Regulation and Mitigation of Unwanted Communications (e.g. Spam)
03 September 2014 - A Best Practice Forum on Regulation and Mitigation of Unwanted Communications in Istanbul, Turkey
This is the output of the real-time captioning taken during the IGF 2014 Istanbul, Turkey, meetings. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
[ Joined in Progress ]
>> MYLA PILAO: So that's the good news. A lot of this is attributed, a lot of the botnets and CNC that have been discovered over time, I belong to a company.
[ Off Microphone ]
Trying, which is an Internet security solutions provider for the last 26 years and I can guarantee the botnets on a local and regional basis help significantly reduce the number. However, there is good news, there is also bad news. Part of that is today, the bad news is we still see even in the tremendous decrease of spam, there is still few but I'd call them deliberate spam run campaigns and for those who are technical in nature you know that campaigns are more deliberate, targeted, they're obviously not the one time big time thing. They will be there for many times, they will try to get the good foothold on everyone's network to stay there long‑term so even if there are few, they linger on. These are just some of the other bad news, even if there are very few in terms of campaign and method. They become probably the few and the most successful spam campaigns so some of the names in front of you. You've heard about this invisible ink, hidden URLs, forwarding of header, but I'd like to pay particular attention to black hole exploit. This is a new discovery in the last two years. It is very strong because unlike spam that is maybe low level in technique or in disruption, black hole attempts to focus on lets mat companies and have been very, very deliberate in focusing their message so that it becomes more attractive to their target and to their market. So some of the figures that we've just released in our last report next slide please. I don't think the clicker is working. Next slide.
Next slide, please.
[ Internet disconnected ]
‑‑ some of this problem. I always come with the bad news and the point is it's going to be very tough for us because it's all about the money. As I say in front, a lot of the organisations that are behind this are doing a lot of how to say this, have been perfecting a lot of this technique as a result. On the next slide you can see that in the underground community ‑‑ the next slide, please.
Thank you. On your slide here you can see that the mere fact that it is will not go away is because of the fact that the underground Cybercrime industry is getting a lot of money from here. In front of you is an underground service prices on how much it cost. If we were probably in this room ten years ago this is running on three to six figures but today as you can see if you want to buy a spamming method technique in the underground community it can go as cheap as $13 to about $100. On the next slide, you can see they have turned around as well in providing spamming as a service. You can just push the next slide, Sir.
Sorry for this.
You can see also that the underground community is offering a lot of services. Ordinary people who are obviously have the intent to disrupt the service can just buy from the community, this cybercriminal community, spamming services which means that if I want to spam a specific country, a specific institution, most of the service is already available in this, as cheap as $10, as pricy as about $50,000, and here you go. Depends on what kind of spamming technique do you want. My bottom line is spam is still probably sexy in the eyes of a lot of cybercriminals because as I said they're able to convert all the clicks that we do and all the redirections that we do into money, and the challenge is: How much regulation is in place? Our best practices and our guidance are adept as to what we see as the new form of techniques and methods that they're using. Thank you.
>> KAREN MULBERRY: Thank you very much. Next I have Yiannis, who can provide some perspective from the mobile industry.
>> YIANNIS THEODOROU: Thanks, Karen. Hi, everyone. I'm Yiannis Theodorou. I'm a Public Policy Manager of the GSMA, which is the mobile industry global trade body based in London. I'd like to start by congratulating the contributors and authors of the paper, because I think it captures in‑depth the key issues, challenges and best practices around spam.
[ Technical issues ]
I think it misses the mobile elements. And I think that would add value if there were included a subsection or perhaps a case study outlining I guess the industry's approach to tackling mobile spam. By that of course we mean SMS and MMS related spam. That's for example bulk SMS messages being sent that are fraudulent or intended to encourage consumers to call or text a premium number, and then obviously incur a large bill charge for the month.
Before I go into outlining the mobile perspective, I'd like to suggest a statement which I think captures the essence of the paper, and that is that to successfully combat spam, we need the willingness of all parties involved to both act and cooperate. By parties, I don't just mean the networks. Also Governments and regulators.
Now, in the mobile space, this concept of action and cooperation is what led to the GSMA's spam reporting service initiative. We've been around since a few years ago, and have already stopped thousands of spammers. But first, just to give you a brief history of mobile spam, why has mobile spam been on the rise?
And there are three reasons for that. Firstly, mobile is a very easy platform for spammers to reach mass audiences. Secondly, it's a trusted and well monitored platform because you and me and everyone carry their mobiles with them 24/7 so it's much more likely for someone to respond with a text near your time. And of course, the cost of sending spam has plummeted in the last few years, in part mainly because of the all‑inclusive, unlimited SMS plans that are bundled with a mobile phone contract, for example.
Now, in 2006, many mobile operators came together acknowledging the challenges, and developed and signed up to a code of practice, so it was 8 years ago, and that code of practice included a number of commitments obviously against fighting spam. And one of those commitments for example was to include anti‑spam provisions in their contracts with third parties, a commitment to cooperate between them both nationally and internationally, a commitment to educate consumers on the issues in terms of technical measures, commitments to filter out spam if they know what to filter out, and obviously shut down SIM cards once they are identified as spam sources. This commitment led in 2009 to the initiative mentioned, the spam reporting service, which is essentially a complaint and intelligence gathering tool but does again three things.
