Effective EU and US approaches to spam? Moves towards a co-ordinated technical and legal response - Part I

Tolley's Communications Law

Volumn 10, Issue 3, 2005, Pages 71-83

  Hladjk, Jörg ^a,b,c  

^a LLM Computer and Communications ^*  (Germany)

^b Brussels Office of Hunton and Williams LLP   (Germany)

^c GOETHE UNIVERSITY   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 32044445766     PISSN: 13619918     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Review

References (134)

1. According to Hormel Foods, the term 'spam' became synonymous with unsolicited commercial email due to Monty Python, whose skit of Vikings boisterously singing 'spam, spam, spam ... ' and drowning out all other conversation exemplified how such email threatens to drown out all email conversation. See further Hornel Foods' Corporate Info, 'SPAM and the Internet', www.spam.com/ci/ci_in.htm.
2. See 'US Biggest Source of Spam and Digital Attacks - UN reports lists offenders', 27 Inquirer, 27 November 2003, www.theinquirer.net/Particle = 12890.
3. See also Shannon, 'The End User: EL' Leads the Spam Fight' International Herald Tribune. 17 November 2003, www.iht.com/articles/17855.html. reporting: 'Experts estimate that 85 percent of spam originates with people in the United States. 14 percent from Europe, and the rest from Asia and elsewhere.'
4. Fallows. 'Spam - How it is hurting email and degrading life on the internet', Pew Internet & American Life Project. 22 October 2003. p 7. www.pewinternet.org/pdfs/PIP_spam_Report.pdf.
5. Blakeley, 'Spam: It's Even Worse Than You Think. 11 November 2003. www.forbes.com/2003/11/11/cz_kb_1111spam.hml.
6. Ramasastry, 'Why the new federal "CAN-SPAM Law" probably won't work'. 5 December 2003. www.cnn.com/2003/LAW/12/05/findlaw.analysis.ramasastry. spam, noting the Congressional Findings in relation to the CAN-SPAM Act.
7. See MessageLabs, 'MessageLabs Intelligence Analysis Indicates Spam and Virus Threats Will Increase Dramatically in 2004', 8 December 2003, www.messagelabs.com/news/pressreleases/detail/default.asp? contentItemId= 613®ion=. predicting that 70% of all email traffic would be spam by April 2004 despite US and EU legislation.
8. See also Blakeley. supra n 4.
9. Blakeley. supra n 4.
10. See also 'Spam Could Cost Billions: UN', www.news.com.au/common/ story_page/0,4057,7933247%255E15306, 00.hml, estimating that spam could cost as much as US $20.5 billion.
11. Founded in 1917, the DMA is today the largest trade association for businesses interested in direct, database and interactive global marketing, with about 5,200 member companies from the US and 44 foreign nations on six continents.
12. 'DMA Statement Re: Operation Slam Spam', 22 August 2003, www.the-dma.org/cgi/disppressrelease?article=484.
13. Mailshell, 'SpamCatcher Attitude Survey'. 1 May 2003, released at FTC Spam Forum, www.ftc.gov/bcp/workshops/spam.
14. Wall Street Journal, 13 November 2002. In one case cited, a mailing of 3.5 million messages resulted in 81 sales in the first week, a rate of 0.0023%. Each sale was worth $19 to the marketing company, resulting in $1.500 in the first week. The cost to send the messages was minimal, probably less than $100 per million mail messages. The study estimated that by the time the marketing company had reached all of the 100 million addresses it had on file, it would probably have pocketed more than $25.000 on the project.
15. Revenue generated by spammers in 2003 was expected to be around $130 million, while their profit during the year would range from $20 million to $30 million: Keizer, 'Fighting Spam Pays Better Than Sending It'. 1 December 2003, www.securitypipeline.com/network/16401249.
16. Keizer, 'Fighting Spam Pays Better Than Sending It', InformationWeek, 1 December 2003, www.informationweek.com/story/showArticle.jhtml?articleID= 16401194. According to estimates by Ferris Research, which tracks the messaging market, revenue for vendors selling anti-spam products would be approximately $130 million in 2003 and would soar 200% in 2004 to a whopping $360 million. That is substantially more than the senders of spam see in revenue, much less profit.
