[Senate Report 108-170]
[From the U.S. Government Publishing Office]



                                                       Calendar No. 288
108th Congress                                                   Report
                                 SENATE
 1st Session                                                    108-170

======================================================================



 
                     THE CRIMINAL SPAM ACT OF 2003

                                _______
                                

                October 22, 2003.--Ordered to be printed

                                _______
                                

Mr. Hatch, from the Committee on the Judiciary, submitted the following

                              R E P O R T

                         [To accompany S. 1293]

    The Committee on the Judiciary, to which was referred the 
bill (S. 1293) to criminalize the sending of predatory and 
abusive e-mail, having considered the same, reports favorably 
thereon, with an amendment in the nature of a substitute, and 
recommends that the bill, as amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Discussion.......................................................2
 IV. Legislative History..............................................5
  V. Votes of the Committee...........................................5
 VI. Section-by-Section Analysis......................................5
VII. Cost Estimate....................................................6
VIII.Regulatory Impact Statement......................................7

 IX. Changes in Existing Law..........................................7

                         I. Purpose and Summary

    The purpose of S. 1293, the ``Criminal Spam Act of 2003,'' 
is to criminalize the sending of bulk commercial e-mail 
(commonly known as ``spam'') through fraudulent and deceptive 
means. The bill amends title 18, United States Code, to 
prohibit five principal techniques that spammers use to evade 
filtering software and hide their trails. Penalties for 
violations of the new criminal prohibitions include 
imprisonment, fines, and forfeiture of proceeds. Offenders may 
also be subject to civil enforcement actions brought by either 
the Department of Justice or by an Internet Service Provider 
(``ISP'').

              II. Background and Need for the Legislation

    Sophisticated spammers send millions of e-mail messages 
quickly, at an extremely low cost, with no repercussions. The 
sheer volume of spam, which is growing at an exponential rate, 
is overwhelming entire network systems, as well as consumers' 
in-boxes. By the end of the year 2003, it is estimated that 
fifty percent of all e-mail traffic will be spam.
    The rapid increase in the volume of spam has imposed 
enormous costs on our economy. A recent study by Ferris 
Research estimates that spam will cost U.S. businesses more 
than $10 billion in 2003 as a result of lost productivity and 
the need to purchase more powerful servers and additional 
bandwidth, configure and run spam filters, and provide help-
desk support for spam recipients. The costs of spam are 
significant to individuals as well, including time spent 
identifying and deleting spam, inadvertently opening spam, 
installing and maintaining anti-spam filters, tracking down 
legitimate messages mistakenly deleted by spam filters, and 
paying for the ISPs' blocking efforts.
    And there are other prominent and equally important costs 
of spam. It may introduce viruses, worms, and Trojan horses 
into personal and business computer systems, including those 
that support our national infrastructure. It has become the 
tool of choice for those who distribute pornography and indulge 
in fraud schemes. Rarely a minute passes without American 
consumers and their children being bombarded with e-mail 
messages promoting pornographic web sites, illegally pirated 
software, bogus charities, pyramid schemes and other ``get rich 
quick'' or ``make money fast'' scams.
    Spam also offers fertile ground for deceptive trade 
practices. The Federal Trade Commission estimates that nearly 
66 percent of spam contains some kind of deception, either in 
the content, the ``subject'' line, or the ``from'' line. And an 
astonishing 90 percent of spam involving investment and 
business opportunities contains indicia of false claims. This 
rampant deception has the potential to undermine Americans' 
trust of valid information on the Internet and threaten the 
future viability of all e-commerce.
    ISPs are doing their best to shield customers from spam, 
blocking billions of unwanted e-mails each day, but the 
spammers are winning the battle. Among the barriers ISPs face 
when attempting to stop spam is that spammers use false and 
fraudulent means to avoid detection and identification. The 
Criminal Spam Act takes initial steps to address this problem.

