July|August 2004
$t0pp^ng $p@m!!
The private sector needs to regulate spam because the government can't.
By Paul Jamieson
LOSE 20 POUNDS IN 20 DAYS on the amazing grapefruit diet pill! Expand the size of your body parts! You have emerged one of the winners of the EGOLI LOTTERY SOUTH AFRICA!
Spam is that rare legal and public policy problem in which the behavior in question is anathema to nearly every publicly identifiable interest holder. Legitimate businesses that use e-mail as a marketing tool support spam reform because their communications are often lost in the avalanche. Consumers and businesses that rely on e-mail for transactions and communication overwhelmingly dislike spam for the same reason and make their displeasure known to elected officials. Internet service providers, or ISPs, such as Yahoo and Earthlink, oppose it because junk e-mail taxes their networks.
Nevertheless, five months after the effective date of a sweeping federal law imposing stiff civil and criminal penalties on spammers, well over half of all e-mail is still spam. There is just as much if not more spam now than there was before the legal barriers were erected. What gives?
The short answer is that legal measures may be largely powerless to affect the spam problem because the architecture of e-mail is resistant to traditional methods of government regulation. While members of Congress and the Federal Trade Commission will be quick to claim credit in the event that the spam problem is reduced, the role they play is small. Consumers and businesses suffering from the torrent of spam must look for relief not from formal law developed on Capitol Hill or in a watchdog agency, but from the people who write the code that makes the Internet run, and then from the private businesses that put the code to work.
THE CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING ACT, or CAN-SPAM, was signed by President George W. Bush in December 2003 and is ambitious in intent if not effect. Under the statute, unsolicited commercial e-mail isn't banned, but it must contain headers revealing that a message is an advertisement or solicitation. All unsolicited commercial e-mail must come from a valid e-mail address and contain an accurate postal address to which a recipient can write back. Misleading message headers are also banned, even for recipients who have agreed to receive commercial mail, as with users who checked a box asking for future promotional material about dog food on the Pets.com website.
Under the statute, Internet service providers are not held liable for routine conveyance of e-mail. If you get spam from loseweight@earthlink.net, you can't sue Earthlink. But all of those who send or who contract to send illegal commercial e-mail are subject to civil suits by Internet service providers, the FTC, and state law enforcement officials. Penalties are severe. For example, if a state brings a suit, a spammer may be forced to pay damages of $250 per e-mail, up to $2 million (the cost of 8,000 e-mails), plus attorneys' fees. Egregious spammers, as repeat offenders, may also face felony charges with prison terms of up to five years per violation.
But the law has had no appreciable effect on reducing spam. Consumers surveyed by the Pew Internet Project report that the volume of spam is the same or has increased since January 1, when the law went into effect. Postini, a company that runs a spam-filtering service processing one billion messages a week for 2,500 other companies, said that spam rates have stayed virtually constant since before that date.
Some supporters of government action argue that the bill will work if given more time. It was only in March that Microsoft joined the other major ISPs (AOL, Earthlink, and Yahoo) in filing six lawsuits against over 200 defendants for violations of the law. Others argue that formal legal solutions could be effective, but that this law isn't. The current law doesn't give individuals a right to sue and it requires spammers only to allow individuals to "opt out" of future e-mail by making it easy to request that they be taken off a spam list. A better alternative might have been to permit the transmission of spam e-mails only when the recipient has consented to receive them (an "opt in" regime).
These criticisms of CAN-SPAM miss a crucial point. No permutation of the law (opt-in rather than opt-out, more funds for enforcement, or a private right of action) would have led to significantly less unsolicited commercial e-mail. The law seeks to regulate behavior by threatening adverse consequences for violators, but the scope and anonymity of the Internet make such consequences unlikely.
Several factors constrain the law's regulation of spam. First, the nature of e-mail makes it hard to locate perpetrators. Because of the Internet's configuration, spammers can easily hide their actual e-mail addresses in addition to their countries of origin, using false header information and bogus domain names. One popular tactic is to send messages that appear to be from technical support staff of the recipient's Internet service provider (e.g., administrator@msn.com) with a message that the user's account needs to be updated or fixed. Sending a message that appears to come from one of these accounts requires no specific access to either MSN or Earthlink. Spoofing an address requires only an Internet connection and a few minutes to learn how to falsify the information.
Identifying purveyors of spam, then, is challenging. Of the 222 defendants of recent CAN-SPAM lawsuits filed by the four largest ISPs, only seven were named, because the plaintiffs' attorneys couldn't figure out who they were going after. And even if spammers could be identified, many are beyond the jurisdiction of American law. AOL reported that, one week after the new statute went into effect, approximately 10 percent of the 2.4 billion spam e-mail messages it was receiving daily had shifted in origin to offshore locales.
The economics of spam are so favorable to spammers that no matter how high regulation erects the barrier to entering the business, it wouldn't be high enough. Direct mail and telemarketing require companies to spend a lot of money: to pay people to spend time on the phone, and for printing messages and sending them through the mail. But spam puts nearly all the costs on recipients, ISPs, and the companies that built and that run the "pipes" through which e-mail travels. Sending an e-mail promoting Viagra to 500,000 users costs a spammer about the same as sending it to 50.
PRIVATE SECTOR REGULATION by the "code" of cyberspace, rather than by formal law, has been crucial to the Internet's development, to which the government has contributed most significantly by being restrained in its use of regulation. The development of encryption standards that protect the exchange of financial information over the Internet makes a good example. As a result of development by companies of encryption protocols that are strong but easy to use, it's now no more dangerous to type your MasterCard number into Amazon.com than it is to give the number to a phone operator. This encryption technology came entirely from the private sector and not from the government, which chose not to enact strong encryption standards in part because it feared that they would limit the FBI's surveillance powers.
A similar effort by the private sector to regulate spam by code is being mounted by influential code writers. Microsoft's Bill Gates announced in February that he was helping to create a loose consortium of companies called the Global Infrastructure Alliance for Internet Safety, formed to share ideas about technical solutions to Internet security threats as well as spam, which many people see as the major threat to the continued expansion of the Internet. Gates cited several technological innovations designed to combat spam, including a sort of caller ID for e-mail that would verify the sender's e-mail name, an address conveyed as a series of numbers that the software could look up.
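The "caller ID" idea can be sketched as a receiving-side check: the domain named in the From: header publishes the numeric addresses allowed to send its mail, and the receiver compares them with the address that actually delivered the message. This is an added example, not code from the article or from any consortium member; the domains, address ranges, registry table and sample messages are all constructed for illustration, and the table stands in for the lookup the software would perform.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed registry (assumption): each domain lists the numeric
# addresses permitted to send mail in its name.
PUBLISHED_SENDERS = {
    "isp.example": ["192.0.2.0/28"],
    "shop.example": ["198.51.100.25/32", "198.51.100.26/32"],
}

# Constructed sample messages.
GENUINE = ("From: ISP Support <administrator@isp.example>\n"
           "Subject: Scheduled maintenance\n\nNo action needed.\n")
SPOOFED = ("From: ISP Support <administrator@isp.example>\n"
           "Subject: Your account needs to be updated\n\nOpen the attachment.\n")
UNLISTED = ("From: Diet Pills <offers@unlisted.example>\n"
            "Subject: LOSE 20 POUNDS\n\nBuy now.\n")


def check_sender(raw_message, connecting_ip, registry=PUBLISHED_SENDERS):
    """Return 'pass', 'fail' or 'unknown' for the From: domain of a message.

    pass    -> the delivering address is one the domain published
    fail    -> the domain published addresses and this is not one of them,
               or the From: header carries no usable address
    unknown -> the domain published nothing, so nothing can be verified
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return "fail"
    domain = addr.rsplit("@", 1)[1].lower()
    networks = registry.get(domain)
    if networks is None:
        return "unknown"
    ip = ipaddress.ip_address(connecting_ip)
    if any(ip in ipaddress.ip_network(net) for net in networks):
        return "pass"
    return "fail"


if __name__ == "__main__":
    for label, raw, ip in [("genuine", GENUINE, "192.0.2.5"),
                           ("spoofed", SPOOFED, "203.0.113.77"),
                           ("unlisted", UNLISTED, "203.0.113.9")]:
        print(label, check_sender(raw, ip))
```

The check exposes a forged support address on a participating domain, but a sender using a domain that publishes nothing comes back "unknown", so the scheme only helps for domains that take part.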
Another authentication proposal under consideration by members of the consortium is a system known as challenge-response, under which a sender not already on a recipient's "safe" list would have to confirm his identity by responding to an automatic message from the recipient's e-mail system. The computer-generated reply message would direct the sender to a website to answer questions (such as "What is the number of states in the United States?") that would rotate each time a sender went there, and which would be simple for humans to answer but hard for machines.
Still another coalition option would be implementing a form of postage for e-mail (say, some fraction of one cent charged to senders by their ISPs) that would only lightly burden regular users but would be prohibitively expensive for mass e-mailers. ISPs are also reviewing restrictions on the number of e-mail messages that can be sent at one time, in an effort to undercut spammers who send thousands at once.
The government's CAN-SPAM law doesn't undermine these solutions, each of which holds great promise, and several of which could also be used to help protect other technologies, such as cellphones and instant messaging, likely soon to face spam onslaughts. But CAN-SPAM doesn't help, either.
To solve the spam problem, the federal government should create incentives for the private sector to develop solutions. It could subsidize effective technological solutions to spam, much like what the government does to subsidize the availability of Internet access in the nation's schools and libraries. Or it could require that a company license any truly effective solution to anyone who wants it. Government could also be more aggressive in supporting industry consortia, including the recognition of an industry standards-setting body that would develop practices to combat spam and share the best ones. If it turned out that the best anti-spam strategy required ISPs to employ a particular method of authentication, the government could mandate compliance with that standard.
In the meantime, as e-mails pile up that come from the ostensible fortune-wielding children of "Nigerian dictators" and from network administrators asking us in vaguely worded messages to open attachments, it's clear that we are far from having a good solution to spam. Until the government figures out a new way of working effectively with programmers, we will just have to keep hitting "delete."
Paul Jamieson is a lawyer and freelance writer living in New York City.