Submission

1 February 2006

Review of the Spam Act 2003

Below is EFA's submission in response to the Spam Act 2003 Review Issues Paper issued by the Department of Communications, Information Technology and the Arts.

Contents:

  1. Executive Summary
  2. Introduction
  3. Rules about sending commercial electronic messages
    1. Unsolicited commercial electronic messages must not be sent
    2. The identification requirement
    3. The unsubscribe requirement
  4. Designated Commercial Electronic Messages
    1. Exemption from the requirement to provide a functional unsubscribe facility
    2. Exempt Factual Information Messages
    3. Exempt Bodies
  5. Consent
    1. Inferred Consent
    2. Conspicuous Publication Exemption
      1. Publication by other persons/organisations
      2. Definition of "Conspicuous"
      3. Freshness of Publication
      4. Work-related address / functions
      5. Business cards
      6. Summary
  6. Rules about address-harvesting software and harvested address lists
  7. Enforcement
    1. Enforcement Measures - penalties, infringement notices, etc.
    2. Investigatory Powers
      1. Entry, Search and Seizure without a warrant and without the consent of the occupier
      2. Entry, Search and Seizure in relation to premises occupied by recipients of spam
      3. Searches of stored messages/ISP equipment without a warrant
      4. Assistance Orders
  8. Service Provider Protection from Civil Proceedings
  9. Facsimile Spam
  10. Conclusion
  11. References
  12. About EFA

1. Executive Summary

  1. The effectiveness of the Spam Act 2003 in reducing receipt of unwanted commercial electronic messages from Australian businesses is questionable. While some types of spam have been outlawed and reduced, other types have been legalised and have increased.

  2. The provisions permitting consent to receive spam to be inferred from "conspicuous publication" of an electronic address are unclear, confusing, impractical and unworkable. The inference from conspicuous publication should be reversed. If it is not, then at the least a number of amendments should be made to clarify the intent of the provisions and narrow the breadth of the circumstances in which consent may be inferred.

  3. The exemption for unsolicited bulk messages that contain "factual information" and also have a commercial aspect contains many loopholes. It should be deleted. It is inappropriate that legislation, in effect, compels individuals to receive and pay for unsolicited information sent to their email address.

  4. The exemptions for Australian (and overseas) government bodies, political parties, religious organisations, charities and charitable institutions and educational institutions should be deleted. The sole purpose of these exemptions is to authorise such bodies to send unsolicited commercial messages "relating to goods and services". If such bodies wish to promote or advertise their goods and services by electronic messages, they should be required to obtain the recipient's prior consent.

  5. If the exemptions for senders of legislatively authorised "designated" spam are not deleted, these senders should not be exempt from the requirement to provide a functional unsubscribe facility.

  6. The existing requirements concerning provision of a functional unsubscribe facility are not adequate because in some circumstances, although a sender has complied with the requirement, the recipient is not able to avail themself of the unsubscribe facility. This occurs primarily in corporate environments where recipients are not able to send a message "from" the address to which the unsolicited message was sent. Amendments are necessary to require senders to provide an effective means by which such recipients can unsubscribe.

  7. The legislation should not treat a single message sent to one specific individual as spam merely because the message has a "commercial aspect". This aspect results in prohibition of messages that are not generally regarded as spam. At the least, the legislation should be amended to provide a defence in such circumstances.

  8. The entry, search and seizure powers enable ACMA appointed inspectors and members of the Federal and Territory police forces to enter and search people's homes without a search warrant and without the consent of the occupier. A judicial warrant, or the voluntary and informed consent of the occupier, should be required, consistent with the Guide To Framing Commonwealth Offences, Civil Penalties And Enforcement Powers issued in February 2004.

  9. The entry, search and seizure powers enable entry and search/seizures (with and without a warrant) in relation to the premises and possessions of a person who is merely a recipient of spam. Amendments are necessary to prevent the potential misuse of these entry, search and seizure powers.

  10. The assistance order provisions requiring disclosure of passwords, encryption keys, etc, apply to a larger class of people, and for a greater number of purposes, than the assistance order provisions in the Crimes Act 1914 and Customs Act 1901. Powers of the Federal Police to require persons to provide assistance to access computer data should represent the high-water mark. The powers of inspectors in relation to the Spam Act 2003 to require persons to provide assistance should be narrowed accordingly.

  11. The supply, acquisition and use of address-harvesting software and harvested address lists should be prohibited for the purpose of sending "designated" spam (if the designated spam provisions are not deleted) and all other unsolicited electronic messages, not only the narrow category of messages referred to in Section 16(1).

  12. The prohibitions on supply, acquisition and use of address-harvesting software and harvested address lists should apply to government bodies (which are currently exempted from these prohibitions).

  13. The protection from civil proceedings provision for ISPs and other electronic message service providers should be changed so that it applies only to anti-spam filtering services provided with the prior consent of the customer, that is, where a customer has voluntarily opted in to having their electronic messages spam-filtered by their ISP or other provider.

  14. Commercial facsimile messages should be regulated in substantially the same way as commercial electronic messages under the Spam Act 2003 i.e. opt-in to receive. Furthermore, there should be no exemptions for "factual information" messages, nor in relation to "conspicuous publication" of facsimile numbers, nor exemptions for any types of organisations.



2. Introduction

01. EFA appreciates the opportunity to make a submission in response to the Spam Act 2003 Review Issues Paper[1].

02. EFA considers the effectiveness of the Spam Act 2003[2] in reducing receipt of unwanted commercial electronic messages from Australian businesses is questionable. In 2003, we expressed concern that "exemptions for 'designated' spam and 'conspicuous publication' of work-related addresses may result in the law being as effective in increasing spam as in reducing it". In our experience since enactment of the legislation, that has been the case. While some previous Australian spammers have apparently ceased their operations as a result of the legislation, there has also been an increase in spam of the type that has been "legalised" by inappropriate exemptions. While we continue to be of the view that those exemptions should be entirely deleted, we also make a number of recommendations with a view to narrowing the breadth of the exemptions.

03. EFA remains strongly opposed to the breadth of applicability of the entry, search and seizure provisions and assistance order provisions in the Telecommunications Act 1997[3] as amended by the Spam (Consequential Amendments) Act 2003[4]. A number of aspects of these provisions are, without justification, inconsistent with other Commonwealth legislation and/or the Guide To Framing Commonwealth Offences, Civil Penalties And Enforcement Powers[5] issued by authority of the Minister for Justice and Customs. We note that according to the Government response to the Senate Scrutiny of Bills Committee Report on Entry and Search Provisions in Commonwealth Legislation[6], those guidelines were being revised in November 2003 and the current version was issued in February 2004. We submit that the investigatory power provisions should be amended in a manner consistent with the guidelines as detailed later herein.



3. Rules about sending commercial electronic messages

2.1.2 Definition of a 'commercial electronic message'
Q1 Do you think this provides suitable coverage?
Q2 Does it include things that it should not?
Q3 Does it fail to cover things that should be included?

04. EFA questions whether the definition of a "commercial electronic message" covers SMS messages that ask the recipient to phone a number because allegedly they have won a "prize", or to obtain "free" goods or services. It is not until the recipient telephones the number that they discover the prize or free goods/services is conditional on payment of money for other goods or services. While in EFA's opinion such messages plainly have a purpose of advertising or promoting goods or services, arguably that is not obvious until after a recipient telephones a number. Hence it is not clear whether individuals are entitled to report such messages to the ACMA without first having called the spammer's telephone number. EFA suggests that the legislation be amended to clarify its application to such messages, or, if individuals are already able to report such messages without first telephoning the spammer's number, that the ACMA make information to that effect available on its web site and in its informational brochures about the spam laws.

3.1 Unsolicited commercial electronic messages must not be sent

Q4 Does this provision cover messages that it should not?
Q5 Are there spam messages that are not currently covered by this provision that should be?
Q6 Does this provision suitably cover the spam problem?

05. EFA remains concerned that the Spam Act 2003 prohibits the sending of messages that are not commonly regarded as spam as a result of the applicability of the law to a single message combined with the definitions of a "commercial electronic message" and "consent".

