Article7 April 2004

Can the law can spam?
Legislation is a blunt instrument with which to beat junk email.

by Sandy Starr

Spam - unsolicited bulk email - is the subject of ever-increasing concern and ever more aggressive debate. For many of us, it is a perpetual irritation.

Levels of spam continue to rise, and the spam itself has become more pernicious. We are all familiar with the '419' spam emails that tend to originate from West Africa, begging for money in return for a promised future fee (named after section 419 of the Nigerian criminal code, which prohibits advance fee fraud). There has also been a recent spate of 'phishing', where spammers pose as official organisations such as banks, and use a combination of bogus emails and bogus websites to try to defraud us. Some spam, containing HTML/images, adds to contemporary privacy woes by allowing spammers to track our internet use (1).

In recent years there has also been an increase in viruses transmitted via spam email, causing serious expense and inconvenience. Of particular concern are the self-replicating viruses known as 'worms', and 'Trojan horse' programmes, which infiltrate computers (particularly those with high-speed, always-on internet connections) to turn them into 'zombies' - that is, cause them to send spam email, or carry out other commands, without the computer owner's knowledge (2).

Spam's absorption into popular culture indicates that it has become a fact of life. Spam has inspired an album of songs (Outside the Inbox), a New York exhibition (Reimagining the Ordovician Gothic: Fossils From the Golden Age of Spam), and an ongoing series of poems (composed by blogger Kristin Thomas). Spammers even have their own support group (3).

Not many are sympathetic to their cause, however. San Francisco computer programmer Charles Booher was recently arrested after having a fit of 'spam rage', where he threatened to maim and send anthrax spores to those whom he suspected of emailing him offers of penis enlargement (4).

But while many of us feel strongly about spam, the battle lines in the spam wars have become confused. Anti-spam products and services are themselves now promoted with spam. One commentator complains that 'I'm now getting more than 10 times as many messages about the spam menace as spam messages' (5). When it comes to spam, it's not always easy to know who the good guys are.

To add to the confusion, some have argued that the automatic replies generated by spam filters and by 'challenge-response' systems, where senders of email are asked to prove their good faith by responding to a question, should themselves be classified as spam. Certainly, a possible scenario where one email user's challenge-response system issues an email to another user with a challenge-response system, and that second system then issues an email back to the first user, ad infinitum, is far from ideal.

The truth is, some of the spammers' opponents have reason to hope that spamming continues. Companies selling anti-spam products and services are thought to be making far more money at the moment than spammers are. And spam is doing a fine job of driving demand for secure content management (SCM) products - it is estimated that the SCM software market, a significant proportion of which will consist of anti-spam products, will be worth $6.4billion by 2007 (6).

If both spammers and their opponents in the marketplace have an interest in seeing spam continue to proliferate, what happens to policy and legislation? Over the past year a number of anti-spam laws have been implemented around the world, most notably the USA's Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003. This law has been dubbed the 'You Can Spam' Act, by critics who argue that it does more to legalise spam than to criminalise it (7).

Elsewhere, European Commission (EC) member states are one-by-one implementing a Directive on Privacy and Electronic Communications, which incorporates restrictions on spam. The EC is threatening those states that have been slow to implement the Directive with legal action. Australia has also passed stringent anti-spam laws, China is taking increasingly tough action against spam, while under Italian law spammers now face three-year jail sentences (8).

But this barrage of legislation has proved contentious, often causing more of a headache for law-abiders than for spammers. Those who wish to abide by the letter, or even just the spirit, of recent anti-spam laws have to contend with a bewildering array of terms and requirements, whose meaning is often ambiguous and disputed. As Observer technology columnist John Naughton remarks, 'methinks m'learned friends are going to have a field day' (9).

Businesses using email for promotional purposes now face a stark choice between implementing cumbersome procedures in an attempt to satisfy the law, or paying lip service to the law while effectively ignoring it. Many are pursuing the latter strategy, breeding widespread cynicism about the new anti-spam laws, that will persist until the authorities stop merely going after the obvious spammers, and an arbitrary test case makes a martyr of a lesser transgressor.

Meanwhile, spam continues to irritate us regardless of the new laws. And businesses on the receiving end of spam worry not just about lost productivity and threats to security, but about liability for the distress that pornographic spam causes to employees (10).

