Feeds

Good Spam: Bad Spam

Report from the OECD workshop floor

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

The world+dog is ganging up against spam with the US and UK governments and the European Commission this week all urging multinational co-operation and action in the fight against spam. Prompting this flurry of press release activity was a workshop convened in Brussels by the OECD to discuss ways of halting the spam tsunami. Monika Ermert attended the workshop on behalf of The Register. Here is her report.

EC Commissioner Erkki Liikanen this week issued a call to action in the "battle against spam, which we must not lose". In his opening remarks at a two-day OECD conference on Spam in Brussels, Liikanen declared that spam is a global problem that "requires global action. If we want to combat spam effectively, efforts made in the European Union and other regions of the world must be echoed by similar efforts at the international level, not only by governments but also businesses and consumers."

Co-operation, yes; but co-operation on what? The OECD conference shows all too clearly that there is a faultline in the huge international anti-spam coalition being assembled. Countries and their agencies remain divided over The Big Question: should spam be fought by opt-in or opt out?

Target-rich

Many of the spammers that the US government is prosecuting "violated 72 laws", said Hugh Stephenson from the US Federal Trade Commission (FTC). The agency has successfully brought 55 spammer cases to court, all investigated before the CAN-SPAM Act with its opt-out principle was enacted on January 1.

An FTC study showed that most spam mails are in one way or another fraudulent, by falsifying header information, disguising the sender's identity or trying to lure recipients to criminal get-rich-quick schemes. Spam prosecutions therefore, according to the FTC is such a "target-rich field", that the anti-spam fighters should go for cooperation, instead of debating legal differences.

However, many European member states see themselves as victims of the more liberal opt-out principle, even after they have implemented the opt-in regime. European member states have to transfer opt-in into national legislation in compliance with the European Data Protection Directive.

"France is more an importer of spam," said Eric Walter from the Direction for Media Development at the Office of the French President. "We do have French spammers, and we try to prevent them from growing. But our main concern is, what can we do about is English spam, which we do not know where it comes from."

At least 80 per cent of spam originates from the US, claim European representatives such as Kurt Einzinger, general secretary of Internet Service Providers Austria (ISPA). With opt-out spam, numbers still could continue to rise, warned George Mills of EuroCAUCE (European Coalition against Unsolicited Email).

"If only one per cent of the 23 million companies in the US start to play opt-out in their marketing activities European companies need to have a fulltime employee to do the opt-out procedures," he said.

Opt-In-Out

This could become even more of a nightmare scenario if one looks at the spam load conveyed by mobile operators in Asia. In Japan, 90 per cent of the spam already goes to mobile phones, the conference was told.

Philippe Gerard, presenting the European's Commission's thinking on spam, said the Community wanted to tackle all unsolicited mail, not just fraudulent spam. Only last week, the EC published a Communication to pressure member states not only to transfer the directive in national laws, but also to apply strong enforcement with financial and even criminal sanctions.

Some member states have implemented harsh fines and penal laws against spammers; in Italy, spammers can go to prison. And in Denmark last month a convicted spammer was ordered to pay a fine of €50,000, Liikanen noted. But many member states say the task to bring cases against spammers is burdensome.

The Commisson recommends that member states open email "spam boxes" to receive complaints from the public. But few have complied - they fear they will simply be swamped by the sheer mass of complaints that would flood in. (The FTC estimates that it receives 300,000 spam complaints every day.)

"Enforcement faces huge problems," says Marianne Abyhammar of the Swedish Consumer Agency. She urged co-operation within Europe and with other countries. On this point the international Anti-Spam workshop again converges. Co-operation in investigation and legal enforcement is critical according to all participants of the OECD conference.

Lindsay Barton of the Australian National Office for the Information Economy (NOIE) presented the concept of a memoradum of understanding(MoU) between his agency and the Korean Information Security Agency (KISA) - notwithstanding the fact that Australia follows the opt-in philosophy while Korea plumps for opt-out.

All other methods

Korea, with its large number of broadband customers, is viewed as a haven for spammers using servers of innocent users for their mass mailings, but has seen high fines for illegal spam. This MoU could be a model that Australia apply to other bilateral pacts in the anti-spam war. The FTC this week rallied a group of more than 30 agencies from all over the world for its Secure your Server Campaign, announced this week.

Phil Jones of the UK Information Commissioner's Office said his office was already in talks with the FTC to co-operate on spam. The Office is to enforce the new British anti-spam legislation. So far he has received dozens, rather than hundreds of complaints.

When this comes to the point where fraudulent cases are handled properly and only the issue of opt-in and opt-out remains, "we will be in a much better situation as we are right now," according to Jones After all, he says, quoting a former Israeli prime minister: "Countries behave reasonably when they have exploited all other methods." ®

Related stories

EC draws line in spam sand
EU anti-spam laws are OK
Feds seek input on spammer sentencing
CAN-SPAM means we can spam
UK anti-spam law goes live

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.