Firstly, it captures reports from subscribers so basically you get a text and you forward it to a specific number, in the U.K. that's 7726, so you forward the spam. Then this tool analyzes the reports and matches them against known attacks, and if there's no match, they save that report for future matching and future comparisons. And lastly, the tool also includes a dashboard which displays in real time to whoever has access to it the real-time statistics showing the various spam attacks, the level of threats, where the spam attack has originated, destination, and a bunch of other numbers which are really helpful for two reasons.
One is these numbers help operators target and invest in tools and measures that are better I guess at specific threats, and also the numbers are shared with Government authorities who can then prosecute spammers effectively in court, so they act as concrete evidence against spammers for prosecution, so that's again showing how both the action and the cooperation that I spoke about earlier are combined to reach successful outcomes.
Now, over the past 5 years, the SRS was initially adopted in the USA, and since then operators in New Zealand, Brazil, Argentina, and the U.K. have adopted it. Today among them the operators who are signed up cover between them more than half a billion consumers, but clearly that's not enough, and we want Governments and operators around the world to also join the initiative and sign up to the SRS so we can achieve the outcomes.
And to sum up, there are three things that one can achieve with this approach. First of all, consumer trust. If you do that, consumers will stick with you, gathering intelligence, as I mentioned both for the operator's perspective and empowering the tools and the filter process and also to help governing authorities catch criminals and spammers and of course the final things is savings because operators by having this tool they can save money from cutting the cost of delivering redundant messages.
In terms of next steps, clearly the objective is to establish a broad international sharing community enabling operators and Governments to act effectively against spam globally. We're actively promoting the value of the SRS by conducting in‑country workshops to showcase the value and how easy it is to use the dashboard I talked about, and encourage mobile operators and governments to support the initiative, and the Action Plan and are in contact with various Government authorities around the world on behalf of our members.
In fact, it's in the U.K. Parliament where I work and finally as far as Governments are concerned I think there are three or four recommendations I would put forward to them. One is which I'm sure they're raised in the paper later on, one is to define clear laws. So what's illegal and what's not illegal. Secondly, to work with the advertising industry to develop advertising codes of practice. Thirdly, to give clear powers to their law enforcement agencies so that they can act to use the information gathered and effectively prosecute spammers.
And also impose monetary penalties to deter the crime. And finally, we urge Governments not to regulate traffic limits or impose limits on the number of SIM cards that can be sold to each consumer because that wouldn't solve the problem. The spammer would just buy more SIM cards and carry on spam so that's no solution and I think that's my contribution, so thank you very much.
>> KAREN MULBERRY: Thank you, Yiannis. I appreciate the information. I think it will be valuable to move forward into our draft report. Next I have Julia who will talk about the Australian perspective and some comments they have on what we have.
>> JULIA McKEAN: Sorry. My name is Julia Cornwell McKean. I'm from the Australian Communications and Media Authority, where I wear two hats. One is the investigations around communications, and the Manager of our Internet security programmes, including the Australian Internet Security Initiative. I'm also honoured to be representing the London Action Plan. I'm also an academic. In fact I will shortly be submitting my Ph.D. dissertation so it's from that approach I would like to take the paper that we're considering today. The first phase in an academic approach is to define terms for present purposes, I want to ‑‑ I'll set this aside because the definition of "spam" is one for further discussion.
The second phase is to define our aim or our mission and I think that's important. I think that our mission could be to ensure confidence in e‑mail as a communications means for both commercial and personal use. And out of that form some objectives. Firstly to minimize and mitigate against detriment for citizens as a consequence of spam. And secondly, to minimize and mitigate against detriment for business as a consequence of spam.
In my mind, there are two questions that arise out of that that we need to consider. Are we trying to stop spam reaching in‑boxes? Or are we trying to stop spam being sent? I suspect it's a bit of both but I think that we need to understand what it is that we're trying to do.
When the Australian Government introduced legislation in 2003, some 11 years ago, it was always envisaged that legislation would only ever be part of the solution. In fact, our Parliament set out five strategies, a multilayered strategic approach, to combating spam. One part was strong legislation that was enforced. Then there was education. Industry partnerships, technological solutions, and international cooperation.
And while the threat has evolved with the focus of spam moving sharply away from the delivery of messages containing adult content or promoting pharmaceuticals, delivery of malware that we know can have a far greater impact, stealing credentials and distributing even more spam to name a few things, these strategies actually still hold true. I always like to return to first principles and I think there were a good set of principles that we can use others to use in other developing economies using lessons those of us who have been around for a while have learned.
Indeed I've always said that education is the number one strategy in the fight against spam, starting with the very basic message that if you don't recognize the sender, or you're not expecting a message, don't open it, and don't open any of the attachments. However, the message is becoming increasingly complex for citizens with the backdrop of extending life cycles for computer software. Indeed some of the life cycles are ending in terms of support for operating systems, and I note a particular concern I have in terms of education is there are a large number of systems still operating on Windows XP which is no longer supported. It's an issue both in developing countries and developed countries and it's one which leaves people with vulnerabilities and could impact on the spam problem more broadly.
