First published: 28th November 2007
1 Abstract
Hong Kong passed the "Unsolicited Electronic Messages (UEM) Bill"1 on Wednesday, 23rd May 2007 and some parts came into effect on 1st June 2007. The remainder will be implemented towards the end of 2007.
2 Introduction
Hong Kong’s anti-spam law, the Unsolicited Electronic Messages Ordinance (UEMO), has been in the making since 2000 and has been in effect for less than six months, some provisions have still to come into force, but already there is a lot to learn.
2.1 Abbreviations
OFTA Office of the Telecommunications Authority, the Government regulator for telecommunications.
LegCo Legislative Council, Hong Kong’s lawmakers.
UEMO Unsolicited Electronic Messages Ordinance
3 Development of the Ordinance
There has been a slow change in the attitude of the Hong Kong Government, and, more specifically OFTA, towards spam. Before 2000, there was nothing to suggest OFTA was even aware spam existed.
In February 2000, OFTA, the Hong Kong Internet Service Providers Association (HKISPA) and the Office of the Privacy Commissioner for Personal Data (PCO) issued a press release outlining Joint Anti-Spam Initiatives2. This consisted of an “industry Code of Practice”, detailing sanctions to be imposed on spammers, and a leaflet “FAQs on Spam”, published by OFTA. ISPs that conformed to the Code were to be given a special identification logo. However, no ISPs announced they were adopting the Code of Practice, and no list of ISPs authorised to use the special logo was ever published by the HKISPA.
In October 2003, OFTA’s normal response to spam complaints was “at present there is no law in Hong Kong specifically prohibiting spamming. The Government encourages the Internet industry to exercise self-regulation in tackling spamming activities.”3
In November 2003, Hon. Sin Chung Kai, Legislative Councillor for the IT Functional Constituency, conducted a survey on spam among his constituents, and followed that up with an Anti-Spam Forum - “to REGULATE or NOT” in January 2004, jointly organised with the HKISPA and the Hong Kong Anti-Spam Coalition (a new organisation, formed in the summer of 2003, involving the HKISPA, Asia Digital Marketing Association, Microsoft and Time Warner). At the forum, the HKISPA estimated “the potential economic lost to the Hong Kong economy could be as much as HK$ 10 billion per year, with lost productivity alone at HK$ 6 billion per year”, and Hon. Sin revealed his survey showed 70% in favour of anti-spam legislation.4
At the beginning of 2004, OFTA met informally to discuss views on anti-spam legislation with industry groups, including the Hong Kong Computer Society5, but the public Government position was to reply on technology to combat spam6. In June, OFTA issued a consultation paper on measures to control spam7,8 . There were seventeen responses from companies, nineteen from organisations, and six from individuals, published in November 20049.
In February 2005, the then Commerce, Industry and Technology Bureau launched an anti-spam campaign called “STEPS”10, which consisted of a multi-pronged approach:
- S – Strengthening existing regulatory measures
- T – Technical solutions
- E – Education
- P – Partnerships
- S – Statutory measures
The existing regulatory measures were those covering junk faxes and junk SMS. The technical solutions were supported by a website11 and Government support of industry events12. Education also included the website, radio programmes, teaching materials for schools, exhibitions and a leaflet. Under partnerships, the Commerce, Industry and Technology Bureau and 11 other Agencies signed the Seoul-Melbourne Multilateral Memorandum of Understanding (MoU) on Co-operation in Countering Spam on April 27 2005. Under statutory measures the Commerce Industry and Technology Bureau reported to the Legislative Council that it aimed, “to work out a legislative framework which is largely acceptable to different stakeholders by striking the right balance between the need to discourage spamming and to enable legitimate e-marketing activities to develop properly”13, with the intent to introduce a bill in 2006.
In March and June 2005, the Commerce, Industry and Technology Bureau invited Stakeholders (including industry organisations, business organisations, legal parties, the Consumer Council and Government Bureaux and Departments), to informal discussions on the draft framework for the legislation. The discussion document recommended six guiding principles:
- Recipients should have the right to decide whether to receive UEMs.
- The legislation should provide room for the development of e-marketing in Hong Kong as a legitimate promotion channel.
- The legislation should prevent Hong Kong from becoming a safe haven for illicit spamming activities.
- Freedom of speech and expression must not be impeded.
- Penalties and remedies against spammers should be proportionate to the severity of the offences.
- Statutory provisions should be enforceable with reasonable efforts.
In June 2005, the HKISPA published version 2.0 of its Code of Practice14, and an implementation guide for service providers and web site operators15.
RTHK broadcast an anti-spam documentary on 11 July 2005, in the news magazine programme, “The Hong Kong Connection”. On the same day, the CITB presented the draft legislation to the Legco Panel on Information Technology and Broadcasting16,17.
In January 2006, the Commerce, Industry and Technology Bureau (CITB) issued a consultation paper on the proposed legislation18,19. There were twenty submissions from organisations, sixteen from companies and thirty-four from individuals, published in July 2006.
In March 2006, the Legco Panel on Information Technology and Broadcasting met and heard submissions from Stakeholders on the draft legislation20.
The Bill was introduced into LegCo on 12 July21,22. The Bill Committee accepted submissions from Stakeholders in October 200623. The Bill was passed in May 2007, and the first phase came into force on 1 June 2007.
In October 2007, OFTA’s point of view24 was that the top priority for the Hong Kong public in unsolicited electronic messages at the moment was fax, particularly because of the paper costs. Pre-recorded voice messages had been the biggest concern during 2006, but OFTA had dealt with it by administrative methods and introducing a code of practice with telco operators, resulting in a 90% drop in calls by the end of 2006. Under the code of practice, if a telco receives complaints from its customers, it can refer the case to the originating telco, who can take action, e.g. by cutting lines. As IVR equipment is expensive, there are few offenders, each making thousnds of calls per day, and disupting their activities causes a large drop-off in a short space of time. Some IVR operators are still in business, their activities are not illegal as long as they follow the rules.
In September 2007, OFTA issued a consultation paper on the Code of Practice for the UEMO25. There were twelve submissions, published October 200726. In October 2007, OFTA announced the second phase of the legislation would come into force on 22 December27. The Code of Practice was published on 26 November28,29.
4 Main Features of the Ordinance
The full Unsolicited Electronic Messages Ordinance (UEMO) is published online in the Bilingual Laws Information System1. OFTA has also published a General Guide30, and an Industry Guide31 to the Ordinance. The main features are:
- Opt-out regime.
- The UEMO covers commercial electronic messages with a Hong Kong link:
- includes (but not limited to) email, IM, pre-recorded voice messages sent to telephones, and fax;
- "commercial" includes offers and advertisements of goods, services, facilities, land, investments and business opportunities;
- a Hong Kong link means sent to a HK telephone number, or received in HK, or sent or authorised by someone physically in HK, or by a HK company or organisation.
- Exemptions are listed in Schedule 132 and include:
- television and radio broadcasts;
- messages that involve person-to-person interactive communications between a caller and a recipient, with or without any pre-recorded or synthesized element
- A reasonable response to information sent by the recipient to the sender
- A message about a transaction the recipient has previously agreed to enter into with the sender, or warranty/recall information about a product purchased or used by the recipient, or to deliver goods or services, inc. product updates or upgrades
- Account statements, subscription information concerning an ongoing commercial relationship
- Messages about the recipients’ employment relationship or related benefit plan.
The UEMO is coming into effect in two phases. The first phase took effect on 1 June 2007 and included:
Fraud and other illicit activities related to sending of multiple commercial electronic messages are offences punishable by up to 10 years jail and an unlimited fine. Specifically:
- accessing a telecommunications device without authorisation to send multiple commercial electronic messages;
- sending of multiple commercial electronic messages from a telecommunications device without authorisation with a view to deceiving or misleading recipients about the source;
- falsifying header information in multiple commercial electronic messages and sending of such messages;
- registering for electronic addresses or domain names using information that falsifies the identity of actual registrants to send multiple commercial electronic messages;
- falsely representing to be the registrant of an electronic address or a domain name to send multiple commercial electronic messages.
Use of unscrupulous techniques to reach out to more recipients is an offence punishable by up to 5 years jail and a fine of up to HK$1,000,000. Specifically:
- supply, acquisition or use of telephone number or email address harvesting software / harvested address lists for sending commercial electronic messages without the consent of the recipients;
- generating electronic addresses by automated processes to send a commercial electronic message;
- use of scripts or other automated means to register for five (5) or more email addresses to send multiple commercial electronic messages; or
- relay or retransmission of multiple commercial electronic messages to deceive or mislead recipients as to the source of such messages.
