Centre for Internet & Society

This paper is divided into three sections. The first section puts forth a comparative table of the spam laws of five different countries - the United States of America, Australia, Canada, Singapore and the United Kingdom - based on eight distinct parameters- jurisdiction of the legislation, definition of ‘spam’, understanding of consent, labelling requirements, types of senders covered, entities empowered to sue, exceptions made and penalties prescribed. The second section is a brief background of the problem of spam and it attempts to establish the context in which the paper is written. The third section is a critical analysis of the laws covered in the first section. In an effort to spot the various loopholes in these laws and suggest effective alternatives, this section points out the distinctions between the various legislations and discusses briefly their respective advantages and disadvantages.

Note:- This analysis is a part of a larger attempt at formulating a model anti-spam law for India by analyzing the existing spam laws across the world.


CAN-SPAM Act, 2003

Spam Act, 2003 (Australia)

Spam Control Act, 2007 (Singapore)

Canada's Anti-Spam Legislation, 2014

The Privacy and Electronic Communications (EC Directive) Regulations, 2003

(United Kingdom)

Jurisdiction

National Jurisdiction.

The defendant must be either an inhabitant of the United States or have a physical place of business in the US.[1]

National Jurisdiction.

Must have an "Australian link" i.e.

(a) the message originates in Australia; or

(b) the individual or organisation who sent the message, or

authorised the sending of the message, is:

(i) an individual who is physically present in Australia

when the message is sent; or

(ii) an organisation whose central management and control

is in Australia when the message is sent; or

(c) the computer, server or device that is used to access the

message is located in Australia; or

(d) the relevant electronic account-holder is:

(i) an individual who is physically present in Australia

when the message is

Spam Act, 2003, § 7

Spam Control Act, 2007, § 7(2)

Canada's Anti-Spam Legislation, 2014, §accessed; or

(ii) an organisation that carries on business or activities in

Australia when the message is accessed; or

(e) if the message cannot be delivered because the relevant

electronic address does not exist-assuming that the

electronic address existed, it is reasonably likely that the

message would have been accessed using a computer, server

or device located in Australia.[2]

National Jurisdiction.

Must have a "Singapore link"

An electronic message has a Singapore link in the following circumstances:

(a) the message originates in Singapore;

(b) the sender of the message is -

(i) an individual who is physically present in Singapore when the message is sent; or

(ii) an entity whose central management and control is in Singapore when the message is sent;

© the computer, mobile telephone, server or device that is used to access the message is located in Singapore;

the recipient of the message is-

(i) an individual who is physically present in Singapore when the message is accessed; or

(ii)an entity that carries on business or activities in Singapore when the message is accessed; or

(e) if the message cannot be delivered because the relevant

electronic address has ceased to exist (assuming that the electronic address existed), it is reasonably likely that the

message would have been accessed using a computer, mobile telephone, server or device located in Singapore.[3]

Extends to cases where the mail originates in a foreign state but is accessed in Canada

Section 6 of the CASL prohibits the sending of unsolicited CEMs.[4]

As per Section 12 of the CASL, A person contravenes section 6 only if a computer system located in Canada is used to send or access the electronic message.

CASL applies to CEMs sent from, or accessed in, Canada.[5]

So, if a CEM is sent to Canadians from another jurisdiction, CASL will apply. Notably, there is an exception where the person sending the message "reasonably believes" that the message will be accessed in one of a list

of prescribed jurisdictions with anti-spam laws thought to

be 'substantially similar' to CASL and the message complies with the laws of that jurisdiction.

European Union

These regulations can be enforced against a person or a company anywhere in the European Union who violates the regulations.

Definition Of Spam

"unsolicited, commercial, electronic mail"[6], where

a commercial electronic mail is "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service"[7]

"unsolicited commercial electronic messages" where electronic message means a message sent "using an internet carriage service or any other listed carriage service; and to an electronic address in connection with: an e-mail account; or an instant messaging account; or a telephone

account; or a similar accounts."[8]

"unsolicited commercial electronic message sent in bulk", where

a CEM is unsolicited if the recipient did not-

i) request to receive the message; or

ii)consent to the receipt of the message;[9] and

CEMs shall be deemed to be sent in bulk if a person sends, causes to be sent or authorizes the sending of-

a) more than 100 messages containing the same subject matter during a 24-hour period;

b) more than 1,000 messages containing the same subject matter during a 30-day period;

c) more than 10,000 messages containing the same subject matter during a one-year period.

"unsolicited, commercial, electronic message"[10]

where, an "electronic message" means a message sent by any means of telecommunication, including a text, sound, voice or image message.[11]

These rules apply to all unsolicited direct marketing communications by automatic call machines[12], fax[13], calls[14] or e-mail[15].

Where, "direct marketing" is defined as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals"[16]

The UK used its discretion to include voice-to-voice telephone calls as well.

Consent Requirement

Opt-out

Opt-in

Opt-out

Opt-in

Opt-in

CEMs are unlawful unless the message provides-

(i)clear and conspicuous identification that the message is an advertisement or solicitation;

(ii)clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender; and

(iii) a valid physical postal address of the sender.[17]

Section 16 prohibits the sending of unsolicited commercial electronic messages. However, where a recipient has consented to the sending of the message, the said prohibition does not apply.[18]

Consent means:

(a) express consent; or

(b) consent that can reasonably be inferred from:

(i) the conduct; and

(ii) the business and other relationships;

of the individual or organisation concerned.[19]

CEMs are unlawful unless the message contains-

1 a) an electronic mail address, an Internet location address, a telephone number, a facsimile number or a postal address that the recipient may use to submit an unsubscribe request; and

b) a statement the above information may be utilized to send an unsubscribe request.

2. Where the unsolicited CEM is received by text or multimedia message sent to a mobile telephone number, the CEM must include a mobile telephone number to which the recipient may send an unsubscribe request. [20]

Under the CASL, it is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless,

(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and

(b)

The message must-

(i) set out prescribed information that identifies the person who sent the message and the person - if different - on whose behalf it is sent;

(ii) set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph

(i); and

(iii) set out an unsubscribe mechanism in accordance with subsection 11(1) of CASL.[21]

Under Section 19 , A person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system except in the circumstances where the called line is that of a subscriber who has previously notified the caller that for the time being he consents to such communications being sent by, or at the instigation of, the caller on that line.

Under Section 20 , A person shall neither transmit, nor instigate the transmission of, unsolicited communications for direct marketing purposes by means of a facsimile machine where the called line is that of an individual or a company except in the circumstances where the individual subscriber has previously notified the caller that he consents for the time being to such communications being sent by, or at the instigation of, the caller.

Under Section 21, A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line.

Under Section 22 , a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

Labelling Requirements

Warning Labels mandatory on e-mails containing pornographic content

No person may send to a protected computer, any commercial electronic mail message that includes sexually oriented material and-

(a) fail to include in subject heading for the electronic mail message the marks or notices prescribed by the law; or

(B) fail to provide that the matter in the message

that is initially viewable to the recipient, when the message is opened by any recipient and absent any further actions by the recipient, includes only-

(i) material which the recipient has consented to;

(ii) the identifier information required to be included in pursuance Section 5(5); and

(iii) Instructions on how to access, or a mechanism to access, the sexually oriented material.[22]

Not Applicable.

True e-mail title and clear identification of advertisements with "ADV" label

Every unsolicited CEM must contain-

a) where there is a subject field, a title which is not false or misleading as to the content of the message;

b) the letters "<ADV>" with a space before the title in the subject field or if there is no subject field, in the words first appearing in the message to clearly identify that the message is an advertisement;

c) header information that is not false or misleading; and

d) an accurate and functional e-mail address or telephone number by which the sender can be readily contacted.[23]

Not Applicable.

Not Applicable.

Other Banned/Restricted Activities

Illegal Access- Prohibition Against Predatory and Abusive Commercial E-Mail-

"Whoever, in or affecting interstate or foreign

commerce, knowingly-

(1) accesses a protected computer without authorization, and intentionally initiates the transmission of multiple CEMs from or through such computer,

(2) uses a protected computer to relay or retransmit multiple

CEMs, with the intent to

deceive or mislead recipients, or any Internet access service, as to the origin of such messages,

(3) materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates

the transmission of such messages,

(4) registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple

commercial electronic mail messages from any combination of such accounts or domain names, or

(5) falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses, or conspires to do so, shall be punished as provided for in the Act.[24]

Supply of address harvesting software and harvested‑address lists

"A person must not supply or offer to supply:

(a) address‑harvesting software; or

(b) a right to use address‑harvesting software; or

(c) a harvested address list; or

(d) a right to use a harvested‑address list;

to another person if:

(e) the supplier is:

(i) an individual who is physically present in Australia at the time of the supply or offer; or

(ii) a body corporate or partnership that carries on business or activities in Australia at the time of the supply or offer; or

(f) the customer is:

(i) an individual who is physically present in Australia at the time of the supply or offer; or

(ii) a body corporate or partnership that carries on business or activities in Australia at the time of the supply or offer."

Dictionary Attacks and Address harvesting software

"No person shall send, cause to be sent, or authorize the sending of, an electronic message to electronic addresses generated or obtained through the use of-

a) a dictionary attack;

b) address harvesting software.[25]

Where,

"dictionary attack" means the method which by which the electronic address of a recipient is obtained using an automated means that generates possible electronic addresses by combining names, letters, numbers, punctuation marks or symbols into numerous permutations.[26] And,

"address harvesting software" means software that is specifically designed or marketed for use for-

a)searching the Internet for electronic addresses; and,

b) collecting, compiling, capturing or otherwise harvesting those electronic addresses."[27]

Altering Transmission Data

"It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless

(a) the alteration is made with the express consent of the sender or the person to whom the message is sent, and the person altering or causing to be altered the data complies with subsection 11(4) of CASL; or

(b) the alteration is made in accordance with a court order.[28]

Installation of Computer Program

A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless

(a) the person has obtained the express consent of the owner or an authorized user of the

computer system and complies with subsection 11(5) of the CASL; or

(b) the person is acting in accordance with a court order.

(2) A person contravenes subsection (1) only if the computer system is located in Canada at the relevant time or if the person either is in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions."[29]

Electronic mail for direct marketing purposes where the identity or address of the sender is concealed

A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail-

(a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; or

(b)where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided.

Types of Senders Covered

Spammers and beneficiaries-

the term ''sender'', when used with respect to a commercial electronic mail message, means a person who initiates such a message and whose product, service, or Internet web site is advertised or promoted by the message."[30]

Spammers and beneficiaries-

A person must not send, or cause to be sent, a commercial electronic message that:

(a) has an Australian link; and

(b) is not a designated commercial electronic message.[31]

Spammers,

beneficiaries, and

providers of support

services

"sender" means a person who sends a message, causes the message to be sent, or authorizes the sending of the message.[32]

Further, persons aiding or abetting the offences under Section 9 or 11 are also punishable under the Act.[33]

Spammers and beneficiaries-

Under Section 6, it is prohibited to send or cause or permit to be sent to an electronic address a CEM.

Under Section 7, It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in a CEM.

Under Section 8, A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from

that computer system.

Spammers and beneficiaries-

The texts of Sections 19, 20, 21 and 22 all prohibit the transmission as well as the instigation of the transmission of, communications for direct marketing purposes without the consent of the recipient.

Who Can Sue

FTC[34], Attorney Generals[35], ISPs and IAPs[36] and most recently even companies/private entities[37]

Australian Communications and Media Agency (ACMA)[38]

Any injured party, including individual users.[39]

Any injured party, including individual users.[40]

Any person who suffers damage by reason of any contravention of any of the requirements of these Regulations.[41]

Exceptions

Transactional or Relationship Messages [42]

where,

The term ''transactional or relationship

message'' means an electronic mail message the primary purpose of which is-

(i) to facilitate, complete, or confirm a commercial

transaction;

(ii) to provide warranty information, product recall information, etc. with respect to a commercial product or service used or purchased by the recipient;

(iii) to provide notifications-

(I) concerning a change in the terms or features of;

(II) of a change in the recipient's standing or status with respect to; or

(III) information with respect to a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the

ongoing purchase or use by the recipient of products or services offered by the sender;

(iv) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating,

or enrolled; or

(v) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.

Designated Commercial Electronic Message (DCEM). A DCEM is a message containing purely factual information, any related comments of non-commercial nature and some limited commercial information as to the identity of the sender company/individual.[43]

A message is a DCEMs if-

a) the sending of the message is authorized by any of the following bodies:

(i) a government body;

(ii) a registered political party;

(iii) a religious organization;

(iv) a charity or charitable institution; and

(b) the message relates to goods or services; and

(c) the body is the supplier, or prospective supplier, of the goods or services concerned.[44]

Messages from educational institutions:

an electronic message is a DCEM if:

(a) the sending of the message is authorised by an educational institution; and

(b) either or both of the following subparagraphs applies:

(i) the relevant electronic account‑holder is, or has been, enrolled as a student in that institution;

(ii) a member or former member of the household of the relevant electronic account‑holder is, or has been, enrolled as a student in that institution; and

(c) the message relates to goods or services; and

(d) the institution is the supplier, or prospective supplier, of the goods or services concerned.

Electronic Messages authorized by the Government[45]

The Act does not apply to any electronic message where the sending of the message is authorized by the Government or a statutory body on the occurrence of any public emergency, in the public interest or in the interests of public security or national defence.[46]

A certificate signed by the Minister shall be conclusive evidence of existence of a public emergency and the other above stated matters.[47]

  • Family and Personal relationships, where

"Family relationship" is a relationship between two people related through marriage, a common law partnership, or any legal parent-child relationship who have had direct, voluntary two-way communications; and

"personal relationship" means a relationship between two people who have had direct, voluntary two-way communications where it would be reasonable to conclude that the relationship is personal.[48]

