JUNK EM@IL BAM! - no thank you SPAM

Virgin Net made history in April by becoming the first British ISP to sue a subscriber for spamming - sending unsolicited junk emails. It is accusing a Surrey businessman of breach of contract and trespass, after he sent more than a quarter of a million emails advertising his services.

The case highlights the trouble spam leaves in its wake. The spammer allegedly sent smaller numbers of emails on three previous occasions - a fact that came to light when recipients complained to Virgin Net. The ISP ticked him off and he promised to stop. Instead, he dispatched thousands more spams over a three-day period.

Like many ISPs, Virgin automatically checks whether subscribers are sending suspiciously large numbers of emails, but the spammer still managed to send 260,000 messages before being stopped, resulting in 1,200 complaints.

Worse still, Virgin Net suffered the ignominy of being temporarily black-balled, when other ISPs refused to accept emails from any of its subscribers.

After each offence, Virgin closed down the spammer's account, but he simply opened another one in a different name. Although the offences pre-date Virgin's switch from paid-for to free access, the spammer didn't pay a penny for three of his four accounts because he spammed from them within a one-month free trial period. Virgin estimates that it cost pounds 5,000 in management time to deal with the case.

The ISP argues that the spammer was in breach of his contract with the company - which forbids spamming - and that his overuse of Virgin's computers degraded their performance and amounted to trespass. If Virgin's case succeeds, the company stands to win up to pounds 50,000 in damages, although money is not the main object, says David Johnson, business development director at Virgin. 'We're not seeking punitive damages. We're looking for direction from the courts on what ISPs can do.'

Ironically, the product the spammer was advertising was spam itself, or a database of up to 10 million email addresses. Other popular spam subjects include porn and pornographic Websites, get-rich-quick deals, product promotions, chain letters and computer viruses.

More than 90 per cent of spam originates in the US, but there is a steady trickle of warnings and account terminations from UK ISPs dealing with spamming subscribers. Demon Internet, for example, has to terminate contracts with a couple of customers every month. Many observers believe the problem is on the increase in this country.

Spam volume is difficult to quantify, although some estimates put it as high as a third of worldwide internet email traffic and 80 per cent of Newsnet postings (40 per cent spam and 40 per cent cancellation messages). Demon believes 10 per cent of email delivered to its subscribers is US spam. Although the bandwidth issues are minor - because email uses far less internet bandwidth than Web access - this still means that an ISP such as Demon is effectively spending 10 per cent of its email infrastructure budget delivering messages that its subscribers don't want. Demon also employs four full-time staff to monitor spam and deal with spam-related complaints.

'Apart from the network and bandwidth costs, the biggest expense is dealing with complaints about spam,' says Joe McNamee, deputy head of secretariat at the European ISP Association, based in Brussels. 'Consumers think there's some complicity by ISPs, that allow it and give away people's email addresses - which isn't true.'

The spam lists - usually compiled by hijacking legitimate mailing lists, hacking into mail servers, or using 'spiders' that locate email addresses on Web pages and newsgroup postings - continue to grow. 'Since September 1998, I've received 438 pieces of email to an account I haven't used for four years,' says Richard Clayton, an internet expert at Demon. 'Once you're on a list, you're on for ever.'

The law, at least in Europe, has so far failed to keep up with the spam menace. A handful of US states - including Washington, Virginia and California - have introduced anti-spamming legislation, but UK and European law makes no direct mention of it; hence Virgin Net's recourse to the ancient laws of contract and trespass. The nearest UK law is the Data Protection Act (DPA), which seeks to ensure that people know what is being done with their personal data. The DPA covers firms collecting data for one purpose and then using it for another, collecting it surreptitiously - from a Website, for example - and selling data to third parties.

The snag is that, unlike postal addresses, many email addresses are not considered personal data because you cannot identify the individual to whom they belong. The address [email protected] could belong to any of the thousands of Joe Bloggs in the world, and thus it is not personal data. By contrast, a business address, such as [email protected], could easily be used to identify the Mr Bloggs who works for the specified company, and therefore would be considered personal data.

If prosecuted and convicted under the DPA, spammers would initially face a fine up to pounds 5,000. But the Data Protection Registrar has never issued a warning to a spammer, let alone taken one to court. The updated DPA, which comes into force later this year, says it must be made clearer to people that they can opt out of all forms of direct marketing, including email.

The Data Protection Registrar also enforces telecoms regulations that came into effect on 1 May. These are designed to govern phone calls and make it illegal for companies to cold-call people who are registered with the Telephone Preference Service (28,000 to date). This differs from the postal-oriented Mailing Preference Service (with nearly 500,000 registrants) where compliance by direct mail is only voluntary.

When PC Dealer spoke to the Data Protection Registrar, it was still considering whether the regulations would cover email. They definitely cover fax, specifying that consumers and sole traders cannot be sent faxes unless they have specified that they want to receive them. Applying similar rules to email could reduce the torrent of spam to a trickle - assuming the spammers took any notice of the law.

This, of course, is part of the problem. The most persistent spammers are pariahs who operate at the fringes of the law. There is no guarantee they would comply with the regulations, especially foreign spammers.

Last year, the UK's Direct Marketing Association (DMA) considered setting up a voluntary email preference service, but decided it would be ineffective.

'With 90 per cent or more of spam coming from the US, there's not much point setting up a service for UK consumers,' says Tessa Kelly, director of compliance operations at the DMA.

It was agreed that the Americans would set up an email preference service first, with which British people could register. This is due to launch later this year. In June 2000, the EU Distance Selling Directive comes into force, giving people the right to opt out of receiving direct selling information via any medium, including email. A large proportion of spam is related to distance selling, so an email preference service will be needed by then.

Two pieces of e-commerce legislation would also tackle the problem of spamming. The European E-commerce Directive is going through the European Parliament and should pass by the end of the year. It says commercial emails should be clearly identifiable - although it has not yet decided how - and is considering an email preference service. The UK's own e-commerce bill, due to be tabled by the summer, could also contain measures to deal with spam.

With spam in legislators' sights, you might think the anti-spam lobby would be pleased. But they aren't. ISPs say identifying spam as spam won't change much, because they will still have to deliver it.

Indeed, it might make things worse for those ISPs that currently reject all messages from known spam sites - they might have to be allowed through if they are openly marked as spam.

As for email preference lists, the big difficulty is whether these should be opt-in - where people can't be sent spam unless they say they want it - or opt-out where anyone can be sent spam unless they specifically say they don't want it. Direct marketing companies, supported by the DMA, the EC's Consumer Protection Committee and others, want opt-out lists, because it would leave them the largest target audience.

Most ISPs and other internet organisations, plus the enforcement agencies and the EC's Culture Committee, want opt-in lists, because this would reduce significantly the number of people receiving spam. They would also be easier to enforce. Opt-in lists would be similar to mailing lists, which are already an accepted part of the internet, and account for about half of internet email - far more than spam itself. 'We favour opt-in, because that gives people freedom,' says David Smith, assistant Data Protection Registrar. 'Then, the choice is always with the individual and you don't get anything unless you ask for it.'

The issue behind it all is the legitimacy of spam. If spam becomes socially acceptable it will doubtless be re-christened 'bulk commercial email' or something equally anodyne. A lot of big-name companies would love to take advantage of the wide reach and low cost of email, but are scared by the negative reaction it would cause. Make it legal and above board and the flood gates will open. 'One ISP told me that the last thing it wants is for a respectable marketeer to make a success of it, because that would legitimise it,' says Kelly.

But it's already beginning. 'A worrying trend is that some large, respectable organisations are considering spam,' says Steve Harris, proprietor of Net Services, which publishes email filtering software Spamicide. 'It's starting to look a tiny bit more respectable.'

For some years, companies with commercial Websites have been collecting email addresses from customers and enquirers, with a view to using them for promotional email. The dividing line between useful information and useless spam is difficult to define, especially if the tick-box to opt out is hidden in tiny type on page eight. Some observers also fear that if large companies start spamming, using opt-in or opt-out lists, smaller and less Net-savvy firms may try to follow suit, but without following the correct procedures.

The only solution, according to the internet industry, is a combination of self-regulation, education and eternal vigilance. Businesses and other organisations need to be warned off sending spam, and made aware of the ill will and brand damage it would create.

Most reputable ISPs have taken basic measures to prevent their own subscribers from spamming. A smaller number of ISPs are prepared to go further than the basics, such as outlawing spamming in their terms and conditions. Some block email from the domains of known spammers, or from ISPs that have been black-balled. But many are wary of black-balling because it can cut off legitimate email, too. Most argue that individual customers must use software to filter out email from specific domains or addresses, or email that contains words or phrases such as 'unrepeatable offer' or 'teenage sex'.

Initial fears that free ISPs would prove a spammer's paradise because customers don't have to supply any verifiable personal details such as credit card numbers to gain an account have not been justified. The majority of free ISPs seem to be reasonably careful about what they allow users to send.

The best that can be said for the spam problem at the moment is that it is not getting significantly worse. ISPs and others are managing to keep the lid on it, but they give the impression of running flat out just to stand still. 'The internet industry is getting to the point where it's doing everything it can,' says Keith Mitchell, chairman of the London Internet Exchange. 'But it is becoming an arms race.'

A spammer speaks

Most spammers keep a low profile, especially when they realise how unpopular their actions are. But in January last year, I received a spam from a London market research agency, asking for people to take part in surveys and online discussions. Unusually, the company included its phone and fax number, so while writing this feature I called it and asked what it had done and why.

Pete Comley, the director who sent the spam (he has since left to form his own company), says: 'In market research, you're always striving to take a sample of the population from which to do your research. The problem with the online world is that there's nothing like the phone book or the electoral roll from which to base your initial list.'

As an experiment, Comley paid dollars 99 for a list of 100,000 email addresses from a US company that had spammed him to advertise its services. About 15,000 were UK addresses, and Comley mailed between 3,000 and 4,000 of them before 'my nerve cracked'.

The company's ISP suspected nothing. 'We sent the emails in batches of less than 1,000 in case the ISP checked to see how many messages we were sending at a time,' says Comley. Four of the recipients were very angry and complained to the ISP, and to Net Abuse, which monitors spamming, but no action was taken. Of the rest, five per cent replied and actually completed Comley's survey - a remarkably high success rate compared with most spams. Some of the respondents have since become regular contributors to Comley's online market research, and he gives them a pounds 5 Amazon.com voucher for each survey they complete.

Comley stresses that the spam was partly an experiment and that he has no plans to do it again. But he would welcome a legitimate route for sending bulk commercial email, and believes that, done properly, it could be very effective. 'There ought to be a system for me to pay a fee to Internic or someone for the number of people I send emails to,' he says. 'Then, at least the recipients would know it had been paid for.'
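
The sidebar above describes batches kept under 1,000 so that a per-batch volume check would not fire. The following is an added example, not code from the article or from any ISP it names, showing from the ISP's side why a cumulative rolling-window count per subscriber catches what a per-batch check misses. The account names, send log and all thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed send log: (subscriber, minute offset, recipients in batch).
SEND_LOG = [
    ("acct-17", 0, 950), ("acct-17", 180, 900), ("acct-17", 400, 980),
    ("acct-17", 700, 870),                      # 3,700 total, each batch < 1,000
    ("acct-42", 10, 40), ("acct-42", 600, 35),  # ordinary low-volume sender
]

PER_BATCH_LIMIT = 1000      # assumed size at which a single batch is flagged
WINDOW_MINUTES = 24 * 60    # assumed rolling window length
WINDOW_LIMIT = 2000         # assumed cumulative recipient ceiling per window


def per_batch_alerts(log, limit=PER_BATCH_LIMIT):
    """Flag subscribers with any single batch at or above the limit."""
    return sorted({sub for sub, _, n in log if n >= limit})


def rolling_window_alerts(log, window=WINDOW_MINUTES, limit=WINDOW_LIMIT):
    """Flag subscribers whose cumulative recipients inside a rolling window
    exceed the limit. Returns {subscriber: minute the limit was first passed}."""
    recent = defaultdict(deque)   # subscriber -> (minute, count) still in window
    totals = defaultdict(int)     # subscriber -> recipients inside the window
    alerts = {}
    for sub, minute, n in sorted(log, key=lambda e: e[1]):
        q = recent[sub]
        q.append((minute, n))
        totals[sub] += n
        # Expire batches that have aged out of the window.
        while q and q[0][0] <= minute - window:
            totals[sub] -= q.popleft()[1]
        if totals[sub] > limit and sub not in alerts:
            alerts[sub] = minute
    return alerts


if __name__ == "__main__":
    print("per-batch check:", per_batch_alerts(SEND_LOG))
    print("rolling window :", rolling_window_alerts(SEND_LOG))
```

A counter keyed on the account alone does not link accounts opened under different names, which is how the subscriber in the Virgin Net case kept returning.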