Statement Of Senator Patrick Leahy
On The Criminal Spam Act Of 2003
June 19, 2003
Mr. LEAHY. Mr. President, I am pleased to be
introducing, with Senators Hatch, Schumer, Grassley, Feinstein,
DeWine, and Edwards, the Criminal Spam Act of 2003. This bill is
designed to counter the most objectionable forms of email marketing.
In an effort to clear electronic channels for legitimate
communications, the bill targets those spammers who deceive Internet
Service Providers (“ISPs”) and email recipients into thinking that
messages come from someone other than a spammer -- a ploy many
spammers use to increase the likelihood that their unwanted ads will
evade filtering software and be opened.
THE PROBLEM
Without a doubt, spam is a serious problem today,
one that is threatening to undermine the vast potential of the
Internet to foster the free exchange of information and commerce.
Businesses and individuals currently wade through tremendous amounts
of spam in order to access email that is of relevance to them—and this
is after ISPs, businesses, and individuals have spent time and money
blocking a large percentage of spam from reaching its intended
recipients.
Email users are having the online equivalent of
the experience of the woman in the Monty Python skit, who seeks to
order a Spam-free breakfast at a restaurant. Try as she might, she
cannot get the waitress to bring her the meal she desires. Every dish
in the restaurant comes with Spam; it’s just a matter of how much.
There’s “egg, bacon and Spam”; “egg, bacon, sausage and Spam”; “Spam,
bacon, sausage and Spam”; “Spam, egg, Spam, Spam, bacon and Spam”;
“Spam, sausage, Spam, Spam, Spam, bacon, Spam, tomato and Spam”; and
so on. Exasperated, the woman finally cries out: “I don’t like Spam!…
I don’t want ANY Spam!”
Individuals and businesses are reacting similarly
to electronic spam. A Harris poll taken late last year found that 80
percent of respondents view spam as “very annoying,” and fully 74
percent of respondents favor making mass spamming illegal. They are
fed up.
ISPs are doing their best to shield customers
from spam, blocking billions of spam each day, but the spammers are
winning the battle. Millions of unwanted, unsolicited commercial
emails are received by American businesses and individuals each day,
despite their own, additional filtering efforts. A recent study by
Ferris Research estimates that spam costs U.S. businesses $8.9 billion
annually as a result of lost productivity and the need to purchase
more powerful servers and additional bandwidth; to configure and run
spam filters; and to provide help-desk support for spam recipients.
The costs of spam are significant to individuals as well, including
time spent identifying and deleting spam, inadvertently opening spam,
installing and maintaining anti-spam filters, tracking down legitimate
messages mistakenly deleted by spam filters, and paying for the ISPs’
blocking efforts.
And there are other less prominent but equally
important costs of spam. It may introduce viruses, worms, and Trojan
Horses into personal and business computer systems, including those
that support our national infrastructure. It is also fertile ground
for deceptive trade practices. The FTC recently estimated that 96
percent of the spam involving investment and business opportunities,
and nearly half of the spam advertising health services and products,
and travel and leisure, contains false or misleading information.
This rampant deception has the potential to
undermine Americans’ trust of valid information on the Internet.
Indeed, it has already caused some Americans to refrain from using the
Internet to the extent that they otherwise would. For example, some
have chosen not to participate in public discussion forums, and are
hesitant to provide their addresses in legitimate business
transactions, for fear that their email addresses will be harvested
for junk email lists. And they are right to be concerned. The FTC
found spam arriving at its computer system just nine minutes after
posting an email address in an online chat room.
THE NEED FOR FEDERAL INTERVENTION
At a recent FTC forum on spam, experts agreed
that the issue is ripe for Federal action. Some 30 states now have
anti-spam laws, but the nature of email makes it difficult to discern
where any given piece of spam originated, and, thus, what state has
jurisdiction and what state law applies. This may explain why
spammers continue to flout state laws. For example, several states
require that spam begin the subject line with “ADV,” but the FTC has
found that only 2 percent of spam contains this label.