  • Mails sent to an individual who practices a particular commercial activity with the mail containing solely an inquiry or application related to that activity[49].
  • A mail which - provides a quote or estimate for the supply of a product, goods, a service, etc. if requested by the recipient;

· facilitates, completes or confirms a commercial transaction that the recipient previously agreed to enter into with the sender;

· provides warranty information, product recall information etc. about a product, goods or a service that the recipient uses, has used or has purchased;

· provides notification of factual information about-

(i) the ongoing use or ongoing purchase by the recipient of a product, goods or a service offered under a subscription, membership, account, loan or similar relationship by the sender, or

· provides information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, is currently participating or is currently enrolled;

· delivers a product, goods or a service, including updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that they have previously entered into with the sender.[50]

· Telecommunications service provider merely because the service provider provides a telecommunications service that enables the transmission of the message.[51]

· CEMs which are two-way voice communication between individuals sent by means of a facsimile or a voice recording sent to a telephone account.[52]

A person may send or instigate the sending of electronic mail for the purposes of direct marketing where -

(a) the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b) the direct marketing is in respect of that person's similar products and services only; and

(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.[53]

Penalties

Civil and Criminal

Statutory damages-

Amount calculated by multiplying the number of violations by up to $250. Total amount of damages may not exceed $2,000,000. [54]

Imprisonment- upto 5 years.[55]

Forfeiture from the offender, of-

i) any property, real or personal, constituting or

traceable to gross proceeds obtained from such offense;

ii) any equipment, software, or other technology used or intended to be used to commit or to facilitate the commission of such offense.[56]

Civil only

For a body corporate without prior record,

for upto 2 contraventions, civil penalty should not exceed

i) 100 penalty units if the if the civil penalty provision is subsection 16(1), (6) or

(9); or

ii) 50 penalty units in any other case.

For more than 2 contraventions, civil penalty should not exceed

i) 2000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or

(9); or

ii) 1000 penalty units in any other case.

For a body corporate with prior record,

for upto 2 contravention, civil penalty should not exceed

i) 500 penalty units if the if the civil penalty provision is subsection 16(1), (6) or

(9); or

ii) 250 penalty units in any other case.

For more than 2 contraventions, civil penalty should not exceed

i) 10,000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or

(9); or

ii) 5,000 penalty units in any other case.

For a person without prior record,

for upto 2 contraventions, civil penalty should not exceed

i) 20 penalty units if the if the civil penalty provision is subsection 16(1), (6) or

(9); or

ii) 10 penalty units in any other case.

For more than 2 contraventions, civil penalty should not exceed

i) 400 penalty units if the if the civil penalty provision is subsection 16(1), (6) or

(9); or

ii) 200 penalty units in any other case.

For a person with prior record,

for upto 2 contravention, civil penalty should not exceed

i) 100 penalty units if the if the civil penalty provision is subsection 16(1), (6) or

(9); or

ii) 50 penalty units in any other case.

For more than 2 contraventions, civil penalty should not exceed

i) 2,000 penalty units if the if the civil penalty provision is subsection 16(1), (6) or

(9); or

ii) 1,000 penalty units in any other case.[57]

Civil only

i) Injunction

ii) Damages- calculated in terms of loss suffered as a direct or indirect result of the contravention of the Act.

ii) Statutory Damages

not exceeding $25 for each CEM; and not exceeding in the aggregate $1 million, unless the plaintiff proves that his actual loss from such CEMs exceeds $1 million.[58]

iii)Costs of litigation to the plaintiff.[59]

Civil only

Administrative Monetary Penalty , the purpose of which is to promote compliance with the Act and not to punish.[60]

The maximum penalty for a violation is $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.[61]

Civil on private action; Criminal for non-compliance with IC's notice

A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage.[62]

The enforcement authority for these regulations is Britain's Information Commissioner who oversees both the Act and the Regulations, and investigates complaints and makes findings in the form of various types of notices.[63]

Failure to comply with any notice issued by the Information Commissioner is a criminal offence and is punishable with a fine of upto £5000 in England and Wales and £10,000 Scotland.[64]

THE PROBLEM OF SPAM -WHY IT PERSISTS

As per a study conducted by Kaspersky Lab in 2014, 66.34% of all messages exchanged over the internet were spam.[65] Over the 2000s, several countries recognized the threats posed by spam and enacted specific legislations to tackle the same. The ones taken into consideration in this paper are the CAN-SPAM Act, 2003 of the United States, Canada's Anti-Spam Legislation, 2014, The Spam Act, 2003 of Australia, Singapore's Spam Control Act, 2007 and The Privacy and Electronic Communications (EC Directive) Regulations, 2003 (United Kingdom). As will be analyzed in the course of this paper, none of these laws have evolved to become comprehensive mechanisms for combating spam yet. Nevertheless, post the enactment of these laws, spam has reduced as a percentage of the net email traffic; however, the absolute quantity of spam has increased owing to the exponential growth of email traffic universally.[66]

Who Benefits from Spam?

