This article first appeared in the South China Morning Post, 2004
Furtively you tap at your keyboard, the opportunity is too good to miss, but the risks are high. You hit "send", but before you can relax the crack enforcement squad has broken down the door and swung through the window. You have been caught for the heinous crime of sending a surprise birthday greeting to a friend!
Spam is out of control. Since February, the amount of spam received by my company has doubled. The good news is that our email gateway is recognising and stopping about 99% of that, but, if the growth continues, our Internet connection will cease to be our method of communicating with the world - it will be full of spam on its way to deserved destruction. When a problem is out of control, we tend to call on our politicians to wave the magic wand of Legislation; how can we legislate effectively against spam without making everyone a criminal?
Technology has provided cheap, fast communications, but can we strike a balance between drowning in a rising tide of spam and suffocating under restrictive legislation? OFTA's forthcoming public consultation on Anti-Spam legislation will provide an excellent opportunity for discussion.
On the one hand, I have been accused of being a spammer - my company had recently sent out some marketing material to addresses in its database, and I received a strongly worded reply saying, among other things, that the recipient had never given us his address. After deleting the recipient's record from the database, I posted his name card to him - I hope he was a little embarrassed about the false accusation.
On the other hand, even well-known organisations in Hong Kong are sending unsolicited email. Last October, the Hong Kong Productivity Council sent a message promoting a marketing course to an address published for reporting problems about my webserver. When asked, they reported that they had bought a mailing list, but said they were adding the address to an opt-out list, "which prevents our promotional messages sent to you in the future". Last month, I received a promotional message at the same address with a contact number at the HKPC. The HKPC confirmed they had provided their address database to the organisation that sent the message. Interestingly, the message promoted an SME E-Marketing Seminar; I wonder if they included "good mailing list management" in the agenda.
Does it matter that companies and organisations are using addresses they find in automated searches of webpages? Suppose you have a personal webpage about your hobby and write, "if you are interested in basket weaving email me", or a company puts on its page, "to purchase our products, email …". The current situation is that every one of the approximately 300,000 companies in Hong Kong can scan those pages and add the addresses to their mailing lists about their products, their seminars on E-Marketing, their shipping schedules etc. Just asking them all to stop is a Herculean task.
This is why I think that the recent US anti-spam legislation, the "CAN-SPAM" Act, will prove ineffective. The CAN-SPAM Act says that companies can send messages until you ask them to stop. Hong Kong should adopt a similar approach to Australia and Belgium, which both require the recipients' prior consent. If the law applies to all mailing list managers, and all recipients, whether companies or individuals, it will eliminate spam from responsible organisations that respect the law.
However, critics point out that the most prolific spammers are already criminals: they are using hijacked computers to send fraudulent messages about illegal deals or illegal substances, so one more law will not stop them. Effective enforcement is difficult, but perhaps spam could become a trail to follow to the culprit. Each message is circumstantial evidence of the methods and intent of the sender, but it is currently thrown away. Suppose a victim of an advance fee fraud scam, "You have won $100,000 in a Lottery (send $10 processing fee)", managed to identify the culprit and wanted to prosecute - the sentence for a ten-dollar crime is not going to be very high. But add evidence that the sender had hijacked one hundred computers and used them to send fifty million similar messages, and a more meaningful sentence can result.
What about those hijacked computers? The owners are unaware their machines are dirty and harbouring rats, and currently no one is telling them. The spam and ISP records can lead directly to identifying the machines, so why not send a team to collect evidence, clean up, and educate the owner about better online security? This is like Public Health Inspections: the visit may seem invasive, but the goal is of benefit to the subject, and to the whole Society.
To achieve this at reasonable cost we need a highly automated system. The existing gateways that organisations use to block spam could be modified to make standardised reports to the Authorities. Those reports could be collated to identify and target the most prolific sources for action. A little human judgement should be added before dispatching enforcement teams, to prevent silly mistakes.