Remarks by Brad Smith, Microsoft Senior Vice President and General Counsel, and Jean-Philippe Courtois, Senior Vice President and Chief Executive Officer, Microsoft Europe, Middle East and Africa (EMEA)
Microsoft International News Conference to Discuss Spam
June 17, 2003
BRAD SMITH: Good morning. It’s a pleasure to welcome you here in Redmond, Washington, and a pleasure to welcome others who are participating by Web cast and from London and around the world.
My name is Brad Smith. I’m the senior vice president and general counsel for Microsoft. It’s a pleasure to be joined here today by one other person here and two people in London. Here we have Attorney General Christine Gregoire. General Gregoire is the chief law enforcement officer for the State of Washington, and she has been one of the leaders in this country in creating new legislation to help us fight spam.
We’re also joined by Jean-Philippe Courtois, who those of you can see on the right on the monitor in London. Jean-Philippe is President and CEO of Microsoft Europe, Middle East and Africa. He is joined in London by Iain Bourne. Mr. Bourne is the Strategic Policy Manager for the Information Commissioner’s Office in the United Kingdom. The Information Commissioner’s office is responsible for the regulation of data protection, or as people in the United States might call it, privacy, in the UK.
I’m pleased to be able to welcome you today and to share with you some of the things we’re here to talk about.
As I think all of you are aware, spam is a growing problem, and it’s a global problem. It is e-mail that’s unsolicited, that consumers never ask for, and increasingly it is e-mail that is deceptive, that is misleading, that is seeking to defraud consumers or people who work in businesses. It’s a global problem and it requires a global solution.
And it’s for that reason today that we at Microsoft are announcing that we have filed 15 lawsuits in the United States and in the United Kingdom. These lawsuits follow investigations that have literally traversed 34 borders, have taken place in 34 countries around the world. They have enabled us to assemble the evidence, to bring these cases against people who have sent over 2 billion illegal spam to users of MSN and Hotmail services.
We recognize here that spam is a big problem, and we need a coordinated partnership and a broad response if we’re going to be effective in addressing it. We believe that a multifaceted approach is needed: better technology tools to enable consumers to keep spam from getting to their computer screens, more collaboration among the industry leaders so that we have better partnerships among companies like Microsoft, AOL, Yahoo and Earthlink, more collaboration with regulators and people in government, and targeted enforcement against people who are breaking the law.
The types of steps that we’re announcing today are obviously an important step forward in the latter area.
We at Microsoft are ramping up our efforts to combat spam around the world. We have built up over the years extensive expertise among investigators and lawyers, expertise gained by fighting counterfeiting and piracy. We have personnel around the world engaged in those battles, and we are tapping that expertise and working with these people to fight spam as well.
One reason we’re able to announce these lawsuits today is because of the farsighted legislative approach here in the State of Washington. General Gregoire was one of the first attorneys general in the United States to recognize that spam was a problem that government needed to address. So Washington was only the second state in this country to enact an anti-spam statute. Twelve of our 15 lawsuits today are being brought under that statute, not necessarily against people who are sending spam from the state of Washington, but against people who are sending spam to consumers in the state of Washington and, of course, to other consumers around the world. Some of these people are located in other states, some of them have been using servers in other countries, but in either event the message is clear: If people are breaking the law, there is an effective recourse, and we and other industry leaders increasingly will work together to make that law effective.
So that in short is part of what we’re here to talk about today and it’s my pleasure now to introduce to you General Gregoire. General?
CHRISTINE GREGOIRE: Well, thank you, Brad, and thank you for bringing these actions today. I am pleased to support this announcement by Microsoft. Let me be clear that spam is no longer just an annoyance to consumers; it is threatening the credibility and the profitability of legitimate e-commerce. It is bringing pornography, phony get-rich-quick schemes, illegal pyramid scams, computer viruses and dubious health cures uninvited into our homes, and it is exposing our children to material that we frankly do not want our children to see. No wonder spam has rocketed to the number one position in our consumer complaint list.
We must get tough on spammers. We need an aggressive, sustained, comprehensive assault by industry, government and consumers to stop spam. Today’s lawsuits are exactly the kind of actions that we need to help put illegal spammers out of business.
