[Previous] [Next] [Table of Memoranda]

---

Spam Bill 2003

Download RTF

2002-2003

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

SPAM BILL 2003

EXPLANATORY MEMORANDUM

(Circulated by the authority of the Minister for Communications, Information Technology and the Arts, Senator the Hon. Richard Alston)

SPAM BILL 2003

OUTLINE

The Spam Bill 2003 (the Bill) sets up a scheme for regulating the sending of commercial electronic messages. The main penalty provision prohibits the sending of unsolicited commercial electronic messages (commonly referred to as spam), but the Bill also contains rules regulating the sending of general commercial electronic messages, regardless of whether or not they are unsolicited. The Bill is accompanied by the Spam (Consequential Amendments) Bill 2003 (the Spam Consequentials Bill) which makes various amendments to the Telecommunications Act 1997 (Telecommunications Act) and the Australian Communications Authority Act 1997 (the ACA Act) to provide for an appropriate regulatory framework for the ACA to investigate complaints relating to commercial electronic messages and to enforce the scheme, and to enable the development of relevant industry codes and standards relating to commercial electronic messaging.

The Government is concerned that the exponential growth of what is commonly referred to as spam is threatening the effectiveness and efficiency of electronic communication. Spam is the commonly used term for unsolicited commercial electronic messages, mainly e-mail, but also including other forms of online and mobile messaging. It is an international problem affecting the efficient operation of Internet telecommunications networks and imposing costs on end-users.

After wide public consultation the National Office for the Information Economy (NOIE) released a report on the issue on 16 April 2003. Based on this report the Government is pursuing a series of measures to deal with the problem, including legislation.

The proposed framework contained in the Bill is aimed at reducing Australia as a source of spam, minimise spam for Australian end-users and extend Australia's involvement in worldwide anti-spam initiatives.

The Government recognises that legislation alone will not result in an immediate or dramatic reduction of the spam problem, but it is an important element of the framework, both in practice and perception. To complement these legislative measures, the Government will also be conducting an information campaign focussing on spam issues which will target user and business communities. The campaign will be coordinated by NOIE, in conjunction with government, industry and other bodies.

The Government also recognises that spam is fundamentally an international problem which can only be fully addressed through international cooperation and coordinated action. The Government will continue to participate and actively contribute to international anti-spam initiatives.

The main elements contained in the Bill are:

•       a prohibition on sending unsolicited commercial electronic messages which have an Australian link. The penalty provision is aimed at messages which are sent from Australia or from overseas to Australia;

•       a prohibition on sending commercial electronic messages which have an Australian link unless they include accurate information about the individual or organisation who authorised the sending of the message;

•       a prohibition on sending commercial electronic messages which have an Australia link unless they include a functional unsubscribe facility;

•       a prohibition on the supply, acquisition or use of address-harvesting software or a harvested-address list;

•       a civil sanctions regime. These prohibitions are civil penalty provisions, not criminal offences. Breach of a provision may attract a substantial monetary penalty.

•       a tiered enforcement regime which provides for a range of enforcement measures to be initiated by the ACA, depending upon the seriousness of the breach of a penalty provision. The enforcement measures available to the ACA include a formal warning, acceptance of an enforceable undertaking, or the issuing of an infringement notice. The ACA may also apply to the Federal Court for an injunction or may institute proceedings in the Federal Court for breach of a civil penalty provision. As well as ordering a person to pay a substantial monetary penalty, the Court may make an order to recover financial benefits that are attributable to the contravention of the civil penalty provision, or may order compensation to be paid to a victim who has suffered loss or damage as a result of the contravention.

The Spam Consequentials Bill which accompanies this Bill makes various amendments to the Telecommunications Act and the ACA Act to enable the effective investigation and enforcement of breaches of this Bill. The main elements proposed in the Spam Consequentials Bill are:

•       a framework to enable industry to develop codes to deal with the sending of commercial electronic messages, based on Part 6 of the Telecommunications Act;

•       an investigation role and appropriate information gathering powers for the ACA to investigate complaints relating to breaches of the Spam Bill and regulations made under the Bill, based on Parts 26 and 27 of the Telecommunications Act; and

•       monitoring warrants to monitor compliance with the Spam Bill and regulations, and search warrant relating to breaches of the Spam Bill and regulations, based on Part 28 of the Telecommunications Act.

FINANCIAL IMPACT STATEMENT

Implementation of the regulatory and legal measures proposed in this Bill and the Spam Consequentials Bill will require an additional expenditure of $0.3M in the 2003-4 financial year, $1.5M in the 2004-5 financial year, and $1.6M in the 2005-6 financial year ie. a total of $3.4M over this period which will be fully offset from within the Communications, Information Technology and the Arts portfolio and agreed with the Minister for Finance and Administration. To establish an accurate baseline for the function, and to inform future proposals it is proposed to fund the ACA role initially only until June 2006. Before October 2005 the funding and function will be reviewed. The NOIE-coordinated educational program will be funded from the existing NOIE budget.

REGULATION IMPACT STATEMENT

B.1 Problem or issue identification

Unsolicited electronic messages or "spam" are reaching plague proportions and growing exponentially. It is causing immense frustration and reduced productivity for users, businesses and government agencies. If left unchecked it will reach proportions which will threaten the viability of the internet as a reliable communications medium. A recent comprehensive review of the problem by the National Office for the Information Economy recommended a multi-layered approach to addressing the problem, including the implementation of specific anti-spam legislation. A substantial proportion of the information in this Statement has been sourced from the NOIE Final Report. Some of the data contained in the NOIE Report is already becoming dated, and has consequently been supplemented where possible by more recent figures.

BACKGROUND

What is spam?

Spam is the term now generally used to refer to unsolicited electronic messages, usually transmitted to a large number of recipients. They usually, but not necessarily, have a commercial focus, promoting or selling products or services; and they share one or more of the following characteristics:

•       They are sent in an untargeted and indiscriminate manner, often by automated means;

•       They include or promote illegal or offensive content;

•       Their purpose is fraudulent or otherwise deceptive;

•       They collect or use personal information in breach of the Privacy Act 1988 National Privacy Principles (NPPs );

•       They are sent in a manner that disguises the originator;

•       They do not offer a valid and functional address to which recipients may send messages opting out of receiving further unsolicited messages.

Not all bulk e-mail is spam. Bulk e-mail would probably not be generally regarded as spam if it:

•       Is sent to recipients who have previously dealt voluntarily with the sender before and, on the basis of that existing relationship, can reasonably be assumed by the sender to be prepared to accept messages of the type being sent;

•       Does not promote or include illegal content;

•       Is not deceptive in any way that breaches common law or statute law;

•       Does not collect or use personal information in breach of the National Privacy Principles.

While spam has increased in prominence in recent years, growing from a minor nuisance to a significant problem, its existence actually predates the Internet. It has been the subject of discussion since at least 1975[1], with one of the first recorded instances of spam dating back to 1978, when the Digital Equipment Corporation (DEC) spammed ARPAnet[2] users about new DEC products. Probably the first major commercial spamming occurred in 1994, when two lawyers posted a message advertising their services to several thousand newsgroups (message boards) on USENET, the world's largest online conferencing system. The reaction to spam was overwhelmingly negative, although as an occasional nuisance and did not pose a real threat. There were, even then, instances where spamming was used to maliciously interrupt services by overloading e-mail servers. Spam is now at the point where it poses a threat to the future functionality of the internet.

A definition of spam

An agreed definition is important in making any anti-spam provisions effective. Internet service providers (ISPs) and regulatory authorities need to be reasonably confident of this definition before they enforce their terms and conditions or any regulations or laws against spammers, as do legitimate direct marketers who want to ensure their activities remain both legal and ethical.

For the purposes of the proposal, spam is defined as unsolicited electronic messaging, regardless of its content. This definition takes into account the bulk characteristics discussed above, and the opinions expressed in submissions to NOIE during the consultation process. It is a deliberately technology neutral (insofar as is possible) definition which takes into account the convergence of technologies and media (eg SMS, MMS and 3G applications) and their potential for future spam growth.

What content does spam contain?

The previous chart suggests that pornography and `get rich quick' schemes are the most dominant categories of spam.

MAJOR PROBLEMS CAUSED BY SPAM

User Confidence and Network Integrity

Today, the problem of spam has reached a point where it is having a significantly negative effect on users' confidence in using e-mail. There are clear signs of a deleterious impact on the performance of the global e-mail network with some commentators predicting that the continuing proliferation of spam could mean the end of e-mail as an effective form of communication. The United States Direct Marketing Association, long-term advocates of using legitimate bulk e-mail as a form of direct marketing, acknowledge that e-mail is being threatened by spam and have recently expressed their support for legislative efforts to control the growth of spam[3].

Spam poses several challenges to both Internet users and regulatory agencies. It is typically anonymous, indiscriminate and global. With these characteristics spam has become a popular vehicle for promotions that can be illegal, unscrupulous or use tactics that would not be commercially or legally viable outside the virtual environment. Some of the key issues raised by spam include privacy, illegal/offensive content, misleading and deceptive trade practices and burdensome financial and resource costs.

Privacy

There are significant privacy issues surrounding the manner in which e-mail addresses and personal information are collected and handled. It is not uncommon for address collectors to covertly harvest e-mail addresses from the Internet, as users visit certain sites, and buy and sell them in bulk without the knowledge or consent of the owner.

Content - pornography, illegal online gambling and unlawful trade practices

A report to the US Federal Trade Commission (FTC) estimates that roughly half of all unsolicited commercial e-mail contains fraudulent or deceptive content[4]. There are obvious community and regulatory agency concerns with the illicit content of a considerable amount of spam - including those that promote pornography, illegal online gambling services, pyramid selling, get rich quick schemes or misleading and deceptive business practices. The indiscriminate method of distribution is of particular concern as it is common for minors to receive spam that is pornographic, illegal or offensive.

Deceptive practices - `spoofing'

Spoofing is the forgery of an e-mail header so that the message appears to have originated from an entity or location other than the actual source. Spammers may use spoofing to route spam through a reputable organisation in an attempt to entice recipients to open and respond to their messages. There are significant costs to the victims in terms of damage to commercial reputation as well as time and resource costs in rectifying this damage.

Financial costs

The dollar cost of spam is inherently difficult to estimate, but the following provides some appreciation of the orders of magnitude involved.

A European Union study in 2001 estimates that the worldwide cost of spam to Internet subscribers could be in the vicinity of 10 billion (A$18.4bn) per year[5]. A recent study from Ferris Research estimates that US companies alone lost US$8.9 billion (A$15.2bn) in 2002 and estimate that the cost of spam in Europe was US$2.5 billion (A$4.3bn)[6]. According to figures from Star Internet, a large Internet service provider in the UK, the cost to business in lost productivity is estimated at £326 (A$915) per employee each year[7]. Surfcontrol[8] recently estimated that spam cost employers approximately $1 per spam received. Erado's 2002 white paper on spam, viruses and other unwanted content estimates that annual cost of spam per employee is around US$1000 (A$1709) [9].

