Slashdot Mirror
Anti-Spam law Passed in Colorado
MadShark wrote to us about a new
anti-spam law passed in Colorado. It means that any commercial e-mail must have an "ADV:" label, as well as providing an easy way to opt out. But what's even more interesting is that politicians and non-profit groups must do the same as well. If a spammer violates the law, individuals can sue for $10 per e-mail, but ISPs can collect all the messages and sue the spammers for potentially millions. The question, of course, is the enforceability of the law.
Disclaimer: I am a laywer, but this is not legal advice. If you need legal advice, contact an attorney licensed in your state.
s
People are missing the most important part here. It's not the ADV, or
the $10, but "joinder."
Joinder is the legal concept governing what actions and parites may be joined in a single piece of litigation. Today, a spam going to ten sepaarte individuals is actionable as trespass, but would require ten separate actions. This law allows the ISP to join them all as a single action, making it economically feasible to litigate them privately.
I'd actually prefer a narrow law just providing that actions regarding email to members of the smae ISP may be joined, and that an ISP may file a single action against multiple spammers. Leave the decisions on exactly what constitutes the tort, or which (if any) tort it is to the courts and common law, which can handle it far better than a legislature could (the only case where I've found an improvement by moving from common law to statutes is the Uniform Commercial Code [which is arguable], and URESA [interstate inforcement for child support]).
This is a task at which the courts have done well for centuries; they decide
on the basis of actual cases, and look for simularities, eventually coming up with a general rule.
As far a jurisdiction, anyone committing a wrongful act that lands in another jurisdiction is subject to that jurisdiction. "I shot him on the cliff and didn't know the body would land in your state where murder is illegal" just doesn't cut it.
Bottom line: the law is already equipped to deal with spam; it's just to expensive at the moment. Letting ISP's file large actions will make it practical, and give us better rules than would come from a legislature.
hawk, esq.
Well, I'm going to setup as many email accounts as I can on the various free email services and put those email addresses everywhere for the spambots. Then I'll just start suing. Judging by the amount of spam I get now, I could retire in a few years.
>So you get Spam -- now what? It's usually
>difficult to trace
All you have to do is visit www.spamcop.net
I know that this sounds silly, but I don't know them, and I don't trust them. Remember the service -- can anybody back this up with facts? -- that popped up about a year ago? Report spam, get a $10 gift certificate at CDNow? As it turned out, the company running this program was a huge marketer and spammer.
So now I'm wary of sites like SpamCop. Anybody know anthing about the history of it, or the person that runs it, Julian Haight?
To be honest, from what I've seen, it looks trustworthy. But you know: once bitten, twice shy.
Man, isn't anyone here old enough to remember schoolhouse rock? This isn't a law, it's just a law-to-be. Which means, for you that live in CO, you should read the bill and let your rep know what you think.
(Even you young 'uns should remember the simpsons episode: "I'm an amendment-to-be, yes an amendment to be..." child:"But couldn't we just pass a law against those dirty hippies burning the flag?" amendment:"Actually, the constitution forbids that. But if we change the constitution..." child:"We can pass any crazy law we want! Hooray!")
Preferential Voting: easy as 1-2-3
With all the cheering, I am surprised that this usually pro-civil liberties crowd seems to think that compelled speech of any kind by government is acceptable. For what its worth, the case law on compelled speech is pretty clear -- the first amendment opponents of this bill have an excellent case.
The difficulty is that this bill require the INCLUSION of content. There is another way, which I have been advocating, that I believe would pass constitutional muster, but it requires we tech-heads to build some infrastructure:
(1) PUNISH any e-mail message that falsely makes representations concerning the manner in which the message (and substantially similar messages) had been distributed. Thus, if an e-mail contained the following:
"This e-mail, or e-mails substantially similar to this e-mail, was sent to fewer than 20 addresses within the past few months by me or persons affiliated with me; excluding those persons who have given to me, and have not withdrawn, their express consent to send unsolicited mail."
And the statement was false, book 'em Dan-O. Punish the crap out of them -- criminal sanctions, civil actions with attorney fees and fixed statutory damages, whatever. The Constitution does not protect false speech.
(2) Of course, that doesn't help anything. Now, establish a convention, say an "X-DISTRIBUTION30" tag that means the same thing. the convention should be designed so it is unambiguous (at least as unambiguous as the preceding message). X-DISTRIBUTION should expressly exclude automatic consenters, including subscribers to listservs that have not unsubscribed.
