Tuesday, 15 March 2005

I've been trolled

In the last 24 hours I received several emails relating to my last blog post, "Piracy Phishing." A couple have informed me (one politely, one hilariously) that I have been trolled. The "email" I received from "Jack Meihoff" of LiquidGeneration is a well-executed spoof. Run to your nearest Flash-enabled browser and check out this explanation of the gag.

Posted at 8:33:08 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/272
Topics: Cybercrime, Cyberlaw, IP, Technology

Saturday, 5 March 2005

Piracy Phishing

"Phishing" is a growing problem. In a cross between spam and scam, an email designed to look like a legitimate query from eBay, your bank, or someone else you trust purports to alert you to some problem and asks you to visit a web site, type in your name and password, and verify some information. The press has spent a lot of ink on this recently.

I just got caught a phish with an interesting twist. The email I received purports to be from the Motion Picture Association of America (MPAA). It accuses me of pirating movies and demands an unspecified payment. Then it provides a link which, I am told, will tell me the exact amount I owe to settle the claims of MPAA. The email is quoted below.

Unfortunately, the MPAA has never heard of the sender, Jack Meihoff, and it also states that it does not handle piracy cases in this manner. Also, the MAC address identified in the email is ficticious, and the domain in the link it points to (saynotopiracy.org) is registered to an entity called LiquidGeneration, Inc., incorporated in Illinois. The only individual person associated with its whois entry is one Bruce Freud. He can apparently be reached at:

Bruce Freud
LiquidGeneration, Inc.
200 E. Ohio, Suite 200
Chicago IL 60611
(312) 573-0123
bruce@liquidgeneration.com

I can find no mention of Jack Meihoff, Bruce Freud, or LiquidGeneration on MPAA's web site, and Google returns no hits for searches on mpaa.org for those keywords. Very likely, LiquidGeneration wants me to click on the link (which contains a long strong of random-looking characters to verify my email address in its spam database. The email originated from db1.liquidgeneration.com (65.61.160.116). Maybe it even has a payment mechanism and would ask me to type in a credit card number. If anyone out there actually cares, you are welcome to investigate the matter further. For my part, I will shortly send an email to the Federal Trade Commission and the California Attorney General with a link to this post.

The email follows:


From: Jack Meihoff
To: [my email address]
Subject: Motion Picture Association of America
Date: Sat, 5 Mar 2005 13:45:36 -0600

Illegal Movie Downloads
Motion Picture Association of America
Encino, California
3/5/2005 1:45:36 PM
Dan Fingerman
MAC ADDRESS: 00-11-2F-41-BD-21
Case No.: IS035HY36NURS0E8

Mr. Fingerman,It has been brought to our attention by John Smythe that you have been involved in the unauthorized downloading and transferring of licensed movies.

Federal laws mandate that you immediately cease and desist all illegal activities pertaining to movie theft. Further, you are required by law to pay all incurred penalties in conjunction with Amendment 34-C, officially passed on January 30, 2005.

In accordance with state jurisdictions, your failure to pay these penalties in full within 30 days of receipt of this notice will result in a warrant for your arrest. We are also required by law to inform you that a second offense will result in a minimum jail sentence of 90 days.

Penalties incurred in your particular case may be reviewed on our government Web site. All cases are deemed confidential. Penalties are assessed by each individual download, charged at a nonnegotiable rate of $1,200 per infraction. Click your specific case number (Case No.: IS035HY36NURS0E8 [link]) to view the total amount due or to dispute your case.

Sincerely,
Jack Meihoff Piracy AgentMotion Picture Association of America

Posted at 1:33:34 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/271
Topics: Cybercrime, Cyberlaw, IP, Technology

Tuesday, 15 February 2005

ChoicePoint & Privacy

I used to consider myself reasonably well informed about the issues surrounding privacy and information technology. I admit to feeling a little smug when I read Bob Sullivan's article on MSNBC yesterday, about breaches of consumer privacy admitted by ChoicePoint ("Database giant gives access to fake firms"). Mostly, I felt smug about one consumer whom Sullivan quoted as saying she had never heard of ChoicePoint — the data mining company that tries to collect and organize information about every consumer, business, and transaction that occurs in the United States.

However, my smugness vanished when I clicked through to a linked article, by Robert O'Harrow, Jr., of the Washington Post, that describes ChoicePoint in some detail ("ChoicePoint finds wealth in information"). I had no idea the company had reached such an enormous size and was still growing so fast. It was pretty humbling.

Posted at 7:04:44 AM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/268
Topics: Civil Liberties, Cybercrime, Privacy, Technology

Monday, 15 March 2004

FBI proposes expansive broadband "wiretap" rules

Declan McCullaugh and Ben Charny report on C|Net that Uncle Fed issued a proposal for expedited rulemaking [pdf] which would grant him new and expansive "wiretapping" powers for broadband Internet services. In this case, Uncle Fed is backed by the Federal Bureau of Investigations (FBI), Department of Justice (DOJ) and the Drug Enforcement Agency (DEA).

Two months ago, Uncle Fed asked the Federal Communications Commission (FCC) to do this dirty work for him. FCC Chairman Michael Powell paid some lip service to security concerns at the time, but he has apparently let the request languish. (At least, I have not seen the media report any subsequent FCC actions.) Around that time, I blogged on the word wiretap and complained that it makes a poor analogy to surveillance of digital communications ("Wiretapping & VoIP"). I would like to make the same comment again now and point out that Uncle Fed's newest proposal supports my point even more clearly.

I promise to write more on this in the near future. Unfortunately, I do not have time today to write a multi-volume treatise on the dangers these regulations would pose to civil liberties.

Posted at 8:40:16 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/213
Topics: Civil Liberties, Cybercrime, Politics, Privacy, Technology, VoIP

Monday, 12 January 2004

Wiretapping & VoIP

Last week, Uncle Fed (specifically, the Department of Justice, the FBI, and the Drug Enforcement Administration (DEA)) asked the FCC to force providers of voice-over-Internet protocol (VoIP) services to provide easy "wiretapping" capability to federal and local authorities. See Declan's report on C|Net: "Feds seek wiretap access via VoIP." A few comments are in order before the press mangles this situation and manages to obscure the facts. (Not to impugn Declan; I thought his article was good.)

Lawyers are in the language business, so we should examine the word wiretap to shed some light on exactly what Uncle Fed is asking for. Webster's Dictionary defines wiretap as an intransitive verb meaning "to tap a telephone or telegraph wire in order to get information." This definition is too circular to be useful at first, but this circularity becomes important later. Dictionary.com's nominal definition is a better starting point: "A concealed listening or recording device connected to a communications circuit." This was an accurate physical description when the term arose, during electric telegraphy's youth.

In those days, telegraphic circuits were hard-wired — that is, each pair of telegraph stations was connected by a single wire with one operator at each end. (Busy pairs of stations were connected by multiple wires, each one having operators at both ends.) Each transmission wire was plugged into a magnet-driven apparatus at each end that translated incoming electric signals into audible sounds and generated outgoing electric signals when the operator pressed a button. For an excellent beginner's text on early telegraphic technology and the economic and cultural developments it spawned, see Tom Standage, The Victorian Internet (1998).

In this environment, police had two options for surreptitious surveillance: (1) force the operator to disclose a message's contents after he received it, or (2) intercept the signal between the stations. Option 1 was inefficient because it was slow (the police had to wait for someone else to translate the message from Morse code and deliver it to them), and operators could not always be trusted to keep surveillance secret. Therefore, laws were passed that made option two mandatory. Telegraph companies were required to cooperate with the installation of a device (the "tap") onto their transmission wires that allowed the police to siphon off a tiny amount of the electric signal between two stations and send that signal to a police-operated station.

