Analysis of Spam Bills 2003

Last Updated: 1 November 2003


Note: The analysis below dated 3 October 2003 has been partly superseded by EFA's submission to the Senate Committee inquiry into the Spam Bills dated 20 October 2003. EFA's final position on the Bills is substantially the same as below, but some recommendations below are not identical to EFA's final recommendations. EFA's submission also contains additional comments and most sections below were revised to improve clarity.


3 October 2003

Proposed laws, claimed to be "anti-spam" laws, were introduced into Australian Parliament on 18 September 2003.

However, close scrutiny of the proposed legislation reveals that it is not anti-spam. While it would prohibit the sending of some spam, it would also legitimise and authorise the sending of other spam (unsolicited bulk commercial electronic messages). It would also prohibit the sending of some single messages to a particular person that few, if any, people would consider to be spam.

Contents


Executive Summary

  • Close scrutiny of the proposed "anti-spam" laws reveals that the proposed legislation is not anti-spam.
  • While the proposed legislation does prohibit the sending of some spam, it also:
  • The legislation should be applicable to the sending of all unsolicited commercial electronic messages in bulk. It should not treat a single message sent to a particular individual as spam merely because the message has a commercial aspect.
  • The entry, search and seizure powers enable ACA appointed inspectors (government employees) and police to enter homes and search and seize an individual's computer and other possessions without a search warrant and without the consent of the individual. A judicial warrant should be required.
  • The entry, search and seizure powers apparently enable entry and search/seizures (with and without a warrant) in relation to the premises and possessions of a recipient of spam. Searches of recipients' premises should not be permitted.
  • The provision enabling a suspect or other person to be imprisoned for forgetting a password or other information is completely absurd in legislation that does not involve imprisonment even if a person is found guilty. The access order provisions should be deleted.
  • The exemption for Australian (and overseas) government bodies should be deleted. If government bodies such as the Australian Tax Office wish to promote or advertise their services (or goods) by email, they should be required to obtain the recipient's prior consent.
  • The exemption for political parties, religious organisations, charities and charitable institutions, and educational institutions should be deleted. There is no legitimate reason why individuals should be, in effect, forced to receive unsolicited electronic messages relating to goods and services from any of these bodies.
  • The exemption for unsolicited bulk messages that contain "factual information" and also have commercial aspect is large enough to drive a truck through. It should be deleted. It is inappropriate that legislation, in effect, compel individuals to receive information in their email box (whether the government thinks it is "beneficial" information or not).
  • No persons or organisations that send commercial electronic messages in bulk (whether "designated" spam or not) should be exempt from the requirement to provide a functional unsubscribe facility.
  • The provision concerning inferred consent to receive spam by "conspicuous publication" of an address presents serious problems for, at the least, self-employed persons and small business owners.
  • The supply, acquisition and use of address-harvesting software and harvested address lists should also be prohibited in relation to the purpose of sending "designated" spam (if the designated spam provisions are not deleted) and all other unsolicited electronic messages, not only the narrow category of messages referred to in Section 16(1).
  • The prohibitions on supply, acquisition and use of address-harvesting software and harvested address lists should apply to government bodies (which are currently exempted from these prohibitions).
  • The protection from civil proceedings provision for ISPs and other electronic message service providers must be changed so that it applies only to anti-spam filtering services provided at the request of a customer, that is, where a customer has voluntarily opted in to having their electronic messages spam-filtered by their ISP or other provider.
  • The possible benefit of the currently proposed law in minimising receipt of spam is outweighed by its authorisation of "designated" spam and its potential to result in unnecessary invasions of the privacy of innocent individual's homes and possessions and/or their imprisonment.
  • The proposed legislation should not be enacted in its current form.

Up ArrowGo to Contents List

Introduction

The proposed laws contained in the Spam Bills have been claimed to be "anti-spam" laws. However, close scrutiny of the proposed legislation reveals that it is not anti-spam.

The Explanatory Memorandum to the Spam Bill 2003 acknowledges that the term "spam" is generally used to refer to unsolicited bulk electronic messages that are usually sent in an untargeted and indiscriminate manner.

However, the proposed law does not apply to unsolicited bulk electronic messages. Instead, it establishes rules applicable to the sending of one, or more, commercial electronic messages.

While the proposed legislation does prohibit the sending of some spam, it also:

  • specifically legitimises and authorises the sending of other spam; and
  • prohibits the sending of some messages that few, if any, people would regard as spam; and
  • establishes special classes of senders who are authorised to send spam and who are also exempt from the requirement to provide an opt-out mechanism.

While EFA supports the general intent of the proposed law insofar as it may be intended to reduce the quantity of unsolicited bulk commercial electronic email, we consider that unless amendments are made to the current Bills, the legislation may be more effective in increasing spam than in reducing it. In addition, we object to legislation that in effect mandates that individuals be forced to receive various types of unsolicited bulk commercial email in their mail boxes.

Further, EFA is strongly opposed to a number of aspects of the proposed regime including, among other things:

  • the search and seizure provisions that enable government employees and police to search and seize an individual's computer and other possessions without a search warrant and without the consent of the individual; and
  • the access order provisions that enable a suspect or other person who has forgotten a password or other information to be imprisoned for six months (although a person found guilty of breach of the Spam Act is not subject to imprisonment).

EFA opposes the enactment of the proposed laws in their current form, that is, as set out in the Bills introduced into Parliament.

Detailed information concerning issues and problems with the proposed law, together with recommended amendments, is provided in the following sections. Note that the analysis and recommendations below do not necessarily cover every issue and/or problem, there may be others that EFA has not yet become aware of in the course of analysing these complex Bills.

Up ArrowGo to Contents List


Background to the Spam Bills

In August 2002, the National Office for the Information Economy ("NOIE") issued a Spam Review Interim Report seeking public comment on various proposals for dealing with the spam problem. EFA sent a submission to NOIE expressing concerns about a number of suggestions and proposals in their Report in September 2002.

Following consideration of submissions from the public, NOIE issued their Spam Final Report on 16 April 2003. On 23 July 2003 the Commonwealth government announced that anti-spam legislation would be introduced into Parliament later in the year.

NOIE subsequently commenced drafting the Spam Bill 2003 and consulted EFA and a number of other organisations in late August 2003 about the provisions of a then draft Bill.

On 18 September 2003, the Minister issued a media release announcing that the Spam Bills had been introduced into the House of Representatives that morning.

As is stated in the Explanatory Memorandum to the Spam Bill 2003, EFA was consulted during the drafting:

"Consultations continued during the drafting of the Spam Bill with key industry and community stakeholders to ensure that the final form of the legislation does not adversely impact legitimate and ethical businesses, and community groups. These included ADMA, the IIA, CAUBE, Electronic Frontiers Australia, the Australian Information Industries Association, the Australian Chamber of Commerce and Industry, the Coalition of Small Business Associations, the Fundraising Institute of Australia, ISOC-AU, the Australian Consumers Association and others. After these consultations, including consideration of an exposure draft, the overwhelming response from these groups was one of the legislation having struck an appropriate balance, notwithstanding that each group felt that some minor changes would be beneficial. These comments have been considered and are incorporated in the final Bill where appropriate.

