Free the Spam King!
June 6, 2007
Spam is a serious annoyance for the user, and a real drain on internet service providers that have to process billions of unwanted (and often unreadable) messages. But the real loss from spam results not from volume, but from the malware, fraud and identity theft enabled by deceptive mass e-mails.
Laws against fraud and transmitting computer viruses have long been on the books, but that hasn't stopped Congress or state legislatures from looking for a more targeted fix. Unfortunately, these efforts have not stopped spam.
The Federal Controlling of Non-Solicited Pornography and Marketing Act (known as CAN SPAM) went into effect in 2004. CAN SPAM regulates commercial and pornographic e-mail, prohibiting falsification of the sender's identity, requiring the subject line to indicate the message is an advertisement and mandating the message include a functioning "unsubscribe" link.
So, how's it working? Check your inbox. Few spammers are following CAN SPAM. Many fraudsters are located outside the United States and out of the reach of the law. Savvy internet users know unsubscribe links often just give the unscrupulous spammer validation that a live person is reading mail sent to that address.
Perhaps these are reasons why so few people have been prosecuted for sending spam, and even fewer of those have been charged under the federal law.
In 2004, spammer Howard Carmack was sentenced to three-and-a-half to seven years in prison under New York state identity theft law. In 2005, Jeremy Jaynes was sentenced to nine years under Virginia law, which prohibits using false internet addresses and aliases to send mass e-mail ads. News reports at the time claimed he was one of the top 10 spammers.
Now federal authorities have arrested Soloway. Still, spam continues. Why doesn't the threat of long prison sentences stop the flood of fraudulent mail? First, criminal penalties are nothing new. The Wire Fraud Act, the Computer Fraud and Abuse Act and their state law correlates have targeted online fraud and virus transmission for years, but that hasn't stopped computer criminals, especially when a lot of money is at stake.
CAN SPAM added severe penalties for spam-related activities, but this threat has not worked. Hardly anyone has been prosecuted under CAN SPAM. Authorities have only pursued the U.S.-based culprits they can locate, and whose activities go beyond mere technical violations to actual security breaches and theft.
One popular criminal justice theory posits that when enforcement is low, the penalty has to be extremely high in order to dissuade people who otherwise reasonably believe they will not get caught. But this strategy has failed in the spam wars.
In addition, it's uncomfortable to punish spammers more severely than criminals who do physical harm to people. The most basic sentence for sending spam that fails to meet the CAN SPAM regulations is higher than that for crimes involving stolen property or property damage. Soloway is looking at 65 years. In California, a basic rape charge carries a maximum penalty of eight years.
The criminal justice system must be brought to bear to stop fraud, viruses and identity theft, but the law alone cannot stop these evils, or milder, but still annoying, spam. Technology helps, but is not a complete answer.
In 2004, Neil Krawetz published a short and highly readable review of anti-spam efforts. He concludes that spam filters can work (imperfectly) for users, but that other technological solutions are not user friendly or scalable enough for widespread deployment. "Reverse-lookup systems attempt to identify forged senders but restrict e-mail's usability by preventing host-less and vanity domains, and restricting mobile users' abilities to send e-mail from anywhere at anytime. ... Challenge-response systems are only viable as long as they maintain a low profile, and computational challenges are unlikely to deter spammers. Cryptographic solutions, while accurately identifying forged e-mail, do not easily expand to a global scale."
I believe the answer will lie in following the money. Spammers send spam because it is profitable. When the messages are touting snake-oil cures or illegal pharmaceuticals, someone is banking the dollars from the people who click to buy. When the messages contain spyware that routes private information back to identity thieves, the virus code can reveal where the information goes.
Last year, students in my Cyberlaw Clinic and in Stanford's Computer Science Department banded together to analyze spyware transmissions. It wasn't easy, and maybe was impossible to track some of the off-shore purveyors, but government agencies and private companies with more resources should be able to do the same thing for many spammers.
Which brings me to the biggest hole in CAN SPAM: the law does not give individuals the right to bring lawsuits for violations. Only internet access service providers can bring such suits, and then only for "material" violations of the act. A broader "private attorney general" provision could avoid the problem of expensive investigations and over-incarceration by incentivizing and decentralizing enforcement.
There are also few resources in place for educating the public about the risks of opening attachments from strangers, and many versions of insecure software that expose customers to the risks of viruses, spambots and spyware. If people stopped clicking and buying, spamming would not be as profitable, and the incentive to do it would weaken.
Spam is a difficult challenge, but it's one we will not solve with Soloway's incarceration. We need a broader and more comprehensive plan that incorporates technology, private investigation, enforcement and public education. Otherwise we create more problems for e-mail users than solutions, while failing to stop the money flow. And we embarrass ourselves by punishing spammers more severely than criminals who physically hurt people.