1. Commercial establishments - Spamming is one of the most cost-effective means of promoting products and services to a large number of potential customers. Spams are not necessarily duplicitous and often contain legitimate information to which a fraction of the recipients respond positively. As per a recent study, for spam to be profitable, only 1 in 25,000 spam recipients needs to open the email, get enticed, and make a gray-market purchase.[67]

2. Non-commercial establishments benefitting from advertisements - Many seemingly non-profit messages benefit from revenue generated through advertisements when recipients visit their site. Advertisers pay these sites either per click or per impression.

3. Spammers - The costs incurred by spammers largely include the cost of e-mail/phone number harvesting and the cost of paying botnet operators. As compared to the revenue generated as a percentage of profits earned by the merchant on whose behalf spam messages are sent, these costs are negligible.[68]

Thus, spamming proves to be an activity that involves minimal investment and often yields some response from prospective clients.

The impact of spam is clearly widespread. Presently, India lacks a specific anti-spam legislation. In consideration of the swelling growth of spam across the globe and the increasing number of Indian users, it is of utmost urgency that a specific legislation is formulated to tackle the issue.

OBSERVATIONS AND ANALYSIS

1. Definition of Spam

a. 'Spam' must be defined in a technologically neutral manner

The legislations analyzed in this paper deal with either one or a cluster of modes of communication through which spam may be sent. However, it is essential that 'spam' is defined in a manner that is technologically neutral. Most commercial spam is aimed at promoting products and services to a large number of prospective customers. Thus, making only spam e-mails illegal, like the CAN-SPAM Act does, fails to address the issue wholly as companies would always retain the option of sending unsolicited messages through other communicative devices. It becomes an issue of merely switching modes of communication without there being any actual deterrence to spamming. Thus, a narrow understanding of spam, limiting it to one or few modes of communication, is problematic and for a model law, a broader definition that discourages unsolicited messages sent via any network is warranted.

b. Non-commercial spam must also be addressed

The five legislations examined in this paper address only the issue of unsolicited 'commercial' mails/messages. For instance, under the CAN-SPAM, a commercial mail means " any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service". Singapore's Spam Control Act defines a commercial message in a similar fashion but more elaborately. CASL, while limiting the scope of the law to commercial mail, additionally prescribes that such communication need not have a profit motive. Australia's Spam Act defines a commercial message as a message that has the purpose of offering, advertising or promoting goods or services or the supplier or prospective supplier of goods or services. Under the EC Directive, the term used is 'marketing communication'; however, in essence, it includes only commercial communications.[69] These definitions suffer from an obvious exclusion error. It is known from experience that not all unsolicited messages received are in pursuance of commercial interests. Often, unsolicited mails and messages are received with explicit sexual content as well as promoting political and religious agendas sent by party volunteers.

Thus, it would be in higher consonance with the greater aim of curbing spam to broaden the scope of these legislations to address both commercial as well as non-commercial messages.

c. Bulk requirement and its quantification

The Singaporean law makes 'sent in bulk' a mandatory requirement for spam. However, deciding what quantity of a particular message qualifies it as bulk is difficult. If an objective threshold is set, say 100 messages in 24 hours, then anything short of that, say even 99 messages, go unaddressed simply because it does not meet the statutory requirement of being in bulk. This enables spammers to misuse the law by marginally falling short of the threshold and still continuing to spam. The issue here is comparable to the one faced in setting age as bar to criminal culpability. No matter what, any number arrived at is likely to be arbitrary and consequently subject of criticism. A possible way to tackle this would be to strengthen the unsubscribe mechanisms by virtue of which individuals are able to, at the very least, stop receiving unsolicited mails. For the determination of threshold for State action and its feasibility, a much more detailed study is merited.

2. Consent Requirement

Opt- out Model

Opt-in Model

Double Opt-in Model

Countries following the model

United States of America and Singapore

Canada, Australia and the United Kingdom

None at present.

When messages may be sent

At all times until recipient voluntarily opts out/unsubscribes.

Only after the recipient voluntarily opts-in/subscribes to receive messages by submitting his/her contact details to be part of a particular mailing list.

Only after the recipient responds in the affirmative to the confirmation mail sent by the sender on receiving an opt-in request from the recipient.

Specific requirements

1. The mail/message must bear a clear identifier of its content. E.g. marked as 'ADVT' for advertisements;

2. An 'unsubscribe' option must be provided in the message which may be utilized by the recipient to express his/her disinterest in the message; and

3. The message must conspicuously bear a valid physical postal address.

N/A

N/A

Advantages

Promotes commercial speech rights-

Since the default position presumes the right to market, average collection rates are considerably higher as more emails can be sent to more people.

