It’s a no-brainer: People hate spam and politicians in the U.S. and Europe were shrewd enough this year to respond to their constituents’ growing frustration over the increasing barrage of unwanted e-mail with antispam legislation. But will the new laws really be able to thwart junk e-mail?
“No legislation alone will solve the spam problem,” said Brian Huseman, a staff attorney for the U.S. Federal Trade Commission (FTC), the federal agency charged with enforcing the antispam regulations. “One of the reasons is because it’s very difficult to apprehend spammers and it’s very resource-intensive for law enforcement officials to not only pinpoint spammers but to also build the case needed for punishing them.”
Along with the systemic difficulties in apprehending and punishing those who send spam, the differing approaches that the laws in the U.S. and Europe take to combat spam also make fashioning an international approach to the borderless nature of spam problematic.
An “opt-in” directive was added to the statute books of the 15 European Union (EU) member states in October, and laws complying with the EU directive are starting to come into effect. For example, beginning Thursday, the U.K.’s updated Telecoms Data Protection Directive will impose fines of up to £5,000 (US$8,700) on companies and individuals caught sending unsolicited commercial e-mail and SMS (short messaging service) text messages to mobile phones without prior agreement.
But despite the efforts of European politicians to get their Washington D.C. counterparts on the opt-in bandwagon, U.S. lawmakers this week passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, an “opt-out” piece of legislation that puts the onus on individual users to let companies know that they do not wish to receive spam. The bill will become law on Jan. 1.
Downplaying previous predictions of dire consequences should the U.S. adopt opt-out policies, European politicians welcomed the Can-Spam legislation — after three years of effort on the part of Congress — as an important first step.
“Though I would have preferred an opt-in law, the most important message is that the U.S. does something against spam, even if it is different from the EU’s approach,” said Erika Mann, a German member of the European Parliament and chairwoman of the European Internet Foundation. “There was a time when just the idea creating a law to deal with spam was quite controversial in Congress, as I understand it, so to actually have a law is real progress.”
Having the two different philosophies of opt-in and opt-out makes it more difficult for the international community to deal with spammers, Mann said, “but at least with the new U.S. law there is an understanding that something must be done.”
Brian White, a U.K. Member of Parliament (MP) and Treasurer of the All-Party Parliamentary Internet Group (APIG), a group that traveled to Washington, D.C., in October on a “fact finding mission” to work on solutions to unwanted e-mail, echoed that sentiment.
“We got a very positive response from the people we met on Capitol Hill. Yes, the approaches are different (between the U.K. and the U.S.); they think they’re right (to embrace opt-out solutions to spam), and we know we’re right,” White said. “We had a very interesting debate and could continue to do so for quite a long time.”
In some cases, opt-out laws in the U.S. will protect U.S.-based spammers from the more stringent European opt-in rules, according to Marten Nelson, director of business analysis and strategy for e-mail security company CipherTrust Inc., in Alpharetta, Georgia.
“The U.S. has a tremendous surplus in spam, but E.U. laws don’t mean a lot to U.S. spammers and visa-versa,” Nelson said. “Any legislation will have a limited effect as it’s so hard to track spammers to prosecute them.”
Even with its limitations, antispam legislation is “an important piece in the puzzle to resolve the problem,” Nelson said.
White stressed that despite the differing approaches, it was important to focus on other aspects of prosecuting spammers, namely punishing the activities that are defined as illegal under all versions of the spam laws.
“Let’s get most of the spammers under antipornography laws, under deceptive-trade laws, under the (13-year-old U.K.) Computer Misuse Act, and the like. That way we can deal with the majority of spam and with this approach, the U.S. opt-out laws actually don’t, in my view, make it more difficult to enforce U.K. and EU laws,” White said.
The U.K. has had some success working with the U.S. Federal Bureau of Investigation (FBI) and according to White, when APIG representatives spoke with FBI officials in October about extraditing Americans who violate U.K. antispam laws, the FBI had no problem with the idea.
But stopping the flood of messages at the source is unlikely, no matter which antispam laws are used, said Gartner Inc. U.K. analyst Anthony Allan.
