Introduction
Have you ever received unsolicited e-mails/text messages relating to enhancement of certain organs of the body, unsubscribed sexually explicit e-mails, e-mails stating that you have won a million dollars, random unsolicited and unsubscribed promotional e-mails and messages? These e-mails/messages are generally termed to be “spam”. Spam is the most inexpensive way of tapping into a potential customer base[1] and gives you visibility with the recipient of the e-mail, since the recipient has to in some cases necessarily open the spam e-mail to delete such spam or click on the delete option. By the time the delete option is exercised by the recipient of the e-mail, the labelling of the e-mail, the name of the brand, etc. has already subconsciously registered in the recipient’s mind.The first use of spam and e-mail spam campaigns dates back to 1994-1995 with the advent of the TCP/IP internet connectivity in India and the widespread access of internet and the use of e-mails in India.[2] Within about 20 odd years, it was found that 66.34% of e-mails exchanged/received are in the nature of spam.[3]
While some spam e-mails can be harmless and just a promotional offer, commercial or transactional e-mail, some spam mails can be virulent and can compromise sensitive data which is saved on the system. One such instance was when the Bhabha Atomic Research Centre system was compromised and documents relating to India’s nuclear weapon program was downloaded and published by a terrorist by the name of Khalid Ibrahim.[4] Spam has also been known to breed and successfully release viruses such as “Brain”, the first personal computer virus, “Happy Birthday Joshi”, the first Indian virus, and viruses such as “Stoned”, “Milworm”, “Yaha”, “YahaSux” and more than 1000 different viruses, severely compromising sensitive data such as trade secrets, a company’s business details, national security details and such like details.
Spam can be categorised into two broad heads, which are unsolicited commercial e-mail (UCE) and unsolicited bulk e-mail (UBE). UCE, as defined in various foreign legislations[5], is essentially advertisement, promotion and marketing of a particular good/product or service while UBE includes bulk mail not necessarily sent for the purposes of promotion.
UCE’s and UBE’s are sent by using one of the two popular methods i.e. the dictionary method or the e-mail harvesting method. The dictionary method essentially entails that e-mails are sent to sequential e-mail addresses or to common names. Illustratively, e-mails would be sent sequentially to xyz1@yahoo.com, xyz2@yahoo.com, etc. The difficulty in such a method was that not all such e-mail addresses would exist and some of the e-mails would be returned with mailer errors. The second method i.e. the e-mail harvesting method was a little more complex. This process was undertaken by making software, which would find e-mail addresses embedded in the code of web pages and other files and would supply such e-mail addresses to the maker of the software.[6] Thus, this was not based on guesswork, like the dictionary method but was based on actual existing users of e-mails.
Law in India on spamming
By 1994-1995, the world started to recognise the potential that the internet had in uploading information, dissemination of information, in the world of research and development, for business transactions, for the purposes of e-commerce, etc. In order to effectively regulate the virtual world, as it so came to be referred to, it was decided by the General Assembly of the United Nations to adopt a model law on electronic commerce, which set out the broad guidelines as to how electronic data could be protected, as to how certain offences such as hacking, etc. could be prevented and how data interchange could be made expedient. This Resolution was signed by India. Since India had signed the United Nations’ resolution, it was incumbent to incorporate such a resolution into municipal law. Accordingly, the Information Technology Act, 2000 (IT Act) came to be passed, promulgated and enacted. The introduction of the IT Act implied that certain laws such as the Penal Code, 1860, the Evidence Act, 1872, the Bankers’ Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 were to be amended, which amendment was contemporaneously carried out by the legislature.
While the introduction of the IT Act was much required, the otherwise clumsily drafted legislation failed to acknowledge the nuisance of spam e-mails and text messages. The IT Act also did not envisage or provide for several contingencies such as measures to protect privacy, identity theft, cyber terrorism, etc. The legislature, in 2008, in order to somehow meet the eventualities stated above, thus brought about a slew of amendments to strengthen the information and technology regime. By these amendments, the legislature not only buffed up the IT Act significantly but also, for the first time, provided for an anti-spamming law [Section 66-A(c) of the IT Act], made intermediaries and body corporates liable for providing personal information (Section 43-A read with Section 72-A of the IT Act) and made the spam website liable in case the spam alters or destroys information in the system [Section 43(i) of the IT Act].