These sorts of costs are usually borne by Internet users (and/or employers), through increased download times and lost productivity. Spammers themselves, on the other hand, bear relatively small costs in sending these messages. E-mail costs do not scale like sending surface mail or making telephone calls - the cost of sending out a million e-mails is not significantly more than the cost of sending out a hundred. IBM's Almaden Research Centre in 1998 estimated that it cost between $0.000082 and $0.000030 to send a single e-mail[10], and data from the Global Internet Project site suggests that that it only costs the sender of spam 0.00032 cents to obtain one e-mail address[11] ]. The extremely low cost of sending spam, meaning that even a `hit rate' of below 1% can be profitable, is the biggest single factor leading to its growth.

Resource costs

The chart above shows that spam being received by ISPs is using significant amounts of bandwidth.

Assuming that the average e-mail size is 5 kilobytes [12], a gigabyte of spam represents over 200,000 individual messages. Based on these estimates, the table above indicates that even the small ISPs surveyed may be receiving more than 4 million spam messages a month, and that the medium-sized ISPs surveyed may be receiving up to six times as many.

What percentage of e-mail is spam?

Data released by Brightmail Inc, a business specialising in anti-spam software and managed anti-spam services, indicates that spam accounts for 20% of all e-mail. Recently the Gartner Group has estimated that 35% of all inbound business messages are currently spam, and that this percentage will reach 50% by 2005[13]]. At a May 2003 Federal Trade Commission (FTC) forum on spam AOL reported that the proportion of mail coming in to the US which was spam through its facilities had reached 70%.

Where is spam coming from?

The chart above suggests that the majority of spam received by Australian ISPs originates from the United States. However, the actual percentages shown may be misleading. Research from the University of Maryland presented at the INET conference in June 2002 suggests that the US may be over-represented as a spamming origin because Eastern European and Asian spammers may be taking advantage of `open relays' in the United States. Open relays are essentially non-secure e-mail servers through which large volumes of spam can be routed, typically without the owner's knowledge.

A 1999/2000 survey by the Australian based Coalition Against Unsolicited Bulk E-mail (CAUBE) estimated that Australia accounted for about 16% of all spam sent globally,[14]]. In recent discussions CAUBE has suggested this percentage (although not the total volume) may have decreased significantly in recent years as the volume of spam from other regions, such as Asia and Eastern Europe, has increased. An increasing volume of spam is originating or being routed through the northern Asia, particularly China and South Korea, and the former Soviet states.

Western Europe was not regarded by any Australian ISP as being the primary source of spam, possibly because of relatively strong European privacy laws, which are currently being reinforced through an EU directive requiring a qualified opt-in for commercial e-mail.

How quickly is the volume of spam in Australia growing?

Whilst users will receive different quantities of spam depending on the availability of their e-mail addresses, Internet use and security awareness, there is evidence to suggest that the average incidence of spam received by Australian Internet users is growing rapidly. CAUBE tracked the amount of spam received at their survey e-mail address and found that spam grew in volume by a factor of six in 2001[15]. Brightmail is reported to have detected a 300% increase in spam from 2001 to 2002 [16].

Apart from indicating an increasing population of spammers, or more aggressive spamming, this growth may be partly attributable to increasing Internet penetration in Australia, as well as a possible increase in the duration and frequency of online sessions and consequently greater exposure of Internet users to spamming.

This is certainly reflected across Australia's business sector. According to the Australian Bureau of Statistics (ABS) Business Use of Information Technology Survey, Internet connectivity levels reached 72 % of all businesses at June 2002. This was an increase of 167% since June 1998.

Data from the previous year's ABS survey estimated that 26% of all online businesses in Australia reported using the Internet for marketing purposes. This was a 221% increase over the June 1998 estimate and indicates that the demand for the specialist services of direct marketers will also increase as more and more businesses seek assistance in maximising the benefits of the Internet as a relatively inexpensive mass-marketing tool.

Why is regulatory intervention required?

At present there are;

Ø       a range of laws potentially relating to undesirable content of spam

Ø       relevant codes of practice from the Australian Direct Marketing Association, the Internet Industry Association and the Australian Communications Industry Forum, and

Ø       many technical anti-spam options available at the ISP, corporate and consumer level,

so why is anti-spam legislation necessary?

At the moment Australian-originated spam comes from individuals who are not members of the relevant associations and therefore not subject to the codes of practice. The laws potentially covering spam content were not specifically designed to deal with spam and therefore applying them to this situation can involve significant cost (assuming the originator can be found) with an uncertain outcome. The technical solutions to deal with spam can provide a significant reduction in the amount of spam individuals receive but it is at best an imperfect solution, and in no way alleviates the load of spam on the internet "backbone" before it reaches the recipients ISP.

There is no sign or suggestion that the exponential growth of spam is going to slow or plateau in the foreseeable future. With the sale of spamming kits now providing a significant element of the spammers' income, and a number of large and emerging economies coming on-line, there is every expectation that spam will continue to increase at the current rate and not become self-limiting in the foreseeable future. By the time it is reached, significant damage to the internet as a medium for communications and business could result. Intervention is therefore considered necessary to protect the internet for the common good.

B.2 Specification of the desired objective(s)

1) Reduction of spam emanating from Australia - effective immediately from the introduction of the proposed legislation. The reduction is expected to be substantial with the majority of benefit gained by the expiration of any "sunrise" provisions contained within the proposed package of measures.

2) Reduction of spam in Australia from other sources - progressively and gradually as international frameworks and agreements are developed, implemented and enforced. It is likely to take some time (years) before the full benefits from these arrangements, in Australia or internationally, are realised.

B.3 Identification of options

Option 1 - Retention of the status quo

In the existing environment there are a number of elements which play some role in influencing spam, spamming and the user experience of spam these include the existing codes of Conduct/Codes of Practice, existing legislative measures and existing technical measures.

Ø       Industry self-regulation

Some significant advances have been made in terms of industry self regulation and co-regulation. For example the ADMA Direct Marketing Code of practice has provided an framework for ADMA members and their Agents to follow in undertaking direct marketing responsibly. Organisations which follow the code generally don't spam, as it is permission-based. The code only applies to ADMA members and their agents - it does not apply to all companies involved in direct marketing, so non-ADMA member companies can consequently spam with impunity, and some do.

Self-regulation is also being explored in the Internet Service Provider (ISP), content hosts, and e-commerce providers segment of the market - the Internet Industry Association (IIA) has developed a number of codes and draft codes which deal with a range of issues associated with spam such as privacy, cybercrime and content issues. Approved codes apply to IIA members, but not all internet businesses are yet IIA members. ISPs also have Acceptable Usage Policies (AUPs) which their customers must abide by. The degree to which these AUPs address spam, and the vigour with which they are enforced, varies between ISPs.

The Australian Communications Industry Forum (ACIF) has a Code of Practice which covers SMS spam by telecommunications carriers. The ADMA is currently drafting a code for mobile telecommunications content advertising eg via SMS, WAP, MMS and 3G services, which will complement the ACIF code.

Ø       Existing Australian legislative measures

The range of existing legislation with potential applicability to spam is summarised at Attachment A. None of the existing measures was specifically intended to address spam or spamming, and despite the breadth of measures theoretically available they are rarely used to prosecute spammers, other than where there is a clear breach of consumer protection legislation eg the claims made for a product are demonstrably false.

Ø       Technical Solutions

There is a wide range of technical solutions available to users at every level from consumers through to corporates and ISPs, and these are summarised at Attachment B. Although technical measures to combat spam are advancing the situation is akin to the situation in computer virus protection, with anti-spam advances being matched by new spamming techniques. Indeed there is an increasing number of programs which provide both anti-virus and anti-spam protection. Given the likely continuation of this dynamic tension, technical solutions are primarily included as part of the status-quo, with emerging technical solutions included as a separate option.

Option 2 - Anti-spam legislation

No existing legislation, including the amendments to the Criminal Code Act 1995 contained in the Cybercrime Act 2001, was explicitly drafted to address the issue of spam. Given significant gaps in the existing legislation one option is for government to introduce legislation specifically targeting the act of spamming, regardless of content. It is proposed that specific anti-spam legislation be developed which sets standards for commercial e-mail. The proposed standards to be set by the legislation include:

(a) no commercial electronic messaging to be sent without the prior consent of the recipient except where there is an existing business relationship;

(b) all commercial electronic messaging to contain accurate details of the sender's name and physical and electronic addresses. Such messages from businesses must also include the Australian Business Number or Australian Company Number as applicable; and

(c) all commercial electronic messaging to contain a functional "unsubscribe" facility which must be responded to within a reasonable timeframe (by default 1 week), except where there is a requirement for ongoing electronic communication due to a continuing business relationship or a contractual requirement.

The legislation, to be administered by the Australian Communications Authority (ACA) would also prohibit the sale, supply or use of software for the primary purpose of electronic address collection, list generation or the use of lists generated thereby - sometimes referred to as "address harvesting" or "dictionary attacks". This would have no impact on existing permission-based lists used by businesses.

Exceptions will apply to protect currently accepted government, business and commercial practices, such as government to consumer messages, and commercial messages to publicly advertised addresses where the approach is specifically related to the addressees' employment function. The proposed legislation will not adversely impact on-line marketing to bona fide existing customers.

The legislation and the ACA would also facilitate and support the development of Industry Codes by the IIA, ADMA and others, which complement and are consistent with the legislation, including (where relevant) features such as:

•       requiring ISPs to make available to retail clients filtering options from an approved schedule of spam filters;

•       encouraging members to publicise spam filtering options and products and participate in their evaluation;

•       requiring code members to ensure their servers are configured appropriately and to take action to close down open relay servers; and

•       requiring code members not to send spam and to take due care to prevent their facilities being used for the purposes of sending spam.

Option 3 - Educational Programs - industry and consumer

As spam is a comparatively recent problem the understanding of it is uneven in the user community (at all levels) both in terms of the nature and extent of the problem and in terms of best practice in:

•       preventing e-mail addresses from becoming targets for spam;

•       implementing filtering technologies;

•       how not to spam when direct marketing online; and

•       how to protect computer resources and prevent them being vulnerable to being exploited by spammers (eg open relays).

User groups, filtering technology companies, industry associations, NetAlert and NOIE, are currently beginning to implement some awareness raising through their websites, public seminars, announcements and articles. (Because of the emergent state of this strategy it is not included under the status quo). This has had increasing success as the magnitude of the problem permeates the public and corporate consciousness. This is accelerating through the significant press interest that the spam problem has recently generated. Significant gaps remain however in the understanding with the problem, and there is a need for a more concerted and integrated information/education campaign, particularly at the consumer level. This will need to be reasonably continuous until inroads are achieved against the problem.

Option 4 - Multi-Layered Strategy (Preferred Option)

This option proposes the adoption of the strategy recommended in the NOIE Final Report on spam. It involves the coordinated implementing of both Options 2 and 3 above and further leveraging this work to develop and implement international guidelines and cooperative mechanisms to address the international dimension of spam.

