Spam is a global scourge and is currently probably the most significant problem facing the Internet. At a conference organised by ITU in July 2004, it was revealed that 76 percent of all email was spam, costing national economies US$25 billion a year. The volume of spam is a significant pricing factor for ISPs of all sizes, and their costs are passed on to end-users. Given the problems of Internet pricing and interconnection just described, the effect of spam on developing nations is especially severe. It also degrades the quality of service, particularly on the low-bandwidth and already congested links of poorer users.
Spamming is also strongly associated with network security breaches. Spammers use software viruses and worms to infect computers and hijack users’ email address books as a source of more addresses to spam. The year 2004 saw a great increase in the incidence of attacks by viruses that can take control of an infected computer so that it can be used as a launch pad for sending spam. Known as zombies or spam Trojans, these machines are controlled without their owners’ knowledge by the virus writer to send large quantities of spam. Control of these zombie machines can also be sold by virus writers working in tandem with professional spammers and crooks.
Many countries are beginning to introduce legal and regulatory measures to combat spam and, combined with other consumer protection and business laws, to make many of the practices used by spammers illegal or in contravention of existing regulations. Yet, these efforts are clearly not enough. Spam continues to grow rapidly, accounting for 10 percent of Internet email in 2000, 48 percent in May 2003, and 64 percent in April 2004; estimates today suggest it is nearer 80 percent. Spammers hide their tracks well, and finding and prosecuting them is difficult and costly, particularly across jurisdictions. International cooperation is clearly essential, but countries should also examine their existing enforcement measures, add new measures where required, and enforce them if or once they exist.
With one or two notable exceptions, Asia-Pacific nations have been slow to introduce legal measures to counter spamming. To date, only Australia, Japan and South Korea have passed specific anti-spam legislation. All other countries in the region are at best relying on piecemeal solutions offered by existing laws, making it difficult to take legal action against spammers. It is also confusing for industry self-regulation efforts and hampers international cooperation. Some countries, such as China, Malaysia, New Zealand and Singapore, are at an advanced stage of drafting legislation.13
Asia part of the global spam problem
America has always been the main source of spam. The most prolific spammers, the actual originators of spam, have tended to be US companies and individuals. The most recent estimates suggest that around 42 percent of all spam originates from the USA. However, South Korea and China, with around 15 percent and 10 percent respectively, are the next worst offenders. South Korea’s very high penetration of always-on broadband-connected PCs has been exploited by virus writers, and the country is the source of many zombie- and Trojan-generated messages. The answer to South Korea’s problems, and a lesson for all countries with an expanding broadband market, is to focus on improving security by equipment vendors, ISPs and end-users.
China presents a different type of problem. During 2004, it became a haven for spammers. Estimates by anti-spam firms Commtouch and Spamhaus suggest that in August and September 2004 almost 70 percent of websites referenced in spam were hosted on servers in China.
China’s Internet infrastructure has developed very rapidly over the past few years and is now both very advanced and very cheap to operate. High-bandwidth web-hosting services capable of hosting thousands of spam sites are available very cheaply. Unsolicited email is legal and currently virtually unregulated, so both domestic and international authorities are unable to act against the culprits. Spamhaus research also found that China was the main market for buying and selling lists of zombie and Trojan PCs. These lists of compromised computers combined with cheap website hosting are all a spammer needs to set up business. The lists change rapidly: research by Commtouch found that approximately 2.55 million URLs were used in spam messages in October 2004, and 99.2 percent of those URLs were not used in spam messages the previous month.
China’s Internet policy has focused on keeping out disruptive influences. Gateways very effectively block websites that are critical of the Chinese regime or have content that the authorities judge to be inappropriate. However, while strictly controlling the inflow of information, China has done virtually nothing to control the spam that flows out from its networks.
As the spam industry has grown in sophistication and towards increasingly criminal activities, spammers have moved their activities offshore to avoid detection by law enforcement. Like other high-tech offshoring, Asia offers cheap and safe solutions. Chinese ISPs are hosting fraudulent schemes with impunity, particularly phishing scams. Phishing uses fraudulent email to lure people to fake websites where they hand over sensitive information such as passwords, credit-card details and other personal information. The email uses spoofed headers to pretend to be a trustworthy party such as an online banking or auction service – Citibank and eBay are common targets – and directs users to a website designed to fool them into giving up their personal data. The email and websites look very authentic, and a study by the Gartner Group claimed that phishing attacks cost US credit-card companies and banks US$1.2 billion in 2003.
Commtouch reported that ChinaNet Henan and ChinaNet Chongqing were the number 1 and 2 spam ISPs in October 2004, with ChinaNet Hainan at number 5. ChinaNet is a subsidiary of China Telecom and is by far the largest ISP in the country.
ISPs around the world have responded by blocking email traffic from many Chinese providers. This practice, known as blackholing, has caused the Internet Society of China to complain that international organisations are trying to harm China’s Internet growth. There were signs at the end of 2004 that China was beginning to do something about the problem. Indications are that the number of hosted spam sites decreased in the last months of the year. Time will tell, but clearly the short-term profit gained from hosting spam sites is doing long-term harm to the Chinese Internet industry; and if such services continue, China will be increasingly isolated from the rest of the network. China must begin to devote as much energy to controlling outbound traffic as it does to monitoring what comes in.
