote any commercial activity are left out of the ambit of this definition. CAN-SPAM Act In the United States, the CAN-SPAM Act is premised on this approach and defines the expression “commercial electronic mail message” to mean “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)”. The CAN-SPAM Act further clarifies that a ‘transactional or relationship’ message does not come within the ambit of the term ‘commercial electronic message’. The said Act defines “transactional or relationship message” to mean “an electronic mail message the primary purpose of which is: (i) (ii) (iii) to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender, to provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient, to provide (a) notification concerning a change in the terms or features of, (b) notification of a change in the recipient’s standing or status with respect to, or (c) at regular periodic intervals, account balance information or other type of account statement with respect to, a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled, to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender”.
1.2
(iv) (v)
1.3
The Australian Spam Act, 2003 In Australia, the Spam Act, 2003 has adopted a like approach and defined a “commercial electronic message” to mean “an electronic message, where, having regard to: (a) the content of the message; and 1-1
�(b) the way in which the message is presented (c) the content that can be located using the links, telephone numbers or contact information (if any) set out in the message; it would be concluded that the purpose, or one of the purposes, of the message is (d) to offer to supply goods or services; (e) to advertise or promote goods or services; (f) to advertise or promote a supplier, or prospective supplier, of goods or services; (g) to offer to supply land or an interest in land; (h) to advertise or promote land or an interest in land; (i) to advertise or promote a supplier, or prospective supplier, of land or an interest in land; (j) to offer to provide a business opportunity or investment opportunity; (k) to advertise or promote a business opportunity or investment opportunity; (l) to advertise or promote a provider, or prospective provider, of a business opportunity or investment opportunity; (m) to assist or enable a person, by a deception, to dishonestly obtain property belonging to another person; (n) to assist or enable a person, by a deception, to dishonestly obtain a financial advantage from another person; (o) to assist or enable a person to dishonestly obtain a gain from another person; or (p) (p) a purpose specified in the regulations.” 1.4 Unsolicited Bulk Email Another common definition of spam is that it is unsolicited bulk email. This definition categorizes messages based on the number of recipients to whom it is addressed. In this regard, while stipulating what constitutes “bulk”, some legislations attempt to specify a precise number whilst many do not. Even in cases where a specific number has been prescribed under State laws in the United States, the precise number varies from anything more than 2 messages in case of Idaho, to 500 in case of Kansas and 1000 in case of Louisiana. 1.5 OECD Approach The OECD adopts a definition that combines the elements of both the above approaches. It defines spam as “unsolicited and unwanted commercial electronic messages or emails that are sent to large numbers of people.”1 1.6 Characteristics of Spam The NOIE2 Report states that spam messages usually share one or more of the following characteristics: (a) Sent in an untargeted and indiscriminate manner, often by automated means;
1 2
Report of Directorate for Science, Technology and Industry, OECD. National Office for the Information Economy, Australia
2-2
�(b) Includes or promotes illegal or offensive content; (c) Purpose is fraudulent or otherwise deceptive; (d) Sent in a manner that disguises the sender; (e) Does not offer a valid and functional address to which recipients may respond, in particular, for opting out of receiving further unsolicited messages. The manner in which spam is disseminated also differs significantly from case to case. Broadly, spam falls within one of the following categories – (a) Usenet Spam – Messages sent to multiple Usenet or other newsgroups. Usenet spam robs users of the utility of newsgroups by flooding them with unsolicited advertising. (b) Email Spam – Messages targeting individual users through email messages direct to their addresses. (c) Wireless Spam – A relatively new form of unsolicited electronic messages is spam sent by text messages to mobile phones. In view of the above there is a need for an agreed definition of spam so as to examine its impact and permit evaluation of potential measures that may be adopted to counter it. 2. 2.1 Magnitude of the Spam Menace To date, no significant statistics have been compiled regarding incidence of spam in India. Estimates indicate that there were approximately 5 million internet users in India in 2003, nearly all of whom would have been faced by the problem of spam at some time or the other. However, in absence of specific data reliance may be placed on surveys conducted in foreign jurisdictions. Such surveys would suffice as a reference point for India given that the Internet renders geographical divides meaningless. Spam uniformly affects users on the Internet across the globe regardless of territorial borders. Available data from various jurisdictions indicates that the incidence of spam is rapidly increasing. The CAN-SPAM Act includes the following finding of the United States Congress: “The convenience and efficiency of electronic mail are threatened by the extremely rapid growth in the volume of unsolicited commercial electronic mail. Unsolicited commercial electronic mail is currently estimated to account for over half of all electronic mail traffic, up from an estimated 7 percent in 2001, and the volume continues to rise…” Brightmail Inc., a business specializing in anti-spam software and services, has estimated that spam accounts for 20% of all email messages sent. The
