The European Union is introducing regionwide legislation to stop spammers, but even the most enthusiastic member states are not expecting prosecutions any time soon.
Spam is a serious and growing problem in Europe, just as in the United States, and faces the added problem that while European users receive comparable levels of spam to those in America, most of that junk e-mail doesnt originate locally, making the culprits harder to prosecute. The United States is by far the biggest generator of spam, according to figures released this week by security firm Sophos, originating nearly 43 percent of junk e-mail; South Korea, in second place, accounts for only about 15 percent. Germany, France, Spain and the U.K. are also in the top 10, but each sends less than 2 percent of the worlds spam, according to Sophos.
Nevertheless, the EU introduced an anti-spam directive in July of last year, requiring that each member state implement it as national law by October 2003. So far, the directive has not been a success, receiving little support from member states. As of this spring, six months after the deadline, more than half of the EUs member states hadnt yet implemented the law, the offending countries including Germany, France, Belgium, Netherlands, Greece, Portugal, Luxembourg and Finland. Critics charge that the directive is fundamentally flawed in that it allows member states too much leeway in how they choose to implement it.
The U.K. was one of the first countries to bring in its own version of the EUs Privacy and Electronics Communication Directive, in the form of a law that took effect at the end of last year. In some ways, the UKs law is more stringent than legislation elsewhere: Unlike the United States CAN-SPAM act, for example, it requires users to explicitly give their permission to receive an e-mail, unless they are an existing customer.
However, the law only protects personal e-mail addresses, giving no relief to office workers. And the U.K. government agency in charge of enforcement has said that it doesnt expect to mount any prosecutions this year, due to lack of funding and a circuitous enforcement procedure.
The U.K.s Information Commissioners Office said it cannot force a spammer to immediately cease and desist, meaning suspects are free to continue spamming while an investigation takes its course, a process that could take months. And business awareness of the law is low: In a Pitney Bowes survey carried out four months after the law took effect, half of the companies in the telecoms, publishing, banking, insurance and retail sectors were found not to have implemented opt-in procedures.
The law may be doing more harm than good so far. The Spamhaus Project, a pioneering U.K.-based anti-spam organization that maintains a blacklist of known spammers, said spammers appear to have relocated to the U.K. in the wake of the new law, and are actually using it to threaten the project. Spamhaus founder Steve Linford said in June that spammers are now claiming that the law means he has no legal right to block their messages.
U.K. politicians have already called for the law to be overhauled, but the Department of Trade and Industry said it wont consider a review until the law has “bedded in” for several months. “I believe that this legislation needs to be looked at again if Britain isnt to become a pariah nation amongst the global e-community,” said Michael Fabricant, the opposition Conservative partys minister for economic affairs, in a speech earlier this year.
In the absence of effective legislation, European ISPs (Internet service providers) and government agencies have begun to resort to other tactics.
In July, several U.K. government bodies signed a memorandum of understanding with the Federal Trade Commission and the Australian Competition and Consumer Commission to coordinate their efforts against spammers; other European countries are pursuing similar individual agreements. In June, British Telecom helped form a coalition of international ISPs, including Yahoo, Microsoft Corp., Earthlink, America Online and Comcast, that will promote best practices for blocking fraudulent e-mails and shutting down “zombie” spam relay machines.
On Wednesday a coalition of 150 U.K. ISPs launched a similar campaign at a more grassroots level. The London Internet Exchange, or LINX, which handles more than 90 percent of the U.K.s Internet traffic, published a Best Current Practice document targeting companies who host a Web site with a reputable ISP, while promoting themselves via junk messages on a different network or through a third party.
LINX believes the policy will soon be adopted by RIPE (Réseaux IP Européens), which sets ISP policy for more than 90 countries across Europe, the Middle East, Central Asia and Africa, and is promoting its standard through international organizations such as Euro-IX, the World Summit on the Information Society and the OECD.
LINXs member ISPs have little faith that laws can make a significant impact on spam, according to a LINX spokesman. “ISPs are on the front line and can respond much more swiftly than a legislative approach,” the spokesman told eWEEK. “Spam is produced by companies that are here today, gone tomorrow, and that makes it difficult to take action. Were hoping that this will be adopted as best current practice across Europe and internationally.”
He added that it makes economic sense for ISPs to take direct action when possible, as theyre paying for the infrastructure that carries spammers traffic.