Thursday, 9 January 2014

Nuisance or loss?

One of the huge possible issues with The Privacy and Electronic Communications (EC Directive) Regulations 2003 is that the only way to make progress is a civil case for damages.

The legislation covers the nuisance of junk calls and junk emails. It is illegal, a crime, to junk call me (i.e. an unsolicited marketing call) because my number is in the TPS. It is also illegal to junk mail me on any of my personal (individual subscriber) email addresses. It has been for over 10 years.

Sadly, the criminal side, the law breaking, is handled by the ICO, who rarely do swat, IMHO.

But the regulations do allow, in section 30, a civil action for damages against someone that has committed the crime. This can be very effective at causing the criminals nuisance at the very least, and in some cases costs. Enough people doing this would eventually screw up their business model.

There are problems, though, and a court case today by a customer of mine against some junk callers has highlighted some of these.

1. In the case of junk emails there is a need for the email to be that of an individual subscriber. After a lot of discussion with the ICO, they have agreed what the law says. If, for the email address, there is a contract between an ISP and their customer for that email, and their customer is an individual and not a company, it is an individual subscriber email address. It does not matter if the email is used for business purposes, has a domain owned by a business, or is clearly a work email address as long as the contract with the ISP is with an individual. This is one hurdle that should be easy to prove to a judge. We have not had that opportunity yet, but proving it to ICO and having an email from ICO confirming that, should help matters if ever we do.

2. Who broke the law? In the case of my customer there was a complex chain of parties that made calls and transferred them as a qualified lead to someone else (who I would say clearly instigated such calls, but the judge did not agree), and so on. In this case it is important to take all of the parties to court in one case, as that means the judge can decide separately which of them is liable, and could even decide they are jointly and severally liable. Taking one to court can, as happened for my customer, mean that they manage to blame someone else and get off as a result.

3. What are the costs of a nuisance call or email? This really is a big issue, and is another reason my customer lost. For most people, most of the time, a single nuisance call or email is no actual cost (damages). But the constant bombardment of nuisance emails and calls is clearly a problem. I even started a petition on this. I want to make it that you don't have to justify costs for claims of up to £50.

So, the legislation is useless if we cannot show any costs. How can a junk call or email have costs? Anyone? Suggestions please? Something a judge may accept?

Well done for trying, Tim, and well done not having to pay costs for their train fares.


  1. Since I don't want to end up in court myself..... All of the following is my own opinion based on hearsay only. It should not be considered correct or truthful in any way. Please liberally insert "I believe", "allegedly" and "in my opinion" at every opportune moment!

    Tim's case clearly highlights, in my opinion, everything that is wrong with the current laws. It should have been open-and-shut - Company admits breaching the PECR, company pays compensation.
    Instead it has turned into a long, drawn out saga involving, I believe, three separate hearings, pages and pages of documents, accusations of this, that and the other, illogical arguments, nonsensical arguments, and circular arguments all but the most determined would have thrown the towel in on.

    What has shocked me more about the whole thing, though, are three opinions offered by the judge that simply stagger belief.
    The first is that the fact that company A offered company B £20 each for leads and the judge opined that this offer didn't instigate the call. The logical progression from this would be to argue that the call would still have been made if nobody was paid for it and this is quite clearly utterly ludicrous.
    The second is that by judging that Tim's loss was de minimis and therefore there was nothing to claim, he has effectively rendered the compensation sections of the PECR both pointless and worthless - in this case, the judge appears to be saying "the people who wrote this law are goons and I know better than they do".
    The third is that the judge stated that because the contract between the companies required calls to be made within the law, company A were not liable if company B (who were being paid by company A for leads) broke this agreement. I would argue that since the call to Tim clearly was illegal (which company A admits, I believe), then the fact that company B had broken their contract with company A does nothing to remove company A's liability to Tim, but does make company B liable to company A. That the judge sees company A having no liability with regard to Tim because of one sentence in a contract with a third party is just plain daft.

    I was hoping that the judge would make a common sense ruling that was in line with the intent of the legislation. Instead he has, in my opinion, chosen to boast quite clearly the details of his ivory tower.

    1. What we really need is a short-code for reporting these illegal nuisance calls to the telco - say, 1475. All it needs to do is log the preceding caller's identity (regardless of caller ID suppression, which doesn't stop the telco knowing the number, just prohibits them showing it to the end user directly). This should then be reported to the ICO for enforcement purposes.

      ICO should then aggregate these reports - a trivial database operation, and permitted since it is for the detection of crime - and use them to go after the worst offenders. Easy to extract substantial fines, which should more than cover the cost of the operation; appropriate compensation could easily be routed back to the subscribers who filed the complaints via their carriers in most cases. (Not possible for payphones or some terminated lines, but that probably isn't a major issue.) For genuinely overseas spam callers, BT and co could be required either to terminate interconnect with the originating carrier, or to block the illegal callers by number.

      Until then, we're left with the ridiculous situation where I am bombarded with these illegal spam calls - but they refuse to identify themselves, hanging up when asked, withholding their numbers to obstruct any complaint to the ICO. One fellow A&A customer has simply disconnected his landline phone entirely: spammers may call, but will never get an answer since there is no handset connected. Perhaps if mobile phones stop ripping callers off I could do the same.

    2. Although your idea is nice in principle, in practice it wouldn't work.
      The problem is that caller ID doesn't have to be available, can be spoofed and is being spoofed by these callers.
      Sadly there are a number of dodgy SIP termination services who permit their customers to present whatever numbers they want. As a telco with access to the caller id, I can list numerous examples of non-existent, invalid and spoofed numbers hiding behind the Withheld flag.
      In an ideal world, it should be required by law that any commercial organisation presents a valid caller ID which, when called, *must* allow the caller to determine who the number belongs to. The problem is, though, how is this verified and managed and how are breaches prosecuted?
      As a company on the receiving end of tens of these calls per day, we took the decision to block calls where the caller ID is either withheld or is invalid[1]. Lo and behold, the problem has pretty much gone away[2]. Perhaps the short-term answer is for everybody (business and individual alike) to block withheld number calls[3]. Of course, then we come on to the problem with some (inferior) telcos who don't permit ACR!

      [1] We play a message something along the lines of "Due to the number of spam and unsolicited calls we receive, this number does not accept calls where the caller's number is withheld. If this is not an unsolicited or sales call, please hang up and re-dial 0871xxxxxx which accepts all calls. Calls to this number are charged at 10p/min, however we will call you back straight away."
      [2] 95% or more of the calls we were receiving were caller ID withheld.
      [3] Why would anybody want to speak to somebody who doesn't want them to know who they are anyway?

      So, here's a challenge... Everybody with systems capable of making call flow decisions based on caller ID - try blocking the calls (perhaps offer an alternative) and see if it helps.

    3. I had BT's rather limited anonymous call rejection for a while, though one drawback was the fact my mother's office switchboard showed up "number withheld" - most of the spammers seem to have got wise to this now and started showing up as "out of area" instead. (Irritatingly, after one string of silent calls, I answered the latest rather irritably ... to find it was my brother's Sky landline, failing to present CLID for some unknown reason...)

      Once I nail the lingering packet loss on my A&A line (I have a replacement modem+router sitting here to try when I get a chance - that'll either fix it, or confirm it's something for A&A to beat BT up about) I'll get working on hooking up an Asterisk server to answer withheld/invalid CLID.
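The call-flow decision discussed in the replies above (divert calls whose caller ID is withheld or invalid to an announcement, ring the rest), as an added example that is not the commenters' own code or configuration. The token lists, the number-plausibility patterns, the action names and the sample calls are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed plausibility rules, not a full numbering-plan check:
# UK national format (0 + 9 or 10 digits) or international (+/00 + 8-15 digits).
UK_NATIONAL = re.compile(r"^0[1-9]\d{8,9}$")
INTERNATIONAL = re.compile(r"^(?:\+|00)[1-9]\d{7,14}$")
# Assumed display strings; real equipment may present other tokens.
WITHHELD = {"", "withheld", "anonymous", "private"}
UNAVAILABLE = {"unavailable", "unknown", "out of area"}

# Policy from the thread: withheld or invalid CLI hears an announcement that
# offers an alternative number. Sending "unavailable" to voicemail is an
# assumption, so legitimate lines that fail to present CLI can leave a message.
POLICY = {"valid": "ring", "withheld": "announce",
          "invalid": "announce", "unavailable": "voicemail"}

def classify_cli(presented):
    """Classify a presented caller ID as withheld, unavailable, invalid or valid."""
    text = (presented or "").strip().lower()
    if text in WITHHELD:
        return "withheld"
    if text in UNAVAILABLE:
        return "unavailable"
    digits = re.sub(r"[\s\-()]", "", text)  # drop spacing and punctuation
    if UK_NATIONAL.match(digits) or INTERNATIONAL.match(digits):
        return "valid"
    return "invalid"

def route_call(presented, policy=POLICY):
    """Return the call-flow action for one inbound call."""
    return policy[classify_cli(presented)]

def screening_summary(calls, policy=POLICY):
    """Count actions over a call log, to measure how much the rule screens."""
    return Counter(route_call(c, policy) for c in calls)

# Constructed sample log (01632 960xxx is a range reserved for fictional use).
SAMPLE_CALLS = ["Withheld", "01632 960123", "0000000000", "Out of Area",
                "+44 1632 960456", "", "12345", "anonymous"]

if __name__ == "__main__":
    for cli in SAMPLE_CALLS:
        print(f"{cli!r:20} {classify_cli(cli):12} -> {route_call(cli)}")
    print(dict(screening_summary(SAMPLE_CALLS)))
```

A spoofed but well-formed number still classifies as valid here, which is the limitation the reply about dodgy SIP termination services points out.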

  2. In regard to 3 specifically

    The spammers ARE doing more than ever before in volume.

    I've actually been through rejectlog on my spamassassin/exim box last month - I run 3 domains with usually only circa 20Mbyte of valid email a day, and I rejected 1G of spam from Dec 10th to Jan 10th - previous month was nearer 4G though as the Cryptolocker virus was in full spread mode this month. As I am on AAISP's unit based charging and 2.5G of that was during day, there is a tangible cost for all spam/viruses. Then it's just down to the amount of times a particular spam hit the rejectlog. Nov 10 to Dec 10 - the stats are stunning, at peak times there was up to 50Mbyte of spam an hour being rejected by my exim box.

    The above actually made me switch to an off-box primary MX from December to January, as I realised under AA's unit based charging for first time in 10 years of running MX at home I couldn't cope with inbound mail rejections in terms of costs.

    I do wonder if I could go after spammers for using my bandwidth on things I even rejected from even being delivered sometimes.

    1. The problem with this, though, is as the law stands you can only go after a spammer for the very specific damage their spam has caused you. Let's say I spam you with one e-mail and I'm nice and easy to track down. You see me in court where I freely admit to spamming you. Total damages that can be awarded would be less than a penny (i.e. the specific cost of my spam) - you can't come after me for the costs of everybody else's spam.
      It would be much better if the law was like the Late Payment Act and specified a pound sterling amount per breach.

  3. In most cases the cost of receiving calls is free, unless you are abroad using your mobile or you're on a US mobile contract. But it doesn't have to be that way, we could pay to receive calls instead of making them. Be interesting if RevK could create a special AAISP tariff that charges for inbound calls then each spam call received has a material cost to it for any subscriber on that tariff.

    1. Sadly, I think that and the "forward to a premium rate number so it does cost you money" option below would both count as self-inflicted in the court's view. Generally, there are things like a "duty to mitigate your loss" and that the loss must be "reasonably foreseeable".

      That's the beauty of getting a statutory damages figure of £50 - it bypasses all that. "You spammed me therefore owe me £50" - they can't argue the £50 is too much, or unnecessary, or anything else. A statute has the power to impose that; any private contract with A&A would not. Even if you have a contract with A&A that creates a cost for suing purposes, that's unlikely to hold up.

    2. I get junk calls on numbers that cost me, as they are relayed to my mobile. Sadly, it is a few pence, but I do wonder how this de minimis works. The regulations say you *can* take action for costs - so is it valid to take a case for 5p, simply because the law says you can?

    3. It's all at the judge's discretion - the bit which seems to be missing from the ADR setup: take up court time over 5p, or indeed £5, and you will probably get shouted at then ejected by an angry judge, or worse.

      Also, in the case of call forwarding, it's debatable whether that would be accepted as a cost caused by the caller, as opposed to being caused by your own choice to forward calls to a mobile - a "novus actus interveniens" in law: the spammer called a regular geographic number and paid the costs involved in that, it was you not the spammer who chose for the call to be forwarded to something more expensive. Supposing you forwarded your calls to 999: who do you think would get the blame, the spam callers, or you?

      Now, if one of those spammers got stuck flooding your sales/support numbers so legitimate customers couldn't get through you'd have a case - I imagine that's probably what the regulations had in mind for claiming costs, though I would dearly love to see it amended to recover £50 per call for us all. (Particularly having just had yet another number-withheld silent call while typing this reply...)

  4. I understand it's a concern when it happens, but how do you guys get so much spam email? I get virtually none. Not that I want any, I'm just interested in what is different. My email address doesn't appear on any web pages and I gave up on usenet 13 years and 3 email addresses ago.

    1. Participating in mailing lists (which get archived on the web) is a good one. Also, there are plenty of instances where someone's machine gets malwared and the malware harvests all the addresses in their address book / inbox. I have email addresses that have only been used to send email to one specific organisation, yet they get unrelated spam - clearly the organisation's computers got malwared and the addresses harvested.

      I also get an increasing number of spam emails from legitimate UK businesses who I have done business with - businesses who think that they are allowed to send junk mail to all email addresses in their database by default rather than getting the customer to opt-in first. Another trick I've noticed frequently with this is companies who have a set of tick-boxes for various different marketing mailing lists when you first do business with them; so you untick all the boxes. Once a year or so they invent some new types of marketing mailing lists and automatically subscribe everyone to them irrespective of whether the customer had already unticked all of the damned mailing lists that existed when they first gave their address. And yes, all of this is illegal but no one cares.

    2. A big one for me is agencies.. maybe 3 years ago I signed up to some of them hoping they might be something better than useless (they weren't) - they subsequently sold their lists to more agencies, who sold their lists to more agencies, etc. I now get 2-3 a day from random idiots asking if I'd like to work for 20k in london etc. (um.. no!).

  5. If you redirect all calls to a geographical number to a mobile number where you pay for the then incoming call, then there is a cost.

  6. If it's nuisance then perhaps we need to try and push for it to be covered by the ASBO legislation - it would be great to see a spammer get an ASBO restricting them from sending e-mail or similar...

  7. I got a call from a guy at ICO last week, after emailing asking for clarification regarding section 30 in the PECR.

    He interestingly said he had taken people to court and won. The "damages" referred to in section 30 is indeed for disruption and lost time asking them to stop.

    He proceeded to tell me, however, that you have to tell them to stop first, and with that set out a clear claim for any further messages, which I somewhat disagree with.

    That approach is wrong in at least two ways:

    1) It is clearly illegal to send even the first mail, so why do I have to tell them to stop? A lot of companies likely take a chance and mass email out, knowing that people have the option of un-subscribing and hence won't take it further.

    2) If, even as an individual subscriber, you have to "unsubscribe" before using section 30, there is essentially no difference between being an individual and corporate subscriber. All marketing emails must have an un-subscribe option, so if I can't use section 30 unless they continue to email, which they probably won't, then I am no better off than being a corporate subscriber.