                            III. Discussion

    The Criminal Spam Act prohibits five deceptive techniques 
that spammers use to evade filtering software and get their 
unwanted e-mails into America's inboxes.
    First, the bill prohibits hacking into another person's 
computer system and sending bulk spam from or through that 
system. This would criminalize the common spammer technique of 
obtaining access to other people's e-mail accounts on an ISP's 
e-mail network, for example by password theft or by inserting a 
``Trojan horse'' program--that is, a program that unsuspecting 
users download onto their computers and that then takes control 
of those computers--to send bulk spam.
    Second, the bill prohibits using a computer system that the 
owner makes available for other purposes as a relay or 
retransmission point for bulk spam, with the intent of 
deceiving recipients as to the origins of the spam. This 
prohibition would criminalize another common spammer 
technique--the abuse of third parties' ``open'' servers, such 
as e-mail servers that have the capability to relay mail, or 
proxy servers that have the ability to generate or retransmit 
e-mail, such as ``form'' e-mail utilities on Web servers. 
Spammers commandeer these servers to send bulk commercial e-
mail without the server owner's knowledge, either by 
``relaying'' their e-mail through an ``open'' e-mail server, or 
by abusing an ``open'' proxy server's capability to generate or 
retransmit e-mails as a means to originate spam. In some 
instances the hijacked servers are even completely shut down as 
a result of tens of thousands of undeliverable messages 
generated from the spammer's e-mail list.
    Third, the bill prohibits falsifying the header information 
that accompanies e-mail, and sending bulk spam accompanied by 
or containing that false header information. More specifically, 
the bill prohibits forging information regarding the origin of 
an e-mail message, the route through which the message 
penetrated, or attempted to penetrate, ISP filters, or 
information authenticating the user for network management or 
network security purposes--for example, as a ``trusted sender'' 
who abides by appropriate consumer protection rules. The last 
type of forgery will be particularly important in the future, 
as ISPs and legitimate marketers develop ``white list'' and 
similar rules and technologies whereby e-mailers who abide by 
self-regulatory codes of good practices will be allowed to send 
e-mail to users without being subject to anti-spamming filters. 
There is currently substantial interest among marketers and e-
mail service providers in ``white list'' technology solutions 
to spam. However, such ``white list'' systems would be useless 
if outlaw spammers are allowed to counterfeit the 
authentication mechanisms used by legitimate e-mailers.
    Fourth, the bill prohibits registering for multiple e-mail 
accounts or Internet domain names using information that 
falsifies the identity of the actual registrant, and sending 
bulk e-mail from those accounts or domains. This provision 
targets deceptive ``account churning,'' a common outlaw spammer 
technique that works as follows: The spammer registers (usually 
by means of an automatic computer program, or by means of 
individuals located in other countries) for large numbers of e-
mail accounts or domain names, using false registration 
information, then sends bulk spam from one account or domain 
after another. This technique stays ahead of ISP filters by 
hiding the source, size, and scope of the sender's mailings, 
and prevents the e-mail account provider or domain name 
registrar from identifying the registrant as a spammer and 
denying his registration request. Falsifying registration 
information for domain names also violates a basic contractual 
requirement for domain name registrations.
    Fifth, the bill addresses another significant hacker 
spammer technique for hiding identity that is a common and 
pernicious alternative to domain name registration--hijacking 
unused Internet Protocol (``IP'') addresses and using them as 
launch pads for spam. Hijacking large blocks of IP address 
space is not difficult: Spammers simply falsely assert that 
they have the right to use that space, and obtain an Internet 
connection for the addresses. Hiding behind those addresses, 
they can then send vast amounts of spam that is extremely 
difficult to trace.
    Penalties for violations of these prohibitions are 
graduated. Recidivist offenders under federal or state anti-
hacking or spam laws and those who send spam in furtherance of 
another felony may be imprisoned for up to five years. Large-
volume spammers, those who hack into another person's computer 
system to send bulk spam, those involved in offenses involving 
20 or more falsified e-mail accounts or 10 or more falsified 
domain names or any combination thereof, those who cause more 
than $5,000 in ``loss'' as defined in 18 U.S.C. Sec. 1030 
during a one-year period, those who, as a result of the 
offense, obtain anything of value aggregating $5,000 or more 
during a one-year period, and spam ``kingpins'' who use others 
to operate their spamming operations may be imprisoned for up 
to three years. Other offenders may be fined and imprisoned for 
no more than one year.
    Convicted offenders are also subject to forfeiture of 
proceeds and instrumentalities of the offense, and the U.S. 
Sentencing Commission is directed to consider sentencing 
enhancements for offenders who obtained e-mail addresses 
through improper means, such as harvesting and randomly 
generating e-mail addresses (in what is known colloquially as a 
``dictionary attack''), or who know that commercial e-mail 
addresses contain or advertise an Internet domain for which the 
registrant has provided false registration information.
    In addition, as a supplement to criminal enforcement, the 
bill provides for civil enforcement by the Department of 
Justice and aggrieved ISPs against spammers who engage in 
conduct that the bill prohibits, as well as anyone who 
conspires with them.
    Finally, because an effective solution to the spam problem 
requires the cooperation and assistance of our Nation's 
international partners, the Criminal Spam Act directs the 
Department of Justice and Department of State to report to 
Congress within 18 months regarding the status of their efforts 
to achieve international cooperation from other countries in 
investigating and prosecuting spammers worldwide.
    In approving the Criminal Spam Act, the Committee 
determined that it does not raise concerns under the First 
Amendment. First, rather than targeting speech, the bill 
instead targets e-mailing techniques used to steal computer 
services and trespass on private computers and computer 
networks. Second, to the extent that the bill implicates any 
First Amendment interest, it addresses only commercial e-mail 
messages (because the overwhelming majority of predatory and 
abusive e-mail is commercial), and only when such messages are 
misleading by virtue of falsifying their point of origin. It 
therefore fails the first prong of the test set forth in the 
Central Hudson Gas & Elec. Corp. v. Public Service Comm'n, 447 
U.S. 557, 566 (1980) (in commercial speech cases, court must 
first determine that the expression concerns lawful activity 
and is not misleading).

