Submission: National Office for the Information Economy Interim Report of the Spam Review: The Spam Problem and How it Can be Countered (October 2002)
Mr Allan le Busque
Manager
On-line Policy
National Office for the Information Economy
GPO Box 2154
CANBERRA ACT 2601
Dear Allan
INTERIM REPORT OF THE SPAM REVIEW: THE SPAM PROBLEM AND HOW IT CAN BE COUNTERED
Thank you for the opportunity to put in this late submission on the National Office for the Information Economy’s (NOIE’s) Interim Report of the Spam Review: The Spam Problem and How it Can be Countered.
Spam can have a significant privacy impact for Australians, particularly with respect to the collection and re-use of personal information, including email addresses, for spamming where the individuals concerned do not know about, or have no ability to control, the practice, but also to the extent that it supports the building of detailed profiles of individuals. As I noted in a media release of 25 September 2002 in response to concern about my consultation paper on collection of publicly available personal information: “We all have a right to know who is calling us, why they have called us and where they got our information from. In many ways the Privacy Act is about putting common courtesies such as these into law. The Act is about putting people in control of their information.”
My Office welcomes the work that NOIE is undertaking. At present we are able to devote only limited resources to the issue but it is one we regard as a priority and my officers will contribute to the work within the limits of our resources. Should additional resources become available the Office could take a more active role in this area.
The approach taken in this submission is to provide comments in relation to the recommendations in the Interim Report. To some extent these comments will raise questions or aspects that we think need further consideration rather than providing detailed positions.
One aspect of the recommendations that I understand that you have particularly sought feedback on relates to the allocation of responsibilities for spam measures as between:
- Regulators;
- Technical solutions;
- Internet service providers; and
- Individuals.
This is a complex area and one where there is no clear answer. All contribute and are needed if effective solutions are to be achieved. I would also add a fifth element – the market. In the case of regulators it will be critical for them to have workable laws and for them to be adequately resourced to enforce their laws. The issues in relation to individuals contributing effectively to protecting themselves against spam are in part about education and awareness but this will probably not be the full story. It seems likely that there will be other factors that affect the willingness of people to make use of tools and strategies even if these are available. For example, the cost, availability and usability of tools are likely to affect how widely they are used. As I suggest below, more research into the relative contributions and factors that affect their effectiveness may be fruitful.
My comments on the recommendations in the Interim Report are set out below.
Summary of Draft Recommendations
1. A clear and widely accepted working definition of “spam” should be developed for consistent interpretation, and to better inform and enable anti-spam enforcement at the consumer, Internet Service Provider (ISP), business and government levels.
I support this recommendation, subject to reservations, set out below, about the nature and purpose of any definition. I am also happy for my Office to participate in further discussions towards a definition of spam, subject to the Office’s resources and priorities.
I am wary of attempts to use a definition to distinguish between classes of unsolicited commercial email. I am not sure that it is possible or desirable to make a distinction between bad spam and spam that may be a ‘possibly valuable contribution’. From a privacy perspective it is not clear that the intrusive aspects of spam, for example a volume of unexpected and unwanted emails based on covert collection of email addresses, only apply to spam that is misleading, deceptive or otherwise illegal.
As Privacy Commissioner my intention is not to prevent organisations from making approaches to people that they might find valuable and I am open to solutions that provide this while still giving individuals the right to say how information about them will be used (or is not to be used).
I note the suggestion in the Interim Report that a possible way forward would be to make a distinction on the basis of whether or not the organisation has an existing relationship with the individual concerned and, if not, to then test whether the organisation has the individual’s consent to make marketing approaches. I favour an approach of this sort, which, as noted at page 28 of the Interim Report, is essentially the European Union response to spam, although I agree it then raises questions about how to determine whether relationships exist and the nature of consent needed. It would also be consistent with Treasury’s best practice model set out in Building Consumer Sovereignty in Electronic Commerce: A best practice model for business (May 2000)[1], which says that for commercial e-mail:
23.1 Businesses should not send commercial e-mail except:
23.1.1 to people with whom they have an existing relationship; or
23.1.2 to people who have already said they want to receive commercial e-mail; and
23.2 Businesses should have simple procedures so that consumers can let them know they do not want to receive commercial e-mail.
