“A nearly impenetrable thicket of geekitude…”

New UK Anti-Spam Regulations

There is a continual flurry of secondary legislation being laid before the UK parliament every day it is in session. Most of it, like The Tonnage Tax (Training Requirement) (Amendment) Regulations 2003 (Statutory Instrument 2003 No. 2320), is of interest to very few of us. An exception to this general rule might be The Privacy and Electronic Communications (EC Directive) Regulations 2003, laid before parliament on the 18th of September and coming into force on December 11th.

The 22 pages of new regulations, explanatory text and schedules are the government’s implementation into UK law of the EC Directive on privacy and electronic communications (2002/58/EC, PDF link). They replace earlier regulations from 1999 and 2000, and cover a whole collection of issues from the right to have an un-itemized telephone bill if you want one to what looks like a moderately sensible “do not call” system for telephone and fax to be run by the new Office of Communications (OFCOM), hopefully a more effective system than the current Telephone Preference Service. On the other hand, as OFCOM won’t even start operations until the end of 2003, I’m not holding my breath.

Regulation 6 is interesting because underneath the opaque drafting language it is talking about cookies: if you want to store a cookie on someone’s computer, you now need to ask permission, at least on the first occasion. Unfortunately, “stored” is not defined, so this regulation probably applies as much to the (relatively harmless) session cookies held only in your browser’s memory as to the persistent kind written to your hard disk, which are presumably the real target of the legislation.
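The session/persistent distinction the regulation fails to draw is, technically, a matter of whether a Set-Cookie header carries an Expires or Max-Age attribute. The following is an added example (not code from the original post) of a small Set-Cookie classifier of the kind a site audit might use to list which cookies are actually written to disk; the three header values in SAMPLE_HEADERS are constructed for illustration, and the `now` parameter is a hypothetical clock injected so that Expires lifetimes can be computed reproducibly.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def classify_set_cookie(header: str, now: Optional[datetime] = None) -> dict:
    """Classify one Set-Cookie header value as a session or persistent cookie.

    Per RFC 6265 a cookie is persistent only if it has Max-Age or Expires;
    Max-Age takes precedence when both are present. Everything else is a
    session cookie that the browser discards when it closes.
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    flags = set()
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        key = key.strip().lower()
        if has_value:
            attrs[key] = val.strip()
        else:
            flags.add(key)  # Secure, HttpOnly and the like carry no value

    lifetime = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # "-0000" dates parse as naive; treat as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())

    return {
        "name": name.strip(),
        "value": value.strip(),
        "kind": "session" if lifetime is None else "persistent",
        "lifetime_seconds": lifetime,
        "secure": "secure" in flags,
        "httponly": "httponly" in flags,
    }


def persistent_cookie_names(headers, now: Optional[datetime] = None) -> list:
    """Return the names of the cookies in `headers` that would be written to disk."""
    return [c["name"] for c in (classify_set_cookie(h, now) for h in headers)
            if c["kind"] == "persistent"]


# Constructed sample headers: one session cookie, one Expires-based tracker,
# one Max-Age-based preference cookie.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly",
    "uid=tracker42; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
    "pref=dark; Max-Age=31536000; Path=/",
]

if __name__ == "__main__":
    clock = datetime(2021, 6, 8, 10, 18, 14, tzinfo=timezone.utc)
    for h in SAMPLE_HEADERS:
        print(classify_set_cookie(h, clock))
    print("persistent:", persistent_cookie_names(SAMPLE_HEADERS, clock))
```

Run against a real site's response headers, the list returned by `persistent_cookie_names` is the set a consent banner actually needs to gate; the session cookies the author calls relatively harmless show up as `kind == "session"` with no lifetime.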

The headline provisions in the new regulations, though, are contained in regulations 22 and 23. The DTI press release spins these as “New Moves to Hammer Spammers”, but others have been less kind: Spamhaus, for example, say “Britain Bungles Anti-spam Law”.

A quick summary of the main points of regulations 22 and 23 as I understand them follows:

  • The regulations address e-mail to living individuals only; e-mail to something other than a natural person is explicitly not addressed. As the Internet is notoriously somewhere where no-one knows your age, gender or even species, it is essentially impossible to tell for sure whether a given e-mail address represents a living individual or not. To an ethical sender of e-mail, this simply means assuming that all addresses are those of individuals and proceeding accordingly. The flip-side danger that some see here is that this may provide plausible deniability or even a legal defence for an e-mailer to continue to send mail as before on the basis that they “thought” the addresses were those of businesses rather than individuals. Certainly, it sounds like open season on addresses like sales@example.co.uk, with things like ian@example.co.uk being well into the weasel zone.

  • The regulations only cover e-mail sent for “direct marketing purposes”. That may mean that other kinds of unsolicited e-mail, such as political or religious entreaties, are not covered.

  • Mobile phone text messages are treated as e-mail. This sounds like good news as there are essentially no technical measures available on current mobile phones for spam suppression.

  • To send e-mail to someone, you normally require explicit prior consent and to provide “a valid address” for unsubscription. “Address” not being defined, this would hopefully include unsubscription web links but that’s not clear from the wording. Certainly such things are much more convenient for both sender and recipient than manual processing of unsubscription e-mail, so it would be a pity to say the least if the regulations outlawed them.

  • Without explicit prior consent, you can still send e-mail to your own customers where you collected their e-mail as part of the sale as long as you are sending e-mail only about your own “similar” products and services. You must allow the customer to say “no” initially, and with each subsequent communication.

  • Faking sender information is an offence.

So, this all sounds like good news for users as far as it goes: it’s less clear whether it goes far enough. A bigger problem in the short term is that the usual estimate is that 90% of spam received in the UK comes from outside, mainly from the USA, and that a UK regulation by its nature can therefore have little effect on the total volume of spam received by users here. In the longer term, I can’t see any international legal framework addressing the problems of unsolicited bulk email until everyone has had a few years of experience with the more local variety.

Disclaimer: I am not a lawyer and none of the above should be taken as legal opinion; if you need advice, you should talk to a professional.

[Updated 20031007 to point to the official HMSO page for the new regulations now that it exists.]

AOL have blocked an email address I have for sending one email with more than 10 recipients with information they had requested as club members. This will now put a strain on people sending friends jokes, companies sending conference emails, clubs notifying members of events etc. Also AOL put the block on BEFORE the law was enforced and you do not know you have a problem until you try to send to an ISP. This is a total infringement of genuine people just getting on with their lives. I agree that SPAM is unpleasant, but the definition needs to be clarified.

— A. Giusti on December 12, 2003

From a business user’s perspective - a law firm in Scotland in our case - the new Regulations have had no positive impact. Over the 4 day New Year break we received 36,000 emails. We have 100 or so users in the office. Currently the spam/legitimate email ratio is about 7:3. That ratio was about 6:4 in August 2003.

— Stuart Murray on January 9, 2004