Like almost everyone who uses e-mail, I receive a ton of spam every day. Much of it offers to help me get out of debt or get rich quick. It would be funny if it weren't so exciting.

Bill Gates, Microsoft

The Internet may have given us an unprecedented tool for locating and sharing information but it has also provided an unwelcome accomplice – unsolicited electronic commercial messages on a large scale, otherwise known as spam.

The Internet has provided us with a widely used communication tool in e-mail. Not all of us may surf the Net but many of us use e-mail to communicate. E-mail is nowadays an integral part of business communication. The more we have come to rely on its convenience and cost savings (with multiple e-mail accounts per person and more and more people around the world opening new domain accounts) - the more likely it was that we would open the doors to abuse of the technology. Some would say therefore that spam was, perhaps, inevitable.

The debate centres on the following question: in a borderless environment how can individual countries protect the privacy rights of their citizens whilst still allowing legitimate e-marketing to occur?

Despite the difficulties, a number of countries have taken steps to tackle the problem. Solutions range from the 'Club Med' styled approach of self-regulation to a more militant line that involves the quartet of public education, enhanced powers of ISPs, technological measures, and legislative provisions with considerable bite. Alas, this is no easy war; the law makers who attempt to fight spam are restrained by something that pre-dated the technology: jurisdictional borders.

This article examines Hong Kong's role in the global fight against spam. It asks whether proposed legislative measures will 'cure' the problem and, if legislation is the answer, what should be included within it.

Defining the problem

SPAM is defined as bulk e-mail messages or news articles sent via electronic mail without the recipients' prior request or consent.1

Whilst depressing news for many, the problem of "those e-mails" isn't set to go away any time soon. Of greater concern is the increasing prevalence of criminal activity (eg. phishing). The Hong Kong Internet Service Providers Association ("HKISPA") reports that Hong Kong spam now constitutes some 50% of e-mail handled by Hong Kong ISPs – a figure in line with international trends2. The problem is a global one. A recent survey of 5 million pieces of spam revealed that slightly less than 86% of spam originates in the US, 3% from South Korea, just under 3% from China and Hong Kong, a little over 2% from Canada and about 1.5% from the Ukraine. Of the IP addresses sending spam, 23% were from China and Hong Kong and another 4% were from Brazil.3

Spam comes at a price. In a recent White Paper4, the Hong Kong Anti-Spam Coalition outlined the tangible and intangible costs of spam on individuals and businesses, alike. These include: lower response rates; IT security issues; lack of storage space; waste of management time; more sluggish productivity; bandwidth cost; misused resources; decreasing opt-in rates; customer dissatisfaction; lower profitability; and user trust breakdown.

The White Paper puts the estimated cost of spam at approximately USD$9 billion annually in the United States and as much as HK$10 billion annually in Hong Kong.

Club Med or Club Fed

There is a well-known saying that "a successful person is one who can lay a firm foundation with the bricks that others throw at him." If we consider spam as the brick against Internet technology then building a firm foundation requires as much a commitment to develop a strong local stance as it does to developing a global one.

Spam has been described as a "social rather than a technological problem"5. One way of dealing with social problems that get out of control is to try and tame them by cracking the legislative whip.

A number of countries have implemented legislation to deal with the problem of spam.6 For comparative purposes we will focus on the US, European and Australian legislation. The United States introduced anti-spam legislation in early 2004. The Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003 is colloquially referred to as the CAN-SPAM Act.

The CAN-SPAM Act covers commercial electronic messages (defined as an electronic mail message with the primary purpose of advertising or otherwise promoting a commercial product or service) but does not include 'transactional or relationship messages' ie. those messages with the primary purpose of facilitating commercial transactions, providing warranty or safety information, providing information relating to a pre-existing business or employment relationship or delivering goods and services according to an agreed transaction. The US Federal Trade Commission is currently defining a framework of rules to determine, inter alia, the "primary purpose" of an e-mail message. Under current proposals an e-mail would be considered primarily commercial if its purpose is solely to advertise or promote a product or service. If a message contains both commercial and non-transactional information then the subject line and also the location of "transactional or relationship" content within the body of the message would be taken into account together with the relative proportion of commercial versus non-commercial content in order to determine the "primary purpose" of the e-mail message.7

The CAN-SPAM Act imposes a number of requirements on marketers:

  • Advertisements must be clearly labeled;
  • Advertisements must include the sender's name, e-mail address, physical address and opt-out directions;
  • False or misleading information is prohibited;
  • Address harvesting and dictionary attacks are prohibited;
  • Sexual content (with some limited exceptions) is prohibited; and
  • Messages cannot be sent through proxies or with fraudulent return-paths and received lines.

If marketers do not comply with these criteria then they are at risk of falling within the scope of 'fraudulent spamming activities', and dependant upon the nature and gravity of their action/s would be potentially liable for fines of up to $6M and up to 5 years of jail time. Fraudulent activities can also be halted by ISPs who have been given significant power to seek injunctive relief and fines up to US$1M against offenders. This is certainly the Club Fed approach to penalties.

Whilst the US penalties are commendable, the legislature's approach to consent is open to debate. There are two approaches to consent as it relates to e-mail - express prior permission due to an existing relationship between the parties ('opt-in') or alternatively, non-permission based messages provided that recipients can choose not to receive further communication from the sender ('opt out').

The US CAN-SPAM Act adopts the 'opt out' approach. The opt-out approach is lauded by many as upholding the rights of legitimate marketers and also maintaining a closer affinity with an individual's right to free speech. However, from the perspective of spamming it is worth noting the research conducted by CipherTrust which shows that spammers have already relied on a legitimate loop hole in the legislation and now make it harder for recipients to unsubscribe from spam messages by including postal rather than e-mail addresses in their opt-out message.8

At a more basic level the opt-out provision allows insufficient protection to users in non-US countries from unsolicited US-generated e-mail. The amount of spam being generated from the US has actually increased since the enactment of the new law9 due to increased reliance on infected offshore proxies to 'hide' sender details. The effect such measures have on public trust as it relates to direct marketers cannot be understated. Equally, given the role of public education in the fight against spam, the opt-out rule does appear to stand at odds with educational efforts which recommend that recipients of spam e-mail should not reply to a spammer as such reply merely confirms the e-mail address.

In legislating against spam, Europe and Australia have adopted the opposite approach to consent and a wider definition of what constitutes spam. The EU Directive on Privacy and Electronic Communications (2002/58/EC) and the EU Directive on E-Commerce (2000/31/EC) define a 'commercial electronic messages' as including, in addition to e-mail, SMS, MMS and IM. If fraudulent activity or spamming is proved, sanctions are determined by the individual Member States but the latter Directive states at Article 20 that "such sanctions … shall be effective, proportionate and dissuasive". Similar to the US, the Directives require messages to be clearly labeled as an advertisement and to include the sender's name, physical address and opt-out directions. There are also prohibitions on disguising origin. The Directives and the Australian legislation – the Spam Act 2003 - adopt an opt-in approach to user consent. The Australian legislation also prohibits the use or circulation of harvesting addresses or harvesting tools.

Whilst the Australian and EU approach are stricter in terms of consent, they fall down when it comes to penalties. In the European Union the level of penalties varies from Member State to Member State depending on the provisions in such Member State. In the UK, for example, an offence at the Magistrate's level stands at £5,000 (US$9,112) and can be (in theory) referred to a higher court for a limitless fine, while in France penalties include a maximum fine of €90,000 (US$108,539) and a three year jail term. By contrast, the Australian SPAM Act imposes a US$156,219 penalty for a repeat offender (US$44,000 for a one off offence) or at an organizational level US$780,667 for a repeat offender (US$156,219 for a one off offence).

