Tuesday, 25 November 2003

Spam canned throughout the land?

The House of Representatives approved the CAN-SPAM Act on Friday, by a vote of 392-5. The acronym stands for the not-so-clever moniker, "Controlling the Assault of Non-Solicited Pornography and Marketing Act." The Senate is expected to approve the measure this week, and President Bush has agreed "in principle" to sign the bill.

This bill would have been a reasonable first step to take against spam five years ago, and Congress should be ashamed of itself for dawdling so long. We should be debating the second or third revision of the Act by now. What is done is done, however, so let us explore what the CAN-SPAM act says.

Update, 29 Nov 2003. I have been asked to revise and augment this essay for publication in the Journal of Internet Law. Toward that end, I would appreciate any constructive comments from any reader.

The full text of the bill is available at C|Net. The news agency also gives a bullet-point summary amidst its coverage, and the Institute for Spam & Internet Public Policy (ISIPP) gives a ten-point summary. Finally, C|Net gives this brief summary of the entire bill:

If the measure becomes law, certain forms of spam will be officially legalized. The final bill says spammers may send as many "commercial electronic mail messages" as they like — as long as the messages are obviously advertisements with a valid U.S. postal address or P.O. box and an unsubscribe link at the bottom. Junk e-mail essentially would be treated like junk postal mail, with nonfraudulent e-mail legalized until the recipient chooses to unsubscribe.

First, a few preliminary comments before I get into specific provisions. Spam has been a scourge on the 'net since the early 1990s, when non-academics and non-scientists first logged on in large numbers. The volume of commercial email was low at first but has grown exponentially for years. The result has been frustration for users who drown in the flood of messages, higher costs for service providers who must process all the unwanted email, embarrassment for legitimate businesses whose servers are hijacked by spammers trying to disguise their identities, and the corruption of children whose parents try to shield them from pornography and other sex-based products. The Act does not go as far as many people think it should (which is why Congress's long inaction is so lamentable); but it is, as I said above, a reasonable first step. The House seems to have made a genuine effort not to be heavy-handed with the rights of advertisers. Still, the Act has some sharp teeth for consumers and, if it is properly enforced, has the potential to significantly reduce the burdens caused by spam.

Now, some comments on specific provisions. This is not intended to be a comprehensive analysis of the bill — but rather a few thoughts on the provisions I think are important or interesting.

Update (6pm):Several readers have asked me to insert anchors in my subject headings so they can link to specific pieces of this article. Here they are:

False Header Information

The "false header information" provision is perhaps the easiest part of the bill for non-technologists to grasp, because you can examine the underlying problem even if you do not understand the technology. Spammers often disguise the origin of their advertising to make it more difficult for individuals and ISPs to use automated methods to filter and delete spam. These disguises also induce recipients to open the spam mail and begin reading — by pretending to be legitimate messages (e.g., with a deceptive or misleading subject line). Imagine paper junk mail, delivered by the post office, that comes in an envelope whose return address seems to be from your bank or your doctor. When you open the envelope, you find a flier for hard core pornography.

When spam is disguised as legitimate mail, more people will open the message and read the first few lines before realizing its true nature. This gives the advertiser a better chance of selling his product, be it pornography, generic viagra, or home mortgage services. As more spam is dealt with by human beings (rather than filtered by computers), more advertisements get read, and more products will be sold — even if most people hit the delete key immediately. In paper based "direct mail" ad campaigns, a response rate of one buyer per 100 mailings is generally enough to break even. The cost of sending email is much lower than the cost of sending paper mail, so a response rate of one buyer per 100,000 mailings is likely to earn a profit. The cost of sending email only seems lower to the sender, however, because most of the costs are shifted to the receiver and the receiver's ISP.

Here is how the technology works, in a nutshell. An email's "header" is the addressing and routing information — such as the to, from, and date fields that you see at the top of each message. Most email software hides the bulk of the header from you, unless you take an extra step to have it displayed. This "hidden" information documents where the email originated and the route it took across the Internet to your inbox. Each computer on the Internet has a unique "IP address" consisting of four numbers separated by dots (periods). Each line of the "hidden header" contains the IP address of each computer that touched the email en route and states the action that computer performed. Usually, these intermediary computers simply receive the message and hand it off to another computer that is "closer" to the recipient; after five or six hops, the email arrives at your inbox, and the process stops. Each intermediary computer adds a line to the top of the header, so the very top line always documents your mail server's delivery to you. Each successive line below that will document where each computer got the message from, going all the way back to the original sender. For example, and email I received this morning has these two lines in its header:

  • Received: (from uucp@localhost) by andros.alumniconnections.com [198.212.10.70] (8.11.6+Sun/8.11.6) id hAPEpit20254; Tue, 25 Nov 2003 09:51:44 -0500 (EST)
  • Received: from voyager.bna.com(149.79.136.49) by andros via smap (V2.1) id xma010225; Mon, 24 Nov 03 15:04:27 -0500

The first line is from my mail forwarding service (which sent the message to my ISP after it added this stamp, and my ISP later delivered the message to me). The name of this computer is andros.alumniconnections.com, which resolves to the IP address 198.212.10.70. Before that, the message was handled by a computer named voyager.bna.com (149.79.136.49). This makes sense because the email in question was an Internet law newsletter from BNA, a publisher of print and electronic news, analysis, and reference products. Also note that each header line has a date & time stamp.

Some automated spam filters take advantage of this stamping process by searching the email header for computers that are known to be used for sending spam. The bottom line of the header should be the original sender, and the identities of the biggest spammers are well known, so it should be an easy matter to delete all messages coming from them. Spammers know this, however, so they go to great lengths to forge these headers and route their mail through other people's servers to disguise its true origin. CAN-SPAM's "false header information" provision would make this illegal. The practice is already arguably illegal under a patchwork of existing laws, which could be interpreted to cover this situation. However, there is no substitute for a clear, specific statute directly on point that removes all doubt.

Resource Misappropriation

The "resource misappropriation" provision is perhaps the most difficult for non-technologists to understand. Congress borrowed this idea from a line of judicial opinions based on a tort called trespass to chattel. A "chattel" is simply the legal term for an item of personal property — a toaster or a chair, for example. I cannot make toast or sit down when someone else is using my chattels without my permission. That property belongs to me, so the common law allows me to sue the person using it. If I prove my case, I would get money for the damages I suffered from the delay in satisfying my hunger or relaxing my legs, and the court would order the trespasser to stop. The crux of this policy is that a computer is a chattel just like a toaster or a chair. Intuitively, we all understand that if someone else is using my laptop, he is blocking me from using it at the same time.

In the spam context, we must look at the technology on a slightly deeper level than this simplistic first approach allows. The Internet relies on powerful computers called servers, which answer queries from many people at the same time. When I read Yahoo!'s home page, the odds are very high that many other people are reading it at the same time. Yahoo!'s web server can dish out thousands of pages at the same time. However, when the number of readers grows too high, even the most powerful server has trouble keeping up, and users experience delays — or worse, the server "crashes."

A similar phenomenon occurs with mail servers — the computers that process email after it is sent and before it is received. Suppose the average email user sends and receives an average of 20 legitimate messages per day and receives an average of 80 spam messages per day. His Internet Service Provider's (ISP) mail server will spend 80% of its time processing spam and only 20% processing the "real" mail — which is what the user (the ISP's paying customer) wants it to process. Instead of buying the server it wanted to buy, the ISP had to buy one with five times the processing power to accommodate the unwanted extra load. This does not increase the cost of the server linearly (by five times), but it does increase the cost of the server by a measurable amount. Similarly, the ISP has to pay for five times the bandwidth (transmission capacity) that its customers want to use. Even if the ISP filters out spam as a service to its customers, it must still pay for all this extra capacity — to receive each piece of mail, look at the contents of each message, and flag each message for deletion or delivery.

The first case to examine spam from this perspective was CompuServe v. Cyber Promotions, 962 F. Supp. 1015 (S.D. Ohio 1997). CompuServe, an ISP, sued Cyber Promotions (CP) over spam that CP was sending to CompuServe's customers. (CP is no longer in that line of business.) That court built on the analysis written by a California Court of Appeals from a year before in Thrifty-Tel, Inc. v. Bezeneck, 56 Cal. App. 4th 1559, 1567 (1996). The California court had held that "Electronic signals generated and sent by computer have been held to be sufficiently physically tangible to support a trespass cause of action." CompuServe, 962 F. Supp. at 1021. In other words, the electric impulses that computers use to communicate constitute a physical invasion of property when they are sent into a privately-owned system without permission. In Thrifty-Tel, a telephone company had sued the parents of children who engaged in "phreaking" — attempting to crack the company's authorization codes in order to make long distance calls without paying for them. The most famous decision in this line of cases is eBay v. Bidder's Edge, 100 F. Supp. 2d 1058 (2000), which extended the same reasoning to web servers.

Meaningful Unsubscribe Mechanism

Two pieces of the bill — the "working unsubscribe" and "anti-resubscribe" provisions — belong under the same conceptual umbrella, which I call the "meaningful unsubscribe mechanism."

The "working unsubscribe" provision would require each piece of spam to include instructions for the recipient to "opt out" of future advertising. This opt-out mechanism must function for 30 days after the spam is sent, to ensure that recipients have a reasonable opportunity to use it. Otherwise, the spammer could shut it down immediately after clicking send — before most people have received the junk mail.

Some spammers get around states' opt-out laws by removing people from lists when they make opt-out requests, then immediately adding the same person to a new list. This new list has a much higher economic value to the spammer because the addresses on it are "verified" — the spammer knows that each one belongs to and is being actively used by a live person. This formalistic interpretation of many state laws' opt-out requirements is not possible under CAN-SPAM's "anti-resubscribe" provision, which bars the spammer from adding opted-out addresses to other lists.

The "working unsubscribe" provision is the most controversial and troubling provision in the Act. A great controversy surrounds the question of whether spam should be an opt-in or an opt-out enterprise. An opt-in system would forbid unsolicited commercial email by requiring spammers to document that the owner of each email address on a mailing list has requested to be placed on that list. An opt-out system would permit unsolicited commercial email but requires spammers to remove an address from their lists when the person who owns it asks to be removed. The CAN-SPAM bill passed by the House came down on the side of opt-out.

The foundation of American law is the U.S. Constitution, and the First Amendment to the Constitution provides that "Congress shall make no law…abridging the freedom of speech, or of the press." Despite this plain language, the Supreme Court has held that not all speech is equal under the First Amendment. While indecent speech (e.g., ordinary pornography) is protected from most government interference, obscene speech and child pornography enjoy no First-Amendment protection whatsoever. (See, for example, Ashcroft v. Free Speech Coalition, 535 U.S. 234, 122 S. Ct. 1389 (2002) for child pornography and Miller v. California, 413 U.S. 15, 24-25 (1973); Smith v. U.S., 431 U.S. 291, 301-02, 309 (1977); and Pope v. Illinois, 481 U.S. 497, 500-01 (1987) for obscenity.) Commercial speech gets an intermediate level of protection. Central Hudson Gas & Electric Corp. v. Public Service Commission of N.Y., 477 U.S. 557, 564-65 (1980).

Since the First Amendment was ratified, it has been axiomatic that "prior restraints" on speech are one of the greatest evils threatening the health of our polity. A prior restraint is a government prohibition on a particular message before the speaker has a chance to communicate it. The freedom of speech and the fundamental liberty of self-expression demand that everyone be given an opportunity to voice his thoughts. Some speech is always socially harmful — such as threats of violence or statements made in the formation of a criminal conspiracy. However, it is simply not possible to articulate in advance a definition of all forms that such harmful speech will take without our definition also encompassing many forms of legitimate speech. Therefore, we only punish speech after it has been uttered, when we can analyze the facts of each case. True, this allows some harms to occur that we might otherwise prevent, but a system of prior restraints would create far more and far greater harms by having a "chilling effect" on socially-necessary speech.

Therefore, everyone must have a reasonable opportunity to stand in a public square, tap passers-by on the shoulder, and say, "Would you like to hear what I have to say?" However, the freedom of speech guarantees a right to speak — not a right to force others to listen. Each listener has the right to say, "No, I find your views offensive, and I do not want to listen to you." Spam may be the 21st century, commercial-speech embodiment of this tap on the shoulder. The mandated opt-out system is the listener's opportunity to decline.

Many people believe that commercial speech should get less protection than it does today. Consumer protection demands it, they argue. How else can we prevent hucksters from selling snake oil through lies and deceit? These arguments do have merit, and I do not mean to dismiss them here; they are just beyond the scope of this blog. However, it would be irresponsible not to note at this point that, in recent years, the Supreme Court has been backing away from the Central Hudson doctrine because it is proving impractical to differentiate commercial speech from other types of speech. In ten years, what is "commercial speech" today may get full constitutional protection.

Harvesting & Random Generation Prohibition

Spammers employ many strategies to collect email addresses for their spam lists. One common strategy is called "harvesting." Spammers write software that trolls the Internet for character strings that appear to be email addresses. The software scans the text of web pages, chat rooms, message boards, and usenet, recording all the email addresses it finds. The CAN-SPAM Act will make this practice illegal. The very next paragraph of the Act prohibits another common strategy, "randomly generating electronic mail addresses by computer." The combination of these two prohibitions will make it much harder for spammers to get a hold of functional email addresses.

Rights of Action

The Act allows states to enforce the act by suing spammers on behalf of their citizens and ISPs to sue on their own behalf or on behalf of their subscribers. This is a common-sense compromise between the factions advocating a private right of action (which would permit individuals to sue spammers for themselves) and those advocating federal enforcement (which would permit only the U.S. Attorney General to enforce the Act).

Both extreme positions carry dangers and benefits. With a private right of action, the courts might be clogged with individual or class action suits, and it would take too long to reach large judgments against spammers for the law to be effective. On the other hand, leaving enforcement in the Attorney General's hands exposes the law to the dangers of under-enforcement and political cherry-picking. First, spam may seem minor compared to violent crimes, which rightfully get prosecutors' prime attention. Spam prosecutions might fall by the wayside. Second, the economic and technological damage caused by any two pieces of spam are identical, but does anyone honestly believe that John Ashcroft would approve the prosecution of inkjet toner vendors if there are any pornography vendors still standing? With finite resources, any Attorney General (like any manager) must set priorities for his office, and I would never fault Ashcroft for setting clear guidelines. However, I frequently disagree with the content of his guidelines; and, in this context, his preferences would probably lead to systematic selective enforcement, which would be untenable under the First Amendment — which prohibits the government from treating different speech differently, based on its content or viewpoint. With all fifty states and hundreds of ISPs bringing spam suits, the danger of selective enforcement declines.

Preemption of State Laws

CAN-SPAM expressly "preempts" state laws dealing with spam. The Supremacy Clause of the U.S. Constitution (article 6, § 2) establishes that the Constitution, laws, and treaties of the United States "shall be the supreme law of the land" and that they preempt state laws where they are in conflict (and in certain other situations). California, in particular, has passed several statutes prohibiting spam. California's most recent statute, which will not take effect until January, is far more protective of consumers than CAN-SPAM. All of these laws would be rendered unenforceable by the federal Act.

