[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]



 
                SPAM AND ITS EFFECTS ON SMALL BUSINESS

=======================================================================

                                HEARING

                               before the

            SUBCOMMITTEE ON REGULATORY REFORM AND OVERSIGHT

                                 of the

                      COMMITTEE ON SMALL BUSINESS
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                    WASHINGTON, DC, OCTOBER 30, 2003

                               __________

                           Serial No. 108-44

                               __________

         Printed for the use of the Committee on Small Business


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 house



                                 ______

93-042              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001


                      COMMITTEE ON SMALL BUSINESS

                 DONALD A. MANZULLO, Illinois, Chairman

ROSCOE BARTLETT, Maryland, Vice      NYDIA VELAZQUEZ, New York
Chairman                             JUANITA MILLENDER-McDONALD,
SUE KELLY, New York                    California
STEVE CHABOT, Ohio                   TOM UDALL, New Mexico
PATRICK J. TOOMEY, Pennsylvania      FRANK BALLANCE, North Carolina
JIM DeMINT, South Carolina           DONNA CHRISTENSEN, Virgin Islands
SAM GRAVES, Missouri                 DANNY DAVIS, Illinois
EDWARD SCHROCK, Virginia             CHARLES GONZALEZ, Texas
TODD AKIN, Missouri                  GRACE NAPOLITANO, California
SHELLEY MOORE CAPITO, West Virginia  ANIBAL ACEVEDO-VILA, Puerto Rico
BILL SHUSTER, Pennsylvania           ED CASE, Hawaii
MARILYN MUSGRAVE, Colorado           MADELEINE BORDALLO, Guam
TRENT FRANKS, Arizona                DENISE MAJETTE, Georgia
JIM GERLACH, Pennsylvania            JIM MARSHALL, Georgia
JEB BRADLEY, New Hampshire           MICHAEL MICHAUD, Maine
BOB BEAUPREZ, Colorado               LINDA SANCHEZ, California
CHRIS CHOCOLA, Indiana               ENI FALEOMAVAEGA, American Samoa
STEVE KING, Iowa                     BRAD MILLER, North Carolina
THADDEUS McCOTTER, Michigan

         J. Matthew Szymanski, Chief of Staff and Chief Counsel

                     Phil Eskeland, Policy Director

                  Michael Day, Minority Staff Director

                                  (ii)
?

                            C O N T E N T S

                              ----------                              

                               Witnesses

                                                                   Page
Beales, Hon. J. Howard, III, Federal Trade Commission............     3
Cerasale, Jerry, The Direct Marketing Association................     8
Goldberg, Bruce, Weatherman Records..............................    10
Rizzi, John A., e-Dialog, Inc....................................    12
Giordano, Catherine, Women Impacting Public Policy...............    15
Ham, Shane, Progressive Policy Institute.........................    17
Crews, Clyde Wayne, Jr., Cato Institute..........................    20

                                Appendix

Opening statements:
    Schrock, Hon. Ed.............................................    33
Prepared statements:
    Beales, Hon. J. Howard, III..................................    35
    Cerasale, Jerry..............................................    53
    Goldberg, Bruce..............................................    59
    Rizzi, John A................................................    61
    Giordano, Catherine..........................................    74
    Ham, Shane...................................................    80
    Crews, Clyde Wayne, Jr.......................................    85

                                 (iii)


           HEARING ON SPAM AND ITS EFFECTS ON SMALL BUSINESS

                              ----------                              


                       THURSDAY, OCTOBER 30, 2003

                  House of Representatives,
                       Committee on Small Business,
           Subcommittee on Regulatory Reform and Oversight,
                                                   Washington, D.C.
    The Subcommittee met, pursuant to call, at 10:33 a.m. in 
Room 2360, Rayburn House Office Building, Hon. Ed Schrock 
[chairman of the Subcommittee] presiding.
    Present: Representatives Schrock and Gonzalez.
    Chairman Schrock. Good morning, everyone. I think we will 
go ahead and get started. I am sure other Members will come in. 
Rumor is we are supposed to have three votes at 10:30, but you 
know how that goes around here. It may be a little bit after 
that. I will go ahead and do my opening remarks. We will let 
Mr. Beales do his, and then we may have to go vote.
    Since inception of the Internet and electronic mail, 
businesses have found opportunities to use both as vehicles of 
marketing and advertising. Every day, Americans receive 
billions of e-mails, and its low cost allows marketers and 
business people to reach wider audiences than ever before.
    Unfortunately, like any business practice in the United 
States, there are those who abuse this technology by sending 
bulk, unsolicited e-mails to users without their permission. 
Spam, as it has been dubbed, is estimated to constitute over 40 
percent of commercial e-mail. It clogs e-mail servers, reduces 
productivity, inhibits growth and has a direct affect on small 
businesses in the U.S.
    There are, however, many small businesses in the United 
States who execute e-mail marketing campaigns legally and who 
use e-mail as a tool to inform and communicate with their 
customers.
    Several current legislative proposals exist to combat spam. 
Options include increasing the jurisdiction of the Federal 
Trade Commission, creating a Do Not E-Mail registry requiring 
opt in or opt out provisions, requiring all bulk e-mailers to 
have trusted identification or imposing harsher penalties on 
criminal spammers. Whatever the ultimate remedy, we want to 
make sure that the specific impact on small business in taken 
into account.
    Over a billion small businesses use e-mail as a marketing 
tool, and millions use more e-mail to communicate with 
employees, suppliers and others critical to their business. 
Criminal spam cannot be allowed to prevent e-mail from its 
legitimate uses, and as time passes the problem will get even 
worse if action is not taken.
    [Mr. Schrock's statement may be found in the appendix.]
    Chairman Schrock. Right now I want to thank all the 
witnesses for coming today, and I would like to recognize the 
Ranking Member, Mr. Gonzalez. We did not know if you were going 
to go first or what, so you can make comments, and then we will 
probably have to go vote.
    Mr. Gonzalez. Thank you very much, Mr. Chairman. My 
apologies for being a bit late. The fact that the bells are 
going off now is probably good because we will get that vote 
out of the way. I will keep my remarks very, very brief.
    Fact-finding. What is the purpose of any testimony is 
really for this Committee to get a better handle on what is 
going on out there in the small business world. Spam has 
created tremendous problems for individuals, government and 
businesses, but especially small businesses, as the chairman 
has already pointed out.
    The question is what is the appropriate remedy? I hope that 
we will have many of the witnesses who will be able to tell us 
what they are doing and what they see for the future. The 
question really comes down to one of regulation and what is the 
proper and appropriate role for the government to play in order 
to achieve what would be the maximum benefit that this e-world 
allowed us with the Internet.
    It is so important to balance I guess when you think of 
terms of free speech, because I do believe that some of these 
issues rise to the level of free speech and, as I have said, 
the regulatory scheme of things and then, of course, free 
enterprise if we can just somehow take all the factors into 
consideration and fashion something that makes a lot of sense.
    We know the Senate has acted. We know we have bills on the 
House side. It is a matter of working together to really 
fashion something that is effective and reasonable under the 
circumstances so that we do not reach a critical point where we 
overreact. That is the greatest danger here in Congress, and 
that is when a crisis arises and we act quickly and not 
necessarily prudently.
    Again, thank you, Mr. Chairman. I guess we should vote.
    Chairman Schrock. I think we will. That is a good idea. We 
will go vote, do our three votes, and we will be back quickly.
    Sorry, Mr. Beales. Those bells are compelling. Thank you.
    [Recess.]
    Chairman Schrock. We are told we are going to have no more 
votes until 1:00, but we also were told that we are going to 
vote all night, so a lot of silly things are going to happen 
today. We have one of those every once in a while, so we must 
endure it. Hopefully by 1:00 we will have accomplished a lot.
    Before we begin receiving testimony from the witnesses, I 
want to remind everyone that we would like each witness to keep 
their oral testimony to five minutes. In front of you on the 
table you will see a box that will let you know when your time 
is up. When the light is yellow, you have one minute remaining. 
When five minutes have expired, the red light will appear. Once 
the red light is on, the Committee would like you to wrap up 
your testimony as soon as you are comfortable. At the six 
minute mark your trap door will open, so keep that in mind.
    First I would like to introduce the Honorable J. Howard 
Beales, III, who is the Director of the Bureau of Consumer 
Protection for the Federal Trade Commission. Thank you for 
being here, and we are looking forward to your testimony.

