Forgot your password?
typodupeerror
Spam Your Rights Online

Lessig Wagers His Job On Anti-Spam Theory 409

Posted by timothy
from the sounds-like-a-safe-bet dept.
kien writes "Lawrence Lessig is betting his position at Stanford on his anti-spam legislative recommendations. From his blog:'First the analysis: Philip Jacob has a great piece about spam and RBLs. The essay not only identifies the many problems with RBLs, but it nicely maps a mix of strategies that could be considered in their place. But, alas, missing from the list is one I've pushed: A law requiring simple labeling, and a bounty for anyone who tracks down spammers violating the law. Here goes: So (a) if a law like the one I propose is passed on a national level, and (b) it does not substantially reduce the level of spam, then (c) I will resign my job. I get to decide whether (a) is true; Declan can decide whether (b) is true. If (a) and (b) are both true, then I'll do (c) at the end of the following academic year.' The Declan referred to in point (b) is Declan McCullagh." Update: 01/07 02:45 GMT by T : Speaking of whom, here is Declan's acceptance of Larry's bet.
This discussion has been archived. No new comments can be posted.

Lessig Wagers His Job On Anti-Spam Theory

Comments Filter:
  • by swordboy (472941) on Monday January 06, 2003 @09:18PM (#5029749) Journal
    Lawrence Lessig is betting his position at Stanford on his anti-spam legislative recommendations.

    Umm...

    You *don't* need LEGISLATION to fix this problem (isn't that what technology is for?). Fix the technology (or lack thereof), and you've fixed the problem. There are several very good ideas floating around out there that don't require an office of homeland spam in the whitehouse.

    Stupid lawyers...
    • by Anonymous Coward on Monday January 06, 2003 @09:19PM (#5029759)
      Name one technological measure which has a zero false-positive rate, a low false-negative rate, and a snowball's chance in hell of being adopted. The problem should address spam at the server side, since it's already wasting space by the time it's allowed onto a client machine.
      • by sfe_software (220870) on Monday January 06, 2003 @09:55PM (#5029947) Homepage
        Name one technological measure which has a zero false-positive rate

        Bayessian Classification

        a low false-negative rate

        Bayessian Classification

        and a snowball's chance in hell of being adopted.

        Mozilla has (very preliminary) Bayessian classification. So far, that part works great - not a single false-positive in weeks of use (I've been using it since 1.3a was released), and once they add the ability to auto-mark-as-read and move/delete SPAM, I'm all set.

        The problem should address spam at the server side, since it's already wasting space by the time it's allowed onto a client machine.

        I'm not sure if you are referring to the origin server, or the receiving server (in which case it has already wasted space/bandwidth), but the receiving server could easily implement Bayessian filtering as well. It would take some work on the part of the clients to make it work (or perhaps simply forward junk mail to a local address that classifies it as SPAM?)...

        I personally am okay with doing this in the client, as long as the Mozilla team continues to improve this feature. Currently I'm still interrupted and must mark the messages as "read", but eventually I won't have to ever see SPAM.

        I'm normally not all that fanatic about software or software-ideas, but Bayessian filtering just plain works. If some implementation were to add common word-groups instead of just word occurrances, it might even be more rock-solid, but even as it stands in Mozilla's implementation, it has serious promise.

        Implemented as a Perl script on the server-side, one could easily eliminate the problem all together for each user (since everyone has a different idea of what constitutes SPAM).

        A classic example of this: Yahoo mail uses a more global approach to SPAM classification (BrightMail I believe). Unfortunately the RedHat Eratta mails fall into the Junk folder, since apparently many Yahoo users consider it SPAM. Similarly, I still get "notification@mailsweeps.com" SPAM in my inbox, no matter how many times I report it as SPAM.

        This is where Bayessian filtering, which works on individual users, solves the problem.

        Anyway, if it isn't obvious, I'm all for using technology to solve the problem, especially now that a very promising technology is currently available. Legislation won't help, unless it's globally enforced, and even then it still won't help much. Bayessian lets the user define what he or she considers SPAM, which will vary from user to user, making it the most logical approach IMO.
        • by Mr Bill (21249) on Monday January 06, 2003 @10:15PM (#5030031)
          If a SPAM doesn't appear in my inbox, was it ever sent?

          By the time the SPAM gets filtered by your mail reader it has already done lots of damage. SPAM costs ISPs money in time, bandwidth, and storage space. Where do you think that extra cost is heading. Right back to the end user.

          There are many solutions out there that can limit the amount of SPAM that appears in your inbox (like bayessian filters), but that isn't enough to stop the SPAM problem. It just puts a band-aid over it...

          • by SpaceLifeForm (228190) on Monday January 06, 2003 @10:28PM (#5030084)
            It is a band-aid if few people use it.
            However, if enough people (and ISPs) use it, then the effectiveness of spam will be reduced, possibly to the point that many of the spammers give up. It's too soon to dismiss a possible solution.
            • by Mr Bill (21249) on Monday January 06, 2003 @10:43PM (#5030146)
              Do you think that the .002% of the morons that actually click through on these SPAMs are actually going to setup and maintain a filter? You have a higher regard for their intelligence than I do...

              The uptake of SPAM is so incredibly small, and yet it is still profitable for these pricks. End user implemented solutions will only help reduce the annoyance of SPAM for that user, but I don't believe it will ever eliminate SPAM.

              No spammer has ever made any money by spamming me yet, so do you think they will make less money if I filter their emails and never look at them?

              • by WatertonMan (550706) on Tuesday January 07, 2003 @12:50AM (#5030631)
                I believe that Apple's spam filter in their default client is Bayesian. I've written a lot of Bayesian and vector space categorizers in my time. Yet I'm still amazed at how well Apple eliminates the spam. Thus far I've not had one mistake. The difference between using my Mac at home and using Outlook on my PC at work is night and day. I have hundreds of pieces of spam that get through Outlook's spam filters. (Rule based I believe)
              • No spammer has ever made any money by spamming me yet, so do you think they will make less money if I filter their emails and never look at them?

                No, but they WILL send out more emails so they can continue making the same profit with the reduced response rates due to increased filtering.

                Filtering is a band-aid, no matter how accurate or how transparent it is. The only real solution is to stop spam at the source. And while legislation is itself another band-aid (at least until a better mail system, one that's not susceptible to spammers' tricks, is developed and universally implemented), it'll at least reduce the bleeding.
          • If a SPAM doesn't appear in my inbox, was it ever sent?

