Friday, May 05, 2006

Michael Geist: Technology alone not enough to win spam battle

Last month Government officials from throughout the Asia-Pacific region gathered in Calgary, Canada, for a two-day meeting on the anti-spam battle.

Delegates could almost be forgiven for believing that the spam problem has largely disappeared. Spam filters have become increasingly effective in limiting the amount of spam that lands in inboxes, while internet service providers in many countries have become very good at blocking spam messages before they leave their networks.

But first impressions can be deceiving. Global spam volume continues to increase, with recent surveys indicating 80 per cent of all email is now spam. Spam has also become far more dangerous as many messages secretly contain viruses or other hidden programs that can turn ordinary internet users with broadband connections into large-scale spammers.

Spammers have compounded the problem by branching out beyond traditional unsolicited commercial email. Millions of blogs have been hit with spam postings known as "splog", internet telephony is facing a growing spam problem referred to as "spit", and phishing emails, which deceptively send users to phony websites in order to extract personal information, are credited with being responsible for hundreds of incidents of identity theft.

Unfortunately the legal frameworks in both developed and developing countries have failed to keep pace with the new spam-related concerns. While countries such as Canada stand pat, others, including New Zealand, Hong Kong, and Japan, have introduced new anti-spam laws over the past year. In addition, Australia is currently reviewing the effectiveness of its well-regarded anti-spam law and many US states have enacted anti-spam statutes designed to supplement the federal Can-Spam Act.

Australia has also led the way in developing the world's first binding internet service provider anti-spam code of conduct. Drafted in consultation with the industry itself, the framework provides regulators with the power to intervene should an ISP fail to abide by industry anti-spam standards.

The need for stringent anti-spam laws has become particularly important in light of the growing emphasis on cross-border enforcement. Spammers regularly use computers in several countries to send their email and attempt to hide their tracks by routing their profits through multiple jurisdictions.

While there are a growing number of participants in the global dialogue on enforcement, the absence of a comprehensive anti-spam law could hamper many authorities' ability to pursue spamming activity.

Even the technical successes may be short-lived. By focusing on filtering spam or blocking it before it leaves the network, some countries have addressed the symptom rather than the problem. This technical approach clearly does not eliminate spam, but masks it from internet users, leaving everyone vulnerable to spammers, who invent new ways to circumvent ISP filters and blocking techniques.

The long-term elimination of spam requires action against the spammers themselves, including the use of privacy legislation, criminal codes, and anti-fraud statutes. Moreover, tough penalties are needed, since the deterrent value of anti-spam legislation depends upon spammers' perceived risk of violating the law.

The need for tough anti-spam laws is particularly acute in the developing world. Given limited bandwidth and internet infrastructures, the spam deluge is often the equivalent of a denial-of-service attack for developing countries. Many are ill-equipped to handle the increased email traffic, with the result that legitimate internet traffic comes to a standstill.

Moreover, as spammers turn to email servers in developing countries, those same countries risk being cut off from the global internet as ISPs consider blocking all traffic originating in a particular country as a crude mechanism for dealing with large spam volumes.

With spam still growing, countries must act on both the domestic and international levels.

Domestically, those without anti-spam laws should remove the uncertainty associated with the current anti-spam legal techniques by upgrading domestic legislation with tough penalties against spam.

On the international front, countries should increase their presence by working on cross-border enforcement initiatives. The OECD recently released a global anti-spam toolkit in the hope of promoting consistent anti-spam approaches worldwide, while the London Action Plan, a group consisting of 70 countries and private sector organisations, serves as the focal point for global anti-spam co-operation.

Ironically, the recent improvement in spam filtering may have the unintended result of decreasing public pressure for anti-spam action since the full impact of spam may be hidden from internet users. However, with spammers branching out to computer viruses and identity theft, and ISPs reporting that four out of every five email messages are now spam, the risks associated with the problem continues to increase.

* Michael Geist holds the Canada Research chair in internet and e-commerce law at the University of Ottawa, Faculty of Law.


Post a Comment

<< Home