US House, Senate Agree on Anti-Spam Bill

Folic_Acid writes "Rep. Billy Tauzin, chairman of the House Energy and Commerce committee, has announced that the House and the Senate have reached a deal to both pass an anti-spam bill, the first ever federal anti-spam law in the United States. Specifically, the law contains: opt-out, authority for the FTC to set up a "Do-Not-SPAM" registry, criminal charges for fraudulent spam, including five years in prison, statutory damages of $2 million for violations, tripled to $6 million for intentional violations, unlimited damages for fraud and abuse." News.com has a copy of the bill and a story.

more of the same

[mabu]

While I applaud the intent, unfortunately this is another totally ineffective anti-spam legislation. There are plenty of laws already on the books making 99.9% of spam illegal, but the problem is the government and related law enforcement agencies do not enforce the existing laws so why would anyone think this is any different? People need to realize that passing a law, and enforcing a law are entirely different. This is like going into a book store and buying a book, but not reading it! I hear next week Tauzin is going to solve the world hunger problem by passing a law making it illegal to throw out leftovers. Hurrah!

At this point, the only way you can realistically take action against a spammer based on these laws is by printing them out, finding the spammer and then hitting him over the head with the actual laws. Law enforcement agencies and district attorneys have repeatedly demonstrated an apathy towards pursuing and prosecuting spammers. The FBI has a monetary threshold of damages on any case of this nature it even elects to investigate. There are virtually no resources dedicated to enforcing this bill and there are no competent agencies available to even investigate! Please send a message to your political leaders that enforcement and not more laws are key to dealing with this problem.

The law looks good, but without dedicated provisions and a change in policy which will actually insure that these issues will be enforced, this is just a joke.

Re:SPAM fines

[Lxy]

The word is "intentional", as in "I was purposely breaking the law" as opposed to statutory, "I didn't know I was breaking the law".

This is to be consitent with DMCA's safe-harbor

[unassimilatible]

DCMA has a safe-harbor provision, which gives infringers an out if they take down the infringing material once notified by the IP owner.

From keytlaw [keytlaw.com]

• Digital Millennium Copyright Act Safe Harbor
  The simplest, cheapest and best way a web site owner may protect against liability for copyright infringement resulting from users' uploaded content is to comply with the safe harbor provisions of the Digital Millennium Copyright Act. Web site owners who comply with the requirements of the DMCA and who take appropriate action after receiving notice of copyright infringement from a copyright owner, will not be liable for money damages for users' uploaded content.

I think they just wanted to make it consitent with DMCA.

The closest distance between two points is a tunnel
- Lyndon Johnson.

Most spam *IS* from the USA

[Space cowboy]

I direct you to Spamhaus.org rokso list [spamhaus.org]

Have a quick scan down the list of countries...

Simon

It's better than nothing

[rossz]

Some will argue that it won't help because all the spam comes from China and South Korea. Wrong. A lot comes from those two countries, but the number one source of spam in the world is the U.S.

Then they'll argue that the spammers will move their mail servers to another country. So what? If the company doing business is still located in the U.S., the anti-spam laws will apply. I already block China and South Korea. I'm damn close to blocking Brazil. If the spammers move, it will be easier to block them.

Then they'll say the spammers will move their entire business to another country. Hell, that works for me. Maybe they'll move to the next country on the anti-terrorism hit list.

As for the idiots saying spam is protected by the Constutition. Bzzt! Wrong! Your right to free speech does not extend to breaking into my home to set up your soap box. Your right to free speech does not give you the right to make me pay to listen. Your right to free speech does not continue when I tell you to shut up and get the hell out of my house, nor does it mean you can sneak back in the next day to make me listen yet again.

That's the wrong bill

[Folic_Acid]

You're not looking at the right definition - look here [com.com] for the final version. For those too lazy to read, the definition is:

The term ''commercial electronic mail message'' means any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).

Re:Unlimited damages

[Anonymous Coward]

typically, such verbage is part of the "injunction" clause.

