Response to the DTI Consultation on the Directive on Certain Legal Aspects of Electronic Commerce

4. Commercial Communications

Introduction

Currently, the use of automatic calling systems and unsolicited faxes is prohibited under the 1997 Directive on Privacy in the Telecommunications Sector. The huge growth of the Internet and mobile communications has now created a divergence between laws covering traditional analogue transmissions and those covering unsolicited communications using new media. The principle of "technology neutrality" supported by the UK government in the 1999 Communications Review therefore must be enforced here as elsewhere.

The DTI consultation document correctly points out that there is an obligation under Article 7 of the Directive in question that unsolicited commercial communications must be clearly identifiable as such. However, neither the DTI nor the Direct Marketing Association appear willing to support a standardised labelling method, which would give consumers the right to filter out unsolicited mail. We can see no reason for opposition to such a measure, other than lack of respect for the rights of consumers to choose what mail they receive.

Current Practice

"Spammers" traditionally use methods to collect e-mail addresses which are contrary to the 1995 Data Protection Directive. These included using computer programs to randomly "guess" thousands of e-mail addresses, in the hope that some may be valid. Also, addresses are collected from public spaces such as chat rooms and message boards. These practices have created a de facto ban on legitimate companies from sending unsolicited e-mail - no company which values its good name would want to risk good name by being associated - even incorrectly - with such practices.

Therefore, the lack of a formal ban allows spammers to continue to hide behind weak legislation, but does nothing to make the situation better for legitimate companies. Indeed, the lack of a ban, together with the country of reception rules for unsolicited e-mail, means that it is almost impossible not to break the law if sending unsolicited e-mail, as a huge number of addresses (@hotmail.com, @yahoo.com, @aol.com) are not identifiable as coming from a specific country. The DTI's consultation paper says that a ban on unsolicited commercial communications via e-mail would be "disproportionate". On the contrary, the lack of a ban together with a country of reception legal regime, non-specific labelling requirements and widely diverging national data protection laws imposes a disproportionate and unreasonable burden on consumers and companies alike.

It is also worth noting that alleged "opt out registers" have traditionally been re-sold by spammers as value-added lists of addresses which have been confirmed to be active. There is therefore considerable consumer resistance to using such lists.

Data Protection Law

The consultation paper says that e-mail addresses are covered by national data protection law. When a spammer collects addresses via public spaces, "guessing", trafficking or however, the recipient of the junk mail has absolutely no indication, upon receipt of the junk mail, that his personal data has been abused - just an e-mail that he did not ask for. Therefore, the Office of the Information Commissioner will have nothing on which to base an investigation. Does the DTI have a concept of how it intends to enforce data protection law under the opt-out regime?

Global opt-out list

The E-MPS global opt out list is an acknowledged failure in the USA and the reference to it in the consultation paper is both surprising and disappointing. It is also very strange that the DTI believe that the the DMA's award to itself of the TrustUK symbol somehow makes it more credible. There are several reasons why the E-MPS will not work:

1. It refuses to allow ISPs to opt-out their entire domain name (@demon.co.uk, for example).
    
2. The opt-out expires, forcing consumers to opt-out again and again.
    
3. There are no security measures against "dictionary attacks". A company could send a million random addresses to the E-MPS, and maybe five percent could be removed by the opt-out list. That five percent could then be spammed, as they would be addresses which are proven to be active.

Costs

Recital 30 of the Directive states that unsolicited communications should not cost money to the recipient. However, both in terms of increased ISP charges (for customer churn caused by spam, bandwidth used by spam, customer service to deal with spam complaints, etc) and in terms of phone time, they do cost money to consumers. The costs of downloading mail via WAP, particularly when overseas, as well as roaming charges for SMS are also very significant.

ISP measures

Ironically, the Directive both supports the prevention of unsolicited communications, through its support for interception and deletion of unsolicited communications (recital 30) and supports the sending of unsolicited communications (through its opposition to interception of communications in recital 15, and in article 7). The only real measure at the disposal of ISPs is filtering, both directly and via blacklists. However, if the sending of unsolicited communications is legitimised by the transposition of the Directive, what legal right will ISPs have for filtering junk mail on behalf of their consumers?

Responses to questions:

4.1 To receivers of unsolicited commercial communications: what is your experience of using voluntary opt-out schemes?

Bad. Opt-out schemes either use addresses which do not work, or result in additional junk mail due to the fact that the consumer has proven that their address is correct and that mail sent to that address is read. If opt-out schemes are supported, this means that the consumer is forced to open the e-mail in order to establish how to fulfill the opt-out procedure.
 

4.2 How could the functioning and advertising of this system be improved?

The opt-out 'system' is fundamentally flawed and not subject to improvement. All ways of improving it have been rejected by the DMA - for example allowing the consumer to see how and when their address was obtained in the first place (to prove adherence to data protection law).
 

4.3 Have such schemes cut down on the amount of e-mail that you receive?

No. They inevitably have resulted in increases of junk e-mail.

The European Coalition Against Unsolicited Commercial Email is an all-volunteer, ad-hoc grouping of Internet users and professionals dedicated to bringing about an end to an unethical practice by technical and legislative means. http://www.euro.cauce.org