the role of public policy in the fight against spam
Download
Skip this Video
Download Presentation
The Role of Public Policy in the Fight Against Spam

Loading in 2 Seconds...

play fullscreen
1 / 36

The Role of Public Policy in the Fight Against Spam - PowerPoint PPT Presentation


  • 226 Views
  • Uploaded on

The Role of Public Policy in the Fight Against Spam. Jacob Scott UC Berkeley IEEE August 3rd, 2004. Spam Threatens the Viability of E-Mail. “Spam is about to kill the ’killer app’ of the Internet - specifically, consumer use of e-mail and e-commerce.”

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'The Role of Public Policy in the Fight Against Spam' - Sharon_Dale


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
the role of public policy in the fight against spam

The Role of Public Policy in the Fight Against Spam

Jacob Scott

UC Berkeley

IEEE

August 3rd, 2004

spam threatens the viability of e mail
Spam Threatens the Viability of E-Mail

“Spam is about to kill the ’killer app’ of the Internet - specifically, consumer use of e-mail and e-commerce.”

FTC Commissioner Orson Swindle, June 2003

incredible growth
Incredible Growth

“Since Hotmail deployed it six months ago, SmartScreen has been blocking more than 95 percent of all incoming spam — an average of nearly 3 billion messagesevery day.”

Bill Gates, June 2004

wide ranging effects
Wide-ranging Effects
  • Businesses
  • Consumers
  • ISPs
  • Legitimate E-Mail Marketers

“Today, it is estimated that 80% of email traffic is spam and the costs of spam to the global economy amounts to USD 25 billion annually.”

Press Release, UN ITU, July 2004

example phishing
Example: Phishing

Anti-Phishing

Working Group

“Direct losses from identity theft fraud against these phishing attack victims cost U.S. banks and credit card issuers about $1.2 billion last year”.

Press Release, Gartner Research, May 2004

good spam
Good Spam
  • Annoying
  • Identifiable
  • Legitimate
  • Possibly Requested
  • Big Business

“This translates into an excess of $19 billion spent in response to commercial e-mails in 2003.”

Direct Marketing Association, March 2004

bad spam
Bad Spam
  • Untraceable
  • Deceptive
  • Fraudulent
  • Pornographic
  • Illegitimate
  • The Problem
the spam profit numbers
The Spam Profit Numbers
  • 5% of e-mail users have purchased from UCE
  • Cost to send one e-mail: $.0005
  • Profit possible with .0001% response rate

AOL’s captured spammer Porsche

anti spam technology
Anti-Spam Technology

Filters look at incoming e-mail and sort spam from legitimate messages

filtering mechanisms
Filtering Mechanisms
  • IP Blacklists
  • Header/Routing Analysis
  • Heuristics
  • Adaptive (Bayesian)
  • URL Filtering
  • Checksums/Signatures
  • Collaborative Networks
  • Challenge-Response
  • Many more…
filtering success
Filtering Success
  • Brightmail advertises that their filter catches 95% of all spam, and mislabels only 1 in a million false positives
  • CRM114, open source spam “classifier” reports over 99% accuracy rate in spam/ham sorting
  • Vibrant R&D, commercial implementations
the spam arms race
The Spam “arms race”
  • Increased volume
  • Evasive techniques
  • Concern over false positives
  • The worst spam (sent by “outlaw spammers”) are the hardest to defeat technologically

“Knowing that only a small percentage of their output will get past today's filters, spammers have responded by significantly cranking up the volume of emails they send. So networks are burdened with even more junk than before.”

Bill Gates, June 2004

introduction
Introduction
  • First national anti-spam law
  • Originated as S877
  • Passed Senate 97-0
  • Passed House 392-5
  • Signed December 16, 2003

Senator Burns

Senator Wyden

motivation
Motivation

“senders of commercial electronic email should not mislead recipients as to the source or content of such mail; and recipients of commercial electronic mail have a right to decline to receive additional commercial electronic mail from the same source.”

CAN-SPAM Act of 2003

  • Strong on fraud and deception
  • Weak on privacy
  • Consumer protection law – Federal Trade Commission is point
opt in opt out
Opt-In, Opt-Out
  • CAN-SPAM is single-source opt-out
    • Ask each e-mailer to stop, one at a time
  • Chosen over opt-in
    • marketers have to ask before they send
    • Popular in Europe
  • Does the difference matter?