(3) Now, get e-mail clients to routinely generate e-mail with the X-DISTRIBUTION30 tag, except when they are actually distributing to more than 30 people. Because it is an anti-spam measure, the market desire to have this feature should be strong.
Now, voila! We can filter spam simply by punting all mail without the X-DISTRIBUTION tag, or putting them aside so we can still receive e-mail from folks with older clients.
The TRICK here is that we are punishing only those who have affirmatively ADDED false information, while still retaining the ability to filter. By having everyone ubiquitously saying their e-mail is non-spam, we aren't requiring anyone to say that they are.
And there you have it: a constitutional law that actually admits affirmative spam-filtering. The neat thing is that we don't need to wait for the legislature. Current unfair competition law may already provide remedies for false spammers if we can get the tech going promptly, and Congress will quickly follow our lead to "beef up" the downside for yicky spammers.
Of course it doesn't work unless we create a decent net standard, and make it fairly ubiquitous. Anyone want to teach me how to do an RFC?
And it won't really stop spam from happening -- it will, however remove the incentive, since most e-mail clients will probably be coded to filter out or down-grade priority for the mass-distribution stuff.
I am very interested in any comments the community might have on this.
> of Subject: labelling, the CO law will have the same problem]
>
> The whole point of this is that if all the spam starts containing ADV: that
> makes for a very easy text filter, which most email programs support.
So what?
By the time the Subject: line is read, the damage is already done - the SMTP transaction is complete, the bandwidth has been consumed to send it, and the diskspace wasted to store it.
I have no desire to live in a world in which 30% of /var/spool/mail is composed of spam which only gets filtered after it's transmitted. I want a world in which the spam doesn't get sent in the first place.
A law that says "Go ahead, spam all you want as long as you put ADV: in the Subject: header" doesn't solve the fundamental problem, namely that spam is theft of privately-owned resources.
Would you say that all junk faxes are OK if labelled "Junk Fax! Throw me out!"? That telemarketing calls, regardless of "get me off your list" preferences, can be made at all hours of the day or night, so long as the droid who calls you at 3 in the morning says "I'm a telemarketer! I guess you just want another hour to think about our exciting offer!" before calling you again at 4am?
The junk fax law isn't too bad. In the US, junk faxes are worth $500 for the first offence. The TCPA isn't great (as it allows telemarketers the first call free) and it's hard to collect evidence and sue, but it's still possible. Both of these laws got watered down from what the general public wanted (extermination) due to the influence of pro-harassment organizations such as the DMA.
Consequently, despite the aforementioned laws, I still see junk faxes and get telemarketers calling me. I'm drawing my line in the sand here. I don't want to see more spam and filter it out - I want it, and those who send it, exterminated. I want the cost of spamming driven so high that today's spammers will be forced to find honest ways of making a living, like pimping their grandmothers for crack.
Any law that allows someone to abuse my resources, but denies me the right to sue his ass into the stone age, isn't worth passing. It's my FAX machine, my phone line, and my mail spool.
I support laws which say "Fsck with the private property of our citizens at your peril". I oppose laws which say "You can abuse other people's property as long as you follow a few rules". I vote and contribute to campaigns accordingly.
> maybe we could pull a social engineering trick here:
>
> * Concede that certain kinds of spam (eg. JCPenny sales) are less agressive and annoying than other forms of spam (eg. porn/get-rich-quick)
> [
> * Public opinion will become more negative towards the get-rich-quickers (because they're not playing by the rules), and perhaps that'd be enough to keep the "bad spam" to a dull roar.
My apologies if I've misunderstood your post, but what the ring-tailed rambling fsck!?!
If you think there's a distinction to be made between "good spam" (from "good companies") and "bad spam" (from "scamming scuzzballs", you're playing straight into the hands of the DMA. The only "social engineering trick" here is that the DMA is trying to pull the wool over our eyes by making us believe that theft of service is OK as long as the thief wears a suit.
Spam is not about content. It never has been. Spam is about theft. JC Penney has no more right to consume my diskspace and network bandwidth (and if I'm on a wireless link, reading mail through a cellphone, my money) than Joe Chickenboner in his beer-can-littered trailer.
