United Kingdom (UK)

of Great Britain and Northern Ireland

Don't know your MP's email address? Just drop a line to our Enquiry Desk [mp-uk-01(à)euro.cauce.org]. Be sure to include the Member's name or constituency.

Implementation of the E.Commerce Directive (00/31/EC)

The Communication and Information Industries Directorate of the Department of Trade and Industry has released its Public Consulation Document.

The following questions are asked in Chapter 4:

1. To receivers of unsolicited commercial communications: what is your experience of using voluntary opt-out schemes?
    
2. How could the functioning and advertising of this system be improved?
    
3. Have such schemes cut down on the amount of e-mail that you receive?

Be sure to let the Department know what you think. We will.
 

Draft Communications Data Protection Directive

The Communication and Information Industries Directorate of the Department of Trade and Industry would welcome views concerning the draft Communications Data Protection Directive COM(2000) 385. Let the Department know you care. See our statement.

Implementation of Distance Selling Directive (97/7/EC)

The Department of Trade and Industry announced a package of regulations designed to implement the Distance Selling Directive under the heading NEW RIGHTS FOR HOME SHOPPING CONSUMERS. Of interest to us:-

Unsolicited Commercial Communications

These Regulations do not specifically implement Article 10 of this Directive, which relates to Unsolicited Commercial Communications from business to consumers by phone, fax, mail or e-mail. In the case of phone and fax implementation has already been made by means of the Telecommunications (Data Protection and Privacy) Regulations 1999.

For mail and e-mail the Department considers that the self-regulatory schemes that are currently in place provide the necessary protection. This approach is in accordance with Article 11.4 of the Directive which provides for voluntary supervision by self-regulatory bodies.

There are a number of schemes which allow consumers to register their wish not to receive unsolicited marketing material or telephone calls :

<...>

Unsolicited Marketing E Mails

If you wish to register not to receive Unsolicited Commercial E-mails (UCE), the EMPS (E-mail Preference Scheme) is operated by the DMA in the United States. Please note that the database is held in the US, and your personal data is not, therefore, covered by UK Data Protection legislation. For further details see

http://www.e-mps.org/en/ [*]

If a consumer does receive UCE, (s)he should contact the Internet Service Provider (ISP) in the first instance to report the matter. [our emphasis]

This is the nearest the DTI can come to admitting that the only "self-regulatory scheme" which has the ghost of a chance of working is the prohibition on all kinds of Unsolicited Bulk / Broadcast Email outlined in the LINX Best Current Practice (RIPE 206). Data Protection issues in relation to address gathering are not covered in these regulations.

[*] the lack of built-in hyperlink on the above URL is deliberate. We cannot and do not endorse this scheme because it is

• ineffective (senders of UCE can and do ignore it)
• hedged about with unnecessary restrictions. The DMAs want to demonstrate that they, not you, are the ultimate arbiters of what comes into your mailbox.
   

Unsolicited Messaging on the Internet

The conference opened with a very clueful account of the problem of Unsolicited Commercial Email, presented by Bill Onwusah of Lovell White Durrant. Cost shifting, waste of time, invasion of privacy, poor to non-existent targeting, and possible inclusion of hostile programs by way of "baggage" were all mentioned as factors explaining providers' and providers' customers' opposition to UCE. The majority of users dislike UCE: in one survey, 83% responded that they disliked UCE, dividing only on the degree (20% "somewhat", 63% "a lot").

Most users appear to be of the opinion that "someone else" should be taking care of the problem. European respondents tend to favour legislation, US respondents say that it is up to the service provider.

Mark Rhoads of the United States Internet Council pointed out that it seemed a bit strange that on the one hand, the Internet is "hostile to geography", and yet, in the United States, it is the state governments who seem to be able to act more quickly and lead the way with legislation. Extensive material on the "Can Spam Act" (HR 2162) was presented (with arguments for), as well as an overview of other bills (with arguments against). (See the CAUCE site for similar details.)

