UK Anti-Spam Laws Criticised

stripyd writes "The Guardian has an article about the ineffectiveness of British anti-spam regulations. Asside from the limited penalties, the Office of the Information Commissioner have yet to actually hand out a fine. From personal experience, the OIC aren't good at answering email on queries regarding the law, their web site, or suggestions that the current procedure of tracking down, printing out and mailing off (with a stamp!) a five-page pdf form to report miscreants be streamlined. The form itself is good for a few yuks, until you remember your taxes are paying for it to be outsourced to private sector hosting."

Better in Belgium

[Halo1]

Here we can mail spam sent by Belgians (or spamvertising Beglian website) to the economical inspection, and they do investigate (they even called me once for more information). Foreigners getting Belgian spam (not many of those, I guess) can report them as well, fwiw. Their address is inspec dot eco at mineco dot fgov dot be

Re:Better in Belgium

Strange, that email address seems to have been obfuscated through some strange slashcode bug.. it converted all the fullstops to the word dot!

the actual address is probably inspec.eco@mineco.fgov.be

Hope this helps!

Re:Better in Belgium

[Halo1]

Fucking idiot.

Re:Better in Belgium

Actually, before somebody mods the parent as a troll, think about the effects of this - saving the good citizens of Belgia the time and effort of mailing these people spam.

I suggest that it be moderated to +5 insightful, for the AC's contributions to "cutting out the middleman".

Re:Better in Belgium

[Halo1]

Just stop wasting your time modding yourself funny and making yourself appear even more stupid than you already are. I'm glad I was able to assist you in making your day, however.

Re:Better in Belgium

[gujo-odori]

Speaking as a professional spam fighter (kind of a nice job to have, really), I fully concur. I can't imagine what Halo1 was thinking of by obfuscating an email address for reporting spam. You are absolutely correct in your "cutting out the middleman" analysis, and the person who de-obfuscated the address should indeed be modded Insightful.

Re:Better in Belgium

Their address is inspec dot eco at mineco dot fgov dot be

Why obfuscate? Don't we want the spam inspectors to receive lots of spam?

Re:Better in Belgium

[Halo1]

These people are the Belgian economical inspection. They only have jurisdiction over Belgium. Inundating them with US viagra mails and offers from Nigerians will only slow down their work.

Re:Better in Belgium

hahaha pwned!

Re:Better in Belgium

[Halo1]

Why on Earth do you think the Belgian economical inspection has any power (or time) to spend hunting e.g. US viagra peddlers? By increasing the spam they get, you only make sure they have less time to deal with spam they actually can do something about (and with other things).

But I guess I've been trolled once more in this discussion, I suppose it's time for me to really shut up now <g>

Re:Better in Belgium

[gujo-odori]

OK, you have a valid point there.

Of course, I have a counterpoint, and I'm not trolling you :-)

Not a large percentage, it's true, but some of that spam does get routed through Belgium on its way back to mailboxes here in the United States. It wouldn't be that hard for them to put in a set of automatic filters to discard anything that wasn't and then go after the the relay points, if that's within their power.

Re:Better in Belgium

[Halo1]

They don't do anything specifically about spam that gets routed through Belgium, only to spam sent by Belgians (routed via anywhere). They go after spam sources/senders (that's what's illegal according to the law and where they have jurisdiction), they're not the Belgian public proxy-shutdown service.

Re:Better in Belgium

[beders]

Their address is inspec dot eco at mineco dot fgov dot be

Good job you didn't include the address in plain text, you wouldn't want them to get the spam before you sent it :)

Re:Better in Belgium

[Halo1]

1, 2, 3.

Limited scope

[pjt33]

It's not just limited penalties: it's also limited scope, in that the only spam prohibited is spam to personal addresses. I actually get more spam to my work address than my personal addresses, and am rather unamused by this... cop-out. ("Loophole" isn't quite the right word, because it's intentional).

Re:Limited scope

[prandal]

It's another example of the UK's inability to enact good laws.

When has a law not been criticized?

[md358]

Especially since it's not even being enforced.

Re:When has a law not been criticized?

[Anne+Thwacks]

And when has the Blair government produced a form that is not crammed will complex and irrelevant questions, which then requires us to pay an army of civil servants to read.

Re:When has a law not been criticized?

