
Consultation On Spam
Rapporteur's Report On a Meeting Convened July 15, 2004

Consultation Objectives

  1. To provide a neutral, open forum for a frank discussion of viewpoints from participating groups with differing points of view.
  2. To allow different groups to explore the basis for each other's positions on consultation topics, identifying points of consensus, points of contention, and points for further analysis.
  3. To begin the project of producing a compendium of papers related to topics under discussion during the consultation that would be disseminated to Members of Congress, their staffs, advocates, experts, technologists and the business community with the goal of educating key decision makers and informing future policy-making.

Core Issues

  1. The Status of Spam
    1. How has spam influenced the efficacy of email as a communication medium?
    2. What are the primary sources of spam?
    3. What challenges does industry face with spam prevention?
    4. What challenges do consumers face with spam prevention?
  2. Enforcement
    1. What actions have been taken at the federal level, and what challenges does government face in enforcement actions?
    2. What initiatives has the private sector undertaken to reduce spam, and how does the private sector interface with government enforcement actions?
    3. How have states responded to constituent complaints, and what challenges do state governments face in enforcement actions?
    4. What level of cooperation exists at the global level, and how does such cooperation intersect with issues related to overall Internet governance?
  3. Emerging technology solutions
    1. How should senders be identified and authenticated?
    2. What's the role of a sender's reputation with respect to the attribution of trust related to senders, and how do senders' reputations inform spam complaint investigation and resolution?
    3. What are the key vulnerabilities of anti-spam solutions, and how can those vulnerabilities be mitigated?
  4. Implications for free expression
    1. To what extent should technology be concerned with mischaracterization of messages as spam?
    2. What are the implications on free speech of ISPs exercising sole discretion to block suspected spam messages?

Introduction

Since the CAN SPAM Act went into effect on January 1, 2004, consumers, advocates, businesses and government have watched closely to determine whether or not the law would have an appreciable impact on the amount of spam coming into email users' mailboxes. At the same time, software developers have sought technological solutions to the problem of spam that would complement or take the place of legal solutions.

On July 15, 2004, the Center for Democracy and Technology convened a consultation to consider the state of the spam issue six months after the law's enactment. The consultation convened consumer advocates, industry representatives, technology developers, and government officials to engage in an off-the-record, candid discussion of the issues related to solving the spam problem. This consultation built upon earlier work undertaken by CDT related to spam including a report, Why Am I Getting All of This Spam, released in early 2003.

The discussion centered on four core issues. First, participants considered the status of the spam issue in general, including the current effect of spam on the efficiency and usefulness of email for business and personal communications, the primary sources of spam and the challenges faced by business and consumers in dealing with spam.

Second, a significant amount of time was devoted to exploring enforcement of the CAN SPAM Act. As both consumer advocates and businesses had expressed the belief that the success of the Act would depend in large part on the extent to which resources were devoted to enforcement, participants reacted to presentations by representatives of federal agencies and state attorney general offices about government actions brought under the statute. In addition, private sector efforts to enforce the act were discussed. Participants acknowledged the importance of global cooperation to address the spam problem and ways in which this cooperation involves issues related to Internet governance.

Emerging from all of these discussions were the implications for free expression of the business, technological and legal solutions under consideration. Participants examined the free speech effects both within the United States and beyond its borders, and discussed concerns about access to email for non-profit organizations and unpopular speech.

Core Issue One: The Status of Spam

Two participating organizations gave presentations to the group. Their presentations focused on the following substantive areas:

Trends In the Incidence of Spam

The bottom line, according to one presenter, is that spammers are doing better than ever, if the amount of spam being distributed is any indication. AOL and MSN are each blocking 2.5 billion messages a day. Brightmail recently indicated that 60% of all email is spam. The roadblocks for spammers that do exist tend to be small and temporary. It appears that as spam prevention techniques are deployed, spammers respond by developing circumvention mechanisms, resulting in an arms race between spammers and industry. One panelist illustrated this dynamic through anecdotal evidence suggesting that spammers have target metrics for each spam campaign, and can at no cost increase the volume of messages until the target is met. For example, if half of a spam campaign is blocked by ISPs, the spammer will simply double the next campaign's volume to compensate for the lost volume.

Another observed trend is that spam is becoming more invasive. For example, many spam messages are designed to distribute malware, such as viruses, worms, spyware, and surreptitious spamware. Phishing is an identity-theft scheme involving sending spam made to appear to originate from legitimate companies, in order to trick the recipient into clicking through to a spammer website where the customer is asked to input identity-related information (e.g. name, social security number, account number, etc.). The incidence of phishing is rising at an alarming rate. Furthermore, spam is now appearing in non-HTML protocols, including instant messaging (IM), and SMS (wireless Internet).

Throughout the Consultation, representatives from the different groups described the sources of spam, including:

Industry Issues Relating to Spam Solutions

The increasing volume of spam and the associated cost pose significant challenges to Internet service providers (ISPs). Given that such a high percentage of email volume is spam, the associated costs for the requisite infrastructure and processing can be staggering (e.g., spam costs were estimated by one panelist at upwards of $1 billion). One of the drawbacks of most current spam solutions is that they fail to address the cost of spam to ISPs. Current solutions (e.g., blacklists, whitelists, and challenge/response mechanisms) chase the tail of spam by dealing with it after it has already been sent and after the expense of spam has already been incurred by ISPs, rather than by blocking it at the source.

According to an industry representative, email marketers and service providers are greatly concerned about the future efficacy of email as a communications medium. In addition to email marketers' widespread concern that they may be in violation of spam statutes, they are also concerned about the high rate at which their legitimate email messages are mischaracterized as spam, and therefore rejected by ISPs and/or filtering software. In short, the email marketing industry is concerned with delivery guarantees for legitimate commercial email.

ISPs are faced with two distinct categories of spam:

According to an email advertiser, if industry can solve the dual problem of identification and authentication, other issues (e.g. protection of legitimate anonymity, improving legitimate marketers' practices to limit the volume and variety of messages, etc.) can be resolved afterwards. Project LUMOS has focused on some of these identification and authentication issues. Separately, industry has already made some progress on developing good practices vis a vis email marketing, such as committing to solely permission-based marketing lists, as well as changing the underlying strategy of email marketing away from acquisition of email subscribers and towards retention of existing subscribers.

Consumer Issues Relating to Spam Prevention

One consumer advocate reported that consumers are generally frustrated with the perceived lack of improvement in the level of spam observed since the passage of the CAN SPAM Act. Consumers thought the law would accomplish more than appears to have been the case. A state law enforcement agent stated that, unlike the CAN SPAM Act, effective spam legislation would include a private right of action for consumers. The CAN SPAM legislation does not include a private right of action, in contrast to some state forms of similar legislation. The existence of a private right of action could shift some of the burden of enforcement from state and federal agencies to the aggrieved consumer, and could also enhance consumers' perception that anti-spam legislation protects them and affords them an opportunity to have their complaints effectively addressed. One counterargument is that the cost of enforcing spam legislation is generally higher than the fines the legislation permits, and that many spammers are judgment proof, meaning that even if a judgment is obtained, no damages are likely to be collected, resulting in a net loss for a consumer who chooses to bring actions under spam laws. As a consequence, a private enforcement scheme may only serve to remove spam enforcement from the agenda of various enforcement authorities, resulting in little or no enforcement overall.

One email service provider representative cited the need for consumer education as one of many anti-spam initiatives. For instance, consumers need to know that if they post their email address on a publicly-available website, spammers will easily obtain it. The representative went on to say that industry should be responsible for consumer education, and that given industry's poor record of performance in this area, this will be a challenge.

In answer to some of the proposed spam solutions, several other issues arise, including the need for identified and authenticated senders and some kind of allowance for anonymous email. Furthermore, end users still want some degree of control over the level of filtering and spam protection afforded them. One consumer advocate noted that some of the proposed spam solutions discussed below do not truly provide the end user with any greater degree of control.

Core Issue Two: Enforcement

Five participating organizations gave presentations dealing with the topic of enforcement. The presentations discussed different perspectives on the following substantive areas:

The Status of Enforcement Among State, Federal, and International Agencies

Prior to the passage of the federal CAN SPAM Act, thirty-seven (37) states had enacted their own spam legislation. The CAN SPAM Act pre-empted several state laws, but some state laws, particularly those of Washington, Utah, and Maryland, survived preemption. Statutes dealing specifically with protecting consumers from false advertising and deceptive trade practices have survived preemption. The number of complaints filed at the state level by consumers is rising exponentially. Pursuant to the enforcement provisions of the CAN SPAM Act, several states, such as Massachusetts, have brought cases against spammers under the law. At the federal level, at least sixty-two (62) cases have been brought by the FTC, under authority of § 5 of the FTC Act, against spammers. Most of the cases brought against spammers cited deceptive trade practices as the cause of action. One industry representative observed that the amount of resources and the level of skill brought to the task of fighting spam recently increased quite dramatically, and that perhaps this trend signifies a sea change in the commitment and ability of governments to fight spam.

Among the sixty countries (mostly industrialized) participating in the recent United Nations spam conference, few countries have brought as many spam enforcement actions as the United States. Accordingly, the general consensus among the international community is that most countries' spam laws have not been very effective. The UN conference identified the following list of countries most successful in dealing with spam, in order of effectiveness:

  1. Australia
  2. South Korea
  3. United States
  4. United Kingdom

China and Romania were two countries identified as the least effective enforcers of spam laws. The United States, the United Kingdom, and Australia recently signed a memorandum of understanding (MOU) laying the foundation for formal cooperation in spam enforcement actions across international borders. Other countries have proposed developing a comprehensive MOU for a larger set of participating countries, but these proposals have been frustrated by the wide variance of international legal regimes. Some international bodies have proposed linking international spam enforcement with Internet governance to combine the ability to set technical standards and policy with enforcement techniques. These proposals have not gained much traction due to ongoing questions about which agency(ies) should be invested with this authority.

Key Issues in Bringing Enforcement Actions

Identifying spammers is a key challenge to efforts to enforce spam legislation. One representative of a law enforcement agency reported that in one action, the agency filed fourteen (14) pre-suit subpoenas over a period of four months, in an effort to identify just one prospective defendant. Given the fact that spammers often operate on a fly-by-night basis, long delays in identification can easily result in spending significant resources to identify a spammer who has since moved on to another jurisdiction, has begun employing more sophisticated spamming techniques, or has even assumed a new identity. Further, many spammers are small-time players, and have little if any assets with which to pay damages. Without the prospect of real losses to spammers' assets, the deterrence value of spam enforcement is significantly reduced.

Another key issue is the experience, training and core skill set of enforcement agents. Many state attorneys general's offices don't have the money or the resources to train their staff to adequately enforce spam laws. Furthermore, working with out-of-state authorities is challenging and resource-consuming. A federal task force is being established to consider cases being brought against spammers, training across state and federal boundaries, and enforcement targets. ISPs have begun to participate in enforcement actions, albeit in small numbers, but in the future such cooperation may help alleviate some of the burden on enforcement agencies and increase the overall number of cases brought against spammers.

Recommendations for Improving Enforcement Effectiveness

Since spam crosses jurisdictional borders, both domestically and internationally, enforcement agencies need mechanisms designed to facilitate cooperation between governments. Legislation, MOUs, and other policy channels were suggested to provide funding for joint projects, create authority for different agencies to cooperate, and establish common legal rules for conducting investigations (e.g., allowing enforcement agencies to request a gag order on ISPs so that investigations are kept secret).

As discussed above, many enforcement agencies are hampered by the ability of spammers to spoof their identification, as well as their ability to spoof the path of communication and delivery. Enforcement actions would be greatly simplified, these agencies maintained, by a more robust, secure identification approach in email systems.

Participants drew a distinction between domain name authentication and individual authentication. For some enforcement agencies, if at least the domain name of email messages is authentic, the agencies can use their subpoena authority to obtain an individual sender's information.

With respect to both identification and authentication approaches, one of the key issues to resolve from an industry perspective is ensuring that the additional overhead expense created by new anti-spam requirements does not give a competitive advantage to larger companies at the expense of smaller ones. Further, cooperation among competitors will be key to ensuring that standards are developed to maintain open networks.

Core Issue Three: Emerging Technology Solutions

Spammers' use of increasingly sophisticated technology and aggressive hacking techniques has generated a growing need for ever more sophisticated anti-spam solutions. Some of the spammer techniques that have recently been particularly troubling include IP spoofing and distributed denial of service (DDoS). During the consultation, industry representatives discussed three distinct but interoperable initiatives designed to address the spam problem. The three initiatives are in varying stages of development, and each offers unique methods of addressing the anti-spam issues of identification, authentication, and reputation.

Sender Policy Framework (SPF)

Sender Policy Framework contemplates an infrastructure that relies upon identity and evidence to assure that a sender is who he says he is; prevention agents that detect denial of service attacks, assess sender reputation and filter outbound messages; and protection filters that prevent spam from reaching the end user's inbox. SPF is a technical standard that works in conjunction with a program that includes government-industry partnerships, strong spam laws, interagency cooperation in enforcement efforts, and industry standards and policies. Industry associations will develop standards and policies to effectively implement new anti-spam approaches. Educational programs will work to inform end users of tools and best practices for dealing with spam, as well as of how to use the framework to ensure deliverability of their own messages.

The key goal of SPF is to deal with spam proactively, rather than reactively. The SPF infrastructure is primarily designed to stop spam from entering and disseminating through the email infrastructure, and secondarily designed to handle spam once it is in the system.

SPF could function as part of a broader anti-spam strategy that would include:

  1. Proof: Identity and Evidence
  2. Prevention Agents
  3. Protection Filters

Proof: Identity and Evidence

The first element would involve identifying and authenticating the sender. Example solutions include Microsoft's proposed Sender ID (a solution for countering domain spoofing, where senders register the servers authorized to send email from their domains, and the system authenticates messages purportedly from that domain against the registered server list), computational postage (i.e. an algorithm that requires a pre-determined number of CPU cycles to elapse before a single message can be sent), certificates, and sender safelists. These solutions would work to reduce spam by dramatically increasing the cost basis of sending spam, and ultimately making the majority of spam uneconomical. The framework would allow senders a variety of solutions to choose from, each with different cost factors and feature sets. The identity and authentication function will not distinguish commercial and non-commercial email. Therefore, solutions will have to be accessible to non-commercial users.
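The domain-spoofing check described above (senders publish the servers authorized to send for their domain; receivers check the connecting server against that list) can be made concrete with a small evaluator. The following is an added example, not code from the consultation or from the SPF or Sender ID projects: it evaluates an SPF-style policy record for a given client IP. The domains and records in `SAMPLE_DNS` are constructed stand-ins for DNS TXT lookups, and only the `ip4`, `ip6`, `include` and `all` mechanisms are modelled; a real receiver also handles `a`, `mx`, `exists` and `redirect`, enforces the lookup limit, and applies the check to the envelope sender (MAIL FROM) rather than to the visible From header.

```python
import ipaddress

# Constructed stand-in for DNS TXT records (hypothetical domains, not real data).
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=SAMPLE_DNS):
    """Return the domain's SPF record, or None if it publishes none."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def evaluate_spf(domain, client_ip, dns=SAMPLE_DNS, depth=0):
    """Evaluate the policy of `domain` for a connecting server at `client_ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (include chain too deep). Mechanisms are tested left to right
    and the first match wins, as in SPF.
    """
    if depth > 10:  # guard against include loops / excessive recursion
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return result
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return result
        elif mechanism == "include":
            # include matches only when the referenced domain's policy passes
            if evaluate_spf(argument, client_ip, dns, depth + 1) == "pass":
                return result
        # other mechanisms (a, mx, exists, ...) are not modelled here
    return "neutral"  # no mechanism matched and no explicit 'all'


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.55"), ("example.com", "203.0.113.9")]:
        print(dom, ip, evaluate_spf(dom, ip))
```

A `fail` result is the only outcome on which a receiver can reject with confidence; `softfail` and `neutral` are signals to feed into filtering rather than grounds for rejection, which is why mischaracterization (the Type I errors discussed under Core Issue Four) is usually driven by how these weaker results are weighted rather than by the check itself.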

Prevention Agents

The second element would involve additional defenses applied to messages believed to be identified and authenticated. Solutions address the need to detect denial of service (DoS) attacks, assess sender reputation (e.g. Bonded Sender, Brightmail), and filter outbound messages.

Protection Filters

The third element would function close to the end user, with the intent of preventing spam from reaching the end user's inbox. Solutions include SmartScreen and other filtering solutions, residing at the gateway, server, and desktop. Filtering solutions would also include update services to allow users to stay current with evolving spam techniques.

The SPF proposal could be used in conjunction with the following:

  1. Industry best practices
    1. Accredited safelist programs (e.g. Bonded Sender)
    2. Domain spoofing solutions (e.g. SenderID)
    3. ISP efforts (e.g. Port 25 monitoring, rate limiting, zombie detection)
  2. Cooperation among industry associations
    1. Internet Engineering Task Force (IETF), working with MARID and ASRG on Internet standards and best common practices
    2. Anti-SPAM Technology Alliance, working on technology solutions, best practices, data exchange and enforcement

TRUSTe, Bonded Sender

Bonded Sender is a program that identifies and authenticates legitimate email. The program identifies senders who are pre-qualified through the Ironport service. Ironport certifies senders based on Ironport's review of senders' email practices against a set of generally accepted email practices (e.g. the sender uses only permission-based marketing lists, and has established accountability mechanisms for its email communications). When a sender is certified, the sender must post a bond with IEF for a specified amount, which is based on anticipated email volume. The Bonded Sender program will debit the bond amount based on customer complaints. Senders are allowed a minimum threshold of complaints, and Bonded Sender will not debit the bond until the number of complaints exceeds the minimum threshold. The purpose of the minimum threshold is to systematically allow for situations where receivers use complaint mechanisms as a proxy for unsubscribing, as well as other types of erroneous or illegitimate complaints. Bonded Sender is currently establishing a reasonable baseline for complaints based on a limited pool of complainants and certified senders. In the future, as more potential complainants enter the system, the threshold will likely be increased.

Once a sender is certified, Bonded Sender puts the sender on its Whitelist, and if there's a substantial problem, (e.g. a sudden rash of complaints, or other significant cause for concern) the sender is temporarily suspended. Bonded Sender has developed a dispute resolution process, which is effectively a business to business (B2B) process. The resolution process is not customer facing.

One objection to the Bonded Sender program that's often cited is that companies have to pay to ensure deliverability, in contrast to the notion that deliverability should be free. Bonded Sender's response to this objection is that their pricing is very modest, and accessible even to small business and non-profit organizations.

Currently approximately 18,000 business users, network administrators, and ISPs are participating recipients. Some of these include MSN, RoadRunner, Hotmail, and Stanford University. Approximately sixty (60) certified senders, including Motley Fool and Match.com, are also participating.
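The bond-and-threshold mechanism described above (a per-sender bond, an allowance for complaints that are really proxies for unsubscribing, debits only above that allowance, and temporary suspension on a sudden rash of complaints) can be modelled as a small ledger. The following is an added illustration, not Bonded Sender's or Ironport's own code, and the allowance rate, debit amount, spike factor and the sender's daily figures are all constructed values chosen for the example.

```python
from collections import deque


class BondedSenderLedger:
    """Constructed model of a complaint-backed bond for one certified sender.

    allowed_rate: complaints per message tolerated without debit (covers
                  proxy-unsubscribes and other erroneous complaints).
    debit_per_complaint: amount charged against the bond per excess complaint.
    spike_factor: a day whose complaint rate exceeds this multiple of the
                  recent average is treated as a 'sudden rash' and suspends
                  the sender pending the dispute-resolution process.
    """

    def __init__(self, bond, allowed_rate, debit_per_complaint,
                 spike_factor=5.0, window_days=7):
        self.bond = bond
        self.allowed_rate = allowed_rate
        self.debit_per_complaint = debit_per_complaint
        self.spike_factor = spike_factor
        self.history = deque(maxlen=window_days)  # recent daily complaint rates
        self.suspended = False

    def record_day(self, messages_sent, complaints):
        """Account for one day of traffic; returns what was charged and why."""
        rate = complaints / messages_sent if messages_sent else 0.0
        allowed = round(self.allowed_rate * messages_sent)
        excess = max(0, complaints - allowed)
        charged = min(self.bond, excess * self.debit_per_complaint)
        self.bond -= charged

        # Suspension is driven by a spike relative to the sender's own
        # baseline, not by the absolute count, so a large legitimate list
        # with a steady (allowed) complaint rate is not penalised.
        if self.history:
            baseline = sum(self.history) / len(self.history)
            if baseline > 0 and rate > self.spike_factor * baseline:
                self.suspended = True
        self.history.append(rate)

        return {"rate": rate, "allowed": allowed, "excess": excess,
                "charged": charged, "bond": self.bond,
                "suspended": self.suspended}


def simulate_constructed_week():
    """Three constructed days: within allowance, slightly over, then a rash."""
    ledger = BondedSenderLedger(bond=1000, allowed_rate=0.001,
                                debit_per_complaint=20)
    return [ledger.record_day(100_000, 80),
            ledger.record_day(100_000, 130),
            ledger.record_day(100_000, 900)]


if __name__ == "__main__":
    for day in simulate_constructed_week():
        print(day)
```

The design point worth noting is that the allowance is expressed as a rate, so it scales with the bond-setting volume, while the suspension trigger compares a day against the sender's own recent history; that is what lets the program distinguish a steady trickle of proxy-unsubscribe complaints from a genuine change in a sender's behaviour.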

Habeas

The key focus of the Habeas solution, which is targeted at the small and middle market, is promoting sender best practices, providing feedback, and ensuring deliverability of messages. Habeas perceives the sender universe in three broad categories:

Habeas' goal is to transform grey hat senders into white hat senders. Habeas works with the sender to help it establish sound identification and authentication practices, while also encouraging it to adopt best practices (e.g. permission-based email lists, distinguishing different types of communication, feedback mechanisms) for its business. Habeas uses a complaint resolution process that currently investigates every complaint that comes in. To date, investigations have found that many complaints are actually proxies for unsubscribing. Going forward, user education programs should aim to address this trend so the reliability and accuracy of the complaint resolution process can be improved.

Core Issue Four: Implications for Free Expression

Two non-governmental organizations (NGOs) presented a discussion of free expression issues related to anti-spam solutions. The presenters raised several issues for future consideration:

  1. Type I errors (false positives) should be the focus of any error-control mechanisms built into spam solutions. From the public interest perspective, it is much more important that no legitimate messages be blocked than that spam erroneously make its way through the system.
     
  2. End users should retain some control over their inboxes. It's conceivable that some solutions may not allow user control over the filtering schemes purportedly designed to protect them.
     
  3. The ability to remain anonymous should be preserved in anti-spam solutions. Anonymous speech is a time-honored right in our society, and cannot be sacrificed for technological efficiency.
     
  4. The needs of non-commercial listservs must be considered in whatever framework is developed. For political groups, time constraints can become a barrier to speech. If senders are required to wait even a few days to gain access to the email infrastructure and ensure deliverability, the point of the proposed communication may be lost. For example, if a political group needs to organize constituents in a certain region over a weekend to stop a government action from happening on Monday, using email to accomplish this task may not be feasible in some of the proposed solutions.
     
  5. Senders should have the benefit of due process in resolving complaints and disputes when accused of sending spam. In effect, complainants should be held accountable just as senders are held accountable.
     
  6. Spam solutions should be conducive to open and interoperable networks. Users should not be locked into one network or one architecture.

The panel generally agreed the above issues were serious concerns, and resolved to discuss methods to address them in future meetings.


  The Center For Democracy & Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
(v) 202.637.9800
(f) 202.637.0968
Contact CDT

Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit.
