Date: September 20, 2008 - 7 am
Category: Advice, Consumer Protection, Marketing, Privacy and POPI
(First published on 18 August 2003)
Unsolicited commercial communications, also known as “SPAM“, whether in the form of e-mail, SMSs or instant messages, have been described as being the mosquitoes of the Internet – numerous, annoying and often carrying objectionable content and nasty viruses.
What is spam?
The word “spam” as applied to e-mail (and more recently, SMSs or instant messages) means “unsolicited commercial communications” and usually takes the form of unsolicited commercial e-mail (UCE) and unsolicited bulk e-mail (UBE).
“Spam” is a registered trademark owned by Hormel Foods, Minnesota and is the descriptive name of one of their meat product which many people find unpalatable. “Spam” as applied to e-mail shares the same negative connotations as the meat product. This is often misleading as genuine marketing activities are often tarnished by the same brush: spam often does not equate to “unwanted” and often, not all bulk email is spam.
How do you define “spam”?
Precisely how to define spam is a contentious issue. Some define spam as UBE. Others believe that “bulk” is irrelevant. They argue that the issue is merely whether the communication sent was solicited. For others, the issue is whether the communication was commercial in nature. An issue which is common to all the various definitions is that due to the low cost of sending spam, each spam communication costs the consumer more in terms of both money and resources than it costs the sender to send.
From a legal perspective, the absence of a definition of spam in South Africa brings the efficacy of the anti-spam provisions in our law firmly under the spotlight.
SPAM IS A PROBLEM
SPAM is a significant and growing problem representing as it does close to 50% of all e-mail traffic. Whilst it creates significant productivity costs for business and the Internet community, it also threatens the underlying IT systems and network integrity. In order to solve the SPAM problem, a holistic approach is required which balances legislative, self-regulatory, technical and education/awareness elements. This article focuses on the legislative component in the context of a greater spam reduction strategy.
THE LEGAL POSITION IN SOUTH AFRICA
[Update: 23 April 2013. What is set out below is the legal position as it was in August 2003. The law has changed a lot in the last 10 years. For a brief synopsis of the current position, click here.]
SPAM is pertinently addressed in section 45 of the Electronic Communications Act, 25 of 2002 (“the ECT Act“). There are, however, several other areas of law which would cast a wider net over several spamming activities.
SPAM per se is not illegal in South Africa. However, if a sender fails to do one of three things she is guilty of an offence and liable on conviction to an unspecified fine, or a maximum of 12 months imprisonment. A consumer may choose not to institute criminal proceedings against a spammer, but rather lodge a complaint with the Consumer Affairs Committee established by section 2 of the Consumer Affairs (Unfair Business Practices) Act, 71 of 1988. This option is created in terms of section 49 of the ECT Act.
Section 45 of the ECT Act requires the sender of an unsolicited commercial communication to observe 3 rules: firstly, to provide the consumer “with the option to cancel his or her subscription to the mailing list“, secondly, to furnish the consumer “with the identifying particulars of the source from which that person obtained the consumer’s personal information, on request of the consumer“ and thirdly, not to send a second unsolicited commercial communication to a person “who has advised the sender that such communications are unwelcome“.
PROBLEMS WITH SECTION 45
There are essentially 6 problems with section 45, all of which revolve around the absence of a definition of an “unsolicited commercial communication“.
While it will ultimately be left up to the Courts to interpret the meaning of certain words used in section 45, this article attempts to highlight some of the problems with the current wording.
Given the high cost of litigation, coupled with the fact that no organisation ordinarily wants to be the subject of a “test case“, and given the enormity of the SPAM problem, it might be necessary for the legislature to either revisit section 45 of the ECT Act, or enact a standalone “anti-SPAM” law, or for the South African Law Commission to deal with the issue in the pending Privacy Act which they are currently working on.
(1) Section 45 does not apply to ‘legal persons’
Section 45 only offers protection to “consumers” who are spammed. The Act defines a “consumer” as a “natural person”. Therefore if spam is sent to legal persons, such as companies or close corporations, for example, the provisions of section 45 do not apply. However, certain spam related actions could be covered under other sections of the ECT Act or other laws. For example (i) forgery of message headers could be a crime under section 86(2) of the ECT Act which makes the unintentional and unauthorised interference with data “in a way which causes such data to be modified …” a criminal offence, (ii) unsolicited bulk e-mail which causes an e-mail server to crash could be considered a denial of service attack which would also constitute a cyber crime under section 86(2) of the ECT Act inasmuch as it would constitute an unauthorised interception or interference with data and (iii) senders who use trademark material in their unsolicited communications without permission could be violating our trademark laws, or render them susceptible in terms of our common law to legal action based on passing-off.
(2) What constitutes a proper opt-out?
On a strict legal interpretation of sections 45(1)(a) and (b) it is a moot point as to whether the sender is statutorily obliged to provide “the option to cancel” (whether in the form of an e-mail address or a hyperlink to a website) in the first e-mail sent. The issue is important as the sometimes innocent act of a sender (e.g. where the sender is negligent and simply forgets to provide the option to cancel in their first electronic communication) is now criminalized.
The effectiveness of an “opt-out” request is questioned as all it often serves to do is validate the existence of an e-mail address being spammed.
Was it correct for parliament to legislate an “opt-out” provision as opposed to an “opt-in” provision in section 45(1)(a)?
It is important to remember that at the time the ECT Act was being drafted (in the first half of 2001) SPAM was not the scourge that it is today. A reading of section 46 of the ECT Bill will show that failure to comply with the SPAM provisions was not a criminal offence at Bill stage and was only made a criminal offence by the Parliamentary Portfolio Committee when they dealt with the Bill in May 2002, at a time when SPAM was on the increase and the Parliamentary Portfolio Committee was of the view that it was necessary to impose some criminal sanctions for failure to adhere to the SPAM requirements.
It is important to remember that much of the thinking around opt-out provisions worldwide tends to involve benchmarking them in the first instance against direct mail where the incremental cost of each communication provides marketers with a sufficient incentive to refrain from communicating with persons who have submitted opt-out requests. Moreover, the cost factor restricts marketers from sending unsolicited non-electronic communications to consumers in other countries – whereas with e-mail, one rarely receives unsolicited electronic communications from South African senders. Unsolicited and bulk e-mail do not involve an analogous incremental cost and spammers lack a similar incentive to respect opt-out requests. Further, e-mail opt-out requests are rarely effective and some spammers collect and sell e-mail addresses of those who have submitted such requests.
(3) No definition of “sender“
If the “option to cancel” in section 45(1)(a) is in the form of the provision of an e-mail address of the sender and the consumer “has advised the sender” that its “communications are unwelcome” in terms of section 45(4) it follows that the consumer must be able to make contact with the sender in order to inform them that they have elected to cancel or that their unsolicited commercial communications are unwelcome. The snag, however, is that the sender is not statutorily obliged to provide accurate information as to his identity. Section 45 does not require that the sender provide accurate details of his name or physical or electronic addresses, thereby making practical compliance with section 45 problematic. Issues also arise pertaining to what a consumer opts in to receive: is it a single communication, or multiple communications in respect of other products offered by a sender.
In general (not in terms of the ECT Act) a communication is considered to be unsolicited if 3 factors are present: (i) if there is no prior relationship between the parties, (ii) the consumer has not expressly consented to receive that communication and (iii) the consumer has previously sought to terminate the relationship, usually by instructing the sender not to send any more communications in the future.
From a technical perspective, it is often difficult to assess whether an e-mail communication is unsolicited. This is particularly so if the prior relationship comprised something other than a previous exchange of e-mail messages. A broad interpretation of “unsolicited” might include all contracts that are not part of a current transaction, for example, where a consumer purchases a product from a supermarket using a credit card and the supermarket is somehow able to obtain the purchaser’s e-mail address. If the supermarket in this example subsequently sends the consumer an e-mail advertising a sale on products, even those similar to the product he purchased, the communication could be considered unsolicited. The scenario is more likely if the consumer is a member of the supermarket’s loyalty programme during the transaction, thereby enabling the supermarket to link the transaction to personal information about the consumer already on their files. The consumer may have also previously consented to receive subsequent unrelated communications from the supermarket when he signed up for the loyalty programme, in which event the communication would probably not be considered unsolicited.
(5) No definition of “commercial“
Commercial is generally defined in terms of message content, rather than the intention of the sender for sending the communication. As is apparent from the wording of the heading of section 45, the communication must promote the sale of goods or services.
Examples of where an unsolicited communication is of a commercial nature but in the writer’s opinion should not be subject to criminal sanction is where the electronic communication:
- does not include or promote illegal or offensive content
- the e-mail does not have a fraudulent or otherwise deceptive purpose
- does not collect personal information
- is not sent in a manner that disguises the originator
- offers a valid and functional address to which consumers can send messages opting out of receiving further unsolicited communications.
There are many varieties of non-commercial SPAM including charitable fundraising solicitations, opinion surveys, religious messages, political advertisements, virus hoaxes and other urban legends and chain letters.
