The recent US Federal Trade Commission (FTC) report on the futility of establishing a national 'do not email' registry contains a number of interesting observations related to spam control and to the so-called CAN-SPAM Act.
In a nutshell, the FTC rejects the registry because it would become a weapon that spammers could use to fortify their ever-growing lists of victims, as we reported here.
But there are a number of related points in the report that deserve attention. One is an indirect critique of the CAN-SPAM Act, recent legislation that promises lawsuits and even jail time for incontinent spammers. The Act is meant as a deterrent, and in order for it to work as such, it will obviously have to be used, and spammers will have to be made examples of.
Unfortunately this is an expensive and often futile business, as the FTC observes:
"A prosecutor in Washington State spent four months and sent out 14 pre-suit civil investigative demands (CIDs) just to identify the spammer in one lawsuit. Likewise, in another case, it took the Virginia Attorney General, over the course of four months, multiple subpoenas to domain registrars, credit card companies, and Internet providers, and the execution of a search warrant, before having enough information to file a case against a spammer."
And these are mere individual cases. The spam industry is very much decentralized and scattered. Only a small fraction of spammers can be identified, the report explains:
"One major ISP reports that, after collecting and analyzing over 45 million spam messages...during 2003, it linked only about 2.6 million to a person responsible for them. In all, this ISP identified 271 parties responsible for these 2.6 million spam messages..."
And this process is time consuming and very expensive. The ISP "acquired sufficient information to file a lawsuit or send a warning letter to only 91 of the 271 parties. To identify these 91 parties, the ISP estimates that its internal and outside legal teams expended approximately 12,100 hours, or an average of 133 hours per spammer. The ISP expended these resources solely to identify the spammers; these costs do not include litigation expenses."
That's 12,000 very billable hours spent to identify 91 spammers, or roughly a third of those responsible for 2.6 million spam messages out of 45 million. And then comes the cost of taking action against this drop-in-the-bucket sample. Once a spammer is identified, the costs of litigation start to kick in, and they mount fast.
Legislative window dressing
Just filing the suit can be tremendously inconvenient. According to the FTC report, many lawsuits "must be filed as 'John Doe' lawsuits because the ISPs cannot identify the spammer prior to filing. For instance, Microsoft, AOL, Yahoo! and Earthlink recently announced six lawsuits against 225 defendants, charging violations of the CAN-SPAM Act. These ISPs charged all but nine of the defendants as John Does at the time the suits were filed. In previous John Doe lawsuits, ISPs have needed to issue up to ten subpoenas to determine the identity of the spammer."
"According to one ISP that has sued numerous spammers, litigation costs can range from $100,000 or less (when the spammer is easily identifiable), to more than $2 million (when the spammer mounts an aggressive defense). Not surprisingly, some ISPs believe that lawsuits against spammers are an expensive and often fruitless way to stop spam."
Indeed, with this sort of expense and level of difficulty, it would be reasonable to expect spammers to threaten an aggressive defense in order to obtain a settlement or a light punishment. It's obvious that prosecutions and lawsuits are far more trouble than they're worth. Spending perhaps a half million dollars to sue someone who produces maybe one or two per cent of the spam clogging your pipes, knowing that there are thousands of other spammers ready to take up the slack for him, is bound to be discouraging - only to the ISPs, not to the spammers.
It appears that the CAN-SPAM Act is destined to remain an example of legislative window dressing - the sort of useless law that Congress passes periodically to create the impression that it cares about issues that ordinary people care about. But as a tool for cutting down on spam, it's practically worthless. Some ISPs may have supported the legislation originally, but now that they've had a taste of the actual costs of using it, it's a safe bet that the Act itself will be canned, at least after Ashcroft and Company have prosecuted a few pornographers with it and enjoyed a few triumphal press conferences. ®
Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, online anonymity, encryption, and data hygiene for Windows and Linux.