Interception and Monitoring of Emails
The issue of interception was graphically illustrated in a recent High Court decision in S P Bates & Associates Ltd v Woolworths (NZ) Ltd (HC Auckland, CL 15/02, 13 March 2003, Fisher J; unreported, noted in 26 TCL 15/2 and  BCL 391).
The plaintiff trades under the name “SecureNet”. SecureNet is an ISP which provides Internet services to Woolworths. Part of the service included scanning for viruses, spam, fraud, unauthorised access of the Woolworths’ computer system along with unauthorised computer usage by Woolworths’ own staff. Woolworths pulled out of their arrangement and SecureNet sought an interim injunction to prevent Woolworths doing so.
Of relevance here, when the relationship deteriorated, SecureNet started checking Woolworths’ e mails saying that that they were entitled to do so pursuant to the arrangement and in the context of the deteriorating commercial relationship.
Justice Fisher was less than impressed with this suggestion. The Judge noted (at paragraph 8) that the screening of e mails, was in the first instance a purely automatic process effected by software services contracted by others to SecureNet. Even though these findings were preliminary in nature, His Honour found, at paragraph 35, that
“It can not be said that SecureNet’s interception in the present circumstances was carried out honestly, in good faith, or for a proper purpose”.
Further, at paragraph 34 the Judge noted:
“SecureNet was providing technology services. Woolworths was providing money. Nowhere in that simple exchange is there room for the possibility that Woolworths intended to give SecureNet the right to covertly rummage through Woolworths’ communications in order to use them against Woolworths if the two should later fall out.”
The lesson is clear. Technical ability and access does not justify an invasion of others’ space. Likewise, a contractual relationship does not entitle a party to go beyond the terms of the agreement to pry into other person’s affairs, whether they are commercial or private.
Sections 216 A-F of the Crimes Amendment Act (No 6) extends the prohibition against interception of communications to cover electronic and data communications, which would probably cover e mails. S 216 B(1) now makes it an offence to intercept any private communications by means of an interception device (which is widely defined so as to include a “computer”). To “intercept” requires the conduct to occur while the communication is taking place. Arguably it would cover the unauthorized tracking and monitoring of e mails in the fashion dealt with in SecureNet and suggests that caution will need to be exercised by contractors who go outside the scope of their contracts (and indeed others).
The Privacy Commissioner in the Telecommunications Information Privacy Code 2003 (28pp) (document available from firstname.lastname@example.org) relates to telecommunications agencies, insofar as they handle personal information about customers and telecommunications users. Amongst the requirements are that telcos must provide “blocking” options free of charge when caller ID is offered and prohibiting the use of traffic data gained from interconnection for unauthorised direct marketing. The Code commences in November 2003.
Spam is basically unsolicited bulk communications usually by way of e mail. It is reported that some industry commentators estimate that more than half of e mail traffic worldwide is spam. What makes spam so attractive to direct marketers is that the recipients end up paying for the inconvenience as they are responsible for paying for the Internet connection.
A recent Federal Trade Commission Report indicates that in the US about 44% of spam users have a false return address and/or a misleading subject line and in total 66% of spam was deceptive in some way. This indicates the magnitude of the problem and is consistent with other reports. Refer to article by Hall, Dickler, Kent, Goldstein and Wood LLP in World eBusiness Law Report, 17 June 2003 at http://www.worldebusinesslawreport.com/index.cfm?action=login&c=17801&id=2058
It is a serious problem that has sprung up in the last few years. However, given the almost universal dislike for spam, responses are being formulated. A backlash against the epidemic is gaining. In the US, the US Senate Commerce Committee has just introduced the first federal anti-spam legislation. Called, in typical American fashion, the “Controlling the Assault of Non-Solicited Pornography and Marketing Act” or the “CAN-SPAM” Act, the Act will allow regulators and ISPs to take action against spammers who:
•Use inaccurate email subject headers;
•Do not let recipients unsubscribe; or
•Send bulk messages to email addresses obtained by crawlers.
Refer article in World eBusiness Law Report by Steptoe and Johnson on 4 July 2003 at http://www.worldebusinesslawreport.com/index.cfm?action=login&c=17801&id=2103
A copy of the bill is available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_bills&docid=f:s877is.txt.pdf
Various states in the US have introduced new anti-spam legislation; including California which makes it unlawful to send unsolicited commercial emails unless the recipient has opted in, i.e. consented to receive the message. Alternatively, the sender can escape liability if it can show there is a verifiable business relationship between sender and recipient. Australia is also said to be on the verge of introducing legislation as are other countries.
Computerworld has reported that New Zealand representatives are “actively working” with international bodies to improve at least the chance of detecting the sources of spam. IT minister Paul Swain is quoted as saying:
“New Zealand is actively working in fora such as the OECD, the ITU (International Telecommunications Union) and APEC (Asia-Pacific Economic Co-operation), which are co-ordinating international approaches to matters such as consumer protection, privacy, internet security, intellectual property protection and cybercrime,”.
See Computerworld item on 21 February 2003 at
Large organisations are joining the fight. Microsoft is reported to have filed fifteen legal actions against spam operators – in Washington, California and the UK. The United Kingdom lawsuit is brought under the Computer Misuse Act 1990 (c18), which prohibits unauthorised access to computer material or unauthorised modification of computer material.
AOL and Yahoo have also taken steps to tackle the problem. See article by Hall, Dickler, Kent, Goldstein and Wood LLP in World eBusiness Law Report, 11 July 2003 at http://www.worldebusinesslawreport.com/index.cfm?action=login&c=17801&id=2130
Section 1 of the Computer Misuse Act 1990 makes in an offence to use a computer to access data without permission. Microsoft have alleged that harvesting email addresses from servers to build spam lists falls within the scope of s1 of the Act. Refer article by Berwin, Leighton, Paisner, International Law Office Report, 26 June 2003 at http://www.internationallawoffice.com/Ld.cfm?i=17801&Newsletters__Ref=6998
Arguably, spam can now be caught by s250 of the recently enacted Crimes Amendment Act (No 6), which covers a situation where someone intentionally or recklessly and without authorization:
“Damages, deletes, modifies, or otherwise interferes with or impairs any data or software in a computer system” (emphasis added).
The word “adds” was deleted from the provision because it would probably have caught “cookies”. Even so, Denial of Service (DOS) attacks would clearly be caught by the provision as would spam and crawlers that materially impair or erode a computer system/service through a sudden or sustained attack of sufficient magnitude, a view supported in principle by Judge Harvey at p315 in “internet.law.nz”.
At a practical level, a range of reasonably intelligent spam-blocking software is now available. McAfee’s SpamKiller using open-source software and Spam Assassin using the Linux platform are two. Others include, IHateSpam, MailWasher (a New Zealand product), Spamnet and Spamnix. There are also a few practical steps that can be taken to resist spam. These include the following:
•Do not reply to suspicious looking e mails. Avoid the tendency to “just have a quick look”. Spammers often give themselves away by using common variations on a domain name. A reply simply confirms that one of the options is the correct one and the address is worth retaining or on-selling to others. The welcome looking “unsubscribe” option is sometimes little better. It is often just another (even more devious way) of trawling for and getting confirmation of valid addresses.
•Publish your email address with care, particularly when going onto live sessions like newsgroups.
Evidence suggests that most spam originates from actual e mail addresses posted on public websites which are “harvested” and added to spammers’ lists. These lists are then utilised or on-sold for marketing purposes – with the net getting larger and larger.
One way to cut down on this is to mask or obscure actual e mail addresses in both e mail communications and on public websites. This can be done by using simple software tools which give the name of the person but not his or her actual e mail address. Once again the day may come when not doing so may be negligent, particularly if an organisation or person fails to take adequate or any measures to guard against disclosure of others’ full e mail addresses.
The law in this area is evolving. However, it is unlikely that the law will keep pace with technology. The observations of Justice Michael Kirby given during his recent Privacy Forum address in Wellington, that the courts in Australia and New Zealand may be emerging as important guardians of privacy rights is significant. With all the change we are facing, hopefully he is correct.