Basically, "because your violation of the NDA might cause damages that money alone can't fix...blah blah blah...you agree that a judge should grant us an immediate injunction against you if we believe you're in violation of this agreement."

Normally the judge would have to find that (a) the plaintiffs are likely to win the case, and (b) the activity in question is likely to cause irreparable harm to the plaintiff. This clause shortcircuits that test. Basically, they go to a judge, file their motion indicating how they feel you are violating the NDA, and the judge (if he believes them) can grant the injunction (barring you from doing further business with whatever is being disputed) without having to find (b), which can sometimes be hard to prove.

Re:Another attempt to kill capitalism

[Archangel Michael]

Spam is profitable at such a low rate of response that it will NEVER disappear, even if it pisses 99.98% of the people. It is the stupid .02% of the people who make spam work.

Spam will NOT be profitable if it generates NOISE. In order for Spam to work, it must leave behind a point of contact of some sort. If we collectively fill that point of contact with JUNK responses, spam will disappear because it cost MORE to the spammers than it is worth. Imagine a spammer having to sort through millions of fake responses to find the one that is legit?

That is how spam will be defeated.

Re:Finally!

[dougmc]

(1.) U.S. Laws only reach as far as U.S. borders. Where does 95% of spam come from?

95% of my spam does not come from any one country.

However, I'd say that at least 60% comes from within the US (and yes, I'm in the US.)

I don't think legislation is a magic bullet, but it may just help. Certainly, the `do not call' lists have reduced the telemarking phone calls we receive by over 95%.

Re:The RIAA/MPAA has their mitts in this one too!

[Greyfox]

#include <obIANAL.h>

Last time I checked, the only way to be sure was to send a registered letter via the USPS. E-Mail is not a very reliable delivery mechanism, certainly not good enough for sending legal notices. I doubt such an E-Mail would hold up in a court of law, should a lawsuit be filed with just E-Mail notifications, so it's kind of pointless to be sending them.

Re:Finally!

[Anonymous Coward]

U.S. Laws only reach as far as U.S. borders. Where does 95% of spam come from?

U.S.

Almost every big time profitable spammer I've heard tracked down has been in the U.S., except one Aussie. They use a lot of off-shore computers, thanks to proxies. I want to see one spammer go to jail. Most are breaking computer security and fraud laws, yet all the ever get is civil penalties. Put a few in jail and you'll see spam drop very fast.

Re:Finally!

[Anonymous Coward]

"(1.) U.S. Laws only reach as far as U.S. borders. Where does 95% of spam come from?"

And where are the businesses that the spam advertises for?

Think about it.

Wouldn't most people be less likely to buy things from some random place in Nigeria, or at the very least wouldn't the the foreign placement of the business arouse some suspicion?
Not to mention overseas shipping charges.

Re:How?

[pjrc]

The SPAM wars will be fought and won with innovative technology

Really? Filters perhaps, but certainly not anything fundamental at the protocol level.

The simplest and most backwards compatible approaches under consideration are IP-number-based sender authentication. These don't require any significant changes to SMTP/ESMTP, and they can be adopted gradually and interoperate with systems not yet deploying them. SPF [pobox.com] is probably one most likely to be adopted. The basic idea is to provide a mechanism for a receipient to check if the IP number of the transmitting SMTP server is one of the IP numbers authorized to transmit messages for that domain (existing MX records only tell you the IP number which is to receiving incoming messages).

But there has been considerable resistance to even these relatively simple, very compatible, easily implemented ideas.

The ugly truth is that LOTS of legitimate email takes advantage of SMTP's complete lack of sender authentication. Adding even very simple and relatively weak sender authentication is going to create a LOT of pain for everyone with improperly configured outgoing mail, and for message forwarding.

Re:more of the same

[Eric Savage]

"...why would anyone think this is any different?"

Basically because it's a federal law. This means all of the issues of jurisdiction that the state laws face are gone. There are certainly lots of issues left, but having some sort of federal law is a big step IMO.