A Multi-Faceted Approach

Legislation in isolation will not curb the problem of spam. A multi-faceted approach to dealing with spam is the only effective way to target the issue as this allows privacy rights to be upheld whilst also promoting responsible online direct marketing. This multi-faceted approach should include voluntary codes of conduct, the use of technology and also public education.

Voluntary codes of conduct.

Codes of Conduct are becoming increasingly prevalent. In February 2000 the Hong Kong Internet Service Providers Association issued the Anti-Spam Code of Practice. In June 2004 a coalition of leading Internet Service Providers (Yahoo, Microsoft, EarthLink, America Online, British Telecom and Comcast) announced a proposal of best practices for sending and filtering email. Similarly in Australia, the Australian Direct Marketing Association ("ADMA") industry lobby produced a draft code of practice for members in August 2004. The Australian Code aims to reduce complaints about spam e-mail. In addition to the ADMA code, the Industry Association is working in conjunction with the South Australian and Western Australian Internet Associations on behalf of the Australian Communications Authority while the Australian Communications Industry Forum is developing anti-spam recommendations through its Piracy Advisory Group.


Technology has the ability to act as a surrogate police force via ISP controls, filters, cryptographic developments, sender ID, black lists and network management solutions (including authentication and technical tools) but Carl Hutzler10, Director of Anti-Spam at AOL admits that this is "an escalating technology war … and a high-level cat and mouse game".

There are a number of examples where the ISPs (who really are at the front line of spam given their role in relaying information across the Internet) and other companies reliant on the medium have demonstrated good corporate citizenship by working alongside their customers to safeguard them from further risk and cost. A recent example: eBay's Web Caller ID which allowed users to verify the authenticity of a Web Site. eBay released the tool to the public11 to protect them from the increased risk of phishing attacks by online perpetrators who set up websites in the guise of the well known online auctioneer. It's a step up from blacklist technology and another example of companies and the public working together to overcome the problem.

In the United Kingdom ISPs have adopted a code of practice that allows them to shut down e-commerce sites that distribute spam regardless of how and from were the spam was sent. The initiative is directed at stopping spammers hosting their e-commerce with a reputable ISP but sending spam from an alternative network. There is also precedent to the suggestion that global collaboration is possible. The London Internet Exchange ("LINX"), for example, introduced a Best Current Practice document ("BCP") on spam in 1999. The BCP received endorsement from RIPE, the Internet policy-setting body for more than 90 countries across Europe, the Middle East, Central Asia and Africa. By the Year 2000, the BCP had become the basis for an increasing number of anti-spam standards. In another promising move, the OECD countries have set up a task force to address spam at the global level; the task force recognizing that close international cooperation is essential in any attempt to contain spam. Other examples include the International Chamber of Commerce (ICC) that offers a global inventory of opt-out and reporting facilities in 26 countries and the SPAMHAUS Project which tracks the Internet's Spammers, Spam Gangs and Spam Services and works with global law enforcement agencies to locate and prosecute (where possible) spammers.

This mutual cooperation is integral if enforcement is to be effective (albeit potentially problematic given political tensions in some countries that may be reluctant to enforce deportation orders or indeed allow the requisite evidence to be collected from their jurisdiction).

The Role of Education

Any approach to spam needs to remain cognizant of the rapidly developing technologies behind it and the number of spammers who are as adept at side stepping the law as they are at developing new methods of reaching your in-box.

Educating consumers about their role in the fight against spam is an integral part of the process. Consumers need to: (i) understand what spam is and how to respond to it; (ii) understand what tools they have available to them on their PC's to filter and block spam (eg. Beysian filters and key word technology); (iii) be made aware of local services that can assist eg. OFTA and a number of service providers allow users to register their phone numbers on 'not-to-call' lists12; (iv) check ISP contracts to ensure they contain provisions pertaining to anti-virus protection and anti-spam features; and (v) have ready access to complaint channels.

Hong Kong

There is no legislation in place in Hong Kong that deals directly with spam. Hong Kong currently relies on industry self-regulation which includes initiatives by the following organisations:

  1. Hong Kong Internet Service Providers Association (HKISPA) [February 2000]: The Anti-SPAM Code of Practice;
  2. Mobile operators [December 2001]: The Code of Practice on Handling of Unsolicited Promotional IOSMS under the Code of Practice for Inter-Operator Short Message Service (IOSMS); and
  3. Local wire-line FTNS network operators [revised January 2004]: Code of Practice setting out the standard procedures for handling complaints against unsolicited fax advertisements.

In light of the growing cost to individuals and businesses alike, the call has increasingly been made to allow the law to assume a more prominent role.

Hong Kong Consultation Paper on Spam

In June 2004, in response to the growing problem of unsolicited email messages, OFTA released a Consultation Paper on Spam13. Views and comments should be submitted to the Government by 25 October 2004. In particular, the Government seeks comments on the following:

  1. The extent of the spam and the loss in monetary terms to individuals/business;
  2. The extent of industry co-operation and whether Codes of Practice should be voluntary or mandatory.
  3. The role and scope of a user education process
  4. Available technical solutions and their effectiveness; and
  5. The pros and cons of a legislative approach to combating spam.

Legislative framework in Hong Kong

Should Hong Kong choose to legislate against spam then there are a number of provisions within the existing Hong Kong legislative framework that provide some precedent value. No provision in existing legislation however, specifically tackles the issue of spam or can be interpreted to cover spam.

The following Ordinances provide limited guidance:

Summary Offences Ordinance (Cap 228) s.20 - deals specifically with telephone calls, or messages and telegrams.

Control of Obscene and Indecent Articles Ordinance (Cap. 390) – relates to content, specifically that which is obscene and indecent.

Personal Data (Privacy) Ordinance (Cap. 486) – s.34 is the closest Hong Kong has to a law that regulates direct marketing. Of note, from an anti-spam perspective, the provision refers to an "opt out" right which may have some influence on the longer term debate in Hong Kong regarding consent.

Telecommunications Ordinance (Cap. 106) s.27A – relates to hacking (rather than the act of sending spam).

Crimes Ordinance (Cap. 200) ss.59, 60 & 161(1) – deal with misuse of computers, destruction of property and accessing a computer with the intention to commit an offence (note however that these provisions were not intended to criminalize the act of sending spam email per se).

Existing research

In any move to draft local legislative measures it would also be remiss to overlook a large body of research already undertaken. In March 2000, in response to the increase in computer crimes cases14, the Government of the Hong Kong SAR established an Inter-departmental Working Group on Computer Related Crime ("the Working Group").

The Working Group, with representatives from various Government bureaux and departments, was tasked with studying the adequacy of Hong Kong legislation in dealing with computer and Internet crimes and identifying areas where changes would be required. In September 2000 the Working Group submitted a report of its findings. The report was released for consultation on 1 December 2000. The Report reported on the potential benefits of ISP collaboration given the use of accounting and session records in the investigation of offences. The Working Group therefore recommended that assistance should be given by ISPs to law enforcement agencies as follows:

  1. ISPs should check subscriber details at the time of registration; rather than introducing statutory provisions administrative guidelines to this effect (and compatible with the privacy safeguards contained in the Personal Data (Privacy) Ordinance) should be drawn up. The guidelines would specify the details that would be required at the point of opening an Internet account and the details that would need to be kept as long as the account is being maintained and for a reasonable period after the account is closed;
  2. ISPs should be encouraged to keep log records including the calling numbers as a good management practice but no mandatory requirement for all Internet transactions to be tracked by the caller line identification function or caller number display function should be adopted;
  3. Both the Government and ISPs should encourage Internet users to make use of PKI but this should not be a mandatory requirement;
  4. ISPs should keep log records for a reasonable period of time i.e. six months;
  5. As content providers, ISPs should be responsible for any contents they may provide but as carriers, ISPs should not be responsible for the contents of messages or sites they carry;
  6. Relevant Policy Bureaux should examine the feasibility of putting in place take-down procedures for infringing copyright material, gambling content and pornographic materials;
  7. As a multiple log-in facility carries some security risk, ISPs should be encouraged to set their system default to deny multiple log-in but only offer this facility as an option;
  8. ISPs and law enforcement agencies should improve their communications to encourage the exchange of ideas on cyber security.

