New anti-spam law of little help
Row between EU and US on opt-in vs. opt-out doesn't help.
By Laura Rohde, IDG news service | Published: 00:00, 12 December 2003
It's a no-brainer: People hate spam and politicians in the US and Europe were shrewd enough this year to respond to their constituents' growing frustration over the increasing barrage of unwanted e-mail with anti-spam legislation. But will the new laws really be able to thwart junk e-mail?
"No legislation alone will solve the spam problem," said Brian Huseman, a staff attorney for the US Federal Trade Commission (FTC), the federal agency charged with enforcing the anti-spam regulations. "One of the reasons is because it's very difficult to apprehend spammers and it's very resource intensive for law enforcement officials to not only pinpoint spammers but to also build the case needed for punishing them."
Along with the systemic difficulties in apprehending and punishing those who send spam, the differing approaches that the laws in the US and Europe take to combat spam also make fashioning an international approach to the borderless nature of spam problematic.
An "opt-in" directive was added to the statute books of the 15 European Union (EU) member states in October, and laws complying with the EU directive are starting to come into effect. For example, from yesterday, the UK's updated Telecoms Data Protection Directive will impose fines of up to £5,000 (US$8,700) on companies and individuals caught sending unsolicited commercial e-mail and SMS (short messaging service) text messages to mobile phones without prior agreement.
But despite the efforts of European politicians to get their Washington counterparts on the opt-in bandwagon, US lawmakers this week passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, an "opt-out" piece of legislation that puts the onus on individual users to let companies know that they do not wish to receive spam. The bill will become law on 1 January.
Downplaying previous predictions of dire consequences should the US adopt opt-out policies, European politicians welcomed the CAN-SPAM legislation, which came after three years of effort on the part of Congress, as an important first step.
"Though I would have preferred an opt-in law, the most important message is that the US does something against spam, even if it is different from the EU's approach," said Erika Mann, a German member of the European Parliament and chairwoman of the European Internet Foundation. "There was a time when just the idea of creating a law to deal with spam was quite controversial in Congress, as I understand it, so to actually have a law is real progress."
Having the two different philosophies of opt-in and opt-out makes it more difficult for the international community to deal with spammers, Mann said, "but at least with the new U.S. law there is an understanding that something must be done."
Back in the UK, MP Brian White, Treasurer of the All-Party Parliamentary Internet Group (APIG), a group that travelled to Washington in October on a "fact finding mission" to work on solutions to unwanted e-mail, echoed that sentiment.
"We got a very positive response from the people we met on Capitol Hill. Yes, the approaches are different (between the UK and the US); they think they're right (to embrace opt-out solutions to spam), and we know we're right," White said. "We had a very interesting debate and could continue to do so for quite a long time."
In some cases, opt-out laws in the US will protect US-based spammers from the more stringent European opt-in rules, according to Marten Nelson, director of business analysis and strategy for e-mail security company CipherTrust, in Alpharetta, Georgia.
"The US has a tremendous surplus in spam, but EU laws don't mean a lot to US spammers and vice versa," Nelson said. "Any legislation will have a limited effect as it's so hard to track spammers to prosecute them."
Even with its limitations, anti-spam legislation is "an important piece in the puzzle to resolve the problem," Nelson said.
White stressed that despite the differing approaches, it was important to focus on other aspects of prosecuting spammers, namely punishing the activities that are defined as illegal under all versions of the spam laws.
"Let's get most of the spammers under antipornography laws, under deceptive-trade laws, under the (13-year-old UK) Computer Misuse Act, and the like. That way we can deal with the majority of spam and with this approach, the US opt-out laws actually don't, in my view, make it more difficult to enforce UK and EU laws," White said.
The UK has had some success working with the FBI and, according to White, when APIG representatives spoke with FBI officials in October about extraditing Americans who violate UK anti-spam laws, the FBI had no problem with the idea.
But stopping the flood of messages at the source is unlikely, no matter which anti-spam laws are used, said Gartner analyst Anthony Allan.
"The laws in the UK and EU will not have the effect of reducing spam in the EU, just as the Can-Spam Act will not have the effect of reducing spam in the US. For one thing, there is the issue of China, where more and more spam is originating from," Allan said. "Our latest estimate is that 30 percent of spam is now coming from Asia."
While there have been efforts in Asia, notably by the Internet Society of China to block e-mail sent from servers that have been identified as sources of spam, and a revised law in South Korea designed to regulate unsolicited commercial e-mail, the reduction in spam has been limited. Most corporations and businesses, including Gartner's corporate clients, have taken a technical response to the problem of spam, Allan said.
"In the next two or three years at least, only the technical solutions will have any real effect on slowing down the flow of spam," Allan said.
In addition to new offerings from smaller security-technology vendors, major companies such as Microsoft are becoming more aggressive in providing technical solutions to spam. For example, at the Comdex trade show in Las Vegas last month, Microsoft chairman Bill Gates announced that the Redmond, Washington, company will add heuristics-based anti-spam capabilities to future releases of Exchange Server 2003 in an effort to keep spam e-mail messages from reaching users' inboxes.
But individuals may not be able to afford the technical anti-spam measures that enterprises are increasingly relying upon, so in the longer term, technology will be only one part of a multipronged approach required for containing the levels of spam.
Companies, as well as politicians like White and Mann, see the need for international guidelines for handling Internet issues on a global basis.
"A legal framework would help among states worldwide," Mann said. "I'm not sure that an international body would be so good, but a framework would be useful. As part of that framework, we could use minimal standards and principles that could then be incorporated into national laws."
Mann had hoped that the World Summit on the Information Society, meeting this week in Geneva, could have been the forum for developing a framework within the United Nations. But rather than coming up with specific activity to be taken against the spread of spam, the group was only able to agree to a brief statement in its Declaration of Principles saying: "Spam is a significant and growing problem, for users, networks and the Internet as a whole. Spam and cyber-security should be dealt with at the appropriate national and international levels."
The International Telecommunication Union (ITU) is often named as the group that may be most suitable for drawing the various states together to tackle the spam issues.
"There is no real 'body' that can enact international legislation on spam. However, I believe the ITU is well positioned to draft guidelines and recommendations for a baseline for national legislation," said CipherTrust's Nelson.
Nelson believes that the global nature of the spam problem should motivate the ITU to establish an international forum for how ISPs and telcos can effectively cooperate in tracking and shutting down spammers.
"There is wide recognition in the international community that international initiatives to address spam are needed sooner rather than later," said Robert Shaw, the ITU's Internet strategy and policy advisor. "The ITU is exploring exactly what can and should be done to fight this growing threat to the viability of Internet communications."
He added that the ITU is planning an international conference on spam in 2004, potentially in cooperation with the Organisation for Economic Co-operation and Development (OECD) and the Asia-Pacific Economic Cooperation.
Shaw, as well as the FTC's Huseman, expressed enthusiasm for a conference being co-hosted in February by the OECD and the European Commission as a good starting point, as did MP White.
"At the OECD meeting, the various states will be able to establish guidelines and the meeting will also make sure that we keep talking," White said.
Gartner's Allan warned that the effectiveness of the OECD meeting will depend on how responsive the various parties are willing to be.
"With opt-in versus opt-out, the US and the EU are already at odds," Allan said. "Will the meeting change policy? I am dubious about that."