The new Hong Kong antispam law

Well, it has been quite a while since first OFTA (in 2004) and then CITB (in 2006) issued requests for public comment about a proposed UEM (Unsolicited Electronic Messaging) bill to be introduced in Hong Kong. We sent in our responses to both these agencies: OFTA and CITB.

Our responses to OFTA and CITB were endorsed and supported by other key industry players, such as various Hong Kong based chambers of commerce, that graciously agreed to submit Outblaze’s response to OFTA and CITB as endorsed by them, and as their joint response with us to the requests for public comment.

The bill is becoming law now – and most of it looks good.

  • Emphasis on a “Hong Kong link” for spam that is covered under the law, modeled on the excellent Australian Spam Act of 2003.
  • Prohibition of header forgery, email harvesting and other “illegal” methods to gather addresses and send out spam
  • Making the person or organization that commissioned a spam liable, along with the actual sender of the spam, for any violations of the law
  • Mandatory Do Not Call list for unsolicited telephone and fax marketing

There’s one major fly in the ointment though – the act tries to treat email on an equal footing with telephone and fax related regulations, and also takes into consideration the interests of businesses over those of consumers – and thus adopts a “business friendly” opt-out approach.

Put in blunt language, marketers are now given a blanket license to send unsolicited bulk email. “I can keep sending unsolicited bulk email to you, as long as I don’t use illegal methods such as abusing open relays or forging headers. And I can keep emailing my marketing pitches to you till you beg me to stop”.

The trouble is, such an approach puts a needless burden on the consumer – the owner of the email address that’s at the receiving end of all these solicitations. He never asked for, most probably never even wanted those emails in the first place, and now he’s getting buried in emails from what seems like every single business in Hong Kong, right from street noodle shops to Fortune 100 companies. He then has to email each and every single marketer and ask him to stop.

It also ignores the economics of spam – that spam is cheap for the spammer. He has very low initial costs, and negligible running costs for starting his unsolicited marketing. At the most basic level, all that he needs is a computer, an internet connection and some bulk mailing software that he can just download off the internet, to start blasting out thousands of spam.

The reason it is so cheap for the spammer is that all the costs are spread among the various recipients of the spam. Kind of like those salami bank frauds where someone tells the bank’s computers to skim off any credits lower than a cent from all the bank’s accounts, and credit it all to a single account. That account tends to fill up very fast, with several thousand quarter cent transactions a day at a busy bank.

Spam’s economics are Salami style as well – an infinitesimal fraction of a cent per spam recipient, but hey, a fraction of a cent here, a fraction of a cent there, pretty soon you’re talking real money, of the sort that puts a noticeable dent in the balance sheet of the ISPs and email providers who have to spend extra money just because over 90% of the email coming into their servers is spam.

They get to spend thousands of dollars at a time on more servers, more bandwidth, more spam filters, more staff, more research to develop newer spam filters. And they then get to spend far, far more than that on customer support, to handle calls and emails from a whole lot of irate people who just want the spam to stop, period, and find that their ISP is far easier to reach out to and yell at than some faceless, [censored] spammer is.

Oh, and the hotel and airfare bills for ISP employees participating in antispam and cybersecurity conferences, such as MAAWG and the WSIS Spam / Cybersecurity thematic meetings. That’s a necessary business expense, believe it or not – you have to reach out to the larger antispam community – other ISPs, governments, NGOs, email and antispam technologists. Everybody has to roll up their sleeves and pitch in, together, to mitigate spam.

I won’t say “solve” spam, because spam’s going to get solved just about when we start to solve (say) the common cold, or cockroaches – I’ll leave “solutions” to spam to hot air vendors intent on selling their products. The word is “mitigation”: doing all that you can do, together, to reduce the huge torrents of spam coming in and keep it at manageable levels.

The OECD put in some excellent work over the last few years to produce an excellent Anti Spam Toolkit that describes how governments, industry and civil society can work together to mitigate spam, using a combination of legislation and regulation, technical solutions, international cooperation and outreach.

The Hong Kong government has definitely kept these precepts in mind when drafting its antispam law – it is an active participant in several international initiatives on spam and cybersecurity, such as the Seoul Melbourne Agreement, and the excellent work on malware currently ongoing as a joint effort of the OECD and APECTEL’s Security and Prosperity Steering Group (SPSG).

The Hong Kong antispam law recognizes its limitations, and concentrates on spam with a Hong Kong link, and steers clear of the temptation to enact unenforceable “long arm” legislation. And at the same time, Hong Kong actively participates in international efforts to mitigate spam and cybercrime, so that they can count upon the support of law enforcement from other countries with laws that prohibit spam and cybercrime, in order to deal with cases that require cross border enforcement cooperation.

There is probably a whole lot more that we could say, but I rather suspect that we’ve already said it in our responses to OFTA and CITB. So, I’ll stop right here and just wish OFTA all the best in their efforts to enforce this new law.