The Opt-In vs Opt-Out debate was enlivened by vigorous participation from both panel and floor. Our position was (and is):-

• Individual or single-instance opt-out will not work: the time and effort involved in issuing opt-out requests from thousands of list would eventually prove to be too burdensome
  
• A voluntary list scheme will not work: it relies on cooperation and goodwill on the part of those types of people notably lacking in such character traits
  
• A statuory list scheme has never been tried, so we reserve judgement as to whether it could be made to work. (Enforcement at the general taxpayer's expense does not seem to be too fair, though.)
  
• Direct Marketers would be well-advised to go opt-in. A central register scheme could be established by the DMA for its members to which consumers could subscribe and change subscriptions at will. Under the right circumstances, people are willing to pay to receive certain types of advertising: just look at the success of such papers as Exchange and Mart, for example. The point is that it is the consumer's choice.

Christine Oddy, the former MEP, was Rapporteur for the Committee of Legal Affairs and Citizens' Rights on the e-commerce directive proposal. According to her, UCE was not a serious issue. The other parliamentarians were more concerned with other aspects of the directive proposal, such as providers' liability for illegal content (copyright infringements, child pornography) and so on. Since consumers' groups did not appear to be concerned, UCE does not appear to be too great a problem. [Well... there were supposed to be about 22 million 'net users in Europe, of which just under 30.000 signed the c't/politik-digital petition against spam, i.e. about 0,13%. We do maintain that the "activists" are but the tip of a much larger iceberg, and that it is only because the providers have been keeping the problem in check and that the current methods of address gathering are relatively inefficient (the same Webmasters and Usenet posters get pounded over and over again whilst many happy surfers are largely untouched) that many more 'net users are not affected. In any case, consumers' associations have other issues on their agendas, so net.abuse is seen as a matter for 'net users and providers anyway.]

Malcolm Hutty of the Campaign Against Censorship of the Internet in Britain (CACIB) brought up a number of offending collateral issues. The biggest ones were the right to protest and the issue of anonymity.

Protest is all well and good, but protesters' rights on private property are far more limited than they are on public ground. The UK is no exception in placing more restrictions on advertisements than on political or artistic expression.

Those who run genuine anonymous mail services (as distinct from misconfigured servers functioning as open relays) tend to take measures to reduce the likelihood of abuse. In extreme cases of harassment, they will block outgoing mail destined for a particular address.

The Direct Marketing Association was ably represented by Messrs. Dirskovski and Robottom. Their presentation included some elements of myth and wishful thinking, however. Most notably, it was mentioned that a preference scheme based on one implemented by the US DMA was already in place, which was not the case as at 2 October 1999 (to say nothing of the date of the conference). It should be noted that Rodney Joffe (who is also a member of the American DMA) counts it as one of the successes of his SAFEeps scheme that the DMA had not to date implemented its own scheme.

A favourite myth of the small company making use of "targeted" UCE to "outrun" larger and slower competitors was also given an airing. No concrete examples were given, and the widespread prohibition on the part of many providers against their customers' sending of UBE would appear to militate against the practice becoming more common. DMAs in the USA and Europe are nevertheless keen to avoid a more restrictive "opt-in" regime which would tend to restrain their usual processes of address gathering and brokering (as currently practiced with postal addresses). They do not seem to have an answer to those who find the emailing policies of Progressive Networks or Amazon totally unacceptable, except perhaps for "individual opt-out". This has been demonstrated to be less than effective and is not likely to find much acceptance amongst recipients of UCE.

Glyn Morgan of Taylor Joynson Garrett gave an overview of possibilities for regulating commercial email. Much of this revolves around the UK Data Protection Act of 1998 which will come into force on 1 March 2000. This Act is the UK implementation of the Data Protection Directive 95/46/EC and the Data Protection and Telecommunications Directive 97/66/EC.

