Is Hong Kong's new Anti-Spam Law Effective?

First published: 28^th November 2007

1 Abstract

Hong Kong passed the "Unsolicited Electronic Messages (UEM) Bill"¹ on Wednesday, 23rd May 2007 and some parts came into effect on 1st June 2007. The remainder will be implemented towards the end of 2007.

2 Introduction

Hong Kong’s anti-spam law, the Unsolicited Electronic Messages Ordinance (UEMO), has been in the making since 2000 and has been in effect for less than six months, some provisions have still to come into force, but already there is a lot to learn.

2.1 Abbreviations

OFTA Office of the Telecommunications Authority, the Government regulator for telecommunications.

LegCo Legislative Council, Hong Kong’s lawmakers.

UEMO Unsolicited Electronic Messages Ordinance

3 Development of the Ordinance

There has been a slow change in the attitude of the Hong Kong Government, and, more specifically OFTA, towards spam. Before 2000, there was nothing to suggest OFTA was even aware spam existed.

In February 2000, OFTA, the Hong Kong Internet Service Providers Association (HKISPA) and the Office of the Privacy Commissioner for Personal Data (PCO) issued a press release outlining Joint Anti-Spam Initiatives². This consisted of an “industry Code of Practice”, detailing sanctions to be imposed on spammers, and a leaflet “FAQs on Spam”, published by OFTA. ISPs that conformed to the Code were to be given a special identification logo. However, no ISPs announced they were adopting the Code of Practice, and no list of ISPs authorised to use the special logo was ever published by the HKISPA.

In October 2003, OFTA’s normal response to spam complaints was “at present there is no law in Hong Kong specifically prohibiting spamming. The Government encourages the Internet industry to exercise self-regulation in tackling spamming activities.”³

In November 2003, Hon. Sin Chung Kai, Legislative Councillor for the IT Functional Constituency, conducted a survey on spam among his constituents, and followed that up with an Anti-Spam Forum - “to REGULATE or NOT” in January 2004, jointly organised with the HKISPA and the Hong Kong Anti-Spam Coalition (a new organisation, formed in the summer of 2003, involving the HKISPA, Asia Digital Marketing Association, Microsoft and Time Warner). At the forum, the HKISPA estimated “the potential economic lost to the Hong Kong economy could be as much as HK$ 10 billion per year, with lost productivity alone at HK$ 6 billion per year”, and Hon. Sin revealed his survey showed 70% in favour of anti-spam legislation.⁴

At the beginning of 2004, OFTA met informally to discuss views on anti-spam legislation with industry groups, including the Hong Kong Computer Society⁵, but the public Government position was to reply on technology to combat spam⁶. In June, OFTA issued a consultation paper on measures to control spam^7,8 . There were seventeen responses from companies, nineteen from organisations, and six from individuals, published in November 2004⁹.

In February 2005, the then Commerce, Industry and Technology Bureau launched an anti-spam campaign called “STEPS”¹⁰, which consisted of a multi-pronged approach:

• S – Strengthening existing regulatory measures
• T – Technical solutions
• E – Education
• P – Partnerships
• S – Statutory measures

The existing regulatory measures were those covering junk faxes and junk SMS. The technical solutions were supported by a website¹¹ and Government support of industry events¹². Education also included the website, radio programmes, teaching materials for schools, exhibitions and a leaflet. Under partnerships, the Commerce, Industry and Technology Bureau and 11 other Agencies signed the Seoul-Melbourne Multilateral Memorandum of Understanding (MoU) on Co-operation in Countering Spam on April 27 2005. Under statutory measures the Commerce Industry and Technology Bureau reported to the Legislative Council that it aimed, “to work out a legislative framework which is largely acceptable to different stakeholders by striking the right balance between the need to discourage spamming and to enable legitimate e-marketing activities to develop properly”¹³, with the intent to introduce a bill in 2006.

In March and June 2005, the Commerce, Industry and Technology Bureau invited Stakeholders (including industry organisations, business organisations, legal parties, the Consumer Council and Government Bureaux and Departments), to informal discussions on the draft framework for the legislation. The discussion document recommended six guiding principles:

1. Recipients should have the right to decide whether to receive UEMs.
2. The legislation should provide room for the development of e-marketing in Hong Kong as a legitimate promotion channel.
3. The legislation should prevent Hong Kong from becoming a safe haven for illicit spamming activities.
4. Freedom of speech and expression must not be impeded.
5. Penalties and remedies against spammers should be proportionate to the severity of the offences.
6. Statutory provisions should be enforceable with reasonable efforts.

