Statement Of Senator Patrick Leahy
On The Hatch-Leahy Amendment And
The CAN SPAM Act Of 2003
October 22, 2003
Mr. President, it is increasingly apparent that
unwanted commercial email, commonly known as “spam,” is more than
just a nuisance. In the past few years, it has become a serious and
growing problem that threatens to undermine the vast potential of
the Internet.
THE PROBLEM
Businesses and individuals currently wade
through tremendous amounts of spam in order to access email that is
of relevance to them—and this is after ISPs, businesses, and
individuals have spent time and money blocking a large percentage of
spam from reaching its intended recipients.
In my home state of Vermont, one legislator
recently found that two-thirds of the 96 e-mails in his inbox were
spam. And this occurred after the legislature had installed new
spam-blocking software on its computer system that seemed to be
catching 80 percent of the spam. The Assistant Attorney General in
Vermont was forced to suggest to computer users the following means
to avoid these unsolicited commercial e-mails: “It’s very bad to
reply, even to say don’t send anymore. It tells the spammer they
have a live address….The best thing you can do is just keep deleting
them. If it gets really bad, you may have to change your address.”
This experience is echoed nationwide.
Email users are having the online equivalent of
the experience of the woman in the Monty Python skit, who seeks to
order a Spam-free breakfast at a restaurant. Try as she might, she
cannot get the waitress to bring her the meal she desires. Every
dish in the restaurant comes with Spam; it’s just a matter of how
much. There’s “egg, bacon and Spam”; “egg, bacon, sausage and
Spam”; “Spam, bacon, sausage and Spam”; “Spam, egg, Spam, Spam,
bacon and Spam”; “Spam, sausage, Spam, Spam, Spam, bacon, Spam,
tomato and Spam”; and so on. Exasperated, the woman finally cries
out: “I don’t like Spam!… I don’t want ANY Spam!”
Individuals and businesses are reacting
similarly to electronic spam. A Harris poll taken late last year
found that 80 percent of respondents view spam as “very annoying,”
and fully 74 percent of respondents favor making mass spamming
illegal. Earlier this month, more than 3 out of 4 people surveyed
by Yahoo! Mail said it was “less aggravating to clean a toilet” than
to sort through spam. Americans are fed up.
Some 30 States now have anti-spam laws, but the
globe-hopping nature of e-mail makes these laws difficult to
enforce. Technology will undoubtedly play a key role in fighting
spam, but a technological solution to the problem is not likely in
the foreseeable future. ISPs block billions of unwanted e-mails
each day, but spammers are winning the battle.
Millions of unwanted, unsolicited commercial
emails are received by American businesses and individuals each day,
despite their own, additional filtering efforts. A recent study by
Ferris Research estimates that spam costs U.S. firms $8.9 billion
annually in lost worker productivity, consumption of bandwidth, and
the use of technical support to configure and run spam filters and
provide helpdesk support for spam recipients.
The costs of spam are significant to
individuals as well, including time spent identifying and deleting
spam, inadvertently opening spam, installing and maintaining
anti-spam filters, tracking down legitimate messages mistakenly
deleted by spam filters, and paying for the ISPs’ blocking efforts.
And there are other prominent and equally
important costs of spam. It may introduce viruses, worms, and
Trojan horses into personal and business computer systems, including
those that support our national infrastructure.
The public has recently witnessed the
potentially staggering effects of a virus, not only through the
Blaster case I discussed earlier, but with the appearance of the
SoBigF virus just eight days after Blaster began chewing its way
through the Internet. This variant also infected Windows machines
via e-mail, then sent out dozens of copies of itself.
Anti-virus experts say one of the main reasons virus writers
continue to modify and re-release this particular piece of “malware”
is that it downloads a Trojan horse to infected computers, which are
then used to send spam.
Spammers are constantly in need of new machines
through which to route their garbage e-mail, and a virus makes a
perfect delivery mechanism for the engine they use for their mass
mailings. Some analysts said the SoBigF virus may have been created
with a more malicious intent than most viruses, and may even be
linked to spam email schemes that could be a source of cash for
those involved in the scheme.
The interconnection between computer viruses
and spam is readily apparent: Both flood the Internet in an attempt
to force a message on people who would not otherwise choose to
receive it. Criminal laws I wrote prohibiting the former have been
invoked and enforced from the time they were passed – it is the
latter dilemma we must now confront head-on.
Spam is also fertile ground for deceptive trade
practices. The FTC has estimated that 96 percent of the spam
involving investment and business opportunities, and nearly half of
the spam advertising health services and products, and travel and
leisure, contains false or misleading information.
This rampant deception has the potential to
undermine Americans’ trust of valid information on the Internet.
Indeed, it has already caused some Americans to refrain from using
the Internet to the extent that they otherwise would. For example,
some have chosen not to participate in public discussion forums, and
are hesitant to provide their addresses in legitimate business
transactions, for fear that their email addresses will be harvested
for junk email lists. And they are right to be concerned. The FTC
found spam arriving at its computer system just nine minutes after
posting an email address in an online chat room.
