16 September 2002

NOIE Spam Review Report

This is a submission in response to the NOIE's call for comment on the Spam Review Report.


Calling Line Identification (CLI)

The proposed use of Calling Line Identification (CLI) contained in Recommendation 3 of the NOIE Spam Review Interim Report is an extraordinarily privacy invasive idea for dealing with the spam problem - a problem that could be significantly reduced by far more effective, non privacy invasive, means.

The recommendation states:

"3. ISPs should be assisted to reduce the capacity for spammers to utilise anonymous accounts, through the appropriate implementation of technologies such as Caller Line Identification (CLI) and encouraged to establish identification requirements for prepaid accounts. However, such measures should only be developed if privacy protection levels are maintained or improved."

We note that the NOIE report contains no information on how use of CLI data might reduce spam, nor any indication concerning how effective, if at all, such information might be. We question whether NOIE has considered these aspects in any detail and provide the following information in relation thereto.

How could provision of CLI information to ISPs reduce spam?

Currently, when an ISP finds one of their customers sending spam through their network, they can cancel that customer's account, record the customer's name, credit card number, etc. and refuse to allow that person to open another account. Many ISPs already do this and they do not need CLI information to do so because they know who the customer is.

However some Australian ISPs, for example OzEmail, choose to sell anonymous prepaid accounts. Although an ISP can cancel an anonymous prepaid account that is being used by a spammer, the same spammer can immediately start using a different prepaid account and the ISP does not know it is the same spammer. For example, the same spammer could use an account name of 'johnsmith' the first time and 'janedoe' the second.

At most, CLI information would enable ISPs to use calling telephone numbers to match the first anonymous account to the second and subsequent account, that is, to assume that 'johnsmith' and 'janedoe' are the same person because they use the same phone number. When an Internet access account is found to be spamming, the ISP could look up the telephone number/s used by that account and then blacklist the telephone number/s so that any future attempts (by anyone) to send email (including email that is not spam) from an account/Internet connection using a blacklisted telephone number could be blocked by the ISP.

Implementation of that idea will infringe the privacy of many Internet users who are not spammers, while still allowing spammers to send more spam using anonymous prepaid accounts than they could if ISPs implemented technical measures to prevent spam being sent through their system from anonymous accounts. In addition, there is very likely to be collateral damage from such a proposal where a telephone line is used by more than one individual. These matters are further addressed below.

CLI information is ineffective in reducing spam

Spammers could still send thousands of spam emails from a prepaid (or any) account

Unless an ISP has an automatic rate limit (or other rate checking system) set up on their mail server, the first time a spammer uses a particular telephone number to connect to the Internet and send spam, the ISP will be unaware that spam is being sent through their mail server until a recipient of the spam complains to the ISP about it. In the meantime, a spammer can successfully send thousands of spam emails. Provision of CLI information to the ISP would make no difference to the number of spam emails that can be sent using a particular telephone number for the first time.

A rate limit on anonymous prepaid accounts will defeat spammers far more effectively than would provision of CLI information.

When an ISP has an automated email rate limit (i.e. a limit on the number of emails that can be sent from an account in a specified period of time) set up on their mail server, the spammer can be blocked the first time (and also subsequent times) they send spam using the ISP's system, regardless of the phone number they use to connect to the ISP's system. ISPs can (and some do) configure their mail server to automatically block attempts to send email from an account that has exceeded their rate limit.

The CLI provision proposal only addresses the problem of a prepaid dial-up account being used to send a great deal of email. It is the combination of these two things (prepaid account with large amount of email sent) that are the hallmarks of a spammer. These hallmarks are easily detectable, right now, without CLI information being provided to ISPs.

It is unlikely that a rate limit would inconvenience anyone who is using a prepaid account to send legitimate emails because, apart from use by spammers, prepaid accounts are normally used by individuals who send a small number of emails at any one time and therefore would not be affected by a rate limit - companies/organisations that send a lot of legitimate emails are unlikely to be using a small prepaid dial-up account.

On 13 June 2002, OzEmail stated in a newsletter to customers that:

"Spammers tend to use pre-paid accounts to send their junk email, so we have re-engineered our pre-paid products to make spamming very difficult - if not impossible".
Apparently this included a rate limit on email sent from OzEmail's pre-paid accounts. OzEmail and other ISPs do not need CLI information in order to implement such technical spam prevention measures.

Nothing stopping overseas spam

Provision of CLI information to ISPs will not make any difference to the amount of spam that comes from overseas.

While there is a significant amount of spam sent from Australia, there is far more that originates from outside Australia. Over 80% of spam received in Australia originates overseas, according to the survey of ISPs conducted by ACNeilson.consult for NOIE in 2002. Similarly, CAUBE estimates that Australia accounts for only about 16% of all spam sent globally.

In other words, even if the CLI proposal is implemented in full, it would have no effect on the approx. 80% of spam that comes from overseas.

CLI not available in all places

A great majority of callers are connected to telephone exchanges that have Calling Line Identification technology enabled. However there are places where CLI is not available. These are not just remote locations but even some exchanges within the Sydney area do not present CLI information.

ISPs would have to configure their systems to allow calls from these areas without CLI. Spammers will find out where these locations are and dial-up from there.

Shared Telephone Lines

Many individuals share a telephone line with other people, e.g. people who share a flat/house, families, individuals who log in to their personal account from their workplace telephone line, etc. If an ISPs blacklists a telephone number that has been used to connect to their service and send spam, then other people who use that phone number and have a separate account with the same ISP will not be able to send email either.

Will ISPs prevent everyone who uses the shared telephone line from sending email? Unless they do so, the spammer will be able to send more spam, for example, by purchasing another anonymous prepaid account and using the same phone number.

Privacy and Anonymity

In recommending the use of Calling Line Identification (CLI) the NOIE report states "such measures should only be developed if privacy protection levels are maintained or improved".

Existing "privacy protection levels" are inadequate. The CLI proposal, if implemented, would infringe individuals' privacy for the supposed purpose of preventing spammers from invading their privacy. Provision of CLI to ISPs without the specific consent of the caller would enable ISPs to use this information for privacy invasive purposes unrelated to reducing spam. Internet users should not be required to provide personal information such as their calling number to ISPs simply because some ISPs claim it is necessary to reduce spam. As discussed above, there are far more effective, non privacy invasive, means of reducing spam.

Even if there was no other means to reduce spam sent from anonymous prepaid accounts, there is no need to require or even "encourage" ISPs to require all their customers to provide their calling telephone number. Most Internet users are not spammers and do not use anonymous accounts.

The NOIE report states that several draft recommendations are reliant on "reducing the ability of individuals to obtain access to the Internet anonymously" and that "This would require: ... consideration of the implication for NPP 8 ('Anonymity Principle')".

As discussed above, "reducing the ability of individuals to obtain access to the Internet anonymously" will have miniscule affect on the amount of spam received by Australian Internet users. ISPs are already able to use technical means to significantly restrict the amount of spam that can be sent from an anonymous account.

Moreover, it is not necessary for spammers to use anonymous accounts. There is at least one very well known Western Australian based business that has been spamming for several years. While the business apparently sometimes uses anonymous accounts, the content of their spam identifies them in any case. It appears unlikely that this type of spammer will be stopped until there is legislation prohibiting their spamming activities, because some ISPs are apparently willing to have them as paying customers.

EFA considers reducing the ability of individuals to obtain access to the Internet anonymously would infringe NPP 8 of the Privacy Act and would not result in a reduction in spam. Spammers will simply use methods other than anonymous pre-paid accounts provided by Australian ISPs to send spam.

Legislative Options

Privacy Act 1988

EFA considers that a first step in terms of legislative options should be to amend the Privacy Act 1988 to remove the existing exemptions and loopholes (intended or otherwise) that permit spammers and direct marketers to collect and use individuals' personal information (such as their email address) for the purpose of sending them unsolicited information without the explicit prior consent of the individual. EFA raised this issue in our submissions to the two Parliamentary inquiries into the provisions of the Privacy Amendment (Private Sector) Bill 2000 and warned that the provisions would have the effect of legitimising spam.

Provisions of the Act that need to be changed include those concerning "primary purpose" of collection, the specific exemption for direct marketing, and the small business exemption. We note that these matters are discussed in the submission to NOIE made by the Office of the Federal Privacy Commissioner and outlined in the "Legislative Reform" section of the NOIE report, so we have not addressed these matters in detail in this submission.

We also note the comments in the OFPC submission to NOIE regarding whether or not some types of email addresses would fall within the definition of "personal information" in the Privacy Act. Any arguable greyness of this aspect of the Act could be easily dealt with by amending the definition of "personal information" to clearly include any email address. Any email address is very likely to be able to be used to identify the individual who is the recipient of email to that address whether or not their "real" name is obvious to everyone by merely looking at the email address. EFA considers that any individual who chooses to use a pseudonym as their email address should be entitled to the same privacy protections in relation to collection and use of personal information about them - whether or not their pseudonym immediately and obviously identifies them to everyone else.

