Public Consultation On Draft Resolution to Issue Anti-SPAM Regulations

Transcription

1 Public Consultation On Draft Resolution to Issue Anti-SPAM Regulations

2 Contents Chapter One Introduction Chapter Two Consultation Process Chapter Three Key Principles for Anti-SPAM Draft Regulations Chapter Four Anti-SPAM Legislative Framework. 4.1 Consent Explicit Consent - (Opt-In) Assumed Consent 4.2 Technology Neutral Approach 4.3 Content of SPAM 4.4 Bulk or Single Message 4.5 Defining Criteria of SPAM 4.6 Criteria for Legitimate Commercial Messaging 4.7 Enforcement 4.8 Dictionary Attacks and Address Harvesting Software

3 4.9 Privacy 4.10 Licensees Obligations 4.11 Limitation of Liability 4.12 Right of Compensation 4.13 Complaints and SPAM Reporting 4.14 Sanctions Chapter Five Definitions

4 Chapter One Introduction Privacy is one of the most important rights for every human being and it is the most sanctified right because of the meanings it carries and the repercussions it would have when this right is violated which would result in a negative influence on him and his family. The right to privacy is as important as the right of liberty or life, a right born with the birth of the human and this was the importance of protecting and defending its sanctity. Modern technology and the Internet have helped create a global village, which allowed humans to discover all that is new which bridged the distances and overcame the challenges. As much as those changes created positive effects, we cannot hide that they formed the elements that human used to violate and damage the rights of others. Besides, humans excelled in the creation of the means of infringement to the extent that they surprised themselves, therefore a number of cyber crimes have emerged such as stealing personal information and data, breaching regulations, hacking websites and credit card theft and forgery. Among the abuses that occurred frequently in the recent years are the unwanted messages that emerged as a kind of commercial and advertising messages. Such messages developed later to provide fraud content that intended to harm the network carrier or the inbox of the recipient. Since those s addressed all groups in society and received amazing responses, the senders saw a stunning gold mine in those s and a valuable opportunity for huge profits at the lowest cost and efforts. Hence it was necessary to society, represented by the public authorities, to address this new threat and protect its members and their interests from the risk of the messages that appear to be safe and normal messages but they carry many risks. Therefore, the TRA considered the importance of legal protection through issuing a legislation that will combat those SPAM messages so that this legislation is the first step in an integrated construction to achieve a number of objectives including: 1. Protect the privacy of individuals. 2. Reduce the transmission of SPAM. 3. Enhance the confidence of individuals in businesses and e-services. 4. Ensure easy exchange of messages that take place in a situation of good intentions.

5 5. Ensure that businesses with media, cultural, service and commerce products are able to continue using electronic messaging service as an effective means to promote products and services and to communicate with their customers. 6. Protect telecommunications networks and the quality of telecommunications services. This document presents the key principles proposed to be used in the draft resolution on the anti-spam legislation. It is a summary of several studies that have been conducted in the TRA by comparing a number of international legislations for some sisterly and friendly countries, including, for example, Saudi Arabia and the Hashemite Kingdom of Jordan, Australia, the United States, Singapore and Canada. Moreover, detailed review of some frameworks recommended by international bodies such as Organization for Economic Cooperation and Development (OECD), ITU and London Action Plan.

6 Chapter Two: Consultation Process The TRA invites all members of the public, whether in Oman or abroad, including private individuals, organizations, institutions, commercial entities, associations and others to participate in this consultation process on draft resolution to issue anti-spam Regulations. The objective of this consultation process is to provide all interested parties with the opportunity to participate in providing comments to the TRA on the draft resolution before taking the necessary measures to issue the resolution in accordance with the norms accepted in the Sultanate. Therefore, the draft resolution on combating spam will be published for public consultation. The TRA invites interested parties to provide detailed comments on the Resolution annexed hereto. The comments should be supported to the extent possible with relevant rationale, justifications, data, benchmarks and analysis. In providing the comments, you are kindly requested, to indicate the chapter and section number in the document to which their comments relate. The parties providing the comments are also kindly requested to specify contact details including the name, address and phone numbers. The consultation document and any responses to it are not binding to the TRA. All responses are the property of the TRA. Responses and comments to this Public Consultation should be submitted to the TRA (in Microsoft Word format) not after 25/07/2012 to either one of the following addresses: 1. to: 2. Delivery (hard and electronic copy) by hand to the TRA at 2 nd floor, Oman Oil Building, next to Muscat International School, Al-Qurum, or by post to the following address: Telecommunication Regulatory Authority (TRA) Legal Affairs Unit P.O. Box 579, Ruwi, P.C Sultanate of Oman.

7 Chapter Three Key Principles for Anti-SPAM Draft Regulations A list of the key principles that require your comments could be summarized in the table below. The participants are kindly requested review the listing below and send their comments, if any, to the TRA by following the mechanism explained in the previous Chapter. For further information, participants can refer to the sections referred to in the last column of the table (Detailed Information Available Under): Detailed Information Available Under Consent Principle TRA will adopt a key principle to regulate combating SPAM which is the principle of "Explicit Consent" in the sense that the disapproval of the recipient or the addressee to receive the correspondence is by default, as such the exchange of electronic messages between the two parties will be enabled upon the explicit consent of the recipient. Detailed Information Available Under Technology Neutral Approach Content of SPAM The second principle, which represents an exception, is the principle of "Assumed Consent", meaning that there is no need for an explicit permission in the case of previous relationships that naturally show no objection on the part of the recipient. The definition of the technology used to send SPAM will not be based on identifying a particular technology, but on a technology neutral approach that is independent from technologies being used. The definition of SPAM will include one of the following characteristics: Commercial or advertising Messages sent without prior consent. Misleading or harmful messages. Unsolicited and objectionable Bulk or Single The definition of SPAM will be based on the

8 Message Defining Criteria of SPAM Criteria for Legitimate Commercial Messaging transmission of a single message that meets the characteristics mentioned above. Evidence shows repetitive transmissions is not required. Based on the previous principles, the defining criteria of SPAM will include: 1. A commercial or advertising message sent without prior consent or request of the recipient. 2. A misleading or harmful message. 3. A message constantly sent by the sender to the recipient who has a relation with the sender, or who has made his electronic address available to the public, and who has expressly requested the sender to refrain from sending it. The TRA will adopt the following criteria to define the legitimate commercial messaging: a. Obtain the explicit prior consent of the recipient. b. Include a message header indicating the essence of the content and add the word commercial or ad to the header. The title and the two words: commercial or ad or any indication thereupon shall be in the same language of the message text. c. Include the sender s name or the name of the person on whose behalf the message has been sent in a manner that is accurate, clear and not misleading, in addition to the electronic addresses of both and any information of their identities. d. Give cost details of sending a message or any other information relating to rates that may affect a choice decision on promotions. e. Refrain from sending messages during times and days commonly recognized as rest times and days. f. Ensure that the message contains a simple,

9 Enforcement Dictionary Attacks and Address Harvesting Software Privacy Licensees Obligations efficient and free means to cancel the consent of the transmission of such messages. g. Send the advertising or commercial messages to the suitable age group on promotions. h. Ensure that the size of the message does not exceed 1 MB and that it does not contain software or links to make unauthorized phone calls if it is sent by . The Anti-SPAM Regulations will apply to a message originating within, sent to or from Oman, or a message whose sender is proved to be working or 4.7 residing in Oman, or that his head quarters or any of his branches is in Oman It is impermissible to use, help or incite others to use software that help or facilitate the sending of SPAM such as Address Harvesting and Dictionary Attacks. 4.8 In addition to the obligations contained in the Resolution No.113/2009 on issuing Regulations on Protection of the Confidentiality and Privacy of Beneficiary Data, the sender of advertising and commercial messages shall maintain the confidentiality and privacy of whatever data he has obtained from the recipient, and shall not sell, publish, distribute, exchange with others or misuse or otherwise use such data in purposes other than the ones for which the data was compiled. For the purpose of combating and curbing SPAM or any other doubtful messages, the Licensee shall: a. Ensure that the sender obtains the prior explicit consent of the recipient if the Licensee sends advertising and commercial messages on behalf of any person. b. Use software, services or tools necessary to combat, curb or cease such messages. c. Establish a database containing the content of all the advertising and commercial messages

10 sent on behalf of any person, details of their information, electronic addresses of recipients, approvals and requests based on which the sending took place and its date. This information should be maintained for at least six months from the date of sending. d. Cease to send all the commercial and advertising messages that are sent on behalf of any person if so requested by the recipient. The licensee shall cease to send messages within one working day from the date of sending the request. e. Stipulate clearly in any agreement made between the licensee and any other person for the purpose of offering promotion and advertising services via commercial or advertising messages that the provisions of these Regulations shall be adhered to as well as the penalties imposed in the event of breach including the annulment of the agreement if the breach is repeated. f. Cooperate with the others operating in the ICT sector to lay down standard rules and procedures to control SPAM. This should include investigation into users complaints and the measures taken against offenders and a method to establish a unified list of offenders names and their data to be approved by the Authority before its enforcement. g. Design awareness and educational programs for the users of telecommunications services to control SPAM. h. Prepare guidelines to use telecommunications services and make them available to users. These should include the requirements, provisions and rules set out in the Act and its Executive Regulation and the other decisions issued in implementation thereof particularly

11 Limitation of Criminal and Civil Liability Right of Compensation Complaints and SPAM Reporting Sanctions the provisions of these Regulations such as the conditions and requirements to send commercial and advertising messages and the penalties to be imposed for breaching these Regulations and the other rules and guidelines approved by the Authority. i. Provide a simple and efficient means to all users of telecommunications services to enable them to file complaints or report any SPAM sent or any breach of the provisions of these measures. The licensee shall follow the investigation procedures set out in clause (f). j. Prepare reports, at the request of the Authority, on the procedures taken to meet their obligations as set out in these measures, in addition to an annual report on the number of SPAM messages sent from and to systems and networks of each licensee and the number of complaints received and the action taken in their respect and the other relevant data and information. k. Carry out any other works as requested by the Authority. The sender of SPAM messages and the beneficiary from the transmission or the promotion while being aware of that will be held liable, as well as any individual or organization that deals or makes available systems and software that help in the sending of SPAM or Address Harvesting and Dictionary Attacks. Any person affected by SPAM in any way or means may seek legal recourse. The Authority may look into any complaint received in respect of violating the provisions of these Regulations Notwithstanding any penalties, fines or legal proceedings set out in the Telecommunications Regulatory Act or the regulations and decisions issued in implementation thereof, the Authority may after

12 having proof that the violation has taken place take any of the following steps: 1- Caution the offender. 2- Instruct the licensee to disconnect the service of the violating subscriber. 3- Impose a financial penalty not less than RO 1,000 for each violation. 4- Take any other action as it deems appropriate. In addition, the TRA would like to receive your inputs on the translation of the SPAM term to Arabic. Please refer to the Arabic document for more details.

13 Chapter Four Anti-SPAM Legislative Framework. The most important provisions in the Draft Resolution to Issue Anti-SPAM Regulations are as follows: 4.1 Consent There are different types of consents that relate to transmission of messages, explicit (opt-in), implicit (opt-out) and assumed consent. The Authority will adopt two types of consents: Explicit Consent - (Opt-In) As a general rule, explicit consent will be required for the transmission of messages, thus the sender requires an explicit consent from the recipient or the addressee before sending him a message Based on most international experiences on the consents to send messages, the dominant trend is the adoption of Explicit Consent (Opt-in) due to the protection it provides for individual privacy and the protection of their right to only receive messages that they gave their prior permission to receive. The adoption of this trend will increase the number of legal commercial and advertising messages being sent and will increase their use among individuals. Such trend will be accepted by the public because the messages will only be sent to individuals who have opted-in. In addition, this trend will require the sender to carry the burden of demonstrating evidence for obtaining the prior consent of the recipient and not vice versa Assumed Consent As an exception to the general rule which is the adoption of Explicit Consent (Opt-In), Assumed Consent will be adopted in the case of pre-existing relationships between parties or for who have made his electronic address available to the public or to a specific group for the purpose of communication.

14 This type of consent will be applied for the following cases: When the parties have pre-existing relationships such as the employeremployee relationship or the relationship between hospitals, schools or universities and their visitors. When the recipients make their electronic address available to the public by any means such as publication in newspapers, telephone directory or internet, for the purpose of communicating with the public at large or with a specific group. This is due to the circumstances surrounding the relationship between the sender and the recipient in the first case that may necessitate the need to exchange messages between the two parties. This is also applied for the second case whereas the consent of individuals to publish their electronic address in the newspapers, telephone directory or the internet is considered an assumed consent of them to receive messages from the public. However, the text in the Regulations protects their right through enabling them to express explicitly their desire not to communicate with a specific person, and if the sender continues to send further messages with the explicit rejection by the addressee (the recipient), such messages turn to be SPAM rather than legal messages. 4.2 Technology Neutral Approach The definition of SPAM will be technology neutral There are unlimited messaging technologies used to send SPAM and it is not possible to predict the technologies that may emerge in the future or the advancement level that may occur to the current technologies. Therefore, if we specify the technologies that are currently in use to send these messages such as internet, SMS, MMS, Bluetooth, fax, etc, then it will be difficult to include other technologies that may emerge in the future to apply the provisions of the Regulations. Based on this, the Authority has chosen to follow the technology-neutral approach to combat SPAM.

15 4.3 Content of SPAM The definition of SPAM will only include one of the following characteristics: 1. A commercial or advertising message sent without the prior consent or request of the recipient. 2. A misleading or harmful message. 3. A message constantly sent by the sender to the recipient who has a relation with the sender, or who has made his electronic address available to the public or to a specific group, and who has explicitly requested the sender to stop sending it. The definition of SPAM will apply to the following: Messages that are commercial or advertising in nature such as those promoting products or services directly or indirectly and sent without the prior consent or request of the recipient. Misleading or harmful messages that may contain viruses or those that are fraudulent or contain false content. Messages sent to a person who has explicitly requested the sender to stop sending it, either the recipient has a relation with the sender or has made his electronic address available to the public or to a specific group through publication in newspapers, telephone directory or internet or any other publication means. 4.4 Bulk or Single Message The definition of SPAM will be based on the transmission of a single message without the prior consent of the recipient. A number of international experiences distinguished between the number of messages sent during a specific period of time and defined messages as SPAM when they exceed a certain number during a specified period of time, for example, USA and Singapore stipulated in their definition for SPAM that the defining criteria include sending more than 100 messages in bulk of the same or similar subject within 24 hours or sending more than 100 messages of the same or similar subject within 30 days, or more than message of the same or similar subject in one year. At the same time, some other experiments, stipulate that even a single unsolicited message can be considered to be SPAM regardless of the number

16 of messages. The Authority has adopted the second opinion for a number of reasons, including: It is difficult for the recipient to know or prove the number of messages that the sender has sent, and thus difficult to prove that the message sent was a SPAM. The defining criteria in the first opinion will be a legal loophole for senders, as they will send less than the specified number by one or two messages so as to avoid meeting the defining criteria of SPAM, such as sending 90 messages in 24 hours instead of 100 messages and therefore the text will not apply to them. Sending a single SPAM creates the same problems and challenges as sending more than one message 4.5 Defining Criteria of SPAM The defining criteria of SPAM are as follows: 1. A commercial or advertising message sent without prior consent or request of the recipient. 2. A misleading or harmful message. 3. A message constantly sent by the sender to the recipient who has a relation with the sender, or who has made his electronic address available to the public or to a specific group, and who has expressly requested the sender to refrain from sending it. That sent through various communication modes including SMS, , fax, Bluetooth and other types of media The above criteria will simplify the identification and distinction between SPAM and other legitimate messaging, whether the defining criteria apply to a set of messages sent in bulk or to a single message, and regardless of the type of technology used to send the message either by an , SMS, MMS, fax, Bluetooth or through any other communication technology that is currently in use or will appear in the future.

