I am quite content with the size of my penis. I don't want Vicodin through the mail. I have no plans to refinance my mortgage. Hell, I don't even have a mortgage. I don't care to see Sexy Farm Babes Getting It On. I don't care who was deposed in which African nation or how much they have squirreled away in a Bahamian bank; I'm not sending out my account information. No way. I don't need anti-fungal ointment. My teeth are white enough, thank you. I don't want to meet you tonight, I did not block your IM, and I don't even know what herbal Viagra is. Please. Can't I just be left alone?
Spam is more than a mere annoyance. Forrester Research estimates that spam costs U.S. businesses $10 billion a year. Brightmail, a San Francisco anti-spam technology company, found that as of July, 50 percent of all e-mail traffic on the Internet is made up of spam. Worms and viruses such as SoBig and more recently Mimail use spam technology to spread at alarming rates, and they threaten to cripple the whole of the Internet. Something needs to be done. Unfortunately, something was.
The Burns-Wyden anti-spam bill, or the so-called Can Spam Act, blew through the U.S. Senate two weeks ago and was heralded on front pages across the country as an anti-spam victory. "Senate Votes 97-0 to Restrict E-Mail Ads," the Washington Post announced. "Senate Votes to Crack Down on Some Spam," reported the New York Times. "Senate OKs Do-Not-Spam Plan," bellowed the Mercury News in giant type across the top of the page.
The House, which had been squabbling over competing anti-spam bills all year, is now under intense pressure to follow suit, and many observers expect Speaker Dennis Hastert to introduce the Can Spam Act directly on the floor this week, bypassing committee infighting and forcing a vote. There's just one problem: The Can Spam Act is going to make the scourge of spam worse and will effectively legitimize the practice of sending unsolicited bulk e-mail.
By eliminating a consumer's right to sue, overriding state legislation, and providing for truthful-yet-unwanted e-mail from so-called legitimate spammers, the Can Spam Act will create a flood of unsolicited commercial e-mail, all of it legal.
Can spam? More like spam can.
The Can Spam Act is a well-intentioned piece of legislation. Ninety-seven U.S. senators aren't out to flood your in box with Vicodin ads. It grew out of several decent pieces of legislation, cobbled together at the last minute to make a very bad one.
"We had some high hopes, but when we saw the actual legislation that came out of the Senate, we began to get concerned," says John Mozena, vice president and co-founder of the anti-spam Coalition Against Unsolicited Commercial Email, or CAUCE. "We were strongly supporting Senator Schumer's bill that would create the do-not-spam list at the FTC. That bill and the Burns-Wyden Can Spam Act, and also Senators Hatch and Leahy's bills, all got rolled together on the Senate floor.
"Our fundamental issue is that it fails the basic litmus test: It does not tell you not to spam. It says if you are sending unsolicited e-mail, here are the rules. Our concern is that any bill that tries to get rid of the current crop of spammers doesn't leave the door open for legitimate businesses."
And that's exactly what the Can Spam Act does: It makes it OK for businesses to spam you, as long as they play by the rules Congress set up. The Can Spam Act is an opt-out piece of legislation. It makes it OK to spam, as long as there's a way for consumers to opt out of future mailings. In other words, it's OK to spam everybody once. Consumer advocates are almost universally against an opt-out program. David Kramer, a spam-fighting attorney with Wilson Sonsini Goodrich & Rosati who has won landmark, precedent-setting cases against spammers, is practically apoplectic on the issue.
"If you want a law that ensures spam will be around for the next decade, than you should support the Can Spam Act," says Kramer. "The American people deserve better than this poor excuse, spawned by the marketing industry."
"There's a math game we play to illustrate the problem," Mozena says. "There are 24 million small businesses in the United States. If only 1 percent of those businesses got your e-mail address, and sent you one e-mail a year, you'd get 657 messages in your in box every day. Our worry is that if a couple of guys working out of backrooms and basements generate this much spam, what happens if we open it up [to large legitimate businesses]. One of these companies has more resources than all the spammers combined."