It may be necessary to point out that the law relating to anti-spamming [Section 66-A(c) of the IT Act], which was enacted by the legislature, was extremely vague, uncertain and failed to provide proper and efficacious parameters to prevent spamming. Like every other provision in law is susceptible to gross misuse coupled with the fact that Section 66-A of the IT Act was extremely vague, the said provision was used and abused by certain politicos against two innocent citizens, which led to the filing of a writ petition titled as Shreya Singhal v. Union of India[7], before the Supreme Court of India challenging the validity of Section 66-A of the IT Act. The Supreme Court struck down Section 66-A in its entirety, on the ground that it was violative of Article 19(1)(a) of the Constitution of India i.e. fundamental right to speech and expression and not saved by Article 19(2) of the Constitution of India. The judgment also contained scathing observations with respect to the vagueness of Section 66-A of the IT Act.
Critical analysis of the Shreya Singhal judgment
In the estimation of the author, while freedom of speech and expression/each establishment’s right to advertise ought be given primacy, like the Supreme Court has held in a catena of judgments[8], the Court ought to have realised that Section 66-A(c) of the IT Act was enacted to prevent misusers and spammers from sending out UBE’s and UCE’s and hence striking it down would imply that the companies/establishments could send spam mails, with or without viruses, without (a) there being any regulation to stop them and/or (b) there being any legal consequences. The Supreme Court also probably erred since Section 66-A(c) of the IT Act was enacted so that a national security is not compromised with spam mails in the manner that it was with the Bhabha Atomic Research Centre. Since preventing spamming also included safety and security of the State and national security, Section 66-A(c) of the IT Act should not have been struck down.
The Supreme Court failed to appreciate that Section 66-A(c) of the IT Act was saved by the concepts envisaged and enshrined under Article 19(2) of the Constitution of India i.e. decency and morality as the law [Section 66-A(c) of the IT Act] sought to safeguard a recipient from receiving sexually explicit e-mails/text messages, etc.
Another aspect, which could be analysed, was the spam recipient’s right to privacy. At least in the case of spam, some e-mails, as stated hereinabove, send out viruses, which not only access the personal and private data of the recipient, without altering it or in any manner destroying such information, but also re-transmit the data through these infected systems. Since the recipient has a right to privacy, as guaranteed under Article 21 of the Constitution of India, which was a competing right to freedom of speech and expression agitated by the petitioners, it was incumbent on the Hon’ble Supreme Court to see which would sub-serve the greater public interest i.e. to strike down the entire statute or sever the unconstitutional portion of the Act and to allow a part of the statute to survive and guarantee the right to privacy. The Supreme Court laid down this test in its earlier judgments such as “X” v. Hospital “Z”.[9]
The other ramification of the striking down of Section 66-A(c) of the IT Act was that if a certain company is sending spam, he could only be prosecuted for nuisance, under tort law and the Penal Code.
A solution which could be brought about
Be that as it may, since Section 66-A of the IT Act was struck down in totality, it is now imperative to bring about a law governing and regulating spam. The said law would have to be brought into force with some urgency considering the amount of spam mails received by a person on a day-to-day basis.
The legislature ought to consider providing an exclusive law relating to the subject with:
(a) A exhaustive definition stating clearly as to what falls within the ambit of spam, a definition with respect to UBE and UCE.
(b) A consent based opt-in and opt-out approach wherein the establishment has to first request for the users permission to send the e-mail/spam, the recipient has to confirm that he/she wishes to subscribe to such e-mails and if subscribed by the user, providing an opt-out option where the recipient can unsubscribe at his/her whims and fancies; which opting out ought to be honoured by the establishment.
(c) Parameters relating to the:
(i) proper labelling or the content in the subject title of the spam. For e.g. explicit material ought to be labelled as “sexually explicit”;
(ii) manner in which the e-mail sender procured the e-mail address of the recipient;
(iii) proper identification of the sender of the spam, with a postal address, telephone number and contact person information;
(iv) cap on the number of UCE’s sent within a 1-year period; and
(v) proper enforcement mechanism in case of breach of any of the parameters. The legislature could also provide for both a civil and criminal action for breach of the law.
