Lessig On Bounties For Spamhunters

An anonymous reader submits: "Digital rights (as in yours, not the RIAA's) guru Lawrence Lessig comes up with a Swiftian idea of how to fight spammers -- $10,000 for the first ubergeek to hunt the offender down. The column is at CIO Insight. Wonder if it'll reach its audience there."

well, it's a start

[Em Emalb]

but it will only catch the stupid ones. The "smarter" ones, and I use the term loosely, will endure.

The opposite is needed

[PD]

For a period of one month, all filters on spam and spam hunting should be suspended. Part of the problem is that anti-spam activities are masking the true magnitude of the problem. A wake-up call is needed. When people realize just how much spam is being sent out, the villagers will take to the streets with pitchforks and torches.

Privacy implications are dire

[I Am The Owl]

Why the sudden turn around in Slashdot rhetoric?

I can see the sense in promoting our rights to privacy online, as michael and timothy (bless them) are wont to do, but then we see a sudden reversal. Sure, I guess it's a real pain when spammers send hundreds of unwanted messages over the Internet every day, but is offering a bounty to rob them of their right to privacy really the answer? This is just the government turning citizen against fellow citizen in a foul ploy to get us to turn in our rights to online privacy. Let's look at what's happened so far:

• Spammers send spam
• Geek gets pissed, deletes spam

Now that isn't that terrible, is it? Do we really need to go out and promote a database state and tie together all a person's Constitutionally private information into one big heap of spying and ratting out? I dislike spam as much as the next man, but I draw the line at violating others' online rights. It's a line nobody should be willing to cross.

uhh, missing something here

[Telastyn]

from the article:

But at least with the spam problem, there is a much simpler solution that, so far, Congress has failed to see. Imagine a law that had two parts--a labeling part and a bounty part. Part A says that any unsolicited commercial e-mail must include in its subject line the tag [ADV:]. Part B says that the first person to track down a spammer violating the labeling requirement will, upon providing proof to the Federal Trade Commission, be entitled to $10,000 to be paid by the spammer.

From California Spam law:

(g) In the case of e-mail that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, the subject line of each and every message shall include "ADV:" as the first four characters. If these messages contain information that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, that may only be viewed, purchased, rented, leased, or held in possession by an individual 18 years of age and older, the subject line of each and every message shall include "ADV:ADLT" as the first eight characters.

and

(f) (1) In addition to any other action available under law, any electronic mail service provider whose policy on unsolicited electronic mail advertisements is violated as provided in this section may bring a civil action to recover the actual monetary loss suffered by that provider by reason of that violation, or liquidated damages of fifty dollars ($50) for each electronic mail message initiated or delivered in violation of this section, up to a maximum of twenty-five thousand dollars ($25,000) per day, whichever amount is greater.

Very similar...

Disgusting.

[Fat Casper]

I think I'm going to be sick.

The author compares the bill that the RIAA bought to allow them to crack any box they want with the "spam vigilantes" that blacklist sites that don't obey "proper" e-mail etiquette and then by organizing automated boycotts of the sites on the list.

His explanation of the bill is Through his bill, these vigilantes would be granted immunity from liability as they deployed tools to hack peer-to-peer systems that they "reasonably believe" violate copyright laws. He compares the two as unaccountable processes that wrongfully victimize people.

He then proposes (drum roll) a law that spammers would have to follow, and a reward for geeks who catch them if they don't. Like they'll follow laws. Blacklisting servers is better; it slaps the stupid admins pretty hard for victimizing everyone else. It also slaps folks like that stupid "internet lawyer" and Bernie Schifman. There's a public good- actual, relevant punishment for offenders.

Re:Privacy implications are dire

[Lord_Slepnir]

What about my rights to not have my inbox clogged up with offers for inkjets and penis enlargements. 10 spams a day is an annoyance, but my university account gets 50-60+ a day if i turn off the spam filters. So now not only do i have to configure my spam filters on my mail server and waste CPU time and disk space, (I know that they're small, but my mail server is a P/166 that i got for $30, so every bit counts) but I have to figure out which ones of the few that get through are legit and which ones aren't.

