Tom Geller, dilettante and poetaster



* Tom's correspondence with the Electronic Frontier Foundation re: spam *

27 November 2000

On 1 November, I saw a presentation by Cindy Cohn of the Electronic Frontier Foundation at the Silicon Valley Linux Users Group. I asked her about the EFF's position on spam, and she basically said that the organization thinks legislation is counterproductive. That started an intense e-mail correspondence with Advocacy Director/Webmaster Stanton McCandlish, reprinted below with his permission.


Date: Thu, 2 Nov 2000
To: cindy@@eff.org
From: Tom Geller
Subject: On EFF's spam position
Cc: ssteele@@eff.org
Cindy (with Ms. Steele cc:d),

It was a pleasure to see you speak at the Silicon Valley Linux User's Group last night. Your talk was both compelling and informative: If the hat had been passed *after* the talk, I'll bet the take would have been even higher. :)

I'm writing now because of your statement regarding the EFF's position on unsolicited commercial/bulk e-mail, or "spam". You said something like, "The EFF is avoiding the matter because, while spam is annoying, we fear any restriction of free speech." I believe that linking spam to free speech is misinformed, in contradiction of legal precedent, and damaging both to EFF's platform and the Internet at large.

As you're a lawyer (unlike me), let's look first at legal precedent. A few points:

  1. There's a popular saying: "Free speech isn't free when it comes postage-due." That's true for unsolicited commercial faxes (outlawed by the Telephone Consumer Protection Act in 1991), and it's true for e-mail. A Gartner Group study discovered that 10 percent of ISP costs are due directly to spam attacks: My own anecdotal experience in the ISP world confirms that figure.

  2. Spam is invasive beyond the point the law allows: It's no more "free speech" than taking an ad for a rug-cleaning service, tying it to a brick, and throwing it through a window. Consider this excerpt from Rowan v. U.S. Post Office (U.S. Supreme Court):
    "Nothing in the Constitution compels us to listen to or to view any unwanted communication, whatever its merit... We therefore categorically reject the argument that a vendor has the right under the Constitution or otherwise to send unwanted material into the home of another... We repeat, the right of a mailer stops at the outer boundary of every person's domain."

  3. In virtually every legal discussion of spam, the focus is on unsolicited *commercial* e-mail, which (as you probably know) can be regulated by the government.

  4. Finally, and as you know, only the government is proscribed from limiting speech: Individuals may limit what they hear and see however they like. AFAIK, *all* proposed antispam laws have supported the right of the recipient system administrators to filter mail as they see fit. This underscores the property trespass nature of spam: Again, the central point is that it uses others' resources without agreement or compensation.

Forgive me if you've heard these arguments before. I'd welcome clarification of EFF's position on this matter, or further discussion. And if there's anything I could do to help EFF prepare for a spam-related case, please let me know.

All the best,

--Tom Geller

P.S. I'm not asking that EFF take on antispam cases -- frankly, that seems somewhat incongruous with the rest of your activities. Rather, I ask that you reconsider the organization's position and clarify your understanding about the nature of spam.


Date: Thu, 2 Nov 2000 17:19:51 -0800
To: tom@tgeller.com
From: mech@@eff.org (Stanton McCandlish)
Subject: Re: Fwd: On EFF's spam position
Cc: cindy@@eff.org, ssteele@@eff.org
[Mr. Geller, your concerns were forwarded to me since I've covered spam policy matters for EFF for a number of years now.]

Addressing these points in order:

  1. It's very unlikely that the junk fax law would withstand constitutional scrutiny, given the right plaintiffs. The law remains on the books (though largely unenforced, since it only enables civil actions) because no one with a legitimate complaint has challenged it. (The problem with it is overbreadth - it does not regulate ONLY truly commercial fax spam, and could affect political and religious fundraising, for example, which would probably trigger First Amendment safeguards). Spam is the same way. It is, as it turns out, very difficult to write an anti-spam law that will ONLY affect non-religious and non-political, purely commercial messages. No state (nor Congress) has done so successfully yet (though, again, most of the anti-spam laws so far passed remain in force because no one's been sufficiently motivated to challenge them). This is not to say that the First Amendment or the government would be or should be "endorsing" political or religious junk faxes (or spam). Rather, the issue is that the First Amendment exists to prevent the govt. having authority to censor political or religious expression generally, with virtually no exceptions, because it is dangerous to grant the state any power in this area at all, due to the "slippery slope" effect that leads to greater and greater restrictions. This is the essence of the problem with anti-spam laws. If they are allowed to stand, they open the door to more and more regulations (of explicit content, of "annoying" e-mail, of "dirty words", politically incorrect ideas, etc.)

  2. This case is oft-cited, but of questionable relevance. Unless you are your own ISP, your mail is not in your home, it's on your ISP's servers. You then bring it into your home. It's just not quite the same. Your brick analogy doesn't hold water (what would be wrong with throwing ads tied to bricks through people's windows would be destruction of property and endangering people on the other side of the window, neither of which apply to spam.) The ISP damages argument is not particularly strong either. That ISPs have significant expenses incurred because of spam does not automatically make it a legislative issue. By way of analogy, nightclubs employ bouncers to deal with rowdy, tipsy patrons, and this is a very significant expense. Yet, being tipsy and rowdy (below the level of public nuisance, harassment or drunk & disorderly conduct) is not a crime and shouldn't be a crime. It's essentially a private matter between the patron and the club. The ISP expense dealing with spam is simply a fact of the marketplace, in many analyses. A closer-to-home analogy might be the expenses direct marketers sustain (which are definitely significant) weeding out incorrect information from their databases. Under the ISP-costs logic, it should also be illegal to give a fake name, address or other information to any web site that asks you for personal information. This is an example of the "slippery slope", otherwise known as "the road to Hell is paved with good intentions." The real solution is probably for ISPs to have much better contracts with their users, and limits on new accounts, and to also have agreements with their upstream providers (NSPs) and for NSPs to have agreements with each other, such that NSPs can take a complaint from downstream system X that received a bunch of spam from system Y and expect actual results from system Y, because system Y's NSPs can cut them off if they don't deal with the problem. 
This is going to take some summits and meetings and the like to draft up good model policies, and an industry-wide push to get them into play. Couple something like that with increasingly effective filtering technologies like Brightmail, etc., and spam could pretty quickly be a thing of the past for the most part. (And that's all that's really needed. Spam is only a problem inasmuch as it is everywhere and constant. None of us would be particularly harmed by, say, 2 spams per week. It's 30 per day that causes problems.)

  3. See point 1 above.

  4. Precisely because ISPs and individuals can install filtering systems (many of which are free, and fairly effective - I've used a variety of freebie procmail filters myself for some time), there is less compelling government interest in regulating e-mail. Even though the courts support the notion that people have a right to avoid expression they do not want to hear/see, there is no right to "never see/hear anything you don't want to". As for the property trespass argument, it is one we do not fully agree with. The Intel v. Hamidi case is the principal reason why; while we do not entirely side with Hamidi, we cannot buy Intel's argument either, which amounts to "if we don't want you to send a message to one or more of our employees, you may be sued by us if you do so anyway." The potential negative consequences of that are immeasurable. But, I needn't get into the details of that right now. Suffice it to say that the property trespass argument is an exercise in metaphor. Like all metaphors, it breaks down, severely, at some point (several, actually). It can be useful in *beginning* to think about what to do about spam, who owns e-mail, what rights an ISP has vs. senders and recipients of traffic that pass through the ISP, what privacy rights someone has with regard to their e-mail inbox, etc., etc.; but the analogy to real estate is not the be-all and end-all of those debates, only a shaky starting point.

So, anyway, yes we have heard these arguments before (we've *made* several of them ourselves, early on), and many of the questions they raise remain unanswered. Ultimately it really comes down to a choice between having an open, free Internet in which there are some abusers who we can filter out, or having a closed, heavily regulated, censored SnoopNet in which no one has any privacy whatsoever (after all, you can't punish a spammer you can't identify.)

EFF's [anti-]spam policy, inasmuch as we have one at this point, could be summed up:



  • This is a social and technical issue, not a legal one, in most aspects; not enough development has happened on the technical side yet, nor within existing legal structures (e.g., better and standardized ISP user agreements that hold spammers more directly liable for ISP damages.) The global nature of the net guarantees that a US legislative ban on spam will do nothing to solve the problem (just as existing state-level spam laws have done nothing.)

  • While there probably is room for some new law (mostly tweaks to existing law), all of the anti-spam bills we have seen to date a) do not actually solve the problem, and b) are badly written and will harm legitimate free speech interests. We have yet to see one that we believe will pass constitutional examination.

  • Spamming is a problem, but like other problems a knee-jerk and poorly crafted "solution" will cause more problems than it will solve; we do not want a "cure" that is worse than the "disease".

EFF is essentially advocating caution and research at this point, and individual and ISP action, not new laws, unless and until a *proper* avenue of legislative action can be agreed upon in a general consensus, and it is implemented in ways that do not impinge upon free expression.

Another way of looking at it: We do not support spam (and we do not believe that spam is "free speech"); but, we cannot and do not support any legislative effort so far, because they go too far - they are vague and overbroad, among other problems. EFF remains interested in fostering dialog on the issue so that actual solutions can be arrived at, instead of pretend solutions that legislators offer so they can look like hip "cyberlegislators", knowing full well that their proposals will do nothing useful and will be struck down eventually. (Cf. the various mandatory library censorware bills - it's the exact same pattern. It gets the sponsors' names in the paper and it lets them tell constituents that they are "doing something" about this hot new topic, but it's basically a sham.)

P.S. Something I had forwarded to me from someone else (anonymized). This is a state regulator/enforcer basically saying the same thing - it's a global, technical problem and legislation isn't working:

Junk e-mail is an enormous problem on the internet, and it doesn't show any sign of abating. We receive numerous complaints every day about this, especially those concerned with either pornography, or obvious financial scams of one kind or another. Even legitimate business information can be a nuisance because of sheer volume. This problem is of a national and global nature, and doesn't lend itself well to action by a state agency like ours, which has limited jurisdiction and resources. Several states have enacted anti-spam legislation without much success. If the problem is to be solved, or at least lessened, it will have to be done through a combination of federal legislation and self-policing by the web community. So far legislation hasn't done much, so perhaps the latter option is the most viable. With that in mind, I was heartened to see an article in a recent Startribune, which told about a free, private outfit called Spamcop, which is dedicated to eliminating this scourge. You can reach them at: www.spamcop.net. Other organizations for citizens concerned about spam abuse are the Coalition Against Unsolicited E-Mail (CAUCE) and Junkbusters. They are sources of a great deal of useful information about the elimination of spam. I encourage you to check them out at: www.cauce.org and www.junkbusters.com. Please let me know if you have any success.

Sincerely,

[deleted] Consumer Protection Division
Office of [deleted], Attorney General
State of [deleted]

--
Stanton McCandlish      mech@@eff.org       http://www.@eff.org/~mech
Advocacy Director/Webmaster          Electronic Frontier Foundation
voice: +1 415 436 9333 x105                    fax: +1 415 436 9993
EFF, 454 Shotwell St.                    San Francisco CA 94110 USA


Date: Sat, 4 Nov 2000
To: mech@@eff.org (Stanton McCandlish)
From: Tom Geller
Subject: Re: Fwd: On EFF's spam position
Cc: cindy@@eff.org, ssteele@@eff.org

At 5:19 PM -0800 11/2/00, Stanton McCandlish wrote:

>1)  It's very unlikely that the junk fax law would withstand
>constitutional scrutiny, given the right plaintiffs.
I think those last five words are the key. Junk fax laws (and by extension spam laws) are in a divided area of the law: Their fates rest largely with their test cases, and the judges that decide on them.