17 4.6 Criteria for Legitimate Commercial Messaging The defining criteria of legitimate commercial messaging are as follows: a. Explicit prior consent of the recipient. b. Containing a message header indicating the essence of the content and adding the word commercial or ad to the header. c. Including the sender s name or the name of the person on whose behalf the message has been sent in a manner that is accurate, clear and not misleading, in addition to the electronic addresses of both and any information of their identities. d. Giving cost details of sending a message or any other information relating to rates that may affect a choice decision on promotions. e. Containing an obvious, clear and efficient means in the same language and similar to the method by which the message is sent, so as to enable the recipient to: 1. Contact the sender directly. This means must be valid for at least 30 days from the date of sending the message. 2. Cease or request to cease the transmission of such messages. The sender must cease to send any messages to the requesting recipient within 2 working days from the date of the request. f. Sending the advertising or commercial messages to the suitable age group on promotions. g. Ensuring that the size of the message does not exceed 1 MB and that it does not contain software or links to make unauthorized phone calls if it is sent by . It is important to provide means of communication for all and for all purposes- among which is the commercial purpose. In this age of technological development, means of communication became the most important means used for advertising and commercial promotion. As the Authority supports all legitimate purposes that use this technology, it opted to make those means available for commercial purposes, provided that the individual privacy rights and other rights are protected. The aforementioned conditions realize a number of objectives including: Protecting the individual's right to privacy. Ensuring transparency, truth and clarity in those messages. Giving the individuals the right to make a decision based on clear and true information. Ensure the protection of different age groups in general and children in particular. Protection of communications networks.

18 4.7 Enforcement The Anti-SPAM Regulations will apply to: 1. A message originating within, sent to or from Oman, or 2. A message whose sender is proved to be working or residing in Oman, or that his head quarter or any of his branches is in Oman Exemptions: 1. Messages sent by government or judicial authorities in Oman or sent by licensees at the request of these authorities in pursuit of the public interest. 2. Messages sent in cases of natural disasters and exceptional public emergency accidents. The Authority endeavored, when laying down enforcement measures, to close a loophole that can be misused to send SPAM without being enforced by the enforced regulatory framework, such as sending a message to Oman from a country where there are no anti-spam regulations enforced and where such messages are considered legitimate. As such, the sender finds a loophole which allows him not to be a subject to a penalty if the enforced legal system in Oman becomes not applicable. However, by the principle adopted by the Authority, the provisions of the Regulations will be applicable to the sender regardless his geographical location as long as the transmission was to Oman and that it would harm the Sultanate s interests. This is in addition to the measures applied without distinction to individuals, companies and institutions as an additional attempt to close the loophole that can be misused. The exemption included some cases where communication with the public is required for the purpose of public interest or in cases of natural disasters and exceptional accidents. In such cases enabling communication with the public becomes a must and thus the messages sent are considered legitimate and not SPAM as long as the goal is to protect the public interest, however this exemption is granted exclusively to the government and judicial bodies in the Sultanate.

19 4.8 Dictionary Attacks and Address Harvesting Software It is impermissible for any person to use, help or incite others to use software that help or facilitate the sending of SPAM such as Address Harvesting and Dictionary Attacks. Address Harvesting software collects lists of electronic addresses from web sites or from other internet sources. On the other hand, Dictionary Attacks software generates electronic addresses automatically through generating letters from a dictionary or through common names and numbers. Through collection and generation of internet addresses, the spammers send them to the random addresses that were collected and generated. Therefore the Authority considered that preventing the use of such software will reduce SPAM and thereby protect the privacy of individuals. 4.9 Privacy In addition to the obligations contained in the Resolution No.113/2009 on issuing Regulations on Protection of the Confidentiality and Privacy of Beneficiary Data, the sender of advertising and commercial messages shall maintain the confidentiality and privacy of whatever data he has obtained from the recipient, and shall not sell, publish, distribute, exchange with others or misuse or otherwise use such data in purposes other than the ones for which this data was compiled. By the end of 2009 the Authority has issued regulations to protect confidentiality and privacy of the data of telecom services beneficiaries, either those provided at subscription or those submitted to the Licensee after subscribing. Regardless of the purpose for providing such data, the Licensee is responsible for maintaining the data and not sharing them with a third party except when there is a consent of the beneficiary. The text in the Regulations emphasizes the need to adhere to those regulations as the sender of commercial and advertising messages shall abide by the following in respect of the data he receives from the recipient: 1- Maintain the confidentiality and privacy of the data. 2- Shall not sell, publish, distribute, exchange with others or misuse or otherwise use such data in any way and for any purpose.

