Monday, January 14, 2008

Is CAN-SPAM useless?

Earlier this month, the famous spammer Alan Ralsky was indicted for his fraudulent email, under anti-fraud laws as well as the CAN-SPAM Act of 2003.

A man described as one of the nation’s most prolific senders of spam e-mail was among 11 people accused in a federal indictment of defrauding people by manipulating Chinese stock prices.

The man accused, Alan Ralsky, 52, of West Bloomfield Township, Mich., made about $3 million through the scheme in the summer of 2005 alone, a United States attorney, Stephen Murphy, said.

A 41-count indictment accuses Mr. Ralsky and other defendants of sending tens of millions of e-mail messages to computers worldwide, trying to inflate prices for Chinese penny stocks. The defendants then sold the stocks at inflated prices, Mr. Murphy said.

His lawyer, Philip Kushner of Cleveland, told The Detroit News that Mr. Ralsky would fight the charges.

Here’s a New York Times article about Alan Ralsky from when the CAN-SPAM Act was signed into law. At the time, he had this to say:

He stopped sending e-mail offers for everything from debt repayment schemes to time-share vacations even before President Bush, on Dec. 16, signed the new Can Spam Act, a law meant to crack down on marketers like Mr. Ralsky.

He plans to resume in January, he said, after he overcomes some computer problems, and only after he changes his practices to include in his messages a return address and other information required by the law, the title of which stands for Controlling the Assault of Non-Solicited Pornography and Marketing.

That is quite a switch for Mr. Ralsky, who has earned a reputation as a master of cyberdisguise. By his own admission, he once produced more than 70 million messages a day from domains registered with fake names, largely by way of foreign countries — or sometimes even by way of hijacked computers — so that the recipients could not trace the mail back to him.

Most experts in junk e-mail, known as spam, have dismissed the new federal law as largely ineffectual. And many high-volume e-mailers say the law may even improve the situation for them because it wipes away a handful of tougher state laws.

But Mr. Ralsky, who lives in a Detroit suburb, says the law’s potential penalties — fines of up to $6 million and up to five years in jail — are making him rethink his business.

“Of course I’m worried about it,” he said after the law was signed. “You would have to be stupid to try to violate this law.”

This isn’t the first time CAN-SPAM has been used in a criminal indictment. But John Levine, one of those “experts in junk e-mail”, commenting on the indictment, questions whether CAN-SPAM is really of any use here:

The thing that strikes me about this indictment is that although it includes a lot of CAN SPAM charges, everything Ralsky and Co. did was already illegal under conventional fraud and computer tampering laws. Lying about who you are to tout worthless stock is already illegal, hijacking other people’s computers is illegal, and collecting the money for fraudulent actions is illegal, too. Sure, they’re throwing the book at them for CAN SPAM violations about fraudulent mail headers and domain registrations, but by my reading, they’d have just as strong a case without CAN SPAM, and the conventional charges will be a lot easier to explain to a judge and a jury.

So it’s a relief that Ralsky, who spent the better part of a decade as the country’s highest profile spammer, is finally headed back to jail. (He’s been there before, for insurance fraud.) But it’s yet another reminder that the US needs effective anti-spam laws, and CAN SPAM isn’t one.

So what are the problems with CAN-SPAM that limit its usefulness? Is it of any use at all?

The principal problem with CAN-SPAM is the most obvious one: it sets up what we call an “opt out” system. It requires email marketers to identify themselves in their messages, and to provide working “unsubscribe” mechanisms. That allows you to “opt out” of future email for that vendor. But such a system means that anyone is legally allowed to send you unsolicited junk email until you opt out. There are some major problems with such a system:

  1. A system in which spam is allowed by default is clearly not what most users want or expect. That might be different if most spam were, say, coupons for the local store. But as long as most of it offers to make you a monster in bed or help you get rich with bogus stock tips, an opt-in system is a better answer.
  2. Most people are afraid to use the opt-out mechanisms, and with good reason. We’ve been told that responding to spam in any way will only prove that they have a live address and will get you more spam, not less. Even if that’s not so true these days, there are reasons not to try unsubscribing. The ones that tell you to reply to the email message will wind up spamming an innocent party, if the spam is (illegally) using a bogus reply address. The ones that use a web site often have the site set up with software to turn your computer into a “zombie”, if you don’t have the right security patches installed. It’s usually not worth the risk.
  3. Even if you do try to unsubscribe, the sender has 10 days to legally continue sending you spam before it has to stop. That might have been necessary in the past, with paper-mail systems, but there’s no good reason to give them that long now. All this stuff is on computers, after all.
  4. After you’ve opted out, the senders can use any number of excuses to put you back in. Most commonly, every time you contact the company, they’ll re-subscribe you to all their garbage and you’ll have to opt out all over again. We, the consumers, can help that situation by refusing to do business with companies that do that. But that’s hard, because it’s not usually most people’s priority, and we often don’t know they’ve done it until a while afterward.
  5. Email provides “plausible deniability” of receipt. An opt-out system that works by email and that doesn’t send a confirmation can easily be repudiated in court. “Oh, yes, our opt-out system works — here’s proof of that. We probably just never received these requests because of block lists or spam filtering or whatever.” There are, of course, ways to counter those arguments, but it makes it harder to prove, and it makes it a great deal harder to explain to juries of non-technical people.
  6. Even though there are clearly stated rules for legal use, any system that allows spamming by default makes it easier for illegal use to get by. Imagine if the law said that you could walk into a store and steal any item valued under $10, unless the store explicitly told you not to. Each store would have to tell each person this, individually. It’d be an impossible mess, and thieves could get away with ignoring the law because of the confusion.

The European Union laws, in contrast, use opt-in provisions — companies may not send you advertising by email unless you explicitly ask for it. Australia’s law works that way too, and it’s often held up as one of the best anti-spam laws in the world. It forbids companies from automatically opting you in under many circumstances, and that sort of thing.

The situation in the U.S. is as it is, of course, because of industry lobbying. There are organizations, such as the Direct Marketing Association, that try to foster proper use of email for marketing, but they’re only giving advice to members, and, however well intentioned they may be, they’re still pushing hard for the retention of opt-out rules.

There are other things wrong with CAN-SPAM, going into details of the definitions and the specifications of what is and isn’t allowed, and I won’t talk about those details here. But as John Levine points out, even when we apply CAN-SPAM, the things it’s forbidding are often illegal already under other anti-fraud statutes. And one of the major criticisms of CAN-SPAM when it was passed was that it invalidated a number of state laws that were stricter, broader, and cleaner.

So is there anything good about CAN-SPAM? Well, there’s one, at least, and Mr Ralsky referred to it back in 2003. Repeating the point:

But Mr. Ralsky, who lives in a Detroit suburb, says the law’s potential penalties — fines of up to $6 million and up to five years in jail — are making him rethink his business.

What CAN-SPAM adds to a fraud prosecution is the possibility of stronger penalties. That was meant as a deterrent, though it’s clearly not effective as such. Mr Ralsky might, therefore, get a stiffer prison term and a higher fine, additional penalties prescribed by CAN-SPAM beyond what the fraud charges alone would bring.

But in the end, John’s right when he says that we need more effective anti-spam laws in this country. Something modelled on Australia’s law would be nice.
