Fight against spam, spyware and malicious software

Despite the passing of Community legislation banning spam in Europe, illicit online activities continue to have a negative effect on the European Union. That is why the Commission, via this Communication, is calling on regulatory authorities and stakeholders to redouble their efforts to combat spam, spyware and malicious software. The Commission hopes that the growing concern about this phenomenon will be translated into concrete measures.

ACT

Communication from the Commission of 15 November 2006 to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on fighting spam, spyware and malicious software [COM(2006) 688 final - Not published in the Official Journal].

SUMMARY

This Communication presents a summary of the initiatives adopted so far to deal with the threats posed by spam *, spyware * and malicious software (malware). It also summarises the measures that need to be taken by Member States, businesses and the EU to ensure that this problem is dealt with in a more effective manner.

ACTION TAKEN SINCE 2004

The EU recently adopted measures intended to penalise illegal online activities:

• the 2002 Directive on Privacy and Electronic Communications, which prohibits the sending of spam;
• the 2004 Communication on Spam, which details the actions intended to supplement the Directive. These actions relate to raising awareness, self-regulation, technical solutions, cooperation and enforcing the law);
• the Safer Internet plus programme on promoting safer use of the Internet and new online technologies;
• the Unfair Commercial Practices Directive, which protects consumers against aggressive commercial practices;
• meaures to raise the issue of combating spam, spyware and malware in discussions with third countries.

Action to raise awareness

Member States have launched campaigns to make users aware of the spam problem and how to deal with it. Internet service providers (ISPs) also offer their customers advice on how to protect themselves against spyware and viruses.

International cooperation

By its very nature, spam is a cross-border problem. A number of international cooperation initiatives and mechanisms for cross-border enforcement of the law have been put in place. The Commission has supported these initiatives by means of:

• the establishment of the Contact Network of Spam Enforcement Authorities(CNSA), which promotes the sharing of best practice and cooperates on cross-border enforcement of the law;
• support for the London Action Plan, which includes enforcement authorities from 20 countries and which has adopted a cross-border cooperation procedure;
• cooperation between the European Union and its main international partners (particularly the United States, Canada, China and Japan) in the fight against spam, spyware, and illegal and malware.

Research and technological development

Under the Sixth Research Framework Programme, the Commission has launched various projects intended to help stakeholders combat spam and other forms of malicious software. Such actions include:

• the establishment of a research community dedicated to malware containment;
• the development of European infrastructure to monitor internet traffic;
• the development of adaptive phishing filters which can detect unknown threats and cyber attacks.

Industry actions

Industry is playing a pro-active role in the fight against spam.

ISPs have introduced technical measures to combat spam, particularly in the field of anti-spam filters. They provide users with help desk support and software against spam, spyware and malware. In addition, most ISPs have inserted contractual clauses prohibiting online malpractices.

Mobile phone operators have introduced their own measures, in the form of codes of conduct intended to combat unsolicited messages.

Enforcement actions

The fight against spam is clearly yielding results. The filtering measures imposed in Finland have reduced the proportion of spam in email from 80% to 30%.

However, there are still substantial differences between Member States as regards the actual number of prosecutions. The authorities in some countries have launched a significant number of investigations, which had led to penalties for those engaging in spam activities. However, in other Member States, the number of prosecutions has been very small.

WORK TO BE DONE

Action at Member State level

Obstacles remain to the effective implementation of the European Privacy Directive in most Member States. For progress to be made, there is need for a clear definition of responsibilities.

Close cooperation should be put in place at the national level between the authorities, network operators and ISPs. The aim is to promote the exchange of information and technical expertise, and to encourage the pursuit of online malpractices.

In addition, international cooperation continues to be a major element in the fight against spam and should therefore be encouraged. Efforts must also be made to ensure that the necessary resources (such as online complaints procedures) are dedicated to the enforcement of the law.

Industry action

Online software offers constitute a very much employed method for delivery and installation of spyware on users' computer terminals. In order to prevent spyware from reaching end users, companies offering software products are encouraged to clearly describe all the terms and conditions of the offer and to ensure that their software complies with data protection legislation. Self-regulation and the use of quality labels can also be used to distinguish between reputable and non-reputable companies.

Companies that sell products should introduce contractual provisions that prohibit their trading partners from the illegal use of software in advertising. Also, the Commission recommends that they monitor how advertisements reach consumers and that they follow up on instances of malpractice.

Service providers are encouraged to filter electronic mail in accordance with the relevant recommendations and guidelines (especially those issued by the working group on data protection).

Action at European level

The 2006 Communication on the review of the regulatory framework for electronic communications proposes strengthening the rules on privacy and security. The Commission may also propose new rules concerning the severity of penalties for infringements.

On account of its expertise, the European Network and Information Security Agency (ENISA) has an important role to play in the fight against illegal online activities. The Commission intends to make use of this expertise to examine the viability of a European information sharing and alert system, which would react to threats to electronic networks.

New actions intended to provide better security for information systems will be launched under the Seventh Research Framework Programme.

In addition, the Commission will continue to draft agreements with third countries concerning the fight against spam, spyware and malicious software.

Background

The large-scale sending of unsolicited electronic messages continues to cause concern. Spam accounts for 50-80% of messages sent to end users. The majority originate from outside the EU (particularly from Asia and the United States), but 25% of unsolicited messages are passed on by European countries.

The worldwide cost of spam is estimated at EUR 39 billion.

Spam is not simply a nuisance for end users, it can also be fraudulent and criminal, particularly when it makes use of phishing software.

See also

Further information on the fight against spam can be found here.

Last updated: 28.02.2007