The NewZealand government is currently requesting input on drafting new laws against Spam. The WLUG is uniquely placed to offer advice to the government on the issue of spam, as many of it's members are technically savvy about how the InterNet works and the rise of Spam, and the LUG is not affiliated any way with any commercial entity that is likely to want to taint the new law.

I propose that the WLUG makes a submission to the government about Spam legislation. To contribute, edit this page with your comments. While I don't think laws alone are going to stop spam, they a certainly a powerful tool against spammers and should be encouraged.

The request is available online: PLEASE read this before commenting on the questions below. The document is very well written and discusses the various issues.

The deadline for the submission is 30 June 2004

I hope that we can draft up a document based on the comments on this page.

1. Do you consider spam to be an important issue? Has it significantly affected you in any way?

PerryLorier: Yes, it has reduced the utility of email, which is one of my primary means of communication. Also spammers have started sending penis enlargement spams from a domain I help administer which is used by a biopharmaceticals company that sell amongst other things, growth hormones. The spammers are not affiliated in any way with the real owners of the domain, and are causing considerable loss of good will.

zcat(1): My kids (7 and 9) would like to be able to exchange email with their friends at school, email stuff to kids TV, enter competitions, etc. I've set them up their own email addresses, but I see today they're starting to get viruses and I have no doubt that spam (much of it highly pornographic) will soon follow. Now I have to discreetly pre-screen their mail.

MatthiasDallmeier: Yes, it wastes my time and money. (By the way, the original meaning of "spam" is not really the same as junk e-mail, so we should probably not use that word.)

PhilMurray: Yes, to give an idea of the epidemic proportion it has reached here are some numbers from my company's mail server on any average day, which handles in excess of 100,000 messages (spam and legitimate) a day:

| Type | Number | Legitimate Mail |> 2.5% | Identified as spam |> 51.5% | Email Viruses |> 46%

As you can imagine, this costs us in terms of server capacity (more hardware and bandwidth) and time for administration.

PerryLorier: Matthias: See Spam vs SPAM

2. Do you think legislation has a role to play alongside other complementary measures?

PerryLorier: Yes. There are several promising technological solutions on the horizon such as SPF, CallerID?, Penny Black, however even if these are effective at wiping out email spam, there is still other types of spam, such as IM spam.

JohnMcPherson: I'm not convinced new legislation would change much. Much of the spam I receive is probably already illegal, in some ways. Under the recent changes to the Crimes Act (?), unauthorised access to a computer is crime. (Much spam is currently sent from insecured personal computers, and the owner is unaware that a spammer is running programs on it). Sending mail with misleading subjects and with other forged headers sounds like it could be covered as fraud. Advertising pills and medicines is already covered under existing legislation. Similarly, pornographic texts and images are covered under current laws. If these laws can't be adequately enforced when it comes to electronic media, new laws won't change that. Perhaps spam that advertises a company's services (and isn't covered by one of the above morality laws) would need extra legislation.

OliverJones: Perhaps. However I think it would probably be more effective to ammend existing legislation covering unsolicited advertising, hawking, cold calling etc.

3. Do you consider existing privacy protections in this area sufficient?

PerryLorier: As stated in paragraph 25 it is possible to trade email addresses that are considered to be publically available. This is causing people to actively conceal their contact information on the Internet, thus destroying one of it's most important uses, as a communications medium.

4. Do you agree that stand-alone anti-spam legislation is preferable to reliance on the Harassment Act?

PerryLorier: The harassment act does not seem to be applicable to Spam. In particular if it was to be enforced, it would be possible for spammers to easily bypass it by rotating through email addresses annually. Also, due to the sheer number of different spammers that are out there even if each spammer only sent you one email then you'd still be flooded with spam.

MatthiasDallmeier: Yes.

JohnMcPherson: With respect to harrassment, a "one-off" message probably wouldn't meet the threshold of a "pattern of behaviour".

5. What message mediums should be caught by the legislation (e.g. email, short message services using mobile phones, Internet instant messaging, faxes, telephones (telemarketing), physical mail delivery)?

PerryLorier: I believe that Spam is not limited to the mechanism that it's delivered by. While spam is generally considered to be a product of electronic communication, Spam is only a problem because the cost of sending the email is so low. If it was possible to send messages via some other medium at very low cost, those mediums would also fall victim to spam.

