S'pore draft spam bill is 'not perfect' yet

The second draft proposal could penalize law-abiding marketers while errant spammers slip through the cracks, says a local IT lawyer.

perspective This week, the Infocomm Development Authority of Singapore (IDA) and the Attorney-General's Chambers released the long-awaited draft Spam Control Bill, and called for public feedback on it.

The title of the proposed law is telling. It is not an anti-spam law. Instead, it seeks to regulate, not prohibit, unsolicited commercial electronic messages.

There are three crucial features of the draft law:

•  It implements an "opt-out" regime, where commercial electronic messages sent in bulk are permitted if they comply with certain requirements. These requirements include having a valid opt-out mechanism, and application of a "<ADV>" label. This was clearly the preferred approach in last year's consultation paper, and so was not surprising.

•  The law now applies to both e-mail and mobile (i.e. SMS and MMS) spam. This marks a surprising about-turn, as the IDA had previously stated it would conduct a separate study on mobile spam "in due course".

•  Both ISPs (Internet service providers) and victims of spam can now sue spammers. Previously, the IDA had proposed permitting only ISPs to sue. However, the right to sue does not always translate into actual lawsuits. At the end of the day, everyone--ISPs and victims alike--will still have to decide whether they want to undertake the financial expense and burden of taking a spammer to court.

What's still missing
The proposed law has many good points. It bans the use of address harvesting software and dictionary attacks, and introduces statutory damages for spam. But it is not perfect.

Can a person whose computer has been turned into a "zombie", and exploited to send spam whenever he performs a certain action, be held liable? Under the draft law, he may well be.

The IDA and AGC expressly state that issues considered in last year's consultation will not be re-opened in the present exercise. In other words, where a policy decision has been made, it will not be revisited.

However, it is not clear whether certain issues raised by respondents last year have been considered, and if so, why they were rejected. Here are some examples:

•  Can an entity send unsolicited messages to persons with whom it has a pre-existing relationship? For instance, can a software provider send an unsolicited message to its registered users to notify them of a crucial security flaw in the software, which it offers to fix for an additional fee?

Under the draft law, such messages must be labeled "<ADV>" and this may result in them being filtered out. Similarly, an association sending an announcement to its members about a workshop conducted by it, that requires a fee to attend, must also comply with the labeling requirements.

•  Why was the requirement to tag all commercial electronic messages with the "<ADV>" label decided on? Some respondents had previously objected to this, pointing out that some users would filter such messages out, thereby inadvertently punishing law-abiding marketers and without reducing "outlaw" spam that do not use the label. This was recognized by the US Federal Trade Commission in June 2005, who had recommended against such a requirement.

•  Can a person whose computer has been turned into a "zombie", and exploited to send spam whenever he performs a certain action, be held liable? Under the draft law, he may well be.

•  The draft law does not make spamming, whether using address harvesting software, dictionary attacks or otherwise, a criminal offence. Although ISPs and victims of spam can now sue, they may not always do so. Tellingly, the bulk of the enforcement actions in the United States have been criminal prosecutions by the authorities.

Furthermore, the treatment of converged devices is unclear. The law is supposed to be technology-neutral, in that it applies regardless of how the electronic message is received--for example, via a computer, mobile phone or PDA-phone. Unfortunately, the draft bill contains repeated references to "mobile telephone", which is a term that the bill does not explicitly define. It is therefore not completely clear whether other portable devices such as RIM's BlackBerry, are covered.

Finally, the draft bill does not cover spim (instant message spam), junk faxes or telemarketing, which can be even more intrusive than mobile spam. Unfortunately, there is no clear explanation as to why the draft law was expanded to include mobile spam, but not these other methods of marketing.

What it all means
So what does it all mean to you? Well, that really depends on who you are.

If you are a corporate or personal end-user, you will probably receive the same amount of or even more spam. A New York Times report in February 2005 suggested that spam volumes had actually gone up after the US CAN-SPAM Act (which also implemented an "opt out" regime) went into effect.

If you are a provider of direct marketing services, you will have to ensure that you comply with the requirements for e-mail marketing. Mobile marketing may lose some luster, as the unsubscribe and labeling requirements will eat into the amount of space available for the marketing message itself.

If you are an advertiser who personally does direct e-mail marketing, you may find it prohibitively cumbersome and possibly too risky to continue. So you may consider outsourcing. Again, mobile marketing may become less attractive.

If you are an ISP or a telecommunications service provider, and your services are used to send spam without your knowledge, you have an express defense against lawsuits that are brought against you. However, your network may continue to be congested by spam. You may also be subject to an industry code of practice, which although supposedly voluntary, is nevertheless stated to have mandatory application to all service providers.

The above scenarios are of course based on the present draft, which is still subject to change by the authorities.

What you should do
The consultation process is open until noon, October 14, 2005. Everyone who is interested should participate and give feedback, and I think everyone who uses e-mail or has a mobile phone should have an interest in this issue.

Spam is a problem that is here to stay. There is no cure-all magic bullet, least of all the proposed spam law.

But legislation plays a key part of the solution, and we need something that is effective and that achieves its intended objectives. So let's all play our part, and help the government make the spam law as perfect as possible.

Siew Kum Hong, a director of Keystone Law Corporation, specializes in Internet, information technology, intellectual property, media and entertainment law. The above comments are Kum Hong's personal views, and do not reflect the official position of Keystone Law Corporation or any client.