Thursday 12 April 2007

Speech on the Spam Control Bill: 12 April 2007

This is my speech on the Spam Control Bill that passed today. Today's sitting has been a bit more mundane than the sturm und drang of the past 3 days, but I think the normal business of government such as this is also important.

Spam Control Bill
12 April 2007

Mr Speaker Sir, I rise in support of the Bill.

I contribute commentaries to the TODAY newspaper. In December 2003, I wrote a piece about spam. That was in the wake of the US passing its CAN-SPAM Act. Three and a half years later, I am speaking in Parliament on Singapore’s own Spam Control Bill. I have, in a way, come full circle.

So this bill is timely. In fact, it is perhaps a little late in the game. For instance, both the US and Australia passed spam legislation in 2003. The Info-communications Development Authority first conducted a public consultation on spam legislation in May 2004, and we have taken almost three years to reach the second reading of this Bill.

Be that as it may, it is better late than never.

Opt-in vs opt-out

Sir, the Spam Control Bill implements an opt-out model for unsolicited commercial electronic messages. The Minister has explained what that means. I would only add that I was previously in favour of an opt-in model, but I now favour an opt-out model.

It is a judgment call, as to which model is superior. But all things considered, I would agree that the opt-out model represents a more practical approach to the issue of spam, one that avoids unnecessarily onerous compliance obligations. And to those marketeers who would argue against even the compliance obligations for an opt-out model, I would say that they really should exit the business if their revenue cannot cover these added compliance costs.

Limitations on Bill

Sir, the Minister has rightly pointed out the limitations of the Bill, and what it will and will not accomplish. The Bill seeks to regulate spam. It does not seek to, and it will certainly not, solve the problem of spam or reduce the volume of spam. It legalizes unsolicited messages that comply with the prescribed requirements, and may well increase the volume of unsolicited messages received.

That seems to have been the experience in the US. Our opt-out model is very similar to the model in the US CAN-SPAM Act. According to a New York Times article in February 2005, the one year period since the CAN-SPAM Act went into effect actually saw spam e-mail going up, from 50 to 60 percent of all e-mails sent over the Internet before the law went into effect, to 80 percent after. A more recent New York Times article, in December 2006, reported that the volume of spam e-mail as a proportion of all e-mails sent had risen to more than 90%.

Furthermore, the proposed legislation will apply to all unsolicited messages with a Singapore connection. That includes messages sent from outside Singapore, to a recipient in Singapore. But enforcement against a spammer operating outside Singapore would be difficult.

Sir, the IDA survey in 2003 found that 77% of the total spam e-mail received came from overseas-based companies. This percentage is unlikely to be significantly affected by the Spam Control Bill.

Having said that, I still believe that the Bill will be helpful. There is a substantial amount of local unsolicited messages, especially sent to mobile phones, and the Bill will help to regulate them.

In fact, my own personal experience is that although local spam e-mail is low in volume, it actually takes up a disproportionate amount of time, compared to overseas spam, which is typically much easier to identify as spam. And mobile phone messages will always take up the time of the recipient, to open, scan and delete the message.

More importantly, passing anti-spam legislation will give Singapore the right to a seat at the table, in any eventual international effort to fight spam. And given the cross-border nature of this problem, international efforts is the only sort of effort that can effectively reduce spam and is probably inevitable in the long term.

Clarifications required

But Sir, the Bill is not perfect. I should disclose that I had co-authored a submission in response to the consultation paper in 2005 on an earlier draft version of the Bill. I had also, in my professional capacity as a private practitioner, advised clients on the first consultation exercise conducted by the IDA and AGC in 2004.

I will now address certain issues in connection with the Bill that remain under despite the two consultation exercises, that I hope the Minister can clarify.

Firstly, the status of communications sent pursuant to a pre-existing relationship remains unclear. Miss Penny Low has mentioned this, and I would like to add a few comments.

The Bill simply does not address this issue, despite it having been repeatedly raised by industry players in the public consultation exercises, including in the first consultation in 2004.

This is actually of great concern to most commercial enterprises, who would have to, or want to, send communications to their existing customers from time to time. But if this communication is not initiated by the customer, would it be considered an unsolicited message? It is unclear, and clarity on this would be helpful.

In fact, from my years of experience specialising in the area of Internet law, I would say that this is possibly the single-most important issue to the industry in connection with the Bill.

Indeed, given how this issue had been repeatedly raised by respondents to the public consultation exercises, it seems to me a little unsatisfactory of the IDA and AGC not to have addressed this issue earlier, whether in connection with the second consultation exercise in 2005 or in the Bill itself.

Secondly, the Bill relies exclusively on civil actions by persons who have suffered loss or damage directly or indirectly resulting from a contravention of its provisions. The Minister has explained why it does not provide for criminal sanctions, and has pointed out that the criminal offences in the US CAN-SPAM Act are aimed at fraudulent spasm. But there is a middle ground. I believe that the US CAN-SPAM Act also empowers the US regulator, the Federal Trade Commission, to commence civil enforcement actions against spammers.

Sir, spam is like a hydra. Cut off one head, and another two grow elsewhere. Shut down one spammer, and two more will spring up elsewhere.

Spam is also a problem that affects everyone. Its effects are diffuse, but it affects many. When added up, the negative effects become substantial. That is why the resources of private enterprise alone will not be sufficient to combat spam effectively.

The Spam Control Bill would have a lot more teeth, if it had included criminal sanctions for the more serious offences, such as where dictionary attacks or address harvesting software are used. Alternatively, the IDA could be empowered to commence civil enforcement actions against offenders, or even to impose civil penalties.

This would lighten the burden on private industry. It would also have helped to ensure that in cases where the ISPs are unable or unwilling to take action for any reason, there remain other entities able to commence proceedings. The US example, where the FTC has commenced a substantial number of civil actions against spammers, shows that there is a significant role that regulatory and law enforcement agencies can play.

Sir, the third issue I would like to touch on is the exclusion of telemarketeers and junk faxes from regulation.

I think most people would agree with my view, that telemarketing calls are far more intrusive and annoying than spam e-mails and unsolicited mobile phone messages. And annoyance becomes actual cost when such calls are received on the mobile phone when one is overseas and roaming. As for junk faxes, they consume physical resources in the form of paper and, depending on the type of fax machine used, toner.

Australia has both a Spam Act and a Do Not Call Register Act, which was enacted last year and recently took effect. The DNCR Act creates a “do not call” register that the public can register with, and it is unlawful for telemarketeers to call the numbers on the register, although there are certain exemptions.

Both the US and the UK regulate telemarketing, junk faxes, and spam.

So why are we proposing to regulate spam e-mails and mobile phone messages, but not telemarketeers and junk faxes? I do not understand.

I accept that it is possible to make a reasonable distinction for spam e-mail, on the basis that it costs very little to send massive amounts of spam e-mail. Telemarketing and junk faxes cost money, which creates an inherent control on the amount of telemarketing and junk faxing done.

But what about mobile phone messages? That also costs money to send. So why regulate that, but not telemarketing and junk faxes? I do not think that any convincing justification for this distinction has been articulated, and I hope that the Minister can clarify this.

Fourthly, and finally, the Bill proposes a code of practice for Internet access service providers and telecommunications service providers. The Bill provides that they may, with the IDA’s approval, issue a code of practice on minimum standards of technical measures to effectively control unsolicited commercial electronic messages. And if they do issue such a code, they must comply.

However, the Bill does not prescribe any consequences for non-compliance. There is no requirement for all IASPs and telecommunications service providers to be involved in issuing the code, although all must comply. Having said that, I acknowledge that the IDA could require all of them to be involved before giving its approval.

Most importantly, the process involves only IASPs, telecommunications service providers, and the IDA. But what about other important stakeholders, such as consumers, commercial enterprises who do send out electronic communications, and direct marketing organisations? They should be involved, or at least given an opportunity to be involved, in the process as well.

Education

Sir, I have said that this Bill is a positive step. And I fully agree with the Minister, that the problem of e-mail spam and unsolicited mobile phone messages requires a holistic, multi-pronged solution. And even with the passage of the Bill, spam e-mail, especially from overseas, will remain a real problem.

In my view, of all these various prongs, education remains paramount. Indeed, education will probably become even more important, so as to prevent a false sense of safety amongst the public simply because there is legislation in place.

We need to continue efforts to educate the public on what to do when spam is encountered. There are some very commonsensical things that can be done. The advertisements for drugs, pornography, pirated software and the like are actually easy to identify and easy to deal with. Phishing e-mails and fraudulent scams remain real risks, although public awareness on these have improved in recent years.

Most importantly, e-mail users need to be taught how to differentiate between local unsolicited e-mails that comply, and non-compliant spam. It would be safe to send an unsubscribe request to the former, but certainly not the latter, as Madam Ho has explained. Users can save themselves a lot of grief, if only they were more informed, and applied some commonsensical measures.

Conclusion

Sir, this Bill is an important component of our efforts to fight spam. It may not be perfect. But it is a positive step forward, and brings Singapore’s regulatory environment in this area in line with other leading countries like the US, Australia and Europe. But this is not the finishing line, and all stakeholders must continue to play their parts in this fight.

Sir, with that, I support the Bill.

No comments: