Slashdot Mirror
Paper: Technical and Legal Approaches to Spam
tgeller writes: "David Sorkin, a Chicago-based law professor who also runs spamlaws.com, just published "Technical and Legal Approaches to Unsolicited Commercial Electronic Mail" in the University of San Francisco Law Review. I think it's well-thought-out, intelligent and complete. Spam litigation (which The Suespammers Project tracks) has been slow, partly because few lawyers know much about the issue; this paper will have an impact on legal community cluefulness."
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Oooh! Let me, let me!
My suggestion: a BountyQuest-like program targeting spammers. Heck, if we all kicked in a buck each, we could hire the world's finest assassins.
[I'm not entirely sure I'm not serious...]
--
--
Don't like it? Respond with words, not karma.
--Tom "MasterTroll" Geller, Suespammers.org Founder and Administrator
Tom Geller
I think that exception covers all cases you mention above, no?
--Tom Geller, Suespammers.org Founder and Administrator.
Tom Geller
For email, the recipient pays, so email is "no different" from junk faxes (which are already illegal).
However, email is substantially different from telemarketing and direct (paper) mail. Email's cost-shifting nature makes all the difference.
--Tom Geller, Suespammers.org Founder and Administrator
Tom Geller
--Tom Geller, Suespammers.org Founder and Administrator
Tom Geller
--Tom Geller, Suespammers.org Founder and Administrator
Tom Geller
But because the cost of sending is also lower for email, it doesn't make sense to compare them 1:1. Penny-ante spammers regularly send out millions of email messages per incident; few junk faxers send out 1/1,000th of that amount. So a 1:1,000 comparison is more appropriate.
Do 1,000 email messages cost as much as one fax? Demonstrably so. (Remember, you also have to include costs from the NNN recipients who pay per-minute phone charges, the NN recipients who get the spam on their cell phone, and the N recipients calling in from a $1-a-minute hotel phone.) So the total damage per junk spam run is at least as great as per junk fax run.
Incidentally, most spam laws have pegged statutory damages at $50/message or less; the 1991 Telephone Consumer Protection Act pegs the statutory damage for junk faxes at $500 per.
--Tom Geller, suespammers.org Founder and Administrator
Tom Geller
Godwin.
--Tom
Tom Geller
But it's clear that technical solutions alone have a limited effect. Filtering solutions may stop up to 95 percent of the spam, but that doesn't keep it from clobbering those who can't install a filtering system, whether due to lack of ability or lack or resources.
The technical community has been guilty of terrible arrogance in this area. Spam is both a technical and a social problem. If you don't address both causes, you'll never get anywhere. Of course, lots of policy folks don't know squat about technology, and their short-sightedness is just as much of a problem. ("When all you have is a hammer, everything looks like a nail.")
--Tom Geller, Suespammers.org Founder and Administrator
P.S. Full disclosure: Brightmail is a P.R. client of mine, and I wrote the press release referenced above :). I see systems like Brightmail's as important and worthwhile tools, but not the complete answer.
Tom Geller
This point needs to be reiterated.
"Freedom of Assembly" has always been held to mean two things. You can have a meeting with like-minded people, and you can eject all others. This protected the NAACP membership list in the 50s and 60s, and the KKK membership list a few years ago.
"Freedom of Religion" means that you can attend the church of your choice - or none at all. At the same time you can refuse to attend any or all churches.
"Freedom of the Press" means that you can print truthful information that embarasses the government. You can also refuse to publish things that the government wants you to publish. <u>High Times</u> Magazine does not have to include a monthly message from the Drug Czar, etc.
"Freedom to Petition for Redress" means that you can ask your Congressional delegates to pass a law, etc. But it doesn't require you to write them about every passing thought you have.
So why do so many people think that "Freedom of Speech," the final element of the First Amendment, means that you have to listen to every idiot standing on a soapbox?! OF COURSE "Freedom of Speech" includes the right to ignore the other person. And not just passively - unwanted guests at assemblies can be forcefully removed by the police and prosecuted for 'trespassing,' so it's not unreasonable to invoke the power of the state to suppress people who just won't accept that their message is unwanted.
A few years ago, spam was tolerated because the social cost of hitting "delete" a couple times each day was less than the cost of fighting it. It was often compared to the effort involved in tossing a couple of pieces of daily junk mail in the trash.
But now many people are seeing three or four times more spam than real messages. It's not unreasonable to expect this ratio to be much worse in the next few years. Imagine finding your snail mail box full of mail, with hundreds of envelopes, each and every day. You have to spend at least an hour, each and every day, looking for your bills, correspondence, etc. Many of the envelopes are intentionally disguised to look like important messages. (E.g., it's a letter from the IRS - announcing an "Inventory Reduction Sale" at the local "Herb Tarlek" Car Lot!")
If this isn't unreasonable, what is?
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Ok, but all unsolicited *commercial* email (ie., one with the intent of making money off you) is spam. Every single god damn one.
In the same vein, e-commerce companies emailing their loyal customers about limited time offers and promotions is far different from the crapflood-esque pyramid schemes from .nl addresses that put 10,000 emails in your box by raping a mail relay, or porn promotions that include web bugs to check when you've opened the email and start spamming you with a message a minute.
No. If it's unsolicited, it's no different. It's only ok if you agreed to their mailings.
Only commercial offers are spam? Come ON. Direct marketing is as American as apple pie. The Internet is no different.
Bullshit. All unsolicited marketing should be illegal. If I want to hear about your product, I'll find about it myself. Otherwise, fuck off. I deserve the freedom to be left alone from you fucks.
--
All glory to the hypno-toad!
Not likely, since nobody really sees that. Microsoft can't put an HTML comment into their Windows Update page that says that I give them permission to wipe my partition.
------
mail.dlitz.net - Spammers will be shot. Resistance is futile.
------
>
1. People who found/bought/were given (by you) your email address. These people will really take you off the list if you ask. Call this "Legitimate opt-out" spam. These people respect you as a customer.
The problem with this category is that there's no way to distinguish it from #2.
That is, if I'm a marketer, can I spam you on behalf of my three clients: "Tackhead's Bait and Tackle Shop", "Tackhead's Bait & Tackle Shop", "Tackhead's Bait/Tackle Shoppe?"
If you're gonna argue that by using that route in bad faith, I've become part of your #2 category ("2. People who won't let you opt out, just use opt out as a legal cover/way to verify your address. "Real" businesses."), I've got one word for you: EBay.
Since I - as a recipient of email - have no way of telling whether a company is in #1 or #2, I must treat them both the same way. For me, that means LARTing their upstreams.
I don't have to imagine that.
Sickest one I saw yet was some credit card company that sent me a full-size (10x12") envelope done up to look like a FedEx package, complete with fake "express delivery" labels and machine-generated "signature" on it. The logo wasn't FedEx's, but the colors were identical.
I had half a mind to grab a couple of Pantone swatches, a FedEx envelope, see if they matched, and if so, mail it off to FedEx's corporate counsel, asking them if they had a trademark on their color scheme, and if this direct marketer wasn't somehow diluting their brand with its misleading packaging.
Then I realized the cure would've been as bad as the disease ;)
*sigh*
Rule #1 ("Spammers lie") in action - applies to telemarketers and junk mail spammers as well as spam. At least the pigfucking credit card bottom-feeder had to pay to send it to me.
OK, so this is a bit offtopic.
I see very little about fax spam, which bothers me much more. I don't even have a fax, but previous owner of the number probably did. The fax calls come at all hours, and often wake me up at night. After a year I rigged up my modem to get some of the faxes. They all have an opt out number you can call. But that seemed to increase the calling even more.
Any ideas?
I tried that. Had to keep a log of all the calls.
Their harassment policies are geared toward stalkers. These calls don't match that profile. There aren't that many calls from a harassment standpoint, and they come from many different numbers.
How about in Europe, where there is a per-minute charge for use of the line, and the time taken to download the spam is charged to the user?
Not everyone uses HotMail, you know...
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Yes, let's wage the war on all fronts. I'd support making telemarketing, direct mail, and spam all opt-in.