However, an "exposure draft" was only made available for discussion during a briefing meeting. It was not left with EFA for close scrutiny, nor with other organisations according to advice from NOIE.

While EFA expressed general support for the apparent intention of the proposal, we reserved judgement pending the opportunity to closely scrutinise the Bill because the "devil may be in the detail".

The main changes EFA proposed to NOIE have not been incorporated in the Spam Bill 2003 introduced into Parliament. Also, EFA was not consulted about the provisions of the Spam (Consequential Amendments) Bill 2003 which contains amendments to the Telecommunications Act 1997.

EFA has major concerns about a number of aspects of the proposed laws - the devil is in the detail.

Up ArrowGo to Contents List


The Spam Bills

The proposed legislation comprises two Bills:


Up ArrowGo to Contents List

Spam Bill 2003

The Spam Bill 2003 contains a civil penalties regime for regulating commercial email and other types of "commercial electronic messages" that have an "Australian link".

The proposed law prohibits the sending of some unsolicited commercial electronic messages and also authorises the sending of some other unsolicited commercial electronic messages. It also regulates the supply, acquisition and use of address-harvesting software and harvested-address lists.

The provisions are outlined and discussed in the following sections:

Unsolicited Commercial Electronic Messages

  • A person must not send, or cause to be sent, a commercial electronic message that has an Australian link (s.7) and is not a designated commercial electronic message (sch.1) (s.16(1)).
    • commercial electronic message is defined in the Bill and means, generally speaking, a message that apparently has one or more of the following purposes:
      • to offer to supply, or to advertise or promote any of the following:
        • goods or services; or
        • an interest in land; or
        • a business opportunity or investment opportunity; or
      • to advertise or promote a supplier, or prospective supplier, of any of the above; or
      • to assist or enable a person, by a deception, to dishonestly obtain property belonging to another person; or obtain a financial advantage from another person; or obtain a gain from another person; or
      • a purpose specified in the regulations."
        (Other purposes may be specified in the future if it becomes evident the existing list is inadequate to achieve the intent of the law.)
    • Australian link generally speaking means that the message is sent by a person in Australia or is received by a computer device in Australia or there is something about the message content that relates to Australia. 'Link' in this context does not mean a URL of a web page in Australia (but a message containing such a URL would meet the definition of "Australian link").

  • The prohibition applies to sending single messages. The Bill does not refer to sending messages in bulk.
  • It is irrelevant whether or not the message is received, and whether or not the recipient address exists.
  • The prohibition does not apply if:
    1. the relevant electronic account-holder consented (as defined in Sch.2) to the sending of the message, or
    2. the person (e.g. sender) did not know and could not, with reasonable diligence, have ascertained that the message had an Australian link, or
    3. the message was sent by mistake (means "a reasonable mistake of fact").

      A person who wishes to rely on (a), (b) or (c) above bears an evidential burden in relation to that matter.
  • A person does not contravene the s.16(1) prohibition on sending messages merely because the person supplies a carriage service (e.g. is an ISP) that enables an electronic message to be sent (s.16(10)).
  • A person would not be subject to penalty in the circumstance of their computer automatically sending messages as a result of the computer having been hijacked by a virus.

Issues:

The application of the law to single messages, combined with the definition of a "commercial electronic message" and "inferred consent", has undesirable consequences. It appears the law would prohibit the sending of a message that the recipient would want to receive and that would not normally be regarded as "spam" by anyone.

Provision needs to be made to ensure that a single message that is very likely to be welcomed by a particular recipient is not prohibited.

Case Scenario 1:

An individual has a personal (not business) web site and publishes their resume on it with their personal (not work-related) email address, for example: xybloggs@yahoo.com.au. The individual may, for example, be an unemployed person, or an employed person who is nevertheless interested in full or part-time contract, consultancy or job offers.

Another person (or organisation/company) wishes to email the individual to offer a business opportunity, for example, a contract for work that is directly relevant to the experience and skills set out in the individual's resume.

The message would be caught by the definition of "commercial electronic message" because its purpose is to offer a business opportunity. A contract for work/consultancy or employment would constitute a "business opportunity" - if it would not, then neither would many messages that unquestionably are spam such as: "Work from home selling this or that"; "Make money advertising these porn sites on your own site"; etc, etc.

The proposed law would apparently prohibit sending of the above message because:

  1. the law applies to a single message no matter how carefully and relevantly targeted; and
  2. the sender would not be able to rely on the defence that the individual had given consent, as currently defined in the Bill, because:
    1. "Express consent" applies only when the individual has given explicit consent to the particular sender, e.g. when "the person has specifically requested such material (either verbally or in writing) from the sender" (EM).
    2. "Inferred consent" means consent that may reasonably be inferred from the conduct and the business and other (e.g. family) relationships of the individual or organisation concerned. Hence, unless there is a prior relationship between the sender (person or organisation) and recipient, consent as currently defined in the Bill cannot be inferred.

      The Explanatory Memorandum ("EM") makes the above intention in relation to "inferred consent" clear. It states:
      • "For example if the person has an existing business relationship with the sender and as part of that relationship has knowingly and directly provided an electronic address to the sender, then it would be reasonable to infer that the person has consented to receiving commercial electronic messages from the sender" and
      • "Subclause 16(2) of the Bill provides a defence to the prohibition on sending unsolicited commercial electronic messages if the sender points to evidence that the relevant electronic account-holder consented to the sending of the message. The effect of this defence provision is that a person may send another person commercial electronic messages where that other person has consented to receiving it. It therefore enables persons to send commercial electronic messages to persons with whom they have a pre-existing business relationship."

      In addition, all of the examples of "inferred consent" in the EM are when the individual (recipient) and sender (person or organisation) have been in prior contact and the individual has specifically provided their electronic address to the person or organisation and from that conduct (i.e. provision of address) the individual's consent (to receiving commercial messages from that person or organisation) may be inferred. (Note however that provision of an address in the foregoing circumstances would not constitute inferred consent to sending of all types of commercial messages.)
  3. the sender would not be able to rely on the exception applicable to "conspicuous publication" of an electronic address because the individual's published electronic address is not a work related address, i.e. it is not the address of an employee, officer, etc. at a company or other organisation (Sch.2(4)(2)).

Case Scenario 2:

An individual has a personal (not business) web site providing information about a particular topic and also publishes a list of recommended books on the same topic. The individual's personal (not work related) email address, for example: xybloggs@yahoo.com.au, is also available on the site.