The Act makes it plain what is required for data to be processed "fairly and lawfully", namely the consent of the data subject. No processing is allowed except for the purposes originally stated and to which the data subject had given consent. This could have an impact not only on UCE but other forms of traffic in mailing lists, and practices such as scraping addresses from the Web or from Usenet would seem to be similarly prohibited.

Jeremy Drew of Ashurst Morris Crisp concluded the conference with a review of the arsenal of legal measures possible under existing legislation. These include

• Breach of contract
• ISP's explicit provisions against spamming
• General provisions against annoying conduct
  
• Trespass
• Torts (Interference with Goods) Act 1977
• Common Law
  
• Infringement/dilution of registered trade marks

Subsidiary claims can involve anything from computer fraud through unjust enrichment or unfair competition to nuisance or criminal damage.

Remedies include temporary or permanent injunctions, and monetary compensation for damages. Examples of actual cases were included, the one particularly relevant to the UK being Virgin Net Limited vs Adrian Paris.
 

Building Confidence In Electronic Commerce

An initial consultation with a view to forming the UK's negotiating position on the "electronic commerce" directive was carried out early 1999. The report is now available. From the summary on responses to the question on whether "industry solutions" would be adequate, or whether government action would be needed:-

There exists a strong case for the market to determine how to deploy technologies and methods to tackle the issue of 'spamming'. However, there is a need to recognise that some legal recourse could be required to address persistent offenders and the government needs to keep a watching brief on industry's progress on this issue.

Promoting Electronic Commerce

A further "Consultation on Draft Legislation and the Government's Response to the Trade and Industry Committee's Report" has been published. In its current form, the legislation proposed has more to do with encryption and electronic signatures. Concerning UCE:-

The Government's earlier consultation paper also sought views on whether it should take any measures to regulate unsolicited email ("spam"). The majority opinion was to allow the industry to take effective voluntary measures, but that the Government should keep a watching brief and be ready to take legislative action if necessary. The Government has decided to follow this approach and work with industry and rely on existing measures. The EU Distance Selling Directive (97/7/EC) contains provisions requiring Member States to enable consumers to register their objection to receiving unsolicited emails sent for the purpose of distance selling, and to have their objections respected. The Directive does not apply to business-to-business transactions and certain contracts are excluded, including those related to financial services (subject of a separate EU proposal). The Directive has to be implemented by 4 June 2000, and DTI plan to consult on its implementation later in the summer.

UBM Conference: "Junk Mail Fatigue - Finding a Cure"

A one day conference on the problems of Unsolicited Bulk Messaging on the Internet was hosted by the London Internet Exchange on 8 October 1998. Paul Vixie was the keynote speaker, and was joined on the platform by representatives of the DTI, the UK Direct Marketing Association, the Data Protection Registrar's Office, RIPE, and EuroCAUCE.

The Legal Fight Against Spam

Eduardo Ustaran of Paisner & Co in London writes:-

Together with an American firm, we have been involved in a case where our client, Bibliotech, sued a number of US spammers/spoofers.

Related articles in The Register Spam war victory for BiblioTech UK anti-spam minnow takes on US big fish UK ISP takes anti-spam crusade to US US spammer flouts British court restraining order   Bibliotech's press release

In addition, we have taken part in the consultation process regarding the Telecoms Privacy Regulations, to offer our views that e-mail should be included in the Regulations.

Concerning draft regulations implementing Directive 97/66/EC "Data Protection and Telecommunications"

Among other things, the new regulations should provide:-

• a ban on sending unsolicited direct marketing faxes to individual subscribers;
• the ability for corporate subscribers to opt out from receiving unsolicited direct marketing faxes;
• the ability for individual subscribers to opt out from receiving unsolicited direct marketing phone calls;
• enforcement by the Data Protection Commissioner (formerly known as the Data Protection Registrar), who will be advised on technical matters by OFTEL.

