[Senate Hearing 108-1024]
[From the U.S. Government Publishing Office]
S. Hrg. 108-1024
REVIEW OF THE CAN SPAM ACT
AND NEW ANTI-SPAM INITIATIVES
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
MAY 20, 2004
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
U.S. GOVERNMENT PUBLISHING OFFICE
21-618 PDF WASHINGTON : 2016
_______________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
JOHN McCAIN, Arizona, Chairman
TED STEVENS, Alaska ERNEST F. HOLLINGS, South
CONRAD BURNS, Montana Carolina, Ranking
TRENT LOTT, Mississippi DANIEL K. INOUYE, Hawaii
KAY BAILEY HUTCHISON, Texas JOHN D. ROCKEFELLER IV, West
OLYMPIA J. SNOWE, Maine Virginia
SAM BROWNBACK, Kansas JOHN F. KERRY, Massachusetts
GORDON H. SMITH, Oregon JOHN B. BREAUX, Louisiana
PETER G. FITZGERALD, Illinois BYRON L. DORGAN, North Dakota
JOHN ENSIGN, Nevada RON WYDEN, Oregon
GEORGE ALLEN, Virginia BARBARA BOXER, California
JOHN E. SUNUNU, New Hampshire BILL NELSON, Florida
MARIA CANTWELL, Washington
FRANK R. LAUTENBERG, New Jersey
Jeanne Bumpus, Republican Staff Director and General Counsel
Robert W. Chamberlin, Republican Chief Counsel
Kevin D. Kayes, Democratic Staff Director and Chief Counsel
Gregg Elias, Democratic General Counsel
C O N T E N T S
----------
Page
Hearing held on May 20, 2004..................................... 1
Statement of Senator Burns....................................... 4
Prepared statement........................................... 5
Statement of Senator McCain...................................... 1
Prepared statement........................................... 2
Statement of Senator Nelson...................................... 5
Statement of Senator Wyden....................................... 3
Witnesses
Akamine, Shinya, President and Chief Executive Officer, Postini,
Inc............................................................ 30
Prepared statement........................................... 32
Brondmo, Hans Peter, Senior Vice President, Digital Impact, Inc.. 40
Prepared statement........................................... 42
Guest, James, President, Consumers Union......................... 45
Prepared statement........................................... 47
Leonsis, Ted, Vice Chairman, America Online, Inc., and President,
AOL Core Service............................................... 25
Prepared statement........................................... 28
Monroe, Jana D., Assistant Director, Cyber Division, Federal
Bureau of Investigation; Accompanied by Dan Larkin, Unit Chief,
Internet Crime Complaint Center................................ 15
Prepared statement........................................... 16
Muris, Hon. Timothy, Chairman, Federal Trade Commission.......... 7
Prepared statement........................................... 8
Scelson, Ronald, President, Microevolutions.com.................. 49
Prepared statement........................................... 54
REVIEW OF THE CAN-SPAM ACT
AND NEW ANTI-SPAM INITIATIVES
----------
THURSDAY, MAY 20, 2004
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 10:20 a.m. in
room SR-253, Russell Senate Office Building, Hon. John McCain,
Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. JOHN McCAIN,
U.S. SENATOR FROM ARIZONA
The Chairman. Good morning. I'd like to thank the witnesses
for their patience. The Republicans had a meeting with the
President this morning. I'm sure he'll schedule one with my
Democratic colleagues soon. And so I appreciate your patience,
and we'll now proceed with the hearing.
Today, the Committee will examine the effectiveness of the
CAN-SPAM Act of 2003 aimed at curtailing the proliferation of
spam in America. Since our review of this issue last May, the
volume of spam received by American consumers has risen
unabatedly. Spam now accounts for anywhere from 64 percent to
83 percent of all e-mail traffic on the Internet. Just a year
ago, spam constituted only 45 percent of e-mail traffic.
Additionally, a Pew survey on ``Internet & American Life''
released this past March found that 77 percent of e-mail users
are receiving the same amount or more spam since the law was
passed. As a result, 30 percent of those surveyed have reduced
their use of e-mail, up from 25 percent last year who did the
same. The rising tide of spam is driving nearly a third of
consumers away from using e-mail, a result that could well
impact Internet usage and, consequently, the future financial
health of our telecommunications online retail and information
technology industries.
I am reminded of Commissioner Swindle's apparently
prophetic testimony before us last year when he said, ``I am
concerned that spam is about to kill the killer app of the
Internet, specifically consumer use of e-mail and e-commerce.
If consumers lose confidence in web-based services and turn
away, tremendous harm will be done to the economic potential of
information technology.''
Fraud and the decline of e-commerce are not our only
concerns with spam, because spam is used as a delivery
mechanism for pornography, viruses, and applications enabling
identity threat and the hijacking of consumers' computers for
malicious purposes. Every percentage increase in the volume of
spam in turn increases the risks and prevalence of cybercrime
as well as cybersecurity threats to our Nation's critical
infrastructure. I thank the FBI for appearing today to discuss
its efforts to combat these dangers.
I voted with other Senators to unanimously pass the CAN-
SPAM Act by a vote of 97 to zero last fall. I reminded my
colleagues, at the time, of my repeated statements that
legislation alone would not solve the problem of spam. But the
fact there is no silver bullet to spam does not mean we should
stand idly by and do nothing.
We should, at the very least, enforce the Act by the most
effective means possible. If spammers continue to win a
technological game of hide-and-seek with ISPs, the FTC, and the
FBI, then the law will have little effect at stopping spam. I
do not believe, however, that authorizing broad private rights
of action will improve enforcement efforts. If industry and
government authorities spending vast resources in this effort
can only muster enough evidence to bring a grand total of eight
spam cases over the past 5 months, then private rights of
action will produce little more than expenses for legitimate
businesses to fend off opportunistic trial lawyers. Spammers
will remain at large.
If the FTC can't find the spammers, it should do the next
best thing, go after the businesses that knowingly hire
spammers to promote their goods and services. The Act gives the
FTC the tools to do so in Section 6. The FTC should use them.
The businesses promoted by spammers take credit cards. They are
established businesses, and they are liable under the Act for
using falsified e-mail to promote their sites, even if what
they sell there is not fraudulent or otherwise illegal. At a
minimum, the FTC could put thousands of businesses, many of
them online pornography retailers, on notice that using
anonymous spam is an illegal means of driving consumer traffic
to their websites. Using its authority to get out this message,
the FTC could help dry up the market for the use of deceptive
spam as a marketing tool, and, thereby, reduce the amount sent
to consumers.
In the long run, though, I continue to believe that dynamic
market-based efforts have a far better chance at defeating the
ever-changing global technological maneuvers of spammers than
anything we can write into our static laws.
[The prepared statement of Senator McCain follows:]
Prepared Statement of Hon. John McCain, U.S. Senator from Arizona
Today, the Committee will examine the effectiveness of the CAN-SPAM
Act of 2003 at curtailing the proliferation of spam in America. Since
our review of this issue last May, the volume of spam received by
American consumers has risen unabatedly. Spam now accounts for anywhere
from 64 percent to 83 percent of all e-mail traffic on the Internet.
Just a year ago, spam constituted only 45 percent of e-mail traffic.
Additionally, a Pew survey on Internet & American Life released this
past March found that 77 percent of e-mail users are receiving the same
amount or more spam since the law was passed. As a result, 30 percent
of those surveyed have reduced their use of e-mail, up from 25 percent
last year who did the same. The rising tide of spam is driving nearly a
third of consumers away from using e-mail, a result that could well
impact Internet usage and, consequently, the future financial health of
our telecommunications, online retail, and information technology
industries.
I am reminded of Commissioner Swindle's apparently prophetic
testimony before us last year, when he said, ``I am concerned that spam
is about to kill the ``killer app'' of the Internet, specifically
consumer use of e-mail and e-commerce. If consumers lose confidence in
web-based services and turn away, tremendous harm will be done to the
economic potential of information technology.''
Fraud and the decline of e-commerce are not our only concerns with
spam. Because spam is used as a delivery mechanism for pornography,
viruses, and applications enabling identity theft and the hijacking of
consumers' computers for malicious purposes, every percentage increase
in the volume of spam in turn increases the risks and prevalence of
cybercrime, as well as cybersecurity threats to our Nation's critical
infrastructure. I thank the FBI for appearing today to discuss its
efforts to combat these dangers.
While I voted with other Senators to unanimously pass the CAN-SPAM
Act by a vote of 97-0 last fall, I remind my colleagues of my repeated
statements last year that legislation alone would not solve the problem
of spam. But the fact that there is no silver bullet to spam does not
mean we should stand idly by and do nothing.
We should, at the very least, enforce the Act by the most effective
means possible. If spammers continue to win a technological game of
hide-and-seek with ISPs, the FTC, and the FBI, then the law will have
little effect at stopping spam. I do not believe, however, that
authorizing broad private rights of action will improve enforcement
efforts. If industry and government authorities spending vast resources
in this effort can only muster enough evidence to bring a grand total
of 8 spam cases over the past 5 months, then private rights of action
will produce little more than expenses for legitimate businesses to
fend off opportunistic trial lawyers. Spammers will remain at large.
If the FTC can't find the spammers, it should do the next best
thing: go after the businesses that knowingly hire spammers to promote
their goods and services. The Act gives the FTC the tools to do so in
Section 6--the FTC should use them. The businesses promoted by spammers
take credit cards; they are established businesses; and they are liable
under the Act for using falsified e-mail to promote their sites, even
if what they sell there is not fraudulent or otherwise illegal. At a
minimum, the FTC could put thousands of businesses--many of them online
pornography retailers--on notice that using anonymous spam is an
illegal means of driving consumer traffic to their websites. Using its
authority to get out this message, the FTC could help dry up the market
for the use of deceptive spam as a marketing tool, and thereby reduce
the amount sent to consumers.
In the long run, though, I continue to believe that dynamic,
market-based efforts have a far better chance at defeating the ever-
changing, global technological maneuvers of spammers than anything we
can write into our static laws. I thank the witnesses for being here
today and look forward to their testimony.
The Chairman. I thank the witnesses for being here today,
and look forward to their testimony.
And I am pleased to be with the two major sponsors of this
Act, Senators Burns and Wyden, who are here today, and I'll go
to Senator Wyden.
STATEMENT OF HON. RON WYDEN,
U.S. SENATOR FROM OREGON
Senator Wyden. Thank you, Mr. Chairman. I think you've
given an excellent statement to summarize where we are, and I'd
just make a couple of points in addition.
What Senator Burns and I have contended for some time is,
this is just the beginning, this is just the start of the
effort to drain the swamp. And the challenge is to send the
strongest possible message to the kingpin spammers, that
relatively small number of people, maybe 500 people, who are
generating a significant part of the problem. In the past, they
have been able to flood America with this garbage and face no
consequences. So the challenge now is to come down on the
kingpin spammers with hobnail boots so that, for the first
time, they understand that when they try to have their way with
our computers and America's technology, that they are going to
face, for the first time, real penalties.
In addition to that, what we have got to continue to focus
on is the correct combination of the legal tools, which is what
the Burns-Wyden legislation tried to zero in on, technological
measures, and international cooperation. And there have been
some new developments with respect to the international
cooperation issue that I'm interested in exploring. Mr. Muris
and I have already touched on one. Apparently, there is a new
U.K.-based anti-spam company that has found that between 57 and
60 percent, and 57 and 67 percent, depending on the methodology
that's being used, that that analysis found that the majority
of spam, that large amount, originated within the United
States. If that analysis is right, it suggests that most of the
kingpin spammers are, indeed, subject to U.S. law and within
the reach of U.S. enforcement authorities. But with the right
combination of legal tools, technological measures, and
international cooperation, I think that there are the
possibilities of generating a new day, a day when these kingpin
spammers face real consequences, serious risks, and no longer
can enjoy an easy ticket to a free lunch.
It is very helpful that you're holding this hearing, Mr.
Chairman, in order to be able to keep the heat on, and I look
forward to working with you and Senator Burns and Senator
Nelson, who's had a longstanding interest in this and added
some valuable components to our legislation. I'm glad we're
continuing this.
The Chairman. Senator Burns?
Thank you. Senator Wyden.
STATEMENT OF HON. CONRAD BURNS,
U.S. SENATOR FROM MONTANA
Senator Burns. Mr. Chairman, thank you for these hearings,
and I'll put my statement in the record, in the essence of
time, because we got----
The Chairman. Without objection.
Senator Burns.--pushed back a little bit.
But I'd like to make a couple of points here this morning.
You know, this Act has been in effect 141 days. And with all
the activity--the civil actions brought by the big ISPs, is one
of them--and then, in Detroit, whenever the U.S. Attorney's
Office in Detroit and the U.S. Postal Inspection Service went
through their joint effort of cracking down on some unlawful
spammers there, that was--and as long as these headlines hit
the newspapers, as long as we keep taking these people out, it
makes them a little more expensive to operate, we will finally
get to the bottom of all of this.
And so I think it has been effective, and it is a giant
first step. We didn't have this before. And as the law matures,
as we look at different actions that are being taken, both by
the states' attorney generals and the United States Attorney
General, and also it empowers the users of computers to also
file suits and to get into the Act and take care of part of
this, we will see what works and what doesn't work. And
maturity actually will tell us what we have to do in the
future. It will not be testimony, I think, or changing the law
at the present time.
But I still think CAN-SPAM will play a strong role in
reducing the amount of spam. I know mine's going down a little
bit, but not much. But I just--I'm a great guy on that delete
key.
But we said that this is not the law, the end-all of
spamming, because it's elusive and it's hard to identify, and
it's hard to get to the perpetrators. But today's--we should
learn some more with today's witnesses, and I look forward to
hearing from them.
And thank you, Mr. Chairman, for having this hearing.
[The prepared statement of Senator Burns follows:]
Prepared Statement of Hon. Conrad Burns, U.S. Senator from Montana
Mr. Chairman, thank you for holding today's hearing on the
implementation of the CAN-SPAM Act.
The proliferation of junk e-mail, or ``spam'' has been the scourge
of the digital age. Billions of e-mail messages per day, more than half
of e-mail traffic, are spam. Spam costs consumers and businesses an
estimated $10 billion per year due to expenses of anti-spam equipment,
manpower, and loss of productivity.
The high cost of spam and the frustration that has been felt by
businesses and individuals over the past few years are what prompted my
colleague, Senator Wyden, and I to author the CAN-SPAM Act, which was
signed into law by the President late last year and went into effect on
January 1. The CAN-SPAM Act has empowered consumers and given the
Federal Trade Commission and the Department of Justice the tools that
are necessary to curb the deluge of spam. Internet Service Providers
are also given strong tools to go after illegal kingpin spammers under
the Act. While it will still take time before the full effects of the
law are known, I would like to highlight the positive action that has
taken place since the law went into effect.
Three weeks ago the FTC filed criminal complaints against four
Detroit-area men accused of creating massive e-mail chains marketing
fraudulent weight loss products. Through the combination of old and new
investigative techniques, the authorities were able to gather enough
evidence to bring charges against four individuals. All the suspects
were surprised by the arrests, and one man in particular was described
by his lawyer as being ``absolutely shocked.''
Kingpin spammers should be shocked no longer that they must pay for
their actions. As more and more of these arrests occur and the word
gets out that illegal spamming can lead to massive financial and
criminal penalties, a significant deterrent effect will take place.
Already, some of the Nation's worst spammers have indicated that
because of the CAN-SPAM Act, they are looking for new lines of work. I
applaud the U.S. Attorney's Office in Detroit and the U.S. Postal
Inspection Service for their joint effort in cracking down on unlawful
spammers.
I would also like to highlight the civil lawsuits that were brought
against hundreds of spammers in March by America Online, EarthLink,
Microsoft and Yahoo. I am pleased that these companies were so quick to
use the provisions in the CAN-SPAM Act that allowed businesses to fight
back against spammers. I look forward to following these cases as they
play out in court.
The CAN-SPAM Act has been effective for a mere 141 days. In these
short few months, consumers, the Federal Trade Commission, the
Department of Justice, Internet Service Providers, and many others have
had to digest the new law and learn how to best utilize it to fight the
seemingly endless battle against spam. I am pleased that in this time,
the FTC, DOJ and others have begun to use the new law to tackle some of
the most vicious kingpin spammers. As time passes, I am confident that
CAN-SPAM will play a strong role in reducing the amount of spam that
Americans are forced to deal with on a daily basis.
The CAN-SPAM Act alone, however, is not the sole solution to
unsolicited e-mails. Technology has an important role to play in
cutting down on the spam that reaches an individual's inbox. I look
forward to hearing about the new anti-spam initiatives that companies
are developing to help block unwanted messages.
The CAN-SPAM Act is a valuable piece of legislation that provides
consumers, business and the government with the tools necessary to
fight spam. But the Act is only as good as the enforcement of the law.
Successful enforcement of CAN-SPAM along with new technological
advances will bring about the reduction in spam that so many Americans
need and deserve. Thank you, Mr. Chairman.
The Chairman. Senator Nelson?
STATEMENT OF HON. BILL NELSON,
U.S. SENATOR FROM FLORIDA
Senator Nelson. Thank you, Mr. Chairman. And my compliments
again to the leadership of these three gentlemen seated here at
the dais with me for bringing into public policy something that
the American people are so upset about. Thank you for doing all
that you've done.
Thank you for letting me participate in the process, of
which the Sentencing Commission still is working on their final
recommendation, which will be coming in a few months, with
regard to higher criminal penalties. And hopefully that will
just, all the more, make this legislation effective.
And although we've had some mixed results, clearly there
have been some very positive developments. And in the course of
this hearing, what I would like is--as the FTC speaks to us,
it's my understanding that half of the staff members of the
Bureau of Consumer Protection currently are working on CAN-SPAM
issues. And I understand that the staff in the regional
offices, a good portion of that staff, is working on these
issues. And I'm hopeful that these staff resources are adequate
to enforce this Act, and, if not, would like to know if you
need more resources.
I want to applaud the FBI, as well, the attention that they
have given to fighting spam. A lot of this spam originates
outside the United States, but it's sent to our folks here. And
so I'd like to know to what extent is the FBI able to partner
with its foreign counterparts in order to reduce spam? And what
do we do through such international crime organizations such as
Interpol? And to what degree have you found that spammers are
designing new technical methods to evade law enforcement? And
is the FBI able to keep up with the technological advances made
by spammers? And if the Sentencing Commission comes out with
stronger recommendation on sentences, will that help you in the
law enforcement community?
Thank you, Mr. Chairman.
The Chairman. Thank you.
We'd like to welcome our witnesses: Mr. Timothy Muris, who
is the Chairman of the Federal Trade Commission; and Mrs. Jana
D. Monroe, Assistant Director, Cyber Division, at the FBI.
Before we take your testimony--accompanied by Mr. Larkin,
for the record--is Mr. Larkin accompanying you, Ms. Monroe?
Ms. Monroe. Yes.
The Chairman. Would you identify his position, please?
Ms. Monroe. He is the Unit Chief with our Internet Crime
Complaint Center.
The Chairman. Thank you.
And before we proceed, Mr. Muris, I don't think this will
be the last time you testify before our Committee, because you
will remain a valuable asset and a source of information and
assistance to this Committee for many years, but this may be
the last time as Chairman of the Federal Trade Commission--I
hope not, but likely it may be--and I want to take this
opportunity to thank you for your outstanding service, your
honorable work, and your efforts on a broad variety of very
important issues to the American people. And I think you can
take great pride in the bipartisan support that you have
received and the way you have performed your duties, and we
thank you for that, and we wish you good luck in your future
endeavors.
Mr. Muris?
STATEMENT OF HON. TIMOTHY MURIS, CHAIRMAN,
FEDERAL TRADE COMMISSION
Chairman Muris. Thank you very much for those very kind
words, Mr. Chairman. I greatly appreciate your support and
leadership regarding the Federal Trade Commission; indeed, the
support of the whole Committee. I do understand, from the
newspapers, I actually may be staying a little longer, so I am
certainly willing to do that, and am always available to
testify. And I wanted to thank you for this chance to discuss
spam, and thank you and the Committee's leadership on these
issues.
Spam obviously creates problems well beyond the aggravation
that it causes. The problems include fraud and deception, the
offensive content, the sheer volume, the security issues that
are involved when spam includes spyware or viruses. Combating
spam has been one of our top priorities. We have over 50 staff
members working on CAN-SPAM. It's half of our largest unit
within the Bureau of Consumer Protection that's working on this
issue.
We've pursued a threefold strategy. First is a vigorous
program of law enforcement against spammers, both before and
since the enactment of CAN-SPAM. Second, we engage in extensive
education to consumers and businesses. And, third, we study
spam extensively, because there's a great lack of reliable
information about spam.
We've brought 62 law enforcement actions against alleged
fraudulent operations against spam, the vast majority of those
in the last few years, since we've--under my chairmanship and
the growing problem of spam. Most of these cases obviously
predate CAN-SPAM. And we use Section 5 of our statute, which
prohibits unfair or deceptive acts or practices.
Our two most recent cases, Phoenix Avatar and Global Web
Promotions, were filed last month, that involved extremely
prolific amounts of spam. We allege three violations of Section
5(a) of the CAN-SPAM Act, specifically that the defendants
failed to provide a clear and conspicuous notice of the
opportunity to opt out, they failed to disclose a valid
physical postal address, and they used materially false or
misleading header information. This last practice, known as
``spoofing,'' the spammers place the e-mail address or domain
names of unsuspecting third parties. The complaints also allege
violations of the Federal Trade Commission Act.
In Phoenix Avatar, we obtained a PI, preliminary
injunction, against the corporations, and a temporary
restraining order against the four principals. This stopped
further deceptive product sales, froze their assets, and
preserved their records. We worked closely with criminal
authorities, and the U.S. Attorney in Detroit filed a criminal
complaint, executed a criminal search warrant, and arrested the
four principals.
Global Web Promotions targets an Australian company and two
individuals living in New Zealand who were allegedly
responsible for massive amounts of spam to this country. They
used the spam to advertise a diet patch similar to the one in
Phoenix Avatar, as well as a growth hormone which purportedly
would extend your current biological age. Because they used
fulfillment houses in the United States to ship their products,
we obtained a PI to enjoin further delivery of those products,
and froze their assets that were located here.
Besides enforcement under CAN-SPAM, we've been working hard
to complete the rulemakings and reports that are required. On
April 13, we issued a final rule with a marker notice to
identify spam-containing sexually-oriented material. Effective
yesterday, all such messages have to include the warning
``sexually explicit'' in the subject line, and the rule
prohibits sexually explicit material in the subject line or in
the part of the message that recipients initially view. And
we've already begun searching for enforcement targets.
In March, we issued an advance notice of proposed
rulemaking to define the relevant criteria for determining the
primary purpose of e-mails subject to CAN-SPAM's provisions. At
the same time, we've requested comment on other issues that
gave us--for which the statute gave us discretionary rulemaking
authority.
We've received over 12,000 comments, and our staff is
incorporating the suggestions and recommendations for these
comments into the proposed notice of--notice of proposed
rulemakings, which they will forward to the Commission for its
review.