Technology will undoubtedly play a key role in
fighting spam. However, a technological solution to the problem is
not predicted in the foreseeable future. In addition, given the
adroitness with which spammers adapt to anti-spam technologies, the
development and implementation of technological fixes to spam entail
constant vigilance and substantial financial investment. This raises
the question: Why should individuals and businesses be forced to
invest large amounts of time and money in buying, installing, and
maintaining generation after generation of anti-spam technologies?
I have often said that the government should
regulate the Internet only when absolutely necessary. Unfortunately,
spammers have caused this to be one of those times. Congress needs to
address the spam problem quickly and prudently, and the Criminal Spam
Act, by targeting the most injurious types of spam, is a good start.
THE CRIMINAL SPAM ACT
The bill that Senator Hatch and I introduce today
would prohibit the four principal techniques that spammers use to
evade filtering software and hide their trails.
First, our bill would prohibit hacking into
another person’s computer system and sending bulk spam from or through
that system. This would criminalize the common spammer technique of
obtaining access to other people’s email accounts on an ISP’s email
network, whether by password theft or by inserting a “Trojan horse”
program – that is, a program that unsuspecting users download onto
their computers and that then takes control of those computers -- to
send bulk spam.
Second, the bill would prohibit using a computer
system that the owner makes available for other purposes as a conduit
for bulk spam, with the intent of deceiving recipients as to the
spam’s origins. This prohibition would criminalize another common
spammer technique -- the abuse of third parties’ “open” servers, such
as email servers that have the capability to relay mail, or Web proxy
servers that have the ability to generate “form” mail. Spammers
commandeer these servers to send bulk commercial email without the
server owner’s knowledge, either by “relaying” their email through an
“open” email server, or by abusing an “open” Web proxy server’s
capability to generate form emails as a means to originate spam,
thereby exceeding the owner’s authorization for use of that email or
Web server. In some instances the hijacked servers are even
completely shut down as a result of tens of thousands of undeliverable
messages generated from the spammer’s email list.
The bill’s third prohibition targets another way
that outlaw spammers evade ISP filters: falsifying the “header
information” that accompanies every email, and sending bulk spam
containing that fake header information. More specifically, the bill
prohibits forging information regarding the origin of the email
message, the route through which the message attempted to penetrate
the ISP filters, and information authenticating the user as a “trusted
sender” who abides by appropriate consumer protection rules. The last
type of forgery will be particularly important in the future, as ISPs
and legitimate marketers develop “white list” rules whereby emailers
who abide by self-regulatory codes of good practices will be allowed
to send email to users without being subject to anti-spamming
filters. There is currently substantial interest among marketers and
email service providers in “white list” technology solutions to spam.
However, such “white list” systems would be useless if outlaw spammers
are allowed to counterfeit the authentication mechanisms used by
legitimate emailers.
Fourth and finally, the Criminal Spam Act
prohibits registering for multiple email accounts or Internet domain
names, and sending bulk email from those accounts or domains. This
provision targets deceptive “account churning,” a common outlaw
spammer technique that works as follows. The spammer registers
(usually by means of an automatic computer program) for large numbers
of email accounts or domain names, using false registration
information, then sends bulk spam from one account or domain after
another. This technique stays ahead of ISP filters by hiding the
source, size, and scope of the sender’s mailings, and prevents the
email account provider or domain name registrar from identifying the
registrant as a spammer and denying his registration request.
Falsifying registration information for domain names also violates a
basic contractual requirement for domain name registration.
Penalties for violations of these provisions are
tough but measured. Recidivists and those who send spam in
furtherance of another felony may be imprisoned for up to five years.
Large-volume spammers, those who hack into another person’s computer
system to send bulk spam, and spam “kingpins” who use others to
operate their spamming operations may be imprisoned for up to three
years. Other offenders may be fined and imprisoned for no more than
one year. Convicted offenders are also subject to forfeiture of
proceeds and instrumentalities of the offense.
In addition to these criminal penalties,
offenders are also subject to civil enforcement actions, which may be
brought by either the Department of Justice or by an ISP. Civil
remedies are important as a supplement to criminal enforcement for
several reasons. First, bringing cases against outlaw spammers is
very resource intensive because of the extensive forensic work
involved in building a case; providing for civil enforcement will
allow ISPs to assemble evidence to make prosecutors’ jobs easier.