However, I digress. Legislation may be a good step for many economies but that can only be if there's an appetite and resourcing for an adequate compliance rewards strategy. Compliance and enforcement strategy need not be one ‑‑ at the end of the day the objective is to stop spam and you need to be able to do that with minimum intervention so there are low cost effective strategies that can be considered if that appetite and resource exists.
At the moment I won't speak about technological initiatives or industry partnerships, because I know that I've dealt with some of those in some of the postings that I do for these groups, and I suggest that some of you may like to read those further. However, I would like to conclude by referring to international cooperation.
Today I represent both the ACMA and the London Action Plan, an international group of industry and enforcement. There have been cases, successful ones at that, where multiple jurisdictions have focused on a single respondent. I know we hear many times about the case involving ‑‑ and I'd like to call in my friend Lance. It's cases such as these which have opened a dialogue between participating agencies to allow for the sharing of the information and technology. However, it should be noted in these times of austerity in public programmes unless there is a particular strategic reason for us all to focus on a single respondent that it may be more useful for us to share information allowing us to broaden our access to enforcement and perhaps focus on it broadly.
>> KAREN MULBERRY: Thank you very much. Next is Christine who will provide some perspectives on what Brazil is doing to better manage their spam issues.
>> CHRISTINE HOEPERS: As Karen said I work at ‑‑ a lot of people ask what's our interest in fighting spam. It's basically in 10 years ago ‑‑ but the main interest from our perspective is really about spam just goes on because spammers and criminals are using the Internet and we need to catch them.
And if you know it's all about money, they make so much money because it's so cheap to send spam and it's so easy to use the infrastructure. So this is one of the major points and perspectives that we are seeing. But the whole anti‑spam work being done in Brazil, it was coordinated by the Internet Community that was mostly consumer protection organisations. We have other organisations that join our clients who have experts. And the first step was to understand what was the problem because if you just go for one solution maybe it's not the best for your country so in the case of Brazil, we did some extensive studies and we saw that as we suspected we didn't have Brazilian ‑‑
So really clear legislation could be effective for some other local problems like having local standards for doing that ‑‑ .
But the major problem that really ‑‑ we used to be number one in the world for a long time and it was really to take technical measures and this is one of the points I don't think there is ‑‑ to fight spam but you need to think and you need to analyze for the specific problem you have what is the best solution. From some studies that we're ‑‑ 11 countries and others that partner with us we are seeing there is this trend that developing countries are being ‑‑ because of technical measures but we're still seeing a lot of developing countries coming from some others, so from the ones that are using this legislation to go off the spammers themselves, those few that are doing different things that would be one but from us that are being used we really need to higher the stakes and make it more expensive for people to send spam. They shouldn't be able to use our programme. In fact everyone ‑‑
And this was a major ‑‑
[ Captioner cannot hear the speaker ]
But we also work in self‑regulation for ‑‑ although there are not so many issues, not such a volume as the other spam, we are not generating spam for others. At the same time, there is some legislation, but that is ‑‑ and didn't prevent us from stopping ‑‑ we took some actions on regulations.
And policies on ISPs and hostings can help a lot for others because spammers need to host their companies somewhere. So it's a mix of policies and practices, technical measures that had to discuss the law. There was a lot of discussion about why it would not be bad for them ‑‑
It was the consensus that ‑‑
[ Audio technical issues ]
‑‑ can help other countries to see what we did and the whole multistakeholder ‑‑ and help move forward to get the Internet clean, or at least ‑‑ this is just a short ‑‑ where do I start? You should probably start where it makes more sense ‑‑
[ Audio technical issues ]
>> KAREN MULBERRY: Thank you, Christine. Next I have Betsy Broder from the U.S. Federal Trade Commission to speak about their perspectives.
>> BETSY BRODER: Thank you, Karen, and it's a pleasure to be here. I'm going to try to be very brief because I know all of you have a lot to share, as well and we want to spend as much time as possible hearing from you and getting input on the report, and steps forward. So I will be ‑‑ I will try to be brief. It's hard as a lawyer to be brief because we're usually paid by the word but I'll do my best here.
So I'm from the U.S. Federal Trade Commission, and we are fundamentally a consumer protection law enforcement Agency. The history of the FTC dealing with spam is maybe a microcosm of the problem of spam as it's developed over time so maybe our experience could be illustrative and helpful in our discussions. About 11 years ago, our Congress passed a law called CAN‑SPAM, and those letters stand for something, but I can't quite remember what, and it did not outlaw spam. It said consumers should be able to opt out, subject line and header information needs to be accurate, and that adult content needs to be properly labeled. There were other provisions, as well.
At that time, the problem that Congress was addressing was that people's e‑mail boxes were filled with commercial advertisements that people found a nuisance, and unwanted, and so that dealt with what we'll call the nuisance problem, the clutter problem of spam. At that time, the London Action Plan, also called LAP, was organised, and as Julia said, it's an interesting and remarkable group, because it's not simply Government representatives, but it's also consultancies such as Wout is a member and Michael O'Reirdan is a member.
