
The New Hong Kong Anti-Spam Law, and a Small Fly in the Ointment

Well, it has been quite a while since first the Hong Kong OFTA (in 2004) and then CITB (in 2006) issued requests for public comment about a proposed UEM (Unsolicited Electronic Messaging) bill to be introduced in Hong Kong, for the purpose of regulating unsolicited email, telephone and fax solicitations.

We’re a large (worldwide) provider of email and spam filtering - but we’re based in Hong Kong, and any regulation there naturally gets tracked by us rather more actively than laws elsewhere.

We sent in our responses to both these agencies. I’ve linked to what we sent OFTA [PDF] and CITB [PDF].

Our responses to OFTA and CITB were endorsed and supported by other key industry players, such as various Hong Kong based chambers of commerce, that graciously agreed to submit Outblaze’s response to OFTA and CITB as endorsed by them, and as their joint response with us to the requests for public comment.

The bill is becoming law now - and most of it looks good:

  • Emphasis on a “Hong Kong link” for spam that is covered under the law, modeled on the excellent Australian Spam Act of 2003.
  • Prohibition of header forgery, email harvesting and other “illegal” methods to gather addresses and send out spam
  • Making the person or organization that commissioned a spam liable, along with the actual sender of the spam, for any violations of the law
  • Mandatory Do Not Call list for unsolicited telephone and fax marketing

There’s one major fly in the ointment though - the act tries to treat email on an equal footing with telephone and fax related regulations, and also takes into consideration the interests of businesses over those of consumers - and thus adopts a “business friendly” optout approach.

Put in blunt language, marketers are now given a blanket license to send unsolicited bulk email. “I can keep sending unsolicited bulk email to you, as long as I don’t use illegal methods such as abusing open relays or forging headers. And I can keep emailing my marketing pitches to you till you beg me to stop”.

The trouble is, such an approach puts a needless burden on the consumer - the owner of the email address that’s at the receiving end of all these solicitations. He never asked for, most probably never even wanted those emails in the first place, and now he’s getting buried in emails from what seems like every single business in Hong Kong, right from street noodle shops to Fortune 100 companies. He then has to email each and every single marketer and ask him to stop.

It also ignores the economics of spam - that spam is cheap for the spammer. He has very low initial costs, and negligible running costs for starting his unsolicited marketing. At the most basic level, all that he needs is a computer, an internet connection and some bulk mailing software that he can just download off the internet, to start blasting out thousands of spam.

The reason it is so cheap for the spammer is that all the costs are spread among the various recipients of the spam. Kind of like those salami bank frauds where someone tells the bank’s computers to skim off any credits lower than a cent from all the bank’s accounts, and credit it all to a single account. That account tends to fill up very fast, with several thousand quarter cent transactions a day at a busy bank.

Spam’s economics are Salami style as well - an infinitesimal fraction of a cent per spam recipient, but hey, a fraction of a cent here, a fraction of a cent there, pretty soon you’re talking real money, of the sort that puts a noticeable dent in the balance sheet of the ISPs and email providers who have to spend extra money just because over 90% of the email coming into their servers is spam.

They get to spend thousands of dollars at a time on more servers, more bandwidth, more spam filters, more staff, more research to develop newer spam filters. And they then get to spend far, far more than that on customer support, to handle calls and emails from a whole lot of irate people who just want the spam to stop, period, and find that their ISP is far easier to reach out to and yell at than some faceless, [censored] spammer is.

Oh, and the hotel and airfare bills for ISP employees participating in antispam and cybersecurity conferences, such as MAAWG and the WSIS Spam / Cybersecurity thematic meetings. That’s a necessary business expense, believe it or not - you have to reach out to the larger anti-spam community - other ISPs, governments, NGOs, email and anti-spam technologists… everybody has to roll up their sleeves and pitch in, together, to mitigate spam - and the best way to do that and stay on track is to have all the relevant people in the same room, from time to time.

I won’t say “solve” spam, because spam’s going to get solved just about when we start to solve (say) the common cold, or cockroaches - I’ll leave “solutions” to spam to hot air vendors intent on selling their products. The word is “mitigation”- doing all that you can do, together, to reduce the huge torrents of spam coming in and keep it at manageable levels.

The OECD put in some excellent work over the last few years to produce an excellent Anti Spam Toolkit, that describes how governments, industry and civil society can work together to mitigate spam, using a combination of legislation and regulation, technical solutions, international cooperation and outreach.

The Hong Kong government has definitely kept these precepts in mind when drafting its antispam law - it is an active participant in several international initiatives on spam and cybersecurity, such as the Seoul Melbourne Agreement, and the excellent work on malware currently ongoing as a joint effort of the OECD and APECTEL’s Security and Prosperity Steering Group (SPSG).

The Hong Kong anti-spam law recognizes its limitations, and concentrates on spam with a Hong Kong link, and steers clear of the temptation to enact unenforceable “long arm” legislation. And at the same time, Hong Kong actively participates in international efforts to mitigate spam and cybercrime, so that they can count upon the support of law enforcement from other countries with laws that prohibit spam and cybercrime, in order to deal with cases that require cross border enforcement cooperation.

