
Europe drags heels in war on spam

Legal review


Infosecurity Europe 2004 The shortcomings of Europe's war against spam are highlighted in a study of anti-spam legislation published today.

The Institute for Information Law (IViR) of the University of Amsterdam and security firm Sybari Software looked into the law regulating unsolicited commercial email (i.e. spam) in the EU. Special emphasis was placed on the EU's July 2002 Directive on Privacy and Electronic Communications.

Their report reveals weak spots in the implementation and enforcement of anti-spam legislation. For example, interpretation of a number of important aspects of the Directive is left to individual countries. So spamming is a criminal offence in Italy - but not in the UK.

Meanwhile, many countries have dragged their heels on implementing EU rules. The European Commission has issued warnings to eight countries - Belgium, Germany, Greece, France, Luxembourg, the Netherlands, Portugal and Finland - for not implementing the directive in time.

The IViR study tried to identify potential liabilities for ISPs and businesses arising as a result of obligations under the directive.

It notes that the Directive "fails to introduce a strong right" for users to object to their ISPs about deficiencies in spam filtering. The Directive also places extra responsibilities on employers, while giving little in return. Organisations have a duty to protect employees against receiving pornographic email. Businesses also risk being held responsible if rogue employees send out spam from a corporate account. But the directive only prohibits spamming individuals and not the email boxes of businesses.

Jeux sans frontieres

Even if European legislation were perfectly framed and widely enforced, it could do little to reduce the volume of spam. This is because most spam originates from outside Europe. EU rules harmonise opt-in rules for the dispatch of commercial email across Europe, but unless an international approach is adopted this regime is "rendered meaningless", the IViR concludes.

The IViR study also looked at how consumers and businesses can still use other parts of the law to fight spam. Trespass to chattel can be used by providers to refuse spammers access to their networks. Civil law tort could be relevant in some cases. European Commission law prohibiting unsolicited communication without prior consent is complemented by civil law liabilities in individual member states.

Many of the shortcomings of EU anti-spam law were predicted in advance by anti-spam activists like Steve Linford of Spamhaus, and ignored by politicians.

Lodewijk Asscher, head of research at the IViR, agreed with this assessment but nonetheless remains resolutely upbeat about Europe's anti-spam laws. "All in all, the new anti-spam regime is a useful step forward," he said. "However, it is only a first step and it should be followed up by a stronger pan-European guarantee for efficient complaint mechanisms, serious enforcement tools, effective international cooperation and education on the ways to protect oneself from spam."

The complete 80-page study, conclusions and recommendations can be found here.

Are you drowning under spam?

In addition to the legal study, Sybari Software and the IViR conducted a survey of IT pros in 180 companies from 12 European countries into their experiences with spam. The survey also looked at the attitudes towards spam of technology professionals, system administrators and IT decision makers.

The vast majority of those surveyed (82 per cent) said that their government had so far failed to communicate local spam law changes to their organisation. More than half (56 per cent) rejected the idea that their organisation should have any legal responsibility to protect employees from obscene, pornographic or offensive emails.

More than one in four (29 per cent) of the companies polled said they have stopped sending unsolicited commercial email out to non-clients at some time in the last five months. The survey fails to shed any light on how many organisations carried out this questionable business practice before the directive came out.

Respondents estimate that spam costs their organisation €300 per employee, per year in wasted time, administration costs, wasted bandwidth and squandered IT resources.

Troy Swanson, an anti-spam analyst at Sybari Software, said the survey showed many organisations are unclear about local spam legislation and responsibilities. "The survey results are quite alarming considering that they are the opinions of the people that are most entrenched in the spam issue - corporate messaging professionals." ®