                        IV. Legislative History

    During the past several Congresses, committees in both the 
House and the Senate have examined various issues raised by the 
proliferation of junk commercial e-mail. Additionally, 
government agencies, industry representatives, and other 
interested parties have participated in numerous public forums 
on spam, including a three-day ``Public Spam Workshop'' hosted 
by the FTC earlier this year.
    On June 19, 2003, after extensive consultation with experts 
in this area, Senators Hatch, Leahy Schumer, Grassley, 
Feinstein, DeWine, and Edwards introduced S. 1293, the Criminal 
Spam Act of 2003.

                       V. Votes of the Committee

    On September 25, 2003, the Committee on the Judiciary, with 
a quorum present, met in open session and ordered favorably 
reported the bill, S. 1293, by unanimous consent, with an 
amendment in the nature of a substitute sponsored by Senators 
Hatch and Leahy.
    The substitute amendment made four changes to the bill: (1) 
Added proposed 18 U.S.C. Sec. 1037(a)(5), which targets 
spammers who falsely represents the right to use five or more 
IP addresses, and intentionally initiate the transmission of 
spam from such addresses; (2) amended proposed 18 U.S.C. 
Sec. 1037(a)(4), to clarify that the Government may prove its 
case by showing that the requisite number of e-mails went 
through ``any combination of'' falsely registered e-mail 
accounts or domain names; (3) narrowed the definition of 
``header information'' in proposed 18 U.S.C. Sec. 1037(e)(4), 
to address concerns that it was overbroad; and (4) made 
technical changes to the criminal forfeiture provisions, 
rendering them more consistent with existing laws. The 
substitute amendment was accepted by unanimous consent.

                    VI. Section-by-Section Analysis


Section 1. Short title

    This bill may be cited as the ``Criminal Spam Act of 
2003''.