20 Such terms and conditions protect the data and information of the recipients who have agreed to receive commercial and advertising messages Licensees Obligations The draft Regulations include a set of obligations on the Licensees for the purpose of reducing the sending and receiving of SPAM including: a. Ensure that the sender obtains the prior explicit consent of the recipient if the licensee sends advertising and commercial messages on behalf of any person. b. Use software, services or tools necessary to combat, curb or cease such messages. c. Establish a database containing the content of all the advertising and commercial messages sent on behalf of any person, details of their information, electronic addresses of recipients, approvals and requests based on which the sending took place and its date. This information should be maintained for at least six months from the date of sending. d. Cease to send all the commercial and advertising messages that are sent on behalf of any person if so requested by the recipient. The licensee shall cease to send messages within one working day from the date of sending the request. e. Stipulate clearly in any agreement made between the licensee and any other person for the purpose of offering promotion and advertising services via commercial or advertising messages that the provisions of these Regulations shall be adhered to as well as the penalties imposed in the event of breach including the annulment of the agreement if the breach is repeated. f. Cooperate with the others operating in the ICT sector to lay down standard rules and procedures to control SPAM. This should include investigation into users complaints and the measures taken against offenders and a method to establish a unified list of offenders names and their data to be approved by the Authority before its enforcement. g. Design awareness and educational programs for the users of telecommunications services to control SPAM.

21 h. Prepare guidelines to use telecommunications services and make them available to users. These should include the requirements, provisions and rules set out in the Act and its Executive Regulation and the other decisions issued in implementation thereof particularly the provisions of these Regulations such as the conditions and requirements to send commercial and advertising messages and the penalties to be imposed for breaching these measures and the other rules and guidelines approved by the Authority. i. Provide a simple and efficient means to all users of telecommunications services to enable them to file complaints or report any SPAM sent or any breach of the provisions of these measures. The licensee shall follow the investigation procedures set out in clause (f). j. Prepare reports, at the request of the Authority, on the procedures taken to meet their obligations as set out in these measures, in addition to an annual report on the number of SPAM messages sent from and to systems and networks of each licensee and the number of complaints received and the action taken in their respect and the other relevant data and information. k. Carry out any other works as requested by the Authority. As Licensees are partners with the Authority in its efforts to combat spam, and it is for their benefits to protect their networks and their subscribers from the risks of those messages, it was necessary for the Authority to include a set of obligations within the Regulations so as to emphasize the need for such a partnership. The obligations aim to achieve a number of objectives including: Protect confidentiality and privacy of the data of telecom services beneficiaries. Permanent supervision and protection of networks. Protect licensees from abuses and indiciplinary behaviours carried out by the senders of commercial and advertising messages. Ensure that all contractors with the Licensees to provide services to send commercial and advertising messages are aware of the relevant regulations and laws. Inform and educate the public on the dangers of SPAM and the protection methods. Increase cooperation between licensees to achieve the desired goals to combat SPAM and thereby reduce such messages. Establish communication bridges between licensees and beneficiaries to enable them to communicate in order to easily file complaints against any abuse.

22 4.11 Limitation of Liability In addition to the sender of SPAM messages, the following will also be legally liable: a. Whoever has commercially benefited from the transmission or the promotion while being aware that it has taken place in violation of the provisions of these regulations. b. Any person expected to benefit from the transmission or the promotion while being aware that it has taken place in violation of the provisions of these regulations. c. Any person who deals or makes available systems and software that help in the sending of SPAM or Address Harvesting and Dictionary Attacks. The Authority considers that limiting the legal liability, whether criminal or civil, to the sender only will not necessarily achieve the objective, as there are a number of parties who shall also be liable in addition to the sender. For example, whoever is commercially benefiting from the transmission or any person expected to benefit, such as a company using SPAM to promote its products and services, while being aware that the sender will carry out the transmission in violation of the provisions of these regulations, will also be liable for the violating transmission as he is knowingly violating the regulations and the Act for his own benefits. This is also applied to individuals who deal or make available systems and software that help in the sending of SPAM or Address Harvesting and Dictionary Attacks, where with such actions they help in sending and spreading SPAM and consequently they shall be held liable as, in practice, there is no difference between them and the sender Right of Compensation Any person affected by SPAM may claim compensation for the damages sustained due to the breach in accordance with the regulations in force in the Sultanate in this regard. Basically, any person suffers damage, material or moral, will have the right to seek legal recourse to claim compensation to cover the damage, in accordance with the procedures in place of the judiciary system. The affected person may not refer to the Authority to claim compensation because the provisions in the Telecommunications Regulatory Act, issued

