1 / 36

The Role of Public Policy in the Fight Against Spam

The Role of Public Policy in the Fight Against Spam. Jacob Scott UC Berkeley IEEE August 3rd, 2004. Spam Threatens the Viability of E-Mail. “Spam is about to kill the ’killer app’ of the Internet - specifically, consumer use of e-mail and e-commerce.”

Sharon_Dale
Download Presentation

The Role of Public Policy in the Fight Against Spam

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Role of Public Policy in the Fight Against Spam Jacob Scott UC Berkeley IEEE August 3rd, 2004

  2. Spam Threatens the Viability of E-Mail “Spam is about to kill the ’killer app’ of the Internet - specifically, consumer use of e-mail and e-commerce.” FTC Commissioner Orson Swindle, June 2003

  3. Incredible Growth “Since Hotmail deployed it six months ago, SmartScreen has been blocking more than 95 percent of all incoming spam — an average of nearly 3 billion messagesevery day.” Bill Gates, June 2004

  4. Wide-ranging Effects • Businesses • Consumers • ISPs • Legitimate E-Mail Marketers “Today, it is estimated that 80% of email traffic is spam and the costs of spam to the global economy amounts to USD 25 billion annually.” Press Release, UN ITU, July 2004

  5. Example: Phishing Anti-Phishing Working Group “Direct losses from identity theft fraud against these phishing attack victims cost U.S. banks and credit card issuers about $1.2 billion last year”. Press Release, Gartner Research, May 2004

  6. Good Spam versusBad Spam

  7. Good Spam • Annoying • Identifiable • Legitimate • Possibly Requested • Big Business “This translates into an excess of $19 billion spent in response to commercial e-mails in 2003.” Direct Marketing Association, March 2004

  8. Bad Spam • Untraceable • Deceptive • Fraudulent • Pornographic • Illegitimate • The Problem

  9. The Reasons for Spam:Profit and Anonymity

  10. The Spam Profit Numbers • 5% of e-mail users have purchased from UCE • Cost to send one e-mail: $.0005 • Profit possible with .0001% response rate AOL’s captured spammer Porsche

  11. E-Mail: Exactly the Same Since 1982

  12. SMTP Provides No Authentication, Enables Anonymity

  13. Anti-Spam Technology Filters look at incoming e-mail and sort spam from legitimate messages

  14. Filtering Mechanisms • IP Blacklists • Header/Routing Analysis • Heuristics • Adaptive (Bayesian) • URL Filtering • Checksums/Signatures • Collaborative Networks • Challenge-Response • Many more…

  15. Filtering Success • Brightmail advertises that their filter catches 95% of all spam, and mislabels only 1 in a million false positives • CRM114, open source spam “classifier” reports over 99% accuracy rate in spam/ham sorting • Vibrant R&D, commercial implementations

  16. The Spam “arms race” • Increased volume • Evasive techniques • Concern over false positives • The worst spam (sent by “outlaw spammers”) are the hardest to defeat technologically “Knowing that only a small percentage of their output will get past today's filters, spammers have responded by significantly cranking up the volume of emails they send. So networks are burdened with even more junk than before.” Bill Gates, June 2004

  17. The CAN-SPAM Act of 2003

  18. Introduction • First national anti-spam law • Originated as S877 • Passed Senate 97-0 • Passed House 392-5 • Signed December 16, 2003 Senator Burns Senator Wyden

  19. Motivation “senders of commercial electronic email should not mislead recipients as to the source or content of such mail; and recipients of commercial electronic mail have a right to decline to receive additional commercial electronic mail from the same source.” CAN-SPAM Act of 2003 • Strong on fraud and deception • Weak on privacy • Consumer protection law – Federal Trade Commission is point

  20. Opt-In, Opt-Out • CAN-SPAM is single-source opt-out • Ask each e-mailer to stop, one at a time • Chosen over opt-in • marketers have to ask before they send • Popular in Europe • Does the difference matter? “Imagine that you put a ‘do not solicit’ sign at the front door of your home, and every company in the world could only ring your doorbell once, at which point you could tell the salesperson not to bother you anymore…” Consumers Union, May 2004

  21. Probably Not “the practical difference between opt-in and opt-out laws in terms of real enforcement is virtually nonexistent. If a spammer wishes to convert the strongest opt-in law into an opt-out law, all he or she needs to do is tell one lie: ‘The recipient requested to receive my messages.’” Matthew Prince, July 2004 • The worst “outlaw” spammers will not care either way

  22. Compromise? • Do Not E-Mail Registry • Provides global opt-out • Anyone who sends to e-mails in the registry is in trouble • Modeled after the Do Not Call Registry

  23. Probably Not “This Report concludes that a National Do Not Email Registry, without a system in place to authenticate the origin of email messages, would fail to reduce the burden of spam and may even increase the amount of spam received by consumers.” FTC DNE Registry Report, July 2004 • How can you not e-mail someone without knowing who not to e-mail? • How can use of the registry be required and enforced?

  24. The Ways in Which You Can Spam Under CAN-SPAM

  25. Good Spam, Bad Spam Again

  26. What You Must Do • In commercial e-mail • Include an opt-out mechanism • Include a real physical address • Clear notice that the message is an advertisement • No requirement for this to be machine readable, but does give good hints to filters

  27. What You Cannot Do • Falsify header or route information of your e-mail messages • Hack into other computers and send spam from them • Harvest e-mail addresses from the web or in a directory harvest attack • Hire other people to spam for you • Send adult-oriented spam without a subject line label (FTC rulemaking)

  28. Penalties • Quite stiff • Violations of CAN-SPAM are considered violations of the FTC Act, $11,000 per violation • Some violations are criminal, with up to five year prison terms • ISPs and State AGs can sue under CAN-SPAM for civil damages (caps in some cases)

  29. Getting Tough on Enforcement

  30. Importance of Enforcement • CAN-SPAM has teeth, but does it bite? • Outlaw spammers will not follow law if not enforced • Provides an avenue to recoup spammer profits • Creates a deterrent effect, makes spammers think twice

  31. Compliance and Enforcement • Average CAN-SPAM compliance over first six months only 2.3% • FTC has brought only two actions under CAN-SPAM (62 total spam cases in history) • Roughly a half dozen ISP CAN-SPAM based lawsuits pending • Maybe one or two state cases

  32. Enforcement Difficulties • Three ways to pursue, generally • Trace communications • Follow the money • Follow the goods • With spam • Communications notoriously difficult • Money gets tricky if stolen credit card, or overseas • Goods may not be physical (software, identity theft)

  33. Spam Enforcement Generally • Computer misuse, identity theft, fraud laws can all apply to spam • ISP lawsuits pre CAN-SPAM (AOL Porsche) • States have further laws • New York’s “Buffalo Spammer” case • Virginia’s recent case against Texan • Not insignificant enforcement, but certainly not enough • CAN-SPAM compliance numbers

  34. Enforcement Inhibitors • CAN-SPAM did two things that made enforcement harder • Pre-empted most state spam laws • Only (state) laws which do not deal specifically with spam or only deal with fraud are still in force • Denied private right of action • Bad experience with frivolous lawsuits under Utah Law • Individuals and businesses cannot sue spammers • Tradeoffs in both cases, but bottom line is enforcement was softened

  35. CAN-SPAM Bottom Line • Strong in some areas, weak in others • Not as horrible a law as it is made out to be in the press • Nonetheless, ineffective due to lack of enforcement • If CAN-SPAM were followed, there would probably be less spam in your inbox

  36. Recommendations • Moreenforcement • Considerprivate right of action • Conducttechnology oversight • Revisitprivacy concerns • Help withuser education

More Related