Spam laws in Australia and surveillance

1
Spam laws in Australia and surveillance

• Does our Spam Act stop Spam, or invite routine
  email surveillance at work?

David Vaile Executive Director Baker McKenzie
Cyberspace Law and Policy Centre Faculty of Law,
University of NSW www.bakercyberlawcentre.org
2
Promise more than deliver?

• Internet strange beast to regulate
• Cyberspace out there
• Jurisdiction none or too much?
• Brave attempts to legislate
• Good intentions and ingenuity
• But often undermined by a flaw
• Fails to deliver on promise
• Side effects can swamp intended effects

3
Email surveillance and Spam

• Spam threatens viability of email system
• Legislation in 2003, each flawed
• IT security seen as ultimate Spam solution
• Workplace surveillance as the answer?
• Threat to privacy of email
• Misses the target
• Wont work
• Erosion of trust, collateral damage
• Undermine training, organisation intelligence

4
Spam threatens emails viability

• Spam is 2/3 of all email (Messagecare)
• Technical load on infrastructure
• Threat to trust, Internet social bonds
• People begin to abandon email
• Network effect declines
• Tragedy of the Commons (Catlett)
• Market and technical failure

5
Some problems with real Spam

• Epidemic of asymmetric attacks
• Sender is hidden
• Sender is out of jurisdiction
• Spam bots
• Address harvesting
• Hybrid worms with built-in mail servers!
• Arms race, cheap technical advances
• Eg, Anti-filtering content

6
A tale of 2003 Spam laws

• Reaction to threat to Email system
• Californias Spam law
• US Federal CAN-SPAM Act
• Australian Spam Act
• EU Directive (not covered)
• Spot the crippling flaws

7
Californian Spam laws of 2003

• Stricter legislation than Australia
• Requires prior consent (Opt in)
• Cant rely on Unsubscribe
• Unsubscribe is too late
• Private right of action
• Anyone could have sued but
• Overridden by CAN SPAM (federal)

8
US CAN SPAM Act 2003

• Opt out not opt in
• Requires only
• Good return address
• Honour opt out request
• Over-rides Californian law
• Weakens protection drastically
• Triumph of Direct Marketers

9
Australias Spam Act 2003

• A different political balance
• ADMA accepted Opt in (unlike US)
• Loopholes to drive a truck through?
• Exempt bodies, Purely factual messages
• Dragnet to catch slippery spammers
• Single message can be Spam!
• Harsh search and seizure powers

10
Concepts

• Commercial electronic messages
• Banned if not solicited
• Explicit or implicit consent
• Covers individual emails
• Drastic fines for repeat offenders
• Complex exemptions
• Relationships relevant to the test

11
Enforcement of Spam Act

• ACA under-resourced
• Softly softly policy
• Target the extreme abusers
• Liability net is wide and complex
• Many offences not prosecuted
• Wide discretion, uncertainty

12
Risk of Spam Act prosecution

• Liability v. risk of prosecution?
• Serious Offences
• Huge Penalties
• But ACA policy, resources
• Intention needed for offence?
• Practical risk of single message Spam
• Difficult to frame legal advice

13
Problems of email at work

• Complex Spam liability rules
• Other legal issues
• Viruses and security
• Pornography etc.
• Temptation to track everything?

14
NSW workplace surveillance law

• Announced 30 March 2004
• Workplace surveillance already regulated
• Strict laws protocols to restrict employer
  snooping on workers phone
• Workplace Video Surveillance Act
• To be amended to cover email, other tech.
• Prohibits email surveillance
• Without court order or consent
• Challenges IT control, Spam monitoring

15
Issues

• Industrial opposition to monitoring
• Balance of interests
• Mutually respectable workplace
• Privacy rights protected in a new sphere
• See Privacy Acts Federal and State
• Focus on consent

16
Bark worse than bite?

• Act is not passed yet
• Unclear real intention
• Reduce secret surveillance
• May just result in forced consent
• Potential to be stricter - details!
• Any practical effect?
• Precedent for other safeguards?

17
Surveillance stops Spam?

• Divergence of views
• IT solution v people solution
• What is the problem?
• After the fact too late
• Not reveal the basis of exemptions
• Inadvertent breaches of the Act

18
A better solution?

• Trust and respect
• Training and peer support
• Sensible policies goodwill
• Cooperation with ACA, ACCC, TIO
• Complaint-based approach
• Review marketing and PR
• Seeking consent is good business

19
Conclusion

• Spam law unintended consequences
• Surveillance culture
• New awareness of privacy
• NSW anti-email surveillance law
• Effective risk management
• Low risk of prosecution
• Better solution