Caveat spammer, caveat advertiser

The unlikely subject of spam e-mail recently catapulted the Scottish legal profession into the national press, when the Tayside law firm of Blackadders found that its clients and others had received an “official looking” e-mail supposedly sent from Blackadders.  The message had originated elsewhere, but looked authentic because it contained correct e-mail and telephone details.  The e-mail falsely suggested that (to put it no higher) a particularly robust form of service could be offered by the law firm concerned, and that minor inconveniences such as professional rules would not be permitted to stand in the way of delivering such a service.

It is sometimes said that any publicity is good publicity.  However, Blackadders found themselves deluged with replies from recipients of the original message, some approving of its contents, others quite the reverse.  The police ultimately became involved. Unquestionably the whole episode cost a significant amount of management time.

It is not technically very difficult to configure an e-mail account so as to give the impression a message has originated elsewhere. This is called “Spoofing”, in the trade. But whereas most e-mail systems can provide large amounts of information about the origin and transit details of a message in the message header, most people don’t want that information. So the average e-mail account is set up to hide the header information, apart from the apparent sender’s address.  Most people are only interested in reading the content of a message, not in discovering the various mailservers it has passed through to reach them.

The position might have been very different if it was the established best practice for the prudent Scottish solicitor to communicate with his or her clients only by way of digitally signed e-mails, and for clients to expect nothing else.  On that approach, any unsigned message claiming to be from a Scottish solicitor would attract suspicion as soon as the recipient found he could not verify the identity of the sender.  At the moment solicitors, clients, and insurers are not demanding the use of secure e-mail: something of a bizarre contradiction when one thinks of the speed with which most of us reach for a Recorded Delivery envelope as soon as we need comfort with postal mail. Such demand may of course materialise once secure e-mail solutions such as Lawseal do become the norm for solicitor/client communication. (LawSeal is the Law Society of Scotland’s project to assess the applicability of digitally signed and/or encrypted e-mail to the Scottish legal profession).  

In the meantime, however, most people who received the message in question mistakenly regarded it as just another spam e-mail. Conservative estimates suggest that spam currently accounts for nearly 40% of all e-mail traffic.  Very few people reading this article will not have received unsolicited e-mails offering free adult site passwords, low price drugs such as Viagra, DVD copying software, and lately the “419 scam” offers from Nigeria, seeking assistance to money launder unfeasibly large sums of US dollars.

The filtering firm SurfControl (www.surfcontrol.com) estimates that spam costs businesses around the world no less than US $9 billion per year to deal with.  How does this cost arise?  It includes the time it takes for people to read and delete the unwanted messages. It covers the cost of having IT staff unblock networks that have been swamped with spam.  There are also hardware costs, for example acquiring yet larger mailservers and storage systems where staff inboxes have overflowed their capacity.  

In the United Kingdom the E-Commerce Minister, Stephen Timms, announced on 28 March 2003 that the Government proposed to regulate unsolicited commercial e-mail messages and strengthen privacy rights for electronic communications.  “Spam has become the curse of the Internet.”, Mr Timms said in a statement.  “It is a source of major frustration as it clogs up inboxes the world over.  Just as the Internet and mobile technology have become a firm feature of our lives, spam is threatening that status.  It is in danger of becoming a real deterrent to online communication.”

These regulations are intended to implement the Directive on Privacy and Electronic Communications (2202/58/EC). The Government’s consultation document, also issued on 28 March, extends to no less than 126 pages.  The Law Society of Scotland’s Electronic Commerce Committee will be digesting this information over the coming weeks.  There does seem to be a need for Scottish input into the process – for example on page 19 of the consultation document, dealing with the definitions of corporate and individual subscribers, there is discussion around the wording of the Framework Directive (2002/21/EC): “Any natural person or legal entity who or which is party to a contract with the provider of publicly available electronic communications services for the supply of such services”. The consultation document’s terminology in the space of a few lines refers to ‘natural and legal persons’; ‘legal persons’, ‘individuals’, ‘individual persons’, and ‘natural persons’ but omits mention of ‘legal entity’. The document observes that “Under Scottish law, sole traders but not partnerships count as individual persons”.  However, the Partnership Act 1890, Section 4(2) provides “In Scotland a firm is a legal person distinct from the partners of whom it is composed”. No doubt the meaning can be clarified during the consultation process.

The intention of the regulations is understood to centre on the following:

• Businesses will have to gain prior consent before sending unsolicited advertising e-mails.  This consent must be explicitly given on an “opt-in” basis, except where there is an existing customer relationship.
• The use of cookies or bugs or similar devices must be clearly indicated and the opportunity must be given to reject them.  

Whilst these new regulations are awaited, the responsibility of UK advertisers will already have increased substantially on 4th June when the new Sales Promotion and Direct Marketing code issued by the Committee of Advertising Practice (www.cap.org.uk ), comes into force.  The CAP is the self-regulatory body that creates, revises and enforces the code.  CAP’s members include organisations that represent the advertising, sales promotion, direct marketing and media businesses.  From the consumer’s perspective, the “teeth” of the code lie in the administration of it that is undertaken by the Advertising Standards Authority (ASA) (www.asa.org.uk).

The new CAP code makes the following provisions in relation to spam:

• Unsolicited e-mail marketing communications must be clearly identifiable as marketing communications without the need to open them up.
• Any other unsolicited e-mail marketing communications, marketing communications for employment agencies and distance selling communications that require payment before products are received, must contain specified information before contacting the seller.
• The “explicit consent“ of consumers is now required before marketing by fax, marketing by e-mail or by way of SMS text transmission, with the sole exception that marketers may market similar products to existing customers.  

So there is some synergy between the new CAP code and Mr Timm’s aspirations. Anything that reduces spam is to be welcomed and attempts to do so are being made world wide.  In the USA the states of New York, Missouri, and Colorado are on the point of introducing legislation that would establish “Do not spam” lists similar to “Do not call” lists already on use for telephone and fax numbers. The lists will be supplemented by fines for spam e-mail at rates varying from $10 up to $5000 per unwanted message. The state of California requires each unsolicited advertising e-mail to be headed “ADV”.

Laudable effort all round, but doubtful any of this is going to make much difference.  Genuine firms, who value their reputation and wish to avoid prosecution, will play by the rules and will risk losing out on sales. Historically, the worst and most persistent spammers have paid no attention whatsoever to the exisiting rules. There does not seem to be much reason to suppose they will change their ways due to the introduction of a few new ones.

Paul Motion is a partner with Ledingham Chalmers, Edinburgh, and Convener of the Law Society of Scotland’s E Commerce Committee