It wasn't so bad before, with spammers being blatent, but now that they are using more under-handed by disguising their addresses and subjects to look legit. Do you know how many times I've opened an e-mail that has a subject as just "hi" or "a quick question" and having some really disgusting porn pop up [goatse.cx] on my computer.

In short, a spammer does have a right to free speech, but that right ends where my right to not be harrassed begins. (yes, i know that the right to not be harrassed isn't a constitutionally protected right)

Re:The opposite is needed

[neuroticia]

No. For a period of one month, the Government needs to cease and desist anti-spam filters, and Bush needs to read his own email.

After the 908'th offer for viagra, he'll either cave and buy it (and then hire an intern) or get pissed off and do something about it.

Stopping the filters on the accounts of people who know about Spam isn't going to do a goddamned thing. WE're already pissed off by it. It's the gov't officials whose email is pre-filtered, sanitized, and delivered for their viewing pleasure, who need to experience the deluge.

Better yet- remove their filters, and put their email addresses on the internet. Someplace like Slashdot.

-Sara

Re:ADV tagging useless to real advertisers

[letxa2000]

The problem with tagging all commercial email with an identifier such as "ADV:" is that most recipients will simply create an email rule to auto-delete it and never even know it arrived.

I go one step better. My sendmail server hangs up on the SMTP connection as soon as it finds ADV: in the subject line of an incoming message. They don't even get to finish unloading their message. As soon as it says ADV:, they're gone.

That's great for the recipients, but it does nothing to reduce the load on ISP servers; in fact, it may increase it as the advertisers will have to send out MORE mail to make sure at least somebody opens it.

More ISPs can do what I'm doing and hang-up as soon as they see ADV: in the subject.

In the short term it doesn't solve the problem, but when absolutely no-one is reading spam then the response rate will drop to zero--at that point there will be no-one that WANTS to spam.

Also, such a solution does nothing to help legitimate advertisers, who need to know the demographics of who is actually reading their ad.

What is a "legitimate advertiser?" Anyone that is mailboming advertisements to me isn't legitimate regardless of whether they are selling penis cream or Norton products (seems to be the latest thing I've seen in spam) or discount airfares.

If there is an easy way to filter, they may buy a list that is 90% middle class professional office workers, but they have no way of telling what mix actually read their ad.

I also don't care if an advertiser "needs" to know if I read their advertisement. That's none of their business. They have no clue who reads their advertisements in a newspaper nor who hangs around during commercials on TVs... Why do they suddenly "need" to know if I click their email?

So they would never buy a service that operated under the "ADV" rules

Good! The idea isn't that the whole world does bombing runs with ADV:. The idea is that the ADV makes it so easy to filter that NO-ONE reads the spam and, in short order, spam as a method of advertising goes away.

Result: only the scam companies would ever send the mail.

Which is MOSTLY the case now. This is where the bounty comes in... If you get spam that isn't identified with ADV, the spammer has broken the law and under the law you're entitled to $10k from the spammer if you are the first to identify him. A few of those and the scam companies will stop sending spam because it's no longer a good business model. So "legitimate" companies don't spam because all their spam is filtered with ADV, and "illegal" spammers stop doing it because they'll be liable for $10k.

Of course, the idea won't work. As others have said, it's too easy to frame an innocent person or company. Unless the spammer shows you his email log, how can you really "prove" he did it? You could just be making up the logfile that shows a conection from 192.110.121.99, or whatever.

The problem is that most spam isn't prosecuted based on other violations of the law. Porn spam should be blatantly illegal since much of it goes directly to the inbox of minors. The owners of porn sites that spam should be sought out by the FBI and charged with corruption of minors. Most of the rest of the spam is fraudulent or deceptive in some way--it should be prosecuted by the FTC or FDA. The problem is they apparently don't have time, which is sad since it's currently one of the largest sources of blatant fraud operating in broad daylight, and so many of them would be open and shut cases. You just have to go get the perpetrator.

