Supplementary memorandum by the Department
of Trade and Industry
Q 879 (third party legal actions against spammers)
Spam is an international problem and the Government
does not collect data on e-mail volumes and the nature of e-mail
traffic. Available statistics on the problem vary widely but they
do show that the volume of spam is increasing. For example, Symantec,
a leading security software company, produce a six monthly Internet
Threat Report. This is one of the most widely read documents that
measures the problem on the basis of the company's large number
of sensors on the internet. The latest report, issued in March
2007, estimates that spam made up 59% of all monitored e-mail
traffic in the second half of 2006. This is a steady increase
over the previous six months and they found that some 30% of this
spam related to the financial services industry. The UK is clearly
a major target for spammers but the fact that most is generated
by parties outside the UK (and indeed from outside the EU) poses
a significant problem in terms of enforcement.
This is borne out by research conducted by Spamhaus[2],
a UK-based anti-spam initiative. According to their latest figures,
the 200 spammers named on the Register of Known Spam Operations
(ROKSO) are responsible for 80% of spam. The list consists of
predominately US based spammers and there is only one UK citizen
who appears on the list.
It was this background that led us to comment
in evidence that we thought it unlikely that action would be taken
against UK spammers in the Court. At the time of the session on
28 March, we were unaware that Microsoft had in fact brought two
actions. One was against Paul McDonald whose business sold e-mail
address lists for the purpose of direct marketing without the
holders of those addresses having consented to the receipt of
direct marketing.[3]
Microsoft successfully sought relief under the Privacy and Electronic
Communications (EC Directive) Regulations 2003[4]
("the Privacy Regulations"). The court ruled that McDonald
had breached regulation 22 of the Privacy Regulations and that
Microsoft, a provider of e-mail services, was entitled to protection
under that regulation. Microsoft was entitled to compensation
under regulation 30 of the Privacy Regulations for damages as
a result of the breach of regulation 22 and also to an injunction
restraining McDonald from further breaches.
The second case was a claim against a person
who used bulk unsolicited e-mail within the Microsoft Network
to attract custom to his pornographic website. Microsoft sued
him for breach of terms and conditions relating to the use of
their Hotmail service. The claim was settled when the defendant
undertook not to send any further unsolicited e-mails and to pay
compensation to Microsoft. These actions allow us to confirm the
proposition of the Committee that third party legal action is
another viable approach to addressing the spam problem - at
least for organisations with the resources to pursue such actions.
We know that this approach is more prevalent
in the US but that reflects both the prevalence of spammers resident
in the US and the different legal system. In the US the CAN-SPAM
legislation clearly enables ISPs to take spammers to court. Awards
there are much higher than in the UK; for example, a recent Nevada-based
claim resulted in a fine of $11 million as repayment to
ISP customers inconvenienced by a spammer. We do, however, understand
that fines are rarely collected.
Q 883 (how the network and information security
platform is working)
The Network Security Innovation Platform (NSIP)
is a new way of working for Government aimed at positioning business
and Government closer together to generate more innovative solutions
to major policy and societal challenges.
As electronic networks increasingly become critical
to society, so Network Security is seen as being a major growth
area, and one where the UK is well placed to create added value,
through the provision of both products and services. The real
"challenge" is to bring together key Government Departments,
academia and business to identify both where innovation could
be used to solve specific problems and the actions needed to bring
Government procurement and innovative business solutions closer
together.
The most pressing weakness in network security
is the interaction between the system and the person using the
system. The key aim of the Network Security Innovation Platform
is to bring together technological innovation and social sciences
to ultimately create systems that are secure, user friendly, trusted
and respect individual privacy. The Platform will aim to place
UK business at the forefront of expertise in this area and create
wealth by allowing business to compete successfully for major
global opportunities.
After consultation, two initial themes were chosen
to take forward the platform activities: Human Vulnerabilities
in Network Security and Balancing Privacy and Consent in Network
Security.
The two areas are dealt with below, showing
what activities the NSIP is undertaking, with expected deliverables,
time scales and associated R&D spend.
Human Vulnerabilities in Network Security - Restricted
Commercial
Four successful Autumn 2006 Technology Programme
(collaborative R&D) Proposals were selected - details
below. The six month feasibility stage projects started in April
2007 and require a total grant of £350k, with follow up funding
of up to £4 million available for successful proposals from
2008-10.
Integrating Security Technology &
Organisational Culture for Employee Risk - BAe Systems, Loughborough
University, more industrial partners expected to join the full
project stage if the feasibility is successful. The project will
deliver a novel organisational and human factors focused network
security risk assessment package.
Trust Economics - Hewlett-Packard
Ltd, Merrill Lynch, University of Bath, University of Newcastle
and University College London; The project will explore,
develop and apply a predictive modelling framework within which
the effectiveness and value of security policies that regulate
the interaction between humans and information systems can be
assessed.
The Analysis of Human Behaviour from
Network Communication - Chronicle Solutions, University of
Plymouth; The project aims to develop the scientific basis to
support a potential technology solution for the analysis of enterprise
digital communications in order to identify and act on potential
security threats introduced by humans to information and IT services.
CatalysIS: A tool to improve risk
culture and identify human vulnerabilities in Network Security - The
National Computing Centre Ltd, University of Manchester; The consortium
believes that a catalyst to improve attitudes towards risks both
to and from information systems should be created. The deliverable
is a software-based tool that provides a network security awareness
programme that is tailored to the individual employee.
Balancing Privacy and Consent in Network Security
The Identity and Passport Service (IPS) is the
primary challenge holder in the area of "Balancing Privacy
and Consent in Network Security - Using innovation to address
privacy and consent in Identity Service Provision". The NSIP
is working with the Identity & Passport Service (IPS) to develop
a work package that will sponsor research and development into
how to balance the intrusive nature of identity services and network
security with expectations of privacy and consent.
ID service provision will both create
wealth and reduce fraud, by allowing secure verification of identities.
The work programme will be geared to creating a new business sector
in the emerging privacy enhancing technology area. A functioning
but still embryonic ID services sector will emerge by 2010 and
the NSIP will increase the likelihood that secure digital identities
will be accepted by the public and will create opportunities for
UK business.
The NSIP will bring together Government
Departments, large businesses, retail, banking, innovative SMEs
and academic partners in collaborative partnerships.
A joint DTI and IPS workshop highlighted
specific scenarios where NSIP activity would have best effect.
This formed the basis of a scoping study to identify the key areas
for the NSIP to target. The IPS funded study, conducted by PA
consulting, will be delivered by July 2007 and will include a
workshop to clearly define what challenges the programme should
address, such as:
How do you implement informed consent?
How do you prevent further dissemination
of private information?
How do you revoke consent?
We expect the R&D activity to
be launched in Autumn of 2007. The initial activity will be via
an "Ideas Factory" Sand Pit in collaboration with EPSRC
and ESRC who have committed over £3 million of co-funding.
[2] Spamhaus tracks the Internet's Spammers, Spam Gangs
and Spam Services, provides dependable real-time anti-spam protection
for Internet networks, and works with Law Enforcement to identify
and pursue spammers worldwide. See http://www.spamhaus.org/.
[3] Microsoft Corporation v Paul Martin McDonald [2006] EWHC 3410
(Ch), [2006] All ER (D) 153 (Dec).
[4] SI 2003/2426.