Later, switching technology made telegraphy more flexible. A switching device made temporary connections between transmission wires coming into the telegraph station. This allowed one operator (or more, at busy stations) connected to the switch to monitor several incoming wires simultaneously. Wiretap devices evolved in lock-step with switches and were quickly moved inside the switches so that fewer taps could monitor more transmissions without being physically reinstalled over and over. Whether this new configuration continued to qualify as "tapping" a "wire" is debatable. Early switching devices made temporary physical connections between telegraph wires by means of a third wire. Early switch tapping devices siphoned the electric signal off this switching wire, so there is a plausible argument that the term was still an accurate physical descriptor. Today we would understand the tapping devices as monitoring the operation of the switch device, not an individual wire within the switch. While wiretapping remained a reasonably good logical description of the tapping device's function, its accuracy as a physical descriptor was highly questionable.

The point to take from this is that wiretap first became an ambiguous term more than a century ago. Now reconsider Webster's circular definition, "to tap a telephone or telegraph wire in order to get information." Webster probably intended to denote the tapping of a circuit, not a wire, but we can forgive lexicographers for not being electrical engineers. However, Webster's definition unambiguously means eavesdropping on a single transmission or group of transmissions between two specified end points. In my experience, this is how law enforcers, laymen, and journalists all use the term. To convey the idea of collecting more than this information, they use such words as surveillance, eavesdropping, or data sniffing.

If the introduction of circuit switching made wiretap an ambiguous term, then the introduction of packet switching renders it positively useless. Packet switching is the transmission technology underlying the Internet Protocol, which is used for all Internet (and most local area network (LAN)) transmissions. Packet switching involves breaking data down into tiny pieces ("packets") and sending each packet across the network individually. This system eliminates the need for circuit switching, which dedicates a circuit to each transmission for the duration of that transmission. Few transmissions use the circuit continuously, so circuit switching inevitably involves inefficient "down time" for active circuits. Consider, for example, how frequently people pause while talking on the telephone. No information is transmitted during these pauses, but their circuit is monopolized nonetheless. Other callers cannot use this circuit until the first call ends — which forces the phone company to install a sufficient number of circuits to carry the maximum foreseeable number of transmissions simultaneously. This extra infrastructure is expensive to install and maintain.

Packet switching allows a small number of circuits to accommodate many transmissions because each one uses the circuit only while information is being actively sent. During each pause, the circuit is used for other transmissions. Additionally, different packets from the same transmission often take different routes across the network. Intermediate nodes will send packets along different routes to bypass busy sections of the network to avoid delays, among other reasons. Since packets must reach the destination individually, it must contain complete addressing information so that intermediate nodes can route it appropriately.

The same features that make packet switching more efficient than circuit switching also make it cheaper. (Sarcastic aside: This is as close to a "law" as the "science" of economics can offer us.) They also make it much more difficult to monitor communications. By definition, packets of information do not all travel through a packet-switched network by the same route. Therefore, there is no central box inside which to install a tapping device, as there is in circuit-switched networks.

The good news for law enforcers is that there does exist a place where all packets of a transmission must pass through before they are dispersed. That place is wherever the sender connects to the Internet backbone. "Backbone" is the name for high-speed networks that carry most Internet data until that data gets very close to its destination, at which time it is moved to a smaller (and usually private) network. All packets must travel from the sender's computer to the backbone through some identifiable means of transmission, be it in a cable or via wireless transmission in a form such as Wi-Fi.

The bad news for law enforcers is that each computer (or network) that connects to the Internet is connected via its own "pipe." They must install "tapping" devices on the connection used by each individual computer whose users' communications they intend to monitor. This requires that they get much closer to the target of the surveillance than they did with circuit-switched networks. In the old days, they could install tapping devices inside the switch at the telephone company's office. Conceivably they might do something similar at the target's Internet service provider (ISP). The FBI's (since-renamed) Carnivore project was an example of this. Unfortunately, this arrangement monitored traffic from all the ISP's customers, not just the intended surveillance target. In order to separate the target's transmissions from everyone else's, Carnivore has to read all packets that pass through. The only real solution to this problem is to install a device very close to the target — for example, in the cable that physically connects him to his ISP or at the antenna via which he transmits information to his ISP. This poses two main problems. First, the target may notice an unfamiliar device outside his house or office and become aware of the surveillance. Second, it is expensive because the police need to build many more devices and pay officers for the time it takes to install them at disparate locations.

By now, the linguistic difficulty of referring to any surveillance of data transmitted via the Internet as "wiretapping" should be obvious. At this point, I would like to shift direction slightly and briefly address a few related problems.

First, it is far from clear that the FCC has the authority to regulate VoIP as if it were a telecommunication service. It was widely reported last October that a federal judge in Minnesota ruled that VoIP companies provide "information" services, not "telecommunication" services, which means that states cannot regulate them under the Telecommunications Act of 1996. On the other hand, the 9th Circuit ruled earlier that month that the FCC erred in classifying cable broadband as an "information" service rather than a "telecommunication" service.

Second, according to Declan, Uncle Fed wants the FCC to require VoIP providers "to rewire their networks to guarantee police the ability to eavesdrop on subscribers' conversations." This is technically possible only for a few such services. In my understanding, Vonage sells black boxes that take input from a telephone and transmit data through the user's broadband ISP connection to Vonage's network, where Vonage routes it to another Vonage device or to a circuit-switched telephone network. Therefore, Vonage may be able to install devices that "tap" a specified user's conversations. Other services, however, operate in a fundamentally different way. Skype, for example, does not have any communications network at all. Its client software transmits voice data using the same decentralized P2P architecture found in Kazaa, the popular file-sharing client. (Skype was, after all, designed by the makers of Kazaa.) Therefore, Skype has no capability to install tapping devices, even if it wanted to cooperate with a hypothetical FCC order.

Third, as discussed above, to surveil transmissions on a packet-switched network, the police must read all data packets that pass through. If they ignore any individual packet, they may miss a piece of the message they intend to intercept. This makes it an unavoidable certainty that any "packet sniffer" will collect data that is not legally subject to surveillance — it would exceed the scope of all but the most expansive warrants. (Never mind that any warrant so expansive is probably unconstitutional because it would fail to state with particularity the information intended to be collected). Depending on the environment where the sniffer is installed, it may also collect data transmitted by third parties, who are not the intended targets of surveillance and who have a reasonable expectation of privacy in their communications. This is a Fourth Amendment problem of enormous magnitude — one that is well beyond the scope of this weblog.

Fourth, Uncle Fed's own statistics for 2002 show that about 80% of all wiretaps — both federal and state — were for criminal investigations in the course of enforcing drug laws. Only the remaining 20% were used for all other types of investigations. One is left to wonder whether the alarmist language in Uncle Fed's letter to the FCC was disingenuous: "criminals, terrorists, and spies (could) use VoIP services to avoid lawfully authorized surveillance." Uncle Fed tries to make it sound as if wiretaps are already an effective tool against such people when his own statistics show that wiretaps are rarely used against them. It would be another matter entirely if Uncle Fed intended to use VoIP monitoring technology to enforce drug laws. Even then, none of the dope dealers I knew of in college even knew what "broadband" meant — so it was unlikely that any of them had the equipment necessary to use VoIP. Even if drug importers are more sophisticated, the police can still monitor their communications through conventional warrants and responsible police work.

In conclusion, the only thing I can really say is that Uncle Fed's request is problematic, at best — and I am just a guy with an interest in Internet law, not an expert in history, technology, or constitutional law. If Uncle Fed was trying to start a national debate on the merits of Internet surveillance, it is about time we had one. If he thought he could slip this in under the radar, shame on him.