Do you represent the MAAWG, the Messaging Malware and Mobile Anti‑Abuse Working Group, GSMA, so it brings together people from various perspectives, but also with different tools for addressing the problem.
So at that point again the problem was a nuisance but over the last 10 years, the problem has been migrated in a different way so I would say in terms of the enforcement of our law, that's less of a priority at the FTC. Oh at this point I'm supposed to say my comments are my own and don't necessarily reflect those of the Federal Trade Commission.
So the problem has migrated. As Yiannis has said it's gone from one platform to another. It's gone from just your e‑mail box to your mobile device. There's an emergence of spam‑related type problems on social networks, and so we need to be agile. We need to understand what all the tools are, so the purpose and the focus often in the London Action Plan has changed and migrated as threat has changed but at the same time we're very much focused on working with organisations, regulatory bodies, interested parties, on how they see spam at this moment.
We understand that the development of spam and its impact differs in different economies. We're very much aware and responsive to that. One of the initiatives that the London Action Plan hopes to pursue with Internet Society, ISOC, is a mentoring programme so for those in the London Action Plan who may be more technologically oriented for them to partner with others from other economies who are interested in learning about how to implement technological solutions, what certain policy initiatives might be. For those who have another interest in a regulatory function, we hope to partner that way so maybe that's something that we can talk about further.
So over the course of 10 years, the threat has changed, the nature of the threat has changed, and our response has changed but one thing has remained constant, and that is that there is no silver bullet. There is no single way of addressing this problem, and I think that's what we hope to hear from as we proceed that education is important, technology is important, enforcement is important. We all do what we can to approach the problem from our various perspectives, but we also need to do it together, because as Christine said, it's not simply what you see within your borders but what is coming from other nations.
I guess just the last point I would put is that that is why it's so important that we talk to each other, so that we are able to coordinate, we're able to share information in accordance with what our National laws allow, and we can coordinate whether it is talking about what the threats are, what the solutions are. So I hope that we get a lot of collaboration out of our process today and that we come up with ways of working in partnership so that we can be more effective to protect both our consumers and those in everyone else's country. Thank you.
>> KAREN MULBERRY: Thank you, Betsy. Next, Michael O'Reirdan and he'll talk a little bit about industry organisation that focuses specifically on spam and other network threats.
>> MIKE O'REIRDAN: Hi, I'm Mike O'Reirdan. I'd like to really start off with a perspective on spam because the fact is, it's not very hard to do. I mean, you don't often get prosecuted for doing it with all deference to regulators in the room. Quite a lot of people get away with it and unlike a bank robbery you don't get shot when you try to do it. So there's an awful lot of really cool outsourced services. I think from Thailand and we can name some of them but there are services which allow you to rent space on a bot. Once you've rented a space on a botnet there's really neat control panels that show you how effective you are at delivering spam. It's almost like being a valid e‑mail center. Oh yeah, we got those through to Comcast, we hit Yahoo! with a few million. They offer templates so you can make your spam look pretty. There are services which offer calibrating services so that if you're one of these ISPs that offer free accounts where CAPTCHAs protect the account generation service, you can be creative of thousands of accounts. It's sold so much per thousand on the appropriate underground Forum. So what we're talking about is something that has a pretty low cost of entry, has very decent outsource service supporting. You might call it rather a modern business model.
[ Technical issues ]
>> There's a public comment section going on and it doesn't end until the 5th of September right now, although there's discussion about potentially extending that public comment cycle so all of you in the room will have an opportunity to review the report and provide comments on the content.
Now, in that light, we have some comments to deal with right now that I thought might be useful for our discussion today for the time we have remaining. And the most significant one started in the beginning of the report in terms of the definition of the issue. And Michele has raised it and several of the other of the speakers have raised the issue and that is what is it. This is what is it in the context of what we're trying to produce in this document.
I don't know if they can pull the document up on the screen or not. But you will see in the beginning of our draft. There is some mention of unwanted e‑mail. There's also context where we use unsolicited communications. Many approaches have been used to define what it is, in essence known as spam. I think it would help us as we move through our work if we could reach some sort of consensus on ‑‑
[ Audio technical difficulties ]
Is it unsolicited? The majority of the comments we see so far to use unsolicited. I can also tell you ‑‑
[ Audio technical difficulties ]
>> I don't want to get a bill from my phone provider. I don't want that hot girl to say no to going out with me tonight. I don't want to discover that my friend has cancer. These are all things I don't want. It's very, very different when it's unsolicited so I think unwanted as a choice of words, I think it can be inappropriate.
>> KAREN MULBERRY: Do we have any other opinions on whether it should be at least from the context of outcome report, on unwanted things or unsolicited things?
>> So I was asked for my view. We're referring to National location information.
[ Audio technical difficulty ]
Is that from January 1st next year, there will be the Treaty that will be in force ‑‑ and for me the spirit of the paper which ‑‑
[ Captioner unable to hear ]
From our perspective ‑‑
>> KAREN MULBERRY: Thank you very much. Based on the discussion so far, it seems to be ‑‑ are there some comments? Please.