06. The definition of a commercial electronic message covers a wide range of messages that are not generally regarded as spam, including messages that are unquestionably ordinary email, because:

  • the definition does not target the sending of unsolicited messages in bulk, nor the sending of unsolicited form messages indiscriminately by automated means;
  • the definition is based on analysis of the content of a message, including determination of whether a small portion of the content has a commercial aspect (e.g. as stated in the Explanatory Memorandum: "if the message itself contains nothing of a 'commercial nature', but it provides a link to a web page which is 'commercial in nature' then this will be a commercial message for the purposes of this Bill");
  • it is irrelevant whether or not there is a relationship between the sender and the organisation (or individual) that may receive financial or other benefit as a result of promotion or advertising of their goods, services, etc.;
  • the intent and purpose of the sender in sending the message is irrelevant.

07. While commercial electronic messages may be sent with consent of the recipient, the definition of consent is narrow and hence does not overcome the undesirable consequences arising from the definition of a commercial electronic message and the applicability of the legislation to a single message.

08. Detailed information on the above matters is available in EFA's submission to the inquiry into the Spam Bills 2003[7] conducted by the Senate Environment, Communications, Information Technology and the Arts Legislation Committee.

09. We recognise the Spam Act's applicability to every message that has a "commercial aspect", rather than dealing with the sending of unsolicited direct marketing messages or messages sent in bulk, arises from due regard to avoiding loopholes for spammers. However, we consider insufficient consideration has been given to the effect on ordinary email.

10. We note that the Australian Computer Society ("ACS") remarked in its submission to the 2003 inquiry[8] that the Bills "seem to prohibit or otherwise burden legitimate email activities that most people would not regard as spam" and made the following recommendation:

"14. Amend clauses 16(1) and 18(1) of the SB by replacing 'a commercial electronic message' with 'an unsolicited commercial electronic message' and by adding the following new subclause (1A) to each of the proposed clauses: 'For the purposes of subsection (1) a commercial electronic message is not unsolicited if at the time the message was sent the sender genuinely held the view that the addressee would have an interest in receiving the content of that message and the holding of that view by that sender at that time was in all the circumstances objectively reasonable.'"

11. The ACS submission contained related proposed amendments (paragraph numbers 15-17 inclusive) which included placing the onus of proving the existence of the bona fide view on the sender absent an existing, recent or imminent business relationship.

12. In a similar vein, the Australian Consumers Association ("ACA") recommended[9] "the Bill be amended to provide a defence of single messaging to offences under the Act. This should be framed to allow an individual or company to successfully and prima facie defend themself by demonstrating in fact that the message subject of complaint or investigation was a bona fide single message and not part of a pattern of spamming".

13. While EFA does not favour legislation that in effect requires individuals to mount a defence to sending single messages of a type that are not generally regarded as spam (and therefore should not be covered by the legislation in the first place), we consider amendments of the type recommended by the ACS or the ACA would be a significant improvement to the existing legislation which does not even offer a defence.

Recommendation:
  1. The legislation be amended to either:
    1. exclude its applicability, or provide a defence, to the sending of a single message where such message is not part of a bulk mailing and/or is not sent by automated, indiscriminate means; or
    2. incorporate amendments the same as, or substantially similar to, those proposed by the Australian Computer Society in paras 14-17 inclusive of their 2003 submission.

3.2 The identification requirement

2.2.2 The identification requirement
Q7 Is this a suitable requirement for commercial electronic messages?

14. Yes. This requirement should not be watered down in any way.

3.4 The unsubscribe requirement

2.2.3 The unsubscribe requirement
Q8 Is this a suitable requirement for legitimate commercial electronic messages?

15. Yes. The requirement to provide a functional unsubscribe facility should remain.

16. However, amendments are necessary because since the commencement of the legislation it has become evident that, although the sender has complied with the requirement, some recipients are not able to avail themselves of the unsubscribe facility. This occurs primarily in corporate environments where company policy and IT systems prevent employees from sending a message "from" the address to which the unsolicited message was sent. For example:

  • Addresses such as "[email protected]", "[email protected]", etc, are often "receive-only" addresses and messages sent to such addresses are automatically forwarded by the organisation's mail server to one or more employees. However, many unsubscribe facilities in spam messages only work by replying from the address to which the message was sent. In a business environment, the recipient often has no means of replying from that address (e.g. "[email protected]") because, for example, the organisation has email software locked down to prevent employees from sending messages from any address other than their own address such as "[email protected]". In these circumstances, the only unsubscribe method that works effectively is where the unsubscribe facility is provided by a URL with a unique id parameter incorporated.
  • The same problem as above occurs when a message is sent to an old email address that is being redirected to another address, for example, when someone has left the organisation and mail to their address is forwarded to a current employee, or there has been a corporate entity domain name change and employees continue to receive messages sent to addresses at the old domain name but are not able to respond from that old domain name.

17. Currently the Spam Act 2003 requires that messages include "a statement to the effect that the recipient may use an electronic address set out in the message to send an unsubscribe message" (Section 18). We consider that requirement, and the obligation to honour an unsubscribe request sent by that method within five working days, should remain.

18. However, we submit that the legislation should be amended to require senders to also honour a request not to receive further communications made by any other method, or, at least require senders to provide notification of an effective unsubscribe method that can be used by recipients who are not able to send a message from the address to which the unsolicited message was sent.

Recommendation:
  1. The Spam Act 2003 be amended to require senders to honour a request not to receive further communications made by any method, or, at least require senders to provide notification of an effective unsubscribe method that can be used by recipients who are not able to send a message from the address to which the unsolicited message was sent.



4. Designated Commercial Electronic Messages

Q16 Are the provisions relating to designated commercial electronic messages necessary?
Q17 Are these provisions appropriate as to:
(a) exemption from the prohibition on unsolicited commercial electronic messages?
(b) exemption from the requirement for a functional unsubscribe facility?

4.1 Exemption from the requirement to provide a functional unsubscribe facility

19. Senders of unsolicited commercial messages, deemed "designated" by legislation, should not be exempt from a requirement to provide a functional unsubscribe facility. There is no reason why bodies that are permitted to send commercial messages, without consent, should not be required to provide a functional means by which recipients can notify the body that they do not wish to receive their unsolicited commercial messages. Where a law creates a presumption that consent exists, a person must be able to easily withdraw consent.

Recommendation:
  1. That the Spam Act 2003 be amended to:
    • require senders of "designated commercial electronic messages" to provide a functional unsubscribe facility, and
    • provide that a message is not a designated commercial electronic message if the relevant electronic account holder has previously unsubscribed, or otherwise advised the sender of a desire not to receive commercial electronic messages from the sender.

4.2 Exempt Factual Information Messages

20. In 2003 we considered the exemption for "factual information" messages contained many loopholes and in our experience this has proven to be true since the commencement of the Spam Act 2003. We remain of the view that the exemption should be deleted.

21. An example of the type of spam that has commenced being received by EFA personnel from Australian businesses since the Spam Act 2003 became operative is as follows:

"Our company is a ... and we specialise in ...
Our valued clients include ...
Our reason for contacting you is to offer you, with our compliments, a subscription to our popular e.newsletter ...
Below is our [latest] edition. ...
"

22. EFA believes the vast majority of people would regard such messages as spam and would conclude that the purpose of such messages is to advertise/promote the company's services. However, no doubt businesses sending such messages would claim that the purpose is to provide a copy of their newsletter and that, as the message contains only "factual information" plus "additional information" legislatively permitted to be included in "designated commercial electronic messages", such unsolicited messages are expressly permitted to be sent by the Spam Act 2003.

23. Furthermore, businesses sending "factual information" messages are not required to provide an unsubscribe facility, nor honour requests to cease sending messages, and are free to use address harvesting software to collect email addresses.

24. The provisions of the Spam Act 2003 that, in effect, consent on individuals' behalf to receiving unsolicited "factual information" messages from businesses and hence compel individuals to receive such messages should be deleted. They are entirely inappropriate.

Recommendation:
  1. The exemption for factual information messages having a commercial element be deleted.

4.3 Exempt Bodies

25. EFA considers the exemptions for government bodies, political parties, religious organisations, charities or charitable institutions and educational institutions (based both in Australia and overseas) to be undesirable and completely unnecessary.

26. The sole purpose of these exemptions is to authorise those bodies to send unsolicited messages advertising, promoting, etc. goods and services by establishing a class of senders of "legalised" spam.

27. EFA sees no reason why individuals should be forced to receive and pay for unsolicited electronic messages relating to goods and services from any of the exempt bodies.

28. Moreover, it is unacceptable that the exempt bodies are not required to provide a functional 'unsubscribe' facility the same as that applicable to commercial messages sent with the recipient's consent, and are also exempt from the prohibitions on use of address harvesting software and harvested address lists.