            In my opinion? No.

            See, my bandwidth isn't much of an issue. I have DSL that goes largely unused. My server sits on a DS3 that, again, goes largely unused.

            So for me personally, and all 300+ clients on my servers, the biggest problem with SPAM is the time spent manually classifying it, and deleting it. And being interrupted in the middle of something when the 'new mail' notification sounds.

            So for me personally, Bayessian filtering offers enough of a solution to eliminate the problem as I see it.

            I don't think we will ever fix the problem any further than that. Stopping SPAM will only happen when everything is controlled and regulated -- and I don't want to see that happen. I don't what "white lists", and I don't want to approve each sender, and I don't want to have to "sign" emails through a trusted authority.

            I want to decide what I personally want in my Inbox and what I don't, and let my client sort it out from there.

            Band-Aid(TM)? Perhaps. But anything further can potentially take away freedoms we currently have (like being able to send an email to an address found on a web site to ask a question or propose a business opportunity, without fear of being labeled a SPAMMER).
        • Mozilla has (very preliminary) Bayessian classification.

          Just as an aside it's "Bayesian". I'm not launching into pedantry but noticed that when I tried doing a search on it (good old Google and its suggestions).

          In any case, the success of Bayesian Filtering is because it is rare: Do you think that spammers couldn't dedicate some time and create a "norm" email if these filters were widespread? The only reason that they haven't is because users utilizing it as an anti-spam technique are rare, though if it took off it would be rendered impotent quite quickly. In other words if you like it so much, don't go around advertising it.

          • Just as an aside it's "Bayesian".

            Crap, I've made quite a few posts with the double-S up to now... ugh! Gotta love Google Suggestions though :)

            ...the success of Bayesian Filtering is because it is rare:...

            I'm not sure about this. The success of Bayesian filtering (rather, Classification) is that it learns what you, the end-user, considers SPAM. How does a SPAMmer learn what you, personally, don't consider to be SPAM?

            Currently I get a TON of SPAM with "jm4n" in the subject (my most common email username), and often it sounds like a reply to a personal email ("thanks for your email! Look at my web site and see me naked!").

            But the point is, since it learns, and it's completely based on individuals (rather than some generic description of what constitutes SPAM), it works rather well -- better than you might imagine. I suspect this will work in the future.

            I also mentioned:

            If some implementation were to add common word-groups instead of just word occurrances, it might even be more rock-solid

            Currently Bayesian classification is extremely simplistic. It classifies word-counts, and figures if the word "Viagra" never appears in "real" mail, and often appears in "Junk" mail, then this is a key indicator that this is SPAM.

            If this were extended to word groups (say, groups of words that appear together frequently, like "penis enlargement" or "work from home"), it could even be more effective. I'm tempted to work on some Perl scripts to implement this even further than what Mozilla does (and, being on the server-side, stop wasting bandwidth on my DSL; not to mention multiple-client compatibility)...
            • by ergo98 (9391) on Monday January 06, 2003 @11:05PM (#5030257) Homepage Journal
              I had a long winded reply regarding false positives and what they represent to even the best filtration (i.e. what happens when your filter is attuned to emails between you and your buddies, and suddenly a proposal comes in from an employer, or a partner, or a customer? This single lost email could be incredibly damaging) when I noticed this [jerf.org] page that says it eloquently and thoroughly.
              • ...what happens when your filter is attuned to emails between you and your buddies, and suddenly a proposal comes in from an employer, or a partner, or a customer? This single lost email could be incredibly damaging...

                Personally, I will always at least review the subjects of the 'junk mail' periodically. Currently the Mozilla implementation doesn't treat Junk any differently, other than setting the flag. When it's able to "Move to Junk Folder" I'll still double-check.

                The difference is, I can do that once per day. A quick scan of subject lines will rule out the vast majority at a glance (mentions of Viagra, Toner Cartridges, etc) and the questionable ones will get opened for further examination. I estimate about two minutes out of my day, on my own time, to make sure no false positives are in the Junk bin.

                Beyond that, Junk mail coming in won't interrupt me while I'm working. I do occasionally receive important mail that needs immediate attention, and the absolute worst case scenerio (in my plan) is that an important message will be marked as SPAM, and only be seen by me at the end of the day.

                In practice this would be very rare. So far, I've only had a couple false positives in the early beginning, and these were mailing lists I'd agreed to receive messages from that otherwise may have sounded like SPAM. Now these are getting through no problem.

                So, end result -- I don't think Bayesian filtering is the end-all solution, but to be able to classify email upon arrival, and later double-check its work, is the best solution I've seen yet. Sure, some users will end up "trusting" it and might get burned, but that's their fault for putting too much trust into Bayesian (or any) filtering.
            • I suspect Bayesian filter will only work for a while. Spammers have a lot of money, and they can use it to hire a lot of creativity. If Bayesian filters get very popular, spammers will engage in counter-counter measures, just like a lot of them have already done to other techniques (return address filtering, IP filtering, and these days, simple keyword filtering).

              I would bet that it is relatively easy to make a bit of spam that would pass most peoples' Bayesian filters... since most people are fairly alike in their email - or at least there are large subsets worth going after.

              Ultimately it will be sort of a Turing challenge - my spam filter vs. your spam trying to emulate any person (not every person) that I might ever want to get email from. Doesn't sound too hard to me!

              As many have pointed out, the real problem with Spam is that it as is an economic activity where people other than the spammer pay most of the costs (externalitites). The cost of mass email is only going to get cheaper unless some pretty stern measures are taken. I like Lessig's approach. Make the bastards pay. They are stealing resources!

              Of course, we should do the same thing to telephone spammers, but so far nothing has been done there. It is a lot easier to propose legislation than to get it passed.

              BTW... I got one of those TeleZapper things (disclaimer: I have not finanical interest in the product). It really does reduce telephone spam. Unfortunately, like most technological solutions, it also has false positives. When the library computer calls up to let me know a book is available, TeleZapper freaks it out before it delivers a message (I know this from watching caller ID). [another aside, the Phoenix, Arizona public library is so primitive that it still can't send you *email* notifications!]
      • by Sheetrock (152993) on Monday January 06, 2003 @10:08PM (#5029995) Homepage Journal
        A decent idea I've seen along these lines (barring your third criterion -- but I remind you we're still waiting for things as important as IPv6 to be deployed) has to do with requiring the sender of an e-mail to generate a computationally-expensive hash collision, dubbed 'hashcash', of the message that is computationally-inexpensive to verify by the systems forwarding the message to its destination. In a nutshell, a computer sending e-mail can be required to spend an arbitrary amount of time to generate this data, as the alternative would be to have the mail discarded by any mail server/relay implementing a check for the data.

