Spam and its Effects on Small Business


The increasingly apparent downside of an Internet on which youcan contact whomever you want, is that anyone can contact you.

Unsolicited commercial email, or "spam," is unquestionably ahuge problem. Bulk spammers pay no postage. Ultimately, theresolution is to shift costs back to the sender. The question iswhether that should happen legislatively, or via technology,pricing, industry consortia, or some combination.

Ironically, a recent Reuters story indicated that filtering insome ways is becoming too powerful, as even friends are required tojump hurdles to get into their acquaintances' whitelisted,moat-surrounded mailboxes. It seems the "openness" that was centralto the "Internet experience," as the marketers like to say, is nowa bug. It seems no longer the case that everybody necessarily needsor wants to be connected to everybody else, or shares conformingviews of what acceptable online etiquette entails.

However, the real issue isn't merely that legislation likelywon't rid us of spam (given the Net's global pool of scofflaws);rather, legislation like "ADV" mandates or "do- not-spam" listsdon't address the fundamental factors at the root of the spamproblem: (1) lack of authentication of senders, and (2) the abilityof spammers to shift the costs of sending bulk email torecipients.

As for those legal attacks on spam being debated, some areappropriate and necessary. Such misdeeds as peddling fraudulentmerchandise, or forging the name of a person or organization as thesender of a spam should be punished, as should phony "unsubscribe"promises, as should breaking an agreement made with an Internetservice provider that prohibits bulk mailing. The law also shouldgo after those that invade computers, such as by launching programsthat hijack and send out spam from third party computers. Abusiveforms of spam like "dictionary attacks" and spoofing seem relatedto hacking more than to commerce. Such behavior is already illegalof course.

To a great extent, unfortunately, legislative commands will beignored by the most egregious spammers, and alternative solutionsare going to become more urgent.

Maybe that's a blessing in disguise, because even spam itself isnot a single dilemma and may require different responses anyway:for example, solving the problem of kids seeing porn in the inboxis a different than solving the problem of ISPs overwhelmed withViagra ads.

Market solutions, unlike legislative decrees, better lendthemselves to cross-problem application, beyond spam. For example,just as the emerging email problem was anticipated years ago, onemight similarly predict problems emerging as costs imposed onInternet service providers by free file-sharing services like Kazaaescalate. Spam (getting stuff) and piracy (taking stuff) alike arepartly fostered by a pair of broader features: the lack of tieredpricing for network use, and the ability to hide one's identity ororigin online. The Internet's "all you can eat" buffet may need toend for email and file-sharing alike, a different proposition frompassing a law.

The Internet wasn't originally designed to be the masscommercial and consumer medium that it is today. If one were todesign a commercial network today from the bottom up, it wouldprobably incorporate authentication of the senders of email.Indeed, changing Internet plumbing in midstream to allowverification of sender origin wouldn't aid just the spam problembut also cybersecurity and hacking concerns that industry needs toaddress perhaps more urgently even than spam.

Legislation shouldn't stand in for or delay the day of reckoningfor what should be (perhaps must be) a technical or organizationalor market-driven fix. But one thing is clear: If the industrydoesn't solve spam, the law will step in, in ways some legislativeproponents may come to regret.

Proposed legislation, for example, would impose subject- linelabeling requirements for commercial email (commercial messageswould have to say "ADV"); mandate an "unsubscribe" mechanism; banthe use of "harvesting" software; set up stiff non-compliance finesor even bounties; and establish an expensive (and likely hackable)Do-Not-Spam list at the Federal Trade Commission.

But if legislation sends the worst spammers offshore, all we'llhave accomplished is legal and regulatory hassles for smallbusinesses trying to make a go of legitimate e-commerce, andmainstream companies that already follow "best practices" likehonoring "unsubscribe" requests.

Besides, commercial e- mail, even if unsolicited, may be welcomeif the sender is selling legitimate wares in a non-abusive manner.Most of us can agree on the outrageousness of the porn that hitsour family in-boxes. But, on the other hand, thousands of peoplebought "The World's Smallest Radio-Controlled Car" atChristmastime, or the Most-Wanted card deck during the Iraqiwar.

Proposed legislative penalties can easily keep many smallbusinesses out of Internet marketing altogether, for fear of amisstep. Is that really our goal? (It takes effort to unsubscribeaddressees, and inadvertent mistakes will happen.)

We should guard against unintended consequences, especiallygiven the difficulty of enforcing legislation against the actualculprits. How might the definition of "spam" expand? Is it just"bulk unsolicited commercial" mail, or is it "anything you didn'task for?" Many say the latter.

What will be the consequences of legislation for noncommerciale-mailers like nonprofit groups that send in bulk? Many thingsaren't commercial but are still unwanted: press releases, resumeblasts, and charitable solicitations. I've even seen the term"scholarly spam" for material like that sent by organizations likemy own.

Notably, politicians exempt themselves from anti-spamlegislation, remaining free to send campaign material. But if weneed "ADV" for commercial advertisements, then what about "REL" forreligious "spam" like a piece I received warning of the comingapocalypse?

We shouldn't discount the creativity of lawyers looking to sueeasy marks, given that the bad guys will often be out of reach.Rest assured lawyers will go after those who occasionally slip upwhen implementing "unsubscribe" requests, or after newsletters thatcontain embedded ads but that might have failed to put "ADV" in thesubject line. Navigating the treacherous email commerce of tomorrowwill be easier to handle for large firms relative to small firms.Is this fair?

