[Congressional Record Volume 149, Number 91 (Thursday, June 19, 2003)]
[Senate]
[Pages S8238-S8241]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. Hatch (for himself, Mr. Leahy, Mr. Schumer, Mr. Grassley, 
        Mrs. Feinstein, Mr. DeWine, and Mr. Edwards):
  S. 1293. A bill to criminalize the sending of predatory and abusive 
e-mail; to the Committee on the Judiciary.
  Mr. HATCH. Mr. President, I rise to introduce, with Senators Leahy, 
Schumer, Grassley, Feinstein, DeWine, and Edwards, the Criminal Spam 
Act of 2003. This legislation, which enjoys bipartisan support, targets 
the most egregious types of spammers--those who hijack computer systems 
and those who use other fraudulent means to send unsolicited commercial 
electronic mail.
  Over the course of the past several years, the amount of unsolicited 
commercial email, or spam, has grown at an exponential rate. During a 
recent Senate hearing before the Committee on Commerce, Science and 
Transportation, Brightmail Inc., a provider of spam filtering software 
that serves six of the ten largest U.S. Internet service providers, 
estimated that in April 2003, 46 percent of all email traffic was spam. 
This figure represented a nearly five fold increase in spam in merely 
18 months. At the same hearing, America Online testified that on any 
given day, it blocks approximately 2.3 billion spam messages.
  This tremendous growth rate is due in large part to sophisticated 
spammers who use abusive tactics to send millions of email messages 
quickly, at an extremely low cost. By using deceptive methods, these 
spammers conceal their identities, evade Internet service provider 
filters, and exploit the Internet by advertising and promoting 
pornographic web sites, illegally pirated software, questionable health 
products, pyramid schemes and other ``get rich quick'' or ``make money 
fast'' scams. The extraordinary volume of spam generated by their 
schemes imposes significant costs on Internet users, threatens to 
disrupt Internet services, and undermines the public's confidence in 
online commerce.
  A recent study conducted by the Federal Trade Commission demonstrates 
the alarming frequency with which spammers are using the Internet to 
conceal their true identities and the electronic paths of their 
messages. This study found that 40 percent of email messages contain 
indicia of falsity in the body of the message; approximately 33 percent 
contain indicia of falsity in the ``from'' lines of the spam; 22 
percent contain indicia of falsity in the ``subject'' line; and some 66 
percent contain at least one form of deception.
  The Criminal Spam Act of 2003 targets fraudulent and deceptive spam 
by enhancing the ability of federal law enforcement authorities to 
prosecute and punish the most egregious wrongdoers. Specifically, the 
Act makes it a crime to hack into a computer, or to use a computer 
system that the owner has made available for other purposes, as a 
conduit for bulk commercial email. The Act also prohibits sending bulk 
commercial email that conceals the true source, destination, routing or 
authentication information of the email, or is generated from multiple 
email accounts or domain names that falsify the identity of the actual 
registrant.
  The Act subjects violators to stiff criminal penalties of up to 5 
years' imprisonment where the offense is committed in furtherance of 
any felony, or where the defendant has previously been convicted of a 
similar Federal or state offense, and up to 3 years' imprisonment where 
other aggravating factors exist. It also contains criminal forfeiture 
provisions and directs the Sentencing Commission to consider 
enhancements for offenders who obtain email addresses through illegal 
means, such as harvesting.
  The strong deterrent effect of the legislation is further enhanced by 
civil enforcement provisions that authorize the Department of Justice 
and aggrieved Internet service providers to bring suit for violations 
of the Act. In appropriate cases, courts may grant injunctive relief, 
impose civil fines, and award damages of up to $25,000 per day of 
violation, or between $2 and $8 per email initiated in violation of the 
Act.
  Recognizing that spammers can send their fraudulent and deceptive 
messages from any location in the world, the Act directs the Department 
of Justice and the Department of State to work through international 
fora to gain the cooperation of other countries in investigating and 
prosecuting spammers worldwide and to report to Congress about their 
efforts and any recommendations for addressing international predatory 
spam.
  The Criminal Spam Act represents an important legislative step toward 
curbing predatory and abusive commercial email. However, broader 
legislative measures, coupled with technological