In June 2005, the HKISPA published version 2.0 of its Code of Practice¹⁴, and an implementation guide for service providers and web site operators¹⁵.

RTHK broadcast an anti-spam documentary on 11 July 2005, in the news magazine programme, “The Hong Kong Connection”. On the same day, the CITB presented the draft legislation to the Legco Panel on Information Technology and Broadcasting^16,17.

In January 2006, the Commerce, Industry and Technology Bureau (CITB) issued a consultation paper on the proposed legislation^18,19. There were twenty submissions from organisations, sixteen from companies and thirty-four from individuals, published in July 2006.

In March 2006, the Legco Panel on Information Technology and Broadcasting met and heard submissions from Stakeholders on the draft legislation²⁰.

The Bill was introduced into LegCo on 12 July^21,22. The Bill Committee accepted submissions from Stakeholders in October 2006²³. The Bill was passed in May 2007, and the first phase came into force on 1 June 2007.

In October 2007, OFTA’s point of view²⁴ was that the top priority for the Hong Kong public in unsolicited electronic messages at the moment was fax, particularly because of the paper costs. Pre-recorded voice messages had been the biggest concern during 2006, but OFTA had dealt with it by administrative methods and introducing a code of practice with telco operators, resulting in a 90% drop in calls by the end of 2006. Under the code of practice, if a telco receives complaints from its customers, it can refer the case to the originating telco, who can take action, e.g. by cutting lines. As IVR equipment is expensive, there are few offenders, each making thousnds of calls per day, and disupting their activities causes a large drop-off in a short space of time. Some IVR operators are still in business, their activities are not illegal as long as they follow the rules.

In September 2007, OFTA issued a consultation paper on the Code of Practice for the UEMO²⁵. There were twelve submissions, published October 2007²⁶. In October 2007, OFTA announced the second phase of the legislation would come into force on 22 December²⁷. The Code of Practice was published on 26 November^28,29.

4 Main Features of the Ordinance

The full Unsolicited Electronic Messages Ordinance (UEMO) is published online in the Bilingual Laws Information System¹. OFTA has also published a General Guide³⁰, and an Industry Guide³¹ to the Ordinance. The main features are:

1. Opt-out regime.
2. The UEMO covers commercial electronic messages with a Hong Kong link:
   1. includes (but not limited to) email, IM, pre-recorded voice messages sent to telephones, and fax;
   2. "commercial" includes offers and advertisements of goods, services, facilities, land, investments and business opportunities;
   3. a Hong Kong link means sent to a HK telephone number, or received in HK, or sent or authorised by someone physically in HK, or by a HK company or organisation.
   4. Exemptions are listed in Schedule 1³² and include:
      1. television and radio broadcasts;
      2. messages that involve person-to-person interactive communications between a caller and a recipient, with or without any pre-recorded or synthesized element
      3. A reasonable response to information sent by the recipient to the sender
      4. A message about a transaction the recipient has previously agreed to enter into with the sender, or warranty/recall information about a product purchased or used by the recipient, or to deliver goods or services, inc. product updates or upgrades
      5. Account statements, subscription information concerning an ongoing commercial relationship
      6. Messages about the recipients’ employment relationship or related benefit plan.

The UEMO is coming into effect in two phases. The first phase took effect on 1 June 2007 and included:

Fraud and other illicit activities related to sending of multiple commercial electronic messages are offences punishable by up to 10 years jail and an unlimited fine. Specifically:

1. accessing a telecommunications device without authorisation to send multiple commercial electronic messages;
2. sending of multiple commercial electronic messages from a telecommunications device without authorisation with a view to deceiving or misleading recipients about the source;
3. falsifying header information in multiple commercial electronic messages and sending of such messages;
4. registering for electronic addresses or domain names using information that falsifies the identity of actual registrants to send multiple commercial electronic messages;
5. falsely representing to be the registrant of an electronic address or a domain name to send multiple commercial electronic messages.