Section 2. Prohibition against predatory and abusive commercial e-mail

    This section targets the five principal techniques that 
spammers use to evade filtering software and hide their trails. 
It creates a new federal crime that prohibits hacking into a 
computer, or using a computer system that the owner has made 
available for other purposes, to send bulk commercial e-mail. 
It also prohibits sending bulk commercial e-mail that either 
conceals the true source, destination, routing or 
authentication information of the e-mail, or is generated from 
multiple e-mail accounts or domain names that falsify the 
identity of the actual registrant, or from Internet Protocol 
(IP) addresses that have been hijacked from their true 
assignees.
    Penalties range from up to 5 years' imprisonment where the 
offense was committed in furtherance of any felony, or where 
the defendant was previously convicted of a similar federal or 
state offense, to up to 3 years' imprisonment where other 
aggravating factors exist, to up to 1 year of imprisonment 
where no aggravating factors exist, plus criminal forfeiture. 
The U.S. Sentencing Commission is directed to consider 
sentencing enhancements for offenders who obtained e-mail 
addresses through improper means, such as harvesting.
    In addition, this section provides for civil enforcement by 
the Department of Justice and aggrieved Internet service 
providers against spammers who engage in the conduct described 
above. In appropriate cases, courts may grant injunctive 
relief, impose civil penalties, and award damages.

Section 3. Report and sense of Congress regarding international spam

    Recognizing that an effective solution to the spam problem 
requires the cooperation and assistance of our international 
partners, this section asks the Administration to work through 
international fora to gain the cooperation of other countries 
in investigating and prosecuting spammers worldwide, and to 
report to Congress about its efforts.

                           VII. Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                   Washington, DC, October 1, 2003.
Hon. Orrin G. Hatch,
Chairman, Committee on the Judiciary,
U.S. Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 1293, the Criminal 
Spam Act of 2003.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Mark 
Grabowicz.
            Sincerely,
                                      Elizabeth M. Robinson
                               (For Douglas Holtz-Eakin, Director).
    Enclosure.

S. 1293--Criminal Spam Act of 2003

    CBO estimates that implementing S. 1293 would have no 
significant cost to the federal government. Enacting the bill 
could affect direct spending and revenues, but CBO estimates 
that any such effects would not be significant. S. 1293 
contains no intergovernmental or private-sector mandates as 
defined in the Unfunded Mandates Reform Act and would impose no 
costs on state, local, or tribal governments.
    S. 1293 would make it illegal to use electronic mail to 
send deceptive or unauthorized messages regarding commercial 
products or services. Because the bill would establish a new 
federal crime, the government would be able to pursue cases 
that it otherwise would not be able to prosecute. However, we 
expect that S. 1293 would apply to a relatively small number of 
offenders, so any increase in costs for law enforcement, court 
proceedings, or prison operations would not be significant. Any 
such costs would be subject to the availability of appropriated 
funds.
    Because those prosecuted and convicted under S. 1293 could 
be subject to civil and criminal fines, the federal government 
might collect additional fines if the legislation is enacted. 
Collections of civil fines are recorded in the budget as 
revenues. Criminal fines are recorded as revenues, then 
deposited in the Crime Victims Fund and later spent. CBO 
expects that any additional revenues and direct spending would 
not be significant because of the small number of cases 
involved.
    In addition, persons prosecuted and convicted under the 
bill also could be subject to the seizure of certain assets by 
the federal government. Proceeds from the sale of such assets 
would be deposited in the Assets Forfeiture Fund and spent from 
that fund, mostly in the same year. Thus, enacting S. 1293 
could increase both revenues deposited into the fund and direct 
spending from the fund. However, CBO estimates that any 
increased revenues or spending would not be significant.
    The CBO staff contact for this estimate is Mark Grabowicz. 
This estimate was approved by Peter H. Fontaine, Deputy 
Assistant Director for Budget Analysis.

                   VIII. Regulatory Impact Statement

    In compliance with paragraph 11(b)(1), rule XXVI of the 
Standing Rules of the Senate, the Committee, after due 
consideration, concludes that S. 1293 will not have significant 
regulatory impact.