[[Page S8239]]

solutions, are also needed. Any effective solution to the spam problem 
requires cooperative efforts between the government and the private 
sector, as well as the assistance of our international partners.
  Recent years have witnessed extraordinary technological advances. 
These innovations, and electronic communications in particular, have 
significantly increased the efficiencies, productivity and conveniences 
of our modern world. The abusive practices of fraudulent spammers 
threaten to choke the lifeblood of the electronic age. This is a 
problem that warrants swift but deliberative legislative action. I am 
committed to working with my colleagues in both Houses to address the 
spam problem on all fronts.
  I ask unanimous consent that a section-by-section analysis be printed 
in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                      Section-by-Section Analysis


                          SEC. 1. SHORT TITLE

       This bill may be cited as the ``Criminal Spam Act of 
     2003''.


   SEC. 2. PROHIBITION AGAINST PREDATORY AND ABUSIVE COMMERCIAL EMAIL

       This section targets the four principal techniques that 
     spammers use to evade filtering software and hide their 
     trails. It creates a new federal crime that prohibits hacking 
     into a computer, or using a computer system that the owner 
     has made available for other purposes, to send bulk 
     commercial email. It also prohibits sending bulk commercial 
     email that either conceals the true source, destination, 
     routing and authentication information of the email, or is 
     generated from multiple email accounts or domain names that 
     falsify the identity of the actual registrant. Penalties 
     range from up to 5 years' imprisonment where the offense was 
     committed in furtherance of any felony, or where the 
     defendant was previously convicted of a similar federal or 
     state offense, and up to 3 years' imprisonment where other 
     aggravating factors exist. The U.S. Sentencing Commission is 
     directed to consider sentencing enhancements for offenders 
     who obtained email addresses through improper means, such as 
     harvesting.
       In addition, this section provides for civil enforcement by 
     the Department of Justice and aggrieved Internet service 
     providers against spammers who engage in the conduct 
     described above. In appropriate cases, courts may grant 
     injunctive relief, impose civil penalties, and award damages.


   SEC. 3. REPORT AND SENSE OF CONGRESS REGARDING INTERNATIONAL SPAM.

