WASHINGTON -- "What are we going to do about spam?"
It was a deceptively simple question posed by CNN's Lou Dobbs to a panel of software company chief executives here discussing policy with top government officials.
As expected, the CEOs denounced unsolicited commercial e-mail and some used the opportunity to talk up their company's antispam products.
Digital credentials are one antidote to the growing problem, suggested Bill Conner, CEO of Entrust. "At some point, you won't accept noncredentialed e-mails," he said.
Borland Software's CEO Dale Fuller suggested erecting economic barriers. "If you're going to put out a piece of junk, we're going to charge you."
George Samenuk, Network Associates' CEO, believes some kind of penalty should apply to spammers.
Squashing spam has no easy single answer. After all, Congress has tried to pass antispam legislation since 1995.
Bills Gain Momentum
Yet, no fewer than six antispam bills are still pending on Capitol Hill, several of them making slow but steady progress.
"The problem with most of these bills, however well intentioned, is they provide a big fig leaf of legitimacy for spam," says Andrew Barrett, executive director of the Spamcon Foundation, a watchdog group. "Frankly, they protect the status quo, and the language in the bill tends to frame spam as fraud."
Two Senate antispam bills have cleared committee, but some say their progress is stalled by Sen. Charles Schumer (D-New York). He wants to attach a national do-not-spam registry to the final bills.
Critics of Schumer's proposal cite implementation barriers, including the high costs related to maintaining such a list. Ari Schwartz, associate director of the Center for Democracy and Technology, calls the costs prohibitive. "And we don't even know where these spammers are coming from," he adds.
The Federal Trade Commission also questions a list's feasibility. "A do-not-spam list is an intriguing idea, but it is unclear how we can make it work," FTC Chairman Tim Muris said in an August speech. "Most spam is already so clearly illegitimate that the senders are no more likely to comply than with the...laws they now ignore."
While acknowledging the hurdles, Spamcon's Barrett likes the Schumer bill and the idea of a national no-spam registry. He says his bill supports domain-wide opt-out. For instance, AOL or Yahoo could opt out entirely, so all users of their e-mail services would receive no spam.
The CAN-SPAM Act and the Criminal Spam Act are the two bills that have passed committee and are destined for the Senate floor. Under the CAN-SPAM Act, federal prosecutors and ISPs can sue spammers who use misleading e-mail subject lines, do not let recipients unsubscribe, or send e-mail using dictionary attacks (a spammer practice that randomly generates e-mail addresses for a domain).
The Criminal Spam Act also subjects senders of e-mail with misleading headers to civil and criminal penalties, including up to five years in federal prison and fines as high as $25,000 each day.
Stalled by Differences
In the House, progress is slowed by two competing bills, the Wilson-Green bill and the Tauzin bill. Both bills require users to opt out to avoid getting unwanted e-mail. Rep. Heather Wilson (R-New Mexico) proposes enlisting state attorneys general to enforce her antispam law, which Rep. Billy Tauzin (R-Louisiana) opposes. Wilson's bill also prohibits affiliates or subsidiaries of companies from spamming users who have opted out once.
Calling the Tauzin bill a "train wreck," Spamcon's Barrett says the measure "gives a veneer of legitimacy to spam." The RID-SPAM Act bans deceptive messages, prohibits harvesting e-mail addresses, and lets ISPs (but not individuals) sue spammers for damages. But Barrett says network administrators and consumer groups call this plan the "Spammer Bill of Rights."
He considers the Wilson bill little better. The principal problem is that all the bills put the onus on users to opt out, giving spammers free rein until then, Barrett says.
If every one of America's 23 million small businesses sent you an e-mail just once each year, you would have to opt out of 640 e-mail messages every day, he notes.
Also, the bills are problematic because they define spam as fraud, Barrett adds. To him, the message is, "as long as you tell the truth, you may spam away to your heart's content. But most of these legislations make no distinction between content and consent."
It's unclear whether differences can be resolved in time to pass an antispam bill this year. A Wilson spokesperson says dialogue with Tauzin's office continues, but won't put a time frame on the resolution.
"There is no one piece of legislation that will solve the problem overnight," Schwartz says. Identifying spammers is complicated, especially when it involves overseas senders, he notes. Stopping spam completely is too ambitious, he says. "If technology and legislation can turn the tide, then we've made some progress," Schwartz says.
Spam and Consequences
Every e-mail has a price tag. The mass volume of e-mail created by spam increases the cost to the ISP, which passes it along to its customers in fees. In contrast, with traditional direct mail, the sender pays for the cost of sending the mail. According to the FTC, spam costs between $10 billion and $87 billion yearly.
Besides costing businesses big bucks, spam is changing the way Americans use the Internet.
"Some people are diminishing their use of e-mail because of spam," says Lee Rainie, director of the Pew Internet and American Life Project. His organization is releasing a report on spam and its effects on people's behavior this week, Rainie says.