Like almost everyone who uses e-mail, I receive a ton of spam every day. Much of it offers to help me get out of debt or get rich quick. It would be funny if it weren't so exciting.

Bill Gates, Microsoft

The Internet may have given us an unprecedented tool for locating and sharing information but it has also provided an unwelcome accomplice – unsolicited electronic commercial messages on a large scale, otherwise known as spam.

The Internet has provided us with a widely used communication tool in e-mail. Not all of us may surf the Net but many of us use e-mail to communicate. E-mail is nowadays an integral part of business communication. The more we have come to rely on its convenience and cost savings (with multiple e-mail accounts per person and more and more people around the world opening new domain accounts) - the more likely it was that we would open the doors to abuse of the technology. Some would say therefore that spam was, perhaps, inevitable.

The debate centres on the following question: in a borderless environment how can individual countries protect the privacy rights of their citizens whilst still allowing legitimate e-marketing to occur?

Despite the difficulties, a number of countries have taken steps to tackle the problem. Solutions range from the 'Club Med' styled approach of self-regulation to a more militant line that involves the quartet of public education, enhanced powers of ISPs, technological measures, and legislative provisions with considerable bite. Alas, this is no easy war; the law makers who attempt to fight spam are restrained by something that pre-dated the technology: jurisdictional borders.

This article examines Hong Kong's role in the global fight against spam. It asks whether proposed legislative measures will 'cure' the problem and, if legislation is the answer, what should be included within it.

Defining the problem

SPAM is defined as bulk e-mail messages or news articles sent via electronic mail without the recipients' prior request or consent.1

Whilst depressing news for many, the problem of "those e-mails" isn't set to go away any time soon. Of greater concern is the increasing prevalence of criminal activity (eg. phishing). The Hong Kong Internet Service Providers Association ("HKISPA") reports that Hong Kong spam now constitutes some 50% of e-mail handled by Hong Kong ISPs – a figure in line with international trends2. The problem is a global one. A recent survey of 5 million pieces of spam revealed that slightly less than 86% of spam originates in the US, 3% from South Korea, just under 3% from China and Hong Kong, a little over 2% from Canada and about 1.5% from the Ukraine. Of the IP addresses sending spam, 23% were from China and Hong Kong and another 4% were from Brazil.3

Spam comes at a price. In a recent White Paper4, the Hong Kong Anti-Spam Coalition outlined the tangible and intangible costs of spam on individuals and businesses, alike. These include: lower response rates; IT security issues; lack of storage space; waste of management time; more sluggish productivity; bandwidth cost; misused resources; decreasing opt-in rates; customer dissatisfaction; lower profitability; and user trust breakdown.

The White Paper puts the estimated cost of spam at approximately USD$9 billion annually in the United States and as much as HK$10 billion annually in Hong Kong.

Club Med or Club Fed

There is a well-known saying that "a successful person is one who can lay a firm foundation with the bricks that others throw at him." If we consider spam as the brick against Internet technology then building a firm foundation requires as much a commitment to develop a strong local stance as it does to developing a global one.

Spam has been described as a "social rather than a technological problem"5. One way of dealing with social problems that get out of control is to try and tame them by cracking the legislative whip.

A number of countries have implemented legislation to deal with the problem of spam.6 For comparative purposes we will focus on the US, European and Australian legislation. The United States introduced anti-spam legislation in early 2004. The Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003 is colloquially referred to as the CAN-SPAM Act.

The CAN-SPAM Act covers commercial electronic messages (defined as an electronic mail message with the primary purpose of advertising or otherwise promoting a commercial product or service) but does not include 'transactional or relationship messages' ie. those messages with the primary purpose of facilitating commercial transactions, providing warranty or safety information, providing information relating to a pre-existing business or employment relationship or delivering goods and services according to an agreed transaction. The US Federal Trade Commission is currently defining a framework of rules to determine, inter alia, the "primary purpose" of an e-mail message. Under current proposals an e-mail would be considered primarily commercial if its purpose is solely to advertise or promote a product or service. If a message contains both commercial and non-transactional information then the subject line and also the location of "transactional or relationship" content within the body of the message would be taken into account together with the relative proportion of commercial versus non-commercial content in order to determine the "primary purpose" of the e-mail message.7

The CAN-SPAM Act imposes a number of requirements on marketers:

  • Advertisements must be clearly labeled;
  • Advertisements must include the sender's name, e-mail address, physical address and opt-out directions;
  • False or misleading information is prohibited;
  • Address harvesting and dictionary attacks are prohibited;
  • Sexual content (with some limited exceptions) is prohibited; and
  • Messages cannot be sent through proxies or with fraudulent return-paths and received lines.

If marketers do not comply with these criteria then they are at risk of falling within the scope of 'fraudulent spamming activities' and, depending upon the nature and gravity of their actions, would be potentially liable for fines of up to $6M and up to 5 years of jail time. Fraudulent activities can also be halted by ISPs, who have been given significant power to seek injunctive relief and fines up to US$1M against offenders. This is certainly the Club Fed approach to penalties.

Whilst the US penalties are commendable, the legislature's approach to consent is open to debate. There are two approaches to consent as it relates to e-mail - express prior permission due to an existing relationship between the parties ('opt-in') or alternatively, non-permission based messages provided that recipients can choose not to receive further communication from the sender ('opt out').

The US CAN-SPAM Act adopts the 'opt out' approach. The opt-out approach is lauded by many as upholding the rights of legitimate marketers and also maintaining a closer affinity with an individual's right to free speech. However, from the perspective of spamming it is worth noting the research conducted by CipherTrust which shows that spammers have already relied on a legitimate loophole in the legislation and now make it harder for recipients to unsubscribe from spam messages by including postal rather than e-mail addresses in their opt-out message.8

At a more basic level the opt-out provision allows insufficient protection to users in non-US countries from unsolicited US-generated e-mail. The amount of spam being generated from the US has actually increased since the enactment of the new law9 due to increased reliance on infected offshore proxies to 'hide' sender details. The effect such measures have on public trust as it relates to direct marketers should not be underestimated. Equally, given the role of public education in the fight against spam, the opt-out rule does appear to stand at odds with educational efforts which recommend that recipients of spam e-mail should not reply to a spammer, as such a reply merely confirms the e-mail address.

In legislating against spam, Europe and Australia have adopted the opposite approach to consent and a wider definition of what constitutes spam. The EU Directive on Privacy and Electronic Communications (2002/58/EC) and the EU Directive on E-Commerce (2000/31/EC) define 'commercial electronic messages' as including, in addition to e-mail, SMS, MMS and IM. If fraudulent activity or spamming is proved, sanctions are determined by the individual Member States but the latter Directive states at Article 20 that "such sanctions … shall be effective, proportionate and dissuasive". Similar to the US, the Directives require messages to be clearly labeled as an advertisement and to include the sender's name, physical address and opt-out directions. There are also prohibitions on disguising origin. The Directives and the Australian legislation – the Spam Act 2003 – adopt an opt-in approach to user consent. The Australian legislation also prohibits the use or circulation of harvested addresses or harvesting tools.

Whilst the Australian and EU approaches are stricter in terms of consent, they fall down when it comes to penalties. In the European Union the level of penalties varies from Member State to Member State depending on the provisions in such Member State. In the UK, for example, an offence at the Magistrate's level stands at £5,000 (US$9,112) and can be (in theory) referred to a higher court for a limitless fine, while in France penalties include a maximum fine of €90,000 (US$108,539) and a three year jail term. By contrast, the Australian SPAM Act imposes a US$156,219 penalty for a repeat offender (US$44,000 for a one off offence) or at an organizational level US$780,667 for a repeat offender (US$156,219 for a one off offence).

A Multi-Faceted Approach

Legislation in isolation will not curb the problem of spam. A multi-faceted approach to dealing with spam is the only effective way to target the issue as this allows privacy rights to be upheld whilst also promoting responsible online direct marketing. This multi-faceted approach should include voluntary codes of conduct, the use of technology and also public education.

Voluntary codes of conduct.

