Canada Strikes At Spam

Editors' note: Canada's national spam task force delivered its report in May to Industry Minister David Emerson. Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa and a member of the Board of Editors of our sibling publication Internet Law & Strategy, was on the task force and served as co-chair of the law and regulatory working group. The task force helped facilitate a series of cases, including Geist's own privacy complaint against the Ottawa Renegades football team over unsolicited commercial e-mail sent to him, to test the current Canadian legal framework.

The Government of Canada's Task Force on Spam concluded that the current laws governing spam are not good enough. While Canada alone is not able to deal with the spam problem nationwide, it must at least deal with the spammers in its own backyard. The current legal framework contains some significant holes and the task force's recommendations call for a spam-specific law accompanied by a new separate body to work on policy and enforcement coordination.

The recommendations, if adopted and put into legal force, would have far-reaching and deep implications for e-commerce and related activities. No public action had been taken by late July, though the government was working on the report. After Emerson finishes with the report, it would advance to the Cabinet, and then to Parliament as a bill for consideration.

The task force and recommendations come a year and a half after two bills that would have made it tough going for Canadian spammers expired in Parliament. The legislators vowed to reintroduce the proposals, but the measures failed to advance. (See, “Canadian MP And Senator Champion Anti-spam Bills,” in the December 2003 edition of e-Commerce Law & Strategy [Vol. 20, No.8].) One of those proposals, the one submitted by Sen. Donald Oliver of Nova Scotia to establish a Canadian national No Spam List, was recently reintroduced, and is still alive, though no definitive action had been taken on it as of late July.

The most important statutory recommendation in the May report of the task force is a call for a new rule in a spam-specific law that would make it an offense to fail to abide by an opt-in regime for sending unsolicited commercial e-mail. This would set a critical baseline for Canada ' opt-in (as compared to the U.S. opt-out approach) with penalties. It also sends a clear message that the Personal Information Protection and Electronic Documents Act (PIPEDA), 48-49 Elizabeth II Chapter 5, the national privacy legislation, is simply ill equipped to deal with the most serious spam issues.

The task force also concluded that new legal provisions are needed to address issues such as false or misleading headers, dictionary attacks and the harvesting of e-mail addresses ' all among universal and annoying e-mail assault tactics ' and, when unchecked for long, potentially harmful. It also called for the establishment of a private right of action to help facilitate lawsuits against Canadian spammers. Taken together, the spam-specific statute would be far more robust than the current legal framework and would send an important message to law enforcement that this is a serious issue that demands government action.

While there are 22 recommendations in the task force report, Stopping Spam: Creating a Stronger, Safer Internet, the success of the initiative will depend on the government's ability to act on the eight recommendations that focus on a strong new stand-alone spam-specific law, and an effective coordinating mechanism to make the new system work. (See, “Legislative Recommendations By The Canadian Task Force On Spam“.)

That won't be easy, given current governmental uncertainty, but there were encouraging words from Minister Emerson.

“We need to rid the Internet of the scourge of spam if Canada is going to be able to reap the full benefit of a strong e-economy,” Emerson said in a statement, adding that the recommendations merit “strong” consideration. The Minister thanked task force participants for their efforts.

The findings also received strong support from Philippa Lawson, director of the watchdog and advocacy outfit Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.

“We hope that the Canadian government acts on this report, swiftly and decisively,” Lawson said.

Spam on the Rise

According to the report's executive summary, spam is estimated to have accounted for as much as 80% of global e-mail traffic at the end of 2004 – up from about 10% in 2000.

The report calls spam “more than a growing nuisance.” It says that while spam is still thought of as simply a nuisance, it is actually a public policy issue that “is increasingly associated with activities that are intended to mislead and deceive, to violate privacy, to make unauthorized use of consumer or business equipment, to cause harm to computers or networks, to commit fraud or to steal personal information.” Quite the indictment. The report notes that: “During [the past year], spam and these other kinds of threats have begun to spread from Internet e-mail to instant messaging and wireless communication services.”

