CPSC 457: Sensitive Information in a Wired World Anti – Spam Legislation and Technology Jeannie Wong
Costs of Spam In the U.S. and the E.U., half of all are unsolicited commercial s. The Federal Trade Commission maintains and monitors a spam database, and has set up a special mailbox that receives 40 thousand junk s a day. Spam is used not only to peddle merchandise and various money-making scams, but also to disseminate computer viruses. FTC: spam costs between $10 billion and $87 billion annually. 7 billion pieces of spam are sent daily, which drains bandwidth and productivity. ISPs pass the increased cost along to their customers. Schumer: NYC residents receive 8.25 million pieces of spam daily and spend 4.2 million hours annually deleting them. Jupiter Research: in 2002, $1.4 billion spent on marketing campaigns in 2007, $8.3 billion will be spent Anti-spam technology is an $88 million industry.
Spam originates mainly from: 1. United States - 33% 2. China - 18% 3. Korea - 9% 4. Brazil - 4% 5. Canada - 3% 6. United Kingdom - 2% 7. Italy - 2% 8. Mexico - 2% 9. Germany - 2% 10. Taiwan - 1%
Anti-spam Legislation 107 th Congress: 8 bills 106 th Congress: 11 bills 108 th Congress: 9 bills Anti-Spam Act of 2003 Ban on Deceptive Unsolicited Bulk Electronic Mail Act 0f 2003 CAN-SPAM Act of 2003 Computer Owners’ Bill of Rights Criminal Spam Act of 2003 REDUCE Spam Act of 2003 Reduction in Distribution of Spam Act of 2003 Stop Pornography and Abusive Marketing Act Wireless Telephone Spam Protection Act
CAN-SPAM Act of 2003 Controlling the Assault of Non-Solicited Pornography and Marketing Act Reintroduced for the third time in April 2003 by Sen. Conrad R. Burns (R-MT) and Sen. Ron Wyden (D-OR) Requires unsolicited commercial messages to be labeled, to include opt-out instructions, workable return addresses, and the sender’s physical address Preempts state laws that prohibit unsolicited commercial outright Imposes fines of up to $10 per on spammers if the receiver has opted out, up to $500,000, and a fine of up to $1.5 million for spammers who willingly and knowingly violated the law
CAN-SPAM Act of 2003 Imposes fines of up to $1 million for delibrately deceptive A criminal penalty of up to a year in jail for spammers who include deceptive subject lines and misleading header information.
Criminal Spam Act of 2003 Introduced June 19, 2003 by Sen. Orrin Hatch (R-UT) Cosponsors: Senators Leahy, Schumer, Grassley, Feinstein, DeWine, Edwards, Wyden, Burns, Pryor, Miller, and Nelson. Prohibits unauthorized or deceptive use of a third party’s computer for relaying bulk commercial messages Prohibits the use of false header information in bulk commercial messages Regulates the use of multiple accounts or domain names for the purposes of sending such messages. Applies only to quantities or more than 100 messages within 24 hours, or 1000 within 30 days, or within one year. Senders of with misleading headers may fined up to $25,000 each day or receive up to five years in federal prison
SPAM Act Stop Pornography and Abusive Marketing Act Introduced in June 2003, Sen. Charles Schumer (D-NY) Establishes a national “no-spam” registry, administered by the FTC, using fees paid for marketers for access to the list FTC would be empowered to prohibit explicit commercial messages to minors even if they are not on the list Requires full disclosure in headers and addresses, require working unsubscribe mechanisms, ban the use of false sender names, and automated harvesting of addresses
SPAM Act All messages that contain commercial content must have the letters ADV in the subject line, except those sent in compliance with an FTC-approved self-regulatory program, and must include the sender’s physical address. Jail time of up to 2 years for severe repeat offenders. $75 million needed to create the system, including the FTC registry and for enforcement. Supports domain-wide opt-out
REDUCE Spam Act of 2003 Restrict and Eliminate the Delivery of Unsolicited Commercial Electronic Mail or Spam Act of 2003 Introduced in May 2003 by Rep. Zoe Lofgren (D-CA) Unsolicited bulk commercial messages would be required to include a valid reply address and opt-out instructions, and a label (“ADV:” or “ADV:ADLT” or some other form of recognized standard identification) Applies to messages send in the same or similar form to 1000 or more addresses within a two-day period False or misleading headers and deceptive subject lines would be prohibited in all unsolicited commercial messages, whether or not sent in bulk
REDUCE Spam Act 0f 2003 Similar to the Burns-Wyden bill with the addition of a reward of 20 percent of the civil fine levied by the U.S. Federal Trade Commission against the spammer to the first person to report a spam offender. Gives Internet service providers the right to bring civil actions against marketers who violate those requirements and disrupt their networks, and it allows for criminal fines and up to a year in prison for fraudulent spam.
