<--- 4 CHI-K. J. INTELL. PROP. 1 --->
CAN-SPAM: A First Step to No-Spam[1]
By
Grant Yang
On
No single law or method is going to stop spam. Because of the intangible and boundary-less nature of the Internet a technical solution and international solution is necessary. Spam fighters should take their cues from law enforcement’s work to curb other criminal offenses with characteristics similar to those of spam. One of the oldest international crimes, money-laundering, has many similar attributes as spam, which allow launderers to evade enforcement officials. By looking at the techniques and methods of international cooperation applied to money-laundering laws, countries can emulate the legislative and coordinating efforts used to combat money laundering and apply this to the war on spam.
Part I of this article provides a background of the medium of electronic mail (e-mail) and the types of spam. This section also describes the profile of spammers and their incentives for entering the spam market. Part II briefly examines the negative impact that spam plays in the dynamics of e-mail use. Part III illustrates the various features that CAN-SPAM provides and compares them with provisions of several state spam laws. Finally, Part IV presents many of the solutions that have been used in the fight against spam.
I. Background
E-mail has been hailed as the original “killer app” of the Internet[9] and it is a pervasive aspect of Internet life. An e-mail is a data file, usually a text message, sent from a computer, traveling through various interconnected computer networks, and arriving at a destination computer.[10] The route by which the data packets are sent through the Internet is indeterminable, as the path of the packets is decided dynamically depending on the efficiency and expediency of the path.[11] A study conducted by the Pew Internet & American Life Project stated that 93% of adult American Internet users (about 117 million people) use e-mail.[12] The number of e-mails sent each year has increased significantly with the prevalent use of the Internet.
Unfortunately, the amount of spam e-mails has risen along with the amount of legitimate e-mail. Almost 15 billion spam messages are sent daily,[13] and this number is growing in volume by 15-20% a month.[14] Spam constituted half of all e-mail traffic in 2003, up from an estimated 7% in 2001.[15] If left unchecked, experts estimate that, within a year, nine out of ten emails will be spam.[16] Surprisingly, only 25% of people see spam as a problem;[17] however, upon closer examination those who consider spam to be a big problem are more likely to have an expansive online presence and to be longtime, active members of the online community.[18] As broadband becomes less expensive and the Internet becomes more accessible, people are likely to extend their online presence and become more active members of the online community. As a consequence, spam is likely to become an increasingly burdensome problem in the years to come. Venture capitalists and technologists have recognized this trend. There are approximately a thousand businesses selling anti-spam software,[19] and the anti-spam and content filtering industry, a $1 billion market in 2003, is expected to grow 25 percent annually for the next few years.[20]
A. What is “Spam”?
It is clear that spam is a problem, but the definition of spam[21] itself is unclear. Generally, 92% of email users agree that spam is “unsolicited commercial email from a sender they do not know or cannot identify.”[22] However, there is much disagreement and variation among e-mail users as the definition appears to depend upon several factors, such as the sender and the subject matter of the message.[23] These factors make it difficult to create legislation to curb the use of spam. Academics generally define spam as either Unsolicited Commercial E-mail (UCE) or Unsolicited Bulk E-mail (UBE);[24] CAN-SPAN is tailored to the UCE definition.[25]
The consensus is that spam must be unsolicited,[26] but from there scholars and experts disagree on other characteristics that may be classified as spam. CAN-SPAM does not actually define the term “unsolicited.”[27] However, CAN-SPAM does not target unsolicited spam; rather, it prohibits fraudulent commercial e-mails and requires an opt-out provision.
