Spam and E-Security Bruce Matthews Manager, Anti-Spam Team International Training Program 11 September 2006
Chronology – Spam & the Australian Government 2002 – Australian Government commences review into problems caused by spam, and potential solutions April 2003 – Report delivered. Recommended five part strategy, including enactment of legislation December 2003 – Legislation enacted - Spam Act 2003 April 2004 – Act becomes enforceable June 2006 – Report into 2-year review of Act delivered. – No changes to Act recommended.
Five-Part Strategy 1.Strong enforcement of the Spam Act Education and awareness activities 3.Industry measures 4.Developing technological solutions and spam- monitoring processes, and 5.Working internationally to combat spam
Anti-Spam Team Bruce Matthews Manager Investigations & Enforcement (2 officers) Technological & Industry Initiatives (3 officers) Complaints & International (2 officers)
1. Legislation – Spam Act 2003 Regulates ‘commercial’ electronic messages only – advertising, promotional, marketing messages – ‘phishing’, Nigerian scams – viruses or harassment messages (if no commercial component) are not regulated by the Act ‘Technology neutral’ – Covers s, SMS, MMS, instant messaging – Voice calls and fax currently excluded
1. Legislation – Spam Act 2003 All commercial electronic messages require: 1. The consent of the recipient; 2. Accurate sender information; and 3. An unsubscribe facility. PLUS: Address harvesting software and lists prohibited.
1. Legislation – Spam Act 2003 “Opt-in” regime – therefore need consent of recipient before sending – Differs from US and other jurisdictions, which are opt-out Spam Act recently reviewed – June 2006 – Act effective against spammers in Australia – Balances interests of consumers & businesses in legitimate e-marketing – No changes to legislation therefore recommended
1. ACMA Enforcement of Legislation Under the Spam Act 2003, ACMA is empowered to: receive complaints about spam (over 2,000 each year); impose and enforce penalties; search premises and seize equipment where the Act is breached; and prosecute offenders in the Federal Court.
1. ACMA Enforcement of Legislation Complaint Trends
1. ACMA Enforcement of Legislation Complaint Trends - SMS Formal complaints are increasingly about SMS spam Act is ‘technology neutral’ but written for SMS messages have 160 character limit: – No meaningful information about consent can be provided – ‘Sender’ is often altered – Unsubscribe facility often omitted Mobile premium services now account for over 60% of SMS complaints
1.ACMA Enforcement of Legislation Complaints Process Complaint Received No Action Possible – Eg. Outside of Act Scope First / Minor Complaints about Sender Educational Contact with Company Multiple / Serious Complaints received about sender Complaints team commences formal action Refer to Investigations Team
1.ACMA Enforcement of Legislation Enforcement Actions Over 900 companies/individuals directed to comply with the Spam Act– including formal warnings to 11 companies/individuals Enforceable undertakings accepted from 6 companies/ individuals Fines issued to 5 companies/individuals One successful prosecution in the Federal Court
2. Education and awareness ACMA aims to increase awareness of spam legislation among consumers & the business & internet industries, by: – providing consumers and businesses with information on how to reduce the amount of spam they receive; – informing businesses that send commercial electronic messages about the requirements the Act places on them, and providing information on how they can avoid sending spam; and – informing internet service providers (ISPs) about their obligations under the Act.
3. Industry liaison A cooperative approach is vital to combating spam. ACMA is working in partnership with industry bodies in the following ways: – The e-marketing industry developed a Code of Practice that ACMA registered in March – The internet industry developed the Internet Industry Spam Code of Practice. It came into effect 16 July Both Codes are available on the ACMA website.