17. Sec Geist, 'Untouchable? A Canadian perspective on the anti-spam battle'. May 2004, p 2, www.michaelgeist.ca/geistspam.pdf.
18. See also Festa and Hansen. 'Happy Spamiversary', www.zdnet.com.au/news/ security/0,2000061744,39144765,00.htm, regarding events in 1994.
19. See Wyatt. Allan, Fabricant, White and Palmer. '"Spam": Report of an Inquiry by the All Party Internet Group (APIG)', October 2003, p 1, www.apig.org.uk/spam_report.pdf.
20. CNIL is an independent French authority dealing with data protection, www.cnil.fr. The definition may be different for countries adopting an opt-out approach.
21. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L201 31.7.2002. p 37. http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047. pdf.
22. Spam activities are now also spreading to mobile phone multi-media messaging ('wireless spam') and instant messaging services ('spim'). See Cramer, 'The future of wireless spam' [2002] Duke L & Tech Rev 0021, www.law.duke.edu/joumals/dltr/articles/PDF/2002DLTR0021. pdf:
23. and Biever, 'Spam being rapidly outpaced by "Spim"', 26 March 2004. www.newscientist.com/news/news.jsp?id=ns99994822.
24. Nevertheless, s 4 of the US CAN-SPAM Act talks of 'multiple' commercial electronic mail messages, meaning 'more than 100 electronic mail messages during a 24-hour period, more than 1,000 electronic mail messages during a 30-day period, or more than 10,000 electronic mail messages during a 1-year period'. For a discussion on these notions, see Sorkin, 'Technical and Legal Approaches to Unsolicited Electronic Mail' (2001 ) 35 USF Law Review 325 at 328 et seq, in particular 333-336.
25. In June 2004, an AOL employee was arrested after having sold some 90 million email addresses of AOL customers: see 'AOL worker arrested in spam scheme', 23 June 2004, http://money.cnn.com/2004/06/23/technology/aol_spam/?cnn= yes.
26. In addition, spammers arc always discovering new techniques for sending spam without being traced. See the paragraph 'Security implications' in the OECD Directorate for Science, Technology and Industry. Committee for Information, Computer and Communications Policy, 'Background Paper for the OECD Workshop on Spam', DSTI/ICCP(2003)10/Final, 22 January 2004, p 16. It is estimated that 90% of viruses are passed through email.
27. See the statistics on the homepage of the Anti-phishing Working Group, www.antiphishing.org.
28. See Blau, 'Big German banks hit by phishing attacks', 23 August 2004, www.computerworld.com/softwaretopics/software/groupware/story/0,10801,95429,00. html.
29. FTC, 'National and State Trends in Fraud and Identity Theft, January-December 2003', 22 January 2004, www.consumer.gov/sentinel/pubs/ Top10Fraud2003.pdf.
30. The word 'phishing' recalls the sound of fishing and well represents the activities of these scammers, using email lures to 'fish' for passwords and financial data from the sea of internet users. The particular spelling 'ph' is a common hacker replacement for 'f' and is a nod to the original form of hacking, known as 'phreaking'. Phishing is used to trick recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, and social security numbers by sending messages that direct them to legitimate-looking websites masquerading as the sites of a trusted financial institution or online merchant. The information is then used to access and drain money from their accounts. For detailed information, see Anti-phishing Working Group, 'Phishing Attack Trends Report', July 2004, www.antiphishing.org/ APWG_Phishing_Attack_Report-Jul2004.pdf.
31. The most targeted businesses have typically been the web auction giant eBay and its PayPal payment services division, with the financial institution Citibank serving as another popular target.
32. US FTC Report, 'False Claims on Spam', 30 April 2003, www.ftc.gov/reports/spam/030429spamreport.pdf.
33. For a detailed chart, see Salem, 'The Scope of the problem', p 3, www.itu.int/osg/spu/spam/presentations/SALEM_Session%201,pdf.
34. Association for Interactive Marketing, 'Survey on the Commercial Use of Email', 2002, www.interactivehq.org/councils/CRE/valuesurvey.asp.
35. See Cerf and Swindle, 'Spam: Can it be stopped?', 18 June 2002, www.gip.org/publications/papers/spam061802.asp.
36. Furthermore, the cost of increasing bandwidth and storage capacity to deal with spam is inevitably passed on to the consumer in the form of higher access fees.