The Commission is also preparing several reports under CAN-
SPAM, and the March ANPR solicited comments on them,
particularly a plan and timetable for establishing a National
Do Not E-Mail Registry, and an explanation of any--under the
statute, any practical technical security, privacy,
enforceability, or other concerns about such a registry. We
will meet the June 16 deadline, and will obviously be available
at your will, Mr. Chairman, to discuss that issue privately or
publicly.
We've also engaged in a lot of other endeavors to
supplement our knowledge regarding that in our other reports.
We've transcribed interviews of dozens--with dozens of
interested organizations. We've used compulsory process to
several ISPs and other entities. And we've issued a Request for
Information from vendors for creating a Do Not E-Mail Registry.
We've retained expert consultants. We're also gathering
information for other reports.
To conclude, e-mail clearly provides enormous benefits. I
think your quotation from my colleague, Commissioner Swindle,
was completely on point. The increasing volume of spam, coupled
with the use of spam to perpetuate fraud and benefits had put
the benefits of e-mail at serious risk, and we will continue
our law enforcement education and research efforts to protect
consumers and businesses.
Thank you.
[The prepared statement of Chairman Muris follows:]
Prepared Statement of Hon. Timothy Muris, Chairman,
Federal Trade Commission
Mr. Chairman, the Federal Trade Commission appreciates this
opportunity to provide information to the Committee on the agency's
efforts to address the problems that result from unsolicited commercial
e-mail (``spam''), its activities undertaken to date to fulfill the
various mandates contained in the Controlling the Assault of Non-
Solicited Pornography and Marketing Act of 2003 (``CAN-SPAM'' or the
``Act''), and its efforts to enforce the Act's substantive
provisions.\1\
---------------------------------------------------------------------------
\1\ The views expressed in this statement represent the views of
the Commission. My oral statements and responses to any questions you
may have represent my own views, and not necessarily the views of the
Commission or any other Commissioner.
---------------------------------------------------------------------------
Spam creates problems well beyond the aggravation it causes to the
public. These problems include the fraudulent and deceptive content of
a large percentage of spam messages, the offensive content of many spam
messages, the sheer volume of spam being sent across the Internet, and
the security issues raised when spam is used to disrupt service or to
send spyware or viruses carrying malicious code.
The Commission has pursued a three-fold strategy to combat the
plague of spam. First, it has pursued a vigorous program of law
enforcement against spammers, both before the enactment of CAN-SPAM and
since it became effective on January 1, 2004. Second, we have an
extensive education program to alert consumers and businesses about
self-help measures they can take against spam. Third, we have studied
the problem of spam to inform our enforcement and consumer education
efforts, and to remedy the paucity of reliable data about spam.
Law Enforcement
The Commission has brought 62 law enforcement actions in recent
years against alleged fraudulent operations using spam as an integral
component of their scams. Most of these cases predate CAN-SPAM, and
were brought under Section 5 of the FTC Act.\2\ Two of our most recent
spam cases, filed in Federal district court in April, target extremely
prolific spammers and allege violations of both CAN-SPAM and the FTC
Act.\3\
---------------------------------------------------------------------------
\2\ 15 U.S.C. Sec. 45. The Federal Trade Commission Act prohibits
unfair methods of competition and unfair or deceptive acts or practices
in or affecting commerce. See 15 U.S.C. Sec. 41 et seq. The Commission
has limited or no jurisdiction over specified types of entities and
activities. These include banks, savings associations, and Federal
credit unions; regulated common carriers; air carriers; non-retail
sales of livestock and meat products under the Packers and Stockyards
Act; nonprofit corporations; and the business of insurance. See, e.g.,
15 U.S.C. Sec. Sec. 44, 45, 46 (FTC Act); 15 U.S.C. Sec. 21 (Clayton
Act); 7 U.S.C. Sec. 227 (Packers and Stockyards Act); 15 U.S.C.
Sec. Sec. 1011 et seq. (McCarran-Ferguson Act).
\3\ See .
---------------------------------------------------------------------------
The Commission's complaint in the first of these cases, FTC v.
Phoenix Avatar, LLC, et al.,\4\ alleges that the Defendants used
materially false or misleading header information in their e-mail
messages, in violation of Section 5(a)(1) of the CAN-SPAM Act;
specifically, the Defendants placed the e-mail addresses or domain
names of unsuspecting third parties in the ``reply-to'' and/or ``from''
fields of their spam (a practice known as ``spoofing''). The complaint
also alleges that the Defendants failed to provide the disclosures
required by Sections 5(a)(5)(A)(ii) and (iii) of the Act, including the
required notice of an opportunity to decline to receive further
commercial e-mail from the sender. Further, the complaint alleges that
the Defendants made false and unsubstantiated claims about diet patches
marketed in part through the e-mail messages, in violation of Section 5
of the FTC Act. The Commission has obtained a temporary restraining
order that, among other things, stops further deceptive product sales,
freezes the Defendants' assets, and preserves their records.
---------------------------------------------------------------------------
\4\ Case No. 04C 2897 (N.D. Ill. filed Apr. 23, 2004).
---------------------------------------------------------------------------
In investigating and filing this matter, the Commission worked
closely with the U.S. Attorney for the Eastern District of Michigan and
the Detroit Office of the Postal Inspection Service, who are pursuing a
concurrent criminal prosecution of the principals of this scheme. The
U.S. Attorney filed a criminal complaint, executed a criminal search
warrant, and arrested four principals.\5\ The principals have been
charged with violations of the Federal mail fraud laws as well as with
criminal violations of the CAN-SPAM Act.
---------------------------------------------------------------------------
\5\ The caption and case number for the criminal complaint are:
United States v. Daniel J. Lin, James J. Lin, Chris Chung, and Mark M.
Sadek, Case No. 04-80383 (E.D. Mich.).
---------------------------------------------------------------------------
The second case, FTC v. Global Web Promotions Pty Ltd.,\6\ targets
an Australian company that the FTC alleges is responsible for massive
amounts of spam sent to consumers in the United States. According to
the complaint, the Defendants used spam to advertise a diet patch
similar to the one in Phoenix Avatar, as well as purported human growth
hormone products ``HGH'' and ``Natural HGH'' that Defendants claimed
could, among other things, ``maintain [a user's] appearance and current
biological age for the next 10 to 20 years.'' The Defendants sold the
diet patch for $80.90 and the HGH products for $74.95. The FTC alleged
that these claims are false and unsubstantiated, and therefore
deceptive in violation of Section 5 of the FTC Act.
---------------------------------------------------------------------------
\6\ Case No. 04C 3022 (N.D. Ill. filed Apr. 28, 2004)
---------------------------------------------------------------------------
The complaint alleges that the Defendants also used materially
false or misleading header information of unsuspecting third parties
(spoofing), in violation of Section 5(a)(1) of the CAN-SPAM Act, and
failed to include required disclosures in their e-mail messages,
including disclosure of an opportunity not to receive further e-mail,
in violation of Sections 5(A)(5)(a)(ii) and (iii) of CAN-SPAM. Because
the Defendants shipped their products using fulfillment houses in the
United States, the Commission has obtained a preliminary injunction
that, among other things, will enjoin the fulfillment houses from
further delivery of the Defendants' deceptively-marketed products. In
investigating this case, the Commission received invaluable assistance
from the Australian Competition and Consumer Commission and the New
Zealand Commerce Commission.
The CAN-SPAM cases the Commission is currently pursuing follow an
extended Commission effort to target spam under Section 5 of the FTC
Act. One aspect of this effort has been the Commission's two-year
Netforce law enforcement partnership with other Federal and state
agencies, which has targeted deceptive spam. This partnership includes
the Department of Justice, FBI, Postal Inspection Service, Securities
and Exchange Commission, and Commodities Futures Trading Commission, as
well as state Attorneys General, and local enforcement officials. In
four regional law enforcement sweeps, the most recent announced in May
2003, the Netforce partners filed more than 150 criminal and civil
cases against allegedly deceptive spam and other Internet fraud.\7\ In
one recent sweep case, for example, the Commission obtained a permanent
spam ban against defendants who allegedly used deceptive ``From'' lines
in their spam to claim affiliation with Hotmail and MSN in touting a
fraudulent work-at-home envelope-stuffing scheme.\8\
---------------------------------------------------------------------------
\7\ More information about the Netforce law enforcement sweeps is
available on the FTC's website: (Northwest Netforce); (Midwest Netforce); (Northeast Netforce); and (Southwest Netforce).
\8\ FTC v. Patrick Cella, et al., No. CV-03-3202, (C.D. Cal.
entered Nov. 21, 2003). See ; .
---------------------------------------------------------------------------
The Commission remains committed to aggressive pursuit of spammers
who violate Section 5 of the FTC Act and the CAN-SPAM Act, and we
remain committed to working with our law enforcement partners to find
and take action against spammers.
Consumer and Business Education
The Commission's educational efforts include a spam home page with
links to 15 pamphlets for consumers and businesses, including one in
Spanish, and summaries of our partnership enforcement efforts to halt
deceptive spam.\9\ One of the most important business education efforts
was ``Operation Secure Your Server,'' announced on January 29, 2004.
Through this initiative, the Commission partnered with 36 agencies in
26 countries to highlight the problem of ``open proxies'' \10\ on
third-party servers that spammers use to hide the true source of their
spam.\11\ This project was an outgrowth of last year's ``Open Relay
Project,'' in which 50 law enforcers from 17 agencies identified 1,000
potential open relays.\12\ The agencies sent a letter, signed by 14
different U.S. and international agencies and translated into 11
languages, urging the organizations with these open relays to close
them and explaining how to do so.
---------------------------------------------------------------------------
\9\ The home page is located at .
\10\ Most organizations have multiple computers on their networks,
but have a smaller number of ``proxy'' servers--the only machines on
the network that directly interact with the Internet. This system
provides more efficient web browsing for the users within that
organization and secures the organization's network against
unauthorized Internet users from outside the organization. If the proxy
is not configured properly, it is considered to be ``open,'' and may
allow an unauthorized Internet user to connect through it to other
hosts (computers that control communications in a network or administer
databases) on the Internet. In this way, open proxies provide one of
several methods that spammers use to hide their identities.
\11\ The press release can be found at . Tens of thousands of owners or operators of
potentially open relay or open proxy servers around the world received
the Operation Secure Your Server business education letter.
\12\ An open relay is an e-mail server that is configured to accept
and transfer e-mail on behalf of any user anywhere, including unrelated
third parties, which allows spammers to route their e-mail through
servers of other organizations, disguising the origin of the e-mail. By
contrast, a ``secure'' server accepts and transfers mail only on behalf
of authorized users. See FTC Facts for Business, Open Relays--Close the
Door on Spam (May 2003), available at .
---------------------------------------------------------------------------
Studies and Workshops
Everybody receives spam, but there is little known about it.
Reliable information about spam is extremely limited, although there is
much ``spam lore'' that has little if any basis in fact. For example,
some sources in Europe claim that the vast majority of spam originates
in the United States.\13\ Similarly, some sources in the U.S. opine
that most spam in Americans' in-boxes arrives from Asia, South America,
or Eastern Europe.\14\ In fact, nearly all spam is virtually
untraceable, either because it contains falsified routing information
or because it comes through open proxies or open relays.\15\ Moreover,
``spoofing'' and ``forging'' \16\ of an e-mail message's ``from'' line
and header information are common spammer stratagems.\17\ Even with
incredibly painstaking, expensive, and time-consuming investigation, it
is often impossible to determine where spam originates. Spammers are
extremely adroit at concealing the paths that their messages travel to
get to recipients' in-boxes. Typically, the most that can be
ascertained with certainty is the last computer through which the spam
traversed immediately before arriving at its final destination. To
frustrate law enforcers, clever spammers may arrange for this
penultimate computer to be outside the country where the spam's
ultimate recipient is located.
---------------------------------------------------------------------------
\13\ See .
\14\ In fact, some sources estimate that anywhere from 30-80
percent of spam is routed through open relays and open proxies, and
many of these machines are scattered throughout the world. See ;
.
\15\ In testimony presented to this Committee last year, Brightmail
estimated that 90 percent of the e-mail that it analyzed was
untraceable. . At the FTC's May 2003 Spam Forum two
panelists representing ISPs estimated that 40 percent to 50 percent of
the e-mail they analyzed coming to or through their networks made use
of open relays or open proxies, making it virtually impossible to
trace. FTC Spam Forum transcript, Day 1, Open Relay, Open Proxies, and
Formmail Scripts Panel, pp. 257, 274, available at .
\16\ ``Spoofing'' and ``forging'' involve manipulating an e-mail's
``from'' line or header information to make it appear as if the message
were coming from an e-mail address from which it did not actually
originate.
\17\ At the FTC Spam Forum, Margot Koschier from AOL conducted a
live demonstration of how to forge header information. In several
minutes, she was able to send a message that appeared to come from FTC
Chairman Tim Muris in the year 2024. Other Spam Forum panelists also
discussed the prevalence of false ``sender'' information in spam. For
example, an MCI representative stated that 60 percent of the spam
complaints received at MCI have false headers, false e-mail addresses,
deceptive subject lines, or a combination of all three. See FTC Spam
Forum transcript, Day 1, Falsity in Spam Panel, available at .
---------------------------------------------------------------------------
Another example of ``spam lore'' is the notion that a handful of
``kingpin'' spammers are responsible for the vast majority of spam.
This may or may not be true, but nobody knows for sure. The Commission
recently used its compulsory process authority under Section 6(b) of
the FTC Act to require the production of information on an exhaustive
list of spam topics from various ISPs and other entities. The Section
6(b) specifications included items focusing on the ``kingpin'' theory.
These requests yielded wildly varying estimates, ranging from the
familiar ``200 spammers'' figure to ``thousands'' of individuals
responsible for the majority of spam.\18\ In fact, the low barriers to
entry suggest that many individuals, and not just a handful, may engage
in spamming and contribute significantly to the volume of spam
traversing the Internet.\19\
---------------------------------------------------------------------------
\18\ This uncertainty is reflected, for example, in six lawsuits
jointly announced by several ISPs on March 10, 2004. They sued nine
individuals, and over 200 unknown ``John Does.'' See Joint press
release of AOL, Earthlink, Microsoft, and Yahoo!, available at . Similarly, in
60 separate FTC cases targeting schemes that used spam as an integral
part of the scam, no two cases had the same spammer.
\19\ See remarks of Laura Betterly at the FTC Spam Forum. Betterly
stated that she paid $15,000 for her e-mail business and broke even
within 3 months. FTC Spam Forum transcript, Day 2, Economics of Spam
Panel, pp. 28-29, available at .
---------------------------------------------------------------------------
The prevalence of ``spam lore'' of questionable validity and the
corresponding paucity of reliable data on spam has prompted the FTC's
staff to perform research on the issue. In one of the first of these
efforts, the Commission's staff, working with a partnership of law
enforcement officials in several states and Canada,\20\ conducted a
``Remove Me'' surf in 2002 to test whether spammers were honoring
``remove me'' or ``unsubscribe'' options in spam. From e-mail that the
partnership had forwarded to the FTC's spam database, the Commission's
staff selected more than 200 messages that purported to allow
recipients to remove their names from a spam list. To test these
``remove me'' options, the partnership set up unique e-mail accounts
that had never been used before and submitted ``remove me'' requests
from these accounts. The staff found that 63 percent of the removal
links and addresses in the sample did not function. If a return address
does not work to receive return messages, it is unlikely that it could
be used to collect valid e-mail addresses for use in future spamming.
In no instance did we find that any of our unique e-mail accounts
received more spam after attempting to unsubscribe. This finding is
inconsistent with the common belief that attempting to unsubscribe
guarantees that consumers will receive more spam.
---------------------------------------------------------------------------
\20\ The ``Remove Me'' surf was conducted as part of the Northwest
Netforce, an enforcement sweep in which the FTC was joined by the
Alaska Attorney General, the Alaska State Troopers, Government Services
of the Province of Alberta, the British Columbia Securities Commission,
the British Columbia Solicitor General, the Canadian Competition
Bureau, the Idaho Attorney General, the Montana Department of
Administration, the Oregon Department of Justice, the Washington
Attorney General, the Washington State Department of Financial
Institutions, and the Wyoming Attorney General. See .
---------------------------------------------------------------------------
Another study in 2002, the ``Spam Harvest,'' examined what online
activities place consumers at risk for receiving spam.\21\ We
discovered that all of the e-mail addresses that we posted in chat
rooms received spam. In fact, one address received spam only eight
minutes after the address was posted. Eighty-six percent of the e-mail
addresses posted in newsgroups and Web pages received spam, as did 50
percent of addresses in free personal Web page services, 27 percent in
message board postings, and 9 percent in e-mail service directories.
The ``Spam Harvest'' also found that the type of spam received was not
related to the sites where the e-mail addresses were posted. For
example, e-mail addresses posted to children's newsgroups received a
large amount of adult-content and work-at-home spam.
---------------------------------------------------------------------------
\21\ The``Spam Harvest'' was conducted as part of the Northeast
Netforce, an enforcement sweep in which the FTC was joined by the
Connecticut Attorney General, the Maine Attorney General, the
Massachusetts Attorney General, the New Hampshire Department of
Justice, the New Jersey Division of Consumer Affairs, the New York City
Department of Consumer Affairs, the New York State Attorney General,
the New York State Consumer Protection Board, the Rhode Island Attorney
General, the United States Attorney for the District of Massachusetts,
the United States Postal Inspection Service, and the Vermont Attorney
General. See .
---------------------------------------------------------------------------
A third study focused on false claims in spam by analyzing a sample
of 1,000 messages drawn from three sources.\22\ The Commission staff
issued a report on April 30, 2003, explaining that two-thirds of the
sample contained indicia of falsity in the ``from'' lines, ``subject''
lines, or message text,\23\ and that in a smaller random sample of 114
pieces of spam taken from the same set of data, only one came from an
established business in the Fortune 1000.\24\ This study, the first
extensive review ever conducted of the likely truth or falsity of
representations in spam, underscores both the potential harm to
consumers from spam and spammers' willingness to ignore the law.
---------------------------------------------------------------------------
\22\ The study's sources were the FTC's database of millions of
spam forwarded to the Commission by consumers, messages received in the
``Spam Harvest,'' and messages delivered to FTC employees' e-mail
accounts.
\23\ False Claims in Spam: A Report by the FTC's Division of
Marketing Practices (April 30, 2003), available at .
\24\ None of the spam in this sample was sent by a Fortune 500
company. The sample provides 95 percent confidence that less than 5
percent of the 11.6 million pieces of spam then in the FTC's database
of spam forwarded by consumers came from a Fortune 1000 company, and a
95 percent confidence that less than 3 percent of the e-mail in our
database was sent by or on behalf of a Fortune 500 company. The
database now contains approximately 100 million messages.
---------------------------------------------------------------------------
One of the most important projects in our ongoing effort to study
and understand the phenomenon of spam and its impact on the Internet
and the economy at large was the Spam Forum, a three-day public forum
from April 30 to May 2, 2003. This Forum provided a wide-ranging public
examination of spam from all viewpoints.
The Spam Forum was organized into twelve panel discussions covering
the mechanics of spam, the economics of spam, and potential ways to
address the problem of spam.\25\ Panelists at the Forum brought forward
an enormous amount of information about spam and how it affects
consumers and businesses. Several primary themes emerged from the
various panels. First, there was much discussion about the increasing
amount of spam. Second, spam imposes real costs. The panelists offered
concrete information about the costs of spam to businesses and to ISPs.
Specifically, ISPs reported that costs to address spam increased
dramatically in the two years immediately preceding the forum. ISPs
bear the cost of maintaining servers and bandwidth necessary to channel
the flood of spam, even that part of the flood that is filtered out
before reaching recipients' mail boxes. At the Forum, America Online
reported that it blocked an astonishing 2.37 billion pieces of spam in
a single day.\26\ Third, spam is an international problem. The panel
discussing open proxies and open relays and the international panel
described spam's cross-border evolution and impact. Most panelists
agreed that any solution will have to involve an international effort.
---------------------------------------------------------------------------
\25\ In addition to the 87 panelists who participated,
approximately 400 people were present each day in the audience at the
FTC Conference Center, with many more individuals participating via a
video link or teleconference. Questions for the panelists were accepted
from the audience and via a special e-mail address from those attending
through video link or teleconferencing.
\26\ FTC Spam Forum transcript, Day 1, Introduction to Spam Panel,
p. 39, available at .
---------------------------------------------------------------------------
The Commission convened this event for two principal reasons.
First, as noted above, spam is frequently discussed, but facts about
how it works, its origins, and what incentives drive it are elusive.
The Commission anticipated that the Forum would generate an exchange of
useful information about spam to help inform the public policy debate.
Second, the Commission sought to act as a potential catalyst for
solutions to the spam problem. Through the Forum, the Commission
brought together representatives from as many sides of the issue as
possible to explore and encourage progress toward possible solutions to
the detrimental effects of spam.
The Commission believes that the Forum advanced both goals. The
panelists contributed valuable information from various viewpoints to
the public record. In addition, the Forum spurred both cooperation and
action among a number of participants. Most notably, on the eve of the
Forum, industry leaders Microsoft, America Online, Earthlink, and
Yahoo! announced a collaborative effort to stop spam. This promising
effort continues today with participation from additional industry
leaders.\27\ Moreover, several potential technological solutions to
spam were announced either at or in anticipation of the Forum. The
Commission intends to foster this dialogue, and, when possible, to
encourage other similar positive steps on the part of industry. We
believe that the Forum contributed significantly to the ongoing effort
on the part of industry, consumers, and government to learn how to
control spam.
---------------------------------------------------------------------------
\27\ See, e.g., ``ISPs Sue Spammers,'' Article dated March 12,
2004, reporting on CAN-SPAM cases brought by four ISPs, available at
.
---------------------------------------------------------------------------
Efforts Since CAN-SPAM Went Into Effect
To provide additional tools to fight spam, Congress enacted the
CAN-SPAM Act on December 16, 2003.\28\ The Act took effect on January
1, 2004, and the Commission immediately sought to enforce the Act, to
meet the aggressive deadlines it set for the completion of several
rulemakings and reports, and to develop national and international
partnerships to help combat deceptive spam. The Commission filed its
first two CAN-SPAM cases within four months of the Act's effective
date. As mentioned earlier, combating spam has been one of the
Commission's top priorities for several years, and currently half of
the staff members in the Bureau of Consumer Protection's largest
enforcement division work on CAN-SPAM issues, as do staff in all of the
Commission's regional offices and additional lawyers, investigators,
and technologists throughout the FTC.
---------------------------------------------------------------------------
\28\ Pub. L. 108-187 (codified at 15 U.S.C. Sec. 7701 et seq.).
---------------------------------------------------------------------------
Moreover, to facilitate enforcement by other law enforcement
agencies, we have consulted with our partners at the Department of
Justice and have organized a task force with state officials to bring
cases. The Task Force is co-sponsored by the FTC and the Attorney
General of Washington, and is comprised of 136 members representing 36
states, several units within the Department of Justice, and the
FTC.\29\ The FTC staff so far has conducted two training sessions on
investigative techniques for the Task Force, each of which was attended
by approximately 100 individuals representing about 35 different
states. The Task Force conducts monthly conference calls to share
information on spam trends, technologies, investigative techniques,
targets, and cases.
---------------------------------------------------------------------------
\29\ The Commission continues to try to recruit representatives
from the remaining states.
---------------------------------------------------------------------------
The Commission is also on target to complete the rulemakings and
reports required by CAN-SPAM. On January 28, 2004, the Commission
issued a Notice of Proposed Rulemaking for a mark or notice that will
identify spam containing sexually oriented material.\30\ The Commission
received 89 comments in response.\31\ We issued a final rule in advance
of the statutory deadline of April 14.\32\ Effective May 19, the rule
requires all messages containing sexually oriented material to include
the warning ``SEXUALLY-EXPLICIT: '' in the subject line. This rule also
prohibits these messages from presenting any sexually explicit material
in the subject line or in the portion of the message initially viewable
by recipients when the message is opened.
---------------------------------------------------------------------------
\30\ 69 Fed. Reg. 4263 (Jan. 29, 2004). Section 5(d)(3) of CAN-SPAM
requires that ``[n]ot later than 120 days after the date of the
enactment of this Act, the [Federal Trade] Commission in consultation
with the Attorney General shall prescribe clearly identifiable marks or
notices to be included in or associated with commercial electronic mail
that contains sexually oriented material, in order to inform the
recipient of that fact and to facilitate filtering of such electronic
mail. The Commission shall publish in the Federal Register and provide
notice to the public of the marks or notices prescribed under this
paragraph.'' (codified at 15 U.S.C. Sec. 7704(d)(3)). Under CAN-SPAM,
the term ``sexually oriented material'' is ``any material that depicts
sexually explicit conduct (as that term is defined in Sec. 2256 of
title 18, United States Code), unless the depiction constitutes a small
and insignificant part of the whole, the remainder of which is not
primarily devoted to sexual matters.'' See 15 U.S.C. Sec. 7704(d)(4).
18 U.S.C.Sec. 2256, in turn, provides that ``sexually explicit conduct
means actual or simulated (A) sexual intercourse, including genital-
genital, oral-genital, anal-genital, or oral-anal, whether between
persons of the same or opposite sex; (B) bestiality; (C) masturbation;
(D) sadistic or masochistic abuse; or (E) lascivious exhibition of the
genitals or pubic area of any person.''
\31\ Available at .
\32\ See .
---------------------------------------------------------------------------
In addition, on March 11, 2004, the Commission issued an Advance
Notice of Proposed Rulemaking (``ANPR'') to define the relevant
criteria to be used in determining ``the primary purpose'' of a
commercial electronic mail message subject to CAN-SPAM's
provisions.\33\ The ANPR requested comment on this issue, as well as a
number of other issues for which CAN-SPAM has provided the Commission
discretionary rulemaking authority, such as modifying the definition of
``transactional'' e-mail messages;\34\ changing the 10-business-day
statutory deadline for e-mailers to comply with consumers' opt-out
requests;\35\ and implementing other CAN-SPAM provisions.\36\ The
Commission received over 12,000 comments in response.\37\ Commission
staff is incorporating suggestions and recommendations from these
comments into its Notice of Proposed Rulemaking.
---------------------------------------------------------------------------
\33\ Pub. L. 108-187, Sec. 3(2)(A) (codified at 15 U.S.C.
Sec. 7702(2)(A)). The rulemaking is required by Sec. 3(2)(C) (codified
at 15 U.S.C. Sec. 7702(2)(C)), and is on track for completion by the
statutory deadline of December 16, 2004.
\34\ Pub. L. 108-187 Sec. 3(17) (codified at 15 U.S.C.
Sec. 7702(17)). Transactional messages must comply with the Act's
prohibition against deceptive headers, Id., Sec. 5(a)(1) (codified at
15 U.S.C. Sec. 7704(a)(2), but are otherwise exempt from the Act. Id.,
Sec. 3(2)(B) (codified at 15 U.S.C. Sec. 7702(2)(B)). A rulemaking is
permitted by Sec. 3(17)(B) (codified at 15 U.S.C. Sec. 7702(17)(B)).
\35\ Id., Sec. 5(a)(4)(A)-(B) (codified at 15 U.S.C.
Sec. 7704(a)(4)(A)-(B)). A rulemaking is permitted by Sec. 5(c)(1)
(codified at 15 U.S.C. Sec. 7704(c)(1)).
\36\ Id., Sec. 13(a) (codified at 15 U.S.C. Sec. 7711).
\37\ Available at: .
---------------------------------------------------------------------------
The Commission is also actively preparing several reports required
by the CAN-SPAM Act. The March 11 ANPR solicited comment from
interested parties on a plan and timetable for establishing a national
Do-Not-E-mail Registry, and an explanation of any practical, technical,
security, privacy, enforceability, or other concerns commenters may
have about the creation of such a registry, for a report to Congress
due on June 16.\38\ To supplement information collected from this
public comment process, the staff has used additional tools to enhance
its understanding of all relevant issues. First, the staff has held
meetings on the record with more than 80 interested parties
representing more than 60 organizations to explore all aspects of the
concept of a ``Do-Not-E-mail Registry'' from as many viewpoints as
possible. Second, the Commission also issued compulsory process to a
number of ISPs and other entities under Section 6(b) of the FTC Act to
obtain information relevant to this report and other reports required
by CAN-SPAM. Third, the Commission issued a Request for Information
from vendors for creation of such a registry, and obtained assistance
of expert consultants to assess vendors' submissions. Through these
efforts, the Commission has received invaluable information that will
allow us to prepare a comprehensive report.
---------------------------------------------------------------------------
\38\ Id., Sec. 9 (codified at 15 U.S.C. Sec. 7708).
---------------------------------------------------------------------------
In addition, the staff is actively gathering information for and
preparing:
a report due September 16, 2004, setting forth a system of
monetary rewards to encourage informants to report the
identities of violators of CAN-SPAM;\39\
---------------------------------------------------------------------------
\39\ Id., Sec. 11(1) (codified at 15 U.S.C. Sec. 7710(1)).
a report due June 16, 2005, recommending whether or not
commercial electronic mail should be identified as such in its
subject line by the use of a label like ``ADV'';\40\ and
---------------------------------------------------------------------------
\40\ Id., Sec. 11(2) (codified at 15 U.S.C. Sec. 7710(2)).
a report due December 16, 2005, on the efficacy of the Act
.\41\
---------------------------------------------------------------------------
\41\ Id., Sec. 10 (codified at 15 U.S.C. Sec. 7709). The agency is
gathering baseline data for this report through the Sec. 6(b) requests
for information and other activities.
---------------------------------------------------------------------------
Conclusion
E-mail provides enormous benefits to consumers and businesses as a
communication tool. The increasing volume of spam, coupled with the use
of spam as a means to perpetrate fraud and deception, has put these
benefits at serious risk. The Commission intends to continue its law
enforcement, education, and research efforts to protect consumers and
businesses from the current onslaught of unwanted spam messages. The
Commission appreciates this opportunity to describe its efforts to
address the problem of spam and its activities to fulfill the mandates
of CAN-SPAM.
The Chairman. Thank you very much.
Ms. Monroe, welcome.
STATEMENT JANA D. MONROE, ASSISTANT DIRECTOR,
CYBER DIVISION, FEDERAL BUREAU OF INVESTIGATION;
ACCOMPANIED BY DAN LARKIN, UNIT CHIEF, INTERNET CRIME COMPLAINT
CENTER
Ms. Monroe. Thank you.
Good morning, Chairman McCain and other Members of the
Committee. On behalf of the FBI, I would like to thank you for
this opportunity to address the FBI's role in anti-spam
initiatives.
Cybercrime in its many forms continues to receive priority
attention from the FBI. A paramount objective of the Cyber
Division has been to arm field investigators with the necessary
resources to identify and combat evolving cybercrime matters.
Over the past 18 months, the FBI has supported the
establishment of more than 50 multi-jurisdictional task forces
nationwide. Partnerships with Federal, state, and local law
enforcement are vital to the success of these teams, because
cybercrime, by its nature, does not respect jurisdictional
boundaries, and we need to leverage existing resources to
effectively and efficiently fight cybercrime.
In addition to law enforcement partnerships, another prime
objective of the FBI's Cyber Division is to develop active
partnerships with subject matter experts from the private
sector. Such experts are often better equipped to identify
cybercrimes at their earliest stages. Early identification of
cybercrime is an absolute must, and directly correlates to
ultimate success in investigating and prosecuting
cybercriminals.
In keeping with this approach, and even before passage of
the CAN-SPAM Act by Congress, the FBI had begun work in a
public/private alliance to specifically target the growing spam
problems. The Internet Crime Complaint Center, working in
coordination with the industry, developed Slam Spam, an
initiative that began operation last fall. This initiative
targets significant criminal spammers, as well as companies and
individuals that use spammers and their techniques to market
their products. This initiative also investigates the
techniques and tools used by spammers to expand their targeted
audience, to circumvent filters and other countermeasures
implemented by consumers and industry, and to defraud customers
with misrepresented or nonexistent products.
Before Congress passed the CAN-SPAM Act of 2003, some
schemes perpetrated by spam could have been pursued as
violations of statutes such as Title 18 United States Code
Section 10-30, which is fraud and related activity in
connection with computers; Title 18 U.S. Code Section 23-19,
criminal infringement of a copyright; or Title 18 U.S. Code
Section 13-43, which is wire fraud; as well as through several
other existing criminal or civil statutes. However, no existing
statute directly addressed some typical behaviors of spammers,
including widely used available open proxies to bounce e-mail
traffic through intermediary computers with the intent to hide
the true location of the sender, the abuse of free e-mail
services to send out spam from accounts with false registration
information, and the use of tools to forge the return address
and other headers associated with the e-mail.
Prior to the CAN-SPAM Act, law enforcement lacked the legal
tools to address the spam problem directly. Because of this,
many investigators and prosecutors viewed cases primarily on
the sending of spam as unlikely to result in successful
investigations and prosecutions. However, as the economic
impact attributable to spam and the use of spam to send
unwanted pornographic images became known, law enforcement
interest increased.
Similarly, investigations of computer intrusions and
viruses have uncovered that infecting computers with viruses is
now often being done to facilitate spam. In the Sobig.F
computer intrusion investigation, we learned that millions of
computers were infected globally, primarily to convert those
computers into spam relays. The CAN-SPAM Act now allows law
enforcement to apply criminal leverage to spammers who
previously were viewed as facilitators or fraudulent schemes,
but who would disclaim any knowledge of the fraudulent or
pornographic nature of the products they were advertising. CAN-
SPAM's provisions address the most significant fraudulent and
sexually explicit spam, and both provide civil and criminal
tools to combat them.
Once again, I appreciate the opportunity to come before you
today and share the work that the FBI's Cyber Division has
undertaken to begin to address the problem of spam. Our work in
this area will continue, and we will keep Congress informed
about our progress in overcoming the challenges in this area.
[The prepared statement of Ms. Monroe follows:]
Prepared Statement of Jana D. Monroe, Assistant Director,
Cyber Division, Federal Bureau of Investigation
Introductory Statement
Good morning Chairman McCain, and other members of the Committee.
On behalf of the FBI, I would like to thank you for this opportunity to
address the FBI's role in anti-spam initiatives.
Cyber crime, in its many forms, continues to receive priority
attention from the FBI. A paramount objective of the Cyber Division has
been to arm field investigators with the necessary resources to
identify and combat evolving cyber crime matters. Over the past 18
months, the FBI has supported the establishment of more than 50 multi-
jurisdictional task forces nationwide. Partnerships with federal,
state, and local law enforcement are vital to the success of these
teams, because cyber crime, by its nature, does not respect
jurisdictional boundaries and we need to leverage existing resources to
effectively and efficiently fight cybercrime.
In addition to law enforcement partnerships, another prime
objective of the FBI's Cyber Division is to establish active
partnerships with subject matter experts from the private sector. Such
experts are often better equipped to identify cyber crimes at their
earliest stages. Early identification of cyber crimes is an absolute
must, and directly correlates to ultimate successes in investigating
and prosecuting cyber criminals.
In keeping with this approach, and even before passage of the CAN-
SPAM Act by Congress, the FBI had begun work in a Public/Private
Alliance to specifically target the growing spam problem. The Internet
Crime Complaint Center (IC3), working in coordination with industry,
developed ``SLAM-Spam,'' an initiative that began operation last fall.
This initiative targets significant criminal spammers, as well as
companies and individuals that use spammers and their techniques to
market their products. It also investigates the techniques and tools
used by spammers to expand their targeted audience, to circumvent
filters and other countermeasures implemented by consumers and
industry, and to defraud customers with misrepresented or non-existent
products.
Enforcement Before and After the CAN-SPAM Act
Before Congress passed the CAN-SPAM Act of 2003, some schemes
perpetrated by spam could have been pursued as violations of statutes
such as Title 18, United States Code, Section 1030 (fraud and related
activity in connection with computers) Title 18, United States Code,
Section 2319 (criminal Infringement of a copyright) or Title 18, United
States Code, Section 1343 (wire fraud), as well as through several
other existing criminal or civil statutes. No existing statute,
however, directly addressed some typical behaviors of spammers,
including: using widely-available ``open proxies'' to bounce e-mail
traffic through intermediary computers with the intent to hide the true
location of the sender, the abuse of free e-mail services to send out
spam from accounts with false registration information, and the use of
tools to forge the return address and other headers associated with the
e-mail. Prior to the CAN-SPAM Act, law enforcement lacked the legal
tools to address the spam problem directly. Because of this, many
investigators and prosecutors viewed cases based primarily on the
sending of spam as unlikely to result in successful investigations and
prosecutions. As the economic impact attributable to spam, and the use
of spam to send unwanted pornographic images have become known,
however, law enforcement interest increased. Similarly, investigations
of computer intrusions and viruses have uncovered that infecting
computers with viruses is now often being done to facilitate spam. In
the SoBig.F computer intrusion investigation, we learned that millions
of computers were infected globally, primarily to convert those
computers into spam relays.
The CAN-SPAM Act now allows law enforcement to apply criminal
leverage to spammers, who previously were viewed as ``facilitators'' of
fraudulent schemes, but who would disclaim any knowledge of the
fraudulent or pornographic nature of the products they were
advertising. CAN-SPAM's provisions address the most significant
fraudulent and sexually explicit spam, and provide both civil and
criminal tools to combat them.
Project SLAM-Spam
In response to the growing number of complaints it was receiving
about fraudulent and pornographic spam, the Internet Crime Complaint
Center began development of a project to address the spam problem. The
Center has developed extensive experience in taking complaints relating
to all types of crime occurring over the Internet, analyzing them for
significant patterns, and then referring appropriate case leads out to
the field for further investigation. The IC3 receives more than 17,000
complaints every month from consumers alone, and additionally receives
a growing volume of referrals from key e-commerce stakeholders. The use
of spam is a substantial component of these schemes, which includes
reports of identity theft schemes, fraudulent pitches and ``get rich
quick'' schemes, and unwanted pornography. Currently, over 25 percent
of all complaints to the IC3 involve some use of spam electronic mail.
To develop the project, the IC3 coordinated with industry Subject
Matter Experts and representatives of the Direct Marketing Association
(DMA), which have provided essential expertise and resources to the
project. The IC3 has also consulted with the Federal Trade Commission,
which has several years of working with consumers on the spam problem.
This project has also identified a significant list of the methods used
by subjects to advance their individual schemes. I will describe some
of the efforts and summarize the primary accomplishments of this
project over the past six months, and project future accomplishments,
consistent with the overall project plan. This include a national
initiative in which suitable cases developed or advanced through this
project, will be highlighted as part of our overall effort against
those who have committed criminal and civil violations of the CAN-SPAM
Act.
The first several months of the project focused on building support
structures to support the initiative. The IC3 identified and consulted
with Subject Matter Experts from Internet Service Providers, anti-spam
organizations, and other groups. They defined responsibilities of
participants, and began weekly strategy meetings to ensure that
progress and priorities were consistent and clear. Experts developed
communications channels and databases to exchange information quickly
and robustly among the experts in the alliance. Finally, a list of
potential subjects was developed by analysts from the Internet Crime
Complaint Center (IC3), and compared against existing IC3 referrals to
determine if law enforcement had already initiated investigations of
subjects, and if those investigations were making progress.
After the effective date of the CAN-SPAM Act, the IC3 helped
organize and participated in three regional training conferences on a
number of subjects relating to cybercrime. At these conferences,
representatives of the FBI and Department of Justice gave presentations
designed to familiarize agents specializing in cyber crime with the
SLAM-Spam initiative, the techniques used by spammers to falsify their
identity, and the additional criminal prohibitions in the CAN-SPAM Act.
Identifying the most significant subjects involved in criminal spam
scenarios is a prime objective of the SLAM-Spam initiative. Equally
significant has been developing those cases so that they can be further
investigated and prosecuted by field offices, cyber task forces, and
United States Attorneys' Offices around the United States. Accordingly,
while a growing number of Internet crime schemes use spam to target
larger pools of victims, the Cyber Division's task force capabilities
have increased as well. Cyber Crime squads in our field divisions are
trained in quickly investigating computer intrusions and virus attacks.
When they are available, these resources can also be used to
investigate the source of unwanted fraudulent and pornographic spam.
Project SLAM-Spam is on course and on schedule to achieve
substantial results against individuals and organizations that are
complicit in criminal (and potentially civil) schemes where spam is
used. As a result of these activities, more than 20 Cyber Task Forces
are actively pursuing criminal and in some cases joint civil
proceedings against subjects identified to date. We expect that this
number will continue to rise, as successful actions are brought under
this act.
We are also improving our cooperation with the FTC, State Attorneys
General, and industry partners, because we understand that criminal
enforcement is only one aspect of the fight against spam. While we
cannot share every detail of ongoing criminal investigations, we can
and will share our knowledge about tools and techniques used by
spammers, their current primary targets of opportunity, and the types
of schemes they are favoring.
Notable Early Accomplishments of SLAM-Spam
The SLAM-Spam initiative has now moved beyond the planning stages,
and has begun identifying and packaging investigations from the field.
Within the last few months, the Initiative has:
Identified over 100 significant spammers
Targeted 50 Spammers so identified as points of focus for
the SLAM-Spam project.
Developed ten primary subject packets developed and for
referral to Law Enforcement
Linked three groups of subjects into potential organized
criminal enterprises
Referred five significant ongoing investigations linked to
spammers.
Over 350 compromised and misconfigured resources identified,
including 50 government sites.
Engaged military criminal investigators to help identify
criminal acts associated with compromised Government sites.
Identified common denominators relating to spam both
domestically and internationally.
Catalogued numerous exploits and techniques being used by
spammers, including e-mail harvesting, use of viruses, and
turn-key tools to bypass filters.
Future Initiatives
The FBI, via the IC3, periodically coordinates National
Investigative Initiatives, together with our Federal, State, and Local
partners. Such initiatives are designed to highlight escalating areas
of cyber crime, and demonstrate decisive action taken by law
enforcement to combat it. These events also serve to alert the public
to new and evolving cyber crime schemes, such as criminal spam. Three
such initiatives have been carried out over the last 2 \1/2\ years,
including Operation Cyber Loss, Operation E-Con, and most recently
Operation Cyber Sweep. A succeeding initiative is being projected for
later this year in which it is anticipated that criminal and civil
actions under the CAN-SPAM Act of 2003 will be included.
We have begun preliminary notification to our field offices of our
newest initiative, underscoring our emphasis on cases involving
criminal uses of spam. Such cases may be investigated and prosecuted as
computer intrusion matters, or as on-line cyber frauds which may lend
themselves to a variety of existing state and/or Federal statutes,
including the recently passed CAN-SPAM Act. Similar notifications have
been or will be made through appropriate channels to the U.S. Secret
Service, U.S. Postal Inspection Service, the FTC, the Department of
Justice, and in the state and local agencies that are members of the
National White Collar Crime Center. We are already planning meetings to
ensure that this initiative is on track, and to further define the
scope and packaging of this activity are being planned. We will be
happy to brief you on the results of this initiative when it has been
completed.
Conclusion
Once again, I appreciate the opportunity to come before you today
and share the work that the Cyber Division has undertaken to begin to
address the problem of spam. Our work in this area will continue, and
we will continue to keep Congress informed about our progress in
overcoming the challenges in this area.
The Chairman. Thank you very much.
Chairman Muris, I mentioned, in my opening statement, that
in the CAN-SPAM Act we gave you the authority to go after the
businesses that hire spammers to promote their goods and
services. The intent of that provision, as you know, is to
allow you to more quickly respond to spam by allowing them to
stop chasing spammers and directly enforce the law against
their clients. Why haven't you acted more in that direction?
Chairman Muris. Well, in fact, Mr. Chairman, we have. Of
our 62 cases, 59 were against sellers. Many of them were
against sellers and spammers. We've also found, in our first
two cases, which are initially primarily against sellers--we
believe we'll find out who the--there's an enormous amount of
spam in those two CAN-SPAM cases--we believe we'll find out who
the spammers were. But one reason that Section 6 was put in
there was--and we thought there might be some difficulty in
using Section 5 against sellers, and at least with our initial
cases and initial investigations, that did not turn out to be
the case. I think going against sellers is an important road.
We will continue to do that.
Of course, the underlying problems of spam, the very low
cost, and the absence of effective enforcement, and effective
ISP screening, and the anonymity of the Internet are not
directly addressed.
I do agree with the remarks that we just heard, that the
criminal parts of spam, in the end of the day--I mean, of CAN-
SPAM--may be the most important aspects of the statute.
The Chairman. Ms. Monroe, how significant a problem is the
promotion of child pornography in spam?
Ms. Monroe. Very significant. I think that is one of the
primary means in doing that. It's a significant problem.
The Chairman. As we all know, the U.S. Supreme Court has
said that child pornography is beyond any constitutional
protections. It seems to me, then, that you would really want
to make that a priority for--in your efforts.
Ms. Monroe. Yes, sir. We are making it--it has been a
priority, and we're continuing to make it a priority.
The Chairman. Have you undertaken any special efforts?
Ms. Monroe. In what means?
The Chairman. To eradicate the promotion of child
pornography in spam?
Ms. Monroe. Well, in working on this whole spam issue, what
we have done is, we're in the process of providing training to
our field offices. And, as I had indicated, we have
approximately 50 task forces that we have trained, and we're
continuing to do this in our 20 field offices, and that is a
part of the pornography that's included in our training, and
are addressing the issue.
The Chairman. Well, I hope you'll give it some special
priority. It's obviously the most disgusting aspect of this
whole spam situation.
Ms. Monroe. Yes, sir.
The Chairman. Mr. Muris, what accounts, in your view, for
the continuing rapid increase in the volume of spam?