There are many types of spam. Most spam campaigns are fraudulent: a 1998 FTC study listed what it calls the “dirty dozen,” the scams most likely to arrive via bulk e-mail.[28] For instance, “phishing” is a type of spam where an e-mail user receives an e-mail that simulates a trusted company. This leads the user to provide account or credit card information, which ultimately results in identity theft and credit card fraud.[29]
B. Spam Techniques
Spam is most effective when sent in bulk, thus spammers use various methods to gain access to e-mail addresses. Many spammers use harvesting programs to scour the Internet looking for publicly available e-mail addresses.[30] However, spam has exploded because spammers have started using techniques to obtain e-mail addresses which may not have been made publicly available by the e-mail user. For example, harvesters may implement a “dictionary attack,” using an algorithm which creates variations of e-mail address combinations. When an e-mail address succeeds against the mail server, the address is automatically recorded onto an e-mail list that can be resold to other spammers.[31]
Most spammers employ different tactics to serve two purposes: to evade detection and to slip past spam filtering technology. First, to evade detection spammers exploit open relays and proxies on the Internet.[32] Using this technique, e-mail can be routed through ISPs in different countries. While it does not make it difficult for law enforcement to track the e-mail, it may make it difficult to regulate ISPs.[33] Another technique, known as “spoofing,” is to appropriate a company or ISP’s address and to send spam under the forged sender address.[34] In addition to forging the sender address, spammers will also forge return e-mail addresses and message headers[35] to evade detection.[36] Spammers also use psychological techniques, such as spoofing the recipient’s own e-mail address.[37] Most of these spam tactics amount to fraud and are specifically addressed by CAN-SPAM.[38]
Once e-mail evades ISP filters, it usually reaches its target. Fewer than 10% of companies have effective spam-filtering technologies.[39] Furthermore, companies that do employ spam-filtering software find the technology ineffective because the software tends to over-block or under-block e-mail.[40] Spammers often try to simulate or mimic real e-mail messages.[41] Consequently, if spam software is not “intelligent,” then it may block legitimate e-mail. In fact, computer security analysts predict that it will be nearly impossible to filter spam based on keywords because spammers are now filling their e-mails with “R.a..n,d,o.,m p,u,,n,c.t,,u_a.t.1..0.n.”[42] At this level of reliability, spam-filtering can only be a piece of the puzzle in the fight against spam.
C. Who Are
Spammers?
One would imagine that only a sophisticated spam ring[43] would be able to amass the technical knowledge to constantly adapt to ISPs’ attempts to filter spam and bombard users’ inboxes. While the majority of spam comes from well-known professional spammers,[44] the truth is that the cost to spam is near zero,[45] making it easy for anyone to become a part-time spammer.[46] People are drawn to the spam industry because anyone with a little technical know-how can become a spammer.[47] Furthermore, many marketers resort to this type of advertisement because the cost of spam is comparatively lower than junk mail or telemarketing.[48] According to the Pew Study, 7% of email users have ordered a product or service from UCE, but spammers report they only need a 0.001% response rate to break even.[49]
Despite the ease of entry into the market, almost 90% of spam originates from 1 of 200 professional “spam gangs.”[50] One lawyer in Virginia who has sued hundreds of spammers says these types of “big-time” spammers are “hackers gone bad, or crooks gone geek.”[51] Indeed, regardless of how the law is written, CAN-SPAM will not be a deterrent to these criminals.
II. Is Spam Really a Big Problem?
Most marketers are not aware of the real social costs spam is imposing on the Internet community, the e-commerce industry, and even the advertising industry.[52] Experts estimate that companies lose anywhere between $10[53] to 87[54] billion a year to lost productivity,[55] investment in technology, and other resources to filter and handle the load of spam.
The burden on the Internet community and private, individual e-mail users is heavy. Marketers cleverly mask their spam as legitimate e-mails, forcing individuals to spend time opening and reading e-mail.[56] If spammers continue this trend, according to Nicholas Graham, a spokesman for America Online (AOL), there is a “very real threat that the e-mail function is going to rot before our very eyes.”[57] Already, 25% of e-mail users say that the volume of spam has caused them to reduce their overall use of e-mail.[58] Furthermore, when spammers hack users’ e-mail accounts, the users typically receive so many replies flooding their inboxes that they have to close their account completely.[59]
Spam also has a significant impact on the e-commerce and advertising industries. The problem is largely related to the fraudulent aspect of spam.[60] When a spammer spoofs a company’s domain name it can disrupt the business because the company will receive an influx of e-mails consisting of returned e-mails, irate e-mails, and virus e-mails.[61] More importantly someone will have to sift through all the e-mails to find legitimate e-mails from customers.[62]
While not an infant industry, e-commerce is still relatively young[63] and far from replacing the brick and mortar method of retail. In fact, only recently has the moratorium on Internet taxes expired,[64] and Congress is debating whether to extend the moratorium,[65] signifying that Internet commerce is still in its developing stages. It is crucial for consumers to be able to trust the websites and companies from which they order goods. Spam is starting to create distrust in consumers of the young and fragile e-commerce industry. For instance, “phishing” can create distrust among Internet shoppers, and this especially hurts smaller startups that have yet to create a trusted brand.[66] Small businesses, startups, and advertising companies that try to market products through spam may not get a second glance or may be filtered due to the growing distrust of unsolicited e-mail, even though 16.5% of spam is from legitimate advertisers peddling legitimate products.[67] If spam persists only the brand names will survive, and the no-names will be denied the brick-and-mortar equivalent of coveted “shelf-space.”
Spam is an almost uncontrollable problem for ISPs because if spam is not filtered it may disrupt individual users’ accounts.[68] Furthermore, if a spammer decides to use a particular ISP which has a weak spam filter or does not have resources to fight spam, then that ISP is at risk of being blacklisted and its e-mails rejected from the rest of the Internet community.[69] Larger ISPs such as AOL or Earthlink, however, are at less risk of being blocked than their smaller rivals.[70] ISPs may also face a legal dilemma in protecting its customers. Existing technology is not sophisticated enough to differentiate legitimate e-mail from spam. Consequently, ISPs could risk litigation on grounds of invasion of privacy, censorship, or freedom of speech and expression for filtering legitimate e-mails.
As if the spam industry itself was not devastating enough to commerce,[71] virus writers and spammers are starting to employ each others’ techniques.[72] Virus writers employ fake subject headers to entice users to open the e-mail.[73] To see how the two work together, one can look at the most recent SoBig virus, occurring in August 2003 and estimated to set the new record in damages to industry.[74] The SoBig virus operated by raiding e-mail directories and sending spam messages to victims’ contacts.[75] This year, other viruses, such as the Beagle virus, are proliferating through spam.[76] Virus writers resort to spam tactics because e-mail filters and scanners look for viruses, so instead, virus writers insert hyperlinks in the e-mail that download the virus from a website.[77]
Spam is also problematic because the sexual content of spam can be offensive to e-mail users.[78] One of the motivations behind CAN-SPAM was to protect children from pornography.[79] Many women[80] and children[81] are already connected to the Internet, and the numbers are expected to rise for these demographics over the next few years.[82] Pornographic spam is often cited by parents to be the worst type of spam.[83] Spam makes pornographic content even more accessible[84] and offensive, as the content is often visually forced upon an unsuspecting e-mail user.[85]
III.
CAN-SPAM: Better Than Having No Law At All?
The U.S. declared the war on spam long ago. Thirty-seven states already have anti-spam laws in effect.[86] CAN-SPAM is criticized for being less effective and less stringent than state laws. However, CAN-SPAM has many similarities to many of the state laws and in some ways is stricter than some international laws. In addition, having a federal law is advantageous because it will protect the residents of the 13 other states that currently do not have an anti-spam law in place.
A federal law also would not face the same constitutional challenges to which state spam laws are vulnerable. Already two state laws, California and Washington, have been challenged on grounds that they violated the Dormant Commerce Clause under the theory that they placed an undue burden on interstate commerce.[87] Though in both cases the statutes were found unconstitutional by state courts,[88] they were both reinstated in their respective states’ appeals courts.[89] Nevertheless, other state spam laws have faced similar challenges.[90] With the passage of CAN-SPAM this is no longer a concern.
Critics have declared that spammers will simply ignore the laws. FTC Chairman Muris has stated that he believes spammers would ignore a Do-Not-Spam registry.[91] Steve Linford, founder of The Spamhaus Project,[92] believes that the “problem with these [anti-spam] laws is that they are geared to spammers being honest and respecting laws … Of course there are no honest spammers – the whole profession is based on deceit.”[93] However, spammers’ willful disobedience of the law does not necessarily mean that a federal law, such as CAN-SPAM, would not solve many jurisdictional and constitutional problems as well as the difficulty in international cooperation posed by state spam laws.
