Signposts the world over warn passers-by that trespassers will be prosecuted. But as every law student knows, trespassers will not be prosecuted because trespass is not a crime. It’s a civil wrong, or tort. Committing trespass, which means interfering with another’s property, leaves the trespasser liable to be sued for compensation for any harm that results.
This ancient tort has been the talk of Internet activists recently with a court defeat in the US for Intel in its case against former employee Ken Hamidi and new anti-spam initiatives by Microsoft for its popular msn.com and Hotmail services.
The California Supreme Court ruled 4 to 3 in June that Hamidi did not trespass on Intel’s servers when he blitzed 35,000 odd Intel employees with emails accusing Intel of unfair employment practices. The court found that regardless of owner consent trespass is not committed by sending email to a network that neither damages it nor impairs its functioning. California has enacted commercial anti-spam legislation, but it was not relevant because the Hamidi emails were aimed at selling anything.
Some US constitutional lawyers have applauded the decision as pro free speech, whereas others fear it has raised the bar for companies trying to protect customers from spam. But the court went some way to circumscribe its ruling. It did not consider free speech arguments in any detail and it expressly distinguished previous US decisions accepting that commercial spam sent in such volumes that it affects the functioning of the targeted networks can constitute trespass.
The court noted that Intel’s real objection was probably the content of the emails rather than any physical consequences. That is the province of defamation rather than trespass.
As the Hamidi ruling was being digested Microsoft announced new measures in its ongoing anti-spam campaign. Spam is a massive headache for the company with some 2.4 billion emails blocked every day. The measures include better filtering in its Exchange and Outlook software and assistance to governments planning anti-spam legislation in Asia where such laws lag behind America.
The company has also launched direct legal action over 15 individual alleged spammers in the UK and the US.
A writ filed in the UK against one individual defendant reveals the extent of the problems web mail operators face when intending spammers launch “dictionary attacks” on their servers. These attacks sent test emails to computer generated target addresses to compile lists of non-rejected and thus operational email addresses, and thereby recreate part of the confidential address database.
Microsoft pleads that around 80% of email reaching Hotmail accounts is spam which means it needs to devote enormous resources, including extra employees and servers, to tackle the problem.
Microsoft pleaded that the individual had engaged in the ‘harvesting’ of addresses by attacks on its servers presumably in preparation for future spamming. As Intel did in Hamidi, Microsoft argues that this amounts to trespass. The UK writ goes on to plead breach of confidence, breach of statutory duty under the UK’s Computer Misuse Act and wilfully causing economic loss. The reliance on the Computer Misuse Act is interesting because that Act creates only criminal offences and is not normally thought of as creating civil obligations.
That Microsoft has to rely on this miscellany of causes of action, all of which originated long before spam, illustrates the problems litigation lawyers face when technology outpaces legislation. The UK is to enact anti-spam legislation in October under its EU obligations, but dictionary attacks would probably not constitute spamming anyway because the blank test emails will usually not have the necessary character.
It is not clear whether English courts will follow the limitations on trespass that allowed Mr Hamidi to get home free in the US. While case law in the two countries is divergent, the basic concepts of English and US law remain remarkably similar. The UK courts might be willing to go further than their California counterparts and find that even non function impairing bulk email can amount to trespass.
After filing its initial round of writs against UK individuals Microsoft subsequently accepted that one action was a case of mistaken identify. The individual concerned, Simon Grainger, told the BBC that he thought he had been targeted because a domain name he bought last year may have been used in spam attacks by a previous owner.
Much of the world’s spam is said to originate in Asia so we may expect similar action in that region. Both Hong Kong SAR and Korean government agencies have publicly welcomed Microsoft’s new initiatives.
Given the similarities between English and Hong Kong law, an identical writ could be filed here subject only to changing the Act to our Crimes Ordinance which creates similar unauthorised computer access offences.
OFTA, the Privacy Commissioner and the Hong Kong ISP Association joined forces in 2000 to publish an anti-spam ISP Code of Practice, but the only local legislation directly regulating spam is the direct marketing provisions of the Personal Data (Privacy) Ordinance. The key problem for web mail operators trying to utilise that legislation against spammers would be that a mere email address without additional details would not constitute personal data at all if the owner’s name were not identifiable from it. Furthermore, the obligations on marketers under that Ordinance are owed to the recipients of the marketing material rather than the owners of any conduit through which it passes.