3. Industry liaison E-Marketing Code of Practice Developed by marketing and advertising industry bodies Provides: – specific guidance to the e-marketing industry on compliance with the Act – alternative complaint handling mechanisms – best practice guidelines for e-marketing Code is strongly supported by the e-marketing industry, currently with 49 signatories
3. Industry liaison Internet Industry Spam Code of Practice Internet Industry Spam Code of Practice December 2005 (the Spam Code) The Spam Code came into effect on the 16 July 2006 Applies to all ISPs and Service Providers (ESPs) including international ISPs and ESPs – international ESPs treat reports from Australian consumer no less favourably than reports from end users in the country where the ESP is located
3. Industry liaison Internet Industry Spam Code of Practice Among other things, the Spam Code requires ISPs/ESPs to: – Have a reasonably prominent link on their home page to a spam information page, which must contain information prescribed by the code – Provide to ACMA 24 hour contacts for spam issues. Currently 33 ISPs have supplied details covering over 90% of Australian end users. There is an example of an ‘Acceptable User Policy’ statement contained in code
4. Technological solutions & monitoring Working in partnership with industry and other government bodies. ACMA is pursuing the development of effective technological solutions and security measures to reduce spam, as well as monitoring national and global patterns of spamming activity. The SpamMATTERS system is a key part of this activity.
4. Technological solutions & monitoring - SpamMATTERS SpamMATTERS (SM) is a reporting and forensic analysis system developed to help fight spam The reporting element of SM can be downloaded from the ACMA website as a ‘plug-in’ to either Microsoft Outlook or Microsoft Outlook Express The plug-ins are free and designed to enable users to easily report spam to the ACMA SM can simultaneously delete spam & report it to ACMA These reports enable ACMA to take enforcement action against Australian spammers and advise overseas countries of spammers operating in their jurisdiction
4. Technological solutions & monitoring - SpamMATTERS SpamMATTERS currently has over 100,000 submitters ACMA has received around 8 million spam s from submitters since the launch on 30 May 2006 SpamMATTERS has sorted the spam received into around 1200 discrete campaigns. Spam is trending away from porn to phishing and fraud type s. Phishing s are becoming increasingly common and sophisticated.
5. International cooperation The Australian government is at the forefront of establishing and strengthening spam-reduction arrangements with other countries. Major ACMA international cooperative arrangements include: – Seoul-Melbourne Spam MoU – London Action Plan – Significant engagement with APEC-TEL and ITU
5. International cooperation Seoul-Melbourne Spam MoU Cooperation in anti-spam regulatory frameworks and policies, technical and educational solutions, enforcement support, intelligence exchange, and industry collaboration. 12 member organisations from 10 economies, all of which are government and/or agencies with government-related functions. Members are from Asian and Australasian countries ACMA chairs and provides secretariat support
5. International cooperation London Action Plan (LAP) Focus is: effective enforcement, law enforcement developments, effective investigative techniques and enforcement strategies, obstacles to effective enforcement, joint consumer and business education projects, joint training sessions, and private sector initiatives and collaboration. 61 members, including government, industry associations and suppliers. Members are in Europe, America, and Asia.
E-Security Spam s are increasingly for malicious purposes, such as e-security compromises Compromised computers are also the source of a high proportion of spam ACMA accordingly takes an active role in spam- related e-security issues ACMA has also developed a software package to reduce the amount of compromised computers operating on Australian networks
E-Security Australian Internet Security Initiative (AISI) The AISI is a database to collect information on compromised computers. Compares IP address of compromised computer to a list of IP addresses of Australian ISPs Advises relevant ISP with a compromised computer on their network of the IP address, for ISP to inform customer and liaise with customer to fix ISP can disconnect customer but to ACMA’s knowledge this has not happened to date.
E-Security Australian Internet Security Initiative (AISI) AISI has been tested with 6 ISPs to date. Trial has demonstrated how effective the AISI is, with all trialling ISPs wishing to continue with the AISI Extension of trial of ISI is expected in October 2006, in conjunction with DCITA – around 35 ISPs to participate ACMA will be contacting ISPs before October to ask them to participate
Anti-Spam Team Current Issues Major investigation of spammer initiated through information provided by overseas regulator ‘Missed call’ marketing practices SMS spam - particularly mobile premium services and interaction with Spam Act Incorporation of SpamMATTERS data into AST processes