
U.S. SENATOR PATRICK LEAHY

CONTACT: Office of Senator Leahy, 202-224-4242

VERMONT


Statement Of Senator Patrick Leahy
Ranking Member, Senate Committee On The Judiciary
On S. 1293, The "Criminal Spam Act Of 2003"
September 25, 2003

I am pleased that the Committee is taking up S.1293, the bipartisan Criminal Spam Act of 2003.  Chairman Hatch and I introduced this bill on June 19th along with several members of this Committee -- Senator Schumer, Senator Grassley, Senator Feinstein, Senator DeWine, and Senator Edwards.  I thank all of our cosponsors for their help and support on this bill and am grateful to Senators Hatch and Schumer for their efforts.  I hope we can report it to the floor without delay, and pass it before the end of the year.

BACKGROUND 

Without a doubt, spam is a serious problem today – one that threatens to undermine the vast potential of the Internet to foster the free exchange of information and commerce.  I have long recognized that we must be vigilant in keeping our computer crime laws up-to-date as new technologies spawn ever more sophisticated scams and frauds.  Computer security and unauthorized intrusions into responsible net commerce should be at the forefront of any discussion of information technology in the 21st Century.

Many of us on this Committee have worked on cyber crime issues for years. 

In 1984, we passed the Computer Fraud and Abuse Act, to criminalize certain conduct when carried out by means of unauthorized access to a computer. 

In 1986, we passed the Electronic Communications Privacy Act, which I was proud to sponsor, to criminalize tampering with electronic mail systems and remote data processing systems and to protect the privacy of computer users. 

In 1994, the Violent Crime Control and Law Enforcement Act included the Computer Abuse Amendments, which I authored, to make illegal the intentional transmission of computer viruses.  This statute was used last week to prosecute the Minnesota man who is charged with developing and releasing onto the Internet a variant of the Blaster computer worm, which is believed to have infected at least 7,000 individual Internet users’ computers, turning them into drones that attacked or attempted to attack Microsoft, and causing substantial financial damage.

In the 104th Congress, Senators Kyl, Grassley and I worked together to enact the National Information Infrastructure Protection Act, to increase protection under Federal criminal law for both government and private computers, and to address the problem of computer-age blackmail, in which a criminal threatens to harm or shut down a computer system unless his extortionate demands are met.  Senator Kyl and I also worked together in the 105th Congress on criminal copyright amendments that became law.

Most recently, in the 106th Congress, I worked with Senator DeWine to pass the Computer Crime Enforcement Act, which authorized grants to State and local law enforcement to investigate and prosecute computer crime.

 

The current bill is designed to address spam, the most objectionable form of email marketing.  In an effort to clear electronic channels for legitimate communications, the bill targets those spammers who deceive Internet Service Providers (“ISPs”) and email recipients into thinking that messages come from someone other than a spammer -- a ploy many spammers use to increase the likelihood that their unwanted ads will evade filtering software and be opened.

 

THE PROBLEM

Businesses and individuals currently wade through tremendous amounts of spam in order to access email that is of relevance to them—and this is after ISPs, businesses, and individuals have spent time and money blocking a large percentage of spam from reaching its intended recipients.

 

Email users are having the online equivalent of the experience of the woman in the Monty Python skit, who seeks to order a Spam-free breakfast at a restaurant.  Try as she might, she cannot get the waitress to bring her the meal she desires.  Every dish in the restaurant comes with Spam; it’s just a matter of how much.  There’s “egg, bacon and Spam”; “egg, bacon, sausage and Spam”; “Spam, bacon, sausage and Spam”; “Spam, egg, Spam, Spam, bacon and Spam”; “Spam, sausage, Spam, Spam, Spam, bacon, Spam, tomato and Spam”; and so on.  Exasperated, the woman finally cries out: “I don’t like Spam!… I don’t want ANY Spam!”

 

Individuals and businesses are reacting similarly to electronic spam.  A Harris poll taken late last year found that 80 percent of respondents view spam as “very annoying,” and fully 74 percent of respondents favor making mass spamming illegal.  Earlier this month, more than 3 out of 4 people surveyed by Yahoo! Mail said it was “less aggravating to clean a toilet” than to sort through spam.  Americans are fed up.

 

ISPs are doing their best to shield customers from spam, blocking billions of spam each day, but the spammers are winning the battle.  Millions of unwanted, unsolicited commercial emails are received by American businesses and individuals each day, despite their own, additional filtering efforts.  A recent study by Ferris Research estimates that spam costs U.S. businesses $8.9 billion annually as a result of lost productivity and the need to purchase more powerful servers and additional bandwidth; to configure and run spam filters; and to provide help-desk support for spam recipients.  The costs of spam are significant to individuals as well, including time spent identifying and deleting spam, inadvertently opening spam, installing and maintaining anti-spam filters, tracking down legitimate messages mistakenly deleted by spam filters, and paying for the ISPs’ blocking efforts.

 

And there are other prominent and equally important costs of spam.  It may introduce viruses, worms, and Trojan horses into personal and business computer systems, including those that support our national infrastructure. 

 

The public has recently witnessed the potentially staggering effects of a virus, not only through the Blaster case I discussed earlier, but with the appearance of the SoBigF virus just eight days after Blaster began chewing its way through the Internet.  This variant also infected Windows machines via e-mail, then sent out dozens of copies of itself.  Anti-virus experts say one of the main reasons virus writers continue to modify and re-release this particular piece of “malware” is that it downloads a Trojan horse to infected computers, which are then used to send spam.

 

Spammers are constantly in need of new machines through which to route their garbage e-mail, and a virus makes a perfect delivery mechanism for the engine they use for their mass mailings.  Some analysts said the SoBigF virus may have been created with a more malicious intent than most viruses, and may even be linked to spam email schemes that could be a source of cash for those involved in the scheme. 

 

The interconnection between computer viruses and spam is readily apparent:  Both flood the Internet in an attempt to force a message on people who would not otherwise choose to receive it.  Criminal laws I wrote prohibiting the former have been invoked and enforced from the time they were passed – it is the latter dilemma we must now confront head-on.

 

Spam is also fertile ground for deceptive trade practices.  The FTC has estimated that 96 percent of the spam involving investment and business opportunities, and nearly half of the spam advertising health services and products, and travel and leisure, contains false or misleading information.

 

This rampant deception has the potential to undermine Americans’ trust of valid information on the Internet.  Indeed, it has already caused some Americans to refrain from using the Internet to the extent that they otherwise would.  For example, some have chosen not to participate in public discussion forums, and are hesitant to provide their addresses in legitimate business transactions, for fear that their email addresses will be harvested for junk email lists.  And they are right to be concerned.  The FTC found spam arriving at its computer system just nine minutes after posting an email address in an online chat room.

 

THE NEED FOR FEDERAL INTERVENTION

At a recent FTC forum on spam, experts agreed that the issue is ripe for Federal action.  Some 30 states now have anti-spam laws, but the nature of email makes it difficult to discern where any given piece of spam originated, and, thus, what state has jurisdiction and what state law applies.  This may explain why spammers continue to flout state laws.  For example, several states require that spam begin the subject line with “ADV,” but the FTC has found that only 2 percent of spam contains this label.

 

Technology will undoubtedly play a key role in fighting spam.  However, a technological solution to the problem is not predicted in the foreseeable future.  In addition, given the adroitness with which spammers adapt to anti-spam technologies, the development and implementation of technological fixes to spam entail constant vigilance and substantial financial investment.  This raises the question: Why should individuals and businesses be forced to invest large amounts of time and money in buying, installing, and maintaining generation after generation of anti-spam technologies?

 

THE CRIMINAL SPAM ACT

I have often said that the government should regulate the Internet only when absolutely necessary.  Unfortunately, spammers have caused this to be one of those times.  Congress needs to address the spam problem quickly and prudently, and the Hatch-Leahy-Schumer Criminal Spam Act, by targeting the most injurious types of spam, is a good start.  Our bill would prohibit five principal techniques that spammers use to evade filtering software and hide their trails.