“Imagine that you put a ‘do not solicit’ sign at the front door of your home, and every company in the world could only ring your doorbell once, at which point you could tell the salesperson not to bother you anymore…”

Consumers Union, May 2004

probably not
Probably Not

“the practical difference between opt-in and opt-out laws in terms of real enforcement is virtually nonexistent. If a spammer wishes to convert the strongest opt-in law into an opt-out law, all he or she needs to do is tell one lie: ‘The recipient requested to receive my messages.’”

Matthew Prince, July 2004

  • The worst “outlaw” spammers will not care either way
compromise
Compromise?
  • Do Not E-Mail Registry
    • Provides global opt-out
    • Anyone who sends to e-mails in the registry is in trouble
    • Modeled after the Do Not Call Registry
probably not23
Probably Not

“This Report concludes that a National Do Not Email Registry, without a system in place to authenticate the origin of email messages, would fail to reduce the burden of spam and may even increase the amount of spam received by consumers.”

FTC DNE Registry Report, July 2004

  • How can you not e-mail someone without knowing who not to e-mail?
  • How can use of the registry be required and enforced?
what you must do
What You Must Do
  • In commercial e-mail
    • Include an opt-out mechanism
    • Include a real physical address
    • Clear notice that the message is an advertisement
  • No requirement for this to be machine readable, but does give good hints to filters
what you cannot do
What You Cannot Do
  • Falsify header or route information of your e-mail messages
  • Hack into other computers and send spam from them
  • Harvest e-mail addresses from the web or in a directory harvest attack
  • Hire other people to spam for you
  • Send adult-oriented spam without a subject line label (FTC rulemaking)
penalties
Penalties
  • Quite stiff
    • Violations of CAN-SPAM are considered violations of the FTC Act, $11,000 per violation
    • Some violations are criminal, with up to five year prison terms
    • ISPs and State AGs can sue under CAN-SPAM for civil damages (caps in some cases)
importance of enforcement
Importance of Enforcement
  • CAN-SPAM has teeth, but does it bite?
    • Outlaw spammers will not follow law if not enforced
  • Provides an avenue to recoup spammer profits
  • Creates a deterrent effect, makes spammers think twice
compliance and enforcement
Compliance and Enforcement
  • Average CAN-SPAM compliance over first six months only 2.3%
  • FTC has brought only two actions under CAN-SPAM (62 total spam cases in history)
  • Roughly a half dozen ISP CAN-SPAM based lawsuits pending
  • Maybe one or two state cases
enforcement difficulties
Enforcement Difficulties
  • Three ways to pursue, generally
    • Trace communications
    • Follow the money
    • Follow the goods
  • With spam
    • Communications notoriously difficult
    • Money gets tricky if stolen credit card, or overseas
    • Goods may not be physical (software, identity theft)
spam enforcement generally
Spam Enforcement Generally
  • Computer misuse, identity theft, fraud laws can all apply to spam
    • ISP lawsuits pre CAN-SPAM (AOL Porsche)
  • States have further laws
    • New York’s “Buffalo Spammer” case
    • Virginia’s recent case against Texan
  • Not insignificant enforcement, but certainly not enough
    • CAN-SPAM compliance numbers
enforcement inhibitors
Enforcement Inhibitors
  • CAN-SPAM did two things that made enforcement harder
  • Pre-empted most state spam laws
    • Only (state) laws which do not deal specifically with spam or only deal with fraud are still in force
  • Denied private right of action
    • Bad experience with frivolous lawsuits under Utah Law
    • Individuals and businesses cannot sue spammers
  • Tradeoffs in both cases, but bottom line is enforcement was softened
can spam bottom line
CAN-SPAM Bottom Line
  • Strong in some areas, weak in others
  • Not as horrible a law as it is made out to be in the press
  • Nonetheless, ineffective due to lack of enforcement
  • If CAN-SPAM were followed, there would probably be less spam in your inbox
recommendations
Recommendations
  • Moreenforcement
  • Considerprivate right of action
  • Conducttechnology oversight
  • Revisitprivacy concerns
  • Help withuser education
ad