On Thursday, I went to the Institute for Spam and Internet Public Policy (ISIPP) conference on spam, the International Spam Law and Policies: The Global Case. This conference was run by the simply amazing Anne Mitchell, who organized every detail. Read on for my notes...
Each speaker had about 45 minutes, and most were at least leaning toward spam policy. There was much less focus on the technical than at CEAS later in the weekend, which also included a good deal of policy. My choice for the best speech goes to Jon Praed, a last-minute addition. So I will write my notes on his speech first, even though it was actually last.
Jon Praed is a Yale Law graduate and founder of the Internet Law Group. His firm has represented AOL and other clients in civil lawsuits against spammers for years. Praed started out with a few points that would have been nice to see earlier in the conference, but he made them well: spammers are nothing more than crooks, and both filters and enforcement are needed to stop spam. In defending a legal approach, blasted earlier in the conference, he noted that murder laws do not stop murder. Instead, the law has a deterrent effect and gives society a moral way to deal with violations after the fact.
Praed outlined his huge victories against spammers, noting that though the effect may not have shown up in inboxes, he has saddled spammers with huge amounts of non-dischargeable debt. Even bankruptcy could not stop these obligations. He also measured the success of legal action with anecdotal evidence that the spam industry, starting with pornography, has started moving assets and presence offshore.
He analogized his legal approach to a knife fight. He was not trying to kill spammers exactly, just to make them bleed and rattle them enough to quit fighting. His legal claims usually involve fraud, and he made a great summary of some high profile cases with some great precedent, noting the ability to sue where spam lands, to break webmaster affiliates, and to punish spammers with bad faith in discovery. His anecdotes about these characters were clever, and his often subtle responses to barbs against law were intelligent and convincing.
At the end of his talk, Praed discussed zoning of the Internet to avoid lawless or unsavory areas, but the real takeaway point was his victories. At the end of his talk, this group felt like Praed and those similar to him were worth rallying around.
Michael Osterman is a consultant on spam policy. His PowerPoint presentation threw out lots of surveys, and he used his rather convincing statistics in a coherent crescendo, concluding that (1) spam legislation does not work and (2) the best laws block 5% of spam while the worst technology blocks 80% of spam.
This was a case against legislation and for more technology, despite his own deafeningly grumbling statistics about current IT costs for processing spam (2.7 full-time IT staff per 1000 e-mail users, costing $175 in staff plus $26 in software per user per year). Osterman suggests continuing--escalating even--the spam arms war and not relying on legislation; he claims we “have to change the economics of spam,” and only then will direct marketing change. He does not believe postage-style implementations will work, but believes that the sophistication of spam filters can at some point in the future outpace the cleverness of spammers.
John Levine is a great speaker who gives plenty of talks about spam (and spyware). He claims to be both political and technical, meaning he views all approaches to spam as "equally bad." He talked at length about the ITU conference about spam, which was widely reported to be at the UN. ITU was actually founded before the UN to coordinate telegraph systems but is now a UN agency. The consensus, he claimed, was that (1) spam is bad, (2) most spam is already illegal, e.g. fraudulent, (3) law enforcement must cooperate, (4) IT professionals need education, and (5) the world needs model laws.
After outlining some spam hotspots, Levine discussed what identity means to e-mail. With a set of clever comparisons to the real world, Levine claimed that there is no way to determine identity online. After expressing some skepticism about the MADRID/LMAP plans, he proposed a reputation system based on practices and behavior of domain names. In this system, whitehat.net should be rated highest, hotfarmbabes.ws lowest, with somewhat questionable mailers such as gevalia.com somewhere between. This system would require lawyers and technologists to establish a reputation clearinghouse, like a credit bureau with systems to challenge rankings and ensure data is impartial, unlike the current whitelists and blacklists.
Jean-Christophe Le Toquin is counsel for Microsoft in France; he supervises spam efforts in Europe, Middle East, Africa. His discussion of spam prosecution started with creative, actually used legal strategies which seem overly academic, even in theory: property rights, unfair competition, tort liability, computer misuse, database right management. He noted a Microsoft win in a European ruling that pornographic spam was unfair competition against Hotmail.