        There are more details here [cypherspace.org]. Obviously, there's more to creating a workable system than this, because such an atmosphere would make it impossible to run a large-distribution mailing list, but it should be possible to get around such problems with a little ingeniuity, such as allowing the recipient of such mail to exempt certain IP addresses at the mail server from having to generate hashcash. My favorite part of this scheme is that, implemented properly, it could stop spam before it leaves the originating ISP.

    • by Mike the Mac Geek (182790) on Monday January 06, 2003 @09:19PM (#5029762) Journal
      Yes, but the laws give it teeth. Software can cut spam, but more will come, in a never ending cycle. If we make it financially hurt people to send out pure spam, then we don't need to have software that could possible filter out vald mail at a prohibitive cost.
    • by achurch (201270) on Monday January 06, 2003 @09:27PM (#5029809) Homepage

      Fix the technology (or lack thereof), and you've fixed the problem.

      Right up until someone comes up with new technology to get around your technology.

    • Show me one technological solution that will stop spam, that doesn't involve a constant cat-and-mouse game.
      • While it's not completely free of the "cat-and-mouse game", Mozilla's Junk Mail Controls [mozilla.org] are cutting my spam down by about 90% and it only requires a single mouse click for each of the few spam messages that gets through to keep the filter trained at that level.

        --Asa
      • Show me one technological solution that will stop spam, that doesn't involve a constant cat-and-mouse game.

        Mail storage should be the responsibility of the sender [cr.yp.to]. The sender only actually sends email notifications.

        Mail notifications should include a digital signature of some sort. Users can choose which signing authorities to trust. Signing authorities may require a deposit before issuing a signature certificate and may gain trust from potential recipients by offering to split the deposit 50-50 with the first person to receive spam from the account.

        So it boils down to a whitelist of ISPs. If you want to send legitimate mail, you need to use an ISP that other people trust to enforce the spam rules.

        How will spammers get around that? The only thing I can think of is by forging certificates, but preventing certificate forgeries is something that I assume has already been solved.

    • by BigBlockMopar (191202) on Monday January 06, 2003 @09:32PM (#5029837) Homepage

      You *don't* need LEGISLATION to fix this problem (isn't that what technology is for?).

      Especially since the legislation will do nothing.

      Here goes: So (a) if a law like the one I propose is passed on a national level, and (b) it does not substantially reduce the level of spam, then (c) I will resign my job.

      The problem is it's being addressed on a national level. That won't stop the African scam artists "whose money is tied up" - hopefully their oppressors will beat them in the face with a rusty camshaft - or the Chinese wishes of good fortune and prosperity that I was continually getting from some shitty company selling latex products until I finally decided to blackhole China from my mailserver.

      This might keep the Florida 21-year-old unwed mother of 6 children from spamming me from her dial-up ISP of the week. But the funny thing about national laws is that they don't apply outside the nation...

      • The problem is it's being addressed on a national level.

        That's a valid point. It leads to what I personally call a "slashdot paradox". I'm outraged that a Russian programmer (and then, the company that employed him) was prosecuted here in the US for software that is legal in Russia. Yet if Prof. Lessig's law is passed in the US...paradox. It could be argued that laws passed in the US have typically been adopted in one form or another around the world (which sucks...ref: DMCA) but that could be countered by the jurisdictional nightmare that the RIAA/MPAA have run into while trying to prosecute Kazaa.

        The blessing and (for right now at least) the curse of the Internet is that it globalizes the public commons. We're only now beginning to confront all of the issues that are raised by this fact.

        --K.
    • by Guppy06 (410832) on Monday January 06, 2003 @09:37PM (#5029860)
      "There are several very good ideas floating around out there that don't require an office of homeland spam in the whitehouse."

      What amazing reflexes you have in your knee-jerk reactions. You could have a future in television news. Just because there is a federal law passed on something doesn't mean there will have to be federal enforcement of that law.

      Consider federal anti-junk-fax laws. If you get an unsolicited advertisement on your fax machine, the sender owes you $500, collectable through your local small claims court/justice of the peace/etc (if need be). Essentially, all this law does is explicitly spell out the rights of the owner of the receiving equipment and make it easier for the recipient to claim damages without having to carefully explain how junk faxing is essentially trespassing each and every time.

      The FCC doesn't enforce this law. The FBI doesn't enforce this law. You enforce this law.

      I personally think the idea of expanding the existing junk fax law to include spam [iwancio2002.org] would be easier to enact (add three or four words to existing law) and easier to enforce (track down spammers for a guranteed $500 instead of just a chance at $10,000), but I'm obviously biased.

      Now calm down before you shatter your kneecap.
      • by swordboy (472941) on Monday January 06, 2003 @09:49PM (#5029915) Journal
        Consider federal anti-junk-fax laws. If you get an unsolicited advertisement on your fax machine, the sender owes you $500.

        If long distance faxing did not cost anything to the sender, then we'd all be getting spam via fax from China. US laws mean nothing to spammers.

        Hell, there is nary a US provider that will carry a major spammer. How is a law going to fix that?
        • "Hell, there is nary a US provider that will carry a major spammer."

          Then explain to me how this guy [nola.com] manages to make all his money. Or is Louisiana no longer part of the US?

          Just because spam comes through off-shore relays doesn't mean it originated off-shore.
      • Take a look at their web site http://www.fcc.gov/eb/tcd/ufax.html

        If they get enough properly formatted complaints, they will issue citations. While generally it is a 'cease and desist', they still will follow through if it continues.

        The TCPA (Telephone Consumer Protection Act of 1991) will never be used to cover spam, not should it. If it were to be changed, then it would be challeneged by every major Ralwasky wannabe, thus possibly rendering the whole thing dead for the duration. Telemarketers would love to for this to happen. An often used defense (yet still struck down every time) is the suggestion that it (TCPA) violates the First Admendment. It is struck down because the Supreme Court has repeatedly said that commercial speech is not protected speech. The TCPA has teeth because of the FCCs constant review (they just ended comment period concerning the effectiveness thus far and recommendations for changes).