Oddly enough, the Can Spam Act is similar to laws already on the books in many states where opt-out programs proved utterly ineffectual.
"The legislative approach in California heretofore was to require that it be labeled and to require that unsolicited commercial e-mail have a valid opt-out mechanism," says Joanne McNabb, chief of the California Office of Privacy Protection. "That's been the law in California. It produced one action."
Recently, however, California passed S.B. 186, an opt-in law with a private right of action for consumers, which was to take effect in January 2004. Many observers cited S.B. 186 as the impetus behind the federal Can Spam Act.
"What [S.B. 186 sponsor California state Sen. Kevin] Murray did," says McNabb, "was go for an outright ban on unsolicited commercial e-mail, and made it binding on not only the marketer, but also the advertiser. His thinking is that the advertiser is more likely to be findable than the spammer."
Indeed, most spam is already illegal, based on fraud and trespass-to-chattels laws. You cannot sell Vicodin and Viagra without a prescription. Child pornography is illegal in all 50 states, even Nevada. Spammers get around this, however, by spoofing e-mail header information, which makes finding them particularly hard.
"We recently did a false-claim study, and we found that in two-thirds of the cases, there was some indication of falsity in the header," says Brian Huseman, staff attorney with the Federal Trade Commission's Bureau of Consumer Protection. While the Can Spam Act specifically bans such practices, and provides for criminal penalties for those who violate them, the FTC does not have the resources to go after most spammers. Once again it's a numbers game.
Which is exactly why a private right of action, which would give those on the receiving end of a spam message the right to sue, is the only real means of putting a dent in the volume of spam. Unfortunately, the Can Spam Act provides for a private right of action only for e-mail service providers, not individual consumers. When anyone can take a spammer to small claims court, as Californians would be able to do under S.B. 186, it creates, as Kramer says, "an army of enforcement."
Even worse, the Can Spam Act stipulates that an advertiser must knowingly violate the rules, which makes the already overtaxed FTC's job even harder.
"If a federal spam law is going to be passed, we don't want it to increase the burden of our existing enforcement," says Huseman. "We don't want to have to prove knowledge, or the intent to violate. Burns-Wyden would add knowledge requirements, which is a hurdle that does not exist [under current FTC rules]."
Yet don't hold your breath waiting for the House to correct the Senate's mistake. "A private right of action is a nonstarter in a Republican House and Senate," one source told Salon off the record. "Consumers would like an opt-in, the real world is opt-out."
But what about that do-not-spam list tacked onto the bill at the last minute? Won't that protect your e-mail address in much the same way that the federal do-not-call list protects your phone line from telemarketers?
No.
"Unfortunately, a lot of the reasons a do-not-call list works do not translate well to a do-not-spam list," says David Baker, vice president for law and public policy for EarthLink, one of the most active ISPs in the fight against spam. Spam costs EarthLink millions of dollars a year, and the company is on record supporting the Can Spam Act. Baker believes the act will help in the fight against spam, but he cites several reasons that a do-not-spam list won't work, most notably the difficulties in finding spammers and the low overhead involved in sending spam. Moreover, the requirement is not that the FTC create a do-not-spam list, but that it study the feasibility of doing so, just as it did with the do-not-call list in 1991, 12 years before the list was finally set up. Worse, the FTC doesn't even think that it can enforce a do-not-spam list.
"This is the key issue we have with a do-not-spam list," says Huseman. "It would be very difficult to enforce. We really don't see that a registry would amount to a big reduction in the amount of e-mail." And in a nightmare scenario, Huseman and others worry that spammers could access the do-not-spam registry to obtain valid e-mail addresses.
Meanwhile, across the pond, the European Union implemented an opt-in anti-spam law on Friday, leaving the United States behind. "If we don't pass a good anti-spam law in the United States," says Mozena, "we're going to run the risk of being the last big Internet nation without one."
Shares