However, the National Privacy Principles (NPPs), as currently drafted, would not limit spammers to approaches based on an existing relationship or consent. This leads me to note that, whatever definition is used, once it is established there will need to be consideration of how it interacts with the proposed strategies and with existing legislation such as the Privacy Act 1988. As a further illustration of this point I note that the working definition proposed by NOIE includes as a factor in deciding whether a communication is spam the question of whether it is “sent in a largely untargeted and indiscriminate manner, often by automated means”. This test would appear to be more specific than the current requirements in the NPPs and so would not be legally enforceable via the Privacy Act in its current form.
2. Industry bodies, such as the Internet Industry Association (IIA), and their members should be encouraged to:
- build on existing work done by the IIA and implement Codes of Practice to deal with spam;
- develop better practice guidelines for ISPs (and their customers) to combat spam; and
- further develop strategies to have Internet users shut down open relay mail servers.
I agree with this recommendation.
3. ISPs should be assisted to reduce the capacity for spammers to utilise anonymous accounts, through the appropriate implementation of technologies such as Caller Line Identification (CLI) and encouraged to establish identification requirements for prepaid accounts. However, such measures should only be developed if privacy protection levels are maintained or improved.
As noted in my previous comments, I do not agree with this recommendation at this point. It would, as I understand it, need to be introduced as a blanket requirement; that is, ISPs would receive CLI and would be able to require individuals to identify themselves regardless of whether they were potential spammers. These proposals therefore have the potential to significantly reduce the privacy of Internet users. I also understand that they may only address part of the spam issue. For example, I understand that there are software applications that are capable of sending bulk e-mail without going through a specific mail server or a particular ISP. Electronic Frontiers Australia (EFA) has set out a more detailed series of questions about the efficacy of this recommendation.[2]
I consider that questions such as those raised in the EFA submission would need to be addressed as part of any consideration of this recommendation. The framework I put forward for balancing privacy and other public policy interests, in a speech I gave to the Australian Institute of Criminology in June 2001[3], may be a useful adjunct to the process of considering whether the potential privacy intrusion is justified, taking account of the seriousness of the problem, the alternatives available and whether the proposal is even likely to be effective.
A further consideration for this recommendation is NPP 8, which requires organisations to allow anonymous dealing where lawful and practical. The value in individuals being able to remain anonymous to the extent possible is a significant policy consideration that needs to be taken into account here.
The solutions may involve some form of risk assessment so that identification requirements can be targeted, and/or a role for authentication or authorisation using pseudonyms could be considered. Any use of CLI override should also be subject to rules of transparency (for example publication of lists of occasions when it was used and the reasons for doing so, a complaint handling arrangement and/or a requirement for external authority, consistent with the criminology paper framework).
4. The Internet industry should consider managing a self-regulated list of known spammers so that ISPs can make better informed decisions about signing up customers with a record of spamming.
I agree with this recommendation in principle but consider it needs further development to assess whether it can be implemented fairly and without undue impact on the privacy of non-spamming users. In this regard my comments in relation to recommendation 3 are also relevant. I note that in the discussion of this recommendation a clear definition of spam and greater identification of ISP customers are seen as pre-requisites and as I have noted above both of these are problematic.
5. Filtering options and products should be properly evaluated and publicised by the Internet industry to better inform Internet users of the technical options available to them. ISPs should be encouraged to offer their customers cost-effective filter and firewall products. Government, industry and the community should remain aware of the anti-spam opportunities presented by new technologies.
I agree with this recommendation.
6. Regulatory agencies, in particular the Australian Competition and Consumer Commission (ACCC), Australian Securities and Investments Commission (ASIC) and the Office of the Federal Privacy Commissioner (OFPC), should be encouraged to fully apply existing laws to spam. Appropriate resources need to be allocated for this task. For example, section 52 of the Trade Practices Act includes provisions with potential to operate against spam that is misleading or deceptive, such as spoofing and misleading privacy statements.
