[clug] LONG - Anti Spam Laws (Spam Act 2003) - a simple outline.

Sun Jun 27 02:32:11 GMT 2004

Hi All.

I am willing to give a presentation about the state of the Australian
Anti-Spam laws to a CLUG meeting, so that there is some awareness of the
laws that are in force. Unfortunately I will be otherwise occupied on
22/07/2004 which is the next CLUG so August CLUG is the earliest I will
be available. In the meantime please email me if you have questions
about the laws and enforcement.

Unfortunately for those of you who disagree with the laws, the laws stand.
At this time your or mine opinion as to what is reasonable or sensible matters
very little. I did not make the laws, so don't flame me.

Here is a synopsis. Net that this is my opinion and understanding. Seek
own legal advice as I may well be incorrect.

The Anti-Spam laws are in force as of 10 April 2004. The bill has
been passed, amended, regulations issued and is now is force. You can get 
a copy of it on-line from the various law libraries type places. Just look
for the "consolidated" version - that will have all the amendments and 
regulations. At this time the law pertains to all Australian Citizens and 
companies, as well as to foreign entities that have physical presence in 
Australia and send messages to Australian subjects. 

The Act is the result of the surveys that were done in 2002 and early
2003 that found that about 15% of world's spam originated in Australia,
was sent by Australians or was commissioned by Australians. So the
government reacted and the act was passed. In my opinion it is a sanely
written law (with the exception of implied consent bit) but more about
that later.

Here is a brief outline of what I understand that the law is:

1. Commercial message as defined is any message that advertises or
solicits goods and services for commercial gain.

2. Electronic message is defined as ANY electronic message sent via a
telecommunications network other than voice. Faxes are at this time
placed outside of the scope of the Act by ministerial regulation. 
This means that ALL:
 * emails
 * SMS
 * MMS
 * Instant Messages (yahoo, jabber, MSN, IRC, etc)

that carry commercial content (see 1 above) are commercial electronic
messages for the purpose of the law.

Note: yes we get SMS and MMS Spam in this country.

3. What is required under the law:

A commercial electronic message must have the following in the body of
the message (the law does not take headers of the message into account
at all):

a) Clear identification of the sender or person who commissioned the
message
b) Clearly marked and functional un-subscribe facility

c) there must be explicit or inferred consent for the
message to be sent to the recipient.

Lack of any of the above makes the message illegal and constitutes breach
of the act.

4. Clear identification

Your name, logo, ABN number or any other way is which you can be
uniquely identified must be clearly displayed in the body of the
message.

5. Un-subscribe facility

It must be clearly marked as such and 

a) honour all un-subscribe messages within 5 business days if sending (in case of
electronic message) or 5 business days of receipt in case of fax, post or
hand delivery.

b) must function for 28 days form the day the commercial message was
sent.

6. Consent

There must be consent for the message to be sent. Consent can be:

Expressed. Simple - you gave permission for the message to be sent to
you. Abuse of pre-ticked boxes in forms is something to watch out for.

Implied/inferred. This issue gets murky, but the general advice is
that:

a) if you have a prior business relationship with the recipient you
can send messages. You cannot however on-sell the address to someone
else without expressed consent to do so. 

b) if you conspicuously published your address you can be sent commercial messages relating to your business and/or function in the organisation, but not
others (e.g. a blacksmith advertises his email address in yellow pages.
People can email him about his products, or offer sales of coal and iron,
but not sale of computers or fabrics). Note: This issue gets more ugly and murky.

Note: You CAN put "no commercial messaged" next to your email address on your web page and thus pre-empt removal of inferred consent right then and there. any spam you get is then illegal.

Consent can be withdraw at any time. Once that happens both explicit
and implied consent go away and explicit consent must be obtained. 

Note: messages sent to non-existent addresses (ala dictionary attacks
are specifically mentioned in the act) are in breach of the Act. One
can not obtain or infer consent for a non existent address.

7. Address harvesting bots:

The Act makes if illegal to produce, sell or use address harvesting
software. 
The Act makes it illegal to buy or use address harvesting software
The Act makes it illegal to buy or use address lists that are produced
by address harvesting software.

8. Penalties

All of the breaches of the act are subject to civil penalties, and they
can be/are nasty in nature.
In cases where legislation provides an out, the Act places the burden
of proof on the accused. 

Best regards
Tomasz Ciolek
-- 
Tomasz M. Ciolek	
*******************************************************************************
 tmc at dreamcraft dot com dot au 
*******************************************************************************
   GPG Key ID:		0x41C4C2F0
   GPG Key Fingerprint: 3883 B308 8256 2246 D3ED  A1FF 3A1D 0EAD 41C4 C2F0
   Key available on www.pgp.net	
*******************************************************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.samba.org/archive/linux/attachments/20040627/e7054ddb/attachment.bin