[Atrax]

> requires us to pay an army of civil servants to read.

Ah! a make-work scheme to keep unemployment figures low before the next election. cunning

Outmanned, Outgunned

[The+Slashdotted]

.. they are using the loopholes to threaten Spamhaus with potentially devastating legal action if it continues to name them as spammers and block their mass mails targeted at business addresses.

Is there any such thing as a British libertarian? :P

As for the site, it says nothing about the Reg 22 in question, a search only finds the same letter in Word format. However it does look like they spent a pretty penny on their web designer. That's more comforting to the public than enforcing the law, I guess.

Re:Outmanned, Outgunned

[dazed-n-confused]

As for the site, it says nothing about the Reg 22 in question

Here's the Information Commissioner's Guidance on Regulation 22 (you have to scroll down to p.24 of the pdf). What, you expected something accessible from that bunch of clowns? Think again...

Re:Outmanned, Outgunned

[murky_lurker]

If it's the one I think it is, it's part of an EU directive. There's details of it here, the chapter relevant to spam is here , albeit in .doc format. I've only had a chance to skim but the legislation seems to be mostly aimed at legitimate businesses who have over-zealous customer newsletter runs, rather than preventing mass mailing spammers. I have to say, though, that the form linked in the article is completely asinine.

Re:Outmanned, Outgunned

[murky_lurker]

scratch that, was thinking of the wrong one. sorry!

Re:Outmanned, Outgunned

[Toraz+Chryx]

"Is there any such thing as a British libertarian? "

Aye, over here!

>:(

Re:Outmanned, Outgunned

[prandal]

Therein lies your first lesson in international law - how to implement a European Union directive in such a way as to follow the letter of the law but with no real intention to do anything serious about the problem the Directive is supposed to be addressing.

British politicians and lawmakers are just like politicans anywhere - totally cynical bastards with their own agendas.

Re:Outmanned, Outgunned

[prandal]

And over here too! But I should qualify that by saying the the British concept of libertarianism may well be very different from that of the gun-toting Yankee crazies.

Re:Outmanned, Outgunned

[miruku]

Is there any such thing as a British libertarian? :P

not really, after the people of the uk had to live through several years of laissez-faire capitalism in the guise of thatcherism and have realised how soul destroying an experience it is. however, the uk does have the liberal democrats who are like; well, libretarians + democrats, i.e., the best of both worlds

Death threats???

[N4DMX]

I did not realize that spammers took themselves this seriously. And spam-gangs? What is this world(wide web) coming to?

Re:Death threats???

[Sv-Manowar]

People getting into the internet thinking there is easy money even after the boom, and spamming can be lucrative if done well. Its a risky game, but if some play it right the rewards are huge

Re:Death threats???

I've been investigating them for almosst 2 years now.
I cannot say how I know this, without blowing my ONLY contacts I have with this "Underworld".

I CAN say this... the "Russian Mafia" is throwing in a huge pile of cashola to fund smart Russian and E European programmers who write the likes of SOBIG and other nasties lurking out there.

Tracing this activity is almost inpossible. With the mechanisms in place today, it's impossible to probe a box to see what it's 'listening' to.

There are ways to detect 'in real time" when one of these trojans are hijacked and record the IP address, but this is just some other infected host, there are approx a million out there.

Some anti spammers I know are responsible for shutting down about 100,000 in the past month, but that won't even make a dent.

Another project I know of is an Instant spam bounce system. When Spam enters a mail relay, it's instantly classified, if spam, it goes back to the original ISP it came from as a 'spam report", and do it within a second. Reports are consistant, so a script strips out the IP address (always in the header of the spam report), and sends the IP to the mechanism that disables known ports used by the virus or trojan.

All this takes place within about a minute, and can really ruin the day for one of those sleaseballs that started it.

Of course for this to be effective, every ISP can use something like AbuseButler, which can take immediate instant action.

I'm sure the people in this project are going to make an official announcement, but I'm told they are getting a lot of political resistance from the ISP... But this mechanism totally protects the privacy of the innocent victim. It blocks ONLY the capability of the worm or trojan to communicate, and it sends a log to the ISP.

Other methods are being experimented with, like crafting snoret rules to detect the trojan's protocol, extract information from the 'event' and pass it onto other systems who can deal with it.

Spam gangs, having a lot of money to spend, have the upperhand at present. All we can do, is report spam, get the ISP's to close down their gateways, or put huge IP blocks in the RBL's.

Because of some activities from some friends I know, who have been actively shutting down the infected hosts on a massive scale, the Spam gangs are very pissed off right now.

I wonder if anyone noticed any less spam...

At any rate - spammers WOULD stoop to killing anything that threats their MONEY MACHINE.. laws or not... A law is not going to prevent some Russian programmer from releasing a virus.

Anything that threatens their PORN hosting service, which is really a huge collection of infected hosts, including some that might be used in church groups. Imagine them hosting porn.

Elaborate dynamic DNS servers are constantly re-pointing to new infected hosts many times a day.

Reason...

[vchoy]

"Asside from the limited penalties, the Office of the Information Commissioner have yet to actually hand out a fine."

Most of the spam offences are committed outside of the UK. I consider this a localised solution to a global problem.

Re:Reason...

[vchoy]

I consider this a localised solution to a global problem.

Coming to think about it, I don't think solution was a good word to use. The laws still would not 'STOP' or stamp out spamming. I should of said...'deterrent' instead.

Re:Reason...

[Halo1]

See it as an attempt to clean up your own neighbourhood. I don't see anything wrong with that idea (whether the implementation of that idea is good, is another question obviously).

Re:Reason...

[dazed-n-confused]

Oh, come off it! This isn't a 'deterrent,' or a 'solution,' localised or otherwise. It's not even any use as a 'fig-leaf.' It's just an embarrasment. The UK Government looked at the problem, and waved its hands in the air, and decided to do nothing effective. Luckily, in the Office of the Information Commissioner, they had the perfect enforcer (ha!) ready to do their bidding.

Compared to the successful anti-spam laws where?

[evilandi]

And this compares to the highly successful anti-spam laws of which country, exactly? (Disclaimer: I have a vested interest, I the anti-spam development manager at MessageLabs)

Laws are useless without enforcement

[lewko]

Laws are useless unless they are enforced. There is no deterrent if would-be lawbreakers know they either won't get caught, or if caught, won't be significantly punished.

It's therefore relevant in planning anti-Spam legislation that the legislators consider how they can follow up on whatever laws they draft to make them more than a 'toothless tiger'.

British spam

[CdBee]

"Get your online next-day tea supplies here"
"How to understand Americans - get the guidebook!"
"Sizzling Shots of the Queen - Join today!"

It all gets rather too much at times.

More seriously, I'd say in the UK we have more trouble with semi-legitimate opt-out marketing than pure spam, almost all of which seems to come from the USA (yes, re earlier story, particularly Comcast and the baby-Bells)

There are so many sites in UK cyberspace geared towards getting email addresses for "free newsletters", and any club or association seems to want to send emails with a bare minimum of content and masses of advertising added. This I see as an attempt to legitimise spam, rather than mass-mailing, people are paying asociations and clubs to sell their products for them. Affiliate programs suck, and so many firms have been founded to do just this in the UK.

How many times must I tell them? I already have enough Tea.

Re:British spam

Yes, but do you have enough "T3A"?

Re:British spam

[CdBee]

yeah, I used MAILsweeper to ban any email carrying the word T3a

Re:British spam

[doppelfinity]

there are just too many mailing lists and newsletters present in websites. one should rather take note of free newsletters when signing up any email accounts >_

Re:British spam

[kraut]

Beowulf beat Grendel, and then kicked Grendel's mum's butt!;)

Ineffective.

[vchoy]

Maybe they got their code logic wrong:

if (potentialSpam.EmailAddress.endsWith(*.uk))
{
id(potentialSpam.PotientialSpammer);
fine(potentialSpam.PotientialSpammer.potentialSpam mer);
}
else
{
System.out.println("Does not concern us, processing next message...");
}

Just J/king

Also in The Netherlands

[ControlFreal]

In The Netherlands, you can report spam on-line as well at the Spam Klacht (lit.: "spam complaint") website. This is an official website of the OPTA organization, which monitors and control telecommication in The Netherlands. Note that the link to the Spam Klacht website is even an SSL link.