2.2
2.3
3-3
�Gartner Group has estimated that 35% of all business messages received are spam, and that this figure is likely to touch 50% by 2005.3 2.4 Microsoft MSN and Hotmail together block an average of 2.4 billion spam messages every day. In a civil action initiated in the United States by America Online (AOL) against spam, AOL averred that it receives around two billion emails on a daily basis, of which spam filters installed by the ISP block over one billion. This figure is ten times higher than what it was in 1999. Data released by Postini, a spam-blocking filter program that monitors over a billion emails per month, reveals that the amount of spam is doubling approximately every five months. The NOIE Report notes that as per the findings of the survey conducted by CAUBE4, Australia spam increased six times in volume in 2001 alone. The NOIE Report further cites a 300% increase in spam from 2001 to 2002. This dramatic increase is attributable in part to the increase in the penetration of the Internet across users worldwide. In case of a developing country like India with very low Internet penetration levels at present, there is an imminent likelihood of spam growing at exponential rates over the coming years. Effects of Spam General impact of Spam The United States Congress, after extensive deliberations on the impact of spam, decided to incorporate the following findings in the CAN-SPAM Act which succinctly sets out the effects of spam: “…(3) The receipt of unsolicited commercial electronic mail may result in costs to recipients who cannot refuse to accept such mail and who incur costs for the storage of such mail, or for the time spent accessing, reviewing, and discarding such mail, or for both. (4) The receipt of a large number of unwanted messages also decreases the convenience of electronic mail and creates a risk that wanted electronic mail messages, both commercial and noncommercial, will be lost, overlooked, or discarded amidst the larger volume of unwanted messages, thus reducing the reliability and usefulness of electronic mail to the recipient. (5) Some commercial electronic mail contains material that many recipients may consider vulgar or pornographic in nature. (6) The growth in unsolicited commercial electronic mail imposes significant monetary costs on provides of Internet access services, businesses, and educational and nonprofit institutions that carry and receive such mail, as there is a finite volume of mail that such providers, businesses, and institutions can handle without further investment in infrastructure.
3 4
2.5
2.6
3. 3.1
The NOIE Report at 9. Coalition Against Unsolicited Bulk Email
4-4
�(7) Many senders of unsolicited commercial electronic mail purposefully disguise the source of such mail. (8) Many senders of unsolicited commercial electronic mail purposefully include misleading information in the messages’ subject lines in order to induce the recipients to view the messages. (9) While some senders of commercial electronic mail messages provide simple and reliable ways for recipients to reject (or ‘opt-out’ of) receipt of commercial electronic mail from such senders in the future, other senders provide no such ‘opt-out’ mechanism, or refuse to honour the requests of recipients not to receive electronic mail from such senders in the future, or both. (10) Many senders of bulk unsolicited commercial electronic mail use computer programs to gather large numbers of electronic mail addresses on an automated basis from Internet websites or online services where users must post their addresses in order to make full use of the website or service…” On the basis of the above findings, the United States Congress determined that: “(1) there is a substantial government interest in regulation of commercial electronic mail on a nationwide basis; (2) senders of commercial electronic mail should not mislead recipients as to the source or content of such mail; and (3) recipients of commercial electronic mail have a right to decline to receive additional commercial electronic mail from the same source.” 3.2 3.2.1 Impact on Consumers Among the direct impacts of spam are the inconvenience and costs incurred by the users for the amount of time they spend online, either reading or downloading their email messages. Additionally, for those recipients who have limits on the amount of mail permitted to be stored by their ISP, spam often creates full mailboxes, which may result in legitimate messages being rejected. A study conducted by the European Union in 2001 estimated the worldwide cost of spam to Internet users to be in the range of US$ 10 billion annually.5 Equally significant are issues relating to invasion of privacy and the fact that spam is widely regarded as an intrusive nuisance by most users. The ease with which spammers can access databases of email addresses (known as address harvesting) of users as well as personal information, without the knowledge or consent of the users or the website owner, highlights the need to protect the privacy of the users.
3.2.2
Commission of the European Communities Unsolicited Commercial Communications and Data Protection: Summary of Study Findings, 2001.