A new book about exactly the same topic is published and the author's public relations company wishes to send the individual an email message offering the person a copy of the new book.

Such a message would be caught by the proposed law because the purpose of the message is clearly to promote a book (that is, a good as in "goods and services") and the same situation applies as in Case Scenario 1 above, irrespective that the particular web site owner would (most probably) want to receive that message and offer.

Case Scenario 3:

An individual has a personal web site containing a number of articles written by them about one or more topics.

A publisher of a magazine or author of a proposed book wishes to email the individual offering to pay them for the right to re-publish one of their articles in a magazine or book.

Such a message would be caught by the proposed law because the purpose of the message is to offer a business opportunity, and the same situation applies as in Case Scenario 1 above, irrespective that the particular individual would (most probably) want to receive that message and offer.

There are numerous similar scenarios arising principally as a result of the Bill's failure to deal with "spam" and instead regulate single messages that have a commercial aspect.

Recommendation:

  1. The proposed law should be amended to either:
    1. exclude its application to the sending of a single message (i.e. apply only to messages that have a "bulk" aspect); or
    2. the definition of inferred consent needs to be changed to a provide for a circumstance where there is no prior relationship but consent can be inferred to the receipt of a particular type of message from the conduct of the individual or organisation other than mere publication of an address, or merely that the individual or organisation is involved in a particular type of business or activity; or
    3. the exception in relation to "conspicuous publication" needs to changed to provide for circumstances where an individual has published their personal electronic address on their personal web site and having regard to the topic of the web site and/or specific information published by the individual on their web site, it is obvious to the average person that the individual would not regard a particular and directly relevant "commercial electronic message" sent specifically and only to them as "spam".

    The phrasing of any changes in relation to "inferred consent" or "conspicuous publication" would need to be carefully crafted to ensure it would not open the door to sending of messages that a spammer may claim is relevant to numerous individuals and/or web sites, such as "seminar on how to write more effectively", "search engine service for your web site", "how to promote your web site", "web site design services", etc.

    Consideration needs to be given to which of the above alternatives would be most practical and could be phrased in a way that did not also enable "spam" to be sent, that is unsolicited bulk commercial email. (As at 3 Oct 2003, EFA has not had sufficient time/resources available to analyse which of the above options would be best. Readers who have suggestions or comments they'd like to offer are invited to send an email to our feedback address.)
  2. In addition to the above, the definition of "consent" in Section 2 of Schedule 2 needs to be changed so that there does not have to be both a 'business' and an 'other' (e.g. family) relationship. It presently states:
    "2 Basic definition
    For the purposes of this Act, consent means:
    (a) express consent; or
    (b) consent that can reasonably be inferred from:
      (i) the conduct; and
      (ii) the business and other relationships;
    of the individual or organisation concerned."
    In s.2(b)(ii), the word "and" should be changed to "or", that is, to "the business or other relationships".

Designated Commercial Electronic Messages

The proposed law authorises the sending of designated commercial electronic messages without the recipient's consent. Designated commercial electronic messages are exempt from section 16 (unsolicited commercial electronic messages must not be sent).

Senders of designated commercial electronic messages are also exempt from section 18 (commercial electronic messages must contain a functional unsubscribe facility), that is, the sender is not required to provide a means by which the recipient can notify the sender that they do not wish to receive unsolicited commercial messages.

Issue:

Where a law creates a presumption that consent exists, a person must be able to easily withdraw consent.

Recommendation:

All persons and organisations who send designated commercial electronic messages must be required to provide a functional unsubscribe facility.

A designated commercial electronic message is:

  • a message that relates to goods or services that is sent or authorised by any one of the following bodies and the body is the supplier, or prospective supplier, of the goods or services concerned:
    • a government body
      (defined to mean: a department, agency, authority or instrumentality of the Commonwealth, a State or a Territory; or of a foreign country; or of the government of a part of a foreign country);
    • a registered political party (Commonwealth or State or Territory);
    • a religious organisation (not defined in the Bill);
    • a charity or charitable institution (not defined in the Bill);
    • an educational institution (defined to include a pre-school; a school; a college; a university) if the recipient, or a member or former member of the recipient's household, is or has been enrolled as a student in that institution.
  • The above bodies are also in effect exempted from the prohibitions on use of address harvesting software and harvested address lists. That is, the prohibitions do not apply to the use of such software and lists for the purpose of sending unsolicited "designated" messages.
  • The EM states that the exemption permitting the above bodies to send unsolicited commercial messages: "aims to ensure that there is no unintended restriction on government to citizen or government to business communication, nor any restriction on religious or political speech."
Issues:

While the stated aim may have some legitimacy, the exemption is absurdly broad and is apparently completely unnecessary as discussed below.

  • Government agencies:
    The exception would, for example, enable government agencies to shift the cost of providing services to their "clients" (i.e. citizens) from the agency to the recipient. The Australian Tax Office, for example, could send huge files containing the latest GST Booklet, or Annual Tax Guide, resulting in the recipient being forced to pay the cost of receiving it in their Internet access fees. If the ATO wishes to send such information electronically, they should be required to obtain the recipient's prior consent. Further, the ATO would not even have to provide a functional unsubscribe facility.

    The EM states: "Local government often provides services on a fee-for-service basis which are essential to the community, but electronic messaging about them might potentially be restricted, but for this exclusion." Again, if local government wants to shift their communication costs to the recipient of messages, they should be required to obtain consent.

    (It also seems questionable whether government business enterprises would be covered by this exception. If so, it may give such entities an unfair competitive advantage over the private sector.)

    EFA cannot perceive of any reason why citizens should be forced to receive unsolicited electronic messages relating to goods and services from government bodies, without the recipient's consent.
  • Political parties, religious organisations, charities and charitable institutions, and educational institutions:
    There is no legitimate reason why individuals should be forced to receive unsolicited electronic messages relating to goods and services from any of these bodies, without the recipient's consent.

The proposed law does not prohibit the sending, by anyone, of non-commercial messages. Furthermore, without the special exemption, it would not prevent the bodies from sending commercial electronic messages to individuals with whom they have an existing or prior relationship and the individual's consent has been inferred in their provision of an electronic address to the body.

Recommendation:

The exemption for government bodies, political parties, religious organisations, charities and charitable institutions, and educational institutions, must be deleted.

