Lessig Wagers His Job On Anti-Spam Theory

kien writes "Lawrence Lessig is betting his position at Stanford on his anti-spam legislative recommendations. From his blog:'First the analysis: Philip Jacob has a great piece about spam and RBLs. The essay not only identifies the many problems with RBLs, but it nicely maps a mix of strategies that could be considered in their place. But, alas, missing from the list is one I've pushed: A law requiring simple labeling, and a bounty for anyone who tracks down spammers violating the law. Here goes: So (a) if a law like the one I propose is passed on a national level, and (b) it does not substantially reduce the level of spam, then (c) I will resign my job. I get to decide whether (a) is true; Declan can decide whether (b) is true. If (a) and (b) are both true, then I'll do (c) at the end of the following academic year.' The Declan referred to in point (b) is Declan McCullagh." Update: 01/07 02:45 GMT by T : Speaking of whom, here is Declan's acceptance of Larry's bet.

First problem with this solution:

[swordboy]

Lawrence Lessig is betting his position at Stanford on his anti-spam legislative recommendations.

Umm...

You *don't* need LEGISLATION to fix this problem (isn't that what technology is for?). Fix the technology (or lack thereof), and you've fixed the problem. There are several very good ideas floating around out there that don't require an office of homeland spam in the whitehouse.

Stupid lawyers...

Re:First problem with this solution:

Name one technological measure which has a zero false-positive rate, a low false-negative rate, and a snowball's chance in hell of being adopted. The problem should address spam at the server side, since it's already wasting space by the time it's allowed onto a client machine.

Re:First problem with this solution:

[Mike+the+Mac+Geek]

Yes, but the laws give it teeth. Software can cut spam, but more will come, in a never ending cycle. If we make it financially hurt people to send out pure spam, then we don't need to have software that could possible filter out vald mail at a prohibitive cost.

Re:First problem with this solution:

[Guppy06]

"There are several very good ideas floating around out there that don't require an office of homeland spam in the whitehouse."

What amazing reflexes you have in your knee-jerk reactions. You could have a future in television news. Just because there is a federal law passed on something doesn't mean there will have to be federal enforcement of that law.

Consider federal anti-junk-fax laws. If you get an unsolicited advertisement on your fax machine, the sender owes you $500, collectable through your local small claims court/justice of the peace/etc (if need be). Essentially, all this law does is explicitly spell out the rights of the owner of the receiving equipment and make it easier for the recipient to claim damages without having to carefully explain how junk faxing is essentially trespassing each and every time.

The FCC doesn't enforce this law. The FBI doesn't enforce this law. You enforce this law.

I personally think the idea of expanding the existing junk fax law to include spam would be easier to enact (add three or four words to existing law) and easier to enforce (track down spammers for a guranteed $500 instead of just a chance at $10,000), but I'm obviously biased.

Now calm down before you shatter your kneecap.

Re:First problem with this solution:

[swordboy]

Consider federal anti-junk-fax laws. If you get an unsolicited advertisement on your fax machine, the sender owes you $500.

If long distance faxing did not cost anything to the sender, then we'd all be getting spam via fax from China. US laws mean nothing to spammers.

Hell, there is nary a US provider that will carry a major spammer. How is a law going to fix that?

Re:First problem with this solution:

[sfe_software]

Name one technological measure which has a zero false-positive rate

Bayessian Classification

a low false-negative rate

Bayessian Classification

and a snowball's chance in hell of being adopted.

Mozilla has (very preliminary) Bayessian classification. So far, that part works great - not a single false-positive in weeks of use (I've been using it since 1.3a was released), and once they add the ability to auto-mark-as-read and move/delete SPAM, I'm all set.

The problem should address spam at the server side, since it's already wasting space by the time it's allowed onto a client machine.

I'm not sure if you are referring to the origin server, or the receiving server (in which case it has already wasted space/bandwidth), but the receiving server could easily implement Bayessian filtering as well. It would take some work on the part of the clients to make it work (or perhaps simply forward junk mail to a local address that classifies it as SPAM?)...

I personally am okay with doing this in the client, as long as the Mozilla team continues to improve this feature. Currently I'm still interrupted and must mark the messages as "read", but eventually I won't have to ever see SPAM.

I'm normally not all that fanatic about software or software-ideas, but Bayessian filtering just plain works. If some implementation were to add common word-groups instead of just word occurrances, it might even be more rock-solid, but even as it stands in Mozilla's implementation, it has serious promise.

Implemented as a Perl script on the server-side, one could easily eliminate the problem all together for each user (since everyone has a different idea of what constitutes SPAM).

A classic example of this: Yahoo mail uses a more global approach to SPAM classification (BrightMail I believe). Unfortunately the RedHat Eratta mails fall into the Junk folder, since apparently many Yahoo users consider it SPAM. Similarly, I still get "notification@mailsweeps.com" SPAM in my inbox, no matter how many times I report it as SPAM.

