Get involved in fighting SPAM - What does it mean to consent?

[ellipsis]

Parliament is considering a proposal made by one MP to amend the definition of "consent" as this is currently set out in the Protection of Personal Information Bill.

Why should you care? If the proposal goes through we will go backwards to an opt-out system where you will be regarded as having consented to receiving more communications if you fail to use the opt-out provided, i.e. more spam.

As things currently stand:

"consent" means any voluntary, specific and informed expression of will in terms of which a data subject or a competent person agrees to the processing of personal information relating to him or her or, as the case may be, relating to a child;

Option:[1]

"consent" means any voluntary, specific and informed expression of will in terms of which a data subject or a competent person agrees to the processing of personal information relating to him or her or, as the case may be, relating to a child and includes the failure on the side of a data subject or competent person to object or opt out when given a reasonable opportunity to do so;

From what we can see there are plenty of people on the forum that get irked by spam. It would be great if we could get a clear statement to Parliament rejecting the proposed change and letting the politicians know that South Africans generally do not like having their personal information sold and/or abused (and having to pay for the privilege...).

20 constructive posts giving reasons why this proposal is a bad idea & we will do a submission to Parliament. Any other ideas for publicising the issue most welcome.

[Saajid]

This is terrible. Definitely going backwards. I thought we were just starting to make progress, with the cellular operators implementing double opt-in systems.

Besides giving all spammers a gold access card to spam the hell out of us, this will also have big implications for privacy issues. Personal information and email/SMS lists will become more valuable, and will be traded big time. This will result in worsening the problems of identity theft and fraud.

This proposal is so backwards and blind (was gonna say short-sighted, but that is too mild) it could only be a truly African idea: lets fix it by making it worse.

[PsiCoRe]

The opt-out system requires us to validate our information with the spammers. To start off with, why is parliament even discussing this? It's quite obviously a bad idea. Secondly, as opposed to an opt-in system the spammer can only obtain my information through A - number phishing. B - obtaining my information without my consent or permission (data theft or trade of information). If a company that I have, in good faith, provided my personal information with wishes to share my information then he or she first needs to confirm this with me, notify me of which information they wish to share and provide me with the company details that they wish to share it with before that information may be submitted. and C - contacting me repeatedly without my consent is harassment. The opt-out system in itself is quite obviously illegal and unconstitutional. With SMS scams and phishing messages becoming so prevalent these days it is also a major security risk. I also believe that operators need to take responsibility much like email service providers and block known scammers.

[XperiAnce]

Instead of going forwards, we're going backwards?! What are Government thinking? It shouldn't be on me to stop SPAM reaching my Inbox, it should never be allowed to get there in the first place.

[The_Librarian]

*sigh*

And there's a good reason why I don't opt-out - it just confirms the email is valid and in use.

[The_Librarian]

20 constructive posts giving reasons why this proposal is a bad idea & we will do a submission to Parliament. Any other ideas for publicising the issue most welcome.

1. Spam traffic wastes bandwidth unnecessary.
2. Spam traffic requires spam filtering tools to be implemented - which means you will have to sacrifice resources on your email server just to process spam.
3. Resources in (2) costs the company time and money to purchase, to implement and to maintain.
4. Because of (1) companies will have to pay more on their Internet bill and to fight spam - which could be used better for staff training or staff morale building.
5. The current proposal means that spammers will be free to spam us at will, which means we have to implement more spam-fighting measures.
6. To battle spam effectively, the onus should be on the sender to prove that the recipient did indeed consent to receive spam.
7. Implementing (6) will mean decreased bandwidth usage, and decreased resource utilization (2) as only people who want to receive advertising/spam will receive said.
8. It just is not only spam, it also may include pornographical content, which we don't want children to see.
9. If spam is not controlled, spammers will start to send pornographical content out, there's no doubt about it. (dom, think we can hammer a bit on this point?)

[SwimGeek]

The opt-out system requires us to validate our information with the spammers.

And there's a good reason why I don't opt-out - it just confirms the email is valid and in use.

It's possible to do opt-out without giving details to spammers.

You involve a 3rd party and you never hand out the info, you just let them check their lists.

To check the list you also don't need to provide the email address in plain text, you could hash the data.

Have a look at: https://www.trustfabric.com/connect/

[WireFree]

The clause provides the opportunity for people for formulate contracts or other documentation where the opt-out option is either included in small print and hence not easily visible to the reader.

It may also provide an opportunity to not include the opt-out option in a document. The provider of the document need simply say that if the person agreeing to other terms in the document did not want marketing material he/she should not have signed the document.
As an example consider a cellphone contract which is larger and covers various terms and conditions. A clause reading, "The COMPANY may provide cellphone contract holders details to other third parties for promotional purposes," can be easily included. Not many people would object to this clause as it is the least of their concern.

[lifeboy]

One good reason to require explicit opt-in or consent as it is currently defined and not to require opt-out is that it isn't possible currently (and probably won't be for quite some time) to opt out of SMS spam free of charge. It is not legal to provide an opt-out facility for which the recipient would need to have airtime available. To make an opt-out facility free, cellphone network providers would have to create a special opt-out service, which in itself will create numerous new problems, or drop the costs of sms texts, which is a major money maker for the networks and won't happen.