I agree with this recommendation in principle. However, I suggest it needs to take account of whether the regulators mentioned have in fact been resourced to the extent necessary to respond adequately on the issue. For example, I anticipate that my Office will be able to investigate complaints within a reasonable timeframe if the current trends in complaint numbers continue. However, within present resources the Office would be able to make only a limited contribution to community education campaigns, to policy development, or to more active pursuit of spammers than responding to complaints.
My Office’s earlier comments to NOIE, that noted areas where the NPPs will not be an effective remedy for spam, are also relevant here.
7. At the operational level, Australian government agencies should work with partner country agencies where appropriate to counter spam. The International Marketing Supervision Network, in which Australia participates through the ACCC, is one model for such co-operation.
I agree with this recommendation.
8. At the policy level, Australia should work with the OECD, APEC and other relevant multilateral bodies, and bilaterally where appropriate, to develop international guidelines and co-operative mechanisms for dealing with spam.
I agree with this recommendation.
9. The current application of the National Privacy Principles (NPPs) to spam should continue to be clarified, in straightforward publicly available advice, as cases evolve.
I understand this recommendation to be focusing on the clarification of the application of the NPPs through the resolution of complaints rather than through guidelines or advice prepared by my Office. I presume the recommendation also anticipates that the outcomes of any complaints will be relatively public.
I agree with this recommendation subject to a number of factors. Firstly, the ability of my Office to respond to the recommendation is clearly constrained by the number and type of complaints received and how they are resolved. The Office’s approach will continue to be to work with both organisations and individuals to find workable solutions. Those solutions may sometimes involve the Privacy Commissioner making determinations that are enforceable through the courts, but this will not be an objective in itself.
Secondly I see value in publishing the outcome of some complaints but will not be in a position to publish them all. The Office’s response will therefore also be subject to the policy it is developing on the publication of case notes.
I also note that while my Office receives numerous enquiries about spam to date it has only been able to commence a small number of investigations. There are a number of factors that come into play here including that:
- as noted in the Interim report, a characteristic of much spam is that the source of the communication and/or the means by which contact details have been obtained is deliberately obscured making it difficult to lodge a complaint;
- spam may not be subject to the Privacy Act in any case because of jurisdictional issues; because the email address in question does not contain personal information; or because although personal information is involved it was collected prior to the commencement of the Act;
- the private sector provisions have only been in place for eleven months and the existence of the Office as a channel for complaints is still not widely known; and
- only a small number of people who are aggrieved will actually complain to an external source.
I am not expecting that the volume of complaints involving spam will increase dramatically at least in the short term.
Thirdly, it is worth reiterating that the government intended that the Privacy Act be ‘light touch’ legislation and that the lightness of touch is reflected in the resources available to the Office to undertake policy development or educative programs based on its complaints experience.
In summary, while I agree with the intent of the recommendation, I do not expect that the Office will be producing much additional guidance in relation to spam in the short term. That said, I reiterate the position I put in my Guidelines to the National Privacy Principles in relation to consent in on-line environments, which was that in most cases I would expect prior opt-in consent to apply.
10. The application of the Privacy Act to spam should be considered. The proposed review of private sector amendments of the Privacy Act may be an appropriate vehicle for this.
I agree with this recommendation. The comments my staff provided to NOIE in the course of its development of the Interim Report, and attached again for convenience, stand.
11. The question of offensive content contained in spam should be considered as part of the forthcoming review of those provisions in the Broadcasting Services Act 1992 dealing with offensive and illegal Internet content.
I agree with this recommendation.
12. The Government should consider anti-spam legislative options in further detail, consulting with all interested parties, and focusing at this stage on the following options:
- An outright prohibition on the sending of unsolicited bulk electronic messaging;
- A requirement for greater transparency in the nature and origin of bulk electronic messaging;
- The creation of a new offence of using a carriage service to commit any Commonwealth offence.
I am not in a position to comment on this recommendation at this stage. There appears to be merit in the proposals but they would need to be carefully crafted to avoid unintended consequences.
13. In conjunction with relevant bodies, including the Australian Consumers Association (ACA), the Internet Society of Australia (ISOC-AU), IIA, Treasury, ASIC, ACCC and the OFPC, NOIE should develop and implement an information campaign on spam that creates awareness and provides accurate information and useful resources to consumers (possibly developed in conjunction with related e-security initiatives).
