Annexes to COM(2006)688 - Fighting spam, spyware and malicious software

Dossier: COM(2006)688 - Fighting spam, spyware and malicious software
Document: COM(2006)688 EN
Date: 15 November 2006
agreement.

Companies that offer software products are encouraged to clearly and prominently describe all the terms and conditions of the offer, in particular if there is processing of personal data by any monitoring devices that are included in software packages.

Self-regulation and the use of some sort of 'seal of approval' could provide a means to separate trustworthy companies from those that are not. Codes of conduct, which aim to inform the user of conditions that imply the processing of personal data, can be submitted for endorsement to the Article 29 Data Protection Working Party.

4.2.3. Contract clauses in the chain of supply

Often companies are not aware of how advertisements for their products and services are technically being delivered to the public. Legitimate software may be packaged with spyware used to gain access to sensitive data, including credit card data, confidential documents, etc.

Companies that advertise and/or sell products need to ensure that their contracting parties' activities are legitimate. A company needs to understand the contracting chain of relationships, monitor legal compliance and make malpractice subject to termination throughout the chain, so that further affiliation with companies engaged in malpractice can be ended immediately.

4.2.4. Security measures by service providers

An ENISA survey in 2006 [33] confirms that service providers in general have taken measures to tackle spam. It does however report that service providers could further contribute to the overall security of the network, and recommends that more emphasis be put on filtering e-mail that leaves a service provider's network (egress filtering), rather than only on filtering what comes in. The Commission encourages service providers to implement this recommendation.

The Article 29 Data Protection Working Party adopted an Opinion on privacy issues related to the provision of email screening services [34] which provides guidance on the question of confidentiality of email communications and, more specifically, on the filtering of on-line communications against viruses, spam, and illegal content.

4.2.5. Proposed actions

The Commission invites:

- companies to ensure that the standard of information for the purchase of software applications is in accordance with data protection law.

- companies to contractually prohibit illegal use of software in advertisements, monitor how advertisements reach consumers and follow up on malpractice.

- e-mail service providers to apply a filtering policy which ensures compliance with the recommendation and guidance on e-mail filtering.

4.3. Action at European level

The Commission will continue to address the issues surrounding spam, spyware and malware in international fora, in bilateral meetings and where appropriate through agreements with third countries and will continue to foster cooperation between stakeholders including Member States, competent authorities and industry. It will also take new initiatives in the area of legislation and research that aim to provide fresh impetus in the fight against malpractices that undermine the Information Society. The Commission is currently working on the further development of a coherent policy on the fight against cyber crime. This policy will be presented in a Communication planned for adoption in the beginning of 2007.

4.3.1. Review of the regulatory framework

The Commission Communication [35] on the regulatory framework for electronic communications proposes to strengthen the rules in the area of privacy and security. Under the proposal, network operators and service providers would be obliged to:

- notify the competent authority in a Member State of any breach of security that led to the loss of personal data and/or to interruptions in the continuity of service supply.

- notify their customers of any breach of security leading to the loss, modification, access or destruction of personal customer data.

National regulatory authorities would have the power to ensure that operators implement adequate security policies, and new rules could be established providing for specific remedies or an indication of the level of penalties to be expected for breaches.

4.3.2. Role of ENISA

The proposals also include a provision recognising the advisory role of ENISA in security matters. Other tasks foreseen for ENISA are outlined in the Commission Communication on a Security Strategy [36] and include:

- to build a trusted partnership with Member States and stakeholders to develop an appropriate data collection framework on security incidents and levels of consumer confidence. ENISA will closely coordinate that framework with Eurostat in view of the Community statistics concerning the information society and the i2010 benchmarking framework [37].

- to examine the feasibility of a European information sharing and alert system to facilitate effective responses to existing and emerging threats to electronic networks.

4.3.3. Research and development

The forthcoming FP7 program aims at the continued development of knowledge and technologies to secure information services and systems in close coordination with policy initiatives. Topics of work related to malware are expected to include hidden botnets and viruses, and attacks on mobile and voice services.

