The Role of Public Policy in the Fight Against Spam PowerPoint PPT Presentation

1
The Role of Public Policy in the Fight Against
Spam
  • Jacob Scott
  • UC Berkeley
  • IEEE
  • August 3rd, 2004

2
Spam Threatens the Viability of E-Mail
"Spam is about to kill the killer app of the
Internet - specifically, consumer use of e-mail
and e-commerce." FTC Commissioner Orson Swindle,
June 2003
3
Incredible Growth
"Since Hotmail deployed it six months ago,
SmartScreen has been blocking more than 95
percent of all incoming spam, an average of
nearly 3 billion messages every day." Bill Gates,
June 2004
4
Wide-ranging Effects
  • Businesses
  • Consumers
  • ISPs
  • Legitimate E-Mail Marketers

"Today, it is estimated that 80% of email traffic
is spam and the costs of spam to the global
economy amount to USD 25 billion
annually." Press Release, UN ITU, July 2004
5
Example Phishing
Anti-Phishing Working Group
"Direct losses from identity theft fraud against
these phishing attack victims cost U.S. banks and
credit card issuers about $1.2 billion last
year." Press Release, Gartner Research, May 2004
6
Good Spam versus Bad Spam
7
Good Spam
  • Annoying
  • Identifiable
  • Legitimate
  • Possibly Requested
  • Big Business

"This translates into an excess of $19 billion
spent in response to commercial e-mails in
2003." Direct Marketing Association, March 2004
8
Bad Spam
  • Untraceable
  • Deceptive
  • Fraudulent
  • Pornographic
  • Illegitimate
  • The Problem

9
The Reasons for Spam: Profit and Anonymity
10
The Spam Profit Numbers
  • 5% of e-mail users have purchased from UCE
  • Cost to send one e-mail: $0.0005
  • Profit possible with a 0.0001 response rate

AOL's captured spammer Porsche
11
E-Mail Exactly the Same Since 1982
12
SMTP Provides No Authentication, Enables Anonymity
13
Anti-Spam Technology
Filters look at incoming e-mail and sort spam
from legitimate messages
14
Filtering Mechanisms
  • IP Blacklists
  • Header/Routing Analysis
  • Heuristics
  • Adaptive (Bayesian)
  • URL Filtering
  • Checksums/Signatures
  • Collaborative Networks
  • Challenge-Response
  • Many more

15
Filtering Success
  • Brightmail advertises that their filter catches
    95% of all spam, and mislabels only 1 in a
    million (false positives)
  • CRM114, an open source spam classifier, reports
    over 99% accuracy in spam/ham sorting
  • Vibrant R&D, commercial implementations

16
The Spam arms race
  • Increased volume
  • Evasive techniques
  • Concern over false positives
  • The worst spam (sent by outlaw spammers) is
    the hardest to defeat technologically

"Knowing that only a small percentage of their
output will get past today's filters, spammers
have responded by significantly cranking up the
volume of emails they send. So networks are
burdened with even more junk than before." Bill
Gates, June 2004
17
The CAN-SPAM Act of 2003
18
Introduction
  • First national anti-spam law
  • Originated as S. 877
  • Passed Senate 97-0
  • Passed House 392-5
  • Signed December 16, 2003

Senator Burns
Senator Wyden
19
Motivation
  • "Senders of commercial electronic email should
    not mislead recipients as to the source or
    content of such mail, and recipients of
    commercial electronic mail have a right to
    decline to receive additional commercial
    electronic mail from the same source."
    CAN-SPAM Act of 2003
  • Strong on fraud and deception
  • Weak on privacy
  • Consumer protection law: the Federal Trade
    Commission is the point agency

20
Opt-In, Opt-Out
  • CAN-SPAM is single-source opt-out: ask each
    e-mailer to stop, one at a time
  • Chosen over opt-in, where marketers have to ask
    before they send; opt-in is popular in Europe
  • Does the difference matter?

"Imagine that you put a 'do not solicit' sign at
the front door of your home, and every company in
the world could only ring your doorbell once, at
which point you could tell the salesperson not to
bother you anymore." Consumers Union, May 2004
21
Probably Not
  • "The practical difference between opt-in and
    opt-out laws in terms of real enforcement is
    virtually nonexistent. If a spammer wishes to
    convert the strongest opt-in law into an opt-out
    law, all he or she needs to do is tell one lie:
    'The recipient requested to receive my
    messages.'" Matthew Prince, July 2004
  • The worst outlaw spammers will not care either
    way

22
Compromise?
  • Do Not E-Mail Registry: provides global opt-out
  • Anyone who sends to e-mails in the registry is in
    trouble
  • Modeled after the Do Not Call Registry

23
Probably Not
  • "This Report concludes that a National Do Not
    Email Registry, without a system in place to
    authenticate the origin of email messages, would
    fail to reduce the burden of spam and may even
    increase the amount of spam received by
    consumers." FTC DNE Registry Report, July 2004
  • How can you not e-mail someone without knowing
    who not to e-mail?
  • How can use of the registry be required and
    enforced?

24
The Ways in Which You Can Spam Under CAN-SPAM
25
Good Spam, Bad Spam Again
26
What You Must Do
  • In commercial e-mail:
    • Include an opt-out mechanism
    • Include a real physical address
    • Clear notice that the message is an advertisement
  • No requirement for this to be machine readable,
    but it does give good hints to filters
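
As an added illustration (not from the presentation), a small Python heuristic that checks a message for the three CAN-SPAM elements listed above, the kind of "hint" a filter can draw from them. The two sample messages are constructed; a real filter would combine many such signals with the mechanisms on slide 14 rather than rely on these alone.

```python
import email
import re
from email.message import Message

# Constructed sample messages (not from the presentation).
COMPLIANT = """\
From: Deals <deals@example-shop.invalid>
To: user@example.invalid
Subject: ADV: Weekly specials
Content-Type: text/plain

This is an advertisement.
To stop receiving these messages, reply with UNSUBSCRIBE or visit
https://example-shop.invalid/unsubscribe
Example Shop, 123 Main Street, Berkeley, CA 94704
"""

OUTLAW = """\
From: "Your Bank" <security@bank.invalid>
To: user@example.invalid
Subject: Urgent account verification
Content-Type: text/plain

Click now to verify your account details.
"""

# Crude detectors for the three mandated elements.
OPT_OUT_RE = re.compile(r"unsubscribe|opt[- ]?out|stop receiving", re.I)
ADDRESS_RE = re.compile(
    r"\b\d{1,6}\s+[A-Za-z0-9 .]+\b(street|st|avenue|ave|road|rd|blvd|suite)\b.*\b\d{5}\b",
    re.I,
)
ADV_RE = re.compile(r"\bADV\b|advertisement", re.I)


def compliance_signals(raw: str) -> dict:
    """Return which CAN-SPAM elements a single-part message carries."""
    msg: Message = email.message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    subject = msg.get("Subject", "")
    return {
        "opt_out": bool(OPT_OUT_RE.search(body)),
        "physical_address": bool(ADDRESS_RE.search(body)),
        "adv_label": bool(ADV_RE.search(subject + " " + body)),
    }


def score(raw: str) -> int:
    """Number of mandated elements present (0 = none of the hints)."""
    return sum(compliance_signals(raw).values())
```

A message scoring 0 is not thereby spam, and one scoring 3 is not thereby legitimate; the point is only that compliant senders hand filters cheap signals that outlaw senders do not.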

27
What You Cannot Do
  • Falsify header or route information of your
    e-mail messages
  • Hack into other computers and send spam from them
  • Harvest e-mail addresses from the web or in a
    directory harvest attack
  • Hire other people to spam for you
  • Send adult-oriented spam without a subject line
    label (FTC rulemaking)

28
Penalties
  • Quite stiff
  • Violations of CAN-SPAM are considered violations
    of the FTC Act, $11,000 per violation
  • Some violations are criminal, with up to five
    year prison terms
  • ISPs and State AGs can sue under CAN-SPAM for
    civil damages (caps in some cases)

29
Getting Tough on Enforcement
30
Importance of Enforcement
  • CAN-SPAM has teeth, but does it bite?
  • Outlaw spammers will not follow law if not
    enforced
  • Provides an avenue to recoup spammer profits
  • Creates a deterrent effect, makes spammers think
    twice

31
Compliance and Enforcement
  • Average CAN-SPAM compliance over first six months
    only 2.3%
  • FTC has brought only two actions under CAN-SPAM
    (62 total spam cases in history)
  • Roughly a half dozen ISP CAN-SPAM based lawsuits
    pending
  • Maybe one or two state cases

32
Enforcement Difficulties
  • Three ways to pursue, generally:
    • Trace communications
    • Follow the money
    • Follow the goods
  • With spam:
    • Communications notoriously difficult
    • Money gets tricky if stolen credit card, or
      overseas
    • Goods may not be physical (software, identity
      theft)

33
Spam Enforcement Generally
  • Computer misuse, identity theft, fraud laws can
    all apply to spam
  • ISP lawsuits pre CAN-SPAM (AOL Porsche)
  • States have further laws
  • New York's Buffalo Spammer case
  • Virginia's recent case against Texan
  • Not insignificant enforcement, but certainly not
    enough
  • CAN-SPAM compliance numbers

34
Enforcement Inhibitors
  • CAN-SPAM did two things that made enforcement
    harder:
    • Pre-empted most state spam laws: only (state)
      laws which do not deal specifically with spam or
      only deal with fraud are still in force
    • Denied private right of action: bad experience
      with frivolous lawsuits under Utah law, so
      individuals and businesses cannot sue spammers
  • Tradeoffs in both cases, but bottom line is
    enforcement was softened

35
CAN-SPAM Bottom Line
  • Strong in some areas, weak in others
  • Not as horrible a law as it is made out to be in
    the press
  • Nonetheless, ineffective due to lack of
    enforcement
  • If CAN-SPAM were followed, there would probably
    be less spam in your inbox

36
Recommendations
  • More enforcement
  • Consider private right of action
  • Conduct technology oversight
  • Revisit privacy concerns
  • Help with user education