MatthiasDallmeier: All present and future message mediums should be covered, obviously.

6. Do the messages caught by the legislation have to be sent/conveyed to many recipients, and if so, how many?

PerryLorier: I believe that yes, part of what makes spam what it is is the fact that it is sent in bulk. I'd suggest that bulk email is email where you are sending on average more than 1 email every 10 seconds over any one hour period.

zcat(1): BULK and UNSOLICITED should be the only criteria, commercial makes no difference whatsoever. I would be just as annoyed if I was being sent religious, charity, or political bulk mail.

MatthiasDallmeier: I disagree with Perry and possibly also Bruce depending on the definition of "bulk", because it makes no difference to me how many recipients also received an unwanted message. Anyway, my answer to this question is a definite NO.

zcat(1): I think this is a very silly arguement. If the 200-odd spammers in the ROKSO database were to restrict themselves to sending just ten or twenty emails a day, the chance of ever recieving even ONE spam in your lifetime would be comparable to the chance of winning lotto. BULK is the problem.

OliverJones: No. A user is annoyed by the spam existing in their inbox. Not by the fact that it also got sent to 2 million other inboxes. The quantity of emails is only of concern to ISP's or organizations that process the mail as it is delivered as this effects their quality of service to customers or costs money in handling problems internally.

MatthewBrowne: I don't think it makes any difference how many other people receive the message.

7. Should the messages caught by the legislation be of a commercial advertising and promotional nature only or should other types of messages be caught? Should there be exceptions and if so what should be exempted? Exempting from political parties, religious groups and charities seems to not solve the problem. Spam would still be spam if I was being spammed by religious groups.

PerryLorier: It is not the content of the emails which is a problem, it is the number of them that cause the issue. Waking up and finding another 50 emails that are irrelevant to me if they are commercial in nature or not is my problem.

MatthewBrowne: No exceptions. Like Perry says, the content of the messages does not matter.

MatthiasDallmeier: No exceptions. And this should be extended to cover phone calls as well.

8. Should the legislation extend to coverage of acts done overseas? If so, what acts should be covered?

zcat(1); 'follow the money' - If the the spam benefits a New Zealand 'entity', it should make no difference that they hired some kid in Romania to send their mail via hacked Chinese servers. The same applies if a New Zealander organises the spamming on behalf of an overseas client. And I personally feel that it should also apply if a New Zealander, through lack of appropriate care and computer maintenence, allows their computer to become a 'spam relay' for someone else..

9. Should all parties involved in the act of spamming, such as the vendor sponsoring the spamming, be covered by the legislation? Should there be express exceptions such as for telecommunications companies and ISPs?

PerryLorier: Yes, all parties involved should be covered. I don't believe ISP's or telecommunications companies should be excepted, especially as these are the groups that are technologically the most able to perform spamming.

MatthiasDallmeier: Yes, all parties involved should be covered. Telecommunications companies and ISPs should be required to act on abuse complaints to avoid being held liable for the actions of their customers, but unless they are knowingly hosting spammers, sending spam themselves, or running open servers they cannot really be held responsible.

10. Should New Zealand adopt an opt-in, double opt-in or opt-out approach in legislating against spam? Why?

PerryLorier: Opt-out is unlikely to work as spammers have used "Opt-out" approaches to harvest valid email addresses, and users are reluctant to use it even if it is available due to the risk of recieving even more spam. Opt-in has issues with viruses or malicious people forging email and subscribing you to spam without your consent. Double opt in seems to be the only reliable way of determining peoples true intentions.

MatthiasDallmeier: Double opt-in, because it is the only way to ensure that someone does in fact want to be "spammed". Opt-in could be abused by third parties. Opt-out would be equivalent to allowing spam and therefore a complete waste of time.

zcat(1): Double-opt-in only. The 'confirm' message should contain information that identifies the sender, clearly traces the web form submission or message which invoked it (IP address, mail headers, etc), and lists the name, origin, and purpose of the mailing list. It should not contain anything else that could be considered 'advertising'.

MatthewBrowne: Doublt opt-in is the only workable solution.