  STATEMENT OF THE HONORABLE J. HOWARD BEALES, III, DIRECTOR, 
    BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

    Mr. Beales. Thank you, Mr. Chairman. I really appreciate 
the opportunity to provide the FTC's testimony about spam and 
its effect on small businesses.
    The problems caused by unsolicited commercial e-mail go 
well beyond the annoyance that spam causes to the public. These 
problems include the fraudulent and deceptive content of most 
spam messages, the offensive content of many others, the sheer 
volume of spam being sent across the Internet and the security 
issues raised because spam can be used to disrupt service or as 
a vehicle for sending viruses.
    To gain a better understanding of the nature of spam, the 
FTC staff reviewed a sample of approximately 1,000 pieces of 
spam. Sixty-six percent contained facial elements of obvious 
deception in the From line, the Subject line or the text of the 
message. When these data are further analyzed to exclude 
sexually explicit e-mail and e-mail hawking products or 
services that are permeated with fraud like chain letters or 
cable descramblers, only 16.5 percent of the spam did not 
contain obvious deception and came from possibly legitimate 
marketers.
    We further analyzed a random sample of 114 of these spam, 
looking behind the header information to see who had registered 
the domain name for any Web sites that were connected to that 
e-mail by a hyperlink. We found none from Fortune 500 
companies, only one from a Fortune 1,000 company.
    The Commission also convened a three-day spam forum. 
Virtually all of the panelists opined that the volume of 
unsolicited e-mail is increasing exponentially and that we are 
at a tipping point, requiring some action to overt deep erosion 
of public confidence that could hinder or even destroy e-mail 
as a tool for communication and on-line commerce.
    A solution to the spam problem is critically important, but 
it cannot be found overnight. There is no quick or simple 
silver bullet. Rather, solutions must be pursued from many 
directions--technological, legal and consumer action.
    Two key characteristics of spam make the problem 
particularly difficult to solve. The first is anonymity. It is 
possible to send an e-mail from anywhere to anyone and make it 
appear as if it came from somewhere completely different. Once 
it passes through an open relay or an open proxy that could be 
anywhere in the world, spam is virtually impossible to trace.
    The second key characteristic is economics. For the 
spammer, sending out a few or a few thousand more messages is 
virtually cost free. Because it is so cheap, spamming can be 
profitable even if the response rate is very low. At our spam 
forum, one spammer said his business was profitable even if the 
response rate was as low as .0001 percent.
    The panelists at the forum also discussed the damaging 
effect that spam has on businesses and particularly on small 
businesses. Although a single piece of spam to a single 
consumer causes de minimis economic harm, the cumulative 
economic damage from spam is enormous and growing. Although 
there is a lack of firm research regarding cost, estimates--
maybe guesses is a better word--have ranged from $10 billion to 
$87 billion a year.
    The onslaught of fraudulent and offensive spam robs 
businesses that would like to use commercial e-mail messages as 
a cost effective way of marketing their goods and services. 
Legitimate sellers tend to be drowned out or overlooked by 
consumers who simply ignore commercial e-mail messages because 
so much spam is so distasteful.
    One panelist, the president of a small ISP in Little Rock, 
Arkansas, stated that spam is his number one customer complaint 
and that addressing the increasing amount of spam is placing 
the very existence of his business in peril. His company does 
not have the financial resources and large support staff found 
at large ISPs. When a deluge of spam arrives, e-mail is 
delivered more slowly and customer complaints increase 
dramatically, causing the small customer support team to 
struggle to address complaints.
    Spammers also harvest e-mail addresses from public places 
on the Internet such as Web sites. That poses a particular 
problem to small businesses because posting e-mail addresses on 
their Web sites facilitates the communication with existing or 
potential customers. In our spam harvest analyzing what on-line 
activities placed consumers at risk for receiving spam, we 
found that 86 percent of the e-mail addresses posted as web 
pages and in news groups received spam.
    In a recent Wall Street Journal article, a market research 
firm reports that spam makes up 31 percent of the e-mail that 
small businesses receive and that fighting spam is the top e-
mail priority for 84 percent of small businesses. Clearly, spam 
has real and significant impacts on small businesses that 
jeopardize the benefits of e-mail as a communication and 
marketing tool. These benefits can be preserved only through 
attacking spam through a balanced blend of technological fixes, 
business and consumer education, legislation and enforcement.
    The Commission will continue to combat spam through its 
research, consumer and business education and aggressive law 
enforcement.
    Thank you, and I look forward to your questions.
    [Mr. Beales' statement may be found in the appendix.]
    Chairman Schrock. Thank you very much.
    I was sitting here listening to what you were saying. My 
wife handles all her parents' affairs; her parents have reached 
the stage where she has to handle all their business and 
personal affairs. She will return home tonight from California 
after a month, and I guarantee you she will have 1,000 plus 
unwanted, some of them pretty nasty things. She complains about 
it all the time, but does not know what to do about it.
    One of the elements in the Senate spam bill includes a 
study of a Do Not Mail list, just like we have a Do Not Call 
list, and I know this is something you oppose. If you are 
eventually required to produce something like this, how will 
you protect legitimate contacts with previous or existing 
contacts? There certainly has been some controversy about that 
with the Do Not Call and the Do Not Fax.
    Mr. Beales. Well, I think our inclination would be to 
approach it the same way we have approached it with Do Not 
Call. If you have an existing business relationship with 
somebody, that is a circumstance in which consumers generally 
expect to be contacted. They are not upset by the contact, and 
that would apply to e-mail as well as to the telephone so I 
would think that would be our starting point.
    Of course, if we had to go ahead we would explore in a rule 
making how that has worked in Do Not Call and what changes or 
adjustments might be necessary or appropriate.
    Chairman Schrock. What will enforced enhancement powers 
allow you to do or not to do?
    Mr. Beales. Well, our key concern about the Do Not Spam is 
enforceability. As I mentioned in the kinds of e-mail that we 
find out there, these are not people that pay a lot of 
attention to legal rules. As a result, we are concerned that a 
Do Not Spam list would not make any appreciable reduction, any 
observable reduction in the volume of spam that people get.
    What legislation can do is we have asked for some 
procedural improvements that would help us get information and 
keep the existence of our investigations secret from the 
targets of those investigations.
    We think we need some legislative tools that would let us 
better cooperate with foreign law enforcement authorities 
because cross border fraud is particularly a problem in spam 
enforcement, and we think that legislation needs to include 
criminal penalties for the worst of spam because too often what 
we find is the people we find do not have any money, so civil 
penalties really would not enhance our ability to go after 
people all that much.
    Chairman Schrock. When you are talking about cross borders, 
state to state, do you see the need of federal preemption of 
state laws in favor of some national program that every state 
has to abide by?
    Right now I am sure all 50 have a different process, and 
for people who are legitimate it is very, very confusing to 
them.
    Mr. Beales. Well, I think that is right. I think the 
Internet is by its nature borderless, and it does not make 
sense to erect artificial borders that people then have to 
figure out and worry about how to comply with. The broader the 
set of rules, the better.
    Chairman Schrock. Now offshore. What could be done with 
businesses who send the spam offshore?
    Mr. Beales. Well, what we have done on a case by case basis 
is to build cooperative law enforcement relationships with 
foreign authorities.
    In one spam case that involved the sale of domain names 
that did not exist we cooperated with the British authorities. 
One was .usa and was heavily promoted in the wake of September 
11. They even sold .god domain names for a while. We shut down 
the operation from the servers in the United States, and they 
shut down the operation from there.
    There is another case where we just named a defendant in 
the Netherlands. We have referred that case to the Dutch 
authorities and are trying to help them in bringing action, so 
it really is a case by case attempt to build cooperative 
enforcement relationships, and that will become increasingly 
important.
    Chairman Schrock. Of course, there is a lot of technology 
being developed to try to solve some of this. Do you see that 
technology being part of the solution to spam, or they will 
find something, and there will be a way for them to find to 
counter that? Do you see good things coming down the pike in 
that arena?
    Mr. Beales. Well, I think that in the long run the 
solutions are going to have to be in significant part 
technological because I think that it is very difficult to 
imagine any real solution if we preserve the current level of 
anonymity.
    To change that anonymity so we can figure out who is doing 
it and trace e-mail back to its source, to do that is going to 
require technological solutions.
    Chairman Schrock. Some of the testimony I was reading last 
night said there is a way that people can block being found 
out. You have to be able to break that logjam, and I do not 
know how you do that. Even the new technology I do not think 
can do that yet.
    Mr. Beales. I think that is correct. I think it may require 
changes in the basic mail protocol to make sure there is 
information that authenticates where it came from, but I think 
in the long run that is essential because whatever the solution 
it is going to be extremely difficult to enforce unless we can 
find the violators.
    Chairman Schrock. I agree.
    Mr. Gonzalez?
    Mr. Gonzalez. Thank you very much, Mr. Chairman.
    Members of Congress are so fortunate because we, at least 
our office computers, live in a spam free world. I am going to 
tell you, it is wonderful.
    When I go back to my campaign office and turn that thing 
on, it is horrible, you know, what we have to clear out because 
you only have so much capacity. I am not even crazy about all 
the stuff that the server is telling me about.
    You get spoiled up here. I mean, it is just absolutely 
wonderful to go in there, and it is nice and clear. You are not 
constantly bombarded by stuff that you never asked for, are not 
interested in and offended by. If we feel that way, I can 
imagine just about anybody out there similarly situated, which 
is every American citizen with a computer.
    It is interesting. In today's Post there is a great 
article, E-Mail Providers Devising Ways to Stop Spam, and they 
are talking about the private sector, and they are talking 
about the servers. It seems to me there was something you said 
that was disturbing, and I guess I have kind of two questions.
    One of them is enforceability is going to be a problem 
period. I would like to think that we have established 
principles, legal and otherwise, that kind of point the way on 
how we are going to approach this, even when technology 
changes.
    I was making a note here. At one time they used to knock on 
your door, right, the solicitors and such, and we tried to do 
something about that. Then they came through the mail. Then 
they came by the phones. Then they came by the faxes. Now they 
come through the e-mail, right?
    I am not sure what is next. You know, something in the 
ether world. The question really comes down to do these 
principles still apply in how we try to regulate unsolicited 
contact with citizens when it comes to the electronic age and 
e-mail.
    The second part of my question is really the point of 
contact. We have to figure out where do we try to tackle this 
whole thing. That seems to me it is going to be the server. Of 
course, I am encouraged by what the servers are trying to do 
together to make sure, as you had pointed out, that anybody who 
is sending an e-mail has a legitimate address so that we can 
take action and then on the private sector how we establish 
what is a trusted sender and what is not. That can be difficult 
in and of itself.
    What you said about enforceability. All right. We are going 
to be able to identify them now, which is crucial, which I will 
admit is crucial, but are you still going to be able to enforce 
it? We will be able to trace back up as to who sent it, but are 
we still going to have enforcement problems if we have a no 
spam list or if we do criminalize the act itself?
    I guess those are the real questions here. Do the old 
principles still apply on how we try to regulate, enforce and 
punish? Secondly, even if we can identify it at the server 
point, which I think is the contact point where we can all say 
that is where we need to really concentrate our efforts, does 
it matter because whoever is in charge of regulating, whoever 
has a right to sue, and right now there is not a private cause 
of action, whether they are going to be frustrated in doing it.
    Mr. Beales. Well, I think the basic principles certainly 
remain the same. That is, it really is the same basic 
principles that apply to marketing communications in any 
medium. It is what we have used to go after spam so far, and we 
have brought nearly 60 cases against fraudulent and deceptive 
spam.
    I do not think it is a problem of basic principles or 
anything fundamental, that there needs to be fundamental 
changes in the principles there. It is just another form of 
marketing. If we could find people, it could be regulated in 
much the same way as other forms of marketing are.
    What is unique is partly the economics, but I think more 
fundamentally from an enforcement perspective the anonymity of 
e-mail. The phone system, whether it is used for a telephone 
call or a fax, contains information with the call about where 
it came from. E-mail does not work that way, and there is 
nothing in the message that lets us go back.
    If we could go back, I do not think enforcing the law would 
be any harder here than it is with telemarketing or with direct 
mail. You know, some of those messages are deceptive. We need 
to bring cases and we do bring cases in those areas, but most 
of the companies engaged in those activities are legitimate, 
and we can go after and prosecute the bad actors. When we 
cannot find anybody, then it is much more difficult.
    Mr. Gonzalez. So until technology allows us to identify the 
sender, as we have the servers at the present time attempting 
to do that, it does not matter what legislative scheme we come 
up with. It is going to be really difficult.
    Mr. Beales. It is going to be really difficult. It can be a 
little bit more. It can be a little bit less difficult or a 
little bit more difficult, but it is going to remain very 
difficult until we can figure out where it is actually coming 
from.
    Mr. Gonzalez. Thank you very much.
    Chairman Schrock. Well, you are lucky there are only two 
Members here today. We thank you for being here. We thank you 
for your testimony.
    Mr. Beales. I appreciate the opportunity.
    Chairman Schrock. Sure. Thank you very much.
    We will get ready for the second panel.
    [Pause.]
    Chairman Schrock. Thank you all for being here. As I said 
earlier, the five-minute rule, if you can do that, that would 
certainly be a help because we want to hear what you have to 
say, but we also have some questions as well.
    First, I would like to introduce Mr. Jerry Cerasale. He is 
the Senior Vice President for Government Affairs for the Direct 
Marketing Association. Prior to joining the DMA, he was Deputy 
General Counsel for the Committee on Post Office and Civil 
Service for the U.S. House of Representatives.
    Jerry, welcome.

STATEMENT OF JERRY CERASALE, SENIOR VICE PRESIDENT, GOVERNMENT 
           AFFAIRS, THE DIRECT MARKETING ASSOCIATION

    Mr. Cerasale. Thank you very much, Mr. Chairman and Mr. 
Gonzalez. Thank you very much for inviting me here to speak on 
this important topic.
    The Direct Marketing Association is a trade association of 
4,500 corporate members, many of whom are small businesses, and 
they market directly to consumers for sales or their people who 
help support marketers marketing.
    E-commerce is very important to all marketers, especially 
small businesses, and there is a huge promise from e-commerce. 
It is a low barrier to entry. It is a way to find consumers 
quickly and efficiently.
    There has been, however, a huge growth in Web sites, and 
what happened early in the Internet was that you could have a 
Web site up, and a search engine would find your company, and 
consumers could find you. The search engines now are 
advertising media wherein you pay to get prominence in the 
search find.
    Many small businesses can no longer be part of that because 
it becomes cost prohibitive, so they have to look to go back to 
the old style of trying to get a list, trying to find customers 
rather than customers coming to find you, especially for a 
smaller business.
    What we have is a growth potential in e-commerce of small 
businesses needing e-mail much more than even larger 
businesses. You find a list, a targeted list, and you try to 
reach those customers who are interested. That is the way it 
should work, and that is the promise of e-mail because it is so 
inexpensive so that entrepreneurs can get in and try to find 
customers that are interested in them.
    There is, as my son would say, a dark side to e-mail, and 
the same thing that creates the promise, the low barrier to 
entry, creates the dark side. The dark side is it is very 
inexpensive. It does not pay.
    If you do not care about the attitude of customers and you 
are looking for, as what Mr. Beales said, a response rate of 
\1/1000\ of one percent is good enough, if that is the attitude 
that an individual has you are not going to spend the money to 
target, and you are just going to flood the system with e-mail. 
That is the dark side. That flood comes in with pornographic 
stuff, sexually explicit, things you are not interested in, get 
rich quick schemes, Nigerian scams and, sadly, even computer 
viruses.
    What we have to do is try and, from our perspective, save 
the promise. Kill the dark side without killing the promise I 
guess is the way to really look at it. What we have tried to 
show in testimony is the DMA has done a few studies to show 
does e-mail work? Are people at least even interested in it?
    We find that 36 percent of adults in our study actually 
responded to an e-mail and purchased something, $17.5 billion. 
Consumers alone spent $7.6 billion, and unsolicited e-mails to 
prospects--not even to customers--was sales of about $1.5 
billion. There were savings out of this e-mail marketing of 
$1.5 billion, and even the prospects said they said in a year 
$300 million, which is not tiny, especially for small 
businesses.
    We find in our study that 21 percent of the marketing 
budgets for small businesses went to e-mail versus 13 percent 
for larger companies. Excuse me. Their Internet, not their e-
mail. Their e-commerce budget. Small businesses are more 
dependent upon e-mail marketing than are larger businesses.
    The Internet sales. Twenty-one percent of small business 
Internet sales came from e-mail marketing, the rest coming from 
Web sites and so forth, but that is significantly larger than 
the 12 percent that came for larger businesses.
    What we need is a national standard. We have to try and 
avoid solutions that destroy the promise of the Internet, and 
destroying the promise of the Internet could be something like 
an opt in or even a very restrictive Do Not E-Mail list because 
there is no time then to try and correct the problem. People do 
not know the small business, the new business. They do not know 
them. They are not a customer of them already. You then would 
cut out this potential market.
    We have to get rid of the fraudulent, untargeted 
pornographic e-mails. We hope that the House will move quickly 
to pass some legislation, but the big key is also not just to 
pass the legislation, but to provide the resources to enforce 
the provision.
    The DMA is working with the FBI and others to try and get 
some money through the White Collar Crime area to try and get 
some enforcement, so we are doing that. Legislation is only one 
of those prongs, but we need it.
    Thank you very much.
    [Mr. Cerasale's statement may be found in the appendix.]
    Chairman Schrock. Thank you very much.
    The Subcommittee is now going to hear from Mr. Bruce 
Goldberg. Mr. Bruce Goldberg is the former president of 
Weathermen Records, an on-line music t-shirt company based 
outside of Dallas, Texas.
    After having several years of intensive marketing 
experience as an executive for Neiman Marcus, his passion for 
music and an eventual understanding of the Internet led Mr. 
Goldberg to become a very successful entrepreneur and founder 
and president of Weathermen Records.
    He is here today to share his personal experience as to how 
spam has affected him as a small business owner, and, for those 
of you who did not see it, he was featured in a Wall Street 
Journal article on August 19, a fascinating article that is 
entitled Spam's Easy Target: Floods of Unsolicited E-Mail 
Handicaps Small Businesses. How Some Are Fighting Back.
    I am looking forward to your testimony. Thank you for being 
here.

   STATEMENT OF BRUCE GOLDBERG, FORMER PRESIDENT, WEATHERMEN 
                  RECORDS, FARMER'S BRANCH, TX

    Mr. Goldberg. Thank you very much. Good afternoon. My name 
is Bruce Goldberg from Weathermen Music in Dallas, Texas. I am 
here to represent my business, but, more importantly, I am here 
to represent all the small businesses in the United States that 
are powerless against unsolicited e-mail.
    In college, I studied Business Marketing with the hopes 
that someday I would be able to work for myself and own my own 
company. After college, I worked my way up the ladder for 
Neiman Marcus, completing their executive development program 
and working as part of their buying staff.
    I have always had a passion for music. My passion soon 
turned into a hobby, and I started buying and selling records 
at monthly music conventions. I started to keep a list of names 
and addresses who wanted to receive notification when I got new 
stuff in. Before I knew it, I was mailing out 500 of these 
lists a week.
    I reinvested every dime I made and started to expand into 
music t-shirts. I put together a small mail order catalog, and 
before too long I was sending out 1,000 copies a month with the 
U.S. mail. Around the same time, I started to subscribe to a 
service that would allow me to communicate with people all over 
the world via the computer called Prodigy. Soon I was able to 
set up a tiny web page with a template that Prodigy supplied. 
This was the beginning of my on-line company.
    As my customer base grew, I decided to leave Neiman Marcus 
to concentrate on my mail order company. When domain names were 
first being offered, I quickly bought up the name The 
Weathermen, as my company name with the marketing idea of being 
a music forecaster.
    I invited my new customers to sign up for my free e-mail 
updates. My list quickly grew from the initial 1,000 to 60,000. 
Today, Weathermen Records is one of the largest on-line t-shirt 
music stores with over 50,000 regular worldwide customers and 
6,000 Web sites linked to our site. We carry about 4,000 
different music t-shirts from all over the world. We are still 
considered a small business with only three employees.
    Nine-five percent of our sales and communications are done 
over the Internet. When I first started, it never crossed my 
mind that I could get an e-mail that was bulk e-mailed to me 
about Viagra, lowering my mortgage payment, losing weight or 
getting rid of my debt. Throughout the years, I started getting 
more and more spam, but pretty much was able to just delete it 
as it came in.
    As my on-line presence grew, so did the amount of spam I 
received. I was finding that whereas most people get one of 
each spam, we were getting five to 10 of each, depending on how 
many of our e-mail addresses were hit.
    The hard part was distinguishing the legitimate e-mail from 
junk, as I have to treat each new e-mail as a potential 
customer. A lot of legitimate e-mails were being accidentally 
deleted. Even as careful as I was, I would still lose customers 
by accidentally deleting their messages.
    We were getting 15 spam e-mails to one legitimate e-mail. I 
needed to do something about this. It was getting worse. On 
more than one occasion, my company server was so overloaded by 
spam it shut itself down for several hours, costing me a day's 
business and its customers.
    The first thing I did was to set up my account so that 
anything intended for ex-employees went right into the trash 
bin. The second thing I did was employ a spam filtering service 
called Spam Cop that would filter out any e-mail that was 
previously reported by fellow Spam Cop members as spam, and it 
was put into a special separate spam holding tank for spam e-
mails. The problem with the service, however, is sometimes it 
grabs legitimate e-mail.
    In an average day, the spam mail folder will keep 1,000 
spam e-mails from reaching our system. Today, with all the 
filtering systems still in effect, we still get three spam 
mails for one legitimate e-mail. I spend at least an hour a day 
sending spam to my trash box. I get spam 24 hours a day, seven 
days a week.
    I was recently featured in an article in the Wall Street 
Journal about spam. Because of the article, I got spammed. I 
will probably get spammed from this testimony finding its way 
to the Internet.
    Chairman Schrock. Not from us you will not.
    Mr. Goldberg. Instead of spending my time dealing with my 
mail situation, I could use the time to better serve my 
customers, increasing my profits, which in turn would generate 
more tax dollars for my community.
    I believe something must be done about this situation that 
gets worse by the day. If the problem continues to grow at the 
rate it is currently growing, it will be impossible for 
businesses to rely on the Internet and e-mails as a form of 
communication.
    I believe that people that send spam and harvest and sell 
e-mail addresses should be fined and prosecuted. I believe our 
government should try to work with other governments to abolish 
spam sent from other countries to try to prey on the elderly 
and young by means of deception.
    I use my e-mail as a form of communication. Imagine if you 
used the telephone as a form of communication and your phone 
rang all day long with solicitors, but you still had to answer 
every call to see who it was before you could hang up because 
you were afraid you would lose legitimate customers.
    Imagine instead of spending your time before your hearings 
to make sure you were prepared to serve your community you had 
to take that hour to weed through thousands of e-mails to find 
the ones that you needed to start your work day. That is what I 
do every day.
    I also believe that if lawmakers were the targets of the 
same amount of excessive and unwanted spam as small businesses 
and had to go through all the mail themselves as a lot of small 
businesses do, spam would have already been outlawed.
    Chairman Schrock. Bite your tongue.
    Mr. Goldberg. I love my country. I grew my business from 
the ground up by using simple principles that consisted of good 
communication and providing a fair price, good quality product 
to people who would normally not be able to find it.
    You could say that spam finally shut me down. This past 
week, I sold my company and am currently unemployed. For the 
sake of the new owner, I hope that this testimony will result 
in a resolution and the end of deceptive, unwanted, unsolicited 
commercial e-mail.
    I hope whatever career I travel down next, I do not have to 
put up with the same frustration that plagued me and other 
small businessmen for years.
    Thank you for listening.
    [Mr. Goldberg's statement may be found in the appendix.]
    Chairman Schrock. Thank you very much.
    It is my pleasure now to introduce John Rizzi, who is the 
CEO of e-Dialog, a Boston based e-mail marketing firm that 
specializes in precision e-mail for companies like the NFL, 
Staples and Charles Schwab.
    Mr. Rizzi has over 14 years of executive leadership in 
successful start up businesses all related to e-mail 
technology, applications or marketing services. Prior to his 
experience as an information systems expert, many of his 
leadership and management skills were gained as an officer in 
the Navy.
    I can relate to that. I am a retired naval officer, and I 
think everything I learned I learned in the Navy too. Some not 
so good. Most of it good. Welcome.