Chairman Muris. The reason spam is such a difficult target
are the two problems that I alluded to a few minutes ago. In
the absence of effective screening and enforcement--and that's
related to the second problem that I'll get to--the additional
cost of sending spam is very close to zero. When you make an
additional--if you're a marketer and you make an additional
10,000 phone calls or send out an additional 10,000 letters,
that costs real money. In the absence of those factors that I
discussed, sending out an additional 10,000 spam does not,
which means that--and your testimony has alluded to this, as
our 3-day spam forum did--that the response rates can be
extraordinarily trivial, and spam can still be a profitable
endeavor.
The second problem is the anonymity. The Internet was set
up to be anonymous, and it's why going after the seller is an
important thing to do. The problem is, is that the overwhelming
amounts of the spam are--involve obviously fraudulent products
or products that are otherwise offensive or illegal--you know,
pornography--and there's a lot of spam that will sell you
prescription drugs without a prescription, which is illegal. So
you have people who have the incentive to hide and the
anonymity of the Internet allows them to hide.
There are technological solutions, perhaps. The filtering
is clearly better. There is a movement toward authentication,
at least at the domain level, which will be helpful. But there
is--and you alluded to this--there's an arms race obviously
going on between the spammers and the ISPs, and the spammers
are certainly at least holding their own.
The Chairman. Senator Wyden?
Senator Wyden. Mr. Muris, what's the strategy for going
after the kingpin spammers? I think it's clear that people can
differ how many of them there are, and there has been some
discussions of 500 or 1,000. It's not an unlimited universe.
What's the strategy for going after the kingpin spammers?
Chairman Muris. Well, the underlying point is obviously an
excellent one. We've asked--I mean, as in so many areas of
spam, no one knows--we ask, as part of the compulsory process
that I mentioned--we asked ISPs, and we got--you know, we got
differences of opinion that ranged by a factor of ten.
An example of how hard this is, one of the many good parts
of CAN-SPAM was to allow this right of action by the ISPs. When
they filed--a bunch of them have filed actions recently--they
were almost all against John Doe defendants, because they don't
know who they are.
We are collecting spam. We ask to receive spam. We get
200,000 to 300,000 a day. One of the ways we found these
targets was looking at the extraordinarily large volume. There
are organizations out there that claim that they know who some
of these large spammers are. We're working with them, we're
working with ISPs. Quite frankly, there are still some
problems, some statutory problems, that could be corrected.
Some of those are corrected in our proposed Cross-Border Fraud
legislation, which I know you support and this Committee
supports, and we hope that we can move that legislation very
quickly, because it will help us cooperate internationally,
which is becoming very important, and it will help us reduce
these barriers. Right now, the ISPs have some limits on what
they can share with us, and we think the Cross-Border Fraud
legislation will help there.
Senator Wyden. In addition to using the large volume as a
criteria for selecting a case, what can you tell us about the
criteria you're going to choose from this point on, in terms of
bringing cases?
Chairman Muris. We will continue to--as the Chairman asked,
we will continue to follow the money trail and go after the
sellers. And that, unfortunately--I mean, there's both the good
news and bad news there. The good news is that you can
sometimes find the sellers. The bad news is, it can be very
cumbersome. In our two CAN-SPAM cases, we, surprisingly, only
had to use six, what amounts to subpoenas, each, which is much
lower than in the typical case.
And a reason, Senator, to focus on the volume is, when you
do these cases--unlike when someone robs a bank and you know
how much money they've taken, when you do these cases, you
don't know, until you get to the end, how much commerce is
involved.
We've done two phishing cases--you know, phishing, with a
``ph''--where someone is sending you spam, claiming they're
AOL. We've worked with criminal authorities. In one case, we
found a minor, on a lark, who had stolen a grand total of
$8,000. Criminal authorities do not normally prosecute minors
for that kind of offence. The other case, it involved much
larger sales, and there have been criminal penalties assessed,
and we just--a very long sentence was just entered into.
But we will continue to look at the volume, look at the
amount of commerce, look at the sellers, work with other
people, especially the ISPs. Unfortunately, it takes all those
tools, Senator.
Senator Wyden. I was pleased that one of the cases you
filed targeted a company based in Australia. And so it seems to
me, with that kind of message, we say, ``Look, we're not just
going to let you leap offshore, and you can go about your dirty
deeds that way.'' Even before we get the cross-border
legislation--which I do support, and there's strong bipartisan
support for--can you commit to trying to continue those kinds
of actions? Because, of the three pieces--enforcement in the
United States, international cooperation, and technology-based
solutions--we don't want to throw up our hands and just say,
``There's nothing we can do.''
Chairman Muris. Senator, absolutely. We have an enormously
large number of people working on this effort. International
enforcement against fraud--and spam is one of the main ways to
transmit the fraud--has been one of the highest priorities I've
had as Chairman. That's why I've spent so much time working
with you on the Cross-Border Fraud legislation, and we greatly
appreciate your support.
I was recently in Europe. The European Commission in the
European Union is about to require individual member states to
have enforcement agencies. We provided technical assistance to
some of the new members. We've engaged in massive training of
people all over the United States. We've created a task force
working with criminal and state partners on spam. And I can
guarantee that it will continue to be a major effort of ours.
Senator Wyden. A last question, if I might. I think I
described in my opening statement that I see this as the
beginning of the long march to get the swamp drained. I mean,
this is going to be a problem where we're up against sleazy
characters who are not technological simpletons. I mean, what
they're going to constantly be trying to do is get out in front
of any kind of piece of legislation or any kind of enforcement
action. So as part of this effort to try to get out in front of
what the next approach will be, tell us, if you would, Ms.
Monroe and Mr. Muris, what you've learned--what are the most
important lessons you've learned thus far, in terms of trying
to tackle this scourge?
Ms. Monroe, why don't you start, and then we'll have Mr.
Muris.
Ms. Monroe. Sir, the FBI----
Senator Wyden. Wouldn't want to leave you without a
question.
Ms. Monroe. I'm sorry. The FBI met recently with the G8 and
Interpol in, I think, addressing what you said in your opening
statement. They are very willing to work and cooperate with the
spam issue. They had not necessarily viewed it as spam or call
it spam, so I think, at this point, we're in the initial stages
of educating them and bringing them onboard as to how we define
our problem, and what it means, and globally how they can be of
some assistance. And they are extremely encouraged by that.
And on the technical aspect of it, I think, within our
Cyber Division within the FBI, we have our Special Technologies
Applications section and our Investigative Technology Division,
which are very technologically advanced and have provided tools
to us to help combat this. And I'm very confident that, as an
investigative agency, we are ahead of the game on that.
Senator Wyden. Mr. Muris, what have we learned so far?
Chairman Muris. Well, we've learned a lot, but a couple of
things. On enforcement, we've learned that because of the
anonymity problem, we have to follow the money trail. We've
learned that it's difficult. I think we are gaining experience
and learning by doing.
I recently met--I forgot to mention--I made a significant
pitch to a group of United States attorneys about this problem
and about the problem of fraud, in general. And I talked to
them about how this problem is not just in the English
language. We're actually now looking at Spanish language. We're
about to start a pilot program--and, Mr. Chairman, we're going
to Phoenix as one of our cities in the pilot program--to try to
get more interest in the Spanish-speaking media and the
Spanish-speaking community about telling us--the Hispanic
community--about telling us the problems of fraud. And spam is
a significant part of that in that language, as well.
The other thing that we've learned is that law enforcement
itself--and I think you've all echoed this--is not the only
solution. We've learned a lot about the potential of domain-
level authentication as helping. I expect that our report to
you next month will discuss those issues.
Senator Wyden. Thank you, Mr. Chairman.
The Chairman. Senator Burns?
Senator Burns. Thank you, Mr. Chairman.
I want to continue along the same lines as my friend from
Oregon. If estimates point to the stark fact that 200 spam
operations are responsible for nine-tenths of the spam, it
would seem like it would contradict some arguments that it's
not as widespread as one would think, and we could probably
narrow and zero in on these larger spammers and take care of
the situation.
I want to say that Senator Wyden and I, we have had
conversations with the British--the Parliamentarians in
Britain, also in Australia and in Japan. The U.S./Asian network
is aware of this problem--and that includes a lot of the
Pacific Rim countries, including the PRC--that we have a
problem here. And I think those discussions could continue to
move forward and to coordinate yourself with some international
organizations, agencies, for the fight.
Let me ask--as of yesterday, the Commission issued the
final ruling on--it requires that all sexually oriented spam be
labeled with the warning ``sexually explicit'' on the subject
line. Are you confident that that will withstand a court
challenge, Mr. Muris?
Chairman Muris. I am not a constitutional scholar, and I
have no basis to be confident or not confident. We have made
what we think are sound constitutional arguments, but this is
an area where the efforts to write law have frequently been
overturned.
Senator Burns. Well, I just noticed that, and I
congratulate you for your bold step. I congratulate you for
that.
And tell me, again--you know, when we started talking about
the Do Not Spam list, after 141 days and after you've seen the
law into effect, would you--are you more confident now, or less
confident, that that approach is technically feasible? And how
would the list be maintained? And what would happen to such a
list if it were to become available to spammers?
Chairman Muris. Well, we have--let me give you a very
preliminary answer----
Senator Burns. Yes.
Chairman Muris.--because the staff has just sent a report
to the Commission, and the Commission needs to digest that
report, and I would be--as I mentioned in my opening remarks, I
would be more than glad to come and discuss it privately or
publicly, however the Committee desires.
On the last point, it is clear that--from the evidence I've
seen, that a list of valid e-mail addresses is very valuable to
spammers, and that's obviously one of the serious issues about
a Do Not E-Mail Registry that the report addresses, and that
we'll be reporting to you on soon.
Senator Burns. Well, but are--have you solidified--found
out anything different than, say we--when we studied that
before the law was actually put into effect?
Chairman Muris. Well, I think we will have--the report
contains--and, again, we haven't passed on it. It just--it
literally went to the Commission--today is Thursday--I think
Monday or Tuesday. We have learned a fair amount about the
ISPs' efforts in the--you know, which have occurred in the last
year, and the report, you know, will comment on that. There are
efforts underway at authentication at the domain level, and
that, I think, could be a very useful step, although nothing is
a silver bullet here, and that would not be, as well, given the
so-called zombie drone problem.
Senator Burns. Well, I--again, I want to applaud your
working so far. I don't know of anything that we've hit the
ground running--141 days is not very many days, as you well
know, and so I appreciate that.
Ms. Monroe, I understand that the--every time we start
talking about Internet, marketing on the Internet, Internet
taxes, all this such thing, we always come up with the
organization called the Direct Marketing Association. And I
understand--and, to their credit, have been very instrumental
in working with the National White Collar Crime Center to begin
in your Slam Spam. Can you explain how that information is
useful in prosecuting spammers, the information that reaches
the FBI?
Ms. Monroe. I'm going to ask Dan Larkin to respond to that
question, since he works directly with that on a daily basis.
Senator Burns. OK, thank you.
Mr. Larkin. Yes, Senator. The information that we--or the
partnership we developed with industries through the Direct
Marketing Association enabled us to leverage very significant
industry intelligence on the crime problem. As we've found, and
I think one of the foundations of the FBI's cyber strategy is
that we've got to partner with industry much more regularly and
effectively than we have in the past. And this subject is one
of the ones that they have significant intelligence and
resources that have helped us identify the spammers, the
techniques that spammers are using, and to help us kind of
refine the list of priority subjects to go after.
Senator Burns. Well, I applaud the Direct Marketing folks,
and as they--you know, when Senator Wyden and I were talking
about this--it only took us 4 years to pass the bill. We've had
a lot of time to talk about it. But we thought, you know,
basically if the industry comes together, because the industry
understands that they've got a problem, the ISPs think that
they have a problem in dealing with this. And it was to bring
people together to formulate some standards of marketing on the
Internet. Other words, there is a market out there, and
legitimate marketers who identify themselves, we don't have any
problem with that. And the general American public does not
have a problem with that. It's the unwanteds--like the Chairman
wants to do away--and child pornography, and he's right on
point on that--is to take this illegitimate and this trash
stuff off of there. So I just wanted to congratulate the Direct
Marketing in the actions of partnering up with the FBI and the
industry to clean that up.
And thank you for coming today. I appreciate all the
remarks that all of you have made.
The Chairman. I thank you.
Thank you for coming, and we appreciate all your efforts.
And I guess your message is that we should keep hope alive?
Ms. Monroe. Definitely so.
The Chairman. OK.
Chairman Muris. And please pass the Cross-Border Fraud
legislation.
The Chairman. Thank you.
Ms. Monroe. Thank you all very much.
The Chairman. Thank you for coming today.
Our next panel is Mr. Ted Leonsis--he is the Vice Chairman
of American Online, and President of AOL Core Service; Mr.
Shinya Akamine, who is President and CEO of Postini,
Incorporated; Mr. Hans Peter Brondmo, Senior Vice President of
Digital Impact, Incorporated; Mr. James Guest, the President of
the Consumers Union; and Mr. Ronald Scelson, the President of
MicroEvolutions. And would you all please come forward?
[Pause.]
The Chairman. We'll begin with you, Mr. Leonsis. Welcome
back, and I see your old friend, Mr. Scelson, is here, as well.
[Laughter.]
Mr. Leonsis. Thank you, Mr. Chairman.
The Chairman. We look forward to the testimony of all the
witnesses. And, again, I want to apologize for the delay, and
we hope we haven't disrupted your schedule for the day because
of the meeting with the President this morning.
Mr. Leonsis?
STATEMENT OF TED LEONSIS, VICE CHAIRMAN, AMERICA ONLINE, INC.,
AND PRESIDENT, AOL CORE SERVICE
Mr. Leonsis. On behalf of the people of America Online and
our 31 million worldwide members, I'd like to thank you for the
opportunity to testify again before the Committee on the issue
of unsolicited commercial e-mail.
My name is Ted Leonsis. I'm Vice Chairman of America
Online, Incorporated, and President of the America Online
Service. I want to thank the Committee for inviting me back to
testify again, almost one year to the day after my first
appearance. And let me tell you what a positive difference a
year makes.
When I was here last year, we all sounded an alarm for
action. Spam was exploding exponentially, and online users were
drowning in a torrent of spam. We elevated the call for action
against spam, and you responded, and you did a great service to
the online medium and online consumers by adopting the CAN-SPAM
law, and we thank you for that.
I want to thank you for doing so. In particular, I want to
commend the leadership of Senator Burns and Wyden on this
issue. CAN-SPAM was the right bill at the right time for all
the reasons that we've discussed, and we look forward to
measuring its success with more time.
But I am here to tell you, very affirmatively, that we've
also done our part as a company. We're now veteran spam-
fighters, and we've gone to the next level in our battle
against spam.
First of all, we joined all of our members on a crusade
against this blight. We turned our members into spam-fighters.
We launched very comprehensive and expensive education and
awareness campaigns to tell our customers how to fight spam in
their own terms and on their own time, creating an anti-spam
community where members help other members roll back spam by
clicking on their ``Report Spam'' buttons. AOL members
responded so enthusiastically to our call for action that, as
we just announced this morning, two million of them signed our
online spam-fighters petition in the past year alone in order
to make their voices heard on spam.
And while we gave our members hope on the one hand, with
the other we were arming them with great anti-spam tools. We
launched new software last fall, and, in so doing,
revolutionized spam-fighting on our service. We did so with
adaptive spam filtering that is tailored to each member. We
improved mail controls with an individualized permit/deny list.
We unveiled a spam folder for every inbox. And we introduced a
custom word list to block the most reviled spam terms.
And because you know and I know how critical it is to
protect our children from porn and predators, we gave our
members the ability to disable offensive images in their e-
mail, and we enhanced our parental controls to allow parents to
determine who can and can't contact their children by e-mail.
We provided a report-card feature called AOL Guardian that
tells parents who their children have communicated with each
time they've gone online.
Second, we enhanced and improved our spam filtering, making
the process the most accurate, effective, and efficient that it
has ever been, thanks to our mail operations and anti-spam
teams. And we expanded our postmaster team to a 24/7/365
operation to help to deliver the good mail to our members while
keeping the spammers at bay.
We learned from spammers, and we're using their own tricks
and ploys against them. Instead of strictly being in a reactive
position, we are now, today, doing things proactively to disarm
them before they try and click on the ``Send'' button.
Third, we are aggressively pursuing spammers in a series of
lawsuits. We successfully concluded about a half-dozen Federal
lawsuits against spammers, filed last April. We sued a group of
spam conspirators in Florida, known as the Sunshine State
Spammers in February of this year. We've collaborated with the
Attorney General of Virginia on the first ever criminal state
indictments of spammers. And, most importantly, we filed the
first ever industry lawsuit using the new Federal CAN-SPAM law
in March of this year, in cooperation with Earthlink,
Microsoft, and Yahoo. Bottom line, we're finding the spammers,
we're taking their spam gear and their spam toys, like their
Porsches, and helping to put them in jail one by one.
Fourth, AOL is diligently and passionately working in state
capital after state capital to encourage the swift adoption of
tough, targeted anti-spam laws that mirror the Federal CAN-SPAM
law at the state level. This is very important, because it
provides the one-two punch against spammers by also empowering
state law enforcement to pursue spammers with criminal charges.
Already, we're showing results, as Maryland has now just
adopted the toughest state spam law in our country.
Fifth, we've even cast aside our competitive differences
and come together as an industry, with partners, in conjunction
with Microsoft, Yahoo, and Earthlink. We've teamed up for the
sake of the entire online medium to fight the spammers with one
voice, and combined our talents and resources in the areas of
enforcement and technical solutions to spam.
As you know, Yahoo and Microsoft have developed their own
technical proposals regarding e-mail authentication, and we're
proud to say that AOL was at the forefront of testing new
identity technologies, announcing last January, not today, that
we would begin testing a new technology called SPF to help
prevent domain-name spoofing.
As you can tell, Mr. Chairman and Members of the Committee,
we've been very, very busy. And I'm optimistic. We had to be.
Spammers aren't taking a break, and we aren't either.
Now, why are we doing this? We have to. We don't have a
choice. Inaction on spam is a luxury we cannot afford at AOL,
and it's something our members don't tolerate. And the action
is paying dividends. Eighty percent of our members are now
aware of our anti-spam efforts and agree that we are making
efforts to reduce spam. That's up from about a 40 percent level
in February of 2003. And clearly, the more we do on spam, the
more we can positively impact customer satisfaction. And member
satisfaction with our service is up, because the amount of spam
reaching members has gone down.
Since this time last year, the volume of spam e-mails
getting through to our members' inbox has dropped by up to 30
percent, even while the number of attempted spam messages has
still increased. This means one thing. While the spammers are
getting more desperate and aggressive, AOL spam-fighting is
getting better. But, make no mistake, we're not going to rest,
we're not in any way finished. My confidence is high. But the
mission is not complete, and there's much more work to be done.
The menace of bad spam still lingers.
As you may hear this morning, spammers and direct marketers
would still like you to think that they are innocently trying
to make a buck and live out the American dream, and that ISPs
aren't delivering their goods. Don't be fooled. Many of them
break the rules. They violate the integrity of our covenant
with our members. They plague our children. And they cause
millions and millions of online complaints every day. They are
not part of the American dream. They are cause of a long, long,
long nightmare for our consumers. Most of all, many of these
outlaw spammers are still out there, and they're using the same
old devious, deceitful, fraudulent, and evasive maneuvers.
They're lurking and threatening, and they're not giving up. But
we're ready and prepared. We have more tools, we have more
weapons, and we're making the investment. But, most
importantly, we have the passion and the will to do this, and
we have 31 million foot soldiers, our customers, leading the
way.
In conclusion, while we still have a long way to go, these
efforts are starting to pay off. Thanks to the hard work of you
and your colleagues, in partnership with the industry and our
consumers, many spammers are on the run. We look forward to
building on the success in the year ahead.
Thank you very much.
[The prepared statement of Mr. Leonsis follows:]
Prepared Statement of Ted Leonsis, Vice Chairman, America Online, Inc.
and President, AOL Core Service
Chairman McCain, Senator Hollings, and Members of the Committee, my
name is Ted Leonsis, and I am Vice Chairman of America Online, Inc. and
President of the AOL Core Service. I appreciate the opportunity to
testify before the Committee on the issue of unsolicited commercial e-
mail, or ``spam.'' I testified before this Committee last year on this
matter, and I am grateful for the Committee's continued attention to
this important issue.
Although spam continues to be a huge problem facing Internet users
and Internet service providers (ISPs), I believe that there have been
significant developments in fighting spam over the past year that
demonstrate that progress is being made. Thanks to Senator Burns,
Senator Wyden, and other key Members of this Committee, a new Federal
law known as the ``CAN-SPAM Act'' has provided some important
enforcement tools in the fight against spam, as well as a heightened
awareness of the need for cooperation between industry and government
in the fight against spam. I would like to describe some of the ways in
which these tools are starting to be used, as well as some other
technology and policy initiatives that are helping to address the spam
problem.
At this time last year, it appeared that the onslaught of spam was
growing exponentially in a manner that threatened the vitality of
Internet networks. Surveys at that time indicated that spam was
doubling in overall volume every 4-6 months. While the statistics of
spam volume have historically shown some ebb and flow, AOL spam data in
the past several months has shown a decline in the spam growth rate
that we are hopeful signals progress in the anti-spam war.
AOL continues to devote significant resources to the battle against
spam. We have a team of anti-spam fighters on call 24x7 to fight
spammers' varied and changing tactics. We continually adapt the strong
technologies on our network to block and filter spam. Since the hearing
last year, AOL has introduced new tools in the 9.0 version of our
software to help our members, both in the U.S. and internationally,
reduce spam to their inbox. AOL's Mail Controls allow our members to
block e-mail from specific mail addresses or entire domains, or to
create a ``permit list'' of addresses from which they will accept mail.
We also are providing our members with important consumer safety tips
that can help them reduce spam and improve the security of their online
experience.
Included in AOL 9.0 is our ``spam folder'' feature. Beginning in
October of 2003, AOL began transferring e-mail messages with
characteristics indicating that the e-mail was likely to be spam to the
``spam folder.'' This feature separates spam from the user inbox and
allows the recipient to view such messages in a separate folder, or not
view them at all. Between our spam folder and our anti-spam filters, we
are now keeping up to 2.5 billion pieces of unwanted mail per day out
of our members' inboxes.
We believe that our members' experience with spam is improving,
based on information gathered through customer satisfaction surveys, as
well as the number of complaints we are receiving through our ``Report
Spam'' feature. However, even though subscribers to the AOL service may
experience a decrease in the amount of spam that reaches their inbox,
the total volume of spam that senders attempt to deliver to our
networks continues to increase. Spam is still a major problem for
online users and ISPs.
Last year, I testified that it is our belief that a large part of
the overall spam problem is caused by ``outlaw spammers,'' those who
engage in fraudulent tactics such as hiding their true identity or the
true source of their messages. We believe that outlaw spammers continue
to be responsible for the majority of the spam problem that consumers
and ISPs face today.
