Uncle Sam Vs. Spam
A slew of proposed federal and state bills promise to protect your in-box. But can any law stem the tide of spam?
In Virginia, it's a felony to send out bulk e-mail with forged return-address information. Spammers who use misleading subject lines can be sued for $500 per infraction in Washington state. Fourteen states require e-mail advertisements to carry the label ADV in the subject line, and Delaware bans all forms of unsolicited commercial e-mail. But anyone with an in-box knows that none of these laws--nor any of the 15 other state antispam statutes now on the books--has stopped unwanted bulk e-mail.
According to the e-mail security vendor MessageLabs, the volume of spam has now surpassed the quantity of legitimate e-mail arriving in people's in-boxes. Federal lawmakers are finally responding by attempting to pass spam laws of their own. Can the feds succeed where the states have not?
Popular demand for a cure to the spamdemic has prompted a flurry of new federal legislation, aggressive legal action, and innovative technological proposals. Yet none of these responses guarantees relief, and some might make things worse over the long term.
That's because two battles are being waged over spam. The first is the one legislators are fighting today over how to keep your e-mail account free of sleazy come-ons for pornography, herbal Viagra, and other junk. The second battle involves what your in-box will look like if and when the slimy spam messages are eradicated. Mainstream marketers--the Citibanks, Fords, and Microsofts of the world--and large ISPs, which may end up profiting from the traffic, want to be able to deliver ads to your in-box until you tell them to stop (a procedure known as "opting out").
The antispam community--which consists largely of individual activists and small-to-midsize ISPs--wants legislation that requires any marketer, sleazy or otherwise, to obtain your permission before it can send you a message: the "opt-in" approach. Otherwise, they say, the volume of commercial mail most people receive could grow large enough to kill e-mail as a communications medium.
Billions of dollars--and the future of your in-box--are riding on the outcome. And so far, the marketers are winning.
Down by Law
Last April, Senator Conrad Burns (R-Montana) stood before 400 attendees at the Federal Trade Commission's Spam Forum in Washington, D.C., and declared that spam is "killing e-mail, the very tool we use every day." The senator's appearance was intended to drum up support for the Can-Spam Act, which Burns cosponsored with Senator Ron Wyden (D-Oregon).
This act would impose stiff criminal and civil penalties for sending fraudulent e-mail--messages that use bogus address information, deceptive subject lines, and misleading or spurious content. But it's just one of a half-dozen similar federal bills that lawmakers have proposed this year. In April, Representative Zoe Lofgren (D-California) introduced the Reduce Spam Act, which would require e-mail advertising to bear an ADV label, and would establish rewards for users who turn in spammers. Senator Charles Schumer (D-New York) introduced the Stop Pornography and Abusive Marketing Act (the SPAM Act) in mid-June; it proposes to create a registry of people who don't want to receive e-mail advertising, similar to the telemarketing industry's Do Not Call list.
The federal bill with the best chance of passing this year may be the Reduction in Distribution of Spam Act (RID Spam), introduced last May in Congress by Representative Richard Burr (R-North Carolina). Burr's bill would penalize spammers who harvest e-mail addresses, use false or misleading information, send pornographic images, or fail to abide by consumers' opt-out decisions. Violators could face prison terms of up to two years and could have to pay statutory damages of up to $3 million.
Burr's bill has two powerful cosponsors--Representatives Billy Tauzin (R-Louisiana), chair of the House Energy and Commerce Committee; and F. James Sensenbrenner Jr. (R-Wisconsin), chair of the House Judiciary Committee--and it is endorsed by the Direct Marketing Association, a powerful industry lobby.
Some federal bills, like Burns-Wyden, would preempt stronger state laws; antispammers argue that those bills would make prosecuting spammers more difficult because they would substitute hard-to-prove fraud statutes for existing consumer-protection guidelines. Other proposals, like Lofgren's and Burr's, would rely largely on overburdened state and federal authorities to pursue violators and would prevent consumers from filing antispam civil suits. And all currently proposed federal legislation would require users to opt out of mailings--freeing marketers to send you an initial pitch without penalty. Furthermore, even if you opt out, nothing would prevent a company from selling your name to other marketing firms or starting to send you ads from one of its subsidiaries.
John R. Levine, author of Internet for Dummies, says that laws based on an opt-out approach are "hopeless." "I get mail from a dozen different spammers every day," Levine says. "Am I supposed to spend an hour every day figuring out the opt-out hoops they want me to jump through?"
After several years of inaction, Congress may pass one of these bills this year. Too bad none of them is the right one.
Better Solutions
The strongest antispam legislation currently on the table in the United States isn't before the U.S. Congress at all. In May, the California Senate approved Senate Bill 12, sponsored by State Senator Debra Bowen (D-Redondo Beach).
Bowen's SB 12 takes as its model the federal Telephone Consumer Protection Act of 1991. Better known as the Junk Fax Law, the TCPA has proved extremely effective against unsolicited faxes. SB 12 prohibits sending commercial e-mail without a consumer's prior permission, and it permits individuals who receive unsolicited commercial e-mail messages to sue for $500 to $1500 per offense. So a consumer who received ten pieces of e-mail from one spammer could sue for $5000--or $15,000, if a court deemed the violation intentional.
"The only thing spammers will understand is if they can't make money any more," says Bowen, who wrote California's existing opt-out antispam statute. She now says a stronger law is needed. "That's the only thing that will stop this." (A 1997 U.S. Senate bill sought to amend the Junk Fax Law to cover junk e-mail, but it died in committee.)
Editor's Note: California's state legislature is reconsidering its antispam measures. Senate Bill 12 failed to pass out of an Assembly committee, which instead favored the similar SB 186, endorsed by Microsoft. SB 186 still needs Assembly approval to become law.
Antispam activists widely favor giving individuals the right to sue spammers for damages--known as a private right of action--but marketers oppose it, fearing that such a right would result in a rash of suits against legitimate advertisers. Meanwhile, the marketers argue, underground spammers would go untouched.
"It essentially provides incentives for plaintiff attorneys to go after easy-to-hit targets, which are legitimate businesses," says Trevor Hughes, executive director of the E-mail Service Providers Coalition. Hughes points to a Utah statute that allows individuals to sue mailers for up to $25,000 per day for sending bulk mail that lacks a valid street address or ADV label. He says attorneys have exploited the law to pursue judgments against companies that hired marketers without knowing exactly how they operated.
Attorney David Kramer, who represented the ISPs CompuServe and Concentric in lawsuits against self-proclaimed "Spam King" Sanford Wallace during the mid-1990s, agrees that the Utah antispam law is flawed; he adds that California's SB 12 lacks a cap on damages, leaving it open to abuse. But he says, "It's a problem that can be solved with a few minutes of careful drafting.... Any law that doesn't have a private right of action is paying lip service to the problem instead of solving it."
According to Andrew Barrett, executive director of The SpamCon Foundation, a nonprofit antispam organization, any spam law should absolve bulk mailers who obtain permission before sending mail, yet should allow individuals and ISPs to enforce the law through private legal action. "Those two things absolutely must happen together," he says. "Almost anything else is worse than no federal law at all."
The success of the anti-junk fax TCPA indicates that a well-crafted law could have an impact on spam. "We didn't see a tidal wave of junk-fax litigation," Kramer says, "but we certainly saw enough to hold back the flood of junk faxes we used to receive."
Follow the Money
As you might expect, opt-in opponents include not only some of the most powerful marketers in the world, but also ISPs such as America Online, EarthLink, and Microsoft Network.
Large ISPs that charge fees for delivering ads oppose any scheme that might limit the volume of mail they can send; and the Direct Marketing Association argues that an opt-in law would choke off Net commerce, preventing new businesses from making themselves known to consumers. "For opt-in to work, consumers would already have to know the entire universe of all offerings, all markets, at all times," says Louis Mastria, director of public and international affairs for the DMA. "When you go to an opt-in law, you close off the universe to new entrants."
Jennifer O'Shea, an aide to Senator Burns, says that the Burns-Wyden bill is designed to punish fraudulent spammers while permitting legitimate advertisers to "take a shot" at reaching consumers through e-mail. "Senator Burns feels we shouldn't put an end to the opportunity for legitimate businesses to be working with e-mail and the Internet," she adds.
Antispam advocates reply that tech-savvy marketing companies have been using opt-in lists with great success. "Direct marketers have put quite a bit of fear in the minds of legislators that an opt-in approach will destroy all marketing on the Internet," says Ray Everett-Church, counsel for the Coalition Against Unsolicited Commercial E-mail (CAUCE). "But there are many in the direct marketing industry who've gone completely to opt-in and are doing tremendous volumes of business as a result."
The E-mail Service Providers Coalition's Hughes acknowledges that some legitimate senders are moving toward opt-in, but he opposes any laws that would mandate obtaining such permission. "The opt-in/opt-out debate has led to four or five years of stasis," Hughes says. "We need to move forward by accepting a standard like Burns-Wyden and focus on building accountability into the system."
In an open letter to Congress, CAUCE condemned opt-out bills. "In our opinion, these bills have no business being called 'anti-spam.' [They] do little more than establish minimal ground-rules for a federal license to spam. If marketers can meet these rules, they may send as much e-mail as they wish."
The Enforcers
Another big snag is enforcement. Most federal proposals give the FTC and state attorneys general more power to go after spammers, but limited resources and competing priorities make adjudication of many spam cases unlikely.
The FTC has filed 53 civil suits against spammers that allegedly used deceptive practices, says staff attorney Brian Huseman. One case required 21 separate subpoenas before investigators could identify the spammers' true location--and this case involved e-mail messages that listed a physical address, which should have made the spammers easier to find. With more than 130,000 spam complaints pouring into the FTC's offices each day, the agency can pursue only the most egregious offenders.
Meanwhile, AOL, EarthLink, and MSN resort to private litigation. Last year, EarthLink sued spammers for trespass, breach of contract, and violations of the Computer Fraud and Abuse Act, among other statutes. "I've got my guns loaded with a dozen bullets, any one of which would get the spammer," says Atlanta attorney Pete Wellborn, who won judgments of $24 million and $16.4 million for EarthLink. In June, Microsoft filed 15 suits against marketers for sending 2 billion unsolicited messages.
Of course, pursuing spammers isn't always easy, because they can set up shop abroad, and they aren't required to disclose their location. The Center for Democracy & Technology's Ari Schwartz notes that the Junk Fax Law is easier to enforce than a similar spam provision would be because the sender can't fake the source of the faxes--the sending number--and faxing from overseas greatly increases costs. "Spammers can move offshore," says Schwartz. "Junk faxers can't."
Wellborn says that most spammers have a financial link to the United States that plaintiffs can use to find out who's sending the messages. "It's very rare that spam will ask a recipient to send a payment to Timbuktu," Wellborn explains. "There's almost always a U.S. connection through which you can track the money and identify the responsible party." In most cases, the company whose products or services are being marketed, or the marketer, or both parties may be held accountable. Experts say that most of the spam delivered to U.S. addresses originates in the United States, even if the senders route it through foreign servers. Furthermore, foreign spammers are subject to U.S. laws governing civil liability if they spam U.S. residents.
Take a Stand Against Spam
Most marketers, ISPs, and antispammers agree that only a combination of strong federal laws, effective litigation, and technological innovation will solve the spam problem.
Some Capitol Hill insiders believe that Congress will have to act against spam. "We've reached a point where people are saying, 'The spam problem is extreme--let's get something that can pass and make a difference'," says Schwartz.
That mood makes antispammers nervous. "We're worried that in its haste to do something--anything--about the problem," SpamCon's Barrett says, "the current Congress is going to pass legislation that'll be incredibly damaging to the Internet and everyone who uses it."
Comparing the Bills: Who Can Can Spam?
Congress is weighing a number of proposals designed to put a lid on unsolicited commercial e-mail, but none requires advertisers to obtain your permission before sending ads to your in-box. A California state bill does.
Legal Definitions: Spam Laws: Opt-In vs. Opt-Out
Every federal law under consideration relies on an opt-out scheme: You must take action to prevent a marketer from sending you additional e-mail. Under that setup, some marketers may send a one-time mailing to gauge your interest. Some may give up if you don't reply; others will keep spamming until you tell them to stop.
With an opt-in proposition, ideally, you would have to give permission before receiving any e-mail, but the actual practice can be tricky. For example, having purchased a product from a vendor may be interpreted as proof of a "preexisting business relationship," in which case the vendor would be free to send you an e-mail under most opt-in requirements. In other cases, you may unwittingly opt in to e-mail ads by signing up for free newsletters or online contests. Confirmed opt-in, in contrast, adds a step in which marketers must get you to verify your subscription before they can send any further mailings.
Dam the Spam: Five Steps to Stop Spam
No single solution will put an end to all spam, but these tactics could slow it down.
A federal law that relies on opting in: Antispammers and even some e-marketers agree that only recipients who ask to receive e-mail advertising can accept it with equanimity. A federal law based on opting in, requiring advertisers to get a request from you before they e-mail you, may be the only way to stop both spammers and mainstream marketers from cramming your in-box.
Send spam, go to jail: Virginia mandates criminal penalties for spammers who falsify e-mail addressing information. New York State Attorney General Eliot Spitzer has initiated criminal proceedings against Howard Carmack, aka The Buffalo Spammer, charging that he used stolen identities in his spamming activities. Putting spammers in the slammer might convince some of them to find a new line of work.
Unleash the lawyers: Leaving antispam enforcement to understaffed bureaucracies is no solution. Freeing an army of angry users (and ISPs with deep pockets) to sue spammers out of existence would be much more effective. Antispammers and their lawyers have already ferreted out most of the worst offenders, but imagine their zeal if money were involved.
Charge bulk e-mailers postage: Adding a "postage" fee--say, one tenth of a cent for each message--that kicks in only when senders attempt to deliver 1000 or more messages a day would deter many spammers. ISPs would be happy to collect (and keep) the fees, and legitimate marketers could receive a favorable rate if they adopted consumer-friendly practices. On the other hand, some observers argue that, once bulk mailers have to start paying for e-mail, individual users will be next.
More-imaginative technological solutions: A promising idea called HashCash, which would be implemented on ISPs' servers, makes a sender's computer solve a complex equation for each message before the ISP will deliver it. It causes a trivial delay for most senders but slows a spammer's mail delivery to a crawl. Another innovation: EPrivacy Group's Spam Squelcher detects spam coming into a network and slows the connection to submodem speeds until the spammer gives up and looks for another victim.
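The proof-of-work idea behind HashCash, sketched as an added example (not code from this article or from the Hashcash project): the sender searches for a stamp whose SHA-1 hash begins with a set number of zero bits, and the receiving server checks it with a single hash. Assumptions: the publicly documented version-1 stamp layout, a hex counter as a simplification, and a constructed address, date and random field; the date-expiry check a real server would apply is left out.

```python
import hashlib
import secrets
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def mint(recipient: str, bits: int, date: str, rand: str = "") -> tuple[str, int]:
    """Sender side: brute-force a counter until SHA-1(stamp) starts with
    `bits` zero bits. Returns the stamp and how many hashes it cost."""
    rand = rand or secrets.token_hex(8)
    prefix = f"1:{bits}:{date}:{recipient}::{rand}:"
    for counter in count():
        stamp = prefix + format(counter, "x")  # hex counter: a simplification
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1


def verify(stamp: str, recipient: str, min_bits: int, seen: set[str]) -> bool:
    """Receiver side: one hash plus bookkeeping, however long minting took."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdecimal():
        return False
    claimed = int(fields[1])
    if claimed < min_bits or fields[3] != recipient:
        return False  # too cheap, or minted for someone else
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
        return False  # the claimed work was not actually done
    if stamp in seen:
        return False  # replay: one stamp pays for one delivery
    seen.add(stamp)
    return True


if __name__ == "__main__":
    # Constructed sample values; 16 bits costs about 65,000 hashes on average.
    seen: set[str] = set()
    stamp, tries = mint("alice@example.com", 16, "030801")
    print(stamp, "cost", tries, "hashes")
    print("first delivery:", verify(stamp, "alice@example.com", 16, seen))
    print("replayed:", verify(stamp, "alice@example.com", 16, seen))
```

Each extra required bit doubles the sender's average work while the receiver's cost stays at one hash, and because the recipient address is part of the stamp, a bulk sender has to mint a fresh one per recipient.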
The Latest Techniques to Fight Spam
Think you're deluged with spam? Your ISP or your employer likely already has some methods in place to prevent it from getting to you in the first place. But an array of newer techniques may prove more effective.
For years, the war on spam has been fought largely on the technology front. ISPs and individuals rely on blacklists that block e-mail from known spam sources, and on filters that examine each message for signs of spammishness--for example, tip-off words and phrases. Spammers counter by using bogus addresses and by continually tweaking messages to fool the filters.
While many people have proposed new approaches to fighting spam, a true technological solution would likely entail making changes to the Simple Mail Transfer Protocol (SMTP) on which most e-mail relies, such as including a way to indicate whether the user has agreed to receive commercial mail. But changing an essential Internet protocol like SMTP would be a monumental task requiring all ISPs and every user to change their software.
"If I could wave a magic wand and replace SMTP with a new protocol overnight, I could reduce the problem of spam to a level where most people wouldn't even notice it was there," says Steve Atkins, principal of Word to the Wise, an Internet consultancy. But replacing a protocol completely like that would take years, maybe decades.
In the short term, the industry is focusing on making better filters, to catch more spam and to reduce the number of so-called false positives--legitimate bulk e-mail, such as opt-in newsletters, that gets trashed along with the junk. Last spring, e-mail technology company EPrivacy Group promulgated the Trusted E-mail Open Standard (TEOS), a way to identify e-mail senders so that software can filter messages more accurately. Such a system would entail, at minimum, identifying the source of the mail via DNS records (online databases that match Internet protocol addresses with domain names); and it might ultimately involve embedding information in each message about the type of advertisement it contained and whether the recipient asked for it.
"If you tell us who you are, the type of e-mail it is, and the type of permission you have, your mail will go through without a doubt," says Vincent Schiavone, CEO of EPrivacy Group.
Around the same time, the E-mail Service Providers Coalition proposed an initiative, dubbed Project Lumos, to establish a system that would work like a credit bureau for bulk mailers. Marketers would be rated (though by whom isn't very clear) on a series of objective criteria, such as how well they handle bounced messages or unsubscribe requests, and ISPs could choose to allow or block mail from them based on their rating on this list.
Another approach is Habeas's Sender Warranted E-mail (SWE), an e-mail verification system that allows the sender to insert trademarked material (a haiku) into an e-mail text header, where e-mail servers could read it but it would be invisible to most users. ISPs and enterprises can program their filters to look for the SWE warrant mark and let these messages through. Under U.S. trademark law (which permits much larger financial penalties than state spam laws do), Habeas can sue spammers who use the mark in violation of the rules.
For such solutions to work, they need to be broadly adopted by users and mailers alike. The TEOS proposal for identifying senders is still fairly new, though Microsoft chairman Bill Gates's endorsement of trusted-sender principles in testimony before Congress may boost support for the concept. For its part, Project Lumos faces questions as to how each mailer would be scored and who would do the scoring. Habeas CEO Anne Mitchell says her program is protecting 500 million in-boxes, including those at two of the top four ISPs, but few electronic marketers have signed up for the service.
Though these proposals may help legitimate e-mail messages reach the people who want them, we're unlikely to achieve a system where the only e-mail you'll ever receive is from trusted sources. Filters will always be necessary, says Jason Catlett, founder of the Internet advocacy group Junkbusters. But they are imperfect (and always will be).
Contributing Editor Daniel Tynan shovels spam from his in-box in Wilmington, North Carolina.