A designated commercial electronic message also includes:

  • a message that consists of no more than factual information (with or without directly-related comment) and additional information as specified in the law (such as name, logo and contact details of the sender, author, sponsor) provided that if none of that additional information had been included in the message, the message would not have been a commercial electronic message (Sch.1(2)).
  • The Explanatory Memorandum states:
    "This provision is designed to ensure that messages which may be seen to have some form of commercial element, but which are primarily aimed at providing factual information are not covered by the rules relating to commercial electronic messages in clauses 16 and 18 of the Bill. Many firms and organisations provide newsletters and updates of this type which are of benefit to sections of the general or business community and it is not intended to prevent this beneficial activity."

    and provides various examples such as:
    • "an electronic message from a private law firm which includes an information sheet outlining the effects of a particular court decision";
    • "an electronic version of a neighbourhood watch newsletter which is sponsored by the local newsagent";
    • "an electronic newsletter from the local chamber of commerce which is sponsored by one of their members".
  • In relation to sending unsolicited messages of the above types, senders are exempt from the prohibitions on use of address harvesting software and harvested address lists.
Issue:

This exemption for "factual information" is large enough to drive a truck through.

Moreover, it is inappropriate that legislation, in effect, compel individuals to receive information in their email box (whether the government thinks it is "beneficial" information or not).

The proposed law is claimed to be an anti-spam law. However, it does not prohibit numerous types of unsolicited bulk email that everyone other than spammers would regard as "spam" and, to add insult to injury, it consents on individuals' behalf to receiving "factual information" that many people regard as spam when it is unsolicited. To make matters worse, senders of unsolicited "factual information" are exempt from the requirement to provide a functional unsubscribe facility and are permitted to use address harvesting software and related lists.

Spammers will have no difficulty writing a paragraph containing "factual information".

The specified "additional information" includes "the name, logo and contact details of the individual or organisation who authorised the sending of the message" and "if the message is sponsored-the name, logo and contact details of the sponsor" and various other information.

The "additional information" is of itself sufficient to advertise goods and services, etc. The inclusion of a contact email address will of course include the domain, that is, the website address. A logo can be designed to in effect advertise the product. The name of the organisation can also advertise the goods or services, etc.

Recommendation:

The exemption for "factual information" must be deleted.

Other Commercial Electronic Messages (sent with express or inferred consent)

  • Commercial electronic messages may be sent with consent as defined in Schedule 2 of the Spam Bill.
    For the purposes of the proposed Act, "consent means:
    (a) express consent; or
    (b) consent that can reasonably be inferred from:
    (i) the conduct; and
    (ii) the business and other relationships;
    of the individual or organisation concerned." (Sch.2(2))

    Refer to the earlier section titled "Unsolicited Commercial Electronic Messages" regarding issues and recommendations related to this definition of consent.
  • Users of an account are authorised to consent or withdraw consent on behalf of the relevant electronic account-holder (Sch.2(3)).
  • Express Consent:

    "Express consent" means the individual has given explicit consent to the particular sender, e.g. it applies when "the person has specifically requested such material (either verbally or in writing) from the sender" (Explanatory Memorandum).
  • Inferred Consent:

    "Inferred consent" means consent that may reasonably be inferred from the conduct and the business and other (e.g. family) relationships of the individual or organisation concerned. As is made clear in the Explanatory Memorandum (see earlier herein), unless there is a prior relationship between the sender (person or organisation) and recipient or at least prior contact, consent as currently defined in the Bill would not be able to be inferred, unless the "conspicuous publication" exception is applicable (see below).

    Consent may not be inferred from the mere fact that the relevant electronic address has been published. However, the proposed law includes an exception to the foregoing rule. It provides that consent may be inferred from "conspicuous publication" of a work related electronic address in specified circumstances (Sch.2(4)). In this regard, the EM states:
    "If a person has conspicuously published their work related electronic address that person is taken to have consented to receiving commercial electronic message to that address, so long as the messages are relevant to the relevant job function, and the person has not specifically provided that they do not wish to receive commercial electronic messages."
    The inferred consent by "conspicuous publication" provision applies to a work related electronic address that enables sending of electronic messages to:
    • a particular employee, director or officer of an organisation;
    • a partner in a partnership;
    • a holder of a statutory or other office;
    • a self-employed individual;
    • an individual from time to time holding, occupying or performing the duties of a particular office or position within the operations of an organisation; or
    • an individual, or a group of individuals, from time to time performing a particular function, or fulfilling a particular role, within the operations of an organisation.
      (See Sch.2(4) for more detail).

    A person in the above categories is taken to have consented to the sending of commercial electronic messages:

    • if their work related electronic address has been "conspicuously published" (on the Internet or in a hard copy publication or elsewhere offline); and
    • the publication of the address is not accompanied by a statement to the effect that the person does not want to receive unsolicited commercial electronic messages at that electronic address (the EM provides examples of statements such as "No spam", "No UCE"); and
    • it is reasonable to assume that the publication of the electronic address occurred with the agreement of the person; and
    • if the unsolicited messages are relevant to the person's work-related business, functions or duties, or office or position or role, etc. as applicable (see Sch.2(4) for more detail).
    Issues:

    The provision establishing inferred consent by "conspicuous publication" of a work-related electronic address presents serious problems for, at the least, self-employed persons and small business owners.

    The "work-related business, functions or duties" (Sch.2(4)(2)(e)) of such individuals cover a vast range of matters. The inferred consent provision therefore enables them to be spammed with advertisements etc about everything relevant to managing any business: e.g. insurance, office equipment, computer supplies, printer cartridges, business software, seminars about marketing, etc, etc, in addition to goods and services relevant to their specific type of business.

    Further, the provision concerning accompanying the "conspicuous publication" of an electronic address with a statement such as "No spam" or "No UCE" may be impractical because:

    • the individual may wish to receive commercial messages that are directly relevant to their particularly type of business but not indiscriminately targeted bulk email; or
    • the electronic address may already be published on a web site where it can be assumed the person consented but over which the individual has no control, or which does not have provision for giving effect to the person's wishes. In this regard, EFA questions whether, for example, government sites such as Austrade will be required to add "No spam" statements on request of the individuals whose address are published in the Austrade database (the Austrade site acknowledges the problem of spam being received by their clients whose electronic addresses are published on the site).

    In addition, the clause stating "it would be reasonable to assume that the publication [of the work-related address] occurred with the agreement of [the person]" may have unintended consequences. Reasonable to assume by who? Spammers? The clause appears to require amendment to include the concept of what a reasonable person would consider reasonable to assume.

    Recommendation:

    (As at 3 Oct 2003, EFA has not had sufficient time/resources available to consider whether there is a potential solution to the above problem. Readers who have suggestions or comments they'd like to offer are invited to send an email to our feedback address.)

  • Commercial electronic messages must include information that clearly and accurately identifies the individual or organisation who authorised the sending of the message; and accurate information about how the recipient can readily contact that individual or organisation; and that information must be reasonably likely to be valid for at least 30 days after the message is sent (s.17).

    The above applies to messages sent with consent and also to designated commercial electronic messages.
  • Commercial electronic messages must contain a clear and conspicuous statement to the effect that the recipient may use an electronic address set out in the message to send an unsubscribe message. The unsubscribe facility must be reasonably likely to be functional at all times during a period of at least 30 days after the message was sent (s.18).

