
Opening speech and introduction of the Minister for E-Commerce

CHAIRMAN: Good morning, everyone. I am Derek Wyatt. I am Chairman of the All-Party Group, or the Associate Internet Parliamentary Group, or the Associate Parliamentary Internet Group --- or whatever it is called! We have to say these things because we also have outside assistance for the Group. I was going to start with a major apology, which was that Stephen Timms could not make it this morning. That was only because he was caught in a cross-border statutory instrument at five to nine, and we were going to re-juggle. Thankfully, he has broken a world speed record and has got here! I am also incredibly pleased to welcome Jim Halpert from America. We only got him yesterday morning. He got on a plane in a great hurry from Washington. We are thrilled that you are here, and we look forward to what you have to say in a moment. [Using screen] Why is the All-Party Group doing this investigation into spam? It is partly because it is very difficult to place spam in the select committee procedures we have here. Because the Whips do not care about select committees, in a way the select committee system is outside the loop of the political system. We did write to the Liaison Committee when we were looking at broadband, but that is the group that sees the Prime Minister every six months, and there are 28 different MPs --- some from the Catering Committee and some from select committees. So that does not seem to work either. If you look at what we have tried to do internally over the last year, with broadband we tried to get six different select committees to get together to look into it. In the end, we had to do it as MPs. We cannot get the select committee to look at soccer; so the All-Party Soccer Group are looking at it. The Health Committee is looking at obesity, which crosses so many different groups, but it could just as easily be the Education or the Sports Committee.
We looked at data last year and won an award for the work that we did. We are doing this, therefore, because we cannot locate it in the system that exists inside the House of Commons. That is why there are different groups now trying to change the way Parliament works. You have Parliament First, which has already published a booklet on how it would like to rein in the executive. You have Professor Hennessy's seminars which take place on Thursday mornings at 8.30. All of these are cross-party, cross-groups, trying to change the way this place works --- and doing it outside the system. For spam, it seems to me that, looking at the research we have done and some of you who are journalists have done, we have a real issue --- which is probably why so many of you are here. It is probably because your own e-mails are jammed up, let alone the issue itself. We have an EU directive. Stephen will talk about that. Washington are interested. They have already had congressional hearings. There are at least the state legislatures of Virginia and California legislating, however difficult. But it does not really matter, because the spammers just move. They move to wherever there is no legislation; wherever there are black holes. It is much easier for them. We must welcome the statements by Yahoo, AOL and Microsoft, and wish Microsoft well in its lawsuits against 15; but 15 is not many.
Lastly, there was a big piece in the Guardian last week, looking at what the OECD and the Internet Engineering Task Force are doing. So there is some activity out there regarding spam, which is encouraging. We have evidence sessions on the mornings of 3 and 10 July, in committee room 19 of the House of Commons, if you are interested in helping us. In a sense, there are two issues we are faced with. One is policy, which you and I can try to struggle with; the other is perhaps technical solutions to either screening or changing the way in which e-mails get to you. We hope that in the end we will have a report ready in early October. I would welcome your views at the end, but I wonder whether we need to involve more politicians, more journalists, more people in the business, to attempt this --- but to attempt it on a rather bigger scale and have a world summit. It seems to me that if only 10 per cent of spam originates inside the EU, the directive is fine but does not solve very much. We have somehow to tease out a solution. In the 1930s and 1940s, the whole of the world came together and agreed about telephony, as it did in relation to mail --- basically just to divvy up the costs of delivering it in each country and between each country. I am beginning to wonder whether or not that is something which is appropriate for us. I would welcome your thoughts on that at the end. That is the end of my short presentation. Stephen is our Minister. He has a dual responsibility. He was speaking on Radio 4 this morning on energy, so has had a busy day already. He has always been a most willing and accessible Minister in this area and --- if I can further embarrass him --- also the most open in this area, because he, like us, wants to find a solution.

Keynote speech

STEPHEN TIMMS: I am delighted to be here. I very much welcome this initiative and congratulate the All-Party Internet Group for taking it. The inquiry could not be more timely.
We are about to introduce, as Derek has indicated, new controls on unsolicited commercial emails (UCE), at a time when the problem is getting significantly worse. There is a great surge of public concern. What Derek and his colleagues have done in taking this initiative and in gathering the very impressive level of support that is clear here this morning is making a very important contribution to tackling the issues. I think that we have to be clear at the outset that, when it is used properly, with the consent of the recipients, e-mail can be an entirely appropriate vehicle for marketing communications. Not all unsolicited commercial e-mail is spam. I define spam as unsolicited marketing e-mails sent without either the consent of the addressees, or at least an attempt to target it on recipients who are likely to be interested in the contents. At best, spam is an annoying intrusion, clogging up in-boxes with messages which have to be thrown away. Some results from ill-planned or poorly thought-through marketing campaigns --- businesses genuinely trying to promote a legitimate product but who buy e-mail circulation lists without asking how the names have been obtained --- or they just work their way through commercial directories without attempting to identify the real target market for their product. But some results from more deliberate intent --- spam with pornographic content which can cause serious offence and distress, for example if it is picked up by children, even if the material involved is not actually illegal. At the worst end of the scale though, spam may be linked to serious frauds. There are sites which connect the user to a premium-rate access number, incurring substantial charges without the user's knowledge or consent. It may also be used deliberately to bring down a target recipient's system --- a form of industrial sabotage. Spam also, as well as being a real nuisance for the recipients, and maybe worse, constitutes an unwanted burden on Internet service providers, who may find their network efficiency damaged and are on the receiving end of complaints from subscribers about things that are beyond their control. What are the long-term trends? We have seen lots of estimates putting spam at between 20 and 40 per cent of current global e-mail traffic. We are starting to see estimates at around or maybe even in excess of 50 per cent of global e-mail traffic. Certainly it is clear that the problem is growing very quickly. Brightmail measured spam as 8 per cent of e-mail in September 2001, 15 per cent in December 2001 --- that is, three months later --- 46 per cent in May of this year. So it is growing very rapidly indeed. There are lots of reasons for the growth. There are more people going online worldwide, so there are more potential targets. The price of Internet access is falling. It costs so little to send out e-mail that marketing campaigns can pay for themselves, at least in the short term, with a very low rate of return. Spammers are becoming more sophisticated. There are very effective tools for harvesting e-mail addresses from the Internet and for also randomly generating addresses. Spammers are also becoming more sophisticated at hiding their identity. Some of them have clearly invested in large-scale e-mailing capacity.
Steve Linford is speaking later on, and research by the Spamhaus project has led to what I think is the astonishing conclusion that 90 per cent of total spam on the Internet originates with about 140 spammers. In addition, the squeeze on advertising budgets that we have seen over the past couple of years has set businesses looking for cheaper forms of marketing. Some of them have been looking in this direction. Of course, we cannot hope to wrap Internet users in cottonwool. You could see spam as the inevitable downside of a communication medium which is incredibly cheap, accessible and global. Whatever else we do as a government, we are not going to be setting ourselves up as censors. Equally, however, we do not want to see potential users scared off the Internet or restricting themselves in what they do with the Internet because of fear of spam. There is an important public policy interest here in users being confident about using the Internet, and spam is a threat to that. What can we do in legislation? There is already legislation in the UK which applies to spamming and activities related to it: not least the Data Protection Act which contains requirements on the fair use and processing of personal data, and the Computer Misuse Act, which is the legislation being used by Microsoft in tackling UK targets in the recent action against spammers to which Derek referred.

Online premium-rate services are subject to regulation by ICSTIS, the Independent Committee for the Supervision of Standards of Telephone Information Services. They have taken action in a number of cases recently where services have been abused. Their position is being strengthened by the Communications Bill, going through Parliament at the moment. The regulatory controls on spam will be strengthened later this year, when we implement the new EU rules on unsolicited commercial e-mail. These arise from the 2002 Directive on Privacy and Electronic Communications, updating the rules that apply to privacy and data processing on telecommunications networks and applying them to the Internet and to e-mail. The directive brings in a new requirement for opt-in consent for unsolicited commercial e-mail. Once that regime comes into force, businesses will only be able to send unsolicited commercial e-mail to individual addressees with their consent. If they have ticked a box giving their e-mail address directly through that business's website, for instance, or if they have actively agreed that a third party can pass on their e-mail address. The directive makes an exception to the opt-in consent rule in the case of e-mail that is sent in the context of an existing customer relationship. Where a business is marketing to its own customers, it may do that on an opt-out basis --- that is, unless or until the addressee decides that they do not want further messages from that sender. There are some restrictions. The directive stipulates that the sender must have obtained the e-mail contact details fairly and in accordance with existing data protection rules. They must always offer a free-of-charge opt-out facility, and they must be marketing their own similar products. I think that the directive is absolutely right about this. The kind of UCE most likely to cause a problem is that which is sent outside the context of existing relationships.
That is where there is most danger of contact details being obtained without consent, and of people receiving UCE which is badly targeted or which comes from an unknown source. There are two other provisions in the directive. First, senders must not hide their identity; they must always provide valid contact details. That is in line with the emphasis on transparency in other parts of the European e-commerce framework and it addresses one of the more unpleasant aspects of spamming --- the use of false identities. Secondly, all the rules which apply to unsolicited commercial e-mail will also apply to text messaging to mobiles. Converging technologies are making it harder to distinguish between conventional e-mail to a fixed computer and messages to mobiles. Since problematic unsolicited commercial text messages are generally generated within the UK, the directive is likely to be a particularly effective way of dealing with that problem. The transition deadline for the directive is 31 October. We have just completed a consultation exercise on draft UK regulations for implementing the directive. We are analysing the responses at the moment. I have not yet made any decisions on the issues raised in the consultation. We have received over 400 responses, and I am grateful to everybody who has taken part in that exercise. The responses have ranged from simple pleas to do something about spam, to much more detailed commentaries on the draft regulations and the way in which we are proposing to implement them. A key question has been how to apply the rules on UCE; in particular, the rules on email sent in the context of a customer relationship. Most people who responded have broadly welcomed the rules in the directive and we have had a lot of support for the way we are proposing to implement them. These are new provisions; inevitably there are questions of interpretation that arise. Quite a number of those who have responded have raised some detailed questions about how exactly the new rules will work in practice. An issue has been whether the protections available to individual subscribers should also apply to e-mail sent to businesses. There has been a range of views about that. A lot of people who responded felt strongly that that would go too far in restricting business-to-business communications; but others have felt equally strongly that badly targeted e-mail is as much of a problem for businesses as it is for individual consumers, and that the same overall rules should apply. That is a subject on which I will need to reflect with particular care. Other respondents have commented on the arrangements for enforcement and the sanctions that should apply to breaches of the new rules. Under the regime that we are proposing, the Information Commissioner will have powers to take action against breaches of the rules. Ultimately, failure to comply with a formal enforcement notice for, say, breaching the opt-in rules on UCE would be a criminal offence and subject to a fine. Individuals will also have the right to sue for any losses caused by breaches of the regulations. Some people have called for much stiffer penalties than that, and I can well understand the anger that spam provokes; but I think that we have to be careful not to penalise everybody for the faults of the worst offenders. Where spam is associated with fraud or other more serious offences, then it will be subject to stiffer penalties. We will be working on all of this over the summer, with the aim of producing our response and the final version of the regulations in August. So the discussions today are a very timely contribution to our reflection on that.
We are aiming to allow a 12-week familiarisation period between laying the regulations in Parliament and then bringing them into force in time for the EU deadline. That will also allow the Information Commissioner's office the time to produce guidance on the regulations, to help businesses comply with the new arrangements. The Information Commissioner, of course, is the office dealing with data privacy matters under the existing legislation. Does all this mean that we will get rid of spam from our in-boxes by the end of the year? Realistically, the answer has to be no. Derek has made that point already. I do think that the new privacy regulations have a very important part to play, not least in setting the framework for legitimate e-mail marketing, but I think that it is clear that it is not a problem that will be solved by regulation alone. The directive can only apply to intra-EU communication, which is a small part of the problem at the moment. We know from experience of regulating fax marketing that, where the advertising medium is cheap and lends itself to high-volume use, there is less natural incentive on direct marketeers to comply and more temptation for unscrupulous marketeers to flout the rules. Spam poses particular difficulties because of the problem of tracing the senders in a lot of cases. So, even within the UK, experience suggests that we can expect incomplete compliance with the new rules of e-mail marketing. However, there is obviously a particular problem because of the global nature of the net. Spam is not a UK or European phenomenon. Most of the spam we get comes from outside the European Union and so will not be directly affected by the directive. A lot originates in the US, although that is by no means the only source. I think that it would be very interesting if there were to be any pointers to a possible EU-US approach arising from the discussions today. This is perhaps a good opportunity for some reflection on that. Legislation on its own will not crack this. We need a multi-strand approach. We need to educate users on what they can do to avoid spam. To be careful, for example, who they disclose their e-mail address to; where they post them; to consider using different e-mail addresses for different uses --- for example, one for personal e-mail and another for Internet browsing. I was interested to see that FTC research last year found that a major source of the addresses which spammers use are chat rooms. Internet users need to take that into account. There are now very good, very sophisticated, spam-blocking and filtering products available to subscribers and via Internet service providers, relying on a range of techniques to identify and block unwanted e-mails. Internet users need to be more aware of those and they need to have access to advice on the choices that are available to them, both initially when they sign up to Internet access packages and as existing subscribers, if they find themselves in trouble with spam. Under the Communications Bill, Ofcom, the new communications regulator, will have a duty, set out in Clause 10 of the Bill, to promote media literacy. That includes improving, "...public awareness of the available systems by which persons...may control what is received", and, "...to encourage the development and use of technologies and systems regulating access to such material, and for facilitating control over what material is received, that are both effective and easy to use". That will be a duty that Ofcom has. There is, in our view, an important role for Ofcom and for government in raising awareness of what is available.
Different people have different needs but, for users who rely on the Internet for business purposes or as their main means of electronic communications or for users who want their children to use the Internet but are worried about pornographic or offensive spam, an effective technical filter will be indispensable. As an aside on the issue of offensive material on the Internet, let me draw attention to the work of bodies like the Internet Content Rating Association in enabling protected Internet browsing, and the excellent work of the Internet Watch Foundation, which is playing a key role in tackling offensive and illegal material online. Secondly, I would like to highlight and again underline a point that Derek made --- the scope for international action against spam. Internet service providers already co-operate internationally to block subscribers who breach acceptable use policies. At national government level there is a number of initiatives for new legislation, which I know you will be hearing about. There are proposals for federal legislation in the US and consultation on new rules in Australia. The European Commission is looking at the role that it can play in promoting good regulation at a global level, and that is potentially very valuable. We are active in a number of international discussions. Derek was talking about the possibility of a world summit, but there is a world summit on the information society being held in Geneva in December this year. That will include spam on its agenda, with a view to issuing a plan of action for members to tackle the problem. That may well prove to be a valuable forum. The International Telecommunications Union (ITU) has started to consider the problem, and there is some promising work being taken forward by OECD. OECD governments have just agreed on guidelines outlining a framework for international co-operation to protect consumers against the growing problem of cross-border fraudulent and deceptive practices, particularly on the Net. We hope that the parallel work being taken forward by OECD on spam will result in a similar concrete and concerted initiative, helping to provide a policy framework for dealing with spam at a national and at a multilateral level. I want to conclude on an optimistic note. This is an area where, yes, there are huge problems, a great deal of frustration and irritation, and not infrequently worse; but it is an area where there are also solutions. I do not want to suggest that spam will ever disappear, but I do think that a combination of sensible, well thought-through regulation, industry action, and better user awareness of the technologies and support available, can make a very big difference and make big inroads in reducing the scale of the problem we are facing at the moment. I am very encouraged by the initiatives taken recently by AOL, Yahoo and Microsoft to tackle spam. I think that, as I have suggested, there are other very fruitful lines we can also pursue. I am sure that this inquiry will highlight some other ideas. I look forward very much to seeing those and being able to consider them. What I hope is that all of us can work together in the months ahead to address this problem of spam, and to do so successfully.
CHAIRMAN: Stephen has half an hour. Shall we take some questions now? Otherwise, we will miss the opportunity to ask the man at the helm.
RICHARD COX (Mandarin): An impressive speech, and it is good that you mentioned enforcement. You mentioned the Data Protection Registrar or Information Commissioner, who has traditionally been extremely reluctant to enforce any provisions.
You mentioned the Metropolitan Police and the Computer Misuse Act. They do not have the resources to tackle even 1 per cent of the cases they see. You also mentioned ICSTIS. Paul Whiting, in this very room, has confirmed to me in the last few minutes that they are absolutely swamped by the level of complaints and cannot handle them. My point to you is a simple one. Legislation will get us halfway. To get us a result, what we need are the resources for enforcement. How do you propose to address that?
JAMES CRABTREE (The Work Foundation): It has been suggested --- and it is not necessarily my opinion but I have read a few articles --- that the type of legislation that might be used to cut spam will do more harm than good, penalising legitimate people and letting other people get away with it. How does the Government react to that problem?
STEPHEN TIMMS: I take the point about the issue of enforcement, but I would not be quite as despairing about the effectiveness of what is in place at the moment. For example, the Internet Watch Foundation is being very well supported by the industry and has seen a significant increase in resources as a result --- and I think is doing a very good job. We clearly will have to look at the question of the resourcing of this activity as things develop, but the key at this stage is to make sure that we have the right legislative framework in place. That is why we have spent a lot of time, effort and energy on the regulations to implement the directive, and I hope that we can get this right when they come into effect at the end of October. We will need to make sure that there are also provisions in place to make a success of them. But I recognise, as I was saying earlier, that intra-EU spam is a relatively small part of the overall problem that we are seeing. That is why it does require everybody in this industry --- government, industry, people involved with education --- to focus on addressing the issue together. On the question whether we are penalising legitimate users, I know that, potentially at least, there is a problem there of people finding that legitimate e-mails are blocked by the automatic filtering systems. I recognise the concern. However, as the filters become more sophisticated, I think that we can be confident that they will target the right e-mails and not those that are legitimate. Clearly there are some technical challenges there, but good progress is being made on that. I do not think that need be an impediment to progress along the lines I have been describing, but it is an issue that we have to bear in mind.
CHRISTOPHER REES (Herbert Smith, Solicitors): Thank you very much, Minister, for your very coherent speech. What struck me was that, if there are an identifiable 190 spammers who are creating 90 per cent of the problem, if we applied the 80:20 rule which is so famous in the IT industry --- to try to solve 80 per cent of the problem by attacking those people --- then that would be a very sensible approach for intergovernmental action, and something which I would commend to your attention. Also, possibly as a way of pursuing that, through the International Bar Association which is a body designed to co-operate across government boundaries to enforce the rule of law around the world. If that is of any use, I would be happy to make an introduction.
SIMON MOORES (Computer Weekly): Spam can possibly be subdivided into a number of categories. The one that perhaps concerns me most as a parent is the explicit nature of spam, particularly where children are concerned.
I will not let my child anywhere near the Internet. Is there scope to treat explicit, and arguably offensive or inappropriate content, in a different manner to the other uses of spam? After all, we are trying to protect the next generation. We are trying to encourage the next generation to go online, and we are doing a very bad job of protecting the interests of our children in the future.
JAMES CRONIN (faxyourmp.com): I wanted to understand whether the EU directive considers control of organisations who supply services.
STEPHEN TIMMS: A very large proportion of material is produced by a small number --- actually by 140. You have made a very fair point about that. We have, of course, seen Microsoft taking action against 15 or 17 in the first instance. I agree with you that, particularly given the use of the Internet resources that have been raised, there may well be opportunities for us to tackle a big proportion of the problem by looking at a relatively small number of individuals and organisations. Thank you for the helpful offer that you made. Is there a distinction that can be made in terms of the content? Clearly, filtering tools can make distinctions on that basis, and I think that it is very important that they do. We would distinguish between material which is actually illegal --- because if it is illegal offline then it is also illegal online --- and other material which is just offensive, which is quite hard to address by legislative means but can be addressed through filtering. I think that we need a mixture of the technical and the legislative approaches to make a success of this. In terms of the coverage of the directive, it is the spammers themselves who are addressed by the directive rather than other contributors --- but that is an interesting point which we should perhaps reflect on.
CHAIRMAN: Stephen has to leave now. Thank you very much again, Stephen. I wonder if the International Bar Society has not submitted evidence to us, and whether it is not too late? That is quite a good suggestion and would feed into what we are thinking. You might just reflect on that. I should perhaps mention our sponsors now because, without Aungate and Brightmail, you could not have had your coffee and we could not have had our next speaker. We get no monies as an all-party group; we have to go and find them. I welcome Jim Halpert. Jim was happily minding his own business in America yesterday morning. Because we had been screaming to try to find an American speaker, Dot, who has arranged this, found one for us. We felt that, without someone from America to give a different perspective, this would be a useful summit but not that useful. We are therefore incredibly grateful to you, Jim. Jim is a partner in the E-Commerce and Privacy Group of Piper Marbury Rudnick & Wolfe.

Spam in the US

JIM HALPERT: It is a pleasure to be here to speak with you today. As somebody who has worked on the spam issue in the United States for many years, I am extremely impressed by the degree with which all of you in the UK are facing exactly the same problem, and your government officials are very aware of the challenges and issues that this particular problem presents. [Using screen] I am here to talk to you about the American perspective on the spam issue.
I will quickly give you an overview of the problem in the United States. It is very similar to what is going on in the UK, so I will not dwell on it very long. There is the context of the US legal system's approach to the whole issue of information privacy, the state legislative framework for dealing with spam --- and you will see the defects in that framework --- and what is going on at the federal level in terms of national legislation, and we will touch on the need for international co-operation, which is something that I think the EU and the US could very productively discuss, once we get our legal frameworks sorted out. The spam problem in the US --- over half the e-mail on Internet service providers' systems now is spam. AOL blocks as many as 2 billion spam messages every day going to their users. That is the single largest market for spammers to try to hit. There are 26 million AOL customers, so spammers will just attack that network persistently. That gives you an idea of the volume and the challenges that are presented. Spammers are in a technology arms race to circumvent filtering technology to protect users from spam. Even the more legitimate forms of unsolicited commercial e-mail are being drowned out by this huge volume of get-rich-quick schemes, anatomy enlargement offers, ways to get pornography or, in the gambling content, there are all of these offers which deluge consumers today. The average individual Internet user gets approximately 30 spam messages per day, sometimes more --- depending on the network that they are on. What is the role of law in addressing this problem? We will hear later about technology solutions, which are more than half the problem, but let us think a little about the legal issues. The e-mail architecture and the cost model, as Stephen Timms mentioned, for delivering e-mail create a whole incentive structure where spam can and will happen. So we need to fight that. There is a total cost shift from the sender of the message to the recipient network and the recipient of the message, and network architecture is inherently open. What we will need, if we are to get a handle on this problem, is rules of the road for legitimate e-mailers. Their e-mails can be blocked if they do not abide by the rules of the road. There are more sophisticated technological and legal solutions for dealing with the outlaw spammer problem, which I will discuss shortly. Filtering technologies and trust-your-sender models hold a lot of promise for solving this problem, but have to deter the fraud spammers who are circumventing them. They hide where they are coming from. They play a game of cat and mouse with the providers of the filter technology and the end user who may implement the filtering technology on their own computer. They hide where they are coming from, to get around the filters.
They are constantly trying to attack networks and are very sophisticated in doing this. As soon as an ISP implements a new filtering method, the spammer will react and change, even within hours, the ways of trying to get round the filter. This is a constant game. Enrique Salem will be talking later and you will hear what this game is about from the provider of a very sophisticated and effective spam-filtering technology. These people are very sophisticated. In a future world in which only authenticated senders can send e-mail, they will try to spoof that system. Whatever the technology is, they will try to get round it. Civil laws may work with the legitimate marketeers, but these fraud spammers routinely flout civil law. The United States provides a pretty good example at the state level of what works and what does not work in the way of civil legislation. FTC has carried out a detailed survey, which I hope is available to you. I forwarded it as background reading regarding the spam problem in the US. Over 66 per cent of the e-mail they studied was falsified in one way or the other. Either it contained a falsified subject line or it somehow falsified where it was coming from. That is already illegal in the United States, but it was two-thirds of the spam that they studied. In addition, although 12 states in the United States require an ADV label in the subject line of an e-mail to facilitate filtering, only 2 per cent of e-mails, the FTC said, actually contain this ADV label. It gives you an idea of the fact that civil legislation does not work effectively to get at the centres of the overwhelming volume of unsolicited commercial e-mail.
So what are Internet service providers and policymakers in the United States turning to? Criminal deterrence of these different methods for intruding in networks --- which are really a species of hacking. To do criminal enforcement effectively, one needs international co-operation. As we have heard, these outlaw spammers will migrate --- some of them to Boca Raton, Florida. The United States Government will shortly begin to deal with that problem, once the legislative framework is in place. These people will then move to the Caribbean and to other places. We will need an international co-operation framework, and some detailed discussions between the US, the EU and, by the way, the rest of the world --- where spammers can very easily move --- to address this hacking problem.

How does the US legal framework address spam? We have a very different approach to data protection than Europe does. There are some recurring themes. One is that information privacy is not what we call a fundamental right. It is always balanced with rights of free speech and certain government prerogatives. We have what we like to think of as learning from John Locke --- that we apply an empirical approach to data protection. We do not treat all problems the same. You will see that in the solutions to spam that I am about to discuss. We have a greater suspicion of government than of civil society. For example, the data retention regime that the EU is putting in place is unthinkable in the United States --- the notion that government would require retention of personal data, but the restrictions on private sector handling of data are much less. We have very robust enforcement, with very real risks for not complying with legal requirements. As you know, we have a very aggressive plaintiffs’ bar. The FTC and state attorneys general devote a lot of resources to enforcement and take their jobs very seriously.
So legitimate companies will comply and make serious efforts to comply with privacy regulation, even though there is less of it than in the EU. There is not an approach of just declaring broad principles and then later having half-measures in terms of enforcement. How does this regime translate in comparison with the EU data protection approach? There is reliance on sector-specific laws addressing specific harms. Spam will be within that panoply of a specific type of intrusion on privacy that will be the subject of national legislation in the US, probably in the next two years and maybe in the next year. There is also selective application of fair information practices concepts, so that not all fair information practices apply to every problem. There is then a reliance on a mix of legislation, specific regulatory measures, and self-regulation. In the spam context, self-regulation clearly does not work. We have tried that and, while legitimate marketeers do follow self-regulatory practices, they send a small percentage of the spam that comes out. There is also dual enforcement by national and state governments --- what we call a system of federalism --- and a backdrop of deceptive trade practices laws that already prohibit misrepresentations and frauds of the sort that we commonly see in spam. There is broad consensus that spam is a privacy problem that merits specific legislation, but in two different approaches. One is the privacy/data protection approach and the other is a criminal/computer crime approach for the methods to intrude in networks by hiding who you are and where you are coming from. There are also the background common law and deceptive trade practices laws to which I have alluded, which prohibit most forms of spam.
In a series of actions that ISPs have brought --- AOL has sued over 100 spammers in the United States --- there is very clear precedent saying that you cannot trespass on a network unless you have permission of the owner of the network. There are also deception laws. However, there are limits to what state legislation can do. There are some constitutional challenges that I will not dwell on; also, states cannot reach out and effectively deal with citizens in other states who are sending most of the spam. There is a resource problem with just finding them. We have no shortage of state legislation --- not just Virginia and California. We have over 30 state laws that generally fall into four different types of legislation. One is criminalising falsification of the identity of the sender or the content of the e-mail message. Then simply regulating commercial e-mail, typically through an opt-out approach with an existing business relationship exception --- quite similar to what has been discussed at the EU level. There is also specific regulation of pornography spam, and requirements like the ADV label in the subject line of the e-mail --- which have proven to be totally ineffective. These are enforced by state attorneys general, ISPs, and sometimes by a plaintiffs’ class action bar. Utah is, ironically, a very conservative state but has a law that is becoming a class action bonanza --- with all sorts of multimillion-dollar lawsuits being filed against companies that may have made minor errors in the notices they have provided to consumers in their e-mails. It illustrates the dangers of having a system where the trial bar can get rich. They will sue the easy-to-find businesses; they will not sue the very-difficult-to-find spammers. The ISPs generally have the interest in doing that to protect their customers and networks, but it requires a lot of resources to be able to go after them.
Moving on to an example of California’s law, it has an opt-out requirement, the ADV requirement in the subject line, and the state attorney general enforces the law. It applies to e-mail delivered to a Californian resident via an ISP’s facilities in California --- and it does not work. California is currently looking at three different laws to change this approach. They will probably have some version of an opt-in rule in California, enforced by the trial lawyers’ bar, and we will see a huge amount of litigation in California.

What about the national level? It is widely expected that spam legislation will pass the United States Congress probably early next year. It has failed in the previous five years due to disagreement among the marketeers, the ISPs and the consumer groups; but, with the conservative Republican leadership in the United States, Congress realises that this problem has grown to such a dimension that they need to act. The marketeer businesses want a preemption, a superseding of the state laws, because there are conflicting requirements and they can be sued. They want a single national standard and they also want to clean up e-mail as a medium for marketing. There is significant momentum for legislation in the United States. What are the constituencies that care about this? The state attorneys general want to preserve state enforcement and, to the extent they can, preserve their state laws. The US Department of Justice is now interested in criminally prosecuting spammers, particularly pornography spammers. The FTC would simply like a law giving it very broad regulatory authority to go solve the problem. That is very unlikely to happen, because Congress likes to be more prescriptive about solutions. ISPs want stronger government and ISP enforcement. They particularly want criminal prohibitions against these outlaw spammers who hide where they are coming from, and they want to preserve some of the state laws that they use to go after those outlaw spammers. Marketeers would like to clean up e-mail marketing by preemption and a single set of rules, but the financial services industry --- which is a very powerful constituency --- is about to have a big fight over financial privacy. They want to get good precedent for their financial privacy behaviour; they would also like preemption. Finally, consumer groups, who are less powerful in the current Republican climate in Washington, would like an opt-in rule --- which is very unlikely to happen --- and the ability to sue directly, with trial lawyers representing them. That too is unlikely to happen.

There is a proliferation of different federal bills with different approaches. They generally fall into five different categories. You might want to draw on a few of these for your own approach in the UK. One is a notice and opt-out approach that applies to unsolicited commercial e-mail. That is unlikely to happen. It may be appropriate in the EU, because of the directive. It may be appropriate in the business-to-business context. Labelling requirements for spam, and for pornography spam in particular; bounties for individuals who locate spammers, so that the government can go after them; a national do-not-spam list. We have a do-not-call list for tele-marketing. That is a sure recipe that outlaw spammers will just go and get the list and send even more e-mails! Finally, there is criminal prohibition --- on which I will spend a little more time at the end --- probably the most fruitful role for legislation. There are five different bills that are significant vehicles in the Congress. I will not dwell on these, because they are not of great interest to people who do not live in the United States, but I will talk about them in terms of the general elements. There is a bill that was introduced by two very powerful committee chairmen in the House, which is a notice and opt-out approach, with criminal falsification. That is likely to become law in some form.
There is a competing bill that some Republicans have signed on to, to make that a little tougher but generally accepting the general framework. There is a bill in the Senate which has already passed a committee and is likely to be considered on the Senate floor, either this summer or fall, which is another notice and opt-out bill. There is then a criminal bill, introduced recently by the Senate Judiciary Committee. I will go into some detail on that, because it is quite well thought through. The final bill on the list is the one with the national do-not-spam list, which makes for a great press release but would not work. The general elements in the leading House vehicle are requirements for notice on every e-mail as to the identity of the sender and that the consumer has the right to opt out; an opt-out right for further messages for all commercial e-mail solicitation, including within an existing business relationship; civil and criminal prohibitions against harvesting e-mail addresses; against falsified header or routing information, and other forms of falsification of the identity of the sender, which is very important; preemption of most state laws, except for those dealing with falsified e-mail deception; and common law rights, property rights and contract rights. Then enforcement by the ISP, state attorneys general, and the Department of Justice. The ways that this might be toughened are in a competing bill that a Republican has introduced with a bunch of Republican co-sponsors from this key committee. There is negotiation going on to adjust this first vehicle, to add elements like prohibiting dictionary attacks --- which are an example of how spam is not entirely a data protection problem. Spammers will randomly generate e-mail addresses that tie to a large ISP and try combinations to see if they work. They do not get an e-mail list anywhere; they make their own, and there is an infinite number of permutations that apply. So simply applying the data protection framework will not be successful in addressing the problem. There is an issue about whether the opt out should apply to all affiliates: not just to the particular affiliate that e-mails the customer. Also, whether there should be some sort of knowledge or intent requirement for those who aid spammers. The Wilson bill would create strict liability for anybody who assists a spammer. State attorneys general would also have a broader right to sue and there would be no limitation on the damages that state AGs could obtain. There is a statutory $500 per e-mail sent. So this would really add up to a significant amount of money. The general approach for all these House bills is an opt out, with criminal penalties for fraud and deception, limited to commercial communications so that there is no infringement on rights of non-commercial speech; a fairly strong preemption with a single approach nation-wide; a notice in every e-mail that it is an advertisement, but not an ADV labelling requirement; no consumer right to sue; enforcement by ISPs, the state AGs, the Federal Trade Commission, and criminal enforcement by the Department of Justice.

I will skip ahead to a criminal approach, which may be worth considering in the UK as you go about dealing with the 140 or 190 people --- or the 200 --- who are supposed to be the main source of the spam problem. These are not people who will be deterred by civil laws. They are often sophisticated computer hackers. They sometimes will steal credit card numbers and register for e-mail accounts using someone else’s name. They really need to be dealt with through very strong measures. The goal here is to have some measure of stronger deterrence and to set up a legal framework so that technologies can work more effectively.
If people are constantly falsifying where they are coming from and spoofing the technology, then the technology solutions will be less effective. In the UK, so I am told, they are 90 per cent successful at blocking e-mail. This deals with the 10 per cent of e-mail that slips through, through a series of ruses. What are those ruses? Hijacking computers to send spam through Trojan horses. Peer-to-peer users, for example, will open up their hard drives and spammers will send in technologies that will then take over that user’s computer temporarily and send out e-mails from that computer. Using open relays is another way that spammers will find computers, often in other parts of the world, and just take over the computer and relay messages --- so that it looks like the University of Cairo is sending huge amounts of spam, when in fact it may come from the US or, for that matter, from the UK. Falsifying header/router information --- saying that the e-mail is coming from some reputable company. This happens in the US and is a significant problem. We are a law firm that has represented some very reputable consumer product companies. All of a sudden, they are sending out pornography spam and are getting complaints about that, because e-mails are bearing their return address when in fact it is not them. Finally, falsifying registration and registering for multiple e-mail accounts to domain names. Spammers can sometimes set up hundreds of Hotmail accounts and then send spam from those. They register automatically. Those e-mail addresses are totally new and will not show up on the filtering technology’s list of e-mails to block. This is an even more difficult problem because there is no tracing. At least to open an e-mail account there is some registration information. You can falsify registration in registering for a domain name. You are told that there is no record of what you have sent; you just have your own mail server. You have set this up and gone to Network Solutions, or whatever registrar, and registered for a domain. Then you can destroy all records of your spamming activity and send out a huge amount of e-mail. These are the sorts of exploits that spammers are currently using, and there will be more in the future. It all makes it very difficult to know where the spammers are coming from, to block their e-mail.

What to do about these problems? The idea in this Senate bill is to have felony penalties of three to five years, so that prosecutors have an incentive to prosecute. There are certain measures of what would constitute a serious spam crime, meriting a felony. Exceeding a certain volume sent --- but it is very difficult to prove the volume that a spammer sends. Spammers will divide the messages into small numbers and will send them from 150 different e-mail accounts, and you need to connect the dots through a complicated investigation to figure out what volume was actually sent --- by which time the records of the e-mails may no longer be around. Exceeding a certain revenue threshold through spamming activity; causing loss and knocking out a computer system, or imposing costs on the recipients; hacking and using Trojan horses --- that would be a per se felony, without any additional elements. Exceeding a certain threshold number of e-mail accounts for domain names, for which one has falsified registration; having a prior conviction for a hacking or e-mail crime; or leading three other people in a violation. Frequently the way that these spamming operations work is that the spammer will procure the help of some teenagers, who will then send e-mail for the spammer and will also have a series of fake websites that the user will go through in order to reach the actual website that the spammer is running.
Finally, what would be the ways in which this crime might be more serious? Harvesting e-mail addresses is clearly a way that spammers get their e-mail addresses. Using these dictionary attacks of permutations of letters and numbers, as an alternative way to get through to users. Falsifying an advertised website --- the domain name that was falsely registered, so that you cannot find the identity of who is profiting from the spam --- or hiring a minor to help perpetrate the crime. The idea for all of these offences is that there would be similar enforcement by both ISPs and the Department of Justice, and criminal enforcement by the Ministry of Justice. What to do about these spammers who move around the Internet? Illegality on the Internet migrates away from locales with effective enforcement. What to do about this? It is important to have international co-operation, at least with regard to these egregious violators, who are the greater enforcement priority, because they are sending most of the spam and they are the ones who are very difficult to block. Preservation of evidence is vital, in order to keep track of what the spammer actually did. The Council of Europe Cybercrime Convention may provide one way to reach beyond the US and the EU to get at these activities. There are two Articles that are relevant. One is illegally accessing a computer system without right --- which seems to be what is going on here. Secondly, computer-related forgery. The definition in the Council of Europe Cybercrime Convention, which I helped work on in the private sector, working with the US delegation, is “inputting or suppressing computer data so that it is inauthentic, intending that somebody act upon it”. That goes to falsifying the header/router information.
There are some frameworks, therefore. Certainly, working with the UN and other bodies, we can help to define these. But going after the particularly difficult-to-block spammers should be an international priority, even if we have some differences in terms of the opt-in or opt-out approach with regard to the legitimate marketeers.

CHAIRMAN: John Carr has an NSPCC lunch to go to---

JOHN CARR: A “launch”. Lunch I could miss!

CHAIRMAN: Because he is up against time, I will let him speak next.

Spam and the issues of child safety

JOHN CARR: At twelve noon Carol Vorderman and I are launching an NSPCC summer campaign, which is about trying to get safety software pre-installed on computers at the point of sale. If the safety software is installed and set to a high level of security --- which is what we are asking for --- then that would address, in part at any rate, some of the problems of spam that we are talking about. By the way, I am sure that Carol Vorderman will get more media coverage than me. She will do BBC News; I will do Barnsley FM! That is usually how it works when you do something with Carol! Let me first of all tell you a little about CHIS, the Children’s Charities Coalition for Internet Safety. In the late-1990s all of the major child welfare bodies in the UK --- just to name them, the NCH, NSPCC, Barnardos, Childline, The Children’s Society, the National Children’s Bureau and the National Council for Voluntary Childcare Organisations --- were working together on a range of things to do with child protection. We noticed that, increasingly, child protection issues around the Internet were intruding onto our otherwise mainstream child protection agenda. So in 2000 we formed the Children’s Charities Coalition, in order to give a specific focus to a whole range of issues to do with child protection and child safety on the Internet, which were increasingly coming up.
At that point in time, when I went and spoke to gatherings like this, I would open my remarks by saying, “Barely a week goes by without there being a terrible case in the newspapers, in the national media, where somebody has been arrested and convicted for a child pornography case. And occasionally there are even more horrible cases in the press where a child has been, typically, ensnared by a paedophile in a chat room, then met them in real life, where they have been raped”. Today, if I were to make similar remarks, as I am doing now, I would have to say that barely a day goes by when there is not a case where somebody has been arrested, convicted and sentenced in a court for a child pornography offence; and barely a week goes by without our reading about another case where a child has been ensnared by a paedophile in a chat room, met them in real life, where they have been sexually assaulted or raped. That, in a way, forms part of the backdrop to the discussions we are having today about spam. The political climate and the anxieties around children and the Internet arise not just because of the issue of spam --- and that, as I am about to explain, has increased in frequency too over the last year or so --- but those other things are also impacting upon it. In a way, they are simply another side of what I see as being the same problem. That is to do with the way that the Internet facilitates the abuse of anonymity or allows people to hack, or to do all of these other things. By and large, in our experience at any rate, people behave more badly and are more likely to commit offences, certainly in relation to children, if they believe that there is a low or zero probability of their being caught. To put it another way, if there were a high probability that people knew they could be identified, traced, and therefore caught, if they did something wrong, the chances of their behaving illegally or improperly generally, and particularly in relation to children, decrease. This issue of spam, therefore, seems to me to be another aspect of a bigger, more fundamental problem across the whole of the Internet, which is to do with the way the network lends itself to that kind of abuse.

As I have said, spam is now very much part of that child care agenda. It is very much part of the issues that we are concerned about. One of the most distressing cases I had to deal with was of a father who rang us up not that long ago from Lancashire. I did not hold that against him --- I am from Yorkshire, in case you did not guess! His 10 year-old daughter had clicked on a link that had come through on a bit of spam in her in-box, kept clicking and, in the end, was confronted by what he described as being a prepubescent child, probably about the same age as his daughter, being anally raped by somebody who was clearly an adult. She found it very distressing; he found it very distressing, and he wanted to know what could be done about it. I told him all the usual stuff. “You can set up a list so that only a specified number of e-mail addresses can get through. You can block the rest” --- and do all of these things. He said, “But why do they let this thing happen in the first place? I never knew all this stuff. There’s a million things going on on a web page. I didn’t know all about that. Now I know, perhaps there is something I can do about it”. It is very often difficult for parents, who certainly feel a lot less confident than their children do, to deal with a whole set of issues to do with child safety on the Internet.
They feel that these things should be taken care of at the very beginning: that they should not have to go to these additional lengths. They certainly do not feel that they should pay extra money --- and that is often what it comes down to --- for companies to provide them extra services to deal with these things. They provide a free service which is open to abuse, in the way that we have been hearing about. I think that is very much the view that we will be pressing for in the future, and it is part of what the NSPCC campaign that is being launched today is about. There should be some basic safety mechanisms built into computers --- particularly computers being sold into the domestic market --- or Internet service providers that are marketing and accept children into their networks. We have nothing to say about what happens in the business world. We have nothing to say on the question of how adults choose to use their computers. But we do have things to say about the way that children are being used through this mechanism. On the child porn point --- and I see Peter Robbins here, the chief executive of the Internet Watch Foundation --- this week, as in every other week, the IWF will receive between 75 and 85 reports of pay-per-view websites which sell, and only sell, illegal child pornographic images. Those pay-per-view websites which only sell illegal child pornographic images can only market themselves through spam. So spam is not just a peripheral little issue. What spam is allowing and promoting directly leads to criminals abusing children, in order to get new and more pictures which they can put on the website to sell to customers that they hope will revisit on the next occasion. So it feeds very directly into the sexual abuse of children. 
Whilst I do not disagree with what the Minister said at the beginning --- we have no argument to say that Internet users as a whole need to be protected or “cottonwooled”, or whatever the phrase he used --- but we do think that, in relation to children, the industry as a whole has a special responsibility to try to find better and more acceptable solutions.
I listened with great interest to what was said about the legislative plans that people have, here and elsewhere, and I am all in favour of them. But people who are already criminally abusing children in order to make money are not the most likely candidates to change their behaviour simply because the State of Virginia has passed a new law. It seems to me that it is the industry, and we have to find more and better technical solutions to solve this problem. Simply saying that parents have to be better educated, or have to supervise their children in a more coherent or persistent way, does not acknowledge the reality of life today for modern parents in the UK and, I suspect, elsewhere. We can go on as much as we like about parental responsibility. We certainly agree and do everything we can to encourage parents to have greater involvement in and more supervision of their children’s use of the Internet --- not least because of the problem of spam --- but if that is your only answer, it will not be an acceptable one. That does not recognise the reality of modern parenting. It does not recognise that the great majority of parents feel intimidated by and do not feel comfortable with lifting the “bonnet”. Icarus is a great solution. I am all in favour of it and I hope it works, but if you lift the hood on Icarus and see the matrix of options you have to make decisions about in order to fine tune it for your child, that is not the way forward in the end. I want to say a brief word about 3G phones and the way that will change the dynamic of all of this. One of the objections to spam is that if you have a dial-up account, you are paying for this to come onto your machine because you are paying by the minute for your use of the Internet. Some of the 3G phones will also be using a time-related or data-related model for charging. We could therefore see the growth in the market of 3G phones, some of which plan to allow for Internet access with full e-mail capabilities.
It will be quite hard for them to sell that if what happens next is that you find that, with your new 3G device, you are paying what are presumably higher rates for all of this spam to start coming down the line to you. We know quite a bit about what is likely to happen because we know how children already treat their mobile phones. Children’s mobile phones are the single most precious possession that they have. They feel that it is an expression of themselves as an individual; it says something about them; they are a “cool dude”, or whatever. They really treasure their mobile phone. If a child lends you their mobile phone, they are basically saying that they trust you in a big way. One of the things we say to parents in the fixed Internet world --- and we say it partly because of the issue of spam --- is, “The proper thing for you to do as a concerned parent is to sit by your child and supervise their use of the computer and the Internet. Be on hand. If you can’t do that, be nearby, so that if something dreadful happens your child can shout, ‘Hey Mum’ or ‘Hey, Dad, can you come and have a look at this? What shall I do about this?’”. One of the other pieces of advice often given to parents is to have the machine in a communal room. All of that completely flies out of the window when you have the Internet in your hand; you are on the bus going to school; you are in the playground, or whatever. Again, that is a factor which I think will impact adversely on the development of the 3G market, and again underlines the importance of finding a workable solution here. The other point on 3G is that bullying is now a fact of life. By definition, it will be spam-linked in some way or another. Nobody willingly accepts bullying messages. With 3G phones, I think that we will see new and more inventive forms of bullying becoming possible, because of the cameras and the fast, always-on access that these new devices will be providing.

There will be further sessions in the coming week when evidence will be called for. One of the things that I suggest you do --- and I see the producer is in the room --- is get hold of the tape of a Woman’s Hour programme that was broadcast last week, which I was on. In that programme they interviewed three different families with children who are regular Internet users. They were talking to the children about the spam they were getting. In a mixed environment like this I will not repeat everything that those children were saying, but actually all they did was to read off the headers of the spam e-mail that they were getting every day. A lot of it was to do with animals, farms and stuff like that --- leave aside the anatomy enhancements and the Viagra offers. There were some extremely graphic e-mails. Just the titles were upsetting. God knows what effect it would have had on the children had they actually clicked through them! These sounded like particularly savvy kids, who had in the past clicked through and decided that they were no longer interested in it. But a lot of other kids would perhaps not be so wise to it, would click through, and would see these images. We do not know what impact in the longer term exposure to that kind of graphic, hard-core, bizarre form of sex and sexuality will have on children. It is another reason, using the precautionary principle, for the importance of our finding more and better solutions to help deal with children. Otherwise, in the end we will see two Internets. We will see one where essentially you go at your own risk; you accept e-mail from it at your own risk; and it is definitely where the wild things happen. There will be another Internet, which everybody will have to pay for and which will be very different from the one that we know now. Maybe that is, in the end, what we need. Maybe that is a desirable objective. 
One big, walled garden where children go, where there is a great deal of certainty about who is sending, who is communicating and who is transacting there, and the rest of the Internet which is the Internet we know today, where children rarely go or they only go definitely at their own risk. CHAIRMAN: John has to go, but that was so stimulating; does anyone want to ask any questions before he goes? HELEN SHREEVE (BBC Radio 4): I am from Woman’s Hour, which John was just mentioning. We had a huge response to that item. We had about 50 minutes of our programme about the effects on children of pornographic spam. It was not about whether they visited sites or things like that, but about things that come to their mailboxes totally and utterly unsolicited. Our listeners are really concerned and worked up about it. I just want to say how urgently they think that something needs to be done about this. I think that there will be a growing pressure in terms of lobbying of the industry about it, as parents become aware of it. I regard myself as fairly media-savvy, working for the BBC, but I must admit that, until my own son started getting these sorts of e-mails --- when I had set up an e-mail account for him --- I had not realised the extent of it. How do parents become aware? I think that you will have stronger and stronger calls to do something about it. SIMON MOORES (Computer Weekly): I was at the Hi-tech Crime Congress last year and I was speaking to the head of Internet crime in the police force of one of the old Soviet republics. He was pointing out to me that he has 10 officers and has to police three cities, and that much of this stuff is coming out of the old Soviet Union. When he takes a server down, they go to court; it is probably a $10 or $20 fine, and they are back up the next day.