 

First, the bill would prohibit hacking into another person’s computer system and sending bulk spam from or through that system.  This would criminalize the common spammer technique of obtaining access to other people’s email accounts on an ISP’s email network, whether by password theft or by inserting a “Trojan horse” program – that is, a program that unsuspecting users download onto their computers and that then takes control of those computers -- to send bulk spam.

 

Second, the bill would prohibit using a computer system that the owner makes available for other purposes as a conduit for bulk spam, with the intent of deceiving recipients as to the spam’s origins.  This prohibition would criminalize another common spammer technique -- the abuse of third parties’ “open” servers, such as email servers that have the capability to relay mail, or Web proxy servers that have the ability to generate “form” mail.  Spammers commandeer these servers to send bulk commercial email without the server owner’s knowledge, either by “relaying” their email through an “open” email server, or by abusing an “open” Web proxy server’s capability to generate form emails as a means to originate spam, thereby exceeding the owner’s authorization for use of that email or Web server.  In some instances the hijacked servers are even completely shut down as a result of tens of thousands of undeliverable messages generated from the spammer’s email list.

 

The bill’s third prohibition targets another way that outlaw spammers evade ISP filters:   falsifying the “header information” that accompanies every email, and sending bulk spam containing that fake header information.  More specifically, the bill prohibits forging information regarding the origin of the email message, the route through which the message attempted to penetrate the ISP filters, and information authenticating the user as a “trusted sender” who abides by appropriate consumer protection rules.  The last type of forgery will be particularly important in the future, as ISPs and legitimate marketers develop “white list” rules whereby emailers who abide by self-regulatory codes of good practices will be allowed to send email to users without being subject to anti-spamming filters.  There is currently substantial interest among marketers and email service providers in “white list” technology solutions to spam.  However, such “white list” systems would be useless if outlaw spammers are allowed to counterfeit the authentication mechanisms used by legitimate emailers.

 

Fourth, the Criminal Spam Act prohibits registering for multiple email accounts or Internet domain names, and sending bulk email from those accounts or domains.  This provision targets deceptive “account churning,” a common outlaw spammer technique that works as follows.  The spammer registers (usually by means of an automatic computer program) for large numbers of email accounts or domain names, using false registration information, then sends bulk spam from one account or domain after another.  This technique stays ahead of ISP filters by hiding the source, size, and scope of the sender’s mailings, and prevents the email account provider or domain name registrar from identifying the registrant as a spammer and denying his registration request.  Falsifying registration information for domain names also violates a basic contractual requirement for domain name registration falsification. 

 

Fifth and finally, our bill addresses a major hacker spammer technique for hiding identity that is a common and pernicious alternative to domain name registration – hijacking unused expanses of Internet address space and using them as launch pads for junk email.  Hijacking Internet Protocol (“IP”) addresses is not difficult:  Spammers simply falsely assert that they have the right to use a block of IP addresses, and obtain an Internet connection for those addresses.  Hiding behind those addresses, they can then send vast amounts of spam that is extremely difficult to trace.

 

Penalties for violations of the bill’s new criminal prohibitions are tough but measured.  Recidivists and those who send spam in furtherance of another felony may be imprisoned for up to five years.  Large-volume spammers, those who hack into another person’s computer system to send bulk spam, and spam “kingpins” who use others to operate their spamming operations may be imprisoned for up to three years.  Other offenders may be fined and imprisoned for no more than one year.  Convicted offenders are also subject to forfeiture of proceeds and instrumentalities of the offense.