1. Reduction in unsolicited messages- Commercial messages are not sent until the recipient voluntarily consents to receiving such messages by submitting his/her contact information.

2. Availability of unsubscribe option- Even after a recipient voluntarily opts in, he/she still has the right to withdraw from such messages by unsubscribing.

1. Ensures people are entering their information correctly, which equals a cleaner list and lowers bounce rates.

2. Reduces the probability of spam complaints because subscribers have had to take the extra step to confirm their consent.

Disadvantages

1. This merely places the burden of reduction of spam on the recipients.

2. The functionality of the 'unsubscribe' link is itself questionable. Very often these links themselves are fraudulent. In such a case, the recipient is further harmed before any opting-out can even take place.

3. In the absence of any strict regulatory oversight, there exists no incentive for the senders to strictly address unsubscribe requests.

1. Consent may be obtained in fact but not in spirit through inconspicuous pre-ticked check boxes.

2. E-mail addresses may be added to a list by spambots. Where, the person 'opted-in' may not actually be the person opting in.

3. Errors may be made when entering emails; a typo may result in someone submitting an address that is not theirs.

4. Legitimate addresses may be added by someone who does not own the address.

1. Genuine subscribers may not understand clearly the confirmation process and fail to click the verification link.

2. Confirmation emails may get stuck in spam filters.

The comparison above highlights that the opt-out model as well as the opt-in model may leave loopholes. The opt-in model has been advocated for as the better model as compared to the opt-out model as it prohibits the sending of messages unless the recipient consents to receiving such messages. However, as pointed out above, in this model consent may be given by entities other than the owner of the contact details. In such a situation, a double opt-in model may be a viable option to contemplate as it is the only model where it can be ensured that only the addressee is enabled to successfully opt-in.[70]

Presently, the double opt-in model has not been adopted by any of the countries discussed in this paper. Nonetheless, it seems to have the potential to aid the fight against spam more effectively than the existing models. Its real efficacy however, shall be proven only on practical implementation.

3. Exceptions

a. Family and Personal Relationships

Under the CASL, an exception is made for 'personal relationships' and 'family relationship'. However, these terms are defined quite narrowly. For instance, family relationship is defined as 'a relationship between two people related through marriage, a common law partnership, or any legal parent-child relationship and those individuals have had direct, voluntary, two-way communication'.[71] This implies that in a situation where an individual wants to send a message offering to sell something to an individual in his extended family, say his cousins, doing so without obtaining their consent first, would qualify his mail as spam under the CASL. This would become especially problematic in the Indian context where comparatively larger family structures prevail.

In the anti-spam legislations of the other four countries, no such exceptions are made. Quite obviously, these exceptions are of crucial significance and must be provided in any anti-spam legislation; however, it is important that they are defined in a manner such that their actual purpose i.e. of exclusion of familial and personal relationships from regulations applicable to spammers, is effectively achieved and the law does not become a creator for unnecessary litigation.

b. Transactional Messages

The term 'transactional messages' is used only under the CAN-SPAM Act of the USA. It basically covers messages sent when the recipient stands in an existing transactional relationship with the sender and the mail contains information specific to the recipient. It also includes employment relationships. In CASL, a similar exception is made under Section 6(6). The section is worded almost identically as the CAN-SPAM provision, though the term 'transactional messages' is not used. In the UK laws, messages for the purpose of direct marketing may be sent where the contact information of the recipient is received in the course of the sale or negotiations for the sale of a product or service to that recipient, thus implying an existing transactional relationship. One added proviso under the UK law is that the recipient must be clearly and distinctively given the opportunity to object, free of charge and in an easy manner, to the use of the e-mail address when collected and on the occasion of each message in case the customer has not initially refused such use.[72]

An exception for transactional messages is essential to ensure freedom of commercial speech rights even while effectively tackling spam. In the formulation of a model law, a combination of the American and the English laws may be workable.

c. Governmental Messages

The Spam Act, 2003 of Australia makes an exemption for 'designated commercial electronic message (DCEM)'. This exemption is to avoid any unintended restriction on communication between the government and the community.[73] In order to be a DCEM, a message must-

1. Be authorized by the government;

2. Contain purely factual information and any related comments of non-commercial nature; and

3. Contain some information as to the identity of the sender company/individual.

DCEMs need not always be sent by government bodies and may also be sent by third parties authorized by the government.[74] Such messages are exempt from the consent requirement as well as the unsubscribe option requirement but must comply with the identifier requirement. However, where government bodies are operating in a competitive environment, the provisions of the act would apply normally to them.[75]

Similarly, Singapore's Spam Control Act does not apply to any electronic message where the sending of the message is authorized by the Government or a statutory body on the occurrence of any public emergency, in public interest or in the interests of public security or national defence.