There's no "good spam" vs. "bad spam". It's unsolicited. It's commercial. It's email. It's theft. If you steal my resources, you get your connectivity yanked. If you're Joe Chickenboner, you lose your dialup. If you're a big mainstream company considering spamming, search for the term "mainsleaze". Look up what "RBL" stands for too. Big companies who spam get the same treatment, it just costs them more and takes a little bit longer.
Legitimate businesses do not steal potential customers' resources in order to market their products. Legitimate businesses which attempt to do so cease to be legitimate. Spamming will cost you your reputation and ultimately sales.
In defence of JC Penney, (to the best of my knowledge), they're only being mentioned here as a hypothetical example. The only spam I ever received from JC Penney's was when their insecure relay was raped a few years ago and used to send me a Make Money Fast. I looked them up on whois, and reported it (and the originating IP address of the spammer) to JC Penney's registered technical contact. The administrator wrote back within a few hours, and was quite embarassed and eager to secure his company's server to prevent such abuse in the future.
I agree that the spam laws are generally pretty worthless to anyone except the large ISPs (big surprise there - a law that only benefits large corporations).
That being the case, why is it so "neat" that these laws are being passed? To my eyes, it is an example of politicians currying favor with voters by appearing to be taking a strong stance on something that they :
Okay, I'm a cynic, I know. But would someone please explain why these laws are truly "neat" and not just a waste of taxpayer time and money?
-----
Klactovedestene!
Bulk is the issue, not content. Focusing on "commercial" email ignores religious, political, or nonprofit (RPN) bulk email. What about spam for web pages with political content that include a link to a bumper-sticker store. Illegal? Without the link, somehow less annoying?
Discriminating against "commercial" speech will be unconstitutional. Spam about Zeus: OK. Spam for a book about Zeus: illegal? Spam is nasty horrible stuff, but can you persuade the Supreme Court that spam is yelling "fire" in a theater? Inciting imminent riots? Obscene with no artistic, scientific, or political value? That's the hurdle. Better to focus on feasible solutions. However...
Better tech is the only realistic solution to spam, but this type of bill could hypothetically make some anti-spam technology less effective or even illegal. Already there are some emerging solutions to catch bulk email as bulk mail (compared to "mail from a bad address" blocking or "mail with the wrong words" filtering) and catch it at the ISP level. What happens if a RPN organization complains that 1. their spam is legal and 2. their spam has more protection than commercial speech? If content is what matters, does RPN spam, which is somehow less evil than comm. spam, get more protection against ISP level filtering?
This law only gets the really stupid and naive spammers, who generally don't spam very much and more than once. They pay someone to run their ad (with a real phone # and address); they get a thousand nasty calls; they give up and go back to their classified ads or whatever they were doing before. The person they hired to do the computer work is long gone. Sure, ignorance & no excuse and all that, but you've only stopped 0.01 percent of the spam. The satisfaction of watching them pay will last about as long as it takes you to get back to your inbox.
Real spammers hide their tracks, hijack resources, change mail-drops frequently, use offshore credit card processing, and if they're really into it move everything out of the country. And if they're in the U.S., they're probably already violating the law. Why would they care about new laws? Laws already violated include:
And as others have written, this topic isn't a state issue, as state lines are essentially invisible to the internet. State standards for internet tech would be as useful as state standards for TV and radio signals, cell phones or electrical equipment.
We really, really don't want legislators fiddling with internet standards right now, no more than I'd want my (wonderful person but can't program a VCR) grandmother to insist on "helping" me in fixing the innards of my computer. Good intentions don't cause competence, and with legislators good intentions can be bought with a few donations and a sob story. Let them think that they helped with spam, and next thing you know they'll want to help with other things. library filters. ipv6. dsl vs cable modems. things they don't understand but by gosh a new law should fix everything. Call them in if the technology fails. It hasn't.
Here in Washington state, we have had a law against unsolicited commercial e-mail since 1998. Washington's law does not flatly prohibit the sending of unsolicited e-mail, but it does make it illegal in Washington to send an unsolicited commercial e-mail using: (a) False information identifying the point of origin of the message or that hides the true origin of the sender (False Header). (b) False or misleading information in the subject line (False Subject Line). (c) A third party's e-mail address (domain name) without permission.
There is an in-state registry, where you can identify your e-mail address as being in WA state (not really effective, but it at least handles an initial hurdle on filing claims later).