This should be good news to corporate subscribers who have hitherto been plagued with "junk" faxes. Although not as desirable from the subscriber's point of view, the "opt-out" scheme enforced by the Data Protection Commissioner could work well enough.

On the other hand...

Electronic mail

2.3 Some questions have been raised as to the extent to which electronic mail is covered by the Directive. It is important to note that not all provisions of the Directive apply to all publicly available telecommunications services. Notably, certain Articles (6, 8, 9,10,12; Parts II, III and V of the Regulations and regulation 28) impose obligations in respect of "calls", "calling line identification", and "unsolicited calls" etc.

Having regard to Recitals 7,11 and 13 to the Directive, and to the fact that electronic mail is a value added service delivered via publicly available telecommunications services, it is our present view that electronic mail is not a "call". On the other hand, provisions on security (Article 4; Regulation 25) and directories (Article 11; Part IV of the Regulations) will apply to electronic mail as to other publicly available telecoms services.

The recipient may have another opinion, because there is a great deal of similarity to being inundated with "junk" faxes and "junk" email. Nevertheless, this does demonstrate that the Department does not regard Internet providers as Public Carriers. This means that the providers are free to adopt whatever Terms of Service/Acceptable Use Policy they want and can persuade their subscribers to accept, and that traffic is carried or refused at their sole discretion. [So all we have to do is to convince the providers of the desirability of adopting and enforcing anti-UBE policies. Simple, yes?]

The implementation of the Distance Selling Directive (97/7/EC) will be another matter, because the provisions governing contact by telecommunications are broader in scope:

Article 10/2. Member States shall ensure that means of distance communication, other than those referred to in paragraph 1, which allow individual communications may be used only where there is no clear objection from the consumer.

[Paragraph 1 refers to automated dialing systems playing a pre-recorded message and fax. It ought to have included email...IMHO]

(Beebit 1998-09-27)
 

DTI Workshop - EU Directive on Data Protection and Telecommunications.

A workshop was held at the Department of Trade and Industry recently. On the panel were representatives of OFTEL and the Data Protection Registrar, and in attendance were representatives of telecommunications providers (BT, Orange, and others), the (UK)DMA, operators of the Fax Preference Scheme, Internet providers (notably Demon), Internet "exchanges" (the London Internet Exchange and Joint Academic Network), the National Consumer Council, and others.

The timetable for implementation looks something like:-
July - Draft regulations published
August - Comments and possible revisions
September - Final Draft laid before Parliament
October - adopted Directive brought into force

Most of the directive covers directories, the contents and usage thereof. Two items can (by implication) apply to email. Other salient points emerging from the discussions:-

• the price structure for Cellular phones is such that the caller pays, and the called party does not. This removes the impetus for banning "junk" phone calls to cellular phones, but there could be problems with some forms of "roaming" service where the called party does end up paying.
• Both this directive and the Distance Contracts directives apply to consumers only. Business-to-business communications are covered by other regulations.
• There is quite a lively "junk fax" activity in the UK. Individual consumers will be protected by the opt-in requirements of both directives, but businesses will not be.
• There is an underpublicised "Fax Preference Scheme" which is an opt-out list. It was not completely clear whether or not businesses could sign up.
• The UK has the highest percentage of telephone subscribers who are completely ex-directory.
• There is (and has been for a long time) a scheme whereby a telephone subscriber can have no information appear in the printed directory but have contact information available via the directory enquiries service.
• A database consisting of no more than contact information of members or customers would not come under the ambit of the Data Protection Registrar, but databases containing more information probably would. This could apply to our operations as well...

There was one moment when a question concerning fax-to-email and email-to-fax gateways simply could not be answered by anyone on the panel. Indeed, the members of the panel seemed a little frightened at the prospect of being blinded by science on the part of the "Internet brigade". It was generally acknowledged that the "economics of email" IOW cost-shifting create conditions which are unique.