In short, it seems to be impossible to implement an anti-spam law without making a hash of it. Whenever a new law is announced, the anti-spam lobby tends to find the same faults with it. At best, the new law is criticised for being toothless, because the penalties imposed upon spammers are insufficient to provide them with a disincentive, and/or because the authorities lack a framework for effectively processing complaints. At worst, the new law is criticised for exacerbating the problem with narrow definitions, because by defining whatever spam is illegal, the law implicitly legitimises whatever spam is not illegal (11).

There are reasons why these flaws recur. For one thing, legislation only applies within a limited jurisdiction, and spammers are free to pursue their activities from any jurisdiction they choose - and can even spam at a distance, for instance through a zombie machine.

This is not a new problem, and it is not unique to spam. The legal theorist Lawrence Lessig has explored the troubled relationship between the internet, which he describes as an environment where people are in effect 'routinely living in multiple non-coordinating jurisdictions', and national sovereignty: 'A political judgement needs to be made about the kind of freedom that will be built into the net. Our problem is imagining how that decision could be made.' (12)

It remains to be seen 'how that decision could be made', when it comes to the effective regulation of a global communications tool such as email, and what the consequences of such a far-ranging decision might be. The United Nations has been looking into this question, but has yet to reach a conclusion; it is highly debatable whether greater UN involvement in the regulation and administration of the internet would be an improvement on the existing confusion (13).

Nevertheless, until a regulatory decision of such international scope is made, then legislation will be at best a quixotic tool for suppressing spam. Proponents of anti-spam legislation seem to be aware of this fact, and hope that their laws, although impractical, will perform a useful service by sending out an anti-spam message. Actually, the opposite is the case - such laws merely send out the message that the authorities are unwilling to grapple with the true dimensions of the spam problem.

Another flaw of anti-spam legislation is that the key components of any definition of spam - the categories 'unsolicited', 'bulk' and 'commercial' - do not lend themselves to universal definition in law (see Spam: put a lid on it, by Sandy Starr). What people understand by these three categories, as applied to the sending and receiving of email, differs widely in different circumstances. The most vocal anti-spam campaigners are presumptuous to think that their pet definitions of these categories equate to commonsense definitions shared by all at all times.

Those seeking to restrict or outlaw spam have attempted to characterise this argument that definitions of spam cannot be absolute as a disingenuous tactic by spammers seeking to wrongfoot critics and confuse legislators. 'The spam issue is not about content, it's solely about delivery method' is the riposte of one of the most prominent anti-spam organisations, the Spamhaus Project (14).

But regardless of the content of an email or the method used to deliver it, the fact is that the same email can have different value in the eyes of different people. What the Spamhaus Project is effectively saying, by trying to shift the focus back from content to delivery methods, is that the moral taint it attaches to particular delivery methods (with good reason, given the enormous burden that bulk email imposes upon technological systems) ought to override the dispositions and desires of individual email users. But while the Spamhaus Project does a lot of useful work tackling spam, nobody gave it the authority to decide on our behalf what email we want to read.

One useful resource provided by the Spamhaus Project is its register of known spam operations, according to which a mere 200 known spamming operations are responsible for 90 per cent of the spam received in North America and Europe (15). The people behind these 200 operations are the people whose latitude to spam us really needs to be curbed, if the spam problem is ever to be substantially ameliorated. And yet these are also the people whose evasiveness and unscrupulousness makes them the least likely to be affected by a geographically bounded anti-spam law.

Not only is anti-spam legislation a hopelessly blunt instrument for dealing with the world's worst spammers - it is also potentially a very sharp instrument if any of the rest of us happen to stumble on it. There is an inevitable degree of instinct and informality in the way people receive and send email, in both their private and professional lives, which cannot be captured by laws whose application is expected to be specific and practical. If one were to follow the logic of current anti-spam legislation to its conclusion, we would all be forced to restrict ourselves to emailing each other on a one-to-one basis, and to reorganise all of our email communication according to formal codes of consent.

If such a scenario were to transpire, the spammers really would have won - by leading us to transform email into an environment underpinned exclusively by commercial considerations, where we relate to one another instrumentally, rather than an environment where there is informal communication and collaboration and where unexpected connections occur.

