
Chapter 4 The CAN-SPAM Act

4.9 Conclusion

The U.S. has tried to fight spammers in every way it can. However, enforcement of the law has not been as effective as expected. In my opinion:

(a) Many spammers moved their bases to other countries after the enactment of the CAN-SPAM Act, thereby avoiding regulation under it.

(b) The purpose of adopting the National Do Not Email Registry is good, but if we cannot develop an effective way to trace spammers, they may use the lists to send commercial emails to consumers. Such a registry is criticized by the FTC’s report above and by many scholars.

(c) It is easier to trace outsourcing companies than spammers; therefore, enforcement is more likely to punish outsourcing companies than spammers.

(d) Since the U.S. adopted the opt-out system, spammers can continue sending commercial emails without explicit rejection. Compared with the opt-in system adopted by the EU, it is relatively less effective.

(e) In order to regulate spam effectively, the scope of the CAN-SPAM Act should not only pertain to commercial emails but also include political or religious emails.

(f) Private persons cannot bring suits against spammers under the CAN-SPAM Act, so they have to use state law to claim damages. However, because state laws vary, a private person usually is not aware of his/her rights under state law.

Chapter 5 The Spam Solution of EU

71 WAOAG: Selis, 15. The Commission’s spam cases routinely require the issuance of numerous CIDs.

72 VAOAG: Mcguire, 5-11

5.1 The Attitude of the EU

The EU tries to regulate spam because it affects the fundamental rights of individuals. Spammers not only obtain personal information and email addresses illegally but also make it impossible for individuals to control the flow of information into their inboxes.73 Moreover, spam transmits pornography and viruses via the Internet.

The EU is aware that laws alone are not enough to solve the spam problem. Spam may be regulated through the cooperation of law and technology. Therefore, EU law aims at two objectives: to reduce the amount of spam and to guarantee the individual’s control over personal information and contacts.74

5.2 From opt-out to opt-in

The early thinking of the EU was to protect its citizens and consumers from “high-pressure selling methods”75 and “certain particularly intrusive means of communication.”76 Spam was therefore governed by some Directives that are not specific to electronic communication.

Though EU Directive 95/46/EC (Framework Data Protection Directive) is not specific to electronic communication, some provisions regarding the processing of personal information consider email addresses to be personal data.77 Therefore, the Directive applies to the processing of emails. Among other things, freely given, informed, specific and unambiguous consent must be provided by the addressee before the address is collected.78 Collectors of email addresses must specify the explicit and legitimate purpose of collection.79 If someone collects email addresses from public Internet places such as websites, chat rooms, newsgroups and so on, he/she has violated the above Directive.

The above Directive indirectly protects the use of email accounts. EU Directive 97/7/EC (Distance Contracts Directive) tries to regulate the transmission of emails. However, unlike transmission by automated calling systems and facsimile machines, which requires prior consent of the receiver,80 other means of communication such as email may be used where there is no clear objection from the consumer.81 The Directive does not define the meaning of “clear objection”.

73 European Union vs. Spam: A legal response, Nicola Lugaresi. Trento University, Law School.

74 Id. at 1.

75 Recital 5, Dir. 97/7/EC.

76 Recital 17, Dir. 97/7/EC.

77 Article 2(a), Dir. 95/46/EC.

78 Article 2(a) and 2(h), Dir. 95/46/EC.

79 Article 6(b), 10 and 11, Dir. 95/46/EC.

Similarly, Directive 97/66/EC (Telecommunication Sector Privacy Directive) confirms the opt-in rule only with regard to automated calling systems or fax machines for the purposes of direct marketing.82 After that, EU Directive 2000/31/EC (Electronic Commerce Directive) confirms that member states could adopt the opt-in system for unsolicited commercial communications by electronic mail.83 Finally, Directive 2002/58/EC (Electronic Communications Privacy Directive) confirms that prior consent given by consumers is required when sending unsolicited commercial email.84

5.3 The Introduction of EU Directive 2002/58/EC (Electronic Communications Privacy Directive)

Article 13 of EU Directive 2002/58/EC (“Directive 2002”) defines spam as “electronic mail for the purposes of direct marketing.”85 The term “electronic mail” covers any electronic communication including email, SMS, MMS and so on.86 Since the 2002 Directive does not define “SPAM” as unsolicited commercial email sent in bulk, sending a single commercial email for marketing purposes could be deemed “SPAM” under Article 13 of the 2002 Directive.

Under an opt-in system, it is illegal to send commercial emails to consumers without their prior consent. However, some provisions provide exemptions from this prohibition. For example, senders may send information regarding similar products or services to the same email account.87 Nevertheless, recipients still should be given the opportunity to object to the emails, as they are given in the opt-out system.88 An issue could occur if such an email account is provided by a company or a family. In this situation, the prior consent must be given by the representative, not the actual user.89

80 Article 10(1), Dir. 97/7/EC.

81 Article 10(2), Dir. 97/7/EC.

82 Article 12(1), Dir. 97/66/EC.

83 Article 7(2) and recital 14, Dir. 2000/31/EC.

84 DPWP, Opinion 7/2000, § 2, comment to article 3.

85 Article 13, Dir. 2002/31/EC.

86 DPWP, Opinion 5/2004, § 3.1.

87 Article 13(2), Dir. 2002/58/EC.

Article 13(4) of the 2002 Directive prohibits the practice of sending electronic mail while concealing the identity of the sender, or without a valid address at which the recipient can opt out.90 However, the opt-in system only applies to natural persons.91 Since Directive 2002 only requires that Member States provide sufficient protection of natural persons from spam,92 the Member States are free to adopt either the opt-in or the opt-out system for legal persons. Such a distinction between natural and legal persons makes law enforcement more difficult. It is hard for senders to identify whether an email account belongs to a natural person or a legal person. A better way is to require Member States to comply with the opt-in system regardless of whether the recipient is a natural person or a legal person.

Directive 2002 also encourages industry filtering initiatives, through email system arrangements that allow recipients to view the sender and subject line of an email and to delete messages without having to download the contents or attachments,93 for example, with an “ADV” label in the subject line.94 Note that without prior consent from consumers, sending such email is not legal even if it is labeled “ADV”.

Like the Do Not Email Registry in the United States, an opt-out registry is considered under Directive 2002; however, it carries the same risk of infringing on the registrants’ privacy.

88 Recital 41 Dir. 2002/58/EC.

89 Article 2(k), Dir. 2002/21/EC.

90 Article 13 (4), Dir. 2002/58/EC.

91 Article 13 (5), Dir. 2002/58/EC.

92 Id.

93 Recital 20 Dir. 2002/31/EC.

94 Article 7, Dir. 2000/31/EC.

Chapter 6 The Result of OECD on Spam and International Cooperation-The London Action Plan

Since every country tries to enact the relevant spam regulations, the OECD has put more emphasis on the spam issue gradually. The OECD held a meeting in October 2005. During this meeting, the OECD not only tried to establish a set of regulations to assist every country on the SPAM issue but also examined the existing spam regulations of every country. Moreover, the OECD wished to figure out a solution for cross-border cooperation on the spam issue.95

6.1 Redefine the Contents of Spam

The definition of spam varies in different countries. Some countries focus on a particular messaging medium such as email. Others take a technology-neutral approach that provides an overarching statement of principles that is more broadly applicable. The OECD recognized that spam has some of the following characteristics:

(a) Commercial: the majority of spam is sent in order to acquire a profit.

(b) Bulk: a common perception of spam is that it is sent or received in bulk. Spamhaus, an international anti-spam advocate, has estimated that more than 80% of the world’s spam originates from 200 spam organizations. From this estimate, it is not difficult to trace the origin of spam.

(c) Misleading, pornographic or criminal content: there are obvious community and regulatory agency concerns with the illicit content of a considerable amount of spam, including spam that promotes pornography, illegal online gambling services and get-rich-quick schemes. Such content will affect minors’ physical and mental state. Therefore, many regulators, such as those in the EU, criminalize this type of spam under existing laws.

Given the above, the OECD recognizes that spam can be transmitted by email, instant messaging, SMS, MMS, VOIP and Bluetooth.96

6.2 Set Anti-spam Regulation

95 Task Force on SPAM. Anti-SPAM Regulation, Directorate for science, technology and industry committee on consumer policy, committee for information, computer and communication policy, Organization for Economic Co-operation and Development, Nov. 15, 2005.

96 Id. at 5.

The OECD points out that legislation alone will not stop potential spammers from taking advantage of this marketing technique. Legislators must cooperate with certain effective filtering programs and ISPs to actively filter such undesirable content.

6.3 Spam Issue in Developing Countries

The OECD also notes that spam is a much more serious issue in developing countries than in OECD countries. ISPs and network providers in developing countries lack the capacity and resources (for example, to purchase authorized software) to deal with the sudden surges of spam that occur from time to time, and this often causes their mail servers to break down or function at a sub-optimal level. Similarly, end users, including consumers and businesses, also lack the knowledge to take effective action against spam.97 The OECD has tried to estimate the cost of filtering spam borne by ISPs. Its research cites Outblaze Limited, a large webmail provider based in Hong Kong and China that has over 40 million users around the world. The costs presented below are for filtering spam on just one of its mail server clusters:

● Bandwidth costs USD 600 per month.

