David Sorkin on Internet Law and Spam
KC7GR writes "Cnet has published an interview with David Sorkin, associate professor at the John Marshall Law School. He's answering questions about the current state of cyberlaw, and he also has much to say about why current federal legislation being considered could make the problem of spam worse rather than curbing it."
Who is David Sorkin, and what is Spam?
I fail to see how the problem of spam could be much worse. Out of necessity an alias to my email is out on the net and I get 20-30 spam per day, most of the incest/rape/animals varieties.
What would be worse? 100 spam a day would take no more effort to delete (thanks to spamassassin), and I fail to see worse topics showing up in my mailbox.
Kickstart
They can pass all the laws they want, but who's going to enforce them? It's illegal to send unsolicited faxes too, but my eFax number gets swamped by them daily.
Been a pretty busy day for the FreeBSD people
"he also has much to say about why current federal legislation being considered could make the problem of spam worse rather than curbing it."
I doubt it...
-Tolerate my intolerance
Government not interfering with the net or government interfering with the net? Let's see: DMCA, bad. Laws against spam, good. Government using Microsoft Word, bad. Government mandating Open Source OS, good.
I am confused.
We need meatspace laws because it is impractical to construct a concrete bunker around your house to gain security. On the other hand in cyberspace it is possible to construct something as strong as 10 light-years of titanium allow. Meatspace analogies don't apply to cyberspace. We don't need any cyberspace law, just good implementation of proven security techniques.
Your Rights Online: David Sorkin on Internet Law and Spam
Posted by michael on Friday September 20, @03:34PM
from the fifty-spams-today-and-counting dept.
I would like to see more initiatives in self-moderation in the internet. Any suggestions? I'd rather hear /.ers instead of the courts on this.
"There is no teacher but the enemy."-Mazer Rackham
to block spam. But I think we are going to have to "go nuclear" if we ever want to win this war. What I mean by that is we are going to have to start blacklisting *anyone* who runs an open relay, and I don't just mean mail, I mean everything. Cut them off from the rest of the world. Only at that point will people get off their butts and solve the problem. That at least is what I think. No more playing around, time to bring out the big guns.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Hurt the spammers here!
It is illegal to use spamassassin, and you go to jail for not reading your spam?
Just a Tuna in the Sea of Life
What law does the Internet really need?
I don't think that the Internet really needs much law--it's really just a question of figuring out how best to apply more general laws to the online environment.
My man! Somebody nominate this guy for something. Like a legislature. Or the bench.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
for unauthorised use of my computing resources.
/SOFTWARE/Microsoft/Windows/CurrentVersion/Run $5.00 / month*
SPECIAL OFFER THIS MONTH ON DLL REPLACEMENT
DLL Replacement $2.00 / month (** NORMALLY $3.00 **)
Registry Entry in
Unrequested Email $5.00 / email
(additional "do you think I was born yesterday" penalty if the email contains the words "This is not spam.")
Application "Phone Home" Internet Access $0.50 / KB
When email was first designed it was a very open system with no real rules. What worked was good enough. The smtp protocol needs to be rewritten into something more advanced (amtp?) in order to prevent spam at the lowest (technological) level. If you can't send spam you can't receive spam. It would all just disappear...
ender-iii
The Pro version is available for MS Outlook users, and works wonders.
Of more interest to me was the fact that the EU too has plans to legislate against spammers... I wonder whether these will prove to have any effectiveness whatsoever... I can't help but feel that technology will help separate more unsolicited email than legislation...
Could law legislate the need for utilities like Spam Interceptor?
ender-iii
I tried to read the article but a damn cellphone ad was blocking the article and I couldn't get it to close. Oh well.
May no camel spit in your yogurt soup.
Sure, spam's awful, but I find Sorkin's Don't Link cause (promoting the right to link on the net) fascinating. It was discussed here at slashdot last month.
All of this has a lot of common ground with Lawrence Lessig, who was the subject of a Wired article also discussed here. Good to see some law professors pursuing freedom on the internet.
If you're interested in following intellectual property arguments in more detail I recommend Negativland's IP page as a great starting point.
ancarett, historian and zombie gamer
The problem with email is there is no way to verify that what you are reading really came from BillyBob@foo.com - it could have been forged at any step of the way.
What we need is the idea of a "trusted server":
1) A trusted server only accepts mail from sources it can trust:
1a) Users - users are trusted because their mail is sent via SSL, and signed with a private key the user has (with the mail server having the public key).
1b) Other mail servers: they are trusted because they sign all mail they send with their private key. The public key is available via something like a DNS TXT record for that IP.
2) The message is signed by each mail server it moves through. Thus, at any step, you can verify the mail by checking each level by getting the public key for the sender and computing an MD5 hash. If it doesn't check, then you know:
2a) The message was bogus at that point,
2b) The mail server that accepted it didn't verify the message, so
2c) That mail server can no longer be trusted.
Now, all that does is make sure that that ad for "Viagra for Goats!" originated with Ralsky@spammers.net - of itself it does not solve the problem. However, I can tell my mail server that anything coming through spammers.net is to be rejected out of hand. Also, if some chickboner sends me a spam, I know exactly where it came from and can raise hell with his ISP (and if they don't solve the problem to my satisfaction, they get blocked too.)
This is the problem with blocklists now - you can blocklist the mainsleaze spammers, but the chickboners and the relay rapers will still crapflood you worse than reading at -1.
(note: support for old clients can be supplied either by a proxy program on the client's PC, or by using a RADIUS lookup to verify that the person the mail is purportedly from matches the person authenticated on that IP.)
www.eFax.com are spammers
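The hop-by-hop check described in the trusted-server comment above, as an added example (not code from the thread). It signs with Ed25519 over a SHA-256 digest instead of the MD5 hash the comment mentions; the server names, the in-memory key map standing in for the DNS TXT lookup, and the name-derived demo keys are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Hop is the signature one server adds when it relays a message.
type Hop struct{ Server string; Sig []byte }

// Message is a mail body plus the hop signatures collected so far.
type Message struct{ Body string; Hops []Hop }

// Verdict is the result of checking a message's hop chain.
type Verdict struct {
	OK       bool
	FailedAt string // first hop whose signature does not check (2a)
	Distrust string // next hop, which relayed it unverified (2b, 2c)
	Blocked  string // authenticated hop that is on the local blocklist
}

// digest covers the body and every earlier hop, so hops cannot be dropped or reordered.
func digest(body string, prior []Hop, server string) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s", len(body), body)
	for _, p := range prior {
		fmt.Fprintf(h, "%d:%s%d:%x", len(p.Server), p.Server, len(p.Sig), p.Sig)
	}
	fmt.Fprintf(h, "%d:%s", len(server), server)
	return h.Sum(nil)
}

// Relay appends server's signature, as each trusted server does on send.
func (m *Message) Relay(server string, key ed25519.PrivateKey) {
	m.Hops = append(m.Hops, Hop{server, ed25519.Sign(key, digest(m.Body, m.Hops, server))})
}

// Verify walks the chain oldest hop first; keys stands in for the DNS TXT key lookup.
func Verify(m Message, keys map[string]ed25519.PublicKey, blocklist map[string]bool) Verdict {
	for i, hop := range m.Hops {
		pub, known := keys[hop.Server]
		if !known || !ed25519.Verify(pub, digest(m.Body, m.Hops[:i], hop.Server), hop.Sig) {
			v := Verdict{FailedAt: hop.Server}
			if i+1 < len(m.Hops) {
				v.Distrust = m.Hops[i+1].Server
			}
			return v
		}
		if blocklist[hop.Server] { // signature is genuine, sender is unwanted
			return Verdict{Blocked: hop.Server}
		}
	}
	return Verdict{OK: len(m.Hops) > 0} // unsigned mail is never trusted
}

// demoKeys derives fixed key pairs from names (constructed; real keys must be random).
func demoKeys(names ...string) (map[string]ed25519.PublicKey, map[string]ed25519.PrivateKey) {
	pubs, privs := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, n := range names {
		seed := sha256.Sum256([]byte(n))
		privs[n] = ed25519.NewKeyFromSeed(seed[:])
		pubs[n] = privs[n].Public().(ed25519.PublicKey)
	}
	return pubs, privs
}

func main() {
	keys, privs := demoKeys("mail.example.org", "relay.example.net")
	m := Message{Body: "lunch at noon?"}
	m.Relay("mail.example.org", privs["mail.example.org"])
	m.Body = "altered in transit" // constructed tampering between hops
	m.Relay("relay.example.net", privs["relay.example.net"]) // relays unchecked
	fmt.Printf("%+v\n", Verify(m, keys, nil))
}
```

Because each signature covers all earlier hops, stripping a hop from the front of the chain also fails verification at the next server's entry.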
" Which approach do you think produces the better results?
I happen to think the best approach is a balance somewhere in the middle, but as business practices seem to get more and more invasive, I find myself leaning closer to the European approach, even though I'm normally quite wary of regulation."
--
Even the left wing are getting scared because of unfair business practices. The real answer is in re-writing the Email protocol. It is simply too lax on security and too simple to accommodate today's needs and provide the level of 'security' people want with the Internet.
I propose that a working group be formed to incorporate the same type of Authentication we know works with email - and piggy back that authentication on an open platform like RFC 822's Email Protocol until it can be implemented as a required medium.
Any interested contributors to this working group should email us at inquiries@solidblue.biz. SolidBlue is a leader in networked communications and protocol development.
--Ace905
Ace
This guy is pretty smart and has a good grasp on things.
..."as business practices seem to get more and more invasive, I find myself leaning closer to the European approach, even though I'm normally quite wary of regulation. "
Here are some gems.
"In the United States, one of the most important criteria used to evaluate any proposed restriction on the collection and use of personal information by businesses is the effect that it will have on industry. In Europe that's at most secondary to the individual and societal rights that are affected. "
How about grading the legislators as well? [he had said earlier that the courts do a good job of learning about technology when interpreting laws that govern its use]
Unfortunately, I don't think that many legislatures have been anywhere near as scrupulous in learning about technology before trying to make laws to govern it. Take a look at all of the different state spam laws to see what I mean. Only one state has a law that is anywhere near consistent with the practices commonly followed on the Internet--Delaware, where it is a crime to send unsolicited bulk commercial e-mail. The other state spam laws don't focus on the central technical problem with spam, but instead deal with the symptoms, like forging message headers or failing to honor opt-out requests, or with completely different issues, like pornography and other content-related issues. "
What about deep linking?
"What about it? I guess I don't understand why everyone is so concerned about it. It's an inherent part of the Web, in the same way that nouns and verbs are essential parts of speech. If you don't want people linking to or accessing certain content on your Web site, you can implement whatever rules you want to in the design or configuration of your site. But if you put content in a public place with its own published address, it's pointless to pretend that the address is a secret, and you shouldn't expect the legal system to enforce that ridiculous notion. "
"I don't think that the Internet really needs much law--it's really just a question of figuring out how best to apply more general laws to the online environment. "
I'm glad to see a lawyer on our side for a change. Makes me want to move to Europe though.
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
you didn't click on the "publish my e-mail address" or sign up for stupid newsletters while creating your e-mail address, you wouldn't get spam. We don't need laws to regulate it. If you get spam, it's your fault. I have two e-mail addresses, and I never get spam and I've had one of them (my hotmail account) for over 3 years.
I'd like it if we all paid $0.01 per email sent (worldwide). The money could be used for internet hardware and research as well as giving ISPs a much needed boost in revenues with a percentage. The average user would pay less than $1 per month. Spammers however would be shut down quickly. SMTP relays could monitor emails passing through to make sure the charges were accurate. Hotmail and other free email providers would start charging customers, which would require billing info, making spammers using 'free' services trackable.
A pipe dream, unfortunately. Though I think any intelligent techie would be up for this.
Kickstart
Sorkin: Of course it doesn't make sense to regulate a relatively borderless environment with laws that vary according to geography.
The internet has borders and vulnerable spots - they're called ISPs. A federal law fining open relays would be a good start. ISPs can attach the fine, and even a profit attached to it, onto their TOS when they or the government catch Joe DSL or Generic Company T1 with an open relay. The ISPs would have more of an incentive to attack the problem of open relays. Fining the ISP per email sent by a registered user running their own SMTP engine or the ISP's mail server would take care of those paying for one month's service to send out gigabytes of mail.
A simple 'ADV' in the subject line for filters to find would take care of the first amendment issue. Advertising is not protected speech, it's been ruled again and again that it can be legally limited.
That would more or less take care of American spam. The anti-legislation crowd can cry 'but they will go overseas' all day long, but certainly cannot prove that they will ALL go overseas. Not to mention if this works, other internet heavy countries might take notice and try the same thing. Less spam is better than more spam, especially now that dummy-proof spam software and mailing lists can freely be downloaded via kazaa.
The downside is that your ISP would need your credit card info if you were to get an email account with them in case they do get fined, but chances are they have that information already and is it such a terrible price to pay for spam free mail?
Imagine ISPs encouraging stronger passwords, email limits (500 emails a month - want more then ask and tell why), shutting down open relays, and blocking port 25 to customers not authorized to run a mail server. Horrible I know.
John Marshall is basically well known for two things: Trial Advocacy and Computer Law. I think they have one of the first programs dedicated to computers and the law in the country. They have a computer law journal and recently hosted the American Bar Association's first conference on computer crime. They also host the American Bar Association Mock Trial Competition every year.
It's really a relatively small school without the cutthroat competition of places like Harvard or Stanford. On the one hand, this means you'll have a better chance to pick apart the law. On the other hand, it doesn't have the Harvard or Stanford name.
I'm not a lawyer (ironically) and so I don't know what John Marshall's reputation is in the legal world. The ABA seems to like it.
Hope this helps.
Finding God in a Dog
I have two "free" e-mail addresses -- one that I use whenever I register (and carefully turn off all newsletter, list, and other options on) and one that only family and friends have. I do get more spam from the first, but I get spam on the second as well.
Spammers get very creative in finding addresses to add to their lists. Why else do we see Joe DOT Blow AT kickme DOT com or JoeREMOVE.Blow@UNSUBSCRIBEkickme.com?
Some sites won't let you register unless they have permission to add your address to a list to be used only by them and their "business affiliates". If you need to download a file (Borland??) you have to agree or look elsewhere.
My company's e-mail has been added to lists by such random occurrences as an out-dated web address that was taken over by a p0rn site. Killing the browser and all the pop-ups didn't prevent them from picking up the main address for the computer - and adding it to every list they could.
Some of the FW: jokes/rumors I get from family and friends are little better than spam as well.
I was taking one day at a time, but then several days got together and ambushed me. (from a Rhymes with Orange comic)
I'll bet if we called them terrorists things would get a lot easier. ;-)
So close and yet so far from the world's perfect ID number
I might be a little off the subject, but I think the issue is less the fact that you get spammed, and more the fact that your email address is sold over and over and over again, just because you were dumb enough to fill it out on your credit card application. Even if you signed up for an internet site and didn't check any "spam me" boxes they can still sell your contact info to other businesses. Just read the fine print on their sites.
An Actual Privacy Policy:
"However, without your consent, we do not make your, or your gift or message recipient's email addresses available to third parties (except for subsidiaries, subcontractors or agents acting on our behalf in compliance with this Privacy Policy)or any Successor (see below) to our business."
Wait... what was that about except for subsidiaries, and who?
The same thing happens with your phone number and your home address.
You get spammed with email, spammed with phone calls, spammed with faxes, and spammed in your mailbox.
I think a better solution to the problem is to make it illegal to sell people's contact information for the purpose of making money.
Not "If you check here" or "If you agree to these terms", not for any reason.
When you give your contact information to a business, you are giving it to them with the trust that they will use that information only to contact you if necessary. I can guarantee you that 0% of the people that sign up for a service are actually glad that their contact information is sold or traded so that they can get phone calls about low home equity loan rates.
At least from a legal perspective it would be easier to enforce. If you determined that a corporation or a business was selling people's contact information, just notify the authorities and have Uncle Sam come down on their ass. If they're actually getting paid for it they can't correctly report it on their taxes, and we know how much the government gets pissed off when they find out you've been hiding money from them.
The extreme alternative is to become so paranoid about your personal information that you won't give it out to anyone for any reason! Imagine buying a house and telling the bank financing your loan that you can't give them your phone number or home address because you know they're going to sell that information to a third party. Either that or you want royalties from them every time they make money from selling your information.
Hey, now we're talking about information ownership, right?
That sounds like intellectual property, kinda like music, right?
That means we can get it covered under the DMCA, right? Right??
Yeah... RIIIGHT.
Dude, by now what I'm doing is having spamprobe filtering all my e-mail using Paul Graham's much mentioned bayesian techniques. There's even a way to have spamassassin cooperate with spamprobe, making a filter that I guess will be all but impenetrable for those pesky spams.
Someone pointed out that, by the point my filters get to "read" and categorize e-mail, the spammer's already used up my bandwidth and storage space. I don't care too much, as long as I don't have to see the spam myself. Also, this makes spammer's life a little harder. Maybe if we all had some sort of spam filter the spammers would realize they're not even getting that 0.1% response rate they want and finally go away or die. Cuz man, they can make all the laws they want, but someone will always break them. You don't leave your house's door open hoping the mere existence of laws will prevent people from coming in and stealing your stuff!
We already have anti-spam laws, heck, we could modify 47USC227 for prohibition of spam, but it doesn't do anything unless the laws are actually enforced. Let's try enforcing a few first and see how it goes.
Unfortunately, this would require billing in advance. How would an ISP determine in advance how many emails will be sent if they don't know who is a spammer? Do you want a bill for $100,000.00 up front just in case you might be a spammer?
The only way I can see this working is with a system that has a pre-established deposit amount and a way of cutting off service if that amount hits $0.00. Sadly I am sure spammers will find a way to hack this or piggy-back on some business account.
I was taking one day at a time, but then several days got together and ambushed me. (from a Rhymes with Orange comic)
is a TTT.
Hmm... If this became standard, I wonder how long it would take for a spammer to make a system that would OCR the image and respond appropriately.
My guess is that the only reason it is working now is that it is uncommon/non-standard. The great advantage of standardization is its downfall in this case; standardization enables machine-comprehension.
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman
Funny you should mention that. I just got a bounced email with my address on it. It was sent from South Korea, OXLED.COM going through HANANET to be exact. I can easily imagine the same happening from China with kiddyporn, copyright violation offers, or general fraud.
The way the US legislature has been writing laws, it's also easy to imagine a bill being passed that would land me in jail until I prove my innocence or the SC shoots it down eight to ten years later.
So, while I think spam is bad, I don't think the US Congress is capable of making a law that wouldn't screw over the innocent while restricting the guilty.
"One man can change the world with a bullet in the right place."
- Mick Travis, "If..."
But ISPs could make it part of their Terms of Service that they periodically do unannounced scans of port 25 of their customers' IPs. Anything that answers is given an automated open relay test. If it proves not to be an open relay, fine, it's left alone. If it is an open relay, an operator is notified and handles the problem. An equally effective and much less restrictive solution to that problem.
-----Chaz
this post hurts my feeble brain - what was the subject about again?
I thought we had killed
spam dead by using haiku
I guess I was wrong
Lesson. They monitor domain names and try all the short email names. So much for my desire to have my own domain for a short email name :-(
Actually, the lower ranked the school is, the more cut-throat it is. Even people graduating at the bottom at Harvard and Stanford will have little problem finding a 6-figure job at a big law firm. Meanwhile, at John Marshall, you'll basically need to graduate in the top 5% (if not the top 5) to land a similar job as the bottom-dwellers at Harvard. What this means is that John Marshall is actually much more cut-throat than at Harvard, where people won't have to compete as hard. (If anything, Harvard competes over the top clerkships, not jobs).
Hey this isn't the spamassassin, it's a pathetic ca$hwear ripoff trying to cash in on the open source version's name
and he also has much to say about why current federal legislation being considered could make the problem of spam worse rather than curbing it."
Errr could that be because the average legislator is a MORON and has his or her head jammed up a contributing sponsor's colon ? Has the US government EVER successfully regulated, or EVEN DE-REGULATED an industry ? Trucking went to hell, the Phone/Cable companies have been screwing the public for years now under government de-regulation. We ALL know how well the government has been regulating and monitoring the Airlines....
errr....umm...*whooosh* *whoosh* Is this thing on ?
Well, if you are taking out $45k/yr for 3 years studying law ($30k/yr + living expenses) then you really don't have much choice but to look for a job that pays well.
I think we, the Internet technical community, have to face up to the fact that we fucked up. We committed ourselves to an email system (SMTP) that is extremely vulnerable to abuse and exploitation.
Of course we didn't intend to do this. Microsoft probably didn't intend the scripting "features" of Outlook to be exploited by virii either.
This is a technical problem in need of a technical solution. Laws will have no effect (spammers just move out of the jurisdiction). Smarter spam filters are a good band-aid, but they only mask the problem.
There are plenty of possibilities for building a spam-proof email infrastructure - charging money to receive an email from an unknown sender, forcing senders to perform some expensive action for each recipient, etc. Some of these ideas probably won't work, but some will.
The biggest problem will be encouraging wide-spread adoption of the best solution. It can't just be geeks in the open-source community; we really need the likes of Microsoft, Apple, and co. to push this technology to the masses. (cf the failed adoption of email encryption)
Credit card accounts and other billing methods require average consumers to have good credit in order to send e-mail. Right now, it is possible for someone to have a hotmail or yahoo account and keep in touch with family even though this person has lousy credit and no home address or computer (libraries and friends). This is another case of hurting users while not stopping a spammer, who will find a way around it.
It is bad enough to see spurious charges on a phone bill, without some spammer linking through my account and getting socked with that $100,000 bill.
I was taking one day at a time, but then several days got together and ambushed me. (from a Rhymes with Orange comic)