Le Toquin outlined the Consumer Law and Data Protection as relevant to the debate, but he was pessimistic about consumer complaints because of poor enforcement. He heralded a MS joint lawsuit with AOL France, which won €22,000. Though quite a small award, he acknowledged, it was a record award against an individual. Also, Microsoft "didn’t want to kill his business because he was selling electric scooters." This was also the only joint lawsuit in the same case and the first case to involve the reluctant French Data Protection Authority. Two other victories were for €53,000 in Denmark, and a €20,000 SMS award.
He discussed the difficulty of gathering evidence in these cases. To get sufficient information, Microsoft had to establish honeypots (which he called "trap accounts") and rely on other unreliable sources of data. He referenced a case pending in South Africa and problems tracking the origin of Nigerian spam. He showed the audience the Hotmail-based system of managing the monstrous amount of data, attorney contact information, complete with folders for each active country. Le Toquin claims the EU spam fight needs a European database of spam complaints, ultimately becoming an international database. Microsoft's problem in spam prosecutions is a shortage of data, he claims.
This presentation was more interesting in what it was missing. Though he mentioned national authorities and European Commission efforts, he did not even mention the groundbreaking Directive on Privacy and Electronic Communications by name. He did not even discuss whether this revolutionary and quite strict set of laws, in effect for ten months now, has changed Microsoft’s outlook on managing spam. As he acknowledged, CAN-SPAM gives Microsoft in Washington a right of action, so it does not require this kind of, um, creativity in prosecutions. It is sadly ironic that a unified international body with such a strong stand on spam, requiring opt-in, privacy, and data protection is still relying on chattel theory for spam prosecution. This seems to really undermine the previous speakers' calls for model legislation. The EU model legislation is even stronger than that; it is from an inflexible mandatory directive. Yet nothing seems to have worked, and based on this presentation, you would think that despite consensus, annoyance and burdens from spam, and good model legislation no solution has manifested. Or perhaps this presentation just made the EU appear to be in 1999 in spam prosecution.
Neil Schwartzman wears many hats: SpamNEWS, Canada CAUSE, Canadian Anti-Spam Task Force. His sketch about Canadian spam history highlighted an old case won by an ISP for computer trespass. He bemoaned the lack of action by Canadian government agencies and the inadequate action plan based on administrative orders. He expressed some hope that policy will soon change, following the Task Force’s decisions, “despite a decade of doing nothing.” In part, Canada plans to examine existing legislation to see how it may apply to spam, initiate cases, and then evaluate effectiveness after a year.
Schwartzman’s largest caveat to spam action was that much spam is routed through zombie networks, insecure computers infected with viruses by spammers. This, he claims, can make it impossible to find a spammer. He also blames the lack of complaints and of data for government agencies to act. Canada is now setting up honeypots (he called them "reverse engineering") to gather data.
In Canada, an e-mail address is private data which cannot be transferred without permission. Schwartzman claimed even Air Canada leaked his address, but stopped after a complaint. He then extolled the virtue of the Canadian porn industry, which didn’t quite seem sarcastic until he explained his test case against a pornographer who might be trading private data.
This speech seemed strange in a similar way to the previous EU speech. Is Canada really just starting test cases about spam in 2004? This really made Canada look like it is dragging its feet, but in fairness Canada has already litigated plenty about spam with mixed results and Prof. Geist claims Canadian law already applies to most spam.
Scott Frewing litigates Computer Fraud and Abuse Act and other cases for Baker & McKenzie. He discussed issues about transfer of private information and speech issues, which affect non-profits and individuals also. Mailers have to deal with hundreds of jurisdictions. Frewing described that spam law is hard to enforce because of how difficult it is to gather international data, even in a criminal context. Most cases, even after CAN-SPAM, are combined with other offenses to give a traditional prosecution cause. CAN-SPAM still doesn’t solve collection and jurisdiction problems. Frewing notes that though CAN-SPAM provides no private right of action, many traditional causes of action remain for individuals: Lanham Act, chattel, conversion for individuals, trademark, copyright, unfair business practices.