For telemarketing, it's already quite feasible. Just add a record to my data in the telco switch setup, next to the "block 900 calls" and "block collect calls" fields, that says "block telemarketing calls". Add a record to the telemarketer's entry indicating they are a telemarketer (this actually already exists, it's called "subscriber service class" and is a part of Signaling System 7 (what the phone system uses)), and problem solved.
Ditto for snail mail: allow me to have the USPS set a flag over my box that says "no junk", and have them mark all junk "return to sender, recepient refuses bulk mail" (and charge their account for postage).
Back these up with some strong policies that prohibit abuse (telco's will shut off the idiots who telemarket from home, USPS will terminate the third-class accounts of companies that don't correctly mark their mail as bulk advertising, ISPs will terminate charge abusers...)
NOTE: Not once in the above did I advocate making LAWS. I am for policies enforced by the private sector (and the USPS, dispite the name, is nominally private sector now.)
sllort, I cannot help but notice that you do not list your company in your
www.eFax.com are spammers
I hate spam. No. I DISPISE Spam. It makes me want to kill people. Chop them into little bits, even.
But everytime I catch myself thinking that spam should be made illegal, I start to wonder where we would draw the line at?
If we let them outlaw spam, pretty soon we won't be able to e-mail people we don't know on some formal basis, or at least, not without fear of being turned in and penalized.
Rather than allowing them to use our hatred for spam against us, I think we should find some way to fight spammers. Perhaps if we were to create some organization that profiled and listed the personal information of people caught spamming, we could all collectively violate their privacy in the same way they have violated ours (by writing them millions of personal hate letters and flooding their paper mailbox to the point of uselessness... or other perfectly legal forms of retaliation.)
I hate spam. I just wish we didn't have to resort to creating more laws just to get rid of it.
Spam is Bad. Laws are worse.
"Everything you know is wrong. (And stupid.)"
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
The key to FCC regulations on bandwitdh is 'restrictions'. Why are there restrictions? Because we need to regulate usage of a public limited resource. The internet is no different.
Someone you trust is one of us.
Imagine an internet of the future with billions of world wide users. If I send 10 billion solicitations a day (at a click of my mouse), and only 1/100th of a percent buy the hair tonic (at $20 a bottle) I'd rake in $20 million in revenues. At what cost? Practically no cost to me, but such schemes could render the internet useless overnight if enough people did it. Spamming software might be a feature of MS Office on day. Imagine, if everyone did this.
Is SPAM free speech? Of course not. If SPAM is free speech, why can't I broadcast my thoughts on 101.1 FM without an FCC licence?
Someone you trust is one of us.
I think that one of the biggest problems with fighting spam is that the problem is ill defined.
I think it will take a totally different set of approaches to stop, for instance, a fortune 500 company from sending spam (some do) vs. stopping some d00d with a stolen AOL account fishing for credit card numbers through some jokers cable modem connected to a box with some default Linux install with Sendmail running wide open.
I think the first step has been taken. The clue bell rang, and most MTAs (and packagers) are shipping deny-relay by default.
Anyway, "spam" is clearly applied to some very different activities, how should they be defined so we can work on them? Maybe:
0. Opt in. I have no pity for you.
1. People who found/bought/were given (by you) your email address. These people will really take you off the list if you ask. Call this "Legitimate opt-out" spam. These people respect you as a customer.
2. People who won't let you opt out, just use opt out as a legal cover/way to verify your address. "Real" businesses.
3. People selling snakeoil, but trying to stay within the law.
4. People who steal other peoples resources to send spam (you can argue every spammer is stealing your resources when you recieve spam.)
I think that (1) can be addressed with a standardized header. (2) is tough. The only approaches I can think of are a. filters and b. trying to make it so that "spam doesn't pay" (which in the end is what filters are all about.) c. (ugh) legislation. (3) is tougher still. You can use a and b, but legislation doesn't work on criminals. (by definition.) Finally (4) CLOSE THOSE RELAYS! And use of black holes. (which is ultimately to make people close relaying.)
What do you think?
