Featuring fresh takes and real-time analysis from HuffPost's signature lineup of contributors
Michael Geist


Should Anti-Spam Laws Come With Opt-In Consent?

Posted: 02/08/2013 11:36 am

For the past two days I've called attention to the shocking demands by business groups, including the Canadian Chamber of Commerce, the Canadian Marketing Association, and the Entertainment Software Association of Canada, to legalize spyware by permitting the secret installation of computer programs to monitor activities of Canadians suspected a potential contravention of the law (including laws such as copyright or any foreign law) or unauthorized use of a computer system (including wireless networks).

The Canadian Chamber of Commerce added its own submission to the government's consultation on the anti-spam regulations. The Chamber's key concern is the very foundation of the law: opt-in consent that requires businesses to obtain consent before sending commercial electronic messages (subject to a wide range of exceptions). The Chamber says:

Despite the enduring need to combat nuisance messages and malware, the multitude of compliance problems introduced through the "opt-in" approach to regulating commercial electronic messages and software needs further scrutiny.

The business lobby group therefore argues that opt-in should be dropped for business-to-business email altogether, that the government hold another round of consultations (thereby further delaying the law), and that the law be delayed for at least a year after the final regulations are published.

The opposition to the opt-in approach permeates throughout the organization, its affiliates, and members. For example, earlier this week the Niagara Falls Chamber of Commerce reacted to concern from a member about the spyware provisions by pointing to the law's opt-in requirements and asked "you don't think obligating business to get consent prior to sending a CEM is wrong"? (the complainant said no). Similarly, Graham Henderson, the CEO of CRIA/Music Canada, a Chamber supporter, claims that the law will pose an "immense threat to independent labels and young bands."

Despite these persistent claims that the opt-in approach found in the anti-spam law will greatly harm business (or apparently young music bands), the reality is that opt-in is the standard in most major developed countries. For example, the Australian anti-spam law is based on an opt-in express consent model, with exceptions for opt-out consent based on an existing business relationship or a published email address (Canada has the same exceptions). As for the oft-repeated concerns that this will prevent cold calling via email, Australia has had this prohibition in place for nearly five years (along with a more restrictive third party referral system).

Similarly, Japan switched from an opt-out system to opt-in in 2009, after it found that the opt-out system simply doesn't work. The Japanese system is described as follows:

The legislation is clear: Full auditable and trackable permission to receive email marketing messages must be received prior to any send. Even though there is a clause that states that for-profit entities who publicly announce their own email addresses or who have a preexisting business relationship with the sender can receive commercial email, there is still a requirement for an affirmative act prior to receipt.

The European Union has had an opt-in consent model for a decade. It describes its own system as:

Article 13(1) of the Privacy and Electronic Communications Directive requires Member States to prohibit the sending of unsolicited commercial communications by fax or e-mail or other electronic messaging systems such as SMS and MMS unless the prior consent of the addressee has been obtained (opt-in system).

This requirement has been implemented throughout Europe. For example, the Privacy and Electronic Communications (EC Directive) Regulations 2003 in the United Kingdom provides the following on the use of electronic mail for direct marketing purposes:

Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where--
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b)the direct marketing is in respect of that person's similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

In other words, Canada is not an outlier in adopting an opt-in model. The only major trading partner with an opt-out model is the United States, whose CAN-Spam Act is widely regarded as a failure. While there are variations in the specifics between countries, the opt-in approach has been implemented around the world without email marketing grinding to a halt. As noted yesterday, the comment period on the draft regulations may have closed, but it is not too late to tell Industry Minister Christian Paradis or your local Member of Parliament to reject demands from groups like the Canadian Chamber of Commerce that would gut the anti-spam bill.

Loading Slideshow...
  • Clickjacking

    Clickjackers on Facebook entice users to copy and paste text into their browser bar by posting too-good-to-be-true offers and eye-catching headlines. Once the user infects his own computer with the malicious code, the clickjackers can take control of his account, spam his friends and further spread their scam. For example, clickjacking schemes hit Facebook soon after bin Laden's death and spread like wildfire by purporting to offer users a glimpse at <a href="http://www.huffingtonpost.com/2011/05/04/bin-laden-death-video-hoax_n_857730.html" target="_hplink">video or photos of bin Laden's death</a>.

  • Fake Polls Or Questionnaires

    If you click on an ad or a link that takes you to questionnaire on a site outside Facebook, it's best to close the page. When you complete a fake quiz, you help a scammer earn commission. Sometimes the quiz may ask you to enter your mobile number before you can view your results. If the scammers get your number, they could run up charges on your account.

  • Phishing Schemes

    Phishers go after your credentials (username, password and sometimes more), then take over your profile, and may attempt to gain access to your other online accounts. Phishing schemes can be difficult to spot, especially if the scammers have set up a page that resembles Facebook's login portal.

  • Phony Email Or Message

    <a href="http://www.facebook.com/help/?page=1187" target="_hplink">Facebook warns</a> users to be on the lookout for emails or messages from scammers masquerading as "The Facebook Team" or "Facebook." These messages often suggest "urgent action" and may ask the user to update his account. They frequently contain links to malware sites or virus-ridden attachments. They may even ask for your username and password. The best advice Facebook offers is to report the sender and delete the messages without clicking anything.

  • Money Transfer Scam

    If a friend sent you a desperate-sounding Facebook chat message or wall post asking for an emergency money transfer, you'd want to help, right? Naturally. That's what makes this scam so awful. The point is to get you to wire money to scammers via Western Union or another transfer service.

  • Fake Friend Request

    Not all <a href="http://www.huffingtonpost.com/2011/02/10/facebook-friend-request-spam_n_821584.html?page=1" target="_hplink">friend requests</a> come from real people, despite Facebook's safeguards against bots. Some Facebook accounts exist purely to establish broad connections for spamming or extracting personal data from users, so watch out whose friend requests you accept.

  • Fake Page Spam

    Malicious pages, groups or event invitations aim to trick the user into performing actions that Facebook considers "abusive." For instance, a fake invite might offer a prize if you forward it to all your friends or post spammy content on their walls. Sometimes a scammer will set up fake pages as a front for a clickjacking or phishing scheme.

  • Rogue Apps

    Malicious apps are pretty common on Facebook these days. They can be a cover for phishing, malware, clickjacking or money transfer schemes. Oftentimes, the apps look convincingly real enough for users to click "Allow," as they would do with a normal Facebook app. However, rogue apps use this permission to spread spam through your network of friends. For example, the recent "<a href="http://www.huffingtonpost.com/2011/04/08/facebook-closing-accounts-scam-app_n_846737.html" target="_hplink">Facebook Shutdown</a>" scam spread by claiming that Facebook would delete all inactive accounts except those that confirmed via app installation.

  • The Koobface Worm

    The <a href="http://en.wikipedia.org/wiki/Koobface" target="_hplink">Koobface worm</a> is getting on in years (it first appeared in late 2008) and has been mostly scrubbed from the site, but Facebook still warns users to look out for it. Koobface spreads across social networks like Facebook via posts containing a link that claims to be an Adobe Flash Player update. Really, the link downloads malware that will infect your computer, hijack your Facebook profile and spam all your friends with its malicious download link. This worm affects mostly Windows users.


Follow Michael Geist on Twitter: www.twitter.com/mgeist