● Bandwidth consumption for mail is 70MB.

● 80% of incoming mail will be rejected as spam.

● 15% of spam passes filters.

● Monthly bandwidth cost of spam is USD 6300.

● Monthly storage cost of spam is USD 5400.

● Monthly salary expenses for mail administrators are USD 75,000.

● The total amount of the above costs is almost 10% of one ISP bill.98

ISPs in developing economies like India, which has more bandwidth and adequate data centre facilities, may find themselves infested by spammer customers, not just local spammers, but also spammers from the U.S. and the EU who shift their bases to developing countries.

The reasons why the OECD concludes it is hard to integrate developing countries are as follows:

(1) Inaccurate, outdated and incomplete “Whois”: developing countries often have only a single ISP that provides Internet and email services to the entire country. This ISP does not update the IP Whois records that it maintains in the RIR’s Whois database, nor does it maintain a publicly accessible “RWhois” database of the IP assignments made to its customers. Therefore, smaller ISPs that buy bandwidth and lease IP addresses from this ISP can only be traced to the Tier 1 ISP and no further. Consequently, the Tier 1 ISP becomes the de facto point of contact for complaints about spam. Neither the Tier 1 ISP nor its customers have a dedicated team to deal with spam issues, and they do not even maintain a postmaster or abuse account. Therefore, the resolution of such spam issues is delayed.

(2) Pink contract: some ISPs will not reject spam if the spammer is willing to pay more in administration fees.

97 Id. at 4.

98 Id. at 7.

6.4 Action Required by the Developing Economies against Spam:

The OECD provides some solutions to assist the developing countries as follows:

(a) Technical solutions to spam: even though ISPs in the developing countries cannot afford licensed filtering software, such ISPs can use Free/Libre and Open Source Software (FLOSS) such as SpamAssassin, ASSP, ClamAV and so on.

(b) Formation of CSIRTs and CERTs: teams such as Computer Security and Incident Response Teams (CSIRTs) or Computer Emergency Response Teams (CERTs) help the developing countries to form an effective and efficient response to individual computer security incidents. Also, CSIRTs or CERTs may educate and train ISP personnel and systems and network administrators to develop the best computer security practices.

(c) Anti-spam policy setting and enforcement: ISPs must have a strong anti-spam policy and make it part of the “terms and conditions of the service” that a user must sign or agree to when he signs up for the ISP’s service. The ISP may reserve the right to terminate the contract and cease to provide service to a customer who violates any part of its anti-spam policy.

(d) International co-operation: ISPs in the developing economies must integrate themselves with their peers in other economies by attending NOG meetings or using the INOC-DBA phone system, a closed VoIP phone network that directly connects different ISPs around the world. ISPs in the developing economies can thereby get more assistance.

(e) Legislative and regulatory framework: several countries have already called for the development of an international framework or the signature of a Global MOU to fight spam. However, such a framework will take a long time to complete. The developing countries may implement the relevant laws or regulations against spam or computer crimes along with adequate data protection. Moreover, the legislative measures must be backed by a well-trained, sufficiently equipped and adequately funded enforcement arm.

(f) Educating users: teach users through the media what spam is, how to protect personal information and how to fight spam.99

Besides improvements within the developing countries, the OECD and the developed countries should provide some relevant assistance.

The OECD countries have already organized the Spam Task Force to put together a “spam toolkit”, which exemplifies how to devise a spam law and refers to some existing structures. Australia signed MOUs with several countries to enable those countries to study and learn from its experience against spam. The FTC, together with the UK Office of Fair Trading (OFT), has put forward the London Action Plan to exchange experiences in enforcement techniques and so on.100

99 Id. at 17-25.

100 Id. at 28.

6.5 International Cooperation - The London Action Plan

6.5.1 Formation

On October 11, 2004, governments and public agencies from 27 countries met in London to discuss international spam enforcement cooperation. Based on the previous efforts of the OECD and OECD Spam Task Force and other international organizations,101 the participants issued this Action Plan.