5
5-5
�3.2.3
The fact that a high percentage of spam often has illegal or offensive content or involves confidence tricks and scams is a matter of considerable concern especially in view of the fact that recipients of such spam may often be minors. Spam exposes users to additional risks as in many cases the messages may be fraudulent or deceptive in nature. Impact upon Businesses Businesses suffer due to spam on account of the investments they are required to make in order to filter out and counter spam. It is also perceived that spam is adversely impacting e-commerce by eroding the confidence of consumers in the Internet being a medium for safe and secure transactions. Spammers sometimes alter the subject line of a message or the address from which it appears to have been sent in order to create the impression that the message has originated from a legitimate business. For the business so targeted, this results in a loss of reputation and goodwill since consumers mistakenly believe that the business concerned is sending spam. In fact, businesses have been compelled to initiate legal proceedings against spammers in order to prevent such damage to their reputation. Ironically, one area of concern for businesses is the filtering software employed by ISPs in an attempt to counter spam. In many cases, consumers have willingly subscribed to certain services or to receive information or updates from genuine businesses. However, messages sent by such businesses to the recipients who have expressly consented to receive them are often confused by the filters installed by ISPs as being spam and therefore, blocked. Impact on ISPs’ Spam is an area of concern for ISPs not merely because it uses up large amounts of available bandwidth on the network and storage space on servers but more importantly because it upsets customers and increases the technical support costs. In light of the available data that estimates spam to account for more than half of all message traffic, it follows that ISPs are presently bearing the costs for infrastructure that in the absence of spam, would not be required. To compound their problems, ISPs are required to continually make further investments to upgrade existing infrastructure to cope with the escalating threat. Other negative impacts of spam on ISPs include costs incurred on account of incorporating internal measures to counter spam, for instance, by way of filtering programs. Owing to the fact that spammers often generate random email addresses, many of the recipients to whom spam is sent are non-existent. In order to avoid the deluge of undelivered messages that would normally be sent to the sender, spammers do not disclose a genuine email address and rely instead on a fake or substitute one, often that of an ISP. This results in a substantial amount of email traffic getting diverted to an ISP. 6-6
3.3 3.3.1
3.3.2
3.3.3
3.4 3.4.1
3.4.2
3.4.3
�3.5 3.5.1
Impact and Concerns for Regulatory Authorities In addition to what has been stated above, spam is a major concern for regulatory and law enforcement agencies worldwide for reasons of public welfare. Due to the attraction that the sender’s identity can be easily disguised in a spam message, spam is fast becoming a popular medium for advertising illegal or immoral activities as well as disseminating offensive content. Seen in light of the enormous reach of the Internet as a medium for mass communication and the increasingly significant role it has come to play, widespread and indiscriminate distribution of such socially harmful content is a matter of grave and urgent concern.
7-7
�BACKGROUND MATERIAL SESSION - II Containing Spam through integrated measures 1. 1.1 Technological Solutions Technological solutions are a primary means of addressing the problem of spam. Anti-spam technologies can be implemented at the desktop, server or ISP level, and are available through software packages as well as software services. Though there are presently several such solutions on the market, there is no single approach to blocking spam. Success depends on facts and circumstances and often a multi-layered technology solution approach. Desktop/Server Solutions Some of the solutions commonly used at the server or desktop level include – (i) Blacklist Services – Blacklist services involve a database of known spamming IP addresses. Before delivering an email, the ISP or the software programme in question checks the address of origin against those in the database. If a match is found, it is presumed that the message constitutes spam and is therefore not delivered. Whitelist Services - Whitelist services tackle the problem in exactly the opposite manner to Blacklist services. The Whitelist database comprises of a list of addresses that are “legitimate” or “safe”. Any message originating from an address other than those listed is presumed “unsafe”. Whitelist services are often coupled with a “challenge and response” system. In the event that the message originates from an unknown sender, the system automatically sends an email to the address of origin, seeking a confirmation message. In the event that a subsequent confirmation is received, the system assumes that the sender is a legitimate concern (and not an automated “spambot”) and permits the message to be delivered. Linguistic text analysis and Heuristic Engine based filters – Filters are possibly the most common method of dealing with spam. Filters comprise of algorithms that analyse the message and determine the likelihood of it being a spam message. Those that test positive are not delivered to the recipient. Filtering algorithms normally use linguistic analysis or statistically derived heuristics to determine the nature of a message. Linguistic tools permit filters to conduct Boolean searches based on content and combinations of words or phrases. Heuristic engines on the other hand use statistics and certain established thumb rules to analyse content and determine whether the message is spam or not.
1.2
(ii)
(iii)
8-8
�(iv)
Networked Vigilance – Networked vigilance refers to a recent initiative involving the creation of a centralized database of spam that is continually updated by submissions from contributing sites and users. The underlying concept is that a mail server can compare mail messages it receives with the centralized database to see whether the said messages have been entered as spam.