Option 5 - Emerging Technical Solutions

In the longer term, a range of innovative strategies have been proposed to address the spam problem by developing a framework of proven identity. For example it has been suggested that spam could be countered by setting an e-mail client to accept only messages signed with trusted digital certificates issued from a trusted public key infrastructure (PKI) service provider. However, these systems will only become practicable with the wider implementation and use of digital certificates therefore it is not a viable option for consideration at this stage.

B.4 Assessment of impacts (costs and benefits) of each option

The current spam problem exists despite the existence of a number of the options listed above (existing legislation, industry self-regulation and co-regulation) and the costs/benefits of these options are therefore not examined individually.

Impact group identification

Small Business

Large Organisations

Direct-Marketing Businesses

Internet Service Providers (ISPs)

Consumers

Impact Analysis

Small Business

Option 1 - Retention of the Status Quo

Costs: Given the estimated average costs of spam of in excess of $900 per employee per year small business can experience considerable costs from spam. Technical and filtering strategies can provide significant, but not complete, relief to small business and the cost of implementing these solutions will be comparatively low. For some businesses the risk of false-positive events (where legitimate e-mail is mistakenly blocked or filtered out) will mean that they cannot risk using filtering technologies, and must consequently continue to bear the full cost of spam. Individual small businesses will suffer significant damage and loss due to the exploitation of their computer resources and spoofing attacks by spammers. For some small businesses, particularly the home office segment, the costs often extend beyond the purely financial as spam imposes a significant emotional cost (eg due to a fear of minors or spouses being exposed to offensive material in spam) on recipients.

Benefits: By implementing readily available anti-spam strategies (such as selecting an ISP who provides spam-filtering and/or implementing filtering themselves) small business can significantly reduce the volume of spam it currently has to deal with, often by up to 80% with some vendors claiming greater than 95%. Depending on the nature of their business not all small businesses may be able to avail themselves of this option. The benefits if filtering would be spread across almost all small business which are online.

Option 2 - Anti-spam legislation

Costs: Targeted anti-spam legislation will not generally impose any significant cost on small business, as very few small businesses send spam, recognising the generally deleterious effect this has on customer perceptions. For the vast majority of small businesses the proposed legislation will have zero impact in terms of a need for awareness or compliance. Businesses communicating with their existing customer base (ie where there is an existing business relationship) will still be able to do so with the proviso that they adhere to the accuracy requirements in the proposed legislation. At most this may require a template change at trivial cost. Depending on their business model for attracting new customers, a small minority of businesses may face additional cost as "spam-vertising" will no longer be a valid approach. This is an uncommon practice amongst Australian small business. No hard figures are available on this but anecdotally it is estimated at perhaps 1-5%.

Benefits: Anti-spam legislation should deliver both a short-term and long-term reduction in spam volumes, particularly for spam arising within Australia. The benefit from legislation alone would be small initially increasing very gradually over time. The benefits of this for small business can include:

•       increased visibility and confidence in normal commercial messaging (both incoming and outgoing);

•       reduced spamming attacks (due to a greater likelihood of spammers facing prosecution); and

•       reduced employee/network stress due to spam.

Option 3 - Educational programs

Costs: User education (eg education of employees on not entering on-line "competitions" with work e-mail addresses) may reduce the cost of spam to business but not substantially, as many employee e-mail addresses are harvested and used without the consent or knowledge of the employee, or are generated through "dictionary" attacks. The main cost (and benefit, discussed later) would accrue where as a consequence of the education program a business elects to enhance their anti-spam strategy, eg by implementing appropriate spam-filtering programs. For most businesses the cost of this will not be substantial, and may be integrated with their anti-virus strategies.

Benefits: The benefits to small business of an education campaign for small business would accrue from better understanding of the options available and how to select and implement the technical or filtering strategy that best suits their business needs, and advice on how to market online without spamming. With estimated costs in the order of $900/pa per employee due to spam significant benefit can be derived through an educated approach to the problem for businesses that have an online component.

Option 4 - Multi-layered Strategy

Costs: The costs to small business would be as the combination of those outlined in options 2 and 3 above, which will in the case of most businesses be extremely minor.

Benefits: This strategy would provide both an immediate and a long-term reduction in spam volumes and leverage and enhance the benefits available though each element. This would provide benefits to small business in the areas of:

•       increased visibility and confidence in normal commercial messaging (both incoming and outgoing);

•       reduced spamming attacks (due to a greater likelihood of spammers facing prosecution);

•       reduced owner/employee/network stress due to spam;

•       enhanced consistency in terms of regulatory frameworks and adherence to them;

•       increased confidence in own online marketing strategy (where applicable); and

•       better decision making regarding appropriate anti-spam measures

Large Organisations

Option 1 - Retention of the Status Quo

The costs to most large organisations of spam is very significant and arises not only from the productivity cost of sorting through spam itself but also from the potential malicious code it contains and the legal liability it can be exposed to through not adequately protecting employees from offensive material.

The cost of implementing appropriate technical solutions may be significant, covering both software costs, network administrator resources and often hardware resources. Most large organisations have appropriate in-house or contracted expertise to enable them to develop and implement an anti-spam strategy that will significantly reduce the spam load of both the organisation and individual employees. The cost for implementing such technical solutions in large organisations is significant but is likely to occur regardless of any other options due to the significant risks the organisations are exposed to through spam.

Benefits: The benefits of implementing existing anti-spam technologies and strategies can be substantial both in terms of productivity improvement and in terms of risk reduction, depending on the nature of the organisation and the business sector (the imperative will be greater for more network dependant and online related business.

Option 2 - Anti-spam legislation

Costs: No significant costs are anticipated for general major organisations as a consequence of the proposed anti-spam legislation. It is considered that such organisations will already be maintaining appropriate levels of accuracy and transparency in their communications and undertaking marketing on an opt-in basis in accordance with industry standards.

Benefits: Anti-spam legislation should deliver both a short-term and long-term reduction in spam volumes, particularly for spam arising within Australia. The benefit from legislation alone would be small initially increasing very gradually over time. The benefits of this for small business can include:

•       increased visibility and confidence in normal commercial messaging (both incoming and outgoing);

•       reduced spamming attacks (due to a greater likelihood of spammers facing prosecution);

•       a greater opportunity to initiate action to recover the costs of spam and spam attacks from spammers; and

•       reduced employee/network stress due to spam.

Option 3 - Educational programs

Cost: User education is likely to be a small relative cost to major organisations as the majority of the required materials are likely to be developed by third parties.

Benefits: Appropriate user education can provide some benefit in terms of spam-load reduction by reducing the amount of inappropriate e-mail address distribution and list.

Option 4 - Multi-layered Strategy

Costs: The costs to business would be a combination of those outlined in options 2 and 3 above. Depending on the organisation size, complexity, configuration and nature the potential cost of implementing technical solutions could vary substantially. It is not imposed by the proposed legislation, but simply by the desire to gain a business benefit.

Benefits: This strategy would provide both an immediate and a long-term reduction in spam volumes and leverage and enhance the benefits available though each element. This would provide benefits to small business in the areas of:

•       increased visibility and confidence in normal commercial messaging (both incoming and outgoing);

•       reduced spamming attacks (due to a greater likelihood of spammers facing prosecution);

•       reduced employee/network stress due to spam;

•       enhanced consistency in terms of regulatory frameworks and adherence to them;

•       increased confidence in own online marketing strategy (where applicable); and

•       better decision making regarding appropriate anti-spam measures

Direct Marketing Businesses

Option 1 - Retention of the Status Quo

Cost: Under the status quo direct marketing businesses will suffer increasing marginalisation and reducing efficacy of their legitimate product due to the increasing proliferation of spam. They also risk being blacklisted by anti-spamming organisations or their own ISP who may also fear being blacklisted internationally.

Benefits: Spammers benefit from the existing environment which enables them to operate with comparative impunity, largely free from the requirement to conform with appropriate codes of practice or behaviour, to which other business conform.

Option 2 - Anti-spam legislation

Option 2 - Anti-spam legislation

Cost: The costs to direct marketing businesses will consist of the need to review and possibly configure their direct marketing strategies to conform with the relevant legislation - ie that the persons they are electronically messaging already have an existing business relationship with them, or that they have actively chosen to receive such messages. For companies which comply with the ADMA direct marketing code this may require some adjustment, depending on the permission regime they currently employ - many already work on a strict opt-in basis and are therefore already compliant.

For direct marketing businesses which are not currently behaving responsibly (eg those that buy and use non-specific address lists of dubious relevance and/or parentage and who send messages indiscriminately) the costs will be significant. They may choose to either cleanse or recreate their lists to only include those who have meet the criteria or revisit their business model. This group is a minute proportion of the overall business and marketing community.

Benefits: This would provide benefits to direct marketing businesses in the areas of increased visibility and confidence in normal commercial messaging (both incoming and outgoing) and in the customer base. It should also reduce the amount of spam that these companies receive themselves.

Option 3 - Educational programs

Costs: ADMA currently provides significant education and training to ADMA members on direct marketing issues, and further education alone seems unlikely to cause and significant reduction in spam problems, as most spammers are not ADMA members. The option exists for better public education of the holistic opt-out options offered by ADMA which may come at some cost to ADMA and indirectly therefore to ADMA members.

Benefits: The benefits to Direct marketing organisations of the strategy described above would be a small reduction in potential addressees with a potentially significant enhancement in consumer understanding and confidence.

Option 4 - Multi-layered Strategy

Costs: The costs to direct marketing businesses would be as the combination of those outlined in options 2 and 3 above, which will vary from business to business. For example some businesses may have to choose to either cleanse or recreate their lists to only include those customers who meet the criteria or revisit their business model.

Benefits: This strategy can provide both an immediate and a long-term reduction in spam volumes and leverage and therefore gradually restore the legitimacy and value of ethical on-line direct marketing. It should also progressively increase the public understanding of the distinction between this activity and spamming, and restore confidence in the former.

Internet Service Providers (ISPs)

Option 1 - Retention of the Status Quo

Costs: The costs of implementing technical measures to minimise spam is significant for the ISP sector but is occurring rapidly in response to customer demand. Many ISPs are already implementing spam-filtering and offering desktop-based spam-filtering options to customers, and most others are actively trialing filtering options. The IIA and members (including ISPs) are already examining the option of developing or enhancing their codes of practice to specifically deal with spamming issues. There is no industry association, group or code which encapsulates all ISPs however, so any codes developed by the IIA will not impact all ISPs equally.

Benefits: None immediately identified.

Option 2 - Anti-spam legislation

Costs: The proposed anti-spam legislation would complement the existing and proposed codes of practice and would not impose significant additional financial costs on ISPs beyond what would arise from the proposed code enhancements.

Benefits: By reducing the volume of spam generated in Australia, Australian ISPs will significantly reduce their risk of being black-listed internationally due to spamming which has occurred hitherto undetected form their facilities. ISPs will also experience in the load of spam they must filter and field complaints about. ISPs will also be better protected in taking action against spammers as the activity will be clearly unlawful. ISPs have indicated they are looking for legislation to assist them in this regard.

Option 3 - Educational programs

Costs: The base cost of education programs to individual ISPs will be comparatively small as many of the required materials will be either collaboratively developed or developed through third-party channels such as the IIA, AIIA, and NOIE.