“Multiple messages” means >100 messages within 24 hours, or >1000 messages within 30 days.
The second phase is planned to take effect from 22 December 2007 and sets rules for what can be termed “proper mailing list management”. OFTA can issue an enforcement notice where there is a contravention, and continued contravention can lead to a fine up to HK$100,000. The rules include:
Commercial electronic Messages with a HK link must:
- contain accurate sender information;
- contain a functional unsubscribe facility;
- must not be sent to electronic address listed in do-not-call register;
- must not use misleading subject headings
- must not be sent with calling line identification information concealed
Unsubscribe requests must
- be acted on within 10 working days
- be kept for 3 years
Misuse of information in an unsubscribe request, or a do-not-call register is an offence punishable by up to 5 years jail and a fine up to HK$1,000,000.
The UEMO also allows OFTA to establish codes of practice. Breaking a Code of Practice is not an offence, but may be used to determine a matter in court. The first Code of Practice established29,33 details supplementary rules about the sending of commercial electronic messages when the second phase comes into effect:
All commercial electronic messages must include:
- Senders name (as shown on identity document, if the sender is an individual)
- Telephone number
In addition, SMS messages must include an address, unless the recipient can obtain the address by using the telephone number. Other messages must include an address.
Emails must also include an email address.
The information must be given in both Chinese and English, unless the recipient has indicated otherwise. However, the name and address may be given in only Chinese or English if they are Chinese only or English only.
Messages sent to telephone numbers must present the information at the beginning, unless they are accessible throughout the message.
At least one of the provided unsubscribe facilities must be usable from the device used by the recipient to access the message. For an SMS message, the unsubscribe facility must be a HK phone number usable orally or by key input. Unsubscribe facilities must be convenient to use, readily available and must not contain a commercial message.
The UEMO also gives OFTA the power to establish do-not-call registers, and various powers to investigate and make arrests.
Also, a spam victim can bring proceedings for damages in the District Court, or Small Claims Tribunal, whether or not there was an offence, or a conviction.
5 Operation
From the date of the UEMO coming into force, OFTA had facilities and instructions for submitting reports by fax, phone, webpage and in writing. The webpage report form has already passed through several versions. The original version limited the email headers and email content to 2000 characters each, files uploaded had to have particular extensions, and were scanned for viruses. The latest version fixes these problems, but the submission still involves a captcha, making automating spam submission difficult. There are also no shortcuts for multiple submissions – each submission requires the reporter to fill in their name and company, contact details etc. The form also asks for details that can be determined automatically from message headers, such as the time of receipt. The author found that the web submission process could be completed in approximately 2 minutes; a person unfamiliar with the process would take longer. This can be compared to about 5 seconds for forwarding a message for adaptive filtering training, or about 2 seconds for deleting a message in the in-box.
Matching individual messages to later responses from OFTA was also a problem. OFTA allocates case numbers to the messages, but these are not reported at submission time. Initially, OFTA’s reponses referred to reports by date, apparently not considering that a reporter may make more than one report per day. This made matching the messages to responses in the later part of this paper infeasible. Currently, OFTA includes the Message-ID as a unique identifier in its responses, but the ideal procedure would be to report the case number at submission time, and to include the case number and Message-ID in later responses.
OFTA is also operating honeypots24 for capturing voice (pre-recorded and person-to-person) and fax calls, and, for email: address harvesting, open relays and dictionary attacks. The email-related honeypots have been established with .hk domain names and Hong Kong IP addresses, they got results the first day they were operating, but the sources have not been in Hong Kong yet.
OFTA noted34 a particular challenge of spamvertised .hk domains, i.e. .hk websites that are promoted by spam. Like all other anti-spam legislation, the UEMO does not cover spamvertised hyperlinks as it is almost impossible to prove the domain owner was involved in sending the spam. During June and July 2007, over 40% of spam reports were related to spamvertised .hk domains, overseas recipients were reporting spam messages not sent from Hong Kong, but containing a .hk link. Although the messages did not have a “Hong Kong link”, as defined by the UEMO, OFTA considered that the high volume of reports indicated that the issue required attention, particularly as it affected the worldwide reuptation of .hk domains. OFTA has collaborated with the .hk registrar, the Hong Kong Domain Name Registration Company (HKDNR) and established a daily feed from a reputable source of .hk URI spam to the HKDNR. The HKDNR applies a set of delisting criteria, and domains that exceed a certain score are delisted. The HKDNR delisted over 8,000 .hk spamvertised domains within two weeks of the introduction of the system in July 2007. The owners of the delisted domains have not appealed; it is assumed the spammers simply went elsewhere.
