June
13, 2003, 9:45 a.m.
Stop This Today!
Unsolicited
E-mail vs. Unsolicited Legislation
By Clyde Wayne
Crews Jr.
n a heartfelt argument in favor of regulating the Internet to conquer
the out-of-control e-mail-spam problem, The
Weekly Standard's
Christopher Caldwell took on policymakers' hands-off stance toward
the Internet, saying, "Libertarianism has proved an attractive creed
for the Internet generation in its lifestyle variant of live-and-let-live.
But as a market system it has proved a flop." Problems like spam
mean that "[a]n entire range of federal regulations is going to be
necessary if the Internet is to be kept usable."
Unsolicited commercial
junk e-mail, or "spam," is unquestionably a huge problem. Especially
the animal-kingdom porn; I have to shoo my kids out of the room when I check
any unfiltered e-mail accounts I use.
A
MAGIC PILL?
The increasingly apparent downside of an Internet on which you can contact
whomever you want is that anyone can contact you. Spammers, like the rest
of us, pay no postage or long-distance charges. Ultimately, the only resolution
is to shift costs back to the sender (as Caldwell suggests). The question
is whether the way to do that is legislatively, or through markets via
technology, pricing, industry consortia, or some combination.
There is a role for law. Peddling fraudulent merchandise, falsifying an
e-mail header, or impersonating somebody else (such as forging the name
of a person or organization as the sender of a spam), should be punished.
So should making phony "unsubscribe" promises and breaking agreements
with Internet-service providers (ISP) that prohibit bulk mailing. The
law also should go after those who invade computers, such as by launching
programs that hijack and send out spam from third-party computers. Some
abusive forms of spam seem related to hacking more than to commerce.
To a great extent, unfortunately, legislative solutions will be ignored
by the most egregious spammers, and alternative solutions are going to
become more urgent.
Maybe that's a blessing in disguise because even spam itself is not a
single dilemma and may require different responses anyway: For example,
solving the problem of kids seeing porn in your in-box is a different
than solving the problem of ISPs overwhelmed with Viagra ads.
Market solutions, unlike legislation, better lend themselves to cross-problem
application. For example, just as the emerging e-mail problem was anticipated
years ago, one might similarly predict problems emerging as costs imposed
on Internet-service providers by free file-sharing services like Kazaa
escalate. Spam (getting stuff) and piracy (taking stuff) alike are partly
fostered by a pair of broader features: The lack of tiered pricing for
network use, and the ability to hide one's identity or origin online.
The Internet's "all-you-can-eat" buffet may need to end for
email and file-sharing alike, which is a different proposition from passing
a law. And changing Internet plumbing to allow verification of sender
origin doesn't aid just the spam problem but also cybersecurity and hacking
concerns that industry needs to address perhaps more urgently even than
spam.
The Internet wasn't originally designed to be the mass commercial and
consumer medium that it is today. If one were to design a commercial network
today from the bottom up, it would probably incorporate authentication
of the senders of e-mail. That seems to be something law cannot do. Now
that we're in midstream, we wonder if law can get us there, or must technology
do it? Might legislation even impede that end?
Aside from basic rules of the road, we don't want legislation to stand
in for what ought to be (perhaps must be) a technical or market-driven
fix. But one thing is clear: If the industry doesn't solve such problems,
the law will step in, in ways some proponents may come to regret.
Proposed spam legislation, for example, would impose subject-line labeling
requirements for commercial e-mail (commercial messages would have to
say "ADV"); mandate an "unsubscribe" mechanism; ban
the use of software capable of collecting emails from the Internet; set
up stiff noncompliance fines; and establish an expensive (and likely hackable
and perhaps worse-than-useless) Do-Not-Spam list at the Federal Trade
Commission.
If a law sends the most offensive and egregious spammers offshore to continue
hammering us, all we'll have accomplished will be legal and regulatory
hassles for small businesses trying to make a go of legitimate e-commerce,
or mainstream companies that already follow "best practices"
like honoring "unsubscribe" requests. Commercial e-mail, even
if unsolicited, may be welcome if the sender is selling legal and legitimate
products and services in a non-abusive manner. Most of us can agree on
the outrageousness of the porn that hits our family in-boxes. But, on
the other hand, thousands of people bought "The World's Smallest
Radio-Controlled Car" at Christmastime.
