• United States



by Jon Surmacz

Should We Can the CAN-SPAM Act?

Feb 02, 20053 mins
CSO and CISOData and Information Security

If theres money to be made, people will break the law to make it even on the Internet. Make that especially on the Internet. The CAN-SPAM Act, federal legislation that made certain unsolicited bulk e-mailing activities illegal, is just a little more than one-year-old. And although supporters can point to a few legal victories, the wins pale in comparison to the mounting costs of living with spam.

According to one estimate, spam will cost U.S. businesses about $17 billion in 2005 in lost productivity and network maintenance. A recent survey by Stanford University found that a typical Internet user spends about 10 working days a year dealing with spam. Figures from some anti-spam companies show that there is more spam today than there was before the legislation was passed. E-mail security firm Postini reported at the beginning of 2004 that about 22 percent of all e-mail it monitored was legitimate (78 percent was spam). By the end of the year, just 12 percent of monitored e-mail was legitimate (88 percent was spam). Another e-mail security firm, MX Logic, estimates that 97 percent of spam is not compliant with the law.

Critics argue that Congress bowed to pressure from groups like the Direct Marketing Association, which lobbied for a provision that puts the burden on consumers to opt-out of unwanted e-mails. Anti-spam groups wanted the opposite, putting the burden on marketers to obtain permission from consumers before sending the first e-mail message. The DMA won, and as a result, some say, consumers lost.

CAN-SPAM, however, can claim a few victories. In September, Nicholas Tombros, the so-called wireless spammer became the first person to be convicted under CAN-SPAM. Tombros pleaded guilty to charges that he sent unsolicited e-mails from his car by hijacking other users wireless connections. In November, Jeremy Jaynes was sentenced to nine years in prison under the Virginias anti-spam law for sending millions of spam messages to America Online customers. And at least one ISP, AOL, reported in December that spam on its networks actually decreased from the previous year.

Senator Conrad Burns (R-Mont.) told The New York Times that if the Federal Trade Commission would enforce the law as written, more spammers would be prosecuted and consumers would see some relief. As we progress into the next legislative session, he said. Ill be working to make sure the FTC utilizes the tools in place to enforce the act and effectively stem the tide of this burden.

What do you think? Is CAN-SPAM worth the paper its written on? Should Congress take another crack at anti-spam legislation, or should it opt out and look to the private sector to answer our spam woes?