  STATEMENT OF JOHN RIZZI, CEO, E-DIALOG, INC., LEXINGTON, MA

    Mr. Rizzi. Thank you, Mr. Chairman and Members of the 
Committee. I am very delighted to be here today and certainly 
grateful that the voice of the small businessman is respected 
in these halls.
    My name is John Rizzi, and I run a business of 51 people in 
Lexington, Massachusetts, called e-Dialog. My business is 100 
percent dependent on the effective use of e-mail as a marketing 
and communication channel. I am an e-mail service provider. Put 
simply, my company acts like the e-mail marketing department 
for other large companies that are really finding the 
relationship with their customers to be very important and 
certainly want to do e-mail right.
    Our clients include well-respected companies like John 
Deere, Charles Schwab, Schering-Plough, Reuters, Harvard 
Business School Publishing and the NFL. In fact, if you enjoyed 
reading your Redskins newsletter this morning, the one from 
your favorite team, perhaps the Patriots, it came from e-
Dialog.
    I am also a veteran of the e-mail industry, starting with a 
company over 14 years ago in an old laundromat that developed 
and sold e-mail technologies before they were available to 
anybody in the networks in small businesses.
    For my entire post Navy career, I have been a part of the 
e-mail industry and in fact have been very proud to participate 
in the creation of the e-mail revolution. However, I am not so 
proud over the last couple years where our mailboxes have 
become polluted with spam.
    E-mail is a wonderful, vibrant, economically valuable 
communications tool that is suffering critically right now with 
this infection. I could not be more pleased that so much 
legislative effort is going into finding a cure. What is most 
important now is we quickly act and stop this epidemic. The 
CAN-SPAM bill passed last week by the Senate is a giant step in 
the right direction, and I would urge the House to pass it as 
soon as possible.
    The key value e-mail brings to businesses is that it 
cheaply expands their reach to customers outside their local 
area to everywhere in America, if not beyond. It makes them 
competitive with the big guys at a very low cost. For example, 
I personally buy tea for my wife from a company, a small shop 
called Special Teas in Connecticut, I buy parts for my car from 
3X Performance in North Carolina, and I buy toys for my 
daughter from a place called Suzi's Dollhouses in Idaho.
    I enjoy my relationship with each one of these customers, 
and I have these relationships because of the e-mail they send 
me. It is good for their business, and it meets my personal 
needs. They are all clearly e-mailing across state lines. While 
I do not know for sure, it is very possible that somewhere 
unwittingly they are breaking the law.
    This binder--I had to bring a little show and tell; my 
daughter recommended it--contains the briefings of 37 different 
state laws, their anti-spam laws. On the one hand I am 
delighted that action has been taken. On the other hand, 
imagine the confusion and how overwhelmed I am and my company 
is to comply. This binder would scare the dickens out of Suzi 
and her dollhouse store in Idaho, wondering and worrying that 
every time she presses the Send button she might be a 
lawbreaker.
    In my business, I have the focus and the expense of three 
employees that spend all day every day worrying about the state 
laws, industry regulations that we support and compliance and 
deliverability issues. I have to say, I am really glad I have 
these three people because when I go through this binder I get 
stuck at C.
    I can only get that far because when I come to C, I find a 
state that has a hastily approved anti-spam law approved during 
some real political turmoil that is a disaster waiting to 
happen for any e-mailer in America that is trying to mail into 
that state and certainly any small business in that state 
trying to do e-mail. We have to stop that. More state laws like 
this are on the way. There are at least 13 more states to go.
    Since e-mail is inherently an interstate medium, small 
businesses need one federal law that is predictable, manageable 
and enforceable. The CAN-SPAM Act, with any weaknesses it may 
have, solves this problem. As you can tell, I am very 
supportive of the preemptive conditions of the law.
    As happy as I am about the prospect of an anti-spam law, we 
have to talk about the stark reality that we face, which is the 
worst spammers today are already lawbreakers. If not actually 
breaking the law, they are unethical business people that will 
happily take your money for their latest form and brand of 
snake oil.
    The trouble is that spammers can hide on the Internet. They 
can falsify their identities and do their work with impunity. 
The law can only be effective when the perpetrator of a crime 
can be found, and to do that we need technology.
    I am happy to say my company is part of an industry group 
of legitimate e-mail marketers called the E-Mail Service 
Provider Coalition, nearly all of these businesses small 
businesses, that are working together to develop a universal 
technology to provide an authentication system for large e-
mailers that will effectively remove the hidden identities of 
spammers.
    I brought copies of a white paper about this issue called 
Project Lumos which I would offer for review and to be entered 
into this record. Simply, either the sender of the mail will be 
automatically authenticated as an identifiable and legitimate 
e-mailer or the mail does not go through. This, combined with 
other initiatives, will drive spammers out of their holes where 
the law can find them.
    Coincidentally, as Mr. Gonzalez mentioned, a very good 
article about this is in today's Washington Post.
    I and my colleagues in the industry are extremely confident 
that this will work, and it is only months ago. We need to be 
realistic that this is part of the solution, and the law alone 
cannot solve the problem.
    The final critical factor for the protection of small 
businesses is the subject of a Do Not E-Mail registry. I have 
to admit, this sounds intuitively obvious and like a good idea, 
but I have to tell you with all my experience that this is a 
disaster waiting to happen, especially for small businesses.
    Look deeply, and you will find enormous technology 
challenges that small businesses will not be able to adopt. You 
will see security challenges that if compromised will allow 
this big list to go into the wrong hands, and I dare say you 
will be spammed within hours, if not minutes, when that 
happens.
    You will see business people confused as to why they can 
mail fewer and fewer of their customers, and you will see 
consumers frustrated and confused when they are getting less 
and less mail from their favorite companies, but no less spam. 
Remember, spammers are lawbreakers. They are not going to take 
their lists and match it and clean it against a registry. They 
are already breaking the law.
    The good guys will do it though, so they are going to have 
fewer and fewer people to mail to, but no one will get any less 
spam. The Do Not E-Mail registry I am afraid will backfire, and 
small businesses will lose.
    To summarize, please act quickly and approve the CAN-SPAM 
bill that came from the Senate. Give the industry time to 
develop the technology that will make spammers identifiable, 
support consumer education on how to avoid spam, and, very 
importantly, please do not hurt small businesses by mandating a 
Do Not E-Mail registry.
    Thank you.
    [Mr. Rizzi's statement may be found in the appendix.]
    Chairman Schrock. Thank you. I like the idea of your 
Redskins thing, but my guess is Mr. Gonzalez would prefer the 
Dallas Cowboys, right?
    Mr. Rizzi. We do their newsletter too.
    Chairman Schrock. It is my pleasure to introduce Catherine 
Giordano. Catherine is the president and CEO of Knowledge 
Information Systems, which is a Virginia Beach based technology 
training and research firm. She is here today representing 
Women Impacting Public Policy, WIPP.
    Ms. Giordano has more than 24 years' experience in the 
operation, management and coordination of major projects, 
management, supervision and training of personnel.
    I have known Catherine for many years. We live in the same 
city. When I first decided to run for the state Senate, she was 
one of the first people I went to. She gave me that are you 
crazy look then, and when I saw her at breakfast this morning 
that look was still on her face.
    We are glad to have you here, Catherine. Thanks.

 STATEMENT OF CATHERINE GIORDANO, PRESIDENT AND CEO, KNOWLEDGE 
  INFORMATION SYSTEMS, VIRGINIA BEACH, VA, ON BEHALF OF WOMEN 
                 IMPACTING PUBLIC POLICY (WIPP)

    Ms. Giordano. Thank you very much. Good morning, Mr. 
Chairman and Mr. Gonzalez. My name is Catherine Giordano. I am 
the president of Knowledge Information Solutions, Inc. located 
in Virginia Beach, Virginia, and I am appearing today on behalf 
of Women Impacting Public Policy, a national bipartisan public 
policy organization advocating on behalf of women in business 
representing 460,000 members nationwide. I serve as co-chair of 
WIPP's procurement committee.
    K.I.S., my company, is a woman-owned, 8(a) certified small 
business which employs 47 workers. We provide computer products 
and IT services such as ISP Internet and wireless connectivity 
and network design and consulting. We supply IT products and 
services to the federal government through 11 government wide 
acquisition vehicles to approximately 47,000 customers.
    I would like to thank you, Mr. Chairman, for inviting me to 
speak on a subject that my company deals with on a daily basis 
and one that I believe is very costly to small businesses--
spam. Coincidentally, KIS just recently completed an internal 
analysis of the effect of spam on our business, so this 
testimony is timely to our company.
    Most business environments are now computer based and 
dependent on e-mail as the essential form of business 
communications. At KIS, our small business is reliant on a 
communication system to our customers that is by electronic 
mail and correspondence predominantly through computer 
technology.
    Small businesses are always interested in attracting new 
customers, and we are ever mindful and concerned about annoying 
current or prospective customers. Therefore, KIS offers a form 
of permission based customer marketing that will readily remove 
their name from any KIS mailing list upon request. This 
practice is typical of most other small businesses. Legitimate 
businesses take these requests seriously and honor requests to 
remove names from the list.
    Unsolicited commercial electronic mail, spam, represents 30 
percent of KIS' inbound correspondence. It is an ongoing 
process, and it becomes more expensive as the innovation of 
global spam capabilities has shifted the burden of cost from 
the sender of the spam to the small businesses, ISP providers 
and the customer.
    Since spammers continuously change their methods of 
operation, we spend additional employee time to find just the 
right mix of settings to adjust. Our review shows that KIS' 
small business customers spend an average of seven minutes per 
day per person dealing with spam.
    Since KIS provides 250 small businesses in the southeastern 
Virginia region information technology management and ISP 
support services, we estimate that the total cost in lost 
productivity to these customers is estimated to be $2.9 million 
annually. Mr. Chairman, $2.9 million could be used much more 
productively by small businesses on items such as equipment 
purchases, creation of jobs or providing health care to 
employees.
    The spam filtering methods KIS currently utilizes is DNS or 
domain naming services, the protocol for translating names into 
IP addresses. For example, an address like www.google.com must 
be converted into a numeric 216.239.41.99. One of the options 
to filter spam through DNS, called blacklisting, typically 
catches only 25 percent of these e-mails. Filters utilizing key 
word searches will catch an additional 5 percent of the e-mail.
    The number of false positives, which are e-mails that are 
wrongfully identified as spam, raises daily as more and more 
companies are inadvertently submitted to blacklist servers. Of 
these e-mails caught by DNS blacklisting, the keyword 
searching, two to five percent are false positives.
    The cost associated with identifying false positives is 
roughly $2,499 annually and an estimated yearly cost of 
employee productivity after KIS current anti-spam measures to 
my company is an estimated $93,750.
    To implement a KIS internal, full-blown, perimeter e-mail 
server incorporated spam detection system costs our customers 
$4,500 plus the cost of equipment. Their return on investment 
after implementation of a full-blown spam detection software is 
estimated at 5.5 months, and that only catches 85 percent.
    As the Committee knows, the Senate in the last several 
weeks passed an anti-spam measure by 97-0. Although WIPP has 
not had a chance to review the proposals pending before the 
House in depth, our thoughts are twofold. One, spam is a costly 
expense for small businesses. Two, when enacting legislation to 
limit spam, Congress should take into account the effect of its 
actions on small businesses for compliance.
    When considering a new law to prevent spam, our members do 
not want the burden of seeking permission from every customer 
in order to send an e-mail. The FCC's proposed legislation on 
the Do Not Fax rule is a good example of good intentions by the 
government agency, but bad consequences for small business. The 
proposed rule would require every business to seek permission 
from every customer before faxing things like invoices and 
other necessary business communications.
    We have heard from our small businesses, and they are 
simply not practical when trying to restrict unsolicited faxes. 
Similarly, such a system for e-mail communications would be 
onerous for small businesses. Compliance with an opt in is 
problematic for small businesses with limited resources.
    In closing, I would like to paraphrase a quote from Ms. 
Paula Seles, Senior Counsel, Washington State Attorney General, 
delivered before the Committee on Energy and Commerce on July 
9:
    Strong legislation is only one part of the solution. If 
legislation is passed, it must be flexible enough to allow new 
technologies that may ultimately be more effective than any 
law. There is no easy fix to this problem, and it will take all 
the tools we have to address it.
    Ms. Seles' statement summarizes WIPP's approach on spam. 
There is no question in our minds that limiting spam is good 
for small businesses. The solution, however, must take into 
consideration the compliance cost to small business.
    Thank you.
    [Ms. Giordano's statement may be found in the appendix.]
    Chairman Schrock. Thank you, Catherine.
    We are voting. Mr. Ham, Mr. Crews, the two votes will be 
quick. We will be back and then let you do your testimony.
    I am sorry. I thought for sure this would not happen until 
1:00, but anything happens. We will be right back.
    [Recess.]
    Chairman Schrock. My apologies, and thank you for your 
patience.
    Mr. Rizzi, we would have never allowed this in the Navy, 
would we?
    Mr. Rizzi. No, sir.
    Chairman Schrock. It is not efficient.
    We are going to hear next from Shane Ham. He is the senior 
policy analyst for the Technology and New Economy Project at 
the Progressive Policy Institute here in D.C. He Progressive 
Policy Institute is a think tank affiliated with the Democratic 
Leadership Council. Mr. Ham writes and lectures on a number of 
technology and new economy policy issues.
    We are glad to have you here, and thanks for your patience.

