Slashdot Mirror
E.U. Employers To Be Held Liable For Porn Spam?
Cowards Anonymous writes "Yahoo News has a story about a study of Europe's new anti-spam legislation. The overly broad wording of the legislation, according to the study, could allow employees to sue employers for not doing enough to stop porn spam. Businesses could be sued by their workers for allowing a hostile work environment. The author of the study advises companies running email servers to use filtering technology, and warn employees about the sometimes sleazy content of spam."
E-mail, as we know it today, has got to go. Non-authenticatable sending is a bug, not a feature. For as long as businesses allow incoming SMTP e-mail, their employees will always be exposed to all forms of Spam, including pornographic.
So, if the law basically makes it impossible to run an SMTP-based e-mail system in a business, that could be just the knockout blow it takes for businesses to finally see an incentive on picking a tigher protocol that allows better tracing of senders.
I know of one business that is still running Windows 98 based computers in the office, with very little preventing the employees from wandering on the Internet to wherever they want. Not surprisingly, the employees end up contracting spyware and browser hijackers on a regular basis.
The management has had enough of the IT department having to clean up the infected computers, and has basically ordered them to stop wasting their time on such machines. As a result, one machine's homepage is now perma-set to a porn site. There's a running process that resets it whenever the user attempts to change the home page by any way, but it's using rootkit tactics to shield itself from being uninstalled by anything. The OS is hosed, it needs to be reinstalled.
I just can't wait until the first female employee notices what's happened to this male employee's computer and files the lawsuit. Sometimes, IT spending is just plain mandatory...
Sounds like that is going to put a huge amount of burden on the companies. If I were running my own private business, I'd be inclined to unplug everyone's network connections and hand out typewriters. I don't know how strict the legistlation is, but it sounds to me that this might promote anti-technology.
You can do the same for any US employer using existing discrimination / harrassment laws.
In Soviet Russia, I ruled you
We should be celebrating laws that require business to do something about user-annoying IT problems. Legislating a need for IT translates to tech jobs that can't be cut... and that's more work for us.
There are solutions to Spam that companies can use, they just keep getting killed because PHB's say they fail the cost-benefit tests. However, when you throw the prospect of a big lawsuit in the face of a PHP, it changes the balance of the scale.
If this makes employers consider better spam-filtering mechanisms, surely that's a good thing for everyone. We know that it is more-or-less impossible to stem spam at the source, so legislating to impede spam at some other point is not entirely a bad thing.
Of course, the tinfoil-hat folks will be vomiting to themselves over the evil intrusive regulation, but come on, how hard is it to try to filter spam?
I stole this sig.
I just get spam telling me how small my penis is. I never get pictures of naked people!
:(
How comes I have to miss out?
The law is irrelevent, because not too many countries are following it.
From BBC news:
They also found that eight EU member nations have yet to implement the directive despite the deadline for compliance falling more than six months ago.
The rogue nations - Belgium, Germany, Greece, France, Luxembourg, the Netherlands, Portugal and Finland - have been threatened with legal action.
The problem with international laws is that nationalistic countries are generally inclined to ignore them.
Honestly, since I couldn't find a single link to the actual legislation, it's hard to tell whether employers could actually be held liable for spam, or whether this is just FUD.
Obviously, if an employer intentionally turns off the spam safeguards on one woman's machine, because she's very religious and he knows it'll freak her out, then that's sexual harassment through spam.
But spam that slips through the cracks despite reasonable efforts to stop it... I have to say, I don't think any court in the world would find a tort there.
"Beware he who would deny you access to information, for in his heart he deems himself your master."
"European employers must be aware of the risk of new computer-related liabilities," said the researcher for the University of Amsterdam's Institute for Information Law.
"An important example of such a potential new liability is the risk of being held accountable for not protecting employees against unsolicited pornographic e-mail."
This could encourage companies from denying Internet access to employees, after all why risk sexual harassment lawsuits for something that is so difficult to stop.
On one hand you can have an opt-in list for employees, where someone must "allow" a person to send mail to an inbox. I use this for my Dads email account due to all of the spam (however, being his personal and business email address, I must constantly monitor the mail so that nothing important gets caught in the SPAM TRAP)
Which leads to the other hand, opt-in limits your ability to do certain things, for instance if you pass out business cards with an email or want legitimate, but currently unkown people to contact you it is a pain in the ass.
I thought the U.S. had the market cornered when it came to ridiculous PC requirements in the workplace. Honestly, you'd think that in all places, EUROPE...where there is topless advertising in magazines...would be sensible enough to tell its users, "Look, we're all grownups here, and we all know how hard spam is to deal with. There is no magic solution yet, you're going to have to deal with it." I mean honestly, how many people have spam tackled at home on their own, anyways? It seems nuts to ignore the difficulty of stopping spam in an enterprise environment when coming up with guidelines to punish companies for not doing so.
For your security, this post has been encrypted with ROT-13, twice.
Delete a few of the mortgage spams, leave in the "Tentacle Rape" and "Beat her to death with your horse cock" spams.
Then run the mess through SpamAssassin, and say "Here's what we'd be free of if we could just get the administration to authorize installation of this Free software on our mail servers."
Hand both printouts to a female accomplice (preferably lesbian, or at least able to fake it), and have her do the talking to the Dean of Womyn's Studies office. "Demand the Right to be Free of Harassment and Traumatization in Our Free Speech" or something.
Your university's Women's Studies Department is a powerful weapon, but maybe it's time to use it as a force for good.
Slightly OT, but still...
One day, one of my colleagues came to me and asked (absolutely furious) " Why do you send me gay porn on my email address? ".
Turned out that some sleazeball spamfscker had harvested my work email address and was using it to send gay porn HTML email, using 'clever' JavaScript to open dozens of windows containing images of a nature I will not describe here (Think group goatse.cx here -- yes, it was that bad). The 'From:' header contained, of course, my spoofed address.
Fortunately, this was a rather tech-friendly company and the colleague was also a good friend. I was able to explain to her that this was, in fact, not coming from me. And I showed her how to disable JavaScript in Netscape Mail. She, in turn, relayed the information to the rest of her open-space co-workers.
I still shiver when I think of the potential consequences if she had shown the email to our bosses, instead of closing down all the windows and going into my office... A short time after this incident, our sysadmins (bless their souls) installed SpamAssassin on the Postfix server, with a very threshold. And that was the end of spam.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Or is it vice-versa? Idiots can be well-meaning people?
Where I work, we installed a Barracuda Spam Firewall. It works fairly well, but crap still gets through. And as we add our own REGEX filters, we find the false-positive rate increasing. The only real solution is to expand existing mail protocols to account for spam. Specifically, some changes to the SMTP protocol that require the sender definitively ID themselves before sending. This would provide accountability of some sort. I know, I know. Some people are going to attack me for proposing the modification of SMTP. What, then, do YOU suggest Oh mighty one?
Who is Twirlip of the Mists?
Is an employer required to open all snail mail to screen it for porn? Would that, actually, be illegal?
Sometimes sleazy content of spam? Since when has spam not been "sleazy?"
While there doesn't appear to be any caselaw handy there is a consensus view that it falls under the "duty of care" an employer has to their employees. That isn't a disaster since the law revolves around the ficticious "reasonable person" so it requires reasonable effort rather than perfection.
Similarly although case-law has yet to appear there are good arguments that someone failing to take reasonable care of their systems and getting viruses/being used to spam others could be liable for negligence.
"for every right there is a duty" is the basis of a lot of UK law
Damn straight! That's why Finland is now ranked as the number one most technologically advanced nation on earth, but I'm sure that private enterprise friendly China will be playing catch up.
KFG
...in most cases, mail sent to you at your place of employement is considered business mail (i.e. the secretary or your boss can open it) unless it is specifically marked private or confidential.
People say I'm crazy, I got diamonds on the soles of my shoes...
No e-mail client should ever request content from a remote server and/or load images without a direct action by the user.
Most porn spam loads images via html image tags or some other remote mechanism. (Usually with a web bug to figure out which address downloaded it so they can send you more spam.)
If the user has an e-mail client configured by default to download contact automatically then it needs to be corrected. That is the fault of their IS/IT department or whoever ordered the IS/IT department to use that client. I don't even think Outlook is that stupid anymore.
The other problem is that there are a whole lot of people who are unable or unwilling to just grow the hell up. So you get e-mail that describes sex. So what? Big deal! Sex is a part of life. Just delete it and move on.
But instead, these growth stunted pod people want to obscess over that part of life that they have not learned to accept. Instead of blaming themselves and their upbringing (or lack thereof) they are going to take it out on ANYONE else.
The best thing to do to avoid such legal problems is find out who these people are in your company and deny them ANY outside e-mail whatsoever until they can behave like a grownup.
"Trademarks are the heraldry of the new feudalism."
...and of course, it wasn't accepted, but that's beside the point.
We had an issue here in the workplace where porn spam was getting through to a list. Basically this was the equivalent to an "info@..." list, where potential customers would email for product information. One woman who was required to read those emails started to complain about the porn spam. Even though I had spamassassin doing a heck of a lot of blocking, plenty still got through.
Let's put aside the web form option for the moment. Could she really sue the company for making her read the email to that address? From what I was told, I don't think so, since we had proof that we were at least trying to remedy the situation any way we could. Has anyone else run into a similar situation and had someone really sue the company?
Trolls lurk everywhere. Mod them down.
My primary job function is R&D and I've told bosses for quite awhile that I thought it exposed the government to liability if we weren't using industry best practices to combat spam.
I even offered to ask the agency's legal section what our exposure was and was 'discouraged' from bringing this to Legal - I think because if the lawyers *do* find a risk the problem would be immediately escalated to HQ for resolution ;-)
Anyway, I researched several client, server and mail gateway products - everybody thinks combating spam is a good thing, but the higher-ups can't decide whether to automagically delete spam at the gateway (lousy idea) or just tag it and use client-based rules to quarantine it (much better idea).
Anytime you do rule-based mail deletion you open up the opportunity for me to explain to my boss that the reason he didn't receive my project was because the mail gateway ate it.
IM frequently less than HO corporations need to protect both themselves and their employees.
we see things not as as they are, but as we are.
-- anais nin
What about the situations where someone who knows your work email address submits you to the p0rn sites and you start receiving messages. I had this happen to me a couple years back where a college buddy of mine decided it would be funny to sign me up for "p0rn picture of the day".
Could be difficult to prove that you weren't the one to do it, plus you'd be a lot more careful in who gets your email address.
Jim
Well, there's the proper point of attack for the law. We throw people in jail for cracking other forms of computer security in order to gain unauthorized access to other people's systems; we need to enforce the same laws against this subspecies of cracking.
/. If the government wants us to respect the law, it should set a better example.
when politicians get involved with problems that aren't political.
What's stopping these users from installing their own filters?
Next thing you know, empolyees will be suing employers for lost e-mails killed by the main filter.
As for SMTP being broken...you can already trace spam back to it's origin. All the way back to that open relay. It doesn't take brain surgery to fire up a DNS server or use an already existing one like DNSMadeEasy.com and assign your spam domain to the IP of the proxy you'll be using. The owner of the IP can in no way shape or form prevent "unuauthorized" domains from pointing to their IP. I pointed linux.icarusindie.com at Microsoft's web-site and windows.icarusindie.com at linux.org for awhile. MS's site automatically fixes the url while Linux.org showed up as my domain no matter where I went on the site.