       Recognizing that an effective solution to the spam problem 
     requires the cooperation and assistance of our international 
     partners, this section asks the Administration to work 
     through international fora to gain the cooperation of other 
     countries in investigating and prosecuting spammers 
     worldwide, and to report to Congress about its efforts.
  Mr. LEAHY. Mr. President, I am pleased to be introducing, with 
Senators Hatch, Schumer, Grassley, Feinstein, DeWine, and Edwards, the 
Criminal Spam Act of 2003. This bill is designed to counter the most 
objectionable forms of email marketing. In an effort to clear 
electronic channels for legitimate communications, the bill targets 
those spammers who deceive Internet Service Providers, ``ISPs'', and 
email recipients into thinking that messages come from someone other 
than a spammer--a ploy many spammers use to increase the likelihood 
that their unwanted ads will evade filtering software and be opened.
  Without a doubt, spam is a serious problem today, one that is 
threatening to undermine the vast potential of the Internet to foster 
the free exchange of information and commerce. Businesses and 
individuals currently wade through tremendous amounts of spam in order 
to access email that is of relevance to them--and this is after ISPs, 
businesses, and individuals have spent time and money blocking a large 
percentage of spam from reaching its intended recipients.
  Email users are having the online equivalent of the experience of the 
woman in the Monty Python skit, who seeks to order a spam-free 
breakfast at a restaurant. Try as she might, she cannot get the 
waitress to bring her the meal she desires. Every dish in the 
restaurant comes with Spam; it's just a matter of how much. There's 
``egg, bacon and Spam''; ``egg, bacon, sausage and Spam''; ``Spam, 
bacon, sausage and Spam''; ``Spam, egg, Spam, Spam, bacon and Spam''; 
``Spam, sausage, Spam, Spam, Spam, bacon, Spam, tomato and Spam''; and 
so on. Exasperated, the woman finally cries out: ``I don't like Spam! . 
. . I don't want ANY Spam!''
  Individuals and businesses are reacting similarly to electronic spam. 
A Harris poll taken late last year found that 80 percent of respondents 
view spam as ``very annoying,'' and fully 74 percent of respondents 
favor making mass spamming illegal. They are fed up.
  ISPs are doing their best to shield customers from spam, blocking 
billions of spam each day, but the spammers are winning the battle. 
Millions of unwanted, unsolicited commercial emails are received by 
American businesses and individuals each day, despite their own, 
additional filtering efforts. A recent study by Ferris Research 
estimates that spam costs U.S. businesses $8.9 billion annually as a 
result of lost productivity and the need to purchase more powerful 
servers and additional bandwidth; to configure and run spam filters; 
and to provide help-desk support for spam recipients. The costs of spam 
are significant to individuals as well, including time spent 
identifying and deleting spam, inadvertently opening spam, installing 
and maintaining anti-spam filters, tracking down legitimate messages 
mistakenly deleted by spam filters, and paying for the ISPs' blocking 
efforts.
  And there are other less prominent but equally important costs of 
spam. It may introduce viruses, worms, and Trojan Horses into personal 
and business computer systems, including those that support our 
national infrastructure. It is also fertile ground for deceptive trade 
practices. The FTC recently estimated that 96 percent of the spam 
involving investment and business opportunities, and nearly half of the 
spam advertising health services and products, and travel and leisure, 
contains false or misleading information.
  This rampant deception has the potential to undermine Americans' 
trust of valid information on the Internet. Indeed, it has already 
caused some Americans to refrain from using the Internet to the extent 
that they otherwise would. For example, some have chosen not to 
participate in public discussion forums, and are hesitant to provide 
their addresses in legitimate business transactions, for fear that 
their email addresses will be harvested for junk email lists. And they 
are right to be concerned. The FTC found spam arriving at its computer 
system just nine minutes after posting an email address in an online 
chat room.
  At a recent FTC forum on spam, experts agreed that the issue is ripe 
for Federal action. Some 30 States now have anti-spam laws, but the 
nature of email makes it difficult to discern where any given piece of 
spam originated, and, thus, what State has jurisdiction and what State 
law applies. This may explain why spammers continue to flout State 
laws. For example, several States require that spam begin the subject 
line with ``ADV,'' but the FTC has found that only 2 percent of spam 
contains this label.
  Technology will undoubtedly play a key role in fighting spam. 
However, a technological solution to the problem is not predicted in 
the foreseeable future. In addition, given the adroitness with which 
spammers adapt to anti-spam technologies, the development and 
implementation of technological fixes to spam entail constant vigilance 
and substantial financial investment. This raises the question: Why 
should individuals and businesses be forced to invest large amounts of 
time and money in buying, installing, and maintaining generation after 
generation of anti-spam technologies?
  I have often said that the government should regulate the Internet 
only when absolutely necessary. Unfortunately, spammers have caused 
this to be one of those times. Congress needs to address the spam 
problem quickly and prudently, and the Criminal Spam Act, by targeting 
the most injurious types of spam, is a good start.
  The bill that Senator Hatch and I introduce today would prohibit the 
four principal techniques that spammers use to evade filtering software 
and hide their trails.
  First, our bill would prohibit hacking into another person's computer 
system and sending bulk spam from or through that system. This would 
criminalize the common spammer technique of obtaining access to other 
people's email accounts on an ISP's email network, whether by password 
theft or by inserting a ``Trojan horse'' program--that is, a program 
that unsuspecting users