Lessig needs someone to whack him with a cluestick

[silentbozo]

Read the article. The 10k bounty for not labeling spam as spam isn't what you should be paying attention to. It's his attack on volunteer efforts to block spam relays, whom he calls "spam vigilantes", in the worst sense of the word. Essentially, he says that efforts to blackhole servers (presumably, because the admin of that server also needs to be whacked repeatedly with a cluestick) do more harm than good, and that we should just use filtering.

The 10k bounty is supposed to convince spammers to label their spam so we can effectively filter it.

Finished laughing? Let's dissect his thinking, shall we? He says we can handle spam just by making sure the spammers label it. This is the thinking behind a lot of bad legislation - it legitimizes it, instead of eradicating it. Second of all, he implies that vigilantism can work with government (finding spammers who don't comply with the ADV: rule) to fix what vigilantism by itself (blacklists) cannot do. Well, blacklists are meant to eliminate spammer havens - and we have plenty of anti-spam people hunting spammers as it is, FOR FREE. What the hell does he think 10k is going to do, if all the bounty-hunter does is turn the spammer's info over to the government? I mean, the FTC doesn't do much to the existing fax-spammers who are in violation of federal law. (The fax.com lawsuit was filed by a private individual, the FTC just levies paltry fines.) Or worse, what is the US government gonna do to foreign spammers who don't comply with our "label law"?

Essentially, Lessig says we should discard our current system of blocklists and anti-spam tech, in favor of simple client-side filters and a federal mandate to label spam, with a bounty to catch anyone who fails to label their spam. The threat is so feeble, and the undeserved side-effects so beneficial, I'm sure that spammers will love this idea.

Re:This problem cannot be solved!

[Alsee]

The problem with spam is that the cost is basicly zero per-message. $X to send Y pieces of spam, X divided by Y works out to zero point zero cents per spam.

The only way to make it die is for people to stop buying from it

Not possible. Spam works at a response rate of 1 in 10,000. The general population contains a far higher rate of mental illness, senility, and retardation, not to mention just plain gullibility and stupidity.

To to missquote something P.T. Barnum never said, [historybuff.com]
The internet: a million suckers log on every minute.

It seems to me that the only solution will come by a switch over to a new E-mail system that can link a non negligible co$t to all E-mail, or just to offending E-mail. This could be done with crypographicly signed "stamps".

Would you be willing to attach 2 cents to each E-mail where the recipient of the mail gets the money? Send mail to your friend and he gets 2 cents, he send you mail and you get the 2 cents back.

The other proposal I saw has much more expensive stamps, from 32 cents up to a few dollars. In that plan you you can keep re-using your stamps unless the recipient "redeems" the stamp. The idea is that it is generally "rude" to redeem a stamp. If you get legitimate mail from a friend or stranger you do nothing and it costs the sender nothing, if you get spam or otherwise offensive mail you click a button to redeem the stamp and the sender is out the money.

-

Re:well, it's a start

[Vinum]

Hmm... that kind of gave me a crazy idea.. but I am sure a lot of these spammers are also into credit card fraud. A corporation like VISA could collect spam and use a dummy credit card number that would validate normally... except that instead of them getting a check with money at the end of the month... the companies ability to clear cards through visa would be revoked. Furthermore, if the government would just make spam a freaking crime... this would be a nice way to bust the people doing this stuff..

Because face it, most of these spammers are located in America even if they are going through Chinese relays and such.

I am sure someone will reply to this and give me 10 reasons why this will never work. But either way, its fun for discussion. :)

Oregon's Anti-Telemarketer Law

[sleepingsquirrel]

Here is one ray of sunshine though. In the state of Oregon you sign up on the No Call List [ornocall.com] and

"A telemarketer who unlawfully calls a telephone number on the 'No Call' List violates Oregon's Unlawful Trade Practices Act (ORS 646.605 - 646.656), and is subject to civil penalties of up to $25,000 per violation."