The conference, hosted by the FTC and the United Kingdom’s Office of Fair Trading,102 was the first international forum to address spam enforcement issues exclusively. There were 24 participants, including Taiwan.103

6.5.2 The Content of the London Action Plan

The London Action Plan requires the members to (1) designate a point of contact for further enforcement communication; (2) encourage communication and coordination among the different agencies and designate a contact for coordinating enforcement cooperation; (3) take part in periodic conferences to discuss (a) cases; (b) legislative and law enforcement developments; (c) effective investigative techniques and enforcement strategies; (d) ways to overcome the obstacles to effective enforcement; (e) how to train their consumers and businesses; and (f) spam investigation techniques with representatives from the private sector; (4) encourage agencies and representatives from the private sector to fight spam; (5) prioritize cases based on international assistance; (6) complete the OECD Questionnaire on cross-border enforcement of anti-spam laws; and (7) encourage and support the less developed countries in spam enforcement cooperation.104

101 Such as the OECD, the International Telecommunication Union, the European Union, and the Asia-Pacific Economic Cooperative Forum.

102 FTC, International Agencies Adopt Action Plan on SPAM Enforcement, October 12, 2004.

103 Australia, Belgium, Canada, Chile, China, Denmark, Finland, Hungary, Ireland, Japan, Latvia, Lithuania, Malaysia, Mexico, Nigeria, Norway, Republic of Korea, Spain, Sweden, Switzerland, Taiwan, The Netherlands, UK, USA. Agencies including Office of Fair Trading (UK), Information Commissioner Office (UK), Federal Trade Commission (US), Australian Communications Authority, Australian Competition and Consumer Commission, Dutch Telecommunications Regulator, Korean Information Security Agency, Ministry of Economic, Trade and Industry (MERI), Ministry of Internal Affairs and Communications (Japan), Japan Fair Trade Commission, Spanish Data Protection Agency, National Consumer Service (Chile), State Secretariat for Economic Affairs (Switzerland), General Inspectorate for Consumer Protection of Hungary, Finnish Consumer Agency and Ombudsman, Norwegian Consumer Ombudsman, Swedish Consumer Protection Agency, Data Protection Commissioner (Ireland) and Communications Regulatory Authority of the Republic of Lithuania.

In order to begin the work pursuant to this Action Plan, the U.K. Office of Fair Trading and U.S. Federal Trade Commission will utilize their best efforts to (1) collect and disseminate information, including points of contact, notifications from new participants of their willingness to endorse this Action Plan; and responses to the questionnaire of the OECD; (2) set up conference calls and (3) provide a contact for further communications.105

The Action Plan provides its members with monthly information about increases and decreases in spam and viruses and submits an annual security report to its members. Its 2005 annual security report pointed out that spammers using phishing methods106 to attract victims were a major threat during 2005.107 The report predicted that 3G will become a target of spam as technology and communication develop.108

Chapter 7 The Spam Solution of Taiwan

7.1 Current Law and Regulations in Taiwan

Since spam problems are now arising, we should examine some existing laws that may help to solve them:

7.1.1 Privacy protection: first, we shall discuss whether an email account constitutes a part of the user’s personal information. According to Article 3 I (1) of the Computer-Processed Personal Data Protection Law (“CPPDP”)109, personal data means any data that can serve to identify a specific person. Given that the email account is identifiable, it is regarded as personal data.

104 The London Action Plan on International Spam Enforcement Cooperation at http://www.ftc.gov/os/2004/10/041012londonactionplan.pdf#search='london%20action%20plan, last visited on March 21, 2007.

105 Id.

106 Spam appears as though it has originated from inside the organization. Often, the perpetrator will offer a small reward in return for information and individuals who are duped into thinking the emails are legitimate often comply.

107 MessageLabs Intelligence 2005 Annual Security Report, at http://www.londonactionplan.com/files/messagelabs/MLI%202005%20report%20Final.pdf, last visited on March 22, 2007.

108 Id. at 13.

109 The terms used herein denote the following meanings: 1. Personal data: the name, date of birth, I.D. Card number, characters, fingerprints, marital, family, educational, occupational, and health status, medical history, financial conditions, social activities of a natural person and other data which can serve to identify the said specific person.

Any person who collects and uses such personal information without the owners’ consent is punishable under criminal and administrative laws.110 However, the CPPDP only applies to certain industries.111 No violation of the CPPDP will be constituted if other industries or persons collect, use or provide email accounts to third parties. Moreover, email accounts and transmission can be deemed private. The court reasoned that if employees believe that they can reasonably expect privacy in email transmission via computers owned by the employer, the email account can be deemed private.112 Therefore, if a third party disseminates emails through other persons’ email accounts without the email users’ consent, it is possible to