Do Not Spam Registry

The House considered drafts of the bill that would have required the Federal Trade Commission (FTC) to maintain a "Do Not Spam" registry, similar to the "Do Not Call" registry that it recently established in conjunction with the Federal Communications Commission (FCC). Spammers would have been required to compare the email addresses in this registry to their own mailing lists and remove any addresses that match. In effect, it would have been illegal to send unsolicited commercial email to any address in the registry. However, the House rejected this provision (which would have required the FTC to create the registry) in favor of one that merely requires the FTC to study the issue and permits the it to create a registry if it sees fit.

Anyone taking odds on what the FTC will do? Before you answer, consider that the bill fails to allocate a single dollar to fund the registry.

Private Mail Policies

By making certain kinds of email illegal, the Act, by implication, renders all other kinds of email legal. However, some spam that Congress intended to make illegal will always slip through cracks in the law's definitions. (This is a fundamental shortcoming of human language, not necessarily a fault of Congress.) Therefore, the bill expressly permits ISPs to devise and implement their own, private email-handling policies.

Without this provision, ISPs would be vulnerable to lawsuits from spammers if they decide to block this slippery spam on their own. By blocking mail that is technically legal, the ISPs would arguably be liable for such torts as interference with business relations (for blocking legal business communications) and defamation (for falsely labelling messages as "spam"). Much like § 230 of the Telecom Act of 1996 (47 U.S.C. § 230), CAN-SPAM's "private mail policy" provision is designed to protect ISPs from an onslaught of litigation that would render them unable to conduct business. If ISPs cease operating out of fear of litigation, consumers would be unable to access the Internet at all.

Posted at 2:36:16 PM | Permalink
| Comments (11)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/74
Topics: Cybercrime, Cyberlaw, Politics, Spam, Technology
Email this entry to:


Your email address:


Message (optional):


Comments

Mr. Fingerman,

Excellent summary of and commentary on the CAN-SPAM Act.

I have bookmarked your site, especially the Skeptical Inquiry article, for possible use in a Freshman Seminar on "The Scientific World View" that I occasionally teach.

Keep up the good work.

Cheers.
SSS

Posted by Satinder S Sidhu: Sun, 30 Nov 2003, 9:43:54 AM

I don't have time to argue the merits of all the points right now, but one point struck me. You state that spam may be the 21st century equivelant of someone standing in a park, tapping people on the shoulder and asking them to listen to whatever they have to say. The problem is, this analogy doesn't hold any water - my email inbox is NOT the city park. It is my private property. Not only do I not have to listen, but there is no guaranteed right for you to be allowed to tap me on the shoulder in the first place.

The opt-out methodology in this law is probably the most troubling aspect. Not only has Congress made it clear that we must go through and manually opt out of every spam we receive, which is going to be enormously more time-consuming than simply hitting the delete button as we do now, but for the past few years we have been training computer newbies to NEVER reply or click an unsubscribe link in a message from a sender that they don't recognize, let alone open the email. Many of these types that I know have a hard enough time recognizing spam, to say nothing of them being able to determine if the unsubscribe link they are about to click will actually get them off the list or simply put them on 15 more. (I am aware of the auto-resubscribe language; however, offshores spammers, and those inside the US who simply couldn't care less about this law, will still exist and will still be happily spamming away. This illustrates another huge problem with opt-out. The law-abiding businesses no longer need your permission to start sending you spam, so long as they follow the provisions of this law regarding unsubscribe mechanisms, etc. The people who send the vast majority of spam right now - some estimates place a handful of people as responsible for upwards of 90% of all spam - are the people who are not going to follow this law. So the level of spam increases, since you now have legitimate businesses doing it alongside the Viagra hawkers. Even if the illegitimate spammers are caught and prosecuted, the damages are limited enough to the point that in many cases it is still commercially viable for them to continue what they have been doing for the past 5 to 8 years.)

The FTC do-not-email list has got to be the stupidest provision of this entire bill. Let's assume the FTC did manage to find funding for this. At some point, the list has to be provided to mass-emailers. And at some point, it *will* get into the hands of illegitimate spammers who will be THRILLED to have hit the goldmine of a list with thousands or millions of verified, clean, working email addresses. Not to mention, this would put a huge burden on businesses who have to find software to match a database containing potentially millions of email addresses against their email list, which would likely take a lot of computing power. The opt-in approach, by contrast, is simple and puts no burden on the business, and they benefit by having a list of customers who WANT their email, and who are going to be MUCH more receptive to their products, services, and offers.

Posted by Kevin Schumacher: Mon, 1 Dec 2003, 8:47:43 PM

Three quick responses to Kevin:

1. Opt-out & free speech. True, your inbox is your property, not a public sidewalk. However, I doubt you want the government deciding for you what you are allowed to receive there. You agree with this particular prohibition (spam), but what if they decide next to ban pornography? And then information on contraception? And then Islamic fundamentalism? Congress chose an opt-out scheme because individuals should decide for themselves what they read. The do-not-spam registry (if it ever comes to fruition) will be a valuable tool toward that end.

2. Third-party liability. The Act will hold many third parties liable to the same extent as those who actually send spam. (I did not discuss these provisions of the Act in this blog, but I do discuss them in some detail in the journal article I am working on right now.) The relevant parties are (a) sellers of the products and services advertised in spam and (b) vendors who provide goods and services to spammers. The spam I get is almost entirely ads for things on sale within the U.S. The people selling those things as well as the people who sell PCs, Internet access, and paper clips to spammers can be held liable. Once the first third party is prosecuted or sued, I foresee an immediate drop in the demand for advertising via spam.

Full disclosure: There is a state-of-mind requirement that goes beyond what must be proven for the spammer himself. Generally, a prosecutor (or plaintiff, in a civil suit) must prove that the third parties had actual knowledge of the CAN-SPAM violation or that a reasonable person would have known of the violation. The worst that could happen is that they get one freebie before someone informs them — then they are on the hook for all spam sent on their behalf (or sent with their equipment/supplies) thereafter.

3. Do-not-spam registry. Yes, the do-not-spam registry could theoretically be a gold mine of verified email addresses; and yes, spammers could relocate offshore. However, demand for advertising space will dry up awfully fast once the first vendor is prosecuted. If nobody selling products in the U.S. is willing to pay spammers to send spam, then spam aimed at the U.S. market will diminish. If you are worried about products like online casinos or pornography that can also be located offshore, realize that they still rely on U.S.-based assets to operate, and these can be seized. An online casino cannot operate for long if a plaintiff attaches all his MasterCard and Visa receipts to satisfy a default judgment.

Posted by Dan Fingerman: Mon, 1 Dec 2003, 10:01:39 PM

I have to agree disagree with the other Kevin on the 'public park' comparison. The Internet is quite literally such a public park. The only divisions in the internet are the fences (firewalls) that ISPs and consumers use to protect against hackers. The whole rest of the net is free open territory, no borders, no guards, no police, no nothing. So I agree with you here, Dan.

And I feel that the third-party section is probably the most important part of this new law, and if you feel like doing a comprehensive analysis of this section and its merits, please do post a link when you are done.

But I disagree on the registry. The spammers AND the suppliers can BOTH easily relocate. Remember we are not talking about IBM or Microsoft here, where you have to move factories and offices and thousands or millions of workers. We are talking about businesses (we'll be generous and not use accurate language to describe these people) with one to ten employees, at the very most, with rented properties, a product they can purchase elsewhere and have shipped to them wherever they move to, and no conscience. If they can sell generic viagra from Cuba and send all the spam they want to known valid addresses (thanks to a list of thousands or millions of people who have now given out their emails to the registry)... and as soon as one succeeds in getting away with it, most or all will follow suit within months.

You think one suit against the suppliers will curtail spam. I think that one supplier relocating and getting away with it will bring the flood of spam to proportions that will make the (comparatively) mild annoyance of today something we remember fondly and desperately wish we could return to.