Posted at 1:04:31 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/185
Topics: Civil Liberties, Cybercrime, Privacy, Technology, VoIP

Friday, 9 January 2004

Treasury breaks privacy policy because it's convenient

The Alcohol and Tobacco Tax & Trade Bureau (an arm of the U.S. Treasury Department) lied to us.

Declan explains on C|NET that in March 2003 TTB solicited comments from the general public on "a proposal that could raise the price of malt beverages like Bacardi Breezer and Smirnoff Ice." The Bureau promised: "For the convenience of the public, we will…post comments received in response to this notice on the TTB Web site. All comments posted on our Web site will show the name of the commenter, but will not show street addresses, telephone numbers, or e-mail addresses." Far be it from us to expect an express promise to be kept. Fortunately (for democratic interests) but unfortunately (for TTB), the agency was overwhelmed with comments.

As news of the proposed regulations circulated around malt beverage aficionados online, word-of-mouth took over and comments started flooding in to nprm@ttb.gov. By October, the Treasury Department had received about 9,900 e-mail messages, plus 4,800 comments sent through the U.S. mail or fax — and decided it could no longer keep its promise.

"The unusually large number of comments received…has made it difficult to remove all street addresses, telephone numbers and e-mail addresses from the comments for posting on our Internet Web site in a timely manner," the Treasury Department said in a follow-up notice, published last month in the Federal Register. "Therefore, to ensure that the public has Internet access to the thousands of comments received…at the earliest practicable time, we will post comments received on that notice on our Web site in full, including any street addresses, telephone numbers, or e-mail addresses contained in the comments."


If a private company pulled a stunt like this and published the addresses of 10,000 people, its executives would go to prison. The government, however, has a long history of treating itself differently. See, for example, Congress' eagerness to spam voters a week after passing the CAN-SPAM Act.

Via beSpacific

Posted at 12:22:15 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/183
Topics: Cybercrime, Cyberlaw, Privacy, Spam

Wednesday, 7 January 2004

FBI uses web bug to track extortionist?

Abandoning the incentives not to report cybercrime (see my last blog entry), Best Buy called in the FBI when it received emails threatening to expose security weaknesses in its e-commerce site unless the retail giant forked over $2.5 million. The Bureau worked with Best Buy to snare Thomas E. Ray III, of Mississippi, the would-be scammer. The most interesting feature of this case is in the tools used by the FBI to catch the alleged blackmailer. The Bureau responded to Ray's messages with its own emails laced with something that allowed it to trace the IP address from which he read them.

Unfortunately, the early press reports are unclear as to exactly what that something was. The St. Paul Pioneer Press reports that the investigation "was aided by a computer-tracing technique." The FBI got "permission from the courts to use a specialized e-mail device — called the Internet Protocol Address Verifier — to track down the author." I have no idea what an "Internet Protocol Address Verifier" is, but it sounds an awful lot like a web bug.

Web bugs are tiny pictures embedded in email messages using HTML. When an HTML-enabled mail client opens the message, it renders the HTML — including any image tags. The sender can embed an image tag that will query his own web server for an image file, then examine his server logs to determine from what IP address the query came. For example, I could send an email with HTML tags pointing to images stored on www.danfingerman.com, then record the IP addresses of all requests for that image. After I collect the IP addresses and dates & times the image was accessed, I could take a page from RIAA's playbook and find a way to intimidate ISPs into telling me which individuals were using each IP address at the relevant date and time. Then I would know who read my email, the exact date and time, and I could get more information with some extra effort — like the reader's home address and phone number or the geographic location where he read the message.

Web bugs got the name bug after spammers started using them to verify email addresses. Recording calls to an image stored in a static location on a web server is not very helpful when you send email to millions of addresses and have no good way to link each IP address & time/date combination to a particular email address. (Believe it or not, the DMCA does have limits.) Spammers began to design web server software with dynamic links to a single image measuring 1x1 pixel. The images are tiny so that most people will not notice them (how often do you really view the source code of your email?) and to make them load quickly — before most people could hit the delete key. The relevant HTML tag written into each individual email would include a directory path that included the address to which that message was sent. Then, the web server's log would record the image request with the email address (as a simple text string) as part of the directory path to the image. This made it obvious which email addresses the queries were coming from. "Verified" email addresses are like gold for spammers, and they would use this information to charge higher prices for their services — because they could now guarantee that a higher percentage of their emails were being delivered to addresses where an actual person would see them.

The Pioneer Press article makes the FBI's Internet Protocol Address Verifier sound a bit like a web bug, but it is ambiguous. For example, it calls the verifier "a specialized e-mail device." Furthermore, the St. Paul Star Tribune had this to say ("Feds thwart extortion plot against Best Buy"):

The federal search warrant was obtained the morning of Oct. 24 [2003] and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.

Assistant U.S. Attorney Paul Luehr said the address verifier was one of several investigative tools the government used to track Ray down.

"It was a tool that helped us confirm that other leads were moving in the same direction," said Luehr, who declined to discuss details of the investigation.


Did you see that? The Star Tribune called the verifier "a program." A web bug could never be confused with a "program." The source of my confusion should now be obvious.

If anyone knows what the heck an Internet Protocol Address Verifier really is, please let me know.

Posted at 12:11:01 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/178
Topics: Civil Liberties, Cybercrime, Cyberlaw, Spam

Cybercrime underreported in Australia

From the "understandable but regrettable" department. A study [pdf] by the Victorian Parliamentary Drugs and Crime Prevention Committee found that individuals and companies were reluctant to report cybercrimes and fraud. Being taken advantage of can be embarrassing, and businesses fear losing revenue after being perceived by the public as insecure or incompetent. These reasons are understandable (and occasionally rational); but, from a social-welfare perspective, I would like to see this trend reverse.

Posted at 11:13:48 AM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/177
Topics: Cybercrime

Monday, 5 January 2004

Norweigan authorities drop DeCSS case

Mary of bIPlog reports that the Norweigan prosecutors on the DVD Jon case have decided not to appeal his second acquittal. This is wonderful news.

Posted at 11:03:11 AM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/170
Topics: Civil Liberties, Cybercrime, Cyberlaw, DMCA, IP, Technology

Tuesday, 30 December 2003

Do spammers fear CAN-SPAM?

Alan Ralsky, Detroit's resident spam lord, told the New York Times that he intends to comply with the CAN-SPAM Act to the best of his ability because he fears a $6 million fine and going to prison. ("An Unrepentant Spammer Vows to Carry On, Within the Law") He says he stopped sending email ads earlier this month, even before President Bush signed the bill into law, to give himself time to bring himself into compliance. Ralsky intends to resume his business in January — legally — once his new systems are complete. He claims that he will identify himself in each email and honor any opt-out requests that he receives.

We should, of course, take Ralsky's self-serving statements with a grain of salt. He sees himself as an honest businessman with an undeserved bad reputation. He expects ISPs to stop filtering his mail after CAN-SPAM takes effect — despite that the law does not require them to do so and that they have at least as great an incentive as before to continue filtering.

If you are still wondering how out of touch Ralsky is, consider an event that occurred thirteen months ago. In November 2002, Mike Wendland of the Detroit Free Press wrote a profile of Ralsky's $750,000 mansion, dubbed the house that spam built. Two weeks later, Wendland reported that anti-spam activists had used the information in his first column to figure out Ralsky's home address.

"They've signed me up for every advertising campaign and mailing list there is," [Ralsky] told [Wendland]. "These people are out of their minds. They're harassing me."

That they are. Gleefully. Almost 300 anti-Ralsky posts were made on the Slashdot.org Web site, where the plan was hatched after spam haters posted his address, even an aerial view of his neighborhood.

"Several tons of snail mail spam every day might just annoy him as much as his spam annoys me," wrote one of the anti- spammers.

