The UK's privacy watchdog has admitted that it has not successfully prosecuted any UK spammers, despite regulations designed to curb spam being brought in three years ago.
The Information Commissioner's Office (ICO) has frequently said it lacks the power to combat spam, and blames that lack on the UK government. "We have not prosecuted spammers," said an ICO spokesman. "We have limited powers as you know to deal with people who peddle unsolicited marketing emails."
"As the commissioner said in his annual report this year: 'We do not believe the powers provided by PECR [Privacy and Electronic Communications Regulations] are sufficient for us to tackle the nature of the problems created by irresponsible electronic marketing'," the ICO told ZDNet UK. "We are continuing to discuss measures to strengthen our powers with the DTI."
Despite the Information Commissioner's Office repeatedly calling for more powers to combat spam from the Department of Trade and Industry (DTI), there has been no indication from the UK government that the ICO will receive them. "The ICO already has powers under [the Data Protection] Act and it is important that these powers are used to the full extent before we consider amending the legislation," said the DTI in a statement.
"We are still considering the case for extended powers in the light of the ICO's use of its current powers and the effectiveness of the current system," said a DTI spokeswoman. "We do have regular discussions."
The ICO has been in existence for five years, and for at least two years has been calling for more powers to be added to PECR — the piece of legislation which, in tandem with the Data Protection Act, gives it the authority to prosecute UK-based spammers.
The DTI would not disclose to ZDNet UK the exact nature of its ongoing discussions with the ICO, but said it was still looking at whether the powers the ICO possesses already are working properly. "We're looking at the powers [of the ICO] — how they're being used and whether they are working appropriately," the DTI told ZDNet UK. "Step one is looking at how those powers are being used, but [whether they are being used appropriately or not is] a private discussion between ourselves and the Commissioner."
The DTI could not confirm exactly when it would decide whether the ICO was using its existing powers effectively and whether it would grant the ICO more powers. "It's impossible to say a definite timescale for those answers — there's no set timescale. We are talking about the use of powers; these things take as long as they take," said the DTI spokeswoman. "The ICO has only been in place for a relatively short space of time. We have to give them time to bed in, and also have discussions," the spokeswoman added.
The DTI said that any methods to deal with spam would have to be agreed at a European level, despite there being provision in the European Union E-Privacy Directive — part of which was enacted in UK law as PECR — for individual member governments to formulate their own legislation regarding privacy. "We need to look at an enforceable regime, to be agreed on at a European level," said the DTI spokeswoman.
The DTI advocated a unified approach to dealing with spam, as the problem is international. "The vast majority of spammers work outside of UK jurisdiction. The UK has long advocated taking a three-pronged approach, involving all stakeholders and especially internet providers alongside government. [There needs to be] co-operation with enforcement agencies [which] has to be global to be effective; technical solutions — filters, [anti-]spyware, firewalls, [and] network solutions; and education — putting security software on PCs, choosing email addresses carefully, having more than one address for personal use and shopping; not responding to spam, and reporting spam," said the DTI in its statement. "Our approach to tackling spam does not and cannot rely on regulation alone. We pursue a collaborative approach," it continued.
However, the ICO said that complaints about UK-based spammers had fallen, indicating that the threat of prosecution may have had an effect. "The number of complaints about emails has actually gone down," said the ICO. "We have seen a decline in complaints about email and text messaging. The majority of complaints concern faxes and phone calls. We can and do take prosecutions across the wide remit for which we are responsible. Where we have strong evidence that will stand up in court we will take action if organisations fail to comply with the regulations."
The DTI claimed that enforcement actions by the ICO against UK spammers had been effective on their own, without the need to pursue prosecutions. "The ICO's investigations into breaches of the regulations have resulted in enforcement actions that have been effective and have not needed to be progressed to a prosecution," said the DTI.
Last week the European Commission issued a communication on spam which called on governments, regulators, ISPs and business to step up the fight against spam, spyware and malicious software.
The DTI said it "welcomed the Commission's communication on spam, and our response to it will focus on the importance of taking this [unified] approach."
Dave Rand, chief technical officer of internet content security for Trend Micro, said that the number of UK-based spammers was "very small" — and that the problem lay with the number of compromised computers in the UK pushing out spam. "The number of true UK-based spam senders is very small, primarily because they know they will be prosecuted," said Rand. But he added: "A lot of spam comes from the UK directly. UK telecommunications companies and ISPs in the UK are producing substantial amounts — mostly from compromised PCs."