Recommendation:
  1. The exemptions for government bodies, political parties, religious organisations, charities and charitable institutions, and educational institutions, be deleted.



5. Consent

2.7 Spam Act - Schedule 2 - Consent
A key principle of the Spam Act is that people should be able to decide what messages are sent to them, and have that decision respected.
Q18 Do the consent provisions effectively support people's ability to choose what messages are sent to them?
Q19 Do the consent provisions provide a clear distinction between legitimate commercial electronic messages and spam?

5.1 Inferred Consent

29. EFA notes that Schedule 2 of the Spam Act 2003 states:

"2 Basic definition
For the purposes of this Act, consent means:
(a) express consent; or
(b) consent that can reasonably be inferred from:
(i) the conduct; and
(ii) the business and other relationships;
of the individual or organisation concerned.
"

30. EFA submits that Schedule 2 Section 2 should be amended to make clear that failure to unsubscribe or otherwise opt-out from receipt of commercial electronic messages cannot be regarded, by a spammer or the Federal Court, as "conduct" that infers consent to receiving such messages.

31. It would be completely unreasonable for the absence of action on the part of recipients of spam to be regarded as conduct inferring consent because:

  • the intended recipient may not see the message because it has been defensively filtered out by a spam filter;
  • users are often wary of opening obvious spam because they may contain malware;
  • the huge quantity of spam received by Australians from around the world creates a situation where many, probably most, individuals do not have time to read spammers' messages to find out whether they contain unsubscribe instructions, nor should they be expected to read spam to find out.

32. However, we understand that failure to opt out has been contended to infer consent by a sender of commercial electronic messages (Australian Communications & Media Authority v Clarity1 Pty Ltd [2005] FCA 1161[10]), although to our knowledge this matter has not been determined by a Court in relation to the Spam Act 2003. We therefore consider it essential that Schedule 2 of the Spam Act 2003 be amended to ensure that in future consent can not be inferred from a failure to "unsubscribe" or otherwise opt out from receiving commercial electronic messages.

Recommendation:
  1. Schedule 2 Section 2 be amended to make clear that consent can not be inferred from a failure to "unsubscribe" or otherwise opt out from receiving commercial electronic messages.

5.2 Conspicuous Publication Exemption

33. EFA notes that although the legislation generally established an opt-in regime, an opt-out regime was applied to work-related electronic addresses that have been conspicuously published. In 2003, EFA expressed the view that the "conspicuous publication" exception is seriously flawed and our experience since then confirms that view.

34. The provisions allowing consent to be inferred from "conspicuous publication" of an electronic address are inappropriate and unworkable. They are vague, unclear, subject to differences of opinion concerning what is "reasonable to assume" and hence do not effectively support people's ability to choose what messages are sent to them. Instead, they result in people receiving unwanted messages.

5.2.1 Publication by other persons/organisations

35. EFA considers that the circumstances in which consent may be inferred from publication should be narrowed to publication in documents issued by the account holder and/or their employer/organisation.

36. It is impractical, and in numerous instances impossible, for individuals to deny use of a published electronic address by adding "No Spam" or "No UCE" statements:

  • Prior to commencement of the Spam Act 2003, electronic addresses were already published on CD ROMs, in books, journals, magazines and newspapers, in printed telephone directories, etc. where it is reasonable to assume that the person consented to the publication but which cannot be changed.

  • Two years after commencement of the Act, numerous publishers still do not provide an option of including "No Spam" statements in their publications. For example, an EFA electronic address has been published in the Australian Consumers Handbook (printed version and web site version[11]) since prior to commencement of the Act. To date, the publishers of that publication - currently the ACCC and previously the Federal Treasury Department - have not made available an option of including a "No Spam" statement. Similarly the Australian publishers of a printed directory of organisations do not provide such an option and EFA has recently requested removal of our entry from that publication due to the quantity of unsolicited commercial electronic messages still being received from Australian businesses as a result of an EFA address being published in that directory.

  • Some government departments are publishing other people's addresses without consent in circumstances in which some Australian businesses appear to be concluding it is "reasonable to assume" consent to receive spam is implied by a conspicuous publication. See "Conspicuous Publication" below.

5.2.2 Definition of "Conspicuous"

37. EFA considers legislative amendments are necessary to more clearly explain what is meant by "conspicuous" publication and preferably to, at the least, limit this to publication by the intended recipient and/or the organisation/business they represent.

38. For example, in December 2005, a Federal Government Department sent an email message titled "Update to Stakeholders" to people who had been invited to attend a then recent meeting about a government project. The message included the addresses of 127 recipients in the "To" and "Cc" fields of the message, one of which was EFA's Executive Director, who had not attended the meeting, and had not consented to publication of her address to the 126 other recipients of the message. Six days later, EFA's Executive Director received an unsolicited commercial electronic message advertising a commercial conference (of no interest to EFA) from a business (previously unknown to EFA) which had also been one of the recipients of the government department's email.

39. It is not clear to EFA whether or not the publication of an address in the To or CC fields of a message is "conspicuous publication" for the purposes of the Spam Act 2003. Whether or not it is, we do not consider it "reasonable to assume that the publication occurred with the agreement of" the listed recipients given the number of times in EFA's experience that government departments have disclosed email addresses in such a manner and subsequently sent an apology to the recipients stating it was accidental/inadvertent.

40. Nevertheless, evidently the organisers of the commercial conference either considered it reasonable to assume publication of addresses occurred with agreement, or were still unfamiliar with the provisions of the Spam Act 2003.

41. EFA suggests that the legislation be amended to expressly exclude To and CC fields of messages from the definition of "publish" and recommends that DCITA and/or ACMA conduct an education campaign throughout government departments concerning the use of the BCC field when sending electronic messages to people who have not expressly consented to disclosure of their address to other recipients.

5.2.3 Freshness of Publication

42. As mentioned in Section 5.2.1 above, EFA has recently requested removal of our entry from a printed directory of organisations due to the quantity of unsolicited commercial electronic messages being received from Australian businesses. Unfortunately however, businesses that have already collected our electronic address from that publication, or subsequently obtain an old copy of the publication, are legislatively permitted to continue sending, forever, unsolicited "designated" commercial electronic messages to that address.

43. EFA considers the legislation should be amended to add a freshness requirement to the provisions permitting consent to be inferred from conspicuous publication. Consent should not be allowed to be inferred from a publication that occurred more than three months prior to the time when the commercial electronic message is sent. For example, Schedule 2[12] Section 4(2) should be amended by the addition, after clause (b), of:

"(ba) the electronic address was published not more than three months before the commercial electronic message is sent; and"

5.2.4 Work-related address / functions

44. EFA considers the provisions permitting spam relevant to work-related business, functions or duties to be sent to a work-related address are unclear and confusing and therefore cause uncertainty for both businesses and consumers. These provisions are either being used to skate around the intent and objective of the legislation or are still misunderstood by some Australian businesses.

45. We note that the legislation states that work-related addresses are addresses of a "particular" person (employee, director, etc.) or an "individual, or a group of individuals" performing a particular function, etc. We assume this is why ACMA's Business Guide - Protecting Your Business from Spam[13] states:

"If you want people to be able to contact you from your business website, but don't want to be inundated with spam, you have several options:
- Use a non-personal address, such as: [email protected] or [email protected]
"

46. If ACMA's interpretation of the legislation is correct, that is, that consent cannot be inferred to send commercial electronic messages to conspicuously published addresses that do not refer to a particular person or function/role, then this aspect of the legislation needs, at the least, vastly greater publicity.

47. Following enactment of the Spam Act 2003, EFA created a new address "enquiries @". Shortly after that address was published in a printed directory in 2004 (it has never been published on our web site), EFA commenced receiving unsolicited and unwanted commercial electronic messages sent by Australian businesses to that address and continues to receive same (most recently on 17 Jan 2006). Most of these spam messages commence with questions, for example:

  • Do you sub-contract the carriage of your goods ?? Do you think that you have the best deal and service from your current carrier, agent or freight forwarder ??
  • Looking for a venue for your winter 2006 conference? [Venue] is renowned...
  • Do you hold events? Do you need help with managing your events? If your answer is yes to either of the above questions [company] can help. We specialise in ...

48. EFA does not hold conferences, events, or use freight services or use any other types of goods or services being advertised in spam sent to our enquiries address by Australian businesses.