Even though we perceive we have a problem, we go back to what we were saying earlier --- that we cannot really stop it spreading from places like the old Soviet Union, because there is an industry devoted to actually making it happen. MATT WEST (Tiscali): What software are you recommending that parents download today? JOHN CARR: Officially or unofficially? MATT WEST: Both! JOHN CARR: Officially, we do not endorse a specific product. I point out to people who ask me that at home we have Cyber Patrol and at work we have Net Nanny. What I also point out to them is that if you have young children, AOL has the best, most comprehensive set of tools --- particularly if you have younger children in the house. But I never ever say that officially and I would not dream of saying it in a room where journalists are present! RICHARD ALLAN MP: I would pick up John's point about people saying that they do not expect to have to pay for the tools to make the Internet safer. An important issue raised is that security and costs are always a trade-off, and one of the reasons e-mail is so cheap --- the reason anyone can sit and e-mail anyone around the world without apparently paying anything --- is the fact that it is relatively insecure. One of the questions that we have, therefore, is who should end up paying for a more secure e-mail system. Is it everybody, by all of us paying higher Internet charges? Or is it just the people who want secure e-mail systems? The idea that we can have a more secure e-mail system free, without paying for it, is one we have to knock off the agenda immediately. JOHN CARR: For governments, however, this raises a social policy question about our attitude towards child protection. In a sense, we have to decide collectively, or the government has to decide, what attitude are we to take. 
I think that it is perfectly legitimate for government to say --- and again this is the launch that Carol Vorderman will be making later today --- that the state has a direct interest in ensuring that this happens. Child safety should not be an optional extra; it should be built in. When you buy a new car at the garage, the garage does not say to you, “By the way, the seat belts are in the boot. Put them on yourself later if you want to”. I think that we should take a similar attitude in relation to child safety on the Internet. Perhaps I could make one point about the policing aspect. I follow these things very closely, and on my estimate today there are only 25 police forces in the entire world which have the necessary components to take part in this type of activity. Those components are: (1) the right legal framework; (2) the right technical equipment, knowledge, trained personnel and so on; and (3) a political commitment on the part of the governments locally to make it happen. There are only 25 countries where that is true at the moment. It therefore seems obvious to me that we have to think of a new way of getting more and better international machinery. The G8 are doing quite a lot, but they do not have a full-time secretariat. I can see one of the part-time G8 civil servants here today. There is not any kind of obvious vehicle or

machinery, however, to try to move this agenda forward. We all have to think of new ways of doing that. JIM HALPERT: There is a lot of interest among Internet service providers in the United States in providing for centralised reporting of child pornography crimes in particular --- they are so egregious and tend to be international --- and in finding better funding for Interpol and others to provide resources to parts of the world that do not have the resources to go after this problem. This is truly a problem of collective global action, because cybercrime is so new, as John said. This may be a very productive area for dialogue between the US and others. CHAIRMAN: I want to come now to Philippe Gerard, who is from the EU DG Information Society. It is another reason to thank our sponsors, Aungate and Brightmail, who have been able to bring him here from Brussels. European perspective on spam PHILIPPE GERARD [Using screen]: I will not tell you so much that is political, in a way, because I think that we have heard a lot on what is and is not politically acceptable, what is pornography and so on. I want to step back a little. As we understand it in the EU, legislation and the Directive on Privacy and Electronic Communications will not solve spam. It is a much more difficult problem as to how the Internet is used or abused. In terms of the background, in a nutshell, what you need to know about the new legislation is that in the EU there is a general communication directive and a specific telecoms data protection directive. This is the background; this is data protection/privacy. It is something dealt with under privacy in the first place. Do you want that first? How awful can it be? Do you want to be hassled by this? The question and the answer was open. We had a general directive. The general directive is interesting in one way in particular. It has broad principles that anyone dealing with personal data has to respect. 
It means that you have to have legitimate purposes before you start processing the data and, if you use the personal data of the family, you will most probably be in contradiction with the general data protection directives. I have tried to summarise this by saying that harvesting is illegal in the EU. We see that the US is looking at that possibility, but in fact if you look at the general data protection directive, this is illegal. This is important because probably this is the reason why it is not as important in the EU compared to the US in terms of EU spam. Secondly, the Specific Telecoms Data Protection Directive was adopted in 1997. It has very different provisions vis-a-vis confidentiality of communications, security, directory, subscribers and unsolicited commercial (?) calls and faxes. It was a text adopted in 1997 and I can tell you that the background was that junk faxes were illegal until we adopted this EU Directive. You can think about why we extended this regime to e-mail marketing. Again, more background information, the directive on privacy is part of a new package for communications. I just want to mention that because the objective of this entire package was to adapt a framework to convergence, to make it future-proof, to make it pro-competitive and this meant, particularly on privacy in data collection, to try to reflect developments and provide an equal level of protection of personal data privacy regardless of the technology used. In other

words, we do not care what technology you are using, we will try not to favour one given industry. What are the main features of the new directive? I believe that you have new legislation in the UK. First of all, it means that the scope of this directive has been extended to all communication networks and services. This means that the provision of the directive of unsolicited commercial communications will be applicable to e-mails, to faxes of course and also to SMSs and MMSs. We have really tried to have a technologically neutral approach to this. We have new definitions that mirror this and that is quite important in terms of the US, EU and other third country discussions. The scope of this directive is quite a broad one. Our rules are applicable to services on public communication networks in the EU, wherever they come from. This means that the spam provision directive will be applicable to spam coming from the US. Either we are saying it is possible or we are saying that we have the possibility to improve enforcement internationally and we seized that opportunity and worked at it. In greater detail, I want to come back to reasons why we have provided this opt-in system in the EU because I think we have gone through various reasons and various possibilities and proposals in the US and elsewhere. Some reasons have been mentioned. The first problem certainly from the Information Society would be to say that there is a problem with confidence because people will not risk using e-mails to the extent that they will be able to do without spam. It seems that they do not trust e-mails anymore. That is one fundamental problem because it means that spam is a threat to e-commerce and e-development of the Information Society. Secondly, it creates costs and nuisance for professional consumers. You know all of that. I think it is important to look at industry in particular. Industry has a huge interest in solving this issue and I think we will hear more about this later. 
It may be a difference compared to other provisions or legislation in general, but here industries have a great interest and it coincides with privacy and privacy interests of users and I think that is very important. Also, filtering systems used by ISPs seemed open to legal challenge. We had a consultation with Member States and not everyone repeated this argument, but we heard from ISPs, at least when we were negotiating the text, that there were problems because we were open to being challenged because of the fact that you are forced to transmit communications when you get them, so why would you filter out? We have now provided for a legal basis which is clear, and unsolicited commercial e-mails are illegal, so ISPs have greater certainty now to filter out spam. I think that is again one point to bear in mind. Of course, at European level, we will legislate once there is the problem of single market and again we were seeing different Member States going in different directions, so we wanted to avoid being patch working on this issue. Why opt-in? Well, as I said, compared to what I heard earlier on, privacy is a right. Privacy is a right. It is not an option. I think that is the starting point. It may be that spam has increased to another level in terms of an industry problem, but the starting point is that privacy is a right and therefore you should be able to say whether or not you want to receive commercial emails. Just to respond to industry, I think they have the message now. I think at the beginning of opt-in - and it is the same in the US at the moment - it was felt that it was against the industry

interests to do that because we want to be able to communicate with people, and what we have found out already in 2001 is that permission-based marketing based on prior consent is much more effective in terms of marketing. It may be that there is not a business model behind that because some companies sell each other this and therefore, for the business model to continue working out on opt-out systems without legislation, but if you look at the marketing element, in fact permission-based marketing is a right. You heard the basic principles from the Minister himself. I will not add to it. I will just mention that in the UK, the proposals I understand are ... You have this opt-in and you have the exception to the opt-in, you are in the process of sale or if you are in an existing customer relationship, the thing is that we should not arrive at a situation where some Member States would have that exception too wide compared with the principles. Otherwise you ruin the principle again and we hope that Member States will get it right ...(inaudible). There is a tiny exception there but you should not make this exception too bold. Additional safeguards to compare with the US. Concealing the identity is prohibited under this directive. It is more than privacy. All marketing messages must include a valid return address and allow opt-out, also confirm opt-in. I just want you to know that of course other provisions will apply. As in real life and in many other situations, a lot of other provisions can apply: misleading advertising and deceptive practices. To respond to this cybercrime circular, obviously there are provisions and there is a framework decision at European level to be officially adopted in the coming weeks that bans hacking and all sorts of intrusions that arise in QV systems and obviously spammers doing that will be caught, but I think that is a different story. I need to talk about enforcement. 
The structure in the EU is such that Member States have control on enforcement. They are the ones responsible for enforcement in the first place. So, we hope that Member States will be tough on enforcement. What we have provided in the directive is that through the general directive, adequate complaints and penalty mechanisms will be established, an individual right of action, claims for damage sanctions. It is for the Member States to choose the right sanctions to do that. We have started following up because we knew that legislation was not enough. I want to tell you a lot more about this because Commissioner Buchanan wants to announce in coming weeks I believe, but certainly we want to work and we have started working with Member States services and data protection of the release through the Information Fellowship on how to follow up on that, how to have industry adopt codes of practices which conform opt-in provisions, how to have effective reporting mechanisms and complaint mechanisms, how to talk to other Member States, and of course international co-operation and how to close on that. International cooperation is of course key. Commissioner Buchanan was last weekend in Washington to talk to the Chairman of the FTC on this issue exclusively. So, it shows you that we are really keen to do something. Again, it is for the United States in the first place to talk enforcement, but we are currently investigating what we can do. I will be happy to respond to questions on that. Thank you. (Applause) CHAIRMAN: We are going to have all the presentations up on the website, so, if you are worried about how you are going to get them, they will be on by tomorrow, I hope. We will take two questions about USA and EU because it is quite interesting.