Benefits: The benefits to ISPs of users effectively being able to understand the spam problem and take effective action to relieve themselves of a significant proportion of the spam load, should provide benefits to ISPs through a significant lowering of related help-desk calls and complaints, and a reduction of "churn" as users either drop e-mail accounts that have become polluted or through simple frustration.

Option 4 - Multi-layered Strategy

Costs: The cost of implementing the multi-layered approach to spam is the combined cost of Options 2 and 3 above ie nil to significant.

Benefits: By reducing the volume of spam generated in Australia, Australian ISPs will significantly reduce their risk of being black-listed internationally due to spamming which has occurred hitherto undetected form their facilities. ISPs will also experience in the load of spam they must filter and field complaints about. In the longer-term, as international strategies take effect, it will have the effect of further reducing the spam-load coming into the country from overseas and consuming ISP resources.

Consumers

Option 1 - Retention of the Status Quo

Costs: The potential cost of retaining the status quo could be to significantly degrade the value and functionality of the internet both as a communications medium and as a conduit for commerce due to the negative impact spam is having on many consumers. This arises from financial issues (bandwidth cost), time issues (taken wading through spam to get to legitimate e-mail), emotional distress issues (from being sent spam promoting rape sites, promotions for extreme pornography and bestiality, to name but a few), and the promotion by spam of financial and other scams.

Consumers can implement existing filtering technologies either for free or at a small cost. Many users, depending on their requirement, will find that using an ISP that does ISP-level filtering will also provide significant spam relief, effectively at no cost to the consumer. For many consumers, particularly those responsible for minors, do not however find this degree of relief adequate.

Benefits: None immediately apparent.

Option 2 - Anti-spam legislation

Costs: There is no apparent cost of anti-spam legislation for consumers.

Benefits: Improved confidence in the medium and a reduced spam load.

Option 3 - Educational programs

Costs: There is no apparent cost to consumers of anti-spam education, other than a minor time investment of their own choosing.

Benefits: Better understanding of the problem, how to avoid it as much as possible and a reduced spam load through informed choices of anti-spam strategies.

Option 4 - Multi-layered Strategy

Costs: Other than the cost of implementing optional filtering technology there are no identifiable costs to the consumer of this strategy.

Benefits: Improved confidence in the internet as a communications and business medium. The benefits to consumers of the both the technical regulatory and legislative strategies proposed are all expected to be positive, partially financially through reclaiming bandwidth, but also in reclaimed time and peace of mind.

Restrictions on competition

Nil effects anticipated.

Ecologically Sustainable Development

The degradation of the medium for legitimate online direct marketing has been sufficiently severe that some marketing strategy advisers are indicating to clients that they should revert to paper-based (eg mail, letterbox) marketing. Rehabilitation of legitimate online direct marketing should see this trend reverse with consequent positive environmental impacts.

There is also expected to be an improvement in the human environment with a decrease in spamming activity - many consumers are afraid of opening e-mails, or of their children doing so, because of the potential content. As anti-spam measures take effect this concern should dissipate.

B.5 Consultation

The consultation in developing the report has been protracted and extensive, involving over 50 submissions or consultations (including consumers, industry associations, consumer organisations, and commonwealth and state government bodies and agencies) and the publication of an interim report.

An interim report was published by NOIE in September 2002. The responses to these consultations and submissions significantly contributed to the form and substance of the final report. Many submissions were substantial and detailed bodies of work and summarising individual submissions would not do them justice. Some of the organisations that provided submissions and/or were consulted directly include:

Australian Broadcasting Authority (ABA)

Australian Consumers Association

Australian Competition and Consumer Commission (ACCC)

Australian Direct Marketers Association (ADMA)

Australian Federal Police (AFP)

Attorney-General's Department (AGD)

Australian Privacy Charter Council (APCC)

Australian Securities and Investments Commission (ASIC)

AOL/7 Online Services

Coalition Against Unsolicited Bulk E-mail (CAUBE)

Centre for International Research on Communication and Information Technologies (CIRCIT)

Department of Communications, Information Technology and the Arts (DCITA)

Distributed Systems Technology Centre (DSTC)

Human Rights and Equal Opportunity Commission (HREOC)

Internet Industry Association (IIA)

Internet Society of Australia (ISOC-AU)

Office of the Federal Privacy Commissioner (OFPC)

Office of Small Business

Optus

OzEmail

Telstra

Treasury Department

Yahoo!

The submissions explored a diverse range of issues surrounding spam. A number of submissions from existing enforcement agencies provided detail of the aspects of spam to which their legislation does, or might, apply - these have been incorporated in the summary at Attachment A - while others sought to reinforce the legitimacy of permission-based marketing (which the proposed legislation would permit).

Apart from a small number of submissions that were generally against any form of internet regulation most submissions were clear that they felt that there was a significant problem which was not being addressed by the status quo, and they wanted it dealt with. A number of submissions advocated an "opt-out" approach to spam, but this was not ultimately considered to be sustainable. As a number of other respondents indicated `opt-out' is effectively impractical due to the number of e-mails involved and the understandable reluctance of users to use the often suspect `unsubscribe' options contained in them, and the rapid "identity changes" that spammers undergo.

A recurring theme of many of the submissions was a desire for a "tough legislation", based on an opt-in approach, regardless of content - which one submission summarised as "...it is an issue of consent, not content."

Consultations continued during the drafting of the Spam Bill with key industry and community stakeholders to ensure that the final form of the legislation does not adversely impact legitimate and ethical businesses, and community groups. These included ADMA, the IIA, CAUBE, Electronic Frontiers Australia, the Australian Information Industries Association, the Australian Chamber of Commerce and Industry, the Coalition of Small Business Associations, the Fundraising Institute of Australia, ISOC-AU, the Australian Consumers Association and others. After these consultations, including consideration of an exposure draft, the overwhelming response from these groups was one of the legislation having struck an appropriate balance, notwithstanding that each group felt that some minor changes would be beneficial. These comments have been considered and are incorporated in the final Bill where appropriate.

B.6 Conclusion and recommended option

Maintenance of the status quo is not a viable option given the grave consequences that may arrive in terms of consumer confidence, frustration and the potential degradation of the internet as a medium for communications and the common good.

Whilst the existing technical solutions and industry codes of conduct can provide some significant relief for the recipients of spam they do not address some of the more fundamental aspects of the problem, not least because the spamming organisations and individuals are not members of the relevant industry associations. They also only deal with spam once it has arrived in-country and therefore do not deal with the problem of the infrastructure stress on the internet spam is causing.

Both educational measures and legislation as options can contribute individually to dealing with the problem, but they do not provide the breadth of benefits and efficiencies of the preferred approach - the multi-layered approach. It is consequently recommended that this approach, as outlined in the NOIE report, including the development of specific anti-spam legislation, be implemented. Only through the implementation of strong anti-spam legislation can Australia effectively prevent spamming from within its shores and then work with other nations to develop a harmonised approach to dealing with spam at source. The legislative approach proposed by Government is a strong approach, consistent with existing and emerging industry codes, which will reinforce existing measures, not conflict with them. It is also consistent with the approach taken in most other countries to date.

The proposed approach does not impose significant costs on business (large, small or medium), indeed the cost-impact for most business will be zero, particularly for small businesses, but can provide both short term and long-term benefits to all online businesses and general consumers. Some initial impost is likely for some companies involved in direct marketing, whilst they move to best practice (eg ensuring their address lists are opt-in based or that an appropriate business relationship exists), but this will be short-term and provide long term benefits in terms of improved efficacy of direct online marketing as a channel.

B.7 Implementation and review

As new legislation in a new, and evolving, policy sphere it is proposed to initially fund the ACA to undertake the activity to June 2006 only, pending a review of the program before that time. This will enable a good resource baseline to be established to inform future investment decisions. The legislation penalty provisions will commence 120 days after the legislation receives Royal Assent. This will ensure that persons or companies that currently unknowingly spam will be able to correct their behaviour without penalty. It is proposed to undertake a review of the legislation 2 years after the commencement of the penalty provisions. The development of improved statistical baselines for spam trends has been proposed as part of the NOIE report and will be implemented in concert with the legislation and other measures outlined in the report. This will enable a ready comparison of the spam trends both within Australia and vis-a-vis other countries.

Attachment A

Existing Legislation with Potential Applicability to Spam and Spamming Activities

Privacy and consent

At the present time there is no legislation specifically requiring a sender to obtain recipient's consent prior to sending spam to that individual, either initially or on an ongoing basis. Under the Privacy Act 1998 the collection of personal information from public sources may require an individual's explicit consent, but this aspect of the legislation has not yet been tested.

There are several components of the Privacy Act, in particular the National Privacy Principles, that could be clarified and/or strengthened to better regulate the way in which spammers collect and use e-mail addresses:

•       The National Privacy Principles do not prevent a business from using personal information for the primary purpose for which it is collected. Accordingly, if a spammer collects personal information from an individual or from anywhere else for the primary purpose of spamming the Privacy Act may not prevent the spammer from using this information in that way. Also in these circumstances the spammer is under no legal obligation to give the recipient an opportunity to opt out, or to comply with such a request.

•       Where spammers are subject to the Privacy Act and they collect information about an individual indirectly, they will be required to take reasonable steps to make the individual aware of the details specified in National Privacy Principle 1.3. However, in practice this rarely occurs either through ignorance or deliberate avoidance on the part of the spammer. In any event, there seems to be limited enforcement of the responsibilities under the Act.

•       The Privacy Act currently does not extend to many spammers, including those that send spam from overseas and small businesses that do not trade in personal information.

•       Where e-mail addresses do not contain an individual's name they may not be regarded as personal information under the Privacy Act and therefore not covered by it.

•       Clarification may be needed as to what level of consent is required in the online environment - specifically, whether the National Privacy Principles require opt-out or opt-in for unsolicited commercial e-mail. Any decision made on this should reflect the general awareness that replying to spam, as opt-out requires, may encourage more spam to be sent as the user's e-mail address has been confirmed as active.

The National Privacy Principles allow opt-out-based marketing in some circumstances, but the Federal Privacy Commissioner's formal guidance on NPP 2.1 is that, in the context of online communications, the National Privacy Principles will generally require an opt-in model. Conflicting priorities and resource constraints may limit the ability of the Federal Privacy Commissioner to target spam-based complaints in the immediate future.

Content and transparency

A number of existing legislative measures may be relevant in dealing with various types of spam:

•       The Interactive Gambling Act 2001 prohibits certain forms of online gambling services and the advertising of those services.

•       The Therapeutic Goods Act 1989 is effective in dealing with misleading therapeutic goods related content, where that content is hosted in Australia. It is not effective in dealing with overseas-hosted content. Most content of this type originates overseas.

•       The scheme for dealing with content on the Internet contained in Schedule 5 to the Broadcasting Services Act 1992 does not apply to ordinary e-mail. It can however apply to the sites to which spammers are attempting to direct people, if these sites host prohibited content or potentially prohibited content as defined in Schedule 5.

•       The consumer protection provisions of the Trade Practices Act 1974 prohibit false and misleading claims about goods and services. This legislation can also potentially apply to the issue of transparency in terms of falsified headers and false opt-out options.