The ``outlaw'' spam problem includes: 1) e-mail that is sent using
falsified means of technical transmission; 2) e-mail sent using hacked
e-mail accounts; and 3) e-mail sent by spammers who intentionally abuse
legitimate e-mail service providers by registering for multiple e-mail
accounts or Internet domain names using a false identity for the sole
purpose of transmitting spam.
We believe that more than 80 percent of the current spam problem
comes from other ISPs and hosting companies that are infested with
viruses. These software viruses, or ``trojans'' as we refer to them,
typically make their way onto machines via vulnerabilities in end-user
software and the absence of firewalls or anti-virus software. These
viruses/trojans infect users' computers without their knowledge and
allow spammers to use the infected machines to initiate or relay spam.
We believe that most of the viruses/trojans are developed by the
spammers themselves or hackers being paid by spammers.
Last fall, we supported the CAN-SPAM Act because it offered
critical tools to ISPs and law enforcement to deter ``outlaw'' spam by
imposing strict penalties on spammers who engage in techniques of fraud
and falsification. Now that these tools are being utilized, we are
optimistic that this new law will produce some positive results.
Developing criminal cases against spammers and preparing civil
litigation against them take time. However, we and our ISP colleagues,
as well as the Federal Trade Commission, have announced major actions
in the months following enactment of CAN-SPAM. Several recent
announcements provide a glimpse of the significant efforts underway in
this regard:
In March of this year, AOL, Earthlink, Microsoft, and Yahoo!
announced the coordinated filing of the first major industry lawsuits
under the CAN-SPAM Act. The country's four leading e-mail and Internet
service providers filed six lawsuits against hundreds of defendants,
including some of the Nation's most notorious large-scale spammers.
Similarly, the FTC made a major announcement at the end of April of
its first set of enforcement actions using the CAN-SPAM Act against two
spam operations that the FTC had found to have clogged the Internet
with millions of deceptive messages in violation of CAN-SPAM and other
Federal laws. AOL was pleased to cooperate in these investigations, and
we look forward to continued cooperation with both the FTC and DOJ on
spam enforcement.
AOL is pursuing other civil actions aggressively, and is also
expanding its cooperation with state law enforcement to assist them in
prosecuting spammers. In December of 2003, AOL collaborated with
Virginia Attorney General Jerry Kilgore and others to announce the
first-ever indictments under Virginia's tough, new anti-spam statute.
Two out-of-state spammers from North Carolina who stand accused of
spamming AOL members could face jail time, asset forfeiture, and
monetary penalties in these cases.
Thanks to the attention and efforts of lawmakers on this issue last
year, new legislation like the CAN-SPAM Act has spurred increased
enforcement initiatives by ISPs and government. We are also seeing the
level of enforcement on the rise in Europe, with the FTC cooperating
with European agencies to bring legal action against spammers.
We are continuing to work with state lawmakers to support
legislation to reduce ``outlaw'' spam. We are delighted that Maryland
has passed a criminal spam law modeled on the criminal provisions of
CAN-SPAM and that other states, including New Jersey and Ohio, are
likely to follow suit later this year. These legislative initiatives
show increasing recognition that the spam problem can best be addressed
by providing specific enforcement tools that can be used to pursue
spammers who engage in fraud and deception.
Ultimately, in order to radically reduce spam, we must know who the
senders are. Spammers could not do what they do without hiding behind
false names, trojan horses, and the like. That's why, in addition to
enforcement and legislation, we are excited about the development of
promising new technological advancements focused on authentication of
senders. These technologies would allow ISPs to identify e-mail in
order to prevent spam from entering our networks. A variety of
different technologies and approaches are now being tested, all with
the same goal of eliminating spam. AOL is participating in a number of
working groups to discuss the development and application of new
industry standard technologies for e-mail identity.
Specific technologies that appear promising are SPF (Sender
Permitted From), CallerID, and DomainKeys, as well as variations or
combinations of these approaches. These technologies aim to reduce the
domain name spoofing that is central to many forms of spam by
confirming that an e-mail is actually coming from the domain it claims
to be from. The Internet Engineering Task Force (IETF), which is the
standard-setting body for the Internet, is working to set technical
standards using a combination of these technologies. AOL is currently
testing the SPF technology, and we believe it can be implemented
quickly due to its readily available software and already widespread
adoption. Our assessment is that all three technologies can work well
together and should be implemented quickly on a broad scale.
AOL has joined with other leading ISPs, including Earthlink,
Microsoft, and Yahoo, to study ways in which we can make use of new
technologies to reduce spam. In addition to working together to test
authentication approaches, this ISP working group is discussing other
types of best practices that industry can employ to fight spam.
Potentially effective spam fighting methods that deserve further
attention include: (1) for all ISPs to confirm that their members who
are sending e-mail have accounts and are allowed to send mail; and (2)
for abuses indicated by ISP members to be handled as quickly as they
arise. We are continuing to work with our ISP colleagues to develop
additional solutions to the spam problem, both from a technology and
enforcement perspective.
In conclusion, we believe that industry and government have made
great strides in fighting the spam problem over the past year, although
there is much more work to be done. Professional spammers are always on
the cutting edge of technology, which means that staying ahead of them
requires extensive time, resources, and cooperation. The CAN-SPAM Act
has provided some important tools for pursuing spammers; we believe we
will start to see additional progress in the war against spam as these
tools start to be employed.
AOL is committed to protecting our members and maintaining our
leadership role in the fight against spam. We recognize that the
goodwill and trust of our members depend on our continued focus on
developing solutions to the spam problem. We continue to believe that
the spam battle must be fought on many fronts simultaneously in order
to be successful. From technology to education, from legislation to
enforcement, industry and government can work together to reduce spam
significantly and give consumers control over their e-mail inboxes. We
look forward to continuing to work with this Committee and other
lawmakers, as well as with our Internet service provider colleagues, to
stop spammers in their tracks.
Thank you again for the opportunity to testify; I would be happy to
answer any questions you may have on this topic.
The Chairman. Thank you very much.
Mr. Akamine?
OPENING STATEMENT OF SHINYA AKAMINE, PRESIDENT AND CHIEF
EXECUTIVE OFFICER, POSTINI, INC.
Mr. Akamine. My name is Shinya Akamine. I'm President and
CEO of an e-mail security company called Postini. We are a
leading provider of e-mail security technologies. In my
testimony today I'd like to comment on our experience with the
effectiveness of the CAN-SPAM Act, as well as some suggestions
for future improvements, what directions we'd like to see it
go. And I'd like to spend the bulk of my time speaking about
the state-of-the-art and recent technical developments in anti-
spam technology. We're at the forefront of it in Silicon Valley
and I'd like to share some of that with you. And just to
summarize here, the point of view that I'd like to get across
is that the technical solutions that are being presented by the
private sector today already work, and for the customers who
are using them there is no spam problem. For our customers,
we're seeing a decrease of 90 to 99 percent of spam.
I'm going to base the rest of my testimony today on the
data that we collect by operating the world's largest e-mail
security system. We process about 1.5 billion e-mails a week;
only AOL, Yahoo and Microsoft process more mail than Postini.
By processing that much mail, we can see the kind of attacks
and techniques that spammers are using, and our customers,
including companies like Merrill Lynch, Circuit City, The
Washington Post, United Nations and even, interestingly enough,
Hormel, the makers of the canned Spam variety, are using our
technologies to basically protect themselves from the Internet.
But in the process, we get to see what the spammers are up to.
Okay so, in terms of commenting on the CAN-SPAM Act, we
believe that it's very valuable, and of the 37 or so other laws
that I've seen, this has been one of the most well-conceived
and well-thought out statutes out there. And in particular, one
of the reasons that I like it a lot is that it's one of the few
laws that comprehends not only dangerous and objectionable spam
content, like sexual content, but it's one of the few laws that
also comprehends and prohibits abusive e-mail activities that
are not related to content, and specifically by that I mean
things like Directory Harvest Attacks, where a spammer will
connect to a mail server and try to steal, essentially harvest,
valid e-mail addresses, not for the purpose of sending a
message at that time but to sell those addresses on the
Internet and cause spam attacks to happen. So that is a threat
that is not related to the content of the e-mail, it's related
to the transport behavior of SMTP e-mail on the Internet, and
this law is one of the few laws that comprehends and prohibits
those kinds of abusive behaviors.
Paradoxically, although we think it's a good law, the spam
rate that we have been observing, based on our 1.5 billion
messages a week, has increased from 78 percent just prior to
the enactment of the law to 83 percent as of this month. So in
one sense the spam rate has increased 5 percent in 141 days but
I think that the effectiveness of the law is basically
indicated by the fact that without the law I think the spam
rate would have increased faster.
Looking forward, there's kind of a couple of suggestions
that people make about improving the CAN-SPAM Act and I think a
large number of casual observers of the industry say, ``It's a
great law but you need to beef up the enforcement aspect.'' We
actually don't agree with that. We think that it's a great law;
it prohibits illegal activities, or defines illegal activities,
now we believe it's the role of the private sector to actually
go out and secure the customers' mail servers. In fact, one of
the things, with all due respect, I'd like to comment on is
earlier, two of the Senators commented about the idea of
kingpin spammers or, I often hear at cocktail parties, there
are ten spammers that make up 90 percent of all the spam in the
world. It could be true. However, I've yet to see any data that
actually supports that viewpoint and we are the fourth largest
processor of e-mail in the United States and we don't have the
evidence to support that viewpoint. The reason I make this
point is that if one believes that there are ten, 100 or even
1,000 spammers responsible 90 percent of spam, enforcement may
be the right way to go. But imagine is the world looks another
way, which is, there are tens and thousands of spammers out
there using cable modems and DSL lines to do distributed spam
attacks. In that case, enforcement may not be the way to go. In
that case, making private sector technological advances may
actually be the right way to go. This is our viewpoint.
Okay, last I'd like to touch on where the state-of-the-art
of spam technology is. Point number one, we believe that spam
is a symptom. It's one of the most visible and painful symptoms
but we think it's a symptom of the fact that e-mail today is
fundamentally not secure. And so to use an analogy, if you have
a dark house and you don't have any locks on your house, you
may have problems with burglary, with vandalism and
trespassing. But do you have a burglary problem or do you
actually have a security problem? E-mail servers today are
completely open to the Internet and so without security and
management layers, symptoms like spam come about. But if you
think about it, there are other symptoms that are indicating
the same root problem. There are e-mail-borne viruses, there
are Directory Harvest Attacks, there are attachments that are
being sent along with e-mails in all kinds of violation of
corporate e-mail policy. So we would like to address the
problem technology at the root level, which is the fundamental
security of e-mail.
Second of all, there was a comment earlier about the fact
that there is a bit of tit-for-tat, or an arms race aspect of
the spam wars. So you know, when the spam filter companies
figure out that spammers are trying to spam about Viagra, then
spammers turn around and they start misspelling the word Viagra
so that our filters won't catch them. So it's a bit of an arms
race. But something fundamentally is changing in the private
sector, and that fundamental change is the rise of companies
like Postini which are taking a service model to the anti-spam
problem. And by doing that we can aggregate so many customers
and so much traffic that we've turned the scale advantage on
its head and now we have more scale than the spammers. So,
another way to think about it is, if you're a big spammer and
you're sending hundreds of millions of messages a week, Postini
is seeing 1.5 billion messages a week so the chances of being
able to slip something by us is actually much more difficult
today than it was before companies of our scale came into
being.
So in the interest of time I'm going to wrap up here. But
essentially I'd like to just summarize by saying that we think
it was a very well written law. We think the value of it going
forward is going to be not to enhance enforcement but rather to
stay on top of new kinds of abusive behaviors and categorize
them and include them in the law so that they are legally
prohibited. Then, we think that the private sector, with
technologies like the ones I've described today that Postini is
providing, can essentially provide the locks to the doors of
the Internet.
[The prepared statement of Mr. Akamine follows:]
Prepared Statement of Shinya Akamine, President
and Chief Executive Officer, Postini Inc.
1. Effectiveness of the CAN-SPAM Act
To date, the CAN-SPAM act has had no beneficial impact on the flow
of spam. In fact, in the four months since CAN-SPAM went into effect,
spam has increased from 78 percent to 83 percent of messages processed
by Postini. Postini processes 1.3 billion messages per week, so the
numbers are statistically significant.
Suing John Doe
Although they have garnered headlines, ISPs' recent lawsuits
against alleged spammers are mostly ``John Doe'' lawsuits--215 out of
the 220--highlighting the root problem: proficient spammers know how to
hide their identities by using a variety of techniques including:
Spoofed, or forged, message headers.
Open relays to send messages.
Open proxies to send messages.
Viruses like Mydoom to infect people's PCs, turning them
into ``spam zombies,'' that send spam for the spammer.
Jurisdiction
In addition, many spammers are offshore, so they're beyond the
reach of U.S. law enforcement.
Arrests Catch Small Spammers
Recent arrests (Virginia and Detroit) are catching smalltime
operators who are sending an insignificant amount of spam compared to
the daily deluge clogging mailboxes. For example, the Virginia couple
were charged with sending 100,000 spams in one month. Even if all of
those messages were sent through Postini, it would represent just
0.0025 percent of all the spam we catch every day.
2. Suggestions to Improve CAN-SPAM
CAN-SPAM is a good law to have. The government should continue to
enforce it and punish those spammers that can be found. CAN-SPAM should
be left as is. Postini does not see any ways at this time to improve
it. But Americans should not rely solely on laws. Although it's
beneficial to have the laws on the books making spamming a crime, most
spammers are criminals who are unconcerned about breaking the law. To
use an analogy, even though burglary is illegal, private citizens still
buy locks and alarms for their homes. Similarly, e-mail users need to
take steps to protect themselves from spam and other e-mail threats.
The nature of Internet e-mail protocols make sit easy for committed
spammers to hide themselves from detection.
3. Recent Developments in E-mail Threats and Anti-Spam Technology
The problem with e-mail goes beyond just spam. Other malicious
threats hurt the utility of e-mail, which is the most important form of
communication in the world today.
Viruses are delivered primarily via e-mail, and they are
getting more frequent and
more destructive. Many new viruses turn people's PCs into ``spam
zombies'' that send out more spam.
Denial of Service (DoS) attacks, aka ``e-mail bombs,'' are
malicious attempts to crash e-mail servers and disrupt
communications.
Directory Harvest Attacks (DHA) are attempts to steal
corporate directory information. They lead and fuel spam
attacks.
Spammers Are Changing Their Tactics
Spammers are aggressively modifying their messages to defeat
traditional, or first-generation, anti-spam technologies that were
primarily based on content analysis. They use techniques like:
Hash Busting--making slight changes to spam messages to fool
signature, or hash, based spam filters.
Bayesian Poisoning--inserting innocuous words into spam to
fool Bayesian spam filters.
These techniques are relatively easy to spot and program around,
but spammers are becoming even more covert.
Spam is becoming more personalized and unique. The following
example has very few typical spam identifiers in it, making it
difficult for ordinary content-based spam filters to catch.
Spammers are putting less and less content in their messages. Less
content means less context for typical spam filters to assess, making
it harder for such filters to accurately assess whether a message is
spam or not.
Directory Harvest Attacks
Directory Harvest Attacks (DHAs) are designed to net spammers lists
of valid e-mail addresses to which they can send spam. They have a very
nasty side effect: consuming enormous amounts of e-mail server
resources while they deal with the DHA. Postini's average customer
receives 40,000 invalid address lookups every day from attempted DHAs.
(Postini blocks all of them.) In the last six months, Postini has
observed spammers attempting to ``fly under the radar'' by launching
more, but smaller, DHAs at their victims, in hopes of stealing data
before being caught.
These DHAs are often launched simultaneously, from many different
computers. The spike in traffic from the DHAs can knock a mail server
offline.
Second-Generation Solutions Are Here Today
Private sector companies like Postini have developed second-
generation E-mail Security & Management solutions that render the spam
problem, as well the other e-mail threats, moot for their customers.
Managed Services Are More Secure
Postini is a managed service provider (MSP). By sitting ``out in
the cloud'' of the Internet, Postini can protect its customers from
threats before they ever reach their firewall. This means reduced
traffic, reduced burden on mail servers, and better protection against
threats.
Three Layers of Protection
Postini has combined Connection Management, Content Filtering, and
Delivery Assurance to provide powerful, effective protection to its
customers.
Connection Management detects and blocks Directory Harvest Attacks
and Denial of Service Attacks, as well as some spam, all without ever
looking at the message contents. This is possible by looking at the
behavior of the sending computer. Certain SMTP connection patterns are
indicative of malicious behavior, enabling Postini to block connections
without seeing the actual message. Currently, Postini blocks 53 percent
of SMTP connections without examining the message itself. This is a
powerful way to deal with spam messages with little content in them.
Content Filtering looks at messages for viruses and spam, using
thousands of rules, or heuristics, constantly updated by Postini to
reflect new spam types. New rules are always immediately available to
customers without the need for them download or install any software.
Delivery Assurance ensures that when legitimate messages are
delivered by Postini to our customers, they are delivered in a way that
helps their mail servers perform at peak efficiency.
Sender Authentication Schemes Won't Actually Stop Anti-Spam
Much has been made lately of ``sender authentication'' by industry
giants like Microsoft, AOL and Yahoo. While all of them have proposed
different variations, they all have the same basic idea: if you can
confirm that the sender of a message is permitted to send messages from
the machine he's using, then you can eliminate a lot of spam. Bill
Gates is apparently so excited by the idea that he made a speech in
February, 2004 in which he said that spam would be eliminated in two
years. There are many faults with these proposals that make them, we
believe, unrealistic solutions to today's spam problem.
Each big company is pushing a different alternative that isn't
compatible with the others. This lack of a unified standard will hinder
widespread adoption. Microsoft is supporting ``Caller ID''; AOL is
putting its weight behind ``SPF''; Yahoo has announced ``Domain Keys''.
All of the proposals require changes to every mail relay and domain
name server on the Internet. A massive change like that takes a minimum
of 5-10 years to happen. Until such a protocol change is fully
deployed, it won't work--too many legitimate messages, sent from non-
Caller ID computers, will be rejected by receiving mail servers.
If and when Caller ID is adopted, it won't actually stop spam. It
is designed to authenticate that the sender of a message is allowed to
send the message through the mail relay he's using to send it. The idea
is to prevent the use of open relays by spammers. But spammers already
have techniques to get around this type of defense.
Spammers set up accounts with ISPs and use those to send
their spam. Eventually the ISP may shut down their account, but
they just move on to another ISP and another account. Just
because something comes from its proclaimed domain, that
doesn't mean its not spam. ``Just because you are who you say
you are, doesn't mean I want to listen to you.''
Spammers use viruses like Sobig and MyDoom to infect
peoples' PCs, turning them into ``spam zombies.'' The spam can
be created to be ``Sent From'' the PC's owner, so it will be
allowed to be sent, even under the sender authentication
schemes.
The sender authentication proposals also have flaws that will block
some legitimate e-mail. If you send e-mail from a Starbucks or an
Internet cafe, whose mail relays belong to an ISP other than your
normal one, your message will be rejected by the receiving mail relay.
In summary, it makes no sense for anyone to postpone the purchase
of an enterprise class spam filter. Spam will continue to get worse
during the next 5-10 years. Sender authentication is interesting, and
probably useful, but it can't do what some people claim it.
4. Summary
Spam is a problem today only for companies and organizations that
are unaware of--or unwilling to implement--one of today's second-
generation spam blocking solutions. Spam filters can cost just $1 per
user per month, and the payback period for companies installing such
filters is typically just 3 months.
Postini has more than 3,000 customers today, with more than 5
million users, who have no spam problem. The bad guys are still out
there, sending spam and other malicious forms of e-mail, but they can't
get past Postini's defenses to attack its customers.
Postini appreciates the Senate's recognition of the important role
that e-mail plays in our world today and the passage of CAN-SPAM. Free
enterprise will do the rest.
Postini, Inc.
http://www.postini.com
Overview: Postini, Inc. is the industry's leading provider of e-
mail security and management solutions that protect e-mail
communications infrastructure by preventing spam and other SMTP attacks
from reaching the enterprise gateway. Postini's patented managed
services model utilizes exclusive preEMPTTM technology to
eliminate spam and viruses, stop DoS and directory harvest attacks,
safeguard content, and improve e-mail performance. Founded in 1999,
Postini processes more than one billion e-mail messages per week for
more than 3,000 companies. By blocking spam, viruses and attacks before
they can reach the enterprise e-mail gateway, Postini Perimeter
ManagerTM assures complete e-mail security while saving
bandwidth, conserving server capacity and minimizing administrative
costs.
Services: Postini Perimeter Manager provides preemptive e-mail
management solutions that secure the productivity of your e-mail
communications by eliminating threats before they impact your network.
Unlike any other vendor, our patented managed service provides
connection management, content security, and delivery assurance--
offering the most comprehensive protection available.
Over the past four years, our customers, analysts, and the media
have recognized Postini for its innovative leadership in e-mail
security and management.
Recognized by Gartner as Leader: Postini has been designated
as a Leader in both vision and execution in Gartner Group's
Enterprise Spam Filtering 1Q 2004 Magic Quadrant.
Assured accuracy in blocking spam and viruses: Postini
Perimeter Manager customers typically see 98 percent or better
accuracy in blocking spam using our exclusive Preemptive E-mail
Protection Technology (preEMPT).
Rated #1 in reviews and tests: Several major industry
publications--including Network World, InfoWorld and PC
Magazine--have given Postini Perimeter Manager top ratings for
accuracy and effectiveness.
Superior administrative control and user flexibility: Postini's
spam and virus filtering engines apply e-mail security policy at highly
granular levels that can be configured to user groups or individual
users--all managed through a convenient web-based console. Users have
the flexibility to review quarantined e-mails and customize filter
settings as permitted by the administrator.
Rapid activation with no upfront capital expense or ongoing
maintenance: A simple MX redirect activates the Postini e-mail security
and management service. There is no hardware or software to buy, and no
ongoing maintenance.
No security or latency issues: Because Postini does not rely on a
store-and-forward process typical of other vendors, you avoid security
and privacy issues. Our exclusive ``zero-drag'' pass-through technology
eliminates any latency concerns.
Ideal for heterogeneous and complex e-mail environments: Larger
enterprises gain the simplicity of blocking spam and viruses at the
SMTP connection point before they can enter the network. For example, a
recent USA Today article featured Postini as the ideal anti-spam e-mail
security solution for Merrill Lynch.
Confirmed policy enforcement: Postini provides highly granular
enforcement of policies for both inbound and outbound e-mail traffic.
You can determine and enforce policy violations according to attachment
types, message content, size and count limits, as well as specific
recipient lists.
E-mail Processing Statistics: Postini processes more than 1 billion
e-mail messages every week, sent to over 5 million e-mail users. More
than 80 percent of these messages are classified as unsolicited e-mail
or ``spam.''
Customers: Over 3,000 companies, representing a wide range of
industries, and ISPs. Postini has developed a very satisfied customer
base, with nearly 100 percent of customers renewing their services each
year.