While not all the suggestions in the Working Group would be appropriate, a careful review of the report would be advisable before any drafting of anti-spam legislation is embarked upon.

Finally, as mentioned above, the effectiveness of any anti-spam legislation very much depends, on the penalties imposed and the ease and willingness of authorities to enforce the laws15.

Section 113C of The Criminal Procedure Ordinance in Hong Kong outlines the range of fines from a level one offence ($1 to $2000) to a level 6 offence ($50,000 - $100,000). It is therefore interesting to consider that should Hong Kong adopt anti-spam legislation the potential penalties would be on par with the UK but well below those in other countries such as the United States of America.


Hong Kong, like every other country in the world, is facing an unprecedented challenge in the form of spam. The current system of self-regulation is fast proving an ineffective deterrent and legitimate direct marketers are at risk of losing public trust.

Whilst legislation may be an effective tool in dealing with the problem, the global nature of spam requires a multi-faceted approach to manage both the costs and privacy concerns it generates. A number of countries have already taken steps to tackle the problem and the precedent value these countries offer will assist Hong Kong in adopting a solution best tailored to local conditions.

© Gabriela Kennedy and Katrina Partridge (September 2004)
The authors are Partner and Professional Support Lawyer working in the TMT Group at Lovells in Hong Kong. For any questions regarding issues raised in this article please contact either author by clicking on the Lovells link at the top of this page.

Table 1: Anti-spam legislation by country












Unsolicited commercial e-mail

Other electronic communications containing adult material

  • Clear labelling as an advertisement. Including the sender's name, e-mail address, physical address and opt-out directions
  • Transmission of e-mail to user who has opted-out is prohibited
  • Prohibition of harvesting

Fines up to KRW 10,000,000
(US$ 8,574)


Specific E-mail Law17

Commercial Transactions Law18


Unsolicited commercial e-mail

  • Clear labelling as an advertisement. Including the sender's name, e-mail address, physical address and opt-out directions
  • Transmission of e-mail to user who has opted-out is prohibited
  • Prohibition of dictionary attacks

Fines up to: JPY 500, 000
(US$ 4,549) for failure to comply with warning


The Spam Act 2003


Commercial electronic messages
(e-mail, SS, MMS, IM)

  • Clear labelling as an advertisement. Including the sender's name, e-mail address, physical address and opt-out directions
  • The use or circulation of harvested addresses or harvesting tools is prohibited
  • There is an exemption for entirely factual mail

1st offence (individual):

AU$ 44, 000 (US$ 31,244) per day

Repeat offence (individual): AU$220,000 (US$ 156,219) per day

1st offence (organisation):

AU$220,000 (US$ 156,219) per day

Repeat offence (organisation): AUD1,100,000 (US$ 780, 667) per day









The European Union

Privacy Directive19

E-Commerce Directive20


Commercial Electronic Messages (e-mail, SMS, MMS, IM)

  • Clear labelling as an advertisement. Including the sender's name, e-mail address, physical address and opt-out directions
  • Prohibition on disguising origin
  • Opt-in consent except for an existing customer who has not opted-out.

Depends on Member State Legislation


UK: £5,000 (US$ 9,112) at Magistrates court. Organisation can be referred to higher court for limitless fines.