  STATEMENT OF SHANE HAM, SENIOR POLICY ANALYST, PROGRESSIVE 
                        POLICY INSTITUTE

    Mr. Ham. Thank you, Mr. Chairman. At the Progressive Policy 
Institute, we have been advocating for the advancement of the 
Internet economy for six years because we think it is important 
to the future growth of the entire U.S. economy, and that is 
why for almost that long we have been pushing for spam control. 
We have been involved in this debate since all the way back in 
the 1990s, back even when the DMA was opposed to legislation on 
it.
    We have been moderate on the subject. We have never called 
for a complete ban on all unsolicited commercial e-mail or for 
an opt in standard, which is effectively the same thing as a 
complete ban because if you have opted in it is no longer 
unsolicited e-mail. I feel that if you opt in it is no longer 
unsolicited. You say I am requesting the e-mail, so it cannot 
technically be spam anymore, which that is the same thing as a 
ban.
    I think the opposition to an effective spam legislation by 
the marketing industry and others is increasingly becoming a 
Pyrrhic victory. We now have a patchwork quilt of state laws 
that it is very, very difficult for businesses to comply with. 
There is a law out there in that seaward state that is going to 
just give all e-mail businesses fits.
    I think, more importantly, the real tipping point that we 
are looking at now in spam is that people are beginning to 
understand and become upset about the fact that spam is 
destroying the entire e-mail system in general.
    A recent report by the Pew Internet Foundation, and I cite 
this in my written testimony, indicates that we are now 
officially at the point where more than half of Internet users 
believe that spam has caused them to trust the e-mail system in 
general less, and I think that is a real tragedy.
    It is becoming harder and harder for moderates like us to 
find a balanced solution to the problem that will, you know, 
benefit consumers, that will benefit Internet users and protect 
the people who rely on e-mail to run their businesses and their 
small businesses.
    I think when you are thinking about what to do about spam 
with regard to small businesses, there are a couple things you 
need to keep in mind. First of all, it is perfectly clear, as 
we have heard already today, that small businesses are much 
more the victims of spam than they are ever going to be 
utilizers of spam in order to grow their businesses. It does 
really more harm to small business overall than it could ever 
really do good.
    The main reason for that obviously is that small businesses 
cannot take the steps to protect themselves that individual 
users can. You cannot have a white list that only lets your 
friends and family e-mail you because you have to get e-mail 
from complete strangers if you want to grow your customer base. 
You cannot just set up a filter that throws out anything that 
is vaguely suspicious because you will be throwing out 
customers too.
    That is why I think, as Howard Beales said, 84 percent of 
small businesses say that fighting spam is their top priority, 
but not nearly that many would say continuing to spam 
themselves as a business strategy is a top priority.
    I think another problem that small businesses face is that 
it is getting harder and harder for the average Internet user 
to distinguish between legitimate and illegitimate spam. That 
is increasingly becoming a false dichotomy.
    There is a clear legal line between fraudulent and non-
fraudulent spam, and there may be a moral line between senders 
who follow industry best practices and those who do not, but to 
the average users they are just distrustful of any kind of 
unsolicited e-mail that they find in their in box in general.
    The idea, as Jerry was citing some numbers about how many 
businesses are using e-mail in order to expand their customer 
base, but I think you will find as the spam problem continues 
to get worse and worse and people trust the system less and 
less, there will be fewer and fewer people that are willing to 
respond to spam not only to make a purchase, but even to do 
something like click an opt out link as it becomes more and 
more clear that clicking that link that says Remove Me From 
Your Mailing List is a good way to get 10 times as many spam as 
you were getting before.
    People are just going to completely tune out from it, and 
it will, I believe, disadvantage small businesses because the 
only kind of e-mail marketing that is going to work is going to 
be from the large, brand name firms that people already know 
and trust, but trying to find new customers for a small 
business that nobody has ever heard of, tragically those small 
businesses are going to be lumped in with the scam artists and 
the pornographers and all the other spammers that end up 
straight in the trash.
    We have over the years advocated different solutions, but 
we think that we have gotten to the point where we really need 
to take a radical look at this. The problem has just gotten too 
bad to take the smaller steps that might have worked four or 
five years ago.
    The Do Not E-Mail list is one that has been talked about a 
lot. I know that even the FTC is opposed to that, and there is 
no doubt that there is tremendous technical problems with 
implementing a Do Not E-Mail list, but we still think it is a 
good idea, but it has to be done completely.
    The way it happened in the Senate bill that just asked the 
FTC to do a study and then sort of gave them permission to go 
forward with it if they so choose after the study is not going 
to work. It is going to take significant research with probably 
millions of dollars to hire the staff and equipment that will 
be necessary to keep a Do Not E-Mail list safe from hackers and 
from spammers.
    The other thing that PPI has long advocated, and we really 
think this will work, is requiring a standard label in the 
subject line identifying spam not just for pornographic e-mail 
sent to make it automatically filterable, but for all e-mail 
that fits the definition of unsolicited commercial e-mail.
    All three of the major bills right now just indicate that 
there has to be a clear and conspicuous--it has to be obvious 
basically that an e-mail is spam. You cannot make the subject 
line fraudulent. That is not going to allow technology in the 
computerized, automated filters to do the work that is 
necessary to keep the spam out of in boxes and protect small 
businesses from the flood of spam in their in boxes that they 
have to wade through.
    I think that everything else, you know, regarding private 
right of action, those are details that can be negotiated. I 
think preemption is something that everybody is in favor of, 
but if we do not get I think these two things, a truly 
effective Do Not E-Mail list and a standard label for all 
unsolicited commercial e-mail, I do not think we are actually 
going to solve the problem.
    Thanks for your time.
    [Mr. Ham's statement may be found in the appendix.]
    Chairman Schrock. Thank you very much.
    Wayne, you are a very patient man. Wayne Crews is the 
Director of Technology Studies for the Cato Institute. He is an 
expert on new economy regulatory issues, including antitrust 
policy, privacy, spam and intellectual property.
    Before he went to Cato, he was the Director of Competition 
and Regulation Policy at the Competitive Enterprise Institute, 
and we are glad to have you here. Thank you.