Spammers already use tons of domains to host the product page linked to by the "click me." All they're going to do is put a mail server on that domain. So now all you're going to have are spams where the "click me" domain and from domain match. Whoopee.
You can already filter out "click me" domains which results in 100% accuracy (as long as you're not silly enough to think a computer can do all the work) and 0% collateral damage.
If your plan of attack involves some kind of "accountability," forget it. The internet is an anonymous place. You have to find a way to deal with the problem without this silly idea that spammers are somehow going to surrender and identify themselves just because you changed the protocol.
Ben
Work Safe Porn
I think it's absurd for users to demand protection from the spam that THEY CAUSED by being promiscuous with their email address. I've had my work email address for almost five years now, and I've never gotten a single piece of spam because I'm not dumb. My coworkers complain about spam endlessly, and I have not an ounce of sympathy for them. Hotmail has great spam filtering these days, maybe they should be using it instead of their employers' email.
I dont know why this was posted as AC because I was logged in.
Comment removed based on user account deletion
It is a category error to treat spam as a software bug rather than as human misbehavior. It's true that technical measures can reduce or ameliorate the spam problem, just as technical measures such as locks and sturdy vaults can reduce or deter robbery. However, that doesn't make spam (or robbery) a technical rather than a behavioral problem.
There is no technical fix for spam. Real fixes for the spam problem must take place on the human level: enforcement of laws against spam and spam-related computer crime; refusal of connectivity to spammers and spam supporters; boycotting of firms which spam or benefit from spam.
Shooting at people.
I have to agree, in the four years I've worked hear and had the same email address, I've gotten not a single spam to it. One coworker in particular gets literally hundreds of porn spams in a day. He thinks it happens to everyone, and doesnt realize that I know the only reason he gets it is because he stays late browsing the web's stickier side.
I use my work email only for work and personal correspondance, not to sign up for websites, etc.. I use a hotmail address for that, and lo and behold - it's crammed with spam.
My home email, on comcast.net gets the odd spam - maybe 3 or 4 in a week. I hardly ever use it and have never given it out. Big domain names like hotmail or comcast or aol are just going to be targets no matter what.
All the same, I agree. I'm tired of peoples lack of personal responsibility these days, laws like this make me sick. So Vladimir stays late one night, browsing pictures of hot man-cow anal action - then sues his employer when his inbox floods with man-cow advertisements?
It's like saying you're going to jerk off in the washroom, then sue your boss when your dicks sore because he didn't provide vaseline in the stalls.
I don't need no instructions to know how to rock!!!!
blocking keywords like p0rn, porn, virgins etc if one gets through by using words like p.o.r.n for example - does that count as enough?
I've had an email account for 3 years that was totally spam-free. I was careful with it, wasn't "promiscuous" with it. I carefully shielded it by using a "spamtrap" address to vet companies - any company I start doing bidniz with is "on probation" for a coupla months, then if they behave and don't send me ads, I'll update my addy with them to my protected account. I do several other things also to protect myself.
Then a person to whom I'd given my email to stupidly answered the ebay-phishing email, got trojan'd and harvested. No, I wasn't stupid to give my email to that person. I needed to communicate.
I received 10 spams the next day, and I'm "WTF is all this $&#^@????". I'm soon gonna have to change my email cuzza this.
No matter how careful a user is, he/she must actually share his/her email address for it to be of any use at all (by definition).
There's no way to be sure that absolutely everyone to whom you MUST provide an email is as careful as you are.
Even if they and you are both careful, there's no garauntee that the M$ critical-security-flaw-of-the-week isn't going to be exploited and hit you or them 10 seconds before you/they click the button to apply the patch.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
No thanks, I rather like having some.
Snail mail does not have the same problem (in the US, at least). The most important reason is the cost per piece mailed. At nearly 40 cents per item, sending out the massive quantities spam is known for is prohibitive. If they want bulk discounts, they must be legitimately registered with a permit. That permit can easily be revoked and there is no other service waiting in the wings to pick up the business. Air mail doesn't sneak past - in fact, it costs more and still must move through the US postal service. There is no competing postal service within the US. The US postal service is a federal entity and there is a fairly good-sized body of federal law related to posted mail. This also means it has federal entities (FBI comes to mind) in place to handle investigation and enforcement when violations occur.
The only "spam" I get through snail mail is 1) local business ads (grocery store sheets that are not addressed, but delivered to EVERY mailbox), 2) political pamphlets (but this is because I don't ask off), and 3) those with whom I have had a relationship (BofA's many offers, SBC's nonsense, and so on). I have only twice in my life received chain letters. I have never seen a "Nigerian scam" or pornographic materials (that I didn't personally request).
==========
Until we have a system in which every person is accountable for the email they send and an international body of enforceable laws to prevent abuses, we will not have protection from spam. I prefer not to go the way of charging for emails just to stop spammers -- because that enriches one group at the expense of another to combat a third, when the first group could have come up with better options.
===========
On a side note, what filters out there can scan the content of the images embedded in the email for pornography? What filters can find every single misspelling of every term considered offensive? (Not to mention one I ran into trouble with. Trying to trim spam offering stock tips I tried filtering out the word stock. Unfortunately, stock has other meanings that various customers use it for.)
The only way for an employer to really cover their ass would be to review every email that comes in -- and this is guaranteed to get privacy fanatics up in arms. Of course, if it comes in on company email lines and is supposed to only pertain to company business, but that still puts at least one employee in the unenviable position of having to review every email and make a judgment call. (Hey, maybe that's the next big employment opportunity - email reviewer.)
In closing, I haven't read the actual text of the legislation, but I would think there is a pretty wide gray area here. Are the "online pharmacies" spams considered pornographic if they offer viagra? Or would only those with images or explicit text count?
I was taking one day at a time, but then several days got together and ambushed me. (from a Rhymes with Orange comic)
[Emphasis in your quotation added by me]
If every one of your employees has to delete 95 copies of...
"XX3NICAL__ ULTR@M__ F!0RIC3T__"
" Pills You Want. Many On Stocks. abreact omrgphh"
"G.1.ANT T.1TS 4 HER 4914"
"horse fux my girl N.U.D.E on internet" and
"hoi pliancy herbul penls"
[remainder of my past hour's spam filter hits deleted for brevity]
...for every legitimate business email they receive, and that doesn't constitute a Denial of Service attack, may I politely inquire as to what the f.u.c.k. would?
"...you can delete them once, they hide in some other start-up file reinfecting the machine. Trust me, some of these are near totally uninstallable by anything else but a clean reinstall."
/a from the CD usually fixes it.
That's why you check autoexec.bat, config.sys, system.ini, win.ini and the registry */Software/Microsoft/CurrentVersion/Run* keys.
I love 98SE for this - it's extremely easy to un-fuck-up provided that no important system files were replaced with trojans, and even then a date check and extract
Absolute worst case, an install of 98 OVER the existing install usually fixes any problems, while retaining your files and a lot of Windows settings.
picpix image polls. create - share - vote. fun!
- email costs the company X dollars per year in servers, spam filters, network, etc.
- email now presents a risk of Y dollars in terms of possible lawsuits
- the cost of doing business without internet email is Z dollars
Do the math: Is X + Y > Z? Then get rid of internet email access. They my keep the inhouse email, but no internet gateway. Other technologies for allowing cooperation among employees will be used.You might complain its not fair or believe it could never happen. Haven't you seen things that are perceived to be mostly "employee benefits" get dropped? I sure have.
So, the spammer-parasites are coming very close to killing the host upon which they depend. Its on life-support now and it won't take much of a shock to push it over the edge. In 5 years, you will see posting on Slash dot like, "Hey, remember in the bad-old-days when you had an email address? Can you believe people actually got spam? ha ha ha".