Posted at 6:27:50 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/165
Topics: Cybercrime, Spam

Third-party fix for IE URL spoof vulnerability

While Microsoft has yet to fix the URL spoof vulerability in its Internet Explorer browser, at least one amateur software enthusiast community has come up with a robust solution. Users of Proxomitron have found a way to use the local proxy server and web filtering client to work around IE's shortcoming. The proxomitron filters posted in this forum alter links and buttons that lead to web pages that exploit this vulnerability. Additional filters posted there will trigger an alert message box when the active web page contains links that exploit the vulnerability.

These solutions were created by users, free of charge and with no expectation for payment — for fun and for the benefit of Internet users generally. The first request for a fix was posted on 12 December, and four filters were available that same day. Over the next five days, the filters were refined and made more robust, until they handled all situations yet conceived by their developers. Note for emphasis: amateurs created a comprehensive solution in five days. All this happened while Microsoft, one of the most profitable software companies in the world, has been unable or unwilling to fix the problem for nearly a month. Anyone care to explain to me again how high-quality software cannot exist without a profit motive?

Posted at 12:15:27 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/162
Topics: Cybercrime, Technology

Monday, 29 December 2003

Cyberbullying and school (in)action

The Christian Science Monitor has a feature article by Amanda Paulson on "cyberbullying." The article outlines the problem, analyzes it as merely a new platform for old-fashioned bullying, and discusses the perils of censoring speach for short-term disciplinary goals. I think that analysis is on the right track, but I would like to add a few points.

The article ignores the grandaddy of all cyberbullying cases and the publicity that surrounded it — the case of Jake Baker and the University of Michigan. Mr. Baker's First Amendment defense ultimately led to his exoneration of charges of making threats. (See the EFF case archive for comprehensive information.) The CS Monitor article does, however, discuss the more recent case of "Ghyslain, the Canadian teenager who gained notoriety this year as 'the Star Wars kid.'" This young man videotaped himself goofing around with a broomstick, as if it were a fighting staff.

Some peers got hold of the video, uploaded it to the Internet, and started passing it around. Doctored videos, splicing him into "The Matrix," "The Terminator," or the musical "Chicago," with added special effects and sounds, soon followed. He's now the most downloaded male of the year. According to news reports, he was forced to drop out of school and seek psychiatric help.

"It's one of the saddest examples," says [Glenn Stutzky, an instructor at the Michigan State University School of Social Work]. "He did one goofy little thing, and now it will always be a part of that young man's life."

The article also mentions that (public) schools may lack the authority to shut down off-campus channels of speech used for bullying. The author seems to divide this into two distinct points, one practical and one legal, but it could stand some clarification. First, schools lack the practical ability to censor such centralized speech channels as web-based bulletin boards and instant messaging networks — because the school is not the central entity. These are generally physically controlled by private companies. When it comes to open and decentralized channels (like email, IRC, or usenet), the school has no chance. Second, the legal barriers. Any action that schools take or fail to take can open them up to the modern American passtime, lawsuits. Any course of action necessarily requires the school to make judgments that pit one student's civil rights against another's — specifically, the right of the bully to speak vs. the right of the victim to have a public education free from harassment. Schools are understandably reluctant to break any new ground in this context. If I were a school board lawyer, I might recommend the most conservative course of action I could think of.

However, schools are not always so loathe to target Internet speech that is generated off-campus. Some get trigger happy when a student's web site criticizes teachers or administrators. Just the other day, I blogged on a recent case involving the Oceanport School District in New Jersey. I could probably turn up ten more examples in as many minutes on Google.

Finally, I want to highlight a case described in the article that displays the best the First Amendment has to offer. "J. Guidetti, principal of Calabasas High School, did get involved, after comments on schoolscandals.com caused many of his students to be depressed, angry, or simply unable to focus on school." All of Guidetti's initial efforts failed — as long as he used a law-enforcement approach. Then, he decided to counter speech with speech:

Eventually, a local radio station got involved and put enough pressure on the people running the site — a father-son duo — that they took it down in the spring. Already, there's a schoolscandals2 — relatively harmless, so far. Guidetti checks it regularly for offensive content, one of the ever-growing tasks of a 21st-century principal.

To be clear, I do not advocate publicly shaming people for their speech. However, opinions that wilt in sunlight are exactly the sort that the Framers of the constitution believed could be controlled by encouraging counter-speech. Guidetti engaged in honest public debate, convinced more people than his opponents, and won the day. By taking his case to the airwaves, Guidetti created speech where he had previously tried to destroy it, and liberty had a rare chance to serve a utilitarian purpose.

Posted at 9:45:19 PM | Permalink
| Comments (1)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/161
Topics: Civil Liberties, Cybercrime, Cyberlaw, Privacy, Technology

E-voting security firm hacked

The Associated Press reports (via Wired News) that the e-voting security firm VoteHere, of Bellevue, Washington, was hacked in October. A yet-unidentified individual gained illicit access to VoteHere's network and read internal documents and may have copied some files. Company executives reportedly blame the break-in on the recent spate of public attention paid to electronic voting. If nothing else, this episode highlights the tenuous security to which public elections might be entrusted. (Via beSpacific)

Posted at 9:08:46 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/160
Topics: Cybercrime, eVoting

Sunday, 28 December 2003

Scam exploits IE URL spoof vulnerability

It was only a matter of time before someone exploited the Internet Explorer URL spoof vulnerability. (As Xeni Jardin points out, Microsoft has yet to issue a fix.) This particular scam involves an email that purports to be from PayPal and includes a link that appears to take the unwary reader to PayPal's web site, where he is asked to "verify" his account information. The users is really taken to http://www.epack.ch/p/verify.htm, which looks like a legitimate PayPal page and which the scammer thoughtfully induced IE to make it look like it is hosted at PayPal.

Posted at 3:49:29 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/158
Topics: Cybercrime, Technology

Wednesday, 24 December 2003

CyberAge Stalking on LLRX

Barbara Fullerton of Locke, Liddell & Sapp has published an interesting article on LLRX called "CyberAge Stalking." She reviews several high-profile cases, the tools used in each case, and the statutes passed in their aftermaths.

Posted at 3:45:24 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/150
Topics: Cybercrime, Cyberlaw

Monday, 22 December 2003

DVD-Jon acquitted — again!

The Norweigan newspaper Aftenposten reports that Jon Johansen has been acquitted — again ("DVD-Jon wins new legal victory"). He was being tried for copyright infringement a second time (by an appellate court, this time) for his role in creating DeCSS. The power brokers in the movie industry are, of course, "disappointed."

Posted at 9:31:42 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/146
Topics: Cybercrime, Cyberlaw, IP

Friday, 19 December 2003

Dutch high court: Kazaa not liable

The Dutch supreme court has ruled that the makers of Kazaa are not liable for illegal use of the software by users. Reuters UK reports ("Dutch Court Throws Out Attempt to Control Kazaa"):

The decision by the Dutch court, the highest European body yet to rule on file-sharing software, means that the developers of the software cannot be held liable for how individuals use it. It does not address issues over individuals' use of such networks. […] The Supreme Court rejected demands by Buma Stemra, the Dutch royalties collection society, that distribution of Kazaa cease and that future versions be modified so that copyrighted materials cannot be exchanged over the network, lawyers representing Kazaa said.
It looks like Matt Oppenheim, a senior vice president of RIAA, has to eat his words from March 2002. Describing the Dutch appeals court action underlying yesterday's supreme court decision, he said: "I don't think this summary decision…will have any more impact than it would have from any other country that doesn't enforce copyright law consistent with the United States." Matt, perhaps you can tell me if I spelled "jingo" correctly.