The report also made clear that spam causes problems on many levels of communication, and society.

“At the macro level, spam is a direct threat to the viability of the Internet as an effective means of communication,” the task force said. “Because of this, spam is also a direct threat to increasing economic prosperity, to more efficient public services and to the emergence of an e-economy that includes all Canadians.

“At the micro level, spam annoys and offends Internet users. It also provides a vehicle for activities that are clearly illegal ' or should be.

“[S]pam undermines consumer confidence in e-commerce and electronic transactions between citizens and their governments. In addition, it imposes significant costs throughout the economy.”

In fact, surveys in the United States and elsewhere have shown that many consumers say they are reluctant to participate in e-commerce because of fear that their personal information will be compromised, or because they have received deceitful and misleading unsolicited e-mails, some that appeared to be legitimate advertisements or charity appeals, and some that were flat-out scams.

And in the United States?

The United States has tried to tackle the problem with the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, 15 USC 7701), which regulates the lawful sending of e-mails for commercial purposes. The Canadian recommendations go beyond that Act by calling for an opt-in requirement, instead of an opt-out rule ' putting the onus on the sender, not the recipient. e-Mail users in Canada would have to elect to receive electronic solicitations, rather than respond to each one by “unsubscribing” to the e-mail list, Canada's proposal being an option that many users most likely would prefer.

But not all observers think the opt-in, or even more government regulation of spam, may be the end-all solution to annoying and harmful inbox clutter. Consider the comments of e-commerce and business-law expert Stanley P. Jaskiewicz of Spector Gadon & Rosen in Philadelphia.

“An opt-in requirement and creation of a private right of action for spam victims may deter those who abide by the laws, and are concerned about being sued,” Jaskiewicz, also a member of e-Commerce Law & Strategy's Board of Editors, says.

Indeed, the U.S. Federal Trade Commission (FTC) in May embarked on a rulemaking to address loopholes and just plain holes in CAN-SPAM. The FTC said in a news release that the proposed rulemaking would solicit public input on:

• Defining the term “person,” a term used repeatedly throughout the Act but not defined there;
• Modifying the definition of “sender” to make it easier to determine which of multiple parties advertising in a single e-mail message will be responsible for complying with the Act's “opt-out” requirements;
• Clarifying that Post Office boxes and private mailboxes established pursuant to United States Postal Service regulations constitute “valid physical postal addresses” within the meaning of the Act;
• Shortening from 10 days to three the time a sender may take before honoring a recipient's opt-out request; and
• Clarifying that to submit a valid opt-out request, a recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page.

The notice of proposed rulemaking was a follow-up, the FTC noted, to an Advance Notice of Proposed Rulemaking (ANPR) on the provisions outlined above and to other CAN-SPAM topics published on March 11, 2004. The FTC said it got 13,517 comments and suggestions during the ANPR public-input period from “representatives of a broad spectrum of the online commerce industry, trade associations, individual consumers, and consumer and privacy advocates.” The proposals put out in May were based on the ANRP commentary, and the FTC's own experience in enforcing laws, the Commission said.

The notice of proposed rulemaking ' the comment period for which ended on June 27 ' also addresses other concerns raised in the ANPR, but that aren't part of any rulemaking at this time. These include:

• CAN-SPAM's definition of “transactional or relationship message”;
• The FTC's views on how CAN-SPAM applies to certain e-mail marketing practices, including “forward-to-a-friend” e-mail marketing campaigns; and
• The Commission's determination not to designate additional “aggravated violations” under section 7704(c)(2) of the Act.

Still, Jaskiewicz wonders, in the wake of CAN-SPAM and previously difficult actions against spammers, whether any law can thwart determined spammers who, after all, often are scofflaws and, when conducting e-commerce, take careful steps to avoid jurisdictions and being detectable in the first place.