I agree with this recommendation subject, as noted above, to the fact that my Office currently has limited resources to commit to this activity.
If resources are available there are a number of areas of research that may feed into the development of an education campaign and may also be useful to ISPs, industry associations and regulators in developing advice and guidance on measures to respond to spam. These areas could include:
- the identification and evaluation of filtering and other anti-spam software;
- the characteristics that make anti-spam measures user-friendly and so encourage individual uptake;
- the potential for pseudonyms to provide an alternative to direct identification when establishing a relationship with an ISP; and
- how to best encourage individuals to adopt effective anti-spam strategies.
14. Regulatory agencies and NOIE should develop a comprehensive guide for business and the community on how existing legislation can be applied to counter spam.
I agree with this recommendation and would be happy to participate in this activity subject to available resources.
15. NOIE should continue to obtain data that monitors spam volume and characteristics and tracks the progress of spam counter-measures.
I agree with this recommendation.
Thank you again for the opportunity to put in these comments. If you wish to discuss the matters raised, the contact officer is Ms Chris Cowper. She can be contacted by telephone on 02 9284 9651 and by email at chriscowper@privacy.gov.au
Yours sincerely
Malcolm Crompton
Privacy Commissioner
11 October 2002
UNSOLICITED COMMERCIAL EMAILS OR SPAM AND THE PRIVACY ACT 1988 (Cwth)
Comments by the Office of the Federal Privacy Commissioner
April 2002
Introduction
The purpose of this paper is to provide a brief analysis of the way the Privacy Act 1988 (Cwth) (the Privacy Act) applies to the practice of organisations sending unsolicited commercial emails (UCEs), or spam. It should complement the material also being prepared on this issue by the federal Attorney-General’s Department.
Jurisdiction
It is not clear at this point how many organisations that send UCEs to Australians would be subject to the Privacy Act. There are two areas that are possibly problematic. Firstly, many senders of UCEs are based outside Australia, so that they fall outside the jurisdiction of the Privacy Act. Secondly, not all businesses in Australia are covered by the Privacy Act. There is an exemption for many small businesses (for more information see the Office’s information sheet on the coverage of the Privacy Act at http://www.privacy.gov.au/publications/IS12_01.html).
The small business exemption is not available to small businesses that trade in personal information. However, it is not clear that all the practices that businesses use to compile lists of email addresses for spamming would involve trading. For example, lists generated by random combinations of letters and words would not fall within the definition.
Nature of information covered
The Privacy Act is essentially designed to regulate the use of personal information about particular identifiable individuals. It generally assumes a set of records and a relationship between an organisation and an individual rather than the scattergun approach of many spammers. Where the activities of a spammer involve simply generating or collating a list of email addresses, adding content and dispatching it, and the email addresses do not contain an individual’s name, there may be no personal information involved and no application of the Privacy Act. Even if people respond to spammers, to take up an offer or to ask to be deleted from a list, the email address and information contained in it will not necessarily be personal information. The test is whether the information is about ‘an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’.
How the NPPs apply
If the sender of the UCE is an Australian organisation subject to the National Privacy Principles (NPPs) it will have legal obligations under those principles. For example, NPP 1.2 requires organisations to collect personal information only by lawful and fair means. NPP 1.5 requires an organisation that has collected personal information about an individual from a third party to take reasonable steps to let the individual know about the collection. NPP 2.1 says that if an organisation collects personal information for one purpose it can only use or disclose it for a new purpose in limited circumstances. In particular, NPP 2.1(a) says that the organisation can use or disclose the information for a new purpose if (i) the new purpose is related to the original purpose and (ii) use for the new purpose is within the ‘reasonable expectations’ of the individual.
Possible complaints about breaches of the NPPs
In the case of UCE there may be a breach of privacy if the person does not get information about who has collected information about them and for what purposes. There may also be unfair collection practices involved, depending on where and how the spammer obtained a person’s email address.