Re:Also in The Netherlands

[Animaether]

SpamKlacht website

I read through some of the tidbits there, and it appears to be setup pretty well. And it appears our legislation is very nice too... "opt-in" conditions including
- If it's a checkbox form, then the user has to check it - it can't be pre-checked for the user.
- The opt-in description is not allowed to be 'vague' where "I hereby give permission for company X and partners to send me e-mail" is declared 'vague' enough.
- You cannot implicitly re-use old contact lists such as those acquired from other companies or through company take-overs; one has to first contact the user again and ask them if it's okay to establish a NEW relationship. Only if the user agrees to this they can start to 'spam' again.

However, I was also quite baffled to find that the OPTA :
1. Excludes all these rules when it is spam sent to a company.
2. Excludes all these rules when it is spam sent to a fax machine!

Now #1 I could rationalize if I tried hard.
#2, however, is just ridiculous. Apparently it is not illegal as it was at some point judged to be the same as 'colportage' (door-to-door sales). yish. I can only hope that at least there's a law against sending a looped-back black fax :/

Re:Also in The Netherlands

[tuxzone]

You must have misread.
Point 1: You are right, but law is to be changed.
Point 2: You are wrong. Spam by fax van be reported online too!

Policy conflict...

[cardpuncher]

It's quite amusing that while on the one hand expecting ISPs to keep e-mail logs for several years for "security" purposes, another branch of the same government is ensuring that those logs are so full of spam-related noise that it would be infeasible to analyse them in most practical cases.

Of course, anti-spam legislation is only effective against "legitimate" slimeball businesses. And at present, their contribution is minimal compared to criminal slimeball businesses. The latter cannot only be addressed by technical fixes, after which point legal solutions may have a chance of working.

What's the point?

[neilmoore67]

The sad thing is that however strong and well supported the laws are by the community, it's probably not going to make one bit of difference to the amount of crap an individual receives. For a start, UK laws can't stop foreign spammers. Secondly, they are likely to be difficult to enforce even if we know who the culprits are. We have drug laws and anti-terrorism laws in Britain, but does that mean that they are no longer a problem? I think not. IMHO the best way to avoid spam is to take precautions and get some good filters.

Re:What's the point?

[Andy_R]

Actually, I've found the threat of the law to be quite effective in cutting down the spam that I get. I have quite often I've mailed the head of legitimate organisations that have spammed me because some random 3rd party has mistakenly signed up an address in my domain to their lists, and got some pretty grovelling replies.

I'm just about to send of my first dozen forms to the OIC, and as with any UK government department, all you need to do to get action is threaten them with their own regulatory body to get action.

Also, I've picked my targets carefully, some big names that have ignored written warnings.

Top of my hit list are:

xmr3.com (uk bulk mailer that pretends it's legitimate)

Yahoo.co.uk (those adverts at the top and bottom of yahoogroups mails are illegal, but Yahoo think they are above the law)

Ticketweb.co.uk (claim that every time you buy from them they have thr right to start samming you again)

- Andy_R

Re:What's the point?

[julesh]

Ticketweb.co.uk (claim that every time you buy from them they have thr right to start samming you again)

They do. IIRC, the law excludes e-mails sent to prior customers.

Email queries to the OIC

[gilgongo]

> From personal experience, the OIC aren't good at
> answering email on queries regarding the law

My personal experience was going to their site to look for guidelines on the use of cookies and the collection of anonymous data. Finding lots of "guidelines" about stuff (which are basically extracts of legal documents it seems), but nothing that seemed relevant, I mailed them my question. Three weeks later I got a reply, which was at least relevant, if amazingly long and almost as confusing as the other stuff on their site that I couldn't undertand either.

They've got a hell of a long way to go in my opinion. During the trial of Ian Huntely, the police even admitted they were confused about the DPA! What hope is there for the rest of us?

Re:Email queries to the OIC

[julesh]

During the trial of Ian Huntely, the police even admitted they were confused about the DPA! What hope is there for the rest of us?

I've no clue. All I can say on this matter is, it's actually pretty simple. A 4 hour training session ought to be enough to get people to understand it, so if the police, or anyone else, has data-handling employees who don't understand it, then they're not providing enough training.

Re:Email queries to the OIC

[gilgongo]

Yes, but the devil's in the detail. In the court case, the police said they'd deleted Ian Huntely's files (containing records of him being accused of assaulting minors I think) because of the DPA's stipulation that personal data should only be kept only "for a long as necessary."