An incident where a HK media company sent out a message with an unsubscribe link where the text did not match the link revealed that people are more likely to report when a mechanism is not working. OFTA received multiple reports about the message24 and considered it indicated a good willingness of the public to report incidents.
Hong Kong companies and organisatons do appear to be gearing up for the second phase. For example, the author has been unable to unsubscribe for several years from the mailing list of a local marketing association, each email would arrive containing an unsubscribe link, and using the link would report that unsubscription had happened, but the messages did not stop. However, the last message received had a different link, and the messages appear to have stopped. OFTA noted that Wharf T&T has built a “public unsubscribe system” that SME senders can make use of free of charge24 for cleansing their marketing databases.
OFTA sees that the second phase will have more direct impact on the public, and it considers that it has gained a lot of useful experience, for example, in conducting investigations, in the months since the first phase took effect24. It has also gathered useful intelligence on possible offenders.
6 Statistics
6.1 OFTA Statistics
OFTA received about 1000 reports in the period from 1 June 2007 to 30 September 200734. Out of which 917 (91.7%) have been handled (please see Table 2), with a remainder of 83 still in progress. There have been no prosecutions.
Table 1: Breakdown by status and type
| Reports Received | Reports Handled | In Progress |
Type of UEM Reports: | Number | Percentage | Number | Percentage |
a. Junk Fax | 478 | 47.80% | 457 | 49.84% | 21 |
b. Email | 397 | 39.70% | 390 | 42.53% | 7 |
c. Others (SMS, Pre-recorded, etc) | 125 | 12.50% | 70 | 7.63% | 55 |
Total | 1000 | | 917 | | 83 |
Table 2: Breakdown of handled reports
Type of handled reports: | No. of Reports | Percentage |
Out of Scope (e.g. non-commercial, person-to-person calls, no Hong Kong link, spamvertised domains) | 122 | 13.30% |
Relevant to Part 2 offences only (the provisions that are not yet in effect) | 656 | 71.54% |
Other | 139 | 15.16% |
Total | 917 |
OFTA noted that the second category was highly relevant to their manpower planning when the second phase starts24.
Table 3: Country of Origin (Email only)
Name of Country | No. of Reports | Percentage |
People's Republic of China | 57 | 41% |
United States | 23 | 17% |
Germany | 8 | 6% |
Republic of China (Taiwan) | 6 | 4% |
United Kingdom | 6 | 4% |
Switzerland | 5 | 4% |
Czech Republic | 3 | 2% |
Countries with less than 3 reports are not individually listed | 31 |
Total | 139 |
OFTA commented34 that the technology neutral approach of the UEMO led to a high volume of reports of a diverse nature. The majority of the reports were either outside the scope of the UEMO, or related to the parts not yet in operation, though OFTA took the opportunity to remind senders of the need to comply when those parts come into force. In general, senders reacted positively, taking action to be ready for the second phase, for example, by buying more capable mailing software. OFTA suggested that these reports were due to the large scale of the problem, and people’s frustration, wanting something to be done24.
6.2 Author’s Statistics
6.2.1 Measuring Spam
Figure 1 shows the messages passing the author’s email gateway in the period from December 2005 to last Tuesday. The categorization as spam, virus or other is as reported by the gateway, and is not adjusted for false positives and false negatives. The number of spam messages is roughly doubling each year, while the number of other messages is roughly constant. Note that phase 1 of the UEMO came into effect on 1 June 2007; there is no discernable effect on the number of spam messages. Interestingly, the number of virus–containing messages has fallen dramatically since June, but it is difficult to explain this as a causal relationship.