So effectively many South Africans will have no option to opt out, thus making this sneaky attempt to change the meaning of "consent" not valid.

[dominic]

i count 5 constructive posts - will keep this open to the end of this week, i.e. Friday 6th July

[morkhans]

Opting out of unsolicited communication is often not possible due to the sender not providing a method to unsubscribe. Also many unsolicited bulk mail senders use their op-out system as way to verify that the mail was received, which in turn means additional unsolicited mail being sent to the recipient. Personally I only use the unsubscribe links provided in communications I singed up for, anything else is flagged and reported as spam. A more suitable change to the legislation would be to place the onus on the bulk mail sender to ensure that permission has been received to send communication to the recipient (i.e. opt-in). It is the sender, after all, who has a vested interest in the communication they are sending, and thus should be proving the relationship with the recipient.

PS. Feel free to include my signature, although I suspect the humour would be lost on our MPs.

[Paul Hjul]

constructive post 7:

Lets assume that the intended change has good motives underlying it. The reason, I assume, that the MP wishes to change the provision pertains the fact that the current provisions could be viewed as particularly onerous for certain SMMEs and quite honestly the POPIB has the potential to create laws in SA which are unenforceable against companies abroad. In the last week I have signed up to use a dozen or so apps or services and whatnot and each one has me having to uncheck the checkbox to receive promotional material - its quite funny how often you need to check an acceptance of the terms of use and uncheck the send me semi-spam box).
Further a real problem exists in just what you get sent when you decide to allow material from company - like Microsoft - because you genuinely want to know about X new products but end up getting crap unrelated to what you have signed up for. This isn't spam but if an opt-in premise is taken and you consent to google and google is in turn spinning off product amazing to company bob company bob isn't allowed to email you [of course google ought to do so before the spin off]. The essence of the point is that in order to give informed consent to the processing of personal information and its use in a particular context has an element of disclosure not currently found in practice and quite honestly a combination of explicit opt in and continuous capability to opt out is far better than putting to many eggs into an opt in premise.


However the problem is that the new definition amounts to taking a canon to a fly. Two alternatives to this over-broad attempt that fundamentally maligns the English language on the meaning of consent and butchers the statute:
Firstly an exception in the instance where a "data subject" has signed up for an online service and such sign up provided an explicit explicit opt out option exists at the instance of sign up and such service allows for the cancellation at any point thereafter.

Secondly additional provisions in the bill providing for gradual alignment by providers requiring reasonable and progressive steps to ensure that users explicitly consent to the content which they receive rather than an immediate thou art spamming approach. Basically what I have in mind is that ISPA or another industry body have jurisdiction to issue notices on identifying that an entity is sending what I'd term semi-solicited mail of the fact that SA demands a greater notion of user consent and on transmission of this notice the presumption that such semi-solicited mail has consent applies provided that if no progressive steps are taken the issuer of the notice may withdraw same AND take action to enforce the material as spam. What this would mean is that while currently many apps on the appstore and so forth are able to farm your email address to give you usability and have you needing to check on a opt-out checkbox the industry body would be able to put pressure on Apple and others to ensure that the practice changes. This way we aren't coming in to hard with to "progressive" legislation that is far beyond norms in the industry but does ensure that we can progress with the industry and play a small part in doing so.
It particularly should prevent an expansion of questionable practices.

[DarkWrath]

The opt-in system will i.m.o. never come into force because it would hurt business too much and lead to a massive loss of jobs, i'm not specifically talking about email spam but also SMS and Call Centers.

[dominic]

The opt-in system will i.m.o. never come into force because it would hurt business too much and lead to a massive loss of jobs, i'm not specifically talking about email spam but also SMS and Call Centers.

hi DarkWrath

can you expand on that a little - good to have the other side represented? my understanding is that SMS is mostly opt-in because that is the requirement under the WASPA code of conduct but what kind of impact do you see on call centres based on their having to use opt-in lists as opposed to opt-out? Are you aware ofany literature in this regard?

[ambo]

From my point of view this clause provides a big technical loophole:
"reasonable opportunity" is extremely vague and very easy to abuse. The problem here is that a spammer could decide the a subject has implicitly opted-in when they fail to get a response to their email spam. It is quite possible that the spammers mail does not get delivered for technical reasons, gets delivered to a spam folder, does not get downloaded timeously or even gets just gets overlooked by a subject who may have a genuine desire to unsubscribe.

In order to infer implicit opt-in the sender should have to: a) prove that the message was delivered to the subject's end device, b) prove that the communication has been read/consumed/acknowledged and then finally c) receive verifiable feedback from the user/user's device of the above. The burden of proof must lie with the sender and the penalties for failing to provide proof must be harsh.

From a technical perspective, this will be as hard if not harder to implement than opt-in. The only truly verifiable way of confirming delivery as above would be to place a link at the bottom of the message saying "click here to confirm you have received this message"...

But wait... we're back at opt-in