Codes of Conduct are becoming increasingly prevalent. In February 2000 the Hong Kong Internet Service Providers Association issued the Anti-Spam Code of Practice. In June 2004 a coalition of leading Internet Service Providers (Yahoo, Microsoft, EarthLink, America Online, British Telecom and Comcast) announced a proposal of best practices for sending and filtering email. Similarly in Australia, the Australian Direct Marketing Association ("ADMA") industry lobby produced a draft code of practice for members in August 2004. The Australian Code aims to reduce complaints about spam e-mail. In addition to the ADMA code, the Industry Association is working in conjunction with the South Australian and Western Australian Internet Associations on behalf of the Australian Communications Authority while the Australian Communications Industry Forum is developing anti-spam recommendations through its Piracy Advisory Group.

Technology

Technology has the ability to act as a surrogate police force via ISP controls, filters, cryptographic developments, sender ID, black lists and network management solutions (including authentication and technical tools) but Carl Hutzler10, Director of Anti-Spam at AOL admits that this is "an escalating technology war … and a high-level cat and mouse game".

There are a number of examples where the ISPs (who really are at the front line of spam given their role in relaying information across the Internet) and other companies reliant on the medium have demonstrated good corporate citizenship by working alongside their customers to safeguard them from further risk and cost. A recent example: eBay's Web Caller ID which allowed users to verify the authenticity of a Web Site. eBay released the tool to the public11 to protect them from the increased risk of phishing attacks by online perpetrators who set up websites in the guise of the well known online auctioneer. It's a step up from blacklist technology and another example of companies and the public working together to overcome the problem.

In the United Kingdom ISPs have adopted a code of practice that allows them to shut down e-commerce sites that distribute spam regardless of how and from where the spam was sent. The initiative is directed at stopping spammers hosting their e-commerce with a reputable ISP but sending spam from an alternative network. There is also precedent for the suggestion that global collaboration is possible. The London Internet Exchange ("LINX"), for example, introduced a Best Current Practice document ("BCP") on spam in 1999. The BCP received endorsement from RIPE, the Internet policy-setting body for more than 90 countries across Europe, the Middle East, Central Asia and Africa. By the Year 2000, the BCP had become the basis for an increasing number of anti-spam standards. In another promising move, the OECD countries have set up a task force to address spam at the global level, the task force recognizing that close international cooperation is essential in any attempt to contain spam. Other examples include the International Chamber of Commerce (ICC), which offers a global inventory of opt-out and reporting facilities in 26 countries, and the SPAMHAUS Project, which tracks the Internet's Spammers, Spam Gangs and Spam Services and works with global law enforcement agencies to locate and prosecute (where possible) spammers.

This mutual cooperation is integral if enforcement is to be effective (albeit potentially problematic given political tensions in some countries that may be reluctant to enforce deportation orders or indeed allow the requisite evidence to be collected from their jurisdiction).

The Role of Education

Any approach to spam needs to remain cognizant of the rapidly developing technologies behind it and the number of spammers who are as adept at side stepping the law as they are at developing new methods of reaching your in-box.

Educating consumers about their role in the fight against spam is an integral part of the process. Consumers need to: (i) understand what spam is and how to respond to it; (ii) understand what tools they have available to them on their PCs to filter and block spam (eg. Bayesian filters and key word technology); (iii) be made aware of local services that can assist eg. OFTA and a number of service providers allow users to register their phone numbers on 'not-to-call' lists12; (iv) check ISP contracts to ensure they contain provisions pertaining to anti-virus protection and anti-spam features; and (v) have ready access to complaint channels.

Hong Kong

There is no legislation in place in Hong Kong that deals directly with spam. Hong Kong currently relies on industry self-regulation which includes initiatives by the following organisations:

  1. Hong Kong Internet Service Providers Association (HKISPA) [February 2000]: The Anti-SPAM Code of Practice;
  2. Mobile operators [December 2001]: The Code of Practice on Handling of Unsolicited Promotional IOSMS under the Code of Practice for Inter-Operator Short Message Service (IOSMS); and
  3. Local wire-line FTNS network operators [revised January 2004]: Code of Practice setting out the standard procedures for handling complaints against unsolicited fax advertisements.