Another commonly voiced criticism is that CAN-SPAM essentially gives spammers the right to spam e-mail users. Critics worry that if each of the 22.9 million small businesses in the country decides to send non-fraudulent spam, then we could see a short-term rise in spam as well as a loss in productivity while e-mail users take the time to opt-out.[94] However, before CAN-SPAM, many businesses could have advertised through spam without fear of legal retribution. These businesses did not spam before CAN-SPAM and most likely will not after it is effective because “few legitimate businesses, if any, engage in bulk email marketing for fear of offending potential customers.”[95]
Instead, legitimate businesses try to entice e-mail users to allow them access to their inbox through promotions or gifts.[96] For example, US Airways gives 1,000 frequent-flier miles to passengers who sign up for their newsletter,[97] and companies that want to advertise through e-mail can become affiliated with Opt-In Marketing Databases.[98] Eventually, to resurrect e-mail as an effective method of marketing, companies will have to give e-mail users incentive to read e-mail advertisements.
Despite the various methods of categorizing spam, the stated purpose of CAN-SPAM is to regulate commercial electronic mail.[99] One way to approach spam is to divide it into two types: fraudulent and non-fraudulent. To put it in the policy perspective, non-fraudulent, which can be controlled by laws, and fraudulent, which will require more progressive and encompassing measures than statutes can provide. While CAN-SPAM allows legitimate commercial e-mail, it also delineates the methods by which legitimate e-mail can be sent, thus allowing any “good” spam software to be able to filter it out. Spam filters are ineffective against fraudulent spam. As the Australian government recognized when enacting their spam bill, legislation combating spam should be a part of a “multi-layered” approach and is meant to complement the use of technology.[100]
Ultimately, anti-spam legislation should serve two purposes: to penalize fraudulent spam and to promote commerce by protecting non-fraudulent commercial e-mail. Legitimate marketers and businesses have a right to be put on notice about the jurisdiction and laws regarding the methods they may put to use to stimulate their business. We should not ask businesses to stop sending advertising through e-mail. Rather, we should find a balance so that businesses treat e-mail as a means to reach potential consumers.
Therefore, the real question is, how effective will CAN-SPAM be against fraudulent e-mail? One way to measure CAN-SPAM’s potential effectiveness is to analyze each major provision and compare that to similar provisions of state laws.
A. Targeting Spam Tactics
CAN-SPAM aims to regulate spam by ensuring that commercial e-mail is not misleading or fraudulent.[101] Most anti-spam laws prohibit fraudulent content, as that is the primary method that spammers use to infiltrate an e-mail user’s inbox. CAN-SPAM only prohibits fraudulent commercial e-mail that contains false header information[102] and deceptive subject headings.[103] Half of state anti-spam laws also have this requirement.[104] CAN-SPAM also amends the crimes and criminal procedure code to preclude interstate or international spam.[105] It is a violation under CAN-SPAM to send commercial e-mail to an address obtained through address harvesting and dictionary attacks.[106] CAN-SPAM also prohibits spammers to take control of other computers or routing the spam through open relays.[107] To combat this, the FTC recently launched a campaign called “Operation Secure Your Server,” encouraging system operators to configure their computers to prevent routing of spam.[108]
B. Opt-out vs. Opt-in
Anti-spam legislation generally has either an opt-out or an opt-in mechanism. The opt-out model allows a spammer to send e-mail until the e-mail user indicates he does not wish to receive further e-mails from that particular spammer. The opt-in model requires that the spammer receive prior consent from the e-mail user before the spammer may assail the user with e-mail. In effect, the spam stops being “unsolicited.” Currently most spam e-mail does not have an effective opt-out mechanism. Often e-mail users do not use an opt-out mechanism if provided because the request is often ignored, and users fear that it would only confirm that the e-mail address is active.[109]
CAN-SPAM requires a “clear and conspicuous” opt-out mechanism.[110] At least thirteen states offer similar opt-out mechanisms.[111] To facilitate with the opt-out mechanism, CAN-SPAM requires that spam e-mails contain a valid and functioning return address.[112] CAN-SPAM allows additional opt-out mechanisms such as menus to allow recipients to choose between different types of spam they may wish to receive or opt-out.[113] The opt-out mechanism has been criticized by the National Association of Attorneys General (NAAG) as a potential way of allowing spammers to confuse consumers.[114] However, it is important here to distinguish between the fraudulent and non-fraudulent e-mail. Confusing opt-out mechanisms, as noted by CAN-SPAM’s co-authors, are not the primary tools of the spam trade.[115] If a particular spam e-mail were to hide the opt-out mechanism in text or to create confusing menus, one could surmise that the e-mail was from an illegitimate business and could most likely be prosecuted on other grounds in CAN-SPAM, such as fraudulent header information or subject lines. On the other hand, the opt-out mechanism can be viewed as a way for legitimate businesses to tailor e-mails to potential customers. Advertising companies would want comply with opt-out mechanisms if they hope that e-mail can once again become an effective advertising medium.