QUESTION: I have a question about the EU opt-in request. Is that double-referral opt-in or single opt-in? PHILIPPE GERARD: There are lots of discussions in the US as to what is opt-in. We say that prior consent must be provided. The way you get it is up to you, but it is the prior consent. It means that you cannot send the first marketing messages to get the consent, that is marketing already, but it depends on how you do that. There may be different ways of doing it. You can go on the website. In other words, we do not ask explicitly for confirmation afterwards that this person has effectively agreed. It is up to Member States. Member States want margins and closing directives. It is up to Member States to choose the right level of precision in terms of what is involved in that. What we want is prior consent to make sure that consumers have indeed accepted to get e-mails. QUESTION: Would you accept that, if you do not confirm opt-ins, then, in this environment, knowing what goes on, you are being negligent? QUESTION: Very much on a similar theme but perhaps putting it a little more clearly because obviously these things are not understood yet in Europe. Do you not see that if I want to send you an unsolicited e-mail, I can ask a friend to send me an unsolicited e-mail in your name subscribing you to my list? Under your proposals, that would be sufficient. The view of the Internet community is that it most certainly is not. RICHARD ALLAN: On the American proposals, it is a fascinating way to start to understand US legislation but really to ask whether, if the Americans implement the opt-out system as proposed, there will be any revenue for a UK citizen if the American company ignores the opt-out message given because you said that there was no private action available to individuals. We do not have any state attorneys or anybody to represent us, so if an American company sets up and bombards the British systems, would they have any redress at all? 
PHILIPPE GERARD: Just for clarification, the consent must be provided. In other words, someone else subscribing you to the service is not consent, it is simply disguised fraud or whatever you want to call it. It is not consent. You can imagine lots of technical ways to make it seem that consent has been provided, but it is simply illegal under EU law. There are dozens and dozens of possibilities to be fraudulent compared with the system in our directive. You must see that there must be some margins here and that we must be future-proof. The future-proof message here is that consent has been provided. It is not true consent if someone else did it. It is illegal. CHAIRMAN: I am sure this debate will go on. JIM HALPERT: This is not really a debate, it is a point about how the outlaw groups operate. They are very sophisticated in what they will do. They will have numerous relationships. For example, a website will offer referral fees to others who send out e-mail and bring in traffic to the website. They will say, “We do not have any knowledge as to what these people who are sending traffic to us are doing” and it becomes a challenge to prove what is going on, but permission-based marketing is another area that confuses the difference between permission-based marketing and opt-out and in practice may not mean all that different under certain circumstances. The problem with the opt-out rule is that consumers right now do not trust opt-out. Spammers are saying

that they are offering opt-out and, if one has an opt-out regime for certain activities in the UK which says, “this is the business”, there needs to be very strong enforcement for fraudulent offering of the opt-out just like there would be for false use of permission-based marketing as well. For the outlaw group, they will be trying all sorts of ways to disassociate themselves from the actual e-mail activity while collecting the revenue and it is very harsh to apply those sorts of rules to legitimate companies who do not have strict liability rules necessarily and a consent regime. There really are almost two categories of enemies that will be e-mailing, and having a set of rules that deals with the outlaws in an effective way is a real challenge while not imposing really extreme liability for legitimate companies. So, it is tricky and your question highlights this question about what is real consent etc. CHAIRMAN: Relating to John Carr's remarks, those who read the Financial Times will have seen that the Japanese are sending over what are called smutty photos - I expect they are called s-mails or something like that - but I guess it is becoming the increasing element of 3G in Japan. It is a very good argument and it echoes some of the remarks that John said just now. We are going to go on to look at some of the solutions with technical solutions. Enrique I have met a couple of times. I was fortunate enough to be in San Francisco four weeks ago and had a private visit with him and we discussed this ad nauseam. He has also given evidence to Congress. Enrique, come and tell us a little about Brightmail solutions. The technological solutions to spam ENRIQUE SALEM: I am not going to limit my remarks to what Brightmail does, I am actually going to go ahead and extend beyond what we do to really talk about the solution to this problem. What I do want to do is give you some data; you have heard a lot of data and I want to clearly clarify a couple of components. 
First and foremost, one of the things that Brightmail does is that we see about 10 per cent of the Internet e-mail. Of all the Internet e-mail, we get 10 per cent. What our data is showing is that, in May, we saw 63 billion messages across all of our customers. Of that, 48 per cent was spam. You have heard lots of different numbers. You have heard 50-plus and you have heard 10, so let me debunk that a little. Basically, what is going on is that, when I say 48 per cent, that is a cross-section of our customer base. We have seen large ISPs that actually have as much as 80 per cent of their total e-mail in spam, but then we have also seen technology-manufacturing companies that have 10 per cent, 12 per cent, 15 per cent of their Internet e-mail as spam. So, that 48 per cent actually represents a blended number. We are predicting though that, at this pace, we will see that, by the end of the summer, it will be more than 50 per cent and, by next year, it will probably be 65 per cent, and that should be a concern to all of us and hence the reason that spam is getting as much attention as it is today. Another important point is that we have actually seen the amount of adult content increase about 500 per cent over the last two years. It now represents about 19 per cent of all Internet spam and that number is also continuing to increase. There are a couple of challenges that I think have been touched on but that I want to highlight. We heard Jim talk about the FTC member who said that two-thirds of mail contains some form of deception in the headers. We actually run something we call a probe network which is a series of decoys; they are spread out across the Internet. Our probes receive on a monthly basis somewhere in the order of 400 million messages. When we sampled the data

coming into those probes, what we found is that 90 per cent had some form of forgery or deception in the headers. This is one of the inherent issues. When e-mail was created in the mid-1980s, RFC 822 and others, no one envisioned that spam would be one of the primary users of email, so we did not build in all the necessary securities to make sure that somebody could not be anonymous, that somebody could not spoof a legitimate e-mail address. I do want to say that, when I hear about solutions that speak to upgrading the e-mail infrastructure, that is not an easy proposition. E-mail is very ubiquitously deployed and the notion of just building security in after the fact I think is something that, while interesting and useful for an academic discussion, is not going to allow us to solve the problem in the immediate term. It is also important to note that when you talk to ISPs - and I spend a lot of time talking to ISPs, both here, in Europe, in the US and in Asia - they all see spam as a problem. It is one of the largest customer satisfaction issues that they face. An ISP that has one million users will spend somewhere in the order of $7 million a year across all of the different techniques and all of the different things that they do. That is from a recent Gartner Group study. It is also important to note that businesses are now losing a tremendous amount of money due to spam. First Research recently was quoted as saying that as much as $10 billion is being lost in productivity as a result of spam. I can also tell you that the spam we saw six months ago is not the spam you are seeing today. Spammers will adapt their techniques; they will change what they do. Today, a majority of spam is actually not just simple text; it is actually HTML-based, making it harder and harder to detect. So, we are dealing with an arms race here: the spammers will react; the technology will need to adopt and adapt, adapt and change to stay ahead of what spammers are doing. 
I will tell you a little story and then I will go on to the solutions that we see and believe. I was presenting at a conference where there was actually a spammer who was asked to give his perspective and he spoke to the notion that users should get to choose what is being sent to them, that they should have the final decision. The problem with that statement is that what happens is that e-mail and sending e-mail is basically free. It costs almost nothing to send e-mail. I think it is important to note that, as we look at that statement, just allowing ISP networks to be overrun by spam is a very significant problem. So, the notion that the end user should be the only person having a decision I think does not fully address the costs associated with spam. What I would like to do now is turn my attention to how we will solve this problem and we will solve it. There is enough interest. Everywhere I go, there is interest in solving it from a legislative front, from a technology front and from a direct marketing front. Direct marketers are being hurt as much as individual consumers and as much as businesses because their e-mail is being lost in a sea of spam. They are not being able to use this valuable form of communication as a valid form of marketing. So, if we look at the solution, what we believe is that it will take a combination of efforts between legitimate direct marketers who will comply with best practices, technology companies, ISPs and legislation that can serve as a deterrent. One thing that is very interesting as an observer today in this conference is that you will notice that there are different perspectives - there is a perspective from the EU and there is a perspective from the US - but I think what we are going to have to do is to try and get to some fundamental principles on what should be allowed and what should not and we will be able to get there because there is enough interest in this problem. 
As I paint an answer as to how we solve it, what I would like to tell you is what one of the biggest fundamental issues is. What is the definition of spam? For me, I can get up here and say that it is unsolicited commercial e-mail. Somebody else may say, “I have a

slightly different definition of spam.” So, I think that that in itself does create part of the problem. When I talk to some of our large ISP customers, what they will tell me is, “Hey, this mailer did not get blocked” and, sure enough, what we will see is that somebody has requested that access but somebody else has not. So, there is a complexity in fighting spam. The specifics to the solution are as follows. I think that there is no silver bullet. From a technology perspective, there is no one answer. You will need to use multiple techniques to fight and block spam. There are lots of different techniques that are being applied today but it will be a combination that will win out in the end. I said a moment ago that e-mail is such that you can send it anonymously, so part of the solution will be that the technology will have to enable us to identify the legitimate direct marketers. If they want to be able to send a message into your in-box, if Hewlett Packard or General Motors or any company wants to end up in your in-box, they are going to need to be willing to be identified. The second component which is also interesting is that spam has a unique characteristic. It is bulk by definition. So, if we are able to collectively across the Internet share information about bulk e-mail, that in itself will help us to identify what is spam and what is not. So, you take those two points: the ability to identify legitimate marketers and the characteristics of bulk. If you can see those two things, the group that is now exposed is the spam. We know who the good guys are and we know who is sending bulk. So, if they are not willing to be identified, then they will be classified as a spammer and I think that that in itself will start driving us towards the technological solution to this problem. The next point that I think is important is to speak to some of these best practices that are going to be required. 
I think that legitimate direct marketers have to be willing to do several things that will allow us to know that they are a trustworthy organisation. They will have to provide us with, for example, a valid opt-out capability. If I push a button on my computer screen saying, “I do not want to receive anything from this organisation”, then that should be honoured and I should no longer continue to receive messages from that business. There is the issue of list management. A direct marketer should also think about how they obtain their lists because we have talked about the notion of targeted e-mail. I run a business and I spend a lot of time thinking about how to maximise our marketing dollars. Would I rather send something to somebody who is interested in what I am selling or just send something to everybody? I think it is pretty clear that I would rather send something to somebody who is interested. I think the same applies in e-mail marketing. Just because it is free does not mean that sending a lot of it will have significant return. So I think it is important to note that what we would like to see is that direct marketers continue to improve the techniques that they use for list management. Specifically, if five years ago I transacted business with a company on the Internet, should they, for the rest of time, be able to send me e-mail? The answer is that we would like to see those lists being refreshed. 
We would like to see that there is some kind of confirmation, maybe once a year, that says, “Do you want to continue receiving information from this business?” I think it is also important to note that the debate on opt-in and opt-out is a very heated debate but, as I listen to the different groups, I think that there is a solution and I will not try to extend that debate, but we do need to come together on what those definitions are because what we have seen in the US is that 33 states have a specific piece of legislation against spam and, to date, they have not been very effective. So, I think what we need is a set of laws that are