Posted by Kevin: Tue, 2 Dec 2003, 8:52:08 AM

Kevin the first has my agreement; Kevin the second and Dan do not.

The Internet itself certainly is a public park, and I do not want the government making any decisions whatsoever concerning its content or who is allowed to speak. But my mailbox is not the Internet. It existed in other forms before the Internet, and even tho it may use TCP/IP to transfer mail, it is my mailbox. The public has no read access to my mailbox, and write access has to come thru th epost office, at the sender's expense. My mailbox is like a snail mail mailbox. It is for my use only. The general public has no right to stuff my snail mail box with circulars and ads and so forth. I have no desire to regulate ads on the street or in store windows, but I sure as heck would be upset if my snail mail mailbox was loaded with ads at my expense.

Posted by Felix: Tue, 2 Dec 2003, 12:23:39 PM

A peron's mailbox is not equivalent to a public anything, in that the unauthorized use of it has economic costs to the owner. For most people, these are indirect costs. For some, they are not.

While most people in the US enjoy free e-mail as part of their ISP agreement, not all do. Some of the people with free e-mail service must pay for connection time. In both these cases, spam imposes a direct cost on the recipient.

This is not true for a public forum.

Posted by Rod: Tue, 2 Dec 2003, 12:39:27 PM

I have been carrying on an email dialog with several readers on the point of the public/private characteristics of several aspects of the Internet. I believe one of the points I am making there counters, at least partially, the objections of Rod and Felix.

The contents of an email inbox are certainly private, but I am not convinced that the existence of the inbox is private information. To me, it seems more like a postal address, which is traditionally held out to the public, saying, "This is how to contact me." Some may disagree with this analogy, arguing that it is more like a private mailbox operated by a private entity, which receives mail on the user's behalf before distributing it via an internal system. That argumenth has a lot of merit, but I am not totally convinced by it. Superficially, it seems to fit precisely — but only because the U.S. government is not in the ISP business. To me, a private ISP seems more like the company that manufactured the physical mailbox I bought at Home Depot and installed in my yard. I am open to being convinced otherwise, however.

There are problems with opt-in, too. Whenever the government has made legal distinctions between channels of speech, especially channels as affected with technology as email, we have seen disaster. The best recent example is the furor over regulation of VoIP — whether it should be treated as a telephone-like service or an information/data service. (Click for background info.)

If the government tries to distinguish between email and other Internet-based communications, how should it define "email?" What is IM? Mobile messaging? RSS? All of those have varying degrees of similarity with email, web pages, and other formats — and these are just the ones that exist today. We cannot anticipate the channels of speech that will exist in five years, so we must be extremely careful in drafting laws based on current ones. I hate spam as much as anyone else, but I believe the free speech implications of an opt-in system are so dangerous that I am willing to put up with hoops like opt-out and a do-not-spam registry to avoid them.

I certainly understand the argument that opt-out is inconvenient because it requires each of us to contact each spammer individually. I believe a do-not-spam registry can solve most of this problem, if properly implemented and enforced. Yes, there may be ways around the registry. However, it will have done its job if it substantially curtails the amount of spam — even if some spam does slip through. For the few pieces that slip through, we can opt-out individually.

I disagree with arguments that the registry will be too difficult to enforce. For this, I must clarify something that I wrote earlier. There are two third-party liability provisions in the CAN-SPAM Act. The first makes liable many people who sell products and services to spammers. The second makes liable most people whose products and services are advertised via spam. Even if both groups of people relocate en mass to other countries, we can still enforce CAN-SPAM against them. For example, we can seize any assets they have that pass through the U.S. If any of them take credit card orders, a U.S. court can order the seizure of all their receivables from MasterCard and Visa. If they have accounts at any banks that have assets in the U.S., those assets are also vulnerable. It would be hard for any business to operate on the Internet without making use of some financial institutions that do not have a U.S. presence.

