Home / Blogs

Privacy Rules to Change in the EU, But What If …?

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
Wout de Natris

In a presentation EU Commissioner Viviane Reding gave a preview of the new Privacy regulation her DG is preparing. As she states, privacy rules need to be brought up to date and harmonized. With all 27 member states having the same rules and tools to enforce, a company only will deal with one privacy commissioner, i.e. the one of the country of its main establishment. What a lot of red tape gotten rid off. So, what if we, for the sake of this blog, take this initiative towards spam and cyber crime. What would this do to spam enforcement?

ACMA receives a major compliment

In 2004, when I first entered the anti-spam arena, this was a mantra that I had to hear very often: "Spam is international. We cannot do anything", spoken with a lot of emphasis and some despair. Unfortunately in 2012 this is still true for many countries. Not because of the fact that it is impossible to do something about spam, no, but due to a lack of initiatives. I think that a great compliment to Australia's ACMA (Australian Communications and Media Authority) was published on CircleID in a comment to an article about the impact of Canada's spam law on local businesses. Brett Watson, an Australian internet engineer, writes:

"However, my present (and general) lack of anything to complain about reflects well on the law and its enforcement… Perhaps what's most telling is that I have, for the first time, subscribed to some advertising newsletters in recent years. I don't feel the need to jealously protect my email address any more, or diligently use uniquely tagged addresses when handing them over. I trust ACMA to keep the companies in line, and the trust seems well placed so far."

This proves that fighting spam is effective and that the combination enforcement with filtering by ISPs keeps mailboxes clean. Spam hasn't gone away, but at national level companies are disciplined and mostly act within the law in the few countries with vigorous enforcement bodies.

Who enforces what?

Privacy and spam are closely related. Spam is seen as an invasion of privacy. But it goes way beyond mere privacy. Privacy sensitive data is often used, sold or worse stolen in order to approach people. Whether to sell a(n illegal) product, phish for more (bank)data or industrial espionage, a stolen e-mail address is often the basis of law violations. The patchwork of enforcement agencies, unclear enforcement powers, the lack of understanding of the issues at stake, of resources, training or powers, the unavailability of online reporting of spam or cyber crime, all make that enforcement is far from optimal in most countries.

Standardisation of spam and cyber crime law

Could a standardised law, with a standardised toolkit for enforcement agencies make a difference? Yes, I think that it would. For the public it would mean that there is the certainty that when the law is broken, it is clear who to report to and that it is likely that an investigation follows. That it makes a difference to complain. For senders it also sets clear boundaries. Their business continues, as is proven in e.g. The Netherlands, but in compliance with the law. Next to that it offers this clearness in 27 states.

As spam, e-fraud, phishing, cyber crime and worse are all so closely related and often involves several countries, it makes sense to be more directive from Brussels. At national level there are so many different laws, ministries and enforcement agencies involved, that coordination there is almost utopian. Next to the fact that success without industry participation is clearly unthinkable. Despite the fact that the Dutch National Cyber Security Centre is a promising initiative, it is obvious that for most countries this form of public-private cooperation is hard to attain.

A proposed course of action for the EU Cyber Security Centre

The discussion about the EU Cyber Security Centre is under way. Let me give a pointer on what the centre could do. To my mind it ought, also, to actively collect, analyse and share data with those involved: public and private entities, universities. This gives the centre coordinative powers in matters cross border and across different enforcement organisations as well. Two difficult hurdles taken… should this come to pass. The combination of the overview and oversight with the transparency caused by available, shared data makes all concerned answerable for their (lack of) actions to the centre and each other. I am also convinced that this model will lay the foundation for cooperation with whole new groups of Internet industry partners that are now harder to reach/convince.

Ambition at Commissioner level

If Commissioners Kroes, Malmström and Reding used their powers to harmonise the laws and enforcement in the way Ms. Reding proposes for privacy, i.e. the same law and enforcement tools, standardised enforcement agencies and a point of case handling, the fighting of privacy infringements, spam, malware and cyber crime may actually take a turn for the better. They are so intertwined that another approach is (well, should be) almost unthinkable.

The combination of a pro-active EU Cyber Security Centre with a layer of harmonisation where enforcement is concerned will prove to be a structural step forward from the present situation in many countries. Yes, this is ambitious, but it is clear that the present approach is not going to change much. Everything cyber is still a field day for criminals and a private company, Microsoft, so far is the most successful in fighting botnets. This ought to be different, shouldn't it?

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. More blog posts from Wout de Natris can also be read here.

Related topics: Cybercrime, Data Center, Email, Law, Malware, Policy & Regulation, Privacy, Spam



To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Port25 Announces Release of PowerMTA V4.5r5

New Case Study: Jobtome.com Replaces 30 Postfix Servers with a Single PowerMTA

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

An Update on Port25 and the Future of PowerMTA - One Year Later​

Encrypting Inbound and Outbound Email Connections with PowerMTA

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD