Slashdot Mirror
David Sorkin on Internet Law and Spam
KC7GR writes "Cnet has published an interview with David Sorkin, associate professor at the John Marshall Law School. He's answering questions about the current state of cyberlaw, and he also has much to say about why current federal legislation being considered could make the problem of spam worse rather than curbing it."
I fail to see how the problem of spam could be much worse. Out of necessity an alias to my email is out on the net and I get 20-30 spam per day, most of the the incest/rape/animals varieties.
What would be worse? 100 spam a day would take no more effort to delete (thanks to spamassassin), and I fail to see worse topics showing up in my mailbox.
Kickstart
They can pass all the laws they want, but who's going to enforce them? It's illegal to send unsolicited faxes too, but my eFax number gets swamped by them daily.
to block spam. But I think we are going to have to "go nuclear" if we ever want to win this war. What I mean by that is we are going to have to start blacklisting *anyone* who runs a open relay and I don't just mean mail I mean everything. Cut them off from the rest of the world. Only at that point will people get off their butts and solve the problem. That at least is whay I think. No more playing around time to bring out the big guns.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
What law does the Internet really need?
I don't think that the Internet really needs much law--it's really just a question of figuring out how best to apply more general laws to the online environment.
My man! Somebody nominate this guy for something. Like a legislature. Or the bench.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
for unauthorised use of my computing resources.
/SOFTWARE/Microsoft/Windows/CurrentVersion/Run $5.00 / month*
SPECIAL OFFER THIS MONTH ON DLL REPLACEMENT
DLL Replacement $2.00 / month (** NORMALLY $3.00 **)
Registry Entry in
Unrequested Email $5.00 / email
(additional "do you think I was born yesterday" penalty if the email contains the words "This is not spam.")
Application "Phone Home" Internet Access $0.50 / KB
When email was first designed it was a very open system with no real rules. What worked was good enough. The smtp protocol needs to be rewritten into something more advanced (amtp?) in order to prevent spam at the lowest (technological) level. If you can't sent spam you can't receive spam. It would all just disapear...
ender-iii
The Pro version is available for MS Outlook users, and works wonders.
This isn't a joke, really. Remember the TV exec who said that people who skip commercials are stealing television shows? I wonder if someday someone will effectively argue in the courts that by using a spamblocker, you are "stealing" the Internet. I know, and you know, that this doesn't make sense, but, well, look at DMCA, UCITA, ...
Could law legilate the need for utilities like Spam Interceptor?
ender-iii
Sure, spam's awful, but I find Sorkin's Don't Link cause (promoting the right to link on the net) fascinating. It was discussed here at slashdot last month.
All of this has a lot of common ground with Lawrence Lessig, who was the subject of a Wired article also discussed here. Good to see some law professors pursuing freedom on the internet.
If you're interested in following intellectual property arguments in more detail I recommend Negativland's IP page as a great starting point.
ancarett, historian and zombie gamer
The problem with email is there is no way to verify that what you are reading really came from BillyBob@foo.com - it could have been forged at any step of the way.
What we need is the idea of a "trusted server":
1) A trusted server only accepts mail from sources it can trust:
1a) Users - users are trusted because their mail is sent via SSL, and signed with a private key the user has (with the mail server having the public key).
1b) Other mail servers: they are trusted because they sign all mail they send with their private key. The public key is available via something like a DNS TXT record for that IP.
2) The message is signed by each mail server it moves through. Thus, at any step, you can verify the mail by checking each level by getting the public key for the sender and computing an MD5 hash. If it doesn't check, then you know:
2a) The message was bogus at that point,
2b) The mail server that accepted it didn't verify the message, so
2c) That mail server can no longer be trusted.
Now, all that does is make sure that that ad for "Viagra for Goats!" originated with Ralsky@spammers.net - of itself it does not solve the problem. However, I can tell my mail server that anything coming through spammers.net is to be rejected out of hand. Also, if some chickboner sends me a spam, I know exactly where it came from and can raise hell with his ISP (and if they don't solve the problem to my satisfaction, they get blocked too.)
This is the problem with blocklists now - you can blocklist the mainsleaze spammers, but the chickboners and the relay rapers will still crapflood you worse than reading at -1.
