Home / Blogs

9 Thoughts on Stepping Up Spam and Malware Enforcement

In a tweet, EU commissioner for the Information Society Neelie Kroes congratulates OPTA on the spam fine for the golf ball printing company Backsound. Since 2004 the Dutch OPTA is the number one spam and malware fighter of the EU with a total of €1.9 million in fines. It made me ask two question to myself:

How come that we seldom hear of other spam fines in the EU? And can the EU change this in any way? I am not going to speculate on the first question. The second one is after all much more interesting.

Spam and the damage done

I know that some of OPTA’s colleagues work on this problem, but on the other hand there are too many countries that do not have anything to show except the implementation of the e-privacy directive art. 13 and a nominal enforcement agency. This “surprises” me for several reasons. When the EU wrote spam legislation circa 2001, spam was mostly a nuisance. Since then spam has become a root of many evils. Those who have seen my presentation ‘From spam to warfare’ know how intricately spam and crime have become intertwined. The creation of botnets and zombie computers have made countries, industry and end users alike vulnerable to attacks of different sorts. A country should protect itself, the economy and it’s citizens, so why not start at the root: spam and malware? If the source is not taken away, the problem only grows, with more money spent on security as a result. This form of security is built on quicksand.

The weakest link

Countries that do not step up efforts in fighting spam, malware and cyber crime nor work on cyber security in all earnest, become liabilities for other nations. Criminals can use the infrastructure of those countries without hindrance, while they remain highly vulnerable themselves to cyber attacks and hacking as well. The weakest link in the chain in the end determines how safe the EU is.

Possible ways forward

Some ideas for DG Information Society to seriously look in to:

1. Install a head of spam enforcement agencies meeting

Spam and malware agencies are very different in character. Privacy commissioners, consumer authorities, telecommunication authorities, ministries, police, etc. In some member states there are up to four authorities involved with spam and malware investigations. They each fall under different EU DGs, Infoso, Home Affairs, Sanco, Justice, or under the Council itself. Heads never meet as spam authorities. So on spam and malware nothing is coordinated, prioritized, harmonised, discussed at a decisive level. This has to change in order to give the fight against spam (related cyber crime) more body.

2. Prioritize the topic at the highest level

Only if nations are made to understand the risks involved in spam and the dependency on each other for mutual cyber safety and security it is possible to change the course of cyber crime and cyber security for the better.

3. Coordinate between member states

Cyber crime and spam are cross border phenomena. A EU coordination centre for spam and malware would:

a) give a boost to investigation in the respective member states;
b) raise the level of knowledge and investigations;
c) force countries into action;
d) push back spam and cyber crime in the EU member states;
e) enhance cooperation on the most difficult cross border spam cases.

The new ENISA could be equipped to have this role. Also it would be wise to interact strongly with the EU cyber crime centre to be. Both are to start in 2013, I understand. Spam, malware and cyber crime interact in such a way, that close cooperation between the two centres will offer opportunities and a synergy the EU may not want to miss.

4. Train representatives

The EU could invite representatives from the respective enforcement agencies on the highest level for training and awareness raising sessions.

5. Do a survey on investigative tools and budgets

By not only looking at the law enforcement bodies work with, but specifically at the investigative tools that they are to work with, it is possible to see whether an agency can actually investigate spam and/or malware successfully. There are several agencies that truly lack any powers needed for investigations. The budget for fighting spam is also telling.

6. Tackle cross border investigation hinder

The EU needs to start looking into ways that make investigations with cross border components—and spam investigations usually have these—within the EU easier and more swift(, without infringing on national jurisdiction).

7. Public - private cooperation

In order to make this a success it is necessary that two things become clear:

a) what are sincere arguments of industry and how can they be dealt with accordingly by governments and/or regulators?;
b) who stands what to gain from cyber crime and may have a different perspective or incentive against cyber crime mitigation then expected?

8. Declare a spam fine valid in all member states

If a fine for spam or malware is given in one member state is valid and collectible in other member states, this would drop a major hindrance to cross border investigations. Cases do no longer need a referral, e.g. to member states that are not well equipped to fight spam or malware.

9. What makes a spam violation?

If the perpetration is not only the moment of sending or the commissioning of spam, but also the moment it is received on the desk—or laptop, cell phone, tablet, etc., this could make the decision to investigate different for an LEA. The violation is made in her own country and not abroad. Combined with ad 8., this would make all spam and malware violations equal within the EU. A spammer does not get away because of a cross border jurisdictional issue between member states.

The bigger picture

Looking at all this, the question rises in my mind in how far can spam, malware, identity theft, cyber crime and security breaches still be seen as loose components, spread out over different DGs? Can the EU afford to have different approaches, different priorities and cases handled, while they are so deeply entwined at the criminal side of the fence? What do you think?

By Wout de Natris, Consultant internet governance

Filed Under


Enforce after implementation Alessandro Vesely  –  Apr 20, 2011 6:43 PM

I wish OPTA were an European IAB and public-private cooperation helped it, but, after all, I think the most important point is 4.

EU privacy rules are quite clever, but lack implementation. Sadly, EU directives don’t spell the names or RFC numbers of the relevant IETF protocols. They talk in general. For privacy, this resulted in business units overwhelmed of photocopied privacy modules, duly hand-filled and hand-signed, and no useful deployment of such data.

For example, when I subscribe to a newsletter or a mailing list, my SMTP server is not notified of it. When I want to check the list of sites that I gave my personal data to, I have to interact with a structure that may be called a time-distributed database, in the sense that monthly or yearly I may receive a subscription reminder. Subscription notifications not only would automatically maintain a database that can be queried at any time, but would also return digitally signed acknowledgments for list managers to exhibit as evidence.

Another advantage of deploying such kind of protocol is the ability to whitelist digitally signed messages from acknowledged sources. And when users hit This-is-Spam buttons, their complaints can be treated smoothly and correctly according to a message’s List-Id and the corresponding subscription’s status.

Would training representatives lead them to designing useful protocols? Alternatively, we could politically train protocol designers. In several cases like this, technology and politics cannot be separated.

Follow up Wout de Natris  –  Apr 22, 2011 8:49 AM

Thanks for your comment. This could be of interest to the privacy community within the EU (which I am not a part of). If you think it of interest to follow up on your comments, I'd suggest to contact me off list.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC


Sponsored byVerisign


Sponsored byDNIB.com