11. If an opt-in or double opt-in approach was to be adopted, what should amount to express consent and what actions and/or relationships should amount to inferred consent to the sending of a "commercial" electronic message?

12. How should the scope of any opt-in or double opt-in assent be framed?

zcat(1): "This list only". Every mailing should clearly come from the same company, preferably from the same address.

13. Should there be a requirement for commercial electronic messages to accurately identify the sender of the message? If so, what constitutes accurate identification (e.g. name and physical address, name and email address)?

PerryLorier: This should be a requirement for all commercial communications that they have obvious and accurate sender information. Commercial or not, it should be illegal to send mail as someone you are not.

OliverJones: I do not agree. One should be able to be anonymous. But anonymous and bulk probably shouldn't go together. Also there are problems when it comes to computer generated emails. How do you identify them?

MatthewBrowne: I do not see why any "commercial" email should be anonymous.

PerryLorier: There is no longer any such thing as anonymous email. I personally don't disagree with the ideal of sending anonymous email. However email should still be trackable. IE, I can send mail under the pseudonym "Fred Blogs" and that's fine, however sending mail as OliverJones is not.

14. Should there be a requirement for commercial electronic messages to include a statement to the effect that the recipient may use an electronic address set out in the message to send an unsubscribe message to the sender, and to ensure that such electronic address is functional?

JohnMcPherson: In practise, this doesn't work, because unethical people (such as those who spam) merely use such responses to confirm that their message was actually read by a human, and so that sender's valid address is of a higher "quality" compared to an address of unknown status.

MatthewBrowne: If we have used the double opt-in system to receive these messages then yes, an unsubscribe message would be useful. In all other cases I'd agree with what John said above.

PerryLorier: (I thought I'd replied to this? Hmm weird). People no longer trust opt-out mechanisms, spammers have been known to sell "opt out lists" of email addresses "that have opted out of recieving spam" so that other spammers could use them as a "do not call" list. However the reciepients just use it as a new list of emails to spam.

15. Should there be a requirement that commercial electronic messages provide accurate header and subject information?

PerryLorier: Yes.

JohnMcPherson: Yes. Legitimate headers allows end users, system administrators, and ultimately law enforcement to contact, or at least discover, the origin of the message. Whether such a requirement could be enforced is another matter, or course.

OliverJones: Mail should have acurate and true headers. However this defeats anonomity.

PerryLorier: No it doesn't, Not having a "from" doesn't make my headers inaccurate or false. This just says that the headers that are there must be true. And I'm STILL pissed at people forging spam FROM my email accounts. Also, the envelope is not part of the email headers.

16. Should there be a requirement for the labelling of advertising or adult messages?

PerryLorier: Adult material should be labelled obviously as such and should be labeled in a way that can be detected by software for filtering purposes for younger children.

zcat(1): This shouldn't be necessesary. My children should not be recieving anything that they didn't explicitly subscribe to. I'm fairly sure they didn't sign up anywhere for hot oral sex and penis-enlargement emails, so I shouldn't HAVE to filter those out.

MatthiasDallmeier: I would tend to agree with Bruce on that one. Without UCE this is not an issue and such a requirement would only confuse matters. There might or might not be a need for such a requirement independent of anti-spam legislation and not limited to e-mail only though.

JohnMcPherson: Current legislation already covers indecent messages. Someone sending pornographic email to a minor should be treated in the same way as someone physically giving printed pornographic material to a minor.

OliverJones: I agree with John. Pornographic content on the internet should be covered by the same laws that cover ponography in print.

PerryLorier: In print we have standard warning labels saying "This contains adult material", however on the Internet we can have the computer interpret that. The current laws say "They must be labelled", however there is no requirement that they must be labeled in a computer readable fashion. Being able to use something like PICS? to mark up content means that automagic filtering of content is possible by computers, having text at the bottom that says "You must be old enough to read this email" while it meets the criteria for labelling theres no way a computer will be able to interpret that.

17. Should anti-spam legislation include rules against the supply, acquisition and use of address-harvesting software and harvested-address lists in connection with the unlawful sending of electronic messages?

PerryLorier: Yes. Publishing an email address on a website should not be an open invitation to email it with things that are unrelated to the page that it was posted on.

