Anti Spam Legislation in the U.S. circa 2003
Is it possible to can the spam?
Unsolicited email, spam, grrrrr. Everybody experiences it. Everybody
hates it. Nobody seems able to do anything about it. Ferris Research projects
that by 2005, everyone with an email account will receive 30 spam messages per
day[1]. I don't know about you, but I'm already there and the volume seems to
be picking up daily. Worse yet, I don't even remember the last time I
received a solicitation that was even remotely useful. This morning's haul
included online mortgage offers, penis enlargers, X-10 spy cameras, really
ugly and explicit porn, yet another Nigerian prince needing my assistance, and
several organic Viagra specials (hmmm, now that's a thought...).
I remember when fax machines were similarly under attack in the
1980s. The volume of junk faxes threatened to destroy the utility of the
fax machine, but American lawmakers came to the rescue with strong "junkfax"
laws that defined the problem legally and put draconian penalties in place for
violators. The Telephone Consumer Protection Act of 1991 (TCPA), 47 USC §
227, made it a violation of U.S. federal law for anyone to send a junk
fax. It also gave private citizens the right to sue to stop further faxes,
and collect monetary damages from junk faxers[2]. These measures didn't stop
the practice entirely, but they brought it under control and initiated a cottage
industry of individual lawsuits against the junk fax abusers. In short,
the law worked pretty well. Although the language of the TCPA could be
interpreted as prohibiting unsolicited email as well as faxes, most lawmakers
feel that a stronger, more targeted approach is needed.
A review of three laws pending in the 108th U.S. Congress this year suggests
the time may have finally arrived to bring spam under control. Below
you'll find summaries of each of the bills. Pick your favorite and call or email
your state senator and representatives!
The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)
Act was introduced last year and reintroduced in 2003 with relatively
few changes. The bill's proponents, Senators Conrad R. Burns (R-MT) and
Ron Wyden (D-OR) believe that it stands a better chance now due to the rising
outrage about the spam problem. Last year, it won the support of the Senate Commerce
Committee, but did not make it to a vote in the Senate.
The Burns-Wyden bill requires all unsolicited commercial email messages to
include opt-out instructions and the sender's physical address. It also
requires spam messages to be labeled, but doesn't specify a standard method
for doing so. The law would prohibit the use of deceptive subject lines
or false header lines and senders would be banned from further mailings once a
consumer requests that they stop. Some ISPs have complained that the
bill is too weak to adequately address the problem, especially in the area of
enforcement. Another criticism is that the bill should force spammers to
include "ADV" labeling in the subject header.
The Computer Owner's Bill of Rights was introduced in March 2003 by Senator
Mark Dayton (D-MN). It requires the FTC to create a
"do-not-mail" registry of email addresses for individuals and
companies who do not want to receive unsolicited commercial email
messages. The FTC could impose civil penalties and fines on
violators.
REDUCE stands for Restrict and Eliminate the Delivery of Unsolicited
Commercial Email. This act was put forward by Congresswoman Zoe Lofgren
(D-CA) in May 2003. Under the act, unsolicited commercial email would
have to include a valid reply address and opt-out directions. The
message header would also be required to contain the text "ADV:" or
"ADV:ADLT." This would apply to all messages sent in the same
or similar form to 1000 or more email addresses within a two-day period.
False or deceptive headers or subject lines would also be prohibited in all
unsolicited commercial email messages, even if they were not sent in bulk. A
controversial provision would allow the FTC to spend up to 20% of the fines
collected to create a "bounty," to reward individuals who identify
illegal spammers.
The Schumer legislation (to be introduced)
Senator Charles Schumer (D-NY) has recently proposed a tough approach
to unsolicited email. He will soon introduce a bill in the Senate that
combines the most important provisions of the bills discussed above and proposes
serious civil and criminal penalties on violators. Here are the highlights
of Senator Schumer's bill:
- The FTC will create a no-spam list and allow people to register
their email addresses. Commercial spammers will be
required to check the list and remove those listed from their database.
- All commercial mass-emailings will be required to have "ADV,"
in the subject line so that they can be easily filtered.
- All information in the email header will be required to
accurately reflect the source and content of the email message.
- Bulk commercial email will be required to have a working unsubscribe
mechanism available to the recipient.
- Automatic email address collection via web spiders or "spam bots," will be prohibited.
These provisions would be backed up by tough civil and criminal
penalties for offenders. The law will provide for jail time of up to two
years and fines determined by the sentencing judge. It also gives state
attorneys general, the FTC and internet service providers the right to
seek monetary damages against convicted spammers.
In addition to these federal laws, 26 states have currently passed anti-spam
laws. Among these is Virginia, which recently passed the first state
law making it a felony to intentionally alter email header or origination
information and send more than 10,000 messages within 24 hours or 100,000 within
30 days. Violators face jail time of one to five years and fines.
According to Senator Schumer's research, email users in New York City alone
receive over 8 million unsolicited emails each day, over 3 billion per year. If
they spend five seconds to identify and delete each one of these obnoxious spam
messages, they will have been cheated out of 4.2 million hours ridding
themselves of junk mail each year[3]. We're
at the tipping point and something's got to give. Perhaps this is the year for it to
begin.
===================&===================
August 2004 Update
The CAN-SPAM Act of 2003 is the law of the land, but by almost any measure the problem is considerably worse and the volume of unsolicited email continues to rise unabated. InformationWeek magazine estimates that spam accounts for 85% of all email, and the anti-spam vendor Commtouch Software reports a sharp increase in the number of spammers who have simply chosen to follow the CAN-SPAM regulations, thus becoming completely compliant with the law.
The computer industry has entered the battle with several technology-based solutions. Microsoft has proposed a system it calls Sender ID that will require email senders to use an authenticated address for their email server. This will allow receiving organizations to verify incoming messages against lists of known spammers. VeriSign is proposing a similar authentication system, and the Anti-Spam Technical Alliance (ASTA) has released a set of guidelines to assist ISPs in identifying and shutting down spamming email servers.
December 2004 Update
It was widely reported last week in the technical press that Bill Gates
receives over 4 million email messages each day, of which a dozen or so are
actually read. Suffice it to say that the problem is still getting
worse. In another technical effort to control unsolicited email, Yahoo has
recently proposed a cryptographic authentication protocol that it calls
DomainKeys. DomainKeys uses public key encryption to verify that incoming
email messages are coming from the sender listed in the message header.
Within weeks of its launch, reports had already emerged of spammers hacking the
DomainKeys protocol and using it to penetrate spam defenses.
On the upside, Microsoft announced that it has filed lawsuits against seven spammers under the CAN-SPAM Act. All seven appear to have violated the "brown paper wrapper" rule, requiring sexually oriented email to include an identifying label in the subject line and header. To date, Microsoft has filed over 100 anti-spam lawsuits under the new law.
Notes
1 EWeek Magazine, 5 May 2003: www.eweek.com
2 Text of the Telephone Consumer Protection
Act of 1991: http://www.keytlaw.com/faxes/47usc227.htm
3 Senator Charles Schumer on Spam:
http://www.senate.gov/~schumer/SchumerWebsite/pressroom/press_releases/PR01647.html