(6) No definition of “communication” in the context of SPAM
Section 45 is slanted in favour of unsolicited commercial e-mail (UCE). However, given that the real problem with SPAM lies in the volume of e-mail messages, and not their content, measures need to be put in place to deal with unsolicited bulk e-mail (UBE) as well. If one is able to demonstrate that UBE falls within the ambit of section 45, it then becomes necessary to define what constitutes UBE. A single message sent to a very large number of recipients clearly qualifies as bulk. By the same token, separate but identical copies of a message that are sent to a large number of recipients, are also considered to be sent in bulk. The only distinction between the two is the stage at which the e-mail server takes the incoming message and forwards copies of the message to multiple recipients. Substantially similar, as well as identical copies of a single message, would probably also qualify as “bulk“. The main issue appears to lie in how many copies of a message are sent and within what time period they are dispatched, for them to qualify as a bulk transmission.
Whilst drawing a distinction between UCE and UBE may be somewhat academic, it has been the subject of considerable controversy within the anti-SPAM community as well as among legislative bodies in other jurisdictions that have considered enacting restrictions on SPAM.
SPAM ISSUES CAN BE COVERED BY OTHER CURRENT SA LAWS
The ECT Act specifies what constitutes an offence under section 45 of the ECT Act. Certain SPAM-related actions could, however, also be covered under other sections of the ECT Act, or other laws. For example:
- Forgery of message headers could be a crime under section 86(2) which makes the intentional and unauthorised interference with data “in a way which causes such data to be modified …” a criminal offence.
- UBE which causes an e-mail server to crash could be considered a denial of service which would also constitute a cyber crime under section 86(2) of the ECT Act inasmuch as it would constitute an unauthorised interception or interference with data.
- Senders who use trademarked material in their unsolicited communications without permission could be violating our trademark laws or render themselves susceptible in terms of our common law to legal action based on passing off.
- As indicated above, unsolicited communications would constitute an unlawful business practice which could be reported to the Consumer Affairs Committee under section 49 of the ECT Act.
ROLES OF INTERESTED PARTIES
Internet Service Providers
Apart from the senders and recipients of unsolicited communications, Internet service providers which typically manage the consumers e-mail through their servers (as well as those organisations which run their own e-mail servers) are part of the “SPAM chain” and thus have an important role to play.
SPAM is a known nuisance. From a legal perspective, an important question is whether Internet service providers (ISPs) can be liable for negligence if they fail to adhere to the standard of care legally required of them? In terms of South African law if a reasonable person in the position of an ISP:
- would foresee the reasonable possibility of its conduct injuring a subscriber/ s and causing him loss; and
- would take reasonable steps to guard against such occurrence; and
- fails to take such steps, the ISP is negligent.
The negligent conduct envisaged on the part of the ISP would likely be in the nature of an omission – e.g. by not taking technical steps to deal with the problem. Such steps could include not implementing subject line blocking, the use of blacklists and reverse domain name look-ups (establishing whether a sender is real). .
The type of loss envisaged would include a situation where a virus attached to a spam email which passes through the ISPs email server deletes all the subscriber’s data on his hard-drive.
The taking of reasonable steps to guard against such occurrence would include the taking of steps necessary to empower their subscribers and assist them manage the SPAM problem by, for example, making SPAM filtering software and blacklists available to them, or by making facilities available to report SPAM (whether in the form of a helpdesk or reporting on a customised e-mail application – which AOL provides to its subscribers for example) as well as by creating an awareness of the issues directly to the subscribers and in joint collaborative efforts with other interested bodies such as the South African Marketing Federation.
Very often organisations manage their own e-mail servers (or outsource same to a third party) instead of getting an ISP to do so for them. It is a moot point as to whether an employer owes a common law duty of care to its employees and whether the standard of legal care applicable to ISPs also applies to such organisations.
The Marketing Federation of Southern Africa
The Marketing Federation of Southern Africa (MFSA) should consider self-regulation and require its members to subscribe to an E-mail Best Practice Guide and be seen to be engaging with the South African Internet Service Providers Association (ISPA) in the eyes of the public and possibly even compiling a white list of its members who have subscribed to its code of conduct and whose IP addresses can be trusted for purposes of bulk e-mailing. This white list would be accepted by all ISPA members.
Both ISPA and the MFSA should be engaging in discussion with various government departments with a view to establishing a body which would play a monitoring and overseer role in the war against SPAM in much the same way as the Federal Trade Commission in the United States does. It is our understanding that such discussions have been initiated.