The invective around spam is so heated that you don't know whoseline you're going to cross. Some of us occasionally send anunrequested email to strangers with a link to our companyaffiliation in our email signature line. That's a subtlesolicitation, whether we admit it or not. Remember, "spam" is amade- up word, subject to interpretation.

Aggressive pop-up ads may become targets in the aftermath ofspam legislation, too (they already are in Germany). They're not e-mail, but they are unsolicited and commercial, and getting moreinsistent than ever, employing animation and sound. Some ads aren'tmerely popup but take over the screen.

As for 1st Amendment concerns, legal bans on "pseudononymous" e-mail return addresses can affect untrammeled speech and anonymityfor individuals, and will be ignored by spammers anyway.Well-meaning individuals can use "spamware" to create thecontemporary version of the anonymous pamphlets that have playedsuch an important role in our history.

That said, while I don't want the government to outlaw anonymousemailing, the private sector may need to prohibit it on privatenetworks if that's what canning spam requires.

Another worrisome issue is the tendency of legislation to set up"rules" for advertising. Indeed, much of the Internet industry'snewfound support of email "spam" legislation seems defensive andaimed at protecting the right and ability to send legitimatecommercial email. Those motives are understandable andappropriate.

But there can be a downside to seeing legislation as the avenueto legitimacy. Surely, post-legislation, marketers will feel thatthey have met federal requirements, like ADV and a street address,and therefore ISPs have no right to block their messages even ifthe ISP would prefer not to deal with them. (One commenter said the"CAN SPAM" bill meant that you "can spam.") In that environment,would advertisers be able to sue whenever their mail gets filteredor blacklisted, even in the absence of a contract with the ISP?Blacklists are one of the key means of dealing with spam today. Iwant to permit and retain ruthless blocking by ISPs, not have thatability over-ridden by the fact that a business followed somelegislative checklist. Contracts, not legislation, must rule here.ISPs must retain the right to end such unwanted rela tionships.

Either the industry or Congress can set terms, but hardlyboth.

There's some good news. If the desire is to stop spam inpersonal inboxes, one can do it already, without legislation.So-called "handshake" or "challenge-and-response" email accounts donot allow any email through from strangers unless they respond to a"challenge," such as supplying a generated password or answering aquery. In over two years, I've never received a spam in one suchaccount that I use: That doesn't mean I won't. But because the mostoffensive spam is sent by automatic bulk mailing programs thataren't capable of receiving a reply, spam no longer appears in theinbox. Whatever legislators do, however, white- lists or suchchallengestyle systems are essential for children's accounts.

There are significant transitional costs to changing the defaultexpectation from today's "everything comes in unless you say 'no'"to "nothing comes in unless you say "yes," but the spam problem isso bad that there may well emerge a culture of tolerance, anexpectation that email recipients from now on will ask you, "Who'sthere?" at least the first time you come knocking.

Meanwhile, service providers need to get busy on standards, suchas for authentication of senders. Identifiers or "seals" fortrusted commercial e- mail could be a critical means of helpingtomorrow's ISPs block unwanted e- mail, but it could require majorreworking of Internet protocols, and unprecedented industrycoordination. A new consortium including America Online, Microsoft,and Yahoo to establish Trusted Sender standards like those longcalled for by TRUSTe would bolster this approach.

Such major overhaul of the Net architecture has been likened towidening all the nation's roads six inches. It is a monumentalundertaking. But if it truly is the case that lack ofauthentication and pricing is at the root of the spam problem,legislation doesn't directly solve those issues. It may be that asystem in which originators of messages remain anonymous isaltogether inappropriate for a commercial information society oftomorrow. Maybe it needs to be impossible, not merely illegal, tosend a commercial email if the network owner can't discern who youare via some form of origin certification or digital signature. Ifso, that's a job for the industry that can't be replicated bypassing a law.

Already Commissioner Orson Swindle of the Federal TradeCommission has indicated he thinks the industry can do far more toaddress the problem on its own, such as by granting users morecontrol over their inboxes. ISPs might also limit the number ofoutgoing messages per subscriber account, for example. MSN Hotmailrecently did so, and Yahoo did it long ago. Yahoo also recentlyimplemented a sort of reverse challenge-response. Users whosuddenly started sending in bulk found themselves challenged byYahoo.

Today's flat fees for sending email aren't a fact of nature or anatural right. Ultimately, email "postage" or protocols that allowusers or ISPs to charge fractions of a cent for receivingunsolicited email would end bulk spam once and for all. Bondedsender programs are already being set up that might anticipate sucha sea-change. But such innovations would be a long way off.

Given the understandable desire to stop outrageous unsolicitedemail, it is all too easy for Congress to undermine legitimatecommerce, communications, and free speech, and delay needed changesin industry structure, relationships, practices and technologies.Meanwhile spam could continue pouring in from overseas. We needlocked inboxes, authentication, and perhaps "postage" to allowusers to customize their inboxes to reflect their own conceptionsof "spam." Those solutions are even better if they are harmoniouswith other priorities like cybersecurity. The industry needs to getbusy before Washington does.

Whether or not Washington passes an anti-spam law this session,the industry must still grapple with what are fundamentallytechnological and economic dilemmas rather than legislative ones.If industry doesn't resolve sender authenticating issues and endcost shifting, Congress will act-but without solving eitherproblem.

Subcommittee on Regulatory Reform and Oversight
Committee on Small Business
United States House of Representatives