There is probably a whole lot more that we could say, but I rather suspect that we’ve already said it in our responses to OFTA and CITB, and I’ve said more about this myself, in CircleID and elsewhere. So, I’ll stop right here and just wish OFTA all the best in their efforts to enforce this new law.

By Suresh Ramasubramanian, Antispam Operations

Comments

Eric Goldman  –  Jun 3, 2007 8:51 PM

I think this cost-accounting for spam is incomplete.  See here.  Eric.

Suresh Ramasubramanian  –  Jun 4, 2007 4:29 AM

Saw. An interesting perspective.

But the economic harm caused

[1] is very easy to underestimate
[2] Is not the only reason to regulate spam

Suresh Ramasubramanian  –  Jun 4, 2007 4:49 AM

Eric Goldman said:

I think this cost-accounting for spam is incomplete.  See here.  Eric.

Read some more of your paper.  I must disagree with most of its conclusions.  The 7-8% of people surveyed purchased items sold in spam, and that spam’s economic damage is overrated.

If you compare the recipients of spam (and those who buy products advertised in spam) to a bell curve, keep in mind the huge, huge part of the bell curve you’ve entirely missed .. the over 90% of invalid recipients a spammer typically has in his mailing list.

There was this analysis of how Jeremy Jaynes (a spammer who is now in jail for the next several years) could own a million dollar home in suburban Raleigh, shares in an expensive restaurant etc - all on the profits of spam sent using zombies. 

He would send to multiple million people, an infinitesimal fraction of those would receive it. And an even smaller fraction would actually buy his product (some useless junk that was priced at $49.95 or similar, sold through mail order, or shall we say “spam order”).  His costs were still low enough - courtesy “other people’s money”

And do remember that the costs only APPEAR trivial with free webmail services, or email services bundled with fixed rate, dirt cheap dialup and dsl plans.  And remember that the costs are much more visible when aggregated at the ISP’s end.

If you want to see what costs you CAN face for email - I’m in a hotel room right now, with wired broadband charged at EUR 20 a day.  And I’m forced to use webmail to check my work account, as my vpn connection to my work mailbox keeps timing out.  Far slower and more cumbersome than using my usual Mozilla Thunderbird, I assure you.  What cost do you think I have to eat to clear out tons of spam from my mailbox before dealing with regular email?  (My mailbox is unfiltered for various reasons .. including that there is a ton of spam related work that I have to do, and I can hardly filter the mailbox like I do my personal accounts).

Or look at what happens when you use your treo or blackberry when roaming abroad - what costs do you then face when downloading spam?  If your argument is that access is now cheap so that end user spam costs are trivial and negligible, the point fails, hard, in several instances.

I do wish you’d rethink that paper a bit, apply your mind to these facts and rewrite it.

srs

Alessandro Vesely  –  Jun 7, 2007 11:15 AM

Thus far, we are only talking about live costs, such as downloading and sorting expenditures and time losses. Social and educational losses may turn out to be even more detrimental in the long run. That’s because hiding one’s email address, or having none tout-court, is going to be the only way to avoid the spam game.

If we value the Internet, participating in mailing lists, contacting anyone in the globe directly, and publishing our email addresses are part of its value. Governments wishing to sacrifice that on the ephemeral altar of a negligible business increase are short-sighted.

Suresh Ramasubramanian  –  Jun 7, 2007 11:20 AM

Ale said:

If we value the Internet, participating in mailing lists, contacting anyone in the globe directly, and publishing our email addresses are part of its value. Governments wishing to sacrifice that on the ephemeral altar of a negligible business increase are short-sighted.

Participating in a mailing list or a usenet newsgroup isn’t regulated by these laws.  In case it escaped your attention, the law regulates UNSOLICITED bulk email.

If you sign up to a mailing list and participate in it, just how does the email you receive through that list become unsolicited, or against an antispam law?

srs

Alessandro Vesely  –  Jun 7, 2007 12:09 PM

Suresh Ramasubramanian said:

If you sign up to a mailing list and participate in it, just how does the email you receive through that list become unsolicited, or against an antispam law?

If it comes through the list it’s not unsolicited, of course. However, IME, after subscribing to a list one receives more spam than before. Ditto for putting the address on a web page.

You mentioned that the law prohibits harvesting email addresses, but I don’t think such a prohibition can ever be effective, unless senders are required to produce detailed evidence that competent human judgment has been involved in the selection of each and every recipient address. Opt-out obviously implies that spammers harvest from public repositories, or buy illegal lists whose existing addresses have been obtained in that way.

To hide email addresses is currently being taught by many. It is considered an obvious behavior by most newcomers. Yet, it is a limitation of personal freedom and it prevents interactions that might be relevant in the formation and education of people. Technical skills and foreign languages practice are the first areas that come to mind, but human interactions are obviously not limited to that.