Anti-Spam Act of 2003 Introduced June 18, 2003 by Rep. Heather Wilson (R-NM) Cosponsors: Rep. Rick Boucher (D-VA) & Rep. Ed Markey (D-MA) Commercial messages must be identified as such, must include the sender’s physical street address, and an opt-out mechanism. Messages relating to a specific transaction and consented to by the recipient would be exempt from the requirements Sexually explicit messages must be identified with a standard label Commercial messages with false or misleading message headers or misleading subject lines are prohibited.
Anti-Spam Act of 2003 Sending commercial messages to addresses generated by an automated dictionary attack would be illegal. Preempts state laws that restrict the sending commercial , regulate opt-out procedures, or require subject-line labels. Laws that regulate falsification of message headers would remain in place
Reduction in Distribution of Spam Act of 2003 RID-Spam Act Introduced in May 2003 by Rep. Richard Burr (R-NC) Cosponsors: Rep. Billy Tauzin (R-LA) and Rep. James Sensenberger (R-WI) Requires all commercial messages to be identified as such, include the sender’s physical address, and an opt- out mechanism. Unsolicited sexually explicit messages must be identified with a standard label. Prohibits the use of false or misleading headers in commercial messages. Preempts state laws that prohibit unsolicited commercial , regulate opt-out procedures, or require subject- line labels. Lets ISPs (but not individuals) sue spammers for damages
Problems with proposed legislation Definition of spam as fraudulent Andrew Barrett, executive director of SpamCon: RID-SPAM Act = “The Spammer’s Bill of Rights” No distinction between content and consent Implementation barriers FTC Chairman Tim Muris: "A do-not-spam list is an intriguing idea, but it is unclear how we can make it work."
Problems with proposed legislation High cost of enforcement Makes it more difficult to prosecute spammers RID-Spam Act makes suing spammers more complicated than it is under the FTC Act Criminal Spam Act of 2003 requires that federal prosecutors prove a spammer falsified his identity in 10 thousand different s to bring a felony charge Opt-out puts the burden on consumers Better to have legislation favoring permission-based
Anti-spam legislation in the EU and UK In May 2002, the European Parliament passed anti-spam legislation requiring companies to receive consumer opt-in permission before sending them commercial In the U.K., starting December 11, under a new directive which starts on December 11, companies and individuals can be fined up to $8200 for sending unsolicited commercial and SMS text messages to mobile phones without prior agreement.
World’s Fourth Largest Spammer Details Magazine - October, 2003 Issue: 9th Most Powerful Men in America under Age 37
World’s Premier Spammer Alan Ralsky Settled a lawsuit brought against him by Verizon Internet Services in 2002 Now sends most of his spam mails from overseas Control 190 servers: 110 in Southfield, 50 in Dallas and 30 more in Canada, China, Russia and India Charges a commission on sales or a flat fee of up to $22,000 Has a master list of 250 million valid addresses Response rate of 0.25 percent
Spam blocking technology Bill Conner of Entrust: digital credentials Brightmail Solution Suite Internet Engineering Task Force: implementing a single architecture that will allow receivers to express consent or non-consent Destroy the spammer’s business model Bayesian filters Other client-side filters
Spam Tricks The online Field Guide to Spam Lost-in-space Slice-and-dice Message encoding
Steps individuals can take Choose an address name that is hard to guess Don’t post your online Get a spam filter Don’t reply to spam spam-baiting is inadvisable Be careful when installing free software Don’t sign up for free web services Report spam to your ISP or to the FTC at