-Peter
To those who argue that direct mailing should be easily opted out of, consider this: how easy is it to opt out of the existing direct mail offers you receieve via snail mail? It usually takes some real effort.
Yes, it does. I've tried to get off paper junk mailing lists for ten years and it doesn't make a scrap of difference. I've written to the Direct Mail Association, followed every instruction the Post Office has for stopping junk mail, and all it does is leave me out of breath. You can't possibly stop the flow of crap once it starts. Use a credit card for something and you go right back on all the lists the marketers share with each other. It's hopeless.
Trees keep dying to print junk mail for me that goes straight to the recycle bin. Every bit of effort that goes into producing, delivering, carting away and recycling that junk mail is wasted. Every bit.
It's fucking idiotic.
Please, if you want me to take you seriously, explain how you're not using the stupid actions of others to justify your own stupid actions. I don't want your direct mail. You should believe me when I say that. And I shouldn't have to keep telling you, and all the other "direct mailers" and spammers, "no, no, no, no, no, no, no" all my fucking life just to keep my mailbox clear.
Why can't this apply to the web?
Why on earth should it? And we're not talking about the web here, we're talking about email.
TomatoMan
-- http://frobnosticate.com
Other than peer pressure, there is no system of checks and balances to force a spammer to behave rationally. If someone decides to spam one hundred people, it is just as easy to spam a million. In the absence of natural enemies, spammers are worse than the semi-mythical rabbits in Australia: Only shoot-on-sight antispam efforts have kept the bulk mailers from consuming the commons down to bare earth.
--
"Ain't no right way to do a wrong thing."
You think the lawyers are not clueful ? Folks, if a Troll is one who makes inflammatory remarks to provoke comment, then the author of this submission was a MasterTroll.
This is not a signature.
This just made me think of something...
What if you set your SMTP banner to something like:
mail.dlitz.net - We reserve the right to charge US$500 per message transmitted to us. If you do not agree, disconnect now or do not send any messages to us.
One could probably boil it down to something a little more concise, but would it not give you a concrete standing in a small-claims case?
--
A "quality food product"? Did you type that with a straight face? Quite possibly the only thing funnier than that, associated with SPAM, is this oldy but goody.
Need XML expertise? crism consulting
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
The problem is $$$ and damages. It is very hard to quantify the damages. Most of the spammers claim you make millions of $$ from following their scheme, but they don't have money to make a lawsuit worthwhile.
The district attorneys won't do anything unless lots of damages can be shown, or the complainant and the spammer are in the same jurisdiction.
Fight Spammers!
I'm almost all the way through the document, and it still hasn't degenerated into name-calling....
Well put together basic review of the issues, but it leaves out the level at which action, if it could be well-defined, might do the most good right now. I'm one of those folks who take care of their morning need to indulge in a bit of aggression by complaining to the providers of each bit of spam received. More often than not, they assure me accounts are closed. But for a few months most spam was coming from Phoenix or Tucson on the same provider. Now there's a lot coming from the Miami area. If they're shutting accounts, they're happily selling new ones the next day to replace 'em.
... well, you can see the problem, this will encourage the spammers to more often use stolen credit cards. Still, it should be illegal at least for the same firm to keep selling new accounts to the same spammer whose old account it just shut down. Or are we talking kids in the barrio who get their whole gang to sign up one at a time to keep their little business going?
If there were a law requiring providers to maintain a central database of credit cards used to purchase spam accounts, and then use that as a basis to run cross checks with the credit agencies so that no one person who ever bought an account to spam could ever buy access to the Net again
Hmm, how about a clause in the sign-up process for any Net access account wereby the buyer agrees to have their card charged $100 for each instance of spam (per recipient) - a simple service contract: you can send spam from your account, this is what we'll charge you for it. Let the ISP keep the money to offset their anti-spam efforts. Of course, you'll get some cheating ISP faking the evidence to collect the charges, but public review of their practices through boards like dslreports.com can steer us away from that kind of theft.