Use of unscrupulous techniques to reach out to more recipients is an offence punishable by up to 5 years jail and a fine of up to HK$1,000,000. Specifically:

1. supply, acquisition or use of telephone number or email address harvesting software / harvested address lists for sending commercial electronic messages without the consent of the recipients;
2. generating electronic addresses by automated processes to send a commercial electronic message;
3. use of scripts or other automated means to register for five (5) or more email addresses to send multiple commercial electronic messages; or
4. relay or retransmission of multiple commercial electronic messages to deceive or mislead recipients as to the source of such messages.

“Multiple messages” means >100 messages within 24 hours, or >1000 messages within 30 days.

The second phase is planned to take effect from 22 December 2007 and sets rules for what can be termed “proper mailing list management”. OFTA can issue an enforcement notice where there is a contravention, and continued contravention can lead to a fine up to HK$100,000. The rules include:

Commercial electronic Messages with a HK link must:

1. contain accurate sender information;
2. contain a functional unsubscribe facility;
3. must not be sent to electronic address listed in do-not-call register;
4. must not use misleading subject headings
5. must not be sent with calling line identification information concealed

Unsubscribe requests must

1. be acted on within 10 working days
2. be kept for 3 years

Misuse of information in an unsubscribe request, or a do-not-call register is an offence punishable by up to 5 years jail and a fine up to HK$1,000,000.

The UEMO also allows OFTA to establish codes of practice. Breaking a Code of Practice is not an offence, but may be used to determine a matter in court. The first Code of Practice established^29,33 details supplementary rules about the sending of commercial electronic messages when the second phase comes into effect:

All commercial electronic messages must include:

1. Senders name (as shown on identity document, if the sender is an individual)
2. Telephone number

In addition, SMS messages must include an address, unless the recipient can obtain the address by using the telephone number. Other messages must include an address.

Emails must also include an email address.

The information must be given in both Chinese and English, unless the recipient has indicated otherwise. However, the name and address may be given in only Chinese or English if they are Chinese only or English only.

Messages sent to telephone numbers must present the information at the beginning, unless they are accessible throughout the message.

At least one of the provided unsubscribe facilities must be usable from the device used by the recipient to access the message. For an SMS message, the unsubscribe facility must be a HK phone number usable orally or by key input. Unsubscribe facilities must be convenient to use, readily available and must not contain a commercial message.

The UEMO also gives OFTA the power to establish do-not-call registers, and various powers to investigate and make arrests.

Also, a spam victim can bring proceedings for damages in the District Court, or Small Claims Tribunal, whether or not there was an offence, or a conviction.

5 Operation

From the date of the UEMO coming into force, OFTA had facilities and instructions for submitting reports by fax, phone, webpage and in writing. The webpage report form has already passed through several versions. The original version limited the email headers and email content to 2000 characters each, files uploaded had to have particular extensions, and were scanned for viruses. The latest version fixes these problems, but the submission still involves a captcha, making automating spam submission difficult. There are also no shortcuts for multiple submissions – each submission requires the reporter to fill in their name and company, contact details etc. The form also asks for details that can be determined automatically from message headers, such as the time of receipt. The author found that the web submission process could be completed in approximately 2 minutes; a person unfamiliar with the process would take longer. This can be compared to about 5 seconds for forwarding a message for adaptive filtering training, or about 2 seconds for deleting a message in the in-box.

Matching individual messages to later responses from OFTA was also a problem. OFTA allocates case numbers to the messages, but these are not reported at submission time. Initially, OFTA’s reponses referred to reports by date, apparently not considering that a reporter may make more than one report per day. This made matching the messages to responses in the later part of this paper infeasible. Currently, OFTA includes the Message-ID as a unique identifier in its responses, but the ideal procedure would be to report the case number at submission time, and to include the case number and Message-ID in later responses.

OFTA is also operating honeypots²⁴ for capturing voice (pre-recorded and person-to-person) and fax calls, and, for email: address harvesting, open relays and dictionary attacks. The email-related honeypots have been established with .hk domain names and Hong Kong IP addresses, they got results the first day they were operating, but the sources have not been in Hong Kong yet.