Under CAN-SPAM, once the e-mail user makes a request to opt-out, the spammer has 10 business days to comply with the opt-out request.[116] Many experts would agree that this is an ineffective time period. According to some reports, AOL and Microsoft each block 2.4 billion spam e-mails daily.[117] If spammers were allowed to legally continue this for the next 10 days, one can imagine the heavy burden that e-mail users would incur by spam that was transmitted legally. However, CAN-SPAM remedies this concern by providing the FTC with supplementary rulemaking authority to reduce the compliance time period.[118]
In the ultimate form of opting out, CAN-SPAM authorizes, but does not require, the FTC to establish a national Do-Not-E-Mail registry, similar to the Do-Not-Call registry already established by the FTC.[119] The public supports a national Do-Not-E-Mail registry,[120] and some believe that the registry is CAN-SPAM’s “key to success.” It also solves some Fourteenth Amendment Due Process and Dormant Commerce Clause issues.[121] As explained by a U.S. consultancy company, Unspam:
An email address does not reveal its user’s jurisdiction and thus does not put a sender on notice of what laws apply when sending mail to that jurisdiction. In the United States that creates a 14th Amendment/Due Process concern because a sender has not “purposely availed” themselves [sic] of the recipient’s jurisdiction, but the problem appears in every modern democracy. The benefit of a no-spam registry is that it can tie an email address to a particular jurisdiction and solve this problem.[122]
The greatest danger for the Do-Not-Spam registry is that spammers will ignore it[123] since, as stated earlier, 90% of spam comes from spam gangs who generally ignore the law. For spammers who would violate CAN-SPAM, the list would provide e-mail addresses that spammers know are valid and are most likely users’ primary e-mail addresses. In addition, Do-Not-Call and Do-Not-E-Mail have different costs to implement, as it is much easier for spammers to hide behind a false e-mail address than it is for telemarketers to mask their phone number. Nevertheless, legitimate marketers have a right to be put on notice with regard to the laws and jurisdiction that govern the e-mails. Spam should be regulated by a federal law “because it’s at the very least a national marketplace.”[124] These are factors that the FTC will have to consider if it decides to establish the registry.
C.
Enforcement
Unlike most state laws regulating unsolicited commercial e-mail, which provide a private right of action for damages,[125] CAN-SPAM will be enforced primarily by the FTC,[126] and civil actions brought by State attorney generals[127] or ISPs.[128] However, States are required to give the FTC notice prior to any action, at which time the FTC may intervene if it chooses.[129] State laws provide broader rights to ISPs. Almost a third of state laws allow ISPs to prohibit spam according to their own policies, granting ISPs great power over defining and controlling spam that passes through their networks.[130]
1. State, ISP, and Private Rights of Action
Critics are discontented with the exclusion of a private right of action[131] that is allowed in many state laws and other proposed federal laws.[132] However, for now, private actions would tie up the system, and furthermore they do not have the same impact that ISPs or state attorney generals would have on the spam community. As the co-authors of CAN-SPAM[133] have noted, “it will be important for enforcement authorities to bring a few high-profile cases shortly after the bill is enacted. That will send a clear message to the kingpin spammers that the game has changed.”[134] Furthermore, ISPs and states have already been independently and cooperatively aggressively suing and prosecuting spammers.[135] Some ISPs have achieved a measure of success; for example, AOL won a $7 million judgment against a spam company last December.[136] In the future, Congress should consider allowing a private right of action. However, at this nascent stage of the federal anti-spam system, it may be best to have ISPs and states remain proactive, expending the resources that private citizens would not have, to flush out any loopholes and prevent adverse legal precedents that spammers may exploit or pursue in litigation.