The Chairman. Thank you very much. Mr. Brondmo.
OPENING STATEMENT OF HANS PETER BRONDMO, SENIOR VICE PRESIDENT,
DIGITAL IMPACT, INC.
Mr. Brondmo. Mr. Chairman, Senator Burns, thank you for
inviting me to participate in the review of the CAN-SPAM Act
today. My name is Hans Peter Brondmo and I'm a Senior Vice
President with Digital Impact, the Nation's largest e-mail
service provider. Our company powers the customer
communications and marketing e-mail infrastructure for over 100
large organizations, ranging from The Gap, Hewlett Packard,
Yahoo, Marriott, Washington First Mutual Bank and many others.
I'm also the Co-Chair of the Technology Working Group for the
E-mail Service Provider Coalition, representing over 45 e-mail
service providers, in turn representing over 250,000 American
businesses.
Let me begin my remarks with a very simple observation;
we've heard some of this already this morning. Spam exists
because it is very, very easy to fake the origin of the e-mail,
making it impossible to determine whether an e-mail comes from
a good or a bad source. The consequence is that there is no way
for senders to establish a reliable history of behavior;
there's no trust and there's no accountability. It is not
possible to hold those sending e-mail accountable for their
actions because anyone who wants to avoid accountability can
simply morph and change their identity at will. In order to
stop spam, organizations sending legitimate e-mail must be able
to step into the light, be securely identified, earn
reputations and be held accountable for their actions. By
leveraging the openness of the Internet, we can ensure that
those abusing the e-mail medium for what amounts to e-mail
broadcasting can no longer do so while hiding in the dark
corners of cyberspace.
The CAN-SPAM Act is an important contribution to the war on
spam and I commend Senator Burns and Wyden for their leadership
in this effort. Still, while modifying the code of law to
impact behavior of spammers is necessary, it is not sufficient.
Regrettably, the CAN-SPAM Act is unlikely to eliminate the
hardcore spammers, especially those sending viruses and, as
we've heard about earlier, perpetrating the phishing attacks,
the most dangerous forms of spam, in my opinion.
I recently received a fraudulent e-mail pretending to be
from CitiBank. It was a cleverly designed attempt at identity
theft. I dug around the bid and discovered that the
perpetrators of the scheme were running their operations from
an ISP in Russia. I mention this example because it illustrates
the breadth and severity of the threats to e-mail and reminds
us that cyberspace knows no boundaries. E-mail is a very
simple, open and vulnerable system. If the chairman would give
me his e-mail address after this hearing, I could, from my
laptop computer, with no special software and minimal technical
expertise, send an e-mail that looks like you sent it yourself.
If we cannot trust the sender of a message that may contain
important, sensitive, personal or harmful information, that
that message is in fact from who they say they are, we cannot
trust the medium itself. The only way to solve spam is to
change the e-mail infrastructure to support authentication and
to facilitate accreditation and reputation services; credit
scores for e-mailers, if you like.
Consider the evolution of another important communications
infrastructure--air travel. Not long ago, I'm sure most of the
people in the room remember, all you needed to board an
airplane was a valid ticket. It didn't even have to have your
name on it. A ticket was simply a proof of purchase, there were
no security checkpoints and no I.D. checks. Then one day people
realized that they could board airplanes carrying guns and
explosives and hijack the planes. The response was to erect
security barriers, yet just scanning people and their bags was
not enough. Travelers are now asked to show government-issued
identification, travelers' identities are matched against
databases of known suspected people who could represent a
future threat. The Internet's evolution has striking parallels
to air transportation. Both the Internet and air travel
infrastructure started out insecure and unregulated; both grew
to become mission critical to the way we communicate and
conduct business; both were abused due to security
vulnerabilities. Yet we are still living in a world where no
I.D. check is required in order to board a computer with an e-
mail message. In the future, I posit it will be different. Just
like we must present a valid I.D. in order to board an
airplane, the e-mail infrastructure will require the equivalent
of an I.D. to be presented by the sending computer in order to
deliver its e-mail. If my computer tried to deliver the above
e-mail to the chairman, using his own e-mail address under the
scenario described earlier, it would fail because my computer
would not be able to present legitimate credentials.
Several solutions, as we've heard referenced earlier, are
in fact under development to support new authentication,
accreditation and reputation services for e-mail, spearheaded
by industry players such as Microsoft, with their Caller I.D.
proposal; Yahoo, with domain keys; SPF, as we heard referenced
to, adopted by AOL, an open source initiative; Verisign, Bright
Mail and Bond send it with accreditation and reputation
services; Good Mail, with e-mail stamps, and others. Pre-market
forces are alive and well and addressing the problem. The
United Engineering Task Force of the ITF is in fact meeting in
San Jose, California, as we speak to discuss, coordinate and
review existing initiatives. And I got an e-mail this morning
indicating that those conversations are going very well and
that there's some very good progress being made between SPF and
Microsoft's Caller I.D. proposal to create a single, unified
standard to address this problem.
In closing, making hijacking a crime does not make our air
transportation infrastructure safe. To make e-mail secure we
must upgrade the e-mail ecosystem to support authentication,
accreditation and reputation while also protecting the power of
open, anonymous access to the information and communication
services that makes the Internet what it is. Only then can we
give back control of the in-box to the individual user. The
emerging structural changes to e-mail will have wide-ranging
consequences. In fact, accreditation and reputation systems
have many similarities to credit ratings. There will be a need
for transparency, fair and equal access, and this is better
guaranteed through regulation and technology. While far to
early to act, I believe this is where lawmakers should be
focusing on e-mail as they set their sights to the future.
Thank you again for inviting my participation. I look
forward to your questions and comments.
[The prepared statement of Mr. Brondmo follows:]
Prepared Statement of Hans Peter Brondmo, Senior Vice President,
Digital Impact, Inc.
My name is Hans Peter Brondmo and I am a Senior Vice President with
Digital Impact the largest e-mail service provider in the country. Our
company powers the customer communications and marketing e-mail
infrastructure for over one hundred large organizations such as the
Gap, Hewlett Packard, Yahoo, Washington Mutual Bank and Verizon. In
other words, we send e-mails that notify you about sales at your local
Gap store, updates to your Hewlett Packard printer software and keeps
you in touch with your bank. I am also the co-chair of the technology
working group for the E-mail Service Provider Coalition, an industry
coalition representing over 45 e-mail services providers.
It goes without saying that the spam problem is of great
significance to Digital Impact, our customers and the ESPC. When we
began to understand the scope of this problem a few years ago we
decided that spam can be solved and that the solution can be summarized
in one word: accountability. In order to stop spam, organizations
sending legitimate e-mail must be able to step into the light to be
identified and held accountable for their behavior. Any organization
sending e-mail but not willing to be identified can then be treated
with suspicion or may simply be blocked altogether. By leveraging the
openness of the Internet we can ensure that those abusing the e-mail
medium can no longer do so while hiding in the dark corners of
cyberspace.
In order to hold senders accountable for the e-mail they send we
need to update the e-mail infrastructure to support a new set of
authentication, accreditation and reputation services. I will share
some of the most recent developments in this space and describe why I
agree with the claim made recently by Bill Gates that we will rid the
world of the spam plague within two to three years. My perspective on
how this is done differs slightly from Mr. Gates, but we agree on the
objective and timeframe.
E-mail is a powerful, timely, efficient, cost effective, convenient
and environmentally friendly way to communicate. Those abusing the e-
mail infrastructure to spew out unwanted, unsolicited commercial e-
mails by the billions and using e-mail to attack computer users with
viruses and identity theft schemes are abusing a public commons for
personal gain. I have been an e-mail user since 1982 and have come to
rely on it more than any other tool of communication. E-mail has in
fact become the number one preferred medium for business communications
and one of the top three for personal communication. The abuse by those
using e-mail to broadcast nefarious payloads is threatening the medium.
We all agree it must be stopped. Yet the question still remains: how?
The CAN-SPAM Act is an important contribution to the war on spam
and I commend Senators Burns and Wyden for their leadership in this
effort. While modifying the code of law to impact the behavior of
spammers is necessary, it is not sufficient. It is probably too early
to determine the effectiveness of the CAN Spam Act, but there does seem
to be evidence that the new law has turned up the heat on spammers who
prior to January 1st 2004 were able to operate with impunity. Recently
there have been media reports of spammers who have taken down their
``shingles'' because they do not want to risk jail time. Yet according
to anti-spam firm Brightmail 64 percent of all e-mail in April was
spam, a record high number. Regrettably the CAN Spam Act is unlikely to
eliminate the hard core spammers, especially those sending viruses and
perpetrating ``phishing'' attacks--the most dangerous form of spam.
I received an e-mail recently regarding my Citibank credit card. It
claimed that there was a problem with my account and requested that I
click on a link verifying my username and password. This cleverly
designed message--a phishing e-mail--was designed to capture my
username and password to steal personal account information. It was an
attempt at identity theft. As I clicked on the link in the e-mail it
took me to a fake web page that looked identical to the Citibank web-
site. I dug around a bit and discovered that the page was hosted by an
ISP in Russia. I have received similar e-mails over the past year
purportedly from eBay, Visa, Earthlink and several other companies with
whom I have business relationships. As you may be aware the IRS was
recently attacked in similar fashion. Unsolicited and deceptive spam,
while annoying and offensive, is no longer my biggest concern. My
greatest worry is spam's evil cousins, phishing and computer viruses.
E-mail is a carrier of payloads. These payloads take many different
forms. They may take the form of a written message from a colleague or
a long lost friend, a digital photo from a family member, or a web page
with clickable links and images from a company we do business with. As
we all know, e-mails can also contain payloads that we don't expect,
welcome or desire including offers for body altering herbs or undesired
lewd images. The worst payloads contain computer worms and viruses that
rapidly infect millions of computers and cause enormous economic harm
and they contain schemes designed to play on our fears or abuse our
trust while attempting to steal our identity in order to defraud us.
I mention these examples because they illustrate the breadth and
severity of the threats to the e-mail infrastructure and to remind us
that cyberspace knows no boundaries. A recent study conducted by the
Anti-Phishing Working Group described 282 unique e-mail phishing
attacks in the month of February 2004 alone. Brightmail reports a ten-
fold increase in the volume of fraudulent e-mails from August 2003 to
April 2004. Even if the law were to be effective in reducing
unsolicited, deceptive commercial e-mail solicitations, the really bad
guys will continue to operate without regard for U.S. law. Laws alone
will not enable us to solve the core problems we are facing--we must
look to changes to the technology infrastructure to address the
structural vulnerabilities of e-mail.
E-mail is currently a very simple and open system. The simplicity
of the e-mail protocols is probably responsible for its explosive
growth and broad adoption. Yet with the simplicity of e-mail come
vulnerabilities. The engineers that designed the protocols used by
every e-mail system could not have foreseen the types of uses and the
scale of deployment we have today. The vulnerabilities of e-mail are
being exploited by spammers and only a change to the e-mail
infrastructure can solve this problem and ultimately rid the world of
spam, making it safe from identity thieves and making it much more
difficult to distribute computer viruses. Such structural changes to e-
mail will have wide ranging consequences. I believe that the current
discussion needs to shift, and that the legal debate should now be
focused on the new changes happening to the way e-mail will work in the
future.
Consider the Nation's air transportation infrastructure. It was not
very long ago when getting on an airplane was as simple as having a
valid ticket and showing up at the airport on time. The ticket did not
even have to have your name on it. It was simply required as a proof of
purchase. No ID was necessary to fly, nor were there security checks
and luggage scans. Today things are very different. Why? Because the
security of the infrastructure was compromised by passengers with anti-
social motives. They carried dangerous payloads, hijacking planes for
financial and political gain. A few bad passengers and their payloads
threatened our safety by compromising air transportation. Airplanes
were eventually even used as weapons threatening our very national
security.
Making hijacking a crime does not make our air transportation
infrastructure safer. While it is illegal to carry a weapon onboard a
commercial airplane, it does not protect us from true harm. A multitude
of security measures have been put in place to ensure that it is
difficult to compromise the safety of the air transportation
infrastructure. In order to board an airplane today we must present a
valid government issued ID and we may be subject to screening to ensure
that we don't have a history of anti-social or threatening behavior.
Returning to e-mail, we are still living in a world where no ID
check is required in order to ``board'' a computer with an e-mail
message. We do have the equivalent of airport screeners for e-mail in
the form of computer programs, typically called filters, that scan the
content of our e-mails attempting to determine whether the mail is spam
or not. In essence, a computer is ``guessing'' whether e-mails are spam
based on statistical analysis and rules applied to the contents of the
message. Unfortunately, screening is far less effective for e-mails
than for passengers boarding an airplane. Even if a great filter
catches 99 percent of all spam, hundreds of millions of junk e-mails
will still get through. Unlike a scanner at the airport, it is not
economically feasible for a filter scanning electronic mail to request
that a person look at every suspicious e-mail. When a computer is left
to guess whether a message is spam based on scanning the content of an
e-mail message it will not only miss unwanted messages, but also
misclassify wanted mail as spam resulting in a false positives problem.
Like spam itself, false positives reduce the value of e-mail and make
the medium less reliable. According to research recently commissioned
by Goodmail, sixty eight percent of e-mail users reported not having
received important e-mails due to spam filters. A staggering forty
eight percent reported not having received personal e-mails, twenty
five percent said they had lost order and shipment confirmations and
seventeen percent missed important work e-mail.
Spam continues to persist because it is impossible to trust the
origin of e-mail and therefore impossible to determine with certainty
whether an e-mail is from a good or bad source. The computer protocols
that power our the foundation of our e-mail infrastructure are flawed
because they make it very easy for any sender of e-mail to pretend to
be whomever they want to be and to continuously change their identity.
I can from my laptop computer, with no special software and minimal
technical expertise send an e-mail that looks like it comes from any e-
mail address of my choosing. In other words, it is trivial to spoof, or
fake, the identity of the sender of an e-mail message. If we cannot
trust that the sender of a message that may contain important,
sensitive, personal or harmful information is in fact who they say they
are, we cannot trust the medium. This is the essence of the problem we
are faced with, a problem that legislation cannot address. Until we can
trust and rely on a message in our inbox to be from the sender that
shows up on our computer screen, we will not solve the spam problem.
Worse we will continue to be vulnerable to the really bad stuff:
phishing and virus attacks.
As mentioned above we can solve the e-mail security and spam
problem by making a few changes to the Internet, upgrades that in fact
are under way. Here is how it will work: Just like we must present a
valid ID in order to board an airplane, the e-mail infrastructure will
require the equivalent of an ID be presented by the sending computer in
order to deliver mail. If I try to send e-mail using an e-mail from-
address that I do not have control of under this scenario it will no
longer work because my computer has to present its secure credentials
and those credentials will not match the sending address. When I am
sending from my own e-mail address, my secure credentials would
validate that I am indeed who I claim to be. This is a good first step
but the recipient may still not know who I am and therefore not know
whether to trust me not to be a spammer or virus hacker. It is
therefore also necessary to keep track of the history and reputation of
senders, so all recipients can look up the past behavior of unknown
senders once they've been authenticated. By checking the reputation of
a sender, his e-mail credit score if you like, a determination would be
made as to whether to let messages from that sender through, quarantine
them for further investigation or simply reject them outright. Over
time good senders would earn a good score (a good reputation) and
spammers with their bad scores would fail to get their mail delivered.
We would have accountability because we would have an accessible
history of behavior.
Let me emphasize that this is not some academic pipe dream. A
number of solutions are already under development by large and small
industry players such as Microsoft with its Caller-ID proposal, Yahoo!
with Domain Keys, Verisign, Brightmail and Bonded Sender with
accreditation and reputation services, Goodmail with e-mail stamps and
others such as Sender Policy Framework (SPF) being spearheaded through
an open source initiative. The Internet Engineering Task Force (IETF)
is playing an active role to standardize the various authentication
proposals currently being discussed. As a matter of fact, the IETF is
meeting in San Jose, California as we speak to discuss these very
issues and coordinate and review existing initiatives.
Let me in closing point out that the authentication proposals
outlined above are not intended to track the behavior of individuals.
They are intended to authenticate computers and domains, not individual
e-mail users and addresses.
The real challenge we face is to facilitate the continued evolution
of an e-mail eco-system that supports authentication, accreditation and
reputation services, while also protecting the power of open access to
information that makes the Internet what it is. Technology and market
forces will solve, in fact are now solving, the authentication and
reputation problem. Authentication will enable law enforcement to do a
better job and in combination with emerging accreditation and
reputation services it will also allow the Internet to be more informed
and individuals or organizations to make decisions about what sources
of e-mail they should trust. The emerging accreditation and reputation
systems have many similarities to credit ratings, and there will be a
need for transparency, fairness, and equal access that is better
guaranteed through regulation than technology. While too early to act,
I believe this is where regulatory action and oversight in the e-mail
space should be setting its sights.
Updating the Internet as I have described in my comments means that
we must create an infrastructure that supports accreditation of
senders, implements authentication of the computers sending e-mail and
provides generally accessible reputation services. This is no small
task, but it can and will be done. And once computers have identities
and reputations, we will be able determine whether to trust the source
of incoming e-mail allowing desired messages into our inbox or throwing
junk it the proverbial bit-bucket based on the recipients' personal
preferences and taste, not laws and regulation.
The Chairman. Thank you very much. Mr. Guest, welcome back.
OPENING STATEMENT OF JAMES GUEST, PRESIDENT, CONSUMERS UNION
Mr. Guest. Thank you, Mr. Chairman, for the chance to
appear here again, and members of the Committee. I'm Jim Guest,
President and CEO of Consumers Union, Publisher of Consumer
Reports and ConsumerReports.org. And this is an issue of great
interest and importance to consumers, obviously, around the
country.
We start with the key question, are consumers today getting
less unsolicited commercial e-mail since the anti-spam law went
into effect in January? And it's--as you point out, Senator
Burns--it's too early to have definitive results on something
like this but at least the early returns are that there
certainly has not been a substantial reduction in e-mail and in
fact, there is indication that consumers are receiving even
more spam than ever, as your earlier witnesses alluded. This
past March Consumer Reports did a survey, commissioned a survey
on spam drawn from a nationally represented panel of more than
2,000 on-line users and here's what we found, kind of
supplementing and confirming the Pew study that you referred to
earlier, Mr. Chairman. In our study, four out of five
respondents, 80 percent, reported that they had not seen any
reduction of spam compared to 3 months earlier, before the CAN-
SPAM Act went into effect. More than two out of three of the
respondents, 69 percent, noted that spam comprised at least
half of their e-mails, and a majority of respondents found that
the unsubscribe, or opt-out links, were not very effective in
stopping spam from reaching their mail boxes.
When we did the article last August in Consumer Reports on
spam, this issue here, which I think we provided to members of
the Committee, our recommendation to policymakers for
legislation attempting to reduce spam, was to create two
things--an opt-in system coupled with a private right of action
to allow individuals to bring suits. Obviously, the law that
passed Congress went a different direction with a mechanism for
opt-out rather than opt-in. In that same article, and today as
well, our recommendation to consumers is that they not click on
unsubscribe or opt-out links because this may well signal to
the spammer hey, I've found a live e-mail address, and that can
lead to more spam rather than less spam. There's simply no way
for consumers, as you've heard from all of us here, to
distinguish from legitimate marketers and rogue spammers who
will misuse that unsubscribe link. And so there is a catch-22
really, for consumers, where the main remedy that the law
provides, which is an opportunity to opt out, is a remedy that
we advise against and caution against because it can invite
more spam, not less.
So imagine, for example, that you put a sign out on the
front door of your house, ``Do not solicit.'' But still, every
company in the world was allowed, nevertheless, to knock on
your door once, but to knock on your door despite the sign and
then, at that point, you can tell the salesperson, ``Please
don't knock again.'' And then you wait for the next salesperson
to knock on the door. Obviously this is an absurd burden to
place on people; we all know that ``do not solicit'' means
exactly that--you do not want to be solicited--and you ought to
be able to say that once and clearly and have that block
unwanted solicitations. Consumers can say ``no'' to advertising
at their front door, period, but not so in the case of spam.
And I'll take another example, which we have talked about
earlier, the ``Do Not Call'' list and the enactment of the
FTC's implementation of that, where consumers now have a real,
effective tool to say, ``No advertising at the dinner table.''
Congress should provide consumers with the same ability to say
``No advertising on our computers.'' If we can stop people from
ringing our doorbell, if we can stop people from ringing our
phone at dinner, if we can stop people from sending unwanted
faxes, all by an opt-in or just a one-step-blocks-all, there
ought to be the same protections, in our view, with regard to
spam. So the Congress should put the burden on spammers to get
permission to intrude, not on consumers to fend off the
intrusions and the filter of junk mail.
Now, the ingenuity of spammers appears to be bottomless and
it will be an enormous challenge for Congress to keep pace, as
you've heard from all of us here. They're finding novel ways to
spam us; they've figured out myriad methods to avoid being
filtered by the ISPs and consumers; they've discovered how to
commandeer our computers to send spam for them, and they're
even now finding new ways to use devices besides computers
where they can send spam. We're looking, for example--a hard
look--now at wireless spam, the act of spamming cell phones and
pagers. Congress, with the leadership of this committee, was
wise to attempt to ban wireless spam completely in the CAN-SPAM
Act; we've actually submitted comments early this week to the
FCC about the problem, where we urge the Commission to insure
that certain kinds of wireless spam don't fall through the
cracks, and it's a danger that they will.
So we would suggest, Mr. Chairman and members of the
Committee, and we're pleased to see that you are monitoring the
progress here and we think you're going to need to monitor
during the rest of the year, because there's not a lot of time.
The studies are all showing spam is still going up and the
early returns, I think, may well turn into a lasting trend. So
Congress needs to take fine-tuning this law seriously, as I
know you are, because spam may not only make wireless devices
less useful but e-mail in general. And that gets into the
situation where--you gave the numbers earlier--52 percent of
users a year ago said they are less trusting of e-mail because
of spam; today 63 percent, up from 52 to 63 percent, are less--
well, 63 percent are less trusting of e-mail due to the in-box
that's crammed with spam. And that has all kinds of potential
implications about trust in the Internet, trust in doing
business over the Internet, e-commerce, all kinds of
implications farther on.
So our bottom line, speaking for consumers, Consumers
Union, is that Congress should not place the burden on
consumers to fight the flood or spam. No matter how skillfully
you try to provide more and more tools to the consumers, it
should place the burden on the marketers. And again, if you can
stop faxes and phone calls and visits, knocks on the front
door, by one step to block all those unwanted intruders, there
ought to be a similar response on spam. You talked about
keeping hope alive. Well, our hope is that you will, in fact,
and I'm confident that you will, continue to monitor this, make
the further adjustments that are needed so consumers finally
can say no to spam, generally, and it means no.
Thank you.
