As I write this (Nov. 30, 2003), both houses of Congress have passed the so-called "CAN-SPAM" bill, and President Bush has declared his intent to sign it. The results will be disastrous. The bill should properly be called the "You Can Spam" bill.
What does it offer us? According to Representative Heather Wilson, Americans "will have the right to say 'Take me off your list, I don't want this in my house.'" We have the right to say that right now -- for all the good it does us. But once this bill becomes law, we will be expected to say that -- over and over again to each new spammer that invades our mailbox. And since most spam operations have their Internet presence outside the United States, our government won't be able to do a thing to stop them. The bill overrides state laws such as California's, which currently make spamming illegal, and gives spammers permission to flood people's mailboxes as long as they provide an "opt-out" procedure. Aside from setting aside state laws, the existence of this law will constitute a federal endorsement of spamming that follows its guidelines, and probably make it very difficult to sue spammers for the costs which they impose on unwilling recipients.
But opting out is as bad an idea as it ever was. While I've never seen conclusive evidence for the claim that responding to opt-out addresses actually increases your spam, there is no reason to believe that it decreases it. Even US-based spammers, who are bound by the law, will be very difficult to track; if the spammer spends $10 to register a new domain, how can you tell it's the same one you told to stop sending you mail the week before?
The bill provides for, but doesn't mandate, a national "don't spam me" list. It would be foolish to submit addresses to this list. Even if every spammer in the US respects it (which is doubtful), no spammer outside the US is bound by it -- and it represents a huge collection of email addresses, all conveniently available in one place, probably at no cost. Posting your address in any public place on the Internet -- on a newsgroup, in a Web page, on a mailing list which is archived on the Web, or on a public "opt-out" list -- is an invitation to be spammed.
The bill prohibits spamming address lists, if the spammer knows that they were obtained by automated procedures ("harvesting"). But if someone in China sells a CD of addresses and just doesn't bother to mention how they were gathered, or falsely claims (as is frequently done) that it's an "opt-in" list, the spammer appears to be off the hook.
Most of the provisions of the bill are specific to commercial email, instead of addressing the issue as one of unsolicited bulk mail. This raises First Amendment issues, and depicts the spam problem as one of unsolicited commercial mail (UCE) rather than the sheer data burden of UBE, unsolicited bulk mail. Spam is fundamentally the same problem whether it's from sex-aid pushers, nonprofit organizations, or politicians; it burdens end users and carriers with huge amounts of mail that no one wants. While fraudulent spam raises additional concerns, there is no reason to draw a distinction between commercial and non-commercial spam.
On the positive side, the bill does contain provisions prohibiting some of the falsified headers and deceptive subject lines which are commonly found in spam. This may help to bring criminal action against the spammers who engage in "joe jobs" -- defamatory campaigns of sending bulk mail that appears to come from the intended defamation victim. It may also make it easier to filter out a certain percentage of spam, even as it makes filtering a necessity.
A great deal of misinformation about this bill has been circulated on the Internet. There have been claims that this bill will stop spam, and claims that it prohibits private companies from refusing to provide services to spammers. Both are false. No matter how bad a piece of legislation is, hysteria and exaggeration don't help to cast light on it. In the December 2 revision of this page I've corrected some previous errors which I had made, principally with regard to the harvesting provisions.
There is little to be done except to exercise the standard cautions more stringently than ever. Avoid letting your email address become visible to the public on the Internet. Don't give your email address to businesses you don't absolutely trust, or use a special address which you don't care much about just for that purpose (free mail services are good for that). Consider "whitelist" filtering -- setting up your account to accept mail only from senders whom you have approved. But be careful -- certain spammers offer whitelist services, and gather every address confirmation which passes through their hands for spamming. You'll become unpopular quickly if people discover that your spam protection is at their expense.
As I have written before, spam is not the kind of problem which governments can deal with effectively; it is too diffuse and internationalized for governments to do more than a little about. You might as well outlaw disease bacteria (which I'd say have many similarities to spammers, except that the Bacteria Anti-Defamation League would complain). Technically, spam is a security problem, and the primary means of solving it needs to be a technical one. The anti-fraud positions of the YOU-CAN-SPAM bill are good, but are greatly outweighed by the sanction which the bill gives to spamming.
Note, February 21, 2004: As expected, spammers are starting to claim that their mailings are authorized by the "Can Spam Act." Those which I've seen are fraudulent; for example, ecom-universe.net uses forged IP addresses and spams harvested addresses, both violations of the law, while claiming its protection.
Return to Gary McGath's self-defense page