The Role of Public Policy in the Fight Against Spam
![Page 1: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/1.jpg)
The Role of Public Policy in the Fight Against Spam
Jacob Scott
UC Berkeley
IEEE
August 3rd, 2004
![Page 2: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/2.jpg)
Spam Threatens the Viability of
“Spam is about to kill the ’killer app’ of the Internet - specifically, consumer use of e-mail and e-commerce.”
FTC Commissioner Orson Swindle, June 2003
![Page 3: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/3.jpg)
Incredible Growth
“Since Hotmail deployed it six months ago, SmartScreen has been blocking more than 95 percent of all incoming spam — an average of nearly 3 billion messages every day.”
Bill Gates, June 2004
![Page 4: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/4.jpg)
Wide-ranging Effects
• Businesses
• Consumers
• ISPs
• Legitimate E-Mail Marketers
“Today, it is estimated that 80% of email traffic is spam and the costs of spam to the global economy amounts to USD 25 billion annually.”
Press Release, UN ITU, July 2004
![Page 5: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/5.jpg)
Example: Phishing
“Direct losses from identity theft fraud against these phishing attack victims cost U.S. banks and credit card issuers about $1.2 billion last year”.
Press Release, Gartner Research, May 2004
Anti-Phishing Working Group
![Page 6: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/6.jpg)
Good Spam versus Bad Spam
![Page 7: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/7.jpg)
Good Spam
• Annoying
• Identifiable
• Legitimate
• Possibly Requested
• Big Business
“This translates into an excess of $19 billion spent in response to commercial e-mails in 2003.”
Direct Marketing Association, March 2004
![Page 8: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/8.jpg)
Bad Spam
• Untraceable
• Deceptive
• Fraudulent
• Pornographic
• Illegitimate
• The Problem
![Page 9: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/9.jpg)
The Reasons for Spam: Profit and Anonymity
![Page 10: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/10.jpg)
The Spam Profit Numbers
• 5% of e-mail users have purchased from UCE
• Cost to send one e-mail: $.0005
• Profit possible with .0001% response rate
AOL’s captured spammer Porsche
![Page 11: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/11.jpg)
E-Mail: Exactly the Same Since 1982
![Page 12: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/12.jpg)
SMTP Provides No Authentication, Enables Anonymity
![Page 13: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/13.jpg)
Anti-Spam Technology
Filters look at incoming e-mail and sort spam from legitimate messages
![Page 14: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/14.jpg)
Filtering Mechanisms
• IP Blacklists
• Header/Routing Analysis
• Heuristics
• Adaptive (Bayesian)
• URL Filtering
• Checksums/Signatures
• Collaborative Networks
• Challenge-Response
• Many more…
![Page 15: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/15.jpg)
Filtering Success
• Brightmail advertises that its filter catches 95% of all spam, with a false-positive rate of only 1 in a million
• CRM114, open source spam “classifier” reports over 99% accuracy rate in spam/ham sorting
• Vibrant R&D, commercial implementations
![Page 16: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/16.jpg)
The Spam “arms race”
• Increased volume
• Evasive techniques
• Concern over false positives
• The worst spam (sent by “outlaw spammers”) is the hardest to defeat technologically
“Knowing that only a small percentage of their output will get past today's filters, spammers have responded by significantly cranking up the volume of emails they send. So networks are burdened with even more junk than before.”
Bill Gates, June 2004
![Page 17: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/17.jpg)
The CAN-SPAM Act of 2003
![Page 18: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/18.jpg)
Introduction
• First national anti-spam law
• Originated as S877
• Passed Senate 97-0
• Passed House 392-5
• Signed December 16, 2003
Senator Burns
Senator Wyden
![Page 19: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/19.jpg)
Motivation
“senders of commercial electronic email should not mislead recipients as to the source or content of such mail; and recipients of commercial electronic mail have a right to decline to receive additional commercial electronic mail from the same source.”
CAN-SPAM Act of 2003
• Strong on fraud and deception
• Weak on privacy
• Consumer protection law – Federal Trade Commission is point
![Page 20: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/20.jpg)
Opt-In, Opt-Out
• CAN-SPAM is single-source opt-out
– Ask each e-mailer to stop, one at a time
• Chosen over opt-in
– Marketers have to ask before they send
– Popular in Europe
• Does the difference matter?
“Imagine that you put a ‘do not solicit’ sign at the front door of your home, and every company in the world could only ring your doorbell once, at which point you could tell the salesperson not to bother you anymore…”
Consumers Union, May 2004
![Page 21: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/21.jpg)
Probably Not
“the practical difference between opt-in and opt-out laws in terms of real enforcement is virtually nonexistent. If a spammer wishes to convert the strongest opt-in law into an opt-out law, all he or she needs to do is tell one lie: ‘The recipient requested to receive my messages.’”
Matthew Prince, July 2004
• The worst “outlaw” spammers will not care either way
![Page 22: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/22.jpg)
Compromise?
• Do Not E-Mail Registry
– Provides global opt-out
– Anyone who sends to e-mails in the registry is in trouble
– Modeled after the Do Not Call Registry
![Page 23: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/23.jpg)
Probably Not
“This Report concludes that a National Do Not Email Registry, without a system in place to authenticate the origin of email messages, would fail to reduce the burden of spam and may even increase the amount of spam received by consumers.”
FTC DNE Registry Report, July 2004
• How can you not e-mail someone without knowing who not to e-mail?
• How can use of the registry be required and enforced?
![Page 24: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/24.jpg)
The Ways in Which You Can Spam Under CAN-SPAM
![Page 25: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/25.jpg)
Good Spam, Bad Spam Again
![Page 26: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/26.jpg)
What You Must Do
• In commercial e-mail
– Include an opt-out mechanism
– Include a real physical address
– Clear notice that the message is an advertisement
• No requirement for this to be machine readable, but does give good hints to filters
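
The three required elements above can be checked mechanically, which is the sense in which they give filters hints. The Python sketch below is an added example, not part of the original slides; the regular expressions, the use of the List-Unsubscribe header, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages (not real mail); all names are placeholders.
COMPLIANT = """\
From: Example Shop <news@shop.example>
To: user@mail.example
Subject: Summer sale
List-Unsubscribe: <mailto:unsubscribe@shop.example>

This message is an advertisement from Example Shop.
To stop these e-mails, unsubscribe at https://shop.example/optout
Example Shop, 100 Main Street, Springfield, IL 62701
"""
NONCOMPLIANT = """\
From: deals@unknown.example
To: user@mail.example
Subject: You won

Click now to claim your prize.
"""

# Assumed heuristics: the Act does not require machine-readable markers,
# so a filter can only look for common wording.
OPT_OUT = re.compile(r"\b(unsubscribe|opt[- ]?out)\b", re.I)
# Rough US postal-address shape: street number, street word, 5-digit ZIP.
ADDRESS = re.compile(
    r"\b\d{1,6}\s+[A-Za-z][\w .]*\b(street|st|avenue|ave|road|rd|blvd)\b"
    r".*\b\d{5}(-\d{4})?\b", re.I)
AD_NOTICE = re.compile(r"\b(advertisement|solicitation)\b", re.I)

def canspam_hints(raw):
    """Report which of the three required elements a message appears to carry."""
    msg = message_from_string(raw)
    # Collect text/plain parts as stored (no transfer decoding is attempted).
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    return {
        "opt_out": bool(msg.get("List-Unsubscribe") or OPT_OUT.search(body)),
        "physical_address": bool(ADDRESS.search(body)),
        "ad_notice": bool(AD_NOTICE.search(text)),
    }

def missing_hints(raw):
    """Names of required elements not found; a filter could weight these."""
    return sorted(k for k, v in canspam_hints(raw).items() if not v)
```

A message that carries all three elements is not thereby legitimate; the absence of any of them is simply one more signal a filter can combine with the mechanisms listed earlier.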
![Page 27: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/27.jpg)
What You Cannot Do
• Falsify header or route information of your e-mail messages
• Hack into other computers and send spam from them
• Harvest e-mail addresses from the web or in a directory harvest attack
• Hire other people to spam for you
• Send adult-oriented spam without a subject line label (FTC rulemaking)
![Page 28: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/28.jpg)
Penalties
• Quite stiff
– Violations of CAN-SPAM are considered violations of the FTC Act, $11,000 per violation
– Some violations are criminal, with up to five-year prison terms
– ISPs and State AGs can sue under CAN-SPAM for civil damages (caps in some cases)
![Page 29: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/29.jpg)
Getting Tough on Enforcement
![Page 30: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/30.jpg)
Importance of Enforcement
• CAN-SPAM has teeth, but does it bite?
– Outlaw spammers will not follow law if not enforced
• Provides an avenue to recoup spammer profits
• Creates a deterrent effect, makes spammers think twice
![Page 31: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/31.jpg)
Compliance and Enforcement
• Average CAN-SPAM compliance over first six months only 2.3%
• FTC has brought only two actions under CAN-SPAM (62 total spam cases in history)
• Roughly a half dozen ISP CAN-SPAM based lawsuits pending
• Maybe one or two state cases
![Page 32: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/32.jpg)
Enforcement Difficulties
• Three ways to pursue, generally
– Trace communications
– Follow the money
– Follow the goods
• With spam
– Communications notoriously difficult
– Money gets tricky if stolen credit card, or overseas
– Goods may not be physical (software, identity theft)
![Page 33: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/33.jpg)
Spam Enforcement Generally
• Computer misuse, identity theft, fraud laws can all apply to spam
– ISP lawsuits pre CAN-SPAM (AOL Porsche)
• States have further laws
– New York’s “Buffalo Spammer” case
– Virginia’s recent case against Texan
• Not insignificant enforcement, but certainly not enough
– CAN-SPAM compliance numbers
![Page 34: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/34.jpg)
Enforcement Inhibitors
• CAN-SPAM did two things that made enforcement harder
• Pre-empted most state spam laws
– Only (state) laws which do not deal specifically with spam or only deal with fraud are still in force
• Denied private right of action
– Bad experience with frivolous lawsuits under Utah Law
– Individuals and businesses cannot sue spammers
• Tradeoffs in both cases, but bottom line is enforcement was softened
![Page 35: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/35.jpg)
CAN-SPAM Bottom Line
• Strong in some areas, weak in others
• Not as horrible a law as it is made out to be in the press
• Nonetheless, ineffective due to lack of enforcement
• If CAN-SPAM were followed, there would probably be less spam in your inbox
![Page 36: The Role of Public Policy in the Fight Against Spam](https://reader035.fdocuments.net/reader035/viewer/2022062517/56813af8550346895da385b9/html5/thumbnails/36.jpg)
Recommendations
• More enforcement
• Consider private right of action
• Conduct technology oversight
• Revisit privacy concerns
• Help with user education