Think Globally, Block Locally

MILLBRAE, Calif. — Spam is a global problem: Even though most of it originates in the United States, the bulk of it
is sent from overseas on behalf of American spammers. Is law or technology the best way to solve the problem?

That’s the question considered by privacy experts at a conference called “International Spam Law & Policies:
The Global Case.” Most speakers firmly came down against legislation, promoting a mix of private legal action and

The conference, held here Thursday, was sponsored by the Institute for Spam and Internet
Public Policy, an industry organization providing analysis, information and consulting.

Depending on which anti-spam provider you ask, spam represents 65 percent to 79 percent of all messages. The
United Nations estimates the figure will reach 98 percent of all e-mail by the end of next year if current
trends continue and if the economics of spam remain unchanged.

In a survey conducted by Osterman Research, U.S. businesses differed from international companies on the best
way to deal with spam.

According to Michael Osterman, president of the research firm, 45 percent of those surveyed
in the United States thought technology could solve most of the problem, compared to
25 percent of companies abroad. Only 53 percent of global companies thought there should be a single set of anti-spam
laws worldwide, with 42 percent in the United States agreeing.

While the International Telecommunication Union has a proposal for harmonizing
international anti-spam laws, Osterman said, “Even a
harmonized set of laws internationally will not be as effective as technology solutions. The best anti-spam
legislation can stop no more than 5 percent of spam, while the worst spam-blocking technology stops at least 80 percent.”

John Levine, co-chair of the Anti-Spam Research Group of the Internet Research Task Force, reported on the
recent United Nation’s anti-spam World Summit on the Information Society meeting.

“We need technology to make laws more enforceable,” he said, adding that, after
considerable political horse-trading, the group agreed that spam is “really, really bad.”

It’s particularly bad
for less-developed countries, because they still have expensive internet connections, so spam costs them more. Also,
he continued, their citizens aren’t as informed about the Internet, so they can more easily be victimized
by spam and Internet
fraud. For example, in Africa, spammers sell fake AIDS drugs.

All countries have laws against fraudulent spam, but Levine said there needs to be more cooperation to catch
the bad guys, such as the recent
memorandum of understanding (MOU)
deal inked by the United States, the UK and Australia.

“Simply knowing who to call up to subpoena the records for a domain sending spam is a good start,” he said.

At the meeting, less developed countries were in favor of one grand agreement, while most developed countries
preferred smaller, individual agreements, such as the MOU.

Levine said that while most spam originates from the United States, it’s sent under contract from other countries,
where stuttering economies, technically educated workers and lax laws make contracts to send spam attractive
business propositions. For example, he continued, there’s reason to believe that most of the viruses showing up are custom
written in Russia, where there are lots of underemployed programmers who need all the work they can get and no
laws to stop them. China, as well, has been a major generator of spam sent under contract with American spammers.
Now, Levine said, these countries are beginning to understand that spam isn’t a viable long-term development strategy.

“But they have a huge base of contract spammers to clean up.”

Jean-Christophe Le Toquin, an attorney for Microsoft Europe-Middle East-Africa (EMEA) in charge of coordinating
its anti-spam efforts in the region, said there is definitely a small EU-based industry, with spammers blasting out
their own messages rather than subcontracting. In some cases, Le Toquin said, these are small companies that aren’t
aware that their activities are unacceptable.

Microsoft has taken the legal route, bringing several legal actions against spammers in the
EU, using a variety of legal grounds. The EU’s Data Protection Act and consumer protection laws are by far the most
efficient and deterrent legal grounds, Le Toquin said. But they’re not relevant for ISPs. Most of Microsoft’s suits
are based on breach of contract and trademark infringement laws, which also can be used when spam is sent from a
fake Hotmail account. Property right laws can be used for a complaint against someone who sends spam to an ISP.
Microsoft has experimented with other laws, such as bringing an unfair competition action on behalf of Hotmail.

Microsoft was awarded a record amount of civil damages for Europe in a case it brought with AOL; it’s also won
actions against a cell phone store and an individual. He said ISPs that pool their resources can be more effective.

But cases against spammers who cross international borders can be tough to win, Le Toquin said, and ISPs have
to choose their battles.

Microsoft recently failed in a case against 52 Nigerian citizens living in the Netherlands
whom it suspected of perpetrating the “Nigerian widow” scam; the court ruled that e-mails generated from their home
computer wasn’t strong enough evidence to convict them of a crime that would have led to deporting them. The strongest
cases, he said, can be made against spammers who spam within their own countries.

So far, Microsoft hasn’t been able to identify enough strong leads. It’s pushing for a European database of
complaints. “Everybody wants to do something, but nobody wants to spend money, so it makes it difficult,” Le Toquin
said. Having one tool for many nations would minimize the cost and allow suits to be brought across borders.

In the mid 1990s, a Canadian ISP successfully sued a spammer using trespass laws, but the Canadian government
only began looking at the problem in 2000, according to Neil Schwartzman, chair of the Coalition Against Unsolicited
Commerce E-mail Canada. A year ago, the government formed a committee that developed a plan that starts with
legislation and enforcement.

“We’re examining existing policy to see how it applies to spam and initiating actions where possible. Then,
we’ll determine if we need new legislation, rather than going for the knee-jerk reaction of writing a new law.”

The plan also includes information sharing, such as white and black lists. He said one legislator’s attempt to
mandate certain types of block lists and spam filtering technology was misguided.

“Laws are fine, technology is fine, international negotiations are fine,” Schwartzman said. “But until we get
Joe and Jane Public educated as to how to secure their computers, we’ll continue to have vast difficulties
controlling the problem of spam. The virus writers did update their viruses today. The responsibility
lies with the ISP and the consumer to shut these things down.”

News Around the Web