Why Spammers Laugh at CAN-SPAM


By Stephen H. Wildstrom On Jan. 4, it became a violation of federal law to send much of the junk that has been jamming our e-mail inboxes in ever-increasing quantities. Unfortunately, the spammers seem not to have noticed. On Jan. 5, the junk messages continued to roll into my account at the rate of 15 or so an hour.

The lack of response was in sharp contrast to Oct. 1, when the Federal Trade Commission's Do Not Call list took effect. My home phone stopped ringing, with at least a 95% reduction in junk calls. Why didn't the portentously named Controlling the Assault of Non-Solicited Pornography & Marketing (CAN-SPAM) Act of 2003 have a comparable effect? There are many reasons, but they boil down to the difference between a serious-minded FTC that really wanted to do something about a plague of junk calls and a Congress that desperately wanted to appear as though it had done something about spam.

SCOFFLAW LEGION. Do Not Call was the product of a long effort by the FTC (working together with the Federal Communications Commission, with which it shared jurisdiction), and the regulations were phased in over a period of months, accompanied by a public-education campaign. By the time the regs took effect, 50 million households, representing more people than vote in most elections (or even watch a Super Bowl), had signed up for the list.

This concentrated the minds of telemarketers wonderfully. Whatever denial they had been in about how the public regarded their activities couldn't survive a chorus of 50 million voices. Furthermore, many of the most aggressive telemarketers -- financial institutions, telecom companies, even licensed home-improvement contractors -- are under some pressure to live within the law.

Whatever spammers suffer from, it's not denial. They know that 99.999% of the people who receive their messages hate them, and they're willing to settle for the 0.001%. Much of what they do was of dubious legality before CAN-SPAM became law, and if they didn't worry about wire fraud then, a new statute is unlikely to affect them much.

NO GUARANTEES. More is wrong here, though, than a law hurriedly passed in the dying days of a congressional session and pushed into effect before government agencies, the public, or even the spammers themselves could get ready. The law itself is badly flawed in a number of respects.

With Do Not Call, you register once, and all covered telemarketers must stop calling. In a concession that won the support of the Direct Marketing Assn. but severely damaged the effectiveness of the bill, CAN-SPAM requires recipients to tell each sender they don't want mail, and they have no more assurance than in the past that the "opt out" links in messages are genuine -- and not just a trick to validate addresses so they can be sold for a higher price.

The law orders the FTC to come up with a plan for a Do Not Spam list within six months, but Chairman Tim Muris, who opposed the provision, has made a persuasive case for why differences between the phone system and the Internet make this an awful idea.

Consider: The law sets draconian penalties for violations -- damages of up to $2 million, fines, even jail terms. But neither the overburdened FTC nor hard-pressed U.S. Attorneys get any new enforcement resources. Do Not Call is practically self-enforcing: If a number is on the list and phone-company records show that a telemarketer made the call, there's not much of a defense.

SPITZER OF SPAM? On the other hand, the lack of Internet records usable as evidence, not to mention the use of offshore cutouts and other means of disguising the source of messages, makes spam enforcement much harder. The law specifically bars class actions on behalf of individuals. Internet service providers (ISPs) can sue for damages -- but only under limited circumstances.

The law actually has some very good provisions, mostly the technical ones that require valid return addresses and make it illegal to forge other routing information that accompanies each message. Coupled with some changes in the architecture of Internet mail handling and increased antispam vigilance by ISPs and network operators, these could, over time, have real impact on spam's volume.

Perhaps the best hope for enforcement is the power given to state attorneys general to bring suits on behalf of their citizens. (Anybody out there want to be the Eliot Spitzer of spam?) A couple of successful, high-profile prosecutions could have a wonderfully salutary effect on many spammers.

Until then, unlike the immediate and stunning effect of Do Not Call, the impact of CAN-SPAM will reveal itself only over months or perhaps years. The bottom line: Don't hold your breath waiting for the spam to stop. Wildstrom is Technology & You columnist for BusinessWeek. Follow his Flash Product Reviews, only on BusinessWeek Online


Later, Baby
LIMITED-TIME OFFER SUBSCRIBE NOW

(enter your email)
(enter up to 5 email addresses, separated by commas)

Max 250 characters

 
blog comments powered by Disqus