“The laws in the U.K. and EU will not have the effect of reducing spam in the EU, just as the Can-Spam Act will not have the effect of reducing spam in the U.S. For one thing, there is the issue of China, where more and more spam is originating from,” Allan said. “Our latest estimates is that 30 percent of spam is now coming from Asia.”
While there have been efforts in Asia, notably by the Internet Society of China to block e-mail sent from servers that have been identified as sources of spam, and a revised law in South Korea designed to regulate unsolicited commercial e-mail, the reduction in spam has been limited. Most corporations and businesses, including Gartner’s corporate clients, have taken a technical response to the problem of spam, Allan said.
“In the next two or three years at least, only the technical solutions will have any real effect on slowing down the flow of spam,” Allan said.
In addition to new offerings from smaller security-technology vendors, major companies such as Microsoft Corp. are becoming more aggressive in providing technical solutions to spam. For example, at the Comdex trade show in Las Vegas last month, Microsoft Chairman and Chief Software Architect Bill Gates announced that the Redmond, Washington, company will add heuristics-based antispam capabilities to future releases of Exchange Server 2003 in an effort to keep spam e-mail messages from reaching users’ inboxes.
But individuals may not be able to afford the technical antispam measures that enterprises are increasingly relying upon, so in the longer term, technology will be only one part of a multipronged approach required for containing the levels of spam.
“There must be a combination of technology, such as antispam filters; education; working with ISPs (Internet service providers); as well as legislation,” according to Helen Roberts, chief operating officer at Responsys Inc., a provider of outsourced e-mail marketing services, in Palo Alto, California. “There is no single solution or approach to dealing with spam.”
Responsys advises its customers, including Continental Airlines Inc. and the clothing catalogue provider Lands’ End Inc., to follow permission-based, opt-in guidelines, so as to avoid the “tremendous consumer backlash to the spam problem.”
“We tell our customers to get permission (from end users to send e-mail advertisements) and to also insure that your message is meaningful and timely. But uncontrolled spam will hurt legitimate marketers. Though the Can Spam Act is opt-out, we look at the federal solution as a positive first step,” Roberts said.
Companies such as Responsys and CipherTrust, as well as politicians like White and Mann, see the need for international guidelines for handling Internet issues on a global basis.
“A legal framework would help among states worldwide,” Mann said. “I’m not sure that an international body would be so good, but a framework would be useful. As part of that framework, we could use minimal standards and principles that could then be incorporated into national laws.”
Mann had hoped that the World Summit on the Information Society, meeting this week in Geneva, could have been the forum for developing a framework within the United Nations. But rather than coming up with specific activity to be taken against the spread of spam, the group was only able to agree to a brief statement in its Declaration of Principles saying: “Spam is a significant and growing problem, for users, networks and the Internet as a whole. Spam and cyber-security should be dealt with at the appropriate national and international levels.”
The International Telecommunication Union (ITU) is often named as the group that may be most suitable for drawing the various states together to tackle the spam issues.
“There is no real ‘body’ that can enact international legislation on spam. However, I believe the ITU is well positioned to draft guidelines and recommendations for a baseline for national legislation,” said CipherTrust’s Nelson.
Nelson believes that the global nature of the spam problem should motivate the ITU to establish an international forum for how ISPs and telcos can effectively cooperate in tracking and shutting down spammers.
“There is wide recognition in the international community that international initiatives to address spam are needed sooner rather than later,” said Robert Shaw, the ITU’s Internet strategy and policy advisor, in an e-mail response to questions. “The ITU is exploring exactly what can and should be done to fight this growing threat to the viability of Internet communications.”
He added that the ITU is planning an international conference on spam in 2004, potentially in cooperation with the Organization for Economic Co-operation and Development (OECD) and the Asia-Pacific Economic Cooperation.
Shaw, as well as the FTC’s Huseman, expressed enthusiasm for a conference being co-hosted in Paris on Feb. 2-3 by the OECD and the European Commission, as a good starting point, as did the MP White.
“At the OECD meeting, the various states will be able to establish guidelines and the meeting will also make sure that we keep talking,” White said.
Gartner’s Allan warned that the effectiveness of the OECD meeting will depend on how responsive the various parties are willing to be.
“With opt-in verses opt-out, the U.S. and the E.U. are already at odds,” Allan said. “Will the meeting change policy? I am dubious about that.”