• PC World
• »Software
• »Browsers & Add-Ons

It's a no-brainer: People hate spam. Politicians in the U.S. and Europe were shrewd enough this year to respond to the growing frustration over the increasing barrage of unwanted e-mail with antispam legislation. But will the new laws really be able to thwart junk e-mail?

"No legislation alone will solve the spam problem," says Brian Huseman, a staff attorney for the U.S. Federal Trade Commission, the federal agency charged with enforcing the antispam regulations. "One of the reasons is because it's very difficult to apprehend spammers and it's very resource-intensive for law enforcement officials to not only pinpoint spammers but to also build the case needed for punishing them."

Opt In or Opt Out?

Along with the systemic difficulties in apprehending and punishing those who send spam, the differing approaches that the laws in the U.S. and Europe take to combat spam also make fashioning an international approach to the borderless nature of spam problematic.

An "opt-in" directive was added to the statute books of the 15 European Union member states in October, and laws complying with the EU directive are starting to come into effect. For example, the UK's updated Telecoms Data Protection Directive will impose fines of up to $8700 on companies and individuals caught sending unsolicited commercial e-mail and SMS text messages to mobile phones without prior agreement.

But despite the efforts of European politicians to get their Washington, D.C. counterparts on the opt-in bandwagon, U.S. lawmakers passed the CAN-SPAM Act of 2003. This is an "opt-out" piece of legislation that puts the onus on individual users to let companies know that they do not wish to receive spam. The bill will become law on January 1.

The First Step

Downplaying previous predictions of dire consequences should the U.S. adopt opt-out policies, European politicians welcomed the CAN-SPAM legislation--after three years of effort on the part of Congress--as an important first step.

"Though I would have preferred an opt-in law, the most important message is that the U.S. does something against spam, even if it is different from the EU's approach," says Erika Mann, a German member of the European Parliament and chair of the European Internet Foundation.

Having the two different philosophies of opt-in and opt-out makes it more difficult for the international community to deal with spammers, Mann says, "but at least with the new U.S. law there is an understanding that something must be done."

Brian White, a UK Member of Parliament and treasurer of the All-Party Parliamentary Internet Group, a group that traveled to Washington, D.C. in October on a "fact finding mission" to work on solutions to unwanted e-mail, echoes that sentiment.

"We got a very positive response from the people we met on Capitol Hill. Yes, the approaches are different [between the UK and the U.S.]; they think they're right [to embrace opt-out solutions to spam], and we know we're right," White says. "We had a very interesting debate and could continue to do so for quite a long time."

Working Together

In some cases, opt-out laws in the U.S. will protect U.S.-based spammers from the more stringent European opt-in rules, according to Marten Nelson, director of business analysis and strategy for e-mail security company CipherTrust, in Alpharetta, Georgia.

"The U.S. has a tremendous surplus in spam, but EU laws don't mean a lot to U.S. spammers and visa-versa," Nelson says. "Any legislation will have a limited effect as it's so hard to track spammers to prosecute them."

The UK has had some success working with the U.S. Federal Bureau of Investigation. According to White, when APIG representatives spoke with FBI officials in October about extraditing U.S. citizens who violate UK antispam laws, the FBI had no problem with the idea.

But stopping the flood of messages at the source is unlikely, no matter which antispam laws are used, says Gartner UK analyst Anthony Allan.

"The laws in the UK and EU will not have the effect of reducing spam in the EU, just as the CAN-SPAM Act will not have the effect of reducing spam in the U.S. For one thing, there is the issue of China, where more and more spam is originating from," Allan says. "Our latest estimate is that 30 percent of spam is now coming from Asia."

While there have been efforts in Asia, notably by the Internet Society of China, to block e-mail sent from servers that have been identified as sources of spam, and a revised law in South Korea designed to regulate unsolicited commercial e-mail, the reduction in spam has been limited.

Getting Technical

"In the next two or three years at least, only the technical solutions will have any real effect on slowing down the flow of spam," Allan says.

In addition to new offerings from smaller security-technology vendors, major companies such as Microsoft are becoming more aggressive in providing technical solutions to spam. For example, at the Comdex trade show in Las Vegas in November, Microsoft Chair and Chief Software Architect Bill Gates announced that the company will add heuristics-based antispam capabilities to future releases of Exchange Server 2003 in an effort to keep junk e-mail messages from reaching users' in-boxes.

But individuals may not be able to afford the technical antispam measures that enterprises are increasingly relying upon, so in the longer term, technology will be only one part of a multipronged approach required for containing the levels of spam.

"There must be a combination of technology, such as antispam filters; education; working with ISPs; as well as legislation," according to Helen Roberts, chief operating officer at Responsys, a provider of outsourced e-mail marketing services, in Palo Alto, California. "There is no single solution or approach to dealing with spam."

The Worldwide Web

Companies such as CipherTrust and Responsys, as well as politicians like White and Mann, see the need for international guidelines for handling Internet issues on a global basis.

"A legal framework would help among states worldwide," Mann says. "I'm not sure that an international body would be so good, but a framework would be useful. As part of that framework, we could use minimal standards and principles that could then be incorporated into national laws."

Mann had hoped that the World Summit on the Information Society, which met earlier this month in Geneva, could have been the forum for developing a framework within the United Nations. But rather than coming up with specific activity to be taken against the spread of spam, the group was only able to agree to a brief statement in its Declaration of Principles saying: "Spam is a significant and growing problem, for users, networks and the Internet as a whole. Spam and cybersecurity should be dealt with at the appropriate national and international levels."

The International Telecommunication Union is often named as the group that may be most suitable for drawing the various states together to tackle the spam issues.

"There is wide recognition in the international community that international initiatives to address spam are needed sooner rather than later," says Robert Shaw, the ITU's Internet strategy and policy advisor, in an e-mail response to questions. "The ITU is exploring exactly what can and should be done to fight this growing threat to the viability of Internet communications."

He adds that the ITU is planning an international conference on spam in 2004, potentially in cooperation with the Organization for Economic Co-operation and Development and the Asia-Pacific Economic Cooperation.

Shaw, as well as the FTC's Huseman, expressed enthusiasm for a conference being cohosted in Paris on February 2 and 3 by the OECD and the European Commission, as a good starting point, as did the MP White.

"At the OECD meeting, the various states will be able to establish guidelines and the meeting will also make sure that we keep talking," White says.

Gartner's Allan warned that the effectiveness of the OECD meeting will depend on how responsive the various parties are willing to be.

"With opt-in verses opt-out, the U.S. and the EU are already at odds," Allan says. "Will the meeting change policy? I am dubious about that."