        The TCPA will never be adjusted to include e-mail. Any attempt to do so will be very destructive. I used to think it would be a good way to do it as well until I researched the whole law and went through a couple of my own court cases.
    • If (a) Every man on earth has a penis pump in his home, and (b) Africa sees an end to corrupt Juntas that need to hide money in overseas bank accounts then (c) I will stop sending spam.

      I'm about as likely to stop spamming as Lawrence is to lose his job.
    • Fine then: what is your technical solution? Consider that a technical solution that doesn't permit someone like Larry Lessig to post his address publicly, so that interested people can write to him, without having to cope with 1k spams/day isn't a solution. So forget about proposing whitelisting solutions. Also, forget about proposing ISP-blocking; if the FCC has its way soon we'll only have two ISPs per city, max, and the RBL folks will lose their coercive power (since if you subscribe to an RBL you won't get any mail, everyone will be blocked).

      The best thing I've tried is bogofilter [sourceforge.net], but even that just deletes spam after it gets here. It doesn't cope with the exponential increase in mail volume, and the spammers are working very hard to defeat bogofilter and the like. For example, did you notice a sudden increase in spam that base64-encoded ordinary ASCII HTML? Guess why? To try to evade spam filters.

      • Consider that a technical solution that doesn't permit someone like Larry Lessig to post his address publicly, so that interested people can write to him, without having to cope with 1k spams/day isn't a solution.

        I don't think there's much choice he has in the matter.

        1 minute of looking revealed:

        1) llessig@stanford.edu
        2) lessig@pobox.com
      • by tsg (262138) on Monday January 06, 2003 @10:38PM (#5030129)
        Filtering and legislation are just band-aids treating the symptoms. The real disease is the protocol. We need to let go of SMTP and design a mail delivery protocol that has some form of sender verification. Then modify the "I'll carry your traffic if you carry mine" agreement into one that carries penalties for abusing the system.

        As someone else pointed out, the only reason we're not getting junk faxes from China is the cost of the phone call. Put the cost of delivery entirely on the sender and the problem will go away.

    • You *don't* need LEGISLATION to fix this problem (isn't that what technology is for?). Fix the technology (or lack thereof), and you've fixed the problem. ... Stupid lawyers...

      In the copyright context, we say "you can't enforce copy-protection with technology because someone will always break it given enough time". Do you think Spammers are any less motivated to circumvent technological measures?

      In copyright, we say that a better solution lies in a new balance of rights between producers and consumers, on a business model everyone can live with. Why is it so "stupid" to use legislation to stop an undesirable commercial behavior? Spammers are motivated by money. So punish them monetarily.
    • by fermion (181285) on Monday January 06, 2003 @11:31PM (#5030372) Homepage Journal
      The fact is that, in the US, legislations is not working lately. For years parents begged the cigarette industry not to advertise to children and not to lie to consumers in general. The congress was asked to legislate this, but to no avail. It took lots of lawyers to make this happen. The cigarette industry spent untold amounts of money to buy legislators so they could continue to kill to children and lie to consumers, and then complained when they had to pay the lawyers. The fact is that if the cigarette industry came clean to begin with, they could have probably created a much cheaper agreement.

      Currently we have SUVs that are ignoring the basic physics of (1/2)mv^2 and the benefit of dissipating energy through deformation of metal rather than the deformation of living flesh. Groups have been begging legislators to protect people from SUVs, but no legislation is forthcoming. Even with the lawsuits from the Explorer flaws, be they in the original engineerring or the integration of the tires, the auto industry are standing their ground. There is a large number of lawyers waiting to profit off the auto industry's greed. The lawyers will likely succeed, and, when they do, you can be sure the industry will blame lawyers and a tort system that is forced to compensate for an ineffective legislature, rather than the industry's own incompetence and greed,.

      In the case of spammers, all that most rational people ask is that they be honest. Use their own bandwidth to send the mail. Identify themselves in the header and the text of the email with electronic and physical contact information. Do not lie in the text of the message. The best case would use verified opt-in, but any kind of real opt-n would be a improvement as long as it included a real opt out procedure with a verifiable audit trail. It is not unreasonable. After years of questionable behavior, even the tele-marketers have seen reason. I attribute quite a bit of intelligence to that industry for realizing that it was cheaper to give in than to continue siphoning profits to pay bribes, lawyers, and settlements.

      The fact is that proper regulations allows an industry to run effectively by creating a predictable environment. A good legal system allows parties to create deals that they would never think of creating in the absence of one. The oft misquoted Shakespeare line tells of destroying civilization by killing all the lawyers.

      So this is my prediction. The spammer will continue to cheat, lie, and steal, When there is enough money to be made, the lawyers will step in and file suite against a few of the major players,. The spammers will lose, and will hold a press conference blaming the greedy lawyers, a corrupt tort system, and a judicial branch that finds the need to legislate from the bench. They, like many industries will realize that the judicial branch cannot be bought, but can be controlled by the executive and legislative branch, which can be bought. This will result in a new flood of bribes into Washington and a whole new wave of rhetoric about evil lawyers and the greedy people who use them.

      • The best case would use verified opt-in, but any kind of real opt-n would be a improvement as long as it included a real opt out procedure with a verifiable audit trail. It is not unreasonable.

        The trouble with opt-out is that it doesn't really scale. Even if every person or company that wanted to send their "important message" had a working out-out, we'd still get snowed under by the spam. Also spammers tend to have file drawers full of disposable companies. You might opt-out of BarfMarketing's spam, but not BarfMarketing2's spam.

        And what are the chances of working opt-outs being used after so many spammers have peed in the pool by using them to verify harvested addresses? (Some spammers do have working opt-out, but I only test that from my hotmail spam-trap. I never opt-out from a real email address.)

  • YES! (Score:4, Interesting)

    by Evil Adrian (253301) on Monday January 06, 2003 @09:18PM (#5029751) Homepage
    Well I'll be damned, someone with prestige putting his money where his mouth is! Now, all we need to do is hope for legislation. Anyone know of any "annoy-your-representative-with-a-form-letter" sites that deal with spam legislation??
  • by RumGunner (457733) <rumgunner.hotmail@com> on Monday January 06, 2003 @09:20PM (#5029769) Homepage
    Not after making thousands of dollars from his OWN HOME on the INTERNET!!!