[[Page S8240]]

download onto their computers and that then takes control of those 
computers--to send bulk spam.
  Second, the bill would prohibit using a computer system that the 
owner makes available for other purposes as a conduit for bulk spam, 
with the intent of deceiving recipients as to the spam's origins. This 
prohibition would criminalize another common spammer technique--the 
abuse of third parties' ``open'' servers, such as email servers that 
have the capability to relay mail, or Web proxy servers that have the 
ability to generate ``form'' mail. Spammers commandeer these servers to 
send bulk commercial email without the server owner's knowledge, either 
by ``relaying'' their email through an ``open'' email server, or by 
abusing an ``open'' Web proxy server's capability to generate form 
emails as a means to originate spam, thereby exceeding the owner's 
authorization for use of that email or Web server. In some instances 
the hijacked servers are even completely shut down as a result of tens 
of thousands of undeliverable messages generated from the spammer's 
email list.
  The bill's third prohibition targets another way that outlaw spammers 
evade ISP filters: falsifying the ``header information'' that 
accompanies every email, and sending bulk spam containing that fake 
header information. More specifically, the bill prohibits forging 
information regarding the origin of the email message, the route 
through which the message attempted to penetrate the ISP filters, and 
information authenticating the user as a ``trusted sender'' who abides 
by appropriate consumer protection rules. The last type of forgery will 
be particularly important in the future, as ISPs and legitimate 
marketers develop ``white list'' rules whereby emailers who abide by 
self-regulatory codes of good practices will be allowed to send email 
to users without being subject to anti-spamming filters. There is 
currently substantial interest among marketers and email service 
providers in ``white list'' technology solutions to spam. However, such 
``white list'' systems would be useless if outlaw spammers are allowed 
to counterfeit the authentication mechanisms used by legitimate 
emailers.
  Fourth and finally, the Criminal Spam Act prohibits registering for 
multiple email accounts or Internet domain names, and sending bulk 
email from those accounts or domains. This provision targets deceptive 
``account churning,'' a common outlaw spammer technique that works as 
follows. The spammer registers, usually by means of an automatic 
computer program, for large numbers of email accounts or domain names, 
using false registration information, then sends bulk spam from one 
account or domain after another. This technique stays ahead of ISP 
filters by hiding the source, size, and scope of the sender's mailings, 
and prevents the email account provider or domain name registrar from 
identifying the registrant as a spammer and denying his registration 
request. Falsifying registration information for domain names also 
violates a basic contractual requirement for domain name registration.
  Penalties for violations of these provisions are tough but measured. 
Recidivists and those who send spam in furtherance of another felony 
may be imprisoned for up to five years. Large-volume spammers, those 
who hack into another person's computer system to send bulk spam, and 
spam ``kingpins'' who use others to operate their spamming operations 
may be imprisoned for up to three years. Other offenders may be fined 
and imprisoned for no more than one year. Convicted offenders are also 
subject to forfeiture of proceeds and instrumentalities of the offense.
  In addition to these criminal penalties, offenders are also subject 
to civil enforcement actions, which may be brought by either the 
Department of Justice or by an ISP. Civil remedies are important as a 
supplement to criminal enforcement for several reasons. First, bringing 
cases against outlaw spammers is very resource intensive because of the 
extensive forensic work involved in building a case; providing for 
civil enforcement will allow ISPs to assemble evidence to make 
prosecutors' jobs easier. Second, although criminal prosecutions are a 
critical deterrent against the most egregious spammers, the Justice 
Department is unlikely to prosecute all outlaw spam cases; civil 
enforcement, backed by strong financial penalties, will serve as a 
second layer of deterrence. Third, criminal penalties may not be 
appropriate in all cases, as for example in the case of teenagers hired 
by professional outlaw spammers to send out email for them; civil 