STATEMENT OF WAYNE CREWS, DIRECTOR OF TECHNOLOGY STUDIES, CATO 
                           INSTITUTE

    Mr. Crews. Thank you. It is my pleasure. Good morning, Mr. 
Chairman. I appreciate the opportunity to appear today.
    Chairman Schrock. It used to be morning, but it is not 
anymore.
    Mr. Crews. It is afternoon now. We can have some Spam for 
lunch.
    The increasingly apparent downside of an Internet on which 
you can contact anyone you want is that anyone can contact you. 
The openness that was once central to the Internet experience, 
as the marketers like to call it, is now a drawback.
    However, the dilemma is not just that legislation likely 
will not rid us of spam, given the net global pool of 
scofflaws. Rather, legislation like ADV mandates and Do Not 
Call lists still do not address the root problem of spam. One, 
the lack of authentication of senders, and, two, the ability of 
spammers to shift the cost of bulk e-mail to the recipients.
    Clearly, such misdeeds as peddling shoddy goods, forging 
the name of the sender and phony unsubscribe promises should be 
punished. Abuses like dictionary attacks and spoofing often 
commandeer unwitting computers, and they resemble hacking more 
than they do commerce.
    To a great extent, these are already illegal, and 
alternative market driven solutions by a technology pricing and 
industry consortia are going to become more urgent. Maybe that 
is a blessing in disguise because spam is not a single dilemma. 
Kids seeing porn in the in box is a different problem than ISPs 
overwhelmed with ricocheting Viagra ads.
    Moreover, the industry must coalesce to address cyber 
security and hacking concerns that need remedying perhaps more 
urgently even than spam. Actually solving such problems is a 
different proposition from passing a law.
    Proposed legislation, for example, would impose subject 
line labeling like ADV for commercial e-mail, mandate 
unsubscribe mechanisms, ban harvesting software, set up fines 
or even bounties and contemplates an extensive and likely 
hackable, in my view, Do Not Spam list.
    If the legislation merely sends the worst spammers 
offshore, we have only created regulatory hassles for small 
businesses trying to make a go of legitimate commerce and 
mainstream companies that already followed best practices like 
honoring unsubscribe requests.
    Proposed legislative penalties can easily keep many small 
businesses out of Internet marketing altogether for fear of a 
costly misstep. Is that our goal? Commercial e-mail, even if 
unsolicited, may not always be unwelcome, yet how might the 
definition of spam expand after legislation? Is it just bulk 
unsolicited commercial mail, or is it anything you did not ask 
for?
    Numerous questions arise. Many e-mails are not commercial, 
but are still unwanted--press releases, resume blasts, 
political and charitable solicitations. I have even seen the 
term scholarly spam used for e-mails sent by groups like my 
own. Even the signature lines we all put in our e-mails are a 
subtle solicitation, whether we admit it or not. If we need ADV 
for advertisements, why not REL for religious appeals?
    We should not discount the creativity of lawyers looking to 
sue the easy marks in the wake of legislation like the small 
business that will inevitably slip up when he is implementing 
an unsubscribe request or trying to adhere to the Do Not Call 
list and Do Not Spam list and makes an error.
    Navigating e-commerce regulations after legislation like 
this could be relatively easier for large firms, and that is 
something to consider with regard to small business impact. 
Much of the marketing industry's newfound support of spam 
legislation seems defensive and aimed at protecting the ability 
to send legitimate commercial e-mail. That is understandable.
    Post legislation, marketers are surely going to feel that 
they have met federal requirements like ADV and a street 
address. Therefore, ISPs have no right to block their messages. 
One cynic said that the CAN-SPAM Act meant that you can spam.
    Blacklists, despite their problems, are one of the key 
means of dealing with spam today. Contracts and rights of ISPs 
and consumers to end unwanted relationships, rather than 
federal guidelines, still need to play a big role in the 
future, especially as technology catches up with the problem.
    There is some good news. If your fundamental desire is to 
stop spam totally in your personal in box, you can do it 
already using a handshake or a challenge and response account, 
and that might be something we talk about later. There is a 
movement in the industry towards that.
    Meanwhile, the entire industry needs to get busy on 
standards such as digital signatures or seals for trusted e-
mail as a means of helping tomorrow's ISPs block spam, but it 
could require unprecedented industry coordination. At bottom, 
the flat fees and free e-mail of today are not a fact of nature 
or natural right.
    Ultimately, e-mail postage or protocols that allow ISPs and 
users to charge fractions of a cent for unsolicited mail would 
allow users to impose their own conceptions of spam. Emerging 
bonded sender programs anticipate this kind of sea change.
    It may be that today's e-mail system in which originators 
of messages remain anonymous is altogether inappropriate for 
the commercial information society of tomorrow. While the 
government must not outlaw anonymous e-mailing, maybe it needs 
to be impossible, not merely illegal, to send a commercial e-
mail if the network owner cannot discern who you are or charge 
you. If so, those are jobs for the industry that cannot be 
replicated by passing a law.
    Thank you very much.
    [Mr. Crews' statement may be found in the appendix.]
    Chairman Schrock. Thank you, Wayne, and thank you all very 
much.
    If we do not get this spam under control, what do you see 
as the largest long-term effect on your businesses? Obviously 
Bruce Goldberg, we heard what happened to him. Are we going to 
hear more stories like him or what? I am curious what you might 
think.
    Mr. Cerasale. If I may start, Mr. Chairman, I think you are 
going to get a growing lack of trust and lack of use of e-mail. 
What is happening today is there is so much spam. Even from 
large companies, a legitimate e-mail that is a confirmation of 
an order is not opened because they are just being deleted.
    I think from the point of view of looking at it at the 
consumer's side, you are going to see the non-economic, non-
commercial use of e-mail from the consumer side, and I think 
that that is a real problem that faces all marketers trying to 
use e-mail.
    Chairman Schrock. Bruce?
    Mr. Goldberg. I believe the problem, in my opinion, keeps 
growing because there are a lot of companies out there who see 
how easy it is to get away with it, and they just keep jumping 
on the bandwagon whereas before they would not do it. Now they 
see how easy it was.
    I had one company that sent me an e-mail about selling 
beepers, beeper service, free beepers. They put their 800 
number in there. I decided to call them to see what they would 
say.
    I called them, and I said do you really sell beepers 
through your spam e-mails? I mean, are people that stupid that 
they would trust you by going through this? They said yes. I 
mean, we get tons of orders every day. I was amazed. I was 
thinking wow, maybe I should do this.
    Chairman Schrock. We will have you up here for a different 
reason, right?
    Mr. Goldberg. I mean, there is still the ethical belief 
that I do not think it should be done, but I just think that a 
lot of people are jumping on the bandwagon because they see 
they can get away with it, and it just keeps multiplying every 
day more and more. It is never going to end.
    Chairman Schrock. John?
    Mr. Rizzi. The line between being a good e-mailer and a 
spammer are getting blurrier and blurrier every day. We see 
companies frozen with making their decisions about how to do e-
mail right, even companies with budgets to do it, because they 
do not want to be mixed up in the mailbox with all the Viagra 
ads and so on.
    Already there is an impact on business. There is an impact 
on our business with clients that are slowing down or just 
freezing where they are as far as how much mail they want to 
do.
    Many companies today that, you know, were heading down that 
path to doing e-mail more effectively have stopped to wait to 
see, you know, what kind of technology comes out, what kind of 
legislation comes out. The future is very predictable. There 
will be less and less and less of the good stuff.
    Chairman Schrock. Catherine?
    Ms. Giordano. From my perspective, it would be the fact 
that we communicate with our customer base through the system 
itself, and it is usually marketing information that they have 
requested.
    We have become more and more hesitant to do that kind of 
communication, but I can tell you it is very onerous on a 
business owner to have to stop that ease of communication and 
pick up the phone, call the individual and say I am now going 
to fax you this information. Will you pick it up on the other 
end so it is not considered a junk fax? It is usually 
information they have requested.
    The second thing it is going to do for me is I now 
currently have one person dedicated--it is actually one and a 
half people dedicated, about a $40,000 a year salary--to 
monitor this system, and I am going to have to add additional 
people to just take the load to monitor what we receive and 
what we receive for our customers.
    It is kind of a double edged sword for me. It means I 
cannot do business as usual, and it means I have to spend more 
money to assist the small businesses that are receiving the 
other end of that burden.
    Chairman Schrock. Shane?
    Mr. Ham. I think over the very long term probably the worst 
case scenario would be sort of a Balkanization of the entire e-
mail system. Rather than having the simple open system that we 
have today, more and more people will start to get into little 
mini e-mail systems that only their friends and family are in 
and leave everybody else out. The e-mail as we know it just 
will cease to exist.
    Chairman Schrock. Wayne?
    Mr. Crews. You can see I am skeptical of legislation, but 
it may come to pass that we need--the states, 30 of the states, 
already have legislation, and the e-mails are still coming in. 
It is not stopping it. We may see that ramp up to another level 
if things go global and the e-mail still comes in.
    You are already seeing some of the big players take new 
steps that they could have taken a long time ago, in my 
opinion, and I think if the industry does not get its act 
together and solve this the legislation is going to come and be 
more onerous with limiting the amount of outbound e-mail that 
an individual can send, things of that sort that you have seen, 
or if you do send e-mail and your pattern changes you suddenly 
get a challenge response, a challenge from the provider, things 
of that sort.
    You are seeing those kinds of things start to happen. You 
are seeing movement on making a seal work or a trusted sender 
seal work. It is a tremendous undertaking. I have heard that 
kind of thing be compared to widening all the nation's roads 
six inches.
    On the other hand, if that is what Commerce requires, if it 
is the case that an anonymous e-mail system like we have is 
unsuitable for a commercial world where you have to do a lot of 
things, you want to do your anonymous speaking, but you have to 
have secure commerce. You have to have financial transactions, 
insurance, purchases, all kinds of things.
    It may be that we are still six years into the popular 
Internet, and if we need to make those fundamental changes they 
need to be thought about now. We should be careful that 
legislation does not unintentionally make folks say well, the 
government is taking care of this problem. We do not really 
worry about moving forward.
    Chairman Schrock. Unfortunately, the government would 
probably just add to the complication of the thing if they did 
it.
    You peaked my interest when you said handshake. Would you 
go into that briefly?
    Mr. Crews. Okay. It is not an answer for everybody, but I 
will just mention it really quickly. I am sure a lot of the 
folks on the panel already know what it is and folks here know 
what it is, but for two and a half years I have had an account 
like this.
    EarthLink has just come out with a major roll-out of what 
they call a challenge and response e-mail system for its users. 
In other words, you sign up for this account. You can dump your 
white list in, all of your contacts and things of that sort. 
Any of those who e-mail you will come through.
    If you get any e-mail from a stranger, that stranger gets a 
response not from you, but from the system, that asks him to 
enter a certain password that is generated there or look at an 
image because typically a spam box cannot decipher images and 
things like that, and then put that into the reply, and then 
the message will go through. That stops spam.
    In two years, I have not gotten a spam in that account. It 
does not mean I will not. It does not mean you cannot set up, 
you know, spam sweatshops where people just answer the 
challenge. It can still happen, but in general what it does is 
it changes the focus. In a way it is a proof of concept. The 
reason we have spam is because it is costless for the sender.
    In a way a challenge and response, despite all of its 
problems, because it throws wrenches in the mailing list and 
things like that, because it causes real problems there, but it 
is a proof of concept that if you shift the cost back to the 
sender it does put a real damper on what they do.
    Now, if I am an individual and I have this at home, I do 
not want my kids to see, you know, an unprotected e-mail 
account pop up because now they contain graphics and 
everything. This protects you from that.
    If you are a business and you need to get solicitations 
from customers, you need to get customers to come right through 
or if you are a media company and you need press releases to 
come right through, it is not going to be appropriate for you.
    Then again, as time goes by, maybe it will be. The ethic 
may very well change from everything comes in unless you say no 
to nothing comes in unless you say yes. That is what challenge 
and response does.
    Remember, once you do it you only do the challenge one 
time. If I get an e-mail from a stranger and he answers the 
challenge, any future e-mail he sends me will come through 
without being impeded so long as I have not blocked him, so 
every for businesses it might be appropriate if they think 
their customers are willing to put up with that.
    Chairman Schrock. So you have the choice of whether to 
block or not to block?
    Mr. Crews. Right.
    Chairman Schrock. All right. You are all familiar with 
that, I guess.
    Mr. Gonzalez?
    Mr. Gonzalez. Thank you very much.
    The first thing I want to point out is that we really 
appreciate your testimony and your patience. Many times we have 
the witnesses, and they only see a couple of Members up here 
and get discouraged. Please understand that your testimony 
forms the basis for a lot of things that we do here because 
obviously we are taking it down. It is being recorded. Your 
written statements will be disseminated among all of the 
Members.
    When I was voting, I saw Ranking Member Velazquez, and she 
reminded me that we were having an Hispanic caucus meeting and 
I was on the agenda. Of course, she understood that I was here. 
This is our first priority.
    Please understand that the Chairman and Mr. Manzullo and 
the Ranking Member, Congresswoman Velazquez, will join us in 
thanking you for your presence here this morning. It is very, 
very important, and it is a great education.
    I am going to start off with maybe benchmark things that we 
can agree on, things that are not clear even in my mind. The 
problem that Congress faces right now is that we do have a 
cure, as they say. The good news is that we have a cure. The 
bad news is it kills you. That is the real fear.
    I think Mr. Crews understands what I am talking about. It 
is a delicate balance, as I have already said, and I am hoping 
that we move quickly because if the market does not do it then 
the abuses, and we reach the crisis, and then we overreact.
    The first thing I am going to ask all the witnesses is what 
is your definition of spam? I am getting the impression that 
they will be different. Maybe I am just wrong about that.
    I will start with the first witness. Is it Mr. Cerasale?
    Mr. Cerasale. Cerasale. Mr. Gonzalez, thank you. We have 
tried to define spam, and you get even within our membership 
lots of different versions. I think that the way we look at it, 
it is unsolicited, bulk, untargeted e-mail.
    Some people would add there is fraudulent stuff in it, but 
that is probably just a fact that it is that. Ninety percent of 
the spam that comes into AOL I have heard them testify violates 
some current law already, so I would say you would look at 
bulk, unsolicited, untargeted e-mail.
    Mr. Gonzalez. Thank you.
    Mr. Goldberg. I have to agree. The mail does not 
necessarily have to have a deceptive product in it because I 
have seen some legitimate e-mails come through, but it is just 
anything that basically comes out that you do not ask for that 
can go to like if it hits a domain they can put 100 different 
@theweathermen.com, like they can put sales, owner, webmaster, 
Mike, John, Steve, and you will get every single one of those. 
That is I guess what I would consider it.
    Mr. Rizzi. It is definitely a challenge to define spam. 
Often it comes down to a question of opt in versus opt out. In 
our industry, many, many think tanks and many, many resources 
have been spent on the question of opt in versus opt out. I 
have to tell you, it is very important and largely academic 
until we can find the spammers.
    There are 100 definitions that are important. The fact of 
the matter is lawbreakers do not care, so we have to find a way 
to identify them, and then once we identify them we can start 
dividing it down to well, was this spam or was it not, and was 
it opt in or was it not.
    There are technologies that can be developed that can even 
have triggers in them for that level of sensitivity, so I think 
that is where we need to head, but it is still very hard to 
define.
    Ms. Giordano. In my business microcosm, the best way to 
define it is if it does not relate to my business environment, 
it is spam. That is how I have defined it for the folks that 
actually monitor our system.
    We have received everything from solicitations from people 
in foreign countries to help them because their father died and 
they need money and will you please enter your bank account 
number, like I am really going to do that, to the Viagra ads or 
sunscreen. You name it, it comes in.
    They know that from a personal perspective in my little 
space, which is KIS, whatever does not relate to my business 
does not belong there. Therefore, they block.
    Mr. Ham. I think that a key element of spam is it 
definitely has to have a commercial purpose, and it has to be 
unsolicited in a sense not only that it was not asked for, but 
from a business that you really had no prior interactions with.
    If you have been given a chance to opt out in a previous 