>The law remains on the books (though
>largely unenforced
I believe plaintiffs have prevailed -- and collected -- in several dozen cases, although many are in small-claims courts (and therefore set no precedent), and most seem to be settled before trial.

>since it only enables civil actions) because no one
>with a legitimate complaint has challenged it.  (The problem with it is
>overbreadth - it does not regulate ONLY truly commercial fax spam, and
>could affect political and religious fundraising,
I'll have to reread the TCPA. (I'm writing this from a motel room with no data port on the phone.) All the spam laws IIRC are specific to commercial e-mail.

>for example, which
>would probably trigger First Amendment safeguards).  Spam is the same
>way.  It is, as it turns out, very difficult to write an anti-spam law
>that will ONLY affect non-religious and non-political, purely
>commercial messages.
Whyso? They seem to have already done so quite well, using established definitions of "commercial".

>No state (nor Congress) has done so successfully
>yet (though, again, most of the anti-spam laws so far passed remain in
>force because no one's been sufficiently motivated to challenge them).
>This is not to say that the First Amendment or the government would be
>or should be "endorsing" political or religious junk faxes (or spam).
>Rather, the issue is that the First Amendment exists to prevent the
>govt. having authority to censor political or religious expression
>generally, with virtually no exceptions, because it is dangerous to
>grant the state any power in this area at all, due to the "slippery
>slope" effect that leads to greater and greater restrictions.  This is
>the essence of the problem with anti-spam laws.  If they are allowed to
>stand, they open the door to more and more regulations (of explicit
>content, of "annoying" e-mail, of "dirty words", politically incorrect
>ideas, etc.)
You assert that antispam laws endanger political and/or religious speech, but my understanding is that the division between those and commercial speech has been largely settled for dozens of years. "Commercial" messages carry with them an offer to enact commerce (i.e. sell or buy), or lead to an offer to enact commerce. Please correct me with citations if I'm mistaken.

>2) This case is oft-cited, but of questionable relevance.  Unless you
>are your own ISP, your mail is not in your home, it's on your ISP's
>servers.
In this statement -- and many that follow it -- I believe you're mistaken about how many people get their mail. I'd estimate that there are tens of thousands of people in the U.S. running their own mail servers. And this number will only grow as inexpensive, consumer-grade high-speed connections (such as DSL) enable more people to run servers at home. And with the division between "mail client" and "mail server" blurring with every release of Outlook Express, more people will run servers without even knowing they're doing so. (Consider the spread of peer-to-peer systems such as Napster as an example.)

>You then bring it into your home.  It's just not quite the
>same.  Your brick analogy doesn't hold water (what would be wrong with
>throwing ads tied to bricks through people's windows would be
>destruction of property and endangering people on the other side of the
>window, neither of which apply to spam.)
Your inexperience about system administration undermines your point.

Spam, when practiced at a high enough level, is absolutely indistinguishable from a denial of service attack. I recently had to up my monthly bandwidth bill from $80 to $250/month, largely because of such attacks. If I were paying a system administrator, time lost would be in the hundreds of dollars per month. If only someone would take away the spam and replace it with a brick through my window once in a while! It would impact me and my business much less.

>The ISP damages argument is
>not particularly strong either.  That ISPs have significant expenses
>incurred because of spam does not automatically make it a legislative
>issue.  By way of analogy, nightclubs employ bouncers to deal with
>rowdy, tipsy patrons, and this is a very significant expense.  Yet,
>being tipsy and rowdy (below the level of public nuisance, harassment
>or drunk & disorderly conduct) is not a crime and shouldn't be a crime.
I'm glad we agree that it's a matter of quantity, not quality. Consider your phrase, "below the level of public nuisance...". At what level must spam be before you'll consider it worthy of legislation? When I'm forced to upgrade to a $500/month connection? A $1,000/month connection? [snip large section that uses the same logic]
>The real solution is
>probably for ISPs to have much better contracts with their users, and
>limits on new accounts, and to also have agreements with their upstream
>providers (NSPs) and for NSPs to have agreements with each other, such
>that NSPs can take a complaint from downstream system X that received a
>bunch of spam from system Y and expect actual results from system Y,
>because system Y's NSPs can cut them off if they don't deal with the
>problem.
Yep, and that's exactly the way the market works now. Unfortunately, it takes only one bad ISP to ruin it for everyone. Spammers quickly discover which ones are "bulk friendly" and flock to them. Sometimes UU.NET is a bit lax on enforcement, despite their antispam policies -- so the spammers go there. The next month, it might be Sprintlink... you get the picture.

>This is going to take some summits and meetings and the like
>to draft up good model policies, and an industry-wide push to get them
>into play.  Couple something like that with increasingly effective
>filtering technologies like Brightmail, etc., and spam could pretty
>quickly be a thing of the past for the most part.
I led a panel at ISP Forum in Atlanta two years ago about this very point, "technical solutions for spam". What's become painfully clear since then is that even the best filtering systems are only partially effective, and that there's a constant arms race. Why should we be forced into it? Not even the folks at Brightmail believe their system eliminates spam -- or even that they cut it down to a level tolerable to all.

>(And that's all
>that's really needed. Spam is only a problem inasmuch as it is
>everywhere and constant.  None of us would  be particularly harmed by,
>say, 2 spams per week.  It's 30 per day that causes problems.)
That's the current level. What's your point?

>4) Precisely because ISPs and individuals can install filtering systems
>(many of which are free, and fairly effective - I've used a variety of
>freebie procmail filters myself for some time), there is less
>compelling government interest in regulating e-mail.
See above. You're badly mistaken about (a) the effectiveness of filters, and (b) the cost issues involved. If you filter on the SMTP DATA level, the message has to completely come through before it can be blocked -- so the bandwidth is already stolen.

[snip section that largely repeats previous points]

>* This is a social and technical issue, not a legal one,
I would argue that social remedies in this case are ineffective without legislative backing.

>in most
>aspects; not enough development has happened on the technical side yet,
According to virtually all programmers and system administrators, it never will.

>nor within existing legal structures (e.g., better and standardized ISP
>user agreements that hold spammers more directly liable for ISP
>damages.)
Perhaps EFF should pair its antilegislative stance on spam with a call for responsibility on the ISP side.

>The global nature of the net guarantees that a US
>legislative ban on spam will do nothing to solve the problem (just as
>existing state-level spam laws have done nothing.)
The saddest part of the spam problem is this: The "technical solutions" you name above already cause *entire nations* to be blackholed in thousands of servers around the world. Many postmasters have received only spam from .cn and .kr, so they dump all mail from those TLDs in the trash.

>* While there probably is room for some new law (mostly tweaks to
>existing law), all of the anti-spam bills we have seen to date a) do
>not actually solve the problem, and b) are badly written and will harm
>legitimate free speech interests.
I agree that most are badly written, but for different reasons.

>We have yet to see one that we
>believe will pass constitutional examination.
We disagree. But hey, I'm just a dumb ol' layman.

>EFF is essentially advocating caution and research at this point,
I hope you'll learn to craft your messages better over time. That's not what's coming across.

>Another way of looking at it: We do not support spam (and we do not
>believe that spam is "free speech"); but, we cannot and do not support
>any legislative effort so far, because they go too far - they are vague
>and overbroad, among other problems.
Then why the hell hasn't EFF become involved in crafting legislative language? I'd be happy to make introductions that would make this possible.

[snip]

On another note, you quote [deleted], and write:

>Something I had forwarded to me from someone else (anonymized).  This
>is a state regulator/enforcer basically saying the same thing - it's a
>global, technical problem and legislation isn't working:
Mr. []'s message is ill-informed in many ways. For one, he's rather ignorant of the purposes of CAUCE, Junkbusters and Spamcop.net. His understanding comes from reading an article about them: That's like saying you can fly a plane because you saw one once. I know people involved with all three organizations, and can guarantee that they'd disagree violently with his assertions and conclusions.

I hope that this discussion can continue, preferably in a public forum. In any case, thanks for writing and I look forward to hearing from you again.

--Tom Geller


[Ed note: Sorry, I don't have the time to convert the rest to HTML.]



X-Sender: mech@va.@eff.org
Date: Mon, 27 Nov 2000 14:49:03 -0800
To: Tom Geller 
From: mech@@eff.org (Stanton McCandlish)
Subject: Re: Fwd: On EFF's spam position

Warning: Lo-o-o-ong message...


At 12:15 AM -0800 on 11/26/00, Tom Geller wrote:
> At 5:19 PM -0800 11/2/00, Stanton McCandlish wrote:
>
>>1)  It's very unlikely that the junk fax law would withstand
>>constitutional scrutiny, given the right plaintiffs.
>
> I think those last five words are the key. Junk fax laws (and by
> extension spam laws) are in a divided area of the law: Their fates
> rest largely with their test cases, and the judges that decide on
> them.

Correct.  There are almost zero non-commercial junk faxers, anywhere,
period. This is not true of spammers.  There are a multitude of
religious and political spammers (as I'm sure you know - I think
everyone on the Net, pretty much, got political spam this election
season!)  I believe any such defendant under a spam law modelled on the
junk fax law could easily knock the case out of the ballpark, because
the lower standard of First Am. scrutiny applied to "commercial speech"
(which really means advertising, not all speech that happens to be
commercial in some way) would not apply to them.

I don't see any point in passing, and cannot support, a law that will
simply be overturned.  I don't see any point in passing and cannot
support a law that will not actually solve, or even help, the problem
it attempts to address.  The junk fax law does not stop junk faxers (we
get junk faxes every week).  Even if an anti-spam law had criminal
provisions, it would not stop spamming. An increasing amount of spam
(about 40% or higher[*], judging by what I get in my own inbox) is
non-US, and not covered by US law.  This percentage is increasing.  And
even US spammers would hardly be deterred.  Most of them are scam
artists running frauds and borderline frauds, anyway.  They are already
scofflaws.

[* A typical "spam day" for me is, say, 15-25 English-language spams,
of which probably 90% are US-based entities' output, the rest from
Canada, UK, Australia, etc.; 5-12 Chinese; 3-5 Latin American; 1-3
Japanese; 1-2 Russian; 0-2 misc.  Let's see... using these guestimates,
I get a low range of roughly 14 US spams to 11 foreign, and a high end
of about 23 US vs. 24 foreign.  40% wasn't too bad a guess.]

This is, at its heart, a technical, not legal, issue, in my opinion.
(Well, it is legal in the sense that ISPs need better contracts with
users, and NSPs/backbones need better contracts with local ISPs, etc.;
I mean that it is not a problem needing, or soluble, with legislative
attention.)

>>The law remains on the books (though
>>largely unenforced
>
> I believe plaintiffs have prevailed -- and collected -- in several
> dozen cases, although many are in small-claims courts (and therefore
> set no precedent), and most seem to be settled before trial.

Which means squat. :)  It is not a deterrent at all.  It's not worth
much of anyone's time, money and effort to sue a fax-spammer, or
there'd be thousands of such cases, and it WOULD be a deterrent.

>>since it only enables civil actions) because no one
>>with a legitimate complaint has challenged it.  (The problem with it is
>>overbreadth - it does not regulate ONLY truly commercial fax spam, and
>>could affect political and religious fundraising,
>
> I'll have to reread the TCPA. (I'm writing this from a motel room
> with no data port on the phone.) All the spam laws IIRC are specific
> to commercial e-mail.
>

That's a laugh.  EVERY spam law/bill I have looked at, which is
probably 90% of them, fails dismally to define "commercial" or
"advertising" (or whatever term it uses) in a way that will not affect
political, religious and other speech.  Just because they use the word
"commercial" somewhere does not mean that their definitions are
adequate.  I've yet to see one that I believe will withstand
constitutional muster.  I rather suspect it may be impossible to write
one, frankly.  And even if it did, it is not responsive to the problem,
anyway.  Spam is not problematic because it is commercial (lots of
speech is commercial, and lots of spam is not commercial).  It is
problematic because it is a) bulk, b) unsolicited (and not opted IN to
rather than OUT of), and c) sent by almost entirely unaccountable and
unresponsive parties (when they can be identified at all).

>>for example, which
>>would probably trigger First Amendment safeguards).  Spam is the same
>>way.  It is, as it turns out, very difficult to write an anti-spam law
>>that will ONLY affect non-religious and non-political, purely
>>commercial messages.
>
> Whyso? They seem to have already done so quite well, using
> established definitions of "commercial".

They may look like good definitions to the layperson.[*]  I assure you
they are not.

[* NB: I am not an attorney, but I know more about First Am. law, from
7+ years direct experience with cases and legislation, than probably
90% of lawyers who are not First Amendment specialists or legal
scholars, and I work daily with several who are, so I have some basis
from which to consider myself a non-layman.]

>>No state (nor Congress) has done so successfully
>>yet (though, again, most of the anti-spam laws so far passed remain in
>>force because no one's been sufficiently motivated to challenge them).
>>This is not to say that the First Amendment or the government would be
>>or should be "endorsing" political or religious junk faxes (or spam).
>>Rather, the issue is that the First Amendment exists to prevent the
>>govt. having authority to censor political or religious expression
>>generally, with virtually no exceptions, because it is dangerous to
>>grant the state any power in this area at all, due to the "slippery
>>slope" effect that leads to greater and greater restrictions.  This is
>>the essence of the problem with anti-spam laws.  If they are allowed to
>>stand, they open the door to more and more regulations (of explicit
>>content, of "annoying" e-mail, of "dirty words", politically incorrect
>>ideas, etc.)
>
> You assert that antispam laws endanger political and/or religious
> speech, but my understanding is that the division between those and
> commercial speech has been largely settled for dozens of years.

This is not really true or applicable here for a number of reasons,
including a bad fit between new media and old laws, new issues raised
by the Internet, the nature of the speech in question, and the exact
differences between legal categories and the agencies responsible for
enforcing them. For example, the FCC has the authority to enforce
"indecency" restrictions in broadcasting and telephonic services, where
such restrictions would not be constitutional in print; etc. - The
Supreme Court is fallible, and First Amendment law is a very tricky,
messy snarl of conflicting and often rather impenetrably reasoned
precedents from multiple jurisdictions and in widely divergent media.
Some recent examples of "no brainer" First Amendment cases gone
horribly awry include the Finley v. NEA case, and various "pedmount"
newspaper rack cases, and the failed (so far) challenge against the
"morphed child porn" law, among many others. (None of them are directly
relevant to the spam law issue, but that's not the point. The point is
that First Amendment law is constantly changing, often for the worse -
typically drawing on questionable analogies from one area, field, or
medium to another, and one cannot accurately predict what strange
decisions the courts will come up with.  Things have come (fallen?) a
long way since the time of Brandeis, and we do not have a consistently
First Amendment-friendly Court today.

So, it is not nearly so black and white as commonly believed.

And again, there is no principle that any/all commercial speech is less
protected than other kinds of speech; only advertising is, which leaves
anti-spam laws vulnerable if they do not adequately define
"advertising" (which none that I know of do, at present.)

Anti-spam laws/bills are typically flawed in many other ways.  Some
examples include enabling only civil actions (no real deterrent),
failing to enable civil actions as well as criminal ones (no way for
ISPs to recover costs), failing to enable any action by users, only by
ISPs, consistent failure to define spam as unsolicited [commercial]
BULK e-mail (remember, spam is only a problem because it is BULK,
unsolicited, and unaccountable; Congress has precisely zero legit
interest in regulating single, personally-targeted business-to-person
messages, whether they are advertising or not), and often major, major
technological problems, such as attempting to dictate new Internet
technical standards such as new headers (this is IETF's job) or
dictating what must go in the Subject line.  I could go on.  The typical
spam bill I look at has about 10-40 such problems.

> "Commercial" messages carry with them an offer to enact commerce
> (i.e. sell or buy), or lead to an offer to enact commerce. Please
> correct me with citations if I'm mistaken.

Frankly, I don't have time to do a full paper/analysis on this.  If
there is a huge public outcry for EFF to take an official position on
spam and defend that position, I'll write a white paper or something.

The short version of what's wrong with your argument is that the
definition (which is usually less precise than what you write above) is
not a ding an sich, but is dependent on its context.  Even a fairly
good definition like yours will be unconstitutional if it does not
specifically exempt political, religious and personal expression (or so
narrowly define what sort of entities it applies to as to effectively
exclude such categories).  I'm aware of NO anti-spamming legislation,
anywhere, that has come close.  And again, the very fact that none of
these bills apply to bulk-only mailings makes them Constitutionally
suspect right off the bat, no matter what the definitions in them are.
One of the main problems with EVERY anti-spam bill I've examined to
date is that they inadequately define to whom they apply, not just to
what kind of speech they apply. Both of these things matter, a lot, for
First Amendment analysis (especially the vagueness and overbreadth
doctrines).  Speaking of doctrines, prior restraint is also possibly at
play here, more or less likely depending on how vague or specific the
legislation in question is.

Another problem is the effectiveness test.  Even the Supreme
Court-permitted restrictions here and there on commercial advertising
are tied to a requirement that they *effectively* address a legitimate
government concern.  No spam bill will, or can, be effective, for
fairly obvious reasons of insufficient deterrence and lack of
jurisdiction, so such a bill is automatically constitutionally
suspect again.  Laypersons are often confused on this point.
Effectiveness requirements are not frequently encountered (for example,
laws against murder are constitutional, even though there are still
lots of murders that go undeterred.)  They are a feature of First
Amendment jurisprudence however.  (One surmises that this is part of
the compromise the Supreme Court came to when bastardizing the clear
words, "Congress shall make no law...")  The effectiveness clause does
apply to intermediate scrutiny (as in regulation of commercial
advertising), as well as strict scrutiny.

>>2) This case is oft-cited, but of questionable relevance.  Unless you
>>are your own ISP, your mail is not in your home, it's on your ISP's
>>servers.
>
> In this statement -- and many that follow it -- I believe you're
> mistaken about how many people get their mail. I'd estimate that
> there are tens of thousands of people in the U.S. running their own
> mail servers.

Just like tens of thousands have their own fax machines, but there are
only a handful of junkfax cases per year (mostly by corporations, last
I looked, not individuals), and the law serves no deterrent purpose.[*]

[* Actually this is not quite true, and the difference is important, as
it has a lot to do with why the junk fax law is a bad model for
anti-spam legislation (though I do not believe there is any good
model).  The junk fax law was not passed to protect you and me.  It was
authored specifically to protect corporations who, in the days of
expensive thermal paper fax, were experiencing painful expenditures on
wasted fax paper due to receiving many, sometimes hundreds, of junk
faxes per day.  While the law is written broadly enough to enable
individual actions, the law is not specifically geared for them.  This
is perhaps a moot point from my perspective, because I do not believe
that an individual-empowering spam law, such as one enabling a minimum
recovery of $10000 per spam if you win your case against a spammer
(which would have both an encouraging effect on enforcement, and a
significant deterrent effect), whether or not there is a
company-protecting anti-spam law that lets companies recover actual
damages for system harm and other spam-related expenses, will ever be
useful, due to the global nature of the Net and the likelihood of any
such law being unconstitutional anyway.]

> And this number will only grow as inexpensive,
> consumer-grade high-speed connections (such as DSL) enable more
> people to run servers at home. And with the division between "mail
> client" and "mail server" blurring with every release of Outlook
> Express, more people will run servers without even knowing they're
> doing so. (Consider the spread of peer-to-peer systems such as
> Napster as an example.)

Fine and I may have to concede this one point in a few years, but I
don't think it makes much difference in the larger analysis.

>>You then bring it into your home.  It's just not quite the
>>same.  Your brick analogy doesn't hold water (what would be wrong with
>>throwing ads tied to bricks through people's windows would be
>>destruction of property and endangering people on the other side of the
>>window, neither of which apply to spam.)
>
> Your inexperience about system administration undermines your point.

I AM a system administrator.  I disagree with your analogy, as an
apples and oranges problem on several levels.  I do understand the
point behind it, which is that spam harms system operators as well as
users, of course.  It is a different issue.  Some spam bills attempt to
address it, others do not (some are entirely user-empowerment, others
ISP-empowerment, while some are both).

I think there is *possibly* some room for some VERY fine-tuned
adjustments to the law that could help out ISPs against spammers,
though in the end I think it is mostly going to be contractual, and not
a matter of new laws.  I'd like to see the industry deal with the
problem in contract law as much as possible (this was beginning to
happen, but has somewhat petered out at least for the time being,
largely because everyone's been focused on all this pointless
legislation, ironically!)

> Spam, when practiced at a high enough level, is absolutely
> indistinguishable from a denial of service attack.

Certainly (well, legally it is distinguishable, in that d.o.s. attacks
involve criminal intent to sabotage the system in question, whereas
spam "attacks" simply want a lot of mail delivered, and do not intend
to crash or render inoperable the system.  There's a scienter
difference.)

> I recently had to
> up my monthly bandwidth bill from $80 to $250/month, largely because
> of such attacks. If I were paying a system administrator, time lost
> would be in the hundreds of dollars per month. If only someone would
> take away the spam and replace it with a brick through my window
> once in a while! It would impact me and my business much less.

I'm sure.  I'll play quasi-devil's advocate, though, and suggest that
this is just tough cookies.  It is the reality, the market conditions,
the wind as it blows.  "Wouldn't it be nice if my bar didn't have to
employ bouncers; all these drunks sure are a pain in the ass".  "I
really hate all these compulsive, cheating gamblers. Sure wish my
casino didn't have to spend so much money training our dealers and
floor people to spot them." You makes your bed and you lies in it.  As
an ISP, part of the fact of doing business is that one's system will
have ebbing and flowing tides of traffic, which will sometimes include
very large waves.  I don't necessarily advocate this point of view, but
it's an increasingly common one, and worth mentioning since it is a
valid part of the debate.  But, I am beginning to lean toward thinking
this too is a technical problem, not a legal one, in the same way that
rowdy drunks at a bar are a "technical" (get some bouncers) problem,
not a legal one.  Systems need to be better able to detect and throttle
or cut off spamming attempts, both internal and external.  Development
on this front has been badly retarded by the hooplah surrounding the
various state & federal anti-spam bills, as if they'll actually do
anything useful.  And personally, I have far more sympathy for the
spam-harms-end-users arguments.   It costs money to be in business, and
that's just a tough fact.  (And for this particular part of the
analysis there's no effective difference between users that use
mail.yahoo.com and users who run their own real mail servers, since
they are not ISPs and do not get hit with the waves of spam that an ISP
does.  Well, I suppose they could, if they decided to run open mail
relays, which is not a good idea anyway, and is likely to get you
blacklisted by the 2 or 3 anti-spam blacklisting groups out there.
(FYI, I have a rather neutral opinion about those.  A friend of mine's
had trouble with them mislabelling him a spam haven because he keeps an
open relay that he closely monitors for abuse, but every so often some
spammer gets thru.  But, it's not mandatory to use those blacklists on
your system.  A toss up?)

As for the end-user problem, that again is principally a technical
problem (a need for better, easier filters).

