It's Open Season on Spammers

WASHINGTON, D.C. -- The problem of spam--how to get rid of it, how to track down the senders, and whether to prosecute those spammers--has dominated many discussions at the third annual Privacy and Data Security Summit here this week.

The summit, which has attracted legislators, regulators, and a litany of privacy and data-security experts, carries the theme of "implementing and managing privacy in a complex environment." More than any single topic, unsolicited commercial e-mail appears to be a major privacy issue for many of the presenters and attendees. A close second are the fairly complex Health Insurance Portability and Accountability Act rules, which regulate health information privacy and take effect April 12.

Spam Denounced

Clearly, spam is on people's minds. Data privacy has become a mainstream concern among the constituents of Representative Cliff Stearns (R-Florida), who made an opening presentation.

"Spam threatens to ruin the only truly killer app in existence: e-mail," said Federal Trade Commissioner Orson Swindle in another presentation. He made an impassioned call for widespread public education about the risks posed by privacy violations--including those made by spammers.

"Spam continues to do major damage to consumer confidence," Swindle said. "This is an abuse problem [caused by] people who delight in flouting the law."

Douglas R. Miller, AOL's executive director of integrity assurance, went further.

"We should be supporting legislation that, frankly, puts spammers behind bars," Miller told a packed room. He participated in a panel discussion entitled "Will E-Mail Survive the Spam Wars?"

"We want to make spamming a crime," Miller added.

Outside the Law

But while many here agree that spam causes great difficulties, not all concur that new laws will put an end to it.

"We have achieved more widespread public understanding of privacy practicalities through vigorous debate" than through legislation, Swindle said.

Brian Huseman, an attorney with the FTC's Bureau of Consumer Protection, cautioned against broad rules that could be unwieldy. For example, it might seem appropriate to require businesses to alert customers every time a privacy breach is detected, no matter how small the potential risk to consumers.

"The cost of notifying 8 million customers [over a possibly trivial breach]--and the panic that can cause among consumers--points to the risk of blunderbuss legislation that tries to address all circumstances, including those that may change over time," Huseman said.

Others noted that many spammers already ignore state laws restricting spam, and are unlikely to be intimidated by similar federal legislation.

In fact, a blow in one privacy battle might stoke another skirmish, said Bruce Johnson, a technology lawyer. The fallout of the FTC's Do Not Call lists, which will restrict who telemarketers can contact, "might be more spam," Johnson said. "Advertisers might move [from the phone] to the unregulated medium of spam" to promote their messages.

Enlisting ISPs

Plugging spam at the network level has potential, several attendees suggested.

"The way to ensure privacy is to make sure it's built into [Internet] systems, in the same ways generally accepted accounting principles are built into accounting systems," said David Stampley, an assistant U.S. attorney general.

In fact, squashing spam has been named a priority by several leading ISPs, including America Online and Microsoft.

If the industry doesn't adequately attack the problem, the issue could become a regulatory matter, warned the FTC's Swindle.

"If [businesses] don't make privacy and security part of the corporate culture, the FTC will be a part of your future," Swindle said.

Congress is also eyeing the issue, Stearns noted. "In a civilized world, privacy is very important," he said.