“I suspect that the worst spammers have no fear of the law in Canada, in the U.S., or anywhere else,” he says. “Either they have no assets that a court could find, or they expect that they will never be under the jurisdiction of any court that they would fear. I expect that anti-spam laws will quickly become the proverbial race to the bottom. No matter how strong or well written the efforts of the developed world to control spam may be, the only law that actually affects spam will be the weakest law in the world. Internet technology allows spammers to operate through countries with the weakest laws, and it is to those countries that spammers will relocate (if they have not already done so). If anything, the passage of more effective anti-spam laws such as the opt-in regime in Canada will only hasten the flight of spammers abroad.”

But in the end, with international cooperation, even the racers to the bottom who seek refuge in nations that allow spam operations might find themselves ultimately brought down by developed nations with laws against spam abuse, putting pressure on the spammers' haven nations to shut them down, and to cease their law-flouting ways. The international pressure might also bring those out-of-sync nations into compliance with world spam standards, and force their governments to pass laws that complement those in place in other nations.

CAN-SPAM Has Plenty Of Critics

Indeed, critics of the Act from before President Bush signed it into law have said that CAN-SPAM doesn't do enough to stop the real spam threat or nuisance. It might curtail the obvious spam artists; for instance, the flood of ads for pornographic Web sites and sex-enhancement products seems to have slowed considerably, but it doesn't go far enough. And the United States, although legislators are subject to constituents' input, has no task force similar to its northern neighbor's looking into the problem and that could make recommendations to the legislature. Several states do, however, have legislation pending or in the drafting stage that focuses on spam, and court decisions have fashioned some case law on the matter. But CAN-SPAM critics may well have another hurdle ' though not one that might be insurmountable by all accounts ' notes D. Reed Freeman Jr., chief privacy officer and vice president of legislative and regulatory affairs at online marketing firm Claria Corp. in Washington, DC.

“CAN-SPAM preempts most state law,” says Freeman, a member of e-Commerce Law & Strategy's Board of Editors. “This means that states cannot pass opt-in laws such as that apparently being considered in Canada.”

The Canadian Recommendations

The Canadian task force's report says “a multifaceted, multistakeholder approach to fighting spam works ' and is the only approach likely to be fully effective in the long term.” In defining this approach, the report states its finding that: “Sound business practices, consumer awareness, public education and international cooperation are equally important instruments of the anti-spam toolkit. To maximize results, these tools must be developed and used in a coordinated fashion within a sound legal framework backed by effective enforcement.”

The task force recommends:

• Vigorous enforcement of current laws that prohibit spamming activities, as well as new legislation as required to fill any gaps identified in existing laws;
• Stronger penalties and enforcement mechanisms to deter spammers more effectively;
• Industry standards and recommended practices to guide ISPs, other network operators and commercial e-mail marketers in the legitimate conduct of business;
• Public education and awareness; and
• International cooperation.

As for the overall effort, and the state of Internet advertising and general business pretty well demands that an effort must be made. Jaskiewicz, of Philadelphia's Spector Gadon & Rosen, believes that the Canadian task force is walking, from his reading of the report to the Industry Minister, the right path toward well-considered regulation in conceding in its report (perhaps with echoes of CAN-SPAM pealing down the halls of governance in Ottawa) that spam is a difficult foe to beat.

“Canada's task force wisely recognized that its own laws cannot solve the spam problem alone, and did not try to oversell to Canadians the benefits it hopes the new law will provide them,” Jaskiewicz says. “I think that the ineffectiveness of the CAN-SPAM Act in the United States has led to a consensus on the difficulty (if not impossibility) of solving the spam problem legislatively, in any country. In a world where technology makes spam both possible and profitable from anywhere that an Internet connection is available, spammers will ' as they have done to date ' evade any efforts at regulation with little effort.”

A list of the recommendations regarding new legislation mentioned in this article can be found in the sidebar, Legislative Recommendat-ions by the Canadian Task Force on Spam, below. The full report can be found at http://ecom.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/h_gv00317e.html. Also, find information about spam and e-commerce in Canada at the government's Web site, http://www.canada.ca/, and from the Canadian Internet Policy and Public Interest Clinic at http://www.cippic.ca/.

