The eye-popping US$873-million judgment awarded to Facebook Inc. against a Montreal spammer will have little to no impact on cyber crime and spam distribution, according to industry analysts.
In a San Jose, Calif. court last Friday, a U.S. judge awarded the social networking giant $436.2 million in statutory damages and another $436.2 million in aggravated statutory damages against Montreal resident Adam Guerbuez and his company, Atlantis Blue Capital.
The Canadian spammer, along with 25 other unnamed people, were accused of falsely obtaining login data from Facebook users and then sending over four million sex- and drug-related spam messages over the social network. Guerbuez set up a dummy Facebook page, where users would enter their e-mail and password, in order to steal thousands of user logins.
The award is the largest judgment in U.S. history for an action brought under the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM).
David Senf, director of security and software research at Toronto-based IDC Canada, said the Facebook ruling signifies that courts remain serious about phishing and spam attacks, but the decision will offer little help to the security and privacy concerns of most consumers and businesses.
“Sadly, little will change as billions of spam messages will still arrive in inboxes daily,” he said. “The problem is that so much of hacking and spamming occurs from offshore, making prosecution, let along conviction and punishment, difficult.”
James Quin, senior research analyst at London, Ont.-based Info-Tech Research Group, said that similar fines and settlements have proved to have little impact on spam distribution. “Judgments in the hundreds of millions have already been handed down to spammers previously and that doesn’t seem to have stopped the flow of spam,” he said.
In 2006, a Florida man was fined $US11.2 billion for sending out over 280 million spam messages. And earlier this year, another ruling under CAN-SPAM saw two men accused of sending unsolicited messages relating to pornography and gambling sites over MySpace ordered to pay $234 million in damages to the social networking giant.
Quin said it was unlikely that the ruling would deter younger spammers – such as teenagers – or other emerging forces in the cyber crime industry.
“In terms of teens, they generally have the attitude that they are indestructible and I think this will extend to anticipating that they will never be caught,” he said. “Furthermore, they likely don’t circulate enough spam to really catch anyone’s attention. In regards to emerging spammers, it may give them pause, but again, it comes back to how much money there is to be made in spam.”
In a blog post earlier this week, Facebook’s security director Max Kelly called this month’s ruling an “important victory” for its users and against those who create and distribute spam. Kelly did admit, however, that it would be very unlikely that Facebook would ever fully collect on the court’s ruling.
“Does Facebook expect to quickly collect $873 million and share the proceeds in some way with our users? Alas, no,” he wrote in a blog post. “It’s unlikely that Guerbuez and Atlantis Blue Capital could ever honour the judgment rendered against them (though we will certainly collect everything we can). But we are confident that this award represents a powerful deterrent to anyone and everyone who would seek to abuse Facebook and its users.”
Quinn said that organizations that distribute spam in massive volumes are usually well protected with convoluted ownership and hidden business assets. “The judgment will result in payment, but I seriously doubt it will be anything more than a small fraction of the $873 million,” he said.
The judgment, according to Facebook, is a result of tireless efforts of the company’s security and legal teams, dedicated to stopping spam attacks at their source. Kelly also vowed to continue to invest in new security safeguards and future legal initiatives against spammers.