49. As a result of this ongoing problem, EFA has recently requested the publishers of the printed directory to remove EFA's entry. The publishers do not provide an option of including "no spam" statements in their directory.

50. In our view it is an entirely unsatisfactory state of affairs that non-profit organisations and other organisations evidently cannot conspicuously publish any type of address (without including "no spam" statements) that does not receive spam from Australian businesses.

51. We submit that Schedule 2 Section 4 should be amended by the addition of a sub-section similar to the following:

"(3) To avoid doubt, consent is not inferred by the publication (whether or not conspicuous) of an electronic address that does not identify a particular individual, office holder, position, function or role.

Note: Examples of electronic addresses where publication does not infer consent include: [email protected], [email protected], [email protected], [email protected]"

52. Further, as we remarked in our 2003 submission, these work-related address provisions present significant difficulties for some individuals because the matter of what is relevant to a person's job function is just as open to interpretation as the matter of what is spam. For example, the "work-related business, functions or duties" of self-employed persons and small business owners can readily be interpreted to include everything related to managing any type of business. The "conspicuous publication" exception therefore enables such persons to be spammed with advertisements for e.g. insurance, office equipment, computer supplies, printer cartridges, business software, seminars about marketing, etc, etc, in addition to goods and services relevant to their specific type of business.

53. Since commencement of the Spam Act 2003, it has become apparent that the foregoing problem also applies to EFA's personnel. For example, EFA's Executive Director has commenced receiving unwanted and unsolicited commercial electronic messages from Australian businesses advertising staff recruitment services, freight and cargo services, conference management services, conference venues, etc, none of which are in fact relevant to the function, duties, position, etc. of the recipient, nor are they relevant to the role of any other EFA personnel because EFA has no need, or use, for such services.

5.2.5 Business cards

54. EFA considers the Spam Act 2003 should be amended to state that consent to receive commercial electronic messages of any type whatsoever cannot be inferred from the inclusion of an electronic address on a business card.

55. It seems apparent from publications by NOIE and ACMA that even regulatory agencies are not sure whether publication on a business card, of itself, infers consent. For example (a) and (b) below indicate that it does not, while (c) below indicates that it does:

  (a) "Giving someone a business card is not conspicuous publication, although it could be enough to infer consent."
    ACMA - Complying with the Spam Act: The Consent Condition[14]
  (b) "Pre-existing business relationships ...
    Examples of when consent could reasonably be inferred from pre-existing relationships include instances where a person: ...
    - has handed over their business card, containing their electronic address, to a representative of your business; and your business then sends that person commercial electronic messages that are directly relevant to their work"
    ACMA - Spam Act 2003 Information for business: Consent[15]
  (c) "when an addressee has provided a business card containing their electronic address, it would be a reasonable expectation on both sides that relevant messages would be sent to that electronic address."
    NOIE/ACA - Spam Act 2003: A practical guide for business[16]

56. If (c) above is an accurate interpretation of the law, then EFA considers the legislation should be amended. In our view, merely providing a business card should not signify an expectation of receiving commercial electronic messages of any type. There are many reasons individuals may provide a business card which have nothing to do with wishing to receive advertising material. Similarly, in relation to (b) above, EFA considers that whether or not consent could be inferred depends on the nature of the pre-existing relationship. In our view, unless the person is already a customer or has expressed an interest in becoming a customer, the mere provision of a business card would not infer consent to receive spam. It is entirely inappropriate that legislation in effect consent on individuals' behalf to receiving spam sent to an address on a business card, unless the organisation has printed "no spam" on a business card. This should not be necessary.

5.2.6 Summary

57. Overall, EFA considers the conspicuous publication exemption is inappropriate, impractical and unworkable. We consider the inference from conspicuous publication of a work-related address should be reversed.

58. The legislation should provide that consent may only be inferred from publication of an electronic address when it is accompanied by a statement to the effect that "This address may be used for ..." in which the person has designated the type of information they wish to receive, or is accompanied by a statement such as "UCE accepted".

59. The absence of an accompanying statement should mean: "This address is to contact me or my organisation about the products and services that we can provide to you. It is not to be used for the marketing of your own products or services."

Recommendations:
  1. The inference from conspicuous publication of a work-related address be reversed so that consent may only be inferred from publication when the electronic address is accompanied by a statement such as "UCE accepted".

  2. In the unsatisfactory event that the inference is not reversed:
    1. the circumstances in which consent may be inferred from publication be narrowed to publication only in documents issued by the account holder and/or their employer/organisation; and
    2. the legislation be amended to expressly exclude To and CC fields of messages from the definition of "publish"; and
    3. a freshness requirement be added to the provisions permitting consent to be inferred from publication; and
    4. Schedule 2 Section 4 be amended by the addition of a sub-section similar to the following:
      (3) To avoid doubt, consent is not inferred by the publication (whether or not conspicuous) of an electronic address that does not identify a particular individual, office holder, position, function or role.

      Note: Examples of electronic addresses where publication does not infer consent include: [email protected], [email protected], [email protected], [email protected]
      and
    5. Schedule 2 be amended to state that consent to receive commercial electronic messages of any type whatsoever cannot be inferred from the publication of an electronic address on a business card.


6. Rules about address-harvesting software and harvested address lists

2.3 Spam Act-Part 3-Rules about address-harvesting software and harvested address lists
Q9 Do the address harvesting provisions suitably cover spam-related activities?
Q10 Do these provisions cover circumstances that they should not?

60. EFA notes with concern that the prohibitions concerning address-harvesting software and address-harvest lists do not apply to either of the following:

  • their supply by, or acquisition or use by, a government body i.e. a department, agency, authority or instrumentality (the prohibitions only apply to a "person" which means an individual, a partnership, and a body politic or corporate);
  • their supply or acquisition or use for the purpose of sending unsolicited designated commercial electronic messages.

61. This means that the software and/or lists are permitted to be supplied to, acquired by and used by:

  • government bodies for any purpose;
  • political parties, religious organisations, charities and charitable institutions, educational institutions for the purpose of sending unsolicited designated commercial electronic messages;
  • any organisation or individual for the purpose of sending unsolicited designated commercial electronic messages that consist of primarily "factual information";
  • any organisation or individual for the purpose of sending unsolicited bulk email that is not a commercial electronic message as defined in the Bill.

Recommendations:
  1. The prohibitions on supply, acquisition and use of address-harvesting software and address-harvest lists be made applicable to government bodies.
  2. The supply, acquisition and use of address-harvesting software and address-harvest lists for the purpose of sending "designated commercial electronic messages" be prohibited.


7. Enforcement

7.1 Enforcement Measures - penalties, infringement notices, etc.

2.4.1 Spam Act - Enforcement - Enforcement actions under the Spam Act
Q11 Are these enforcement measures suitable and appropriate?
Q12 Are there any spamming activities so serious as to warrant criminal sanctions?

62. EFA considers the pecuniary penalties payable by means of an ACMA infringement notice are inappropriately high for a case such as the sending of one single unsolicited message by a non-prior offender. For example, the ACMA could issue an infringement notice to a person who has never committed a prior breach, alleging the person sent one single commercial electronic message, and requiring them to pay $440 or else the matter will be taken to Court.

63. While it may be unlikely that the ACMA would issue an infringement notice to such a person, or take them to Court, EFA has significant concerns about the potential application of the law to a single message that has a commercial aspect and about definitional issues concerning what is or is not a commercial aspect.

Recommendation:
  1. The provisions be amended so that the ACMA is not permitted to do more than give a formal warning to a first time offender who is alleged to have sent a single message in contravention of s.16.


7.2 Investigatory Powers

2.4.2 Spam Act - Enforcement - Telecommunications Act
Q13 Are the investigatory powers granted in these sections sufficient and appropriate for effective enforcement of the Spam Act?
Q14 Do they go too far?
Q15 Do they not go far enough?

64. EFA considers some aspects of the investigatory powers are inappropriate and go too far.

7.2.1 Entry, Search and Seizure without a warrant and without the consent of the occupier

65. EFA is strongly opposed to the entry, search and seizure provisions of Section 542 of the Telecommunications Act 1997, as amended by the Spam (Consequential Amendments) Act 2003 ("SCA Act"), that empower an inspector to enter and search a residence without a warrant and without the consent of the occupier (such as with the consent of a landlord). Furthermore, these provisions apply not only to a residence occupied by a person suspected of having contravened the Spam Act 2003, but also to a residence occupied by a recipient of spam.