Editors' note: Canada's national spam task force delivered its report in May to Industry Minister David Emerson. Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa and a member of the Board of Editors of our sibling publication Internet Law & Strategy, was on the task force and served as co-chair of the law and regulatory working group. The task force helped facilitate a series of cases, including Geist's own privacy complaint against the Ottawa Renegades football team over unsolicited commercial e-mail sent to him, to test the current Canadian legal framework.

The Government of Canada's Task Force on Spam concluded that the current laws governing spam are not good enough. While Canada alone is not able to deal with the spam problem nationwide, it must at least deal with the spammers in its own backyard. The current legal framework contains some significant holes and the task force's recommendations call for a spam-specific law accompanied by a new separate body to work on policy and enforcement coordination.

The recommendations, if adopted and put into legal force, would have far-reaching and deep implications for e-commerce and related activities. No public action had been taken by late July, though the government was working on the report. After Emerson finishes with the report, it would advance to the Cabinet, and then to Parliament as a bill for consideration.

The task force and recommendations come a year and a half after two bills that would have made it tough going for Canadian spammers expired in Parliament. The legislators vowed to reintroduce the proposals, but the measures failed to advance. (See, “Canadian MP And Senator Champion Anti-spam Bills,” in the December 2003 edition of e-Commerce Law & Strategy [Vol. 20, No.8].) One of those proposals, the one submitted by Sen. Donald Oliver of Nova Scotia to establish a Canadian national No Spam List, was recently reintroduced, and is still alive, though no definitive action had been taken on it as of late July.

The most important statutory recommendation in the May report of the task force is a call for a new rule in a spam-specific law that would make it an offense to fail to abide by an opt-in regime for sending unsolicited commercial e-mail. This would set a critical baseline for Canada ' opt-in (as compared to the U.S. opt-out approach) with penalties. It also sends a clear message that the Personal Information Protection and Electronic Documents Act (PIPEDA), 48-49 Elizabeth II Chapter 5, the national privacy legislation, is simply ill equipped to deal with the most serious spam issues.

The task force also concluded that new legal provisions are needed to address issues such as false or misleading headers, dictionary attacks and the harvesting of e-mail addresses ' all among universal and annoying e-mail assault tactics ' and, when unchecked for long, potentially harmful. It also called for the establishment of a private right of action to help facilitate lawsuits against Canadian spammers. Taken together, the spam-specific statute would be far more robust than the current legal framework and would send an important message to law enforcement that this is a serious issue that demands government action.

While there are 22 recommendations in the task force report, Stopping Spam: Creating a Stronger, Safer Internet, the success of the initiative will depend on the government's ability to act on the eight recommendations that focus on a strong new stand-alone spam-specific law, and an effective coordinating mechanism to make the new system work. (See, “Legislative Recommendations By The Canadian Task Force On Spam“.)

That won't be easy, given current governmental uncertainty, but there were encouraging words from Minister Emerson.

“We need to rid the Internet of the scourge of spam if Canada is going to be able to reap the full benefit of a strong e-economy,” Emerson said in a statement, adding that the recommendations merit “strong” consideration. The Minister thanked task force participants for their efforts.

The findings also received strong support from Philippa Lawson, director of the watchdog and advocacy outfit Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.

“We hope that the Canadian government acts on this report, swiftly and decisively,” Lawson said.

Spam on the Rise

According to the report's executive summary, spam is estimated to have accounted for as much as 80% of global e-mail traffic at the end of 2004 – up from about 10% in 2000.

The report calls spam “more than a growing nuisance.” It says that while spam is still thought of as simply a nuisance, it is actually a public policy issue that “is increasingly associated with activities that are intended to mislead and deceive, to violate privacy, to make unauthorized use of consumer or business equipment, to cause harm to computers or networks, to commit fraud or to steal personal information.” Quite the indictment. The report notes that: “During [the past year], spam and these other kinds of threats have begun to spread from Internet e-mail to instant messaging and wireless communication services.”

The report also made clear that spam causes problems on many levels of communication, and society.

“At the macro level, spam is a direct threat to the viability of the Internet as an effective means of communication,” the task force said. “Because of this, spam is also a direct threat to increasing economic prosperity, to more efficient public services and to the emergence of an e-economy that includes all Canadians.

“At the micro level, spam annoys and offends Internet users. It also provides a vehicle for activities that are clearly illegal ' or should be.

“[S]pam undermines consumer confidence in e-commerce and electronic transactions between citizens and their governments. In addition, it imposes significant costs throughout the economy.”

In fact, surveys in the United States and elsewhere have shown that many consumers say they are reluctant to participate in e-commerce because of fear that their personal information will be compromised, or because they have received deceitful and misleading unsolicited e-mails, some that appeared to be legitimate advertisements or charity appeals, and some that were flat-out scams.

And in the United States?

The United States has tried to tackle the problem with the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, 15 USC 7701), which regulates the lawful sending of e-mails for commercial purposes. The Canadian recommendations go beyond that Act by calling for an opt-in requirement, instead of an opt-out rule ' putting the onus on the sender, not the recipient. e-Mail users in Canada would have to elect to receive electronic solicitations, rather than respond to each one by “unsubscribing” to the e-mail list, Canada's proposal being an option that many users most likely would prefer.

But not all observers think the opt-in, or even more government regulation of spam, may be the end-all solution to annoying and harmful inbox clutter. Consider the comments of e-commerce and business-law expert Stanley P. Jaskiewicz of Spector Gadon & Rosen in Philadelphia.

“An opt-in requirement and creation of a private right of action for spam victims may deter those who abide by the laws, and are concerned about being sued,” Jaskiewicz, also a member of e-Commerce Law & Strategy's Board of Editors, says.

Indeed, the U.S. Federal Trade Commission (FTC) in May embarked on a rulemaking to address loopholes and just plain holes in CAN-SPAM. The FTC said in a news release that the proposed rulemaking would solicit public input on:

• Defining the term “person,” a term used repeatedly throughout the Act but not defined there;
• Modifying the definition of “sender” to make it easier to determine which of multiple parties advertising in a single e-mail message will be responsible for complying with the Act's “opt-out” requirements;
• Clarifying that Post Office boxes and private mailboxes established pursuant to United States Postal Service regulations constitute “valid physical postal addresses” within the meaning of the Act;
• Shortening from 10 days to three the time a sender may take before honoring a recipient's opt-out request; and
• Clarifying that to submit a valid opt-out request, a recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page.

The notice of proposed rulemaking was a follow-up, the FTC noted, to an Advance Notice of Proposed Rulemaking (ANPR) on the provisions outlined above and to other CAN-SPAM topics published on March 11, 2004. The FTC said it got 13,517 comments and suggestions during the ANPR public-input period from “representatives of a broad spectrum of the online commerce industry, trade associations, individual consumers, and consumer and privacy advocates.” The proposals put out in May were based on the ANRP commentary, and the FTC's own experience in enforcing laws, the Commission said.

The notice of proposed rulemaking ' the comment period for which ended on June 27 ' also addresses other concerns raised in the ANPR, but that aren't part of any rulemaking at this time. These include:

• CAN-SPAM's definition of “transactional or relationship message”;
• The FTC's views on how CAN-SPAM applies to certain e-mail marketing practices, including “forward-to-a-friend” e-mail marketing campaigns; and
• The Commission's determination not to designate additional “aggravated violations” under section 7704(c)(2) of the Act.

Still, Jaskiewicz wonders, in the wake of CAN-SPAM and previously difficult actions against spammers, whether any law can thwart determined spammers who, after all, often are scofflaws and, when conducting e-commerce, take careful steps to avoid jurisdictions and being detectable in the first place.