    .
  • by PotatoHead (12771) <doug.opengeek@org> on Monday January 06, 2003 @09:21PM (#5029773) Homepage Journal
    he is doing a fine job trying like hell to do what he believes is true.

    This act from the same person who asks: "Why do they not fight?"

    I may not agree with him on all positions, but do agree completely with his zeal to persue them.

    Why not indeed.

    We all need a little more backbone...
  • by LennyDotCom (26658) <Lenny@lenny.com> on Monday January 06, 2003 @09:22PM (#5029776) Homepage Journal
    If you goto overture.com and search on bulk email each link you click will cost the people that sell spam software and spam services several dolars each. LETS /. THIER BANK ACCOUNT!!

  • something missed (Score:3, Informative)

    by neildogg (119502) on Monday January 06, 2003 @09:25PM (#5029798) Homepage
    They missed the link to his idea [cioinsight.com]
  • by Chester K (145560) on Monday January 06, 2003 @09:25PM (#5029800) Homepage
    While I appreciate Lessig's intentions here, it usually takes a bit more than a wager to get Congress to pass a law. Perhaps if he backed it up with some cash, Capitol Hill might pay attention.
  • Larry, I like you and all, but what on earth has email over the *internet* got to do with the national level?

    KFG
  • by angst_ridden_hipster (23104) on Monday January 06, 2003 @09:28PM (#5029819) Homepage Journal
    Because he knows that the legislation won't pass.

    But if it *did*, he'd be majorly screwed, since a large percentage of the spam I receive, for example, comes from regions outside of the jurisdiction of U.S. National Legislation.

    The spammers who are U.S.-based would merely move offshore. (Just think of the headlines -- evil legislation driving away lucrative American internet jobs ... joke, joke).

    • by JoeBuck (7947) on Monday January 06, 2003 @09:49PM (#5029916) Homepage

      Even today, a large fraction spam that appears to come from China, that arrives in Americans' email boxes, really comes from the US. It's US spammers bouncing it off of open relays in China.

      Under Lessig's bill these US spammers can still be prosecuted.

    • I doubt the legislation would pass, and particularly that it would pass in the clean, simple form he recommends without getting lots of gunk added to it. Even if it does, it won't be too effective unless the _bounty_ is available not only to Americans, but to _anybody_, anywhere in the world, who succeeds in tracking down the spammer, which I consider to be unlikely.

      Some of the non-US spam you get is really sent by non-Americans, but lots of it is sent by Americans abusing non-US machines (either by abusing open relays, or by buying cheap services.) US law can't touch the non-Americans effectively, but it can touch Americans using non-US ISPs. The entertaining thing that would happen if the bill were to pass and non-Americans could collect would be an instant market in Korea and China for mail servers that simultaneously forward mail, track down the sender, and log the recipients so that they can document it for the US authorities. Pretty soon, everybody in Korea with a broadband connection (which appears to be just about everybody) will start getting email ads for servers like this, because for a little while, it'll actually be possible to M4K3 M0n3Y F4$$7 on the Net by tracking American spammers. And $10K per successful event, minus US lawyer commissions, is pretty nice for something that doesn't take too much work.

    • by smallpaul (65919) <paul@@@prescod...net> on Monday January 06, 2003 @10:10PM (#5030011)

      The spammers who are U.S.-based would merely move offshore.

      It isn't the person pulling the trigger on the spam that matters. It is the business sponsoring it. For most of these marginally profitable businesses, (penis extenders?) it would be easier to do something else rather than move offshore. Plus, the money has to get from US consumers to the people offshore. There may be legislative ways to make this difficult.

  • Why I'd take the bet (Score:2, Interesting)

    by stand (126023)

    What I don't understand about Lessig's proposal is how would he enforce the bounty part of the law against off-shore spammers. Suppose I get an unlabelled spam from someone and I manage to track down the spammer as originating in Mauritania. How do I get my $10,000 from this guy. Is the US going to invade Mauritania to get it?

  • Because the politicians in DC would never pass a bill that would so blatently please American consumers. The average American doesn't have much money for campaign donations.

    And hm, I wish we saw Lawrence Lessig post on Slashdot more, like the way Bruce Perens does. That would be cool.
    • Or more likely...

      It's only bits on a wire. That's all. Nothing more. Little bits.

      No one cares. It's a minor annoyance to most (>90% of people), and that's it.

      You got piss off a lot of people to get a law passed. Spam doesn't have wide spread appeal.
  • by Greyfox (87712) on Monday January 06, 2003 @09:33PM (#5029844) Homepage Journal
    I'd say that's a safe bet since Congress has shown no inclination to legislate anything about spam. Even if they did, they would undoubtedly go for some half assed bill with no teeth which would not qualify as anything he suggested. And even if they did, the next day every spammer on the planet would relocate to china.

    A cute gesture, true, but ultimately pointless.

  • Rubbish (Score:4, Insightful)

    by CaptainSuperBoy (17170) on Monday January 06, 2003 @09:38PM (#5029862) Homepage Journal
    Those are the same tired old complaints against blacklists, but now it looks like a 'visionary' has blessed them so everyone's going to ooh and aah all over again - "Now I get it, blacklists are bad!" Except they're not, and all the arguments he presents against them have been refuted in the past.

    The point is, receiving mail is voluntary and blacklists are voluntary. If I'm an ISP, I damn well have a right to block all e-mail from China and Argentina and it has nothing to do with "geopolitics and democracy." Gimme a break! He's saying that developed countries are actually preventing more troubled countries from entering the democratic utopia that's supposed to be the Internet. Because 99% of the e-mail coming from those countries happens to be spam. The way he puts it, RBLs might as well be responsible for all the poverty and oppression in the world - how can we blame people, after all we took away their God-given right to send e-mail!

    Listen to him complain about collateral damage - collateral damage is the point of blackhole lists! Damaging a rogue ISP's users is the solution, not the problem. If we didnt' punish these ignorant subscribers they would continue supporting spammers. Every subscriber to a spam-friendly ISP is voting with their dollars - for spam. Rogue ISPs have proven that they will not act against spammers until they are financially threatened, and the only way to do that is to damage their user base to the point that they start losing subscribers. Collateral damage IS the point of blacklists - otherwise they're useless.