interaction--if you were to go to TicketMaster and buy concert 
tickets and you are given a chance to opt out and you choose 
not to do so and then TicketMaster sends you an e-mail saying 
guess what, your favorite band is coming back to town, even if 
I never really wanted that e-mail in my in box it would not be 
spam because I had the chance to avoid it and chose not to do 
so.
    Mr. Crews. I agree with a lot of what I have heard here. I 
mean, the definition of spam can vary, and it can change over 
time. I mean, as commercial solicitations, if they were to go 
down, you can imagine non-commercial ones would increase.
    The key point, though, is it does not matter how 
legislation defines spam. People need to be able to define it 
themselves and decide what they are going to filter out. I 
mean, even ISPs filtering out and blacklisting things, you 
know, is one of the big hammers we have now to deal with the 
problem, but you can lose important messages that way.
    The more individuals can decide through trusted sender or 
through eventually if there is a way to charge to look at an 
unsolicited mail, ultimately the road you want to go to is to 
let people decide for themselves, and you want to make sure the 
legislation does not in any kind of way impede that.
    I will just point out something extra on the Do Not Call 
list because it occurred to me as I was hearing some of the 
commentary on it that there is a big reason why it would not 
help. If one of the main problems we are having now is 
dictionary attacks, it would not matter that you put your name 
on the Do Not Call list because the bad guys are simply going 
to go johnsmith1, johnsmith2, [email protected], and it is 
not going to matter if your name is on the Do Not Call list.
    Ultimately people have got to be able to filter out all of 
that kind of stuff that is going to come through, and it is 
going to require industry getting its act together.
    Mr. Gonzalez. I guess the important point is that I am not 
sure that Members of Congress--we all have our own definitions 
of spam, just as you do. I think it is important what Mr. Crews 
pointed out, and that is you give the consumer, the citizen, 
the ability to define spam in their own world and then to 
proceed to exclude that which they equate to spam.
    I mean, that is the perfect world if we can reach it, and 
we have to remember that because that which empowered really 
Mr. Goldberg to be a success very well would be complained by 
others because they are being solicited for one reason or 
another about music t-shirts or whatever the business was. We 
do not want to do that. We want to see more success stories 
like Mr. Goldberg.
    Let us see if we can agree on something that is basic. Do 
we all agree, and then go down, and you tell me if any of you 
disagree, that there has to be a federal preemption so that you 
do not have to deal with 50 different sets of rules? I mean, we 
do that all the time, and you already know what it is like.
    Do we all agree that we are going to have to have some sort 
of sender ID mechanism, and the technology has to be there for 
the enforceability portion of it--also, it allows some 
filtering and such--and that we should not have an opt in 
because that would be unworkable?
    I will just start again. Mr. Cerasale?
    Mr. Cerasale. I agree with those three points.
    Mr. Gonzalez. Okay. Mr. Goldberg?
    Mr. Goldberg. Definitely. I agree, too.
    Mr. Gonzalez. Mr. Rizzi?
    Mr. Rizzi. I agree.
    Mr. Gonzalez. Ms. Giordano?
    Ms. Giordano. I agree as well.
    Mr. Gonzalez. Mr. Ham?
    Mr. Ham. I agree with all three.
    Mr. Gonzalez. Mr. Crews?
    Mr. Crews. I am just putting on my legislation critic hat, 
that is all.
    You know, federal preemption is something debating in a lot 
of areas in on-line privacy and all sorts of areas, but again 
just passing the law or setting up a Do Not Spam list or 
mandating the ADV, it does not do any good to preempt the 
states with that kind of law if it is not doing any good. That 
is my only concern.
    Mr. Gonzalez. But if it is a good law, in other words, the 
best that we can fashion----.
    Mr. Crews. As I said in the testimony, you go after the bad 
actors, the fraudulent stuff. If someone is impersonating 
someone else in an e-mail and things like that or impersonating 
another domain name, things of that sort, sure, that is 
appropriate to go after, but it is not something that can be 
micromanaged in any kind of way.
    You have to be careful about ADV requirements and Do Not 
Spam list requirement and their impacts on small business and 
who can manage that, you know, whether that is something that a 
small company can really deal with.
    Mr. Gonzalez. Okay. Thank you all very much.
    Chairman Schrock. Let me follow on to what Mr. Gonzalez 
said as it involves Congress. What is the worst thing that 
Congress and the FTC can do in this situation? So many times we 
create legislation here that we think is going to help, but we 
think there are so many unintended consequences that we do more 
harm than help.
    That is why I, frankly, wish the market would take care of 
this instead of people in Washington because you know when 
Washington gets involves it is probably going to put more 
hamstrings on you than you want.
    What is the worst thing that we could do so we do not do 
it?
    Mr. Cerasale. Okay. Because of what has happened in your 
home state, I think if you do nothing would be very problematic 
because California's law, which will go into effect on January 
1, will effectively put an opt in regime across the nation 
because of the way the law is set up that you violate it even 
if you send an e-mail to an account that is billed in 
California.
    For example, I live in California. My son is in college in 
Connecticut and uses my AOL account, which is billed in 
California. If you send an e-mail there, that would be a 
violation. There is a real problem.
    Chairman Schrock. You have to rethink that, letting your 
son have your AOL account.
    Mr. Cerasale. That is true, but that is a problem. I think 
doing nothing would be awful at this point in time, not 
preempting California.
    The Do Not E-Mail list also just is not going to work. 
There is no way to keep it fully secure because if I give you a 
list with two million e-mails on it and someone scrubs it for 
me and I get back a million e-mails that are not on the list, I 
sudden have at least a million e-mails that are on the list 
because I have the old list, so it does not even need to be 
hacked to be able to get that list.
    Chairman Schrock. Bruce?
    Mr. Goldberg. I believe that the solution would be that I 
do not think that unsolicited e-mails should be completely 
banned because a lot of problems will come into play.
    I had my server hacked into one time. I have an open script 
in there. I am not an HTML expert, but somebody somehow got in 
and found a loophole in my system where they can send their e-
mail out using my system to make it look like it was coming 
from me.
    When I reported it to the ISP that I use, they basically 
said well, you need to tighten up that hole that is in there so 
that they cannot send out mail anymore. If there was a Do Not 
Spam list--I mean if there was an unsolicited law, I would have 
been probably in a lot of trouble for that, even though I did 
not even know it was going out.
    I think that the solution, in my opinion, is somebody needs 
to come up with some kind of technology kind of like what 
EarthLink is using to just kind of--you know, a nationwide, 
across the board everybody uses the same thing.
    I know a couple states now have a thing where if you call 
you have to identify yourself. If it does not recognize your 
name, you have to say who you are, and then the person on the 
line gets to decide whether or not they want to take that call.
    I think that if all the states did that with e-mail, I 
think that we probably would not even have to go any further 
with the Do Not Call list or anything like that because 
somebody came up with a product that already took care of the 
situation before it got that far.
    Mr. Rizzi. I would agree that doing nothing is the biggest 
problem, particularly because of preemption in all the states, 
the 37 states now. The California situation is very threatening 
to the business.
    Let me give you a little anecdote about Utah. Utah has a 
private cause of action condition in their law, which means 
pretty much any lawyer can go after anybody that may have made 
a mistake in the way they sent their e-mail. If there is even 
one percent of the small businesses in America that understand 
that that law exists when they are mailing somebody in Utah, I 
would be surprised. It does not happen.
    What has happened there is that one law firm in Utah has 
now placed over 1,200 lawsuits. One law firm. Most of the 
people that have received this spam are staff members of that 
law firm, and they were simply what we refer to in the industry 
now as ``spambulance chasers'' and going after--you know, it is 
no different. Going after small businesses that do not have the 
resources to do the investigation, hire their lawyers. It is 
much easier to comply and submit and write their check and say 
go away.
    That will happen more and more. I am sure there are just 
stacks of lawyers in California right now wringing their hands 
for January 1 to put on their own ``spambulance'' process, and 
that is a problem. There will be millions of small businesses 
breaking the law on January 1, and they will not know it.
    Chairman Schrock. Unintentionally.
    Mr. Rizzi. Completely unintentionally with their heart in 
it like Bruce here to go do the right thing for their 
customers, but they will not know it. They will be breaking the 
law.
    Legislation, if it does not happen in this session, our 
industry and small businesses everywhere are going to be 
lawbreakers.
    Chairman Schrock. Catherine?
    Ms. Giordano. Big ditto on that. My 47,000 customer list is 
not contained within the borders of Virginia, and my biggest 
fear is that what it will do if there is not some uniform code 
of compliance. I am not sure I understand what the uniform code 
is.
    I would like it to be a technological advancement that 
would rid the problem as well, but it is going to be at the 
ultimate end state, the cost of doing business and indeed 
putting small businesses like mine out of that business 
completely.
    Chairman Schrock. Legal costs could kill you.
    Ms. Giordano. Exactly.
    Chairman Schrock. Yes. Shane?
    Mr. Ham. I agree with all of the other witnesses on this 
preemption thing, but I think probably even worse would be to 
implement a Do Not Spam list without the resources to do it 
correctly because it could turn into a complete disaster if it 
is not done right, or it would probably involve a very 
complicated technical situation where the FTC has to set itself 
up as a remailer.
    There are hurdles that need to be challenged, but if it is 
not done right then the spam problem will get worse literally 
within minutes after implementing----.
    Chairman Schrock. So what I hear you saying is maybe a 
federal guideline would be more appropriate than California 
doing their thing, Utah doing their thing?
    Mr. Ham. Definitely. Definitely.
    Chairman Schrock. Okay. Wayne?
    Mr. Crews. Just be cautious about small business bearing 
the brunt of this. They will be the easy mark.
    Chairman Schrock. They will be.
    Mr. Crews. I mean, it is the case that big companies have 
been targeted too by ambitious lawyers because they are easy to 
get to, and you cannot get to a lot of these bad guys.
    Also watch out for loopholes. I mean, a lot of the reasons 
the spam you are getting has these random characters in it is 
because of the state laws that say you cannot send the same 
message to everybody. They shift it a little bit and send the 
stuff out anyway.
    Whatever is done, it is not just preemption of the states. 
That does not concern me so much as preemption of what the 
market needs to do because ultimately the problem cannot be 
solved here. It is a technological, organizational industry 
problem that has to be solved that way, and it is not just 
spam. It is issues over cyber security and things of that sort 
that are even more fundamental than spam, but have to do with 
bad actors that you do not want getting onto your networks.
    Also, another thing here. You asked about what is the worst 
you could do. You have to watch out for what liability 
provisions could emerge here. There was spam legislation last 
year and that had been debated this year that would give ISPs 
immunity from liability.
    Now, I think negotiating something like that in the 
marketplace is perfectly appropriate, but if you have an 
evolving market where questions of who is liable if a message 
does not go through needs to be worked out through commerce, 
through the commercial process. It is inappropriate for 
Congress to stipulate that.
    Similarly, in the House the spam legislation, of course, 
Zoe Lofgren's bill, for example, who did not want legislation a 
couple years ago, but now does. At that time she thought people 
could deal with it in a lot of ways, but the problem has gotten 
a lot worse.
    She would set up a bounty for consumers to go after spam. 
Now, if I am a small business person I am terrified then 
because I am scared to use e-mail because I know how vindictive 
and malicious people can get sometimes. If they know that the 
law is going to let them sue $500 for every unsolicited e-mail 
or something like that, I am not going to work anymore. I am 
just going to look for spams too and hope I get them.
    You have to be careful. Spam is a huge problem, but, on the 
other hand, if it is a small business that has sent out an 
unsolicited e-mail, you know, the harm that they have caused is 
far less.
    If you were talking about a legitimate company that is 
using its fax list or its members who bought its products and 
things, the harm caused by them sending out an e-mail is far 
below what some of those penalties could be.
    Chairman Schrock. It seems like the greatest harm is the 
time and money it costs a company to address it. As Catherine 
said, she has a person and a half who has to address this. She 
has to pay them, and that is a cost she has. If some regulation 
was put in place, she might not have to.
    Charlie?
    Mr. Gonzalez. I do have to comment on the private cause of 
action because I am still a believer that it is appropriate in 
certain circumstances.
    I understand what you are saying. I think a lawyer that 
basically gets his staff together and says okay, let us make a 
list of all the things so we have a cause of action is 
deplorable. I think it is sanctionable and I think what is left 
of what used to be a great profession even further down.
    What we are talking about is you have a remedy, and the 
consumer, the small business or whatever communicates to the 
sender. I am not on your list. I do not want to be on your 
list. I am rejecting it. You are ignored. Now, do you have to 
wait for the government to act on that? Do you really believe 
you are going to get your Attorney General or the appropriate 
agency or department of the United States Government to move 
quickly enough on this?
    If they are doing it to you, they are doing it to thousands 
and thousands of other people, so I think it is appropriate 
that in certain circumstances, which is pretty outrageous, that 
the individual have that cause of action.
    Now, what is a measure of damages? I think you are right. 
How is an individual harmed? Do you have groups, parties that 
come together for that purpose and go after the bad actors? I 
think there is a legitimate role for the private sector there 
because the profession, the private lawyer and the private 
practice is part of that private sector.
    I do not want to dismiss that out of hand. I think it can 
be appropriate again in limited and very specific 
circumstances. I do appreciate what you are saying here on the 
abuses and the fact that I do not want a huge target being 
drawn on every small businessman and woman in this country by 
anybody who is litigious.
    Thank you again for your concerns and your testimony this 
morning and afternoon.
    Chairman Schrock. Let me just ask one final question. Do 
you have any comments on what Howard Beales talked about when 
he was here?
    Mr. Cerasale. Well, I think Howard did talk about needing 
enforcement, needing funds for enforcement, and I think that 
that is very appropriate.
    One of the things that he did say, however, was a 
difficulty in trying to find people. A lot of times if we are 
looking at really commercial stuff, the pornography stuff is 
more difficult, but to try to give funds to follow the money. 
Even though people can hide right now, if they are trying to 
sell something you can try to follow the money. That takes 
resources.
    We understand, and it is hard for me to believe this 
figure, but from of the Federal Bureau of Investigation when we 
have been working with them trying to set up and get some 
people who are currently violating the law with spam, they said 
that really they think there are about between 150 and 300 
really bad actors that produce most of the stuff.
    Now, I do not know. It is hard for me to believe that, but 
that is what they have told us, and they have told others that. 
It may be that some funds to try, and I think Howard's thing 
was funds to give them enforcement authority to go after them 
now.
    I mean, the saddest thing about this whole spam debate is 
that the FTC found that two-thirds on their face when they are 
looking at the spam study were fraudulent. AOL says that 90 
percent that they receive are fraudulent. They are already 
violating laws, and we are not going to get them, which means 
that there is a real enforcement problem.
    I think that that is someplace that Congress should look at 
very closely to see if we can get some funds into some 
enforcement to go get some of these people now.
    Chairman Schrock. Did you say FBI?
    Mr. Cerasale. FBI, yes.
    Chairman Schrock. If they know it is that number, how do 
they know who it is? If they know who they are, why can they 
not stop it?
    Mr. Cerasale. That is a good question that we have asked.
    Chairman Schrock. Yes.
    Mr. Cerasale. Now, we are working with them on a project 
called Slam Spam actually. The DMA is working with them. We are 
giving them some money to get some agents directly focused on 
spam because it is hard. It is intensive. It needs lots of 
resources, and it is not necessarily the glory arrest.
    We would hope to get some arrests soon with some spammers, 
but I think that enforcement money is probably a good way to 
spend some resources because we can go get some people that are 
already breaking laws.
    Chairman Schrock. Any others of you have comments on 
Howard?
    [No response.]
    Chairman Schrock. Let me join Mr. Gonzalez in saying thank 
you very much. You have been very patient. Your testimony and 
answers to questions have been very helpful.
    I feel certain something very useful will come out of this 
and help you prevent the problems you have been having so that 
it will not happen again and again.
    Thank you very much for being here. This hearing is 
adjourned.
    [Whereupon, at 1:13 p.m. the Subcommittee was adjourned.]