37. Other research indicates that the costs to service providers are 10% of the overhead cost of providing internet access: see Court and Atkinson. 'How to Can Spam', 1 November 1999, www.ppionline.org/ndol/print.cfm?contentid = 1349.
38. Gauthronet and Drouard, 'Unsolicited Commercial Communications and Data Protection', European Commission, January 2001, http://europa.eu.int/comm/ internal_market/de/dataprot/studies/spam.htm.
39. Assuming it takes three to four seconds to determine the nature of a message and delete it. Another survey conducted by InsightExpress suggests that 65% spent more than ten minutes each day dealing with spam, and 24% reported dealing with it for more than 20 minutes per day: Greenspan and Morrissey, 'Spam expected to outnumber non-spam', Jupiter Media Corporation, 12 December 2002, http://cyberatlas.internet.com/big_picture/applications/article/ 013231301 _155583100.html.
40. Based on the assumptions that 10% of total email is spam and that each employee spends 30 seconds per day deleting spam: Brightmail The State of spam - Impact and Solutions, White Paper, Document Version 1.0 January 2003, p 7.
41. The Radicati Group, 'Anti-Spam Market Trends, 2003-2007', www.radicati.com/cgi-local/brochure.pl?pub_id=202&back_link=/single_report/.
42. See also Ho and Tan, 'Background Paper for ITU WSIS Thematic Meeting on Countering Spam: "Curbing Spam via technical measures: An overview'", p 4, www.itu.int/osg/spu/Spam/contributions/ Background%20Paper_Curbing%20Spam%20Via%20Technical%20Measures.pdf.
43. For example, (a) Domain-Authorised SMTP Mail by David Green, http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg00656. html;
44. (b) the RMX DNS RR and method for lightweight SMTP sender authorisation by Hadmut Danisch, www.danisch.de/work/security/txt/drafi-danisch-dns-rr-smtp- 03.txt;
45. (c) Designated Mailer Protocol by Gordon Fecyk, www.pan-am.ca/dmp/drafl- fecyk-dmp-01.txt:
46. (d) Caller ID for Email by Microsoft Caller ID for Email, www.microsoft.com/mscorp/twc/privacy/Spam_callerid.mspx;
47. (e) Sender Policy Framework ('SPF') by Wong Meng Weng and Mark Lentczner, Sender Permitted Form, http://spf.pobox.com;
48. (f) Domain Keys by Yahoo DomainKeys Internet Draft, www.ietf.org/ internet-drafts/draft-delany-domainkeys-base-00.txt.
49. Including adoption by big players, such as AOL, Google and Earthlink.
50. 'Microsoft to Merge Caller ID With SPF Anti-Spam Scheme', www.itu.int/osg/spu/newslog/categories/Spam/2004/06/02.html#a662.
51. The following is an illustration of how such authentication mechanism is used to prevent forgery: (a) When the destination email server receives an email coming from a certain IP address, the email claims to be from a certain sender, but we need a way to find out if this is genuine. (b) The authentication system will provide one of three things: (i) the sender is good - the sender has previously announced that they do send mail from that IP address; (ii) the sender is bad - the purported sender has published a list of IP addresses they send mail from, and the incoming IP is not one of them; (iii) the sender is unknown - there is insufficient information to decide one way or the other. For the authentication system to answer the question, the domain owners will typically have to designate a list of IP addresses that they use to send mails from their domains.
52. 'MTA Authentication Records in DNS', June 2004, www.ietf.org/internet- drafts/draft-ietf-marid-core-01.txt.
53. See also 'IETF Releases Anti-Spam Sender ID Internet Draft Specification', 25 June 2004, http://xml.coverpages.org/ni2004-06-25-a.html. Under the merged proposal, organisations will publish information about their outgoing email services, such as their IP address. The Anti-Spam Technical Alliance, including AOL, British Telecom, Comcast, Earthlink, Microsoft and Yahoo! has recently expressed support for Sender ID.
54. Such as (a) Mail Abuse Prevention System ('MAPS') Mail Abuse Prevention Real-time Black Hole List, http://mail-abuse.org/;
55. (b) Open-Relay DataBase ('ORDB'), www.ordb.org;
56. Spam Haus BlackHole List, www.Spamhaus.org.
57. With the result that innocent parties that take over their old domain names and IP addresses find themselves mistakenly dealt with as spammers.