    Issue:

    The requirement to provide a function unsubscribe facility does not apply to designated commercial electronic messages.

    Recommendation:

    Designated commercial electronic messages must be subject to the same requirements as commercial electronic messages regarding provision of a functional unsubscribe facility.

Address Harvesting Software and Lists

  • Address-harvesting software and harvested-address lists must not be supplied (or offered) by or to a person or body corporate or partnership in Australia (s.20).

    The prohibition does not apply if the supplier had no reason to suspect that the customer, or another person, intended to use the address-harvesting software or the harvested-address list, as the case may be, in connection with sending commercial electronic messages in contravention of s.16.
  • Address-harvesting software and harvested-address lists must not be acquired or used by a person or body corporate or partnership in Australia (s.21 and s.22).

    The prohibition does not apply if the person did not intend to use, and does not use, the address-harvesting software or the harvested-address list, as the case may be, in connection with sending commercial electronic messages in contravention of s.16.
    ("address-harvesting software means software that is specifically designed or marketed for use for:
    (a) searching the Internet for electronic addresses; and
    (b) collecting, compiling, capturing or otherwise harvesting those electronic addresses.")
    ("harvested-address list means:
    (a) a list of electronic addresses; or
    (b) a collection of electronic addresses; or
    (c) a compilation of electronic addresses;
    where the production of the list, collection or compilation is, to any extent, directly or indirectly attributable to the use of address-harvesting software.")
Issues:

The prohibitions concerning address-harvesting software and address-harvest lists do not apply to either of the following:

  • their supply by, or acquisition or use by, a government body (the prohibitions only apply to a "person" who is an individual, a body corporate or a partnership);
  • their supply or acquisition or use for the purpose of sending designated commercial electronic messages.

This means that the software and/or lists can be supplied to, acquired by and used by:

  • government bodies for any purpose;
  • political parties, religious organisations, charities and charitable institutions, educational institutions for the purpose of sending designated commercial electronic messages;
  • any organisation or individual for the purpose of sending designated commercial electronic messages that consist of primarily "factual information";
  • any organisation or individual for the purpose of sending unsolicited bulk email that is not a commercial electronic message as defined in the Bill.

Recommendation:

The prohibitions on supply, acquisition and use should apply to government bodies.

The supply, acquisition and use of the software and lists should be prohibited in relation to the purpose of sending "designated" and all unsolicited electronic messages, not only the narrow category prohibited by s.16.

Remedies

Remedies for breaches of the proposed Act are civil penalties and injunctions.

The Australian Communications Authority will be empowered to issue formal warnings, seek/accept enforceable undertakings, issue infringement notices seeking payment of pecuniary penalties, commence proceedings for the recovery of pecuniary penalties in the Federal Court and seek injunctions.

Maximum penalties vary depending on whether the spammer is an individual or organisation and the number of breaches etc. (For full details refer to the Bills and Explanatory Memoranda.)

In relation to infringement notices, the ACA will be empowered to issue a notice to a person alleging a breach, and requiring the person to pay a pecuniary penalty or else the matter will be taken to Court. It appears the ACA will not be required to give the person any evidence of the alleged breach, merely "brief details" consisting of the date of the alleged contravention and the civil penalty provision that was allegedly contravened (Sch.3(4)).

Issues:

Pecuniary penalties payable by means of an ACA infringement notice are inappropriately high for a case such as the sending of one single unsolicited message by a non-prior offender.

For example, the ACA could issue an infringement notice to a person who has never committed a prior breach, alleging the person sent one single commercial electronic message, and requiring them to pay $440 or else the matter will be taken to Court.

While it may be unlikely that the ACA would issue an infringement notice to such a person, or take them to Court, EFA has significant concerns about the application of the law to one single message that has a commercial aspect and about potential definitional issues concerning what is or is not a commercial aspect.

Recommendation:

The provisions should be amended so that the ACA is not permitted to do more than give a formal warning to a first time offender who is not alleged to have engaged in sending messages in bulk.


Up ArrowGo to Contents List

Spam (Consequential Amendments) Bill 2003

The Spam (Consequential Amendments) Bill 2003 makes a number of amendments to the Telecommunications Act 1997 including in relation to:

Search and Seizure Powers

The proposed search and seizure provisions fail to strike an appropriate balance between enforcing the proposed law and individuals' and families' privacy.

The Bill gives inspectors appointed by the ACA the power to enter and search homes without a warrant and without the consent of the relevant occupier of the home, that is, without the consent of the owner of the things (computers, files, documents, etc) to be searched and potentially seized. More detailed information in this regard is provided below.

Under the existing provisions of the Telecommunications Act 1997, the ACA may appoint as an "inspector" persons who are:

  • Commonwealth or State Government employees, including part-time and/or temporary employees, and/or
  • State police officers.

Members of the Australian Federal Police and Territory police are also inspectors.

Currently, inspectors' search and seizure powers are limited to enforcement of Part 21 of the Telecommunications Act 1997 dealing with technical regulations. As such, they are only empowered to conduct searches in peoples' home to investigate matters such as whether illegal customer telephone equipment and/or cabling has been connected to the telecommunications network and/or compliance with the conditions of a connection permit. The existing search powers are far less privacy intrusive than those proposed in the Bill which permit inspectors to search through people's personal possessions such as their computers and email without a warrant. (While arguably inspectors may have such powers presently, it seems most unlikely an inspector could legitimately claim a necessity to search a computer to see whether illegal telephones or cabling were in the premises.)

Inspectors would gain powers to conduct two types of searches:

  • Searches relating to breaches of the Spam Act 2003
  • Searches to monitor compliance with the Spam Act 2003

Both types of searches would be able to be conducted with, or without, a search warrant.

Searches relating to breaches of the Spam Act 2003

Searches relating to breaches may be conducted

  1. with a search warrant issued by a magistrate (s.535)
    if an inspector suspects on reasonable grounds that there may be on any land, or in or on any premises, vessel, aircraft or vehicle:
    (a) anything in respect of which a breach of the Spam Act 2003 has happened; or
    (b) anything that may afford evidence about a breach of the Spam Act 2003; or
    (c) anything that was used, or is intended to be used, for the purposes of breaching the Spam Act 2003 (s.535(1));
    or
  2. without a search warrant, with the consent of the owner or occupier of the land, premises, vessel, aircraft or vehicle, if an inspector suspects on reasonable grounds that there is on any land, or on or in any premises, vessel, aircraft or vehicle "anything connected with" a particular breach of the Spam Act 2003 (s.542(1)). A thing is "connected with a breach of the Spam Act 2003 if it is:
    (a) a thing in respect of which the breach has happened; or
    (b) a thing that may afford evidence about the breach; or
    (c) a thing that was used, or is intended to be used, for the purposes of the breach" (s.541A).