•       Section 85ZE of the Crimes Act 1914 makes it an offence to use e-mail in a manner that is menacing, harassing or offensive: this could include sexually-related content.

Pornographic content and links

One of the most common and disturbing forms of spam is either pornographic images or links to pornographic sites, often accompanied by explicit descriptions of the images on offer. Whilst often offensive to adults, this practice is even more irresponsible in that spammers have no regard to the age of the recipients and such spam is easily viewed deliberately or inadvertently by minors.

Schedule 5 to the Broadcasting Services Act 1992 (BSA) establishes a scheme to control illegal and highly offensive online content in Australia. Under this scheme, any person can complain to the Australian Broadcasting Authority (ABA) if they believe Australians can access illegal or potentially illegal online content, including content attached to spam.

The online content scheme relies on the national classification guidelines administered by the Office of Film and Literature Classification, to determine which Internet content should acted upon. If the ABA finds that the content involved is illegal, it requires sites either to be taken down or instructs filter makers to block the site. The public complaints process administered by the ABA applies to Internet content including websites that are linked to spam. However, the scheme does not extend to normal e-mail messages, including spam messages.

Misuse/abuse of computing resources

Even where spam contains no illegal or inappropriate content it can still cause damage to both individuals and organisations, and to the Internet as a whole, due to the massive amounts of messages and consequently bandwidth and computing resources that can be consumed. This can be further compounded for the individual or organisation if they are spoofed, resulting in potentially significant costs and damage to reputation.

Where spammers suborn third party computing resources for spamming there are a number of criminal provisions or other legal remedies under the Criminal Code, which may be potentially available [17]:

•       Section 477.1 makes it an offence for a person to knowingly commit or facilitate the commission of unauthorised impairment of electronic communication to or from a computer by means of a telecommunications service. This may apply to spam which is sent without authorisation and which overtaxes computer/Internet resources;

•       Section 477.2 makes it an offence to cause any modification of data held in a computer or impair the reliability, security or operation of such data, by means of a telecommunications service. This may apply to spam which is sent without authorisation through third party servers, as is the case in many spoofing attacks;

•       Section 477.3 makes it an offence for a person to cause any unauthorised impairment of electronic communication to and from a computer by means of a telecommunications service, or to or from a Commonwealth computer, and where the person knows the impairment is unauthorised;

•       Section 478.1 makes it an offence for a person to knowingly cause any unauthorised access to or modification of restricted data[18] where the data is held in a Commonwealth computer, or is held on behalf of the Commonwealth, or the access or modification is achieved by the use of a telecommunications service;

•       Section 478.3 makes it an offence for a person to possess or control data with the intention of it being used in committing or facilitating the commission of an offence against Division 477 of the Criminal Code.

Attachment B

Existing Technical Approaches to Limiting Spam

Desktop PC users

Some users simply manually delete unsolicited e-mail from their inbox. Other Internet users rely on the features of their operating system, virus protection or firewalls as a measure to control spam, for example by adding spammers to the `junk-senders' list in their e-mail software. Increasingly larger e-mail providers are providing their members with facilities to remove spam messages before they reach their inbox, by comparing them against a range of criteria and parameters, which are refined through client interaction.

Spammers are resourceful in avoiding this type of detection by account hopping (changing to new e-mail accounts frequently) or by avoiding words commonly used in spam when drafting their message in order to bypass content filters and firewalls. Increasingly spam messages are composed to capture the target group's attention by the use of innovative subject lines and message text that entices the recipient to open the e-mail and/or visit a website. Many Internet users protect the integrity of their private e-mail address by restricting its use, preferring to establish an anonymous e-mail address through a free e-mail service when communicating with the Internet user, newsgroups or chat rooms.

Business and ISPs

Increasingly Internet businesses and ISPs are turning to technical solutions to combat the problem of spam. There are several types of technical tools that will assist in filtering or blocking unwanted e-mail messages. Many businesses and Internet service providers are now using more robust tools that filter spam before it finds its way into corporate networks and onto the desktops of end users.

Filtering, anti-virus and firewall products use strategies including Bayesian logic to intercept spam. These products may be applied either by ISPs or corporate networks at the level they receive mail (ie. message transfer agent (MTA) or message user agent (MUA)) or by end users. An MUA interacts with a software e-mail browser to access, display and prepare messages on the user desktop. An MTA is a program responsible for receiving, routing, and delivering e-mail messages. MTAs receive e-mail messages and recipient addresses from local users and remote hosts, perform alias creation and forwarding functions, and deliver the messages to their destinations. An MTA is sometimes called a mail transport agent, a mail router, an Internet mailer, or a mail server program.

System administrators can also close open relays to avoid having their e-mail server used to send spam. According to the ISP Xmission [19], a mail system needs to have two rules to be secure from being used as a relay:

•       It should accept only incoming mail that it delivers locally, based on e-mail address;

•       It should deliver only outgoing mail that originates locally, based on IP address.

The actual configuration settings will of course vary for different server types. More detailed information on setting configurations for particular systems is at http://mail-abuse.o rg/tsi/ar-fix.html.

A related problem to open relays is open proxies, particularly open proxies on broadband connections. In this context a proxy is software that can be used on a `single computer' Internet service (such as a dialup, cable or DSL connection) to allow other computers connected on a home network to get access to the Internet via the single computer that has direct access to the Internet service. If a proxy is misconfigured so that it does not restrict who can use it - that is, it is open - it can be used by spammers to send spam, making it look like it came from the misconfigured computer. This type of abuse doesn't even leave telltale signs like open proxy abuse typically does. This is something that the broadband service providers in particular need to deal with, possibly by scanning for open proxies themselves or blocking the ports normally used by open proxies.

Pressure has increasingly been placed on sites offering free web-based e-mail to take steps to counter spam. Free web-based e-mail offers potential spammers the ability to establish a web address freely and quickly - allowing multiple accounts to be created and making spammers difficult to pinpoint and effectively dealt with through filtering and blocking software or other measures.

It is however encouraging to see companies these free web-based e-mail services taking responsibility for the spam they both generate and attract.

For example, Hotmail has implemented an initiative to limit to 50 the number of addresses that a user can send a single e-mail to, and has also limited the amount of e-mails a user can send from an account to 100 per day. These moves are said to effect less than one percent of all Hotmail users - but will have a significant impact on the ability of spammers to use the service to send bulk e-mails.

Filtering

Filters are programs which block access to e-mail based either on a list of banned sites, or keywords and phrases. Some also stop search engines from searching on unsuitable topics, and block access to newsgroups, chat rooms and e-mail. They may either operate on a home computer or through an ISP. Each filtering tool categorises differently based on their own set of metrics, so that as well as blocking inappropriate sites or content, may also block valuable and inoffensive sites, such as medical sites or e-mail which happen to contain words or phrases on banned lists.

The AC Nielsen.consult survey of ISPs commissioned by NOIE in 2002 found that of the five largest ISPs in Australia, only one filtered for spam before their mail servers forwarded e-mail to customers. One of the remaining four said it is active in encouraging its customers to employ filter products (provided through the ISP at a discounted price).

Of the smaller Australian ISPs, most employed filters before forwarding mail, but many did not filter for all spam. This partly reflects the fact that filtering messages cost ISPs time and money and slow network performance, without reducing the number of spam messages being sent or the cost of bandwidth abuse and media storage. Another general perception among ISPs is that filtering products are worthwhile using, at least at the consumer level, but are not always easy to design, configure or install in a manner which blocks spam without blocking wanted messages. Spam is a dynamic problem and spammers are adept at overcoming filtering technologies.

`Whitelists' and `blacklists' are forms of filtering used to manage spam by focusing on certifying legitimate e-mail sources. This option includes the use of `approved sender lists' or `do not e-mail' lists. They allow businesses and individuals to set permissions that allow e-mail only from approved sources or may be used in conjunction with a filtering option.

Whitelists filter on the basis that a list of the addresses of people or businesses from whom you expect to receive e-mail is created, filtering out e-mail that is not from an address on the list. A blacklist provides a list of IP addresses that can be used to filter out undesirable traffic. Blacklists reject e-mail delivered from mail servers known (or believed) to send spam or where e-mail from a certain list of e-mail or specified text patterns is rejected or otherwise filtered. Internet vigilantes have been known to use blacklists to target and disrupt the business of ISPs and others; essentially innocent parties who have been used by spammers. Blacklists are not a reliable form of filtering, as they are not always accurate or reliably maintained. Nor is there any real consistency in the checks applied (if any) by the often anonymous maintainers of these lists. On occasions this has led to innocent parties being posted to a blacklist with no way of being able to clear their name or gain a de-listing. Further information on spam filtering databases may be found at www.declude.com/JunkMail/Support/ip4r.htm and http://www.moensted.dk/spam.

ABBREVIATIONS

The following abbreviations are used in this explanatory memorandum:

ACA:        Australian Communications Authority

ACA Act:        Australian Communications Authority Act 1997

Bill:        Spam Bill 2003

Crimes Act:        Crimes Act 1914

Minister:       Minister for Communications, Information Technology and the Arts

NOIE:       National Office for the Information Economy

SMS:        short message service

Spam Consequentials Bill:       Spam (Consequential Amendments) Bill 2003

Telecommunications Act:       Telecommunications Act 1997

TPA:        Trade Practices Act 1974

NOTES ON CLAUSES

Part 1 - Introduction

Clause 1 - Short title

Clause 1 provides that the Bill, when enacted, may be cited as the Spam Act 2003.

Clause 2 - Commencement

Clause 2 sets out when each of the provisions in the Bill will commence. It provides that the following provisions will commence on Royal Assent:

•       clauses 1 to 14 of the Bill, and anything else not covered by the table. These are the introductory provisions, including the short title of the Bill, these commencement provisions and the definitions (items 1 and 2).

•       clauses 42 and 47. These clauses provide for the additional ACA functions and the regulation-making power (items 5 and 7). This will enable an education program to be conducted about the scheme provided for in the Bill prior to any enforcement action being undertaken.

•       Schedule 2, the provisions relating to the concept of consent (item 9). This concept of consent is relevant to the industry codes provisions in the Spam Consequentials Bill, which commence upon Royal Assent.

The following provisions will commence 120 days after Royal Assent:

•       Parts 2 to 6 (item 3). These Parts relate to rules about sending commercial electronic messages and about address-harvesting software and harvested-address lists, the civil penalties provisions and the injunctions and enforceable undertakings provisions. This delayed commencement will ensure that an education program can be conducted prior to the penalty provisions coming into effect.

•       clauses 41, 43 to 46 (items 4 and 6). These are miscellaneous provisions.

•       the provisions defining `designated commercial electronic messages' and the infringement notice scheme provisions which are set out in Schedules 1 and 3.

Subclause 2(2) makes it clear that column 3 of the table contains additional information that is not part of this Bill.

Clause 3 - Simplified outline

Clause 3 provides a simplified outline of the Bill. It is not a comprehensive statement of the measures contained in the Bill, but is designed to assist people in understanding the broad elements in the Bill.