So define spam as acceptable use that will be charged to your card, and at rates where we can hire serious collection agents to go after you if you try to stiff us. And we won't even notify you when the complaints start to come in, we'll just run up your charges. Any sane ISP would start paying small fees for spam reports from recipients. Setting a minimal threshold, say 50 reports before the clause kicks in, would protect folks from spurious reports. And we have a thoroughly capitalist solution without need for new laws.
"with their freedom lost all virtue lose" - Milton
This concept solves one of the major problems in trying to nab spammers... Locating them. Spammers can hide. They can move. They can generally stay safe forever. But there is that one common thread... Someone wants to get their hands on your money. To do that they need to provide contact info of some sort. BINGO!!! You have someone you can nail.
Disclosure: I believe it should be loegal to kill telemarketers and spammers. Don't give me that "It's only their job" shit. It didn't work in Nuremberg, it won't work here.
And the "freedom speech" angle doesn't work here either. I demand to be allow to exercise by freedom of speech by not being afflicted with these people. The freedom of speech does not give you the constitutional right to an audience.
Damn. I started this thinking that I wasn't going to foam at the mouth. Sigh.
anti spam law (I can't stand PDF files)
360 degrees of Karma
Yes, that was already clear from your attempt to call what your company does something different than spam. However, if your company adds addresses to lists without the informed consent of the address owner, no matter how your company got ahold of the address, your company is spamming.
I will put it quite simply: I decide what kind of mail companies can send me. It's my mailbox. It's my property. It's my personal space. So my rules apply.
Offer me a chance to opt-in to a useful information source (deals on a particular type of book, etc.), but refrain from slamming my address into the list without my permission, and you'll be my friend.
Slam me into a list against my will, where you think you can decide what I'm interested in, then force it down my throat until I plead with you to stop (this is called opt-out), and you'll be my enemy.
When I opt out after being slammed by an enemy, I myself ensure that the opt-out works, permanently. That's because I have yet to see a company that's willing to slam me into a list without my permission in the first place ever manage to take me off that list successfully, even if they say they want to.
So I handle the opt-out myself, by banning all email from the list bombing slammer on domains and networks under my control. I've found through harsh personal experience that that's the only successful way to opt out once an unethical mainsleazer has slammed your address.
I strongly urge you to ensure that your company runs its lists without slamming addresses. Do confirmed opt-in, and you'll be my friend.
http://www.river.com/users/share/cluetrain/
The thing I see missing from all the discussion of spam on /., as well as this paper, is the quantified difference between true spam and helpful courtesy emails & alerts.
.nl addresses that put 10,000 emails in your box by raping a mail relay, or porn promotions that include web bugs to check when you've opened the email and start spamming you with a message a minute.
Right in the abstract, the author lays down his bias: "Unsolicited Electronic Mail, also called 'spam'". Not all unsolicited electronic mail is spam! To make a simplistic example, If someone from way back in your past (like high school) sends you an email from out of the blue, it's unsolicited (you didn't ask for it) but it's hardly spam.
In the same vein, e-commerce companies emailing their loyal customers about limited time offers and promotions is far different from the crapflood-esque pyramid schemes from
Spam is malicious, and has a penetration rate under 1 in a million. Direct mailing from web vendors to their customers has a much higher penetration rate because they are sending their customers information about stuff they are used to buying!!.
To those who argue that direct mailing should be easily opted out of, consider this: how easy is it to opt out of the existing direct mail offers you receieve via snail mail? It usually takes some real effort. Why can't this apply to the web? Is it truly so awful that Amazon tries to find other things you're interested in based on your interests, and lets you know?
My company participates in direct mailing, and a lot of customers respond. Far, far, far, far less write us up angrily for sending them direct offers (I can count the number of times it's happened on one hand).
From the paper:
"Some definitions of spam include only messages that are commercial in nature. "Commercial" is generally defined in terms of message content rather than the sender's actual or presumed motivation for sending the message; a typical definition includes any message that promotes the sale of goods or services."
Only commercial offers are spam? Come ON. Direct marketing is as American as apple pie. The Internet is no different.
If you're going to wage war on direct marketing, wage it on all fronts: telemarketing, direct mail, direct email. There's no need to single out email.