On a course, a teacher will say that data should only be kept for "as long as necessary." The student will ask "How long is that?" and the teacher will say "It depends on the data, the reason it's being kept, and the intended use of that data."

This is obviously nuts. The Inland Revenue says that records should be kept for seven years. Other records should be kept for longer (e.g. government records under the 60, 100 year rule etc.) So why the vague "you decide" thing with the DPA?

And that's just length of life. There are hundreds of vague provisions that ultimately depend on lots of local factors. Like the provision to "take reasonable measures" to protect the data. The only bit of guidance I could see on this was that if the data contained credit card details then it should be encrypted. No idea how, to what standard, or to whom. Just "encrypted". Whoopy doo.

A course might do something, but would probably give the students just enough rope to hang themselves with. Just like the Sussex Police.

Re:Compared to the successful anti-spam laws where

[BarryNorton]

Good point. Some people always act (or, more to the point, talk about acting) from the point of view of wanting to police the world and enforce "truth, justice and [their] way".

Some of us just want to make a practical start on the problem...

Must be a term for this...

[16K+Ram+Pack]

... but I'd call it a "media question bounce" law.

That is, when some story comes up about spam and a govt. official is interviewed, they can point to the spam law being passed.

See also Data Protection Act, Freedom of Information Act.

increasing PostBlock devise criticism?

just keep it to yourself?

The Office of the Information Commissioner

[BillsPetMonkey]

Is a paper tiger. It was designed that way. You only really find this out when you try to invoke the Data Protection Act 1998 against a data conroller company, and find that it's not designed to protect you, it's designed to safeguard companies holding your data from you.

The reason the UK spam laws are weak is not a coincidence either. The UK government uses the electoral register to sell your data (regardless of whether you "opt out") to third party marketing companies to get revenue.

It's not freedom of information as you might know it, it's a case of "do as I say, not as I do".

Re:The Office of the Information Commissioner

[vigilology]

The UK government uses the electoral register to sell your data (regardless of whether you "opt out") to third party marketing companies to get revenue.

How do you know?

Re:The Office of the Information Commissioner

http://explanation-guide.info/meaning/Census.html

United Kingdom

The UK census as we know it today started in 1801, as part of a drive to ascertain the number of men able to fight in the Napoleonic wars. England took its first Census when the Domesday Book was compiled in 1086 for tax purposes. Dalriada (now Scotland) in the 7th century was the first territory in what is now the UK to conduct a census, with what was called the "Tradition of the Men of Alba" (Senchus fer n'Alba').

The census has been conducted every ten years since 1801 (except in 1941), the last one having been completed in 2001. The census is undertaken by the government, and the information is sold to interested parties, as well as being used for policy and planning purposes.

The census is usually very accurate, and with a fine of 1,000 for those who do not complete it, filled in by a high percentage of the population. An exception may have been the census conducted during the years of the poll tax (1991), when some people avoided it in case it was used for enforcing the tax.

The 2001 census was the first year in which the government asked about religion. Perhaps encouraged by a chain letter that started in New Zealand, 390,000 people entered their religion as Jedi Knight (more than either Sikhs, Buddhists or Jews), with some areas registering up to 2.6% of people as Jedi.

See also: UK census dates and Population of England.

Re:The Office of the Information Commissioner

[julesh]

Err.. the census is _not_ the electoral register, which is what the GGP and GP articles were talking about. Sorry.

Re:The Office of the Information Commissioner

[jeremyp]

The UK government uses the electoral register to sell your data (regardless of whether you "opt out") to third party marketing companies to get revenue.

This is a lie. It's not even maintained at the national level, but at the district council level. By law, anybody can see a copy of the register (under supervised conditions) and certain companies are allowed to use the register for restricted purposes. For example, credit agencies can use it to verify your address. It is illegal for them to pass the data on to anyone else or use it for any but a set of restricted purposes.

The editted version of the register may be bought by anybody, but you can opt out of that. See here for more details.

Re:The Office of the Information Commissioner

[julesh]

The UK government uses the electoral register to sell your data (regardless of whether you "opt out") to third party marketing companies to get revenue.

I don't believe this is true. You can pay for an electronic copy of the electoral register, but I believe this has the opt-out parties removed.