“I suspect that the worst spammers have no fear of the law in Canada, in the U.S., or anywhere else,” he says. “Either they have no assets that a court could find, or they expect that they will never be under the jurisdiction of any court that they would fear. I expect that anti-spam laws will quickly become the proverbial race to the bottom. No matter how strong or well written the efforts of the developed world to control spam may be, the only law that actually affects spam will be the weakest law in the world. Internet technology allows spammers to operate through countries with the weakest laws, and it is to those countries that spammers will relocate (if they have not already done so). If anything, the passage of more effective anti-spam laws such as the opt-in regime in Canada will only hasten the flight of spammers abroad.”

But in the end, with international cooperation, even the racers to the bottom who seek refuge in nations that allow spam operations might find themselves ultimately brought down by developed nations with laws against spam abuse, putting pressure on the spammers' haven nations to shut them down, and to cease their law-flouting ways. The international pressure might also bring those out-of-sync nations into compliance with world spam standards, and force their governments to pass laws that complement those in place in other nations.

CAN-SPAM Has Plenty Of Critics

Indeed, critics of the Act from before President Bush signed it into law have said that CAN-SPAM doesn't do enough to stop the real spam threat or nuisance. It might curtail the obvious spam artists; for instance, the flood of ads for pornographic Web sites and sex-enhancement products seems to have slowed considerably, but it doesn't go far enough. And the United States, although legislators are subject to constituents' input, has no task force similar to its northern neighbor's looking into the problem and that could make recommendations to the legislature. Several states do, however, have legislation pending or in the drafting stage that focuses on spam, and court decisions have fashioned some case law on the matter. But CAN-SPAM critics may well have another hurdle ' though not one that might be insurmountable by all accounts ' notes D. Reed Freeman Jr., chief privacy officer and vice president of legislative and regulatory affairs at online marketing firm Claria Corp. in Washington, DC.

“CAN-SPAM preempts most state law,” says Freeman, a member of e-Commerce Law & Strategy's Board of Editors. “This means that states cannot pass opt-in laws such as that apparently being considered in Canada.”

The Canadian Recommendations

The Canadian task force's report says “a multifaceted, multistakeholder approach to fighting spam works ' and is the only approach likely to be fully effective in the long term.” In defining this approach, the report states its finding that: “Sound business practices, consumer awareness, public education and international cooperation are equally important instruments of the anti-spam toolkit. To maximize results, these tools must be developed and used in a coordinated fashion within a sound legal framework backed by effective enforcement.”

The task force recommends:

• Vigorous enforcement of current laws that prohibit spamming activities, as well as new legislation as required to fill any gaps identified in existing laws;
• Stronger penalties and enforcement mechanisms to deter spammers more effectively;
• Industry standards and recommended practices to guide ISPs, other network operators and commercial e-mail marketers in the legitimate conduct of business;
• Public education and awareness; and
• International cooperation.

As for the overall effort, and the state of Internet advertising and general business pretty well demands that an effort must be made. Jaskiewicz, of Philadelphia's Spector Gadon & Rosen, believes that the Canadian task force is walking, from his reading of the report to the Industry Minister, the right path toward well-considered regulation in conceding in its report (perhaps with echoes of CAN-SPAM pealing down the halls of governance in Ottawa) that spam is a difficult foe to beat.

“Canada's task force wisely recognized that its own laws cannot solve the spam problem alone, and did not try to oversell to Canadians the benefits it hopes the new law will provide them,” Jaskiewicz says. “I think that the ineffectiveness of the CAN-SPAM Act in the United States has led to a consensus on the difficulty (if not impossibility) of solving the spam problem legislatively, in any country. In a world where technology makes spam both possible and profitable from anywhere that an Internet connection is available, spammers will ' as they have done to date ' evade any efforts at regulation with little effort.”

A list of the recommendations regarding new legislation mentioned in this article can be found in the sidebar, Legislative Recommendat-ions by the Canadian Task Force on Spam, below. The full report can be found at http://ecom.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/h_gv00317e.html. Also, find information about spam and e-commerce in Canada at the government's Web site, http://www.canada.ca/, and from the Canadian Internet Policy and Public Interest Clinic at http://www.cippic.ca/.