A local ISP has provided a sort of "how-to" on chasing down the spammers and making money. One of the more interresting link is a step-by-step guide to getting the spammers to pay.
These laws can be effective; the catch is that it's time consuming to follow thru on them. In Colorado, at only $10 per message, it won't be worthwhile for most individuals to invest their time. Although the ISP's stand to make quite a bit if they can satisfy the courts that the spammer has reasonable knowledge or means to learn that the destination addresses were in that state.
Still, these laws don't do too much against non-US spammers. Many of them couldn't care less about a state's law since they're relatively safe from any prosecution.
Uh, no. Maybe you should REAL the bill before commenting on it.
(4) IT SHALL BE A VIOLATION OF THIS ARTICLE FOR ANY PERSON THAT SENDS A COMMERCIAL ELECTRONIC MAIL MESSAGE TO FAIL TO USE THE EXACT CHARACTERS "ADV:" (THE CAPITAL LETTERS "A", "D", AND "V", IN THAT ORDER, FOLLOWED IMMEDIATELY BY A COLON) AS THE FIRST FOUR CHARACTERS IN THE SUBJECT LINE OF AN UNSOLICITED COMMERCIAL ELECTRONIC MAIL MESSAGE UNLESS THE SENDER:
(a) IS A TAX EXEMPT NONPROFIT ORGANIZATION; OR
(b) IS A POLITICAL OR POLLING ORGANIZATION; OR
(c) IS AN ORGANIZATION USING ELECTRONIC MAIL TO COMMUNICATE EXCLUSIVELY WITH ITS MEMBERS; OR
(d) IS AN ORGANIZATION USING ELECTRONIC MAIL TO COMMUNICATE EXCLUSIVELY WITH ITS EMPLOYEES OR CONTRACTORS, OR BOTH; OR
(e) HAS A CURRENT OR PRIOR BUSINESS RELATIONSHIP WITH THE RECIPIENT, AS DEFINED IN SECTION 6-2.5-102 (1).
-pf
Make affiliate bucks
I'm not a spammer. I think spam is despicable, horrid, and otherwise bad. But you know what's worse? Trying to decide what kind of e-mail can be sent and what can't. It's far, far easier just to set up a spamtrap filter on my e-mail AT HOME. Not by the ISP, not by the government.
r ary/weekly/aa092398.htm?iam=mt
I don't need or want the government telling me what e-mail I can and can't receive or send legally.
Think about it, folks. Spam is one of the negatives you MUST live with if the Internet is truly to be free of censorship. What is this, other than censorship? If you want ideas to flow freely, you must take the bad with the good.
Where do you draw the line? If we agree that spam is bad and should be limited, how can we say that others are wrong to make transmission of other things -- such as DVD playback software, or commercial software in general, or "indecent" e-mails and web pages -- illegal as well? We hate one thing, so we make it illegal. They hate another thing, so they make that illegal. Then this group feels that they need to protect their children. That group wants the law to protect themselves. Soon, only the lawyers are making money, and no one can say ANYTHING over the internet. It will become as restricted as radio, and all of the freedom of communication that we lost to that device will be lost to the internet.
Slashdotters, we should be OPPOSING this law, not supporting it.
"I disapprove of what you say, but I will defend to the death your right to say it."
-Voltaire
"If we don't believe in freedom of expression for people we despise, we don't believe in it at all."
-Noam Chomsky
"Free speech is the whole thing, the whole ball game. Free speech is life itself."
-Salman Rushdie
"Only the suppressed word is dangerous."
-Ludwig Börne
"Censorship reflects a society's lack of confidence in itself."
-Potter Stewart
"If there had been a censorship of the press in Rome we should have had today neither Horace nor Juvenal, nor the philosophical writings of Cicero."
-Voltaire
"Without free speech no search for truth is possible... no discovery of truth is useful... Better a thousandfold abuse of free speech than denial of free speech. The abuse dies in a day, but the denial slays the life of the people, and entombs the hope of the race."
-Charles Bradlaugh
http://quotations.about.com/arts/quotations/lib
Here in VA, I was excited when the anti-spam law passed here. But the problem here is the same as anywhere else: So you get Spam -- now what? It's usually difficult to trace, or, if you do trace it, it comes from some big spam-factory that, if you complain to, will just add you to all of their lists.
Since it's a crime in VA, do I just call the police? ("Hello, police? I'd like to report a drive-by spamming!") I don't think that I'd get far with that.