You can inspect the official register and your local council office, which doesn't have the opt-out parties removed, but you can't buy a copy of this version, as far as I'm aware.

Besides, it's quite clear why there isn't a decent implementation here: the government don't believe in the legislation, but were required to implement it by the EU, so they implemented it sloppily. Simple enough.

Re:The Office of the Information Commissioner

[gilgongo]

> This is a lie. It's not even maintained at the
> national level, but at the district council
> level.

Agreed - the OP was talking through his bottom, although it's a very widely held belief in the UK - I know lots of people who refused to sign the electoral roll duing the Poll Tax years because of this.

However, the government's proposed identity card system and the accompanying *centralisation* of just about all citizens' data (electoral and otherwise) could bring about the theft/abuse of such data for commercial purposes in my opinion.

Re:The Office of the Information Commissioner

[BillsPetMonkey]

Hahaha.

This is the biggest lie of them all. I stand by my original comment.

MBNA Credit is a credit company. They also sell credit cards. There's a loophole as wide as goatse for them to abuse their privilige. Do you want me to send the junk mail I get from these companies since signing the electoral register? It can be arranged ....

Re:The Office of the Information Commissioner

[BillsPetMonkey]

OK, there's a lot of misunderstanding about this. The edited register cannot be sold without the authorisation of the local council. But if you happen to be an "approved" subscriber to this information (ie. you happen to be MBNA Europe or a number of other data controllers), you will have free access to the information regardless of whether voters have opted in or out.

Yeah, it's an uncomfortable reality. Because the illusion of censure on your own information is important, but it's completely non-existent. Remember when you were a student or when you lived in your parents' house? You didn't get half as much junk mail as now, as a separate voting entity with your own entry in the electoral register. Why do you think that is?

Re:The Office of the Information Commissioner

[jeremyp]

If you have evidence that they have been using the electoral roll to do marketing campaigns you should report them to the Government because they would be breaking the law.

However, getting lots of junk mail does not constitute evidence. There are any number of sources they could have got that info from.

Welcome to the UK

[Fullmetal+Edward]

If we can make it worse with out sourcing it's already in India.

"Free newsletters"

[prandal]

We need a new, pithy name for these. Getting people to sign up to receive spam is one of the spammers' cleverest tricks. And it works too well, alas.

why spam-proof that address?

[NumbThumb]

just let spammers pick it up and report themselves :-P

here goes: inspec.eco@mineco.fgov.be

Maybe this would generally be a cool idea: post honeypot-addresses all over the net, and cause spammers to spam people who CAN and WILL do something about that...

Re:why spam-proof that address?

[Halo1]

Read my answer to the post above yours (that person asked exactly the same thing) and this answer to another person.

Thanks to you as well for helping in trying to make that email address useless.

Spam laws

95% of the spam I get comes from outside the UK so its out of the ability of the UK Government to do anything about it.

Enough Tea

[wowbagger]

Yes, but do you have No Tea?

Otherwise, you can never get the last bit of fluff....

Meltdown

The thing that worried me most in the report was the claim (ok it was by the boy Sunner from MessageLabs) that 90% of email would be spam or viruses by 2005. I'm sure if they counted message size they'd find the majority of email is already viruses.

Latest spammer trick to defeat Baysian filters... correctly spelt spam with real content before the advertising pitch.

Wrong laws being used?

[CynicalGeek]

Arguably, a spammer is breaching the Computer Misuse Act 1990

This provides:

3.--(1) A person is guilty of an offence if-- (a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing--
...
(c) to impair the operation of any such program or the reliability of any such data.

*Any* email will "modify the contents of the computers" it is delivered to or passed through.
If the email has been crafted (e.g with nonsense keywords, hidden text, misleading subjects, forged headers) to avoid a spam filter then it could be held to "impair the operation of a program" - i.e. the spam filter.
This to me looks like a section 3 offence, which carries a five year sentence.

I'm not sure how you'd go about making a complaint though..

What's wrong with "private sector hosting"?

[mi]

until you remember your taxes are paying for it to be outsourced to private sector hosting.

They, probably, need a paper complaint because they can't prosecute without it -- law enforcement is backwards that way -- justices still wear gowns, for crying out loud! Given that, hosting the PDF through the private company is almost certainly cheaper for the taxpayers.