(note: support for old clients can be supplied either by a proxy program on the client's PC, or by using a RADIUS lookup to verify that the person the mail is purportedly from matches the person authenticated on that IP.)
www.eFax.com are spammers
" Which approach do you think produces the better results?
I happen to think the best approach is a balance somewhere in the middle, but as business practices seem to get more and more invasive, I find myself leaning closer to the European approach, even though I'm normally quite wary of regulation."
--
Even the left wing are getting scared because of unfair business practices. The real answer is in re-writing the Email protocol. It is simply too lax on security and too simple to accomodate todays needs and provide the level of 'security' people want with the Internet.
I propose that a working group be formed to incorporate the same type of Authentication we know works with email - and piggy back that authentication on an open platform like RFC 822's Email Protocol until it can be implemented as a required medium.
Any interested contributors to this working group should email us at inquiries@solidblue.biz. SolidBlue is a leader in networked communications and protocol development.
--Ace905
Ace
This guy is pretty smart and has a good grasp on things.
..."as business practices seem to get more and more invasive, I find myself leaning closer to the European approach, even though I'm normally quite wary of regulation. "
here are some gems.
"In the United States, one of the most important criteria used to evaluate any proposed restriction on the collection and use of personal information by businesses is the effect that it will have on industry. In Europe that's at most secondary to the individual and societal rights that are affected. "
<B>How about grading the legislators as well?</B> [he had said earlier that the courts do a good job of learning about technology when interpreting laws that govern it's use]
Unfortunately, I don't think that many legislatures have been anywhere near as scrupulous in learning about technology before trying to make laws to govern it. Take a look at all of the different state spam laws to see what I mean. Only one state has a law that is anywhere near consistent with the practices commonly followed on the Internet--Delaware, where it is a crime to send unsolicited bulk commercial e-mail. The other state spam laws don't focus on the central technical problem with spam, but instead deal with the symptoms, like forging message headers or failing to honor opt-out requests, or with completely different issues, like pornography and other content-related issues. "
<B>What about deep linking? </B>
"What about it? I guess I don't understand why everyone is so concerned about it. It's an inherent part of the Web, in the same way that nouns and verbs are essential parts of speech. If you don't want people linking to or accessing certain content on your Web site, you can implement whatever rules you want to in the design or configuration of your site. But if you put content in a public place with its own published address, it's pointless to pretend that the address is a secret, and you shouldn't expect the legal system to enforce that ridiculous notion. "
"I don't think that the Internet really needs much law--it's really just a question of figuring out how best to apply more general laws to the online environment. "
I'm glad to see a lawyer on our side for a change. Makes me want to move to europe though.
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
I'd like it if we all paid $0.01 per email sent (worldwide). The money could be used for internet hardware and research as well as giving ISPs a much needed boost in revenues with a percentage. The average user would pay less than $1 per month. Spammers however would be shut down quickly. SMTP relays could monitor emails passing through to make sure the charges were accurate. Hotmail and other free email providers would start charging customers, which would require billing info, making spammers using 'free' services trackable.
A pipe dream, unfortunately. Though I think any intelligent techie would be up for this.
Kickstart
.What's being stolen by the tv shows is your time, which should be more valueable than most of the crap out there, anyway.
Sorkin: Of course it doesn't make sense to regulate a relatively borderless environment with laws that vary according to geography.
The internet has borders and vulnerable spots - they're called ISPs. A federal law fining open relays would be a good start. ISPs can attach the the fine, and even a profit attached to it, onto their TOS when they or the government catch Joe DSL or Generic Company T1 with an open relay. The ISPs would have more of an incentive to attack the problem of open relays. Fining the ISP per email sent by a registered user running their own SMTP engine or the ISPs mail server would take care of those paying for one months service to send out gigabytes of mail.
A simple 'ADV' in the subject line for filters to find would take care of the first amendment issue. Advertising is not protected speech, its been ruled again and again that it can be legally limited.
That would more or less take care of American spam. The anti-legislation crowd can cry 'but they will go overseas' all day long, but certainly cannot prove that they will ALL go overseas. Not to mention if this works, other internet heavy countries might take notice and try the same thing. Less spam is better than more spam, especially now that dummy-proof spam software and mailing lists can freely be downloaded via kazaa.
The downside is that your ISP would need your credit card info if you were to get an email account with them in case they do get fined, but chances are they have that information already and is it such a terrible price to pay for spam free mail?
Imagine ISPs encouraging stronger passwords, email limits(500 emails a month - want more then ask and tell why), shutting down open relays, and blocking port 25 to customers not authorized to run a mail server. Horrible I know.
John Marshall is basically well known for two things: Trial Advocacy and Computer Law. I think they have one of the first programs dedicated to computers and the law in the country. They have a computer law journal and recently hosted the American Bar Association's first conference on computer crime. They also host the American Bar Association Mock Trial Competition every year.
It's really a relatively small school without the cutthroat competition of places like Harvard or Stanford. On the one hand, this means you'll have a better chance to pick apart the law. On the other hand, it doesn't have the Harvard or Stanford name.
I'm not a lawyer (ironically) and so I don't know what John Marshall's reputation is in the legal world. The ABA seems to like it.
Hope this helps.
Finding God in a Dog
I'll bet if we called them terrorists things would get a lot easier. ;-)
So close and yet so far from the world's perfect ID number
I might be a little off the subject, but I think the issue is less the fact that you get spammed, and more the fact that your email address is sold over and over and over again, just because you were dumb enough to fill it out on your credit card application. Even if you signed up for an internet site and didn't check any "spam me" boxes they can still sell your contact info to other businesses. Just read the fine print on their sites.
An Actual Privacy Policy:
"However, without your consent, we do not make your, or your gift or message recipient's email addresses available to third parties (except for subsidiaries, subcontractors or agents acting on our behalf in compliance with this Privacy Policy)or any Successor (see below) to our business."
Wait... what was that about except for subsidiaries, and who?
The same thing happens with your phone number and your home address.
You get spammed with email, spammed with phone calls, spammed with faxes, and spammed in your mailbox.
I think a better solution to the problem is to make it illegal to sell people's contact information for the purpose of making money.
Not "If you check here" or "If you agree to these terms", not for any reason.
When you give your contact information to a business, you are giving it to them with the trust that they will use that information only to contact you if necessary. I can guarantee you that 0% of the people that sign up for a service are actually glad that their contact information is sold or traded so that they can get phone calls about low home equity loan rates.
At least from a legal perspective it would be easier to enforce. If you determined that a corporation or a business was selling people's contact information, just notify the authorities and have Uncle Sam come down on their ass. If they're actually getting paid for it they can't correctly report it on their taxes, and we know how much the government gets pissed off when they find out you've been hiding money from them.
The extreme alternative is to become so paranoid about your personal information that you won't give it out to anyone for any reason! Imagine buying a house and telling the bank financing your loan that you can't give them your phone number or home address because you know they're going to sell that information to a third party. Either that or you want royalties from them every time they make money from selling your information.
Hey, now we're talking about information ownership, right?
That sounds like intellectual property, kinda like music, right?
That means we can get it covered under the DMCA, right? Right??
Yeah... RIIIGHT.
Dude, by now what I'm doing is having spamprobe filtering all my e-mail using Paul Graham's much mentioned bayesian techniques. There's even a way to have spamassassin cooperate with spamprobe, making a filter that I guess will be all but impenetrable for those pesky spams.
Someone pointed out that, by the point my filters get to "read" and categorize e-mail, the spammer's already used up my bandwidth and storage space. I don't care too much, as long as I don't have to see the spam myself. Also, this makes spammer's life a little harder. Maybe if we all had some sort of spam filter the spammers would realize they're not even getting that 0.1% response rate they want and finally go away or die. Cuz man, they can make all the laws they want, but someone will always break them. You don't leave your house's door open hoping the mere existence of laws will prevent people from coming in and stealing your stuff!
Hmm... If this became standard, I wonder how long it would take for a spammer to make a system that would OCR the image and respond appropriatly.
My guess is that the only reason it is working now is that it is uncommon/non-standard. The great advantage of standardization is its downfall in this case; standardization enables machine-comprehension.
