David Sorkin on Internet Law and Spam
KC7GR writes "Cnet has published an interview with David Sorkin, associate professor at the John Marshall Law School. He's answering questions about the current state of cyberlaw, and he also has much to say about why current federal legislation being considered could make the problem of spam worse rather than curbing it."
I fail to see how the problem of spam could be much worse. Out of necessity an alias to my email is out on the net and I get 20-30 spam per day, most of the incest/rape/animals varieties.
What would be worse? 100 spam a day would take no more effort to delete (thanks to spamassassin), and I fail to see worse topics showing up in my mailbox.
Kickstart
They can pass all the laws they want, but who's going to enforce them? It's illegal to send unsolicited faxes too, but my eFax number gets swamped by them daily.
to block spam. But I think we are going to have to "go nuclear" if we ever want to win this war. What I mean by that is we are going to have to start blacklisting *anyone* who runs an open relay, and I don't just mean mail, I mean everything. Cut them off from the rest of the world. Only at that point will people get off their butts and solve the problem. That at least is what I think. No more playing around; time to bring out the big guns.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
for unauthorised use of my computing resources.
Unrequested Email $5.00 / email
(additional "do you think I was born yesterday" penalty if the email contains the words "This is not spam.")
Registry Entry in /SOFTWARE/Microsoft/Windows/CurrentVersion/Run $5.00 / month*
Application "Phone Home" Internet Access $0.50 / KB
SPECIAL OFFER THIS MONTH ON DLL REPLACEMENT
DLL Replacement $2.00 / month (** NORMALLY $3.00 **)
The Pro version is available for MS Outlook users, and works wonders.
This isn't a joke, really. Remember the TV exec who said that people who skip commercials are stealing television shows? I wonder if someday someone will effectively argue in the courts that by using a spamblocker, you are "stealing" the Internet. I know, and you know, that this doesn't make sense, but, well, look at DMCA, UCITA, ...
Ahh, but what exactly IS spam? Is it a mass mailing? Is it unauthorized use of server resources (spam and run)? Or is it UCE?
There are legit uses for mass mailings (ie, mailing lists.) Spam and run only works with the clueless who persist in running unsecured mail relays. And UCE is a subjective measure (no matter how good your adaptive filters are), and to restrict the ability to mail based on content is a dangerous step.
The most dangerous spammers today are not the whack-a-mole spammers that keep changing dialups, who relay-rape and advertise sites in Russia and China (whose admins could care less.) The most dangerous spammers are the big commercial outfits who sideline as legit operations, and who carry advertising from the likes of Amazon and AOL and run their own ISP feeds. These guys are hard to kill because they're semi-legit (ie, they tend to carry "legitimate" traffic), even though they're clearly spammers of the worst stripe.
The only way to deal with these guys is to blackhole whole IP blocks. For the whack-a-molers, you blackhole open-relays and known dialups. For everything else, use adaptive filters on the receiving end. If you're a server admin, restrict sending to known clients only, from a restricted list of IPs. I don't think there are a lot of mods you can make to SMTP that haven't been made already to fight spam - maybe standardizing the tarpitting of dictionary attacks (where the spammer tries to ferret out working e-mails by attempting bogus mailing connection attempts.) The tools are there. The key is to make sure everyone uses them.
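The "tarpitting of dictionary attacks" mentioned above is easy to turn into concrete receiving-side logic. The following is an added example, not code from the post or from any mail server: it parses constructed SMTP log lines (the line format, the client addresses and the recipients are all made up for the illustration), counts unknown-recipient (550) rejections per client inside a sliding window, and computes the delay a server would impose on that client's next RCPT command. Function names and thresholds are assumptions, not any MTA's own settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real server): one client probing
# many addresses that do not exist, one client that just mistyped once.
SAMPLE_LOG = """\
2003-05-01T10:00:01 client=203.0.113.7 rcpt=<alice@example.org> status=250
2003-05-01T10:00:02 client=203.0.113.7 rcpt=<bob@example.org> status=550
2003-05-01T10:00:02 client=203.0.113.7 rcpt=<bobby@example.org> status=550
2003-05-01T10:00:03 client=203.0.113.7 rcpt=<bobo@example.org> status=550
2003-05-01T10:00:03 client=203.0.113.7 rcpt=<carl@example.org> status=550
2003-05-01T10:00:04 client=203.0.113.7 rcpt=<carla@example.org> status=550
2003-05-01T10:00:05 client=198.51.100.9 rcpt=<alice@example.org> status=250
2003-05-01T10:00:06 client=198.51.100.9 rcpt=<alcie@example.org> status=550
2003-05-01T10:30:00 client=203.0.113.7 rcpt=<dave@example.org> status=550
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) rcpt=<([^>]*)> status=(\d{3})$")


def parse_log(text):
    """Turn the constructed log format into (timestamp, client, rcpt, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not RCPT records
        ts, client, rcpt, status = m.groups()
        events.append((datetime.fromisoformat(ts), client, rcpt, int(status)))
    return events


def unknown_recipient_counts(events, window=timedelta(minutes=10)):
    """Peak number of 550 rejections per client within any `window`-long span."""
    rejects = defaultdict(list)
    for ts, client, _, status in events:
        if status == 550:
            rejects[client].append(ts)
    peak = {}
    for client, times in rejects.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # slide the window start forward until it fits
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peak[client] = best
    return peak


def tarpit_delay(unknown_count, threshold=3, step_seconds=5, cap_seconds=60):
    """Seconds to stall the client's next RCPT: nothing below the threshold,
    then a growing delay capped so legitimate senders are never locked out."""
    if unknown_count < threshold:
        return 0
    return min(cap_seconds, (unknown_count - threshold + 1) * step_seconds)


def tarpit_plan(text, **kw):
    """Map of client -> delay for every client that crossed the threshold."""
    counts = unknown_recipient_counts(parse_log(text))
    plan = {}
    for client, n in counts.items():
        delay = tarpit_delay(n, **kw)
        if delay > 0:
            plan[client] = delay
    return plan


if __name__ == "__main__":
    print(tarpit_plan(SAMPLE_LOG))
```

The point of the sliding window is that a probing client is identified by the rate of unknown recipients, not by their total, so a host that mistypes one address a day never trips the tarpit while a dictionary run stalls itself within a few commands.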
The problem with email is there is no way to verify that what you are reading really came from BillyBob@foo.com - it could have been forged at any step of the way.
What we need is the idea of a "trusted server":
1) A trusted server only accepts mail from sources it can trust:
1a) Users - users are trusted because their mail is sent via SSL, and signed with a private key the user has (with the mail server having the public key).
1b) Other mail servers: they are trusted because they sign all mail they send with their private key. The public key is available via something like a DNS TXT record for that IP.
2) The message is signed by each mail server it moves through. Thus, at any step, you can verify the mail by checking each level by getting the public key for the sender and computing an MD5 hash. If it doesn't check, then you know:
2a) The message was bogus at that point,
2b) The mail server that accepted it didn't verify the message, so
2c) That mail server can no longer be trusted.
Now, all that does is make sure that that ad for "Viagra for Goats!" originated with Ralsky@spammers.net - of itself it does not solve the problem. However, I can tell my mail server that anything coming through spammers.net is to be rejected out of hand. Also, if some chickboner sends me a spam, I know exactly where it came from and can raise hell with his ISP (and if they don't solve the problem to my satisfaction, they get blocked too.)
This is the problem with blocklists now - you can blocklist the mainsleaze spammers, but the chickboners and the relay rapers will still crapflood you worse than reading at -1.
(note: support for old clients can be supplied either by a proxy program on the client's PC, or by using a RADIUS lookup to verify that the person the mail is purportedly from matches the person authenticated on that IP.)
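The hop-by-hop signing in points 1 and 2 above can be modelled end to end. This is an added example, not the poster's code and not any real mail system: a toy RSA with deliberately tiny fixed primes stands in for the real signature scheme (it is insecure and only there so the block runs without third-party libraries), SHA-256 stands in for the MD5 hash in the post, and a plain dictionary stands in for the "DNS TXT record" that publishes each server's public key. The server names are constructed. Each relay signs the body plus every signature already present, and the verifier walks the chain and names both the hop whose signature fails and the hop that accepted mail from it, which is the post's 2a-2c.

```python
import hashlib
from math import gcd

# --- Toy RSA: stand-in for a real signature scheme; the moduli are far too small to be secure ---
def make_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:  # keep e coprime to phi whatever primes were chosen
        e += 2
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def digest_int(data, n):
    # SHA-256 instead of the post's MD5; reduced mod n because the toy modulus is small
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(digest_int(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


# Constructed key directory: DNS_TXT plays the role of the public-key TXT record,
# SERVER_KEYS is what each server keeps private. Names are hypothetical.
DNS_TXT, SERVER_KEYS = {}, {}
for _name, (_p, _q) in {"mx.alpha.example": (1000000007, 998244353),
                        "relay.beta.example": (1000000009, 999999937),
                        "mx.gamma.example": (1000000021, 999999929)}.items():
    _pub, _priv = make_keypair(_p, _q)
    DNS_TXT[_name] = _pub
    SERVER_KEYS[_name] = _priv


def _signed_data(body, hops):
    """What a hop signs: the body plus every earlier (server, signature) pair."""
    return body + b"\n" + b"\n".join(f"{h}:{s}".encode() for h, s in hops)


def hop_sign(server, body, hops):
    """A server accepting the message appends its own signature to the chain."""
    return hops + [(server, sign(SERVER_KEYS[server], _signed_data(body, hops)))]


def verify_chain(body, hops, dns=DNS_TXT):
    """Return (ok, blamed). On the first bad hop, blame that server (2a) and the
    next server, which accepted the message without verifying it (2b, 2c)."""
    for i, (server, sig) in enumerate(hops):
        pub = dns.get(server)
        if pub is None or not verify(pub, _signed_data(body, hops[:i]), sig):
            blamed = [server]
            if i + 1 < len(hops):
                blamed.append(hops[i + 1][0])
            return False, blamed
    return True, []


def demo():
    body = b"Subject: hello\n\nconstructed message body"
    hops = hop_sign("mx.alpha.example", body, [])
    hops = hop_sign("relay.beta.example", body, hops)
    hops = hop_sign("mx.gamma.example", body, hops)
    return {
        "intact": verify_chain(body, hops),
        "tampered_body": verify_chain(body + b"!", hops),
        "forged_origin": verify_chain(body, [("mx.alpha.example", 12345)] + hops[1:]),
        "unknown_server": verify_chain(body, [("mx.nowhere.example", 1)] + hops),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Note what this does and does not buy, exactly as the post says: a tampered body or a forged origin is caught at the earliest hop that signed it, and the blame lands on a named server that can then be blocklisted, but a spammer who signs honestly from his own domain still gets through until that domain is rejected by policy.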
www.eFax.com are spammers
" Which approach do you think produces the better results?
I happen to think the best approach is a balance somewhere in the middle, but as business practices seem to get more and more invasive, I find myself leaning closer to the European approach, even though I'm normally quite wary of regulation."
--
Even the left wing are getting scared because of unfair business practices. The real answer is in re-writing the Email protocol. It is simply too lax on security and too simple to accommodate today's needs and provide the level of 'security' people want with the Internet.
I propose that a working group be formed to incorporate the same type of Authentication we know works with email - and piggyback that authentication on an open platform like RFC 822's Email Protocol until it can be implemented as a required medium.
Any interested contributors to this working group should email us at inquiries@solidblue.biz. SolidBlue is a leader in networked communications and protocol development.
--Ace905
Ace
This guy is pretty smart and has a good grasp on things.
..."as business practices seem to get more and more invasive, I find myself leaning closer to the European approach, even though I'm normally quite wary of regulation. "
here are some gems.
"In the United States, one of the most important criteria used to evaluate any proposed restriction on the collection and use of personal information by businesses is the effect that it will have on industry. In Europe that's at most secondary to the individual and societal rights that are affected. "
How about grading the legislators as well? [he had said earlier that the courts do a good job of learning about technology when interpreting laws that govern its use]
"Unfortunately, I don't think that many legislatures have been anywhere near as scrupulous in learning about technology before trying to make laws to govern it. Take a look at all of the different state spam laws to see what I mean. Only one state has a law that is anywhere near consistent with the practices commonly followed on the Internet--Delaware, where it is a crime to send unsolicited bulk commercial e-mail. The other state spam laws don't focus on the central technical problem with spam, but instead deal with the symptoms, like forging message headers or failing to honor opt-out requests, or with completely different issues, like pornography and other content-related issues. "
What about deep linking?
"What about it? I guess I don't understand why everyone is so concerned about it. It's an inherent part of the Web, in the same way that nouns and verbs are essential parts of speech. If you don't want people linking to or accessing certain content on your Web site, you can implement whatever rules you want to in the design or configuration of your site. But if you put content in a public place with its own published address, it's pointless to pretend that the address is a secret, and you shouldn't expect the legal system to enforce that ridiculous notion. "
"I don't think that the Internet really needs much law--it's really just a question of figuring out how best to apply more general laws to the online environment. "
I'm glad to see a lawyer on our side for a change. Makes me want to move to Europe though.
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
Sorkin: Of course it doesn't make sense to regulate a relatively borderless environment with laws that vary according to geography.
The internet has borders and vulnerable spots - they're called ISPs. A federal law fining open relays would be a good start. ISPs can attach the fine, and even a profit attached to it, onto their TOS when they or the government catch Joe DSL or Generic Company T1 with an open relay. The ISPs would have more of an incentive to attack the problem of open relays. Fining the ISP per email sent by a registered user running their own SMTP engine or the ISP's mail server would take care of those paying for one month's service to send out gigabytes of mail.
A simple 'ADV' in the subject line for filters to find would take care of the first amendment issue. Advertising is not protected speech; it's been ruled again and again that it can be legally limited.
That would more or less take care of American spam. The anti-legislation crowd can cry 'but they will go overseas' all day long, but certainly cannot prove that they will ALL go overseas. Not to mention if this works, other internet heavy countries might take notice and try the same thing. Less spam is better than more spam, especially now that dummy-proof spam software and mailing lists can freely be downloaded via kazaa.
The downside is that your ISP would need your credit card info if you were to get an email account with them in case they do get fined, but chances are they have that information already and is it such a terrible price to pay for spam free mail?
Imagine ISPs encouraging stronger passwords, email limits (500 emails a month - want more, then ask and tell why), shutting down open relays, and blocking port 25 to customers not authorized to run a mail server. Horrible, I know.
John Marshall is basically well known for two things: Trial Advocacy and Computer Law. I think they have one of the first programs dedicated to computers and the law in the country. They have a computer law journal and recently hosted the American Bar Association's first conference on computer crime. They also host the American Bar Association Mock Trial Competition every year.
It's really a relatively small school without the cutthroat competition of places like Harvard or Stanford. On the one hand, this means you'll have a better chance to pick apart the law. On the other hand, it doesn't have the Harvard or Stanford name.
I'm not a lawyer (ironically) and so I don't know what John Marshall's reputation is in the legal world. The ABA seems to like it.
Hope this helps.
I'll bet if we called them terrorists things would get a lot easier. ;-)
I might be a little off the subject, but I think the issue is less the fact that you get spammed, and more the fact that your email address is sold over and over and over again, just because you were dumb enough to fill it out on your credit card application. Even if you signed up for an internet site and didn't check any "spam me" boxes they can still sell your contact info to other businesses. Just read the fine print on their sites.
An Actual Privacy Policy:
"However, without your consent, we do not make your, or your gift or message recipient's email addresses available to third parties (except for subsidiaries, subcontractors or agents acting on our behalf in compliance with this Privacy Policy) or any Successor (see below) to our business."
Wait... what was that about except for subsidiaries, and who?
The same thing happens with your phone number and your home address.
You get spammed with email, spammed with phone calls, spammed with faxes, and spammed in your mailbox.
I think a better solution to the problem is to make it illegal to sell people's contact information for the purpose of making money.
Not "If you check here" or "If you agree to these terms", not for any reason.
When you give your contact information to a business, you are giving it to them with the trust that they will use that information only to contact you if necessary. I can guarantee you that 0% of the people that sign up for a service are actually glad that their contact information is sold or traded so that they can get phone calls about low home equity loan rates.
At least from a legal perspective it would be easier to enforce. If you determined that a corporation or a business was selling people's contact information, just notify the authorities and have Uncle Sam come down on their ass. If they're actually getting paid for it they can't correctly report it on their taxes, and we know how much the government gets pissed off when they find out you've been hiding money from them.
The extreme alternative is to become so paranoid about your personal information that you won't give it out to anyone for any reason! Imagine buying a house and telling the bank financing your loan that you can't give them your phone number or home address because you know they're going to sell that information to a third party. Either that or you want royalties from them every time they make money from selling your information.
Hey, now we're talking about information ownership, right?
That sounds like intellectual property, kinda like music, right?
That means we can get it covered under the DMCA, right? Right??
Yeah... RIIIGHT.
I think we, the Internet technical community, have to face up to the fact that we fucked up. We committed ourselves to an email system (SMTP) that is extremely vulnerable to abuse and exploitation.
Of course we didn't intend to do this. Microsoft probably didn't intend the scripting "features" of Outlook to be exploited by virii either.
This is a technical problem in need of a technical solution. Laws will have no effect (spammers just move out of the jurisdiction). Smarter spam filters are a good band-aid, but they only mask the problem.
There are plenty of possibilities for building a spam-proof email infrastructure - charging money to receive an email from an unknown sender, forcing senders to perform some expensive action for each recipient, etc. Some of these ideas probably won't work, but some will.
The biggest problem will be encouraging widespread adoption of the best solution. It can't just be geeks in the open-source community; we really need the likes of Microsoft, Apple, and co. to push this technology to the masses. (cf the failed adoption of email encryption)
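One of the "expensive action for each recipient" schemes the post alludes to is a proof-of-work stamp: the sender burns CPU finding a counter whose hash has a required number of leading zero bits, and the recipient checks it with a single hash. The following is an added example, not the poster's code and not any deployed standard: the stamp format, field names and difficulty are assumptions chosen for illustration, and the addresses are constructed. It also shows the two checks a receiver needs beyond the hash itself, that the stamp was minted for this recipient and that it has not been presented before.

```python
import hashlib
import itertools


def _leading_zero_bits(data):
    """Number of leading zero bits in sha256(data)."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return 256 - h.bit_length()


def mint_stamp(sender, recipient, bits=12, date="20030501"):
    """Sender side: search counters until the stamp hash has `bits` leading zeros.
    Expected cost is about 2**bits hash evaluations, paid once per recipient."""
    for counter in itertools.count():
        stamp = f"1:{bits}:{date}:{recipient}:{sender}:{counter}"
        if _leading_zero_bits(stamp.encode()) >= bits:
            return stamp


def check_stamp(stamp, recipient, seen, min_bits=12):
    """Receiver side: one hash plus two bookkeeping checks.
    `seen` is the receiver's store of already-accepted stamps (replay defence)."""
    try:
        version, bits, _date, rcpt, _sender, _counter = stamp.split(":")
        bits = int(bits)
    except ValueError:
        return False  # malformed stamp
    if version != "1" or bits < min_bits or rcpt != recipient:
        return False  # too cheap, or minted for someone else
    if _leading_zero_bits(stamp.encode()) < bits:
        return False  # the claimed work was not done
    if stamp in seen:
        return False  # the same stamp cannot be spent twice
    seen.add(stamp)
    return True


def cost_asymmetry(sender, recipient, bits=12):
    """How many hashes the sender spent versus the one the receiver spends."""
    stamp = mint_stamp(sender, recipient, bits)
    sender_hashes = int(stamp.rsplit(":", 1)[1]) + 1
    return sender_hashes, 1


if __name__ == "__main__":
    seen = set()
    s = mint_stamp("friend@example.net", "me@example.org")
    print(s, check_stamp(s, "me@example.org", seen), check_stamp(s, "me@example.org", seen))
    print(cost_asymmetry("bulk@example.net", "me@example.org"))
```

The asymmetry is the whole point: a correspondent who sends a few messages never notices a few thousand hashes, while a bulk mailer must pay that cost again for every address on the list, which is exactly the economics the post says SMTP currently lacks.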
People who skip commercials *are* stealing tv shows. How do you think that stuff get's (sic) paid for?
In the U.S., television broadcasters are allocated radio spectrum (TV channels) essentially without payment (except for certain regulatory fees), because they are presumed to be providing a public service in return.
When the broadcasters pay market rates for the radio spectra (as wireless telephone providers have in recent years in the U.S.), and when they contract with viewers to provide services in exchange for viewing commercials, perhaps they can argue that not watching some portion of their signal is theft.
Until then, they use their spectra public trust, and without any contract with their viewers.
Or shall I argue that since you've read this far, you're obligated to read my sig?