enforcement gives the Justice Department a more complete and refined 
range of tools to address specific outlaw spam problems.
  That describes the main provisions of our bill. In addition, because 
commercial email can be, and is being, sent from all over the world 
into the virtual mailboxes of Americans, the bill directs the 
Administration to report on its efforts to achieve international 
cooperation in the investigation and prosecution of outlaw spammers.
  Again, the purpose of the Criminal Spam Act is to deter the most 
pernicious and unscrupulous types of spammers--those who use trickery 
and deception to induce others to relay and view their messages. 
Ridding America's inboxes of deceptively delivered spam will 
significantly advance our fight against junk email. But the Criminal 
Spam Act is not a cure-all for the spam pandemic.
  The fundamental problem inherent to spam--its sheer volume--may well 
persist even in the absence of fraudulent routing information and false 
identities. In a recent survey, 82 percent of respondents considered 
unsolicited bulk email, even from legitimate businesses, to be 
unwelcome spam. Given this public opinion, and in light of the fact 
that spam is, in essence, cost-shifted advertising, it may be wise to 
take a broader approach to our fight against spam.
  One approach that has achieved substantial support is to require all 
commercial email to include an ``opt out'' mechanism, that is, a 
mechanism for consumers to opt out of receiving further unwanted spam. 
At the recent FTC forum, several experts expressed concerns about this 
approach, which permits spammers to send at least one piece of spam to 
each email address in their database, while placing the burden on email 
recipients to respond. People who receive dozens, even hundreds, of 
unwanted emails each day would have little time or energy for anything 
other than opting-out from unwanted spam.
  According to one organization's calculations, if just one percent of 
the approximately 24 million small businesses in the U.S. sent every 
American just one spam a year, that would amount to over 600 pieces of 
spam for each person to sift through and opt-out of each day. And this 
figure may be conservative, as it does not include the large businesses 
that also engage in on-line advertising.
  A second possible approach to spam--a national ``Do Not Spam'' 
registry--raises a different but no less difficult set of concerns. The 
two FTC Commissioners who testified last month at the Senate Commerce 
Committee's hearing on spam both questioned the potential of a national 
registry to alleviate the spam problem. Although this approach would 
place a smaller burden on consumers than would an opt-out system, it 
would entail immense costs, complexity, and delay, all of which work in 
the spammers' favor.
  A third way of attacking spam--and one that was favored by many 
panelists and audience members at the FTC forum--is to establish an 
opt-in system, whereby bulk commercial email may only be sent to 
individuals and businesses who have invited or consented to it. This 
approach has strong precedent in the Telephone Consumer Protection Act 
of 1991, TCPA, which Congress passed to eliminate similar cost-
shifting, interference, and privacy problems associated with 
unsolicited commercial faxes. The TCPA's ban on faxes containing 
unsolicited advertisements has withstood First Amendment challenges in 
the courts, and was adopted by the European Union in July 2002.
  I have discussed three possible approaches to the spam problem, and 
there are several others, some of which have already been codified in 
state law. I encourage the consideration of all these anti-spam 
approaches in the weeks and months to come.
  Reducing the volume of junk commercial email, and so protecting 
legitimate Internet communications, will

[[Page S8241]]

not be easy. There are important First Amendment interests to consider, 
as well as the need to preserve the ability of legitimate marketers to 
use email responsibly. If Congress does act, it must get it right, so 
as not to exacerbate an already terribly vexing problem.
  The Criminal Spam Act is a first step in countering spam. If we can 
shut down the spammers who use deception to evade filters and confuse 
consumers, we will give the next generation of anti-spam technologies a 
chance to do their work. Our bill targets the most egregious offenders, 
it provides a much-needed federal cause of action, and it allows the 
states to continue to serve as a ``laboratory'' for tough anti-spamming 
regulation. I urge its speedy enactment into law.
                                 ______