The junk-fax wallah was trying to advance the "everyone accepts adverts, however unwillingly". I just managed to get in my remarks about published and broadcast adverts paying the costs of the content and transmission, to which the viewer or reader "opts in" by virtue of reading the publication or viewing or listening to the programme.

In a "sidebar" conversation between representatives of the DMA and Demon, the DMA person was somewhat amazed as to how negatively Demon's customers react to junk email. Who knows, there may be hope. Certainly our message to any DMA would be, "Look, no matter what the actual legislative framework turns out to be, opt-in is the only answer which makes sense. There was, is, and will be no way the punters are going to accept UBE. Organisations like ours will see to it, and that's both a promise and a statement of fact."

At one point, when the trade in "umpty squillion email addresses" was mentioned, it was pointed out that the addresses themselves are only those of participants of one form or another: Usenet, the Web, or chat. Someone burbled something about addresses being snagged together with information concerning Web browsing habits. Now, I had thought that that problem had been sorted out in IE and NN, but a recent thread in n.a.n-a.e ('Scarfing Your Email Address When You Visit a Website') would seem to indicate otherwise. One correspondent related that there are some tricks with Javascript which I presume does something similar to the "FTP grab". Have a look at http://www.glenns.org/ftpgrab.html.

In conversations elsewhere, it turns out that small businesses seem to be adversely affected by "junk faxes". Apparently once a fax number appears in an advertisement, that fax will be spammed mercilessly. It is significant here that it was business which pushed for the passage of the "junk fax law" in the United States. I see a crying need for agitation in the future to transform unfocused discontent into a coherent lobby for change.

In a completely separate development, OFTEL was seen to be intervening in a case of harassment, where one party was continuing to send fax advertisements in spite of being asked to stop. The timing was merely coincidental, but it does show that it may be possible to stem the flow from one sender but only with a lot of bother.

A currently widespread perception is that the UBE problem is "made in USA" for the most part. Experts and anyone with bit of common sense realise that it is only a matter of time before the local "cowboys" get in on the act, and anything giving UBE a patina of respectability and legality is best avoided.

On current trends, it does not bode well for businesses with email in the UK. Private users may fare better in the short term.
 

DTI

The Department of Trade and Industry has requested comments (to be communicated by 1 June) concerning the implementation the 'Protection of Privacy in Telecommunications' Directive, which is to be implemented in October. The Department further comments:-

Directive 97/7/EC on the protection of consumers in respect of distance contracts (the 'Distance Selling Directive') has similar provisions to Article 12.2 in respect of unsolicited calls for marketing purposes. Article 10.2 in the Distance Selling Directive (the equivalent provision to Article 12.2), however, covers a wider range of means of communication (i.e. mail as well as telecommunications). The Distance Selling Directive has to be implemented by 4 June 2000, and DTI will consult on implementation this summer. However, the same opt-in or opt-out system chosen to implement the Telecoms Data Protection Directive is likely to be used for the Distance Selling Directive in respect of telecommunications.

(Beebit 1998-05-29)
 

JANET

A lot of spam seems to go to Academic networks here in the UK (.ac.uk) which means that it must go through JANET, the Joint Academic NETwork. In their document online of their Acceptable Use Policy:

http://www.ja.net/documents/use.html

they state that

• 9. JANET may not be used for any of the following:
• 9.1. the creation or transmission (other than for properly supervised and lawful research purposes) of any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material;
• 9.2. the creation or transmission of material which is designed or likely to cause annoyance, inconvenience or needless anxiety;
• 9.3. the creation or transmission of defamatory material;
• 9.4. the transmission of material such that this infringes the copyright of another person;
• 9.5. the transmission of unsolicited commercial or advertising material either to other User Organisations, or to organisations connected to other networks;

(amongst other things) Which, in no short terms, means that spam may not be sent to any UK Academic institution.

(Beebit 1998-05-29)