Trying to clamp down upon spammers with ever-more pedantic legislation could penalise email users while having a negligible effect on spam. If legislation consistently fails to meet the expectations of those seeking to suppress spam, then perhaps those expectations are being invested in the wrong thing. Maybe they should be invested in technology instead.

Attempts to devise a technological solution to spam are ongoing, and admittedly difficult. It is by no means certain that 'two years from now, spam will be solved', as Microsoft chairman Bill Gates confidently told the World Economic Forum in January 2004 (16). And some technological solutions to spam, not least Microsoft's, are as problematic as the legal solutions. But at least technology allows for solutions to spam that accommodate, and even enhance, our individual email preferences - rather than ironing these preferences out and making us all tread cautiously when we use email, as wrongheaded law threatens to do.

Sandy Starr has consulted and written on internet regulation for the Organisation for Security and Cooperation in Europe, and for the European Commission research project RightsWatch. He is a contributor to Spreading the Word on the Internet: Sixteen Answers to Four Questions, Organisation for Security and Cooperation in Europe, 2003 (download this book (.pdf 576 KB)); From Quill to Cursor: Freedom of the Media in the Digital Era, Organisation for Security and Cooperation in Europe, 2003 (download this book (.pdf 399 KB)); and The Internet: Brave New World?, Hodder Murray, 2002 (buy this book from Amazon (UK) or Amazon (USA)).

(1) See the 419 Coalition website; the definition of phishing, on the website; Embedded HTML 'bugs' pose potential security risk, Heather Harreld, InfoWorld, 5 December 2000

(2) See the definitions of a worm, a Trojan horse programme, and a zombie, on the website

(3) See Outside the Inbox, on the Brad Sucks website; Reimagining the Ordovician Gothic: Fossils From the Golden Age of Spam, on the Tank website; the Spam poetry section of the website; the Bulk Club website

(4) See Male enlargement ads prompt spam rage, Reuters, 24 November 2003

(5) Second sight, Dave Birch, Guardian, 13 November 2003

(6) See Anti-spam companies raking it in, Amit Asaravala, Wired News, 9 September 2003; Anti-spam products to drive the secure content management software market to $6.4billion by 2007, according to IDC, IDC, 6 August 2003

(7) See the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 (.pdf 74.0 KB), United States Congress, 16 December 2003; United States set to legalise spamming on 1 January 2004, Spamhaus Project, 22 November 2003; United States heads towards legalisation of spam, Spamhaus Project, 24 May 2003

(8) See Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive On Privacy And Electronic Communications) (.pdf 161 KB); EC: implement e-privacy directive - or else, Jan Libbenga, Register, 2 April 2004; Act about Spam, and for Related Purposes (Spam Act 2003) (.rtf 791 KB), Parliament of Australia, 12 December 2003; Act to Deal with Consequential Matters Relating to the Enactment of the Spam Act 2003, and for Related Purposes (Spam (Consequential Amendments) Act 2003) (.rtf 715 KB), Parliament of Australia, 12 December 2003; China threatens to block junk emailers, Zen Lee, CNET, 20 February 2004; Italian spammers face jail, BBC News, 4 September 2003

(9) Expect to keep hitting that delete button, John Naughton, Observer, 14 December 2003

(10) Sexual spam could spark lawsuits, Mark Ward, BBC News, 3 December 2003

(11) See, for example, Anti-spam laws 'lack bite', Jo Twist, BBC News, 23 September 2003; Spam keeps cookin' - despite new laws, Declan McCullagh, CNET, 17 February 2004

(12) Code and Other Laws of Cyberspace, Lawrence Lessig, Basic Books, 1999, p94, 203 (buy this book from Amazon (UK) or Amazon (USA))

(13) See Spam gets its claws in the UN, Michelle Delio, Wired News, 27 March 2004; Who should govern the net?, Declan McCullagh, CNET, 26 March 2004; Developing IT, by James Woudhuysen

(14) The spam definition and legalisation game, Spamhaus Project, 14 May 2003

(15) See Register of known spam operations, on the Spamhaus Project website

(16) We'll kill spam in two years - Gates, John Leyden, Register, 26 January 2004

Reprinted from :

spiked sections | central | culture | essays | health | life | liberties | politics | risk | science | IT

spiked, Signet House, 49-51 Farringdon Road, London, EC1M 3JP
Email: spiked 2000-2005 All rights reserved.
spiked is not responsible for the content of any third-party websites.