It provides that the Bill, when enacted, will set up a scheme for regulating commercial e-mail and other types of commercial electronic messages. The regulation of these types of messages is not confined to unsolicited commercial electronic messages (commonly known as spam). Certain measures (such as commercial electronic messages being required to include sender information) will also apply to messages which are not unsolicited. In particular the Bill provides that:

•       unsolicited commercial electronic messages must not be sent (see clause 16 of the Bill);

•       commercial electronic messages must include information about the person (individual or organisation) who authorised the sending of the message (see clause 17 of the Bill);

•       commercial electronic messages must contain a functional unsubscribe facility (see clause 18 of the Bill);

•       address-harvesting software must not be supplied, acquired or used (see Part 3 of the Bill) ;

•       an electronic address list produced using address-harvesting software must not be supplied, acquired or used (see Part 3 of the Bill); and

•       the main remedies for breaches of this Bill are civil penalties and injunctions (see Parts 4 and 5 of the Bill).

The outline also notes that the Telecommunications Act contains additional provisions relevant to commercial electronic messages. Those provisions relate to industry codes and standards (Part 6), investigations by the ACA (Part 26), information-gathering powers of the ACA (Part 27) and enforcement by the ACA (Part 28). These provisions are proposed to be amended by the Spam Consequentials Bill to apply to commercial electronic messages.

Clause 4 - Definitions

Clause 4 sets out the key definitions used in the Bill. These definitions are discussed below.

ACA

The term `ACA' is defined to mean the Australian Communications Authority. Under this Bill and the Spam Consequentials Bill, the ACA is responsible for investigating complaints about the sending of unsolicited commercial electronic messages and taking appropriate enforcement action (see Parts 4 to 7 of this Bill which set out the various enforcement options available).

account

The term `account' is defined to include a free account, a pre-paid account and anything that may be reasonably regarded as the equivalent of an account. This term is used in the definition of `electronic message'. An `electronic message' for the purposes of this Bill is defined in clause 5 to mean a message sent using an Internet carriage service or other listed carriage service which is sent to an electronic address in connection with an e-mail account, instant messaging account, telephone account or a similar account. For example an electronic message includes an e-mail message (which is sent using an Internet carriage service to an e-mail address) or an SMS message (which is sent using a listed carriage service to a mobile phone number).

This definition of `account' is intended to put beyond doubt that messages sent to accounts such as free web-based e-mail accounts, which are free accounts, or to a pre-paid Internet account, come within the meaning of an account in this Bill.

The linking of the sending of a message to an electronic address which is connected with a particular account (relevant to that address) is intended to exclude messages sent to an Internet protocol address (for example, a message sent to retrieve a particular webpage) from the meaning of an electronic message, as they would not be being sent to an electronic address in connection with a particular account. A message sent to an IP address associated with an instant messaging service or web-mail account, would however be an electronic message for the purposes of the Bill.

acquire

The term `acquire', when used in relation to goods or services, is defined to have the same meaning as in the TPA.

Subsection 4(1) of the TPA defines `acquire' to include:

(a)       in relation to goods - acquire by way of purchase, exchange or taking on lease, on hire or on hire-purchase; and

(b)       in relation to services - accept.

The meaning of the term `goods', as defined in the TPA is discussed below under the definition of goods in clause 4 of this Bill. It is an inclusive definition which would include software.

The definition of `acquire' is an inclusive definition which does not limit the ordinary meaning of the term. It would cover the exchange of goods without any payment. For example, if a person has downloaded software which is freely available on the Internet, then they have acquired the software for the purposes of this Bill.

The term `acquire' is used in clause 21 of the Bill. This clause prohibits the acquisition of address-harvesting software and harvested-address lists for the purposes of sending `spam'. The terms `address-harvesting software' and `harvested-address list' are defined in clause 4 (see discussion below).

address-harvesting software

The term `address-harvesting software' is defined to mean software that is specifically designed or marketed for use for searching the Internet for electronic addresses (for example e-mail addresses or telephone numbers) and collecting, compiling, capturing or otherwise harvesting these electronic addresses. Some commercial examples of this sort of software are Speed Email Extractor, Advanced Email Extractor and Xtreme Xtractor, although it should be noted that the retailers of some products specifically prohibit their use for sending spam. Legitimate data-warehousing activities do not fall within the definition.

The term `use' is given an extended meaning in clause 11 of the Bill to include use of a thing in isolation or in conjunction with other things. Therefore if software is accompanied by other mechanisms which automate the process, this would fall within the definition of address-harvesting software.

Under this Bill the supply, acquisition or use of address-harvesting software is prohibited where it is intended to be used to send unsolicited commercial electronic messages in contravention of clause 16 (see Part 3 of the Bill). This Part also prohibits the supply, acquisition or use of lists produced using address-harvesting software. The Bill prohibits the offer to supply address-harvesting software or harvested-address lists where they would be intended to be used in a contravention of clause 16.

agency

The term `agency' is defined to include an armed force and a police force. This term is used in the definition of a `government body' in clause 4, which in turn is relevant to the various exclusions to the penalty provisions (as part of the definition of a `designated commercial electronic message' in Schedule 1). The definition is included to ensure that armed forces and police forces come within the meaning of a government body for the purposes of the Bill. The definition is necessary, as these forces would not ordinarily come within the meaning of an agency.

Australia

The term `Australia', when used in a geographical sense, is defined to include the external Territories. These Territories include Norfolk Island, Cocos (Keeling) Islands and Christmas Island. If this definition were not included then the term `Australia' would not include Norfolk Island.

Examples of the use of the term `Australia' are in clauses 7 (which sets out the meaning of an Australian link for the purposes of the Bill, which is relevant to the penalty provisions in Part 2 of the Bill), 14 (extra territorial application of the Bill), and Part 3 of the Bill (which sets out rules about address-harvesting software and harvested-address lists).

One of the effects of this extended definition is that a person is prohibited from sending unsolicited commercial electronic messages to Norfolk Island or from Norfolk Island (because it will come within the meaning of an Australian link).

Australian link

The term `Australian link' is defined to have the meaning given by proposed section 7. An Australian link is a key element in the penalty provisions in Part 2 which set out the rules about sending commercial electronic messages. Only those commercial electronic messages which have an Australian link will be subject to the rules.

An Australian link in relation to a commercial electronic message is established by one or more of the following:

•       the message originates in Australia;

•       the person or organisation authorising the message is physically present (for individuals), or centrally managed (for organisations), in Australia when the message is sent;

•       the computer, server or device that is used to access the message is located in Australia;

•       the relevant electronic account holder (usually the recipient) is physically present (for an individual), or centrally managed (for an organisation), in Australia when the message is accessed.

Essentially an Australian link is established if the message originates in Australia and is sent to Australia or overseas, or if a message originates overseas and is sent to Australia. Australia is defined to include the external territories (see above).

If a message cannot be delivered because the relevant electronic address does not exist (for example because the spammer used a dictionary attack to send the messages) then an Australian link is established if it is reasonably likely that the computer, server or device that would have been used to access the message if the electronic address existed, is in Australia. For example if a spammer sent an e-mail message to an address within the .au domain that did not exist then it is reasonably likely that the computer that would have been used to access the message would have been located in Australia.

authorise

The term `authorise', when used in relation to the sending of an electronic message, is defined to have a meaning affected by proposed section 8.

Proposed section 8 provides that if an individual authorises the sending of an electronic message and does so on behalf of an organisation then the organisation rather than the individual is taken to have authorised the sending of the message. This will not apply in the case where an individual purports to act on behalf of an organisation but goes beyond his or her authority. In this case the organisation will not be taken to have authorised the message.

In addition, if an electronic message is sent by an individual or organisation without being authorised by any other individual or organisation, then the first-mentioned individual or organisation is taken to authorise the sending of the message. This concept of self-authorisation has been included to remove any argument that there has been no authorisation when an individual or organisation has sent a message on his or her own behalf.

The term `authorise', in relation to the sending of an electronic message, is used in clause 17 (which requires commercial electronic messages to include accurate identification of the person or organisation who authorised the sending of the message), clause 18 (which requires commercial electronic messages to enable recipients to send an unsubscribe message to the individual or organisation who authorised the sending of the message), Schedule 1 (which defines designated commercial electronic messages as messages authorised to be sent by certain bodies and factual messages with certain additional information about the person authorising the sending), and in clause 3 of Schedule 2 to the Bill (which deals with users of an account who are authorised to consent on behalf of the relevant electronic account-holder).

business

The term `business' is defined in clause 4 to include a venture or concern in trade or commerce, whether or not conducted on a regular, repetitive or continuous basis. This definition has been included to make it clear that an electronic message would be a commercial electronic message where it includes an offer to provide a business opportunity even if the offeror is conducting a one-off or irregular commercial activity.

The term `business' is used in the basic definition of commercial electronic message (in clause 6) and in Schedule 2 of the Bill (which defines the concept of consent). The definition of a commercial electronic message includes an offer to provide a business opportunity or to advertise or promote a business opportunity or supplier, or prospective supplier of a business opportunity. For the purposes of the Bill consent includes consent that can be reasonably inferred from a pre-existing business relationship (see subparagraph 2(b)(ii) of Schedule 2).

The settled legal meaning of carrying on a business' is to conduct some form of commercial enterprise, systematically or regularly, with a view to a profit: Hyde v Sullivan [1956] SR (NSW) 113. The definition of `business' in clause 4 varies the ordinary meaning of `business' so it is clear that, for the purposes of the Bill, it is not necessary to establish that a commercial enterprise is carried on in a regular or continuous manner.

carriage service

The term `carriage service' is defined to have the same meaning as in the Telecommunications Act. A carriage service is defined in section 7 of the Telecommunications Act to mean a service for carrying communications by means of guided and/or unguided electromagnetic energy. The reference to the carriage of communications by means of `guided electromagnetic energy' includes the carriage of communications by means of a wire, cable, waveguide or other physical medium used, or for use, as a continuous artificial guide for or in connection with the carrying of the communication. The reference to the carriage of communications by means of `unguided electromagnetic energy' includes communications by means of radiocommunications.

This term is used in clause 9 and in the penalty provisions (subclauses 16(10), 17(6) and 18(7)) to clarify that a person does not send or cause to be sent commercial electronic messages simply because the person supplies a carriage service that enables the message to be sent. This means that carriage service providers (such as an Internet service provider) will not be in breach of the penalty provisions simply because they have supplied the service over which the message was sent.

civil penalty provision

This definition sets out those clauses in the Bill which are civil penalty provisions. Civil penalty provisions are provisions which may attract a pecuniary penalty if breached. The following provisions are civil penalty provisions:

•       proposed subsections 16(1), (6) and (9) which set out the rules relating to sending unsolicited commercial electronic messages;

•       proposed subsections 17(1) and (5), which set out rules relating to the requirement to include accurate sender information in commercial electronic messages;

•       proposed subsections 18(1) and (6), which require commercial electronic messages to include a functional unsubscribe facility;

•       proposed subsections 20(1) and (5), which prohibit the supply of address-harvesting software and harvested-address lists;

•       proposed subsections 21(1) and (3), which prohibit the acquisition of address-harvesting software and harvested-address lists;

•       proposed subsections 22(1) and (3), which prohibit the use of address-harvesting software and harvested-address lists; and

•       a provision of the regulations that is declared to be a civil penalty provision in accordance with paragraph 45(2)(c).