[The prepared statement of Mr. Guest follows:]
Prepared Statement of James Guest, President, Consumers Union
Chairman McCain, Ranking Member Hollings, and other distinguished
members of this committee, I would like to thank you for inviting me to
address you again today on behalf of Consumers Union,\1\ the non-profit
publisher of Consumer Reports magazine.
---------------------------------------------------------------------------
\1\ Consumers Union is a nonprofit membership organization
chartered in 1936 under the laws of the State of New York to provide
consumers with information, education and counsel about goods,
services, health, and personal finance; and to initiate and cooperate
with individual and group efforts to maintain and enhance the quality
of life for consumers. Consumers Union's income is solely derived from
the sale of Consumer Reports, its other publications and from
noncommercial contributions, grants and fees. In addition to reports on
Consumers Union's own product testing, Consumer Reports and Consumer
Reports Online (with approximately 5 million paid circulation)
regularly carry articles on health, product safety, marketplace
economics and legislative, judicial and regulatory actions which affect
consumer welfare. Consumers Union's publications carry no advertising
and receive no commercial support.
---------------------------------------------------------------------------
Are consumers getting less unsolicited commercial e-mail since the
new anti-spam law went into effect in January? While it is still early
to have definitive results, the answer unfortunately seems to be no--in
fact, consumers appear to be receiving even more spam than ever. And
just to provide some perspective on the volume of spam consumers are
barraged with on a daily basis, Brightmail, a producer of anti-spam
software, recently measured 63 percent of all Internet e-mail as spam,
compared to just seven percent in March of 2001.
The CAN-SPAM law has not yet achieved its intended aim, but we
should all acknowledge that this is a dynamic process. Much as it took
a decade to enact a meaningful Federal ``do not call'' list, in passing
the spam law, this Committee needs to monitor developments with spam
carefully and continually look for ways to fine-tune the ``CAN-SPAM''
Act. In order to truly ``CAN-SPAM,'' Congress will need to update the
law to keep abreast of new developments in technology, such as wireless
spam, and keep on the trail of elusive spammers who are every day
finding new ways to beat spam filters and evade anti-spam technologies.
But first, let's look at what's happened since the law went into
effect in January.
This March, Consumer Reports commissioned a survey on spam drawn
from a nationally representative panel of more than 2,000 online users.
Our September 2004 issue of the magazine will include more in-depth
reporting and spell out more details from the survey, but I wanted to
provide a snapshot of what we found to help inform the discussion
today:
Most (80 percent) respondents reported that they had not
seen any reduction of spam compared to three months ago--before
the CAN-SPAM law went into effect.
About two thirds (69 percent) of all respondents noted that
spam comprised at least half of their e-mails.
A majority of respondents found that the ``unsubscribe'' or
``opt-out'' links were not very effective in stopping spam from
reaching their mailboxes.
Another survey conducted in March by the Pew Internet & American
Life Project also shows that spam does not appear to be on the decline.
They found that:
24 percent of respondents are receiving more spam than
before January 1
53 percent have not noticed any change
3 percent do not know
Only 20 percent report that they are receiving less spam.
When our magazine reported on spam last August, our recommendation
to policymakers for any legislation attempting to reduce spam was to
create an opt-in system coupled with a private right of action to allow
individuals to bring suit. We were pushing this solution rather than
legislation relying on Internet service providers (ISPs), the Federal
Trade Commission (FTC), and state attorneys general for enforcement.
The law that this Congress passed went a different direction, with a
mechanism for consumers to ``opt-out'' of unsolicited commercial e-
mail.
Our recommendation to consumers at the time was that they not click
on unsubscribe or ``opt-out'' links, as this may signal a spammer that
the user's e-mail address works and cause them to get more spam. And
our recommendation has not changed--leaving users in a difficult
position with perhaps no real remedy against spam for the time being.
We still believe that ``opt-out'' creates a tremendous burden on
consumers, because they have to say no to each and every piece of
unwanted e-mail--which results in a big loss in time and a big increase
in frustration. And as I indicated earlier, our survey results show
that ``opting out'' has not even been effective in stopping the flow of
spam.
But even worse, there's simply no way for consumers to distinguish
between legitimate marketers and rogue spammers who will misuse an
unsubscribe link. The result is a consumer catch-22, where the main
remedy the law provides--an opportunity to opt-out--is one consumers
shouldn't use.
We believe the core improvement necessary in the spam law is to
change the model from ``opt-out'' to ``opt-in.'' The law as it stands
puts too much burden on consumers to block spam and makes it too
difficult to hold spammers legally accountable for their inappropriate
interference with consumers' e-mail.
Imagine that you put a ``do not solicit'' sign at the front door of
your home, and every company in the world could only ring your doorbell
once, at which point you could tell that salesperson not to bother you
anymore. You would need to keep track of each company you told not to
solicit you, and if a company violated your request, you could petition
the Federal Trade Commission to take up your case. Of course, this is
an absurd burden to place on people. We all know that ``do not
solicit'' means exactly that. Consumers can say no to advertising at
their front door, period. The Federal Trade Commission's enactment of a
robust ``do not call'' list means that now consumers have a real tool
to say no advertising at the dinner table. Congress should provide
consumers with a similar tool to say no to advertising on our
computers.
To be clear, the law as passed had several excellent achievements:
it prohibited senders from falsifying their identities, using
misleading subject lines, and from harvesting e-mail addresses in
certain ways. By requiring that spam is clearly labeled and that
pornographic e-mail is effectively in an ``e-mail envelope,'' over time
this law may reduce the amount of obscene and objectionable content
that parents and children have to see.
However, the ingenuity of spammers appears to be bottomless and it
will be an enormous challenge for Congress to keep pace with them. They
find our addresses in novel ways. They have figured out myriad methods
to avoid being filtered by ISPs and consumers. They have discovered how
to commandeer our computers to send spam for them, and they are even
finding new devices, besides our computers, where they can send us
spam.
For example, Consumers Union is also taking a hard look at wireless
spam--the act of spamming cell phones and pagers. It's a practice
that's more distracting and invasive than computer spam, since phones
receiving messages beep or vibrate with each message. And the economics
of wireless spam are different, since the costs of these messages are
often borne solely by the consumer--at the rate of up to 15 cents per
message.
Congress was wise to attempt to ban wireless spam completely in the
CAN-SPAM Act. Consumers Union submitted comments in the Federal
Communications Commission's wireless spam proceeding this week, where
we urged the Commission to ensure that certain kinds of wireless spam
don't fall through the cracks. While wireless spam sent to an e-mail
address is prohibited under the CAN-SPAM Act, and wireless spam sent to
a telephone number is under the purview of the National Do Not Call
Registry (under the Telephone Consumer Protection Act), wireless spam
sent to a 5-digit ``short code'' that some wireless carriers now use
may fall into a regulatory no-man's land. Wireless carriers are now
pushing to explicitly exempt these 5 digit ``short codes,'' though our
position is that they should be covered either by the Do Not Call
Registry or covered by the CAN-SPAM Act.
However, cell phone carriers may have a way around even these
protections. Wireless companies are aggressively trying to get
consumers to ``opt-in'' to business relationships with marketers, for
example by getting them to vote on the TV program American Idol using 5
digit ``short codes.'' Consumers should beware that simply by playing
along with a TV show, they may unwittingly be signing up for loads of
wireless spam.
Congress needs to take fine-tuning this law seriously because spam
may not only make wireless devices less useful, but e-mail in general
as people are trusting it less--spam may ``kill the killer
application,'' as FTC Commissioner Swindle put it. The Pew survey shows
a jump in e-mail users who have reduced their use of e-mail because of
spam--from 25 percent last June to 29 percent at present. A year ago,
52 percent of users said that they are less trusting of e-mail because
of spam; today, 63 percent of users report they are less trusting of e-
mail due to inboxes crammed with spam.
As our Consumer Reports investigation last August confirmed,
spammers are difficult to prosecute because they are often impossible
to find. They hide behind an untraceable tangled web transcending
national borders, leaving few--if any--virtual footprints. Right now,
national opt-out legislation is trying to curb an international problem
perhaps without the full resources necessary to track violators of the
law. An opt-in system would mean spammers would be forced out of hiding
and forced into accountability.
Our bottom line is that Congress should not place the burden on
consumers to fight the flood of spam, it should place the burden on
marketers to woo consumers in a permission-based marketing model,
enticing them with attractive, selective offers, not bludgeoning them
with an enormous volume of junk. We look forward to continuing to work
with this Committee to keep pace with technology and to help this law
achieve its full potential. Thank you.
The Chairman. Thank you very much, Mr. Guest. Mr. Scelson.
Welcome back.
OPENING STATEMENT OF RONALD SCELSON, PRESIDENT,
MICROEVOLUTIONS.COM
Mr. Scelson. Hello, Senator McCain, Chairman. This is going
to be long.
The FBI, as far as enforcing and trying to catch people
sending pornographic spam, etcetera, AOL, Hot Mail, MSN, all
these people pay top dollar to some of the top people in the
world to stop them. They don't do really good. The FBI pays
minimum wage to people that, for the most part, that really
aren't that computer savvy. We had our systems hacked in
heavily about 3 years ago. I went to the FBI with logs and
everything to prosecute this. I've seen the best people the FBI
has for computers. You're going to get the little mailers but
the people that really know what they're doing--the FBI--needs
a lot of training. And they need to employ people that know
what they're doing to catch these type of people.
Last year when I was here, I was sending 100 percent spam
because I was forced into it. Since December 15 until now, I am
now sending within canned spam 100 percent legal mail. Now,
just working my way down the line, from the order the people
came in, AOL gives a nice representation of such a perfect,
innocent company doing everything it can to help stop spam.
Just last year, Mr. Leonsis stood up in front of everybody and
admitted they do send bulk e-mail like us but they provide,
quote, ``opt-out.'' Those were his own words. Well, my company
went to AOL for a white list, not letting them know it was me,
of course. And they put us on their white list. Now, the white
list says you have to be opt-in, which is not what the law says
and not what Mr. Leonsis admits they do. Once again, the big
companies are taking added power to this than what they should
be doing. When we sent mail into AOL we only sent mail for 4
days. We had a 98 million database that had been gathered and
built since I started mailing. Part of this was sold, as
everyone knows, from AOL years ago when they did this. And
those mailings, it was reduced down to 27 million, with less
than 1,000 complaints per million. That is a significant
increase of how much the lists were cleaned and how much the
law did help. When AOL found out it was me--and I have the
gentleman's name that's their head postmaster--basically I was
told that either I have to prove 100 percent opt-in, they don't
care who we are or how light we mail, and they're going to send
it over to their legal department. Now, when I was contacted
about coming here I started researching all this stuff. And I
found out that AOL has seven injunctions against them since
this new law. Mandatory court orders to accept mail. And they
have totally ignored every one of these court orders. And I've
passed some evidence files to you of this today from these
court orders. So the company that wants to look the best and
try to act like they're the best and so innocent, when the law
works against them, they don't want to hear that because
they're so big. And this is not fair to bulk companies.
As far as the new spam filters. You know, it was really
getting annoying every 2 or 3 weeks to have to update our
mailers and figure out a new way to get in. This was really
getting old quick; it was a pain in the butt for a while there.
So we sat down and looked at Bayesian and how the system works;
we actually dissected a bunch of games like Dune because the IA
system that it all works on is all the same thing. Well, we
know have a new mailer, it's 98 percent complete--we're still
debugging parts of the code in it--but this new mailer
basically generates anywhere to one sentence to 30 sentences,
perfect punctuation, perfect words, all of which are not in the
blacklisting or key spam words, and adapts to compensate for
any filter they put against it. We also found out a new system
that we work with that gives us IP addresses, legally, of
voice-over IP telephone systems, which are worldwide. We have
roughly five e-mails per IP address goes out before we hit that
IP again in a month; there are that many IPs available to us.
So based on this, no e-mail we send will ever be identical. But
we still stay 100 percent in compliance with the law. The IPs
are ours to use, we are paying for the right to use them.
Headers being forged. There are 5 true standards of ways to
send mail. Our system changes our headers constantly but like
the ``received from'' line of the header, we'll have our own IP
addresses in there. So even though we're changing the headers
to get through the filters, all the information that's being
used is 100 percent ours, we own and paid for.
I'm so tired of hearing so many people stand up and say,
``No matter how much mail you send it doesn't cost anymore.''
Gentlemen, you all have made it very far in life and are very
intelligent. Simple math will tell you, if it takes a T-1 to
send a million e-mails a day, if I pump out 50 million, I need
a lot more T-1s. T-1s can cost anywhere from $350 to $3,000,
$4,000, depending on loop charges, etcetera. So obviously, the
cost for me to send e-mail does not stay the same; the more I
send, the more it costs. From the smaller mailers in the
industry that don't develop own software and all and they buy
the stuff that's available, spam for them has gone up 200 to
300 times more than what they used to send. Because these
people do not know how to penetrate most of the filters, their
logic is, OK, if I sent one million e-mails last time to make X
amount of dollars, well because the filters, even when they
sent legal were tearing them up so bad, they decided, OK, we'll
send three to four times as much e-mail to still make the same
amount of money. So spam in that sense is on a major increase.
A lot of the carriers, like WorldCom, there has been a
debate back and forth whether or not they're a common carrier,
if they are or are not, AOL got the standard that they're not a
common carrier. In 1997, there was a little girl in a sexual
incident that occurred and a lawsuit placed against AOL. And I
think this was before Mr. Leonsis was at his position over
there. And AOL stood up and said, ``We're a common carrier, we
can't do anything about it.'' And they won the lawsuit. In
2000, FCC stood up on behalf of AOL and testified that they are
not a common carrier. Well, at that time they didn't own an
Internet company like Charter, so technically no, I guess they
wouldn't be a common carrier. Now they have their own dial-up
in Internet service and cable lines. The carrier I was on,
WorldCom, when I was mailing to AOL and under their white list,
AOL was nice enough to send me a letter saying that we are on
their white list, we are not spamming, this is not unsolicited
and I have full permission to mail there, which a copy of this
was also given to you. WorldCom's reply was, they don't care
what your law is, they don't care what they do or how they do
it--meaning AOL--we cannot send bulk mail. Period. And if we
send another piece of it they're going to pull the plug on us.
Well, WorldCom is definitely, without a doubt, a phone carrier.
They provide me not Internet service but they provide me
bandwidth, loop charge basically, as far as the pipe to me,
which under the FCC regulations is a common carrier. Another
thing in the research I found out on common carriers is, FCC
does not have the right to decide if AOL is a common carrier or
not, or any Internet company; only an act from Congress can
make this difference. And to my knowledge and in all the
research I've found, Congress has made no acts to this. So if
this is the case then the filtering, reading and destroying the
people private e-mail is wrong.
As far as the forging headers and forging subjects. One of
my other IP ranges that I mail to AOL is not blacklisted--or
Hot Mail or any of these--which is MicroEvolutions. If I use my
valid from address of MicroEvolutions.com, AOL is blocking
this, which by law I'm supposed to do. If I use my company
signature and a disclaimer at the bottom with a remove link, I
cannot deliver into AOL without taking that out of there. Once
again, they're interfering with the new law. But they turn
around and say spam's on an increase. Well, does the government
want us to mail legal or not? And if they do want us to mail
legal, the laws don't necessarily need to be increased toward
us as they do toward the ISPs that are interfering with us to
do legal business.
As far as a way to solve the problem. The new ways are
definitely a good way to go. Personally, the reason that most
of the ISPs and spam groups and anti-spam groups don't want a
global remove is because, as these gentlemen said, if some
stupid mailers--and that's the only way I can word it--in the
world will take these addresses and mail to it. Now personally,
when I mail to carriers like AOL, I get as undeliverables. I
know who's a good user and who's not a good user. If I mail to
Hot Mail, their server tells me whether this user's good or
not. So I know without a doubt if your address is good or not;
I don't need a remove to tell me that's a good address. I need
a remove to take people off my list. Well, the anti-spammers
don't want mailers to use this. The mailing association don't
want us to upload our list to you because now you have all of
our data bases and you can make money with this. The solution I
found is a system that we can put together very shortly, that
the minute a person submits a remove address to a government
server--government site--it encrypts this data, 128 bits, same
stuff your military works on right now. A program is given to
the bulk mailers, which is what they use to do their removes.
When the addresses are sent to this remove program, they're all
encrypted, the mailers themselves never get to see the
addresses; all it does is remove those users out of their list.
This protects the identity of the person being removed and
gives the mailers a way to be removed. With the current law,
AOL has a nice little system they're working on in place they
call their SCOMP system, or report spam button. Now, to stay in
compliance with the law, if I send e-mail to them, they send me
a message back, telling me this person reported spam. Not
staying in compliance with the law, AOL does not tell me who
this user is that complained, thus I cannot remove this user.
If you can't remove the people then I'm violating the law but
AOL's not telling me who it is that wants this. So it makes it
really hard to pull these people out of the list.
On the remove side of things the--I'm sorry, I lost track
for a second--the government basically needs a way to make
things look good to the people. Right now you passed a law that
looked good but it hasn't done a whole lot and this isn't what
you're looking for. You're looking for the people to praise
you. That's what it all boils down to. If I send--3,000 bulk
mail companies send you e-mail, you don't want to go to each of
these people and be removed. That's a real time consuming pain
in the butt. So by having the global remove, you remove
yourself once, problem solved. People sending mail not using
that system would be in violation. Another thing that would be
really nice to add to this is--Hot Mail and MSN and a few other
companies like Yahoo--they're using third party companies, like
Bonded Sender, that white list your IPs. The problem with these
companies are--I'm sure you remember back in the days of the
mafia. I have a legitimate business, sending e-mail 100 percent
legal. But I've got to pay this third party company--the
mafia--to give me protection in order to mail into their
network. The problem is, for $25,000 a year, there's no
guarantee they're even going to let you send mail there. They
can shut you down at any time so you have no guarantee. And
they talk about us scamming people?
The Chairman. Are you paying that now?
Mr. Scelson. No sir, I will be at the end of this week,
though. I was actually just working with them so--I'm trying
every way I can to stay white listed. I'm still working with
AOL's department on getting re-white listed. The last
conversation I had was either back off or we're going to sue
you. I'm not afraid of people. The worst they can do is take
everything I have and auction it away and what's this do? It
puts me back on food stamps. I've lived that life already so
this is no big fear to me. If I go to jail over this, to me
it's the stupidest thing you can go to jail on but because I am
staying in compliance with the law I don't see any, at this
point, criminal actions that I'm doing wrong to be put in jail
for. Now, they on the other hand, are ignoring court orders. To
me, this is wrong.
Bonded Sender has one feature that is nice about them. If
the government was to do this type of global remove, the
company that's using the remove would have to post all their
information to the government, provided they get their updates
daily to do the removes for the people, and the government
white lists their IPs so that carriers like AOL and stuff know
these people are working with the government, they're getting
the government's removes and these people are mailing legally,
to let the mail in. Everyone else out in the world is spamming,
and it's a lot easier to track down people that are spamming
than ones that are not spamming. But as long as we're doing it
the right way we're going to be blocked, interfered and shut
down, people are going to go around it. Right now there's a
major security leak we recently came across. In Windows XP 2003
and Linux, we are now 100 percent of not only forging the
person's from e-mail address, whatever IP your computer is on
in your office, I can make the originating IP that IP. Now, if
I can become any IP in the world, how do you block or stop
that? Now, luckily we don't do this as of yet; we stumbled on
this by accident. But it's a matter of time before some other
company realizes this as well. And not only can this technology
be used for mail, credit cards, hacking, anything, if you can
forge your originating IP you can't find that person.
Thank you, gentlemen, for your time.
[The prepared statement of Mr. Scelson follows:]
Prepared Statement of Ronald Scelson, President, Microevolutions.com
To the Honorable Senator McCain and the Subcommittee on Commerce:
I am greatly honored to be invited to speak before this
subcommittee today and would like to thank Senator McCain for inviting
me.
As we have worked under the new CAN-SPAM Law a few issues have
arisen.
CAN-SPAM Can Work
I would like to begin however by stating that there are a few
reasons why the new CAN-SPAM Act is working and working well.
It is very promising to see our government working to do something
about fraudulent activities on the Internet. It is very good to see
companies that are identifying themselves. It has helped tremendously
in the following areas:
Repeat business and
New business for the mailing companies.
It has helped the recipients who are familiar with the law
to identify U.S. companies working to be legitimate from non-
compliant companies both abroad and in the US.
Finally, it has helped those Internet Service Providers who
do wish to work with mailing companies to know whom they can
offer services to without violating any laws themselves.
All New Things Have A Rough Time
Despite all this good news, there are still many problems with
implementation, cooperation, interpretation, and fraudulent or
misleading practices--many stemming from the ISPs or their providers.
Following are some examples and issues that need to be looked at
and resolved for the Internet community to work in harmony.
Since the enactment of the CAN-SPAM Act, my company and several
others have all worked in compliance of the new law, which has been an
extremely difficult task each day.
When we mail under the new law the major ISPs focus on our from
addresses, subjects lines, our company information, and our disclaimers
on the bottom of the e-mail as well as our IP address. They use this
information to block our e-mails. Thus the Act that is to curtail
fraud, is in fact curtailing our ability to engage in free enterprise
and our business is greatly hindered.
With this situation, many mailers--especially in foreign countries
still have not been able to fully implement all steps of the new law.
They are faced with the problem of how to comply with the law when the
ISPs and backbones themselves are not being respectful of the new law.
Although it is clear that the CAN-SPAM law does not dive into the
legalities or illegalities of the practices of ISPs, many mailing
companies are still--simply put--backed into a corner. Shall they
comply and go out of business due to ISP filtering or shall they
attempt to comply partially, hoping that it will be clear that they
have the intent to follow the law and remain out of trouble with the
U.S. regulating bodies. This is the dilemma for many.
Of course foreign companies have mainly chosen to follow the laws
of their land and disregard the laws of the United States--especially
with the actions of the ISPs to put all bulk e-mail in the trash.
Shut Down = Automatic Non-Compliance
Every time a registrar shuts off a domain, an ISP closes a
connection, or a hosting company shuts off or blocks an IP Address of a
mailing company, there is a non-compliance issue. According to CAN-SPAM
of 2003, all mailing companies are to keep their removal systems active
for 30 days after the e-mail was sent. Every company including my own
has had a major situation complying to this part of the law because
ISPs, Registrars or hosting companies shut down the services without
providing 30 day notice and keeping our connections active so that we
can remain in compliance. Often we even lose our remove lists that were
contained on the equipment that they now deny us access to.
Block, Tackle and Throw
Here is an example of what our company and many others have
experienced.
AOL, Hotmail, Yahoo and other major carriers have blocked our
network based on our company information. The larger anti-spam groups
have done the same.
These anti-spam groups act like vigilantes now more than ever
before. They put you on their blacklists--often networking these
blacklists to other anti-spam groups as well. It is possible to have
both your company name and IP addresses completely blocked in as little
as 4 hours, thus preventing you from delivering your mail to more than
\1/2\ the Internet. These groups will not remove the blacklist even if
you prove to them that you are compliant with the new legislation.
