There is a particular class of hard-line anti-spam zealot that tends to deride the idea of legislation as a method of controlling spam: you will often hear them make comments along the lines of "You can't stop spam with laws". What's more, they are right: on its own, legislation is no more a solution for spam than technical solutions (such as filtering) or education. Any serious approach to solving spam needs to have elements of all three of these techniques if it is to have any real chance of success.
Why does legislation need to be an important component of a co-ordinated anti-spam solution? Because the Law is the way society differentiates between acceptable and unacceptable behaviour: as it stands, spam is legal (and hence acceptable) in many countries around the world, including New Zealand. Until society makes an explicit statement that spam is unacceptable, there is no formal disincentive against people employing it. We contend that a significant number of people would not send spam if they knew that the practice were illegal, thinning the numbers and leaving a hard core that should thus be easier to track down and eliminate.
Effective anti-spam laws can be used to make an example of the worst abusers, while technical solutions can cast a broad net to catch the smaller fry that are not worth prosecuting. Over time, as the public becomes more aware of the spam problem through education, and takes greater personal responsibility for it, the phenomenon will eventually become increasingly unattractive and peter out.
The real risk with anti-spam legislation is the risk of getting the wrong laws passed. Knee-jerk legislation that does not properly address the real issues can end up being worse than the problem it tries to solve - the U.S. Congress has recently given us a stellar example of this. Proper consultation with industry, the public, and the government sectors is required to craft anti-spam legislation that works.
The biggest hurdle in creating effective anti-spam laws is the issue of definition - deciding what constitutes spam, and establishing solid positions on a number of crucial associated issues, in particular, the question of Opt-in vs. Opt-out permission systems. With Opt-in systems, a spammer can only send you mail if you have explicitly agreed in advance to accept it, while Opt-out systems allow the spammer to send you his junk until you explicitly ask him to stop. We believe in the strongest possible terms that Opt-in permission systems are the only valid kind, and that Opt-out systems have the (usually unintended) effect of legalizing spam. For a more detailed discussion of the key issues in defining spam, please see the author's Spam White Paper.
New Zealand
Spam is illegal in New Zealand under the provisions of the Unsolicited Electronic Messages Act.
It is not known how many high-level spammers operate in New Zealand: conventional wisdom suggests that the relatively high cost and limited bandwidth of Internet services in this country act as natural barriers to the practice, but it is now clear that we are not entirely bereft of our own home-grown spam problem. Still, we are luckier than many nations in that the incidence of the problem is undoubtedly comparatively slight. A major aim of anti-spam legislation in New Zealand is to avoid the "arbitrage effect", where spammers flee from strict jurisdictions to those that are more lenient.
The U.S.A.
The usual estimate within the anti-spam community is that approximately 70% of all spam originates in the U.S.A. For this reason, the legislative situation in the U.S.A. is unusually important to the rest of the world.
For the last several years, individual states in the U.S.A. have each come up with their own anti-spam legislation, almost all of it notably ineffective. The result has been a patchwork of contradictory laws that only affected small areas of the country: issues of cross-state enforcement have meant that only one or two prosecutions have ever taken place. In 2003, the then Governor of California, Gray Davis, signed into California law the strongest anti-spam statute ever proposed in the U.S.A, due to come into effect in January 2004. The law would have required opt-in permissions for spam and would have introduced significant penalties for spammers. In a country not always noted for proactive, socially responsible legislation, the California act stood out as an aggressive approach to the problem. State anti-spam laws are now all superseded by Federal legislation (see below) but as a matter of historical interest, you can find information on the laws passed by each state here.
Since 1999, three different sessions of the U.S. Congress have typically had seven or eight different Federal anti-spam proposals before them at any given time. Aggressive lobbying by Direct Marketing associations meant that almost all these proposals were based on the idea of opt-out permission systems, and there was a clear consensus amongst all parts of the anti-spam world that they were fatally flawed. In November 2003, under urgency, the U.S. Congress passed the CAN-SPAM act (S.877), which was signed into law by George W. Bush and came into effect on January 1st 2004. While CAN-SPAM does have some worthwhile provisions (particularly the outlawing of forged or false headers and "bandwidth theft"), it is unfortunately based on opt-out permissions: this means that a spammer may send you mail until you explicitly ask him to stop, effectively legalizing spam. The worst part of CAN-SPAM is that it overrides state legislation, meaning that the California statute (which might actually have been effective) is now null and void. The SpamHaus Project has the full text of the act and discussion here; it was also widely-covered in the media.
The "prophet of doom" element of the anti-spam community has greeted CAN-SPAM with howls of dismay, claiming that it will cause the spam problem to get even worse. In fact, CAN-SPAM probably won't make the problem any worse than it already is, but it will certainly do very little to alleviate it. The most significant impact of CAN-SPAM is probably going to be that it puts the U.S.A. on a collision course with the European Union, which has adopted legislation at the other end of the anti-spam spectrum (based on opt-in permissions - see the next section).
Europe and the U.K.
As it was with the various states in the U.S.A, so many European nations have previously introduced piecemeal local legislation against spam. These laws varied in form, ranging from strict and aggressive (Italy) through to largely non-existent (the U.K.). Then, in 2002, the EU Parliament issued its E-Privacy Directive, effectively requiring EU member states to enact legislation covering the broad issue of online privacy, including specific provisions outlawing spam. The E-privacy directive is a far-reaching document, but its most significant element is that it is based on an opt-in permisson system - in other words, a spammer can only send you e-mail if you have explicitly given him permission to do so in advance. This is the issue at the core of spam, because spam is by its very nature unsolicited: if the law requires explicit permission, then spam immediately becomes an illegal practice. More discussion on the form and effect of the E-Privacy directive can be found here.
Individual nations within the European Union are now obliged to implement the E-Privacy directive, although they have some latitude in the exact form of the legislation. Most EU members have now enacted legislation putting the directive into effect (a good summary can be found here).
Significantly, although probably not surprisingly, the U.K has chosen to take a slightly different path: it has enacted legislation that attempts to outlaw spam, but does so only for individual users: the effect of the legislation is to leave businesses still exposed to spam. Reaction to the U.K. legislation has been uniformly negative.
The EU Privacy Directive is fundamentally different from the U.S.A's CAN-SPAM act in a crucial form - it mandates opt-in permission systems. This puts the two largest consumer blocs in the world on a collision course when it comes to the issue of spam, and only time will tell what the final impact will be.