Members will hear testimony on the effectiveness of the CAN-SPAM Act and the anticipated effect of new anti-spam initiatives in curtailing the delivery of unwanted e-mail, known as spam, to consumers. Senator McCain will preside. Witness list will be released at a later time.
Witness Panel 1
Mr. Timothy Muris
Foundation Professor of Law, George Mason University School of Law
Of Counsel, O'Melveny & Myers LLP
Mr. Chairman, the Federal Trade Commission appreciates this opportunity to provide information to the Committee on the agency's efforts to address the problems that result from unsolicited commercial email (“spam”), its activities undertaken to date to fulfill the various mandates contained in the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM” or the “Act”), and its efforts to enforce the Act’s substantive provisions.
Spam creates problems well beyond the aggravation it causes to the public. These problems include the fraudulent and deceptive content of a large percentage of spam messages, the offensive content of many spam messages, the sheer volume of spam being sent across the Internet, and the security issues raised when spam is used to disrupt service or to send spyware or viruses carrying malicious code.
The Commission has pursued a three-fold strategy to combat the plague of spam. First, it has pursued a vigorous program of law enforcement against spammers, both before the enactment of CAN-SPAM and since it became effective on January 1, 2004. Second, we have an extensive education program to alert consumers and businesses about self-help measures they can take against spam. Third, we have studied the problem of spam to inform our enforcement and consumer education efforts, and to remedy the paucity of reliable data about spam.
Law Enforcement
The Commission has brought 62 law enforcement actions in recent years against alleged fraudulent operations using spam as an integral component of their scams. Most of these cases predate CAN-SPAM, and were brought under Section 5 of the FTC Act. Two of our most-recent spam cases, filed in federal district court in April, target extremely prolific spammers and allege violations of both CAN-SPAM and the FTC Act.
The Commission’s complaint in the first of these cases, FTC v. Phoenix Avatar, LLC, et al., alleges that the Defendants used materially false or misleading header information in their email messages, in violation of Section 5(a)(1) of the CAN-SPAM Act; specifically, the Defendants placed the email addresses or domain names of unsuspecting third parties in the “reply-to” and/or “from” fields of their spam (a practice known as “spoofing”). The complaint also alleges that the Defendants failed to provide the disclosures required by Sections 5(a)(5)(A)(ii) and (iii) of the Act, including the required notice of an opportunity to decline to receive further commercial email from the sender. Further, the complaint alleges that the Defendants made false and unsubstantiated claims about diet patches marketed in part through the email messages, in violation of Section 5 of the FTC Act. The Commission has obtained a temporary restraining order that, among other things, stops further deceptive product sales, freezes the Defendants’ assets, and preserves their records.
In investigating and filing this matter, the Commission worked closely with the U.S. Attorney for the Eastern District of Michigan and the Detroit Office of the Postal Inspection Service, who are pursuing a concurrent criminal prosecution of the principals of this scheme. The U.S. Attorney filed a criminal complaint, executed a criminal search warrant, and arrested four principals. The principals have been charged with violations of the federal mail fraud laws as well as with criminal violations of the CAN-SPAM Act.
The second case, FTC v. Global Web Promotions Pty Ltd., targets an Australian company that the FTC alleges is responsible for massive amounts of spam sent to consumers in the United States.
According to the complaint, the Defendants used spam to advertise a diet patch similar to the one in Phoenix Avatar, as well as purported human growth hormone products “HGH” and “Natural HGH” that Defendants claimed could, among other things, “maintain [a user’s] appearance and current biological age for the next 10 to 20 years.” The Defendants sold the diet patch for $80.90 and the HGH products for $74.95. The FTC alleged that these claims are false and unsubstantiated, and therefore deceptive in violation of Section 5 of the FTC Act. The complaint alleges that the Defendants also used materially false or misleading header information of unsuspecting third parties (spoofing), in violation of Section 5(a)(1) of the CAN-SPAM Act, and failed to include required disclosures in their email messages, including disclosure of an opportunity not to receive further email, in violation of Sections 5(A)(5)(a)(ii) and (iii) of CAN-SPAM. Because the Defendants shipped their products using fulfillment houses in the United States, the Commission has obtained a preliminary injunction that, among other things, will enjoin the fulfillment houses from further delivery of the Defendants’ deceptively-marketed products. In investigating this case, the Commission received invaluable assistance from the Australian Competition and Consumer Commission and the New Zealand Commerce Commission.
The CAN-SPAM cases the Commission is currently pursuing follow an extended Commission effort to target spam under Section 5 of the FTC Act. One aspect of this effort has been the Commission’s two-year Netforce law enforcement partnership with other federal and state agencies, which has targeted deceptive spam. This partnership includes the Department of Justice, FBI, Postal Inspection Service, Securities and Exchange Commission, and Commodities Futures Trading Commission, as well as state Attorneys General, and local enforcement officials.
In four regional law enforcement sweeps, the most recent announced in May 2003, the Netforce partners filed more than 150 criminal and civil cases against allegedly deceptive spam and other Internet fraud. In one recent sweep case, for example, the Commission obtained a permanent spam ban against defendants who allegedly used deceptive “From” lines in their spam to claim affiliation with Hotmail and MSN in touting a fraudulent work-at-home envelope-stuffing scheme. The Commission remains committed to aggressive pursuit of spammers who violate Section 5 of the FTC Act and the CAN-SPAM Act, and we remain committed to working with our law enforcement partners to find and take action against spammers.
Consumer and Business Education
The Commission’s educational efforts include a spam home page with links to 15 pamphlets for consumers and businesses, including one in Spanish, and summaries of our partnership enforcement efforts to halt deceptive spam. One of the most important business education efforts was “Operation Secure Your Server,” announced on January 29, 2004. Through this initiative, the Commission partnered with 36 agencies in 26 countries to highlight the problem of “open proxies” on third-party servers that spammers use to hide the true source of their spam. This project was an outgrowth of last year’s “Open Relay Project,” in which 50 law enforcers from 17 agencies identified 1,000 potential open relays. The agencies sent a letter, signed by 14 different U.S. and international agencies and translated into 11 languages, urging the organizations with these open relays to close them and explaining how to do so.
Studies and Workshops
Everybody receives spam, but there is little known about it. Reliable information about spam is extremely limited, although there is much “spam lore” that has little if any basis in fact. For example, some sources in Europe claim that the vast majority of spam originates in the United States. Similarly, some sources in the U.S. opine that most spam in Americans’ in-boxes arrives from Asia, South America, or Eastern Europe. In fact, nearly all spam is virtually untraceable, either because it contains falsified routing information or because it comes through open proxies or open relays. Moreover, “spoofing” and “forging” of an email message’s “from” line and header information are common spammer stratagems. Even with incredibly painstaking, expensive, and time-consuming investigation, it is often impossible to determine where spam originates. Spammers are extremely adroit at concealing the paths that their messages travel to get to recipients’ in-boxes. Typically, the most that can be ascertained with certainty is the last computer through which the spam traversed immediately before arriving at its final destination. To frustrate law enforcers, clever spammers may arrange for this penultimate computer to be outside the country where the spam’s ultimate recipient is located.
Another example of “spam lore” is the notion that a handful of “kingpin” spammers are responsible for the vast majority of spam. This may or may not be true, but nobody knows for sure. The Commission recently used its compulsory process authority under Section 6(b) of the FTC Act to require the production of information on an exhaustive list of spam topics from various ISPs and other entities. The Section 6(b) specifications included items focusing on the “kingpin” theory. These requests yielded wildly varying estimates, ranging from the familiar “200 spammers” figure to “thousands” of individuals responsible for the majority of spam. In fact, the low barriers to entry suggest that many individuals, and not just a handful, may engage in spamming and contribute significantly to the volume of spam traversing the Internet.
The prevalence of “spam lore” of questionable validity and the corresponding paucity of reliable data on spam has prompted the FTC’s staff to perform research on the issue.
In one of the first of these efforts, the Commission’s staff, working with a partnership of law enforcement officials in several states and Canada, conducted a “Remove Me” surf in 2002 to test whether spammers were honoring “remove me” or “unsubscribe” options in spam. From email that the partnership had forwarded to the FTC’s spam database, the Commission’s staff selected more than 200 messages that purported to allow recipients to remove their names from a spam list. To test these “remove me” options, the partnership set up unique email accounts that had never been used before and submitted “remove me” requests from these accounts. The staff found that 63 percent of the removal links and addresses in the sample did not function. If a return address does not work to receive return messages, it is unlikely that it could be used to collect valid email addresses for use in future spamming. In no instance did we find that any of our unique email accounts received more spam after attempting to unsubscribe. This finding is inconsistent with the common belief that attempting to unsubscribe guarantees that consumers will receive more spam.
Another study in 2002, the “Spam Harvest,” examined what online activities place consumers at risk for receiving spam. We discovered that all of the email addresses that we posted in chat rooms received spam. In fact, one address received spam only eight minutes after the address was posted. Eighty-six percent of the email addresses posted in newsgroups and Web pages received spam, as did 50 percent of addresses in free personal Web page services, 27 percent in message board postings, and 9 percent in email service directories. The “Spam Harvest” also found that the type of spam received was not related to the sites where the email addresses were posted. For example, email addresses posted to children's newsgroups received a large amount of adult-content and work-at-home spam.
A third study focused on false claims in spam by analyzing a sample of 1,000 messages drawn from three sources. The Commission staff issued a report on April 30, 2003, explaining that two-thirds of the sample contained indicia of falsity in the “from” lines, “subject” lines, or message text, and that in a smaller random sample of 114 pieces of spam taken from the same set of data, only one came from an established business in the Fortune 1000. This study, the first extensive review ever conducted of the likely truth or falsity of representations in spam, underscores both the potential harm to consumers from spam and spammers’ willingness to ignore the law.
One of the most important projects in our ongoing effort to study and understand the phenomenon of spam and its impact on the Internet and the economy at large was the Spam Forum, a three-day public forum from April 30 to May 2, 2003. This Forum provided a wide-ranging public examination of spam from all viewpoints. The Spam Forum was organized into twelve panel discussions covering the mechanics of spam, the economics of spam, and potential ways to address the problem of spam. Panelists at the Forum brought forward an enormous amount of information about spam and how it affects consumers and businesses.
Several primary themes emerged from the various panels. First, there was much discussion about the increasing amount of spam. Second, spam imposes real costs. The panelists offered concrete information about the costs of spam to businesses and to ISPs. Specifically, ISPs reported that costs to address spam increased dramatically in the two years immediately preceding the forum. ISPs bear the cost of maintaining servers and bandwidth necessary to channel the flood of spam, even that part of the flood that is filtered out before reaching recipients’ mail boxes. At the Forum, America Online reported that it blocked an astonishing 2.37 billion pieces of spam in a single day. Third, spam is an international problem.
The panel discussing open proxies and open relays and the international panel described spam’s cross-border evolution and impact. Most panelists agreed that any solution will have to involve an international effort.
The Commission convened this event for two principal reasons. First, as noted above, spam is frequently discussed, but facts about how it works, its origins, and what incentives drive it are elusive. The Commission anticipated that the Forum would generate an exchange of useful information about spam to help inform the public policy debate. Second, the Commission sought to act as a potential catalyst for solutions to the spam problem. Through the Forum, the Commission brought together representatives from as many sides of the issue as possible to explore and encourage progress toward possible solutions to the detrimental effects of spam.
The Commission believes that the Forum advanced both goals. The panelists contributed valuable information from various viewpoints to the public record. In addition, the Forum spurred both cooperation and action among a number of participants. Most notably, on the eve of the Forum, industry leaders Microsoft, America Online, Earthlink, and Yahoo! announced a collaborative effort to stop spam. This promising effort continues today with participation from additional industry leaders. Moreover, several potential technological solutions to spam were announced either at or in anticipation of the Forum. The Commission intends to foster this dialogue, and, when possible, to encourage other similar positive steps on the part of industry. We believe that the Forum contributed significantly to the ongoing effort on the part of industry, consumers, and government to learn how to control spam.
Efforts Since CAN-SPAM Went Into Effect
To provide additional tools to fight spam, Congress enacted the CAN-SPAM Act on December 16, 2003.
The Act took effect on January 1, 2004, and the Commission immediately sought to enforce the Act, to meet the aggressive deadlines it set for the completion of several rulemakings and reports, and to develop national and international partnerships to help combat deceptive spam. The Commission filed its first two CAN-SPAM cases within four months of the Act’s effective date. As mentioned earlier, combating spam has been one of the Commission’s top priorities for several years, and currently half of the staff members in the Bureau of Consumer Protection’s largest enforcement division work on CAN-SPAM issues, as do staff in all of the Commission’s regional offices and additional lawyers, investigators, and technologists throughout the FTC.
Moreover, to facilitate enforcement by other law enforcement agencies, we have consulted with our partners at the Department of Justice and have organized a task force with state officials to bring cases. The Task Force is co-sponsored by the FTC and the Attorney General of Washington, and is comprised of 136 members representing 36 states, several units within the Department of Justice, and the FTC. The FTC staff so far has conducted two training sessions on investigative techniques for the Task Force, each of which was attended by approximately 100 individuals representing about 35 different states. The Task Force conducts monthly conference calls to share information on spam trends, technologies, investigative techniques, targets, and cases.
The Commission is also on target to complete the rulemakings and reports required by CAN-SPAM. On January 28, 2004, the Commission issued a Notice of Proposed Rulemaking for a mark or notice that will identify spam containing sexually oriented material. The Commission received 89 comments in response. We issued a final rule in advance of the statutory deadline of April 14.
Effective May 19, the rule requires all messages containing sexually oriented material to include the warning “SEXUALLY-EXPLICIT: ” in the subject line. This rule also prohibits these messages from presenting any sexually explicit material in the subject line or in the portion of the message initially viewable by recipients when the message is opened.
In addition, on March 11, 2004, the Commission issued an Advance Notice of Proposed Rulemaking (“ANPR”) to define the relevant criteria to be used in determining “the primary purpose” of a commercial electronic mail message subject to CAN-SPAM’s provisions. The ANPR requested comment on this issue, as well as a number of other issues for which CAN-SPAM has provided the Commission discretionary rulemaking authority, such as modifying the definition of “transactional” email messages; changing the 10-business-day statutory deadline for emailers to comply with consumers’ opt-out requests; and implementing other CAN-SPAM provisions. The Commission received over 12,000 comments in response. Commission staff is incorporating suggestions and recommendations from these comments into its Notice of Proposed Rulemaking.
The Commission is also actively preparing several reports required by the CAN-SPAM Act. The March 11 ANPR solicited comment from interested parties on a plan and timetable for establishing a national Do-Not-Email Registry, and an explanation of any practical, technical, security, privacy, enforceability, or other concerns commenters may have about the creation of such a registry, for a report to Congress due on June 16. To supplement information collected from this public comment process, the staff has used additional tools to enhance its understanding of all relevant issues. First, the staff has held meetings on the record with more than 80 interested parties representing more than 60 organizations to explore all aspects of the concept of a “Do-Not-Email Registry” from as many viewpoints as possible.
Second, the Commission also issued compulsory process to a number of ISPs and other entities under Section 6(b) of the FTC Act to obtain information relevant to this report and other reports required by CAN-SPAM. Third, the Commission issued a Request for Information from vendors for creation of such a registry, and obtained assistance of expert consultants to assess vendors’ submissions. Through these efforts, the Commission has received invaluable information that will allow us to prepare a comprehensive report.
In addition, the staff is actively gathering information for and preparing:
· a report due September 16, 2004, setting forth a system of monetary rewards to encourage informants to report the identities of violators of CAN-SPAM;
· a report due June 16, 2005, recommending whether or not commercial electronic mail should be identified as such in its subject line by the use of a label like “ADV”; and
· a report due December 16, 2005, on the efficacy of the Act.
Conclusion
Email provides enormous benefits to consumers and businesses as a communication tool. The increasing volume of spam, coupled with the use of spam as a means to perpetrate fraud and deception, has put these benefits at serious risk. The Commission intends to continue its law enforcement, education, and research efforts to protect consumers and businesses from the current onslaught of unwanted spam messages. The Commission appreciates this opportunity to describe its efforts to address the problem of spam and its activities to fulfill the mandates of CAN-SPAM.
Ms. Jana D. Monroe
Good morning Chairman McCain, and other members of the Committee. On behalf of the FBI, I would like to thank you for this opportunity to address the FBI’s role in anti-spam initiatives.
Cyber crime, in its many forms, continues to receive priority attention from the FBI. A paramount objective of the Cyber Division has been to arm field investigators with the necessary resources to identify and combat evolving cyber crime matters. Over the past 18 months, the FBI has supported the establishment of more than 50 multi-jurisdictional task forces nationwide. Partnerships with federal, state, and local law enforcement are vital to the success of these teams, because cyber crime, by its nature, does not respect jurisdictional boundaries and we need to leverage existing resources to effectively and efficiently fight cybercrime.
In addition to law enforcement partnerships, another prime objective of the FBI’s Cyber Division is to establish active partnerships with subject matter experts from the private sector. Such experts are often better equipped to identify cyber crimes at their earliest stages. Early identification of cyber crimes is an absolute must, and directly correlates to ultimate successes in investigating and prosecuting cyber criminals.
In keeping with this approach, and even before passage of the CAN-SPAM Act by Congress, the FBI had begun work in a Public/Private Alliance to specifically target the growing spam problem. The Internet Crime Complaint Center (IC3), working in coordination with industry, developed “SLAM-Spam,” an initiative that began operation last fall. This initiative targets significant criminal spammers, as well as companies and individuals that use spammers and their techniques to market their products.
It also investigates the techniques and tools used by spammers to expand their targeted audience, to circumvent filters and other countermeasures implemented by consumers and industry, and to defraud customers with misrepresented or non-existent products.
Enforcement Before and After the CAN-SPAM Act:
Before Congress passed the CAN-SPAM Act of 2003, some schemes perpetrated by spam could have been pursued as violations of statutes such as Title 18, United States Code, Section 1030 (fraud and related activity in connection with computers), Title 18, United States Code, Section 2319 (criminal infringement of a copyright), or Title 18, United States Code, Section 1343 (wire fraud), as well as through several other existing criminal or civil statutes. No existing statute, however, directly addressed some typical behaviors of spammers, including: using widely-available “open proxies” to bounce e-mail traffic through intermediary computers with the intent to hide the true location of the sender, the abuse of free e-mail services to send out spam from accounts with false registration information, and the use of tools to forge the return address and other headers associated with the e-mail.
Prior to the CAN-SPAM Act, law enforcement lacked the legal tools to address the spam problem directly. Because of this, many investigators and prosecutors viewed cases based primarily on the sending of spam as unlikely to result in successful investigations and prosecutions. As the economic impact attributable to spam, and the use of spam to send unwanted pornographic images have become known, however, law enforcement interest increased. Similarly, investigations of computer intrusions and viruses have uncovered that infecting computers with viruses is now often being done to facilitate spam. In the SoBig.F computer intrusion investigation, we learned that millions of computers were infected globally, primarily to convert those computers into spam relays.
The CAN-SPAM Act now allows law enforcement to apply criminal leverage to spammers, who previously were viewed as “facilitators” of fraudulent schemes, but who would disclaim any knowledge of the fraudulent or pornographic nature of the products they were advertising. CAN-SPAM’s provisions address the most significant fraudulent and sexually explicit spam, and provide both civil and criminal tools to combat them.
Project SLAM-Spam:
In response to the growing number of complaints it was receiving about fraudulent and pornographic spam, the Internet Crime Complaint Center began development of a project to address the spam problem. The Center has developed extensive experience in taking complaints relating to all types of crime occurring over the Internet, analyzing them for significant patterns, and then referring appropriate case leads out to the field for further investigation. The IC3 receives more than 17,000 complaints every month from consumers alone, and additionally receives a growing volume of referrals from key e-commerce stakeholders. The use of spam is a substantial component of these schemes, which include reports of identity theft schemes, fraudulent pitches and “get rich quick” schemes, and unwanted pornography. Currently, over 25 percent of all complaints to the IC3 involve some use of spam electronic mail.
To develop the project, the IC3 coordinated with industry Subject Matter Experts and representatives of the Direct Marketing Association (DMA), which have provided essential expertise and resources to the project. The IC3 has also consulted with the Federal Trade Commission, which has several years of working with consumers on the spam problem. This project has also identified a significant list of the methods used by subjects to advance their individual schemes.
I will describe some of the efforts and summarize the primary accomplishments of this project over the past six months, and project future accomplishments, consistent with the overall project plan. This includes a national initiative in which suitable cases developed or advanced through this project will be highlighted as part of our overall effort against those who have committed criminal and civil violations of the CAN-SPAM Act.
The first several months of the project focused on building support structures to support the initiative. The IC3 identified and consulted with Subject Matter Experts from Internet Service Providers, anti-spam organizations, and other groups. They defined responsibilities of participants, and began weekly strategy meetings to ensure that progress and priorities were consistent and clear. Experts developed communications channels and databases to exchange information quickly and robustly among the experts in the alliance. Finally, a list of potential subjects was developed by analysts from the Internet Crime Complaint Center (IC3), and compared against existing IC3 referrals to determine if law enforcement had already initiated investigations of subjects, and if those investigations were making progress.
After the effective date of the CAN-SPAM Act, the IC3 helped organize and participated in three regional training conferences on a number of subjects relating to cybercrime. At these conferences, representatives of the FBI and Department of Justice gave presentations designed to familiarize agents specializing in cyber crime with the SLAM-Spam initiative, the techniques used by spammers to falsify their identity, and the additional criminal prohibitions in the CAN-SPAM Act.
Identifying the most significant subjects involved in criminal spam scenarios is a prime objective of the SLAM-Spam initiative.
Equally significant has been developing those cases so that they can be further investigated and prosecuted by field offices, cyber task forces, and United States Attorneys’ Offices around the United States. Accordingly, while a growing number of Internet crime schemes use spam to target larger pools of victims, the Cyber Division’s task force capabilities have increased as well. Cyber Crime squads in our field divisions are trained in quickly investigating computer intrusions and virus attacks. When they are available, these resources can also be used to investigate the source of unwanted fraudulent and pornographic spam.
Project SLAM-Spam is on course and on schedule to achieve substantial results against individuals and organizations that are complicit in criminal (and potentially civil) schemes where spam is used. As a result of these activities, more than 20 Cyber Task Forces are actively pursuing criminal and in some cases joint civil proceedings against subjects identified to date. We expect that this number will continue to rise, as successful actions are brought under this act.
We are also improving our cooperation with the FTC, State Attorneys General, and industry partners, because we understand that criminal enforcement is only one aspect of the fight against spam. While we cannot share every detail of ongoing criminal investigations, we can and will share our knowledge about tools and techniques used by spammers, their current primary targets of opportunity, and the types of schemes they are favoring.
Notable Early Accomplishments of SLAM-Spam:
The SLAM-Spam initiative has now moved beyond the planning stages, and has begun identifying and packaging investigations from the field. Within the last few months, the Initiative has:
· Identified over 100 significant spammers
· Targeted 50 Spammers so identified as points of focus for the SLAM-Spam project.
· Developed ten primary subject packets for referral to Law Enforcement
· Linked three groups of subjects into potential organized criminal enterprises
· Referred five significant ongoing investigations linked to spammers.
· Over 350 compromised and misconfigured resources identified, including 50 government sites.
· Engaged military criminal investigators to help identify criminal acts associated with compromised Government sites.
· Identified common denominators relating to spam both domestically and internationally.
· Catalogued numerous exploits and techniques being used by spammers, including e-mail harvesting, use of viruses, and turn-key tools to bypass filters. [A sample of these exploits and techniques is attached to the end of this testimony.]
Future Initiatives:
The FBI, via the IC3, periodically coordinates National Investigative Initiatives, together with our Federal, State, and Local partners. Such initiatives are designed to highlight escalating areas of cyber crime, and demonstrate decisive action taken by law enforcement to combat it. These events also serve to alert the public to new and evolving cyber crime schemes, such as criminal spam. Three such initiatives have been carried out over the last 2 ½ years, including Operation Cyber Loss, Operation E-Con, and most recently Operation Cyber Sweep. A succeeding initiative is being projected for later this year in which it is anticipated that criminal and civil actions under the CAN-SPAM Act of 2003 will be included.
We have begun preliminary notification to our field offices of our newest initiative, underscoring our emphasis on cases involving criminal uses of spam. Such cases may be investigated and prosecuted as computer intrusion matters, or as on-line cyber frauds which may lend themselves to a variety of existing state and/or federal statutes, including the recently passed CAN-SPAM Act. Similar notifications have been or will be made through appropriate channels to the U.S. Secret Service, U.S. Postal Inspection Service, the FTC, the Department of Justice, and in the state and local agencies that are members of the National White Collar Crime Center. We are already planning meetings to ensure that this initiative is on track, and to further define the scope and packaging of this activity. We will be happy to brief you on the results of this initiative when it has been completed.
Conclusion:
Once again, I appreciate the opportunity to come before you today and share the work that the Cyber Division has undertaken to begin to address the problem of spam. Our work in this area will continue, and we will continue to keep Congress informed about our progress in overcoming the challenges in this area.
Witness Panel 2
Mr. Shinya Akamine
To date, the CAN-SPAM Act has had no substantial impact on the flow of spam. In fact, in the four months since CAN-SPAM went into effect, spam has increased from 78% to 83% of messages processed by Postini. Although they have garnered headlines, ISPs’ recent lawsuits against alleged spammers are mostly “John Doe”, highlighting the root problem: proficient spammers know how to hide their identities by using a variety of techniques. In addition, many spammers are offshore, so they’re beyond the reach of U.S. law enforcement. Recent arrests are catching small-time operators who are sending an insignificant amount of spam. CAN-SPAM is a good law to have. The government should continue to enforce it and punish those spammers that can be found. But Americans should not rely solely on laws. Although it’s beneficial to have the laws on the books making spamming a crime, most spammers are criminals who are unconcerned about breaking the law. The problems facing email go beyond just spam. Other malicious threats hurt the utility of email. Viruses are delivered primarily via email, and they are becoming more frequent and more destructive. Denial of Service attacks are attempts to crash email servers and disrupt communications. Directory Harvest Attacks are attempts to steal corporate directory information. Spammers are modifying their messages to defeat traditional, or first-generation, anti-spam technologies that were primarily based on content analysis. Spam is becoming more personalized and unique. Spammers are also putting less and less content in their messages. Less content means less context for typical spam filters to assess. Private sector companies like Postini have developed second-generation Email Security & Management solutions that render the spam problem, as well as the other email threats, moot for their customers. 
Spam is a problem today only for companies and organizations that are unaware of – or unwilling to implement – one of today’s second-generation spam blocking solutions. Spam filters can cost just $1 per user per month, and the payback period for companies installing such filters is typically just 3 months. Postini has more than 3,000 customers today, with more than 5 million users, who have no spam problem. Postini appreciates the Senate’s recognition of the important role that email plays in our world today and the passage of CAN-SPAM. Free enterprise will do the rest.
Mr. Ted Leonsis
Chairman McCain, Senator Hollings, and Members of the Committee, my name is Ted Leonsis, and I am Vice Chairman of America Online, Inc. and President of the AOL Core Service. I appreciate the opportunity to testify before the Committee on the issue of unsolicited commercial e-mail, or “spam.” I testified before this Committee last year on this matter, and I am grateful for the Committee’s continued attention to this important issue. At this time last year, it appeared that the onslaught of spam was growing exponentially in a manner that threatened the vitality of Internet networks. Surveys at that time indicated that spam was doubling in overall volume every 4-6 months. We asked for your help in passing strong legislation that would help us target spammers and curb their ability to abuse our network and our users. Mr. Chairman, we are grateful that you and your colleagues responded to this plea. Thanks to Senator Burns, Senator Wyden, and other key Members of this Committee, a new federal law known as the “CAN-SPAM Act” has provided some important enforcement tools in the fight against spam, as well as a heightened awareness of the need for cooperation between industry and government in the fight against spam. Where are we one year later? Have we made any progress in reducing spam and restoring the integrity of the online experience? Although spam continues to be a huge problem facing Internet users and Internet service providers (ISPs), I believe that there have been significant developments in fighting spam over the past year, in the areas of legislation, enforcement, and technology. Although we still have much more work to do, I believe that we have made substantial progress in combating spam. I would like to describe some of the steps that we, along with our partners in government and industry, have taken in recent months to address the spam problem, and the results that we are seeing from some of these initiatives. 
AOL has continued to devote significant resources to the battle against spam over the past year. We have a team of anti-spam fighters on call 24x7 to fight spammers’ varied and changing tactics. We have worked continuously to adapt the strong technologies on our network to block and filter spam, and we have launched an awareness campaign to provide our members with important consumer safety tips that can help them reduce spam and improve the security of their online experience. Since the hearing last year, AOL has introduced new tools in the 9.0 version of our software to help our members, both in the U.S. and internationally, reduce spam to their inbox. AOL’s Mail Controls allow our members to block e-mail from specific mail addresses or entire domains, or to create a “permit list” of addresses from which they will accept mail. Our adaptive spam filters allow members to personalize their spam blocking experience, based on specific words or types of e-mails that they do not wish to receive. And we have included a feature that blocks images and Web links from displaying in e-mails from unknown senders unless a member chooses to see them. Also included in AOL 9.0 is our “spam folder” feature. Beginning in October of 2003, AOL began transferring e-mail messages with characteristics indicating that the e-mail was likely to be spam to the “spam folder.” This feature separates spam from the user inbox and allows the recipient to view such messages in a separate folder, or not view them at all. Between our spam folder and our anti-spam filters, we are now keeping up to 2.5 billion pieces of unwanted mail per day out of our members’ inboxes. We are pleased that there has been a downward trend in the amount of spam in AOL members’ inboxes, which we believe is based primarily on our technical countermeasures and new product features. 
We believe that our members’ experience with spam is improving, based on information gathered through customer satisfaction surveys, as well as the number of complaints we are receiving through our popular “Report Spam” feature. However, even though subscribers to the AOL service may now be experiencing less spam in their inbox, the total volume of spam that senders attempt to deliver to our networks has not decreased. Spammers are continuing to attack the AOL network, and spam is still a major problem for online users and ISPs. Last year, I testified that it is our belief that a large part of the overall spam problem is caused by “outlaw spammers,” those who engage in fraudulent tactics such as hiding their true identity or the true source of their messages. We believe that outlaw spammers continue to be responsible for the great majority of the spam problem that consumers and ISPs face today. The “outlaw” spam problem includes: 1) e-mail that is sent using falsified means of technical transmission; 2) e-mail sent using hacked e-mail accounts; and 3) e-mail sent by spammers who intentionally abuse legitimate e-mail service providers by registering for multiple e-mail accounts or Internet domain names using a false identity for the sole purpose of transmitting spam. We believe that more than 80% of the current spam problem comes from other ISPs and hosting companies that are infested with viruses. These software viruses, or “trojans” as we refer to them, typically make their way onto machines via vulnerabilities in end-user software and the absence of firewalls or anti-virus software. These viruses/trojans infect users’ computers without their knowledge and allow spammers to use the infected machines to initiate or relay spam. We believe that most of the viruses/trojans are developed by the spammers themselves or hackers being paid by spammers. 
Last fall, we supported the CAN-SPAM Act because it offered critical tools to ISPs and law enforcement to deter “outlaw” spam by imposing strict penalties on spammers who engage in techniques of fraud and falsification. Now that these tools are being utilized, we are optimistic that this new law will produce some positive results. Developing criminal cases against spammers and preparing civil litigation against them take time. However, we and our ISP colleagues, as well as the Federal Trade Commission and Department of Justice, have announced major actions in the months following enactment of CAN-SPAM. Several recent announcements provide a glimpse of the significant efforts underway in this regard: In March of this year, AOL, Earthlink, Microsoft, and Yahoo! announced the coordinated filing of the first major industry lawsuits under the CAN-SPAM Act. The country’s four leading e-mail and Internet service providers filed six lawsuits against hundreds of defendants, including some of the nation’s most notorious large-scale spammers. Similarly, the FTC, DOJ, and U.S. Postal Service made a major announcement at the end of April of its first set of enforcement actions using the CAN-SPAM Act against two spam operations that the FTC had found to have clogged the Internet with millions of deceptive messages in violation of CAN-SPAM and other federal laws. AOL was pleased to cooperate in these investigations, and we look forward to continued cooperation with both the FTC and DOJ on other spam enforcement cases. AOL is pursuing other civil actions aggressively, and is also expanding its cooperation with state law enforcement to assist them in prosecuting spammers. In December of 2003, AOL collaborated with Virginia Attorney General Jerry Kilgore and others to announce the first-ever indictments under Virginia’s tough, new anti-spam statute. 
Two out-of-state spammers from North Carolina who stand accused of spamming AOL members could face jail time, asset forfeiture, and monetary penalties in these cases. Thanks to the attention and efforts of lawmakers on this issue last year, new legislation like the CAN-SPAM Act has spurred increased enforcement initiatives by ISPs and government. We are also seeing the level of enforcement on the rise in Europe, with the FTC cooperating with European agencies to bring legal action against spammers. We are continuing to work with state lawmakers to support legislation to reduce “outlaw” spam. We are delighted that Maryland has passed a criminal spam law modeled on the criminal provisions of CAN-SPAM and that other states, including New Jersey and Ohio, are likely to follow suit later this year. These legislative initiatives show increasing recognition that the spam problem can best be addressed by providing specific enforcement tools that can be used to pursue outlaw spammers who engage in fraud and deception. Ultimately, in order to radically reduce spam, we must know who the senders are. Spammers could not do what they do without hiding behind false names, trojan horses, and the like. That’s why, in addition to enforcement and legislation, we are excited about the development of promising new technological advancements focused on authentication of senders. These technologies would allow ISPs to identify e-mail in order to prevent spam from entering our networks. A variety of different technologies and approaches are now being tested, all with the same goal of eliminating spam. AOL is participating in a number of working groups to discuss the development and application of new industry standard technologies for email identity. Specific technologies that appear promising are SPF (Sender Permitted From), CallerID, and DomainKeys, as well as variations or combinations of these approaches. 
These technologies aim to reduce the domain name spoofing that is central to many forms of spam by confirming that an email is actually coming from the domain it claims to be from. The Internet Engineering Task Force (IETF), which is the standard-setting body for the Internet, is working to set technical standards using a combination of these technologies. AOL is currently testing the SPF technology, and we believe it can be implemented quickly due to its readily available software and already widespread adoption. Our assessment is that all three technologies can work well together and should be implemented quickly on a broad scale. AOL has joined with other leading ISPs, including Earthlink, Microsoft, and Yahoo, to study ways in which we can make use of new technologies to reduce spam. In addition to working together to test authentication approaches, this ISP working group is discussing other types of best practices that industry can employ to fight spam. Potentially effective spam fighting methods that deserve further attention include: (1) for all ISPs to confirm that their members who are sending e-mail have accounts and are allowed to send mail; and (2) for abuses indicated by ISP members to be handled as quickly as they arise. We are continuing to work with our ISP colleagues to develop additional solutions to the spam problem, both from a technology and enforcement perspective. In conclusion, we believe that industry and government have made great strides in fighting the spam problem over the past year, although there is much more work to be done. Professional spammers are always on the cutting edge of technology, which means that staying ahead of them requires extensive time, resources, and cooperation. The CAN-SPAM Act has provided some important tools for pursuing spammers; we believe we will start to see additional progress in the war against spam as these tools start to be employed. 
AOL is committed to protecting our members and maintaining our leadership role in the fight against spam. We recognize that the goodwill and trust of our members depend on our continued focus on developing solutions to the spam problem. We continue to believe that the spam battle must be fought on many fronts simultaneously in order to be successful. From technology to education, from legislation to enforcement, industry and government can work together to reduce spam significantly and give consumers control over their e-mail inboxes. We look forward to continuing to work with this Committee and other lawmakers, as well as with our Internet service provider colleagues, to stop spammers in their tracks. Thank you again for the opportunity to testify; I would be happy to answer any questions you may have on this topic.
Mr. Hans Peter Brondmo
Testimony for Senate Committee on Commerce, Science, and Transportation hearing on review of the CAN-Spam Act and new anti-spam initiatives.
May 20, 2004
Hans Peter Brondmo
Digital Impact, Inc.
My name is Hans Peter Brondmo and I am a Senior Vice President with Digital Impact, the largest email service provider in the country. Our company powers the customer communications and marketing email infrastructure for over one hundred large organizations such as the Gap, Hewlett Packard, Yahoo, Washington Mutual Bank and Verizon. In other words, we send emails that notify you about sales at your local Gap store, updates to your Hewlett Packard printer software and keep you in touch with your bank. I am also the co-chair of the technology working group for the Email Service Provider Coalition, an industry coalition representing over 45 email service providers. It goes without saying that the spam problem is of great significance to Digital Impact, our customers and the ESPC. When we began to understand the scope of this problem a few years ago we decided that spam can be solved and that the solution can be summarized in one word: accountability. In order to stop spam, organizations sending legitimate email must be able to step into the light to be identified and held accountable for their behavior. Any organization sending email but not willing to be identified can then be treated with suspicion or may simply be blocked altogether. By leveraging the openness of the Internet we can ensure that those abusing the email medium can no longer do so while hiding in the dark corners of cyberspace. In order to hold senders accountable for the email they send we need to update the email infrastructure to support a new set of authentication, accreditation and reputation services. I will share some of the most recent developments in this space and describe why I agree with the claim made recently by Bill Gates that we will rid the world of the spam plague within two to three years. 
My perspective on how this is done differs slightly from Mr. Gates, but we agree on the objective and timeframe. Email is a powerful, timely, efficient, cost effective, convenient and environmentally friendly way to communicate. Those abusing the email infrastructure to spew out unwanted, unsolicited commercial emails by the billions and using email to attack computer users with viruses and identity theft schemes are abusing a public commons for personal gain. I have been an email user since 1982 and have come to rely on it more than any other tool of communication. Email has in fact become the number one preferred medium for business communications and one of the top three for personal communication. The abuse by those using email to broadcast nefarious payloads is threatening the medium. We all agree it must be stopped. Yet the question still remains: how? The CAN-SPAM Act is an important contribution to the war on spam and I commend Senators Burns and Wyden for their leadership in this effort. While modifying the code of law to impact the behavior of spammers is necessary, it is not sufficient. It is probably too early to determine the effectiveness of the CAN Spam Act, but there does seem to be evidence that the new law has turned up the heat on spammers who prior to January 1st 2004 were able to operate with impunity. Recently there have been media reports of spammers who have taken down their “shingles” because they do not want to risk jail time. Yet according to anti-spam firm Brightmail 64% of all email in April was spam, a record high number. Regrettably the CAN Spam Act is unlikely to eliminate the hard core spammers, especially those sending viruses and perpetrating “phishing” attacks – the most dangerous form of spam. I received an email recently regarding my Citibank credit card. It claimed that there was a problem with my account and requested that I click on a link verifying my username and password. 
This cleverly designed message – a phishing email – was designed to capture my username and password to steal personal account information. It was an attempt at identity theft. As I clicked on the link in the email it took me to a fake web page that looked identical to the Citibank web-site. I dug around a bit and discovered that the page was hosted by an ISP in Russia. I have received similar emails over the past year purportedly from eBay, Visa, Earthlink and several other companies with whom I have business relationships. As you may be aware the IRS was recently attacked in similar fashion. Unsolicited and deceptive spam, while annoying and offensive, is no longer my biggest concern. My greatest worry is spam’s evil cousins, phishing and computer viruses. Email is a carrier of payloads. These payloads take many different forms. They may take the form of a written message from a colleague or a long lost friend, a digital photo from a family member, or a web page with clickable links and images from a company we do business with. As we all know, emails can also contain payloads that we don’t expect, welcome or desire including offers for body altering herbs or undesired lewd images. The worst payloads contain computer worms and viruses that rapidly infect millions of computers and cause enormous economic harm and they contain schemes designed to play on our fears or abuse our trust while attempting to steal our identity in order to defraud us. I mention these examples because they illustrate the breadth and severity of the threats to the email infrastructure and to remind us that cyberspace knows no boundaries. A recent study conducted by the Anti-Phishing Working Group described 282 unique email phishing attacks in the month of February 2004 alone. Brightmail reports a ten-fold increase in the volume of fraudulent emails from August 2003 to April 2004. 
Even if the law were to be effective in reducing unsolicited, deceptive commercial email solicitations, the really bad guys will continue to operate without regard for US law. Laws alone will not enable us to solve the core problems we are facing – we must look to changes to the technology infrastructure to address the structural vulnerabilities of email. Email is currently a very simple and open system. The simplicity of the email protocols is probably responsible for its explosive growth and broad adoption. Yet with the simplicity of email come vulnerabilities. The engineers that designed the protocols used by every email system could not have foreseen the types of uses and the scale of deployment we have today. The vulnerabilities of email are being exploited by spammers and only a change to the email infrastructure can solve this problem and ultimately rid the world of spam, making it safe from identity thieves and making it much more difficult to distribute computer viruses. Such structural changes to email will have wide ranging consequences. I believe that the current discussion needs to shift, and that the legal debate should now be focused on the new changes happening to the way email will work in the future. Consider the nation’s air transportation infrastructure. It was not very long ago when getting on an airplane was as simple as having a valid ticket and showing up at the airport on time. The ticket did not even have to have your name on it. It was simply required as a proof of purchase. No ID was necessary to fly, nor were there security checks and luggage scans. Today things are very different. Why? Because the security of the infrastructure was compromised by passengers with anti-social motives. They carried dangerous payloads, hijacking planes for financial and political gain. A few bad passengers and their payloads threatened our safety by compromising air transportation. 
Airplanes were eventually even used as weapons threatening our very national security. Making hijacking a crime does not make our air transportation infrastructure safer. While it is illegal to carry a weapon onboard a commercial airplane, it does not protect us from true harm. A multitude of security measures have been put in place to ensure that it is difficult to compromise the safety of the air transportation infrastructure. In order to board an airplane today we must present a valid government issued ID and we may be subject to screening to ensure that we don’t have a history of anti-social or threatening behavior. Returning to email, we are still living in a world where no ID check is required in order to “board” a computer with an email message. We do have the equivalent of airport screeners for email in the form of computer programs, typically called filters, that scan the content of our emails attempting to determine whether the mail is spam or not. In essence, a computer is “guessing” whether emails are spam based on statistical analysis and rules applied to the contents of the message. Unfortunately, screening is far less effective for emails than for passengers boarding an airplane. Even if a great filter catches 99% of all spam, hundreds of millions of junk emails will still get through. Unlike a scanner at the airport, it is not economically feasible for a filter scanning electronic mail to request that a person look at every suspicious email. When a computer is left to guess whether a message is spam based on scanning the content of an email message it will not only miss unwanted messages, but also misclassify wanted mail as spam resulting in a false positives problem. Like spam itself, false positives reduce the value of email and make the medium less reliable. According to research recently commissioned by Goodmail, sixty eight percent of email users reported not having received important emails due to spam filters. 
A staggering forty eight percent reported not having received personal emails, twenty five percent said they had lost order and shipment confirmations and seventeen percent missed important work email. Spam continues to persist because it is impossible to trust the origin of email and therefore impossible to determine with certainty whether an email is from a good or bad source. The computer protocols that power the foundation of our email infrastructure are flawed because they make it very easy for any sender of email to pretend to be whomever they want to be and to continuously change their identity. I can from my laptop computer, with no special software and minimal technical expertise, send an email that looks like it comes from any email address of my choosing. In other words, it is trivial to spoof, or fake, the identity of the sender of an email message. If we cannot trust that the sender of a message that may contain important, sensitive, personal or harmful information is in fact who they say they are, we cannot trust the medium. This is the essence of the problem we are faced with, a problem that legislation cannot address. Until we can trust and rely on a message in our inbox to be from the sender that shows up on our computer screen, we will not solve the spam problem. Worse, we will continue to be vulnerable to the really bad stuff: phishing and virus attacks. As mentioned above we can solve the email security and spam problem by making a few changes to the Internet, upgrades that in fact are under way. Here is how it will work: Just like we must present a valid ID in order to board an airplane, the email infrastructure will require the equivalent of an ID be presented by the sending computer in order to deliver mail. 
If I try to send email using an email from-address that I do not have control of under this scenario it will no longer work because my computer has to present its secure credentials and those credentials will not match the sending address. When I am sending from my own email address, my secure credentials would validate that I am indeed who I claim to be. This is a good first step but the recipient may still not know who I am and therefore not know whether to trust me not to be a spammer or virus hacker. It is therefore also necessary to keep track of the history and reputation of senders, so all recipients can look up the past behavior of unknown senders once they’ve been authenticated. By checking the reputation of a sender, his email credit score if you like, a determination would be made as to whether to let messages from that sender through, quarantine them for further investigation or simply reject them outright. Over time good senders would earn a good score (a good reputation) and spammers with their bad scores would fail to get their mail delivered. We would have accountability because we would have an accessible history of behavior. Let me emphasize that this is not some academic pipe dream. A number of solutions are already under development by large and small industry players such as Microsoft with its Caller-ID proposal, Yahoo! with Domain Keys, Verisign, Brightmail and Bonded Sender with accreditation and reputation services, Goodmail with email stamps and others such as Sender Policy Framework (SPF) being spearheaded through an open source initiative. The Internet Engineering Task Force (IETF) is playing an active role to standardize the various authentication proposals currently being discussed. As a matter of fact, the IETF is meeting in San Jose, California as we speak to discuss these very issues and coordinate and review existing initiatives. 
Let me in closing point out that the authentication proposals outlined above are not intended to track the behavior of individuals. They are intended to authenticate computers and domains, not individual email users and addresses. The real challenge we face is to facilitate the continued evolution of an email eco-system that supports authentication, accreditation and reputation services, while also protecting the power of open access to information that makes the Internet what it is. Technology and market forces will solve, in fact are now solving, the authentication and reputation problem. Authentication will enable law enforcement to do a better job and in combination with emerging accreditation and reputation services it will also allow the Internet to be more informed and individuals or organizations to make decisions about what sources of email they should trust. The emerging accreditation and reputation systems have many similarities to credit ratings, and there will be a need for transparency, fairness, and equal access that is better guaranteed through regulation than technology. While too early to act, I believe this is where regulatory action and oversight in the email space should be setting its sights. Updating the Internet as I have described in my comments means that we must create an infrastructure that supports accreditation of senders, implements authentication of the computers sending email and provides generally accessible reputation services. This is no small task, but it can and will be done. And once computers have identities and reputations, we will be able to determine whether to trust the source of incoming email allowing desired messages into our inbox or throwing junk in the proverbial bit-bucket based on the recipients’ personal preferences and taste, not laws and regulation.
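The authenticate-first, then-check-reputation flow that Mr. Leonsis and Mr. Brondmo describe above, as an added Python example; it is not part of the hearing record or any witness's or vendor's code. It evaluates only the ip4/ip6/all subset of SPF-style records against a constructed table standing in for DNS, and the domains, addresses, reputation scores and thresholds are assumptions.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT lookups. Domains and
# address ranges are reserved documentation values, not real senders.
PUBLISHED_POLICY = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "newsletter.example": "v=spf1 ip4:198.51.100.16/28 ~all",
    "bulk.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Hypothetical reputation scores (0-100), keyed by authenticated domain.
REPUTATION = {"bank.example": 92, "newsletter.example": 55, "bulk.example": 8}
ACCEPT_AT = 70      # assumed threshold: at or above this score, deliver
REJECT_BELOW = 20   # assumed threshold: below this score, reject

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip, policies=PUBLISHED_POLICY):
    """Evaluate a domain's published record against the connecting IP.

    Terms are checked left to right and the first match decides the result.
    Only ip4, ip6 and all are handled; any other term yields "unknown".
    """
    record = policies.get(domain.lower())
    if record is None:
        return "none"                      # domain publishes no policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)   # taken from the TCP connection
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unknown"               # include/a/mx etc.: outside this sketch
    return "neutral"                       # nothing matched, no "all" term


def disposition(mail_from, client_ip, reputation=REPUTATION,
                policies=PUBLISHED_POLICY):
    """Return (auth_result, action): deliver, quarantine or reject."""
    domain = mail_from.rpartition("@")[2].lower()
    auth = check_sender(domain, client_ip, policies)
    if auth == "fail":
        # The domain owner states this host may not send in its name.
        return auth, "reject"
    if auth != "pass":
        # Identity unproven, so the domain's reputation cannot be credited
        # to this message; hold it instead of trusting the From address.
        return auth, "quarantine"
    score = reputation.get(domain)
    if score is None:
        return auth, "quarantine"          # authenticated but no history yet
    if score >= ACCEPT_AT:
        return auth, "deliver"
    if score < REJECT_BELOW:
        return auth, "reject"
    return auth, "quarantine"


if __name__ == "__main__":
    samples = [                            # constructed connections
        ("alerts@bank.example", "192.0.2.25"),
        ("alerts@bank.example", "203.0.113.7"),   # bank's name, wrong host
        ("news@newsletter.example", "198.51.100.20"),
        ("offers@bulk.example", "203.0.113.9"),
        ("hello@unlisted.example", "192.0.2.1"),
    ]
    for sender, ip in samples:
        print(sender, ip, disposition(sender, ip))
```

The second sample shows why the order matters: a host outside bank.example's published range cannot borrow that domain's good score, because reputation is consulted only after the authentication result is "pass".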
Mr. James Guest
Click here for a PDF version of Mr. Guest's remarks.
Mr. Ronald Scelson
May, 18, 2004 To the Honorable Senator McCain and the subcommittee on Commerce I am greatly honored to be invited to speak before this subcommittee today and would like to thank Senator McCain for inviting me. As we have worked under the new CAN SPAM Law a few issues have arisen. CAN SPAM CAN WORK I would like to begin however by stating that there are a few reasons why the new CAN SPAM Act is working and working well. It is very promising to see our government working to do something about fraudulent activities on the internet. It is very good to see companies that are identifying themselves. It has helped tremendously in the following areas: · Repeat business and · New business for the mailing companies. · It has helped the recipients who are familiar with the law to identify US companies working to be legitimate from non-compliant companies both abroad and in the US. · Finally, it has helped those Internet Service Providers who do wish to work with mailing companies to know whom they can offer services to without violating any laws themselves. ALL NEW THINGS HAVE A ROUGH TIME Despite all this good news, there are still many problems with implementation, cooperation, interpretation, and fraudulent or misleading practices – many stemming from the ISPs or their providers. Following are some examples and issues that need to be looked at and resolved for the internet community to work in harmony. Since the enactment of the CAN SPAM Act, my company and several others have all worked in compliance of the new law, which has been an extremely difficult task each day. When we mail under the new law the major ISPs focus on our from addresses, subjects lines, our company information, and our disclaimers on the bottom of the email as well as our IP address. They use this information to block our emails. Thus the Act that is to curtail fraud, is in fact curtailing our ability to engage in free enterprise and our business is greatly hindered. 
With this situation, many mailers – especially in foreign countries – still have not been able to fully implement all steps of the new law. They are faced with the problem of how to comply with the law when the ISPs and backbones themselves are not being respectful of the new law. Although it is clear that the CAN SPAM law does not dive into the legalities or illegalities of the practices of ISPs, many mailing companies are still – simply put – backed into a corner. Shall they comply and go out of business due to ISP filtering or shall they attempt to comply partially, hoping that it will be clear that they have the intent to follow the law and remain out of trouble with the US regulating bodies? This is the dilemma for many. Of course foreign companies have mainly chosen to follow the laws of their land and disregard the laws of the United States – especially with the actions of the ISPs to put all bulk email in the trash.
SHUT DOWN = AUTOMATIC NON-COMPLIANCE
Every time a registrar shuts off a domain, an ISP closes a connection, or a hosting company shuts off or blocks an IP Address of a mailing company, there is a non-compliance issue. According to CAN SPAM of 2003, all mailing companies are to keep their removal systems active for 30 days after the email was sent. Every company including my own has had a major situation complying with this part of the law because ISPs, Registrars or hosting companies shut down the services without providing 30 day notice and keeping our connections active so that we can remain in compliance. Often we even lose our remove lists that were contained on the equipment that they now deny us access to.
BLOCK, TACKLE AND THROW
Here is an example of what our company and many others have experienced. AOL, Hotmail, Yahoo and other major carriers have blocked our network based on our company information. The larger anti-spam groups have done the same. These anti-spam groups act like vigilantes now more than ever before.
They put you on their blacklists—often networking these blacklists to other anti-spam groups as well. It is possible to have both your company name and IP addresses completely blocked in as little as 4 hours, thus preventing you from delivering your mail to more than ½ the internet. These groups will not remove the blacklist even if you prove to them that you are compliant with the new legislation. These organizations are not government backed or funded. They do not identify themselves like we do so pursuing legal action against them is nearly impossible. Many of these groups are not even on US soil. These are the same people who want our information published on the web. Nothing is done to stop them or interfere with them.
The ultimate blow for the mailing company however is how many of these groups also use automated systems to generate multiple complaints to the Internet service providers. They make it look like one person received numerous copies of the advertisement, or like the mailing company has generated a large amount of complaints and thus should be shut down. For the Backbones and the ISPs the issue has always been how to engage in business without generating too many complaints. Since, with most of these groups, the number of complaints is the determining factor on when to leave services on or when to shut them off, many of the vigilante groups now have set up anonymous and multiple complaint sending automated systems. In fact, you will find that very few of the complaints that are generated today come from the intended recipient of the email as compared to the number that come from the automated anonymous complaint-sending systems. Interestingly, there are some vigilante groups that encourage people to purchase and use their software with proxies to prevent detection when sending in complaints!
In February of this year, the ISP I am currently with (WorldCom) received notice that I had joined AOL's whitelist and was mailing non-unsolicited email and had AOL's full permission to send mail into their domain. This was not spam. Because AOL’s automated remove system sent a copy of the undeliverable emails not only to us but also to WorldCom, WorldCom told us to stop mailing or they were going to shut us down. What was the logic in this action by WorldCom? AOL had granted us permission to mail into their domain. We were fully compliant with the law, and we were offering products and services that were a) in great demand and b) not fraudulent. And this was not even because of complaints. It was ONLY non-deliverable addresses in our list.
WHAT ABOUT THAT COMMON CARRIER LAW?
When we review the FCC Communication Act, the above actions show that the ISPs are unjustly denying us service. In many cases, these groups are in fact common carriers providing us nothing more than a way to connect to the Information Highway. WorldCom is in violation of the FCC Communication Act, which clearly states that common carriers cannot tamper with, read, or alter the communications that they transmit. This includes communications across data lines.
The issue of whether or not an ISP is a common carrier has been argued in the courts as far back as 1997. In one suit, AOL claimed that they were a common carrier, yet just a short while later they claimed that they were not a common carrier. The FCC supported AOL’s claim that they were not common carriers and thus set a precedent that many ISPs have followed since. Interestingly, as we understand the charter of the FCC, they do not have the authority to determine who is or is not a common carrier. This is the job of Congress.
According to section 3 47 USC 153 – Section Ten of this act:
“Common Carrier: the term of a “common carrier” or “carrier” means any person engaged as a common carrier for hire in interstate or foreign communication by wire or radio or in interstate or foreign radio transmission of energy, except where reference is made to common carriers not subject to this act; the persons engaged in radio broadcasting shall not, insofar as such person is so engaged, be determined the common carrier.”
At the time of this submission, I have yet to locate any ISP not subject to this act. I located more information on common carriers at a website that detailed a lawsuit against Western Union a while ago.
“A ‘common carrier’ has a legislatively-granted monopoly over a particular route, region, or type of communications. In return, the carrier must carry everything and has no right to reject particular passengers or communications.
“Congress made Western Union a common carrier, for example, when it refused to carry cables from reporters to their newspapers because they competed with its own news service.
“It seems obvious that services which sell only a connection to the internet should be treated as common carriers. While Compuserve and AOL should have a right to edit and refuse to carry speech they do not like, ISPs should have no more right to do so than Western Union or the phone companies.”
Of course, this statement was made about AOL and Compuserve before they owned their own carrier lines. Thus it no longer holds true for these groups either.
LET THEM BE REMOVED
The CAN SPAM Act also calls for the FTC to implement the Global Remove System. Absence of this removal system has allowed problems with removal to persist; its implementation could result in a much calmer internet environment much faster than anything else we have available to us today. For example:
1. A recipient who wishes to receive no advertisements at all must remove himself from any advertisement that arrives in his inbox. This could quickly add up to a lot of extra work. With the Global Removal system, he would have to only remove himself once.
2. An Internet Service Provider continually gets complaints from the same person who enjoys sending such complaints and will not remove himself from a mailing list – the ISP can enter his email address into the removal system, thus putting an end to the problem, while maintaining his privacy.
3. By giving the rights back to the individuals, there is no need for any ISP to subscribe to the vigilante groups that filter and file multiple reports anonymously.
Yet, many of the anti-spam groups are strongly opposed to such a system. There are reasons for this: Just as commercial bulk email is big business, so is anti-spamming. With software and services to be sold to stop the flow of commercial email, their sales would be interrupted if the public had an easy and effective way to remove themselves from receiving internet email advertisements.
Additionally, the anti-spammers claim that there are people who would mail to the remove list – I have never met one however. Yes, there is a solution to this problem if it did exist. When a recipient of an email receives unwanted advertisements they click the remove link. This link takes them to a government site where they submit their email address, which will be encrypted. Software would be available to the mailers for doing removes. The software would retrieve the remove list while encrypted and remove the people without the mailer ever seeing the actual email address. A program could be implemented where bulk mailers could sign up with the government and their IP address and Domains would be whitelisted with the ISPs allowing people who send compliant mail to get in while being able to stop spam.
ABOVE THE LAW?
While we worked to get whitelisted with AOL, here is what we experienced: Things started out well, AOL was willing to work with us as we worked to deliver our list into their domain and get our non-deliverables removed. After just 3 mailings we were receiving virtually no undeliverable emails and very few complaints. The majority of this list was undeliverable mainly because the list had been built since I started mailing years ago. Obviously many email addresses changed over the years. The only way to get the bad addresses out of the list was to deliver into AOL and pick up their non-deliverable reports back to us.
WorldCom stepped in and tried to shut me down even after AOL sent proof of our whitelist classification. However, it seems that AOL found out who I was and denied me the whitelisting after this exchange of information between AOL and WorldCom. Charles Stiles, postmaster for AOL, denied the whitelisting based on my list not being “true opt-in” and threatened to bring in their legal department. Yet, Opt-In had never been a part of the original whitelisting agreement with AOL. The problem I have with this is just last year Ted Leonsis with AOL stated in front of Congress that they send bulk email but they provided a way for their receivers to opt-out, which of course I do too. I fail to see the difference.
While small companies are often thwarted in their attempts to follow the laws of the land and the rules of the ISP, which do not align at this time, they are hard-pressed to stay in business. Large corporations however, not only disregard the laws of the land as passed by Congress, they ignore rulings by judges. Recently I hired an attorney to sue the large carrier Covista. This resulted in an injunction that demanded they turn my service back on. Covista just ignored it. AOL was recently sent an order to allow CI host to send mail to AOL’s network. AOL just like Covista is ignoring the judge’s order.
Scott Richter of Opt-In Real Big has been involved in an ongoing legal battle to allow him to send compliant email through his two providers. He too was awarded an injunction against one of his carriers. I do not know if his provider is abiding by the injunctions or not. Evidence suggests that the ISPs think they are above the law and can sue us for failure to abide by the law while they simply ignore them.
All the large companies like AOL, Hotmail, Yahoo, MSN, Charter, and others are working together on an anti-spam system, while they continue to send email advertisements. If bulk mailing is so bad and so wrong, why are they engaged in it? Is it bad and wrong as they say or is it merely that we needed to curtail fraudulent practices? If the problem was that of fraudulent practices, then that problem was solved with the new law. Yet ISPs stop our compliant mailings while they mail themselves. Begins to look like small business against big business . . . It has long been said that the internet is the first place where small business had the opportunity to play in the same field as big business . . . perhaps this is the threat?
President Bush is sending non opt-in bulk email, abiding by the new laws, into Hotmail and AOL. His message ended up in the bulk folder at Hotmail and the spam folder at AOL. In my mind, a message from the president should be given a level of courtesy and respect in keeping with his position. Apparently, AOL and Hotmail do not hold the same respect.
BONDS DO NOT SOLVE ANY PROBLEMS
A new trend is popping up for companies like Hotmail and Yahoo. They are contracting with third party companies such as Habius, and Bonded Sender. These third party companies are charging as much as 25,000.00 a year, non-refundable, to bond your IP addresses. However, there is no guarantee other than to take your money with only the possibility of allowing your mail in.
It seems no different than paying the mafia for protection to do legitimate business (legal definition of racketeering and fraud).
TRUTH IN REPORTING – TRUTH IN DELIVERING
Although we have a law against fraudulent practices on the internet, it seems that this law is not written well enough to include those who are using automated systems to identify, and file multiple complaints anonymously (often with proxies) against people who are sending email. Also, with ISPs any complaint is taken as a good reason to shut down services. Following are some recommendations of what could be done.
1. Complaints should be limited to being classified as valid only if they come directly from the intended recipients.
2. Automated reporting systems should be limited to one complaint and not sent with the use of proxies. Complaining Agency should be clearly identified.
3. ISPs and their providers should show respect toward the CAN SPAM law by only classifying as a valid complaint those which do not comply with the law.
4. Those Agencies or individuals doing the complaining or with any kind of ability to interfere with legal mail should have to fully identify themselves just like we have to identify ourselves. Appropriate email address should be provided for removal.
5. ISPs should not be allowed to filter what is required by law to be in our email advertisements.
6. ISPs should not be allowed to shut our circuits down and discriminate against us when we send legal mail.
SUMMARY
The CAN SPAM Act of 2003 has brought promise and hope to the internet, yet adjustments still need to be made:
1. Rapid implementation of a Global removes system, which ISPs are required to add chronic complainers to.
2. ISPs to be treated as common carriers or minimally respect the laws that Congress has passed.
3. Companies interfering with these laws like Spews, Spam Cop etc. should be made to file only one complaint and reveal their identity.
4. People complaining should have to identify themselves (email address).
5. Mailing companies who comply with the law should not be at risk of losing their systems or services. They should not be forced into non-compliance due to instant shutdowns, and violation of 30-day remove systems.