Spinning Can-Spam

The FTC says federal anti-spam legislation is effective. Experts disagree.

Is CAN-SPAM working to unclog enterprise inboxes? The legislation (technically known as the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003) was meant to stem the tide of spam. According to many experts, however, the law has had little or no effect.

Nevertheless, the Federal Trade Commission (FTC), which enforces CAN-SPAM and must report on the law’s effectiveness to Congress, last month released a report recommending no CAN-SPAM modifications, and essentially finding the law is working.

Many experts, however, disagree. “The fact that the CAN-SPAM Act has not been very effective is pretty obvious, but you have to start somewhere, and CAN-SPAM represents a bona fide start in the United States,” notes Eugene Schultz, director of research for The SANS Institute.

Even so, how did the FTC reach its conclusions? The commission says it interviewed a number of individuals and organizations, including “consumer group representatives, e-mail marketers, Internet service providers (ISPs), law enforcers, and technologists.” Furthermore, the FTC says it used “its compulsory process powers to require the nine ISPs that collectively control over 60 percent of the market for consumer e-mail accounts to provide detailed information concerning their experiences with spam.”

Based on those interviews, the FTC claims CAN-SPAM victory on two fronts. “First, the substantive provisions of the act have mandated adoption of a number of commercial e-mail ‘best practices’ that many legitimate online marketers are now following. Second, the act has provided law enforcement agencies and ISPs with an additional tool to use when bringing suit against spammers. The more than 50 cases brought to date by the FTC, the Department of Justice, state Attorneys General, and ISPs demonstrate CAN-SPAM’s enforcement efficacy.”

CAN-SPAM Reality Check

Yet are those two things actually CAN-SPAM victories? To the first point, CAN-SPAM requires companies sending e-mail to customers to include such things as company contact information, including a legitimate mailing address, and to honor opt-outs. Though these provisions may be followed by “many legitimate e-mailers,” the problem was never legitimate e-mailers but spammers. As Roland Grefer noted in a SANS newsletter posting last month, “I have yet to see even a single piece of CAN-SPAM compliant spam.” By contrast, if consumers need to know how to discontinue e-mail from an Amazon.com or eBay, they usually know where to go.

As to the effectiveness of CAN-SPAM as a prosecutorial tool, the jury is still out. “Certain state laws appear to have made spammers think twice about spamming, but not the federal CAN-SPAM Act,” notes Ferris Research analyst Richi Jennings. Even if CAN-SPAM has had an effect, that can’t be measured for at least several more years, until there have been more CAN-SPAM prosecutions, he says. Furthermore, “recent well-publicized punishments imposed on spammers—large fines and confiscations of property—came from prosecutions under state laws, such as those in Virginia.”

How Spam is Changing

Beyond claiming those two victories, the FTC does concede that “some aspects of the spam problem, such as its international dimension, have not changed materially since enactment of CAN-SPAM.” The FTC also claims that “the volume of spam sent over the Internet has begun to level off, and, even more significantly, the amount reaching consumers’ in-boxes has decreased, due to enhanced anti-spam technologies.”

While technology is improving, however, the assertion that spam is leveling off is false, says Jennings. “The number of spam messages sent continues to rise. It’s possible that spam might be leveling off as a percentage of all e-mail, but the number of legitimate messages is rising, too. That means the amount of spam is still rising.”

While people might be receiving less spam in their e-mail in-boxes, that has nothing to do with the FTC, he says. Rather, “it has everything to do with better spam filters protecting more inboxes.”

Making CAN-SPAM Better

More help is needed, especially in the international arena. As the SANS Institute’s Schultz argues, “The most critical advance in the war against spam would be to pass legislation in countries that currently have no anti-spam legislation.” Otherwise, spammers can simply move their operations to spam-enforcement-free zones.

To that end, the FTC recommends Congress pass the US SAFE WEB Act (yet another unwieldy acronym: Undertaking Spam, Spyware, and Fraud Enforcement with Enforcers Beyond Borders), which promotes international information sharing and enforcement. As this underscores, the FTC is moving to stop spam on multiple fronts.

So why is the FTC spinning CAN-SPAM’s effectiveness? Are bureaucrats afraid to tell Congress its CAN-SPAM law isn’t actually tough on spammers?

The twist is, the law may one day help. Furthermore, many experts concede that the law, while so far ineffective, is a necessary start. As Jennings notes, “Even though the FTC has made itself look foolish, CAN-SPAM isn’t all bad, as we’ve said several times before.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.