Spam - GOV.GG

BAILIWICK OF GUERNSEY
DATA PROTECTION
DEALING WITH SPAM
Spam
These pages are intended to provide individuals with general
information about spam, and advice about the steps they can
take to help prevent or help reduce the spam they receive.
The Data Protection Commissioner is responsible for enforcing
the Implementation of Privacy and Electronic Communications
(Guernsey) Ordinance, 2004 (the Regulations). There are similar
regulations in the United Kingdom. The new Regulations
prohibit the sending of unsolicited commercial email or SMS
messages without consent. (See page 10).
The problem of spam cannot, however, be addressed by
regulation alone. Given the volume of spam in circulation (most
of which originates from outside the Bailiwick and the UK) it
would be impossible for the Data Protection Commissioner’s
Office to investigate each and every instance of spam being
received. However, if spam should originate in the Bailiwick, the
Commissioner will investigate. The problem can only be
properly addressed through international action.
Further information can be provided through links to a number
of related websites on the UK Information Commissioner’s
website, www.ico.gov.uk.
August 2007
1
WHAT IS SPAM?
In simple terms, spam is e-mail that you don’t want and, more
importantly, don’t ask for. Some of it promotes ideologies,
beliefs and even humour. Most spam is simply trying to sell
often dubious products although it may also carry dangerous
computer viruses. Unsolicited communications aren’t unique to
the Internet. Most of us regularly receive junk mail and
telephone calls. The difference with the Internet is in terms of
volume. Many Internet users now receive more spam emails
than useful emails, with the result that email is being diminished
as a fast, effective communication tool.
If you are unsure about some of the terms used regarding spam,
have a look through the Glossary of Spam terms on our website,
www.gov.gg/dataprotection.
Why is spam so prevalent on the Internet?
The main difference between posted junk mail and spam is that
the sender pays relatively little for their communication. The
majority of the cost in a spam campaign is borne by the
recipient. If the spammer had to pay the cost of a stamp, they
would have to account for the aggregated stamp cost in each sale
and therefore their entire business model would change. The
company sending the spam would have to target their product at
people who might have a genuine interest in purchase. At the
very least, they would have to direct their adverts
geographically. The effect would be to filter spam, resulting in
an overall reduction in the volume of spam, and the remainder
would at least be somewhat relevant.
Problems caused by the growth of Spam
Why is Spam so bad?
From a user’s perspective, it’s wasteful of their time and
resources. It takes time to filter through e-mails that are
mixed with spam, making you less productive. For most
Internet users, the added time it takes to download the spam
equates to cost. There is also the risk that you might
overlook or even delete an important email. Parents face
the dilemma that the Internet as a whole is a wonderful
educational tool but that spam often carries inappropriate
content that is difficult to control.
As society moves towards the information revolution, spam
poses a number of problems. The concept of a digital
divide, where parts of society become excluded from
information technology, is being exacerbated by
spam. Studies show that cost is a major factor in
determining Internet usage and adoption. The fact that the
recipient pays the cost for downloading spam and that many
internet users use pay-per-minute internet services means
that spam is likely to impinge on their use of the internet.
Finally, spam is a waste of the Internet’s resources. Nearly
half of all messages today are spam which means that
double the capacity is needed on the mail servers and the
circuits. Ultimately, this cost is passed on to the consumer.
Help prevent Spam
Be careful who you give your e-mail address to
Only give your email address or mobile number to those
individuals and organisations that you want to communicate
with and that you trust to keep your information private.
Consider using two or more email addresses.
Use one for personal and business email and one for use with
systems that might result in spam. This can reduce the burden of
sifting through emails to find the relevant ones. Many ISPs
allow customers to have multiple email addresses and mail
aliases as part of their standard package. Many other companies
offer free email addresses. To keep spam to a minimum, opt out
of any white pages style directories and try to choose an email
address that is difficult to guess.
Choose a less vulnerable email address.
Spammers get people’s email addresses in many different ways.
Often, they simply search the web, chat rooms or contact
directories. Sometimes they buy lists of email addresses from
sites that are willing to sell their own customers’ details to
spammers. When all else fails, they simply “guess”.
An email address is a unique reference to a person and as such
people want it to not only reflect their persona, but also be
memorable.
Unfortunately, these justifiable desires aid the spammer in
attempting to “guess” email addresses. For example, if your
name is John Smith, a spammer will try john.smith@...,
j.smith@..., jsmith@..., smithj@..., smith.j@... and so on.
Spammers have access to software packages that do the
“guessing” for them automatically. They can “guess” thousands
every minute. The system works by using dictionaries. A
dictionary, in this instance, is simply a list of words that people
frequently use in email addresses. Typically, the dictionary will
contain:
• Forenames
• Surnames
• Initials
• Nicknames
• Pet names
• Brand names
• Star signs
• Months of the Year
• Days of the Week
• Place Names
• Car Makes and Models
• Media & Culture derived terms
• Sporting Terms
The spammers’ systems simply take every dictionary entry and
try it in various combinations with every other dictionary entry.
What’s more, they will also introduce letters and numbers into
the combinations because people might use birthdates, ages or
even lucky numbers in their email addresses.
If you are willing to use an impersonal email address to attempt
to reduce the problem of spam, use an address that does not have
any potential dictionary entries in it.
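The advice above can be checked mechanically. The following is an added example, not part of the original booklet: it tests a proposed address against the five name patterns listed for John Smith and against a small dictionary. The dictionary words, the function names and the example.org addresses are constructed assumptions.

```python
import re

# Constructed sample dictionary: a few entries for some of the categories the
# booklet lists. The words are illustrative assumptions; real lists are larger.
# "Initials" are covered by the name patterns below, not by substring search.
SAMPLE_DICTIONARY = {
    "forename": ["john", "mary"],
    "surname": ["smith", "jones"],
    "pet name": ["rex", "fido"],
    "star sign": ["leo", "gemini"],
    "month": ["june", "august"],
    "day": ["friday", "sunday"],
    "place name": ["guernsey", "london"],
    "car make": ["ford", "volvo"],
}


def name_patterns(forename, surname):
    """Return the five local-part patterns the booklet lists for a name."""
    f, s = forename.lower(), surname.lower()
    return {f"{f}.{s}", f"{f[0]}.{s}", f"{f[0]}{s}", f"{s}{f[0]}", f"{s}.{f[0]}"}


def guessability(address, forename, surname, dictionary=SAMPLE_DICTIONARY):
    """List the reasons an address is easy to guess; empty list means none found."""
    local = address.split("@", 1)[0].lower()
    # Digits are removed first because the guessing software also tries
    # birthdates, ages and lucky numbers appended to each combination.
    stripped = re.sub(r"\d+", "", local)
    findings = []
    if stripped in name_patterns(forename, surname):
        findings.append("name-pattern")
    for category, words in dictionary.items():
        for word in words:
            if word in stripped:
                findings.append(f"{category}:{word}")
    return findings


if __name__ == "__main__":
    for candidate in ("john.smith1975@example.org", "qx7vk2tz9p@example.org"):
        print(candidate, guessability(candidate, "John", "Smith"))
```

An empty result only means that none of the sample entries matched; a larger dictionary may still contain part of the address.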
Don’t advertise your email address.
Don’t advertise your address on search engines, contact
directories, membership directories or web pages.
If you use chat systems, never expose your email address on the
listing or directory and never disclose it to anyone other than
friends.
Check Privacy Statements and Marketing Opt-Outs Carefully.
If you are purchasing a product on-line or subscribing to a
service, check the company’s privacy statement before giving
your email address, mobile phone number or any other private
information. Consider carefully how the company uses private
information and the restrictions they may have regarding
distribution and use of private information within their own
company and with other external companies.
Help reduce spam
I already get spam. What can I do about it?
Once you have started to receive spam, it is almost impossible
to stop it completely other than by changing your email address.
We have, however, listed practical steps that you can take to
reduce the proliferation of spam. Web sites such as
http://www.junkbusters.com/junkemail.html and
http://www.getnetwise.org/ also offer practical advice, although some
of the advice is specific to US based users.
Consider that in some cases it may not be
appropriate to reply to the spam.
Senders are allowed to send marketing emails until the recipient
chooses to “opt out” (see page 10 of this booklet). You should,
however, bear in mind that most spam email originates from
outside the Bailiwick and the UK and will not, therefore, be
subject to the same regulation. Given that replying to the spam
can tell a spammer that your email address is live, which can
encourage the more unscrupulous senders to send you even more
emails, you should not reply to emails sent from outside the
Bailiwick and the UK unless you are familiar with, and trust, the
sender.
If your email system has an automatic facility to tell
the sender when an email has been delivered or
read, turn it off.
Delivery and read receipts can identify your email address as
active and will result in even more spam.
Don’t click on the adverts in spam emails.
By clicking on spammers’ web pages, you are identifying your
email as a live address and may make yourself a target for even
more email. Graphics and images in spam emails can tell the
spammer not only that you have received the email but also other
private information such as your IP address.
You can report spam.
Reporting and investigating spam incidents is becoming
increasingly complicated as some spammers employ hackers to
cloak their true identity. ISPs are generally diligent in
withdrawing service from spammers when they receive reports
of spam originating on their networks. Unfortunately, by the
time the ISP has withdrawn service, the spammer has often
moved on to another account.
Various bodies including the Data Protection Commissioner also
have powers to investigate some spam incidents. Before you
report an instance of spam to the Commissioner, however, you
should first check that the matter is appropriate to his remit. If
you are satisfied that the matter is appropriate to refer to the
Commissioner and you wish to do so, please do not forward
your unwanted emails to us. You should instead complete the
relevant complaint form which may be obtained from our office
or downloaded from our website, see back of this leaflet for
details.
Use client side filters
Client filters are software programs that work in conjunction
with your email package to sift through new emails, separating
the spam from the wanted emails. Most packages can claim a
high success rate. The main downsides are that they sometimes
block good email as well as spam and the spam still has to be
downloaded before they can do their job. Spam filters are being
further developed all the time. You can search the Internet for a
spam filter that is suitable for you.
Use ISP based filters.
Many ISPs offer solutions that can be very effective at blocking
spam. They use a combination of content examination and
blacklists to restrict the amount of spam reaching the reader. The
main downsides are that they sometimes block good email as
well as spam and there is also usually a cost involved. For
further information on the services that are available to you,
please check with your ISP.
Keep your systems well maintained.
Your computer system should also be maintained. Most
software companies issue product updates and patches that fix
known problems with their software. Hackers and spammers can
exploit these problems. Updates to the manufacturers’ software
are generally available through their web-site and are usually
free to download and install. Most users should also consider
using anti-virus software to protect against rogue virus programs
that can destroy computer files and are increasingly being
exploited by spammers.
Government response
What is the States of Guernsey doing about spam?
In 2004 the Privacy and Electronic Regulations came into
force. In brief, these Regulations mean that marketing email
messages should not be sent to individual (as opposed to
business) subscribers unless either:
• the recipient has previously notified the sender that he
  consents, for the time being, to receiving such
  messages;
or
• the sender can satisfy these three criteria,
  1. recipient's contact details were collected in the
     course of a sale or in negotiations for a sale of a
     product or service;
  2. the marketing is for similar goods or services
     and
  3. the recipient was given the chance to opt-out
     when their contact details were collected and he
     chose not to take it, and he continues to be
     given the chance to opt-out in every subsequent
     marketing message.
Finally, in all marketing messages, regardless of who the
recipient is, the sender must ensure that
• they do not conceal their identity and
• they provide a valid “opt-out” address
You should, however, be aware that these Regulations apply
only to senders of messages based in the Bailiwick and the
UK. Given that the majority of the spam received originates in
other parts of the world, it is clear that the problem of spam
cannot be solved by regulation alone. One of the points raised
by the UK’s All Party Parliamentary Internet Group’s report
on Spam is that national initiatives are unlikely to solve the
problem in isolation. There are, however, steps that you can
take to help prevent spam and help reduce the amount
of spam you receive.
Why Me?
The content of the spam emails often causes embarrassment
and occasionally even distress. However, it is worth
remembering that the sender generally doesn’t target these
emails in any way. The same email can be sent to as many as
50 million people at a time and in a lot of cases the email
addresses are simply guessed.
How did they get my email address?
Various techniques are employed to get email addresses: some
spammers buy lists of email addresses from others, including
reputable companies; others use more covert methods such as
searching websites or abusing facilities in your web-browser;
others simply use specific software to generate or “guess”
email addresses based on dictionaries of common words and
terms. Combinations of first names, surnames, pet names,
initials, months, years, place names and even star signs often
yield valid email addresses for spammers to use. The process
of obtaining email addresses is known as harvesting.
The following publications are available free of charge from
the Data Protection Office:
Guidance Handbooks (A4)
• Notification Exemptions
• Notification Handbook
Advice Booklets (A5)
• Baby Mailing Preference Service (how to stop unwanted mail about
  baby products)
• Be Open … with the way you handle information (obtaining data
  fairly and legally)
• Charities/Not-for-Profit organisations
• CCTV Checklist/CCTV Guidance
• Code of Practice—Criminal Records Check
• Data Controllers (how organisations must process personal data)
• Disclosure of Medical Data to the GMC
• Disclosure to Elected Members
• Exporting Personal Data
• Facebook—How to protect your Privacy
• Financial Institutions
• Health Records—Subject Access
• Your rights under the Law: Guidance for Individuals
• Mailing, telephoning, fax and e-mailing preference services
• Marketing—A guidance for Businesses
• No Credit (how to access, and correct, details held by credit
  reference agencies)
• Notification - a simple guide
• Privacy Statements on Websites
• The Data Protection Law and You (advice for small businesses)
• Respecting the Privacy of Telephone Subscribers
• Schools—Information for Parents, Schools and Students
• Spam—How to deal with Spam
• States Departments—a Guidance
• Subject Access Requests
• Transparency Policy
• Trusts and Wills Guidance
• Violent warning markers: use in the public sector
• Disclosures of vehicle keeper details
• Work references
For further guidance please contact the Data Protection Office
Tel: 01481 742074
Fax: 01481 742077
E-mail: [email protected]
Website: www.gov.gg/dataprotection
Further information about compliance with the Data Protection
(Bailiwick of Guernsey) Law, 2001 can be obtained via:
E-mail address: [email protected]
Internet: www.gov.gg/dataprotection
Telephone: +44 (0) 1481 742074
Fax: +44 (0) 1481 742077
Post: Data Protection Commissioner’s Office
P.O. Box 642
Frances House
Sir William Place
St. Peter Port
Guernsey
GY1 3JE