OFTA noted³⁴ a particular challenge of spamvertised .hk domains, i.e. .hk websites that are promoted by spam. Like all other anti-spam legislation, the UEMO does not cover spamvertised hyperlinks as it is almost impossible to prove the domain owner was involved in sending the spam. During June and July 2007, over 40% of spam reports were related to spamvertised .hk domains, overseas recipients were reporting spam messages not sent from Hong Kong, but containing a .hk link. Although the messages did not have a “Hong Kong link”, as defined by the UEMO, OFTA considered that the high volume of reports indicated that the issue required attention, particularly as it affected the worldwide reuptation of .hk domains. OFTA has collaborated with the .hk registrar, the Hong Kong Domain Name Registration Company (HKDNR) and established a daily feed from a reputable source of .hk URI spam to the HKDNR. The HKDNR applies a set of delisting criteria, and domains that exceed a certain score are delisted. The HKDNR delisted over 8,000 .hk spamvertised domains within two weeks of the introduction of the system in July 2007. The owners of the delisted domains have not appealed; it is assumed the spammers simply went elsewhere.

An incident where a HK media company sent out a message with an unsubscribe link where the text did not match the link revealed that people are more likely to report when a mechanism is not working. OFTA received multiple reports about the message²⁴ and considered it indicated a good willingness of the public to report incidents.

Hong Kong companies and organisatons do appear to be gearing up for the second phase. For example, the author has been unable to unsubscribe for several years from the mailing list of a local marketing association, each email would arrive containing an unsubscribe link, and using the link would report that unsubscription had happened, but the messages did not stop. However, the last message received had a different link, and the messages appear to have stopped. OFTA noted that Wharf T&T has built a “public unsubscribe system” that SME senders can make use of free of charge²⁴ for cleansing their marketing databases.

OFTA sees that the second phase will have more direct impact on the public, and it considers that it has gained a lot of useful experience, for example, in conducting investigations, in the months since the first phase took effect²⁴. It has also gathered useful intelligence on possible offenders.

6 Statistics

6.1 OFTA Statistics

OFTA received about 1000 reports in the period from 1 June 2007 to 30 September 2007³⁴. Out of which 917 (91.7%) have been handled (please see ^{Table 2}), with a remainder of 83 still in progress. There have been no prosecutions.

Table 1: Breakdown by status and type

	Reports Received		Reports Handled		In Progress
Type of UEM Reports:	Number	Percentage	Number	Percentage
a. Junk Fax	478	47.80%	457	49.84%	21
b. Email	397	39.70%	390	42.53%	7
c. Others (SMS, Pre-recorded, etc)	125	12.50%	70	7.63%	55
Total	1000		917		83

Table 2: Breakdown of handled reports

Type of handled reports:	No. of Reports	Percentage
Out of Scope (e.g. non-commercial, person-to-person calls, no Hong Kong link, spamvertised domains)	122	13.30%
Relevant to Part 2 offences only (the provisions that are not yet in effect)	656	71.54%
Other	139	15.16%
Total	917

OFTA noted that the second category was highly relevant to their manpower planning when the second phase starts²⁴.

Table 3: Country of Origin (Email only)

Name of Country	No. of Reports	Percentage
People's Republic of China	57	41%
United States	23	17%
Germany	8	6%
Republic of China (Taiwan)	6	4%
United Kingdom	6	4%
Switzerland	5	4%
Czech Republic	3	2%
Countries with less than 3 reports are not individually listed	31
Total	139

OFTA commented³⁴ that the technology neutral approach of the UEMO led to a high volume of reports of a diverse nature. The majority of the reports were either outside the scope of the UEMO, or related to the parts not yet in operation, though OFTA took the opportunity to remind senders of the need to comply when those parts come into force. In general, senders reacted positively, taking action to be ready for the second phase, for example, by buying more capable mailing software. OFTA suggested that these reports were due to the large scale of the problem, and people’s frustration, wanting something to be done²⁴.

6.2 Author’s Statistics

6.2.1 Measuring Spam

Figure 1 shows the messages passing the author’s email gateway in the period from December 2005 to last Tuesday. The categorization as spam, virus or other is as reported by the gateway, and is not adjusted for false positives and false negatives. The number of spam messages is roughly doubling each year, while the number of other messages is roughly constant. Note that phase 1 of the UEMO came into effect on 1 June 2007; there is no discernable effect on the number of spam messages. Interestingly, the number of virus–containing messages has fallen dramatically since June, but it is difficult to explain this as a causal relationship.