58. For example, it could set a lower rate limit for servers that are black-listed, but they should not be totally ignored.
59. Examples of such email attributes are: source of sender (email, mail server etc); subject title; date of email; text within the body of the email; number of intended recipients (derived from 'To' field, 'CC' field etc); type of email attachment (zip, doc etc); format of email (HTML or plain text).
60. Some examples of filtering rules are as follows: (a) If (source_of_sender contains Spamyou@Spammer.net) MOVE incoming message to JUNK folder; (b) If (source_of_sender contains boss_email_address) MOVE incoming message to VIP folder; (c) If (subject_title contains 'sex' or 'porn') DELETE incoming message.
61. The examples in footnote 47 above demonstrate such an approach to static filtering.
62. As for example in the following rule: If (email_attachment contains Malicious Executable Program) MOVE incoming message to VIRUS.COLLECTION folder.
63. For example, they will replace the letter 'o' with numeric '0' in the words they use, or they will hide their text within HTML lingo as illustrated in the following example: S E X . This word is not easily decipherable by a human or a non-HTML-enabled email client. However, with an HTML-enabled email client the word 'S E X' will appear correctly, because the client will be able to understand the HTML tag ' ' and know that it represents a blank space between the characters. This intelligent little trick that exploits the HTML rendering capability in modern email clients poses a great challenge to static filtering rules, because there are millions of ways of spelling the word 'SEX' by padding different HTML tags in between the letters. For a solution to this problem, see for example A Swatz's HTML to Text Script, www.aaronsw.com/2002/html2text/.
64. For example, if the end user keeps telling his or her email client that any incoming messages consisting of the phrase 'get rich fast' should be considered as spam, an adaptive system will be able to deduce the appropriate filtering rule and automatically block any future incoming messages with the phrase 'get rich fast'.
65. See Graham, 'A Plan for Spam', August 2002, www.paulgraham.com/Spam.html;
66. and Graham, 'Better Bayesian Filtering', January 2003, www.paulgraham.com/better.html.
67. See Graham, 'Better Bayesian Filtering', www.paulgraham.com/better.html., ibid.
68. Such as the Mozilla email client.
69. One technique involves manipulating the font and background colours so that they are the same, rendering the bogus text invisible (eg white text on white background). Another shortfall is that Bayesian needs to be sufficiently trained before it becomes usable.
70. Thus, when users move from one email client to another that has a different Bayesian implementation, they will most likely need to spend a few days or even weeks retraining their system from scratch. Furthermore, users tend to get complacent after making use of the Bayesian system for a period of time because the system is fairly good at classifying spam.
71. For example, blocking email traffic from a spam-friendly site often means blocking a great deal of legitimate email. Closing down an open relay that has been used for sending spam as well as for legitimate purposes can be inconvenient for many users.
72. Blacklist maintainers, for example, need not disclose the criteria they use nor afford due process to accused spammers. The market does provide a check on such activity, but incomplete information, complexity of the issues and concentration of market power all affect the extent to which blacklists and other anti-spam measures are likely to be held accountable (although see Cyber Promotions, Inc. v AOL, Inc., 948 F. Supp 456, 464 (E.D. Pa 1996) holding that AOL is not likely to be proven an 'essential facility' despite its substantial market share).
73. For a good overview before the enactment of the E-Privacy-Directive, see Schaub, 'Unsolicited Email - Does Europe allow Spam? The State of the Art of the European legislation with regard to unsolicited commercial communications' (2002) CLSR, Vol 18 No 2, 99 et seq.
74. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L281 23.11.1995, p 31, http://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046: EN:HTML.
75. See also Schaub, supra n 59, at 4.
76. The Working Party consists of representatives of each Data Protection Authority in Europe.
77. Article 29 Data Protection Working Party, 'Privacy on the Internet An integrated EU Approach to Online Data Protection - Working Document', adopted on 21 November 2000, 5063/00/EN/FINAL WP 37, http://europa.eu.int/comm/ internal_market/privacy/docs/wpdocs/2000/wp37en.pdf.
78. Supra n 17.
79. Directive 97/7/EC of the European Parliament and of the Council of 20 May 1997 on the protection of consumers in respect of distance contracts, OJ L144 4.6.1997, p 19, http://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri= CELEX:31997L0007:EN:HTML.
80. Schaub, supra n 59, at 5.
81. Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, OJ L024 30.1.1998, p 1, http://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:31997L0066: EN:HTML.
82. Magee, "The law regulating unsolicited commercial email: An international perspective' (May 2003) 19 Santa Clara Computer & High Technology Law Journal 333, p 20.
83. Article 29 Data Protection Working Party, 'Opinion 2/2000 concerning the general review of the telecommunications legal framework', adopted on 3 February 2000, 5009/00/EN/FINAL WP 29, p 3, http://europa.eu.int/comm/internal_market/ privacy/docs/wpdocs/2000/wp29en.pdf.
84. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market, OJ L178 17.7.2000, p 1, http://europa.eu.int/eur-lex/pri/en/oj/dat/2000/l_178/l _17820000717en00010016. pdf.
85. Recital 30 of the E-Commerce Directive states: 'The sending of unsolicited commercial communications by electronic mail may be undesirable for consumers and information society service providers and may disrupt the smooth functioning of interactive networks; the question of consent by recipient of certain forms of unsolicited commercial communications is not addressed by this Directive, but has already been addressed, in particular, by Directive 97/7/EC and by Directive 97/66/EC; in Member States which authorise unsolicited commercial communications by electronic mail, the setting up of appropriate industry filtering initiatives should be encouraged and facilitated; in addition it is necessary that in any event unsolicited commercial communities are clearly identifiable as such in order to improve transparency and to facilitate the functioning of such industry initiatives; unsolicited commercial communications by electronic mail should not result in additional communication costs for the recipient.'
86. This has been interpreted as the E-Commerce Directive leaving Member States the choice between opt-in and opt-out regimes, although Recital 30 specifically states that the question of consent is not addressed by the Directive: Schaub, supra n 59, at 6.
87. See in more detail Wendlandt, 'Cybersquatting, Metatags und Spam', 2002, p 85 et seq, p 107 et seq, p 113 et seq.
88. See also Leistner and Pothmann, 'Email-Direktmarketing im neuen europäischen Recht und in der UWG-Reform', WRP 2003, p 825;
89. Weiler, 'Spamming - Wandel des europäischen Rechtsrahmens', MMR 2003, p 228.
90. For a summary of these laws, see Sorkin, www.Spamlaws.com/state/summary, html.
91. See also Khong, 'Spam Law for the Internet' (2001) JILT, Issue 3, for an overview in tabular form of the single regulatory mechanisms of the different state laws, http://elj.warwick.ac.uk/jilt/01-3/khong.html.
92. California Business And Professional Code, Division 7. Part 3. Chapter 1. Art 1.8. 'Restrictions On Unsolicited Commercial Email Advertisers', Ca. Bus. & Prof. ss 17529 and 17538.45.
93. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), Public Law 108-187, Dec 16, 2003, http://frwebgate.access. gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ187.108. pdf.
94. Recital 16 of the E-Privacy Directive adds to this: 'Information that is part of a broadcasting service provided over a public communications network is intended for a potentially unlimited audience and does not constitute a communication in the sense of this Directive.'
95. Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services, OJ L108 24.4.2002, p 33, http://europa.eu.int/ information_society/topics/telecoms/regulatory/new_rf/documents/ l_0820020424en00330050.pdf.
96. According to Art 2(a) of the Framework Directive, an 'electronic communications network' means 'transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems (to the extent that they are used for the purpose of transmitting signals), networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed'.
97. According to Art 2(c) of the Framework Directive, an 'electronic communications service' means 'a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but excluding services providing, or exercising editorial control over, content transmitted using electronic communications networks and services; it does not include information society services, as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or mainly in the conveyance of signals on electronic communications networks'.
98. The original version of Art 2(h) of the E-Privacy Directive contained the phrase 'which is addressed directly or indirectly to one or more natural or legal persons', instead of 'until it is collected by the recipient'. By contrast, an earlier version of Art 13(1) stated: 'The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail and other personally addressed electronic communications for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.': Committee on Citizens Freedoms and Rights, Justice and Home Affairs, 'Report on the proposal for a European Parliament and Council directive concerning the processing of personal data and the protection of privacy in the electronic communications sector', 13 July 2001, FINAL A5-0270/2001 (COM(2000) 385), p 58 [emphasis added].