China’s problems should be a lesson to other parts of Asia Pacific where the Internet infrastructure is also developing rapidly. Such rapid growth often creates problems that traditional legal systems are unable to keep pace with.
Despite China, over 80 percent of spam is currently generated by OECD nations. But as more people come online, spammers will no doubt be among the new online population. Nations in the process of developing e-strategies and ICT policies should ensure that anti-spam measures are included and appropriate laws and regulations are in place.
Taking into account what has worked for other countries can be an effective way of getting started in the legislative process. Topping the list of best practices at the moment is Australia, which introduced legislation in April 2004 that has been universally praised. The law is based on an opt-in requirement: email addresses cannot be used for promotional mailings without consent. The law covers all unsolicited commercial mass email marketing and includes a package of measures backed by fines of over A$1 million per day of operation for repeat offenders. The Australian direct marketing association and ISP association introduced new best practices and self-regulation guidelines to complement the new law.
Whether spam and other issues are matters of Internet governance is for WGIG and the community that responds to its work to decide. But the reasoning put forward for considering spam is that not only is it an abuse of Internet resources and a problem that is very strongly associated with fraud and consumer protection but also it requires international cooperation and coordination to resolve.
International cooperation on spam
It is abundantly clear that spam is a cross-border problem and solutions will require some form of international cooperation and coordination. Yet, there is no common international agreement on what constitutes spam, even at a fundamental definitional level. In the USA, commercial speech can be regulated, but other forms of speech cannot. Consequently, in North America, spam is usually described as “unsolicited commercial email”, whereas many other parts of the world refer to it as “unsolicited bulk email”. In cross-border situations, lack of common agreement on what spam is leads to confusion over what law or regulation may have been broken.
International regulatory bodies are becoming increasingly involved in discussions about countering spamming, and regional organisations such as ASEAN and APEC TEL are natural forums for such discussions. A risk associated with regulating spamming, particularly any centralised international regime, is that it might easily become a first step in the global regulation of Internet content. Given cultural and other differences, and the nature of the decentralised Internet, a centralised regime would be unlikely to be effective, and any temptation to coordinate broader content regulation must be resisted.
In the Asia-Pacific region, where too many governments have been quick to restrict freedom of speech on the Internet, the regulation of spamming could lead to severe restrictions on this basic human right. In New Zealand, the Office of the Privacy Commissioner is the government department responsible for controlling spamming, and the privacy code of practice and legislation that the country is developing may become valuable models taken alongside the Australian legislation. Spam is harming consumer trust in e-commerce; enforcing privacy protection alongside measures to ensure security will go a long way to reestablishing faith in e-commerce.
The development and sharing of technical and operational best practices should be supported, as should knowledge and acknowledgement of different legal and regulatory systems. Industry practices from developed countries that have been shown to be effective must be shared with industry in the developing world. Such exchanges should be one of the foundations of an international system of industry self-management and self-regulation. For Asia Pacific, with its mix of economies and experiences, this would be a natural step to take.
Mutual recognition through bilateral agreements and MoUs can give more binding power to loose arrangements; but for mutual recognition to be workable, specific anti-spam laws need to be enacted. Monitoring compliance is important, and regional organisations such as OECD, APEC and the European Union, as well as individual governments and civil society, must be willing to “name and shame” nations that persist as major generators of spam.
Limited impact of anti-spam technical solutions
Technical solutions to spam are having only a limited impact. Client and server filtering software is available for incoming mail, and these filters identify and reject spam quite effectively. Large ISPs filter email as it travels across their networks. But spammers have responded by devising methods to fool the filters, and economics is on the side of spammers, who can easily and cheaply send more and more spam in the knowledge that some will get through. Filters are not perfect and often reject legitimate email along with unwanted spam. User surveys indicate that most people believe filters prevent some of the email they send from being delivered, and some email sent to them from being received. Filters also tend to be a defensive measure as they do nothing to stop spam at its source.
IETF, the Internet’s main standards-making body, has been discussing spam for some years and recently began work on a solution to counter spam by authenticating that the email is being sent from a real email address. The measure will prevent a common spamming technique called spoofing that fakes an email header to make it look as though the message comes from a legitimate sender. Preventing spoofing will only eliminate a small proportion of spam, but it will prevent the increasingly common online fraud known as phishing. Microsoft and Yahoo are also developing email authentication systems to prevent address spoofing.
With so much spam now being sent by hijacked zombie PCs, more must be done to ensure security throughout the network. The vulnerability of the Microsoft Windows operating system to viruses is a significant problem, and one that will not be fixed until the next major release of Windows sometime in 2006. Furthermore, Microsoft has stopped providing security updates for older versions of its operating systems, many of which are still used, particularly in developing nations. It has also stopped providing security patches for pirated copies of Windows; and while it makes perfect business sense not to endorse theft, this does mean unsafe computers are widely present on the Internet. Operating systems based on free and open source software (FOSS), which are more secure, as well as cheaper, are being promoted by governments and others in the Asia-Pacific region.