Spam is at the top of our hit list for very good reasons: 45 percent of all e-mail is spam, 2.7 trillion spam messages are sent each year, 13 times the total of snail-mail delivered by our U.S. Postal Service. The average wired American is deluged by 2,200 spam messages each year, and that’s after ISPs have filtered out an estimated 80 to 90 percent. Some say that number would increase fivefold in the near future. It is estimated that spam costs legitimate businesses some US$9 billion a year in the United States.
It’s become obvious that our delete key will not solve this problem. It takes a multi-pronged approach of consumer education, legal enforcement of state laws, industry self-regulation and technical solutions to bring spam under control. We need to make life tough on spammers, just like they are doing to our families and businesses around the world. Spammers need to know that they may have to defend themselves in court with sizable legal judgments hanging over them if they lose. They need to be challenged by increasingly effective filters and other technological advances, and they need to face increasingly sophisticated consumers who are making it harder to get spammed.
Government cannot solve this problem alone. In an average month, we receive more than 1,600 complaints about spam. That is double what we received just one year ago. 130,000 junk e-mails are forwarded to the FTC on a daily basis by consumers.
Government can and must be a partner. In Washington, we have armed businesses and citizens with laws to take action. We have passed a tough law that makes spam illegal and we have successfully defended that law from legal challenges by spammers. We have provided the right of private action, which is the foundation of these Microsoft lawsuits, and hopefully many more lawsuit actions in the future. We ourselves have brought four successful lawsuits against spammers.
Finally, we are working to help consumers protect themselves by providing them with necessary education.
Microsoft’s lawsuits are a step forward in the fight against spam. I look forward to a continued partnership with business and consumers as we work to put an end to spam.
Thank you, Brad.
BRAD SMITH: Thank you, General Gregoire.
And at this point I’d like to turn it over to Jean-Philippe Courtois and Iain Bourne in London.
JEAN-PHILIPPE COURTOIS: Hi. Good morning, Brad, and good morning to all of you who have been flying from all over the world to be in London. It’s my pleasure to be with you this morning with Iain Bourne, here from the Information Commissioner Office in the UK.
What I’d like to share with you in the next few minutes is the approach we are taking in Europe today. We are announcing an anti-spam initiative across Europe. To be clear, this is the starting point because obviously as the time goes and as we do more products, we want to make standard to the other countries: the Middle East, Africa and the rest of the world.
How big is the problem? I think General Gregoire made a very good point, but to give you a sense in Europe, the estimate is about basically a cost of 2.5 billion Euros in terms of damage cost to the economy. This is roughly 50 percent of the e-mails being exchanged across all the countries and people and businesses, and this is basically a problem that gets bigger day after day.
So why do we need to fight and to basically mobilize ourselves against spam? I think number one, as you probably know, computing is a key priority for a company, and to us it means privacy, security, reliability and business ethics. In that sense, the anti-spam initiative is fully aligned with all major companies’ initiatives.
The second reason is basically if you don’t do anything, the Internet is not going to be any more a good place to do business, and Internet commerce is growing significantly for business-to-business, business-to-consumers, and we need now to eradicate or stop or slow down the pace of spam.
So what are we going to do? As Brad mentioned briefly, we’re going to take a four-pillared approach: technology, self-regulation, basically education and also regulation and enforcement.
Technology: We have a number of technologies we are using to basically stop and address the spam and junk e-mails that are attacking our Hotmail and MSN services across the world. We’ve been developing some filtering technologies on our servers and we’ve been acquiring some new technologies like Brightmail to make that even more effective. As a matter of fact, today we are stopping every day 2.5 billion e-mails on MSN, so that’s quite a big activity already going on. Moving forward we plan to increase the level of investment we are making again on those technologies and obviously to extend the partnership we have with some other companies.
The second approach is all about industry self-regulation. We support the establishment of a trusted authority around the globe, and we certainly support that initiative whenever it comes in Europe. And again, that’s the place where we need to work with the rest of the industry, those companies like Yahoo, AOL, but also all the local European providers that are very concerned by those basic spam initiatives.
So the third arena where there is a lot of work to be done on all sides is education, and today we are announcing a new Web site, MSN Spam Central Web site, which is going to be accessible by 44 million of MSN users in Europe, which is all about the basics for people, consumers at home and businesses to understand what do they need to do to protect themselves from spam, because there are some very early steps and things that people just don’t do today.