Without a private right of action, some spam experts, such as Ray Everett-Church of ePrivacyGroup,[137] believe that the scarcity of state attorney generals and FTC enforcement will not prove to be enough of a threat to deter spammers.[138] Nevertheless, while there is a lack of personnel policing the law, the potential amount of damages and possibility of imprisonment should prove to be a deterrent to most potential spammers. Wyden and Burns hope that a few high-profile cases will deter spammers.[139] Already, four of the biggest e-mail providers – Microsoft, AOL, Earthlink and Yahoo – are filing lawsuits under CAN-SPAM against six of the most prolific spam operations.[140]
Moreover, the FTC and ISPs should take a lesson from the Recording Association of America (RIAA). Their first wave of lawsuits created a lot of publicity. According to Nielsen/NetRatings, there was a direct correlation between the announcing of the lawsuits and a drop in the amount of file-swapping.[141] Like the RIAA, the FTC should be able to settle with most individual spammers. For those cases that are brought to trial, the FTC can recoup the costs in accordance with CAN-SPAM.[142] The lawsuits should prove enough to deter large-scale spammers, and it should also curb small-time spammers from entering the spam industry, which, until CAN-SPAM, had low-financial and low-risk entry barriers.
2. Bounty System
Although individuals may not have a private right of action, the FTC is currently studying the feasibility of allowing bounty hunters to track down fraudulent spammers.[143] U.S. Rep. Zoe Lofgren (D-Calif.), who authored an alternative federal anti-spam legislation,[144] pushed to include the provision in CAN-SPAM.[145] The bounty idea was devised by Stanford Law Professor Lawrence Lessig,[146] who is so confident that it will substantially reduce spam that he has bet his job that it will work.[147] Others are cautiously optimistic, such as John Palfrey, executive director of the Berkman Center for Internet & Society at Harvard University’s law school, who believes that a bounty system is a “promising approach” to catching spammers.[148] One indication of the effectiveness of a bounty system may be Microsoft’s establishment of a $5 million fund to pay for tips for the eventual capture of virus writers[149] and SCO Group’s $250,000 reward for information leading to the arrest and conviction of the author of the MyDoom virus.[150]
While the FTC is commissioned to study the possibility, some FTC attorneys already recognize that locating spammers is difficult without subpoena power.[151] Others believe a bounty system would be counterproductive. For example, the FTC may spend more resources on maintaining the bounty system and settling disputes over rewards.[152] Spam analysts believe that a bounty could lead to false leads and doubt that few individuals have the necessary expertise to identify and locate spammers.[153] Others believe that a bounty is unnecessary because spam is unpopular enough that an incentive is not needed.[154] Furthermore, many ISPs already spend significant resources tracking down spammers.[155] A bounty system would also not have the deterrent power like that of a private right of action.[156] However, much like a private right of action, it may be best to wait to see the impact of federal anti-spam legislation before implementing alternative measures.
3. Federal vs. State Law
One area of controversy is that CAN-SPAM preempts any state law regulating commercial e-mail.[157] Critics charge that having a federal law is advantageous but urge that it should complement rather than preempt stronger state laws.[158] In a letter to Congress, the Internet Committee of NAAG stated its disapproval of CAN-SPAM, citing a list of loopholes and barriers to enforcing the law.[159] However, states such as Minnesota, California, Missouri, and Tennessee, most likely anticipating the eventual enactment of a federal law, explicitly state that their laws would be superseded by federal law or inoperative once a federal law is enacted.[160]
Despite the criticism from the state and federal officials tasked to enforce CAN-SPAM, many in the technology industry support the law, such as ISPs like AOL.[161] In fact, AOL recently had a lawsuit dismissed in Virginia for lack of jurisdiction over Florida-based defendants, even though the spam was directed to AOL’s servers.[162] Professor Sorkin, one of the foremost authorities on spam laws, has stated that “it doesn’t make sense to regulate a relatively borderless environment with laws that vary according to geography.”