After signing up, the number of unsolicited phone calls I get has dropped to zero.

Re:Privacy implications are dire

[Anonymous Coward]

"I can see the sense in promoting our rights to privacy online"

1. 
   Advertisers have no such right. They are legally obligated to both identify theselves and to truthfully describe the product they are selling
   
2. 
   Violators of the rights of others have no such right. Both the government and the individuals violated have the right to use such information to seek a remedy.
   

Spammers gave up their right to privacy when they used my e-mail account (which I, not they, pay for) without my express permission. At the very least, as the rightful owner of the account and all e-mails therein, I should be free to distribute and use the information I have on spammers as I see fit.

"Spammer sends spam, Geek gets pissed, deletes spam Now that isn't that terrible, is it?"

Geek owns e-mail account. Geek pays for upkeep of e-mail server, be it directly or indirectly. Geek works for a living to pay for these luxuries. Spammers use other peopless property without either permission or compensation for personal gain.

Yes, it is that terrible

"I draw the line at violating others' online rights"

Huh? Do you work for a spammer or something?

Stop trying to sugar-coat this issue with words like "free speech" and "on-line privacy." Spam boils down to the even more basic right of property ownership. The First Amendment doesn't say you can spraypaint your speech on somebody else's wall. The Fourth Amendment doesn't prevent Blockbuster Video from requiring you to identify yourself before renting you their movies.

When you start violating other peoples' rights, including property rights, you "lose" many of your own. The owner of the property has the right to seek compensation from the violator and the government exists to help them. Suddenly, seizures like putting a lien on a spammer's car become "reasonable" in the eyes of the courts.

The only person's rights who have been violated are my own. If anything, the Fourth Amendment is on my side, guaranteeing my right to track down and bill/sue the spammers for using my personal effects unreasonably.

My Letter to Mr. Lessig / editors@cioinsight.com

[Anonymous Coward]

Dear Mr. Lessig,

I am surprised that even after researching the subject, that you
believe that people that maintain and use block lists as a means of
coping with spam are "vigilantes". You would probably consider me to be
a vigilante, and I am writing this to you in order to try to understand
your perception, or perhaps even to change it.

I operate a very small but fully functional mail server that has several
users - friends and family members. I am not a commercial service provider,
but the services that I provide to a few people are indistinguishable from
those offered by a commercial service provider. A significant portion of
my network resources are abused by spammers, to an extent that I am forced
to implement various means of blocking and filtering to avoid being overrun
with spam. This includes the use of block lists.

As an email user and admin, here are some of the things that I do:

Upon receiving a spam, I often examine its headers and body and send
complaints to the sysadmins of the computer that was used to send it to me
and the computer hosting an advertised URL. Just hitting delete is
not an option, as the hundreds of spams that my home DSL-connected email
server receives per day is constantly increasing and thus cannot be ignored.
I cannot wait for a law, because spammers do not obey laws. The sheer
volume of spam arriving with "ADV:" in its subject lines is also increasing
and cannot be ignored. Even if all spammers used "ADV:", the cost of
receiving all of the unsolicited bulk email would mandate action on
my part, and no doubt on the parts of other victimized recipients.

Upon receiving a spam, I sometimes connect back to the computer that sent
it to me and do my own relay probe to see if it is an open relay or is
hosting an active spammer. This helps me send a complaint that is more
appropriate to the situation - in the case of open relays for example,
people at the site often do not know they are open, but in the case of
the spammer having an account on the system, people at the site are
often willfully allowing the machines to spam.

Upon receiving a spam, I usually add the IP address of the computer that
sent it to me to my own block list. My users know that I block, and they
know that there's some risk of blocking legitimate mail. They are not
technical, so I have explained to them in laymen's terms as best I can how
mail systems work and how the blocking is done, and they have chosen to
accept that risk.