99. The objective was to adapt the predecessor of the E-Privacy Directive, the Telecoms Privacy Directive, to developments in the markets and the technologies for electronic communications services in order to provide an equal level of protection of personal data and privacy for users of publicly available electronic communications services, regardless of the technologies used (E-Privacy Directive, Recital 4).
100. According to Art 2(d) of the Framework Directive, 'public communications network' means 'an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services'. The definition in Art 2(a) of an 'electronic communications network', supra n 80, specifically mentions the internet as a network. With regard to the other phrases: 'which can be stored in the network or on the recipient's terminal equipment' - anything can in principle be stored on terminal equipment, provided it has the appropriate functionality; 'until it is collected by the recipient' before an email user pulls email messages into the inbox of an email program on his computer, the email is stored on the mail-server and it is possible to leave email on the server to be able to use it as an archive when working with web mail, or to retrieve email from the server at different locations (eg at home and at work).
101. Discussing the exclusion of electronic mail from the opt-in regime of Art 13(1) of the E-Privacy Directive, and the inclusion of SMS, the Council stated 'with protection of the subscriber and of technological neutrality in mind, the Council thought that the subscriber consent arrangements should embrace every use of electronic mail for the purposes of direct marketing purposes, and not just SMS'. The Commission commented on this by stating 'EP amendment 35 proposed to only single out SMS messages and include them in paragraph 1 of this article requiring prior consent of recipients while leaving the approach to other forms of email for the Member States to decide. The Council preferred a harmonised approach on the basis of prior consent for all forms of electronic mail.': Communication from the Commission to the European Parliament pursuant to the second subparagraph of Art 251(2) of the EC Treaty concerning the common position of the Council on the adoption of a Directive of the European Parliament and of the Council on processing of personal data and the protection of privacy in the electronic communications sector, SEC/2002/0124 final-COD 2000/0189, pp 1-2, 17 [emphasis added].
102. It has also been considered that some service providers offer the translation of SMS into voice messages. If the message results from a manually assisted call and is not further stored as an electronic message, Art 13(3) of the E-Privacy Directive applies.
103. 'The proposed Directive is part of a package of five Directives and one Decision intended to reform the existing regulatory framework for electronic communications services and networks in the Community. One of the aims of this overall reform is to create rules which are technology neutral. The legal framework must try to ensure that services are regulated in an equivalent manner, irrespective of the technological means by which they are delivered.': Commission Communication, supra n 85, pp 1-2.
104. Article 29 Data Protection Working Party, 'Opinion 5/2004 on unsolicited communications for marketing purposes under Art 13 of Directive 2002/58/EC', adopted on 27 February 2004, p 7, http://europa.eu.int/comm/internal_market/ privacy/docs/wpdocs/2004/wp90_en.pdf.
105. Council Directive 84/450/EEC of 10 September 1984 relating to the approximation of the laws, regulations and administrative provisions of the Member States concerning misleading advertising, OJ L250, 19.09.1984 p 17, http://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:31984L0450: EN:HTML.
106. The phrase 'directly or indirectly' can be interpreted either to include direct marketing in the category of commercial communications or to include communications with an indirect commercial aim such as communications by political parties or charities.
107. Council of Europe, 'Recommendation No R (85) 20 of the Committee of Ministers to Member States on the protection of personal data used for the purposes of direct marketing', Appendix with Guidelines. 'Recommendation No R (95) 4 of the Committee of Ministers to Member States on the protection of personal data in the area of telecommunication services, with particular reference to telephone services' refers to this 1985 Recommendation.
108. FEDMA, 'European Code of Practice for the use of Personal Data in Direct Marketing', www.fedma.org/img/db/FEDMACodeEN.pdf.
109. Article 29 Data Protection Working Party, 'Opinion 3/2003 on the European code of conduct of FEDMA for the use of personal data in direct marketing', adopted on 13 June 2003, 10066/03/EN/FINAL WP 77, http://europa.eu.int/comm/ internal_market/privacy/docs/wpdocs/2003/wp77_en.pdf.