23 under Royal Decree 30/2002, do not expressly provide the right for the Authority to decide on the compensation to be granted and consequently the Act shall not be violated by issuing regulations through a decision issued by the Authority Complaints and SPAM Reporting The Authority may look into any complaint received in respect of violating the provisions of these regulations. The Authority provides for any interested party to file a complaint against any Licensee or person sent SPAM or a beneficiary of sending such messages to make a complaint to the Authority according to the procedures set for such purpose. Initially, the concerned Licensee shall be contacted to file a complaint. If the Licensee failed to consider the complaint or provide a response, or if the response was not satisfactory the complainant may then refer the case to the Authority for consideration and to take the necessary legal procedures, which may entail criminal and administrative penalties if violation is proved Sanctions If a violation is proved the Authority may take any of the following steps: 1- Caution the offender. 2- Instruct the licensee to disconnect the service of the violating subscriber. 3- Impose a financial penalty not less than RO 1,000 for each violation. 4- Take any other action as it deems appropriate. If there is a proof that any person has violated the provisions of this Regulation, the Authority may impose administrative penalties required to apply sanctions to the violator and to deter any person from violating the provisions of the Regulation. The sanctions to be applied to the violator vary from a warning for minor violations or for first-time violations, or disconnecting the service such as mobile service if the violation was sending sms or mms,

24 to imposing a financial penalty not less than RO 1,000 as per the violation type and the consequences it may has on the recipient and on the networks at the discretion of the Authority. The proposed text of the Regulation gave the Authority the right to approve any administrative penalty that is not stipulated in the Regulation at its discretion, for example, the Authority may decide to close an internet café that uses its licensed service to send SPAM or it may stop granting approvals to other equipment used by the dealers in Address Harvesting and Dictionary Attacks software and systems when they apply to the Authority for such approvals. Therefore, all of the above mentioned penalties are considered to be incentive for every person to abide by the terms and conditions of the Regulation and thus reduce the sending of SPAM and encourage the sending of legitimate commercial and advertising messages.

25 Chapter Five Definitions No. Term Definition 1 Act: Telecommunications Regulatory Act issued by Royal Decree No.30/ Regulation: Anti-SPAM Regulation 3 Regulations on Regulations issued by TRA Resolution No. 113/2009 on the Protection of the licensees obligations in respect of protecting information Confidentiality and and data of the telecom services beneficiaries. Privacy of Beneficiary Data 4 London Action Plan An international action plan designed to encourage communication and cooperation between countries in tackling spam and spam-related problems and challenges 5 Explicit Consent Is the permission explicitly granted by a person to receive messages from the sender which is not likely to be misinterpreted. 6 Implicit Consent Is the permission that can be inferred from the conduct of the sender or from the relationship between the sender and the recipient 7 Assumed Consent The approval of the recipient to receive messages from the sender is by default, unless the recipient cancels such approval by requesting the sender to stop sending such messages. 8 Megabyte (MB) a measure of amount of information equals to 1024 bytes 9 Headquarter Is the location of the main administration center of the company, institution or natural person. 10 Electronic Address The electronic e mail address or the phone number that can receive an electronic message 11 Address Harvesting A software or an electronic tool that collects electronic addresses from web sites or from other Internet sources. 12 Dictionary Attacks A method, whereby electronic addresses are automatically generated based on names from a dictionary, common names and numbers. 13 Telecommunications Telecommunications system or group of integrated systems

26 Network including the necessary infrastructure that permits telecommunication between and among defined network termination points including means to access the 2 World Wide Web (the Internet). 14 Licensee A natural or legal person who obtains the license in accordance with the provisions of the Telecom Act, whether the license is issued by a Royal Decree, a decision by the Minister or a decision by the Authority.