Exclusive: PayPal Under Investigation For Spam
Monday, 15 August 2011
The ACMA has today initiated an investigation into PayPal for repeated and systematic violation of Australia's anti-spam laws, in a move which could cost the company A$1.1 million a day.
PayPal is one of the biggest online companies, and it's not clear whether the investigation and potential penalties will affect its share price.
Under the Spam Act 2003 it is illegal to send, or cause to be sent, unsolicited commercial electronic messages. The Act covers email, instant messaging, SMS and MMS (text and image-based mobile phone messaging) of a commercial nature.
Spam is a generic term used to describe electronic 'junk mail' – unwanted messages sent to a person's email account.
Spam emails swamp a user's email account, making it hard to find legitimate emails, and reduce the usability of email. They can also deny the owner of the email address access to their email account in a kind of denial-of-service attack, by sending so many emails and attachments that the user can't download their email.
The ACMA is responsible for enforcing the Spam Act in Australia and actively works to fight spam. The ACMA plays an important role in e-Security in Australia, gathering evidence and assisting in protecting Australians from computer fraud and identity theft.
The law requires senders of commercial email to comply with three key points:
The message must be sent with the recipient's consent. The recipient may give express consent, or under certain circumstances consent may be inferred from their conduct or from existing business or other relationships. The guidance makes it clear that consent by a third party is not acceptable unless they have access to the email account that the sender is targeting.
The message must contain accurate information about the person or organisation that authorised the sending of the message and how to contact them.
The message must contain a functional 'unsubscribe' facility to allow the recipient to opt out from receiving messages from that source in the future.
Unsubscribe requests must be honoured within five working days.
PayPal is being investigated for failing to meet all three points, as their unsolicited emails contain no unsubscribe option, they do not accept email replies, and they provide no details as to how to contact them to stop future emails.
The most serious issue, though, is that they send the emails without consent in the first place. As a matter of policy PayPal don't verify email addresses or seek consent before using them for repeated mailing. They are required to do so under Australian and European law, and have been asked to change their system at least a half dozen times over the last few years and have refused to do so.
PayPal has confirmed that they send email to any email account registered by one of their users, regardless of whether that user has control over the email account. This is a direct breach of the law in Europe and Australia. Standard practice is to send an email to the address to seek confirmation of consent to receive emails, but PayPal do not do this.
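The confirmation step described above, as an added example in Python that is not from the original article or from PayPal: an address receives only a single confirmation message until the mailbox owner returns a signed, expiring token. The `Mailer` class, the secret, the sample identifiers and the 24-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients
TOKEN_TTL = 24 * 3600              # assumption: confirmation links expire after 24 hours


def _sign(account_id, email, expiry):
    msg = f"{account_id}|{email.lower()}|{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(account_id, email, now=None):
    """Return 'expiry.signature' binding this account to this exact address."""
    expiry = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expiry}.{_sign(account_id, email, expiry)}"


def token_valid(account_id, email, token, now=None):
    """True only for an unexpired token issued for this account/address pair."""
    try:
        expiry_s, sig = token.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False
    expected = _sign(account_id, email, expiry)
    now = time.time() if now is None else now
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    return hmac.compare_digest(sig.encode(), expected.encode()) and now <= expiry


class Mailer:
    """Hypothetical outbound gate: unconfirmed addresses get one confirmation only."""

    def __init__(self):
        self.verified = set()   # (account_id, email) pairs confirmed by the mailbox owner
        self.outbox = []        # (email, kind) tuples, standing in for real delivery

    def register(self, account_id, email, now=None):
        # The only message an unconfirmed address receives; it carries no account details.
        self.outbox.append((email, "confirm"))
        return make_token(account_id, email, now)

    def confirm(self, account_id, email, token, now=None):
        ok = token_valid(account_id, email, token, now)
        if ok:
            self.verified.add((account_id, email.lower()))
        return ok

    def send(self, account_id, email, kind):
        # Refuse every other message until the mailbox owner has confirmed.
        if (account_id, email.lower()) not in self.verified:
            return False
        self.outbox.append((email, kind))
        return True
```

Because the token is bound to both the account and the address, a token issued for one account cannot confirm the same address on another.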
Although some people set up PayPal accounts using someone else's email address by accident, others have started taking advantage of PayPal's no-consent policy to harass people by creating accounts purely to direct unwanted email to the email address owner.
Even where it is an honest mistake, for PayPal to then use that email address is illegal, and, if the recipient wants to, they can gain total access to that PayPal account and make or receive payments in someone else's name. This raised concerns over the security of PayPal accounts earlier this year. However, PayPal have claimed that the email has to be verified before bank accounts can be associated with the account. This has not been tested.
What is clear, though, is that PayPal discloses personal information, including name and address, of the original account holder to the email address owner, which may be a breach of data protection law. The ability to make or receive payments in someone else's name and across territories also opens up the possibility of money laundering and tax evasion.
When asked to comment, PayPal issued the statement, "Our system prohibits the sending of emails to any address other than the primary email address of record on the account." However, they did not respond on the key points of their failure to verify the primary email account and obtain consent.