Fighting Spam the Multistakeholder Way – A Case Study on the Port 25/TCP Management in the Brazilian Internet
This case study by the Institute for Technology & Society at Rio de Janeiro State University explores how CGI.br, the multistakeholder Brazilian Internet Steering Committee, addressed through a collaborative decision-making and educational process the difficult issue of arresting spam propagation, and it highlights how collaborative governance can be applied in an iterative and educational fashion.
Photo: Will Lion (CC BY-NC-ND 2.0)
Fighting Spam the Multistakeholder Way – A Case Study on the Port 25/TCP Management in the Brazilian Internet
Authors: Ronaldo Lemos, Carlos Affonso Souza, Fabro Steibel, and Juliana Nolasco
Institute for Technology and Society at Rio de Janeiro State University
Abstract: This case study explores how CGI.br, the multistakeholder Brazilian Internet Steering Committee, addressed through a collaborative decision making and educational process the difficult issue of spam propagation. Although the technical solution to the spam problem in Brazil was relatively clear, convincing stakeholders to adopt the solution was challenging. Telecommunications companies and ISPs initially resisted this recommendation out of concern around the costs of switching and the challenges of communicating the change to end users. This case study examines how a multistakeholder process involving telecommunications companies, ISPs, consumer rights associations, and government ministries and agencies was able to overcome these obstacles while simultaneously respecting consumer rights, freedom of speech, and commercial competition. CGI.br’s Anti-Spam Working Commission (CT-Spam Commission) highlights how collaborative governance can be applied in an iterative and educational fashion. Addressing the spam issue would require buy-in and cooperation from a variety of parties, and by engaging all stakeholders, the CT-Spam Commission was able to identify the concerns of stakeholders and then develop a variety of educational materials, technical reports, and policy changes in order to address those concerns. By developing the policy in such a fashion, the CT-Spam Commission was able to gain the support of the telecommunications companies and ISPs without regulatory oversight. Ultimately, with the buy-in of key stakeholders, implementation of the Port 25/TCP recommendation in 2013 led to a dramatic decrease in spam in Brazil.
Table of Contents
I. Introduction
II. Identifying a Policy Issue
A. Notes On the Structure of CGI.br
B. Spam as a Technical Policy Issue: 2005-2009
C. Spam as a Broad Policy Issue: 2009-2011
III. Research as a Policymaking Aid
A. Measuring the Problem Size
B. Informing the Community
IV. Consensus-Building Measures
V. Results and Discussion
I. Introduction
For over fifteen years Brazil has developed a model of multistakeholder Internet governance. There is already substantive literature covering the process of creating the Brazilian Internet Steering Committee (CGI.br), but less attention has been dedicated to describing how a multistakeholder decision-making process has been implemented and fostered by CGI.br, or to exploring its peculiarities and challenges.
The fight against spam, and more specifically the adoption of Port 25/TCP management on the Brazilian Internet, is a case study that is worth exploring due to the elements it pulls together, providing a complex and in-depth picture of the multistakeholder process in practice. In 2005, CGI.br, through its Anti-Spam Working Commission (CT-Spam),[1] began addressing the issue of spam in Brazil. Since then, CT-Spam has produced a number of academic studies and technical reports that have supported the adoption of Port 25/TCP management as the most effective measure to fight spam.[2]
The initial efforts of CT-Spam focused on the technical aspects of limiting spam. Its recommendation for telecommunication companies (telcos) and Internet service providers (ISPs) alike was to replace Port 25/TCP—a TCP port with low security standards—with Port 587/TCP, which has higher standards. Telecommunications companies and ISPs, however, did not adopt the recommendation outright, and in 2009 Brazil was first on the list of countries that send out the largest amount of spam, according to the Composite Blocking List (CBL).[3] The international press called Brazil the “new king of spam,” and the issue also made headlines in national media.[4] In order to reverse this situation, in 2009 CGI.br changed its tactics and started to attack the issue more broadly. Instead of treating spam as a purely technical Internet infrastructure problem, they addressed it as a regulatory issue that concerned consumer rights, freedom of speech regulation, and commercial competition. This approach led to the 2013 implementation by telcos and ISPs of the technical recommendation formulated first in 2005, and reformulated in 2009. Since then, Brazil’s spam ranking has dropped drastically.
Brazil was one of the first countries to attempt to regulate Port 25/TCP, nonetheless, it took more than seven years for the issue to be solved. In the meantime, countries such as the United States, Japan, and the European Union implemented the same recommendation in much shorter timeframes.[5] In contrast to CGI.br’s multistakeholder model, these countries and regions opted for a more government-oriented decision-making process, which suggests that the multistakeholder approach adopted in Brazil is less efficient than the more top-down initiatives adopted elsewhere. There are, however, two arguments which counterbalance this fact: first, the multistakeholder process had an intrinsic value in connecting different stakeholders in a joint effort; second, particular characteristics of the Internet regulatory environment in Brazil made it so that no stakeholder alone coulc implement the necessary technical solution without cooperation from others. Thus, a more drastic political approach was likely to face major criticism.
As this case study argues, a top-down regulatory initiative in Brazil was likely to fail. Implementing TCP port management can be done in several ways, but it requires a collaboration of three levels of players: telcos (who control the use of Internet infrastructure), broadband providers and ISPs (who provide connectivity and IP addresses, and/or authenticate users and provide services such as e-mail and web), and Internet users.
In contrast to other countries, in Brazil, telcos, broadband providers, and ISPs are not regulated in the same way. While telcos are closely regulated by Anatel, the other stakeholders are less strictly regulated through various governmental and self-regulatory institutions. If a top-down, government-run solution was implemented, there would be no single agency or decision-making process that could enforce compliance. This is why a multistakeholder approach was more likely to succeed in Brazil.
This long process, conducted in a multistakeholder fashion, is the focus of this case study. Grounded in national and international literature on Internet governance and regulation, as well as in the current status of the multistakeholderism debate, this article is a result of a yearlong series of 11 in-depth semi-structured interviews involving 12 interviewees. We address the following research questions: How were different stakeholders identified, and how have they interacted with each other? What was the role of governmental entities in pushing the process forward, and how did it negotiate power relations between private sector and civil society players? How was consensus reached? What has motivated different stakeholders to engage in Port 25/TCP management?
Research on the process and obstacles to implementing the management of Port 25/TCP in Brazil offers a rich case study for academic analysis. From that, we can make observations about how this process took place, how the different parts interacted, and how consensus was obtained.
[1] Comissão de Trabalho Anti-Spam. More information available at http://www.cgi.br/acoes/antispam.htm#a4 (accessed on 01.Jul.2014). The working group started on 14 January 2005.
[2] HOEPERS, C. JESSEN, K. Gerência da Porta 25: Motivação, Importância da Adoção para o Combate ao Spam e Discussões no Brasil e no Mundo, 2009. http://www.cert.br/docs/ct-spam/ct-spam-gerencia-porta-25.pdf (accessed on 01.Jul.2014).
[3] http://www.nic.br/imprensa/clipping/2013/midia182.htm
[4] Composite Blocking List, http://cbl.abuseat.org/country.html (accessed on 01.Jul.2014).
[5] Japan Email Anti-Abuse Group: [http://jeag.jp/index.html; Rubenking, Neil. Port 25 Block Stalls Spam After All, http://securitywatch.pcmag.com/spam/290791-port-25-block-stalls-spam-after-all; BEVERLY, Robert; BAUER, Steven; BERGER, Arthur. “The Internet’s not a Big Truck: Towards Quantifying Net Neutrality”, http://www.akamai.com/dl/technical_publications/truck-pam07.pdf
II. Identifying a Policy Issue
To better understand how the CT-Spam, formed inside CGI.br, came to the conclusion of how it should act to fight spam, it is necessary to first highlight a few structural aspects of the Brazilian Internet Steering Committee as a whole, since they will play a larger role in the discussion around the challenges faced by the anti-spam project.
A. Notes On the Structure of CGI.br
CGI.br was created by Interministerial Ordinance nr. 147/1995[6], which was amended by Presidential Decree nr. 4,829/2003[7], “with the purpose of coordinating and integrating all Internet service initiatives in Brazil, as well as promoting technical quality, innovation and the dissemination of the services available”. It is a multistakeholder institution comprised of members from the government, the private sector, non-governmental organizations (NGOs) and the academic community. CGI.br has 21 councilors, 10 of them nominated by the Government and eleven selected through elections to represent the private sector, NGOs and academia in the Council. A representative of the Ministry of Science and Technology coordinates the works of the Council, as established by Article 2 of the aforementioned Decree.
The elected councilors have a three-year mandate and, according to Decree nr. 4,829/2003, they render a public interest service, not being entitled for any remuneration for the time they serve in the Council.
Figure 2 : CGI.br and NIC.br Structure[8]
The CGI.br organization increased in complexity along the years, including the establishment in 2005 of NIC.br, the Brazilian Network Information Center, which implements the decisions and projects approved by the Brazilian Internet Steering Committee.
In 2009 CGI.br approved a ten-principle list for the governance and use of the Internet in Brazil. Commonly referred to as CGI.br’s Decalogue,[9] this set of principles offered inspiration for the Brazilian Internet Bill of Rights (approved in the National Congress as Law 12,965/2014) and serves as a guiding reference to a number of initiatives developed by the Council, such as CT-Spam and its blocking of Port 25/TCP project. Especially as concerns the anti-spam project as described in this report, the Decalogue’s principles of Democratic and collaborative governance, Neutrality of the network and Legal and regulatory environments are instrumental to the better understanding of how the project came into being.
CT-Spam is the anti-spam task force of CGI.br, created in 2005 with the objective to reduce and control spam in Brazil. It was called in reaction to the increased blacklisting of Brazilian broadband providers' IP ranges, a rise in operational costs, the instability of broadband connectivity, and the decrease of consumer quality service associated with the spam problem. Its objectives include “raising awareness about the importance of best practices, data protection and privacy issues related to e-mail marketing, studying a legal framework for Brazil, suggest procedures to combat spam, legal review and promote international articulation to fight spam”.[10]
CT-Spam began addressing spam as a policy issue in 2005, offering a technical solution for a technical problem of Internet infrastructure. By then, only CGI.br advisors and academics were involved in the process. Other stakeholders were quickly called in to raise awareness of the topic, but this was not sufficient to implement the plan. By 2009, four years later, telcos, broadband providers, and ISPs alike were reluctant to adopt CT-Spam’s recommendations. This reluctance prompted CT-Spam to liaise with the CGI.br Committee Board and to reframe the policy issue more broadly. In 2009, CT-Spam began to relate the technical aspects of Port 25/TCP management to consumer rights, freedom of speech, and economic competition. The result of these actions is the creation of a policy network[11] that, seven years later, has succeeded in implementing the adoption of Port 25/TCP management to mitigate spam.
[6] http://cgi.br/portarias/numero/147
[7] http://cgi.br/pagina/decretos/108
[8] HOEPERS, Cristine. “A multistakeholder effort to reduce spam – The case of Brazil”, available at http://www.cert.br/docs/palestras/certbr-isoc-lac2014.pdf.
[9] CGI.br’s Decálogo, available at http://cgi.br/en_us/resolucoes/documento/2009/003
[10] CT-Spam website, available at http://antispam.br/en/
[11] CT-Spam aimed to group Telcos, ISPs, security groups, direct marketing businesses, civil society groups and other segments directly related to the problem, in the technical and operational levels. Amongst those represented in the Task Force were a CGI.br’s Board Member (coordinating the group), CGI.br’s Concil Board members, NIC.br and CERT.br members, and also representatives from telecom companies, academics and governmental representatives (from the Ministry of the Technology and Science and from Anatel, the Telecommunication Regulatory Agency).
B. Spam as a Technical Policy Issue: 2005-2009
When the issue of spam was brought forward by CT-Spam, two types of spam messages were identified: spam based on its content, and spam based on its source. Content-based spam, which typically originates from individual email accounts without users’ knowledge, is a complex and disputed topic, and was perceived as a challenging regulatory issue. CT-Spam analyzed the role of users in spam (users here defined as end users – contract holders with ISP providers) in order to understand the role of spam messages sent by users on purpose (i.e., spammers), and messages sent by users without their knowledge (i.e., victims of spammers’ attacks).
To understand that distinction in types of spam, CGI.br conducted an educational campaign with private sector players,[12] and jointly published an Ethical Code of Conduct. The Code labeled spam messages as UCE (Unsolicited Commercial E-mail) and defined spam as messages that share four characteristics: commercially oriented messages, sent indistinctively to a large groups of receivers, with identical content, and without users’ consent. Managing this type of spam involves analyzing the content of all messages. Interviewees noted that if addressed using port management, this approach violates certain fundamental principles of human rights (the right to privacy, in particular).
Source-based spam, however, is a much less disputed policy issue. In the case of content-based spam, such as email marketing and chain emails, the user’s account is responsible for sending the message to others. As such, the user has (or might have) control of what it says. In the case of source-based spam, however, it is the user’s computer (and not their email account) that is responsible for sending the messages. This means that the spam message is not the user’s message, but instead is a message sent through the user’s computer without the user’s intent or knowledge.
As interviewees explained, regular email messages are sent using SMTP (Simple Mail Transfer Protocol), a technical standard that enables users’ computers to communicate with email servers in order to link an email access point to an email server. The default outbound port to provide this communication is Port 25/TCP, meaning that all emails a user sends from their computer need to access this outbound port to reach ISPs to be routed to their final destination. It is possible to set up the user’s computer to perform both tasks, acting not only as regular email access points but also as an email server.
CT-Spam’s policy suggestion focused on the capability of a user’s computer to be set up to operate as an email server when Port 25/TCP is used. Each computer, if properly exploited and externally controlled, could send spam bulk messages without the user’s notice or control. This also means that ISPs or other Internet hubs cannot effectively fight spam without analyzing a message’s content, which invades user privacy and violates human rights standards. Replacing Port 25/TCP with Port 587/TCP would address a default system that offers a low standard of security (i.e., no password requirement) by replacing it with a system offering a higher standard of security. This would drastically reduce the amount of spam going out of the country.
Interviewees describe the technical solution chosen as being crystal clear, but they report having difficulties translating what they saw as a low-cost, highly efficient, easily implemented, and internationally accepted solution into terms easily understood by non-technical communities (such as lawyers, journalists, and public servants). In 2009 CT-Spam was about to drop the case due to the challenges with implementation. They knew beforehand they had to align three levels of Internet infrastructure: end users, who had to manually set up their own computers; ISPs and broadband providers, who had to change their default TCP port and instruct end users on how to set up their own machines; and telcos, who were responsible for blocking Port 25/TCP traffic. But CT-Spam did not anticipate that implementing Port 25/TCP management could not be accomplished through approaching it as a purely technical Internet infrastructure matter.
[12] CERT.br, Cartilha spam http://cartilha.cert.br/spam/. Accessed on 01.Jul.2104
C. Spam as a Broad Policy Issue: 2009-2011
When CT-Spam issued a technical note in 2005 suggesting the replacement of Port 25/TCP with Port 587, it was clear that the policy issue had a strong technical aspect. What was not clear at that point, according to the interviewees, was the broad range of related political, social, and economic aspects that would surface. CT-Spam had several meetings with high ranked technical staff from telcos, broadband providers, and ISPs, who raised several concerns. The first was economic: the private sector wanted to investigate the costs of switching TCP ports, and what hardware implications this would have. There was also a consumer rights concern: if, as a result of the switch, users could not access their email accounts, they would blame ISPs and telcos, which could lead to private sector companies being brought to court.
Lastly, there was a broad regulatory concern related to the ecology of Internet regulation in Brazil. While areas such as telecommunications and broadcast are specifically regulated based on constitutional grounds, the Internet is not. The first Internet-related legislative proposal was sent to Congress in 1998. However, only after landmark attempts at regulation were made in 2005, 2008, and particularly in 2009 (when the Brazilian civil rights framework for the Internet, Marco Civil, was drafted) did Internet regulation become a top priority policy issue for government, civil society, and private sector alike.
According to interviewees, telcos were keen to promote Anatel (the Brazilian Agency of Telecommunications) as an important regulatory agency for the Internet, and demanded that Anatel officially support CT-Spam’s recommendation. At this point in 2009, however, Anatel’s role in CGI.br was unclear. Also, there was a concern that the CT-Spam recommendations would violate net neutrality, a value supported by CGI.br principles (as outlined in the Decalogue) and strongly supported by the Marco Civil. Previous attempts by telcos to block VOIP ports were defined as a violation of net neutrality, and they feared that the same would happen in the initiative to block Port 25/TCP.
Taking the three concerns together (i.e., the economic impact, consumer rights, and the regulatory ecology), interviewees report that only after 2009—when CGI.br’s Committee Board joined the negotiation and vice-presidents and legal consultants of private sector companies were invited to join the debate—were the technical aspects of the policy issue able to be considered. After this initial expansion, more governmental bodies and civil society representatives joined the decision-making process, which cleared the way for the technical solution to be implemented in March 2013. As interviewees report, they were all ready for a massive number of complaints from final users who suddenly found they could not access their email. The implementation, however, was done gradually, from one set of cities and ISPs to another, and the overall perception was that the policy was implemented without any major drawbacks.
III. Research as a Policymaking Aid
As interviewees clearly point out, Brazil was the first country to officially define source-based spam as a policy problem and issue an official document to address Port 25/TCP management. Between 2005 and the implementation of the policy solution in 2013, however, several other regions took the action Brazil was slow to adopt. Japan, the European Union, and the United States (i.e., Comcast) all switched TCP ports within six months or less, while in Brazil the change took more than seven years. However, interviewees state that the long timeframe to implement the port management was necessary because stakeholders needed plenty of time, information, and knowledge before agreeing to support the policy recommendation.
Brazil has some particular characteristics that made Port 25/TCP management peculiar. As mentioned above, in Brazil, telcos and ISPs are not regulated in the same way, nor are they regulated by the same agency (telcos are regulated by Anatel, and ISPs are softly regulated by Anatel and other institutions). CGI.br is also a unique institution, taking a multistakeholder regulatory approach and focusing more heavily on consultation processes. Within this regulatory framework, CT-Spam had to perform a policy change from a non-binding position, in an environment where other agencies had a clear legal mandate to act (though at the same time they could not implement a policy change alone).
To achieve their goals, CT-Spam decided to invest in research initiatives to persuade key stakeholders to approve of the policy change. They approached this on three different fronts. First, they funded research to measure the dimensions of spam in the country, investigating the number of messages involved, the main incoming and outbound destinations, and the amount of Internet traffic consumed. The second component investigated non-technical aspects of Port 25/TCP management, requesting policy reports on the consumer rights and human rights impacts from the Federal Prosecutor’s Office, consumer defense organizations, the public servants from the Ministry of Justice, and academics. Lastly, CT-Spam created tools to disseminate the information they generated, aiming to educate and mobilize actors.
All the above aspects were key to the success of the blocking of Port 25/TCP project. Investing in research, for example, provided a key argument for telcos and ISPs to consider, and raised awareness about the topic. After all, if up to 90% of the Internet traffic they were selling to their clients might be used without their users’ awareness, their efforts were being wasted from a marketing perspective. At the same time, major concerns about other regulatory issues kept stakeholders immobile. Only after non-technical issues such as consumer rights and commercial competition were discussed alongside the technical issues did telcos and ISPs feel secure enough to block the Port 25/TCP. Parallel to all these efforts, CT-Spam launched a website to explain what spam was and what needed to be done in order to legitimize the process. It allowed key civil society representatives to advocate for the cause online. This in turn allowed telcos and ISPs to join a well-known cause.
A. Measuring the Problem Size
In 2005, CT-Spam operated as a working group to measure and identify the key aspects of spam in the country. This initiative was mostly coordinated by CERT.br member Klaus Steding-Jessen, with the support of CGI.br council member Marcelo Fernandes. Questions asked by the working group included: how much of data traffic is consumed by spam? Are the sources of spam domestic or international? What is the impact of spam on the average user’s experience on the Internet? What other services are impacted by the blocking of Port 25/TCP?
To address these questions, in 2006 CT-Spam started to use an in-house research program from CERT.br named HoneyPots. HoneyPots are computers, distributed along the network, that emulate normal Internet use and computer configurations. After some preliminary tests, CERT.br adapted their computers and started to run a specific script to investigate spam (naming the project SpamPots). The SpamPots were run without the awareness of telcos or ISPs to avoid possible external interference, and provided CT-Spam for the first time with quantitative measurements of spam circulation in the country. Over 325 days, the SpamPots collected a total of 370,263,413 messages addressed to more than 3 million users worldwide and originating from 157 countries, most of them from Taiwan and mainland China (the project also found that 90% of the spam messages were written in Chinese).[13]
Later on, an academic institution (UFMG) conducted additional research. Over 15 months they used ten computers to provide broad and statistical information about spam in Brazil. The results of this research enabled CT-Spam to make specific policy arguments based on hard data. Summarizing the three main arguments stated by interviewees, it was clear by then that: (a) Brazil was actually a spam hub: a mule, not a spam producer, with local computers being used by outsiders to send messages abroad (mainly to and from China); (b) Because most users in the country used ADSL, which provides an asymmetric connection, the amount of Internet bandwidth used to upload spam messages was seriously compromising their Internet use; and (c) Inbound computer invasions came from several types of IP ports, but all of them used Port 25/TCP for outbound communication.[14]
As the interviewees argue, until these numbers were collected, the technical community was not convinced that spam was an urgent topic. Spam records so far were mostly provided by antivirus and malware software companies, which were perceived by the community as untrustworthy sources. When CT-Spam revealed the numbers to the telcos and ISPs, and reinforced that blocking Port 25/TCP had already been recommended by the IETF,[15] the technical community agreed on the need to address the issue. There was nonetheless debate over whether Port 25/TCP would be a sufficient solution. As Klaus Jessen stated in an interview:
(...) it was by then clear to us that no matter how many incoming ports were being abused, the outbound port was always the same: Port 25/TCP (…) However, some ISPs counter-argued saying we should also manage inbound ports, but we replied saying: “look, we identified 30 inbound ports being used today for invading users’ machines, but there is only one port in use to send spam out, and this is the one used as default port in SMTP configuration” (…) [after that] we thought that exposing that spam was a waste of Internet traffic, and that was bad for ISPs, and that there was a clear solution to address it, they would agree with us. But they kept disagreeing with us, even amongst technical staff.
In order to allow the debate to move forward, CT-Spam engaged CGI.br’s Committee Board to research the role of spam particularly with respect to consumer rights. The academic institution Fundação Getulio Vargas developed a policy report on the impact of spam in Internet regulation and Internet fundamental rights, which was written by legal experts including Ronaldo Lemos, Danilo Doneda, Carlos Affonso Pereira de Souza, and Carolina Rossini.[16] The report concluded that the management of Port 25/TCP was not a threat to net neutrality because it offered alternatives for the same service using an alternative TCP port. They also argued that Port 25/TCP management would improve fundamental rights online, and supported the initiative as a creative solution to address spam without invading privacy.
Moreover, CGI.br also requested a report from the Brazil Secretary of Citizen’s Rights (SENACON) on the responsibilities of telcos, broadband providers, and ISPs in Port 25/TCP management. The report concluded that ISPs were responsible for providing information to end users on how to switch TCP ports, but released them from responsibility for problems relating to the port block. They also concluded that users who wanted to have their port set to Port 25/TCP could request it, which enabled telcos to implement the change with minor judicial pitfalls. SENACON was also asked to inform other agencies of the judicial system related to consumer rights of this decision, which interviewees viewed as a safeguard to support the private sector in the event of legal action by users.
[13] http://www.nic.br/imprensa/clipping/2007/midia354.htm (acessado em 12.10.2013). Segundo o release de divulgação dos dados da iniciativa Spampots, publicado em 11.07.2007: "A lista dos 10 países que mais abusam do Brasil, de acordo com os resultados preliminares, traz Taiwan em primeiro lugar, com 281.601.310 e-mails capturados, ou 76% das ocorrências. China vem em segundo lugar, com 58.912.303 e-mails ou 16% do volume analisado. Estados Unidos, Canadá, Coréia, Japão, Hong Kong, Alemanha, Brasil e Panamá são os outros países que aparecem na listagem, e que juntos somam menos de 8%."
[14] Entrevista de Cristine Hoepers e Klaus Jessen ao projeto de Documentação da Gerência da Porta 25, concedida em 25.09.2013.
[15] Internet Engineering Task Force (a non-commercial and not-for-profit non-governmental organization responsible for developing and promoting Internet Standards)
[16] LEMOS, Ronaldo; DONEDA, Danilo; SOUZA, Carlos Affonso; e ROSSINI, Carolina. Estudo sobre a Regulamentação Juridica do Spam no Brasil. Publicado originalmente em abril de 2007. http://www.cgi.br/publicacoes/documentacao/ct-spam-EstudoSpamCGIFGVversaofinal.pdf (acessado em 12.10.2013). Some of these authors are also authors of this case study.
B. Informing the Community
In 2006, CT-Spam launched a website to provide information about spam and Port 25/TCP (antispam.br). Different audiences were targeted through the website: end users could read FAQs and watch educational videos; the technical community could read advanced materials on how to configure computers and private networks; and NGOs could engage in the campaign and share promotional materials. Moreover, as interviewees argue, the portal increased the legitimacy of the campaign, making “official” the public initiative to combat spam. Apart from that, CT-Spam also organized a series of seminars and talks across the country, and used these opportunities to give publicity to the academic and technical research they had been doing. Internationally, CT-Spam signed 12 mutual cooperation agreements to conduct research on best practices abroad and to export knowledge on spam internationally. CT-Spam also hosted meetings with telcos, broadband providers, and ISPs to inform them of their research findings. The first meeting participants were technical staff of the private sector, but from 2009 onwards, company vice-presidents and lawyers also joined the meetings.
IV. Consensus-Building Measures
Although the technical solution for the spam problem was clear and uncontested, the implementation delay of more than seven years is due to a lack of cohesion among stakeholders. In 2005, interviewees reported that the international community was already complaining about the amount of spam coming out of Brazil. Interviewees were aware of the number of Brazilian URLs included in international blacklists. And the topic was appearing more and more frequently in media venues both outside and inside the country. Growing international concern motivated CGI.br to create CT-Spam, to issue the technical note on Port 25/TCP management, and to request best practices from abroad to inform the national debate.
CT-Spam, however, knew that even though the international reputation of Brazil was endangered abroad, the technical solution for spam did not depend on international collaboration. The block of Port 25/TCP was an efficient solution for the spam problem, and it could be implemented by national telcos alone. The work of CGI.br from that point onwards was to liaise with the international community to exchange experiences (for example, signing mutual cooperation agreements), receive international missions (e.g., a delegation from Japan visited Brazil before deciding to manage Port 25/TCP in their own country), and discuss the topics with international networks of which CGI.br was already a member.
The most challenging effort for CGI.br, however, was build a consensus among key stakeholders inside the country. CT-Spam could not enforce regulations, but only issue recommendations. Since the release of the technical note, however, only a few ISPs had voluntarily managed Port 25/TCP, while major players were mostly reluctant to accept the change. Telcos, for example, insisted that Anatel, their regulatory agency, support the initiative. Anatel’s role in CGI.br until 2009 was marginal, and only after the Committee Board officially requested that Anatel support the initiative did telcos begin to change their position. Telcos and ISPs also requested that the Ministry of Justice and the judiciary consumer rights group support the initiative; CGI.br also organized this.
As a result of these requirements, the blocking of Port 25/TCP project support gradually became more and more multistakeholder. In 2010, for example, CGI.br and Anatel signed a cooperation agreement, which resulted in a formal commitment by the telcos to support CT-Spam’s recommendations.[17] In 2011, the Department of Defense and Protection of Consumers of the Ministry of Justice (DPDC/MJ)[18] issued a technical note to inform judicial institutions about the block of Port 25/TCP, freeing telcos and ISPs of major consumer rights responsibilities (and at the same time assuring that, when necessary, users could request their Port 25 be opened). By then, the project website was established as a source of information and legitimacy, which cleared the way to align all players and implement the full block of Port 25/TCP in the country.
[17] ofício n 195/2010-PR-ANATEL
[18] Nota Técnica - NT nº 65 CGSC/DPDC/SDE, available at http://www.antispam.br/porta25/brasil/notatecnica65.pdf.
V. Results and Discussion
The deadline for the implementation of Port 25/TCP management was March 2013. There was no need to impose penalties or incentives to implement it, mostly because stakeholders themselves paved the way for a smooth transition to take place, and they mutually agreed on a calendar of activities. As a result of the policy implementation, Brazil dropped from first place in the CBL spam ranking in 2009 to 25th place in 2013. The implemented solution has not fully resolved spam issues in Brazil, but it has at least significantly mitigated the problem. As Henrique Falhauber said in an interview:
“The website antispam.br aided us to mobilize and inform the public about the issue of spam. However, spam is still a problem that involves social networks and SMS, for example. Mobilizing and educating people is a fundamental task we continue to perform”.[19]
Figure 2. CBL IP blocked addresses vs. Country ranking, Nov 2012 to May 2013 (Source: nic.BR)
We might say however that the blocking of Port 25/TCP project succeeded in two main areas of multistakeholder processes: (a) improving decision-making processes for Internet regulation, and (b) supporting fundamental rights related to Internet use.
The implementation of Port 25/TCP management was highly influenced by the concurrent drafting of the Marco Civil, a bill protecting fundamental rights, including privacy, net neutrality, and freedom of expression, approved as law in Brazil in April 2014 (but drafted collaboratively since 2009). As interviewees argue, Port 25/TCP management was a pre-test of what legal implications Marco Civil would have, and how to solve them. The initiative was therefore a turning point for Internet regulation in Brazil. As Marcelo Bechara argued in an interview, the initiative was the first clear managerial decision-making action of the Committee Board, a case that contrasted with the more deliberative role usually performed by CGI.br.
The blocking of Port 25/TCP project was a managerial-oriented process that should not be mistaken for a top-down government-run initiative. The main policy actor driving the process (CT-Spam) was a multistakeholder group, and the main policy decision-making arena (CGI.br Committee Board) is by definition a multistakeholder body. It is true that not all stakeholders represented in CGI.br participated in the process (for example, no members of the Ministry of Communications, Ministry of Science and Technology, the National Scientific Development Council, or representatives of the Telebras System were mentioned by interviewees as key players). At the same time, other formal members of CGI.br are clearly mentioned (e.g., the academic community, the private sector, and the Internet user community). This ad-hoc set of stakeholders was empowered by working groups such as CT-Spam. This is the nature of the regulatory body that will address future challenges of Internet regulation in the country, such as in the case of net neutrality standards and IPv6 implementation.
Apart from that, we should also highlight an important observation from Brazil’s blocking of Port 25/TCP experience: for Brazil it was important to ensure stakeholder support for solutions, which is a move beyond just identifying and implementing solutions with multiple stakeholders. CT-Spam focused on convincing stakeholders that they should implement a particular solution, which required several years of action.
Identifying the issue and finding a solution was still important. CT-Spam identified a policy issue almost by itself: few academics and CGI.br advisors were previously aware of the role of Brazil as an international spam source. They conducted research to confirm their thesis and liaised internationally to validate their technical solution. But the key step was convincing other stakeholders to support it, which proved to be a harder task than identifying the problem itself.
What the next seven years revealed was a complex implementation process that required stakeholders to believe in the multistakeholder decision-making process itself. This required Anatel to raise its role in CGI.br and consumer rights agencies to support the process and to defend telcos’ and ISPs’ interests. It also demanded that the Committee Board personally engage with decision makers from the private sector. At the end of the process, all those participating were satisfied with the implemented policy solution, and expressed willingness to support such initiatives in the future. While there are still disagreements around Internet regulation in Brazil, the CT-Spam case provided CGI.br with additional legitimacy.
[19] Henrique Faulhaber, interviewee.