In relation to both (1) and (2) above, an inspector may enter; search; break open and search a cupboard, drawer, chest, trunk, box, package or other receptacle, whether a fixture or not; and examine and seize anything that the inspector suspects on reasonable grounds to be "connected with" the offence or breach (s.542(2)).

Issues:
  1. Section 542 will give inspectors the power to enter and search homes and property therein without a warrant and without the consent of the relevant occupier of the home, that is, without the consent of the owner of the things (computers, files, documents, etc) to be searched and potentially seized. For example:
    • An inspector could enter a home with the consent of the landlord (the owner) and search the tenants' computers and other possessions.
    • In the case of a residence shared by several people (e.g. joint owners/tenants, flat mates, family, etc.), an inspector could enter the home with the consent of one occupier and search possessions belonging to a different occupier.

    This situation appears to arise because inspectors' existing powers to enter premises with the consent of the owner or occupier are to be extended to breach of the Spam Act 2003. However, the existing entry and search powers only apply to investigating whether illegal telephone equipment or cabling has been connected to the telecommunications network which can normally be ascertained without searching individuals' cupboards, and certainly without searching individuals' computers and email etc. The proposed search powers are therefore vastly more privacy invasive.

    In addition, a search of a suspect's computer (including email etc) is very likely to invade the privacy of innocent parties who have been in contact with the suspect at some time. Judicial scrutiny is required to minimise the potential for invasion of the privacy of innocent parties without adequate justification.

    Recommendation:

    The entry, search and seizure provisions must be changed to require a warrant issued by a magistrate.

  2. Both Sections 535 (with search warrant) and 542 (without search warrant) apparently enable searches of the homes and other premises of recipients of spam.

    This situation appears to arise because the entry and search powers are not limited to premises/property associated with a suspect, but apply to any "thing" that is "connected with a particular breach of the Spam Act 2003". The Bill states, inter alia, that "a thing is connected with a breach of the Spam Act 2003 if it is ... (b) a thing that may afford evidence about the breach". Presumably, an unsolicited commercial electronic message that has been received is a thing that may afford evidence about a breach. While it may be considered unlikely that inspectors would search the homes of recipients of spam, it is essential that the law specifically not allow that to occur without the consent of the owner of the property, e.g. the computer containing the "thing".

    Recommendation:

    The entry, search and seizure provisions must be changed to ensure that a search cannot be conducted (whether with or without a warrant) of the premises or possessions of a recipient of spam.

  3. The inclusion of provisions allowing searches with the consent of the owner or occupier of premises would have the effect of authorising an ISP to allow an ACA inspector (a civil penalty-enforcement agency employee) to search customers' email/mail boxes (possibly including the actual content of messages) without a warrant by use of the "reasonably necessary assistance" provisions of Section 282(2) ("Law enforcement and protection of public revenue") of the Telecommunications Act 1997. EFA has long been of the view that Section 282 requires amendment to ensure that the content of messages cannot be accessed without a warrant to better protect Internet users' privacy and minimise the potential for "fishing trips" without a warrant.

    Recommendation:

    The entry, search and seizure provisions must be changed to ensure that carriage service providers and other electronic message service providers (as defined in the Bill) cannot permit searches related to suspected breach of the Spam Act to be undertaken of their customers' (or any other persons') communications (either content or other information such as to and from fields of messages) without an appropriate warrant.

    In addition to removing the owner/occupier consent provisions, Section 282 of the Telecommunications Act 1997 must be amended to specifically exclude its use in relation to suspected breaches of the Spam Act in order to ensure that a warrant is required to access content of any electronic messages.

Searches to monitor compliance with the Spam Act 2003

Searches to monitor compliance may be conducted:

  1. with a monitoring warrant issued by a magistrate (s.547D)
    if the magistrate is satisfied that it is reasonably necessary that one or more inspectors should have access to the premises for the purposes of finding out whether the Spam Act 2003 has been complied with.

    If the premises are a residence (s.547D(4)), the magistrate must not issue the warrant unless:

    • within the last 10 years the Federal Court has found, in proceedings under the Spam Act 2003, that an individual has breached that Act and the finding has not been overturned on appeal and the individual ordinarily resides at the premises and the breach involved the use of equipment that is or was on those premises (s.547D(4)(a)); or
    • an individual has given an undertaking for the purposes of section 38 of the Spam Act 2003 and the undertaking is in force and the individual ordinarily resides at the premises and the undertaking applies to the use of equipment that is on those premises (s.547D(4)(b)).

    An inspector may enter the premises and exercise the powers set out in s.547B (see below) in relation to the premises (s.547D(5)(a)).

  2. without a warrant, with the consent of the occupier of the premises "for the purpose of finding out whether the Spam Act 2003 has been complied with". The inspector must inform the person that he or she may refuse consent (s.547A).

    An inspector may enter "any premises" and exercise the monitoring powers set out in s.547B (see below) (s.547A).

In relation to both (1) or (2) above, an inspector's powers as set out in s.547B include:

(a) to search the premises;
(b) to inspect and take photographs, or make sketches, of the premises or any substance or thing at the premises (including operate equipment at the premises to determine whether it or related disks etc contain relevant information (s.574B(2)) and if so put the information in documentary form or on a storage device and remove it from the premises (s.574B(3));
(c) to inspect any document kept at the premises;
(d) to remove, or make copies of, any such document;
(e) to take onto the premises such equipment and materials as the inspector requires for the purpose of exercising powers in relation to the premises;
(f) to secure a thing, until a warrant is obtained to seize it,
(g) to secure a computer, until an order under section 547J is obtained in relation to it.

Issues:
  1. Sections 547A and 547B will give inspectors the power to enter and search homes and property therein without a warrant and without the consent of the person who has either previously been found to have breached the Spam Act 2003 or who has given an undertaking to comply. For example, in the case of a residence shared by several people (e.g. joint owners/tenants, flat mates, family, etc.), an inspector could enter the home with the consent of one occupier and search possessions belonging to a different occupier.

    This situation appears to arise for the same reasons mentioned above in relation to searches related to a breach under s.542 (as distinct from monitoring compliance) and is inappropriate for the same reasons.
  2. Sections 547A and 547B will also give inspectors the power to enter and search homes and possessions (e.g. computers) therein without a warrant in instances when either:
    • no occupier has previously either been found to have breached the Spam Act 2003 or given an undertaking to comply; or
    • it is more than 10 years since the Court finding or undertaking was given.

    However, monitoring warrants (s.547D) may not be issued unless there has been a prior breach or undertaking in the last 10 years. The Bill should be amended so that entry without a monitoring warrant is not permitted in circumstances in which an inspector would not be able to obtain a monitoring warrant.