    He also exhibits a fundamental misunderstanding of blackhole lists, lumping them in with open relay lists. SPEWS doesn't list open relays, and this entire rant is tainted by the fact that he seems to think all blackhole lists do is block open relays. Relays are just one small source of spam. Spam-friendly ISPs are a greater threat to the well-being of e-mail, by far.

    Answer me this Mr. Jacob, where will our utopian "geopolitics" be when the entire e-mail system is destroyed by spam? Hey, at least we didn't silence any of the poor starving people in third-world countries who were just dying to send their democratic message of hope and peace. Oh, what was that inspirational message from that wide-eyed Argentinian eager to join the global village? The message is "CUM-GUZZLING SLUTS LOVE THESE HORSES."
    • Re:Rubbish (Score:5, Insightful)

      by PMuse (320639) on Monday January 06, 2003 @10:40PM (#5030134)
      Listen to him complain about collateral damage - collateral damage is the point of blackhole lists! Damaging a rogue ISP's users is the solution, not the problem. If we didnt' punish these ignorant subscribers they would continue supporting spammers. . . . Rogue ISPs have proven that they will not act against spammers until they are financially threatened, and the only way to do that is to damage their user base to the point that they start losing subscribers. Collateral damage IS the point of blacklists - otherwise they're useless.

      How is the collateral damage caused by blacklisting any better than what the RIAA proposed to do under Berman-Coble? If we're the good guys, we have to do it right.

      We condemn the government when it punishes innocent people because of whom they associate with. We condemn our neighbors when they deride people solely because of where they live or shop. We do not punish the innocent for the actions of the guilty just because the innocent are easier to find and hurt.

      Collateral damage is a poor justification for blacklists. Do we evict tenants who rent from slum-lords because the slum-lords are slum-lords? Do we burn down the apartments and cast the tenants out on the street hoping they'll exercise better judgment in choosing a landlord next time?

      Of course not. We write laws guaranting tenants rights and do our darndest to see them enforced as often as possible. Spamming ISPs should be required to behave or face a the usual penalty -- fines or jail. If the fines are too low, raise them. If the (net)cops are too slow, set a bounty for private enforcement. Are there no geeks who will turn bounty hunter? I'll bet some of those who maintain blacklists would be just as happy with the business model of suing spammers for $500 /message. Collateral damage is NOT the only way to "financially threaten" spammers. If we can find a way to bomb them out of business and not explode so many civilians, isn't that a good thing?
    • If your solutions were working, our visionary would have nothing to talk about. As it is your nice little list and many consolidated clueless ISPs blacklist my computer because I use a dial up. Nice fix, turkey. As things are, I have to use some "official" mail relay to write my own mother email.
      MAPS does not work for me, or the spam heavy ISPs that bounce my mail.

      Lessig's position is clear and postive. Yours is negative and confused. I'm glad someone is pushing forward a solution that's more than a tool of consolidation. Thanks for telling me about the equestrophiles. So many trolls, so little time.

    • Re:Rubbish (Score:5, Interesting)

      by Guppy06 (410832) on Monday January 06, 2003 @11:02PM (#5030245)
      "Listen to him complain about collateral damage - collateral damage is the point of blackhole lists!"

      And this is a good thing?

      Let me modify a few of the nouns in your rant and see if you still agree with it.

      Killing US citizens is the solution, not the problem. If we didn't punish these ignorant civilians they would continue supporting Israel. Every citizen of an Israel-friendly country is voting with their silence - for persecution. The US government has proven that they will not act against Israel until they are threatened, and the only way to do that is to kill civillians to the point that they start losing votes. Collateral damage IS the point of terrorism - otherwise its useless.

      The ends do not justify the means. Innocent until proven guilty unless spam is involved? No thanks.

      (Do I think RBLs are a form of terrorism? No. But I do not accept the idea that collateral damage is OK.)
      • Dude! (Score:3, Insightful)

        by edunbar93 (141167)
        It's information, not people.

        Information is replaceable. That's what backups are for. People are not.

        If someone nukes Los Angeles, then people are going to have more than just a little bit of a headache sending their e-mail. If someone nukes your mail server, then mail gets bounced for a few days, and that's it. It's not that important.

        Collateral damage is *good* in this instance. Yes, people will have problems sending mail. Yes, people will complain to their ISP's about the REALLY IMPORTANT E-MAIL THAT MUST GET THROUGH. Yes, Tech support at said ISP (if there is any) will live through hell. Yes, customers will go elsewhere when the ISP doesn't fix the problem. And yes, people will be irritated, annoyed, and even lose money, but it's all because the ISP in question is run by boneheads who don't want to hire a sysadmin, and think that the spammer market is an untapped resource. Companies like this *deserve* to go broke. People who sell services to scammers are running around with huge blinking neon signs on their backs that say "kick me!"

        The collateral damage we're looking for is exactly the sort of thing that unions do when they go on strike. They go out of their way to scare away the very customers that feed them in the hopes that upper management will starve first. When the workers go back to work, the company *will* be damaged in some way by the strike, but in the end, things advance, life goes on, and things improve for the better for everyone. The sooner people see the cluetrain coming, the better, but sometimes the whistle has to blow loud and long before anyone notices.
    • Re:Rubbish (Score:4, Insightful)

      by sfe_software (220870) on Monday January 06, 2003 @11:06PM (#5030259) Homepage
      If I'm an ISP, I damn well have a right to block all e-mail from China and Argentina and it has nothing to do with "geopolitics and democracy."

      And if I'm your customer, do I have a right to disable this blocking? I sell shareware and a lot of support email (and, though infrequently, legit registrations) come from these countries.

      This is why I'm all for Bayesian filtering, since it's customized to each individual user. Not all customers of any ISP, no matter how small, will have the exact same idea of what constitutes SPAM... I don't want my email blocked because it comes from an RBL or a particular country.
      • Re:Rubbish (Score:3, Insightful)

        by djmurdoch (306849)
        And if I'm your customer, do I have a right to disable this blocking?

        Of course not. But you do have the right to take your business elsewhere, if they don't give you that option.
        • Re:Rubbish (Score:3, Insightful)

          by sfe_software (220870)
          And if I'm your customer, do I have a right to disable this blocking?

          Of course not. But you do have the right to take your business elsewhere, if they don't give you that option.