1.3
Internet Service Provider/Internet Gateway Solutions It is estimated that employing anti-spam practices at the Internet gateway can block up to 40% of incoming spam messages which can reduce the costs of the expensive message analysis techniques. Measures include6: (i) Address Harvesting Defense - Monitoring connections to the Internet mail gateway in order to recognize and block address harvesting attacks. Anti-Spoofing Rules - Spammers often attempt to deliver messages addressed from the recipient's domain on the assumption that most domains will "whitelist" their own mail, allowing it to pass through unchecked. This type of address spoofing can be prevented by carefully checking the origin of the messages. SMTP Authentication/Transport Layer Security (TLS) - Enables enterprises to tightly restrict access to their Internet gateways by authenticating users using usernames and passwords DNS checks - Verifies domain names by use of DNS lookups. This represents a relatively quick and easy technique to block spammers from delivering their messages. DNS-based Real-time Blacklists - Prevents messages originating from suspect IP addresses from being delivered. In addition, some email service providers and ISPs are considering future solutions based on electronic proof based approaches involving virtual “stamps” that notify that an email sender has expended some sort of resources for every email that they send. At the core of such approaches is the concept that the solution for spam lies in changing the economic incentive for sending it.
(ii)
(iii)
(iv)
(v) (vi)
1.4
Changing Spam Requires a Flexible Solution To ensure effectiveness, and to consistently maintain the same, anti-spam solutions need to be continually monitored, tuned and modified, as necessary, to meet the evolving challenges of spam management. Such monitoring seeks to ensure adaptability of the solution in view of 7-
6 7
www.sendmail.com/products/antispam_pr.shtml www.sendmail.com/products/antispam_pr.shtml
9-9
�(i) (ii)
Spam changes – It has been estimated that a new spam message or technique is created every one to three days. Enterprises have different concerns about spam - Given individual corporate policies with respect to the use of language in email, offensive content filters should be customized to a particular enterprise's needs. Different Enterprises Have Different Legitimate Email Characteristics - Identifying characteristics of legitimate email are different from enterprise to enterprise, and even between different job functions within an enterprise.
(iii)
2. 2.1
Legislative/ Regulatory Features of an effective legislation In order to effectively address the problem, without disrupting existing commercial relationships, a successful anti-spam legislation should seek to allow consumers to receive email from trusted senders, while allowing them to block unsolicited or unwanted spam. Effectiveness of any legislation would have to be judged in terms of its ability to: (i) (ii) Decrease the volume of spam Lower costs to consumers, ISPs, service providers and businesses, who currently bear bandwidth, storage and software costs associated with spam, as well as the associated productivity losses and technical support costs Greater consumer control over whether and how to receive, filter or delete messages Broader commercial adoption and enforcement of email best practices Minimal disruption of pre-existing commercial relationships between businesses and consumers.
(iii) (iv) (v) 3. 3.1
International CooperationAnti-spam initiatives are often ineffective due to problems in identifying spammers and the lack of extra-territorial jurisdiction. Any national legislation will initially focus on the enforcement of locally sourced spam. The Government should work with multilateral and bilateral bodies to develop international guidelines and coordination mechanisms to attain a degree of uniformity in the policy approach to the anti spam drive and the adoption of international best practices. This would include awareness campaigns with participation of national consumer groups and self-regulatory groups. The Government should work along with bodies like the OECD and APEC to 10-10
3.2
�develop international guidelines and cooperative measures which aim to reduce the total volume of spam, apply the opt-in principle where practicable, eliminate false and misleading subject and header lines and provide end users with information on anti-spam measures. 3.3 Enforcement of penalties relating to overseas sourced spam will be problematic until a suitable international framework is in place. It will also ensure that there is an appropriate enforcement regime to deal with overseas spammers as soon as multilateral arrangements are in place. Conclusion In view of the above discussion, certain broad conclusions can be made out regarding spam and the need to take steps to address the problem. So far, spam has forced governments and private players to take immediate steps to remedy the situation. Though little consensus exists on what constitutes spam and the best way to address it, it is generally agreed that there is no one approach that can comprehensively solve the problem. Given the magnitude of the problem and its simultaneous impact on several interest groups, adopting a multi-pronged approach may be the only viable solution to the problem. Such multi-pronged strategy may include technological solutions, self-regulation, industry best practices, creating awareness and legislative/regulatory solutions. Even those countries that have implemented legislative and regulatory measures recognize that such measures alone are inadequate to mitigate the situation. Such countries now plan to implement further measures to supplement the regulatory framework. International businesses are urging governments to adopt balanced legislative approaches as part of a toolkit of possible ways to combat spam. At present India does not have a law on spam. The Information Technology Act, 2000 is silent on the issue, and other Indian laws do not appear to deal with the problem either. In keeping with the proposition of a multi-pronged approach, it India too may consider adopting a layered strategy comprising of technological solutions, appropriate self-regulatory measures, consumer awareness campaigns, legislative measures and guidelines for international cooperation.
4.
___________________________________________________________________________ Note: The views expressed are of FICCI IT Committee members. For more information please contact Mr. Tabrez Ahmad, Sr. Asstt. Director – IT at tabrez@ficci.com
11-11