Broadcasting Services Act and Crimes Act

We refer to the comments in relation to Recommendation 11 of the report stating that:

" the Online Content Scheme is based on issuing take-down notices for hosted content and referrals to filter manufacturers, it is not clear how such a Scheme could address general e-mail traffic or spam that is typically not hosted. As such it may be appropriate for a regulatory mechanism be developed to deal with unsolicited e-mail that may be regarded by a reasonable person as offensive. This may also provide for improved protection for minors given the indiscriminate methods by which spam, including that which promotes pornography and other inappropriate content, is sent."

EFA draws to NOIE's attention that Section 85ZE (1)(b) of the Commonwealth Crimes Act, 'Improper use of carriage service', prohibits the knowing or reckless use of a telecommunications carriage service in a way that would be regarded by reasonable persons as being offensive.

While 'Internet content' as defined under the Broadcasting Services Act 1992 (Cth) is excluded from the provisions of 85ZE, ordinary email is not 'Internet content' as defined in the Broadcasting Services Act.

EFA doubts there is any need for new/additional Australian laws concerning offensive content received via email. While offensive content received in spam is a serious problem, probably all of such spam is sent by persons in overseas countries where sending of such material is not illegal and so cannot be prevented or dealt with by existing (or even new) Australian legislation.

If the existing provisions of Crimes Act 85ZE (1)(b) have proven to be inadequate in dealing with offensive spam sent by Australian spammers, relevant information in that regard should be publicly provided to inform debate on any proposed related changes to either the Broadcasting Services Act or the Crimes Act.

In relation to offensive content, we note page 5 of the NOIE report states:

"I have kids and like many parents, I find I have to clear my inbox before I let my kids go online. To have 10 year old kids see the sort of porn we see every day is sub-optimal. - Justin Milne, CEO OzEmail"

If Mr Milne made that comment as reported in The Australian IT, EFA finds it astounding that the CEO of one of Australia's largest ISPs either does not have adequate computer knowledge to be able to, or has not bothered to, better organise and manage his "kids" access to the Internet.

New legislation

In relation to Recommendation 12 of the NOIE Report:

12. The Government should consider anti-spam legislative options in further detail, consulting with all interested parties, and focussing at this stage on [Options (A), (B) and (C)]"

we comment as follows.

Option A: "An outright prohibition on the sending of unsolicited bulk electronic messaging"

EFA considers Option (A) merits further consideration and consultation with all interested parties. While EFA supports, in principle, development of new legislation outlawing "spamming", we have significant concerns about the potential effectiveness and unintended consequences of any such legislation. Consideration of such an option should, among many other things, carefully address:

  • definition of any term such as "unsolicited bulk electronic messaging" in a manner that appropriately balances individuals' "right" to privacy and their "right" to freedom to communicate, so that undesirable and unintended consequences do not arise as a result of ill-considered legislative drafting.
  • the potential for ordinary Internet users to be doubly victimised by spammers, who often use fake "from" addresses when sending their spam. Such an address may be and has been the real email address of an Internet user who has no association with the spammer nor knowledge of misuse of their email address. Such innocent Internet users usually receive a vast amount of vitriolic email from recipients of the spam that used their address without their permission or knowledge. Extreme care would need to be taken to ensure that any anti-spam legislation will not result in such victims of spammers facing prosecution.

EFA is of the view that amendments to the Privacy Act as mentioned earlier herein would result in major reduction in the amount of spam Australian Internet users receive from Australian based spammers without the need to carefully define terms such as "unsolicited bulk electronic messaging" and with less potential for innocent individual victims of spammers to face legal prosecution.

Option B: "A requirement for greater transparency in the nature and origin of bulk electronic messaging"

EFA does not support option (B) in so far as "greater transparency in the nature" of messages is concerned. Laws requiring terms such as "ADV" in a subject line of spam merely legitimise the sending of spam. There would be merit in considering in detail whether new Australian "laws banning spoofing" could be effective in reducing spam. However, as any such law would have no effect on the sending of spam (without spoofing) that is currently specifically permitted under Australian law, EFA considers Option (B) is of lower priority for consideration.

Option C: "The creation of a new offence of using a carriage service to commit any Commonwealth offence."

Option (C) should not be further considered. It would not be directly applicable to sending spam unless sending spam was a Commonwealth offence. If sending spam was a Commonwealth offence, there would be no need to consider Option (C) in order to reduce spam.