Wednesday, 6 November 2013

The next spammer to tackle

I am trying to do these one at a time, hopefully one will get to an actual court hearing. The next one is Fuel Card Service Ltd who have spammed my titanic address at least 5 times now, and ignored my reply and notice of action every time.

What is interesting is that they are advertising fuel discount cards for specific supermarkets, e.g. Morrisons and Tesco.

So this time I have written not only to Fuel Card Services Ltd, but also to Morrisons and Tescos stating that I intend to make them co-defendants as the party that has apparently instigated the sending of the marketing email.

We'll see what happens when you threaten someone big like that. Should be fun.


  1. You might get an answer from large corporate, the last thing they want is seeing their name in the press next to "court" and "spam".
    I also started to notify spammers based on your notice, and while most spam houses completely ignored me, mailing PR and marketing director of the "advertiser" seems to work for large companies. Didn't get any compensation but the one promising to pressurise the spam house to be sure my address is removed seemed to have done their job well. I'm virtually UK based spam free for the last couple of months.

    1. My standard spammer notification (which I send in reply to spams from UK companies) tells them that:
      1. They're breaking the law and please can they stop.
      2. That I am making a DPA request for all information they hold on me.
      3. That I will be reporting them to the ICO if they don't respond.

      Most of them don't respond at all. Of the few who do respond, I just get a "you've been removed from our lists" - no response to the DPA request.

      At some point I will get around to actually reporting a few of them to the ICO, but annoyingly last time I checked you had to raise a separate complaint for each law they broke, which is a pain, and they won't accept reports of spam unless you provide proof that you asked them to stop and they didn't (which seems to ignore the fact that they are _already_ breaking the law, whether or not you tell them not to).

      Next time I break into someone's house to nick their telly, I presume I won't be arrested until the owner asks me to stop and I ignore them and nick their second telly too. :)

  2. Sounds like they've been at it for a while - has a review mentioning spam from early 2012.

  3. Inspired by Rev K's spam adventures, I thought about buying a ("for personal use only"), setting up a web page which says "You do NOT have permission to email me at [dynamically generated email address] which is a personal, individual email address as defined by the ICO". The email address is tagged in the backend with requesting IP, referrer browser etc. When emails come in (from UK IPs, UK domains or with words such as "Registered in England" in the body text) an automatic notification/bill is sent out. If not paid within 14 days, a small claims is started. (Yes, I was partially inspired by Project Honeypot).

    Anyone think this is a good/bad idea?

    1. I think you'll very much struggle to automate it:

      Who are you going to send the notification / bill to? Almost no one sends automated emails from an address that goes to a real person, so your automated system can't just reply to the address the spam came from. Especially since the email probably says something like "this address isn't monitored". When I send my "stop spamming me" notifications I (manually) send them to the address the spam came from, any addresses listed in the whois records, any useful looking contact addresses on the spammer's website and any "contact us" form on the website. Frequently, the "contact us" form is the only way to reach them.

      I suspect the courts might not be too happy at you billing people for a one-off spam - certainly the ICO's spam complaints procedure requires that you prove you asked to be removed from the mailing list and that the spammer has continued to send spam after they've done this. I think this is pretty bad since they've *already* broken the law by spamming you once, so you shouldn't be required to go to the effort of asking them to stop, but I suspect a court may also say you're being unreasonable if you can't show a similar level of evidence.

      As I've previously mentioned, my spam responses include a DPA demand for all the data they hold on me and where they got it. Whilst the spammer can ask you to pay a "nominal" fee for this data, that might carry some weight when they outright ignore the DPA request instead.

      Another thing is whether an email address that goes to an automated system such as you describe, which has the potential for making profit through litigation, is actually considered an "individual email address"...

    2. I was under the impression that the asking to be removed related to Data Protection Act issues, and certainly spammers have replied (tried using in defence to court) that they removed within a time frame in accordance with DPA, ignoring the fact that they had already broken the PECR.

    3. Well, my standard response is:

      This is an unsolicited communication by means of electronic mail
      transmitted to an individual subscriber for direct marketing purposes.
      This is contrary to section 22 of The Privacy and Electronic
      Communications (EC Directive) Regulations 2003.

      Please do not send any further unsolicited emails. A charge of £25 per
      email will be made for any further unsolicited emails received and your
      sending of any such emails will be deemed as acceptance of these terms.

      I am also making a request under Section 7 of the Data Protection Act
      1998 for all the data / information you hold on me and from where you
      obtained it.

      I suggest you remove me from your list and review your marketing methods
      with a qualified lawyer.

      Please confirm the receipt of this email. Failure to respond will
      result in your organisation being reported to the Office of the
      Information Commissioner.

      So in theory, I am:
      (1) Pointing out that they already broke the law by sending me the email in the first place.
      (2) Asking to be removed from their mailing list.
      (3) Agreeing to a contract whereby they will pay £25 per mail they send me thereafter if they ignore (2).
      (4) Making a DPA request for all the personal information they hold on me.
      (5) Requiring them to acknowledge the email (which, frankly, point (4) requires anyway).

      The ICO's PECR complaint procedure seems to require you to do (2) and for the spammer to ignore you before you can file a complaint anyway (of course that doesn't stop you taking them to court instead, but I suspect the court wouldn't look too favorably on you if you don't at least attempt to go through the pre-PECR-complaint steps first).

      Since I'm making a DPA request, they are required to respond to that anyway (either providing the data I asked for, or telling me how much they are going to charge for the DPA response).

      So in theory, if the spammer completely ignores the email and keeps spamming, I can lodge a PECR complaint with the ICO, also make a DPA complaint to the ICO, invoice them £25 per email (and take them to court if they don't pay), and presumably also take them to court for damages for their initial email breaking PECR (I suspect the subsequent emails wouldn't be breaking PECR since they have been solicited by the £25/email contract).

      I haven't yet actually taken any action against anyone. It seems I either get no response at all, or a "we've removed you from the mailing list". None of the responses have actually answered the DPA issue properly - I think the best I got basically boiled down to "you probably entered your details on our website when you placed an order or something", which seems to boil down to "we have no idea how we got your details, we don't maintain any kind of a paper trail for that and therefore wouldn't be able to prove that you had consented to receiving marketing".

      For what it's worth, some of the spams certainly are from companies I've ordered things from, but I always tick the "don't spam me" box when I do that. I'm not sure how they would go about proving that I consented (or indeed how I would go about proving that I didn't), given that the preference would, at best, be a flag in their database (which they can trivially alter), and at worst wouldn't be recorded at all!

      Another thing that seems increasingly prevalent is companies running multiple mailing lists for various different types of marketing and letting you opt-out of each one; which is all well and good until they invent a new mailing list (which they do on a regular basis) and automatically opt everyone in to it, even those customers who are opted out of all the existing marketing lists.

    4. > Since I'm making a DPA request, they are required to respond to that anyway (either providing the data I asked for, or telling me how much they are going to charge for the DPA response).

      Steve — it's a small point but, off the top of my head, whilst the ICO might consider it "good practice" for a controller to respond saying that they require a fee, I don't believe that they are required to do so by law: it is not a valid request until such time as the fee is paid (s7(2), from memory).

      Whilst the subject may not know that a fee is required unless informed, the wording of s7(2) is weak, in my view; from a subject perspective, wording mirroring that of s7(3) would be more suitable, as it would resolve the potential ambiguity here, stating "no fee unless a response is sent demanding one", and placing the onus on the controller to prove in the event of a dispute that it sent this message.

    5. The fee isn't a fixed amount - the law sets out a maximum fee that can be charged, not the actual amount that will be charged. I can't pay a fee unless they tell me how much it is.

    6. And they don't have to even reply to you, even just to say what the fee is, unless you pay the fee :-)
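
As an added illustration (not code from the post or any commenter), this shows the tagged honeypot address proposed in comment 3 above: each page view gets its own address, stored with the requester's details, and inbound mail is matched back to that record. The `trap.example` domain, the `hp-` prefix and all function names are assumptions; the UK-IP check is left out because it needs a GeoIP database.

```python
import email
import secrets
import sqlite3
from datetime import datetime, timezone
from email.utils import getaddresses, parseaddr

DOMAIN = "trap.example"  # placeholder domain (assumption, not from the thread)

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE issued (token TEXT PRIMARY KEY, ip TEXT, "
               "referrer TEXT, user_agent TEXT, issued_at TEXT)")
    return db

def issue_address(db, ip, referrer, user_agent):
    """Mint a unique address for one page view and log who was shown it."""
    token = secrets.token_hex(8)  # random, so a hit cannot come from guessing
    db.execute("INSERT INTO issued VALUES (?, ?, ?, ?, ?)", (token, ip, referrer,
               user_agent, datetime.now(timezone.utc).isoformat()))
    return f"hp-{token}@{DOMAIN}"

def looks_uk(sender_domain, body):
    """Domain and body-text heuristics from the comment (UK-IP check omitted)."""
    return sender_domain.lower().endswith(".uk") or "registered in england" in body.lower()

def body_text(msg):
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]
    return b"\n".join(parts).decode("utf-8", "replace")

def match_inbound(db, raw_message):
    """Return the harvest record behind a message's recipient, or None."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    for _, rcpt in getaddresses(msg.get_all("To", [])):
        local, _, domain = rcpt.lower().partition("@")
        if domain == DOMAIN and local.startswith("hp-"):
            row = db.execute("SELECT ip, referrer, user_agent, issued_at "
                             "FROM issued WHERE token = ?", (local[3:],)).fetchone()
            if row:
                return {"recipient": rcpt, "sender": sender, "harvest_ip": row[0],
                        "referrer": row[1], "user_agent": row[2], "issued_at": row[3],
                        "uk": looks_uk(sender.rpartition("@")[2], body_text(msg))}
    return None

if __name__ == "__main__":  # constructed sample: one page view, then one mail to it
    db = open_store()
    addr = issue_address(db, "203.0.113.7", "https://search.example/", "ExampleBot/1.0")
    print(match_inbound(db, f"From: Offers <sales@fuel.example.co.uk>\nTo: {addr}\n"
                            "\nRegistered in England No. 0000000\n"))
```

Mail to an `hp-` address that was never issued returns `None`, so a guessed or mistyped recipient does not produce a harvest record.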

  4. I like the letter of Steve's. Rev, you mentioned creating a framework for this process, how is it going? Will it include standard letters etc?
    If you don't have the extra time for it, by the look of it from the comments, if you were the one pointing us all to a wiki, something would spring up fairly quickly :)