          This is why I like Yahoo mail's method. Though it uses BrightMail, which isn't perfect, mail classified as "Junk" goes in the Bulk folder. I can then scan the subject lines or, if warranted, the email itself, to see if I agree with the classification.

          But if I found that my ISP were doing some sort of filtering, keeping me from seeing email sent to me, I'd be furious (luckily I run my own servers so this isn't an issue). It's more like censorship in my opinion.

          At the very least it should be *optional* and opt-in. Simply rejecting mail coming from a particular country is rediculous (what if I have friends/relatives there?).

          Anyway, I certainly hope this practice is clearly disclosed upon signup for Internet service... and not buried in an EULA-type of document.
  • I hope he has plans for retirement. Or a good explanation of how a U.S. law will affect spam coming from China.

    I think his idea is great, and will (if implemented) have the intended effect on spam originating from inside the U.S. It will have a converse effect on spam from outside the U.S, though - we'll continue to get the same amount of spam, it'll just all come from China. Actually, we might get more spam, since I bet it's cheaper to send the shit from China.

    The problem here is not that there aren't ways to stop spam (although that's part of the problem), but that spam makes money. As long as that's true, people will find a way to send it. C'mon - it's a freaking felony to carry a gram of cocaine, but hundreds of people do it every day, and few of them are caught.

    Unless Lessig can get laws passed in literally every country with as much as a ISDN link to the U.S, this approach won't help much.
    • by Goonie (8651) <robert,merkel&benambra,org> on Monday January 06, 2003 @10:47PM (#5030166) Homepage
      Whereas spam, from all reports, isn't all that profitable. In fact, it's only profitable because of the insanely low cost of doing business.

      If the cost could be driven up just a bit by legal and technical means, that would make it unprofitable and therefore it would disappear.

      Finally, whilst pr0n can be served up from anywhere it's legal, there are a lot of products that require a US presence, and thus present a target for civil and criminal law.

  • by VORNAN-20 (318139)
    Don't bother making spam illegal - it's a waste of time, there are too many ways around it even with a bounty. Instead, make it illegal to sell a product using spam ads (we need a careful definition of electronic trespass here). AND make it illegal to collaborate in financial transactions for companies that use spam. In other words VISA, MC, Discover, Amex etc, can't collect for any transaction for a product or service that used spam to advertise it.

    Hit them where it hurts - in the pocketbook. And don't bother with the senders, it's the people that employ the senders that should be targeted.
  • Assuming Lessig really wants to leave Stanford, this is a Win-Win for him. If he "loses" the bet he sticks to his word and can spin himself as a "man of integrity". If he wins the bet he can quit for some other reason. So, the real question in my mind is "What does Lessig want to do after he leaves Stanford?".

  • by CptnKirk (109622) on Monday January 06, 2003 @09:43PM (#5029891)
    Did bounties do anything to curb crime in the Wild West? Significantly? Plus way back then people only cared if the bounty was high. $100, $500, $1000 was a boatload of money back then. Heck if I could make that much now per message I'd be happy. But it won't happen.

    We already have $50 per message laws on the books (at least in CA) and with the exception of a hand full of publicized cases, there has been little uptake.

    In a world where one should be able to retire off the earnings of a family AOL account, it's a wonder existing laws aren't enough. It's simply too much work for too little return. It's too time consuming to plow through the forged headers, sue Yahoo for account information for user 123jlk213lkj and then still get nowhere.

    If there was a tough national anti-spam law I'd support it. But for the love of God, give it teeth. Include a sliding scale for infractions ($500 for first, $5000 second, $50000 third). Include jail time for forged headers, and force persons operating under the "business relationship" clause to offer proof of such relationship in the message (at least a link one can follow to verify the relationship as well as request that the relationship be terminated). Require that the transfer of such a relationship be opt-in.

    If this type of bounty system was put into place, the war on spam may actually be effective. Otherwise, good luck.
  • Some time ago I found that spammers had managed to hijack the Windows proxy set up by one company that I worked for. When I found it, they were essentially using the full 1.5Megabit pipe to pump spam into the universe. Given that they were hijacking the computers for financial benefit, this was clearly illegal -- both in Canada (where I live) and in the US (where they were doing most of their business).

    This leaves me thinking: shouldn't it be possible to use the ham-fisted anti-hacking laws against these bastares??? Not for spamming, but for hijacking peoples' computers to do the spamming with. I'd love to treat these bastards to 6-10 behind bars. Far better than a $100K fine that would be little more than a locense fee.

    I tried to get an agreement with the company for the right to sue on their behalf in return for me helping to lock down their systems... They didn't go for it. My alternative approach is that I'd like to set up a similar system, wait for them to hack into it, and then do a hunt for the bastards running the scam. Any holes in this plan? (other than the probable difficulty in properly trackingg these people down?)

    • Did they exploit the proxy or was it merely open?

      I would contend that if someone configures a machine to provide services to the Internet than that person shouldn't be surprised if people start using it - invited or not.

      I don't want to see legislation that turns a typo in your web browser into a federal crime.
    • by Anonymous Coward
      As someone who hypothetically works at a Tier-1 provider who hypothetically has many spammers buying bandwidth, I can tell you that any spammers relaying off a 1.5 Mbps pipe are small fish. Most big fish spammers purchase 10-100 Mbps of pipe to the core at a time and use all of it. They don't bum bandwidth off other people's relays.

      Of course, this highlights another point I think most people are not aware of. For network providers, spammers can be big business. Many of the bigger spammers purchase fatter pipes than many of the big technology-centric companies out there. As much as ISPs despise the headaches spammers bring them, spammers are also among their biggest clients. Spammers consume backbone bandwidth at rates that few other businesses do and this is translated into profits at a time when the ISP business is pretty rough. Since most ISPs require spammers to pay upfront for their bandwidth, this is a welcome addition to the bottom line. Obviously there are people sending spammers money or they wouldn't be able to afford these network pipes.
  • What will Lessig do when nearly all the spam comes through anonymised concat(relays,proxies)[rand] overseas, where the legislation has a value somewhere between "nil" and "dick"?

    It's a worldwide problem. Unless you advocate a world-government that can kick ass on local countries (and I certainly don't), legislation will NOT solve the problem, it simply CAN'T.

  • by theLOUDroom (556455) on Monday January 06, 2003 @10:21PM (#5030053)
    that is, even if the law was ever passed.