In light of the growing cost to individuals and businesses alike, the call has increasingly been made to allow the law to assume a more prominent role.

Hong Kong Consultation Paper on Spam

In June 2004, in response to the growing problem of unsolicited email messages, OFTA released a Consultation Paper on Spam13. Views and comments should be submitted to the Government by 25 October 2004. In particular, the Government seeks comments on the following:

  1. The extent of the spam and the loss in monetary terms to individuals/business;
  2. The extent of industry co-operation and whether Codes of Practice should be voluntary or mandatory;
  3. The role and scope of a user education process;
  4. Available technical solutions and their effectiveness; and
  5. The pros and cons of a legislative approach to combating spam.

Legislative framework in Hong Kong

Should Hong Kong choose to legislate against spam then there are a number of provisions within the existing Hong Kong legislative framework that provide some precedent value. No provision in existing legislation, however, specifically tackles the issue of spam or can be interpreted to cover spam.

The following Ordinances provide limited guidance:

Summary Offences Ordinance (Cap 228) s.20 - deals specifically with telephone calls, or messages and telegrams.

Control of Obscene and Indecent Articles Ordinance (Cap. 390) – relates to content, specifically that which is obscene and indecent.

Personal Data (Privacy) Ordinance (Cap. 486) – s.34 is the closest Hong Kong has to a law that regulates direct marketing. Of note, from an anti-spam perspective, the provision refers to an "opt out" right which may have some influence on the longer term debate in Hong Kong regarding consent.

Telecommunications Ordinance (Cap. 106) s.27A – relates to hacking (rather than the act of sending spam).

Crimes Ordinance (Cap. 200) ss.59, 60 & 161(1) – deal with misuse of computers, destruction of property and accessing a computer with the intention to commit an offence (note however that these provisions were not intended to criminalize the act of sending spam email per se).

Existing research

In any move to draft local legislative measures it would also be remiss to overlook a large body of research already undertaken. In March 2000, in response to the increase in computer crimes cases14, the Government of the Hong Kong SAR established an Inter-departmental Working Group on Computer Related Crime ("the Working Group").

The Working Group, with representatives from various Government bureaux and departments, was tasked with studying the adequacy of Hong Kong legislation in dealing with computer and Internet crimes and identifying areas where changes would be required. In September 2000 the Working Group submitted a report of its findings. The report was released for consultation on 1 December 2000. It noted the potential benefits of ISP collaboration given the use of accounting and session records in the investigation of offences. The Working Group therefore recommended that assistance should be given by ISPs to law enforcement agencies as follows:

  1. ISPs should check subscriber details at the time of registration; rather than introducing statutory provisions, administrative guidelines to this effect (and compatible with the privacy safeguards contained in the Personal Data (Privacy) Ordinance) should be drawn up. The guidelines would specify the details that would be required at the point of opening an Internet account and the details that would need to be kept as long as the account is being maintained and for a reasonable period after the account is closed;
  2. ISPs should be encouraged to keep log records including the calling numbers as a good management practice but no mandatory requirement for all Internet transactions to be tracked by the caller line identification function or caller number display function should be adopted;
  3. Both the Government and ISPs should encourage Internet users to make use of PKI but this should not be a mandatory requirement;
  4. ISPs should keep log records for a reasonable period of time i.e. six months;
  5. As content providers, ISPs should be responsible for any contents they may provide but as carriers, ISPs should not be responsible for the contents of messages or sites they carry;
  6. Relevant Policy Bureaux should examine the feasibility of putting in place take-down procedures for infringing copyright material, gambling content and pornographic materials;
  7. As a multiple log-in facility carries some security risk, ISPs should be encouraged to set their system default to deny multiple log-in but only offer this facility as an option;
  8. ISPs and law enforcement agencies should improve their communications to encourage the exchange of ideas on cyber security.

While not all of the Working Group's suggestions would be appropriate, a careful review of the report would be advisable before any drafting of anti-spam legislation is embarked upon.

