
The CAN-SPAM bill examined

November 25, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

The U.S. House of Representatives passed a version of the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003," on Saturday. Commonly referred to as the "CAN-SPAM" bill, the House agreed on a version of the bill very similar to the bill passed by the Senate in October. This makes it likely (but not certain) that the U.S. will soon have a national law governing unsolicited commercial e-mail (UCE) -- better known as "spam" (or any number of less polite terms) by the rest of us.

Very few outside of the Washington beltway or the Direct Marketing Association (DMA) seem convinced that the CAN-SPAM bill is going to put a halt to spam. A number of people, including several state Attorneys General, have argued that CAN-SPAM will make matters worse, rather than better. There is a fair amount of evidence to support this opinion.

The CAN-SPAM bill actually has the effect of legitimizing spam so long as it is non-fraudulent and provides the recipient with a means to "opt-out" of future e-mails. This is a big win for the DMA, and a major loss for the rest of us. Having to opt-out of receiving spam from each and every "legitimate" source of spam is a burden that should not be placed on the user. Given that there are thousands of legitimate businesses that will seek to make use of e-mail marketing, users are going to be doing a lot of opting out.

What about a "do-not-spam" list? The CAN-SPAM Act does contain a provision to create a national "do-not-spam" list. This can only be seen as a tactical error of gargantuan proportions. While a "do-not-call" list may succeed in reducing or eliminating unwanted telemarketing calls, spammers operating beyond U.S. borders are unlikely to be deterred by the CAN-SPAM provisions. Indeed, getting a copy of the "do-not-spam" list will likely be a high priority for offshore spammers looking for a roster of known-good e-mail addresses. Users who place their e-mail addresses on a "do-not-spam" list may avoid spam from legitimate businesses, but will still find themselves subjected to unwanted e-mail from offshore spammers. Happily, the CAN-SPAM bill does not require the Federal Trade Commission to create a "do-not-spam" list; it only permits the creation of such a list. Given that the FTC has objected to this provision, implementation seems unlikely.

Even worse, the bill overrides state legislation that may be more stringent than the CAN-SPAM bill. This is presented as a solution to the difficulty "law-abiding businesses" have in complying with anti-spam laws, but complying with multiple state laws is a cost of doing business. This should not be an excuse to shift the burden to users and organizations rather than businesses seeking to advertise their goods or services. By overriding state laws that require "opt-in" rather than "opt-out," the CAN-SPAM Act is giving merchants free rein to send unwanted spam, at least until the user asks to be left alone. While one may argue that any laws against spam are unlikely to be effective, at least laws like those passed in California are stacked in favor of the user rather than the spammers.

Some have claimed that the CAN-SPAM Act may make anonymous e-mails illegal altogether. John Gilmore argues that the bill would make it a crime "to use any false or misleading information in a domain name or email account application, and then send an email." However, this is a somewhat liberal interpretation of the bill, which actually says:

Whoever, in or affecting interstate or foreign commerce, knowingly...
(3) materially falsifies header information in multiple commercial electronic messages and intentionally initiates the transmission of such messages,
(4) registers, using information that materially falsifies the identity of the actual registrant, for 5 or more electronic mail accounts or online user accounts or 2 or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages...

A close reading of this language indicates that merely sending an anonymous e-mail or e-mail with a falsified header would not automatically be a crime. The provisions only apply to those "in or affecting" commerce, which would seem to exclude a user who sends an anonymous e-mail for non-commercial purposes. It might be that the language could be abused to include someone who has sent an anonymous e-mail that may have some impact on a business, perhaps a whistleblower or disgruntled customer sending out negative commentary about a company, but then the user would have to send a relatively large number of e-mails. Further on, the bill classifies "multiple" as "more than 100 electronic mail messages during a 24-hour period," up to 10,000 during a 1-year period.

Unlike some of the state laws, which allow users to sue spammers directly, the CAN-SPAM Act seems to put users at the mercy of others to take action against spammers who do not comply. The Act explicitly addresses the ability of state and federal agencies to prosecute spammers under the provisions of the Act, and provides authorization for ISPs to bring action against spammers.

There are a few good things about the CAN-SPAM Act. The bill specifically states that nothing in the bill requires an ISP to carry or deliver spam. This prevents spammers from claiming that an ISP is in any way required to deliver spam, even if it is explicitly legal. The bill also contains a provision that allows the court to force a spammer to pay legal fees for the party that initiates proceedings. This may make it more likely that prosecutors will take on spammers who violate provisions of the bill.

CAN-SPAM also makes it illegal for spammers to use open relays or other methods of hijacking computers to send spam, and requires a working method to opt out of e-mail. Again, these provisions are unlikely to deter offshore spammers, but the provisions are welcome nonetheless.

Finally, the bill provides for vendor liability. This means that if a vendor contracts with a third party to send e-mail on their behalf, the vendor can be held liable for failure to comply with the CAN-SPAM provisions. This prevents companies from contracting with offshore spammers to escape legal liability.

In all, however, the CAN-SPAM Act is disappointing legislation. It fails to affirm users' rights to consent to e-mail marketing, and instead burdens them with the responsibility of opting out of unwanted marketing. The bill will negate tougher state laws against spam that have the backing of the general populace in favor of weakened provisions that are backed by lobbyists. After more than six years of Congressional foot-dragging, we will likely be stuck with a law that does little good, and may even serve to exacerbate the problem. It may well be that the spam problem is not solvable by legislation, but, even if it is, the CAN-SPAM Act is not the law we need.

(For those who are interested, the full text of the proposed law is available in PDF format.)



The CAN-SPAM bill examined

Posted Nov 26, 2003 3:39 UTC (Wed) by zone (guest, #3633) [Link]

> CAN-SPAM also makes it illegal for spammers to use open relays or other methods of hijacking computers to send spam, and requires a working method to opt-out of e-mail. Again, these provisions are unlikely to deter offshore spammers, but the provisions are welcome nonetheless.

The requirement of an opt-out method is a nice loophole for the government and ISPs to be able to prosecute spammers who are otherwise legitimate businesses sending now explicitly legal email. However, it would be a tragedy if 'Just click the opt-out link when you get spam, it's illegal for them to keep sending you spam after you do that' becomes common knowledge. Even if you assume (made up statistics) that 25% of spam originates in the US and 50% of that complies with the opt-out provision, that'd still mean 7/8 of the opt-out links put your email address on the known-good and known-reader lists.

In my experience, users were really catching on that spam should be disregarded entirely. Let's hope sys. admins reinforce the 'don't reply to spam, ever' mantra around the office. And let's hope the press catches on as well: a slew of 'Spammers required to honor opt-out' headlines could set us back five years in five days.

The CAN-SPAM bill examined

Posted Nov 26, 2003 6:32 UTC (Wed) by AnswerGuy (guest, #1256) [Link]


The U.S. legislative process is systemically broken at this point. Almost no consideration remains for mainstream popular interests --- it's all special interest pandering; mostly purchased by professional lobbyists, with a few nods to politically influential extremists on a few knee-jerk issues (abortion, gun control, etc).

It is almost inconceivable that any law could materially reduce spam.

A "do not spam" list could be implemented in a distributed and technically sound way that didn't give spammers a simple new target list. I would specify a sort of DNS query, sort of like a negated SMTP VRFY --- call it a "NOMAIL" query. So, if I have a purported e-mail address in your domain I can make the query --- if I get a "TRUE" back it means that I may NOT send mail to that address at that domain.

Trying to harvest addresses through this won't work --- if you make up addresses I'll just return a TRUE for any possible address. I will ONLY return a "false" NOMAIL for those (very few) people who *want* to receive spam. I'd extend that spec. a little to provide rate throttling. So the extra fields for this query would say: "don't ask about *any* other NOMAIL addresses for at least N minutes" It would be illegal to violate that part of the spec (from the client side) :)

In my version of the "opt-out" list each ISP would be free to have a policy that all spam is unwelcome (if you want spam go join another ISP) or to treat the default as "NOMAIL" and internally implement it as more of an "opt-in" mechanism. Commercial mailers would be required to make a NOMAIL query before sending unsolicited bulk mail (defined as 100 or more recipients in 24 hours, 1000 or more per week or 10000 or more per year).

Would this be too much of a "burden" for legitimate commercial mailers? Certainly not on a technical level. There is only a tiny incremental cost to the extra DNS query. On a political level --- HELL YEAH! It would prove to all and sundry that almost NO ONE wants to get unsolicited mail. Almost NO ONE would sign up for this (and many ISPs would publicly state that customers who did want spam were unwelcome at their site).

In other words it would reveal, even more starkly than the U.S. national "Do Not Call" list, that people are tired of pushy forms of advertising.

Jim
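To make the NOMAIL scheme in the post above concrete, here is an in-memory model of it. This is an added example, not code from the commenter or from LWN; the query format, the answer fields, the "retry after N minutes" throttle field and the 30-minute value are assumptions standing in for the DNS extension the post only sketches, and no real DNS is consulted. It shows the two properties the post relies on: every address that is not explicitly opted in answers TRUE (so walking a zone with guessed names learns nothing), and the per-client throttle slows any bulk pre-send check to one answered query per interval per domain.

```python
"""In-memory model of AnswerGuy's proposed "NOMAIL" query (constructed example)."""
from dataclasses import dataclass, field

MINUTE = 60.0


@dataclass
class NomailZone:
    """One domain's NOMAIL data, as its ISP would publish it.

    Only local parts that *want* bulk mail are stored.  Every other name,
    real or invented, answers nomail=True, so the zone never reveals which
    addresses exist (the "wildcard opt-out by default" idea in the thread).
    """
    domain: str
    opted_in: set = field(default_factory=set)       # local parts that asked for bulk mail
    retry_after_minutes: int = 30                     # assumed value of the throttle field
    _last_answered: dict = field(default_factory=dict)  # client id -> time of last answered query

    def query(self, local_part: str, client: str, now: float) -> dict:
        """Answer one NOMAIL query from `client` about local_part@domain at time `now`."""
        last = self._last_answered.get(client)
        if last is not None and now - last < self.retry_after_minutes * MINUTE:
            # Client asked again inside the interval it was told to wait.
            return {"status": "REFUSED", "retry_after_minutes": self.retry_after_minutes}
        self._last_answered[client] = now
        return {
            "status": "OK",
            "nomail": local_part.lower() not in self.opted_in,   # TRUE == do not send
            "retry_after_minutes": self.retry_after_minutes,
        }


def plan_bulk_send(zone: NomailZone, local_parts, client: str, start: float):
    """The pre-send check a commercial mailer would be obliged to run for one domain.

    Returns (local parts it may send to, simulated minutes the checks took).
    A refused query is retried after the instructed wait, which is what makes
    the check cheap technically but slow for anyone mailing in bulk.
    """
    now = start
    deliverable = []
    for lp in local_parts:
        answer = zone.query(lp, client, now)
        if answer["status"] == "REFUSED":
            now += answer["retry_after_minutes"] * MINUTE   # wait as told, then ask once more
            answer = zone.query(lp, client, now)
        if not answer["nomail"]:
            deliverable.append(lp)
    return deliverable, (now - start) / MINUTE


def answers_for_guesses(zone: NomailZone, guesses, client: str, start: float) -> set:
    """Set of distinct nomail answers a client sees for a list of names, pacing
    its queries to the throttle so each one is answered.  A zone with no
    opt-ins yields {True} for any input: nothing to harvest."""
    now = start
    seen = set()
    for name in guesses:
        seen.add(zone.query(name, client, now)["nomail"])
        now += zone.retry_after_minutes * MINUTE
    return seen


if __name__ == "__main__":
    zone = NomailZone("example.net", opted_in={"wantsads"})
    print(plan_bulk_send(zone, ["alice", "wantsads", "bob"], "mailer-1", 0.0))
    print(answers_for_guesses(NomailZone("example.org"), ["alice", "zz9-nobody"], "walker", 0.0))
```

The model keeps a simulated clock as a parameter rather than reading the system time, so the throttle behaviour can be exercised deterministically; a real implementation would key the throttle on the querying resolver's address rather than on a client string.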

The CAN-SPAM bill examined

Posted Nov 26, 2003 12:02 UTC (Wed) by ekj (subscriber, #1524) [Link]

Too complicated. I am completely convinced that allowing spam at all has no positive benefit for the economy or society whatsoever. Why not simply forbid it? The Scandinavian countries have, and it works ok.

The bill needed is not complicated. It is forbidden to send commercial email to a person unless this is either a) a current and ongoing customer of you or b) the person has given prior, informed consent to receiving such.

Yes, this *does* mean that say my online-bank can legally "spam" me as long as I am a customer there. But the thing is: they have a very strong incentive not to; they want to *keep* me a customer there.

I fail to see why all US legislation and debate assumes as a default that random people on the Internet want to receive spam, and only want to provide a way for you to say that you don't. In my experience the reality is completely the opposite: 99% of the people do *not* want any spam, and it'd be sufficient to provide a way for the remaining 1% to say "yes please".

Make a national "spam please" list, people on the list can be spammed, others not. See how popular the list will be....

The CAN-SPAM bill examined

Posted Nov 26, 2003 15:21 UTC (Wed) by mmarsh (subscriber, #17029) [Link]

>The bill needed is not complicated. It is forbidden to send commercial
>email to a person unless this is either a) a current and ongoing customer
>of you or b) the person has given prior, informed consent to receiving such.

Unfortunately, as sound as this seems, I don't think it'll work in practice. I've been getting spam for years claiming (fraudulently) that I signed up to receive it. I get telemarketing calls like this, too, which usually begin with something like, "Hi. I'm responding to your request for information about our luxury dream time-share homes in prime swamp real estate." The other standard line is, "Either you or a friend or relative signed you up to receive this offer." You could add teeth to such a law by requiring companies to keep proof of consent for every email address (or phone number) on their list, but that still puts the burden on the victim to track down and file suit against each spammer.

There's another trick that further complicates matters. Not long after sign-up began for the U.S. "do not call" registry, random prize drawing or similar postcard-type offers started appearing. Entering the contest, or whatever the relevant gimmick was, also included granting permission to have your name and number sold to telemarketers. This was, of course, in the fine print that virtually nobody read, but it's still valid. Now just imagine what a spammer or address harvester could do with hidden form entries.

On the other hand, we can't and shouldn't ban true opt-in mailing lists, whether their aim is advertising or not. There are even some that aren't really opt-in but should be allowed, such as intra-organization mailing lists that serve administrative functions. It seems to me that there's really no way to craft a useful law that the spammers won't, in general, be able to get around and yet which still allows useful mailing lists. I think there really just needs to be more education of all these "entrepreneurs" who see mass-emailing as the greatest marketing tool in the world. The only other viable option is probably to assign some tangible cost to sending email. This brings up the whole morass of e-stamps and the like, or solving puzzles to "pay" for the transmission. Either one requires enough changes to infrastructure and clients that we'd be just as well off scrapping email as it exists today and building a new asynchronous message system.

Good gravy...that's a long way to say "Nah, it won't work."

The CAN-SPAM bill examined

Posted Nov 27, 2003 11:23 UTC (Thu) by rwmj (subscriber, #5474) [Link]

One good trick to use:

Telespammer: This is luxury kitchens ltd. Can I speak to Mr. Jones please?

Me: Sure, I'll just go and get him.

Go off and continue what you were doing for half an hour. Then come back and place the phone back on the hook.

Works for me!

Rich.

I actually think this is doable, but won't work

Posted Nov 26, 2003 16:51 UTC (Wed) by pflugstad (subscriber, #224) [Link]

The FTC now has the authority to implement a do-not-spam list. Congress (AFAIK - I did not look at the bill) has not specified any implementation of it. So the FTC can implement it any way it wants, including something like how AnswerGuy described.

As far as being too complicated - only the techs at the ISP see this - you simply tell your ISP if you want to be on the list or not and they set up the DNS server appropriately. This would probably be a straightforward extension to what they're already doing with various real-time black lists.

Anyway, just thinking. I doubt it would honestly work in any case. We need the equivalent of the anti-junk-fax law for spam - let the people go after the spammers and those who buy their services. That'd fix this problem with no effort from the gov't. But nooooo, we can't have people actually taking any responsibility on their own...

Free flow of information

Posted Nov 28, 2003 18:28 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

The bill needed is not complicated. It is forbidden to send commercial email to a person unless this is either a) a current and ongoing customer of you or b) the person has given prior, informed consent to receiving such.

Well, we have this love of the free flow of information in this country. If I'm selling Viagra for half the usual price, I have a right to let it be known that I'm doing so.

Furthermore, commercial communication is a GOOD thing. If you're a regular user of Viagra, it is in your best interest as well as mine that you find out I'm selling it cheap.

I object to the government blocking my email box just as much as I object to the spammers doing it. (The spammers do it by creating such a flood of email that I couldn't pick out truly interesting unsolicited commercial emails even if they were there. And that is the only reason they aren't there!).

I support any law that gets me (and my ISP) more information to use in filtering out uninteresting email -- e.g. genuine headers -- but not a law that attempts to define which emails I don't want.

The CAN-SPAM bill might help...

Posted Nov 26, 2003 10:48 UTC (Wed) by dps (subscriber, #5725) [Link]

If this law forces US spammers, who seem to be a majority where I sit, to use identifiable IP addresses then the bill might be more useful to "normal users" than you think... We can then block all mail from those specific IPs (with a deny rule on our firewall, ideally backed up by deny rules on mail servers, etc).

ISPs could blackhole those IPs too to reduce the amount of their bandwidth wasted by spammers---in the old days when spammers were using their own IP addresses some major ISPs (such as ISPs the small ISPs use) blackholed the major sources of spam. This prompted the current tactics.

The CAN-SPAM bill examined

Posted Nov 26, 2003 14:48 UTC (Wed) by copsewood (subscriber, #199) [Link]

I think that appropriate law on this can have an effect if denial of service starts to be voluntarily operated against email services from IP ranges within countries that don't implement and enforce laws based on certain principles. I suggest these principles are likely to include:

a. Opt in. AnswerGuy's post suggests how a suitable list might be implemented from a technical point of view. This would place an extra burden on DNS administrators, but use of DNS wildcards to opt-out everyone using a particular ISP or domain by default might make a legislated opt-out provision effective if the authority tasked with implementation by the legislation accepts a wildcarded opt-out implemented by ISPs as meeting the requirements of the legislation.

b. Companies are considered accessories for computer crimes or breaches of ISP contracts by third parties used to propagate their marketing messages. A civil liability should apply in civil matters (breach of ISP contract) and a criminal offence should be prosecuted in respect of criminal matters (e.g. causing a mail-relay trojan to be installed). Something similar was done to shut down pirate radio in the UK coastal waters during the 1960s. Without the advertising revenue to fund it, this activity dried up.

c. Use of forgery and deception to attempt to hide the message origin. Where there is systematic intent to perpetrate a fraud, including deliberately misleading bulk recipients as to the message origin, and the law has loopholes, these need to be tightened up.

The CAN-SPAM bill examined

Posted Nov 26, 2003 15:00 UTC (Wed) by freethinker (guest, #4397) [Link]

"Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003"? Why does Congress have this obsession with cute acronyms? You'd think they were with GNU or something.

The CAN-SPAM bill examined

Posted Nov 26, 2003 16:30 UTC (Wed) by RobSeace (subscriber, #4435) [Link]

No, if it were GNU, the acronym would expand to:

CAN-SPAM Ain't No Spam-Prevention Act, Man

;-)

The Three Main Problems

Posted Nov 26, 2003 18:15 UTC (Wed) by Ross (guest, #4065) [Link]

They both have to do with opt-out.

1) Companies are allowed to spam until you opt out. What keeps a company from farming out their spamming operations to different companies. After each round, aren't they allowed to spam you again as long as it is a fresh company?

2) There is no requirement that the opt-out mechanism be simple, that it is understandable, that it can be completed quickly, that it can be completed without more advertisements, or even that it works on non-Windows platforms or with non-graphics browsers. What keeps them from making you click through 12 different GIF-animated, Javascript and ActiveX filled pages before they confirm your removal?

3) Now that you have opted out of that specific company's spams, what keeps them from selling your verified legitimate address to another spamming operation?

national do-not-spam list

Posted Nov 26, 2003 19:21 UTC (Wed) by skybrian (subscriber, #365) [Link]

A national do-not-spam list might actually be somewhat useful, but not for ordinary users. Instead, ISP's and spam fighters could put dummy email addresses on this list and use it to more easily detect spammers.

national do-not-spam list

Posted Nov 27, 2003 11:26 UTC (Thu) by rwmj (subscriber, #5474) [Link]

This is one way to do it.

Another way is to have the FTC (or whichever *trusted* body administrates this) either cleanse lists on behalf of spammers, or give spammers MD5 hashes of the addresses.

The hashing approach is the most interesting: to test an address, you MD5 hash it and look for it on the list of hashes. Reversing this process is mathematically very difficult, so given a list of hashes a spammer cannot derive a list of addresses.

Rich.

national do-not-spam list

Posted Dec 5, 2003 4:24 UTC (Fri) by khim (subscriber, #9252) [Link]

*Trusted* body? What the hell? Why do you even need any trusted body?

It's possible to create 1000 lists with untrusted bodies (including one nation-wide) where only md5 hashes are stored. Generated locally, obviously. With 100% open-sourced program.

Then anyone can use any such database to check if an address is there, but nobody can harvest anything from there: e-mail addresses were never actually submitted to such databases!

Nobody can misuse information they do not have in the first place - this eliminates the need for trust...
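The hashed register that rwmj and khim describe in the two comments above, as an added example that is neither commenter's code: the user (or their ISP) hashes the address locally and submits only the digest, the register stores and publishes digests alone, and a mailer scrubs its list by hashing each address and testing membership. The normalisation rule (trim, lower-case) is an assumption, since both sides must canonicalise identically or nothing matches; MD5 is kept as the default because that is what the thread proposes, and the `algorithm` parameter accepts any `hashlib` name such as `sha256`. One caveat a practitioner would want: the register is by design a membership test, so it confirms "on the list" for any address a querier already holds; what it withholds is the addresses themselves.

```python
"""Do-not-spam register that stores only address digests (constructed example)."""
import hashlib


def normalize(address: str) -> str:
    """Canonical form hashed by both the registrant and the mailer (assumed rule)."""
    return address.strip().lower()


def hash_address(address: str, algorithm: str = "md5") -> str:
    """Digest of the canonical address; this is all that ever leaves the user's machine."""
    return hashlib.new(algorithm, normalize(address).encode("utf-8")).hexdigest()


class HashedDoNotSpamList:
    """The register itself: it never sees a plaintext address."""

    def __init__(self, algorithm: str = "md5"):
        self.algorithm = algorithm
        self._digests = set()

    def register_digest(self, digest: str) -> None:
        """What the register receives from a client: a digest, nothing else."""
        self._digests.add(digest.lower())

    def contains(self, address: str) -> bool:
        """Membership test a mailer runs per address before sending."""
        return hash_address(address, self.algorithm) in self._digests

    def scrub(self, mailing_list):
        """Drop every address whose digest is registered; keep the rest in order."""
        return [addr for addr in mailing_list if not self.contains(addr)]

    def export(self):
        """Published form of the register (e.g. one of khim's 1000 untrusted copies)."""
        return sorted(self._digests)


def opt_out(register: HashedDoNotSpamList, address: str) -> str:
    """Client side of registration; returns the digest that was submitted."""
    digest = hash_address(address, register.algorithm)
    register.register_digest(digest)
    return digest


if __name__ == "__main__":
    reg = HashedDoNotSpamList()
    opt_out(reg, "Alice@Example.com")            # constructed sample address
    print(reg.scrub(["alice@example.com", "bob@example.com"]))
    print(reg.export())
```

Because `export()` is the only thing a copy of the register ever contains, the same code serves a single national list and khim's many independently-run copies alike: any party can publish digests and any mailer can scrub against whichever copies it chooses.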

The CAN-SPAM bill examined

Posted Dec 2, 2003 7:39 UTC (Tue) by jmason (guest, #13586) [Link]

'The CAN-SPAM bill actually has the effect of legitimizing spam so long as it is non-fraudulent and provides the recipient with a means to "opt-out" of future e-mails. This is a big win for the DMA, and a major loss for the rest of us.'

Agreed.

Note, however, that many other parts of the world, including most of Europe, already have or will be making opt-in a requirement; in other words, doing spam laws *right*.

So even if CAN-SPAM suits the DMA's members, they may still have an interesting time trying to figure out which list 'subscribers' are "opt-in required" (outside the US) or not (inside the US).

I, for one, do expect to see an increase in mainsleaze spam. However, my .org, and my personal email address(es) are registered and based in Ireland, which requires opt-in; and big US-based multinationals -- or at least the ones with European offices -- may still have to respect Irish laws in that respect. That should be interesting -- and worth a try, at least!

The CAN-SPAM bill examined

Posted Dec 4, 2003 12:29 UTC (Thu) by Wol (guest, #4433) [Link]

The other neat European trick - the company whose products are being marketed is responsible for maintaining the list - so if you do reply to an "opt-out", they can't then give the list to a different company and send you the same (or similar) spam again.

But how soon will it be before a BIG company sues the Direct Marketing Association for denial-of-service. I've heard of at least one company complain that their broadband connection was being hammered so bad by spam that their mail-server (configured for "rejection on header", therefore obviously not MS Exchange), couldn't keep up with the flood unless it had EXCLUSIVE use of the connection ...

Cheers,
Wol

The CAN-SPAM bill examined

Posted Dec 4, 2003 21:06 UTC (Thu) by gswoods (subscriber, #37) [Link]

The idea that government interference won't solve the problem is not new, it is rather obvious. You don't have to look any further than the War on Politically Incorrect Drugs and the Civil Rights of the Innocent ("War on Drugs", for short). Has this approach solved the drug problem? I would argue that it's made it worse, since addicts now have to admit to being criminals before they can get help, and we have thousands of people incarcerated for drug crimes who have never directly harmed anyone else. Keep in mind that drug dealers, unless they use force to make their clients use their product (or target children), aren't the ones doing harm, those who choose to take drugs are responsible for whatever harm is done to them. There are already laws against things that addicts might do while high or in order to obtain drugs that cause harm to others.

I am not trying to make a direct analogy between drugs and spam, but the point is that trying to control a social problem by making it illegal rarely works, almost always has side effects that are worse than the original problem, and it gives people a false sense of security. I believe that technical solutions can eventually make it unprofitable to spam, which is the ONLY thing that can effectively end it. As long as it's profitable, spammers (who already don't much care what laws they violate) will continue to spam.

I personally like the idea of SPF (Sender Permitted From), where sites can indicate in their DNS records which IP addresses are allowed to initiate mail that purports to be from that domain. If this spreads netwide, it can put a virtual end to e-mail forgery, which will go farther than any law in getting rid of spam. I could block 99% of all unsolicited spam if I could reject any mail whose sender address either doesn't exist or doesn't come from one of the real mail servers for that domain.

The CAN-SPAM bill examined

Posted Dec 5, 2003 18:30 UTC (Fri) by tegbert (guest, #17578) [Link]

The problem with fiddling with DNS records to filter out IP addresses is that IP addresses are often recycled, but DNS-based filters often persist way beyond reason. Check out:

"Is the Internet Dying?":
http://www.circleid.com/article/215_0_1_0_C/

and

"The Beginning of the End of the Internet?":
http://www.circleid.com/article/315_0_1_0_C/

for a good scare.

tegbert

The CAN-SPAM bill examined

Posted Dec 8, 2003 19:35 UTC (Mon) by gswoods (subscriber, #37) [Link]

Well, the IP address of our mail server isn't recycled unless we choose to change it. I would certainly like the ability to tell other mail servers around the net that if a mail message purports to come from one of our users, but it doesn't come from the address of our main mail cluster, then it's a forgery and should be rejected.
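The SPF check gswoods describes in this comment and the earlier one (a domain publishes in DNS which addresses may send mail claiming to be from it; a receiver rejects mail from anywhere else) as an added example, not the commenter's code or any SPF library. It parses a minimal `v=spf1` record with `ip4:`/`ip6:` mechanisms, qualifiers and a trailing `all`, and evaluates the connecting client's address against it. The sample records are constructed and stand in for TXT lookups; mechanisms that need further DNS queries (`include`, `a`, `mx`) are rejected rather than guessed at, and the rule that only a hard `-all` failure is a reason to reject, while a missing record is not, is the defensive choice a receiving server would want.

```python
"""Minimal SPF (v=spf1) evaluation for ip4/ip6/all mechanisms (constructed example)."""
import ipaddress

# Constructed sample zone data standing in for DNS TXT lookups.
RECORDS = {
    "example.org": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 -all",   # one host plus a /28 cluster
    "example.net": "v=spf1 ip6:2001:db8::/32 ~all",                      # IPv6 cluster, soft failure
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt: str):
    """Return [(qualifier, network-or-None)] for a v=spf1 record.

    Only ip4, ip6 and all are understood here; anything needing a DNS
    lookup (include, a, mx, ...) raises rather than being silently skipped,
    because skipping a mechanism would change the policy's meaning.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier per SPF
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")  # 'ip6:2001:db8::/32' splits at the first colon only
        name = name.lower()
        if name in ("ip4", "ip6"):
            mechanisms.append((qualifier, ipaddress.ip_network(value, strict=False)))
        elif name == "all":
            mechanisms.append((qualifier, None))
        else:
            raise ValueError(f"mechanism {name!r} needs DNS lookups; unsupported here")
    return mechanisms


def check_sender(client_ip: str, spf_txt: str) -> str:
    """Evaluate the connecting address against the record; first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, network in parse_spf(spf_txt):
        if network is None or (ip.version == network.version and ip in network):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"   # record exhausted without a match and without an 'all'


def should_reject(client_ip: str, mail_from_domain: str, records=RECORDS):
    """Receiver-side decision for one envelope sender domain.

    Returns (reject?, spf result).  No published policy means the receiver
    cannot call the message a forgery, so it is not rejected on SPF grounds.
    """
    txt = records.get(mail_from_domain.lower())
    if txt is None:
        return False, "none"
    result = check_sender(client_ip, txt)
    return result == "fail", result


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "example.org"), ("198.51.100.7", "example.org"),
                       ("2001:db9::1", "example.net"), ("192.0.2.1", "example.com")]:
        print(ip, domain, should_reject(ip, domain))
```

In a deployment the domain comes from the SMTP envelope sender and the record from a TXT query for that domain; the soft-fail and neutral outcomes are the reason most receivers feed SPF into scoring rather than rejecting on anything but `fail`.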

The CAN-SPAM bill examined

Posted Dec 5, 2003 18:12 UTC (Fri) by tegbert (guest, #17578) [Link]

Sometimes our inept Congress stumbles onto something.

The reason we have so much spam is because the email system as it now exists allows it with very little friction. It's analogous to the reason we have so many email virii: because Microsoft Outlook is so promiscuous.

If this Congressional action makes the spam situation worse, maybe it will hasten the day when one or more of the many technological methods of reducing spam will finally be put into effect.

tegbert

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds