Spam Law and Legal Definition
Spam is a term used to refer to junk email. Various federal and state laws, which vary by state, regulate spam. The main federal legislation is the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) Act of 2003 (Public Law 108-187), which took effect on January 1, 2004.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act requires unsolicited commercial e-mail messages to be labeled (though not by a standard method) and to include opt-out instructions and the sender's physical address. It prohibits the use of deceptive subject lines and false headers in such messages. The FTC is empowered to establish a "do-not-email" registry. State laws that require labels on unsolicited commercial e-mail or prohibit such messages entirely are pre-empted, although provisions merely addressing falsity and deception would remain in place.
Spam is a slang term that describes unsolicited commercial advertisements sent by e-mail over the Internet. Spam, which can be used as a noun or as a verb, is also known as junk e-mail or unsolicited bulk e-mail. According to Heather Newman in the Detroit Free Press, the term comes from a skit by the Monty Python comedy troupe, in which a group of Vikings chants "spam, spam, spam, spam," to drown out all other conversation. It was adopted by early Internet users to describe annoying, unsolicited e-mail advertisements that crowd out legitimate communication. "Spam is an overwhelming fact of life for nearly every e-mail user," Newman wrote. "Some Internet webmasters say that more than half the traffic their computers handle is spam."
THE COSTS OF SPAM
"The financial and psychological costs of spam are eroding the Internet's goodwill," Karen Rodriguez wrote in the Phoenix Business Journal. Spam causes problems for both e-mail users and the Internet Service Providers (ISPs) that offer access to the Internet to customers for a fee. Most email users resent receiving spam messages because they fill up electronic mailboxes and are time-consuming to sort through. In addition, a large proportion of spam messages contain material that could be considered offensive or fraudulent. A survey of spam content conducted on behalf of Representative Gary Miller of California, co-sponsor of proposed legislation to ban spam, found that 30 percent consisted of pornographic materials, another 30 percent consisted of get-rich-quick schemes, and the remainder included a variety of questionable business proposals and gambling opportunities.
According to Ryan P. Wallace, Adam M. Lusthaus, and Jong Hwan Kim in their book Computer Crimes, "Estimates put the total cost of spam to American businesses in 2003 at more than $10 million in lost productivity and anti-spam measures."
Companies that send out bulk e-mail defend the practice on several grounds. For example, they say that some small businesses cannot afford other forms of marketing. Sending bulk e-mail helps these businesses reach potential customers and compete with larger firms. Proponents of e-mail marketing also claim that their advertisements are a constitutionally protected form of free speech. Spammers try to justify their actions by claiming that companies should be allowed to take advantage of the online market and that people have no right to filter their mail.
But opponents of spam argue that Internet users end up paying to receive unwanted advertisements. By sending bulk e-mail to thousands of recipients, spammers create an increase in the load placed on ISP mail servers. ISPs must purchase bandwidth in order to connect their servers to the Internet. They buy bandwidth based on expected usage by their paying customers, and the cost accounts for a large percentage of their operating budgets. Spam ties up bandwidth and reduces processing speed, which causes an increase in costs for ISPs and a decrease in performance for their customers. So while it may cost a spammer only a few dollars to create and send an advertisement via e-mail, it may cost an ISP thousands of dollars to accommodate the spam. These costs are usually passed on to the ISP's customers, most of whom did not want to receive the spam in the first place.
LEGISLATION TO CURB SPAM
Complaints from ISPs and Internet users have prompted several states to pass laws regulating spam. In 2003 the federal government also took action. Spam came under relatively mild regulation with the passage of the Controlling the Assault of Non-Solicited Pornography and Marketing Act, also officially called the CAN-SPAM Act of 2003 (Public Law 108-197). It became effective in December of 2003 and took effect on January 1, 2004. The Act requires that senders of unsolicited commercial e-mail label their messages, but Congress did not require a standard labeling language. Such messages are required to carry instructions on how to opt-out of receiving such mail; the sender must also provide its actual physical address. Misleading headers and titles are prohibited. Congress authorized the Federal Trade Commission to establish a "do-not-mail" registry but did not require that the FTC do so. As of 2006 the FTC has not taken action to create a do-not-mail registry. CAN-SPAM also prevents states from outlawing commercial e-mail or to require their own labeling. Since 2003 other bills have been proposed but have not been enacted.
In effect, based on the provisions of CAN-SPAM, spam is not a computer crime unless, according to U.S. Code, Title 18, No. 1037, violation is committed "in furtherance of any felony under the laws of the United States or of any State." Despite its legal status, spam is both a major annoyance and extracts a cost.
