Why the new federal 'CAN Spam' law probably won't work
By Anita Ramasastry
(FindLaw) -- Both the House and the Senate have now approved anti-spam legislation. ("Spam," of course, is unsolicited e-mail.) First, the House approved an anti-spam bill, 392-5. Then, the Senate unanimously approved a version of that bill with minor technical changes, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, which is also referred to as the CAN Spam Act.
In early December, due to these changes, the House will have to vote once again on the CAN Spam Act, but it seems a foregone conclusion that it will pass. Moreover, it appears very likely that President Bush will sign the bill into law.
In theory, that's a good thing: Congress's findings noted that "[u]nsolicited commercial electronic mail is currently estimated to account for over half of all electronic mail traffic, up from an estimated 7 percent in 2001, and the volume continues to rise." At this point, there's little question that spam is a big, and growing, problem.
Indeed, some reports estimates that industry loses up to $10 billion a year in terms of lost productivity and investment in software and other resources to filter spam. And the Pew Internet & American Life Project recently reported that 70 percent of e-mail users say spam has made their online experience unpleasant or annoying.
Unfortunately, in practice, the new anti-spam law -- while well-intentioned -- may be ineffective. The sad news is that the new legislation is unlikely to achieve its goal of eliminating the bulk of the spam we receive.
The specifics as to what the anti-spam legislation will prohibit
To begin, the new law will not prohibit all spam.
Instead, it will require that spam be truthful, and it will provide the government with enforcement mechanisms to go after fraudulent or deceptive spammers. They would face fines of $250 for each e-mail pitch -- fines that could total up to $6 million for the most serious offenders.
It would also forbid senders of commercial e-mail from disguising themselves by using incorrect return e-mail addresses or misleading subject lines, and sets criminal penalties for those who do. (E-mail containing pornography would also have to be specially labeled in the subject line.)
In addition, it would prohibit "harvesting" e-mail addresses. ("Harvesting" is the practice whereby spammers grab email addresses from Internet chat rooms, blogs and other sources without the permission of the Web site or its members/users.)
Who would enforce these provisions? The federal law does not allow individual e-mail users to sue spammers. Instead, the Federal Trade Commission (FTC), other federal agencies, Internet Service Providers , and state attorneys general can sue on behalf of Internet users.
In theory, these provisions should have a big impact. An FTC study conducted earlier this year found that two-thirds of spam contains a false claim. At most, according to the FTC, only 16.5 percent of spam is from legitimate advertisers peddling legal products.
What about that final 16.5 percent, though? Under the new law, consumers can choose to "opt out" of receiving it. Spammers will be required to provide an "opt out" mechanism within the email itself.
And ultimately, the FTC may be asked to establish a "Do Not Spam Registry" similar to the recently created federal "Do Not Call Registry." (If passed, the current bill would require the FTC to come back to Congress within six months with recommendations on how to set up such a registry.)
In theory, registering with a Do Not Spam Registry ought to mean that one will never be spammed again. By adding one's email address to a central directory, a consumer would theoretically notify all potential email marketers that he wished to receive no unsolicited commercial email.
In reality, however, that almost certainly won't be the case -- for several reasons.
Why the anti-spam legislation may well be ineffective
Why won't the spam law work?
First, much of the illegal or deceptive spam that we receive in the United States comes from overseas. (For example, many of us have received letters from purported relatives of Nigerian dictators -- part of a wave of fraudulent spam that is initiated from overseas.)
It will be difficult to find international spammers and to bring them to justice – even when we do know who they are, which is rare. Last week, the Nigerian government announced last week that it has set up a presidential panel to tackle economic crimes committed via the Internet, which is a step in the right direction. International measures will be necessary to truly eradicate fraudulent spam.
Second, even U.S.-based spammers will similarly be able to move their operations offshore and continue to operate from there.
Third, even if spammers stay within the U.S., it may be still hard to enforce the law against them. It is one thing to sue a spammer; getting him to pay a fine or judgment is quite another matter. Individuals or small businesses may not have the deep pockets to pay even if they are inclined to, which is unlikely.
Fourth, spammers may simply ignore the Do Not Spam registry -- as FTC Chairman Timothy Muris predicts.
A downside of federal legislation: Sweeping away state anti-spam laws
In some states, the federal law may even make the spam situation worse. The new law expressly preempts existing state anti-spam laws – which often provide greater protections for consumers.
Thirty-five states currently have such laws. Unlike the federal law, many of these existing state laws allow individual email recipients to sue spammers directly -- whether or not the state attorney general agrees.
California's new law -- which was scheduled to go into effect on January 1, 2004 -- is an example of a state anti-spam law more restrictive than the new federal law. It would have banned even truthful spam, as long as it was unsolicited (unless it was from a business with which the customer had an existing relationship). It would have made not only spammers, but also the advertisers who use spammers' services, liable. The scope of the California law was controversial and provided an impetus for marketers to push for new federal legislation instead.
The Do Not Spam Registry may be subject to First Amendment challenge
There's no First Amendment problem, of course, with restricting or penalizing lies or fraud. But what about restricting truthful commercial speech?
The First Amendment protects commercial speech. And the Do Not Spam Registry restricts commercial speech. (Indeed, it singles out unsolicited commercial e-mails – rather than unsolicited charitable or political email, which may be equally unwanted and annoying to some.)
The Do Not Call Registry has been subject to a similar legal challenge. Currently, its status is still unresolved. Thus, the fate of a similar do-not-spam registry is similarly an open question
In the end, the best solution will likely be technological, not legal
Ultimately, the real solution to spam, I believe, will be more likely technological than legal, or some combination of these two, and potential other, approaches.
Current technological solutions are only partial. As filters have improved, spammers have responded by sending even more mail to ensure that at least some gets through. Filtering and antivirus companies often seem one step behind the rapidly evolving methods of clever spammers. For instance, recently, messages masquerading as security notices from software companies -- and including viruses -- have managed to work their way through filters.
The best way to solve the intractable problem may be changing the very architecture of e-mail itself. Internet-standard-setting bodies are examining ways of revising the code for delivering email so that ISPs can check whether the origin of incoming e-mail has been faked. Such "spoofing" is a main reason spam goes undetected. Such changes would take years to be implemented and deployed by every network around the world.
In the short run, some technologists have recommended "challenge/response" systems as a solution. These systems allow users to send direct messages only to people who have the sender's email address in their address books. When you e-mail a stranger, the system sends back a puzzle/question to which only a human, not an automated spam program, can respond with a solution. Give the correct response, and the e-mail goes through; if not, it doesn't.
Such systems are not without critics, however. Some say they create additional email traffic – thus congesting networks further.
On a more basic level, every e-mail user can take basic steps to fight spam: Activate available spam filters. Never reply to spam, even in order to "unsubscribe," unless you are sure the sender is a legitimate business. Do not give out your primary email address too broadly, and review the privacy policies of Web sites where you register, to make sure they won't sell or circulate your email address to third parties.
At this point, self-help may still be the best remedy for the headache caused by spam. And unfortunately, that will probably still be the case even after the federal "CAN Spam" law goes into effect.
Anita Ramasastry, a FindLaw columnist, is an associate professor of law at the University of Washington School of Law in Seattle and a director of the Shidler Center for Law, Commerce & Technology.