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman
Funny you should mention that. I just got a bounced email with my address on it. It was sent from South Korea, OXLED.COM going through HANANET to be exact. I can easily imagine the same happening from China with kiddyporn, copyright violation offers, or general fraud.
The way the US legislature has been writing laws, it's also easy to imagine a bill being passed that would land me in jail until I prove my innocence or the SC shoots it down eight to ten years later.
So, while I think spam is bad, I don't think the US Congress is capable of making a law that wouldn't screw over the innocent while restricting the guilty.
"One man can change the world with a bullet in the right place."
- Mick Travis, "If..."
I still think that the television executive's claim is quite a stretch, because no one signs a contract to watch TV, and also because television is broadcast, whereas spammers target us personally. However, a spammer might claim that by allowing your email address to be viewed openly on the Internet, you have effectively "broadcast" it out.
Those are just some thoughts I had. I'm still at the conclusion that avoiding commercials is not stealing and spamming is.
But ISPs could make it part of their Terms of Service that they periodically do unannounced scans of port 25 of their customers' IPs. Anything that answers is given an automated open relay test. If it proves not to be an open relay, fine, it's left alone. If it is an open relay, an operator is notified and handles the problem. An equally effective and much less restrictive solution to that problem.
-----Chaz
If you came by and dropped a laptop in my lap for no reason nor did i ask nor was anything said between us, you lose the right to ask me for payment at a later date.
Noone even ever told me i had to pay to watch tv, short of owning a tv set.
How do i think that stuff gets paid for? Why should i think about it when it is not my concern. If they wanted money in exchange for it they should sell it like cable.
Then you get into the issue of 'they are transmitting their signal through me, so its not up to them to decide what happens with that signal any longer'
I thought we had killed
spam dead by using haiku
I guess I was wrong
and he also has much to say about why current federal legislation being considered could make the problem of spam worse rather than curbing it."
Errr could that be because the average legislator is a MORON and has his/or her head jammed up a contributing sponsors colon ? Has the US governmant EVER successfully regulated, or EVEN DE-REGULATED and industry ? Trucking went to hell, the Phone/Cable companies have been screwing the public for years now under government de-regulation. We ALL know how well the government has been regulating and monitoring the Airlines....
errr....umm...*whooosh* *whoosh* Is this thing on ?
I think we, the Internet technical community, have to face up to the fact that we fucked up. We committed ourselves to an email system (SMTP) that is extremely vulnerable to abuse and exploitation.
Of course we didn't intend to do this. Microsoft probably didn't intend the scripting "features" of Outlook to be exploited by virii either.
This is a technical problem in need of a technical solution. Laws will have no effect (spammers just move out of the jurisdiction). Smarter spam filters are a good band-aid, but they only mask the problem.
There are plenty of possibilities for building a spam-proof email infrastructure - charging money to receive an email from an unknown sender, forcing senders to perform some expensive action for each recipient, etc. Some of these ideas probably won't work, but some will.
The biggest problem will be encouraging wide-spread adoption of the best solution. It can't just be geeks in the open-source community; we really need the likes of Microsoft, Apple, and co. to push this technology to the masses. (cf the failed adoption of email encryption)
People who skip commercials *are* stealing tv shows. How do you think that stuff get's (sic) paid for?
In the U.S., television broadcasters are allocated radio spectrum (TV channels) essentially without payment (except for certain regulatory fees), because they are presumed to be providing a public service in return.
When the broadcasters pay market rates for the radio spectra (as wireless telephone providers have in recent years in the U.S.), and when they contract with viewers to provide services in exchange for viewing commericals, perhaps they can argue that not watching some portion of their signal is theft.
Until then, they use their spectra public trust, and without any contract with their viewers.
Or shall I argue that since you've read this far, you're obligated to read my sig?
Opinions on the Twiddler2 hand-held keyboard?
How do you think that stuff get's paid for?
Commercials is not the only possible way to pay for the TV shows. In Denmark we have to buy a license if we want to own a television. But with our new government that might change. (So much for the commercial free TV.)
Do you care about the security of your wireless mouse?