Posted at 10:53:25 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/139
Topics: Cybercrime, Cyberlaw, IP, P2P

Wednesday, 17 December 2003

CAN-SPAM coauthors respond to criticism

The two coauthors of the CAN-SPAM Act, U.S. Senators Ron Wyden (D-Ore.) and Conrad Burns (R-Mont.), published an essay yesterday in response to criticism of their bill. They state in no uncertain terms what I have been saying all along — that CAN-SPAM is not a silver bullet but that it is a good first step. The money line: "Big-time spammers will inevitably violate the Can-Spam Act because it strikes at the heart of how their sleazy businesses work." (Thanks to GrepLaw for the heads up.)

Also, I did not mention yesterday that President Bush signed the Act.

Posted at 2:00:15 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/133
Topics: Cybercrime, Cyberlaw, Politics, Spam, Technology

Webb filters CAN-SPAM

Today, Washington Post columnist Cynthia Webb writes about the CAN-SPAM Act. She nicely summarizes the major criticisms of it, taking excerpts from other journalists. Article: "Un-Canning Spam"

Posted at 9:25:45 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/132
Topics: Cybercrime, Spam

Monday, 15 December 2003

Spam rage defendant pleads not guilty

I would not have picked Charles Booher's way of becoming famous, but famous he is. He also pleaded not guilty the other day to charges of making threats. The San Jose Mercury News has coverage.

Posted at 10:47:38 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/121
Topics: Civil Liberties, Cybercrime, Cyberlaw, Privacy, Spam, Technology

Friday, 12 December 2003

Virginia launches felony spam prosecutions

Virginia's Attorney General, Jerry Kilgore, announced yesterday that his office has launched two prosecutions on felony charges related to sending spam. One well known spammer, Jeremy Jaynes, a.k.a. Gaven Stubberfield, was arrested in Raleigh, NC, where his alleged coconspirator, Richard Rutowski, negotiated his surrender to authorities. (The New York Times and Washington Post have coverage: NYT "Virginia Indicts 2 Under Antispam Law," WP "Virginia Indicts Two Men On Spam Charges.")

Much ado has been made of the federal CAN-SPAM Act's preemption of state spam laws, so let us compare a few features of the Virginia and federal statutes.

The crime defined under the Virginia law becomes a felony when the spammer sends more than 10,000 illegal messages in a day or 100,000 in a month. CAN-SPAM's bar is set much lower, requiring only 100 and 1,000 messages, respectively, to trigger felony penalties. The maximum prison sentence is 5 years under both laws, assuming that aggravating factors are present. Finally, the Virginia law permits a fine up to $2,500, whereas CAN-SPAM permits fines under Title 18 U.S.C., which can reach many times higher than $2,500.

In addition, the Virginia law requires that spam pass through the state. Unless an email is sent to a Virginia resident, it can be impossible to prove beyond a reasonable doubt that the message passed through the state's borders, unless it was handled and its header stamped by a mail server in that state. Virginia is more the exception than the rule in this area, as the home of America Online (AOL), the world's largest ISP. It is unlikely that any spam would not reach at least one AOL customer. The other 49 states would have a harder time proving this element of the crime. CAN-SPAM, on the other hand, is triggered when spam affects any "protected computer," as defined in 18 U.S.C. 1030(e)(2)(B): "a computer…which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States." That definition includes all computers that connect to the Internet.

Posted at 10:55:40 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/114
Topics: Cybercrime, Spam

ECPA permits employer to search stored email

Law.com reports that a Third Circuit panel has interpreted the Electronic Communications Privacy Act (ECPA) to permit an employer to search its employees' email messages that are stored on its network ("Federal Law Allows Employer's Search of Worker's E-Mails"). Such a search, the court held, does not constitute "interception" of messages during "transmission," as prohibited by the ECPA. The full text of the decision in Fraser v. Nationwide Mutual Insurance Co. is available via FindLaw.

Posted at 10:29:23 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/113
Topics: Civil Liberties, Cybercrime, Cyberlaw, Privacy, Technology

Tuesday, 9 December 2003

Response to Anita Ramasastry's criticism of CAN-SPAM

GrepLaw gives a pointer to Anita Ramasastry's FindLaw article criticizing the CAN-SPAM Act. She scores a few points, but she ignores several important provisions that render her conclusions — in my opinion — wrong.

CAN-SPAM's major faults, in Ramasastry's view:

  • Not all spam is prohibited
  • Individual consumers cannot file lawsuits to enforce the Act
  • Many spammers are already located abroad or will soon relocate abroad — beyond the reach of U.S. authorities
  • Many spammers have few assets and are therefore judgment-proof
  • Spammers can ignore the hypothetical do-not-spam registry that the FTC has not yet designed and implemented
  • The hypothetical registry will be challenged under the First Amendment
  • State spam laws are preempted
  • Technological solutions to the spam problem are preferable to a statutory one.

First, on the prohibition of some but not all spam. This criticism seems somewhat disingenuous, since Ramasastry later recognizes that the First Amendment would prevent a prohibition of all advertising via email. Furthermore, She appears to assume that any do-not-spam registry will be struck down under the First Amendment. The do-not-call registry is a good model to look at — precisely because its legal status is currently undergoing judicial review. This litigation will, eventually, clarify the law. Besides, if it is struck down, the obvious workaround is to implement the registry in a new way, that deals with the First Amendment problems.

Second, on enforcement by individual consumers. CAN-SPAM expressly provides for enforcement by at least 110 government bodies, plus any ISP "adversely affected" by illegal spam. The public servants will have strong political incentives to file spam lawsuits, and ISPs will have strong economic incentives. Why add hundreds of millions of consumers to this list when their lawsuits will inevitably be less well-funded than the institutional enforcers? With potential damage awards of $6 million for public enforcers and $3 million for private enforcers, those entities will easily be able to recoup their legal costs (even if they are not awarded attorney fees, as provided in the Act).

Third, on the difficulty of enforcing CAN-SPAM against foreign and judgment-proof spammers. The Act's third-party liability provisions will solve much of this problem. The Act attaches liability to (1) any business knowingly promoted via illegal spam and (2) any vendor that provides goods or services to a spamming operation with knowledge that those goods or services will be used to send spam. These provisions give third parties one free bite — before the first potential plaintiff sends a cease & desist letter, putting them on official notice. Much advertising currently distributed via spam promotes products on sale within the U.S. or manufactured or sold by people in the U.S. Once the first such person is prosecuted, the demand for advertising space in spam will decline precipitously. Spam will inevitably decline, as fewer people are willing to pay for it.

Fourth, on the purported shortcomings of the do-not-spam registry. For god's sake, give the thing a chance before you accuse it of failing. As I said above, the FTC can learn from the outcome of the pending do-not-call litigation, and there is an infinite variety of implementations that the do-not-spam registry could take. I proposed one not long ago. Also, the possibility that some spammers will evade it is not a reason not to try. CAN-SPAM's third-party liability provisions do not currently apply to registry violations, presumably because the registry does not exist and the Act only empowers the FTC to consider the idea of the registry. That shortcoming can easily be rectified by an amendment to the statute or FTC rule.

Fifth, on state spam laws. How, exactly, is the fundamental shortcoming of the Westphalian territorial legal system solved by having fifty state laws, no matter how restrictive? What if a spammer in California sent spam only to residents of other states and other countries? No state or country would have jurisdiction. The major complaint in this area that does have some validity is the preemption of California's tough opt-in law with the federal opt-out standard. This is a valid criticism, but it goes to the policy choices that Congress made when it traded opt-in for the possibility of an effective opt-out registry.

Sixth, on technological solutions. You cite Congress's findings on the rapid rise of spam traffic in an era that had no comprehensive spam law. The primary method of dealing with spam has been technological measures. And the volume of spam rose rapidly during that period. One of CAN-SPAM's greatest strengths is that it expressly permits ISPs to implement private mail policies — a provision that should exempt them from tort liability for doing so. It looks somewhat like § 230 of the Telecommunications Act of 1996 in that respect.

Posted at 5:42:09 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/106
Topics: Cybercrime, Cyberlaw, Spam

Monday, 8 December 2003

Mexico threatens 3 with treason charges for data sale

The government of Mexico is threatening to charge three of its citizens with treason. They are executives of a company called Soluciones Mercadologicas en Bases de Datos, which sold a database private information on 65 million Mexican voters to ChoicePoint, an Atlanta-based database company. ChoicePoint bought the data at the behest of the U.S. government shortly after 11 Sept. 2001 to help bolster Uncle Sam's investigation of terrorism.

The database contained such private information as the number of cars owned in households and unlisted phone numbers. If nothing else, this episode highlights the incumbent dangers when a government — any government — collects massive amounts of data on its citizens without a compelling and clearly articulated purpose. What, for example, does voter registration have to do with the number of cars one owns?

The Macon Telegraph has the story: "Mexican company officials may face treason charges."

Posted at 9:45:15 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/101
Topics: Civil Liberties, Cybercrime, Politics, Privacy, Technology, eVoting

Sunday, 7 December 2003

Finished writing CAN-SPAM summary & comments

I finished writing my formal summary and commentary on the CAN-SPAM Act for the Journal of Internet Law. I would like to thank everyone who posted and emailed comments over the last two weeks; they all helped me clarify the issues. Several of you asked me to post the paper here. I will do so, as soon as I get "permission" — i.e., confirmation that posting it here will not jeopardize its publication next month. Meanwhile, my preliminary thoughts are still available here.

Posted at 10:22:21 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/97
Topics: Cybercrime, Cyberlaw, Spam

Monday, 1 December 2003

Hi-tech protection racket

BBC News reports a new twist on an old scam. ("E-commerce targeted by blackmailers") A Russian organized crime syndicate is allegedly threatening e-commerce sites with distributed denial of service (DDoS) attacks unless they pay protection money.

Posted at 12:48:34 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/84
Topics: Cybercrime

Thursday, 27 November 2003

Worm infects Diebold ATMs

Diebold, the very same company being raked over hot coals for its authoritarian response to criticism, now has the ignoble honor of being the first ATM manufacturer to have its machines infected with a worm. (New Scientist: "Cash machines infected with worm")

The controversy over Diebold's electronic voting machines is no longer theoretical (if it ever was). This is a real-world, already-happened, no-excuses problem affecting a Diebold product very similar to its voting machines. How could this happen? Simple — Diebold's ATMs run Windows XP.

Posted at 10:44:44 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/79
Topics: Civil Liberties, Cybercrime, Cyberlaw, DMCA, IP, Privacy, Technology, eVoting

Wednesday, 26 November 2003

Man charged in "spam rage" case

This seems to be a first. Charles Booher of Sunnyvale, California has been arrested and charged with 11 counts for threats he made to a company he blamed for sending him spam and causing web popup ads on his computer. Wired News reports ("Man Arrested Over 'Spam Rage'"):

Booher threatened to send a "package full of Anthrax spores" to the company, to "disable" an employee with a bullet and torture him with a power drill and ice pick; and to hunt down and castrate the employees unless they removed him from their e-mail list, prosecutors said.

This case presents a good opportunity to mention a recurring a point about defining classes of speech for legal purposes. I have yet to see a case where this was not problematic, but it is never more so than when the communication of words alone constitutes a crime. Mr. Booher's words (as reported in Wired) clearly threatened physical violence, his intent to make a threat seems clear, and he communicated the threat to the threatened person — satisfying the basic requirements of most threat statutes. Do prosecutors have a slam dunk case? Maybe. But the inquiry only starts there.

It is what Wired failed to report that I find interesting. The article in Saturday's San Jose Mercury News makes Booher look much more sympathetic. (Article: "Spam sends local man into rage") There, we learn that Booher "is a three-time survivor of testicular cancer" and that the overwhelming flood of spam that triggered his emotional outburst was hawking — you guessed it — penile enlargement products. Suddenly, his response is understandable.

Before you send me angry email, note that I do not condone what Booher did. My point here is that it is irresponsible to condemn someone based on a small amount of information. When the condemnation implicates the most basic liberties of any free society, we have to be especially careful. Some of you may remember Jake Baker, the University of Michigan student who wrote a revolting rape/torture/murder fantasy story about a classmate and posted it on alt.sex.stories. Baker was charged with making threats, notwithstanding that he had unambiguously stated that the story was fiction. The subsequent uproar ended with his exoneration of all charges of making threats — a result demanded by the First Amendment. For those unfamiliar with the case, the Electronic Frontier Foundation (EFF) maintains an archive of relevant documents. (If you have a strong stomach, the story is still available online. However, you have been warned: This is pretty sick stuff.)

Posted at 5:32:16 PM | Permalink
| Comments (0)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/75
Topics: Civil Liberties, Cybercrime, Privacy, Spam, Technology

Tuesday, 25 November 2003

Spam canned throughout the land?

The House of Representatives approved the CAN-SPAM Act on Friday, by a vote of 392-5. The acronym stands for the not-so-clever moniker, "Controlling the Assault of Non-Solicited Pornography and Marketing Act." The Senate is expected to approve the measure this week, and President Bush has agreed "in principle" to sign the bill.

This bill would have been a reasonable first step to take against spam five years ago, and Congress should be ashamed of itself for dawdling so long. We should be debating the second or third revision of the Act by now. What is done is done, however, so let us explore what the CAN-SPAM act says.

Update, 29 Nov 2003. I have been asked to revise and augment this essay for publication in the Journal of Internet Law. Toward that end, I would appreciate any constructive comments from any reader.

The full text of the bill is available at C|Net. The news agency also gives a bullet-point summary amidst its coverage, and the Institute for Spam & Internet Public Policy (ISIPP) gives a ten-point summary. Finally, C|Net gives this brief summary of the entire bill:

If the measure becomes law, certain forms of spam will be officially legalized. The final bill says spammers may send as many "commercial electronic mail messages" as they like — as long as the messages are obviously advertisements with a valid U.S. postal address or P.O. box and an unsubscribe link at the bottom. Junk e-mail essentially would be treated like junk postal mail, with nonfraudulent e-mail legalized until the recipient chooses to unsubscribe.

First, a few preliminary comments before I get into specific provisions. Spam has been a scourge on the 'net since the early 1990s, when non-academics and non-scientists first logged on in large numbers. The volume of commercial email was low at first but has grown exponentially for years. The result has been frustration for users who drown in the flood of messages, higher costs for service providers who must process all the unwanted email, embarrassment for legitimate businesses whose servers are hijacked by spammers trying to disguise their identities, and the corruption of children whose parents try to shield them from pornography and other sex-based products. The Act does not go as far as many people think it should (which is why Congress's long inaction is so lamentable); but it is, as I said above, a reasonable first step. The House seems to have made a genuine effort not to be heavy-handed with the rights of advertisers. Still, the Act has some sharp teeth for consumers and, if it is properly enforced, has the potential to significantly reduce the burdens caused by spam.

Now, some comments on specific provisions. This is not intended to be a comprehensive analysis of the bill — but rather a few thoughts on the provisions I think are important or interesting.

Update (6pm):Several readers have asked me to insert anchors in my subject headings so they can link to specific pieces of this article. Here they are:

False Header Information

The "false header information" provision is perhaps the easiest part of the bill for non-technologists to grasp, because you can examine the underlying problem even if you do not understand the technology. Spammers often disguise the origin of their advertising to make it more difficult for individuals and ISPs to use automated methods to filter and delete spam. These disguises also induce recipients to open the spam mail and begin reading — by pretending to be legitimate messages (e.g., with a deceptive or misleading subject line). Imagine paper junk mail, delivered by the post office, that comes in an envelope whose return address seems to be from your bank or your doctor. When you open the envelope, you find a flier for hard core pornography.

When spam is disguised as legitimate mail, more people will open the message and read the first few lines before realizing its true nature. This gives the advertiser a better chance of selling his product, be it pornography, generic viagra, or home mortgage services. As more spam is dealt with by human beings (rather than filtered by computers), more advertisements get read, and more products will be sold — even if most people hit the delete key immediately. In paper based "direct mail" ad campaigns, a response rate of one buyer per 100 mailings is generally enough to break even. The cost of sending email is much lower than the cost of sending paper mail, so a response rate of one buyer per 100,000 mailings is likely to earn a profit. The cost of sending email only seems lower to the sender, however, because most of the costs are shifted to the receiver and the receiver's ISP.

Here is how the technology works, in a nutshell. An email's "header" is the addressing and routing information — such as the to, from, and date fields that you see at the top of each message. Most email software hides the bulk of the header from you, unless you take an extra step to have it displayed. This "hidden" information documents where the email originated and the route it took across the Internet to your inbox. Each computer on the Internet has a unique "IP address" consisting of four numbers separated by dots (periods). Each line of the "hidden header" contains the IP address of each computer that touched the email en route and states the action that computer performed. Usually, these intermediary computers simply receive the message and hand it off to another computer that is "closer" to the recipient; after five or six hops, the email arrives at your inbox, and the process stops. Each intermediary computer adds a line to the top of the header, so the very top line always documents your mail server's delivery to you. Each successive line below that will document where each computer got the message from, going all the way back to the original sender. For example, and email I received this morning has these two lines in its header:

  • Received: (from uucp@localhost) by andros.alumniconnections.com [198.212.10.70] (8.11.6+Sun/8.11.6) id hAPEpit20254; Tue, 25 Nov 2003 09:51:44 -0500 (EST)
  • Received: from voyager.bna.com(149.79.136.49) by andros via smap (V2.1) id xma010225; Mon, 24 Nov 03 15:04:27 -0500

The first line is from my mail forwarding service (which sent the message to my ISP after it added this stamp, and my ISP later delivered the message to me). The name of this computer is andros.alumniconnections.com, which resolves to the IP address 198.212.10.70. Before that, the message was handled by a computer named voyager.bna.com (149.79.136.49). This makes sense because the email in question was an Internet law newsletter from BNA, a publisher of print and electronic news, analysis, and reference products. Also note that each header line has a date & time stamp.

Some automated spam filters take advantage of this stamping process by searching the email header for computers that are known to be used for sending spam. The bottom line of the header should be the original sender, and the identities of the biggest spammers are well known, so it should be an easy matter to delete all messages coming from them. Spammers know this, however, so they go to great lengths to forge these headers and route their mail through other people's servers to disguise its true origin. CAN-SPAM's "false header information" provision would make this illegal. The practice is already arguably illegal under a patchwork of existing laws, which could be interpreted to cover this situation. However, there is no substitute for a clear, specific statute directly on point that removes all doubt.

Resource Misappropriation

The "resource misappropriation" provision is perhaps the most difficult for non-technologists to understand. Congress borrowed this idea from a line of judicial opinions based on a tort called trespass to chattel. A "chattel" is simply the legal term for an item of personal property — a toaster or a chair, for example. I cannot make toast or sit down when someone else is using my chattels without my permission. That property belongs to me, so the common law allows me to sue the person using it. If I prove my case, I would get money for the damages I suffered from the delay in satisfying my hunger or relaxing my legs, and the court would order the trespasser to stop. The crux of this policy is that a computer is a chattel just like a toaster or a chair. Intuitively, we all understand that if someone else is using my laptop, he is blocking me from using it at the same time.

In the spam context, we must look at the technology on a slightly deeper level than this simplistic first approach allows. The Internet relies on powerful computers called servers, which answer queries from many people at the same time. When I read Yahoo!'s home page, the odds are very high that many other people are reading it at the same time. Yahoo!'s web server can dish out thousands of pages at the same time. However, when the number of readers grows too high, even the most powerful server has trouble keeping up, and users experience delays — or worse, the server "crashes."

A similar phenomenon occurs with mail servers — the computers that process email after it is sent and before it is received. Suppose the average email user sends and receives an average of 20 legitimate messages per day and receives an average of 80 spam messages per day. His Internet Service Provider's (ISP) mail server will spend 80% of its time processing spam and only 20% processing the "real" mail — which is what the user (the ISP's paying customer) wants it to process. Instead of buying the server it wanted to buy, the ISP had to buy one with five times the processing power to accommodate the unwanted extra load. This does not increase the cost of the server linearly (by five times), but it does increase the cost of the server by a measurable amount. Similarly, the ISP has to pay for five times the bandwidth (transmission capacity) that its customers want to use. Even if the ISP filters out spam as a service to its customers, it must still pay for all this extra capacity — to receive each piece of mail, look at the contents of each message, and flag each message for deletion or delivery.

The first case to examine spam from this perspective was CompuServe v. Cyber Promotions, 962 F. Supp. 1015 (S.D. Ohio 1997). CompuServe, an ISP, sued Cyber Promotions (CP) over spam that CP was sending to CompuServe's customers. (CP is no longer in that line of business.) That court built on the analysis written by a California Court of Appeals from a year before in Thrifty-Tel, Inc. v. Bezeneck, 56 Cal. App. 4th 1559, 1567 (1996). The California court had held that "Electronic signals generated and sent by computer have been held to be sufficiently physically tangible to support a trespass cause of action." CompuServe, 962 F. Supp. at 1021. In other words, the electric impulses that computers use to communicate constitute a physical invasion of property when they are sent into a privately-owned system without permission. In Thrifty-Tel, a telephone company had sued the parents of children who engaged in "phreaking" — attempting to crack the company's authorization codes in order to make long distance calls without paying for them. The most famous decision in this line of cases is eBay v. Bidder's Edge, 100 F. Supp. 2d 1058 (2000), which extended the same reasoning to web servers.

Meaningful Unsubscribe Mechanism

Two pieces of the bill — the "working unsubscribe" and "anti-resubscribe" provisions — belong under the same conceptual umbrella, which I call the "meaningful unsubscribe mechanism."

The "working unsubscribe" provision would require each piece of spam to include instructions for the recipient to "opt out" of future advertising. This opt-out mechanism must function for 30 days after the spam is sent, to ensure that recipients have a reasonable opportunity to use it. Otherwise, the spammer could shut it down immediately after clicking send — before most people have received the junk mail.

Some spammers get around states' opt-out laws by removing people from lists when they make opt-out requests, then immediately adding the same person to a new list. This new list has a much higher economic value to the spammer because the addresses on it are "verified" — the spammer knows that each one belongs to and is being actively used by a live person. This formalistic interpretation of many state laws' opt-out requirements is not possible under CAN-SPAM's "anti-resubscribe" provision, which bars the spammer from adding opted-out addresses to other lists.

The "working unsubscribe" provision is the most controversial and troubling provision in the Act. A great controversy surrounds the question of whether spam should be an opt-in or an opt-out enterprise. An opt-in system would forbid unsolicited commercial email by requiring spammers to document that the owner of each email address on a mailing list has requested to be placed on that list. An opt-out system would permit unsolicited commercial email but requires spammers to remove an address from their lists when the person who owns it asks to be removed. The CAN-SPAM bill passed by the House came down on the side of opt-out.

The foundation of American law is the U.S. Constitution, and the First Amendment to the Constitution provides that "Congress shall make no law…abridging the freedom of speech, or of the press." Despite this plain language, the Supreme Court has held that not all speech is equal under the First Amendment. While indecent speech (e.g., ordinary pornography) is protected from most government interference, obscene speech and child pornography enjoy no First-Amendment protection whatsoever. (See, for example, Ashcroft v. Free Speech Coalition, 535 U.S. 234, 122 S. Ct. 1389 (2002) for child pornography and Miller v. California, 413 U.S. 15, 24-25 (1973); Smith v. U.S., 431 U.S. 291, 301-02, 309 (1977); and Pope v. Illinois, 481 U.S. 497, 500-01 (1987) for obscenity.) Commercial speech gets an intermediate level of protection. Central Hudson Gas & Electric Corp. v. Public Service Commission of N.Y., 477 U.S. 557, 564-65 (1980).

Since the First Amendment was ratified, it has been axiomatic that "prior restraints" on speech are one of the greatest evils threatening the health of our polity. A prior restraint is a government prohibition on a particular message before the speaker has a chance to communicate it. The freedom of speech and the fundamental liberty of self-expression demand that everyone be given an opportunity to voice his thoughts. Some speech is always socially harmful — such as threats of violence or statements made in the formation of a criminal conspiracy. However, it is simply not possible to articulate in advance a definition of all forms that such harmful speech will take without our definition also encompassing many forms of legitimate speech. Therefore, we only punish speech after it has been uttered, when we can analyze the facts of each case. True, this allows some harms to occur that we might otherwise prevent, but a system of prior restraints would create far more and far greater harms by having a "chilling effect" on socially-necessary speech.

Therefore, everyone must have a reasonable opportunity to stand in a public square, tap passers-by on the shoulder, and say, "Would you like to hear what I have to say?" However, the freedom of speech guarantees a right to speak — not a right to force others to listen. Each listener has the right to say, "No, I find your views offensive, and I do not want to listen to you." Spam may be the 21st century, commercial-speech embodiment of this tap on the shoulder. The mandated opt-out system is the listener's opportunity to decline.

Many people believe that commercial speech should get less protection than it does today. Consumer protection demands it, they argue. How else can we prevent hucksters from selling snake oil through lies and deceit? These arguments do have merit, and I do not mean to dismiss them here; they are just beyond the scope of this blog. However, it would be irresponsible not to note at this point that, in recent years, the Supreme Court has been backing away from the Central Hudson doctrine because it is proving impractical to differentiate commercial speech from other types of speech. In ten years, what is "commercial speech" today may get full constitutional protection.

Harvesting & Random Generation Prohibition

Spammers employ many strategies to collect email addresses for their spam lists. One common strategy is called "harvesting." Spammers write software that trolls the Internet for character strings that appear to be email addresses. The software scans the text of web pages, chat rooms, message boards, and usenet, recording all the email addresses it finds. The CAN-SPAM Act will make this practice illegal. The very next paragraph of the Act prohibits another common strategy, "randomly generating electronic mail addresses by computer." The combination of these two prohibitions will make it much harder for spammers to get a hold of functional email addresses.

Rights of Action

The Act allows states to enforce the act by suing spammers on behalf of their citizens and ISPs to sue on their own behalf or on behalf of their subscribers. This is a common-sense compromise between the factions advocating a private right of action (which would permit individuals to sue spammers for themselves) and those advocating federal enforcement (which would permit only the U.S. Attorney General to enforce the Act).

Both extreme positions carry dangers and benefits. With a private right of action, the courts might be clogged with individual or class action suits, and it would take too long to reach large judgments against spammers for the law to be effective. On the other hand, leaving enforcement in the Attorney General's hands exposes the law to the dangers of under-enforcement and political cherry-picking. First, spam may seem minor compared to violent crimes, which rightfully get prosecutors' prime attention. Spam prosecutions might fall by the wayside. Second, the economic and technological damage caused by any two pieces of spam are identical, but does anyone honestly believe that John Ashcroft would approve the prosecution of inkjet toner vendors if there are any pornography vendors still standing? With finite resources, any Attorney General (like any manager) must set priorities for his office, and I would never fault Ashcroft for setting clear guidelines. However, I frequently disagree with the content of his guidelines; and, in this context, his preferences would probably lead to systematic selective enforcement, which would be untenable under the First Amendment — which prohibits the government from treating different speech differently, based on its content or viewpoint. With all fifty states and hundreds of ISPs bringing spam suits, the danger of selective enforcement declines.

Preemption of State Laws

CAN-SPAM expressly "preempts" state laws dealing with spam. The Supremacy Clause of the U.S. Constitution (article 6, § 2) establishes that the Constitution, laws, and treaties of the United States "shall be the supreme law of the land" and that they preempt state laws where they are in conflict (and in certain other situations). California, in particular, has passed several statutes prohibiting spam. California's most recent statute, which will not take effect until January, is far more protective of consumers than CAN-SPAM. All of these laws would be rendered unenforceable by the federal Act.

Do Not Spam Registry

The House considered drafts of the bill that would have required the Federal Trade Commission (FTC) to maintain a "Do Not Spam" registry, similar to the "Do Not Call" registry that it recently established in conjunction with the Federal Communications Commission (FCC). Spammers would have been required to compare the email addresses in this registry to their own mailing lists and remove any addresses that match. In effect, it would have been illegal to send unsolicited commercial email to any address in the registry. However, the House rejected this provision (which would have required the FTC to create the registry) in favor of one that merely requires the FTC to study the issue and permits the it to create a registry if it sees fit.

Anyone taking odds on what the FTC will do? Before you answer, consider that the bill fails to allocate a single dollar to fund the registry.

Private Mail Policies

By making certain kinds of email illegal, the Act, by implication, renders all other kinds of email legal. However, some spam that Congress intended to make illegal will always slip through cracks in the law's definitions. (This is a fundamental shortcoming of human language, not necessarily a fault of Congress.) Therefore, the bill expressly permits ISPs to devise and implement their own, private email-handling policies.

Without this provision, ISPs would be vulnerable to lawsuits from spammers if they decide to block this slippery spam on their own. By blocking mail that is technically legal, the ISPs would arguably be liable for such torts as interference with business relations (for blocking legal business communications) and defamation (for falsely labelling messages as "spam"). Much like § 230 of the Telecom Act of 1996 (47 U.S.C. § 230), CAN-SPAM's "private mail policy" provision is designed to protect ISPs from an onslaught of litigation that would render them unable to conduct business. If ISPs cease operating out of fear of litigation, consumers would be unable to access the Internet at all.

Posted at 2:36:16 PM | Permalink
| Comments (11)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/74
Topics: Cybercrime, Cyberlaw, Politics, Spam, Technology

Sunday, 26 October 2003

California wins anti-spam lawsuit

California Attorney General Bill Lockyer announced on Friday that his office had won the first-ever anti-spam lawsuit in the state. The court ordered defendant PW Marketing (and its owners) to pay "$2 million in civil penalties for violating state laws prohibiting unsolicited commercial email, false advertising and unfair business practices." It also entered an injunction against PW, prohibiting it from doing the following:


  • Sending unsolicited commercial emails.
  • Disguising their identity by sending email that appears to originate from an email address that is neither the actual address nor the address where replies can be received.
  • Sending emails that contain false or misleading information about the country or Internet mail server from where the advertisement is sent.
  • Accessing and using the computers, computer systems or computer networks of other persons or businesses without their permission or in violation of their terms of service.
  • Using false or misleading information to register for an email address, Internet service or Internet domain name.
  • Using, transferring or otherwise making available to other persons email address lists compiled for the purpose of sending spam.
  • For 10 years, owning, managing or holding any economic interest in any company that advertises over the Internet, without first providing written notice to the Attorney General.

Readers should note that California's anti-spam law will not take effect until January 2004 — so this judgment rests wholly on preexisting law.

Posted at 2:29:03 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/28
Topics: Cybercrime, Cyberlaw, Spam



Powered by Movable Type