66. Section 542 of the Telecommunications Act 1997[17] states:

"(2) The inspector may, with the consent of the owner or occupier of the land, premises, vessel, aircraft or vehicle, or in accordance with a warrant issued under Division 3:
(a) enter the land, premises, vessel, aircraft or vehicle; and [search, break open, examine and seize]"
(emphasis added)

67. The above provisions fail to strike an appropriate balance between enforcing the law and the privacy of individuals and families, including the privacy of people who are not suspects.

68. The provisions are also inconsistent with the Guide To Framing Commonwealth Offences, Civil Penalties And Enforcement Powers[18], issued by authority of the Minister for Justice and Customs, which states:

"Entry requisites
There must be a proper basis for entry
Principle: Legislation should only authorise entry to premises under warrant or by consent, or in a limited range of other circumstances such as a condition of a licence.
Discussion: An occupier of premises is entitled to decide who may enter the premises unless some other consideration overrides that right. A warrant is the most common mechanism for authorising entry to premises. However, the Commonwealth Parliament has accepted powers to enter premises without consent or a warrant in certain limited circumstances, as follows:
[Licensed premises, Funding or levy, Conveyances, Taxation legislation]."
(emphasis added)

69. EFA is unaware of any other consideration in relation to the Spam Act 2003 that would override an occupier's right and no such consideration was put forward by government representatives in Parliament or anyone else to our knowledge in 2003 nor since then.

70. EFA notes that in 2003 NOIE informed a Senate Committee that "The search and seizure provisions in that Act [i.e. Spam Bills] are consistent with similar provisions existing in other Commonwealth legislation"[19]. While that statement is true, EFA observes that the number of Commonwealth Acts with which the provisions are consistent is very small. A search of Commonwealth legislation databases strongly indicates that there are only three other Acts that permit entry to a residence with the consent of a landlord as distinct from an occupier. These are Radiocommunications Act 1992 - Sect 272[20], Fisheries Management Act 1991 - Sect 84[21] and Torres Strait Fisheries Act 1984 - Sect 42[22]. (EFA has not investigated whether there may be considerations in relation to those Acts which may override the right of an occupier of a residence to decide who may enter. If not, the provisions of those Acts should become the subject of law reform).

71. There are a larger number of Commonwealth Acts that contain specific provisions to ensure that the right of an occupier of a residence to deny consent to enter cannot be overridden without a warrant authorising entry. For example:

Road Transport Reform (Dangerous Goods) Act 1995 - Sect 20 - Powers of authorised officer where offence suspected[23]
(3) If the premises are unattended or are a residence, the authorised officer may only enter with the consent of the occupier of the premises or with the authority of a warrant issued under section 24.

Offshore Minerals Act 1994 - Sect 379 - Inspection of licence-related premises etc. without warrant [24]
(3) An inspector may not enter premises under subsection (1) if:
(a) the premises are a residence; and
(b) the occupier has not consented to the entry.

Petroleum (Submerged Lands) Act 1967 - Schedule 7 - 31B Powers of entry and search-premises (other than regulated business premises)[25]
(2) An OHS inspector may exercise the powers referred to in subclause (1) to enter premises only:
(a) if the premises are not a residence:
   (i) in accordance with a warrant under clause 31C; or
   (ii) with the consent of the occupier of the premises; or
(b) if the premises are a residence-with the consent of the occupier of the premises.

Medicare Australia Act 1973 - Sect 8U - Authorised officers may conduct searches for the purpose of monitoring compliance[26]
(2) If the occupier does not consent to entry under subsection (1), an authorised officer must not enter the premises without a search warrant.
(3) The authorised officer must not under subsection (1) enter premises that are a residence unless the occupier of the premises has consented to the entry.

Agricultural and Veterinary Chemical Products (Collection of Levy) Act 1994 - Sect 21 - Searches to monitor compliance with Act[27]
(2) An inspector may not, under subsection (1), enter premises that are a residence unless the occupier of the premises has consented to the entry.

72. The entry powers of inspectors investigating suspected contraventions of the Spam Act should be no broader than powers under the above mentioned Acts. Accordingly, Section 542 of the Telecommunications Act 1997 should be amended as follows:

(2A) An inspector may not, under subsection (2), enter premises that are a residence unless:
(a) the occupier of the premises has consented to the entry; or
(b) the entry is made under a warrant under Division 3.

73. In addition, Section 542 should be amended to provide that consent must be informed and voluntary. In this regard, we note the Guide To Framing Commonwealth Offences, Civil Penalties And Enforcement Powers[28] states:

"9.3 Entry by consent
Informed consent
Rights notified in request for consent; consent may remain in effect
Principles: Legislation providing for entry by consent should require that the occupier be informed of the right to refuse consent, and that consent be voluntary."

74. Accordingly, Section 542 should be amended to include the following:

Consent
(2B) Before obtaining the consent of a person for the purposes of subsections (2) and (2A), the inspector must inform the person that he or she may refuse consent.
(2C) An entry of an inspector by virtue of the consent of a person is not lawful unless the person voluntarily consented to the entry.

75. EFA observes that the above consent provisions are included in Section 547A pertaining to entry for the purpose of monitoring compliance. Inspectors wishing to enter for the purpose of search and seizure should also be required to notify occupiers of the above.

76. We note that the Government response to the Senate Scrutiny of Bills Committee Report on Entry and Search Provisions in Commonwealth Legislation[29], issued in November 2003, states:

"The Government agrees [with the Scrutiny Committee's recommendation] that the entry and search powers available to the Australian Federal Police (AFP) under the Crimes Act 1914 (Cth) should constitute the 'high-water mark' for search powers generally. This is reflected in the policy currently adopted by the Government on such matters, which provides that the search warrant provisions applicable to police 'define the outer limits of the powers and the minimum limitations and obligations that should normally apply to search warrant powers conferred in other contexts'."

77. The Government response also stated that the Government's policy on entry and search powers was set out in guidelines (previously issued) that were "currently being revised" as at November 2003. The revised guidelines were issued in February 2004[30].

78. EFA agrees that the powers available to the AFP should constitute the high-water mark. However, the entry and search powers available to inspectors in relation to the Spam Act 2003 are in some respects more extensive and involve fewer obligations. For example:

  • under the Crimes Act, issue of a search warrant requires information "that there are reasonable grounds for suspecting that there is, or there will be within the next 72 hours, any evidential material at the premises" while an inspector in relation to the Spam Act is only required to provide information "alleging that an inspector suspects on reasonable grounds that there may be... in or on any premises...[any thing]". EFA considers that issue of a warrant in relation to the Spam Act should be subject to the same test as under the Crimes Act rather than merely requiring an allegation that there may be a thing (that is not necessarily evidential material) on the premises. We also note that the Commonwealth guidelines issued in February 2004 state:
    "Magistrate issues warrant if objective test satisfied
    Granting: The warrant should be required to show on its face that the magistrate was satisfied by information on oath or affirmation that proper grounds existed for issuing the warrant. Those grounds should be that there were reasonable grounds to suspect that, in the premises named in the warrant, there were the things described in the warrant which would afford evidence of a Commonwealth offence identified in the warrant. The warrant need not identify the suspected offender. The 'things' to be searched for need not be itemised or specifically described but the thing or class of things must be required to be delimited with reasonable certainty.
    "

  • Inspectors should be required to inform an occupier of a right to be present during a search (see s3P of the Crimes Act).

  • Inspectors should be required to provide copies of things seized (see s3N of the Crimes Act).

Recommendations:
  1. Section 542 of the Telecommunications Act 1997 be amended by addition of the following subsections:
    (2A) An inspector may not, under subsection (2), enter premises that are a residence unless:
    (a) the occupier of the premises has consented to the entry; or
    (b) the entry is made under a warrant under Division 3.

    Consent
    (2B) Before obtaining the consent of a person for the purposes of subsections (2) and (2A), the inspector must inform the person that he or she may refuse consent.
    (2C) An entry of an inspector by virtue of the consent of a person is not lawful unless the person voluntarily consented to the entry.

  2. Section 535 be amended to require information on oath that there are reasonable grounds for suspecting that there is, or there will be within the next 72 hours, any evidential material in or on the premises (vehicle, etc).

  3. Inspectors conducting searches be required to:
    • inform an occupier of a right to be present during a search (see s3P of the Crimes Act),
    • provide copies of things seized (see s3N of the Crimes Act).

7.2.2 Entry, Search and Seizure in relation to premises occupied by recipients of spam

80. Amendments are necessary to prevent the potential use of the existing legislation to enter and search premises in relation to a person who is merely a recipient of spam without the person's consent.

81. We note that some proponents of the Bills in 2003 regarded the provision enabling search of innocent recipients' homes and possessions as unimportant because they did not expect the legislation would be used for that purpose. For example, the then Minister for Communications, Information Technology and the Arts said in the House[31] that:

"The suggestion that an ACA inspector would conduct a search and seizure operation in respect of a recipient of spam is, on the face of it, ludicrous. It would be a waste of time and resources when the act could target the origin of the messages."

82. EFA considers that legislation that does empower an inspector, being either an ACMA inspector or "a member (other than a special member) of the Australian Federal Police or of the police force of a Territory" (s533), to conduct such a search and seizure operation is of itself ludicrous and should be amended. Law enacted on the basis that it would only be applied selectively is a bad law. EFA's concern is not that an ACMA employee would waste their time and resources, it is that the legislation is open to abuse by members of police forces who could use the entry powers for "fishing trips" in relation to matters that are not connected with contravention of the Spam Act 2003. EFA would like to think that no police officers are or ever will again be corrupt or misuse their powers. However, history suggests that would most likely be wishful thinking.

83. The problem arises because the "things" that may be searched for are unduly broad in that they include "anything connected...with a particular breach of the Spam Act 2003" which includes:

"(a) a thing in respect of which the breach has happened; or
(b) a thing that may afford evidence about the breach; or
"

84. Item (b) would include copies of spam received and item (b), and perhaps (a), would include a computer on which spam was received.

85. EFA submits that amendments should be made to narrow definitions of "things" to exclude things that may afford evidence of receipt of spam, or, amend the entry and search provisions to exclude entry to premises when the only thing/s suspected on reasonable grounds of being in or on the premises are thing/s that may afford evidence of receipt of spam.

Recommendation:
  1. Amendments be made to either:
    • narrow definitions of "things" to exclude things that may afford evidence of receipt of spam, or
    • amend the entry and search provisions to exclude entry to premises when the only thing/s suspected on reasonable grounds of being in or on the premises are thing/s that may afford evidence of receipt of spam.

7.2.3 Searches of stored messages/ISP equipment without a warrant

86. EFA also remains highly concerned that the enactment of the Spam Act 2003 may have had the effect of authorising an Internet Service Provider ("ISP") to allow an inspector to search the ISP's customers' email boxes (possibly including the actual content of messages) without a warrant under the existing "reasonably necessary assistance" provisions of Section 282(2) ("Law enforcement and protection of public revenue") of the Telecommunications Act 1997.

87. EFA has long been of the view that Sections 282(1) and (2) of the Telecommunications Act 1997 require amendment to ensure that the content of messages cannot be accessed by law enforcement agencies without a warrant, in order to adequately protect Internet users' privacy and minimise the potential for "fishing trips" without a warrant. Whether or not Sections 282(1) and (2) authorise disclosure of the content of communications (as distinct from, for example, the 'To' and 'From' fields of messages) has long been a recognised grey area of the Telecommunications Act 1997. See for example Section 4.3 of the Telecommunications Interception Policy Review - May 1999 issued by the Attorney-General's Department[32].

88. EFA notes that the 2005 Report of the Review of the Regulation of Access to Communications[33], prepared by Mr Anthony Blunn AO, states "[f]rom a privacy point of view the provisions [of subsections 282(1) and (2)] as presently drafted are not adequate" and recommends that those subsections "be reviewed with a view to clarifying their intent and scope and better identifying the processes to be followed".

Recommendation:
  1. Sections 282(1) and (2) of the Telecommunications Act 1997 be amended to ensure that carriage service providers (includes ISPs) and other electronic message service providers are not permitted to allow inspectors to conduct searches associated with the Spam Act 2003 of their customers', or any other persons', communications without a warrant.

7.2.4 Assistance Orders

89. EFA strongly objects to the breadth of applicability of the assistance order provisions in Section 547J of the Telecommunications Act 1997[34]. These provisions, which require disclosure of passwords, encryption keys, etc. on threat of potential imprisonment, apply not only to a person who is suspected of having contravened a civil penalty provision of the Spam Act 2003 but also to people who are not suspects for purposes that apparently are not limited to obtaining evidential material.

90. EFA's concerns about these provisions are exacerbated by the fact that a person who is merely suspected of having been "involved in" sending a single unsolicited commercial electronic message could be the subject of an order, and that it appears a person (including but not limited to a carriage service provider) who was unknowingly "involved in" a breach could be the subject of an order.

91. Section 547J states:

"Grant of access order
(3) The magistrate may grant the order if the magistrate is satisfied that:
(a) there are reasonable grounds for suspecting that a thing connected with a breach of the Spam Act 2003 is held in, or is accessible from, the computer; and
(b) the specified person is:
   (i) reasonably suspected of having been involved in the breach; or
   (ii) the owner or lessee of the computer; or
   (iii) an employee of the owner or lessee of the computer; and
(c) the specified person has relevant knowledge of:
   (i) the computer or a computer network of which the computer forms a part; or
   (ii) measures applied to protect data held in, or accessible from, the computer.
"

92. EFA observes that the above provisions apply to a larger class of people, and for a greater number of purposes, than the assistance order in the Customs Act 1901 Section 201A(2) and the Crimes Act 1914 (as amended by the Cybercrime Act 2001) Section 3LA(2).

93. EFA considers the powers of the Australian Federal Police under the Crimes Act to require persons to provide "assistance" to access computer data should constitute the high-water mark[35] and accordingly assistance available to inspectors in relation to the Spam Act 2003 should be no more extensive.

94. Assistance orders should not be available when there are only grounds for suspecting "a thing connected with a breach", as distinct from evidential material, is in or accessible from the computer, and persons who are merely suspected of having been "involved in a breach", as distinct from being suspected of having contravened a provision of the Spam Act 2003, should not be subject to an assistance order.

95. EFA submits that Section 547J(3) should be amended to become substantially the same as the provisions of the Customs Act 1901 Section 201A(2)[36] and the Crimes Act 1914 (as amended by the Cybercrime Act 2001) Section 3LA(2)[37]. Amendments that would be necessary to make it identical to those Acts are shown below:

547J. Access to computer data that is relevant to the Spam Act 2003
...
Grant of access order
(3) The magistrate may grant the order if the magistrate is satisfied that:
(a) there are reasonable grounds for suspecting that [deleted: a thing connected with a breach of the Spam Act 2003] [inserted: evidential material] is held in, or is accessible from, the computer; and
(b) the specified person is:
(i) reasonably suspected of having [deleted: been involved in the breach] [inserted: committed the offence stated in the relevant warrant]; or
(ii) the owner or lessee of the computer; or
(iii) an employee of the owner or lessee of the computer; and
(c) the specified person has relevant knowledge of:
(i) the computer or a computer network of which the computer forms a part; or
(ii) measures applied to protect data held in, or accessible from, the computer.

96. However, we note that in relation to (b)(i) above, the Spam Act 2003 does not contain offences and, unlike the Customs Act and Crimes Act, Section 537 of the Telecommunications Act does not require that the warrant state "the offence" (under Part 21 Technical Regulation), or the breach (under the Spam Act), to which the warrant relates.

97. EFA submits that:

  • Section 537 should be amended to require that a warrant issued in relation to the Spam Act 2003 must state the civil penalty provision to which the warrant relates; and
  • Section 547J(3)(b) should be amended to state "the specified person is: (i) reasonably suspected of having contravened the civil penalty provision stated in the relevant warrant".

98. Alternatively, if the above changes are not made, the term "involved in" should be defined. The use of this term without definition in this type of context is inconsistent with other Commonwealth legislation such as the Trade Practices Act 1974, Corporations Act 2001, etc, and other parts of the Telecommunications Act 1997[38]. Accordingly, if the phrase "involved in" is to remain in Section 547J(3), then new subclauses should be added to Section 547J stating:

(3A) A reference in subclause (3) to a person who is reasonably suspected of having been involved in the breach is a reference to a person who is reasonably suspected of having:
(a) aided, abetted, counselled or procured the breach;
(b) induced, whether by threats or promises or otherwise, the breach;
(c) been in any way, directly or indirectly, knowingly concerned in, or party to, the breach; or
(d) conspired with others to effect the breach.

99. (3B) A person has not been involved in a breach merely because the person supplies a carriage service that enables an electronic message to be sent.