Italy: up to €90,000 (US$108,539) and 3 years prison term










CAN-SPAM Act 200321


Commercial electronic messages22

(not including 'transactional or relationship messages')23

  • Clear labelling as an advertisement. Including the sender's name, e-mail address, physical address and opt-out directions.
  • Prohibits false or misleading information
  • Prohibits address harvesting and dictionary attacks
  • Prohibits sexual content with some limited exceptions
  • FTC24 cases: fines up to US$11,000 per violation
  • State AG25 cases: injunctive relief and fines of up to US$250 per violation (maximum US$2 million)
  • ISP26 cases: injunctive relief and fines of US$25 per violation (maximum of US$ 1 million)
  • Attorney's fees
  • Up to 5 years prison sentence


1 Definition supplied by the Hong Kong Internet Service Providers Association (HKISPA)

2 A Lake "Is spam an issue in HK? HKISPA's survey of ISPs", Paper presented at Anti-Spam Forum 'To Regulate or Not', 13 January 2004, Hong Kong. SPAMHAUS ( in an article titled "Follow Australia" (19 July 2004) suggested that SPAM may constitute upwards of 76% of all e-mail.

3 G Gross "Survey: 86% of spam comes from the US", Computer World, August 12, 2004

4 STOP SPAM (Hong Kong Anti-Spam Coalition) White Paper "Legislation: One of the key pillars in the fights against spam", January 2004

5 As described by David Crocker, one of the founders of e-mail and a leader in promoting Internet standards for more than thirty years.

6 See Appendix 1

7 R Lieb "FTC Seeks Comments on 'Primary Purpose' of E-mail, 11 August 2004 a

8 G Gross "Survey: 86% of spam comes from the US", Computer World, August 12, 2004

9 S Olsen "US Cooks up Most Spam", CNET, August 24, 2004

10 Speech by Carl Hutzler, Director of Anti-Spam Operations, America Online Inc "Experiences with Spam in the US: Lessons for Hong Kong", Hong Kong General Chamber of Commerce, 7 September 2004

11 J Vijayan "Antiphishing tool adopted by eBay now available to general public", ComputerWorld (story #48811) 17 August 2004.

12 See also recent initiatives in the UK to tackle the problem of unsolicited telephone calls for direct marketing purposes. The Corporate Telephone Preference Service (CTPS) is a central opt-out register and was established on 25 June 2004. Further information can be downloaded at

13 "OFTA Consultation Paper, Proposals to contain the problem of unsolicited electronic messages", June 2004.

14 The report released by the Working Group states that the number of computer crime cases handled by the Police and the Customs and Excise Department increased from 21 cases in 1996 to 318 cases in 1999.

15 Consider for example the penalties imposed by Australian legislation. Fines exist of US$157,000 per day for individual repeat offenders and US$780,000 per day for organisations who repeatedly contravene the Spam Act which reflect the legislative intent that spam must be made uneconomical for the businesses perpetrating it. Compare with Japan and Korea whose fines of US$4,500 and US$8,500 respectively offer little incentive to deter commercial spammers. USA and Italy also include criminal penalties for serious offenders. Whether these are enforced remain to be seen.

16 Act on Promotion of Information and Telecommunication of Network Use and Protection of Personal Information

17 Law Regarding the Regulation of Transmission of Specific E-mail

18 Law Regarding Specific Commercial Transactions

19 EU Directive on Privacy and Electronic Communications (2002/58/EC)

20 EU Directive on E-Commerce (2000/31/EC)

21 Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003

22 An electronic mail message with the primary purpose of advertising or otherwise promoting a commercial product or service

23 I.e. those messages with the primary purpose of facilitating commercial transactions, providing warranty or safety information, providing information relating to a pre-existing business or employment relationship or delivering goods/services according to an agreed transaction.

24 Federal Trade Commission: jurisdiction over instances of unfair or deceptive trade practices

25 State Attorney General: for cases of state-wide importance

26 Internet Service Provider: for cases where a particular provider is affected

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.