William Plante is the Director of Symantec Security and Brand Protection. He presented a slew of unsurprising Symantec/Brightmail statistics about how much spam there is, where it comes from, and what language it is in. After questioning the effectiveness of best practices, he reminded the audience about the problem of zombie networks. He had some good insight into phishing methods and ways to avoid them.
Michael Grow of Arent Fox was one of the first spam litigators. His clever and knowledgeable analysis of the legal answer to spam noted that the rights likely to be infringed are intellectual property. Most complaints are for infringement in trademark, trade dress, or copyright.
He outlined trademark violations in spam. It is not enough to have a disclaimer that an e-mail is not affiliated with a registered trademark. The test for misuse of a trademarked logo, domain, etc. is a likelihood of confusion. Exact imitation or counterfeiting has harsh penalties, and often it is possible to recover fees. Unregistered trademarks are protected if the message contains false statements. Famous marks, including domain names, are also protected by trademark dilution regulation. Cybersquatting statutes also prevent close domain names to sell competing products by spam. State intellectual property laws and trademark common law can be even stronger. They at least usually have similar trademark remedies requiring state and not federal registration.
Copyright theory used against spam has had mixed results. The WhenU and Gator pop-up battle has had mixed results with respect to whether pop-up ads are a violation of the copyright of the website. Using a famous person’s name or persona could also trigger liability under the right of publicity or right of privacy. Grow also gave a great primer on jurisdiction for international cases, particularly in trademark. He outlined some interesting cases about international infringement and summarized cases around the world.
Ian Sweedler, the California Deputy Attorney General, told a riveting story about his first spam prosecution long before CAN-SPAM. After finding a California spammer, he had to locate California users who received the e-mail, serve a reclusive violent defendant, and prove a technically difficult case line by line. Shutting down a small southern California spammer took months and plenty of technical expertise. Sweedler expressed some confidence in the deterrent nature of spam law, but noted how difficult it was to prove most elements of the then-current California spam law.
Matthew Prince of John Marshall Law School and Unspam was technically speaking about European spam law, but that part of the talk actually had the least data (none) and the least time. Prince went through a brief history of state spam law and then blasted CAN-SPAM as watering down the state law he previously showed to be ineffective yet viewed as the basis for all subsequent law including CAN-SPAM. He claimed federal spam law pitted individual state sovereignty against the commons, and argued for a patchwork of laws. He used nation-states as the examples to affirm states’ right to make spam laws. He analyzed “jurisdictional hooks” used to impose laws on senders to a set of addressees. He viewed these listings of users, in Washington state for example, as a good way to notify senders of the jurisdiction they are entering. He suggested that domains (address@host.kr) could be markers for geography and corresponding jurisdictions.
Prince made a great deal of generalizations about European spam law and attitudes to spam. Among other claims, he claimed Europeans were less concerned with governments having access to private data and that they receive less spam. These generalities were intended to be anecdotal, I believe, and his legal analysis did not refer to any part of the Directive on Privacy and Electronic Communications. He then praised the Australian spam law without noting any real differences between it and the EU and projected future spam law would be modeled on Australia.
He outlined a model for whether a spam policy will be enforced (by state actors, I assume, since he praised the bureaucratic Australian model):
B_success – (C_identifying + C_prosecuting / P_success) – C_society
If the costs outweigh the benefit, he claimed, the law will not be enforced, so cases must have high perceived benefit or cost of evidence production and prosecution must be less. He threw some numbers into this equation, claiming they could be francs or dollars or “units”. These numbers were scaled strangely; he initially chose 1000, 100, 200, .2, and 50 for no apparent reason. He then tweaked the numbers to show how a policy might have positive benefit. Luckily, he did not attempt this feat of math for the technical audience at CEAS a few days later. This equation would have been much more convincing without arbitrary numbers which feel strangely rigged or perhaps with application to other unenforced law. As he advocated lowering costs by increasing “success” probability, he ignored a concept often discussed by spam experts: false positives.
The heart of Prince’s advice to mailers was that they make a good effort to comply with all laws. His example was that he did not speak Korean and could not read the Korean spam law, but he would do his best to comply with what he believed Korean law to be. This advice struck me as not especially meaningful and as a bit reckless coming from a lawyer, especially one that believes mailers should be responsible to inquire at a pile of registries subjecting them to any jurisdiction.