4.3.4. International cooperation

As the internet is a global network, the commitment to fight spam, spyware and malware needs to be shared around the world. Hence, the Commission intends to reinforce the dialogue and the cooperation with third countries on the fight against these threats and the criminal activities that are linked to them. To this end, the Commission will seek to ensure that spam, spyware and malware are addressed in agreements between the EU and third countries, will seek a firm commitment from the most concerned third countries to work with EU Member States to fight these threats more effectively, and will closely follow up the enforcement of jointly committed objectives.

4.3.5. Proposed actions

The Commission will:

- continue efforts in raising awareness and fostering cooperation between stakeholders

- continue to develop agreements with third countries including the issue of the fight against spam, spyware and malware

- aim to introduce new legislative proposals at the beginning of 2007 that strengthen the rules in the area of privacy and security in the communications sector and present a policy on cyber crime

- involve ENISA expertise in security matters

- support research and development in its FP7 program.

5. Conclusion

Threats such as spam, spyware and malware undermine the confidence in, and the security of, the Information Society, and have a significant financial impact. While some Member States have taken initiatives, across the EU as a whole there is insufficient action to address this development. The Commission is using its role as an intermediary to create greater awareness of the need for stronger political commitment to fight these threats.

Enforcement efforts need to be stepped up to stop those who knowingly disobey the law. Further action by industry should be undertaken to complement enforcement activities. Cooperation is needed at national level both within government and between government and industry. The Commission will reinforce the dialogue and the cooperation with third countries and also examine the opportunity to make new legislative proposals and will undertake research actions to further strengthen privacy and security in the electronic communication sector.

Integrated and, where possible, parallel implementation of the actions identified in this Communication can contribute to reducing the threats that are currently compromising the benefits of the Information Society and the economy.

The Commission will monitor the implementation of these actions and assess by 2008 whether additional action is needed.

[1] COM(2006) 251 final

[2] COM(2006) 334 final.

[3] COM(2004) 28 final

[4] Spam refers to sending unsolicited communications (e.g. by e-mail) for commercial purposes. However, unsolicited e-mail messages may also carry malicious software and spyware.

[5] In 2001 spam was 7% of global e-mail traffic.

[6] Symantec 54%; MessageLabs 68.6%; MAAWG 80-85%.

[7] Q1 2006 (Sophos): Asia 42.8%, N. America 25.6%, Europe 25.0%, S. America 5.1%, Australasia 0.8%, Africa 0.6%, Other 0.1%.

[8] Ferris research, 2005.

[9] Botnets are networks of compromised computers used by spammers to send bulk e-mails, built by installing hidden software that turns the computers into mail servers without the users' knowledge.

[10] Symantec, top botnet-infected countries (Q3-Q4 2005): US 26%, UK 22%, China 9%, France, S. Korea and Canada 4% each, Taiwan, Spain and Germany 3% each, Japan 2%.

[11] Computer Economics: the 2005 Malware Report.

[12] Art. 13, Directive 2002/58/EC.

[13] Supra 3.

[14] Annex 1, point 26, Directive 2005/29/EC

[15] Regulation (EC) 2006/2004

[16] WSIS, Geneva, December 2003.

[17] Tunis Agenda, para. 41.

[18] http://europa.eu.int/information_society/policy/ecomm/doc/todays_framework/privacy_protection/spam/cooperation_procedure_cnsa_final_version_20041201.pdf

[19] http://www.oecd-antispam.org/

[20] http://www.asemec-london.org/

[21] Tunis Agenda para's 39-47. http://www.itu.int/wsis/docs2/tunis/off/6rev1.doc

[22] www.diadem; http://cordis.europa.eu/fp6/projects.htm#search

[23] http://www.maawg.org/home/

[24] http://www.spotspam.net

[25] A CNSA survey showed that fifteen out of eighteen responding members prosecuted cases in the period 2003-2006.

[26] Directive 95/46/EC.

[27] Art. 13 e-Privacy Directive.

[28] Art. 5 (3) e-Privacy Directive.

[29] Supra 28.

[30] Art. 6 (a) General Data Protection Directive.

[31] Council Framework Decision 2005/222/JHA.

[32] Supra 18.

[33] http://www.enisa.eu.int/doc/pdf/deliverables/enisa_security_spam.pdf

[34] Opinion 2/2006, WP 118.

[35] http://europa.eu.int/information_society/policy/ecomm/tomorrow/index_en.htm

[36] Supra 1.

[37] i2010 High Level Group benchmarking framework of 20 April 2006.