Maintaining lists is very time consuming, and my own lists block only a
small percentage of the spam. To reduce the amount of received spam
to tolerable levels without spending too many hours per day at it, I seek
out and make voluntarily use of block lists that others are gracious enough
to make available to me. Unlike your RIAA example, this is entirely
voluntary. No one has pressured me to use any one particular blocklist.
The only pressure I am under to block at all comes from the spammers
themselves.

I am willing to reveal my own block list to anyone that wants to see it,
as long as they're aware of the risk of it blocking wanted mail.
I am aware that they might make a copy of my list and use it to try to
block spam on their mail server in precisely the same manner that I use
other's lists to block spam on my own mail server. Again, entirely
voluntary. I pressure no one else to block an IP address that I block.

I do not view myself as a "self-appointed doer of justice." I am
trying to reduce the amount of unwanted and unsolicited bulk email that
threatens to flood my DSL line and choke my mail boxes, and that ultimately
costs me time and money.

I think that you think that I became a vigilante somewhere along the
line, but I don't understand precisely where. If you think I am a
vigilante, can you tell me at what point I became one? If you don't
think I am a vigilante, then what is it that distinguishes me from those
who you do think are vigilantes?

publish their names, addresses, and phone numbers

[jchristopher]

I've suggested before, and I still believe, that spam would greatly decrease if a few spammers were killed. If that's too harsh for you, how about slashing their tires, urinating on their lawn, or keying their car?

Every time you find a spammer, you should anonymously publish their name, address, and phone number, so that they can be "dealt with". Yes, I'm serious.

Re:uhh, missing something here

[Random Data]

That part of the law is severely broken. They hit the $25,000 cap after the first 500 spams per day. The bigger spammers send MILLIONS of spams per day. At 1 millions spams per day the fine is 2.5 cents per spam, and at 10 millions spams per day the fine is one-fourth of a cent.

IANAL, nor do I play on on /. . But I did notice that this is applicable to "any electronic mail service provider whose policy... is violated". Run your own mail server? Then you've got the right to seek civil damages. Unless you're getting in excess of 500 messages a day from a single source, you're not going to hit that cap. If the admin of every server the mail passed through sought damages the expenses mount up very quickly. And realistically $25K a day is going to pay for a shitload of bandwidth in receiving that spam. Now I'm just waiting for the 1) Receive spam post....

It's about consent, not content!

[Erik Fish]

So much for "Lawrence Lessig: Superlawyer". Doesn't he realize that by the time his little idea gets passed into law it will have morphed into the Direct Marketing Association's wet dream?! Even the original is a law that fully legitamizes spam! Does anyone think that the $10k fine will make it through? Even if the figure itself is still around there's no chance of anything resembling teeth being left in it!

So what if it forces a majority of the spammers into using the [ADV] tag in their Subject headers? What is that going to accomplish? Yes, most ISPs will instantly block anything with [ADV] in the subject header but the spammers will still be using bandwidth to bounce endless waves of spam off of your filters in an attempt to get at the remaining mail servers which don't filter for one reason or another!

Beyond that, an [ADV] flag is content. As the subject of this post points out: The fight against spam needs to be firmly grounded in a lack of consent -- not the slippery slope which any argument based on content quickly becomes!

It's not enough money

[herbierobinson]

It can't be just the first one. It has to be a bounty to everyone who tracks the spammer down and take them to court. Otherwise, it just wouldn't pay to do it. A better scheme:

1. Allow anyone to take spammers to small claims court for around $2K.

2. Make the person selling whatever is advertised in the spam be responsible for unless they are willing to file a criminal complaint against the spammer.

3. Explicitly make is illegal to advertise someone else's product without authorization (it's probably already illegal...). This is to enable #2.

4. If an ISP cannot identify the spammer, the ISP must pay the fine. This may already be the case, but making is explicit would help.

Re:Could someone explain this to me?

[Peer]

The reason they're hard to catch is that for legal action, money and time is required. There has to be a real prove to have VISA lock you out. Otherwise a smart spammer could spam around your URL, and you'd be in trouble. So just whois records won't do.

Also, what about foreign spammers using foreign hosting-companies and banks. They're not likely to stop spamming.