Posted by Dan Fingerman: Tue, 2 Dec 2003, 1:30:31 PM

Well, I believe that the email address you use is, technically, the legal property of the ISP or email provider. If they decide to cancel your account, perhaps for non-payment of account, you lose the address. It is a service provided to you by the ISP/email provided, for some cost you are expected to pay (even if that is only viewing their online ads). You are just borrowing it. So how can you claim to have the right to keep it private when you don't even own it to begin with?

And Felix, the only reason one has the PRIVILEGE (NOT the *right*) to not have your physical mailbox loaded with flyers at your monetary expense is because the Post Office -- which by the way is a government-owned BUSINESS and has no statutory powers whatsoever -- chooses to require payment of the sender. But this does NOT make it a RIGHT. Rights are things encoded in the US Constitution. But advertisers have the opportunity to pay to mail you an ad, and you must pay in time to throw it away. And if the post office wanted to charge you a fee to receive mail (and, in fact, they do if you ask for a post office box), that would be their prerogative. Oh, we could appeal to congress to deny their request if they tried to charge for delivery route boxes. But they could try, if they wished.

Posted by Kevin #2: Tue, 2 Dec 2003, 5:00:51 PM

The "tap on the shoulder" really isn't essential to free speech, nor is spam an expression of free speech. If someone has an opinion they wish to express, let them post it in relevant newsgroups or on their own website, preferably their own website. If I want something, I go shop for it: I specifically do NOT want to buy from rude companies (those who cold-call, spam, or go door-to-door).

Posted by Michael Steele: Tue, 2 Dec 2003, 7:56:57 PM

The term "spam" itself is not clearly defined in casual debate. What I would love to see regulated is Unsolicited Bulk Email. It's not the advertising content at fault, I see no need to prevent a seller who reads my report on Singing Monkeys from writing me to say, "You know, you might get better data if you observed them with my Simian Binoculars, just $29.99 this month." I object to this seller Googling for "singing" and blasting a boilerplate "Saw your web page, thought you might want to try Bob's Tuning Forks for only $5.99 each"

Dan promotes opt-out schemes "because individuals should decide for themselves what they read." Puzzling ... the definition of opt-in is that I declare explicitly what I wish to read! Worse, opt-out ensures that I must read things I do NOT want at least once.

Opt-out protects the voices of those I don't wish to hear (free speech), but let us draw a distinction between the content of a channel and the mode of its use. No one may shout through a megaphone in the park at midnight, regardless of what he's talking about. UBE is an abuse of the medium, and would be still if it promoted Islamic fundamentalism or open source software design instead of Viagra.

Dan also notes: "The spam I get is almost entirely ads for things on sale within the U.S." Sure, but ten years ago the spam I got was NIL, and ten years hence may be entirely for off-shore products. When tomorrow's problem is predictable, let's craft today's laws accordingly. That said, I do think that shutting down the top few spam lords will curtail the majority of today's problem, so if this law can do that it is definitely a step in the right direction.

There is a simple way to define a channel for the purposes of regulation. Let us agree to forbid the use of ANY communication channel that is by nature intended to reach a single person at a time (email address, telephone number, IM) for broadcasting without permission. I may subscribe my email to a mailing list, I may have my office voicemail added to a group distribution, but these must be my choice - opt in.

Posted by Sean Gugler: Wed, 3 Dec 2003, 9:52:49 AM

CAN-SPAM defines spam like this:

§ 3(2)(A): "The term 'commercial electronic mail message' means any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)."

Later, the Act excludes "transactional or relationship" messages. These are emails that are intended to implement transactions and emails between two parties who have a preexisting commercial relationship.

As to "bulk" email: the Act only prohibits sending "multiple" commercial emails. It defines "multiple" as: 100 in a 24-hour period, 1,000 in a 30-day period, or 10,000 in a 1-year period. § 4(a) (amending 18 U.S.C. § 1037 to include this definition).

Posted by Dan Fingerman: Wed, 3 Dec 2003, 10:08:25 AM



Powered by Movable Type