E.U. Employers To Be Held Liable For Porn Spam?
Cowards Anonymous writes "Yahoo News has a story about a study of Europe's new anti-spam legislation. The overly broad wording of the legislation, according to the study, could allow employees to sue employers for not doing enough to stop porn spam. Businesses could be sued by their workers for allowing a hostile work environment. The author of the study advises companies running email servers to use filtering technology, and warn employees about the sometimes sleazy content of spam."
E-mail, as we know it today, has got to go. Non-authenticatable sending is a bug, not a feature. For as long as businesses allow incoming SMTP e-mail, their employees will always be exposed to all forms of Spam, including pornographic.
So, if the law basically makes it impossible to run an SMTP-based e-mail system in a business, that could be just the knockout blow it takes for businesses to finally see an incentive to pick a tighter protocol that allows better tracing of senders.
I know of one business that is still running Windows 98 based computers in the office, with very little preventing the employees from wandering on the Internet to wherever they want. Not surprisingly, the employees end up contracting spyware and browser hijackers on a regular basis.
The management has had enough of the IT department having to clean up the infected computers, and has basically ordered them to stop wasting their time on such machines. As a result, one machine's homepage is now perma-set to a porn site. There's a running process that resets it whenever the user attempts to change the home page by any way, but it's using rootkit tactics to shield itself from being uninstalled by anything. The OS is hosed, it needs to be reinstalled.
I just can't wait until the first female employee notices what's happened to this male employee's computer and files the lawsuit. Sometimes, IT spending is just plain mandatory...
Sounds like that is going to put a huge amount of burden on the companies. If I were running my own private business, I'd be inclined to unplug everyone's network connections and hand out typewriters. I don't know how strict the legislation is, but it sounds to me that this might promote anti-technology.
You can do the same for any US employer using existing discrimination / harassment laws.
In Soviet Russia, I ruled you
We should be celebrating laws that require business to do something about user-annoying IT problems. Legislating a need for IT translates to tech jobs that can't be cut... and that's more work for us.
There are solutions to Spam that companies can use, they just keep getting killed because PHBs say they fail the cost-benefit tests. However, when you throw the prospect of a big lawsuit in the face of a PHB, it changes the balance of the scale.
I just get spam telling me how small my penis is. I never get pictures of naked people!
:(
How come I have to miss out?
The law is irrelevant, because not too many countries are following it.
From BBC news:
They also found that eight EU member nations have yet to implement the directive despite the deadline for compliance falling more than six months ago.
The rogue nations - Belgium, Germany, Greece, France, Luxembourg, the Netherlands, Portugal and Finland - have been threatened with legal action.
The problem with international laws is that nationalistic countries are generally inclined to ignore them.
Honestly, since I couldn't find a single link to the actual legislation, it's hard to tell whether employers could actually be held liable for spam, or whether this is just FUD.
Obviously, if an employer intentionally turns off the spam safeguards on one woman's machine, because she's very religious and he knows it'll freak her out, then that's sexual harassment through spam.
But spam that slips through the cracks despite reasonable efforts to stop it... I have to say, I don't think any court in the world would find a tort there.
"Beware he who would deny you access to information, for in his heart he deems himself your master."
"European employers must be aware of the risk of new computer-related liabilities," said the researcher for the University of Amsterdam's Institute for Information Law.
"An important example of such a potential new liability is the risk of being held accountable for not protecting employees against unsolicited pornographic e-mail."
This could encourage companies to deny Internet access to employees; after all, why risk sexual harassment lawsuits for something that is so difficult to stop?
On one hand you can have an opt-in list for employees, where someone must "allow" a person to send mail to an inbox. I use this for my Dad's email account due to all of the spam (however, being his personal and business email address, I must constantly monitor the mail so that nothing important gets caught in the SPAM TRAP).
Which leads to the other hand: opt-in limits your ability to do certain things, for instance if you pass out business cards with an email or want legitimate, but currently unknown, people to contact you it is a pain in the ass.
I thought the U.S. had the market cornered when it came to ridiculous PC requirements in the workplace. Honestly, you'd think that in all places, EUROPE...where there is topless advertising in magazines...would be sensible enough to tell its users, "Look, we're all grownups here, and we all know how hard spam is to deal with. There is no magic solution yet, you're going to have to deal with it." I mean honestly, how many people have spam tackled at home on their own, anyways? It seems nuts to ignore the difficulty of stopping spam in an enterprise environment when coming up with guidelines to punish companies for not doing so.
For your security, this post has been encrypted with ROT-13, twice.
Slightly OT, but still...
One day, one of my colleagues came to me and asked (absolutely furious) "Why do you send me gay porn on my email address?".
Turned out that some sleazeball spamfscker had harvested my work email address and was using it to send gay porn HTML email, using 'clever' JavaScript to open dozens of windows containing images of a nature I will not describe here (Think group goatse.cx here -- yes, it was that bad). The 'From:' header contained, of course, my spoofed address.
Fortunately, this was a rather tech-friendly company and the colleague was also a good friend. I was able to explain to her that this was, in fact, not coming from me. And I showed her how to disable JavaScript in Netscape Mail. She, in turn, relayed the information to the rest of her open-space co-workers.
I still shiver when I think of the potential consequences if she had shown the email to our bosses, instead of closing down all the windows and going into my office... A short time after this incident, our sysadmins (bless their souls) installed SpamAssassin on the Postfix server, with a very threshold. And that was the end of spam.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Or is it vice-versa? Idiots can be well-meaning people?
Where I work, we installed a Barracuda Spam Firewall. It works fairly well, but crap still gets through. And as we add our own REGEX filters, we find the false-positive rate increasing. The only real solution is to expand existing mail protocols to account for spam. Specifically, some changes to the SMTP protocol that require the sender definitively ID themselves before sending. This would provide accountability of some sort. I know, I know. Some people are going to attack me for proposing the modification of SMTP. What, then, do YOU suggest Oh mighty one?
Who is Twirlip of the Mists?
Is an employer required to open all snail mail to screen it for porn? Would that, actually, be illegal?
...in most cases, mail sent to you at your place of employment is considered business mail (i.e. the secretary or your boss can open it) unless it is specifically marked private or confidential.
People say I'm crazy, I got diamonds on the soles of my shoes...
No e-mail client should ever request content from a remote server and/or load images without a direct action by the user.
Most porn spam loads images via html image tags or some other remote mechanism. (Usually with a web bug to figure out which address downloaded it so they can send you more spam.)
If the user has an e-mail client configured by default to download content automatically then it needs to be corrected. That is the fault of their IS/IT department or whoever ordered the IS/IT department to use that client. I don't even think Outlook is that stupid anymore.
The other problem is that there are a whole lot of people who are unable or unwilling to just grow the hell up. So you get e-mail that describes sex. So what? Big deal! Sex is a part of life. Just delete it and move on.
But instead, these growth-stunted pod people want to obsess over that part of life that they have not learned to accept. Instead of blaming themselves and their upbringing (or lack thereof) they are going to take it out on ANYONE else.
The best thing to do to avoid such legal problems is find out who these people are in your company and deny them ANY outside e-mail whatsoever until they can behave like a grownup.
"Trademarks are the heraldry of the new feudalism."
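Two posts above, the spoofed JavaScript-laden HTML mail and the point that a client should never fetch remote content on its own, describe the same defensive check. The following Python script is an added example, not code from any poster or product named here; it uses only the standard library, and the message, host names and heuristics are constructed for illustration. It scans an HTML mail for remote image loads and script blocks, flags probable web bugs, and rewrites the body so that a client fetches and runs nothing.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
# Constructed sample (not real spam): a normal remote image, a 1x1 "web bug"
# carrying the recipient address, an inline cid: image and a window-opening script.
SAMPLE_MAIL = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
Content-Type: text/html; charset=us-ascii

<html><body><p>Hello</p>
<img src="http://images.example.invalid/banner.jpg" width="400">
<img src="http://track.example.invalid/p.gif?u=user%40example.invalid" width="1" height="1">
<img src="cid:inline-logo">
<script>window.open("http://images.example.invalid/popup.html")</script>
</body></html>
"""

REMOTE = re.compile(r"^https?://", re.I)

class HtmlMailScanner(HTMLParser):
    """Collects remote <img> sources (flagging likely web bugs) and counts <script> tags."""
    def __init__(self):
        super().__init__()
        self.remote_images = []  # (url, looks_like_web_bug)
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.scripts += 1
        elif tag == "img" and REMOTE.match(a.get("src") or ""):
            src = a["src"]
            # Heuristic: a 1x1 image or a URL embedding the recipient's address
            # is a web bug that tells the sender the address is live.
            tiny = a.get("width") == "1" and a.get("height") == "1"
            self.remote_images.append((src, tiny or "%40" in src or "@" in src))

def neutralise_html(html):
    # Drop script blocks and rename remote src= so a client fetches and runs nothing.
    html = re.sub(r"<script\b.*?</script>", "", html, flags=re.I | re.S)
    return re.sub(r'src="(https?://[^"]*)"', r'data-blocked-src="\1"', html, flags=re.I)

def process_message(raw):
    """Return (remote images, script count, neutralised body) for a single-part HTML mail."""
    html = message_from_string(raw).get_payload()
    scanner = HtmlMailScanner()
    scanner.feed(html)
    return scanner.remote_images, scanner.scripts, neutralise_html(html)
```

A gateway or client plug-in would apply the same rewrite to every text/html part of a multipart message; the single-part case is shown to keep the example short.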
My primary job function is R&D and I've told bosses for quite a while that I thought it exposed the government to liability if we weren't using industry best practices to combat spam.
I even offered to ask the agency's legal section what our exposure was and was 'discouraged' from bringing this to Legal - I think because if the lawyers *do* find a risk the problem would be immediately escalated to HQ for resolution ;-)
Anyway, I researched several client, server and mail gateway products - everybody thinks combating spam is a good thing, but the higher-ups can't decide whether to automagically delete spam at the gateway (lousy idea) or just tag it and use client-based rules to quarantine it (much better idea).
Anytime you do rule-based mail deletion you open up the opportunity for me to explain to my boss that the reason he didn't receive my project was because the mail gateway ate it.
IM frequently less than HO corporations need to protect both themselves and their employees.
we see things not as they are, but as we are.
-- anais nin
For another example, our CEO wants to sign up to mailinglists of all our partners, competitors, etc. Both use their "secondary" email address for this spam-ridden mail.
Most of the "legitimate" "corporate" use of email doesn't actually get your email address listed with porn spammers. People just like giving out their email addresses to everyone, and that's what gets them in spam-trouble. By giving a second throwaway account, most people's primary account stays nice and spam-clean.
As a European living in North America, this article, although true in its content, plays a lot of noisy drums for nothing.
Contrary to the USA, Europe does not have a culture of suing people or companies, and in particular against "hostile work environment".
I don't think the situation where an employee sues his company for receiving p0rn spam will arise often, since the employee will have nothing to win apart from losing his job and never finding another one (suing your company is generally not a good thing on a resume). (I don't say you lose your job if you sue your company - legally you cannot, but we all know how easy it is for companies to find other supposedly legal reasons to fire you).
Moreover, if you receive spam, it generally means that you have used your work e-mail address for non-business related issues, and you'll end up walking on dangerous ground if you try suing your company for that.
So, to me, this article has been written by someone who knows laws, can foresee their effect, but does not know European culture enough and makes the common mistake of comparing it to North America. Or maybe he never worked in a company where e-mail is used for work.
Take a shot. Some design criteria you should keep in mind:
- People need to be able to send messages to people they don't know, and have no common contacts with. A system which relies on "introducers" can be layered on top of a more open system (think PGP) but is not adequate alone. If one user can't send email to any other off-the-cuff, you lose, since people will have to resort to SMTP when they need it
... and if they have to do that, why use your system?
- Sites require their own servers, and no dependence on a central authority to process messages. They can choose to delegate authority over filtering (as with DNSBLs) but it can't be a requirement. If you (the system's creator) or any other power (say, Verisign) can monitor, censor, or shut off anyone's email, you lose -- why should General Electric trust your system?
- A new mail system must support gateways to SMTP. After all, SMTP would never have replaced UUCP, BITNET, and Fidonet mail if it had not been able to gateway to them. (If the only mail system you know about is SMTP, you don't know enough to build a new mail system.) These gateways must not themselves be easily abusable, or users of SMTP will reject mail from them. If that happens, your gateways get kicked off their ISPs for being spam sources, and you lose.
- A new mail system must offer its early adopters immediate benefit. If a new system doesn't offer real benefits until 51% of the world is using it, then no more than 0.1% will ever adopt it. If the only way your abuse-proof protocol is abuse-proof is to reject email from the whole dirty SMTP world, you lose.
- The standard must be a single open protocol, not a single implementation. Developers must be able to implement that protocol on disparate platforms on all different scales. Any implementation conformant with the standard must be able to talk to any other. Handing the world a Perl script and saying "this is the new email system" means you lose -- most people don't have Perl on their Windows and Palm systems and aren't going to install it to try out a new mail system.
Think you're up to it? Go for it. You have nothing to lose, right?