    The provision is also unsatisfactory because inspectors powers in relation to searches to monitor compliance by a prior offender appear to be more extensive than in relation to searches associated with a person who is not a prior offender. It appears such additional powers could be conveniently used to investigate in relation to persons who are not prior offenders. While any evidence obtained in such circumstances may not be admissible in a Court, the proposed law should not facilitate or enable the potential use of monitoring powers and associated privacy invasion in relation to non prior offenders.

    Recommendation:

    The entry, search and seizure provisions must be changed to require a monitoring warrant issued by a magistrate.

Industry Codes and related protection from civil liability

The Bill extends the matters that may be dealt with by industry codes and industry standards (s.113(3)) to include:

(q) procedures to be followed by:
(i) Internet service providers;

  [defined to mean same as in the BSA] and
(ii) electronic messaging service providers;

  [definition includes, among others, e.g. Yahoo, Hotmail, etc. and apparently mailing list providers]
in dealing with unsolicited commercial electronic messages (including procedures relating to the provision or use of regularly updated software for filtering unsolicited commercial electronic messages);


[UCEM is defined as "a commercial electronic message that is sent: (a) without the consent of the relevant electronic account-holder; or (b) to a non-existent electronic address"]
and gives providers protection from civil proceedings in relation to anything they do in connection with a code or standard referred to above:
Division 7-Miscellaneous
137 Protection from civil proceedings
Civil proceedings do not lie against:
(a) an Internet service provider; or
(b) an electronic messaging service provider;
in respect of anything done by the provider in connection with:
(c) an industry code registered under this Part; or
(d) an industry standard;
in so far as the code or standard deals with the procedures referred to in paragraph 113(3)(q).

The Explanatory Memorandum states: "This will provide significant reassurance to these service providers regarding a common concern that they may attract civil liability for undertaking reasonable spam-filtering activity. It will provide an incentive for the development and the uptake of compliant code(s), in order to obtain the indemnity offered."

Under the existing Act, the industry is required to issue any draft code for public consultation. However, there is no requirement for the industry or the ACA to remove any provisions opposed by even a majority of members of the public.

Issues:

The proposed provisions would enable the industry to develop a Code that could be registered by the ACA (and could then be enforced) that mandated filtering and blocking of unsolicited commercial electronic messages by all ISPs and other electronic messaging service providers.

It currently seems unlikely that a Code mandating filtering and blocking would be developed because:

  • spam filtering software and spammer blacklisting services are known to block legitimate messages, and
  • it would be difficult if not impossible for such systems and services to distinguish between 'unsolicited commercial electronic messages' as defined in Australian law and other messages.

However, it appears the proposed immunity from any civil liability may be sufficiently broad to give providers protection in relation to failure to provide contracted services, for example, non-delivery of email to a recipient that is not an "unsolicited commercial electronic messages", if that occurred as a result of complying with an industry code or standard. Further, if a customer wished to change providers with a view to being able to receive messages being blocked by their current provider, the customer would probably have to pay their current ISP one or month's fees under the ISP's terms and conditions of termination of their account. It appears an existing right to decline to pay such fees due to non-provision of contracted service may in effect be over-ridden by the protection from civil liability provisions.

Extreme care would need to be taken in the development and registration of any Code to ensure it would not have the effect of undermining existing consumer protections and rights. However, there is no surety that a largely self-regulatory industry code would be sufficiently cautiously developed and/or implemented.

The essence of any "safe harbour" provision is a trade-off - if the entity complies with a certain set of standards then immunity is granted for acts done in good faith. An ISP or other electronic messaging service provider (as defined in the Bill) which mandated spam filters and thereby caused foreseeable loss should not receive immunity.

Recommendation:

The protection from civil proceedings provision must be changed so that it applies only to anti-spam filtering services provided at the request of a customer, that is, where a customer has voluntarily opted in to having their electronic messages spam-filtered by their ISP or other electronic messaging service provider.


Up ArrowGo to Contents List

Assistance Orders compelling disclosure of encryption keys and passwords and imprisonment penalties

Proposed Section 547J enables an inspector to apply to a magistrate for an access/assistance order, when a search or monitoring warrant relating to the Spam Act 2003 is in force.

The provision empowers a magistrate to issue an order compelling a person who is "reasonably suspected of having been involved in a breach" to disclose encryption keys and/or passwords and any other any information or assistance that is considered "reasonable and necessary" to allow an inspector "to do one or more of the following:
(a) access data held in, or accessible from, a computer that is on those premises;
(b) copy the data to a data storage device;
(c) convert the data into documentary form."

The penalty for failure to provide the information or assistance is imprisonment for 6 months.

Issues:

These provisions are a great example of overkill. They are almost identical to those in the Cybercrime Act 2001, notwithstanding that sending unsolicited commercial electronic messages will not be a criminal offence.

The only difference between the assistance order provisions of the Spam Bills and the Cybercrime Act is that an order would be obtainable in relation to a larger number of people under the Spam Act than under the Cybercrime Act. The Cybercrime Act provision is limited to persons "reasonably suspected of having committed an offence" while the Spam Bill provision applies to persons "reasonably suspected of having been involved in the breach".

A person who is merely suspected of having been "involved in" sending one single unsolicited commercial electronic message could be the subject of an order and imprisoned for six months if they decline, or are unable, to provide the required information or assistance.

It is completely absurd that a person who is merely suspected of having been involved in a breach could be imprisoned for six months for failing to provide information or assistance to an investigator, when they could not be imprisoned even if they were found guilty of having committed the suspected breach.

These types of assistance orders have long been controversial in relation to criminal offences and are even more controversial in relation to non-criminal offences. As the drafters of the Model Criminal Code stated (in Chapter 4 of the MCC Report):

The issues involved are both difficult on a technical level and controversial in relation to the protection of individual human rights and the rights of corporate entities.

The matter of assistance orders is aimed squarely at the problems presented by security passwords and, more particularly, encrypted data. One of the major problems is the cursory treatment of the requirement for persons to reveal encryption keys.

There may sometimes be legitimate reasons why a private key or plain text could not be handed over to an ACA inspector or law enforcement agency, and it would be difficult for the subject of an assistance order to provide proof that they did not possess or have access to a key or plain text. The prospect of users of encryption being jailed despite having genuinely lost their private keys is a major and quite legitimate concern. Any legislation containing such provisions should, at the very least, provide an indication as to how those served with assistance orders requiring plain text or encryption keys can successfully prove that they cannot comply with the order.

It is also of concern that these requirements will rapidly fall behind the technology that is being used for encryption and data protection. For example, various biometrics around voice recognition (that may not work with a shaky voice), various movement registers such as keystrokes, mouse movements, etc. All of these could very be feasibly be "lost" by an individual during the stress of an investigation.

Furthermore, the 1997 OECD cryptography guidelines, which Australia has adopted, specifically recognize the fundamental right of privacy in relation to encrypted data:

Article 5. The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.