The fourth arena, which is key to us and today is an important date as well, is regulation and enforcement, and I must say that we are very supportive of public authority, data protection authority regulation, and in Europe, I must say there is a very solid framework, legal framework in Europe, an electric communications data protection initiative, which is being implemented in Europe in the next coming months. We do support that, and as a matter of fact today we are filing two court cases in the UK, which is the first country where it’s happening in Europe, of people who have been attacking our MSN or Hotmail services in Europe. And as we said before with Brad, this is a beginning of a bigger approach using again a combination of education, technology, industry partnerships and better protection authority enforcement.
So today I’m very pleased to embark on this very long journey, which is going to take a lot of time, and hand it over to Iain Bourne to talk about the specifics of the UK environment.
IAIN BOURNE: Okay, hi everyone, and first of all, it’s a great pleasure to take part in this initiative. This is certainly a problem that we take as seriously as you do, and it’s an enormous problem, spam. It’s a complicated one and it requires a seriously thought-out, multifaceted, strong approach.
And maybe I should explain first of all what the UK Data Protection Law is supposed to do. The Data Protection Law is supposed to protect information about individuals. This includes their e-mail addresses. And spam therefore is a data protection problem.
And this is an enormous problem for the regulators, and it’s a growing problem. We receive a huge number of complaints about spam from people who quite rightly wonder why their e-mail addresses have been compromised and why therefore their personal privacy has been compromised. We want something to be done about this.
It’s interesting that people actually do bother to complain about this. It’s not an academic issue. It’s not a technical legal point. It’s something that bothers people in the real world and that they want something to be done about.
I think in the sense of the wider picture, it certainly undermines the integrity of the Internet and all the things that we would like the Internet to be able to do. We would like people to trust the Internet. We would like people to trust its communications. We would like people to be able to feel they can do new things with the Internet, there can be electronic government and so forth.
We feel the whole issue of Internet communications has been tarnished by this, and as Christine said earlier, all sorts of horrendously inappropriate messages are being delivered in an unsolicited manner to individuals who do not want them and that is a data protection, a privacy problem.
The problem for us as regulators is this is enormously difficult for us to do anything about, and the scale of it is enormous and the technical issues are complex. And perhaps most important are the jurisdictional issues make it very, very hard for us as Ireland-UK to protect the citizens of the United Kingdom; it’s an international problem and most spam that we hear about we don’t think originates in the UK.
So what are we going to do? As we’ve said, we’ve got quite a strong legal framework in the UK, and indeed in Europe, but unless it’s actually enforced, unless we can actually catch people, it’s very difficult for us.
It’s not something that we as regulators can deal with on our own. We need the assistance of industry, and most importantly, we want an educated public who can deal with these problems themselves to a large extent. The problem is so big the regulators cannot deal with all of it. We want reliable tools that individuals can trust. We want somewhere they can go to download, et cetera, the tools that they need to protect them from the spammers. And in that sense, we certainly support Microsoft’s initiative today. It will certainly help us as regulators if such tools exist, and I think it’s a crucial time to be doing this. The problem, it seems to me, is if we don’t do something now, it’s going to be too late.
I’d like to turn it back now to Jean-Philippe, because I think he’s probably going to say more about Microsoft’s plans.
JEAN-PHILIPPE COURTOIS: Okay, thank you, Iain. I will be actually very brief. I’d like to thank Iain and the UK Data Protection Authority for showing this leadership, and I would expect frankly to see the same happening in many other European countries in the months to come, because this is a common issue all across Europe.
I’d like now to hand it over back to Brad for the end of this presentation.
BRAD SMITH: Great, and I’d like to invite General Gregoire to join me at the podium and open it up for questions and answers. Feel free to ask questions, feel free to direct your questions to any one of the four of us or to all four or us, if you’d like. And we’ll also take some questions from people on the phone, but we’ll start with people here in Redmond.
If you could speak into the microphone so the people in London can hear you.
QUESTION: I have two questions for Mr. Smith. You mentioned similar lawsuits in the UK and in the U.S. and you also mentioned 34 borders. Would you please elaborate?
And the second one is I’d like to confirm if all are civil cases and are criminal cases; would you please confirm?
BRAD SMITH: All 15 of the lawsuits that we’re announcing today are civil cases. Thirteen have been filed in the United States; 12 of those in Washington State and one in federal court in California, in Los Angeles. Two of the cases are being filed in the United Kingdom.
A number of the cases had a very international dimension. For example, the California case involved an individual in California who actually was using a server that was registered in Belize. One of the concerns that people have had is that people will move spam to computers in other countries to seek to evade the law. That was done in many of these instances. But the good news is that our investigators were able to track down the individuals who were involved and the computers that they were using, and we were able to reach them through this Washington State statute.
I think this kind of international coordination is a sign of things to come. Certainly, we at Microsoft will be continuing to expand our enforcement, and I think you’ll see us doing more on an international basis and bringing more cases in more countries around the world.
QUESTION: You said you are going to file more lawsuits in Europe. Can you elaborate on that and what countries that will possibly be?
BRAD SMITH: I think the short answer, and Jean-Philippe may want to add to this, but the short answer is wherever there are consumers that are being harmed by spam and wherever there are individuals who are engaging in illegal spam activity, we will move forward. In some cases, we may be able to rely on one statute, as we did in Washington State, where we were able to use this statute really to address this problem on a national basis. Similarly, in Europe, we may be able to rely on a UK provision, depending on the nature of the activity, or we may need to bring legal actions directly in other countries.
BRAD SMITH: Is there a question from here in Redmond?
QUESTION: I’m Roland from Germany. My question is the 15 cases: are those all you were able to track down or are these just like the bad cases, the worst cases?
BRAD SMITH: I think this is an important start for us, but it’s really only a starting point. We did focus on cases that were substantial and serious. They were substantial in magnitude. These 15 spammers sent over two billion spam to our users alone. They probably sent another three billion spam to users of other services, so that they were very substantial actors.
They were also engaged in activity that I think one would say is very serious. Most of what they were doing was really deceptive or in some cases designed to defraud consumers. One example is a spammer who sent many e-mails telling the recipient that they had a virus and that they needed to download some software to protect themselves from the virus when, in fact, these people never had a virus and, in fact, the software they downloaded did not protect them from the virus, but instead tracked their usage of the Internet.
Another example is someone who sent an e-mail that purported to come from a credit card company saying that the recipient was entitled to a credit card refund. But, in fact, when one opened the e-mail, it had nothing to do with a credit card refund. Instead, in some cases, it had to do with sort of a pyramid marketing scheme that was defrauding people, and in other cases it was seeking to sell people debt consolidation services.
So, as we’ve seen in many of these instances, and one of the things that we’ve seen public officials really pointing out to individuals, is you need to be alert, because unfortunately many of these people who are sending spam are not only sending e-mail that’s unsolicited; they’re sending e-mail that’s intended to deceive and defraud people.
CHRISTINE GREGOIRE: If I might just add to what Brad is saying, in at least one of the cases filed today, it’s a spammer teaching other spammers how to spam. In another one that’s filed today, it’s pretty hard-core pornography, that which parents absolutely do not want coming into their homes when they’ve got children present, and many adults don’t want it either.
So there’s a wide range of actions here, and they pretty much cover the waterfront of the kinds of complaints that we receive every single day from our consumers.
BRAD SMITH: I think we have a question on the phone, if I’m reading this right, and we’ll hear it.
JANELLE WINTER (KEX Radio): Okay, great. Could you provide some more detail about the losses that you found, and then who these people are, companies?
BRAD SMITH: Sure. In fact, we have a detailed fact sheet that you can read through that will give you a great deal of information about the cases, and the individuals involved. What I would say is, they fall into different categories. Many of the cases that we’re filing in Washington State relate to deceptive practices. They’re brought in part under Washington State’s very strong anti-spam statute. And they’re also brought under Washington State’s consumer protection statute. And in most cases, these were spam e-mails that have a subject line that was false, or it had an identification of the sender that was false, in addition to the specific examples that General Gregoire and I just gave you. Another example is people who spoof their identity. For example, in some cases they pretended that they were a Hotmail subscriber sending an e-mail to another Hotmail subscriber, and they were spoofing Hotmail in doing so.
The case in California involves not only deceptive practices, but it also involves a trademark violation because the person was using the Microsoft trademark in ways that were not permitted. The two cases in the United Kingdom involve what’s called harvesting. Basically, as Jean-Philippe Courtois and Ian Bourne were saying, these were attacks on the servers of our MSN and our Hotmail services by people seeking to connect to the server to identify e-mail names and accounts. They use automated tools to do this. They identify e-mail names that belong to people, they collect, or harvest, those names, then they use those to send spam to those people. And so those two cases are aimed at that activity, which is unlawful under UK law.
Another question from the phones?
BENNY FISHBERG (Wired News): In a couple of the Washington cases, particularly Rockingtime Holdings, Incorporated, of Miami, the allegations listed on the Web site in that case is that they sent a large volume of unsolicited e-mail to Hotmail accounts for various body enhancement products, and listing various domain names. I would like an explanation of how that is contrary to the law?
BRAD SMITH: In many cases, there was illegal spoofing, or misrepresentation, of who the sender of the e-mail was. And so, there was that kind of deception at work. In other instances — and I don’t frankly remember whether this particular case represents this, but we can check if you’re interested in that particular case — but in many of these, the subject line was misleading, which is also unlawful. Basically, one of the things, and General Gregoire can probably speak to this better than me, but one of the things that the law really addresses is people who are sending unsolicited e-mail in a manner that, in one form or another, is deceiving, misleading, or defrauding consumers.
CHRISTINE GREGOIRE: An example of that is the case in which we brought it because the subject line said “payment overdue” so consumers had no idea that it was spam. They actually thought that there was some problem with them in terms of their credit. So they opened it up, and of course found that it was nothing more than spam. And that’s an example of a deceptive subject line which is unauthorized under Washington State law.
QUESTION: If I may follow-up, in most of the cases listed here, there are clearly deceptive practices. The one that I’m asking about, the only allegation listed (Questioner interrupted by other questioner).
QUESTION: In terms of the lawsuits that you’ve brought, what sort of damages are you looking for, cease and desist, monetary damages? What are the specific, I guess, retaliatory steps that you’d like to take?
BRAD SMITH: Well, specifically, we’re seeking both of the things you mentioned, both injunctive relief that will result in a court order that will require these individuals or businesses to stop engaging in this kind of illegal activity. We’re also seeking monetary damages so that there is some real pain in people’s pocketbooks when they are engaging in this kind of illegal activity.
I don’t think I can give you a precise number, but we can probably give you something on some of the specific cases in terms of what we’re seeking.
MICHELLE ESTABAN (KOMO TV): Good morning. Michelle Estaban from KOMO TV. This question is for General Gregoire. What I would like to do in this story is not only report what happened today, but offer something to our viewers. You said that you can’t hit the delete key and rid yourself of this problem. What sort of advice would you give to them, what should they do besides just deleting spam? Should they contact your office?
CHRISTINE GREGOIRE: Well, clearly if they do get spam, they need to contact our office and the FTC. But the simple biggest piece of advice I could give consumers is protect your e-mail addresses. In other words, when you’re dealing with companies, make sure that that e-mail address is not going to be sent out to others. Make sure that they are availing themselves of their own personal remedies. In other words, they’ve got an ISP, as in Microsoft, who has a filter system that’s working and effective to 89 percent of the spam, that they can themselves purchase software to filter out more. I guess at the end of the day, the number one protection not only against spam but other kinds of problems — not the least of which is identity theft committed over the Internet — is for people to protect their e-mail address, and to make sure that it doesn’t fall into the hands of those who will misuse and abuse it, and allow it to be registered with spammers around the country and around the world, because volume simply increases with them every time they allow their e-mail address to get into the hands of someone who shouldn’t have it.
BRAD SMITH: A good point, or a good example of that, is there’s an easy trap for consumers to fall into. Many times you receive a spam, and it will say at the bottom of the e-mail, “If you want to be removed from this e-mail address, if you don’t want to get anymore e-mail from us, send us an e-mail back requesting that you be removed.” Unfortunately, that’s probably not the right thing to do. If you’re receiving an e-mail from someone and you have never had any contact with them, you have no reason to believe that they’re a reputable business. If it’s a name you don’t recognize, there’s a good chance that when you send your e-mail back to them, what you’re really doing is telling them that you’re a real person. They didn’t necessarily know that this was a real account that they were sending to. And in a way your actions can backfire because then you’re just on their list for their next e-mail.
QUESTION: Brad, can you give a few more details about the investigation, how you tracked down these spammers. Were you working with ISPs, with law enforcement? Were they with MSN or Hotmail, MSN or Hotmail users?
BRAD SMITH: I think the short answer is all of the above, but let me give you a few examples of the way these investigations have tended to work.
One of the interesting things about spam is that every spam e-mail has many things that are false. Usually there’s one piece of the e-mail that’s true. It may be the person’s e-mail address, or it may be something that can be discerned about the location of their server.
And what our investigators need to do is start with that piece of e-mail, and start going through it and look through each aspect, and they’ll eventually determine which piece of information actually is true. And that one true fact is, if you will, a thread that they can start to pull on, and they can start to trace things backwards. They can follow e-mail across servers to eventually get to the place where it started.
Another thing that is often useful is you can, as we say, follow the money. A lot of spam that is being sent is being sent to sell a product or service, and what in effect spammers are doing is they’re going to legitimate businesses, often times smaller businesses, and offering to send literally millions of spam on behalf of that business. We can go back to that business, talk to the business and find out who they entered into the contract with. Once we do that, that is another way to get to the source.
Ultimately, this is not all that different in one respect from the anti-counterfeiting work that we’ve done over the years. People who do this type of thing use the Internet, and they seek to cover their tracks. They seek to conceal their identity. And a lot of the work that we’ve done in partnership with law enforcement agencies and of a lot of the expertise that we’ve built up by hiring, for example, former investigators from the FBI or Scotland Yard or elsewhere, is readily applicable, and it enables us to follow the thread, if you will, and pull on it until we get to the source of the spam.
ERIC HASSELDALL (Forbes): Yeah, I wanted to ask quickly about Microsoft’s view on how spam should be regulated at the federal level. There’s been a lot of talk about federal legislation. Do you, for example, see the Washington State legislation as a potential model for federal legislation, or is any legislation needed at the federal level? Can the private sector deal with this problem through innovation?
BRAD SMITH: I think our view is you really need strong public action, hence strong action from the private sector. We need strong laws, like the law we have here in Washington State. There are 27 states in the U.S. out of our 50 states that have now good laws. Washington was the second and was one of the real leaders.
We do believe as a company that the time has come for federal legislation as well. The federal legislation needs to be based on a few key principles. First, it needs to have strong penalties and strong enforcement, and it needs to empower our state attorneys general and private ISPs — Internet Service Providers like Microsoft — to bring cases like we are today to enforce the law.
We’re going to need a continuing partnership between the Federal Trade Commission and the state attorneys general and the private sector on enforcement.
Second, we do need federal laws that make clear that bad acts are indeed criminal acts, that the kind of deceptive practices — fraudulent practices — that are taking place through spam are illegal under federal law.
And third and finally, we think that it makes sense for the law to in effect give an incentive for the private sector to keep moving farther. Spam is going to continue to evolve. Technology is going to continue to evolve. We cannot lock in legislatively a single solution.
And so, for example, we have supported federal law that would give incentives for Internet Service Providers to engage in self-regulatory steps that would go above and beyond the law and aim for an even higher standard and to continue to adapt in a rapid way as the problem itself continues to change.
CHRISTINE GREGOIRE: Can I add?
BRAD SMITH: Sure.
CHRISTINE GREGOIRE: I would agree with everything that Brad has said. I would just emphasize two things with respect to the federal legislation that’s currently pending, and that is at the end of the day, this is all about economics. This is about making it more costly for those who want to spam us to do so than it is for what they get in return for what they’re doing now. So any legislation has to make it more costly, tough penalties. It’s all about ensuring that the economics of this goes on the consumer and the ISP side, not on the spammer’s side.
And secondly, one of my other concerns about the federal legislation that I’ve seen pending today before Congress is if they are not careful, they are going to hamper the ability of ISPs to develop technology that really is the ultimate solution, I think, for this problem. So any legislation cannot be standstill legislation; it’s got to be visionary and allow the ISPs to develop the necessary technology to help solve it.
Again, this is an issue where I think it’s a partnership: it’s technology by the ISPs and their enforcement, federal and state legislation, and a state that’s not preempted, and the ability of the private consumer to have a private right of action that is also not present in most of the federal legislation. And only if we have that kind of vision of partnership are we going to be successful in changing the economy, so that spammers get out of the business.
MIGUEL HELF (San Jose Mercury News): Hi, this is a question for Brad, and it follows with what the attorney general was just speaking about, the suits filed today are based on existing laws, but many of the anti-spam activists believe that the current laws are not strong enough, and many believe that a total ban is necessary. And that’s defined as any unsolicited commercial e-mail, whether it’s deceptive or not. Such a ban is being proposed in California, and Microsoft has opposed it. Is Microsoft ready to support that bill, and if you can’t speak about that bill specifically, can you say whether Microsoft would support on all commercial e-mails that haven’t been solicited?
BRAD SMITH: We do believe that there is a need for stronger laws. We also believe that in creating stronger laws, it’s important that we not stifle opportunities for new businesses. And there’s a lot of catalogue-based companies, for example, Lands End is a good example of a company that many consumers in this country that, frankly, never would have been able to bring its economics or benefits to consumers without the ability to send things to people. So there needs to be clear rules of the road for commercial e-mail. We don’t think that the rules should be that commercial e-mail cannot be sent. We think that the rule for commercial e-mail needs to be that a responsible company needs to give people a basis or ability to opt out of it, so that they can stop getting it if they want. There also needs to be a clear principle that makes sure that it’s not sent on an unsolicited basis, meaning in an environment where either people never asked for it, or where there’s no preexisting business relationship.
But, we would say if there is a business relationship, and as long as people create an opportunity for consumers to opt out, then it should be permissible for people to send e-mail. I’ll give you an example. If a bank really did have a new service, a better online bill payment feature, or there really was a credit card refund, I think most people would agree that it would be appropriate for the bank, and would be beneficial for the consumer, to receive that e-mail. If we at Microsoft have a new security feature that is available for downloading, we may have a relationship with people where they have registered with us, and we have a preexisting business relationship, and it may make sense to send them an e-mail to let them know that that security patch is available. So I don’t think we should throw the baby out with the bath water just because there’s a lot of bath water here. We have a big problem to solve, but let’s not go beyond the problem itself.
QUESTION: I have two questions. First of all, does the Washington State provision also address spammers outside of Washington State and outside the U.S?
And my question for Jean-Philippe, which countries in Europe do you see are having a very advanced policy for fighting anti-spam, apart from the U.K.?
CHRISTINE GREGOIRE: I’ll go first, Jean-Philippe.
Yes, Washington State law provides that any spam that comes into a Washington consumer, from wherever the source, is subject to regulation in our state. So in this instance, all of the cases that were brought under Washington State law because a Washington consumer was harmed. So it doesn’t matter the origin, whether it’s U.S. or otherwise. That’s not to say there aren’t challenges for us to enforce in foreign countries. But, yes, under Washington State law, once you harm a consumer in our state, we have authority under our state statute.
QUESTION: Being a Washington State consumer, I live in California
CHRISTINE GREGOIRE: When you as a consumer in Washington State receive an unsolicited spam, then assuming that it meets the criteria of our statute, that it’s not only deceptive, or the origin is deceptive, then that’s when we have jurisdiction to bring an action, which is the instance in the cases that Microsoft has brought under Washington State law. That means that Washington State consumer received some sort of spam that met our criteria under our state statute.
BRAD SMITH: Yes, our cases in Washington State are based on a connection to e-mail accounts and consumers in Washington State, and not just to the co-location of our servers.
I’m sorry, Jean-Philippe.
JEAN-PHILIPPE COURTOIS: I was just going to make an additional comment for Europe, I don’t think we see any countries at the top of the pack in leading the movement. But, I would say that the adoption of the E.U. Electronic Communication Data Protection Initiative, which is happening now in many of the countries in the next coming months, is going to be a trigger to activate a number of legal actions. And I know that as we’ve been talking to some of the data protection authorities in Germany, in France and in Brussels, across Europe, there is a very strong interest in bringing forth this matter in the coming months.
BRAD SMITH: Okay. One last question from the phone, and then we’ll have one last question from the room.
JOE MENNEN (Los Angeles Times): Thanks. Christine, you said that Washington State has been successful in bringing four previous anti-spam suits. To what degree were they successful? Were you able to get these people off the net, were you able to recover any damages, and what realistically are the prospects in the new private actions to actually stop these guys? I mean, a lot of them are still John Does. What kind of a real punishment are you going to be able to bring? I guess that one is for Brad.
CHRISTINE GREGOIRE: Well, with respect to the actions that we brought, yes, we did shut them down. That is first and foremost our objective.
Secondly, in the case that was the leading case, the Heckel case that actually reached the United States Supreme Court the Court has ordered restitution, attorney’s fees and costs in excess of $98,000.
And be mindful that in that particular instance that individual also incurred considerable legal costs for fighting it all the way through the state Supreme Court up to the United States Supreme Court.
Again, that reinforces the message I was trying to give earlier: it’s about economics, about making it more costly to spam consumers than it is for them to do what they’re doing.
The bottom line is I don’t want to over-promise. The fact of the matter is if the only tool in the toolbox is for a state Attorney General to bring an action, we will lose this war. The only way that we will be successful is the kind of partnership that we’re seeing today with Microsoft as an ISP, and the other ISPs that are bringing action, as well as an educated consumer group. And once we are able to achieve that partnership, coupled with tough laws, like what we have in Washington State, then I think we will be able to prevail.
We had one piece of legislation to update ours this year. The concern that came was whether the private right of action could be brought in a district court, which is much more friendlier to a consumer, and we were able to clarify that under Washington State law, thus allowing private consumers to bring their own action.
Sometimes that’s not plausible for the consumer, but at least it’s a vehicle, another tool in the toolbox. We’re trying to make sure we’ve got all tools available, and thus far we’ve been successful. But we really are looking to a partnership to make it overall successful to deal with the problem.
You know, let me back up and say with respect to the pornography issue, some 20 percent of spam is where we’re getting pornography from. That’s coming into the homes of families who don’t want to see that sort of thing in their home for their children, let alone for themselves. Ninety percent of the viruses are passed on by spam. So it’s not just a nuisance; it’s a huge cost to business, a cost and an annoyance to consumers, but it also is huge in its cost in terms of the social price that it’s paying by bringing pornography into homes and also creating this problem with respect to viruses.
So we really take it very seriously, and have partnered with the FTC and are one of the major partners on a national level with them to make sure that we’re not left alone as a law enforcement agency, that the FTC is equally aggressive. We participated in a three-day panel in Washington, DC and again what came out is partnership and partnership again.
BRAD SMITH: And, Joe, just to answer the other part of your question, I think one of the really encouraging signs is that we are making very good progress on the investigative front. If at the end of the day we had strong laws and even better tools, but people could evade them and avoid detection, it would be very hard to be optimistic about where we go looking forward.
But most of these cases are against identified and named individuals and businesses, and even in the other cases that we brought previously against John Does — meaning anonymous people we hadn’t yet identified who it was — we were able to file the lawsuit, get a subpoena and use the subpoena power to then get the information to identify who was, in fact, involved here.
I would just really echo what both Jean-Philippe and General Gregoire were saying. I think we’re going to continue to see this move forward on the basis of collaboration, and I think there’s going to be more international coordination as the months go forward, and I think that we will see some measurable progress in the next 12 months.
I don’t think that the war will be over in 12 months, but I think we will see some measurable progress and we’ll see it precisely because of the combination of efforts that will, as General Gregoire put it, change the economics of sending spam.
One last question from inside the room. Okay, we can take one last call from the phone I guess. Oh, wait, sorry, there is one last question in the room.
QUESTION: (In progress) — investigative force in further detail, who was involved, its funding and whether in any way this represents Microsoft effectively forming a policing force for the Internet?
BRAD SMITH: Well, to start with the latter point first, I mean no private company in the United States or anywhere in the world is its own police force. Private companies and private individuals have certain rights under the law and there are certain rights and powers they don’t have that are reserved for regulatory agencies, for law enforcement officials and for the government.
But nonetheless, it certainly is possible for private entities both to use information that is publicly available and to work with law enforcement agencies to follow the money or pull on the thread and obtain information.
In our case as a company, we have over the years built up a substantial group of people, roughly 25 or so investigators, in the United States and around the world, people who have always come to us from important enforcement positions in government. A typical example is the FBI here in the United States or a similar agency overseas, and so these people are expert in technology. We have one investigator here, Stirling McBride, who was very involved in these issues, and more and more we’re turning to our investigators to help look at these e-mails, figure out what’s true and what’s false, work with law enforcement to then do what it takes in an appropriate and legal way so that it is possible to bring litigation and enforce our rights and those of our users and our consumers.
All right, well with that, I’d like to thank you very much for joining us today, and on behalf I know of Jean-Philippe and Iain Bourne in London, it’s a pleasure for us to either host you in Redmond or on the phone or over the Web.