28

consistent and can expand beyond one country‟s jurisdiction or beyond the EU‟s jurisdiction and that is something that is very important as we try to create a solution to this problem. The other important point I would like to make is that spammers are very dynamic. They make money. So, what we absolutely have to realise is that what we do today we cannot stop. We need to continue to evolve what we will do to combat this problem because spammers will adapt, they will change and we will need to deal with it on an ongoing basis. I would like to make a couple of other comments specifically to some things that were talked about earlier. One of the biggest issues is, who should bear the burden and the cost of paying for or eliminating spam? When you look at that question, we are all paying for it today, whether it be in lost productivity or band-width charges at ISP level or storage. So, what we would like to propose and what we think about it is that ISPs today are investing significant amounts of money in marketing to their user base and providing for storage of spam for the bandwidth charges. In fact, because customers are so concerned and consumers are so concerned about spam, we believe that businesses and ISPs are bound to solve this problem. I deal with a large ISP and they receive in the order of roughly two billion messages a day and they were telling me that their storage costs if they had to store all of the spam for any significant period of time would be astronomical. So, what they do is delete it immediately when it is detected as spam. So, there are economic incentives for ISPs to deal with spam. Hence, I think that there is an opportunity to maximise their customer satisfaction and reduce their costs by dealing with this problem. I will tell you that every ISP I talk to understands that this is an important issue and is willing to deal with it. The next thing I would like to do is also mention one other thing as a caveat. 
I think it is important that, as we provide solutions, we cannot block legitimate mail. That is one of the biggest concerns that I have today because what I have seen is that a lot of legitimate mail is now being blocked by over-zealous filters. It is also important to note that e-mail is one of the most valuable communication tools that we have. So, as we look at this problem, we need to quickly address this root problem and what I will tell you is that, as I have looked at the solutions, I think a combination of technology, direct marketers, ISPs and strong legislation will allow us over the next three years to get this problem under control. It will not go away, but it will be under control and we will be able to use e-mail for the purpose for which it was initially intended. (Applause) CHAIRMAN: Thank you, Enrique. Last but not least, we have Steve Linford from Spamhaus and then we will take questions. Tracking down spammers STEVE LINFORD: Spamhaus is mainly concentrated on the American spam problem. We have been working in America for about the last five years because it has been mainly an American issue. This issue is only just starting in Britain, so much of the British knowledge of what is going on with spam has only been coming up in the last year to six months. The volume of e-mail that British ISPs are receiving in terms of spam intake is far less than what the Americans are doing. What we have been doing is that we started out by tracking the spammers and trying to find out who they are, what sort of operations they have and how to shut their operations down.
This has led us to put up two databases that we have built in the last couple of years. The first one we set up in 1998, a database called ROKSO which is the Register of Known Spam Operations. ROKSO lists 200 of the main spam outfits in the world. We used to say that the figure was 140, but that went up and we had to revise it to 150, 160 but we are up to 200 now and, by the time I get back to the office, it will be at 201. These are the main spammers that most of us know. Basically, 90 per cent of the spam that we are all receiving that we can track in some way back to a website or back to a phone number or back to an origin comes from one of these 200 spam outfits. It is these guys who are sending the vast majority of the stuff. Everything that they are not sending is just being sent by small marketing firms and small companies just spamming and really just testing the waters. These guys are professional fraudsters. They have been at it for years. They have been thrown off ISP after ISP after ISP. The entry criterion for the ROKSO database is that the spammer has to have been thrown off three consecutive ISPs for spamming before we actually list them on ROKSO. This allows us to get these guys and really you have to be a really professional spammer to be on ROKSO in the first place. The use that ROKSO is being put to: the FTC uses ROKSO to bring cases against spammers; large ISPs in the States such as Verio, one of the world's largest hosting companies, use ROKSO on their sales desks, so that when they get a call from a customer who sounds dodgy asking for a large line for a short period of time, they just tap the information into ROKSO and see if it is one of the known spammers. Verio rejects quite a lot of business based on ROKSO listings. Because of this, we are in the frontline.

We identify the spammers, we track them back, we find their names, we find their addresses and we find out where they are and how the operations are working and we have a team of 12 investigators doing this and we dig up everything including their criminal records, everything that a judge could possibly use against these guys. That puts us in the frontline, so we get a lot of threats from them and we get a lot of law suits. We are sued by them on a pretty regular basis in the States under free speech laws and other things like that. On top of ROKSO, we have built a blocking list called the Spamhaus Block List; it is known as the SBL. We have now just over 140 million users of this block list and basically we block the origin of the spammers, basically the spam sources. We block every IP block that these spammers own. These are all professional gangs; they own their own networks; they own their own IP addresses and we block wherever they are and because they are on ROKSO, we preempt them and we block them wherever they move to. So, the next ISP that they move to, we block that the moment they get there and even before they start spamming. This system is very, very effective and is used by a lot of the main, large American ISP users and by a lot of American Government and the military - the US Navy for example uses it. Here in the UK, it is used by a few health authorities and a couple of police authorities. It is very effective at blocking the spam from the known spammers, basically the static spam coming in, but it is useless against spam from open proxies, open relays and everything else like that. It is one part of a solution, one technical part of a solution that needs to go together with other parts. The way we track spammers down is from the domains that are in spam, the IP addresses that spams are coming from and the IP addresses that domains lead to, who is providing the DNS service and things like that. We track them initially just to individuals.

We then find out who the individuals are, what their names are and things go on from there. So, we do not elevate the status. Once we have a record that they have been thrown off three ISPs, we then put them on to ROKSO. Some of you will be familiar with most of the names, people like Alan Ralsky, Ronnie Scelson, Scott Richter and Eddie Marin. These are all professionals; they have criminal records as long as your arm and they have no intention of stopping spamming whatever the law does. So, whatever the law says about you cannot spam, these guys are set up as operations to do this. They have a typical operation. Alan Ralsky's or Ronnie Scelson's operations are about 16/20 servers just pumping spam 24 hours a day to huge, huge lists. So, every one of these spammers on the ROKSO list is sending a minimum of 50 million spams a day. Many of them are saying that they do a lot more, but we do not believe them because we know what sort of lines they have and we know what they can get through, so we know that they are exaggerating a bit on that. The volume of spam that they are doing is what they can get out through deceptive means. Basically, through open proxies, they can only get a certain volume out, so they can only spam out through various places. They can only use loopholes in the current mailing system such as exploits such as open proxies, open relays and things like that. They have a lot of difficulty spamming directly from their own space because we block them and our blocking system does not absorb the message. The SBL is a failsafe blocking system in that we reject the message instantly. So, the moment that we know that this message is coming from this IP address, we know that the address belongs to a spammer and the message is rejected and the message is bounced straight back, so the sender is always told what has happened to their message. So, no message ever goes into the trash with our system; it is always bounced back at the spammer. This makes the spammers very angry at us because, when they are using their spamware, all they see is, “Blocked by Spamhaus”, “Blocked by Spamhaus” and “Blocked by Spamhaus”. They get on the phone; we pick up the phone and we are told that we are going to be killed, that we are going to have our throats cut and all this kind of stuff.
A lot of these guys have a lot riding on this, so they put a lot of money into their spam operations and they are not going to give up very easily at all, so we need laws that criminalise them under racketeering types of laws. In Australia, some of the Australian porn outfits starting up are actually part of the Australian Mafia. So, the whole spamming scene is going more criminal all the time and the criminal element is getting bigger and bigger within the spam scene. Most of the spam that everyone is seeing now, that Brightmail is seeing and that (?) is seeing and all the other filtering companies are seeing is coming through open proxies all over the place and it is mainly advertising sites in places like China or South America. So, most of these spammers are on the run from the FTC already. They have already set up all over Beijing; about 100 of the American spammers are set up in the various suburbs of Beijing - not them physically, they are all still mostly in Florida but all their servers are based in various parts of China. This problem is one that we are having a particularly hard time with because a spammer can offer a small Chinese ISP $400 a day to host his spam site and, to a small Chinese ISP, that is a year's wages or so. So, it is very, very difficult to get these guys off. They have already gone out of America and what all of these spammers say is that, if spamming is made illegal, they will all go to China or to South America or Russia. So, there is not very much choice. Currently, the only thing that unites all of these spammers is that they all support the Direct Marketing Association. They have an absolute support for what the Direct Marketing Association does. They all support the Bill that is currently going through Congress. Every spammer thinks that the current Bills going through the United States Congress are great because they allow spammers, which is exactly what these spammers always wanted.

With these Bills, they will not have to hide any more, they will just be able to spam. So, they will not need to spam out through open proxies, hide themselves and only get out these small volumes of 50 million to 100 million a day. Once legislation goes through the United States Senate legalising opt-out spamming, which is what is going through at the moment, with the Can Spam Act and the Reduce Spam Act, these spammers will all go legit, they will all be out in the open, so they will all take their 15/20 servers and escalate that to 100/200 servers because that is exactly what they want. They all want the US Government to pass an opt-out law to force consumers to opt out of their spam lists. In Europe, we need to try and avoid this. We at Spamhaus think that the United States is going to make this mistake and actually legalise opt-out without realising the consequences. The United States has already held meetings with a number of spammers including Ronnie Scelson who is one of the biggest and he has told them that he fully supports what they are doing, he fully supports the law going through Congress. He would love them to put these laws through. That should have been ringing alarm bells for the United States Congress, but they seem to be going ahead anyway with these two main laws that are terrible. They will legalise spamming and the worst possible thing that you can do is to legalise it. There is no option but to ban spamming. We cannot possibly try and regulate it which is what the Americans are trying to do. We think that the European law as proposed is very good. It is a very good legal solution to the problem. It does need confirmation, but we do need to know that opt-in is not just opt-in. It does need to be confirmed opt-in because otherwise I can go on a website and sign in as “PresidentofWhiteHouse.Gov” and he is opted in. We do have to have confirmed opt-in, what we call closed-loop opt-in. The off-shore problem that we are trying to deal with is that we are dealing with China Telecom, which is the main problem here, the main spam problem, with all the websites being put through at the moment being in China.
We have managed to get China Telecom to implement terms and conditions across a lot of the Chinanet ISPs which has been quite a battle over the last two years, but they have now been coming up and starting to put some regulations in place to get the spammers off, but they are looking at what Europe is doing and what America is doing and they will basically want to follow us, they will want to follow what Europe or America is doing. We are pretty sure that America is going to have an opt-out law by some time either late this year or at the beginning of next year, but they are going to make the mistake in going opt-out and we think that the Chinese Government will then bring in a Chinese law allowing opt-out as well and that will be a total disaster. If America does go for an opt-out law, we think that the spam problem will just go through the roof. It will literally explode with not just these 200 gangs that we have at the moment, but it literally opens the door for 23 million smaller US businesses: “You can all now spam. Just do not use deceptive subject lines and provide an opt-out.” So, the volume of spam that the businesses would start sending if this were legalised would be absolutely huge. As most of you will have seen in the current spam that you get or the spam that you have had in the last two years, at the bottom of the spam, spammers will often say, “This spam is legal under US Senate Bill 1618", which is a fake Bill; it went through Congress but got shot down. The spammers loved it. It is exactly what the Can Spam Act is at the moment and the other Acts going through US Congress. The spammers quote this Bill at the bottom of all their spams to try and intimidate users into thinking that spamming is legal and that they should not complain.

So, they are really backing anything that can legitimise spam, which is any type of law that says, “You can spam, just do this or that, just put ADV, or do not sell a defective product.” What we are trying to say is that we see spam as unsolicited bulk e-mail and anything else apart from unsolicited bulk e-mail is a subset of spam. So, unsolicited bulk e-mail with a fraudulent header and selling a deceptive product and with porn in it is a subset of spam. Spam is bulk e-mail.
We need that ban and, once we have unsolicited bulk e-mail banned, we will drive these 200 or so underground. There will be a lot more but we will drive them all underground. Underground, we can mop them up with the technology that we have. We can mop them up with the block lists, with filtering systems, with the Brightmail-type systems and with the MessageLabs-type systems. So, we have the technology to be able to do it and we just need the legislators to drive these guys off any type of legitimate spamming platform. Thank you very much. (Applause)

CHAIRMAN: We will take questions for the last two speakers and then we will take general questions.

DAN REVENICK (Trinity College, Dublin): I must say that I have not heard the solution which I think is really going to work and that is to change the pricing model. I really do not believe that we can hunt these people down because they are so mobile, they move from one place to another. We could change the pricing model of the Internet whereby it costs you money to send out an e-mail and those who are sending out 50 million a day would have a big bill to pay. Those organisations such as the one that I am associated with send out 10,000 a month and that is fine, we can meet that bill and we would be pleased to pay for that if it stopped the traffic.

CHARLES ARTHUR (The Independent): My question is for Enrique Salem which is that I am amazed by his comments that he thinks we could evolve and adapt to spam, especially after what Steve said which I was going to say anyway. If you consider the parallel of viruses, no one gets paid to write a virus compared to quite a few years ago and, has the number of viruses gone down? No. Are there lots of companies which offer virus filtering? Yes and they are doing quite well. I do not see how evolving and adapting which is a reactive process can keep ahead of something. In evolution, one tends to find that something that has evolved and adapted simply reaches a natural level.

You need something like the dinosaurs being wiped out by an asteroid! You need something hitting with an impact of that size. If you change the situation, you open up ways for something else to happen. My question is, what actual big change is going to happen - and I will put this to Steve as well - that will actually make this problem really disappear?

MONICA SEELEY (Co-author of the recent book, Managing in the E-mail Office): My question is partly addressed to Enrique. I was interested to hear you talk about best practice for marketing. I think this is part - and this is partly an observation and partly a question - of the jigsaw missing. One of the problems that I see is lack of best practice across users, lack of encouragement to get users to recognise what is spam and how to co-operate with their IT department to address it. I suggest that is one of the reasons why the Nigerian scam took so long because there was no single body of users identifying it. My question is, how important is it for businesses to take charge and have an e-mail best-practice policy at corporate level and what sorts of things can be done to encourage them if it is deemed to be important?