Your friend and well-wisher
m0smithslash
http://www.ferociousflirting.com
For another example, our CEO wants to sign up to mailinglists of all our partners, competitors, etc. Both use their "secondary" email address for this spam-ridden mail.
Most of the "legimite" "corporate" use of email doesn't actually get your email address listed with porn spammers. People just like giving out their email addresses to everyone, and that's what gets them in spam-trouble. By giving a second throwaway account, most people's primary account stays nice and spam-clean.
As an european living in North-America, this article , although true in its content, plays a lot of noisy drums for nothing.
Contrary to USA, europe does not have a culture of suing people or companies, and in particular against "hostile work environment".
I don't think the situation were an employee sues his company for receiving p0rn spam will arise often, since the employee will have nothing to win apart from losing his job and never find another one (suing your company is generally not a good thing on a resume). (I dont say you lose your job if you sue your company - legally you cannot, but we all know how easy it is to for companies to find other supposedly legal reasons to fire you).
Moreover, if your receive spam, it generally means that you have used your work e-mail address for non-business related issues, and you'll end up walking on dangerous grounds if you try suing your company for that.
So, to me, this article has been written by someone who knows laws, can forsee their effect, but do not know the european culture enough and makes the common mistake of comparing it to north-america. Or maybe he never worked in a company where e-mail is used for work.
SPF ( http://spf.pobox.com ) does this at the domain level. At the username level, authentication would be guaranteed by the domain server.
.
The grandparent post's issues can be solved by always using the domain SMTP server (as opposed to using an ISP server or sending direct). Most people already do this. If the ability to send from a dynamic IP is really needed, I notice that DynDNS is listed as an SPF supporter at http://spf.pobox.com/faq.html
A second conversation (to verify) is not needed. Just push all mail through the SMTP servers. Then the receiving server can verify the sender on receipt (the sender's IP is known as part of the TCP conversation).
There is also a proposal called IM2000 that would offer most of what you want as well. With IM2000 only a message notification is sent. Using that info, your email client then gets the actual message from the sending server. If you verify the sending server in DNS prior to retrieving the message, you can be guaranteed that it is sent by the correct server.
I know what I want, I want to be paid to open my email. The postage would be some sort of token that I and my legitimate corresponders would pass back and forth. Anyone with a need to mail more than he receives would be required to buy postage. The problem is that these tokens may be too easy to coounterfeit.
How does the Post Office sell postage on the internet? I mean, can't you just download postage and pay for it with a credit card?
If you must moderate, please moderate as irrelevent, not something bad, because I'm sure someone will find this interest
It seems to help. And the more people who send them their own junk back in their envelopes with "no thanks" written on it the better.
Actual story:
After filling out and mailing all the forms at Junkbuster's declaraion page and it not having enough of an effect, I tried this: everything I got in the mail that I didn't want I wrote "Return to sender" on and stuck in the out box. Some of it went back. Most of it the post office stuck back in my mailbox saying "we can't return bulk mail" or some other BS. I just kept writing "Return to sender" on it and sticking it back in the out box.
One day, I got a note in my mailbox from the post office. It said to come down to pick up my mail. So I went down to the post office. As soon as I handed over the note, the clerk took back to the offices. A little later a stern looking man came out and had a little "talk" with me about how they would have to discontinue delivering my mail if I continued to "abuse" the system (I was halfway tempted to continue
What it comes down to, even after getting off of all the junk mailing lists, and contacting all the companies that send you junk mail to tell them to FOAD, you will STILL get mail that you can't return to sender or have turned off. For me, it's the flyers I get from the local grocery store, cingular and the penny pincher, even though I never read them.
These ones never have return addresses, and I have been severely tempted to start a movement to get a bill passed in congress to disallow these kind of "mailings" anymore. But, I'm lazy, and most days there's not a thing in my mailbox anymore. Wish I could say the same for spam, but that will be fixed soon . .
Nathan's blog