100. EFA furthermore notes that during debate in the Senate Chamber[39] concerning proposed amendments to Section 547J in relation to the phrase "involved in", the representative of the Minister for Communications stated that "persons involved in a breach may include those described in the subsections of the bill describing ancillary contraventions, which cover such activities as aiding and abetting breaches of the Spam Bill". However, the intended meaning of the term is not apparent from the face of the legislation and we consider it highly unlikely that a magistrate issuing an access order would be aware of the intention stated in Parliament, nor likely to refer to secondary materials to find out (nor should they be expected to do so). Hence the currently inappropriate breadth of the term should be narrowed by defining it in the legislation in a manner consistent with the ancillary contraventions of the Spam Act 2003 as set out above.

101. In relation to Section 547J(3)(a) which states "there are reasonable grounds for suspecting that a thing connected with a breach of the Spam Act 2003 is held in, or is accessible from, the computer", as discussed in Section 7.2.2 above the breadth of "things" is excessive. Further, EFA considers that access orders should not be able to be issued when it is not reasonably suspected that evidential material is held in, or is accessible from, the computer. We submit that the amendments proposed in Section 7.2.2 should be made and that Section 547J(3)(a) should be amended to become identical to the relevant provision of the Crimes Act and Customs Act, that is, "there are reasonable grounds for suspecting that evidential material is held in, or is accessible from, the computer".

102. In relation to Section 547J(4) which states:

(4) A person is guilty of an offence if:
(a) the person is subject to an order under this section; and
(b) the person omits to do an act; and
(c) the omission breaches the order.
Penalty: Imprisonment for 6 months.

103. EFA understands that:

  • Section 4B(2) of the Crimes Act 1914[40] applies in relation to the above penalty and enables a court, if it thinks it appropriate in all the circumstances of the case, to impose a penalty of up to 30 penalty units instead of imprisonment; and
  • Chapter 2 of the Criminal Code Act 1995[41] applies to the above offence (as stated in Section 11A[42] of the Telecommunications Act 1997) which sets out the general principles of criminal responsibility and among other things requires the prosecution to prove intent to omit to do an act. It also provides that conduct (e.g. an omission to perform an act) must be voluntary and that an omission to perform an act is only voluntary if the act omitted is one which the person is capable of performing.

104. Assuming EFA's understanding is correct in relation to Section 547J(4), if Section 547J(3) was amended as proposed above, EFA's concerns about the breadth of assistance order provisions would be significantly reduced.

Recommendations:
  1. Either:
    1. Section 537 of the Telecommunications Act 1997 be amended to require a warrant issued in relation to the Spam Act 2003 to state the civil penalty provision to which the warrant relates; and
      Section 547J(3)(b) be amended to state "the specified person is: (i) reasonably suspected of having contravened the civil penalty provision stated in the relevant warrant";

      OR
    2. The term "involved in" be defined by adding the following new subclauses to Section 547J of the Telecommunications Act 1997:
      (3A) A reference in subclause (3) to a person who is reasonably suspected of having been involved in the breach is a reference to a person who is reasonably suspected of having:
      (a) aided, abetted, counselled or procured the breach;
      (b) induced, whether by threats or promises or otherwise, the breach;
      (c) been in any way, directly or indirectly, knowingly concerned in, or party to, the breach; or
      (d) conspired with others to effect the breach.

      (3B) A person has not been involved in a breach merely because the person supplies a carriage service that enables an electronic message to be sent.

  2. The amendments proposed in Section 7.2.2 concerning "things" be made and Section 547J(3)(a) of the Telecommunications Act 1997 be amended to become identical to the relevant provision of the Crimes Act and Customs Act, that is, "there are reasonable grounds for suspecting that evidential material is held in, or is accessible from, the computer".



8. Service Provider Protection from Civil Proceedings

106. The SCA Act amended the Telecommunications Act 1997 to extend the matters that may be dealt with by industry codes and industry standards to include procedures to be followed by service providers "in dealing with unsolicited commercial electronic messages (including procedures relating to the provision or use of regularly updated software for filtering unsolicited commercial electronic messages)" (s.113(3)(q)).

107. It also gives providers protection from civil proceedings "in respect of anything done by the provider in connection with" procedures in a registered code or standard for dealing with unsolicited commercial electronic messages (s.137).

108. The Explanatory Memorandum states: "This will provide significant reassurance to these service providers regarding a common concern that they may attract civil liability for undertaking reasonable spam-filtering activity. It will provide an incentive for the development and the uptake of compliant code(s), in order to obtain the indemnity offered."

109. These provisions would enable the industry to develop a Code that could be registered by the ACMA and would then be enforceable against all ISPs and other electronic messaging service providers, irrespective of whether customers, i.e. the recipients of messages, wished their email to be spam filtered by their service provider or not. Also, it should be recognised that some people prefer to configure and use their own spam filtering system rather than a service provided by an ISP. Although the Telecommunications Act 1997 requires the industry to issue any draft code for public consultation, there is no requirement for the industry or the ACMA to remove any provisions opposed by even a majority of members of the public.

110. It appears the immunity from any civil proceedings may be sufficiently broad to give providers protection in relation to failure to provide contracted services, for example, non-delivery of email to a recipient that is not an "unsolicited commercial electronic message", if that occurred as a result of complying with procedures in an industry code or standard. Further, if a customer wished to change providers with a view to being able to receive messages being blocked by their current provider's spam filtering system, the customer would probably have to pay their current ISP one or more months' fees under the ISP's terms and conditions of termination of their account. It appears an existing right to decline to pay such fees due to non-provision of contracted service may in effect be over-ridden by the protection from civil liability provisions.

111. Extreme care needs to be taken in the development and registration of any Code to ensure it does not have the effect of undermining existing consumer protections and rights. However, there is no surety that a largely self-regulatory industry code would be sufficiently cautiously developed and/or implemented.

112. The essence of any "safe harbour" provision is a trade-off - if the entity complies with a certain set of standards then immunity is granted for acts done in good faith. An ISP or other electronic messaging service provider who spam-filtered a customer's email without their consent and thereby caused foreseeable loss should not receive immunity.

Recommendation:
  1. The provision providing protection from civil proceedings be changed so that, in relation to proceedings by a service provider's customers, the protection applies only to anti-spam filtering services provided with the prior consent of the customer, that is, when a customer has voluntarily opted in to having their electronic messages spam-filtered by the service provider.



9. Facsimile Spam

2.8 Other-Facsimile spam
Q20 Should commercial electronic messages sent by facsimile be covered by the Act?
Q21 Why?
Q22 Why not?

113. Since the commencement of the Spam Act 2003, unsolicited direct marketing facsimile transmissions have commenced being received at EFA's facsimile number. It appears this may be an effect of the prohibition on sending unsolicited commercial email messages.

114. EFA considers the sending of unsolicited advertising messages via facsimile should be made illegal in the absence of express prior consent of the recipient. Facsimiles result in costs to the recipient in use of paper and toner/ink. Furthermore, the intrusion/annoyance cannot even be effectively stopped by quickly disconnecting the call because most facsimile machines are configured to automatically re-dial at least twice after an unsuccessful transmission.

115. In addition, while unsolicited faxes received by EFA have generally purported to provide a telephone number for the purposes of unsubscribing, EFA's experience has been that these numbers are either always engaged or result in a recorded message stating information similar to "no lines are available at the present time, please try again later".

116. We consider facsimile messages should be regulated in substantially the same way as commercial electronic messages under the Spam Act 2003 i.e. opt-in to receive, not under provisions relating to an opt-out Do Not Call Register. Furthermore, there should be no exemptions for "factual information" messages, nor in relation to "conspicuous publication" of facsimile numbers, nor exemptions for any types of organisations.

Recommendation:
  1. Commercial facsimile messages be regulated in substantially the same way as commercial electronic messages under the Spam Act 2003 i.e. opt-in to receive and no exemptions be provided for "factual information" messages, nor in relation to "conspicuous publication" of facsimile numbers, nor for any types of organisations.



10. Conclusion

117. Although the Discussion Paper states that "[a] key principle of the Spam Act is that people should be able to decide what messages are sent to them, and have that decision respected", the legislation has not achieved that aim. Instead it has created a class of "legalised" spam by the inclusion of inappropriate exemptions, insufficiently clear definitions and prescribing circumstances in which individuals are deemed to have consented to receipt of spam although they have not. As a result, while there has been a decrease in receipt of some types of spam, there has also been an increase in other types of spam. Legislative amendments are necessary to give effect to the principle that people should be able to decide whether or not commercial electronic messages advertising and/or promoting goods and services are sent to them.