(I haven't read this particular law yet, since its 55 pages long)

Opt-out and Do Not email l Lists don't work

[Joe Wagner]

I am really disappointed this is looking like it will make it into law. In 1991, Congress authorized the telephone "do not call list" by the FTC. That list took more than a decade to go into effect. How long do you think you'll wait for this one?

As far as the effectiveness of asking spammers to "remove" email addresses, we have done some study on the matter. Below is a partly snipped declaration I made regarding some Florida spammers who use "remove" requests as a source to harvest new requests.

1. From Thursday, [date snip] through Saturday, [date snip], a number of unique email addresses were submitted to approximately 35 different email address "Remove me," "Unsubscribe," "Opt-out," etc. web pages whose URLs were found in various unsolicited commercial email (UCE or "spam). The email addresses submitted were created solely for this purpose and had never before nor since been given out nor used in any manner. Each unique address was submitted to only a single "opt-out" page, allowing easy tracking of the origin of that email should it ever receive email in spite of the opt-out request.
2. By the following Tuesday morning, [date snip], our mail servers began receiving UCE/spam to those same unique addresses, advertising software found on [snip]'s website, e.g. http://www.allthebestsoftware.com/mcafee007.htm
3. [snip]' UCE/spam messages contained a disclaimer at the bottom of the email asserting, e.g.: "Your personal email address was obtained from an opt-in list. Opt-in UEC (United Ecommerce Coalition) Approved List - Type NNS Suffix = zT%22d%H&EUSA. To unsubscribe from this list, please Click here . You need to allow 5 Business days for removal. We do not condone spam in any shape or form. Thank You kindly for your cooperation. " The statements in the [snip]' disclaimer are thus clearly false as explained above in Declaration #1.
4. The "unsubscribe" link in the [snip]' UCE messages was to other [snip]' web sites, e.g.: http://www.upgradesrus.net/remove.asp
5. As chance would have it, and indicative of the prolific nature of [snip]' email marketing practices, that exact URL ( http://www.upgradesrus.net/remove.asp ) was one of the 35 used in Declaration #1. Thus a number of unique email addresses were submitted to upgradesrus.net. Those unique addresses, submitted only to upgradesrus.net, have since received hundreds and hundreds of UCE/spam.
6. Hypertouch, Inc. never requested any email from [snip].
7. Hypertouch, Inc. had no relationship with [snip] prior to receiving their email.
8. [snip] in their unsolicited emails offer to remove the recipient's email address from [snip]' lists. This offer is demonstrably made in bad faith. [snip] do not merely ignore removal requests, they apparently use such opt-out requests rather as a source to harvest fresh addresses to send more UCE/spam.
9. Hypertouch, Inc. continues to receive email from the [snip].
10. As is common industry practice, Hypertouch, Inc. routinely advises its clients NOT to reply nor attempt to "opt-out" to UCE/spam because such requests often result in an email address receiving even more UCE/spam as a confirmed "live address." Hypertouch, Inc.'s first hand experience with the [snip]' unethical, fraudulent and illegal behavior demonstrates conclusively the soundness of this advice.
11. Without exception, every one of [snip]' emails violated both Section 17538.4 and 17538.45 of the California Business and Professions Code.

You can imagine once spammers all go to internationally registered and thus untraceable domain names tracking this sort of trickery will become tougher. We tell our users that we know from first hand experience that responding to and attempting to opt out of spammers lists are a bad idea. This law is just a license to spam.

Hasn't passed the House yet. Call Congress now.

[Animats]

This bill (referred to S.877, even by the Clerk of the House) hasn't actually passed the House yet. The House is still in session, at 2:30 AM. There was a voice vote, but it wasn't decisive, and a roll call vote was scheduled. To save time, all the roll call votes today will be run at the end of the "day". The roll call vote is on the calendar, but it hasn't happened yet. At this moment, the House is voting on whether to recommit the Medicare prescription drug benefit bill back to committee.

This bill could still die. Call your Congressional office. [house.gov] The staff is still there, very tired, and answering the phone.