                      IX. Changes in Existing Law

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
S. 1293, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

UNITED STATES CODE

           *       *       *       *       *       *       *


                TITLE 18--CRIMES AND CRIMINAL PROCEDURE

Part                                                             Section
    I. CRIMES.................................................         1
     * * * * * * *

                             PART I--CRIMES

Chapter                                                          Section
    1. General provisions.....................................         1
     * * * * * * *
    47. Fraud and false statements............................      1001
     * * * * * * *

                 CHAPTER 47--FRAUD AND FALSE STATEMENTS

Sec.
1001. Statements or entries generally.
     * * * * * * *
1036. Entry by false pretenses to any real property, vessel, or aircraft 
          of the United States or secure area of any airport.
1037. Fraud and related activity in connection with electronic mail.
     * * * * * * *

Sec. 1036. Entry by false pretense to any real property, vessel, or 
                    aircraft of the United States or secure area of any 
                    airport

    (a) Whoever, by any fraud or false pretense, enters or 
attempts to enter--
          (1) any real property belonging in whole or in part 
        to, or leased by, the United States;

           *       *       *       *       *       *       *

    (c) As used in this section--
          (1) the term ``secure area'' means an area access to 
        which is restricted by the airport authority or a 
        public agency; and
          (2) the term ``airport'' has the meaning given such 
        term in section 47102 of title 49.

Sec. 1037. Fraud and related activity in connection with electronic 
                    mail