From the *user* perspective spam is quite a different problem than from
the ISP perspective.  There, the problem is that you did not opt in
(you get at least one spam from every spammer who mails you, even in a
happy, magical world in which they would all remove you from their
lists if you asked them), and (in reality) can't opt out.  The first
problem is extremely thorny from a legal perspective, and enters both
very dangerous First Amendment territory and foggy, rough privacy
territory.  It opens the can-of-worms question of whether opt-in should
be required for all "commercial" use of personally identifiable contact
information, and this is a huge, raging debate that is far bigger than
the spam question, both nationally and internationally (cf. the EU Data
Protection Directive controversies), and not likely at all to be
resolved through dealing with the spam question because it is so broad.
The second problem, however, is a much simpler matter in theory,
because we already have law (harassment law, probably among others)
that already addresses it. Ironically, this "solution" shows precisely
why the typical user-empowerment anti-spam bill (just like
user-empowering use of the junk fax law) is effectively useless - it is
just too much bother for people to go after the harassing spammers who
won't opt you out, just like it is with junk faxers.  Only a handful of
people will do it (more direct, rather than junk-fax-analogy-based,
proof of this is in the very, very little use the WA and other
on-the-books anti-spam laws have gotten, and the lack of any deterrent
effect they have had, whatsoever.)  To a quasi-libertarian like me this
begs an important question:  Yes, everyone hates spam, but as a market
issue, is the demand for personal legal recourse high enough to warrant
legislative attention, and its attendant costs (of various sorts)?
Obviously not.  Another way of putting it: The world would be almost
precisely the same if the junk fax law had been more narrowly written
to provide remedies only to corporations, because almost no individuals
ever use it.

>>The ISP damages argument is
>>not particularly strong either.  That ISPs have significant expenses
>>incurred because of spam does not automatically make it a legislative
>>issue.  By way of analogy, nightclubs employ bouncers to deal with
>>rowdy, tipsy patrons, and this is a very significant expense.  Yet,
>>being tipsy and rowdy (below the level of public nuisance, harassment
>>or drunk & disorderly conduct) is not a crime and shouldn't be a crime.
>
> I'm glad we agree that it's a matter of quantity, not quality.

Which is indeed one of the crux problems of every anti-spam bill I've
seen to date.  They all go after the "quality" (the commercial nature)
of spam, which they always misdefine, rather than its quantity (the
bulk nature of real spam).

> Consider your phrase, "below the level of public nuisance...". At
> what level must spam be before you'll consider it worthy of
> legislation? When I'm forced to upgrade to a $500/month connection? A
> $1,000/month connection?

Notably, the public nuisance, harassment, and drunk-and-disorderly
laws are not intended to, and are not written to, protect bars'
business interests at all, but rather those of individual members of
the public, "end users" by way of analogy.  The law takes no account of
the fact that, and does not care that, bars incur significant expense to
"police" their patrons internally, keep already-drunk people out of the
bar, etc.  In fact (and this is quite important) it is not only
expected but REQUIRED in most jurisdictions.  Bars, typically, are
legally liable if they knowingly serve alcohol to an
already-intoxicated person, should that person then do something
bad[*].  In many jurisdictions, including San Francisco, where I live,
bars can lose their liquor, entertainment and-or after-hours licenses,
if they do not employ enough security people to control drug
trafficking, gang violence, sexual assaults in the restrooms, etc.
Bars are just one example.  It is a fairly general underlying principle
of our legal system that people need to deal with their own problems to
the extent possible, and to continue trying even if new, special legal
recourse is made available to them.  One gets the sense that ISPs want
to have their cake and eat it too - they "want" [or are forced by how
the Internet works] to have open systems to which anyone can send and
from which anyone can receive mail, but they want the government to
police use of these systems, instead of them having to police it
themselves.  While I'm not 100% convinced of the argument I'm
advocating here, I am left feeling, "If you can't take the heat get out
of the kitchen [out of the ISP business]" about the matter.

[* I know this only too well; my grandmother who owned a bar was almost
ruined by a lawsuit by family members of a victim of someone allegedly
served well past the point of intoxication in her bar. Had it been
provable, there could have been criminal charges and loss of liquor
license too.]

Again, just because ISPs incur costs does not make it automatically an
issue that deserves legislative action or in which the govt. has any
legitimate interest.  The opposite could even theoretically be the case
- in a future dystopia in which the FCC has authority over the [US
portion of] the Net and in which ISPs are licensed, like radio
stations, the govt. could decide, as with bars or concert halls being
required to have security, or car manufacturers being required to do
product recalls on unsafe vehicles, that ISPs have *a legal
responsibility to deal with the issue themselves*, to protect their
customers!

>>[snip large section that uses the same logic]
>
>>The real solution is
>>probably for ISPs to have much better contracts with their users, and
>>limits on new accounts, and to also have agreements with their upstream
>>providers (NSPs) and for NSPs to have agreements with each other, such
>>that NSPs can take a complaint from downstream system X that received a
>>bunch of spam from system Y and expect actual results from system Y,
>>because system Y's NSPs can cut them off if they don't deal with the
>>problem.
>
> Yep, and that's exactly the way the market works now. Unfortunately,
> it takes only one bad ISP to ruin it for everyone.

This is not quite what I envision.

Here's what happens now:

Ima Major Asshole gets a free e-mail account, that she didn't have to
provide any legit contact information to get.

She sends out a massive spam.

Her ISP does not detect or throttle it, and neither does much of anyone else.

1,000,000 users get her spam.

Users and ISPs complain en-masse to her ISP.

Her ISP gives her a warning.

A handful of ISPs & users complain to her ISP's NSP or backbone.

The NSP/backbone ignores this.

She does it again.

Repeat cycle from spam send, until her ISP finally cuts her off.

Repeat cycle from start indefinitely, as she just gets a new, unlimited
newbie account for free from anywhere she wants one.  She is effectively
unaccountable unless and until someone tracks her down in meatspace,
which may prove impossible if she's a fly-by-nighter, which is very
likely.


In a better, tighter, system, it might go something like this:

Ima Major Asshole gets a free e-mail account that she didn't have to
provide any legit contact information to get.

She attempts to send out a massive spam.

Her ISP does not permit it, because free, unverified newbie accounts
have limits.

She gets a real account that she had to provide at least some probably
real information to get.

She sends out a massive spam.

Her ISP detects and throttles it; very little gets out.

Her ISP terminates her on the spot, bans her from the system, and
blacklists her.

Only 200 people got her spam, which was annoying to them (though they
won't get any more for a while, so it balances out), but didn't harm
any ISPs.

After a long search she finds an ISP that will accept her despite the
blacklisting.  It's a spam haven.

She sends out a massive spam.

Most ISPs detect and throttle it.  Only 10,000 people get the spam.

ISPs and end users complain to her ISP.  They do nothing. She does it again.

ISPs and users complain to her ISP's NSP.

They threaten the ISP, and nuke it right off the Net if they don't deal
with the problem within X amount of time.

If they don't, ISPs and users take up formal complaints with their
backbones. The backbones complain to the NSP's backbone (or some
intermediary "fat pipe".)  The backbone harboring the spammer has ZERO
interest in protecting a spam haven NSP and its spam haven ISPs, and
faces major connectivity lossage if they don't kill the NSP. So they
do.  Of course it shouldn't ever get this far up. NSPs would be on
(contractual) notice that they must kill spam haven ISPs or be killed
themselves, no questions asked.

She gets another freebie account, fake info.

She sends mini-spams, to 10 people per spam.

Her ISP detects and throttles this, kills the account.

She tries again, using another fake-info freebie account

She sends out crafty mini-spams, with different content in each.  After
weeks of labor at this, she realizes that she's getting a .001% return
just like always, but it's taking 400x longer to reach as many people.
After some quick math, she realizes she'd make better money begging on
the street corner and gets a real job.


This system would deal with rogue systems all the way up to the
national backbone level.


It's not happening because the user base and the ISP industry have some
pipe dream in their heads that Congress can magically fix a global
technical and contract-insufficiency problem.

> Spammers quickly
> discover which ones are "bulk friendly" and flock to them. Sometimes
> UU.NET is a bit lax on enforcement, despite their antispam policies
> -- so the spammers go there. The next month, it might be
> Sprintlink... you get the picture.

Yes, that is a problem, but with a better inter-system agreements
system in place, this would encourage better enforcement (expensive at
first, but not so later on, when the problem dies down; far cheaper in
the long run than perpetuation of the status quo).  Complementarily, it
would so reduce the amount of spam received by individuals AND systems,
that the few spams that did get through would no longer be problematic.
(Remember, spam is a problem because it is bulk - it's bulk all-at-once
on a per-spam basis for ISPs, and bulk in the aggregate on an
all-spam-you-get-each-day basis for end-user recipients.)


>>This is going to take some summits and meetings and the like
>>to draft up good model policies, and an industry-wide push to get them
>>into play.  Couple something like that with increasingly effective
>>filtering technologies like Brightmail, etc., and spam could pretty
>>quickly be a thing of the past for the most part.
>
> I led a panel at ISP Forum in Atlanta two years ago about this very
> point, "technical solutions for spam". What's become painfully clear
> since then is that even the best filtering systems are only partially
> effective, and that there's a constant arms race. Why should we be
> forced into it?

Because that is market reality.

> Not even the folks at Brightmail believe their system
> eliminates spam -- or even that they cut it down to a level tolerable
> to all.

You can't please everyone, anyway, so the point of the last comment
escapes me.  It also does for the reason that we do not have an
absolute right to be let alone, nor an absolute right to freedom from
others' expression, only limited and narrow rights in these areas.

>>(And that's all
>>that's really needed. Spam is only a problem inasmuch as it is
>>everywhere and constant.  None of us would  be particularly harmed by,
>>say, 2 spams per week.  It's 30 per day that causes problems.)
>
> That's the current level. What's your point?

That all that is really needed is a major reduction in spam, not total
or near-total elimination.  Just some efforts in system-to-system
contracting would go a long way toward that goal, while an anti-spam law
will take us approximately .0001% closer to that goal.

>>4) Precisely because ISPs and individuals can install filtering systems
>>(many of which are free, and fairly effective - I've used a variety of
>>freebie procmail filters myself for some time), there is less
>>compelling government interest in regulating e-mail.
>
> See above. You're badly mistaken about (a) the effectiveness of
> filters,

I beg to differ.  Before I ran out of time to maintain my procmail
filter with weekly TAG and Spam Bouncer upgrades, only about 2 spams
per day got through, which is quite manageable.  If we were an ISP, we
could have someone on staff do this job, for all users. *I* ran out of
time for it because I'm a sysadmin, and a webmaster, and policy
analyst, AND an activist, AND...

See top of message - I think we need better and easier filters.
Procmail is a hardcore unix geek toy, and not suitable for general public
use.  But it does demonstrate that you can effectively filter out the
vast majority of spam.

> and (b) the cost issues involved. If you filter on the SMTP
> DATA level, the message has to completely come through before it can
> be blocked -- so the bandwidth is already stolen.

You forget that it can be filtered on the OUTGOING end, too.  And there
is more to it than just filtering in the usual sense.  Heuristics to
detect sneaky 10-at-a-time (or 1-at-a-time, or whatever) mass mailings
by spam scripts can help a lot. They could help even more if they were
smart enough to detect, say, 95% similar messages and the like.  If
most ISPs did this sort of thing, spam would already probably be a
non-problem.  Recipient-ISP filtering is not intended to stop spam for
the ISP, but for the ISP's end users, obviously, even today. It is a
customer service, a market differentiator (and, as you probably know,
BrightMail's business model - they provide this service so the ISP
doesn't have to.)

Which brings me back to my earlier point that all the attention and
hopes pinned on the anti-spam bills has mollified people away from
actually working on these other, potentially far more effective,
solutions as well.

>>[snip section that largely repeats previous points]
>
>>* This is a social and technical issue, not a legal one,

Sorry, that should have said "legislative", not "legal".

> I would argue that social remedies in this case are ineffective
> without legislative backing.