Proposed legislative penalties can easily be onerous or expansive enough
to keep many businesses out of Internet marketing altogether, out of fear
of a misstep. Is that really our goal? Regulating the ability to communicate
freely isn't something to be done lightly.
FAST
FWD:
As the market works to shift costs of commercial e-mail back to the sender,
we must be on guard against unintended consequences, especially given
the difficulty of enforcing legislation against the actual culprits. How
might the definition of "spam" expand? Is it just "bulk
unsolicited commercial" mail, or is it "anything you didn't
ask for?" However tailored much of today's legislation tries to be,
many believe it's the latter and want to go further.
What will be the consequences of legislation be for noncommercial e-mailers
like nonprofit groups that send in bulk? If we need "ADV" for
commercial advertisements, then what about "REL" for religious
"spam" like a piece I got the other day about the coming apocalypse?
Many things aren't commercial but are still unwanted: press releases,
resume blasts, and charitable solicitations. I've even seen the term "scholarly
spam" for material like that sent by organizations like my own.
Notably, politicians exempt themselves as possible offenders under anti-spam
legislation, remaining free to send us "junk" campaign material.
Will orthodox anti-spammers put up with unsolicited political e-mail?
If not, that means further regulation of political speech.
And don't discount the creativity of lawyers looking to sue easy marks,
given the fact that the bad guys will often be out of reach. Will lawyers
go after newsletters that contain embedded ads but that might have failed
to put "ADV" in the subject line? What about small startups
that occasionally slip up when implementing "unsubscribe" requests?
What about those of us who occasionally send an e-mail to strangers with
a link to our company affiliation in our e-mail signature line, in the
vague hope that someone will click on it, or will forward it to somebody
who will? That's a subtle solicitation, whether we admit it or not.
Aggressive pop-up ads may become targets in the aftermath of spam legislation,
too (they already are in Germany). They're not e-mail. But they are unsolicited
and commercial, and getting more insistent than ever, employing animation
and sound. But like e-mail, pop-ups can be essential for survival to some
online businesses.
Legal bans on "pseudonymous" e-mail return addresses, as well
as bans on software capable of hiding such information, can affect untrammeled
speech and anonymity for individuals, and will be ignored by spammers
anyway. Well-meaning individuals can use "spamware" to create
the contemporary version of the anonymous pamphlets that have played such
an important role in our history. Safeguarding anonymity can be important
to a mass communications tool like e-mail. In an era in which so many
people are concerned about online privacy, legislation outlawing software
that can protect such privacy would be curious indeed.
That said, while I don't want the government to outlaw anonymity and private
e-mailing online, the private sector may prohibit it on private networks
if that's what canning spam requires.
Another worrisome issue is the tendency of legislation to set up "rules"
for advertising. I want to permit ruthless blocking by ISPs. Would anti-spam
laws get in the way of such blocking if government sets up minimum standards
for e-mail solicitation, such as using "ADV" and providing a
street address? What if a bulk mailer obeys the law and allows opt-out
but the ISP would prefer not to deal with them?
Either the industry
or Congress can set terms, but hardly both. The
Coalition Against Unsolicited Commercial Email indicated in the New
York Times that it regards some proposed legislation as a license
to spam: "ISPs won't be able to terminate spammers if they spam with
their real address." Surely, post-legislation, marketers will feel
that they have met federal requirements and therefore ISPs have no right
to block their messages. (One commenter said the "CAN SPAM"
bill meant that you "can spam.") In that environment, would
advertisers then be able to sue whenever their mail gets filtered or blacklisted,
even in the absence of a contract with the ISP? Blacklists are one of
the key means of dealing with spam today. I'm obviously in no way opposed
to marketing online, but contracts, not legislation, must rule here. ISPs
must retain the right to end such unwanted relationships.
DIRECT
YOUR TRAFFIC
There's good news that's not widely enough known. If the desire is to
stop spam in personal inboxes, one can do it already, without legislation.
I use a so-called "handshake" or "challenge-and-response"
e-mail account that doesn't allow any e-mail through to me from strangers
unless they respond to a "challenge" (such as supplying a generated
password or answering a query). In over two years, I've never received
a spam in this account. That doesn't mean I won't. But because the most-offensive
spam is sent by automatic bulk mailing programs that aren't capable of
receiving a reply, spam no longer appears in the inbox. I happen to think
that whatever legislators do, white-lists or such challenge-style systems
are essential for children's accounts.
Changing the default expectation from today's "everything comes in
unless you say 'no'" to "nothing comes in unless you say "yes,"
seems a step forward rather than backward. There are costs to either approach,
of course. Business needs will be different from that of personal or home
use, and "challenging" customers who email them may be less
appropriate. But, then again, perhaps not. There may emerge a culture
of tolerance, an expectation that e-mailer recipients from now on will
ask, "Who's there?"
That isn't to say there aren't problems. Technology discussion groups
are abuzz over the problems that challenge-response systems pose for mailing
lists. But these issues appear transitory to me, and less problematic
than legislation in any event.
Eventually spambots may be capable of bypassing challenges. In that sense
the industry is in the position of the movie industry and its piratable
DVDs. They have some lead-time, but it's not clear how much. Meanwhile,
service providers need to get busy on standards, such as for authentication
of senders. Identifiers or ''seals'' for trusted commercial e-mail could
be a critical means of helping tomorrow's ISPs block unwanted e-mail,
but it could require major reworking of Internet protocols, and unprecedented
industry coordination. A new consortium including America Online, Microsoft,
and Yahoo to establish certified email would bolster this approach.
Such major overhaul of the Net architecture has been likened to widening
all the nation's roads six inches. It is a monumental undertaking. But
if it truly is the case that lack of authentication is at the root of
the spam problem, it's also likely that legislation doesn't directly solve
it. It may be that a system in which originators of messages remain anonymous
is altogether inappropriate for a commercial information society of tomorrow.
If so, neither is it appropriate to expect law to accomplish what ultimately
must be a technological and market undertaking.
Solving the problem may require "collusion" among service providers
of the very sort that is going to enrage the "open Internet"
advocates, and thus result in new hearings and scrutiny form Congress.
But Commissioner Orson Swindle of the Federal Trade Commission thinks
the industry can do far more to address the problem on its own, such as
by granting users more control over their inboxes. ISPs might also limit
the number of outgoing messages per subscriber account, for example. Yahoo
did it long ago and MSN Hotmail recently did so. Tiered pricing for email
and bandwidth itself may be in the offing. (The flat fees of today aren't
a fact of nature or a natural right.) Ultimately, email "postage"
or protocols that allow users or ISPs to charge fractions of a cent for
receiving unsolicited email would end spam once and for all. Bonded sender
programs are already being set up that might anticipate such a sea change.
IMPORTANT,
READ NOW
Leaving the avenue open for private, technical, and contractual solutions,
and avoiding laws that get in the way, is urgent. In embracing legislation
we're embracing collective "solutions" that may be hard to correct.
That's why, unlike Caldwell, I'd exercise far more caution before advocating
central planning for the Net, especially because his most immediate concern
— the hostile environment for kids — is easily solvable with
a challenge-and-response account or a white list. (That said, there's
still no substitute, nor can there be, for parents' supervision. E-mail
is just one concern. Other concerns are which websites kids are visiting,
and what that video clip was that Junior just downloaded from Kazaa.)
Given the understandable desire to stop outrageous unsolicited e-mail,
it is all too easy for Congress to undermine legitimate commerce, communications,
and free speech while not solving the problem. Hampering Internet commerce
would be pointless if spam continued pouring in from overseas. We don't
need more anti-spam organizations and legislative attempts. We need locked
inboxes, authentication, and perhaps "postage" to allow users
to customize their in-boxes to reflect their own conceptions of "spam."
Industry, get busy, please, before Washington does.
<% dim printurl
printurl = Request.ServerVariables("URL")%>
n a heartfelt argument in favor of regulating the Internet to conquer
the out-of-control e-mail-spam problem, 