    How can this guy forget that the internet is not contained entirely within the jurusduction of the US?

    It's nor like the spammers need to move elsewhere anyways, all they need is some non-logging proxy outside US borders and they can post with impunity.

    Let's not forget the number of spammers already located outside of the US, either.

    The internet just does not work the way this guy thinks it does: there is never going to be a day when everyone just follows the rules and plays fair

    The way to handle spam is not with laws, it's with technology. Legislative bodies move too slowly and don't understand the technology, nor the scope of the internet.

    What needs to be used is a combination of many different technologies: filtering, blacklists, whitelist, etc.

    The internet is a huge shared network. So big, that prentending that you can trust every node on it is moronic. Software needs to be designed to recognize when a node is misbehaving and deal with it as well as possible. This goes for not just spam but other types of internet abuse, such as DOS attacks, trying 100 passwords in a row, etc. If a computer is going to be connected to an untrusted network it needs to be able to properly handle all kinds of unwanted data. To me that's just common sense.

    Fraud laws don't stop me from getting Nigerian scam emails, do they?

    The best way to fight spam is to develop software that isn't vulnerable to it, just like we fix other vulnerabilities. The reason we have spam is because our software isn't good enough.

    Think of an unfiltered email systen as accepting input from a web form without doing any checking on the data it's recieving. It leaves you open to tons of really easy attacks. (If someone puts a meg of text in a field and submits it, your cgi scripts are probably going to go apeshit.) It's just bad design and it's about time we fixed it.
  • I'm surprised! (Score:5, Insightful)

    by Helpadingoatemybaby (629248) on Monday January 06, 2003 @10:44PM (#5030153)
    That there's so much negative reaction to this. The posts fall into two categories:

    1) The internet is international, so you can't have a US law.

    2) A technological fix will fix everything.

    These are silly arguments and here's why:

    1) The US contains a large quantity of pc's and internet connections (if not most internet connections anymore). A law in the US alone will reduce the flow of spam massively, as these 300 million people use the internet disproportionately. Remember: he's just betting on reducing the flow, no eliminating it.

    2) The second argument is a false dichotomy -- you can have both a law and a technological fix. There's no harm in having both, as often neither is a comprehensive solution. Why so negative?

  • by Anand_S (638598) on Monday January 06, 2003 @11:09PM (#5030276)
    What a great idea Mr. Lessig has. I've adapted his legislation to be Slashdot-specific. I'm convinced that if my legislation is passed, there will be a significant reduction in "In Soviet Russia" posts. If a) the legislation is passed, and b) it doesn't work, then I'll forfeit all my karma.
  • by tlambert (566799) on Tuesday January 07, 2003 @01:06AM (#5030676)
    Start Stopping SPAM Right Now...

    Lobby for a change to the SMTP protocol, where the order of operation is no longer:

    -> MAIL FROM:
    RCPT TO:
    RCPT TO: DATA ...
    -> .
    MAIL FROM:
    DATA ...
    -> .
    RCPT TO:
    RCPT TO: DLVR
    - 250 Accepted for delivery

    This would permit decisions about verification of email addresses to be made based on the content of the messages (e.g. "disallow delivery of all `Precedence: Bulk' email"), instead of blindly verifying the the email addresses (via a "250 OK" response) before the contents are known, so that SPAM'mers would have a much harder time accumulating lists of valid email addresses to which to send SPAM.

    -- Terry
  • by iamacat (583406) on Tuesday January 07, 2003 @04:23AM (#5031155)
    Let's say, I saw a nice Java applet on your home page and peronally sent you a nice e-mail asking if I can use it on my web site, in exchange for 25% of whatever profits I get from it. Technically, you could say it's spam, because I don't any business relationship with you and you didn't invite people to send this kind of e-mail. But should this kind of personal contact be illegal? Should I have to shell out $10K because you got offended.

    Now imagine I sent similar e-mails to 200 users. How will you know if I wrote each one personally or if I am running a web scanner that just detects all Java applets? How can I prove I didn't use a scanner.

    Worse yet, let's see I really hate you. Then I can just send a nice spam that appears to come from your account. How are you going to prove you are not the author?

    If this law was enacted, it would in fact reduce spam. But it will also prevent people from making first-time business, political etc contacts on the Internet. And there would be innocent victims who just misunderstood the law or got framed by a good forgery.

    • "But should this kind of personal contact be illegal?"

      Obviously not. Rethink from first principles: the sorts of mail you want to block are the *un*targetted *bulk* irrelevant-to-some-recipients junk mails whose bulkiness costs ISPs money.

      The question is, does extreme relevance (as in your example) and extreme non-bulkiness (me-to-you as individuals) not make it unspammy?
      Does having a website with a webmaster@ link not make your *kind* of response "solicited", anyway?

      "How are you going to prove you are not the author?"

      Good ol' GPG plus a review of the headers. *Educate* the courts that spoofing-of-emails is possible, and cast significant doubt on the mail in question.

      "But it will also prevent people from making first-time business, political etc contacts on the Internet."

      Nah, it just has to be well worded.

      More to the point, it also has to have international acceptance.

      It may well be that "most spam" *you* see is written in American sent via Asian open relays, but around here it's Korean language sent from Korean boxes, plain and simple. I don't see one yankee law having a jot of difference on that.
  • Bad bet (Score:3, Interesting)

    by T.E.D. (34228) on Tuesday January 07, 2003 @10:34AM (#5032249)
    A US law can't have much effect, for the simple reason that most of my spam these days comes from outside the US. If you could wave a magic wand and stop all US-based spam, you'd hardly make a dent in it.

    In fact, the majority of my spam these days comes in using one of the various eastern pictographic fonts. Not only can't I read it, I can't even make out the symbols. I might as well be getting 50 emails a day of line noise.
  • Bet? (Score:3, Funny)

    by po8 (187055) on Tuesday January 07, 2003 @10:10PM (#5036979)

    Technically, this is not a "bet". A wager requires that a potential direct consideration accrue to the winning party. Lessig more accurately labeled it a "guarantee", although it isn't clear how his resignation would be helpful to those who might harmed by ineffectiveness of his law.

    I hope Larry doesn't have to resign: he doesn't seem to have much future as a professional gambler :-).

Man is the best computer we can put aboard a spacecraft ... and the only one that can be mass produced with unskilled labor. -- Wernher von Braun

Working...