Where a person has done business with an organisation and has asked it not to contact them with marketing offers, our view is that the person could reasonably expect not to get any more offers. Continued offers in these circumstances may be a breach of privacy. A further area where the NPPs have some strength is in relation to the use of personal information for unrelated direct marketing. In the Guidelines to the National Privacy Principles that we issued in September last year, we drew the conclusion that NPP 2.1(c), which allows some unrelated direct marketing, did NOT allow UCE. The Guidelines are at www.privacy.gov.au/publications/nppgl_01.html. The most relevant part of the Guidelines starts with the commentary on NPP 2.1(b), which is at www.privacy.gov.au/publications/nppgl_01.html#npp21b.
The Guidelines tip on 2.1(b) says that ‘It is unlikely that consent to receive marketing material on-line could be implied from a failure to object to it. This is because it is usually difficult to conclude that the message has been read and it is generally difficult to take up the option of opting out as it is commonly considered that there are adverse consequences to an individual from opening or replying to email marketing - such as confirming the individual's address exists. This may also apply where material is distributed using other automated processes. (This would not prevent an organisation from seeking opt in consent on-line if NPP 2.1 allowed it.)’ [Earlier in the Guidelines on 2.1(b), the common law is described in the following terms: ‘it may be possible to infer consent from the individual's failure to opt out provided that the option to opt out was clearly and prominently presented and easy to take up’.]
The Guidelines’ words on 2.1(c) are that ‘As the cost of emailing is negligible, ordinarily it will not be 'impracticable' to seek consent where an organisation chooses on-line methods of contact or communication’. This means that generally an organisation could not rely on NPP 2.1(c) for techniques such as email marketing or SMS marketing. The option of using 2.1(b) is still available. However, in most cases, this will require express consent.
Taken together, these parts of the Guidelines are saying that an online marketer must obtain opt in consent to use personal information for online marketing if that action is not related to the primary purpose of collection AND is NOT within the individual's reasonable expectations. This should rule out UCE in some circumstances.
Possible problems where there may be no breach of the NPPs
One area that may be problematic for UCE or spam is that the NPPs do not prevent a business from using personal information for the purpose for which it collected it (that is, in terms of the NPPs, the primary purpose). This means that if a business collects personal information for marketing purposes or for spamming, and uses it for those purposes, this is consistent with the NPPs and, provided that the other requirements of the NPPs have been met, there is no action that a person can take under the NPPs to stop it. This also means that the discussion above about the application of the direct marketing exception (NPP 2.1(c)) is irrelevant where the primary purpose of collection is direct marketing. Businesses can legitimately proceed without having to rely on the exception. It is possible that, of those spammers that may be subject to the Privacy Act, the majority would have collected and be using personal information for the primary purpose of marketing or spamming. While there may still be breaches of the collection principles, the remedies available for these may not be enough to stop the activity or to deal with the annoyance caused.
Effectiveness of the protection the Privacy Act provides against UCE or spam
It is not yet clear to what extent the Privacy Act provides an effective remedy for people who want to take action about UCE – the private sector provisions of the Privacy Act have only been in operation for four months and the small business sector is yet to be brought in (where the Act applies). The Privacy Act does mean that UCE or spam will be contrary to the NPPs in some circumstances if it is undertaken using identifiable personal information. However, it is really too early at this stage to determine whether this will be the bulk or just a small minority of cases. It may be that further experience with the Privacy Act, or issues brought to light by the NOIE review, will suggest that changes are needed to ensure that it does work where intended.
For example, there may need to be some modification to the concept of primary purpose to ensure that it does not operate as a loophole in the case of UCE. The Privacy Commissioner initially recommended this course of action in relation to all direct marketing at page 9 of his September 2000 submission to the Senate Legal & Constitutional Legislation Committee (see our website at www.privacy.gov.au/business/index.html). While it is now important to give the Privacy Act a chance to work – and the proposed review at the end of 2003 is a natural point to consider how it has worked – there will be some issues, and UCE may be one of these, where earlier changes are needed.
This may particularly be the case given that, even if possible loopholes in the NPPs are closed, this would not address all sources of spam – not all UCE abuses data protection principles so much as other senses of privacy, for example when spam is sent to randomly generated addresses in the ways described above.