Finally, as mentioned above, the effectiveness of any anti-spam legislation very much depends on the penalties imposed and the ease and willingness of authorities to enforce the laws15.

Section 113C of The Criminal Procedure Ordinance in Hong Kong outlines the range of fines from a level one offence ($1 to $2000) to a level 6 offence ($50,000 - $100,000). It is therefore interesting to consider that should Hong Kong adopt anti-spam legislation the potential penalties would be on par with the UK but well below those in other countries such as the United States of America.

Conclusion

Hong Kong, like every other country in the world, is facing an unprecedented challenge in the form of spam. The current system of self-regulation is fast proving an ineffective deterrent and legitimate direct marketers are at risk of losing public trust.

Whilst legislation may be an effective tool in dealing with the problem, the global nature of spam requires a multi-faceted approach to manage both the costs and privacy concerns it generates. A number of countries have already taken steps to tackle the problem and the precedent value these countries offer will assist Hong Kong in adopting a solution best tailored to local conditions.

© Gabriela Kennedy and Katrina Partridge (September 2004)
The authors are Partner and Professional Support Lawyer working in the TMT Group at Lovells in Hong Kong.

Table 1: Anti-spam legislation by country

ASIA PACIFIC REGION

Region: Korea
Legislation: APITN16
User consent (opt-in / opt-out): OUT
Scope: Unsolicited commercial e-mail; other electronic communications containing adult material
Rules:
  • Clear labelling as an advertisement, including the sender's name, e-mail address, physical address and opt-out directions
  • Transmission of e-mail to user who has opted-out is prohibited
  • Prohibition of harvesting
Penalties: Fines up to KRW 10,000,000 (US$8,574)

Region: Japan
Legislation: Specific E-mail Law17; Commercial Transactions Law18
User consent (opt-in / opt-out): OUT
Scope: Unsolicited commercial e-mail
Rules:
  • Clear labelling as an advertisement, including the sender's name, e-mail address, physical address and opt-out directions
  • Transmission of e-mail to user who has opted-out is prohibited
  • Prohibition of dictionary attacks
Penalties: Fines up to JPY 500,000 (US$4,549) for failure to comply with warning

Region: Australia
Legislation: The Spam Act 2003
User consent (opt-in / opt-out): IN
Scope: Commercial electronic messages (e-mail, SMS, MMS, IM)
Rules:
  • Clear labelling as an advertisement, including the sender's name, e-mail address, physical address and opt-out directions
  • The use or circulation of harvested addresses or harvesting tools is prohibited
  • There is an exemption for entirely factual mail
Penalties:
  • 1st offence (individual): AU$44,000 (US$31,244) per day
  • Repeat offence (individual): AU$220,000 (US$156,219) per day
  • 1st offence (organisation): AU$220,000 (US$156,219) per day
  • Repeat offence (organisation): AU$1,100,000 (US$780,667) per day

EUROPEAN UNION

Region: The European Union
Legislation: Privacy Directive19; E-Commerce Directive20
User consent (opt-in / opt-out): IN
Scope: Commercial Electronic Messages (e-mail, SMS, MMS, IM)
Rules:
  • Clear labelling as an advertisement, including the sender's name, e-mail address, physical address and opt-out directions
  • Prohibition on disguising origin
  • Opt-in consent except for an existing customer who has not opted-out
Penalties: Depends on Member State legislation. Examples:
  • UK: £5,000 (US$9,112) at Magistrates court. Organisation can be referred to higher court for limitless fines.
  • Italy: up to €90,000 (US$108,539) and 3 years prison term

UNITED STATES OF AMERICA

Region: U.S.A
Legislation: CAN-SPAM Act 200321
User consent (opt-in / opt-out): OUT
Scope: Commercial electronic messages22 (not including 'transactional or relationship messages')23
Rules:
  • Clear labelling as an advertisement, including the sender's name, e-mail address, physical address and opt-out directions
  • Prohibits false or misleading information
  • Prohibits address harvesting and dictionary attacks
  • Prohibits sexual content with some limited exceptions
Penalties:
  • FTC24 cases: fines up to US$11,000 per violation
  • State AG25 cases: injunctive relief and fines of up to US$250 per violation (maximum US$2 million)
  • ISP26 cases: injunctive relief and fines of US$25 per violation (maximum of US$1 million)
  • Attorney's fees
  • Up to 5 years prison sentence