MatthiasDallmeier: Yes, e-mail addresses should never be passed on to anyone without the expressed permission of their owner...

OliverJones: Matthias, that is unworkable. What if I get asked by a friend what another friend's email address is. Is it illegal for me to give him that address? I think that's pretty draconian. Email addresses should be treated just like phone numbers. Phone numbers get printed in a big book that you can easily acquire. This is highly useful and Internet users should have confidence that publishing their contact details does not result in "unsolicited unwanted" contact. However "unsolicited wanted" contacted should not be excluded. However I do think that the act of harvesting addresses in connection with breaking another law should probably be covered by legislation. However it would need to be fairly specific so as to avoid other legitimate reasons for collecting email addresses. Eg, creating a "whitepages" for email.

MatthewBrowne: I don't think you guys have read the question. I most definitely disagree that any software should be illegal to use. DeCSS anyone?

PerryLorier: I'm against address lists, I'm not against address list software. It's the action which makes it illegal.

MatthiasDallmeier: Sorry, let me try again now that I have actually read the question: I am for freedom of expression, but also for gun control. Anyway, I stand by my original comment that "e-mail addresses should never be passed on to anyone without the expressed permission of their owner," possibly with small exceptions allowing friends, family, and business partners to pass along your e-mail address if it is in your interest to make Oliver happy. This is all about privacy for me. Moving right along to software: If the only use for software is address harvesting, it might help if it was only allowed to be distributed as source code for educational purposes, but address harvesting is not rocket science. In the end, all that matters is what you do with your software, like Perry said.

18. Who should be able to bring an action against an alleged spammer?

MatthiasDallmeier: Anyone who is actually affected by their action.

OliverJones: This includes recipients, owners of forged domains, ISP's who had the mail travel through their network, and companies or individuals who's computer systems may have been hijacked.

19. What agency should have the enforcement role under the legislation?

JohnMcPherson: As mentioned earlier, much spam is technically already in breach of existing laws. I guess the Police are responsible for enforcing laws within New Zealand, although the nature of electronic networks would require cooperation with agencies from like-minded countries for infringements that occur or transit external countries.

20. What should be the available penalties and remedies for breaches of anti-spam legislation and what should be the maximum fine or pecuniary penalty?

SamJansen: I believe it should be a criminal offense. The penalty should range from a fine (perhaps thousands of dollars) to a short-term prison sentence; in the order of a few months.

DanielLawson: apropos of both of the above points: and The former is tongue in cheek. The latter is current law in place in Italy, and I think is on the right track

MatthiasDallmeier: A ban from connecting to the Internet.

GreigMcGill: I'm not really sure the penalty matters so much, but I'd agree with Matthias in that a ban would be the most useful, and nobody can be accused of using the legislation as a revenue trap. I think the main point is that whatever penalty is decided on gets enforced publically, and as frequently as possible as a deterrent.

JohnMcPherson: Similar penalties to existing laws, eg fraud. Currently large-scale fraud involving large sums and/or many victims normally results in jail sentences and large fines.

OliverJones: The penalties should be similar to other fraud, pornography, false advertising or telephone related crimes.

21. Should contraventions give rise to criminal or civil penalties?

JohnMcPherson: large scale offending for commercial gain should be a crime.

22. Should the responsible enforcement agency be given the ability to obtain search warrants conferring powers of entry, search and seizure?

SamJansen: Yes. This really needs to be the case.

zcat(1): Since spammers are an exceptionally low-life form of sociopath, it is felt by many that they may try to 'frame' legitimate mailing lists in order to hurt honest retailers in competition, draw attention away from themselves, or merely confuse the whole issue of legitimate vs. unwanted commercial mail. Any agency investigating spam needs to be aware that spammers are often completely devoid of normal human ethics.

JohnMcPherson: Yes. Abundant evidence should be easily available on computers controlled by someone involved in large volume spamming. However, because the removal of computer hardware can result in severe disruption to an individual or company, such a warrant should only be issued by a judge in the face of significant circumstantial evidence indicating that the suspect is involved in significant offending. I also believe that in the result of a conviction, any such equipment seized may not be returned.

OliverJones: The evidence to get a warrant should need to be very good.