And, of course, spammers have no idea of where I'm physically located -- not that I have any sympathy for 'em -- so can't limit their spam based on geographic limitations.
It's neat that we're passing these laws. But, as best I can tell, they're pretty much worthless.
$ gpslookup makemoneyfast.com | launch-tlam
missile launched...
$ ping makemoneyfast.com
host is unreachable
$ exit
Mea navis aericumbens anguillis abundat
There are just a few of the matters which should have been addressed; all of them are equally difficult to overcome and are large enough stumbling blocks that, in my opinion, the bill is worthless.
It's my humble prediction that you're going to see people hacking boxes (if you can't trace the source, who can you sue?) to spam from as well as people outsourcing their direct e-mail marketing to ISPs in foreign countries.
I hate spam. Yet I don't see how ANY law could stop spam. First of all, I'd wager that most spam that citizens of Colorado receive does not originate in Colorado. Secondly, how would you enforce this law? How do you collect your $10 from some loser who can't even afford to pay for a full month of Internet access and has just sent 15,000 e-mails from his free NetZero account? Most of the spam I get is very obviously (at least to me) from individuals that really could care less about the legality or ethics of what they are doing.
The part that really bothers me is giving government a precedent where they are allowed to regulate communications over the Internet. Anti-spam legislation just seems like a good way to get their foot in the door.
I honestly believe that spam CAN be stopped by technology. We need to protect ourselves. I wrote a great procmail filter a couple years ago that filtered all my spam based on required keywords. If the e-mail was filtered out, procmail sent an e-mail back explaining that all mail without the required keyword was filtered--please include [keyword] in your e-mail to get through the filter.
Once someone sent the e-mail with a valid keyword they would be added to the "never" filter list. Everyone I showed it to thought it was way cool, however I got my ass flamed to cinders when I proposed the idea on Usenet.
Using a procmail filter like mine was NOT an ideal solution. For instance, bounce messages from mail daemons were lost so I wouldn't know if I sent e-mail to an invalid address. However, I can see fairly clearly in my mind how a new e-mail system could be implemented that would be easier and more reliable.
I'd really like to get some people to put some brain-power behind an e-mail system that could display a "terms of use" or any message before letting an unknown user into your system. No, your average spammer won't give a sh*t about your terms of use message. However, the average spammer is not going to read through 15,000 "terms of use" messages and type in 15,000 keywords just to get you to send him $5.
Anyone have any insight on how this might be implemented? I'd rather put a 'password' on my account for security than risk trading my liberty for it.
numb
- At $10/pop, no individual recipient of non-ADV-tagged spam is going to pursue legal action. The Washington state law that allows recipients of spam to sue for $500 is infinitely superior to the CO law.
- Remember Murkowski's bill? Now that we've got the Colorado law, we'll see tons of spam with "ADV:" in the subject line, and the language "Since we used ADV: this isn't spam, nyaah nyaah nyaah". This law legitimizes spam, rather than prohibiting it.
- ISPs can sue for $10/message. Sure, that's millions of dollars. But how many ISPs are gonna spend the bucks on lawyers just to sieze some spammer's 1965 trailer, collection of beer cans, and a few rotting buckets of chicken bones?
Good:Hear me out on this; I'm not advocating open relays. Just a relay that's "open enough to give the spammer enough rope to hang himself". Sendmail on such a box could be configured to allow the first 100 spams to go through, (resulting in minimal harm to end users), and to then silently drop the next few thousands of spams on the floor. While spammers don't have the millions of dollars required to make it worth an ISP's while to sue, many probably do have $1000 or so in seizable assets, which makes it worth the while of individual Coloradans operating specially-configured relay "honey traps" to hunt the spammers down for fun and profit.
What to do next is obvious -- use the logs to grab the spammer's IP address, contact the NOC at the spammer's ISP and mention that your relay has been attacked, and that you'd like to sue the spammer under the Colorado law. Even if you require a lawyer to obtain the spammer's identity, the cost should be minimal, particularly with the overwhelming weight of evidence of the spammer's guilt on your side.
Once you have the spammer's identity, send a demand letter to the spammer for $500 to settle out of court - if he ignores the demand letter, drag him into court for the full $1000.
Repeat, once for every spammer who attacks the relay. Finally, you too can make money fast with responsible bulk email!