The FTC encourages consumers in the United States to report SPAM to them and the FTC uses the unsolicited e-mails stored in their database to institute legal proceedings against persons who send SPAM e-mail in the United States. The creation of a body to perform the same role in South Africa would be particularly important given the high cost of litigation in South Africa: again, no one organisation would ordinarily want to be the subject of a test case and that the law enforcement agencies have other competing priorities.
A SOUTH AFRICAN SPAM REDUCTION STRATEGY
The provisions of section 45 and any possible changes to section 45 of the ECT Act will not in itself provide a comprehensive answer to the SPAM problem. The practical difficulties in identifying spammers, a lack of jurisdiction over offshore offenders and competing priorities faced by the South African law enforcement agencies will all contribute significantly to paralysis in practical implementation of the protection seemingly offered by the ECT Act.
Technological solutions per se are also not a comprehensive answer to the problem. The war between spammers and anti-spammers has frequently been described as an “arms race“, with each side constantly developing new “weapons”. A law that attempts to neutralise these weapons is likely to be obsolete before it even takes effect because of the rapid advancement in technology.
South Africa should be endeavouring to follow a SPAM reduction strategy which strives to achieve 2 objectives:
- Recognition of the fact that permission is ultimately what the consumer says it is; and
- Balance through combined legislative, self-regulatory, technical and consumer education/awareness.
Legislative changes should aim at least deal with the following key features:
- Introducing a definition of “unsolicited commercial communications“;
- Providing that no commercial electronic communications may be sent without the prior consent of the end user unless there is an existing customer/business relationship;
- All commercial electronic messaging must contain accurate details of the sender’s name and physical and electronic addresses;
- Recognition of appropriate industry codes of conduct;
- Appropriate enforcement sanctions;
- Recognition of prevailing trends in SPAM legislation in other jurisdictions so as to ensure a measure of interoperability with those laws, given that SPAM knows no geographical borders or boundaries.
Worms and viruses come and go and to the largest extent they don’t affect the day-to-day use and enjoyment of the electronic oriented consumer. Spam on the other hand is a daily scourge which clogs the virtual mailboxes of almost every email user in a more pervasive, intrusive and offensive way than any junk mail wedged in the garden gate.
On a technological level it has the potential to threaten network overload to the point of near collapse. It is the equivalent of virtual rampant cholesterol clogging the arteries of the Internet.
Undoubtedly urgent retaliation is need and foot-soldiers from every interested quarter need to be urgently conscripted to stem the onslaught, or we all face SPAMICIDE!
Of 37 States in the USA which have SPAM laws, only 3 contain opt-out provisions and of the 42 countries in the rest of the world which have SPAM laws, only 17 contain opt-out provisions – see www.spamlaws.com and www.the-dma.org/antispam/spamlaws.shtml.
The opt-in approach is not without its own problems as it is likely to be very difficult from an evidentiary point of view for a marketer to prove that a consumer did indeed opt-in: note for example, marketers will in all probability have to record the IP address where the consumer opted in from, if a website, the date and time of the opt-in or third party website where the consumer opted in, if not the sender’s own website.
The author is grateful for research support furnished by Acceleration (www.acceleration.biz).
also sometimes referred to as “spoofing” – see the CERT Co-ordination Centre at www.cert.org/tech_tips/email_spoofing.html
this is “an assault on a network that floods it with so many additional requests that regular traffic is either slowed or completely interrupted … [and] interrupts network service for some period …” – the Compute Desktop Encyclopaedia: see www.computerlanguage.com.
On occasion, our Courts have not applied the test of the reasonable person and instead have followed English law in applying the so-called “duty of care” doctrine (see Neethling, Potgieter & Visser at pages 148-149). According to this approach, one must first establish whether the defendant owed the plaintiff a duty of care and thereafter whether there was a breach of this duty. If both questions are answered in the affirmative, negligence is said to be present. In determining whether a duty of care was owed, the criteria is whether a reasonable person in the position of the defendant would have foreseen that his conduct (whether by doing something or not doing something) might cause damage to the plaintiff. In determining whether there was a breach of the duty of care, our Courts consider whether the wrongdoer exercised the standard of care that the reasonable person would have exercised in order to prevent the damage.
Blacklists contain the names of IP addresses and open relays frequently used by spammers – see the Spamhaus Project for example located at www.spamhaus.org.
The technical solutions include blacklists and other databases of Internet hosts frequented by spammers (the best known of which is the Mail Abuse Prevention System’s Realtime Blackhole List, SPAM filtering and blocking software.
See “Blah on steroids“, 7 March 2003 located at http://illuminated.co.uk/blog/2003/03/is-this-spam-if-so-why.html