I'm not automatically opposed to ALL legislative backing. I do believe
that most if not all of the necessary backing already exists
(harassment is unlawful, sometimes illegal; contracts are enforceable;
etc.)  I do not have objections to legislative fine-tuning where
appropriate, to support the kind of system I've outlined.  Such
fine-tuning would be done on a case by case basis in context, as
necessary. That is not the current kind of legislative proposal, which
is a stupid "silver bullet" pretend-solution to the entire spamming
problem (well, the entire spamming problem as badly misconceived by
legislators and their staffs, who have no real idea what they are talking
about 99% of the time when it comes to the Internet and computers.)

>>in most
>>aspects; not enough development has happened on the technical side yet,
>
> According to virtually all programmers and system administrators, it
> never will.

"Virtually all"?  How do you know?   I know plenty who think otherwise.
It's not like I dreamed up "my" solutions in a vacuum.

I do not put much stock in such prognostications.  Programs are written
and systems are designed within market forces and real-world needs.
Spam laws will not stop spam, so those pressures will remain.

>>nor within existing legal structures (e.g., better and standardized ISP
>>user agreements that hold spammers more directly liable for ISP
>>damages.)
>
> Perhaps EFF should pair its antilegislative stance on spam with a
> call for responsibility on the ISP side.

That's under discussion internally (and has been for 2 years.  I'd like
to see some resolution on it, but this would be a big enough project
we'd need significant project-specific funding for it, and new hires.)

>>The global nature of the net guarantees that a US
>>legislative ban on spam will do nothing to solve the problem (just as
>>existing state-level spam laws have done nothing.)
>
> The saddest part of the spam problem is this: The "technical
> solutions" you name above already cause *entire nations* to be
> blackholed in thousands of servers around the world. Many postmasters
> have received only spam from .cn and .kr, so they dump all mail from
> those TLDs in the trash.

The credit system works on a similar basis.  So does the stock market.
So do trade embargoes.  So does much of real life.   Ideally, I think
this kind of pressure needs to be fine tuned - specific systems, not
TLDs need to be blocked, and specific ISPs targeted for peer pressure
from ISPs around the world.  Blocking the TLD is just plain stupid,
which I think anyone would realize on  a moment's notice.  ISPs that
blackhole significant chunks of the world are going to lose customers,
more and more as the world gets more and more "globalized".  User X is
going to get mighty pissed when all of a sudden his great aunt, who
just finally got online, in Russia can't e-mail him at his current ISP
any more.  And so on.  Some people, including sysadmins, will always do
stupid things.  It's a market issue.  The number of ISPs blackholing
entire country TLDs can't be very large, and must almost certainly be
declining (or destined to decline very soon, after a hypothetical
upcoming peak in the trend before people get pissed and complain more.)

This really doesn't worry me.  It's a short-term trend, and if done a
little more sanely, on a system-level, rather than nation-level, basis,
it already would begin to set in motion precisely the system I've
outlined. The first step must be getting ISPs who don't give a shit,
and users at those ISPs, who can pressure them, to start giving a shit,
because there are real consequences for being a spam haven.

>>* While there probably is room for some new law (mostly tweaks to
>>existing law), all of the anti-spam bills we have seen to date a) do
>>not actually solve the problem, and b) are badly written and will harm
>>legitimate free speech interests.
>
> I agree that most are badly written, but for different reasons.

Oh, I'd bet we'd agree on all of those reasons too!

>>We have yet to see one that we
>>believe will pass constitutional examination.
>
> We disagree. But hey, I'm just a dumb ol' layman.

Hardly a dumb one - you evidently know a lot more about First Amendment
law than most non-lawyers, I'll definitely grant you that.  The reasons
we think they're unconstitutional are pretty technical and non-obvious
at first glance.

As for the disagreeing, yes [though perhaps less so, now?], but I'm
used to disagreeing on this issue with the majority.  CAUCE seems to
have won the world's hearts and minds (though at Spam Roundtable II in
SoCal, their rep (forget his name; the more moderate co-founder, not
Hazen-Muller) called for much of what I'm calling for here, and was far
less gung ho about the legislative angle, though still in support of
it.  A coalition that could have gotten "my" ball rolling started to
form there, but the self-appointed leader of it completely dropped the
ball.  Given more time I would probably do this myself, but if EFF's
going to do it, it's got to be with more staff and more funding. It'd
be a HUGE project.

>>EFF is essentially advocating caution and research at this point,
>
> I hope you'll learn to craft your messages better over time. That's
> not what's coming across.

OK. I can take that. :)

>>Another way of looking at it: We do not support spam (and we do not
>>believe that spam is "free speech"); but, we cannot and do not support
>>any legislative effort so far, because they go too far - they are vague
>>and overbroad, among other problems.
>
> Then why the hell hasn't EFF become involved in crafting legislative
> language?

It's not something we do, really.  We used to do that historically (ca.
1991-5) but it burned us almost every time.  We are OK with consulting
a little bit on legislative language (mostly what's wrong with it,
rather than recommending legislation), but we've been more or less
totally cut out of this issue on The Hill, and undermined in efforts to
get egregiously problematic language changed. Another factor against us
"becom[ing] involved in crafting legislative  language" on this issue
is that we by-and-large don't agree with the notion that this problem
can be fixed legislatively. And there are disagreements on the Board as
to what our position should be.

> I'd be happy to make introductions that would make this
> possible.

I'll keep that in mind. (Seriously; I'm going to file this in my
eff-spam mbox so I don't lose it, should the Board ever agree and we do
move on this issue.)

> [snip]
>
> In another message you quote [deleted], and write:
>
>>Something I had forwarded to me from someone else (anonymized).  This
>>is a state regulator/enforcer basically saying the same thing - it's a
>>global, technical problem and legislation isn't working:
>
> Mr. []'s message is ill-informed in many ways. For one, he's
> rather ignorant of the purposes of CAUCE, Junkbusters and
> Spamcop.net. His understanding comes from reading an article about
> them: That's like saying you can fly a plane because you saw one
> once. I know people involved with all three organizations, and can
> guarantee that they'd disagree violently with his assertions and
> conclusions.

Fair enough.

> I hope that this discussion could continue, preferably in a public
> forum. In any case, thanks for writing and I look forward to hearing
> from you again.

Hope this doesn't drown you...

--
Stanton McCandlish      mech@@eff.org http://www.@eff.org/~mech
Advocacy Director/Webmaster          Electronic Frontier Foundation
voice: +1 415 436 9333 x105                    fax: +1 415 436 9993
EFF, 454 Shotwell St.                    San Francisco CA 94110 USA



From: tom@tgeller.com
To: mech@@eff.org
Date: 4 December 2000

>Warning: Lo-o-o-ong message...

I'll say! :) Mine will be much, much shorter. But again, I appreciate
your attention. It's obvious you care about this issue: To me, that's
more important than whether we're on the same side of it. :)

(I snipped some parts of your message throughout for brevity.) You
write:

>There are almost zero non-commercial junk faxers, anywhere,
>period. This is not true of spammers.

Our experiences differ tremendously. A quick look through my Spam
archives shows that I received about 200 spams in November: I can't
remember a single one of them being non-commercial. So your statements
distinguishing fax abuse from e-mail abuse by content, in my
experience, don't stand up.

Besides which, I believe we agree on one point: The content is
irrelevant, as it's the *medium* that's abusive. Going back to my
brick-through-the-window analogy, I don't care whether that brick
carries news of the second coming or an ad for car tires. My window's
still broken.

Which brings us to the crux of the problem: defining abuse. As you
know, there are two commonly given definitions for spam: unsolicited
COMMERCIAL e-mail, and unsolicited BULK e-mail. I'm more in favor of
legislation that allows recipients to go after the second... but
there's a problem. If you receive only one copy, and your brother
receives only one copy, how can you prove it's "bulk"?

>I don't see any point in passing, and cannot support, a law that will
>simply be overturned.  I don't see any point in passing and cannot
>support a law that will not actually solve, or even help, the problem
>it attempts to address.  The junk fax law does not stop junk faxers (we
>get junk faxes every week).

Did you have a fax machine in 1989, before the TCPA was passed? I
think those who have seen its effects would disagree with your
assessment of the law's benefits. (I've received maybe a handful of
junk faxes in the years I've had a fax machine, but that was since the
TCPA.)

>Even if an anti-spam law had criminal
>provisions, it would not stop spamming. An increasing amount of spam
>(about 40% or higher[*]

How are you judging these national figures? By the last relay raped?

In my experience, about 40 percent comes through foreign relays, but
*over 95 percent advertises U.S.-based businesses*. These are
prosecutable.

>EVERY spam law/bill I have looked at, which is
>probably 90% of them, fails dismally to define "commercial" or
>"advertising" (or whatever term it uses) in a way that will not affect
>political, religious and other speech.

And I'm fine with that. Again, the medium is where the abuse lies, not
the content. Besides, I'm sure you've heard the old saw: If we feared
passing laws because of potential abuses, we'd have no laws at all.

But let's look through a few, just for fun. California's B&P 17538.45
says:

"Electronic mail advertisement" means any electronic mail message, the
principal purpose of which is to promote, directly or indirectly, the
sale or other distribution of goods or services to the recipient.

HR 3113 (passed House, died in Senate) says:

COMMERCIAL ELECTRONIC MAIL MESSAGE.--The term "commercial electronic
mail message" means any electronic mail message that primarily
advertises or promotes the commercial availability of a product or
service for profit or invites the recipient to view content on an
Internet web site that is operated for a commercial purpose. An
electronic mail message shall not be considered to be a commercial
electronic mail message solely because such message includes a
reference to a commercial entity that serves to identify the
initiator.

One state law chosen at random (Illinois) says:

"Electronic mail advertisement" means any electronic mail message, the
principal purpose of which is to promote, directly or indirectly, the
sale or other distribution of goods or services to the recipient.

...and finally, the TCPA says:

The term "unsolicited advertisement" means any material advertising
the commercial availability or quality of any property, goods, or
services which is transmitted to any person without that person's
prior express invitation or permission.

These all look good to me. In what way would ANY of these unduly
restrict non-commercial speech?

In short, I believe the potential for abuse of laws like these is too
small to stand in the way of their benefits.

>Spam is not problematic because it is commercial (lots of
>speech is commercial, and lots of spam is not commercial).  It is
>problematic because it is a) bulk, b) unsolicited (and not opted IN to
>rather than OUT of), and c) sent by almost entirely unaccountable and
>unresponsive parties (when they can be identified at all).

Agreed.

>Anti-spam laws/bills are typically flawed in many other ways.

I agree, although I think California's Business and Professions Code
17538.45 probably comes closest to being "right". (If only it gave
private right of action to end recipients...)

So, O.K. You think the laws stink. What have you done about it, other
than stand on the sidelines and do a Jay Sherman ("The Critic")
impression? ("It STINKS! It STINKS! It STINKS!" :) )

>The short version of what's wrong with your argument is that the
>definition (which is usually less precise than what you write above) is
>not a ding an sich, but is dependent on its context.  Even a fairly
>good definition like yours will be unconstitutional if it does not
>specifically exempt political, religious and personal expression (or so
>narrowly define what sort of entities it applies to as to effectively
>exclude such categories).

This is one reason I take the "property damage" line rather than the
softer "privacy" line, myself. Back to the brick analogy, freedom of
religious or political speech has nothing to do with it. My $5,000 of
computer equipment and $400/month telco bill is what's at issue.

>Another problem is the effectiveness test.

Since we disagree on the effectiveness of the closest living relative
to proposed spam bills (the TCPA), we again have to disagree here.

>I think there is *possibly* some room for some VERY fine-tuned
>adjustments to the law that could help out ISPs against spammers,
>though in the end I think it is mostly going to be contractual, and not
>a matter of new laws.