 

In addition to these criminal penalties, offenders are also subject to civil enforcement actions, which may be brought by either the Department of Justice or by an ISP.  Civil remedies are important as a supplement to criminal enforcement for several reasons.  First, bringing cases against outlaw spammers is very resource intensive because of the extensive forensic work involved in building a case; providing for civil enforcement will allow ISPs to assemble evidence to make prosecutors’ jobs easier.  Second, although criminal prosecutions are a critical deterrent against the most egregious spammers, the Justice Department is unlikely to prosecute all outlaw spam cases; civil enforcement, backed by strong financial penalties, will serve as a second layer of deterrence.  Third, criminal penalties may not be appropriate in all cases, as for example in the case of teenagers hired by professional outlaw spammers to send out email for them; civil enforcement gives the Justice Department a more complete and refined range of tools to address specific outlaw spam problems.

 

That describes the main provisions of our bill.  In addition, because commercial email can be, and is being, sent from all over the world into the virtual mailboxes of Americans, the bill directs the Administration to report on its efforts to achieve international cooperation in the investigation and prosecution of outlaw spammers.

 

OTHER APPROACHES

Again, the purpose of the Criminal Spam Act is to deter the most pernicious and unscrupulous types of spammers – those who use trickery and deception to induce others to relay and view their messages.  Ridding America’s inboxes of deceptively delivered spam will significantly advance our fight against junk email.  But the Criminal Spam Act is not a cure-all for the spam pandemic.

 

The fundamental problem inherent to spam -- its sheer volume – may well persist even in the absence of fraudulent routing information and false identities.  In a recent survey, 82 percent of respondents considered unsolicited bulk email, even from legitimate businesses, to be unwelcome spam.  Given this public opinion, and in light of the fact that spam is, in essence, cost-shifted advertising, it may be wise to take a broader approach to our fight against spam.

 

One approach that has achieved substantial support is to require all commercial email to include an “opt out” mechanism, that is, a mechanism for consumers to opt out of receiving further unwanted spam.  At the recent FTC forum, several experts expressed concerns about this approach, which permits spammers to send at least one piece of spam to each email address in their database, while placing the burden on email recipients to respond.  People who receive dozens, even hundreds, of unwanted emails each day would have little time or energy for anything other than opting-out from unwanted spam. 

 

According to one organization’s calculations, if just one percent of the approximately 24 million small businesses in the U.S. sent every American just one spam a year, that would amount to over 600 pieces of spam for each person to sift through and opt-out of each day.  And this figure may be conservative, as it does not include the large businesses that also engage in on-line advertising.

 

A second possible approach to spam – a national “Do Not Spam” registry – raises a different but no less difficult set of concerns.  The FTC has questioned the potential of a national registry to alleviate the spam problem.  Although this approach would place a smaller burden on consumers than would an opt-out system, it would entail immense costs, complexity, and delay, all of which work in the spammers’ favor.

 

A third way of attacking spam – and one that was favored by many panelists and audience members at the FTC forum -- is to establish an opt-in system, whereby bulk commercial email may only be sent to individuals and businesses who have invited or consented to it.  This approach -- which has already been adopted by the European Union -- has strong precedent in the Telephone Consumer Protection Act of 1991, which Congress passed to eliminate similar cost-shifting, interference, and privacy problems associated with unsolicited commercial faxes, and which has withstood First Amendment challenges in the courts.

 

CONCLUSION

I have discussed three possible approaches to the spam problem, and there are several others, some of which have already been codified in state law.  I encourage the consideration of all these anti-spam approaches in the weeks and months to come.

 

Reducing the volume of junk commercial email, and so protecting legitimate Internet communications, will not be easy.  There are important First Amendment interests to consider, as well as the need to preserve the ability of legitimate marketers to use email responsibly.  If Congress does act, it must get it right, so as not to exacerbate an already terribly vexing problem. 

 

The Criminal Spam Act is a first step in countering spam.  If we can shut down the spammers who use deception to evade filters and confuse consumers, we will give the next generation of anti-spam technologies a chance to do their work.  Our bill targets the most egregious offenders, it provides a much-needed federal cause of action, and it allows the states to continue to serve as a “laboratory” for tough anti-spamming regulation.  I urge its speedy enactment into law.

 

# # # # #

Related Links:

Senate Panel OKs Hatch-Leahy Bill Aimed At Internet Spammers September 25, 2003

 

 