Part 4 of the Bill sets out the penalties which apply for contravention of these civil penalty provisions, and the action which may be taken to recover these penalties. In essence civil penalty provisions may attract pecuniary penalties (as set out in clause 25 of the Bill). Criminal proceedings may not be brought against a person for breach of a civil penalty provisions (see clause 27 of the Bill).

commercial electronic message

The term `commercial electronic message' is defined to have the meaning given by proposed section 6. For the purposes of the Bill, whether an electronic message is a commercial electronic message will be determined by having regard to its purpose or one of its purposes as determined by the content of the message, the way it is presented and the content located at any associated links, such as links to other websites, or telephone numbers. An electronic message is defined in clause 5. The definition of a `commercial electronic message' is discussed in more detail below under the notes to clause 6.

A commercial electronic message is one of the key elements of the penalty provisions in the Bill, which regulate commercial electronic messages. It is central to the prohibition on sending unsolicited commercial electronic messages (see clause 16), requiring commercial electronic messages to include accurate sender information (see clause 17) and requiring commercial electronic messages to include a functional unsubscribe facility (see clause 18). The amounts of the penalties are set out in clause 25.

consent

The term `consent', in relation to the sending of an electronic message, is defined to have the meaning given by proposed Schedule 2 to the Bill.

Consent may be express consent or implied consent. If a person has a pre-existing business relationship or other relationship such as a family relationship, consent may be implied (subparagraph 2(b)(ii) of Schedule 2). Implied consent may also be inferred from the conduct of the person. The definition of consent is discussed in greater detail below in the notes to Schedule 2.

The concept of consent is a key element in the defence to the penalty provisions relating to the sending of unsolicited commercial electronic messages in proposed section 16. Subclause 16(2) of the Bill provides a defence to the prohibition on sending unsolicited commercial electronic messages if the sender points to evidence that the relevant electronic account-holder consented to the sending of the message. The effect of this defence provision is that a person may send another person commercial electronic messages where that other person has consented to receiving it. It therefore enables persons to send commercial electronic messages to persons with whom they have a pre-existing business relationship.

data processing device

The term `data processing device' is defined to have the same meaning as the Telecommunications Act. Section 7 of the Telecommunications Act defines it as any article or material (for example a disk) from which information is capable of being reproduced, with or without the aid of any other article or device.

This definition is relevant to the infringement notice provisions in subparagraph 4(1)(c)(ii) of Schedule 3.

dealing with

The term `dealing with', when used in relation to a commercial electronic message, is defined to include accessing the message, responding to the message or filtering the message.

This definition is relevant to clause 45 of the Bill which provides for the making of regulations in relation to giving effect to an international convention that deals with commercial electronic messages and/or address-harvesting software. It means that any international convention which dealt with one or more aspects of commercial electronic messages (ie accessing, responding to or filtering messages) or address-harvesting software, could be given effect to under this regulation-making power.

designated commercial electronic message

The term `designated commercial electronic message' is defined to have the meaning given by Schedule 1 to the Bill.

In essence, certain messages sent or authorised to be sent by government bodies, registered political parties, religious organisations, and charities, as well as certain messages sent or authorised to be sent by educational institutions are designated commercial electronic messages for the purposes of this Bill. In addition certain factual messages are also designated commercial electronic messages.

The meaning of `designated commercial electronic message' is discussed in greater detail below in the notes to Schedule 1 to the Bill.

The concept of a `designated commercial electronic message' is relevant to the prohibition on sending unsolicited commercial electronic messages in clause 16 of the Bill, and the requirement for commercial electronic messages to contain a functional unsubscribe facility in clause 18 of the Bill. Designated commercial electronic messages are exempt from clauses 16 and 18. The effect of these provisions is that messages containing certain factual information and certain messages sent by government bodies, religious organisations, charities, registered political parties, or educational institutions are not required to contain unsubscribe facilities and their sending is not prohibited. It is worthwhile noting that a lot of such messages would fall outside the meaning of a commercial electronic message as defined in clause 6 for the purposes of this Bill, even without a specific exemption, as they would not be commercial in nature.

director

The term `director' is defined to include a member of the governing body of an organisation. This definition is included to ensure that the term `director' is not limited to persons who have been appointed to the position.

The term `director' is used in subparagraph 2(1)(a)(v) of Schedule 1 to the Bill (which relates to when a director of an organisation is the author of a factual message) and in subclause 4(2) of Schedule 2 to the Bill (which relates to when consent may be inferred from publication of an electronic address and refers to the circumstances in which a particular electronic address enables the public to send electronic messages to a particular director of an organisation).

educational institution

The term `educational institution' is defined to include a pre-school, a school, a college and a university. It is an inclusive definition, and does not preclude the inclusion of other institutions which would come within the ordinary meaning of educational institutions, within this definition. This definition would include both private and public educational institutions. For example it would include Bond University as well as Melbourne University, Catholic high schools and TAFEs. It would not cover individuals who are conducting training courses on a particular subject matter, for example a person offering private French lessons.

This term is used in the definition of `designated commercial electronic messages' in clause 4 of Schedule 1 to the Bill. This clause provides that certain messages sent by educational institutions are designated commercial electronic messages. This means that such messages are exempt from the prohibition in clause 16 of the Bill on sending unsolicited commercial electronic messages. In addition such messages are not required to contain a functional unsubscribe facility (as required by clause 18 of the Bill). The definition of designated commercial electronic messages is discussed in greater detail below under Schedule 1.

electronic message

The term `electronic message' is defined to have the meaning given by proposed section 5.

In essence an electronic message is a message sent using an Internet carriage service or other listed carriage service to an electronic address in connection with a particular account. The terms `Internet carriage service' and `listed carriage service' are defined below in clause 4. Some examples of electronic messages are e-mail messages and SMS messages.

This definition is discussed in greater detail below at clause 5.

The meaning of an electronic message is a key concept in the definition of a commercial electronic message, which is broadly an electronic message which has a particular `commercial purpose' (see clause 6 of the Bill). As discussed above, under the definition of a commercial electronic message, this definition in turn is critical in the penalty provisions in the Bill, which regulate commercial electronic messages.

employee

The term `employee' is defined to include an individual who is in the service of an armed force, a police force or a religious organisation. This definition has been included as members of the armed forces and police forces or religious organisations are not ordinarily considered to be `employees'.

This term is used in subparagraph 2(1)(a)(iii) of Schedule 1 to the Bill (which refers to the circumstance in which an employee of an organisation is the author of a factual message) and in subclause 4(2) of Schedule 2 to the Bill (which relates to when consent may be inferred from publication of an electronic address and refers to the circumstances in which a particular electronic address enables the public to send electronic messages to a particular employee of an organisation).

evidential burden

The term `evidential burden' in relation to a matter, is defined to mean the burden of adducing or pointing to evidence that suggests a reasonable possibility that the matter exists or does not exist. This is the same as the definition of an evidential burden in criminal matters (see subsection 13.3(6) of the Criminal Code).

This term is used in the penalty provisions in subclause 16(5), 16(8), 17(4), 18(5) and 20(4), where the initial burden of pointing to evidence rests with the defendant, rather than the prosecution.

Federal Court

This term is defined to mean the Federal Court of Australia. This term is used in Part 4 of the Bill. Under this Part the Federal Court may order a person to pay a pecuniary penalty if the Court is satisfied that a person has contravened a civil penalty provision. The rules regulating commercial electronic messages (ie prohibiting the sending of commercial electronic messages, the requirement to include accurate sender information in commercial electronic messages, the requirement to include functional unsubscribe facilities in commercial electronic messages and the prohibition on the supply, acquisition or use of address-harvesting software or lists generated from such), and any provision of the regulations declared to be a civil penalty provision are civil penalty provisions. Under clause 26 of the Bill the ACA may institute proceedings in the Federal Court for the recovery of a pecuniary penalty.

In addition to an order for payment of a pecuniary penalty under clause 24 of the Bill, the Federal Court may make certain ancillary orders. The Court may direct a person to compensate a victim, where the person has suffered loss or damage as a result of the contravention of a civil penalty provision, or may direct that a person pay to the Commonwealth the amount of the financial benefit the person has obtained from breaching the provision (see clauses 28 and 29).

Part 5 of the Bill provides for the Federal Court, on the application of the ACA, to grant injunctions in relation to contraventions of civil penalty provisions.

goods

The term `goods' is defined to have the same meaning as in the TPA.

Section 4 of the TPA defines goods as including ships, aircraft and other vehicles; animals, including fish; minerals, trees and crops, whether on, under or attached to land or not; and gas and electricity.

This definition is relevant to the meaning of commercial electronic messages in clause 6 of the Bill.

The definition of goods is also relevant to the meaning of acquire or supply, which are relevant to the rules relating to address-harvesting software and harvested-address lists in Part 3 of the Bill. Relevantly, in this context, goods would include software.

government body

The term `government body' is defined to mean a department, agency, authority or instrumentality of the Commonwealth, State or Territory or of the government of a foreign country or of part of a foreign country (eg. a State or province of a foreign country). The term `agency' is defined above to include armed forces and police forces.

It includes a Commonwealth department, such as the Department of Communications, Information Technology and the Arts, a statutory authority such as the ACA and includes foreign government and authorities. A part of a foreign country means, for example, one of the States of the United States of America.

The term `government body' is used in the definition of `designated commercial electronic message' in clause 3 of Schedule 1 of the Bill. This is relevant to the exceptions to clauses 16 and 18 (the prohibition on sending unsolicited commercial electronic messages, and the requirement on including functional unsubscribe facilities in commercial electronic messages). Certain messages sent or authorised to be sent by government bodies are exempt from these provisions. The definition of commercial electronic messages is discussed in greater detail below under Schedule 1.

harvested-address list

The term `harvested address-list' is defined to mean a list, collection or compilation of electronic addresses, where the list, collection or compilation was produced by using address-harvesting software to any extent (see definition of address-harvesting software above in clause 4).

Lists which consist primarily of addresses which have been collected using address-harvesting software, but which include some addresses which have been obtained from other means, will be included in this definition.

The definition does not cover lists which are compiled solely by means other than the use of address-harvesting software. For example if electronic addresses are harvested from a source other than the Internet and compiled in a list then they do not come within this definition. For example, the definition does not cover integrated public number databases which are not collected via the Internet. It also does not cover manually created lists.

'Electronic address' is not defined in the Bill but includes e-mail addresses, telephone numbers and the like.

This term is relevant to the rules about address-harvesting software and harvested-address lists set out in Part 3 of the Bill, which prohibits the supply, acquisition or use of harvested-address lists for the purposes of contravening clause 16.

This definition covers lists produced before the commencement of this Bill. Therefore a person must not supply, acquire or use a harvested-address list even if the list was produced prior to the commencement of this Bill.

international convention

The term `international convention' is defined to mean a convention to which Australia is a party, or an agreement between Australia and a foreign country. This term is used in clause 45 of the Bill which enables regulations to make provision for giving effect to an international convention that deals with commercial electronic messages and/or address-harvesting software. The terms `commercial electronic message' and `address-harvesting software' are defined in clause 4.