    (a) In General.--Whoever, in or affecting interstate or 
foreign commerce, knowingly--
          (1) accesses a protected computer without 
        authorization, and intentionally initiates the 
        transmission of multiple commercial electronic mail 
        messages from or through such computer;
          (2) uses a protected computer to relay or retransmit 
        multiple commercial electronic mail messages, with the 
        intent to deceive or mislead recipients, or any 
        Internet access service, as to the origin of such 
        messages;
          (3) falsifies header information in multiple 
        commercial electronic mail messages and intentionally 
        initiates the transmission of such messages;
          (4) registers, using information that falsifies the 
        identity of the actual registrant, for 5 or more 
        electronic mail accounts or online user accounts or 2 
        or more domain names, and intentionally initiates the 
        transmission of multiple commercial electronic mail 
        messages from any combination of such accounts or 
        domain names; or
          (5) falsely represents the right to use 5 or more 
        Internet protocol addresses, and intentionally 
        initiates the transmission of multiple commercial 
        electronic mail messages from such addresses;
or conspires to do so, shall be punished as provided in 
subsection (b).
    (b) Penalties.--The punishment for an offense under 
subsection (a) is--
          (1) a fine under this title, imprisonment for not 
        more than 5 years, or both, if--
                  (A) the offense is committed in furtherance 
                of any felony under the laws of the United 
                States or of any State; or
                  (B) the defendant has previously been 
                convicted under this section or section 1030, 
                or under the law of any State for conduct 
                involving the transmission of multiple 
                commercial electronic mail messages or 
                unauthorized access to a computer system;
          (2) a fine under this title, imprisonment for not 
        more than 3 years, or both, if--
                  (A) the offense is an offense under 
                subsection (a)(1);
                  (B) the offense is an offense under 
                subsection (a)(4) and involved 20 or more 
                falsified electronic mail or online user 
                account registrations, or 10 or more falsified 
                domain name registrations;
                  (C) the volume of electronic mail messages 
                transmitted in furtherance of the offense 
                exceeded 2,500 during any 24-hour period, 
                25,000 during any 30-day period, or 250,000 
                during any 1-year period;
                  (D) the offense caused loss to 1 or more 
                persons aggregating $5,000 or more in value 
                during any 1-year period;
                  (E) as a result of the offense any individual 
                committing the offense obtained anything of 
                value aggregating $5,000 or more during any 1-
                year period; or
                  (F) the offense was undertaken by the 
                defendant in concert with 3 or more other 
                persons with respect to whom the defendant 
                occupied a position of organizer or leader; and
          (3) a fine under this title or imprisonment for not 
        more than 1 year, or both, in any other case.
    (c) Forfeiture.--
          (1) In general.--The court, in imposing sentence on a 
        person who is convicted of an offense under this 
        section, shall order that the defendant forfeit to the 
        United States--
                  (A) any property, real or personal, 
                constituting or traceable to gross proceeds 
                obtained from such offense; and
                  (B) any equipment, software, or other 
                technology used or intended to be used to 
                commit or to facilitate the commission of such 
                offense.
          (2) Procedures.--The procedures set forth in section 
        413 of the Controlled Substances Act (21 U.S.C. 853), 
        other than subsection (d) of that section, and in Rule 
        32.2 of the Federal Rules of Criminal Procedure, shall 
        apply to all stages of a criminal forfeiture proceeding 
        under this section.
    (d) Civil Remedies.--
          (1) In general.--The Attorney General, or any person 
        engaged in the business of providing an Internet access 
        service to the public aggrieved by reason of a 
        violation of subsection (a), may commence a civil 
        action against the violator in any appropriate United 
        States District Court for the relief set forth in 
        paragraphs (2) and (3). No action may be brought under 
        this subsection unless such action is begun within 2 
        years of the date of the act which is the basis for the 
        action.
          (2) Attorney general action.--In an action by the 
        Attorney General under paragraph (1), the court may 
        award appropriate relief, including temporary, 
        preliminary, or permanent injunctive relief. The court 
        may also assess a civil penalty in anamount not 
exceeding $25,000 per day of violation, or not less than $2 or more 
than $8 per electronic mail message initiated in violation of 
subsection (a), as the court considers just.
          (3) Other actions.--In any other action under 
        paragraph (1), the court may award appropriate relief, 
        including temporary, preliminary, or permanent 
        injunctive relief, and damages in an amount equal to 
        the greater of--
                  (A) the actual damages suffered by the 
                Internet access service as a result of the 
                violation, and any receipts of the violator 
                that are attributable to the violation and are 
                not taken into account in computing actual 
                damages; or
                  (B) statutory damages in the sum of $25,000 
                per day of violation, or not less than $2 or 
                more than $8 per electronic mail message 
                initiated in violation of subsection (a), as 
                the court considers just.
    (e) Definitions.--In this section:
          (1) Commercial electronic mail message.--The term 
        ``commercial electronic mail message'' means any 
        electronic mail message the primary purpose of which is 
        the commercial advertisement or promotion of a 
        commercial product or service (including content on an 
        Internet website or online site operated for a 
        commercial purpose).
          (2) Computer and protected computer.--The terms 
        ``computer'' and ``protected computer'' have the 
        meaning given those terms in section 1030(e) of this 
        title.
          (3) Domain name.--The term ``domain name'' means any 
        alphanumeric designation which is registered with or 
        assigned by any domain name registrar, domain name 
        registry, or other domain name registration authority, 
        and that is included in an electronic mail message.
          (4) Header information.--The term ``header 
        information'' means the source, destination, and 
        routing information attached to an electronic mail 
        message, including the originating domain name, the 
        originating electronic mail address, and technical 
        information that authenticates the sender of an 
        electronic mail message for network security or network 
        management purposes.
          (5) Initiate.--The term ``initiate'' means to 
        originate an electronic mail message or to procure the 
        origination of such message, regardless of whether the 
        message reaches its intended recipients, and does not 
        include the actions of an Internet access service used 
        by another person for the transmission of an electronic 
        mail message for which another person has provided and 
        selected the recipient electronic mail addresses.
          (6) Internet access service.--The term ``Internet 
        access service'' has the meaning given that term in 
        section 231(e)(4) of the Communications Act of 1934 (47 
        U.S.C. 231(e)(4)).
          (7) Loss.--The term ``loss'' has the meaning given 
        that term in section 1030(e) of this title.
          (8) Message.--The term ``message'' means each 
        electronic mail message addressed to a discrete 
        addressee.
          (9) Multiple.--The term ``multiple'' means more than 
        100 electronic mail messages during a 24-hour period, 
        more than 1,000 electronic mail messages during a 30-
        day period, or more than 10,000 electronic mail 
        messages during a 1-year period.

                                
