Examination of Witnesses (Questions 400
- 407)
WEDNESDAY 24 JANUARY 2007
MR NICHOLAS
BOHM, PROFESSOR
IAN WALDEN
AND MR
PHIL JONES
Q400 Baroness Sharp of Guildford:
Do you think that the current UK anti-spam laws are adequate,
and if not what should we do to improve them?
Professor Walden: From a criminal perspective,
which is an area I have been concerned with of late, some jurisdictions
have criminalised not the sending of spam but actions related
to spamming activities, but I think English law is currently sufficient.
The Computer Misuse Act would be the most relevant legislation
in most circumstances and I do not think the sending of spam per
se is necessarily an area for criminal law, and I think the
Data Protection Act and associated legislation is more suitable.
Mr Jones: Just two quick points there. First
of all, when you look at the way the Privacy and Electronic Communications
Regulations apply to unsolicited emails, rather strangely they
do not apply to unsolicited emails sent to a corporate subscriber,
that is to a company or an organisation. That is slightly strange
because the rules applying to phone calls and to faxes do apply
to corporate subscribers. So first of all there is actually a
mismatch between what people would traditionally think of as spam,
the bulk sending, the indiscriminateness, but the way these regulations
apply it distinguishes between the recipient, regardless of the
content of the message. That is something which is within the
DTI's purview. It does seem slightly odd. They did change the
rules fairly recently relating to phone calls, so that would be
a possibility.
Q401 Baroness Sharp of Guildford:
Does that explain why I get so much more spam and phishing on
my parliamentary email than I do on my NTL one at home?
Mr Jones: It may well do. It might be because
it is also very easy to work out what parliamentary email addresses
are. I think they follow a standard format. The other thing which
is true is that because the rules are part of the package which
applies to phone calls and faxes, the current rules treat them
the same in terms of penalty. I am not saying it is impossible,
but I think there would be some difficulty in deciding that one
form of communication, regardless of its content, was inherently
more heinous than another. So I think that would be quite a difficult
balance to get right if you were to think of changing the law
there.
Q402 Baroness Sharp of Guildford:
How many people in the UK actually send spam, and have there been
any prosecutions at all?
Mr Jones: We have not prosecuted anybody, for
two reasons. First of all, we still get far fewer complaints about
email than we do about phone calls and faxes, so the action we
have taken thus far has been against serial abusers of the fax
rules and the phone rules. That is the first point. The second
point is that, as I said before, they would only commit an offence
when they were subject to an enforcement notice and ignored it.
The email complaints that we get at the moment, some of them are
not valid because they are actually received by a corporate subscriber,
and that I have already explained. Some of them are perfectly
legitimate, where a UK company just sort of got things wrong,
it had made a mistake, and that is fairly easily put right, but
there are some from overseas and others which are good at hiding
themselves. But as I say, at the moment the numbers of complaints
we receive are much smaller than phone calls.
Q403 Baroness Sharp of Guildford:
I believe a lot of spam emanates from Eastern Europe, and so forth.
Is much effort put into identifying the senders of spam?
Professor Walden: Internet service providers
have an incentive to try and address this issue, and again I think
in terms of effective law enforcement we do need to look at Internet
service providers working in co-operation with each other on an
international basis to try and stop this sort of activity. I think
the activity which we have seen to date has probably been most
effective in that area.
Q404 Baroness Sharp of Guildford:
What about lottery spam and the advance fee fraud scheme? How
much investigation is there of these and how much money is being
recovered? Have you any idea?
Professor Walden: I understand from a recent
visit to the Serious and Organised Crime Agency that Nigerian
419 fraud has been one of their major areas of activity over recent
years. Successfully? I do not have any information about.
Baroness Sharp of Guildford: No. Thank
you very much.
Chairman: We are really running out of
time, but if we can quickly just take the last question.
Q405 Lord Harris of Haringey:
In the USA many prosecutions of spammers have been undertaken
as third party actions by AOL, Microsoft, or whatever. Is that
possible in the UK, and what would be the arguments for and against
doing so, going down that road?
Professor Walden: With private prosecutions
the general default rule under English criminal law is that private
prosecutions are perfectly possible. Some legislation actually
requires that the Information Commissioner or other regulatory
authorities, or the DPP has to lead private prosecutions, but
it would be possible under UK law.
Q406 Lord Harris of Haringey:
None of the legislation here, in terms that it might be used against
spammers, has that requirement, that it has to be led by the Information
Commissioner or that the Attorney-General has to personally sign
it off, or anything?
Professor Walden: I do not believe so. The DPP
has the right to take over a private prosecution which has been
commenced. For example, under the Computer Misuse Act I could
bring a private prosecution.
Mr Bohm: Some action taken, I think by private
parties in America, may have been civil rather than criminal and
may have relied on the fact that in the United States class actions
are sustainable on a much more simple basis than they seem to
be in the UK. I am not a litigation expert, but it does seem that
some organisations have succeeded in bringing proceedings representing
large numbers of those who have suffered. I think the difficulty
where that is not possible is that each individual person who
receives spam suffers a pretty small detriment and is not really
likely to take action of a burdensome kind to pursue it beyond
making a complaint, possibly, whereas if the rules about class
actions or representative actions were easier and if the costs
rules were different so that you did not have to pay costs when
you lost, and indeed if you could recover something substantial
when you won, then you might see a litigation solution to the
problem. I did want to draw to the Sub-Committee's attention one
aspect of spam which is not, I think, always given the attention
it deserves, which is one of the consequences. With my volumes
of spam I get statistics from my scanning service and I am getting
about 40,000 a day at the moment, of which happily I do not see
very many, but the result is that in order to trim that down to
tolerable proportionsand it is rising steadily, a few months
ago it was 20,000the scanning or filtering which takes
place necessarily risks false positives and although I am offered
the false positives they can get that wrong. Email is therefore
increasingly unreliable as a means of being sure that you have
received a communication. It is a side-effect of spam and it is,
funnily enough, a side-effect with potential legislative consequences
because as the courts become more modernised and willing to rely
on email and as other official channels begin to rely on electronic
communications, the public at the other end of these are at risk
of being told they are deemed to have received something because
an email was sent to their last known email address three weeks
before, and they simply have not succeeded in retrieving it from
intolerable piles of filtered spam. So there is an awkward side-effect
which points to a certain amount of need for caution as public
services become more electronic. People's security is, in effect,
affected because they are deemed to have received communications
they have not received.
Q407 Chairman:
That opens up the question of how many filtering systems notify
the sender that their message has been filtered out and not delivered.
Mr Bohm: It assumes, of course, that the senders'
systems are capable of noticing responses. Many people send messages,
official bodies send messages out saying, "Do not reply.
Your reply will not receive attention." Of course, if that
bounces, the bounce will not receive attention. So it raises a
quite complex delicate question about how these things ought to
be done, and indeed where the risk ought to lie, but it is fairly
dangerous for the individual to in effect be willing to be bound
by emails addressed to them nowadays, given the environment we
have.
Lord Harris of Haringey: That raises
quite important problems which we may want to follow up..
Chairman: I think we should pursue this,
yes. We have run out of time, Professor Walden and Mr Bohm. Thank
you very much indeed. It has been a very useful session to us
and if anything occurs to you that you think we should know, please
write to us. Thank you very much.
|