Second, although criminal prosecutions are a critical deterrent
against the most egregious spammers, the Justice Department is
unlikely to prosecute all outlaw spam cases; civil enforcement, backed
by strong financial penalties, will serve as a second layer of
deterrence. Third, criminal penalties may not be appropriate in all
cases, as for example in the case of teenagers hired by professional
outlaw spammers to send out email for them; civil enforcement gives
the Justice Department a more complete and refined range of tools to
address specific outlaw spam problems.
That describes the main provisions of our bill. In addition, because
commercial email can be, and is being, sent from all over the world
into the virtual mailboxes of Americans, the bill directs the
Administration to report on its efforts to achieve international
cooperation in the investigation and prosecution of outlaw spammers.
OTHER APPROACHES
Again, the purpose of the Criminal Spam Act is to
deter the most pernicious and unscrupulous types of spammers – those
who use trickery and deception to induce others to relay and view
their messages. Ridding America’s inboxes of deceptively delivered
spam will significantly advance our fight against junk email. But the
Criminal Spam Act is not a cure-all for the spam pandemic.
The fundamental problem inherent to spam -- its
sheer volume – may well persist even in the absence of fraudulent
routing information and false identities. In a recent survey, 82
percent of respondents considered unsolicited bulk email, even from
legitimate businesses, to be unwelcome spam. Given this public
opinion, and in light of the fact that spam is, in essence,
cost-shifted advertising, it may be wise to take a broader approach to
our fight against spam.
One approach that has achieved substantial
support is to require all commercial email to include an “opt out”
mechanism, that is, a mechanism for consumers to opt out of receiving
further unwanted spam. At the recent FTC forum, several experts
expressed concerns about this approach, which permits spammers to send
at least one piece of spam to each email address in their database,
while placing the burden on email recipients to respond. People who
receive dozens, even hundreds, of unwanted emails each day would have
little time or energy for anything other than opting-out from unwanted
spam.
According to one organization’s calculations, if
just one percent of the approximately 24 million small businesses in
the U.S. sent every American just one spam a year, that would amount
to over 600 pieces of spam for each person to sift through and opt-out
of each day. And this figure may be conservative, as it does not
include the large businesses that also engage in on-line advertising.
A second possible approach to spam – a national
“Do Not Spam” registry – raises a different but no less difficult set
of concerns. The two FTC Commissioners who testified last month at
the Senate Commerce Committee’s hearing on spam both questioned the
potential of a national registry to alleviate the spam problem.
Although this approach would place a smaller burden on consumers than
would an opt-out system, it would entail immense costs, complexity,
and delay, all of which work in the spammers’ favor.
A third way of attacking spam – and one that was
favored by many panelists and audience members at the FTC forum -- is
to establish an opt-in system, whereby bulk commercial email may only
be sent to individuals and businesses who have invited or consented to
it. This approach has strong precedent in the Telephone Consumer
Protection Act of 1991 (TCPA), which Congress passed to eliminate
similar cost-shifting, interference, and privacy problems associated
with unsolicited commercial faxes. The TCPA’s ban on faxes containing
unsolicited advertisements has withstood First Amendment challenges in
the courts, and was adopted by the European Union in July 2002.
CONCLUSION
I have discussed three possible approaches to the
spam problem, and there are several others, some of which have already
been codified in state law. I encourage the consideration of all
these anti-spam approaches in the weeks and months to come.
Reducing the volume of junk commercial email, and
so protecting legitimate Internet communications, will not be easy.
There are important First Amendment interests to consider, as well as
the need to preserve the ability of legitimate marketers to use email
responsibly. If Congress does act, it must get it right, so as not to
exacerbate an already terribly vexing problem.
The Criminal Spam Act is a first step in
countering spam. If we can shut down the spammers who use deception
to evade filters and confuse consumers, we will give the next
generation of anti-spam technologies a chance to do their work. Our
bill targets the most egregious offenders, it provides a much-needed
federal cause of action, and it allows the states to continue to serve
as a “laboratory” for tough anti-spamming regulation. I urge its
speedy enactment into law.
Related Links:
Hatch, Leahy Target Most Egregious Computer Spammers, June 19, 2003
Bill Text Of S. 1293, The Criminal Spam Act Of 2003 [Link To Library Of Congress]