I have often said
that Congress must exercise great caution when regulating in
cyberspace. Any legislative solution to spam must tread carefully
to ensure that we do not impede or stifle the free flow of
information on the Internet. The United States is the
birthplace of the Internet, and the whole world watches whenever we
decide to regulate it. Whenever we choose to intervene in the
Internet with government action, we must act carefully, prudently,
and knowledgeably, keeping in mind the implications of what we do
and how we do it. And we must not forget
that spam, like more traditional forms of commercial speech, is
protected by the First Amendment.
At the same time, we
must not allow spam to result in the “virtual death” of the
Internet, as one Vermont newspaper put it.
The Internet is a valuable asset to our nation,
to our economy, and to the lives of Americans, and we should act
prudently to secure its continued viability and vitality.
THE CRIMINAL SPAM ACT
On June 19 of this year, Senator Hatch and I
introduced S.1293, the Criminal Spam Act, together with several of
our colleagues on the Judiciary Committee. On September 25, the
Committee unanimously voted to report the bill to the floor. Today,
Senators Hatch, Nelson, Schumer, Grassley and I offered the criminal
provisions of S.1293 as an amendment to S.877, the CAN SPAM Act.
The amendment was adopted by voice vote.
I thank the lead cosponsors of S.877 for
working with us on this amendment, and for their support and
co-sponsorship of the Criminal Spam Act. I also want to thank
Senator Bill Nelson, for his contribution to the amendment.
The Hatch-Leahy amendment prohibits five
principal techniques that spammers use to evade filtering software
and hide their trails.
First, our amendment prohibits hacking into
another person’s computer system and sending bulk spam from or
through that system. This criminalizes the common spammer technique
of obtaining access to other people’s email accounts on an ISP’s
email network, whether by password theft or by inserting a “Trojan
horse” program – that is, a program that unsuspecting users download
onto their computers and that then takes control of those computers
-- to send bulk spam.
Second, our amendment prohibits using a
computer system that the owner makes available for other purposes as
a conduit for bulk spam, with the intent of deceiving recipients as
to the spam’s origins. This prohibition criminalizes another common
spammer technique -- the abuse of third parties’ “open” servers,
such as email servers that have the capability to relay mail, or Web
proxy servers that have the ability to generate “form” mail.
Spammers commandeer these servers to send bulk commercial email
without the server owner’s knowledge, either by “relaying” their
email through an “open” email server, or by abusing an “open” Web
proxy server’s capability to generate form emails as a means to
originate spam, thereby exceeding the owner’s authorization for use
of that email or Web server. In some instances the hijacked servers
are even completely shut down as a result of tens of thousands of
undeliverable messages generated from the spammer’s email list.
The amendment’s third prohibition targets another way that outlaw
spammers evade ISP filters: falsifying the “header information”
that accompanies every email, and sending bulk spam containing that
fake header information. More specifically, the amendment prohibits
forging information regarding the origin of the email message, and
the route through which the message attempted to penetrate the ISP
filters.
Fourth, the Hatch-Leahy amendment prohibits
registering for multiple email accounts or Internet domain names,
and sending bulk email from those accounts or domains. This
provision targets deceptive “account churning,” a common outlaw
spammer technique that works as follows. The spammer registers
(usually by means of an automatic computer program) for large
numbers of email accounts or domain names, using false registration
information, then sends bulk spam from one account or domain after
another. This technique stays ahead of ISP filters by hiding the
source, size, and scope of the sender’s mailings, and prevents the
email account provider or domain name registrar from identifying the
registrant as a spammer and denying his registration request.
Falsifying registration information for domain names also violates a
basic contractual requirement for domain name registration
falsification.
Fifth and finally, our amendment addresses a
major hacker spammer technique for hiding identity that is a common
and pernicious alternative to domain name registration – hijacking
unused expanses of Internet address space and using them as launch
pads for junk email. Hijacking Internet Protocol (“IP”) addresses
is not difficult: Spammers simply falsely assert that they have the
right to use a block of IP addresses, and obtain an Internet
connection for those addresses. Hiding behind those addresses, they
can then send vast amounts of spam that is extremely difficult to
trace.
Penalties for violations of these new criminal prohibitions are tough but
measured. Recidivists and those who send spam in furtherance of
another felony may be imprisoned for up to five years. Large-volume
spammers, those who hack into another person’s computer system to
send bulk spam, and spam “kingpins” who use others to operate their
spamming operations may be imprisoned for up to three years. Other
offenders may be fined and imprisoned for no more than one year.
Convicted offenders are also subject to forfeiture of proceeds and
instrumentalities of the offense.
In addition to these penalties, the Hatch-Leahy
amendment directs the Sentencing Commission to consider providing sentencing
enhancements for those convicted of the new criminal provisions who
obtained e-mail addresses through improper means, such as
harvesting, and those who knowingly sent spam containing or
advertising a falsely registered Internet domain name. We have also
worked with Senator Nelson on language directing the Sentencing
Commission to consider enhancements for those who commit other
crimes that are facilitated by the sending of spam.