A further problem is that a single encryption key often serves the dual purpose of ensuring confidentiality and providing secure authentication of the signatory to a document (through a digital signature). Revealing the key (or the passphrase thereto) can therefore compromise the integrity of the owner's digital signature. (It should be noted that a person on whom the assistance order is served is not assumed to have committed a breach.)

In addition, increasing numbers of individuals are becoming conscious of the risks of disclosure of private and/or business information in the case of loss or theft of computers and therefore encrypt the entire hard drive of the computer. It is completely unreasonable that a person can be required to give up the "keys to the castle" to provide an investigator with access to a single piece of email or data.

Clearly there is tension between privacy rights and legitimate law enforcement needs. An approach needs to be found that balances these issues, or at least recognises in the law that an offence is not automatically criminalised in the event of failure to provide assistance.

In its present implementation, the law enforcement provisions in the Bill totally fail to address these potential problems, or even acknowledge that the measures proposed are controversial.

The law enforcement provisions may also have the effect of over-riding the common law privilege against self-incrimination. This situation could arise where a person was compelled to reveal a password or encryption key as a requirement of an assistance order. The right to silence is a long-standing right in most jurisdictions and it is unacceptable that it should be potentially over-ridden in the Bill without strong justification. There does not appear to be any strong justification for such provisions in relation to non-criminal offences such as those in the Spam Bill.

Recommendation:

  1. The provisions concerning assistance orders must be deleted.
  2. In the completely unsatisfactory event that the assistance order provisions are not deleted, amendments to the proposed provisions must be made to:
    • address the issues and problems raised above; and
    • apply only to persons reasonably suspected of having committed a breach; and
    • apply only in instances where the suspected breach concerns the sending of bulk unsolicited messages, not a single message or small number of messages; and
    • change the penalty for failure to provide assistance/information (including keys and passwords) from imprisonment to a pecuniary penalty (that is no more than the minimum pecuniary penalty applicable to the suspected breach).


Up ArrowGo to Contents List

Conclusion

The proposed legislation is not suitable for enactment in its current form.

The purpose of the proposed law is supposed to be prohibiting spam, not ordinary messages. However, it would legitimise and authorise the sending of "designated" spam (unsolicited bulk commercial messages), but would prohibit the sending of some ordinary messages that few, if any, people would regard as spam.

The legislation should be applicable to the sending of all unsolicited commercial electronic messages in bulk. It should not treat a single message sent to a particular individual as spam merely because the message has a commercial aspect.

The search and seizure powers should be subject to issue of a judicial warrant and should not be applicable to the property and possessions belonging to recipients of spam. The provisions enabling a suspect or other person to be imprisoned for forgetting a password or other information should be deleted. Such provisions are completely absurd in legislation that does not involve imprisonment even if a person is found guilty.

The possible benefit of the currently proposed law in minimising receipt of spam is outweighed by its authorisation of "designated" spam and its potential to result in unnecessary invasions of the privacy of innocent individual's homes and possessions and/or their imprisonment.

Up ArrowGo to Contents List


Appendix 1: Definitions concerning Electronic Messages

(Some of the below definitions are summarised. Refer to the Bill for the exact phrasing of definitions and also other definitions.)

  • message means information whether in the form of text; or of data; or of speech, music or other sounds; or of visual images (animated or otherwise); or in any other form; or in any combination of forms. (s.5)
  • an electronic message is a message sent using an Internet carriage service or any other listed carriage service, that is sent to an electronic address in connection with an e-mail, instant messaging, telephone or similar account.

    E-mail addresses and telephone numbers (in relation to SMS messages) are examples of electronic addresses. It is immaterial whether the electronic address exists and/or whether the message reaches its intended destination (s.5).

    Note: Facsimile messages and messages sent by way of a voice call made using a standard telephone service (as defined in the Telecommunications Act 1997) are not an electronic message for the purposes of the Spam Act.
  • a commercial electronic message is an electronic message, where, having regard to:

    (a) the content of the message; and
    (b) the way in which the message is presented; and
    (c) the content that can be located using the links, telephone numbers or contact information (if any) set out in the message;

    it would be concluded that the purpose, or one of the purposes, of the message is:
    (d) to offer to supply goods or services; or
    (e) to advertise or promote goods or services; or
    (f) to advertise or promote a supplier, or prospective supplier, of goods or services; or
    (g) to offer to supply land or an interest in land; or
    (h) to advertise or promote land or an interest in land; or
    (i) to advertise or promote a supplier, or prospective supplier, of land or an interest in land; or
    (j) to offer to provide a business opportunity or investment opportunity; or
    (k) to advertise or promote a business opportunity or investment opportunity; or
    (l) to advertise or promote a provider, or prospective provider, of a business opportunity or investment opportunity; or
    (m) to assist or enable a person, by a deception, to dishonestly obtain property belonging to another person; or
    (n) to assist or enable a person, by a deception, to dishonestly obtain a financial advantage from another person; or
    (o) to assist or enable a person to dishonestly obtain a gain from another person; or
    (p) a purpose specified in the regulations.

    The regulations may also provide that a specified kind of electronic message is not a commercial electronic message for the purposes of the Act.

    It is immaterial whether the goods, services, land, interest or opportunity exists, or whether it is lawful to acquire the goods, services, land or interest or take up the opportunity.
  • Australian link
    A commercial electronic message has an Australian link if, and only if:
    (a) the message originates in Australia; or
    (b) the individual or organisation who sent the message, or authorised the sending of the message, is:
      (i) an individual who is physically present in Australia when the message is sent; or
      (ii) an organisation whose central management and control is in Australia when the message is sent; or
    (c) the computer, server or device that is used to access the message is located in Australia; or
    (d) the relevant electronic account-holder is:
      (i) an individual who is physically present in Australia when the message is accessed; or
      (ii) an organisation that carries on business or activities in Australia when the message is accessed; or
    (e) if the message cannot be delivered because the relevant electronic address does not exist-assuming that the electronic address existed, it is reasonably likely that the message would have been accessed using a computer, server or device located in Australia.
  • relevant electronic account-holder means the individual or organisation who is responsible for the relevant account.

Feedback

1 Nov 2003: EFA thanks all who provided comments and suggestions. EFA's submission to the Senate Committee inquiry was lodged on 20 Oct 2003. The address for feedback has since been deleted as no feedback has been received in the last two weeks and the feedback address was receiving an increasing amount of spam.

3 Oct 2003: Persons wishing to offer suggestions or comments in relation to the matters and issues discussed in this document are invited to email EFA at:
[deleted 1 Nov 2003]
Email sent to that address will be read and considered. However, EFA may not necessarily reply to messages, depending on numbers received and our time and human resource availability.

Up ArrowGo to Contents List