118. In addition, the investigatory power provisions are excessive and unnecessarily open to misuse. These provisions are, without justification, inconsistent with other Commonwealth legislation and/or the Guide To Framing Commonwealth Offences, Civil Penalties And Enforcement Powers. The investigatory power provisions should be amended as detailed earlier herein.



11. References

1. Spam Act 2003 Review Issues Paper
<http://www.dcita.gov.au/ie/spam_home/spam_act_review>

2. Spam Act 2003
<http://www.austlii.edu.au/au/legis/cth/consol_act/sa200366>

3. Telecommunications Act 1997
<http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/>

4. Spam (Consequential Amendments) Act 2003
<http://www.austlii.edu.au/au/legis/cth/num_act/saa2003n1302003333>

5. Guide To Framing Commonwealth Offences, Civil Penalties And Enforcement Powers, issued by authority of the Minister for Justice and Customs, February 2004.
<http://www.ag.gov.au/agd/www/Agdhome.nsf/0/6F19B1D7FCBBF6C3CA256E5F00017937?OpenDocument>

6. Government response to the Senate Scrutiny of Bills Committee Report on Entry and Search Provisions in Commonwealth Legislation, November 2003.
<http://www.ag.gov.au/agd/www/Agdhome.nsf/Page/9F32D2EA84594B5ECA256DF000112B41?OpenDocument>

7. EFA submission to the Inquiry into the Spam Bills 2003, conducted by the Senate Environment, Communications, Information Technology and the Arts Legislation Committee
<http://www.efa.org.au/Publish/efasubm-ecitaspam.html>

8. Australian Computer Society submission to the Inquiry into the Spam Bills 2003
<http://www.aph.gov.au/senate/committee/ecita_ctte/completed_inquiries/2002-04/spam/submissions/sub13.doc>

9. Australian Consumers Association ("ACA") submission to the Inquiry into the Spam Bills 2003
<http://www.aph.gov.au/senate/committee/ecita_ctte/completed_inquiries/2002-04/spam/submissions/sub6.doc>

10. Australian Communications & Media Authority v Clarity1 Pty Ltd [2005] FCA 1161 (22 August 2005)
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/cases/cth/federal_ct/2005/1161.html>

11. Australian Consumers Handbook Online
<http://www.consumersonline.gov.au>

12. Schedule 2, Spam Act 2003
<http://www.austlii.edu.au/au/legis/cth/consol_act/sa200366/sch2.html>

13. ACMA's Business Guide - Protecting Your Business from Spam [PDF 60 kb]
<http://www.acma.gov.au/acmainterwr/consumer_info/spam/business_guide-protecting_your_business_from_spam.pdf>

14. ACMA - Complying with the Spam Act: The Consent Condition
<http://www.acma.gov.au/ACMAINTER.131456:STANDARD:970841095:pc=PC_2925>

15. ACMA - Spam Act 2003 Information for business: Consent
<http://www.acma.gov.au/acmainterwr/consumer_info/spam/information_for_business/spam_businessinfo_consent.rtf>

16. NOIE/ACA - Spam Act 2003: A practical guide for business [PDF 243 Kb]
<http://www.acma.gov.au/acmainterwr/consumer_info/frequently_asked_questions/spam_business_practical_guide.pdf>

17. Section 542 of the Telecommunications Act 1997
<http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/s542.html>

18. See note 5.

19. NOIE submission to the Inquiry into the Spam Bills 2003
<http://www.aph.gov.au/senate/committee/ecita_ctte/completed_inquiries/2002-04/spam/submissions/sub14.doc>

20. Radiocommunications Act 1992 - Sect 272
<http://www.austlii.edu.au/au/legis/cth/consol_act/ra1992218/s272.html>

21. Fisheries Management Act 1991 - Sect 84
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/legis/cth/consol_act/fma1991193/s84.html>

22. Torres Strait Fisheries Act 1984 - Sect 42
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/legis/cth/consol_act/tsfa1984280/s42.html>

23. Road Transport Reform (Dangerous Goods) Act 1995 - Sect 20 - Powers of authorised officer where offence suspected
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/legis/cth/consol_act/rtrga1995406/s20.html>

24. Offshore Minerals Act 1994 - Sect 379 - Inspection of licence-related premises etc. without warrant
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/legis/cth/consol_act/oma1994188/s379.html>

25. Petroleum (Submerged Lands) Act 1967 - Schedule 7 - 31B Powers of entry and search-premises (other than regulated business premises)
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/legis/cth/consol_act/pla1967267/sch7.html>

26. Medicare Australia Act 1973 - Sect 8U - Authorised officers may conduct searches for the purpose of monitoring compliance
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/legis/cth/consol_act/maa1973164/s8u.html>

27. Agricultural And Veterinary Chemical Products (Collection Of Levy) Act 1994 - Sect 21 - Searches to monitor compliance with Act
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/legis/cth/consol_act/aavcpola1994626/s21.html>

28. See note 5.

29. See note 6.

30. See note 5.

31. Spam Bill 2003; Spam (Consequential Amendments) Bill 2003: Second Reading, Williams, Daryl, MP (Minister for Communications, Information Technology and the Arts), House Hansard, 9 October, 2003
<http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=HANSARDR&Criteria=DOC_DATE:2003-10-09%3BSEQ_NUM:18%3B>

32. Telecommunications Interception Policy Review Report - Section 4.3, Attorney-General's Department, 1999
<http://www.law.gov.au/agd/Department/Publications/publications/teleintreview/teleintreview2.html#data>

33. Report of the Review of the Regulation of Access to Communications, Anthony S Blunn AO, August 2005 (tabled in the House of Representatives by the Federal Attorney General on 14 September 2005).
<http://www.ag.gov.au/agd/WWW/agdHome.nsf/Page/Publications_2005_Report_of_the_Review_of_the_Regulation_of_Access_to_Communications_-_August_2005>

34. Section 547J of the Telecommunications Act 1997
<http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/s547j.html>

35. See note 6.

36. Customs Act 1901 Section 201A(2)
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/legis/cth/consol_act/ca1901124/s201a.html>

37. Crimes Act 1914 (as amended by the Cybercrime Act 2001) Section 3LA(2)
<http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s3la.html>

38. See, for example, Trade Practices Act 1974 - Sect 75B Interpretation, Corporations Act 2001 - Sect 79 Involvement in contraventions, Telecommunications Act 1997 - Schedule 3A Protection of submarine cables - Section 45(3).

39. Senate Hansard, 28 November 2003.

40. Section 4B(2) of the Crimes Act 1914
<http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s4b.html>

41. Criminal Code Act 1995
<http://www.austlii.edu.au/au/legis/cth/consol_act/cca1995115/sch1.html>

42. Section 11A of the Telecommunications Act 1997
<http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/s11a.html>



12. About EFA

Electronic Frontiers Australia Inc. ("EFA") is a non-profit national member-based organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in April 1994. EFA's membership includes individuals in all Australian States and Territories.

EFA is independent of government and commerce and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties.

EFA's major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet), and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.

EFA's policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The Board consists of ten elected members who act in a voluntary capacity (they are not remunerated for time spent on EFA activities) and an Executive Director who is a non-voting member appointed by and reporting to the Board.

EFA has long been an advocate for the rights of users of the Internet and other telecommunications and computer based communication systems. EFA has presented written and oral testimony to Parliamentary Committee and government agency inquiries into numerous Internet and telecommunications related matters, including privacy, telecommunications interception laws, censorship, copyright, cybercrime, spam, etc. EFA spokespersons respond to frequent enquiries from the media and public about Internet related issues and have been speakers and lecturers in Australia and overseas. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and the Research Reference Committee (2001) and the Privacy Consultative Group (2004-2005); NOIE's Privacy Impact Assessment Consultative Group relating to the development of a Commonwealth Government Authentication Framework (2003); the ENUM Privacy and Security Working Group convened by the Australian Communications and Media Authority (2003-2005); Centrelink's Voice Authentication Initiative Privacy Impact Assessment Consultative Group (2004-2005); the Australian Communications Authority's Consumer Consultative Forum (2005) and the Smart Technologies and Services Interdepartmental Committee Consumer and Privacy Consultative Forum chaired by the Department of Human Services (2005).