6.2.2 Reporting Contravening Messages

The author reported selected spam to OFTA, the reports from 1 June to 6 October 2007 are discussed here. The spam arrived in the author’s mailbox, so it was a false negative for the gateway, and messages that the author considered represented a clear violation of the parts of the ordinance already in place. Mostly, these were commercial emails sent to the author’s webmaster address (see Table 4), on the grounds that an intelligent person harvesting addresses from websites would understand the special purpose of the address, but automated software would not, and the address had not been published elsewhere, the same is true of the virus@samples.y*****.com.hk address, a special-purpose address for receiving virus samples. A few were sent to the author’s normal address, but other features, such as a large To: field, indicated abuse. The rest were addresses that had never existed, and therefore indicated address generation.

Table 4: Recipient’s Address of Reported Messages

(Addresses partially obscured to prevent further harvesting)

webmaster@y*****.com.hk	116
adyer@y*****.com.hk	13
0@va*****.com.hk	5
virus@samples.y*****.com.hk	2
vampire@va*****.com.hk	1
sp2yn7a6utqir67m7x76@anti-*****.com.hk	1
Total	138

In most cases (see Table 5), OFTA found that the email originated in another jurisdiction, and referred the case to the relevant agency, if one existed. In sixteen cases, OFTA contacted the sender and found the address was probably not harvested by software – the companies claimed manual collection, and the address lists contained additional information, such as recipient names. OFTA reported that the companies had unsubscribed the recipient address. In four cases the email content could not be understood – it looked like junk, and was not a common encoding or character set. OFTA concluded they had no commercial content, and were therefore not covered by the UEMO. Two cases appeared to be criminal fraud, and OFTA agreed to pass the details to the Police.

Table 5: OFTA’s Response to the Reports

Response	Cases
not harvested	16
no commercial element	4
Advanced Fee Fraud	1
phishing or scam	1
		Anti-Spam Agency
Argentina	1	None
Belarus	2	None
Brazil	3	None
Bulgaria	1	None
Canada	1	None
China	84	Internet Society of China
Czech Republic	1	None
Germany	1	None
France	2	None
India	3	None
Netherlands	1	None for company recipients
Philippines	1	None
Portugal	3	None
Russia	1	None
Spain	1	None
Switzerland	3	None
Taiwan	2	None
Turkey	2	None
UK	1	Information Comissioners Office
United Arab Emirates	1	None
USA	21	Federal Trade Commission
Vietnam	1	None

7 Conclusions

The informal discussion of the proposals with stakeholders considered six guiding principles, most been met:

1. Recipients should have the right to decide whether to receive UEMs.

   Recipients merely have the right to stop receiving UEMs.

2. The legislation should provide room for the development of e-marketing in Hong Kong as a legitimate promotion channel.

   e-marketing in Hong Kong can continue with minor adjustment, e.g. compliance with the functional unsubscribe facility requirement.

3. The legislation should prevent Hong Kong from becoming a safe haven for illicit spamming activities.

   The action on spamvertised domain names, while it was not mandated by the legislation, makes it clear there is now willingness to take action.

4. Freedom of speech and expression must not be impeded.

   The author is unclear why anti-spam laws are seen as a danger to freedom of speech. We do not consider trespass laws, which prevent people from entering your home to preach in your living room, as impeding freedom of speech.

5. Penalties and remedies against spammers should be proportionate to the severity of the offences.

   The UEMO has three levels of penalties and remedies, matched to the severity of the offences.

6. Statutory provisions should be enforceable with reasonable efforts.

   Spam is an automated offence, but the current reporting mechanism is designed to ensure manual reporting. In addition, reporting takes a lot more time than likely alternate actions; so reporting is strongly discouraged.

   Address harvesting is largely an unprovable offence. It is unclear how to prove, beyond reasonable doubt, that and address was not collected by legitimate means. Possibly, a large number of reports concerning the same sender could make it unlikely, but the current reports of email spam are a snowflake on the tip of the iceberg.

Overall, it is unlikely that the UEMO will have a noticable effect on email spam received by Hong Kong users. It will have a positive effect by ensuring better management of legitimate email lists and it has made it more difficult for spammers to use Hong Kong resources. The UEMO has helped Hong Kong to take part in International cooperation as Hong Kong is now regarded as one of the jurisdictions that take the issue of anti-spam seriously³⁴.