These organizations are not government backed or funded. They do not
identify themselves like we do so pursuing legal action against them is
nearly impossible. Many of these groups are not even on U.S. soil.
These are the same people who want our information published on the
web. Nothing is done to stop them or interfere with them.
The ultimate blow for the mailing company however is how many of
these groups also use automated systems to generate multiple complaints
to the Internet service providers. They make it look like one person
received numerous copies of the advertisement, or like the mailing
company has generated a large amount of complaints and thus should be
shut down.
For the Backbones and the ISPs the issue has always been how to
engage in business without generating too many complaints. Since, with
most of these groups, the number of complaints is the determining
factor on when to leave services on or when to shut them off, many of
the vigilante groups now have set up anonymous and multiple complaint
sending automated systems. In fact, you will find that very few of the
complaints that are generated today come from the intended recipient of
the e-mail as compared to the number that come from the automated
anonymous complaint-sending systems. Interestingly, there are some
vigilante groups that encourage people to purchase and use their
software with proxies to prevent detection when sending in complaints!
In February of this year, the ISP I am currently with (WorldCom)
received notice that I had joined AOL's whitelist and was mailing non-
unsolicited e-mail and had AOL's full permission to send mail into
their domain. This was not spam. Because AOL's automated remove system
sent a copy of the undeliverable e-mails not only to us but also to
WorldCom, WorldCom told us to stop mailing or they were going to shut
us down. What was the logic in this action by WorldCom? AOL had granted
us permission to mail into their domain. We were fully compliant with
the law, and we were offering products and services that were a) in
great demand and b) not fraudulent. And this was not even because of
complaints. It was ONLY non-deliverable addresses in our list.
What About That Common Carrier Law?
When we review the FCC Communication Act, the above actions show
that the ISPs are unjustly denying us service. In many cases, these
groups are in fact common carriers providing us nothing more than a way
to connect to the Information Highway. WorldCom is in violation of the
FCC Communication Act, which clearly states that common carriers cannot
tamper with, read, or alter the communications that they transmit. This
includes communications across data lines.
The issue of whether or not an ISP is a common carrier has been
argued in the courts as far back as 1997. In one suit, AOL claimed that
they were a common carrier, yet just a short while later they claimed
that they were not a common carrier. The FCC supported AOL's claim that
they were not common carriers and thus set a precedent that many ISPs
have followed since. Interestingly, as we understand the charter of the
FCC, they do not have the authority to determine who is or is not a
common carrier. This is the job of Congress.
According to section 3 47 USC 153--Section Ten of this act:
``Common Carrier: the term of a ``common carrier'' or ``carrier'' means
any person engaged as a common carrier for hire in interstate or
foreign communication by wire or radio or in interstate or foreign
radio transmission of energy, except where reference is made to common
carriers not subject to this act; the persons engaged in radio
broadcasting shall not, insofar as such person is so engaged, be
determined the common carrier.'' At the time of this submission, I have
yet to locate any ISP not subject to this act.
I located more information on common carriers at a website that
detailed a lawsuit against Western Union a while ago.
``A `common carrier' has a legislatively-granted monopoly over
a particular route, region, or type of communications. In
return, the carrier must carry everything and has no right to
reject particular passengers or communications.
``Congress made Western Union a common carrier, for example,
when it refused to carry cables from reporters to their
newspapers because they competed with its own news service.
``It seems obvious that services which sell only a connection
to the Internet should be treated as common carriers. While
Compuserve and AOL should have a right to edit and refuse to
carry speech they do not like, ISPs should have no more right
to do so than Western Union or the phone companies.''
Of course, this statement was made about AOL and Compuserve before
they owned their own carrier lines. Thus it no longer holds true for
these groups either.
Let Them Be Removed
The CAN-SPAM Act also calls for the FTC to implement the Global
Remove System. Absence of this removal system has allowed problems with
removal to persist; its implementation could result in a much calmer
Internet environment much faster than anything else we have available
to us today.
For example:
1. A recipient who wishes to receive no advertisements at all must
remove himself from any advertisement that arrives in his
inbox. This could quickly add up to a lot of extra work. With
the Global Removal system, he would have to only remove himself
once.
2. An Internet Service Provider continually gets complaints from the
same person who enjoys sending such complaints and will not
remove himself from a mailing list--the ISP can enter his e-
mail address into the removal system, thus putting an end to
the problem, while maintaining his privacy.
3. By giving the rights back to the individuals, there is no need
for any ISP to subscribe to the vigilante groups that filter
and file multiple reports anonymously.
Yet, many of the anti-spam groups are strongly opposed to such a
system. There are reasons for this: Just as commercial bulk e-mail is
big business, so is anti-spamming. With software and services to be
sold to stop the flow of commercial e-mail, their sales would be
interrupted if the public had an easy and effective way to remove
themselves from receiving Internet e-mail advertisements.
Additionally, the anti-spammers claim that there are people who
would mail to the remove list--I have never met one however. Yes, there
is a solution to this problem if it did exist. When a recipient of an
e-mail receives unwanted advertisements they click the remove link.
This link takes them to a government site where they submit their e-
mail address, which will be encrypted. Software would be available to
the mailers for doing removes. The software would retrieve the remove
list while encrypted and remove the people without the mailer ever
seeing the actual e-mail address.
A program could be implemented where bulk mailers could sign up
with the government and their IP address and Domains would be
whitelisted with the ISPs allowing people who send compliant mail to
get in while being able to stop spam.
Above The Law?
While we worked to get whitelisted with AOL, here is what we
experienced:
Things started out well, AOL was willing to work with us as we
worked to deliver our list into their domain and get our non-
deliverables removed. After just 3 mailings we were receiving
virtually no undeliverable e-mails and very few complaints. The
majority of this list was undeliverable mainly because the list
had been built since I started mailing years ago. Obviously
many e-mail addresses changed over the years. The only way to
get the bad addresses out of the list was to deliver into AOL
and pick up their non-deliverable reports back to us.
WorldCom stepped in and tried to shut me down even after AOL
sent proof of our whitelist classification. However, it seems
that AOL found out who I was and denied me the whitelisting
after this exchange of information between AOL and WorldCom.
Charles Stiles, postmaster for AOL denied the whitelisting
based on my list not being ``true opt-in'' and threatened to
bring in their legal department. Yet, Opt-In had never been a
part of the original whitelisting agreement with AOL.
The problem I have with this is just last year Ted Leonsis with
AOL stated in front of Congress that they send bulk e-mail but
they provided a way for there receivers to opt-out, which of
course I do too. I fail to see the difference.
While small companies are often thwarted in their attempts to
follow the laws of the land and the rules of the ISP, which do not
align at this time, they are hard-pressed to stay in business. Large
corporations however, not only disregard the laws of the land as passed
by Congress, they ignore rulings by judges.
Recently I hired an attorney to sue the large carrier Covista. This
resulted in an injunction that demanded they turn my service back on.
Covista just ignored it.
AOL was recently sent an order to allow CI host to send mail to
AOL's network. AOL just like Covista is ignoring the judge's order.
Scott Richter of Opt-In Real Big has been involved in an ongoing
legal battle to allow him to send compliant e-mail through his two
providers. He too was awarded an injunction against one of his
carriers. I do not know if his provider is abiding by the injunctions
or not.
Evidence suggests that the ISPs think they are above the law and
can sue us for failure to abide by the law while they simply ignore
them.
All the large companies like AOL, Hotmail, Yahoo, MSN, Charter, and
others are working together on an anti-spam system, while they continue
to send e-mail advertisements. If bulk mailing is so bad and so wrong,
why are they engaged in it?
Is it bad and wrong as they say or is it merely that we needed to
curtail fraudulent practices? If the problem was that of fraudulent
practices, then that problem was solved with the new law. Yet ISPs stop
our compliant mailings while they mail themselves. Begins to look like
small business against big business . . . It has long been said that
the Internet is the first place where small business had the
opportunity to play in the same field as big business . . . perhaps
this is the threat?
President Bush is sending non opt-in bulk e-mail, abiding by the
new laws, into Hotmail and AOL. His message ended up in the bulk folder
at Hotmail and the spam folder at AOL. In my mind, a message from the
President should be given a level of courtesy and respect in keeping
with his position. Apparently, AOL and Hotmail do not hold the same
respect.
Bonds Do Not Solve Any Problems
A new trend is popping up for companies like Hotmail and Yahoo.
They are contracting with third party companies such as Habius, and
Bonded Sender. These third party companies are charging as much as
25,000.00 a year, non refundable to bond your IP addresses. However,
there is no guarantee other than to take your money with only the
possibility of allowing your mail in.
It seems no different than paying the mafia for protection to do
legitimate business (legal definition of racketeering and fraud).
Truth In Reporting--Truth In Delivering
Although we have a law against fraudulent practices on the
Internet, it seems, that this law is not written well enough to include
those who are using automated systems to identify, and file multiple
complaints anonymously (often with proxies) against people who are
sending e-mail. Also, with ISPs any complaint is taken as a good reason
to shut down services. Following are some recommendations of what could
be done.
1. Complaints should be limited to being classified as valid only if
they come directly from the intended recipients.
2. Automated reporting systems should be limited to one complaint
and not sent with the use of proxies. Complaining Agency should
be clearly identified.
3. ISPs and their providers should show respect toward the CAN-SPAM
law by only classifying as a valid complaint those which do not
comply with the law.
4. Those Agencies or individuals doing the complaining or with any
kind of ability to interfere with legal mail should have to
fully identify themselves just like we have to identify
ourselves. Appropriate e-mail address should be provided for
removal.
5. ISPs should not be allowed to filter what is required by law to
be in our e-mail advertisements.
6. ISP's should not be allowed to shut our circuits down and
discriminate against us when we send legal mail.
Summary
The CAN-SPAM Act of 2003 has brought promise and hope to the
Internet, yet adjustments still need to be made:
1. Rapid implementation of a Global removes system, which ISPs are
required to add chronic complainers to.
2. ISPs to be treated as common carriers or minimally respect the
laws that Congress has passed.
3. Companies interfering with these laws like Spews, Spam Cop etc.
should be made to file only one complaint and reveal their
identity.
4. People complaining should have to identify themselves (e-mail
address).
5. Mailing companies who comply with the law should not be at risk
of losing their systems or services. They should not be forced
into non-compliance due to instant shutdowns, and violation of
30-day remove systems.
The Chairman. As always, very interesting.
Mr. Scelson. Sorry I rushed through.
The Chairman. Can you tell us what has happened to you
since you testified before this committee?
Mr. Scelson. Well, so far the only carrier that has been at
all willing to work with people until they found out who I was,
was AOL. I give them full credit there. As of right now,
unfortunately for the first time ever, Hot Mail MSN's filters
appear to be a whole lot better than AOL's, and this is a first
ever. Once AOL realized who I was is when they sent me to this
postmaster that's like, oh well, you are a spammer, you can't
use us. I'm mailing legal now; that's the reason the law got
passed, so I wouldn't have to spam.
The Chairman. What has happened to you since you appeared
here last? You changed your address.
Mr. Scelson. Yes sir. Not too long after the reporters and
incidents like, you know, dealing with the press and all,
someone went to my house, set a doll out on my front door, said
this would be my children if you don't quit spamming. So
basically what I did was, the government has--I'm sure you're
familiar with, in Conroy, Texas--an underground fallout shelter
there that we just recently leased and turned into an ISP. We
can run up to 4 years on generator power. It's pretty much
undefeatable, we have five gigabite fiber connections there.
Eventually where I'm going with my company is, we'll be out of
the e-mail business and people that want to also secure servers
and things will be delivered and safe underneath the ground.
And we're safe under there as far as anyone threatening us or
doing harm to us.
The Chairman. Mr. Leonsis, as usual, this is your turn to
respond to--and if you'd mention the issue of the injunctions
as well.
Mr. Leonsis. There are no injunctions against us. He's
misinformed. I enjoy the theater, I admire your patience. We
would put him on the white list. We have thousands of companies
on our white list. He was on our white list; he mailed his
mail, got 137 times the complainant standard than our typical
white mail mailers. So we said, obviously there's something
you're doing that isn't meeting the standard of our community
so just work with our postmaster. And this is a much bigger
issue than Ronnie's beef with our postmaster; this is about the
quality of life.
The Chairman. Could I interrupt. Your previous answer--my
staff hands me a news article from April 23, says CI Host, one
of the world leader's--web hosting and Internet system was
awarded temporary restraining order against America On Line to
keep it from illegally blocking all e-mail from CI Host IP
addresses to AOL subscribers.
Mr. Leonsis. April 23 of this year or last year, sir?
The Chairman. April 23, 2004.
Mr. Leonsis. Well, I've been given a note from our staff
that there are no active injunctions against us to actively
deliver the mail. We've complied with all of the court orders.
The Chairman. All right. I think that's important for the
record. Thank you.
Mr. Scelson. And you see where I've got this information
from was a straight--normal, everyday newspaper.
Mr. Leonsis. And we know the newspapers never misinform,
either.
The Chairman. Please proceed, Mr. Leonsis.
Mr. Leonsis. So, CAN-SPAM Act was terrific. And as we
talked about a year ago that it really is to work in
conjunction what the technology providers would do in the ISPs.
And we've looked at the CAN-SPAM Act as kind of being a
baseline. And there were places above that baseline where
carriers such as ourselves will be very, very aggressive and
our white lists work. And our spam complaints are down; our
mail being delivered into our mail boxes is down. We feel we
are making progress. And I'm not sure what all the points
Ronnie is trying to make; we would like for him to be on our
white lists. We don't consider him the worst of the bad actors;
we are more concerned with the bad actors.
Mr. Scelson. Like I say, when I did mail there, we started
out with 98 million in the database that goes all the way back
from when I first started mailing. From 98 million to 27
million in three mailings is a significantly high number. I
don't deny that one bit. But AOL's white list is supposed to
give you 30 days to get your list straight, and in three
mailings we went from 98 to 27 million. That is a significant--
--
Mr. Leonsis. What he is referring to, Senator, is that our
basis is that if you have a relationship with a recipient that
you should be able to do business with them. So when someone
comes to us and says, ``We have a relationship here. We should
be allowed to mail,'' we believe them. When 40 percent of the
mail is undeliverable, I would submit if you had a database of
Christmas card respondents of your good friends and 40 percent
came back, you would have to say they're not your friends. And
so, that's what we're dealing with here.
The Chairman. Mr. Guest, do you have a comment on this
exchange? From the consumer's standpoint?
Mr. Guest. Well my comment, listening to all the back and
forth and the different ways that people might be able to
filter out some of the spam messages and let other unsolicited
e-mail go through, is to step back and say, ``That's not what
consumers are looking for.'' Consumers are looking for the
ability to just simply no longer get unsolicited commercial e-
mail. And so, you know, kind of rather than haggling about the
details, that's why we recommend an opt-in policy or ways I've
said before, as we can do with faxes and we can do with phone
calls and things like that by taking one action, we can block
it all. And that's really, from a consumer point of view, the
bottom line.
The Chairman. Go ahead, Mr. Akamine.
Mr. Akamine. You can see from this conversation that this
kind of discussion of ``I'm a spammer'' or ``You're a spammer''
could go on for days. But if I can take kind of the
technological viewpoint and kind of break the discourse here.
The way that Postini offers a solution to this kind of
problem--whether somebody should be on the white list or not--
is we actually give the power to the recipient. So we have
maybe five or six million end users on our system and those end
users can set their own spam filters. So if a person is a civil
libertarian and wants to see everything, they can turn their
spam filters completely off, regardless of what the ISP setting
is. On the other hand, if you happen to be working for a law
firm like Baker McKenzie, and your client is a real estate
company, you might want to turn your mortgage spam filter so
you can be reading e-mails about mortgage, but turn your sexual
filters all the way up so you don't get objectionable sexual
filters. Once you give the power, the technological power, to
the end user like that, you don't have the discussion between
somebody who claims they're a spammer and the administrator of
the mail system trying to keep white lists updated. So, this is
the kind of example of working, real world private solutions
that are in place today.
The Chairman. Mr. Brondmo.
Mr. Brondmo. Just building on those comments for a moment.
There's no filter that works today. A filter, however good your
technologists are, a filter is still guessing. It's making an
educated guess and those guesses are getting increasingly good.
And when I hear numbers like 90 to 99 percent, those are
impressive numbers but even 99 percent of billions and billions
of messages lets a lot through. And occasionally the filters
guess wrong and they put an important mail in your in-box--that
should have gotten into your in-box into the bit bucket. There
was some recent research by Good Mail Systems that indicated
that 68 percent of all e-mail users have seen a drop-off in e-
mail, legitimate e-mail, e-mail they wanted, because of spam
filters, of which 50 percent were personal e-mail. So the point
being, what we need to do is we need to fix the infrastructure.
We need to make changes so that when I get an e-mail from
Scelson, I know who he is, I can turn it on or I can turn it
off. AOL can do that for me at their gateway, at their filters,
or I can do it on my desktop. But the choice has to be with the
consumer. A ``do not e-mail'' list is not a good idea because
guys like Scelson will not honor that list, a lot of people out
there will not, and the ones who do will have increasing
problems with getting their mail through in legitimate fashion.
The Chairman. I'd like to just have the panel, beginning
with you, Mr. Brondmo, discuss very briefly, the severity of
the problem of wireless spam and how we're going to confront
that issue.
Mr. Brondmo. Well, very briefly on wireless, the wireless
network itself is a closed network. So the devices themselves
cannot receive spam unless you get the gateway, say the e-mail
gateway, into that network. Once it's in the network it can be
controlled, not unlike the AOL network where internally at AOL
they can control the network, but it's when they open it up to
the broader Internet they have a problem. Again I get back to
my core thesis--authentication is the answer. If we can
authenticate and if we can build histories--if I need a
persistent identity in order to send mail and if I have a
history of behavior, then I can basically make decisions at the
gateway, when I make the handshake to the incoming server. Do I
trust you or do I not? And based on that I can determine
whether to make the bridge. It's not very different from the e-
mail problem.
The Chairman. Mr. Akamine.
Mr. Akamine. Specifically to your question about wireless
devices, everything that we're seeing today in spam at your
desktop will also happen at the wireless devices. I mean,
that's what makes them useful. So, there is no Blackberry
device out there that's closed to itself, or if I have a cell
phone that has an SMS message system. They all have gateways to
the Internet and to SMTP e-mail; that's what makes them useful.
Therefore, all the kind of content abuses, as well as Directory
Harvest Attacks and all the transport abuses will also occur.
The Chairman. So it's just a matter of time.
Mr. Akamine. Well, unless the system operators basically
start to protect their mail systems. And again, it's not about
protecting the end hand devices; it's not about putting a
little piece of software there, it's actually about securing
the system at the core.
Mr. Leonsis. I think it'll be less aggressive on wireless,
less graphics. Usage in the handset is, you know, the footprint
is smaller. With AOL, if you're an AOL member, its mail is
mail. And so we won't have that issue. And I think I'm more
optimistic, I think there are more companies, the
authentication movement in technologies will be helpful and I
think that we have the willpower and the dollars to invest and
that we will make progress. We'll come here a year from now and
it will be better, not worse.
Mr. Akamine. Senator McCain, I just want to make one point
of fact here.
The Chairman. Yes.
Mr. Akamine. We do have one antecedent that we can point
to, which is in Japan, the largest Internet service provider is
actually a wireless provider called NTT DoCoMo. They have
something on the order of 50 million wireless cell phones that
are all Internet-enabled. They approached us a couple of years
ago and told us that in that period of time they were getting
one billion e-mail connections today to their wireless users,
just to deliver 5 percent of those to be legitimate messages.
So when I say that I'm concerned about all of the current e-
mail abuses occurring to wireless, we have one model in Japan
that already has gone that way.
The Chairman. Mr. Guest.
Mr. Guest. Wireless Week, just this week, has a survey
which says, and I'm quoting, ``Adult content for wireless
devices is a billions of dollars business in Europe and Asia,''
close quote. And they pose the question, who should be the
gatekeeper when it comes to the United States? We know that
it's coming; I don't have a solution to propose today but it is
certainly something, clearly you're aware of, Mr. Chairman, and
the Committee is aware of, that you're going to have to pursue
along with the other problems that spam is still going up.
The Chairman. Mr. Scelson.
Mr. Scelson. Mr. Postini--how do you pronounce it?
Mr. Akamine. Akamine from Postini.
Mr. Scelson. Postini. Remember last year when I was in here
I was telling you gentlemen that as long as ISPs are reading
and filtering peoples' mail, it's taking away from the user?
And the only filter that will ever work and ever have any
fighting chance is a filter that each user controls their own
filters; there's no reason for ISPs to filter this. So the
system that he's working on, if any system has a chance as far
as that filtering method, his is the best one. I don't see
where ISP should decide who's going to get what mail. Just
recently Google and the government had a little battle over
what information Google was taking from people in order to
advertise to these people. Well, a spam filter reads your mail
without your permission to decide what you're going to get.
It's no different than what Google's proposing. But the
government's coming down on Google. It's the same thing.
As far as the wireless industry of it, personally I can see
it being a total nuisance going down the store and having a
pager or something go off. As much as I believe in advertising
and marketing, as far as the cell phones, that is one that
should be just straight illegal, you cannot advertise on it.
And it's just because of the nuisance, everywhere, no matter
where you're at, even driving down the road, it can cause
accidents, people thinking it's something important. So I'm in
agreement that something should be done before it even gets
here.
The Chairman. Well, Mr. Scelson, I had heard because of
your appearance before this committee that it had caused you
some serious problems and I want to apologize for that. And I
thank you for coming back and I hope that your future is bright
and that you will not suffer any repercussions because of your
willingness to come forward and help us with the information
that's vitally necessary if we're going make proper decisions.
So again, please accept my apologies on behalf of the Committee
for anything that happened to you as a result of your testimony
before this committee.
Mr. Scelson. Thank you, Senator McCain.
The Chairman. I want to thank the witnesses and I'll turn
to Senator Burns but it seems to me that in a couple or 3
months, Senator Burns, we better have another hearing since
this thing is evolving in a rather rapid fashion.
Senator Burns. Well, it is, and we thought it would because
any time that you--there is cause and effect, as you well know,
around here, and for every action there's an opposite and equal
reaction to it. So that should not surprise anybody. I'm a
great admirer of Mr. Scelson for the simple reason I don't
think he has to build anymore bomb shelters or do anything; I
think the FBI ought to hire him. I think your employment is--or
I think maybe Ted will hire him.
Mr. Leonsis. We're fully staffed right now.
[Laughter.]
Senator Burns. So, I think, you know, your employment is
secure for the rest of your life, as a young man, I can see
that. I have no questions other than the fact that I just take
all the information that I've heard here; I think the Chairman
asked all the right questions. And are you going to shut this
thing down or am I going to shut this thing down? Sounds like
I'm going to shut.
Thank you all for coming today. If we have questions from
other members of this committee, please respond to them and the
Committee. And thank you for coming. We're adjourned.
[Whereupon, at 12:05 p.m., the hearing was adjourned.]
[all]
This page intentionally left blank.