This is where Bayessian filtering, which works on individual users, solves the problem.

Anyway, if it isn't obvious, I'm all for using technology to solve the problem, especially now that a very promising technology is currently available. Legislation won't help, unless it's globally enforced, and even then it still won't help much. Bayessian lets the user define what he or she considers SPAM, which will vary from user to user, making it the most logical approach IMO.

Re:First problem with this solution:

[Mr+Bill]

If a SPAM doesn't appear in my inbox, was it ever sent?

By the time the SPAM gets filtered by your mail reader it has already done lots of damage. SPAM costs ISPs money in time, bandwidth, and storage space. Where do you think that extra cost is heading. Right back to the end user.

There are many solutions out there that can limit the amount of SPAM that appears in your inbox (like bayessian filters), but that isn't enough to stop the SPAM problem. It just puts a band-aid over it...

Re:First problem with this solution:

[SpaceLifeForm]

It is a band-aid if few people use it.
However, if enough people (and ISPs) use it, then the effectiveness of spam will be reduced, possibly to the point that many of the spammers give up. It's too soon to dismiss a possible solution.

Re:First problem with this solution:

[Mr+Bill]

Do you think that the .002% of the morons that actually click through on these SPAMs are actually going to setup and maintain a filter? You have a higher regard for their intelligence than I do...

The uptake of SPAM is so incredibly small, and yet it is still profitable for these pricks. End user implemented solutions will only help reduce the annoyance of SPAM for that user, but I don't believe it will ever eliminate SPAM.

No spammer has ever made any money by spamming me yet, so do you think they will make less money if I filter their emails and never look at them?

Re:First problem with this solution:

[ergo98]

I had a long winded reply regarding false positives and what they represent to even the best filtration (i.e. what happens when your filter is attuned to emails between you and your buddies, and suddenly a proposal comes in from an employer, or a partner, or a customer? This single lost email could be incredibly damaging) when I noticed this page that says it eloquently and thoroughly.

Since sentiment, but...

[Chester+K]

While I appreciate Lessig's intentions here, it usually takes a bit more than a wager to get Congress to pass a law. Perhaps if he backed it up with some cash, Capitol Hill might pay attention.

He's no fool... international?

[angst_ridden_hipster]

Because he knows that the legislation won't pass.

But if it *did*, he'd be majorly screwed, since a large percentage of the spam I receive, for example, comes from regions outside of the jurisdiction of U.S. National Legislation.

The spammers who are U.S.-based would merely move offshore. (Just think of the headlines -- evil legislation driving away lucrative American internet jobs ... joke, joke).

Re:He's no fool... international?

[JoeBuck]

Even today, a large fraction spam that appears to come from China, that arrives in Americans' email boxes, really comes from the US. It's US spammers bouncing it off of open relays in China.

Under Lessig's bill these US spammers can still be prosecuted.

Re:He's no fool... international?

[smallpaul]

The spammers who are U.S.-based would merely move offshore.

It isn't the person pulling the trigger on the spam that matters. It is the business sponsoring it. For most of these marginally profitable businesses, (penis extenders?) it would be easier to do something else rather than move offshore. Plus, the money has to get from US consumers to the people offshore. There may be legislative ways to make this difficult.

NATIONAL law will stop third-world spammers?

[BigBlockMopar]

You *don't* need LEGISLATION to fix this problem (isn't that what technology is for?).

Especially since the legislation will do nothing.

Here goes: So (a) if a law like the one I propose is passed on a national level, and (b) it does not substantially reduce the level of spam, then (c) I will resign my job.

The problem is it's being addressed on a national level. That won't stop the African scam artists "whose money is tied up" - hopefully their oppressors will beat them in the face with a rusty camshaft - or the Chinese wishes of good fortune and prosperity that I was continually getting from some shitty company selling latex products until I finally decided to blackhole China from my mailserver.

This might keep the Florida 21-year-old unwed mother of 6 children from spamming me from her dial-up ISP of the week. But the funny thing about national laws is that they don't apply outside the nation...

Do Bounties Actually Work

[CptnKirk]

Did bounties do anything to curb crime in the Wild West? Significantly? Plus way back then people only cared if the bounty was high. $100, $500, $1000 was a boatload of money back then. Heck if I could make that much now per message I'd be happy. But it won't happen.

We already have $50 per message laws on the books (at least in CA) and with the exception of a hand full of publicized cases, there has been little uptake.

In a world where one should be able to retire off the earnings of a family AOL account, it's a wonder existing laws aren't enough. It's simply too much work for too little return. It's too time consuming to plow through the forged headers, sue Yahoo for account information for user 123jlk213lkj and then still get nowhere.

If there was a tough national anti-spam law I'd support it. But for the love of God, give it teeth. Include a sliding scale for infractions ($500 for first, $5000 second, $50000 third). Include jail time for forged headers, and force persons operating under the "business relationship" clause to offer proof of such relationship in the message (at least a link one can follow to verify the relationship as well as request that the relationship be terminated). Require that the transfer of such a relationship be opt-in.

If this type of bounty system was put into place, the war on spam may actually be effective. Otherwise, good luck.

Sting the bastards into oblivion

[Black+Copter+Control]

Some time ago I found that spammers had managed to hijack the Windows proxy set up by one company that I worked for. When I found it, they were essentially using the full 1.5Megabit pipe to pump spam into the universe. Given that they were hijacking the computers for financial benefit, this was clearly illegal -- both in Canada (where I live) and in the US (where they were doing most of their business).

This leaves me thinking: shouldn't it be possible to use the ham-fisted anti-hacking laws against these bastares??? Not for spamming, but for hijacking peoples' computers to do the spamming with. I'd love to treat these bastards to 6-10 behind bars. Far better than a $100K fine that would be little more than a locense fee.

I tried to get an agreement with the company for the right to sue on their behalf in return for me helping to lock down their systems... They didn't go for it. My alternative approach is that I'd like to set up a similar system, wait for them to hack into it, and then do a hunt for the bastards running the scam. Any holes in this plan? (other than the probable difficulty in properly trackingg these people down?)

Re:Rubbish

[PMuse]

Listen to him complain about collateral damage - collateral damage is the point of blackhole lists! Damaging a rogue ISP's users is the solution, not the problem. If we didnt' punish these ignorant subscribers they would continue supporting spammers. . . . Rogue ISPs have proven that they will not act against spammers until they are financially threatened, and the only way to do that is to damage their user base to the point that they start losing subscribers. Collateral damage IS the point of blacklists - otherwise they're useless.

How is the collateral damage caused by blacklisting any better than what the RIAA proposed to do under Berman-Coble? If we're the good guys, we have to do it right.

We condemn the government when it punishes innocent people because of whom they associate with. We condemn our neighbors when they deride people solely because of where they live or shop. We do not punish the innocent for the actions of the guilty just because the innocent are easier to find and hurt.

Collateral damage is a poor justification for blacklists. Do we evict tenants who rent from slum-lords because the slum-lords are slum-lords? Do we burn down the apartments and cast the tenants out on the street hoping they'll exercise better judgment in choosing a landlord next time?

Of course not. We write laws guaranting tenants rights and do our darndest to see them enforced as often as possible. Spamming ISPs should be required to behave or face a the usual penalty -- fines or jail. If the fines are too low, raise them. If the (net)cops are too slow, set a bounty for private enforcement. Are there no geeks who will turn bounty hunter? I'll bet some of those who maintain blacklists would be just as happy with the business model of suing spammers for $500 /message. Collateral damage is NOT the only way to "financially threaten" spammers. If we can find a way to bomb them out of business and not explode so many civilians, isn't that a good thing?

I'm surprised!

[Helpadingoatemybaby]

That there's so much negative reaction to this. The posts fall into two categories:

1) The internet is international, so you can't have a US law.

2) A technological fix will fix everything.

These are silly arguments and here's why:

1) The US contains a large quantity of pc's and internet connections (if not most internet connections anymore). A law in the US alone will reduce the flow of spam massively, as these 300 million people use the internet disproportionately. Remember: he's just betting on reducing the flow, no eliminating it.

2) The second argument is a false dichotomy -- you can have both a law and a technological fix. There's no harm in having both, as often neither is a comprehensive solution. Why so negative?

Re:Rubbish

[Guppy06]

"Listen to him complain about collateral damage - collateral damage is the point of blackhole lists!"

And this is a good thing?

Let me modify a few of the nouns in your rant and see if you still agree with it.

Killing US citizens is the solution, not the problem. If we didn't punish these ignorant civilians they would continue supporting Israel. Every citizen of an Israel-friendly country is voting with their silence - for persecution. The US government has proven that they will not act against Israel until they are threatened, and the only way to do that is to kill civillians to the point that they start losing votes. Collateral damage IS the point of terrorism - otherwise its useless.

The ends do not justify the means. Innocent until proven guilty unless spam is involved? No thanks.

(Do I think RBLs are a form of terrorism? No. But I do not accept the idea that collateral damage is OK.)

Bayes can create your own whitelist and RBL

[yerricde]

To add to the problem, you can't really make an effective commercial email without mentioning your product and where to get it.

Unless the spammer makes an HTML e-mail and puts the entire ad spiel in a PNG image.

You can't sell me a mortgage without mentioning mortgages in some way

You can't discuss your mortgage with your banker without mentioning mortgages in some way.

You can't ask me to help get your mail out of Nigeria without mentioning Nigeria

Your middle-school daughter can't ask you for help on a geography report on Nigeria without mentioning Nigeria.

I agree that an e-mail classification system can reduce false positives by including headers in the formula. In fact, applying Bayesian classification to specific header lines emulates the already-known spam blocking techniques, possibly with weaker drawbacks. For instance, Bayes on From: and Reply-To: creates a personal whitelist. Bayes on Received: creates a personal RBL.