This discussion has definitely made me think more seriously about the
responsibilities of the *originating* ISP. I agree that they have
failed in several duties, namely:

1) To get good information from their users. (It's too easy
   to sign up for a "free trial" with fake info.)

2) To throttle outgoing messages until an "online credit history"
   is established.

3) To filter outgoing messages against spam signatures. (Here a
   heuristics company such as Brightmail might be of help.)

This last point is, of course, the stickiest, as it could definitely
be seen as an invasion of privacy. I think it can work only as long as
ISPs continue to be considered NOT common carriers. I suspect that
will change in the coming years.

But whether you focus on send-side legislation or receive-side
legislation, it's clear that legislation is needed, or the problem
will only get worse. Of course, that's probably not within the EFF's
mandate. :-/

>[Devil's advocate position]
>As an ISP, part of the fact of doing business is that one's system will
>have ebbing and flowing tides of traffic, which will sometimes include
>very large waves.

An interesting argument, and actually a fairly compelling one... for
those who are comparatively new to the 'net. Maybe I'm nostalgic, but
I remember when folks left their front doors unlocked, allowed their
MTAs to relay, and bought hamburgers for only a nickel. A nickel! And
it was THIS BIG. ;)

>As for the end-user problem, that again is principally a technical
>problem (a need for better, easier filters).

Sorry, self-managed filters that require updates are worthless.
Managed services (such as Brightmail) make individuals dependent on a
central third party... which offends the libertarian in me. (Yes,
there's a little libertarian in me! :) )

>From the *user* perspective spam is quite a different problem than from
>the ISP perspective.

A very good point. I tend to look at the ISP side more, myself, but
only because it's easier to show pecuniary damages.

>The second problem, however, is a much simpler matter in theory,
>because we already have law (harassment law, probably among others)
>that already address it.

And I wish people would *use* those laws! I'd gladly list them at
suespammers.org -- if effective instructions on their use could be
devised.

Philosophically, I'm in favor of fewer laws, prosecuted absolutely.
That's why I'd rather have courts recognize spam as a
harassment/property invasion issue, and rule accordingly. But building
up that precedent takes more work on the part of litigators, and there
are very few (approaching zero) who are willing to do the creative
work necessary.

> > Consider your phrase, "below the level of public nuisance...". At
> > what level must spam be before you'll consider it worthy of
> > legislation? When I'm forced to upgrade to a $500/month connection? A
> > $1,000/month connection?
>
>Notably, the public nuisance, harassment, and drunk-and-disorderly
>laws are not intended to, and are not written to, protect bars'
>business interests at all, but rather those of individual members of
>the public, "end users" by way of analogy.  The law takes no account of
>the fact that, and does not care that, bars incur significant expense to
>"police" their patrons internally, keep already-drunk people out of the
>bar, etc.

Good points. Antispam advocates have pointed out that end-users pay
the costs of this additional "protection" (10 percent of their bills,
according to Gartner), and that that protection wouldn't be necessary
if spamming were curtailed. That argument hasn't flown well because,
it seems to me, end users don't care. They ultimately accept those
additional costs, just as they might pay $4 for a drink instead of
$3.75. You can't argue with the market.

>In many jurisdictions, including San Francisco, where I live,

No kidding! I'm in Duboce Triangle, on 14th Street, between Noe and
Sanchez. I see you're at 454 Shotwell, right?

>- in a future dystopia in which the FCC has authority over the [US
>portion of] the Net and in which ISPs are licensed, like radio
>stations...

Mark my words about ISPs becoming common carriers. This will happen.

>In a better, tighter, system, it might go something like this:
>[snip]

A very good description. I'm going to forward it to a private mailing
list for ISP execs and sysadmins to get their comments.

>It's not happening because the user base and the ISP industry have some
>pipe dream in their heads that Congress can magically fix a global
>technical and contract-insufficiency problem.

I think you ascribe too much ambition to both the user base and ISP
industry. :-/ In reality, it doesn't happen that way because ISPs are
too busy scraping for customers to check newbies very closely, and
never thought of developing systems to throttle their output --
systems which would, after all, create major marketing hurdles. ("Come
to XYZ ISP! You'll pay full price, but we won't give you full service
for several months!")

>we do not have an
>absolute right to be let alone, nor an absolute right to freedom from
>others' expression, only limited and narrow rights in these areas.

I would argue that an e-mail account is part of one's domain, and
therefore considerably more absolute, but this is a minor point.

>That all that is really needed is a major reduction in spam, not total
>or near-total elimination.  Just some efforts in system-to-system
>contracting to go a long way toward that goal, while an anti-spam law
>will take us approximately .0001% closer to that goal.

I certainly don't think legislation is the only, or even the majority,
part in solving spam problems. That's why the suespammers.org mandate
is to examine litigation, not legislation. But I do think it's an
important part, and that you hold too much faith in technical
measures.

> > See above. You're badly mistaken about (a) the effectiveness of
> > filters,
>
>I beg to differ.  Before I ran out of time to maintain my procmail
>filter with weekly TAG and Spam Bouncer upgrades, only about 2 spams
>per day got through, which is quite manageable.  If we were an ISP, we
>could have someone on staff do this job, for all users. *I* ran out of
>time for it because I'm a sysadmin, and a webmaster, and policy
>analyst, AND an activist, AND...

If you think others have more free time than you... well, there's
nothing I can say to that. :) They don't. So in other words, it's not
a solution.

> >>in most
> >>aspects; not enough development has happened on the technical side yet,
> >
> > According to virtually all programmers and system administrators, it
> > never will.
>
>"Virtually all"?  How do you know?   I know plenty who think otherwise.
>It's not like I dreamed up "my" solutions in a vacuum.

O.K., I'm referring to people in my admittedly limited circle. OTOH,
spam is clearly viral in nature: It mutates constantly. Build a better
mousetrap, and nature will build a better mouse. It's a game of
leapfrog.

(Damn, there are a lot of fauna references in that paragraph...)

> > Perhaps EFF should pair its antilegislative stance on spam with a
> > call for responsibility on the ISP side.
>
>That's under discussion internally (and has been for 2 years.  I'd like
>to see some resolution on it, but this would be a big enough project
>we'd need significant project-specific funding for it, and new hires.)

Well, keep me informed. I've been in discussions about various new
forms of ISP industry organizations, and think some sort of "ISP
responsibility pledge" (with teeth for enforcement) should be a part
of it.

>Blocking the TLD is just plain stupid,
>which I think anyone would realize on  a moment's notice.  ISPs that
>blackhole significant chunks of the world are going to lose customers,
>more and more as the world gets more and more "globalized".

Not really. If you have one user in a thousand who can't get mail from
her friend in Korea, that's an acceptable loss in order to stop tens
of megabytes of traffic per day from hitting your servers. Again, it's
a cost-benefit analysis. And with phone infrastructure (and politics)
being what it is, it'll be twenty years before some large Asian
countries have a significant percentage of their populations using
e-mail.

>As for the disagreeing, yes [though perhaps less so, now?], but I'm
>used to disagreeing on this issue with the majority.  CAUCE seems to
>have won the world's hearts and minds (though at Spam Roundtable II in
>SoCal, their rep (forget his name; the more moderate co-founder, not
>Hazen-Muller) called for much of what I'm calling for here, and was far
>less gung ho about the legislative angle, though still in support of
>it.

Possibly Ray Everett-Church?

> >>Another way of looking at it: We do not support spam (and we do not
> >>believe that spam is "free speech"); but, we cannot and do not support
> >>any legislative effort so far, because they go too far - they are vague
> >>and overbroad, among other problems.
> >
> > Then why the hell hasn't EFF become involved in crafting legislative
> > language?
>
>It's not something we do, really.

That's understandable.

>We used to do that historically (ca.
>1991-5) but it burned us almost every time.

That's because it's a very, Very, VERY difficult issue, with a lot of
passion about it. Practically every Internet user, no matter how
green, has an opinion on it -- usually with very little information or
understanding of how the Internet works, or what the Constitution is.
You thought getting Mitnick out of jail was hard? ;)

> > I'd be happy to make introductions that would make this
> > possible.
>
>I'll keep that in mind. (Seriously; I'm going to file this in my
>eff-spam mbox so I don't lose it, should the Board ever agree and we do
>move on this issue.)

Sounds good.

> > P.S. You might be interested in a mailing list I run, where system
> > administrators and email marketers meet to discuss their differences
> > in hopes of a resolution. See
> > http://www.tgeller.com/mailman/listinfo/email-detente to sign up.
>
>On this particular issue, or just in general?

It started out around the foundation of RECA
(http://www.ResponsibleEmail.org/), the e-marketer organization that's
ostensibly antispam. I found some parts of their organization
difficult to swallow, but was able to better understand them through
discussion. It became apparent that the level of noise between
ISPs/end-users and e-mail marketers was too great to allow real
conversation: The list is a "quiet place for better understanding", so
to speak. If you sign up, you can read the archives. It's been pretty
dormant lately, but you give me a thought: Their statement of
principles is *all about egress control*! Perhaps there's something
there that could be adapted for ISPs.

Yep, this message is about three times as long as I intended... thanks
for listening. :) You've given me some things to think about, and
perhaps act upon. I still disagree with some of your points (as you
can see), but they're well-made.

Warmest regards,

--Tom


This comment came from John Levine, author of "Internet for Dummies":


Date: Tue, 5 Dec 2000 13:13:38 -0500 (EST)
From: John R Levine 
To: Tom Geller 
cc: Spam Digest 
Subject: Re: Egress filtering?

> Part of his message, excerpted here with permission, made a lot of 
> sense. It's basically a call for more ISP responsibility over its own 
> users.

I think it's a swell idea, and puts the onus where it belongs.  With
sufficient outbound spam control, you wouldn't need inbound spam control.

But if you look at the consequences of what he proposes, I suspect you end
up at a place he wouldn't like at all.

In contrast to what JD said elsewhere, I think that port 25 filtering is
an idea that works quite well.  You hear a lot of moaning and groaning
about it here, but the anti-spam community is full of very atypical people
who know immense amounts about e-mail technology and want to control every
bit of their Internet connection.  (Me, for example.)  The vast majority
of dialup users don't even notice, and a simple rule like unblocking on
request once you've been in good standing for a month solves that.  We've
seen spammers fleeing to ISPs and dialup pools without port filtering as
proof of how effective it is.

Cheap T1's pose a different problem (and they cost $800/mo around here,
not $3000.)  Every ISP has anti-spam rules in its AUP, but I don't know
how Stanton proposes to detect outgoing T1 spam without requiring that the
ISP read all of the customer's mail.  Counting outgoing port 25 connects
(which would already be pretty expensive) would let them see how much mail
a customer was sending, but wouldn't tell legit majordomo traffic from
spam.

Finally, at this stage you need inbound spam filtering in order to put
pressure on ISPs to do outbound control.  That's what the RBL is, after
all.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4  2D AC 1E 9E A6 36 A3 47 



Date: Wed, 3 Jan 2001 18:51:24 -0800
To: tom@tgeller.com
From: mech@@eff.org (Stanton McCandlish)
Subject: Another one

Hey there, Lord of the Youthful Canines,

I'm not sure I actually got this one from you in my e-mail (I don't
find it now), but I was able to rip the text from your site, and reply
to it here.

[Part 1 of 2]

>>There are almost zero non-commercial junk faxers, anywhere,
>>period. This is not true of spammers.
>
> Our experiences differ tremendously. A quick look through my Spam
> archives shows that I received about 200 spams in November: I can't
> remember a single one of them being non-commercial. So your statements
> distinguishing fax abuse from e-mail abuse by content, in my
> experience, don't stand up.

As you said in another (later, I think) message, our spam profiles just
seem to significantly differ.  I genuinely do get a lot of political
spam. It's probably because I'm at a .org, at a guess.

Makes me wonder if people at .edu sites get a lot more spam of the
"NEW! DOWNLOADABLE RESEARCH AND BOOK REPORTS ONLY $8!!!!!!", "STEEP
DISCOUNT ON BOOKS AND SCHOOL SUPPLIES!!!!!!!", etc., varieties.

> Besides which, I believe we agree on one point: The content is
> irrelevant, as it's the *medium* that's abusive.

Not sure I'd agree with that precisely, but this may just be a
definitional thing.  If you mean "bulk, unsolicited and unaccountable
e-mail" by "medium" then we agree.  "Medium" to me means something more
like "e-mail in general" or "TCP/IP packet routing" or "the Web or
Usenet" or "the Internet", depending on context.

> Going back to my
> brick-through-the-window analogy, I don't care whether that brick
> carries news of the second coming or an ad for car tires. My window's
> still broken.

For whatever reason, I still don't like that metaphor, but I experience
spam more from a user than a sysadmin perspective.  As a user I might
see the analogy as more like, "I don't care if your message is
political, commercial, religious, or just personal, your screaming it
in my face is getting REALLY annoying."

> Which brings us to the crux of the problem: defining abuse. As you
> know, there are two commonly given definitions for spam: unsolicited
> COMMERCIAL e-mail, and unsolicited BULK e-mail.

Or, rather, three: UCE, UBE, and UCBE.

UCE is the "stupid legislator" definition, and the "newbie user"
definition.  The problem (from a constitutional perspective) with UCE
is that it is not tied to bulk, ergo it is overbroad, as it will
improperly regulate one-to-one business-to-customer communications
(something the govt. has no legit. interest in.)

UBE is the "smart sysadmin" and "savvy user" definition.  The legal
problem with UBE is that it is overbroad in a different direction and
will regulate political, religious, personal, and non-advertising
commercial expression, which the First Amendment doesn't permit.

UCBE is a hybrid. Call it the "crafty lawyer" definition - it's evolved
in an attempt to get a fairly technically accurate definition that
might, in theory, be legislatively actionable. The arguable legal
problem with UCBE is that it would appear to fail the effectiveness test,
because a noticeable, and noticeably increasing, amount of spam is not
commercial, ergo an anti-UCBE law won't actually solve the spam
problem, only a decreasing percentage of it.

All three, from a legislative perspective, have the further, and
definite, effectiveness problem that they will only be enforceable
against identifiable US-based parties, which leaves a lot (and an
increasing amount) of spam unhindered.

This in a nutshell is why I don't think the "brute force" legislative
angle can work.  Instead, I think we need a "light touch" legislative
angle that tweaks existing law where loopholes arrive (if any), after
the industry and the user community come up with better technical,
social and contract-legal solutions than we have right now.

By way of another analogy, it's very similar (in my mind) to the notion
that it is preferable for cable companies to offer channel lock-out
and parental passcodes for non-"family" channels, than have the FCC
assume stronger regulatory control and impose the airwave broadcasting
indecency standards on cable stations (or satellite stations).
Government restriction on communications is a very, very broad sword
that almost inevitably has massive unintended (or at least unexpected
by the public; I can't actually speak to true legislative intent!)
consequences.

> I'm more in favor of
> legislation that allows recipients to go after the second... but
> there's a problem. If you receive only one copy, and your brother
> receives only one copy, how can you prove it's "bulk"?

An interesting question, and yet another reason why these laws aren't
likely to be useful. :)   There could be some answers though.  Maybe a
site like yours could take "spam reports" from any/all members of the
public, and thereby gather evidence that this mail or that was bulk.

Of course, one still has to define "bulk" too, both from a
tech/industry solution perspective, and from a legal one.  I think this
is really the hardest question, though it is far, far easier to settle
(by way of a de facto netiquette "standard", and by user/ISP contract)
in the former realm than the latter, which would necessarily entail
creating an arbitrary legal limit, regardless of context, for how many
copies of one ad can be sent to someone.

Then there're the hyper-privacy nuts who think that ANY unsolicited ad,
even if totally one-to-one, is some kind of "violation" and should be
illegal.

I don't pretend that even a Net-generated general consensus arrival at
any kind of solution will please everyone.  But it doesn't have to.  It
just has to be functional enough that the painful, exasperating
spectre of the spam problem dissipates.  I think we can all tolerate a
handful of spams here and there. It's the deluge that is driving us all
batty.

>>I don't see any point in passing, and cannot support, a law that will
>>simply be overturned.  I don't see any point in passing and cannot
>>support a law that will not actually solve, or even help, the problem
>>it attempts to address.  The junk fax law does not stop junk faxers (we
>>get junk faxes every week).
>
> Did you have a fax machine in 1989, before the TCPA was passed? I
> think those who have seen its effects would disagree with your
> assessment of the law's benefits. (I've received maybe a handful of
> junk faxes in the years I've had a fax machine, but that was since the
> TCPA.)

I didn't, no, so the point's well taken, but... I'm not sure it affects
anything but the ISP-enabling angle (since the junk fax law really doesn't
do much in the real world for the end user).  Maybe ISPs DO need some
new, fairly major, legislation that helps them out. Then again, maybe
putting up with spam is just a fact of business life for ISPs.  As I
say, I'm kind of neutral on this issue, though leaning toward the
latter interpretation.

I do think there's a major difference here though that we've not looked
at in this discussion yet.  The junk fax law was created principally to
help out large businesses like IBM that were incurring rather massive
costs - costs that were not related to their business.  By contrast,
ISPs are *in the business of routing e-mail* and other TCP/IP traffic,
just as bars get people drunk (cf. bouncer discussion in previous
mail).  ISPs are in effect asking for laws that allow them to hammer
people who use their services in ways the ISPs don't like or are not
prepared for.  That just doesn't seem right.  If ISPs have a problem
with [ab]uses of their capacity and facilities, they need to first try
to address them, in concert, with the legal tools already available to
them (and stop doing stupid foot-shooting things like giving away
unaccountable freebie accounts without limits, etc.)

>>Even if an anti-spam law had criminal
>>provisions, it would not stop spamming. An increasing amount of spam
>>(about 40% or higher[*]
>
> How are you judging these national figures? By the last relay raped?
>
> In my experience, about 40 percent comes through foreign relays, but
> *over 95 percent advertises U.S.-based businesses*. These are
> prosecutable.

I accounted for that in my earlier rough numbers.  I'm not talking
about spam from foreign relays when I talk about foreign spam. I mean
foreign-language spam advertising foreign-based sites and businesses.
I get REAMS of this stuff, especially from China and South America,
every single day of the week.  Every day I delete probably 10-20 spams
I can't even read.

As you say, our spam profiles are obviously different, and the real
numbers are uncertain. But my point was that foreign spam is real, and
it is increasing very rapidly in raw amount and at least fairly rapidly
as a percentage of spam.

>>EVERY spam law/bill I have looked at, which is
>>probably 90% of them, fails dismally to define "commercial" or
>>"advertising" (or whatever term it uses) in a way that will not affect
>>political, religious and other speech.
>
> And I'm fine with that. Again, the medium is where the abuse lies, not
> the content.

But this is extremely problematic, legally.  If the restriction is
written content neutral (i.e., not limited purely to truly commercial
advertising), then it automatically triggers strict scrutiny, which it
will most certainly fail.  Congress effectively cannot write any
anti-spam law that stands a chance of being found constitutional unless
it is against U*C*BE (which still leaves effectiveness questions).

> Besides, I'm sure you've heard the old saw: If we feared
> passing laws because of potential abuses, we'd have no laws at all.

Well, I'm someone who feels very strongly that we already have FAR too
many laws (see the "Things I've Written" section in my
http://www.@eff.org/~mech page. Look for "McCandlish's Law of Unjust
Bureaucracy").  Actually, I have another Stantonism which,
coincidentally, addresses precisely this kind of use of an old saw. :)
See "McCandlish's Law of Aphorisms" at the same part of my personal
pages. Tee hee.  (Actually, we're having some tech probs with the
proxying of the personal pages. If ~mech doesn't work, there are ASCII
copies of both at http://www.@eff.org/Net_culture/Folklore/Humor/ along
with the classic Godwin's Law of Nazi Analogies and other funny
stuff.)

ANYWAY, the political fact of the matter is that potential abuses are a
major factor in authoring, revising, and considering the passage of,
all legislation, both on the part of legislators and their staffs, and
on the part of NGOs and activists.  We don't kill a bill because of
EVERY and ALL possible abuses, but major and obvious ones are usually
looked at...

> But let's look through a few, just for fun. California's B&P 17538.45
> says:
>
> "Electronic mail advertisement" means any electronic mail message, the
> principal purpose of which is to promote, directly or indirectly, the
> sale or other distribution of goods or services to the recipient.

This one has many devils in other details, notably its failure to
properly limit *who* it applies to as well as *what* it applies to.
For example, if Professor X at University Y is putting together a
conference, and that conference is not free to attend, then Y has
violated the CA statute if she sends to a colleague, Prof. A at College
B, an invitation, and doesn't personally know B or have a pre-existing
business relationship with him.

This is a common problem with many anti-spam laws/bills.  They
completely fail to account for context and circumstance, including such
things as differing professional and other ethics, norms and
expectations.

Again, I'm not and never have argued that anti-spam laws are
unconstitutional because all spam should be free speech. Rather, they
are unconstitutional because they inevitably impact protected
expression that no one in their right minds would think of as spam (as
well as some expression that nearly everyone considers spam, such as
political and religious junk mail, that the govt. has no constitutional
authority to regulate because of the "slippery slope").

Not to mention that the CA law has no bulk requirement, and applies to
one-to-one, personal mailings simply because they are "commercial".

> HR 3113 (passed House, died in Senate) says:
>
> COMMERCIAL ELECTRONIC MAIL MESSAGE.--The term "commercial electronic
> mail message" means any electronic mail message that primarily
> advertises or promotes the commercial availability of a product or
> service for profit or invites the recipient to view content on an
> Internet web site that is operated for a commercial purpose.

This one almost certainly exceeds the (relevant) extent of the
intermediate scrutiny level of commercial speech regulation as
established by the Sup.Ct., which only applies to advertising (a point
many people don't understand; many, like the authors of this bill
apparently, think it applies to any "commercial" communications).

> An
> electronic mail message shall not be considered to be a commercial
> electronic mail message solely because such message includes a
> reference to a commercial entity that serves to identify the
> initiator.

Not good enough! Hell, a huge amount of e-mail these days has blatant
ads inserted by the ISP at the end of every message, esp. on freemail
sites. These don't "identify the initiator", they identify and promote
the initiator's ISP.

Note the lack of a bulk aspect to the definition.

> One state law chosen at random (Illinois) says:
>
> "Electronic mail advertisement" means any electronic mail message, the
> principal purpose of which is to promote, directly or indirectly, the
> sale or other distribution of goods or services to the recipient.

No bulk again, and same problems as the CA bill, if I remember this one
correctly.

It has its own problems, too.  The "principal purpose" thing is very slippery.
How do you determine that?  And wouldn't it be absurd to have an
"anti-spam" law that, for example, was interpreted as saying that a
50-line e-mail, 40 lines of which were Happy Holidays well-wishing,
followed by a 10-line ad, was not an "electronic mail advertisement",
because the "principal purpose" was to say Merry Christmas?  Things
like this immediately raise effectiveness test questions.

Or it might be interpreted differently, to mean that sending a free
sample of your e-publication to someone is an elec. mail ad., because
its "primary purpose" would be to impress you with the publication so
that you become a paying subscriber.  Would this be just?  (Yes it's
spam to you and me, but remember this is not truly an antispam bill, it
is a bill against "elec. mail advertisements", and must be examined and
weighed for legit. govt. interest and effectiveness on that basis alone).

AND this would raise immediate First Amendment questions under ACLU v.
Reno, in which the Sup.Ct. held that the Internet (this ruling was not
limited to the Web, but applies to online comms in general) cannot be
more restricted than other media; yet sending offline sample issues is
both legal and common.

Just raises lots of questions, whichever way it would be interpreted.

> ...and finally, the TCPA says:
>
> The term "unsolicited advertisement" means any material advertising
> the commercial availability or quality of any property, goods, or
> services which is transmitted to any person without that person's
> prior express invitation or permission.

Which, as I've suggested, could probably be easily challenged
successfully by anyone other than a true junk faxer, such as Professor
X faxing an entirely unreasonably litigious Professor A about X's
conference.

> These all look good to me. In what way would ANY of these unduly
> restrict non-commercial speech?

See above.  And it's not just unduly restricting "non-commercial"
(advertising) speech, but also unduly restricting political/religious
advertising (i.e. stuff we hate but which the govt. is powerless to
regulate), unduly restricting non-advertising commercial speech
(protected under strict, not intermediate, scrutiny), failing to be
effective at addressing legitimate/compelling govt. interests, doing
stupid things like dictating new Internet technical standards with
regards to headers, etc., etc.

> In short, I believe the potential for abuse of laws like these is too
> small to stand in the way of their benefits.

Even if the potential for abuse were minimal, this is enough.  The
framers of the constitution, and the courts who rely on their guidance
in the form of the Bill of Rights, have heretofore considered the sheer
risk of harm of government censorship and control of communications to
be just about the most dangerous thing government can do at all, and
the most antidemocratic, except in cases of dire "compelling government
interest" (or less dire "legitimate government interest", in the case
of intermediate scrutiny), and even then only under very controlled and
limited circumstances.  Regardless of the alleged benefits, however
wonderful they might be.  This is really the cornerstone of all First
Amendment jurisprudence.  The 1A exists not to endorse expression that
is protected, but to remove government, as much as is possible, from
any determination of whether expression is or isn't valid, good,
worthy, permissible, etc., because such power is too dangerous and
easily corruptible into increased and intolerable levels of direct
censorship of everything.

And what benefit?  The existing anti-spam laws simply have had no effect.
No matter how good the idea seemed to some, it simply hasn't been working.

Consider a medical treatment: If we, as hypothetical psychiatrists,
find that a patient is not responding to electroshock, we don't keep
shocking him year after year just for the hell of it.  We try a
different treatment.  If we find that electroshock doesn't work much at
all for much of anyone, we abandon it for the most part (or
completely), in favor of other, better treatments, for all patients.
And we [or rather the pharmaceutical industry - every metaphor breaks
down at some point] find better treatments by study and experimentation.


[To be cont'd.  I'd originally replied to almost the whole thing, then
had a disk crash and lost the last half, since I hadn't saved in a
while. Doh!]


--
Stanton McCandlish      mech@@eff.org       http://www.@eff.org/~mech
Advocacy Director/Webmaster          Electronic Frontier Foundation
voice: +1 415 436 9333 x105                    fax: +1 415 436 9993
EFF, 454 Shotwell St.                    San Francisco CA 94110 USA



To: mech@@eff.org (Stanton McCandlish)
From: Tom Geller 
Subject: Re: Another one

>Hey there, Lord of the Youthful Canines,

:)

As usual, I'm going to respond at much less length than you,
especially as it's been a busy day at work. Before touching upon
specific issues, I'd like to suggest I post your last two messages and
let that be the end of what goes on the Web site. I think there's
already more there than any sane person would want to read ;), and I'm
content to let you have the last word. Sound Good?

O.K., on to your note:

>This in a nutshell is why I don't think the "brute force" legislative
>angle can work.  Instead, I think we need a "light touch" legislative
>angle that tweaks existing law where loopholes arrive (if any), after
>the industry and the user community come up with better technical,
>social and contract-legal solutions than we have right now.

More and more, I'm tending to agree with you, with the addendum that
people should be using existing laws more actively in antispam
prosecutions. That's been a failing of suespammers.org: It should list
some laws commonly broken by spammers (forgery, trespass, hacking) in
addition to spam-specific laws. I've asked for help in getting those
up, but no-one's responded. And I just don't have the time. :( :( :(

As it happens, there have been more and more cases using those "other"
laws lately. See, for example:

Fraud-related spam:
http://www.nandotimes.com/technology/story/0,1643,500295714-500470817-503181936-0,00.html

Forgery of mailorder.com:
http://www.mailorder.com/news/acg_spamcomplaint.htm

Forgery of ibm.net:
http://www.topica.com/lists/tipworld-gossip-html/read/message.html?mid=1600761288&sort=d&start=103

None of this addresses the issue of whether my mail server is my
property... but I have to admit, cases like these will cut down on
most spam. My fear is that it'll legitimize non-forged, non-fraudulent
spam (such as from Real Networks and Network Solutions, from whom I've
received 100-percent spam to scraped addresses).

>An interesting question, and yet another reason why these laws aren't
>likely to be useful. :)   There could be some answers though.  Maybe a
>site like yours could take "spam reports" from any/all members of the
>public, and thereby gather evidence that this mail or that was bulk.

See http://www.spamrecycle.com. They're working on making the data
more useful, but they've been collecting it for a while.

>I do think there's a major difference here though that we've not looked
>at in this discussion yet.  The junk fax law was created principally to
>help out large businesses like IBM that were incurring rather massive
>costs - costs that were not related to their business.

I disagree here. I run a private network, but the network is not the
point of my business. It is to me no more a part of my business than
IBM's fax machines are to it.

In your other message, you wrote:

> > I'd agree with that. Whether the private sector has the tools they
> > need yet... that's a good question.
>
>Personally, I think it's even more a matter of too many of the key
>players not having the temperament they need.  It's very instructive to
>stand on the sidelines of the alternate DNS root debate (I mean the
>people who are now trying to compete with ICANN, though most of them
>are the same people that wanted to compete with InterNIC/NSI and IANA
>before ICANN existed).  Lots of "big personalities", rancorous
>interpersonal relations, lots of miscommunication, lots of seeming
>inability to agree even on some basic premises, and a general failure
>to see the forest for all the nitpicky trees in it. :)

I agree wholeheartedly, and may be contacting you for help in
educating technologists about the human side of spam, as part of a
project that's in its formative stages. Watch the skies.

[private matter cut here]

Best,

--Tom



Date: Fri, 5 Jan 2001 14:41:18 -0800
To: Tom Geller 
From: mech@@eff.org (Stanton McCandlish)
Subject: Re: Another one

At 3:12 PM -0800 on 1/4/01, Tom Geller wrote:

>>Hey there, Lord of the Youthful Canines,
>
>:)
>
>As usual, I'm going to respond at much less length than you,
>especially as it's been a busy day at work. Before touching upon
>specific issues, I'd like to suggest I post your last two messages
>and let that be the end of what goes on the Web site. I think there's
>already more there than any sane person would want to read ;), and
>I'm content to let you have the last word. Sound Good?

Well, I did want to respond to the 2nd half of your last communique -
it raises some interesting stuff (and not all of it argumentational :)
Other than that, sure; I've been feeling like the debate was winding
down of its own accord anyway, and some of it got a little circular.

>O.K., on to your note:
>
>>This in a nutshell is why I don't think the "brute force" legislative
>>angle can work.  Instead, I think we need a "light touch" legislative
>>angle that tweaks existing law where loopholes arrive (if any), after
>>the industry and the user community come up with better technical,
>>social and contract-legal solutions than we have right now.
>
>More and more, I'm tending to agree with you, with the addendum that
>people should be using existing laws more actively in antispam
>prosecutions. That's been a failing of suespammers.org: It should
>list some laws commonly broken by spammers (forgery, trespass,
>hacking) in addition to spam-specific laws. I've asked for help in
>getting those up, but no-one's responded. And I just don't have the
>time. :( :( :(

It would be a good idea, indeed.

>
>As it happens, there have been more and more cases using those
>"other" laws lately. See, for example:
>
[snip]

Right, and I certainly have NO problem with domain name forging
spammers being sued into oblivion by the real owners of the domain
names they used, nor with illegal frauds being criminally prosecuted.

>None of this addresses the issue of whether my mail server is my
>property... but I have to admit, cases like these will cut down on
>most spam. My fear is that it'll legitimize non-forged,
>non-fraudulent spam (such as from Real Networks and Network
>Solutions, from whom I've received 100-percent spam to scraped
>addresses).

Yeah, that issue is going to take a long time to resolve.  I mean,
sure, it's clear that the box, the server, is your property. But what
about less tangible things? Bandwidth. Time. It gets pretty
philosophical, which means it'll be a long debate, at the very least.

>>An interesting question, and yet another reason why these laws aren't
>>likely to be useful. :)   There could be some answers though.  Maybe a
>>site like yours could take "spam reports" from any/all members of the
>>public, and thereby gather evidence that this mail or that was bulk.
>
>See http://www.spamrecycle.com. They're working on making the data
>more useful, but they've been collecting it for a while.

Good, good.

>>I do think there's a major difference here though that we've not looked
>>at in this discussion yet.  The junk fax law was created principally to
>>help out large businesses like IBM that were incurring rather massive
>>costs - costs that were not related to their business.
>
>I disagree here. I run a private network, but the network is not the
>point of my business. It is to me no more a part of my business than
>IBM's fax machines are to it.

Point taken.  Maybe a site like yours would or should have a better case
against a spammer than an ISP like Netcom. ??  It's interesting.

>In your other message, you wrote:
>
>>  > I'd agree with that. Whether the private sector has the tools they
>>  > need yet... that's a good question.
>>
>>Personally, I think it's even more a matter of too many of the key
>>players not having the temperament they need.  It's very instructive to
>>stand on the sidelines of the alternate DNS root debate (I mean the
>>people who are now trying to compete with ICANN, though most of them
>>are the same people that wanted to compete with InterNIC/NSI and IANA
>>before ICANN existed).  Lots of "big personalities", rancorous
>>interpersonal relations, lots of miscommunication, lots of seeming
>>inability to agree even on some basic premises, and a general failure
>>to see the forest for all the nitpicky trees in it. :)
>
>I agree wholeheartedly, and may be contacting you for help in
>educating technologists about the human side of spam, as part of a
>project that's in its formative stages. Watch the skies.

Dokey okey.

[snip private matter]

I was out the Spam Roundtable II, and Sunil Paul gathered a lot of key
people to start up a sort of coalition (not a CAUCE clone; it was
going to do other things, like public education - not the MOST
important part, I don't think, but it would've been a start).  But,
that never happened. Paul just got too busy, but since he'd sort of
set himself up as the de facto leader, no one else got the ball rolling
either.  Time to start again from scratch, I think.  I don't know if
EFF should be "in charge" of such a coalition, or whether any one
organization should. It should probably be a more jointly organized
entity (though, of course some specific individual or two has to be
"in charge" enough to get and keep the ball rolling.)  And it does
actually have to get organized. Everyone was amped at that first
meeting, but enthusiasm wanes rapidly in the absence of a plan and
time and energy on someone's part to begin executing it.

--
Stanton McCandlish      mech@@eff.org       http://www.@eff.org/~mech
Advocacy Director/Webmaster          Electronic Frontier Foundation
voice: +1 415 436 9333 x105                    fax: +1 415 436 9993
EFF, 454 Shotwell St.                    San Francisco CA 94110 USA


[At this point, we decided that our conversation was going off-topic. Many thanks to Stanton for his continued involvement in the issue, even if we continue to disagree in some fundamental ways. --Tom]


This page was last updated on Monday, February 09, 2004 at 2:22pm CST. All contents copyright 2005 by Tom Geller.