    [GRAPHIC] [TIFF OMITTED] T2986.001
    
    [GRAPHIC] [TIFF OMITTED] T2986.002
    
    [GRAPHIC] [TIFF OMITTED] T3042.001
    
    [GRAPHIC] [TIFF OMITTED] T3042.002
    
    [GRAPHIC] [TIFF OMITTED] T3042.003
    
    [GRAPHIC] [TIFF OMITTED] T3042.004
    
    [GRAPHIC] [TIFF OMITTED] T3042.005
    
    [GRAPHIC] [TIFF OMITTED] T3042.006
    
    [GRAPHIC] [TIFF OMITTED] T3042.007
    
    [GRAPHIC] [TIFF OMITTED] T3042.008
    
    [GRAPHIC] [TIFF OMITTED] T3042.009
    
    [GRAPHIC] [TIFF OMITTED] T3042.010
    
    [GRAPHIC] [TIFF OMITTED] T3042.011
    
    [GRAPHIC] [TIFF OMITTED] T3042.012
    
    [GRAPHIC] [TIFF OMITTED] T3042.013
    
    [GRAPHIC] [TIFF OMITTED] T3042.014
    
    [GRAPHIC] [TIFF OMITTED] T3042.015
    
    [GRAPHIC] [TIFF OMITTED] T3042.016
    
    [GRAPHIC] [TIFF OMITTED] T3042.017
    
    [GRAPHIC] [TIFF OMITTED] T3042.018
    
    [GRAPHIC] [TIFF OMITTED] T3042.019
    
    [GRAPHIC] [TIFF OMITTED] T3042.020
    
    [GRAPHIC] [TIFF OMITTED] T3042.021
    
    [GRAPHIC] [TIFF OMITTED] T3042.022
    
    [GRAPHIC] [TIFF OMITTED] T3042.023
    
    [GRAPHIC] [TIFF OMITTED] T3042.024
    
    [GRAPHIC] [TIFF OMITTED] T3042.025
    
    [GRAPHIC] [TIFF OMITTED] T3042.026
    
    [GRAPHIC] [TIFF OMITTED] T3042.027
    
    [GRAPHIC] [TIFF OMITTED] T3042.028
    
    [GRAPHIC] [TIFF OMITTED] T3042.029
    
    [GRAPHIC] [TIFF OMITTED] T3042.030
    
    [GRAPHIC] [TIFF OMITTED] T3042.031
    
    [GRAPHIC] [TIFF OMITTED] T3042.032
    
    [GRAPHIC] [TIFF OMITTED] T3042.033
    
    [GRAPHIC] [TIFF OMITTED] T3042.034
    
    [GRAPHIC] [TIFF OMITTED] T3042.035
    
    [GRAPHIC] [TIFF OMITTED] T3042.036
    
    [GRAPHIC] [TIFF OMITTED] T3042.037
    
    [GRAPHIC] [TIFF OMITTED] T3042.038
    
    [GRAPHIC] [TIFF OMITTED] T3042.039
    
    [GRAPHIC] [TIFF OMITTED] T3042.040
    
    [GRAPHIC] [TIFF OMITTED] T3042.041
    
    [GRAPHIC] [TIFF OMITTED] T3042.042
    
    [GRAPHIC] [TIFF OMITTED] T3042.043
    
    [GRAPHIC] [TIFF OMITTED] T3042.044
    
    [GRAPHIC] [TIFF OMITTED] T3042.045
    
    [GRAPHIC] [TIFF OMITTED] T3042.046
    
    [GRAPHIC] [TIFF OMITTED] T3042.047
    
    [GRAPHIC] [TIFF OMITTED] T3042.048
    
    [GRAPHIC] [TIFF OMITTED] T3042.049
    
    [GRAPHIC] [TIFF OMITTED] T3042.050
    
    [GRAPHIC] [TIFF OMITTED] T3042.051
    
    [GRAPHIC] [TIFF OMITTED] T3042.052
    
    [GRAPHIC] [TIFF OMITTED] T3042.053
    
    [GRAPHIC] [TIFF OMITTED] T3042.054
    
    [GRAPHIC] [TIFF OMITTED] T3042.055
    