6.2.2 Reporting Contravening Messages
The author reported selected spam to OFTA, the reports from 1 June to 6 October 2007 are discussed here. The spam arrived in the author’s mailbox, so it was a false negative for the gateway, and messages that the author considered represented a clear violation of the parts of the ordinance already in place. Mostly, these were commercial emails sent to the author’s webmaster address (see Table 4), on the grounds that an intelligent person harvesting addresses from websites would understand the special purpose of the address, but automated software would not, and the address had not been published elsewhere, the same is true of the virus@samples.y*****.com.hk address, a special-purpose address for receiving virus samples. A few were sent to the author’s normal address, but other features, such as a large To: field, indicated abuse. The rest were addresses that had never existed, and therefore indicated address generation.
Table 4: Recipient’s Address of Reported Messages
(Addresses partially obscured to prevent further harvesting)
webmaster@y*****.com.hk | 116 |
adyer@y*****.com.hk | 13 |
0@va*****.com.hk | 5 |
virus@samples.y*****.com.hk | 2 |
vampire@va*****.com.hk | 1 |
sp2yn7a6utqir67m7x76@anti-*****.com.hk | 1 |
Total | 138 |
In most cases (see Table 5), OFTA found that the email originated in another jurisdiction, and referred the case to the relevant agency, if one existed. In sixteen cases, OFTA contacted the sender and found the address was probably not harvested by software – the companies claimed manual collection, and the address lists contained additional information, such as recipient names. OFTA reported that the companies had unsubscribed the recipient address. In four cases the email content could not be understood – it looked like junk, and was not a common encoding or character set. OFTA concluded they had no commercial content, and were therefore not covered by the UEMO. Two cases appeared to be criminal fraud, and OFTA agreed to pass the details to the Police.
Table 5: OFTA’s Response to the Reports
Response | Cases |
not harvested | 16 |
no commercial element | 4 |
Advanced Fee Fraud | 1 |
phishing or scam | 1 |
| | Anti-Spam Agency |
Argentina | 1 | None |
Belarus | 2 | None |
Brazil | 3 | None |
Bulgaria | 1 | None |
Canada | 1 | None |
China | 84 | Internet Society of China |
Czech Republic | 1 | None |
Germany | 1 | None |
France | 2 | None |
India | 3 | None |
Netherlands | 1 | None for company recipients |
Philippines | 1 | None |
Portugal | 3 | None |
Russia | 1 | None |
Spain | 1 | None |
Switzerland | 3 | None |
Taiwan | 2 | None |
Turkey | 2 | None |
UK | 1 | Information Comissioners Office |
United Arab Emirates | 1 | None |
USA | 21 | Federal Trade Commission |
Vietnam | 1 | None |
7 Conclusions
The informal discussion of the proposals with stakeholders considered six guiding principles, most been met:
- Recipients should have the right to decide whether to receive UEMs.
Recipients merely have the right to stop receiving UEMs.
- The legislation should provide room for the development of e-marketing in Hong Kong as a legitimate promotion channel.
e-marketing in Hong Kong can continue with minor adjustment, e.g. compliance with the functional unsubscribe facility requirement.
- The legislation should prevent Hong Kong from becoming a safe haven for illicit spamming activities.
The action on spamvertised domain names, while it was not mandated by the legislation, makes it clear there is now willingness to take action.
- Freedom of speech and expression must not be impeded.
The author is unclear why anti-spam laws are seen as a danger to freedom of speech. We do not consider trespass laws, which prevent people from entering your home to preach in your living room, as impeding freedom of speech.
- Penalties and remedies against spammers should be proportionate to the severity of the offences.
The UEMO has three levels of penalties and remedies, matched to the severity of the offences.
- Statutory provisions should be enforceable with reasonable efforts.
Spam is an automated offence, but the current reporting mechanism is designed to ensure manual reporting. In addition, reporting takes a lot more time than likely alternate actions; so reporting is strongly discouraged.
Address harvesting is largely an unprovable offence. It is unclear how to prove, beyond reasonable doubt, that and address was not collected by legitimate means. Possibly, a large number of reports concerning the same sender could make it unlikely, but the current reports of email spam are a snowflake on the tip of the iceberg.
Overall, it is unlikely that the UEMO will have a noticable effect on email spam received by Hong Kong users. It will have a positive effect by ensuring better management of legitimate email lists and it has made it more difficult for spammers to use Hong Kong resources. The UEMO has helped Hong Kong to take part in International cooperation as Hong Kong is now regarded as one of the jurisdictions that take the issue of anti-spam seriously34.