The definition of international convention includes a treaty which Australia has signed and/or ratified. It also includes other agreements between Australia and a foreign country.

Australia is currently pursuing bilateral agreements on general cooperation between anti-spam agencies, for example between NOIE, the ACA and the Korea Information Security Agency (KISA). Once a legislative basis has been provided and the Australian enforcement arrangements are in place, the focus will shift to agreements which will facilitate mutual investigations and enforcement activities.

Internet carriage service

This term is defined to mean a listed carriage service that enables end-users to access the Internet. A listed carriage service is defined in clause 4 (see discussion below under the definition of `listed carriage service').

Like the Telecommunications Act, the Telecommunications (Consumer Protection and Service Standards) Act 1999, and the Interactive Gambling Act 2001, the term `end-user' is used in this Bill without being defined. An end-user need not necessarily be a customer of an Internet service provider.

This term is relevant to the definition of an `electronic message', which is defined in clause 5 of the Bill, and includes certain messages sent using an Internet carriage service.

investment

The term `investment' is defined broadly to mean any mode of application of money or other property for the purpose of gaining a return (whether by way of income, capital gain or any other form of return).

This term is used in the basic definition of a `commercial electronic message' in clause 6 of the Bill, which includes messages which offer to provide investment opportunities or which advertise or promote investment opportunities or providers or suppliers of investment opportunities. It is defined to ensure that offers to provide investment opportunities or to advertise investment opportunities may come within the meaning of a commercial message even if there is no guaranteed income return for the investment. For example, an offer to buy land could come within the meaning of an investment opportunity, notwithstanding that there may be no direct income return for the investment of money, but may merely be an opportunity for a capital gain.

listed carriage service

This term is defined to have the same meaning as in the Telecommunications Act. Section 16 of the Telecommunications Act defines a listed carriage service as:

•       a carriage service between a point in Australia and one or more other points in Australia;

•       a carriage service between a point in Australia and one or more other points, at least one of which is outside Australia; and

•       a carriage service between a point outside Australia and one or more other points, at least one of which is in Australia.

Subsection 16(2) of the Telecommunications Act provides that a `point' includes a mobile or potentially mobile point, whether on land, underground, in the atmosphere, in outer space, at sea or anywhere else. This would include, for example, points on vehicles, aircraft and ships.

Subsection 16(3) of the Telecommunications Act makes it clear that a point in the atmosphere, in or below the stratosphere and above Australia is taken to be in Australia. Accordingly, a point on an aircraft above Australia is taken to be a point in Australia for the purpose of this clause.

Subsection 16(4) of the Telecommunications Act provides that a point on a satellite that is above the stratosphere is taken to be a point outside Australia.

A `carriage service' is defined in section 7 of the Telecommunications Act, see definition of `carriage service' above in clause 4.

This definition of `listed carriage service' is relevant to the meaning of an electronic message, which is defined in clause 5 of the Bill. A listed carriage service would include an Internet carriage service or a mobile telephone service where such services involve a `point' in Australia (as discussed above).

logo

The term `logo' is defined to include a trade mark.

This term is used in clause 2 of Schedule 1 to the Bill (which deals with factual electronic messages). This clause enables messages containing factual information to include a logo identifying the authorised sender of the message, the author's employer, or the message's sponsor, without bringing it within the meaning of a commercial electronic message.

message

A message is defined broadly to mean any information whether in the form of text, data, speech, music or other sounds, visual images, or any other form or combination of forms. This is similar to the definition of `communications' in section 7 of Telecommunications Act.

It is defined broadly to ensure that messages which simply include a graphic (for example to attempt to get around filtering software) may still be included within the meaning of a commercial electronic message for the purposes of this Bill, notwithstanding that it does not contain any text.

This term is integral to the definition of an electronic message, which is defined to mean a message sent using a particular type of service to an electronic address (see clause 5 of the Bill).

mistake

The term `mistake' is defined to mean a reasonable mistake of fact. This term is relevant to the defences provided in subclauses 16(4), 17(3) and 18(4). These provisions provide a defence to the rules prohibiting the sending of unsolicited commercial electronic messages, requiring commercial electronic messages to include accurate sender information, and requiring commercial electronic messages to include a functional unsubscribe facility, if the person sent the message, or caused the message to be sent by mistake.

This definition ensures that the defence is only available if the mistake was reasonable and it removes any possible argument that the defence is available if the person has made a mistake as to the law.

organisation

An organisation is defined to include a body corporate, a partnership, a government body (as defined in clause 4 of this Bill), a court or tribunal and an unincorporated body or association.

This term is used in various provisions in the Bill, including clauses 7 (Australian link), 8 (authorising the sending of electronic messages), 17(1) (commercial electronic message must include accurate sender information), 18(1), (3) and (9) (commercial electronic messages must contain a functional unsubscribe facility), clauses 2 and 3 of Schedule 1 to the Bill (dealing with factual electronic messages and electronic messages sent by religious or charitable organisations), and clauses 2, 4 and 6 of Schedule 2 to the Bill (dealing with consent).

Paragraph 22(1)(a) of the Acts Interpretation Act 1901 provides that in any Act, unless the contrary intention appears, the word `person' includes a body politic (such as a Commonwealth, State or Territory government) or a body corporate (such as a company or an incorporated association) as well as an individual. To avoid the possibility of a court finding a contrary intention in the Bill, the Bill makes it clear that express references in the Bill to organisations do not imply that references in the Bill to persons do not include bodies politic or bodies corporate.

penalty unit

This term is taken to have the meaning given by section 4AA of the Crimes Act 1914 (Cth), which provides that in a law of the Commonwealth, unless the contrary intention appears, penalty unit means $110. This term is used in clause 25 (maximum penalties for contravention of civil penalty provisions) and clause 5 of Schedule 3 (amount of penalty under the infringement notice scheme).

person

A person is defined to include a partnership. A person would also include individuals as well as bodies politic or corporate (as provided for in paragraph 22(1)(a) of the Acts Interpretation Act 1901).

The note to this definition provides that section 585 of the Telecommunications Act sets out rules relating to the treatment of partnerships. Section 585 of the Telecommunications Act will also apply to this Bill, by virtue of proposed amendments to this section by the Spam Consequentials Bill.

Section 585 of the Telecommunications Act (as amended by the Spam Consequentials Bill) will provide that this Bill applies to a partnership as if the partnership were a person, with some changes. Namely, obligations that would be imposed on the partnership are imposed instead on each partner, but may be discharged by any of the partners, and any breach of this Bill that would otherwise be committed by the partnership is taken to have been committed by each partner who aided, abetted, counselled or procured the relevant act or omission or was in any way knowingly concerned in or party to the relevant act or mission.

This has the effect that if a partner in a partnership breaches the penalty provisions in the Bill, each partner who aided, abetted, counselled or procured, or was knowingly concerned in or was a party to the relevant act would be in breach.

publish

The term `publish' is defined to include publish on the Internet and publish to the public or a section of the public. This term is used in the context of determining consent for the purposes of the Bill, see clause 4 of Schedule 2 to the Bill. Clause 4 of Schedule 2 provides when consent may, or may not, be inferred from publication of an electronic address. It provides that the mere fact that an electronic address has been published does not imply consent for the purposes of receiving unsolicited commercial electronic messages under this Bill.

This definition ensures that the meaning of publish cannot be limited to electronic addresses published in hard copy and not on the Internet. Nor can its meaning be limited to addresses published to the public broadly. It includes publication to a limited or restricted audience, for example on a subscription based web page. Therefore publication of an electronic address includes where an e-mail address has been published on the Internet, either on a restricted section of the Internet (for example on a subscription service website) or on a generally accessible place on the Internet.

registered political party

This term is defined to mean a political party, or branch or division of a political party, that is registered under the Commonwealth Electoral Act 1918, or a State or Territory electoral law.

The term `registered political party' is used in the definition of `designated commercial electronic message' in clause 3 of Schedule 1 of the Bill. This is relevant to the exceptions to clauses 16 and 18 (the prohibition on sending unsolicited commercial electronic messages, and the requirement on including functional unsubscribe facilities in commercial electronic messages). Messages sent or authorised to be sent by registered political parties are exempt from these provisions. This definition has been included so as to avoid persons who are not legitimately considered to be political parties attempting to take advantage of the exemption.

relevant electronic account-holder

The relevant electronic account-holder in relation to the sending of an electronic message to an electronic address means the person (either an individual or an organisation) who is responsible for the relevant account (either e-mail account - in the case of an e-mail messages, an instant messaging account - in the case of an instant message, a telephone account - in the case of a telephone number, or any other relevant account).

For example, this may be the individual or organisation who has paid for the relevant account (for example Koala Kites Pty Ltd for an e-mail account for its employees) or the person who initiates the account for free accounts such as provided by a free web-based e-mail service).

This term is relevant to the concept of consent which is defined in Schedule 2 to the Bill. The rules relating to the sending of commercial electronic messages set out in clause 16 (prohibiting the sending of unsolicited commercial electronic messages) do not apply where the relevant electronic account-holder has consented to the sending of the message. It is also used in the context of establishing an Australian link in clause 7 of the Bill.

send

The term `send' is defined to include an attempt to send. This clarifies that the concept of `send' does not require a person to have received the message. A message has been sent regardless of its successful receipt or otherwise.

The concept of `send' is central to the penalty provisions in Part 2 of the Bill which broadly prohibit the sending of unsolicited commercial electronic messages (clause 16), prohibit the sending of commercial electronic messages unless they include accurate sender information (clause 17), and prohibit the sending of commercial electronic messages unless they contain a functional unsubscribe facility (clause 18).

This definition is included to ensure that a person will be in breach of these provisions even if they have not been successful in sending the message (for example because the server was down, an electronic address did not exist, or the recipient does not receive the message).

The term is also used in the basic definition of an electronic message in clause 5. Subclauses 5(2) and (3) of this definition reinforce that a message may be sent regardless of whether an electronic address exists, and regardless of whether or not a message reaches its intended destination.

It is clarified in clause 9 that a person does not send an electronic message, or cause it to be sent, merely because the person provides a carriage service that allows the message to be sent.

services

The term `services' is defined to have the same meaning as in the TPA.

Section 4 of the TPA defines services as follows:

services includes any rights (including rights in relation to, and interests in, real or personal property), benefits, privileges or facilities that are, or are to be, provided, granted or conferred in trade or commerce, and without limiting the generality of the foregoing, includes the rights, benefits, privileges or facilities that are, or are to be, provided, granted or conferred under:

       (a) a contract for or in relation to:

       (i) the performance of work (including work of a professional nature), whether with or without the supply of goods;

       (ii) the provision of, or the use or enjoyment of facilities for, amusement, entertainment, recreation or instruction; or

       (iii) the conferring of rights, benefits or privileges for which remuneration is payable in the form of a royalty, tribute, levy or similar exaction;

       (b) a contract of insurance;

       (c) a contract between a banker and a customer of the banker entered into in th