These exemptions are essential in order to enable free communication of important information between the government and the citizens. The Singaporean wording of the exception is rather broad and would give the government immense space for misusing the law. Such a wording might be more effective if supplemented with the Australian proviso wherein governmental communications operating in a competitive environment are excluded.

4. Penalties

a. Penalties must be higher than benefit from spamming

If the penalty prescribed itself is too low, such that loss suffered from paying penalties is lower than net benefit from spamming, the spammer is not sufficiently deterred. Four out of the five countries analyzed in this paper prescribe only civil penalties in the form of fines for spamming. Recently, a Facebook spammer was found to have made a profit of $200 million in a year.[76] For instance, as noted above, the Australian law sets a limit for penalty at $1 million. Thus, such a penalty would constitute a small fraction of the profit from spamming and would not deter a spammer.

b. High penalty does not imply effective deterrence where probability of prosecution is low.

The CAN-SPAM Act prescribes the harshest penalties including both civil as well as criminal penalties. However, it has been rather ineffective in reducing spam. This is for the reason that this Act is more about how to spam legally than anything else. It is more like- ' you can spam but do not use false headers.'[77] As a consequence, unintentional spam from ignorant commercial establishments has reduced. However, due to easy compliance standards, the 'real' spammers still go undetected to a large extent.[78] Thus, even moderate penalties may serve as good deterrents where the probability of prosecution is high.

c. Effective enforcement is the key to effective deterrence.

The cornerstone of an effective spam law is effective enforcement. Penalties must be enforced in a manner that the cost of punishment is always higher than the benefit from spamming and the probability of conviction is high. In order to implement legislative measures effectively, governments should also undertake an information campaign on spam issues targeting users, business communities, private sector groups and other stakeholders as the one primary reason for sustenance of spam is the response received from certain recipients. Such supplementary activities would also facilitate the preservation of commercial rights as excessive penalties could inhibit regular commercial activities.

CONCLUSION

The observations made in this paper are crucial to the formulation of a model anti-spam law for India. The most important part of any ant-spam legislation would be the definition of 'spam' which, as established above, must be technologically neutral in order to be able to address as much unsolicited communication as possible. On the question of consent, a double opt-in is what this paper would propose. This model has been contemplated and recommended by academic and policy researchers as a possibly more effective consent model for spam laws; however, it has not been codified as a legal regime till date. It could be a rather groundbreaking approach that India could adopt as this clearly is the only model where 'opting-in' is realized in fact and in spirit. Further, exceptions are necessary in order to prevent the abuse of laws making certain such exceptions do not suffer from inclusive or exclusion errors. A combination of the exceptions under the Australian and the American laws seems ideal at this stage of research. In terms of penalty, this paper observed that only prescribing harsh penalties is not sufficient to effectively deter spammers but efficient modes of enforcement have to be formulated to ensure actual deterrence. Lastly, while a well-drafted national anti-spam legislation is clearly the need of the hour for India; additional steps have to be taken towards sensitizing citizens to the fact that the problem of spam is real and a costly threat to the communications infrastructure of the country and combat has to begin at the individual level.


[1] CAN-SPAM Act, § 7706(f) (7).

[2] Spam Act, 2003, § 7

[3] Spam Control Act, 2007, § 7(2)

[4] Canada's Anti-Spam Legislation, 2014, § 6.

[5] Canada's Anti-Spam Legislation, 2014, § 12.

[6] 15 U.S.C. § 7701 (2003).

[7] CAN-SPAM Act, Section 3 (2)(A)

[8] Spam Act, 2003, § 6

[9] Spam Control Act, 2007, § 5(1)

[10] Canada's Anti-Spam Legislation, 2014, § 6

[11] Canada's Anti-Spam Legislation, 2014, § 1(1)

[12] Regulation 19, EC Directives, 2003

[13] Regulation 20, EC Directives, 2003

[14] Regulation 21, EC Directives, 2003

[15] Regulation 22, EC Directives, 2003

[16] Section 11, Data Protection Act, 1998

[17] CAN-SPAM Act, Section 5(5)

[18] Spam Act, 2003, § 16(2)

[19] Spam Act, 2003, Schedule 2 (2)

[20] Spam Control Act, 2007 Section 11, Schedule 2(2)

[21] Canada's Anti-Spam Legislation, 2014, Section 6

[22] CAN-SPAM Act, 2003, Section 5(d)

[23] Spam Control Act, 2007, Schedule 2, 3(1), Section 11

[24] Chapter 47 of title 18, U.S.C., § 1037, inserted through an amendment by the CAN-SPAM Act, § 4(a) (1); '§ 5(A)(1).