>> UGO AKIRI: My name is Ugo. I'm from Nigeria. Until recently I worked for a company in Nigeria. They manage and run a registry ‑‑ registrar system, and I discovered that some time in the process, there are times I had to send bulk e‑mails, okay, and to our registrars, to the registrars of the ‑‑ and sometimes after you send those communication a registrar gets back to you to say: I didn't receive your mail. I guess it's trying to prevent something like the spam, whether it's going to be called unwanted or unsolicited and sometimes you send mails to them, they don't receive it either. So I think while we're discussing this, such factors should be taken into consideration because it's not all of the time that unwanted e‑mails or unsolicited e‑mails are spam or illegal or something. That's one.
Somebody made an allusion to 419. 419 is a Nigerian problem. Somebody also said something about the spammers have to have a place to host their content. I'll tell you what was done in .ng. It is not attractive to spammers or scammers. If the people who do 419 e‑mails are likely not to be doing it from a .ng Domain Name. Because from the moment it is discovered, the Domain Name will be taken off for certain. There's a policy position on that and so you discover that most of the spammers in Nigeria, they operate from a Yahoo! account.
So I think it's something the gTLD or the ccTLD have to take policy positions about. Sorry, you disagree? Okay.
But I think, well, that's how we have been able to tackle it. .ng is not attractive to people who want to send ‑‑ who want to scam, you know? It isn't. Thank you.
>> Given that I was the person that raised the 419 issue, yeah, I would completely agree. We don't see it coming out of the .ng domain. We see it coming out of the large free e‑mail providers. I don't see it as a .ng issue and to be honest I don't see it particularly ‑‑ while it's an attribute, 419 is the generic name that seems to be used, it comes from all over the place but the unfortunate Nigerian code has gone down in myth and legend.
>> KAREN MULBERRY: You raised good things for us to consider as well as the fact that a reputation is at stake, whether you have earned it or not, things that are being attributed in particular to Nigeria that don't happen in Nigeria. That's one of the risks in the past from spam and some of the risks that are being faced in future when we look at unsolicited forms of electronic communication.
So if everyone is comfortable with us using that as our framework for the document that we're working on, "unsolicited electronic communication"?
>> The thing that's interesting about unsolicited while yes I think unsolicited is probably one way of looking at it, the way in a lot of cases that actually stuff is spotted as spam is because it's actually handled as unwanted and a lot of spam detection systems now rely on feedback from end users and things like technology where people actually click on a button to say I don't want it. It may have been unsolicited but it's also unwanted so we have to bear that in mind, because spam ‑‑
>> KAREN MULBERRY: That's a very important point, that's important for all of us as users to keep our network operators informed of things that are sent our way that we didn't ask for. And that they weren't solicited, therefore they need to come up with steps and processes to deal with it.
But what I was trying to get at is if we're all in agreement that we can approach this in terms of the work and the outcomes document and what we're trying to draft and produce that we're focusing on unsolicited things that may also be unwanted and the process needs to be in place to establish that, that would help us then provide some context to what we're trying to accomplish. We have a remote comment?
>> REMOTE MODERATOR: The drafter of the report would like to do an intervention. We do seem to have some sort of rough consensus as the report already mentioned but that there is a difference about how it's looked at officially, how it's looked at unofficially and what I would like to do here following up on Mike's comment doing a footnote or something saying that industry looks upon it as it is contacted by end users and then you can say unwanted in the footnote, and make it unsolicited in the official text.
Would that be a way forward? Because that is the distinction, what the end user flags, and what is officially acted upon. There is a nuance between the two as far as I can see at this moment.
You look at that, Mike, as a possible way forward?
>> JULIA McKEAN: Without dwelling on this. We could spend the whole afternoon talking about this. It's a very challenging issue. As our friend said there are lots of things that are unwanted and I think the phrase can be interpreted in different ways. I think when Michael was referring to it was consumers marked it as unwanted, in other words it was spam. It came into their mailbox and they're marking it and probably in their e‑mail service, is this spam? And they say yes and that's why it's unwanted. So I think maybe it muddies the water to include that word because it could be overly broad and a very subjective thing so I would kind of go with the clean copy if that's all right rather than I think we're trying to find something very clean and direct. If that's possible. Thank you.
>> KAREN MULBERRY: Thank you very much. Yes, sir?
>> Since I was the one who was talking about "unwanted," I have no issue with the suggestion of putting it in a footnote because I think there's a disjoint between those of us in industry who deal with this stuff on a day‑to‑day basis, and your average end user who sees an e‑mail that they do not want, and depending on what system they're using, they could be marking it as spam, they could be marking it as something else. So I think the clarification type thing in the footnote from my perspective is perfectly okay.
>> We can make note of that for our next draft. Based on all the comments we received ‑‑ and we received numerous comments through the public consultation so far ‑‑ we will be working on a second draft of the document. So we need to approach this along the lines of what's raised today in our discussion, and what's being submitted through the public comment cycle, we will improve upon what we have.