After two plus years in force, the CAN-SPAM law appears to have done little to reduce the volume of spam that clutters cyberspace. As Roger A. Grimes reports in Info World, much of the problem with the law is the fact that it requires e-mail recipients to opt-out of receiving mail by replying to a spam note and asking to be removed from the mailing list. Grimes provides in his article a rather stark assessment of the CAN-SPAM law and its likelihood to ever curb spam. "If you don't have time to read the FTC's report [on the first two year's impact of CAN-SPAM], let me give you my Executive Summary of whether CAN-SPAM has led to a decrease in spam: No!… The real question is whether or not the percentage of spam as compared with total e-mail sent is decreasing. Although several entities report drops in the amount of spam reaching end-users because of improved filtering capabilities, the real rate of spam is leveling off at between 50 percent and 70 percent of e-mail traffic, depending on which statistics you read. And if spam reaching the end-user has decreased because of better filtering devices, then the CAN-SPAM Act has had no part in any so-called success." Grimes concludes with the suggestion that the law be abolished and a new one written which would criminalize the practice and add teeth to the legislation.
WAYS TO REDUCE SPAM
As Grimes' assessment of the CAN-SPAM Act suggests, strides have been made to curtail the number of spam messages that reach their intended audience. These strides appear to be the result, however, of companies spending time and money on spam filtering systems. The market for spam filtering and blocking services and software has grown rapidly in the last 5 years and is likely to continue growing. And while choice is good, the plethora of anti-spam options can be confusing.
"Before attempting to sift through the various anti-spam approaches, companies should make a few key decisions to help guide their search. Are you comfortable outsourcing your spam headache to a service provider, which means letting your e-mail traffic flow through their data centers before hitting your corporate network? If you prefer an in-house solution, should it sit at your mail gateway to ward off spam before it enters your network, saving valuable resources, or at the mail server where it can perform additional tasks as well? Or does a dedicated appliance that can't be tampered with sound more secure? And what about offerings from established messaging security vendors?" This is how the authors, Cara Garretson and Ellen Messmer, of an article in Network World begin a lengthy review of anti-spam products. Three options exist for implementing an anti-spamming program: anti-spam services provided by a third party; server software that can be loaded onto the company server, and a dedicated server used for this purpose only called a gateway appliance. For most small companies, one of the first two options is probably the most cost effective, the third being costly for smaller installations.
Anti-spam services are a good choice for companies that wish to dedicate minimal information technology resources to handling spam. Providers of this service divert a company's incoming mail to their own data centers, where a number of techniques are used to quarantine unwanted e-mail messages, and the remainder of the traffic is passed on to the customer. The benefits of anti-spam services can be put in place very quickly but over time they may prove to be more costly than a software option. Contracts with service providers usually cost between $1.50 and $4.00 per e-mail account per month after the minimum monthly charge.
Spam filtering software packages vary and provide a differing level of functionality and customization options. Anti-spam software packages usually sit at a company's mail gateway to filter spam out of the incoming messages. These products give companies many options for handling spam once it's caught, options like quarantine areas managed by end users where spam messages are held. Many products also offer lists, which dictate e-mail senders that should always be blocked and those who should never be blocked, respectively.
Other actions which can be taken to reduce the volume of incoming spam messages all have to do with limiting the ways in which your e-mail address is exposed to the public. Spammers obtain e-mail addresses from a wide range of legal sources, including business cards, newspaper articles, Web pages, member lists, customer lists, and message postings. They even collect jokes, chain letters, and other frequently forwarded e-mail messages that have hundreds of addresses on the top. Prudent rules to follow to minimize e-mail address exposure include: never replying to an e-mail message from spammers, even in order to use their "opt-out" buttons; hiding the addresses of recipients if you forward e-mail messages to large groups of people, and not including linked e-mail addresses in the company Web site.
Finally, it may be helpful to inform your own ISP when you receive spam, so that the system administrator can filter out future messages from that address. Many e-mail programs also feature filtering capabilities. Finally, if you are bombarded with e-mail from a company with which you have done business, or you find out that such a company has sold your e-mail address to a spammer, you can boycott the company's products or send an e-mail of protest to the company president.
SEE ALSO Computer Crime; Electronic Mail
Garretson, Cara, and Ellen Messmer. "How To: Fighting Spam." Network World. 1 December 2003.
Gordon, Lawrence A., Martin P. Loeb, William Lucyshyn, and Robert Richardson. 2005 CSI/FBI Computer Crime and Security Survey. Computer Security Institute. Available from www.gocsi.com. Retrieved on 29 January 2006.
Grimes, Roger A. "SECURITY ADVISER: Time to Can the CAN-SPAM Act—Despite the FTC's Declaration of Success, Spam Isn't Getting Better, and It's Partly the CAN-SPAM Act's Fault." Info World. 23 January 2006.
Hinde, Stephen. "Smurfing, Swamping, Spamming, Spoofing, Squatting, Slandering, Surfing, Scamming, and Other Mischiefs of the World Wide Web." Computers and Security. May 2000.
Newman, Heather. "Do a Little Work to Give Spammer Unhappy Returns." Detroit Free Press. 28 February 2001.
Rodriguez, Karen. "Federal Lawmakers Propose Bill to End Spamming." Phoenix Business Journal. 12 May 2000.
Wallace, Ryan P., Adam M. Lusthaus, and Jong Hwan Kim. "Computer Crimes." American Criminal Law Review. Spring 2005.
Hillstrom, Northern Lights
updated by Magee, ECDI