[25] Spam Control Act, 2007, '§ 9

[26] Spam Control Act, 2007, '§ 2

[27] Spam Control Act, 2007, '§ 2

[28] Canada's Anti-Spam Legislation, 2014, § 7

[29] Canada's Anti-Spam Legislation, 2014, § 8

[30] CAN-SPAM Act, 2003, § 3(16)(A)

[31] Spam Act, 2003, Section 16(1), Section 8

[32] Spam Control Act, 2007, § 2

[33] Spam Control Act, 2007, § 12

[34] CAN-SPAM Act, 2003, § 7(a)(c)(d)

[35] CAN-SPAM Act, 2003, § 7(f)

[36] CAN-SPAM Act, 2003, § 7(g)

[37] MySpace, Inc. v. The Globe.com, Inc., 2007 WL 1686966 (C.D. Cal., Feb. 27, 2007)

[38] Spam Act, 2003, § 26(1)

[39] Spam Control Act, 2007, § 13

[40] Canada's Anti-Spam Legislation, § 47

[41] Regulation 30(1), EC Directives, 2003

[42] CAN-SPAM Act, 2003, § 3(2)(B)

[43] Spam Act, 2003, Schedule 1, § 2

[44] Spam Act, 2003, Schedule 1, § 3

[45] Spam Control Act, 2007, § 7(3)

[46] Spam Control Act, 2007, First Schedule Clause (1)

[47] Spam Control Act, 2007, First Schedule Clause (2)

[48] Canada's Anti-Spam Legislation, § 6(5a)

[49] Canada's Anti-Spam Legislation, § 6(5b)

[50] Canada's Anti-Spam Legislation, § 6(6)

[51] Canada's Anti-Spam Legislation, § 7

[52] Canada's Anti-Spam Legislation, § 8

[53]Section 22(3), EC Directives, 2003

[54] CAN-SPAM Act, § 7 (f)(3)(A).

[55] CAN-SPAM Act, § 4 (b)

[56] CAN-SPAM Act, § 4 (c)

[57] Spam Act, 2003, Sections 24, 25

[58] Spam Control Act, 2007, § 14

[59] Spam Control Act, 2007, § 15

[60] Canada's Anti-Spam Legislation, 2014, § 20(2)

[61] Canada's Anti-Spam Legislation, 2014, § 20(4)

[62] Regulation 30(1), EC Directive, 2003

[63] Regulations 31-32, EC Directive, 2003

[64] Section 47 and 60, Data Protection Act, 1998

[65] Spam and Phishing Statistics Report Q1-2014, Kaspersky Lab

http://usa.kaspersky.com/internet-security-center/threats/spam-statistics-report-q1-2014#.VVQxNndqN5I (last accessed 29th May, 2015)

[66] Snow and Jayakar, Krishna, Can We Can Spam? A Comparison of National Spam Regulations, August 15, 2013. TPRC 41: The 41st Research Conference on Communication, Information and Internet Policy.

[67] Justin Rao and David Reiley, The Economics of Spam, Vol. 26, No. 3 The Journal of Economic Perspectives (2012), p. 104.

[68] Supra n. 66; p. 7

[69] Refer Table in Section 1.

[70] Dr. Ralph F. Wilson, Spam, Spam Bots, and Double Opt-in E-mail Lists, April 21, 2010; available at http://webmarketingtoday.com/articles/wilson-double-optin/ (last accessed 29th May 2015).

[71] Section 2(a), Electronic Commerce Protection Regulations, http://fightspam.gc.ca/eic/site/030.nsf/eng/00273.html (last accessed 29th May 2015)

[72] Evangelos Moustakas, C. Ranganathan and Penny Duquenoy, Combating Spam Through Legislation: A Comparative Analysis Of US And European Approaches, available at http://ceas.cc/2005/papers/146.pdf

[73] Spam Act 2003- A Practical Guide for Government, Australian Communications Authority, available at- http://www.acma.gov.au/webwr/consumer_info/spam/spam_act_pracguide_govt.pdf (last accessed 29th May 2015)

[74] Ibid

[75] Id

[76] Charles Arthur, Facebook spammers make $200m just posting links, researchers say, The Guardian, 28th August 2013, http://www.theguardian.com/technology/2013/aug/28/facebook-spam-202-million-italian-research (last accessed 29th May, 2015)

[77] Evangelos Moustakas, C. Ranganathan and Penny Duquenoy, Combating Spam Through Legislation: A Comparative Analysis Of US And European Approaches, available at http://ceas.cc/2005/papers/146.pdf

[78] Carolyn Duffy Marsan, CAN-SPAM: What went wrong?, 6th October 2008, available at

http://www.networkworld.com/article/2276180/security/can-spam--what-went-wrong-.html (last accessed 29th May, 2015)

The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.