(d) The legislature ought to provide an extra-territorial operation of the Act in case the company, which has breached the obligation under the law, is based in a foreign jurisdiction. This power of extraterritoriality could be similar to the one provided in the Penal Code.
(e) The legislature could also provide for a “do not disturb service” or a spam blocking option, similar to the one adopted by the TRAI, whereby the recipient would not receive any spam whatsoever.
(f) An exception could be made for promotions carried out by the State or instrumentalities of the State, in discharge of its sovereign functions, if at all.
(g) The other approach to stop spam could be the introduction of human interaction proof to each e-mail, which could stop establishments from sending bulk mail. Human interaction proof is the random 5-digit number appearing on the screen such as “ER5G1”, etc. involving different digits and alphabets, which is in the nature of a verification code. This would stop establishments sending UBE’s and UCE’s since it would be time consuming to type in the human interaction proof in order to send out each e-mail.
(h) The establishment of a robust and proactive Tribunal to enforce the provisions of the Act. It is the author’s understanding that the Cyber Appellate Tribunal (Cybat) has been in shambles of the past 5 years.
Bill Gates had also come up with an extraordinary solution wherein the companies sending UBE and UCE (more than 3000 mails in 30 days) ought to be made to pay a token amount per e-mail, like people used to spend for postage stamps, to the Government. By this logic, the exchequer could only stand to benefit.
Conclusion
When we surf the internet, the last search, IP address carrying out such search and the e-mail address of the person carrying out such a search is stored in the web pages. These details are easily accessible by most establishments, who use this information to carry out activities of sending UBE’s and UCE’s. Thus, the promotional establishments not only send spam e-mails, against our will, but when one uses a search engine for separate unrelated search, the same establishments follow us through pop-ups, etc. in relation to the last search. This activity has to stop with immediate effect. Such spam can only be prevented when there is an effective law to protect each unassuming internet users interest, from nuisances such as spam e-mails and texts. This law could be based on various legislations such as CAN-SPAM Act, 2003 (USA), Spam Act, 2003 (Australia), Spam Control Act, 2007 (Singapore), Canadas’s Anti-Spam Act, 2014 and the Privacy and Electronic Communications (EC Directive) Regulations, 2003.
* Advocate, Delhi High Court
[1] David E. Sorkin, Unsolicited Commercial E-mail and the Telephone Consumer Protection Act, 1991, 45 Buff L. Rev. 1001.
[2] Suresh Ramasubramanian, Spam and Internet Abuse in India — A Brief History and Keith Lynch’s timeline of spam related terms and concepts; 23-11-2002; <http://keithlynch.net/spamline.html>.
[3] <https://usa.kaspersky.com/resource-center/threats/spam-statistics-report-q1-2014>, Spam and Phishing Statistics Report Q-1, Kaspersky Lab.
[4] Niall McKay, Do Terrorists Troll the Net.<www.wired.com/politics/law/news/1998/ 11/15812>.
[5] CAN-SPAM Act, 2003 (USA), Spam Act, 2003 (Australia), Spam Control Act, 2007 (Singapore), Canadas’s Anti-Spam Act, 2014 and the Privacy and Electronic Communications (EC Directive) Regulations, 2003.
[6] Brian McWilliams, Spam Kings, 302 (2005), Verizon Online Services, Inc. v. Ralsky, 203 F Supp 2d 601, 607 (ED Va 2002) and Priyanka Vora, Spam! Spam! Spam! The Need for an Anti-Spamming Law in India.
[8] Tata Press Ltd. v. MTNL, (1995) 5 SCC 139; Virendra v. State of Punjab, AIR 1957 SC 896, Indian Express Newspapers (Bombay) (P) Ltd. v. Union of India, (1985) 1 SCC 641 : AIR 1986 SC 515 and Bennett Coleman Co. v. Union of India, (1972) 2 SCC 788 : AIR 1973 SC 106.
