Can laws block spam?

Feb 24, 2004

* White paper looks at the ability of laws to stop spam

I just read a new white paper from Montreal-based Vircom, developer of Modus secure messaging products, on recent international anti-spam legislation efforts.

Entitled, “Can Laws Block Spam?” the paper quotes five experts on spam: Lindsay Barton, manager of online policy at the National Office for the Information Economy of Australia; Anne Mitchell, president and CEO of the Institute for SPAM and Internet Public Policy; Michael Osterman, principal of Osterman Research (and author of Network World’s Messaging Newsletter); Troy Rollo, chairman of the Coalition Against Unsolicited Bulk Email in Australia and executive director of the International Coalition Against Unsolicited Commercial Email; and Neil Schwartzman, editor and publisher of spamNEWS and chair of the Canadian Coalition Against Unsolicited Commercial Email.

The paper analyzes the CAN-SPAM Act in reasonable detail, but I have already pointed readers to that legislation and analyses of its weaknesses.

More interesting here is the analysis of the European Community Directive on Privacy and Electronic Communication Regulation 2003. This legislation provides for opt-in (not opt-out) restrictions on sending bulk e-mail. Much as with fax messaging, no one may initiate e-mail marketing without prior permission or prior business relationship – and there must be an easy way to refuse future junk e-mail at the time of initial data collection about an individual. In addition to enforcement actions initiated by the Information Commissioner in law courts, victims of spam may also sue for damages of up to £5,000 in cases heard before a judge (unlimited damages if heard before a jury). However, critics point out that the law does not regulate business-to-business spam, including spam sent to employees via their business e-mail addresses.

Another section covers the Australian Spam Act of 2003, which includes not only e-mail spam but also SMS junk messages. This law also advocates opt-in, in contrast with the U.S. approaches that depend on opt-out methods. There are clauses dealing with accurate origination addresses and restrictions on harvesting e-mail addresses automatically. Penalties are potentially much higher than in the U.S. or in Europe.

Although the Australian law has many admirable features, it founders on the reef of international spam. As commentators note in the white paper, national laws will inevitably fail to control spam sent from outside their borders. According to a U.N. Conference on Trade and Development report on the origins of spam in 2003, the sources of spam were:

* 58.4% U.S.

* 5.6% China

* 5.2% U.K.

* 4.9% Brazil

* 4.1% Canada

* 21.8% Other

On a side note, I have been receiving the most amazing junk e-mail from China lately – ads in comically bad English for everything from inflatable dolls the size of buildings to industrial flooring components and chemicals. Given that China has one-quarter of the world’s population and an economy that is growing at about 10% per year, this trickle bodes very badly for the future of our inboxes.

I think Osterman summed up the situation well in his commentary: “Spam legislation, while well intended, will not control spam alone. The only answer is to fight spammers with the same weapon they use: technology. The problem with spam will be better faced by IT staff than by legislators. To control spam, it must be rendered economically non-viable. Now that is difficult to achieve because it costs virtually nothing to send; however, if we can increase the cost of sending a spam message, we can make it nonviable and the only way we can do that is through the increased use of anti-spam tools… If an anti-spam filter can stop 95% of the spam that reaches an end user, the cost to the spammer of reaching that potential customer has risen by 20 times. Increasing the effectiveness of these filters to 97% increases the cost to the spammer by 33 times. The hope is that the potential revenue available to spammers drops by a corresponding amount, and equilibrium is reached.”

The Vircom White Paper is available through a simple registration process from