ENRIQUE SALEM: The first question was really around the pricing model and speaking to the notion that we should go ahead and charge for e-mail. That is possible and you could build the infrastructure to do that but again you would have to change the infrastructure to make that happen. What I will tell you is that when e-mail was initially developed, the idea was that we would all send e-mails to each other. I think that if you want to shift the cost burden to end users, you could go with that solution, but I do not want to under-estimate that that would require an upgrade to the e-mail infrastructure to allow us to do the billing. Again, I just use a parallel. In the US, we tried to move to high-definition TV. Every year, we have been trying to move to high-definition TV and getting to that point is non-trivial. Upgrading e-mail infrastructure is non-trivial and we can do it, but it will take a minimum of five to ten years. To put in a billing mechanism, that would be a potential way to go. Let me comment on the second question. We have seen viruses and I just spent ten years working for the Symantec Corporation where I ran an anti-virus business. Basically, what I would tell you is that the solution again that we are proposing is the foundation of filtering, but also the ability to identify who is legitimate because, if the legitimate mailers are willing to be identified, then all the other folk Steve mentioned who are sending bulk suddenly start coming out into the spotlight and then those folk end up in another folder and individuals can decide what to do with that whole folder. So, again, the point I am trying to make on the solution is, filter better, which we will improve, and also work to identify legitimate mailers is what we are proposing.

STEVE LINFORD: We have a slightly different take on it in that we already know who is sending the bad bulk and who is sending the good bulk. Basically, we do not list people who are normal marketing firms sending opt-ins; they never appear on our systems at all and we never block them. So, there are a number of large major firms sending millions and millions and millions of messages and they never appear on our radar at all. As far as we are concerned, the only people causing all of the problem are the ones we have already identified, the ones belonging to the ROKSO database. So, we have already identified that the bulk problem is there, that that is where all the problem is coming from, so we do not really need another method to do it. If any of the large mailing firms start to get dirty lists and start to send to bad addresses or clearly harvested addresses or start hitting our spam traps or things like that, we immediately know that there is a problem there.
In our case, we would just go and talk to them and say, “You have to clean that up.” We already do not discriminate against them. We know from all the volumes of mail coming in that this is fine, this is legitimate mail, legitimate bulk mail. It is the ROKSO crowd that we have to stop.

CHAIRMAN: Do you have a solution for the asteroid?

STEVE LINFORD: The solution is that it has to be legislative first, we have to ban spam first, and then we can mop it up with technology. That technology would be that we would suggest using blocking lists, first in line, filtering systems, second in line and so forth. Basically, any system that can be put up to block spam is good for us.

ENRIQUE SALEM: I think the important point is that you want to be careful about blocking legitimate mail because a lot of legitimate mail is being blocked. I think that is one of the biggest issues that does need to be solved. We can say that it is not an issue but we know that it is.

JIM HALPERT: There were some questions about correctly identifying the bad spammers from ordinary people who are e-mailing you and Steve has a system in place that is better than many others but, in terms of this question that we should ban spam, there are 200 people to whom Steve has alluded and what they are doing is already illegal. We can ban spam in the US and the EU and those people will keep doing what they are doing. We will not answer this question by simply having an opt-in law and saying that that is the law. These are very sophisticated people and what needs to happen is what I think will happen in the United States, not necessarily as you heard as an opt-out rule, is to have very strong enforcement measures against these sort of 200 people. Their e-mail will not be blocked unless they hide their identity and hiding their identity will be criminal. So, in fact the bad scenario you have just heard will not come about because the techniques that these people use will be severely penalised and they will no longer be able to live in Boca Raton, Florida. If they choose to leave the countries they are living in and move some place else very quickly, that would be the way in which they do business and the fact that they hire somebody in Beijing to host their websites or handle their mail would be irrelevant for the purposes of US and we hope EU law as well and we will be able to bring these people to justice because they are active criminals and, to the extent that they are dealt with in that way, the same problem will not go away because other people will step up and do this activity from other parts of the world but these people who have been annoying all of us so much and sending some harmless stuff will either have to move where life is less comfortable or stop doing what they are doing or go to jail.

QUESTION: I would like to take things away slightly from the 200 occupants of Boca Raton and mention something that is starting to bother me about what I am hearing. I am hearing people like John Carr worrying about the child pornography and the offensive spam and, yes, it is offensive and, if it is child pornography, it is illegal, but I am also hearing people talking about the legitimate marketing messages. The legitimate marketing message is the one I do not get. It is all spam; it is all equally bad; it all needs to be stopped. Can we please concentrate on getting rid of spam, all of it.

PHILIPPE GERARD: I want to make a point on the different sorts of legislation. We have an opt-in system that we believe is very useful. We all know it is not the entire solution; we know that we need technical solutions as well; we need continual awareness etc. At the same time, legislation and good legislation is needed and an opt-in system makes it easier to enforce that. You know who consented to getting messages. Then it is easy to implement.
This includes the international level by the way because if you have several lists that you have to consult every one month or two months, how do you manage that at global level? If you know which individual has consented to get e-mails, that is another story. It is much easier. With regard to spam, what kind of spam? We do not ask the question in Europe and you will not have that question in the UK as to what is good spam or what is bad spam. Spam is just unsolicited commercial e-mail. It is like many other things. You can use your mobile phone normally and you can also have different entries at the same time. Let us not mix up the different issues. Spam is also many different things, but what we have talked about this morning, both Enrique Salem and myself have spoken about, is spam in general. I get normal spam. Do you want to get that? I think the choice you made is that you do not want to get that and industry must, I think, agree to step up the system as to how to collect data and say, “Okay, can I have your consent?” Maybe this would be less long in the short term but at the same time we will have singled out the bad guys and the good guys and then we can at least try to find the path.

JOHN LANE: Mr Halpert from the States talked about strong enforcement measures and I was wondering whether there was any political will on either side of the Atlantic to say, “Let's identify these people; let's actually go after their assets and take these and use that in the fight against this problem” in much the same way as 10 years ago when people said, “How can we deal with drug dealing? It is escalating.” One of the answers was to actually fund the fight against drug dealing by taking the assets. Is there any political will to say that we are serious about going after this and we will fund the enforcement and we will allow people to take away the profit these people make by being a bloody nuisance to the rest of us?

CHAIRMAN: In the end, sadly, that is a Home Office issue and we do not have a Home Office Minister here, but somebody from Microsoft is here. Would they like to comment as to what they are doing? In the sense that politicians are not doing anything at the moment but I know that Microsoft have made a decision to go after, so I wonder if they could just say something about what they are doing and what their intention is.

ALISON GRAHAM (Microsoft): It is absolutely our intention to legislate enforcements against spammers. Our first move as I think you saw last week when we talked in the press about it was to pursue people who we felt were legitimate spammers. It is still in progress, it is not yet decided, but I actually think that this is an aspect that other people in the industry could collaborate with and it is completely our view that we should carry on doing this and put resources into that sort of aspect.

QUESTION: We take the view that the directive as it stands at the moment is not really doing enough to address the problem in terms of industry level, big industry particularly in the UK, because we do not think it is going far enough, it is concentrating far too much on the media.

QUESTION: Two points have been missed in the last few minutes which I feel need to be put on the table and possibly see if others want to comment. First of all, the point from the Irish university that charging for spam would help. Absolutely not. If you charge for spam, spammers will do what they do already which is dump those costs onto the innocent users from whom they are already stealing service. This point perhaps has not been fully understood. People who have their own Internet connectivity and in some parts of the world pay by the byte and not by a flat rate as we do are being expected to meet the costs of other people dumping spam on their machines. New Zealand is a particularly good example where everything is metered by the byte or kilobyte and that is why there has been such a strong reaction from users in New Zealand. It was after all the home of one of the first ever blocking lists, now sadly no longer with us but there are replacements.
Please do not propose charging as a solution because they have already got round that. Secondly, a specific point of Charles Arthur‟s who said that nobody has been paid to create a virus. Sorry, Charles, you have missed the point here. Jean, Zobic, A, B, C, D are we up to E yet? All of those were written and paid for in order to allow machines to be compromised for third-party spam to be sent through them. Those viruses were funded by spammers. There is absolutely no doubt on that point. (Applause) DAVE BRUNSWICK: I have a question regarding the EU Directive, particularly the opt-in nature. Is there any burden of proof on the sender of the unsolicited message to show where and when the opt-in happens because, without that, as a sender, you can claim that, yes, they opted in somewhere but I do not think they can prove where it was. STEVE LINFORD: Another issue on the subject of opt-in is that all the present spammers all claim they are doing opt-in, every single one. Every spammer now doing 50 million a day will absolutely swear that they are all opt-in and, if you ask any of these spammers to prove that, they will simply run up an Excel file showing random IP addresses, random dates and random times and say, “Look, you opted in then.” The consumer has no way of proving this. It is vital that the onus of proof has to be on the bulk mailer. The bulk mailer has to be the person responsible for proving that the end user opted in by being able to show the opt-in request from the end user. That can only happen if you confirm the mailing. Basically, when a user subscribes to a website, they must get a confirmation e-mail back, to which they have to reply because otherwise, as I said, I can subscribe as “PresidentoftheWhiteHouse.Gov and he is suddenly on the spam list.
This system would stop that, in that PresidentoftheWhiteHouse.Gov would get a confirmation request: "Did you want to sign up to this list? Just reply to it." If he does not reply to it, he has not subscribed to it. If he does reply to it, he has subscribed. If he does reply to it, he has wilfully asked to be on that list, and that is permission-based marketing.

QUESTION: Spam is getting bigger and is more of a problem, and my question is, why? Why is spam increasing so much?

STEVE LINFORD: Basically, most of the spammers are working on one sale per million, and that is all they need. One bottle of Viagra or anything they are selling, they are making $10/$20 commission on the sale, and they are sending 50 million spams a day, and that is 50 sales guaranteed every day and, for that, they have to do nothing at all. It is almost free to send as much spam as you want. So, these guys just send more and more and more.

QUESTION (Brian Thompsett, University of Hull): There are a couple of points that I would like to make; they are not really questions. (Inaudible) We heard the foundations of some of that from what John Carr said in his presentation that he is now making with Carol Vorderman elsewhere. The important point he is making is that products sold to consumers must be appropriate for use by consumers. If it were any other product than a software product, some of it would be ruled unsafe. Computers as sold domestically need to be rendered safe for the users they are intended for, and some of the broadband services need to be rendered safe for the people they are being sold to. Why is there not a bigger upsurge? Simply because of those two points, the vast numbers of insecure machines being plugged in all over the first, second and third world? The last point I would like to raise is about prosecution. I did a lot of research into forensics. All of these issues make it very hard for those doing forensics to gain the evidence to prosecute people who really commit the serious crimes, who we would like to send to jail, and spammers are getting in the way, and all those issues are getting in the way, and we need to do something about it, and we need to do something now, and I thank John Carr for his initiative.

CHAIRMAN: We have a light lunch if you can stay. We have done really well so far. Not many of us can stay three hours and listen to other people. We always like to do the speaking. Can I just wind up? They are not going away; they will be next door if you want to talk to them. First of all, can I thank our sponsors. I forgot to say that Aungate are now part of Autonomy, a small British company from Cambridge, and Brightmail, who have been very generous to enable this debate. If you have not put your e-mail address on one of these sheets, give a business card to Anna. Is anybody going to the Information Society thing in Geneva? We need to go. I am just trying to see if anyone was going already. Lastly, before you go, these things would not happen without a hell of a lot of hard work from two sets of people. Dot Hodge and her team have put this together; I think she has now left, but would you give her a round of applause, please. (Applause) I would personally like to thank my own team, who have also done a hell of a lot for me, so thanks to them. (Applause) Thank you all, too.

(The APIG Summit concluded at 12.47 p.m.)