110. See 'FTC Postpones Effective Date of Can-Spam Rule Establishing Criteria for Determining "Primary Purpose" of E-mail Messages', www.ftc.gov/opa/2005/01/primarypurp.htm.
111. See also Davidson, 'The US tackles Spam', (2005) CTLR 11(1), p 2 (Westlaw numbering), who suggests that it should be interpreted it as encompassing certain email communications not always thought of as commercial advertisements.
112. As a comparison, the Australian Spam Act 2003 covers unsolicited commercial electronic messages that are sent using email, SMS, MMS and instant messaging. However, it does not cover non-electronic messages (messages sent by way of voice calls using the telephone are specifically excluded in s 5(5)). Furthermore, the Australian Spam Regulations 2004 No 56 exclude facsimile messages from the definition as well. Hence, in this respect they have a narrower application than the European legislation. The Korean Act on Promotion of Information and Communications and Communication Network Utilisation and Protection of 2001, like the EU E-Privacy Directive, was amended in June 2003 to define 'spamming media' as including telephone, fax and other electronic multimedia, as well as email. SMS and 'pop-up' windows are also caught by the Act. This broad application of the Korean Act, like the E-Privacy Directive, thus recognises the serious nuisance posed by various media apart from emails.
113. See 15 U.S.C. ss 44 and 45.
114. Critical on this issue, Ramasastry, supra n 5.
115. See also Trussel, 'Is the CAN-SPAM Act the Answer to the Growing Problem of Spam?' (2004) 16 Loyola Consumer Law Review 175, p 4, www.law.washington.edu/ courses/winn/E539/Assignments/trussell%2 Ocan-Spam.pdf.
116. See Cheng, 'Recent international attempts to can Spam' (2004) CLSR, Vol 20 No 6, 472-479, on the Australian legislation.
117. The Australian Act's wide reach is also explicit in its s 14, which states that the Act 'extends to acts, omissions, matters and things outside Australia'.
118. Article 29 Data Protection Working Party, Document WP 43, adopted on 17 May 2001. Reference could also be made to the first report on the implementation of the Data Protection Directive, (COM(2003) 265 final), p 18.
119. Recital 17 of the E-Privacy Directive re-affirms this: 'Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website.'
120. Article 29 Data Protection Working Party Opinion 5/2004, supra n 88, p 5.
121. However, compare the broader approach of the DTI in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426, implementing the Directive), speaking of 'the sale or negotiations for the sale' (reg 22(3)(a)) [emphasis added];
122. and the comments by Butler in 'Spam - the meat of the problem' (2003) CLSR, Vol 19 No 5, 390.
123. See Recital 41 of the E-Privacy Directive.
124. Article 29 Data Protection Working Party Opinion, supra n 88, p 9.
125. Article 29 Data Protection Working Party Opinion, supra n 88, p 9.
126. Louveaux and Asinari, 'New European Directive 2002/58 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector - Some Initial Remarks' (2003) CTLR, Vol 9, No 5, 133-138.
127. For a detailed analysis of the implementation of the exception in the UK, see Munir, 'Unsolicited Commercial Email: Implementing the EU Directive' (2004) CTLR 10(5), 4 (Westlaw numbering).
128. Directive 2002/65/EC of the European Parliament and of the Council of 23 September 2002 concerning the distance marketing of consumer financial services and amending Council Directive 90/619/EEC and Directives 97/7/EC and 98/27/EC, OJ L271, 9.10.2002, p 16, http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_271/ l_27120021009 en00160024.pdf.
129. See also Leistner and Pothmann, supra n 74, p 824;
130. and Weiler, supra n 74, p 228.
131. See Fingerman, 'Spam canned through the land? Summary of the CAN-SPAM Act With Commentary', (February 2004) Journal of Internet Law, Vol 7, Issue 8, p 10, in summary with a more optimistic view on the effects of the CAN-SPAM Act with regard to penalties.
132. See also Trussel, supra n 98, p 5.
133. For the completely opposing attitude towards spam, see Morissey, 'Poll: Spam Annoyance Leveling Off', 17 July 2003, www.clickz.com/news/article.php/ 2236631;
134. and Morissey, 'Spam Annoyance on the Rise', 3 January 2003, www.clickz.com/news/article.php/1564101.