I should note that the Criminal Spam Act, from which the amendment is taken,
enjoys broad support from ISPs, direct marketers, consumer groups,
and civil liberties groups alike. It is also supported by the
Administration: In its September 11, 2003 views letter regarding
the CAN SPAM Act, the Administration advocated the addition to CAN
SPAM of felony triggers similar to those proposed in the Criminal
Spam Act. The Administration further supported our proposal,
advanced in the Hatch-Leahy amendment, to direct the Sentencing
Commission to consider sentencing enhancements for convicted
spammers that have additionally obtained e-mail addresses by
harvesting.
CAN SPAM ACT
Again, the purpose of the Hatch-Leahy amendment
is to deter the most pernicious and unscrupulous types of spammers –
those who use trickery and deception to induce others to relay and
view their messages. Ridding America’s inboxes of deceptively
delivered spam will significantly advance our fight against junk
email. But it is not a cure-all for the spam pandemic.
The fundamental problem inherent to spam -- its
sheer volume – may well persist even in the absence of fraudulent
routing information and false identities. In a recent survey, 82
percent of respondents considered unsolicited bulk email, even from
legitimate businesses, to be unwelcome spam. Given this public
opinion, and in light of the fact that spam is, in essence,
cost-shifted advertising, we need to take a more comprehensive
approach to our fight against spam.
While I am generally supportive of the CAN SPAM
Act, and will vote in favor of passage, it does raise some
concerns. The bill takes an “opt out” approach to spam – that is,
it requires all commercial email to include an “opt out” mechanism,
by which e-mail recipients may opt out of receiving further unwanted
spam. My concern is that this approach permits spammers to send at
least one piece of spam to each e-mail address in their database,
while placing the burden on e-mail recipients to respond. People
who receive dozens, even hundreds, of unwanted emails each day may
have little time or energy for anything other than opting-out from
unwanted spam.
According to one organization’s calculations,
if just one percent of the approximately 24 million small businesses
in the U.S. sent every American just one spam a year, that would
amount to over 600 pieces of spam for each person to sift through
and opt-out of each day. And this figure may be conservative, as it
does not include the large businesses that also engage in on-line
advertising.
I am also troubled by the labeling requirement
in the CAN SPAM Act, which makes it unlawful to send an unsolicited
commercial e-mail message unless it provides, among other things,
“clear and conspicuous identification that the message is an
advertisement or solicitation,” and “a valid physical postal address
of the sender”. While we all want to curb spam, we must be mindful
of its status as protected commercial speech, and ensure that any
restrictions we impose on it are as narrowly tailored as possible.
Reducing the volume of junk commercial email,
and so protecting legitimate Internet communications, is not an easy
matter. There are important First Amendment interests to consider,
as well as the need to preserve the ability of legitimate marketers
to use e-mail responsibly. We must be sure we get this right, so as
not to exacerbate an already terribly vexing problem. This is
especially important given the preemption provisions of the CAN SPAM
Act, which will override many of the tough anti-spamming laws
already enacted by the States.
THE ENZI-SANTORUM AMENDMENT
My distinguished
colleagues from Wyoming and Pennsylvania offered an amendment
requiring “warning labels” on certain commercial electronic mail.
While I appreciate my colleagues’ efforts to protect our children
from the on-line assault of internet pornography - an important goal
that we all share – I fear the amendment has been drafted in haste
and raises significant constitutional issues that require further
analysis.
First, the
amendment incorporates broad and vague phrases such as “devoted to
sexual matters” that are not otherwise defined in the law. I
expressed similar concerns during debate on the Communications
Decency Act (CDA), which the Supreme Court struck down as
unconstitutional in 1996. The CDA also punished as a felony anyone
who transmitted ‘obscene’ or ‘indecent’ material over the Internet.
The CDA was deemed too vague as to what was ‘indecent’ or
‘obscene’. Some of the terms and phrases used in the Enzi-Santorum
amendment may be deemed equally vague when subjected to judicial
scrutiny.
There are also
First Amendment concerns to regulating commercial electronic mail in
ways that require specific labels on protected speech. Such
requirements inhibit both the speaker's right to express and the
listener's right to access constitutionally protected material.
More importantly,
existing laws already ban obscenity, harassment, child pornography
and enticing minors into sexual activity.
As a father and a
grandfather, I well appreciate the challenge of limiting a child’s
exposure to sexually inappropriate material. Yet, no legislation we
could pass would be an effective substitute for parental
involvement. We must be vigilant about feel-good efforts to involve
government, either directly or indirectly, in regulating the content
of the Internet.
For these reasons, the Enzi-Santorum amendment
raises serious legal issues that mandate further exploration before
a determination can be made on the proposed law’s constitutional
viability.
I look forward to continuing to work with the
sponsors of the CAN SPAM Act on these issues as the bill proceeds to
conference.