Footnotes

1 Definition supplied by the Hong Kong Internet Service Providers Association (HKISPA) www.hkispa.org.hk

2 A Lake "Is spam an issue in HK? HKISPA's survey of ISPs", Paper presented at Anti-Spam Forum 'To Regulate or Not', 13 January 2004, Hong Kong. SPAMHAUS (www.spamhaus.org) in an article titled "Follow Australia" (19 July 2004) suggested that SPAM may constitute upwards of 76% of all e-mail.

3 G Gross "Survey: 86% of spam comes from the US", Computer World, August 12, 2004 www.computerworld.cm

4 STOP SPAM (Hong Kong Anti-Spam Coalition) White Paper "Legislation: One of the key pillars in the fights against spam", January 2004 http://www.asiadma.com/downloads/guidelines/pdf/100040/HK_Coalition_Position_Paper_v.7.0.pdf

5 As described by David Crocker, one of the founders of e-mail and a leader in promoting Internet standards for more than thirty years.

6 See Appendix 1

7 R Lieb "FTC Seeks Comments on 'Primary Purpose' of E-mail", 11 August 2004 www.clickz.com/news a

8 G Gross "Survey: 86% of spam comes from the US", Computer World, August 12, 2004 www.computerworld.cm

9 S Olsen "US Cooks up Most Spam", CNET News.com, August 24, 2004 http://news.com/2100-1024-5322803.html

10 Speech by Carl Hutzler, Director of Anti-Spam Operations, America Online Inc "Experiences with Spam in the US: Lessons for Hong Kong", Hong Kong General Chamber of Commerce, 7 September 2004

11 J Vijayan "Antiphishing tool adopted by eBay now available to general public", ComputerWorld (story #48811) www.computerworld.com 17 August 2004.

12 See also recent initiatives in the UK to tackle the problem of unsolicited telephone calls for direct marketing purposes. The Corporate Telephone Preference Service (CTPS) is a central opt-out register and was established on 25 June 2004. Further information can be downloaded at www.tpsonline.org.uk

13 "OFTA Consultation Paper, Proposals to contain the problem of unsolicited electronic messages", June 2004. http://www.ofta.gov.hk/junk-email/junk_email_eng.html

14 The report released by the Working Group states that the number of computer crime cases handled by the Police and the Customs and Excise Department increased from 21 cases in 1996 to 318 cases in 1999.

15 Consider for example the penalties imposed by Australian legislation. Fines exist of US$157,000 per day for individual repeat offenders and US$780,000 per day for organisations who repeatedly contravene the Spam Act, which reflect the legislative intent that spam must be made uneconomical for the businesses perpetrating it. Compare with Japan and Korea whose fines of US$4,500 and US$8,500 respectively offer little incentive to deter commercial spammers. USA and Italy also include criminal penalties for serious offenders. Whether these are enforced remains to be seen.

16 Act on Promotion of Information and Telecommunication of Network Use and Protection of Personal Information

17 Law Regarding the Regulation of Transmission of Specific E-mail

18 Law Regarding Specific Commercial Transactions

19 EU Directive on Privacy and Electronic Communications (2002/58/EC)

20 EU Directive on E-Commerce (2000/31/EC)

21 Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003

22 An electronic mail message with the primary purpose of advertising or otherwise promoting a commercial product or service

23 I.e. those messages with the primary purpose of facilitating commercial transactions, providing warranty or safety information, providing information relating to a pre-existing business or employment relationship or delivering goods/services according to an agreed transaction.

24 Federal Trade Commission: jurisdiction over instances of unfair or deceptive trade practices

25 State Attorney General: for cases of state-wide importance

26 Internet Service Provider: for cases where a particular provider is affected
