Presentation Nairobi 9 September 2013. Joint workshop on spam(law) of African Telecommunication Union and the Internet Society
- 1. Spam legislation in the Netherlands: the law, results, approach and lessons learned Wout de Natris De Natris Consult Joint ATU ISOC meeting on combatting spam Nairobi, Monday 9 September 2013
- 2. Introduction 1. Consultant at De Natris Consult 2. Member of London Action Plan 3. Asked to represent the Dutch Ministry of Economic Affairs (and LAP) 4. Background in spam enforcement, national and international cooperation spam and cyber crime at OPTA 2
- 3. An overview 1. Dutch anti-spam law 2004 2. Approach by OPTA 3. Results 4. Lessons learned 5. Advanced Cyber DefenceCentre (ACDC) 3
- 4. The law 2004, Art. 11.7,1 Telecommunications Act (Tw) 1. The use of automatic calling systems without human intervention, faxes and electronic messages for transmitting unrequested communication to subscribers for commercial, idealistic or charitable purposes will only be permitted if the sender can demonstrate that the subscriber concerned has given prior consent for this, notwithstanding that laid down in paragraph 2. 4
- 5. The law 2004, Art. 11.7,2 2. Any party who has received electronic contact information for electronic messages as part of the sales of his product or service may use this information for transmitting communication for commercial, idealistic or charitable purposes in relation to his own similar products or services, provided that with the obtaining of the contact data the customer is explicitly given the opportunity to submit an objection in a straightforward manner and free of charge against the use of his electronic contact information and, if the customer has not taken up this opportunity, he is offered the opportunity with each communication transmitted to submit an objection against the further use of his electronic contact information under the same conditions. Article 41, paragraph 2, of the Personal Data Protection Act is applicable mutatis mutandis. 5
- 6. The law 2004, Art. 11.7,3 3. The following information should be stated at all times when using electronic messages for the purposes as referred to in paragraph 1: a. the actual identity of the party on whose behalf the call is being made, and b. a valid postal address or number to which a recipient may direct a request to stop such communications. 6
- 7. The law 2004, Art. 11.7,4 4. The use of means other than those referred to in paragraph 1 for transmitting unrequested communication for commercial, idealistic or charitable purposes to subscribers is permitted unless the subscriber concerned has stated that he does not wish to receive communications by such means and if the subscriber is offered the opportunity with each communication transmitted to submit an objection against the further use of his electronic contact information. In that case, the subscriber will not be charged for the facility that prevents such unrequested communications being made to him. 7
- 8. The law 2004, Art. 11.8 The application of Article (…) 11.7 shall be limited to subscribers who are natural persons. 8
- 9. The law 2004 Basically one article, 11.7Tw on spam (One article on malware 4.1 BUDE (Decision Universal Service End users)) Tw empowers OPTA (Independent Post and Telecommunications Authority), now ACM OPTA already has many enforcement powers and they all applied to spam! 9
- 10. The law specified Automated calls, faxes and electronic messages Subscribers Without prior consent Opt-in regime Commercial, idealistic and charitable Natural persons 10
- 11. The law specified interlude There is no definition of spam in the law. It’s on unsolicited electronic communications Whether by fax, computer, device or phone So, much broader than “spam” 11
- 12. The law specified, 2 The exception: Existing customer “as part of a sale” Similar products His own products Explicitly asked for consent Easy and free to stop the mailing Opportunity to object with each mailing 12
- 13. The law specified, 3 An electronic message must contain: A valid postal address or number to which a recipient may direct a request to stop such communications I.e. it is forbidden to send anonymous messages and/or use spoofed headers Separate violation from just sending 13
- 14. The law specified, 3: beyond 11.7 Tw All powers invested in OPTA as post and telecommunications regulator were in place for spam fighting Administrative coercion to enforce the obligations Allowed to prevent to provide services (Periodic penalty) fines 14
- 15. The law specified, 4 is authorised to seal off business premises and objects ; Authorised to enter business premises; private homes only with consent Seize or copy information OPTA is authorised to demand information from anyone at any time (18.7) General Administrative Act Law OPTA law: allowed to share data 15
- 16. The law specified, 5 Conclusions in general: Concise Effective Successful 16
- 17. The law specified, 6 Conclusions: One, comprehensive, article is enough to start Attribute one organisation Right to enquire information from every one Fine, stop, disrupt and seize where necessary Right to visit (International) cooperation 17
- 18. OPTA’s approach Asked for a budget € 300.000,= for 2004 8 people for 50% of their time Complaint system opened on day 1 Two hired, temporary forensic experts First forensic gear bought Active in international cooperation Active in national cooperation 18
- 19. Results 85% of identifiable Dutch language spam was gone in 6 months First fines given after 6 months Fraud cases involving Premium Rate Service Numbers dissappeared within first year However: It did nothing for international spammers ISP filters tackle these Country cooperation should too 19
- 20. Case examples Straight commercial e-mails Fraud in combination with newspaper print SMS spam in combination with PRS numbers War drive Lottery scam/autodialers Fax-to-e-mail spam Cross border cases Malware spreading Hosting of spammers 20
- 21. 2013, lessons learned Costumer/subscriber is not enough Include legal persons Six months for two cases was not enough time Cases involve fraud and crimes, up to serious organised crime Tw was unclear on attribution 21
- 22. 2013, lessons learned, 2 Territoriality is a major problem Three major cases rejected in court Should ACM be able to deal with the content of messages? Internet fraud and police do not match Spam law no longer effective for NL? 22
- 23. 2013, lessons learned, 3 But, First successes remain Dutch spam was halted Many frauds were stopped 23
- 24. 2013 My advice to you Start simple and concise Work from there Celebrate early successes and build on them 24
- 25. 2013 My advice to you, 2 On a model law Define what you think spam is Define a “spammer” attribution Protect companies as well Give all reasonable enforcement and inquiry powers needed Allow cooperation/data exchange 25
- 26. ACDC Advanced Cyber Defence Centre EU co-funded botnet mitigation program Open to all How could your country profit? www.botfree.eu 26
- 27. Conclusion Spam law works Law and enforcement tools need to be in balance Effective enforcement does not come at highest cost Find out about cooperation and training Be ambitious 27
- 28. Art. 4.1 BUDE Section 4.1 of the Decision universal service and endusersinterests (Bude) i.e. implementation of art. 5, section 3 of Directive 2002/58/EC (Directive on privacy and electronic communications) Section 4.1 Bude prohibits storage of communications without prior consent: OPTA authorized 28
- 29. De Natris Consult National and international cooperation Reach out officer for ACDC botnet program Internet governance Blogger Today represents the Dutch government Ex enforcement officer spam at OPTA (ACM) 29
- 30. More information De Natris Consult Wout de Natris denatrisconsult@hotmail.nl +31 64838 8813 http://woutdenatris.wordpress.com www.circleid.com 30