Antispam advocates question Senate bill

A bill attempting to regulate the sending of unsolicited commercial e-mail passed the U.S. Senate last week, but many antispam advocates say the bill would have little impact on the amount of spam coming into e-mail users’ in-boxes.

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, which the Senate approved 97-0 late last Wednesday, requires e-mail users to opt out of unwanted commercial e-mail, instead of requiring e-mail senders to get opt-in permission, and the bill can do little to stem the tide of spam coming from outside the U.S., said vendors of antispam technologies and at least one consumer advocacy group.

The bill gives consumers little control over spam, said Ray Everett-Church, counsel for the Coalition Against Unsolicited Commercial Email (CAUCE). Everett-Church said he was encouraged that the final version of the bill included an amendment requiring the U.S. Federal Trade Commission (FTC) to study the possibility of a national do-not-spam e-mail registry, but the bill only authorizes the agency to create such a list, rather than requiring it to do so.

A law Congress passed in 1991 authorized the Federal Communications Commission to create a national do-not-call telemarketing registry, and it went into effect earlier this month – 12 years later, Everett-Church noted. The FTC has expressed concerns about creating and maintaining a massive do-not-spam list, and the opt-out approach of CAN-SPAM basically legalizes spammers to send out e-mail until they’re told to stop, he added.

“Until the FTC decides whether or not they care to create a do-not-e-mail list, (CAN-SPAM) creates essentially carte blanche permission for spammers to send unlimited quantities of e-mail to the consumer,” Everett-Church said. “I’m deeply concerned that we may never see a do-not-e-mail list, and until such a time as we do, we will see an unlimited right to see spam.”

CAN-SPAM includes a requirement that commercial e-mail include valid opt-out mechanisms and allows fines of up to US$100 per piece of spam sent with misleading header information, with fines up to $3 million allowed for some types of spam. But Everett-Church questioned whether state and federal law enforcement agencies would have the time to go after spammers without larger budgets for enforcement, which CAN-SPAM does not provide. The FTC and state attorneys general would be responsible for most spam enforcement under the bill.

The bill’s cosponsors, Senators Conrad Burns, a Montana Republican, and Ron Wyden, an Oregon Democrat, defended the bill, saying it was one necessary piece in a multipronged fight against unsolicited commercial e-mail. Technology will also need to play a part in eliminating spam, but CAN-SPAM should send a “strong message” to spammers, said a Burns spokeswoman.

“No legislation will be a silver bullet against spam, but the Burns-Wyden legislation gives consumers considerable control over the e-mail coming to their in-boxes by backing up the law’s requirements with stiff civil and criminal penalties,” added a spokeswoman for Wyden, responding by e-mail. “This is a good step toward taking back the Internet from the ‘kingpin spammers’ — the worst actors of the online world.”

Not surprisingly, vendors of antispam technologies agreed that technology needs to be part of the solution, with some suggesting that antispam technologies will go further to help e-mail users than CAN-SPAM will. The spirit of the law is headed in the right direction, and CAN-SPAM can help set a moral tone against spam, said Dave Jevans, senior vice president of marketing at Tumbleweed Communications Corp., an e-mail firewall vendor based in Redwood City, California.

But CAN-SPAM won’t be enforceable, Jevans said, because it’s difficult to validate the identify of any Internet user and because a large percentage of spam comes from outside the U.S. CAN-SPAM might make some potential spammers think twice before getting in the business, but the amount of spam sent is doubling about every two months, he said.

“The growth will outweigh by far the amount of spam stopped by CAN-SPAM,” Jevans said.

Jevans called for a blend of legislative and technological approaches to fighting spam, including requiring that e-mail carry a digital signature establishing the identity of the sender.

Another antispam vendor expressed even less hope that CAN-SPAM would stop spam. The bill might stop legitimate marketers from employing spam techniques, but would do nothing to stop hackers from using spam as a tool for identity theft, said Pete Privateer, senior vice president for product strategy and marketing at Internet Security Systems Inc., a security and antispam vendor based in Atlanta, Georgia.

“This bill is like trying to write a law to ban viruses,” Privateer said. “It’s just about that effective. I expect the volume of traffic in your in-box to increase.”

But Al DiGuido, chief executive officer of Bigfoot Interactive, a New York City-based provider of e-mail marketing services, said CAN-SPAM would at least clear up the confusion of more than 30 state laws dealing with spam. “We’re really excited about federal guidelines that will put an end to all the chaos and confusion on a state-by-state basis,” he said.

DiGuido agreed with Wyden that the legislation will be one piece in the fight against spam. He recommended that reputable marketers work on a fee-based e-mail system, where they pay a small fee to Internet service providers to create “white lists” – lists of commercial entities that are permitted to send e-mails – to ensure that their messages are delivered.

“There will be some real teeth put behind the law that will impose jail terms and significant penalties from a dollars and cents standpoint,” he said. “We also think … the criminal element has been trying to evade the law for some time now, so they’ll continue to try to find ways to evade the law.”