Advertising doesn't inherently imply wastefulness or even being spyware or a malware & scam vector.
If all the negative externalities were properly priced in, a lot of bottom-feeding crap at all layers of the stack will die off, but advertising itself will remain and would actually become better as a result for all parties involved.
Why? He didn't kill anyone in the end. It's doubtful that sentences longer than some minimal amount actually contribute to deterrence.
He committed these crimes because he thought he wouldn't get any sentence - which is true because online fraud and mischief has been effectively decriminalized aside from a few edge-cases like this one. You'll notice he didn't even try to be sneaky about it after all.
What's needed is merely to bring back actual enforcement to make it clear that online crime does not pay and would-be criminals will not get away with it. That will be the deterrent.
eSIMs all need to have a chain of trust all the way back to some GSMA gatekeepers. As usual with all kinds of mobile telco stuff, it's never open and really doesn't like people messing around (partly because people messing around might find how much of a broken, insecure and "designed by committee" shit-show most of it is).
Voting with your wallet only works in competitive markets. The vast majority of what you use day-to-day have been monopolized so you don't really have a choice.
Every single company out there uses fingerprinting and breaches the GDPR in one way or another - it's normal business practice. It's effectively impossible to run a business nowadays complying with the GDPR when your competition doesn't.
I absolutely agree that the enforcement is significantly lacking and this "regulator" is useless, but I'm wondering why you are angry that someone got a fine for SMS spam? Some enforcement is still better than no enforcement at all as long as the underlying basis is just, and there should be zero sympathy for spammers out there.
> What makes you think the UK ICO won’t bring legal cases against individuals or companies applying fingerprinting?
The vast majority of consent flows ("cookie banners") out there are not compliant and they do absolutely nothing about it. It's very unlikely this would be any different.
Problem is that a significant chunk of the technology industry still relies on "engagement" as its business model. The objective of slapping an overzealous bot protection system isn't to protect high-risk endpoints like logins/etc, it's to ensure a human is "engaging" and human time is being wasted by making even legitimate automated usage impossible.
From their perspective, the blocking of power users with unusual setups is actually a happy coincidence, as those are unlikely to "engage" with the product in the desired way (they run ad & spyware blockers, don't fall for dark patterns, and are more likely to fight back if they get defrauded by the corporation).
Lookup what's the email host of the destination address. Get a local account on it. If the provider supports scheduled sending, use that, otherwise use Telnet or automate the HTTP request to the webmail.
Being on the same provider will remove a lot of the variable delays in internet delivery. Scheduled send could also mean your email actually arrives in the destination inbox ahead of time but is just hidden until the required time (as it may all be one database under the hood).
If you can get 2 accounts on said provider, you can also test various strategies against your own accounts.
My reconnaissance has shown the server is in fact a self-hosted ESMTPD on a static IP address owned by Vodafone, but using a script to submit directly is a good idea!
If you want to beat other romantically inclined geeks running scripts, you could make sure your script is running somewhere with low latency to that static IP. Use traceroute, looking glass, tools to ping from multiple regions to find the perfect place to run your script.
A VPS in the same region with good peering would be a start. Could see what else is running on IP addresses in the same range, maybe find someone who runs infra on a nearby IP who is willing to run your script.
Problem is that passkeys aren't resilient enough to loss of the authenticator device, which means a fallback flow is always made available, that is vulnerable to phishing/MITM/social engineering.
This is even more pronounced thanks to the efforts to roll out passkeys to the masses. Most of them don't understand what they're getting into and are most likely gonna get themselves locked out quite quickly, which may mean recovery flows need to actually become more relaxed than they currently are.
I'm not interested in litigating the broader question of Passkey-only login setups, only in spelling out why the field cares so much about phishing-resistant authenticators, which password managers and random passwords do not provide.
If all the negative externalities were properly priced in, a lot of bottom-feeding crap at all layers of the stack will die off, but advertising itself will remain and would actually become better as a result for all parties involved.