Our intention is to capture the best input, the best examples, case studies and the information that we possibly can to contain it in this report so we can frame what is spam and provide some context around it and to identify the work that's being accomplished up to this point by various entities, by the GSMA, by the ITU, by MAAWG, London Action Plan. There are a lot of agencies, organisations and experts that are working to address this problem we're having right now. So how do we frame all of that and capture that information that therefore can be used and put out for others to take advantage of that may not be aware of all the work that's being done by all these various organisations and entities.
One thing I think that will be critical as we move forward here, too, is to hear other voices and examples. These are the things that are known by lots of folks but there's also lots of information, examples, experiences that we need to capture, too, that are unknown. So how do we get at that information so we can provide this collective that can be used by developing economies as they move into the Internet and broadband and other access so that they can be aware of things that they should watch out for, and then maybe use this as a means to provide some information on choices they could make as they move forward. At least that is my hope as we go through this document. So do we have any other comments on the draft itself?
I know there's been significant ones online. I wanted to make sure if there was anybody in the room, if you had an opportunity to provide some additional thoughts and input that we might want to consider.
>> TOMAS: Thanks, Karen. I think we'll provide more legal comments offline, as well, but I think just looking at the document, as well, so when we discuss already the definition of a question, I think that's where I also mentioned already that from our perspective, I think it's pretty landmark that from the next year, we'll have international instrument that will enforce the model, a pretty large chunk of the countries which regulates which basically encourages those countries to address spam issues together, so I think that could be the document and drafts and references in terms of the language because it's not necessarily the final provisions but we'll address that.
And also in terms of some of the other work that we do, we'd be happy to come up with more specifics on our development work, more specifically. The work that we're doing on our group 2 on this Information and Communication network and the practices for development, there's a list of practices also developed in terms of what ISPs are doing to protect their networks and that's something that could be included and as well with our Study Groups have 11 recommendations on the ‑‑ 11 recommendations on various spam related matters and in that context and following up also from what was said, we'd also encourage to look maybe in some respect beyond the e‑mail‑only, because the work that many of us are doing now is related to other aspects, which can be delivered by Internet. Internet can deliver the message, even at a sending platform. The same way we are now dealing we in IGF are now dealing with that voice or repeat spam, that's an increasing issue we're all trying to address.
The matter might be useful to address something. Maybe that's for future reference. Maybe some work needs to be done there, as well.
>> KAREN MULBERRY: Thank you very much. I think that that was a nice segue because one of the things we also need to think about as we work to finalize our draft outcome document and stabilize it is to ‑‑ what's the future of this best practice form and the work that's we're doing? It sounds like there are some next steps that we can take and further work that we can investigate, collect information, experiences, case studies and others on, Thomas as you pointed out, and that Michael stated as well. There's other aspects of spam as it moves into other media beyond just e‑mail. We started off with e‑mail, because that's where the major contexts I think of the work has been in terms of developing best practices, developing approaches, developing legislation and regulation around what's happening there.
It's also I think the easiest to talk about as you progress into other areas where spam becomes the delivery mechanism of malicious things that has a broader impact on access to the Internet, but that the user of the Internet that we need to potentially focus more of a dialogue on and see if we can provide better examples then as we progress through this work.
Do we have any other comments on the draft at this point in time, or suggestions for things that we might want to consider when we look at future work between this IGF and the IGF in Brazil next year?
>> One thing I just wanted to add and again we can take this offline, I scanned through the document, I think relevant to the discussion this afternoon there are a lot of techniques that have been used and our colleague from MAAWG mentioned it is very explosive when it comes to new techniques as well so probably revisiting some of the new techniques that may not be ‑‑ that have yet to be included would probably be worthwhile especially for a lot of Government and institutions that are very, very particular to the ones that are very specific to them. As we know, there are certain targeted techniques that are relevant to only certain countries and institutions. They can pardon the words pick and choose what seems to be more relevant to them and then they can start focusing on that for solution or education process.
>> KAREN MULBERRY: Thank you. I think that would be an excellent suggestion as well as we look towards the future and what our next steps might be once we finish drafting the report that we have right now.
>> I also think that one of the areas we do have to sort of pay some attention to is around the suppression of the botnets. While not being the ultimate cause they're certainly one of the great facilitators of the delivery of spam so I think we need to make sure that contained within the report is a reasonable degree of emphasis that when you're getting your ISPs to look at the spam issue they've got to be looking pretty much simultaneously at the malware/consumer botnet issue as well. That's going to be much wider I think as we move forward into more machines, devices that are non‑human, the Internet of Things coming along, attaching and whilst I think currently the spam‑sending fridge is probably kind of unique, nevertheless things are going to get abused and services are going to be left open on devices that get sold for very ordinary purposes which are going to get used for all the wrong things and I have no doubt that spam will be one of them.
>> KAREN MULBERRY: Thank you. I think that's also something that would be very useful to continue on once we get this report stabilized to look at. It's a delivery mechanism of a lot of things and identifies some of those critical elements that would be useful information to share with others.
One thing that we have not spoken about much but has been on the agenda of other panels and discussions is the role of education, role of education of users, I'm looking over at Michael Kaiser, users of e‑mail, and steps that they can take, as well as businesses that may be unintended relays of malicious e‑mail, and whether there is a component that we need to discuss more fully or around the table talk about how that fits in.
I know that certainly it's part of any programme but we haven't really spent a whole lot of time earlier in our discussion talking about the role of education.
I also think that's a very critical component for us to consider too in terms of how we want to proceed.
>> MICHAEL KAISER: Michael Kaiser from the National Cyber Security Alliance from the United States. Thank you for calling us out. We do education awareness on cybersecurity. I would say that you can't fully battle this issue unless you have the users on your side as well and they need to know what to do and when to do it and when not to do it in this case as well. I think somebody raised the issue I think it was great that the risk vector has changed from unsolicited e‑mail or e‑mail to a vector of attack so spam is not about things you don't want to get anymore, it's about things that could do bad things to you if you do the wrong thing with it and I think that has to be an important part of this discussion. It's not just a nuisance or something clogging up the system. It's actually a way that bad things can happen and that has to be part of the discussion because it still remains and actually small business is a good example, it remains a way that small businesses get attacked, as well as the way consumers get attacked so I think we have to remember that in this discussion.
>> KAREN MULBERRY: Excellent points. Thank you very much. Yiannis?
>> YIANNIS THEODOROU: To build on Betsy's suggestions, education of users not just on e‑mail but also text users, as well, but also on the Government sides, education of policymakers and governments on what their role is, particularly in relation to empowering the enforcement agencies to prosecute effectively these spammers and give them sanction power as well to enforce, impose penalties to deter them. Because it's about making sure that all stakeholders understand their role in helping fight spam.
>> KAREN MULBERRY: We have a remote comment?
>> No. I've got one comment to Michael to come back to. You said about the Internet of Things. If I remember correctly there is a comment in the document somewhere about new parties that have to enter this discussion. I think that is something that you would like to have boldened from what I hear from your words.
>> M. O'REIRDAN: I do think some emphasis. The other thing I suggest from this report is to make sure we keep the technical recommendations out of the main body and put them into technical recommendation Appendices. There's a lot of basic principles that go into a report of this size, the emphasis on trust, the emphasis on cooperation and some basic steps you have to undertake and basic roles that are attributable to the various actors in the whole process ranging from the Legislature, the regulator, through to the ISP and through to the role of the consumer but when you actually come to the technical measures that need to be undertaken I suspect if you put them in the main body you'll dilute from the emphasis you really want to get.
And technical stuff generally, we need certain people to read it. If you're interested in technical stuff you'll go to the technical stuff but if you're someone for whom this is not something you do all the time, you want to read the key bits and maybe it's just a bit of the report structure. I think we've got all the right things it's just where we leave them.
>> The second comment I would like to make, what was also clear I think from what's being discussed at this moment that up till very recently you heard say at most huge conferences that spam is not a problem anymore. I'm not seeing anything in my inbox so it's sort of over. What I hear here is that it's definitely not over but maybe a new level of the ballgame. There's also a lot of cost involved I think, and that is something which is also being touched upon in the report, but is it possible from the industry side for example to say something about the costs actually that is being made? Because that will be a driver to get for example Governments interested again in this topic which they do not really seem to be anymore at this moment. Looking around at not so much EU or National governments present.
So is there anybody who would like to comment on that either now or online so we can reflect some more? Thanks.
>> KAREN MULBERRY: Please, go ahead.
>> MICHELE NEYLON: Thanks. I think we discussed this prior to the sessions for the sake of transparency. We are the largest hosting provider in Ireland so we process quite a bit of e‑mail and other things. In terms of the costs, they're huge. I mean, using really simple terms, it's huge. The bulk of Customer Service queries that we get are e‑mail related, and of those, up until we made a huge investment in something with little or no return, the bulk of the e‑mail complaints were spam related. We've ended up spending thousands of Euro per month outsourcing some of the scanning of e‑mail to stop certain aspects of this, because the problem had got to the point where it was completely unworkable. Some statistics I got from our sysadmins prior to this meeting. SMTP connections, very technical, my apologies, talking about spam, I can't avoid it, we were dropping 90% of SMTP connections into our core network by doing lookups against Spamhaus. Spamhaus is a blacklist. The lady from Nigeria was talking about having issues sending e‑mail, this is a collateral damage issue which is another cost which needs to be highlighted so in the case of ourselves, at present we are blocking 20,000 IP addresses from our core network, certain specific machines within the network would also be blocking up to 100,000 IPs and we have been known to end up blocking entire countries. And we don't do this lightly but we have no choice. And the collateral damage to that is, and the cost, is that it means that because somebody over there is misbehaving, you and the innocent person in the middle cannot send or receive e‑mail or other communications.
As somebody in the, as a provider, the problem we see is that a lot of other providers are completely nonresponsive, that they don't take responsibility for the fact that they are providing services, and either knowingly or unknowingly are allowing for these networks. There was a session this morning on blocking that was moderated by Paul Vixie which is very interesting but doing it together. A lot of us end up having to block very large portions of the Internet. It's got nothing to do with freedom of speech. It's got nothing to do with legislation. It's to do with the fact that some botnet somewhere is trying to rape our network. I'm sorry if you don't like the word rape but it's the best word I can think of, it's a violent attack on you and you have to take action but unfortunately a lot of ISPs, a lot of hosting providers they don't provide an abuse contact. If they do provide an abuse contact they don't respond and we all end up paying the cost of that.
>> KAREN MULBERRY: Thank you very much for that. If you can provide that in some context for us for our report it would be very useful to capture that. I've read some studies that some researchers from I think it's Google and Microsoft have done even just for an individual user that it takes them 5 seconds to delete an unsolicited e‑mail and you equate that time and money to about $25 an hour, you add the costs up for how many millions of people who happen to be using e‑mail and are online, you've got millions, billions of time and energy spent to deleting things that weren't solicited, let alone the network costs and all the other impacts that are out there.
>> Can I interject here? I think we have to be really careful about using financial statistics, I really do. When you look at spam, how many people look at their spam folder? I think some of the statistics are quite spurious and quite often are generated by security companies in search of good stats, and I think we need to be tremendously careful about using those because if you put them in there's a danger of detracting from the credibility of this report rather than adding to it by using shock horror statistics which don't actually get us where we need to get to. Yes, spam is indeed expensive. I grant you that. We have hundreds of services literally fighting spam and we have teams of tens of people who work in our security and abuse arm. They're not just handling spam but they're handling other forms of abuse as well and for an extremely large ISP it's an extremely expensive business. So I would say but I would be very careful about attributing costs to it. We end up with what look like very unlikely numbers and it's important that if we're going to be credible, we also have to be ‑‑ if we're going to be credible we have to have credible numbers.
>> Just coming back on you, I think you accept the fact that there is a cost and there is collateral damage and these are costs that are very, very hard to put a dollar or Euro number on. I think we're on the same page. I mean, I think about how long a user spends looking at e‑mail. Personally I don't know and I don't really care. I do care about the fact that we end up having to spend thousands of Euro on mail servers and firewalls and other things to deal with all this, and the problem of course is if you look around, it's a drive to the bottom in terms of price so you can't even recoup those costs because everybody expects you to provide spam‑free e‑mail for free.
>> And actually I was using it more as an example that there are different costs. Users have costs as well as networks and other providers. Christine?
>> CHRISTINE HOEPERS: I would say probably this could be some of the platform for discussion and especially for when we were doing our work. One of the major keys that all stakeholders said that we would like one neutral statistics and not vendor statistics. This is why we have a major part of our work that is a research project that we are running is how to have spam statistics without people abusing the infrastructure without depending on vendors and without depending on the user reporting that that's spam.
So we have some statistics that have part of the problem, and maybe that would be something to work on. It's because ‑‑ and why do I say that? Because most of the time when now I'm talking to especially countries in Latin America, they always say that okay, but why should we invest into anti‑spam? Or into doing something like that?
So it is really an operational cost or not and I'm talking about ‑‑ not talking about really like e‑mails but really why it is important and how expensive it is to implement. So that could be something for us to get, like ISPs have already implemented that, that would be through MAAWG, have a report on what was the impact, what was the reduction on spam leaving our networks. What was the impact on operational cost? Doesn't need to be dollar figures. That could be about hours spent, about equipment, or something that could have like this motivation especially for people that are putting money into anti‑spam.
[ Technical issues ]
>> KAREN MULBERRY: We have a remote participant comment? No, go ahead, please.
>> We have Simon from Cameroon. We asked if he wants to ask a question. He didn't but he did comment that he thought it was an excellent and wonderful discussion so I wanted to put that in.
>> KAREN MULBERRY: Thank you very much, Simon, for that comment. I'm sure we all appreciate here as we try and get our arms around what this is, and move forward with our document and it sounds like we have through our conversation identified some key things that we can focus on in the coming year so that we can produce another iteration that captures some more future looking context and some opportunity costs or at least examples of what needs to be done, potentially look at consumer education and how we might frame what would be a good approach to consider for educating consumers as they use various devices and move forward and on to the Internet for what they need to watch out for and how they might want to consider protecting themselves. So do we have any other questions, comments, suggestions for the work of this best practice Forum? Yes, sir? Thank you. Chip Sharp with.
>> CHIP SHARP: Cisco Systems. It's interesting, sitting in on the session next door for a little bit and then coming in and listening to this one and one thing thinking about how these issues interact, thinking about how the port 25 blocking solution interacts with net neutrality debate, and that will be an ongoing debate that we'll have to look at but I agree that it's actually been a solution that stopped a lot of spam, but it does interact with the other policy discussions that we're having here, something to think about. Thank you.
>> KAREN MULBERRY: Thank you very much, Chip. I know there are a lot of other things on the fringe that will have some context for how people might want to approach and implement any kind of spam tools, legislation or approaches within their country because the other policy decisions will frame a lot of those opportunities or restrict some of these opportunities but right now we're trying to come up with a compendium of useful information hopefully to help with those choices along with how they choose other policies to implement.
If there isn't anything else that you would like to suggest, contribute or add to the work we have in front of us and what we hope to do in the future I'd like to thank you all very much for participating in this discussion and I look forward to your comments. You have many ways of doing that. So please send your information, send your questions, send your examples in so we can capture those for others to use. Thank you.
[ End of Session ]