Stop This Today!

Wayne Crews In a heartfelt argument in favor of regulating the Internet to conquer the out-of-control e-mail-spam problem, The Weekly Standard's Christopher Caldwell took on policymakers' hands-off stance toward the Internet, saying, "Libertarianism has proved an attractive creed for the Internet generation in its lifestyle variant of live-and-let-live. But as a market system it has proved a flop." Problems like spam mean that "[a]n entire range of federal regulations is going to be necessary if the Internet is to be kept usable."

Unsolicited commercial junk e-mail, or "spam," is unquestionably a huge problem. Especially the animal-kingdom porn; I have to shoo my kids out of the room when I check any unfiltered e-mail accounts I use.

A MAGIC PILL?

The increasingly apparent downside of an Internet on which you can contact whomever you want is that anyone can contact you. Spammers, like the rest of us, pay no postage or long-distance charges. Ultimately, the only resolution is to shift costs back to the sender (as Caldwell suggests). The question is whether the way to do that is legislatively, or through markets via technology, pricing, industry consortia, or some combination.

There is a role for law. Peddling fraudulent merchandise, falsifying an e-mail header, or impersonating somebody else (such as forging the name of a person or organization as the sender of a spam), should be punished. So should making phony "unsubscribe" promises and breaking agreements with Internet-service providers (ISP) that prohibit bulk mailing. The law also should go after those who invade computers, such as by launching programs that hijack and send out spam from third-party computers. Some abusive forms of spam seem related to hacking more than to commerce.

To a great extent, unfortunately, legislative solutions will be ignored by the most egregious spammers, and alternative solutions are going to become more urgent.

Maybe that's a blessing in disguise because even spam itself is not a single dilemma and may require different responses anyway: For example, solving the problem of kids seeing porn in your in-box is a different than solving the problem of ISPs overwhelmed with Viagra ads.

Market solutions, unlike legislation, better lend themselves to cross-problem application. For example, just as the emerging e-mail problem was anticipated years ago, one might similarly predict problems emerging as costs imposed on Internet-service providers by free file-sharing services like Kazaa escalate. Spam (getting stuff) and piracy (taking stuff) alike are partly fostered by a pair of broader features: The lack of tiered pricing for network use, and the ability to hide one's identity or origin online. The Internet's "all-you-can-eat" buffet may need to end for email and file-sharing alike, which is a different proposition from passing a law. And changing Internet plumbing to allow verification of sender origin doesn't aid just the spam problem but also cybersecurity and hacking concerns that industry needs to address perhaps more urgently even than spam.

The Internet wasn't originally designed to be the mass commercial and consumer medium that it is today. If one were to design a commercial network today from the bottom up, it would probably incorporate authentication of the senders of e-mail. That seems to be something law cannot do. Now that we're in midstream, we wonder if law can get us there, or must technology do it? Might legislation even impede that end?

Aside from basic rules of the road, we don't want legislation to stand in for what ought to be (perhaps must be) a technical or market-driven fix. But one thing is clear: If the industry doesn't solve such problems, the law will step in, in ways some proponents may come to regret.

Proposed spam legislation, for example, would impose subject-line labeling requirements for commercial e-mail (commercial messages would have to say "ADV"); mandate an "unsubscribe" mechanism; ban the use of software capable of collecting emails from the Internet; set up stiff noncompliance fines; and establish an expensive (and likely hackable and perhaps worse-than-useless) Do-Not-Spam list at the Federal Trade Commission.

If a law sends the most offensive and egregious spammers offshore to continue hammering us, all we'll have accomplished will be legal and regulatory hassles for small businesses trying to make a go of legitimate e-commerce, or mainstream companies that already follow "best practices" like honoring "unsubscribe" requests. Commercial e-mail, even if unsolicited, may be welcome if the sender is selling legal and legitimate products and services in a non-abusive manner. Most of us can agree on the outrageousness of the porn that hits our family in-boxes. But, on the other hand, thousands of people bought "The World's Smallest Radio-Controlled Car" at Christmastime.

Proposed legislative penalties can easily be onerous or expansive enough to keep many businesses out of Internet marketing altogether, out of fear of a misstep. Is that really our goal? Regulating the ability to communicate freely isn't something to be done lightly.

FAST FWD:

As the market works to shift costs of commercial e-mail back to the sender, we must be on guard against unintended consequences, especially given the difficulty of enforcing legislation against the actual culprits. How might the definition of "spam" expand? Is it just "bulk unsolicited commercial" mail, or is it "anything you didn't ask for?" However tailored much of today's legislation tries to be, many believe it's the latter and want to go further.

What will be the consequences of legislation be for noncommercial e-mailers like nonprofit groups that send in bulk? If we need "ADV" for commercial advertisements, then what about "REL" for religious "spam" like a piece I got the other day about the coming apocalypse?

Many things aren't commercial but are still unwanted: press releases, resume blasts, and charitable solicitations. I've even seen the term "scholarly spam" for material like that sent by organizations like my own.

Notably, politicians exempt themselves as possible offenders under anti-spam legislation, remaining free to send us "junk" campaign material. Will orthodox anti-spammers put up with unsolicited political e-mail? If not, that means further regulation of political speech.

And don't discount the creativity of lawyers looking to sue easy marks, given the fact that the bad guys will often be out of reach. Will lawyers go after newsletters that contain embedded ads but that might have failed to put "ADV" in the subject line? What about small startups that occasionally slip up when implementing "unsubscribe" requests? What about those of us who occasionally send an e-mail to strangers with a link to our company affiliation in our e-mail signature line, in the vague hope that someone will click on it, or will forward it to somebody who will? That's a subtle solicitation, whether we admit it or not.

Aggressive pop-up ads may become targets in the aftermath of spam legislation, too (they already are in Germany). They're not e-mail. But they are unsolicited and commercial, and getting more insistent than ever, employing animation and sound. But like e-mail, pop-ups can be essential for survival to some online businesses.

Legal bans on "pseudonymous" e-mail return addresses, as well as bans on software capable of hiding such information, can affect untrammeled speech and anonymity for individuals, and will be ignored by spammers anyway. Well-meaning individuals can use "spamware" to create the contemporary version of the anonymous pamphlets that have played such an important role in our history. Safeguarding anonymity can be important to a mass communications tool like e-mail. In an era in which so many people are concerned about online privacy, legislation outlawing software that can protect such privacy would be curious indeed.

That said, while I don't want the government to outlaw anonymity and private e-mailing online, the private sector may prohibit it on private networks if that's what canning spam requires.

Another worrisome issue is the tendency of legislation to set up "rules" for advertising. I want to permit ruthless blocking by ISPs. Would anti-spam laws get in the way of such blocking if government sets up minimum standards for e-mail solicitation, such as using "ADV" and providing a street address? What if a bulk mailer obeys the law and allows opt-out but the ISP would prefer not to deal with them?

Either the industry or Congress can set terms, but hardly both. The Coalition Against Unsolicited Commercial Email indicated in the New York Times that it regards some proposed legislation as a license to spam: "ISPs won't be able to terminate spammers if they spam with their real address." Surely, post-legislation, marketers will feel that they have met federal requirements and therefore ISPs have no right to block their messages. (One commenter said the "CAN SPAM" bill meant that you "can spam.") In that environment, would advertisers then be able to sue whenever their mail gets filtered or blacklisted, even in the absence of a contract with the ISP? Blacklists are one of the key means of dealing with spam today. I'm obviously in no way opposed to marketing online, but contracts, not legislation, must rule here. ISPs must retain the right to end such unwanted relationships.

DIRECT YOUR TRAFFIC There's good news that's not widely enough known. If the desire is to stop spam in personal inboxes, one can do it already, without legislation. I use a so-called "handshake" or "challenge-and-response" e-mail account that doesn't allow any e-mail through to me from strangers unless they respond to a "challenge" (such as supplying a generated password or answering a query). In over two years, I've never received a spam in this account. That doesn't mean I won't. But because the most-offensive spam is sent by automatic bulk mailing programs that aren't capable of receiving a reply, spam no longer appears in the inbox. I happen to think that whatever legislators do, white-lists or such challenge-style systems are essential for children's accounts.

Changing the default expectation from today's "everything comes in unless you say 'no'" to "nothing comes in unless you say "yes," seems a step forward rather than backward. There are costs to either approach, of course. Business needs will be different from that of personal or home use, and "challenging" customers who email them may be less appropriate. But, then again, perhaps not. There may emerge a culture of tolerance, an expectation that e-mailer recipients from now on will ask, "Who's there?"

That isn't to say there aren't problems. Technology discussion groups are abuzz over the problems that challenge-response systems pose for mailing lists. But these issues appear transitory to me, and less problematic than legislation in any event.

Eventually spambots may be capable of bypassing challenges. In that sense the industry is in the position of the movie industry and its piratable DVDs. They have some lead-time, but it's not clear how much. Meanwhile, service providers need to get busy on standards, such as for authentication of senders. Identifiers or ''seals'' for trusted commercial e-mail could be a critical means of helping tomorrow's ISPs block unwanted e-mail, but it could require major reworking of Internet protocols, and unprecedented industry coordination. A new consortium including America Online, Microsoft, and Yahoo to establish certified email would bolster this approach.

Such major overhaul of the Net architecture has been likened to widening all the nation's roads six inches. It is a monumental undertaking. But if it truly is the case that lack of authentication is at the root of the spam problem, it's also likely that legislation doesn't directly solve it. It may be that a system in which originators of messages remain anonymous is altogether inappropriate for a commercial information society of tomorrow. If so, neither is it appropriate to expect law to accomplish what ultimately must be a technological and market undertaking.

Solving the problem may require "collusion" among service providers of the very sort that is going to enrage the "open Internet" advocates, and thus result in new hearings and scrutiny form Congress. But Commissioner Orson Swindle of the Federal Trade Commission thinks the industry can do far more to address the problem on its own, such as by granting users more control over their inboxes. ISPs might also limit the number of outgoing messages per subscriber account, for example. Yahoo did it long ago and MSN Hotmail recently did so. Tiered pricing for email and bandwidth itself may be in the offing. (The flat fees of today aren't a fact of nature or a natural right.) Ultimately, email "postage" or protocols that allow users or ISPs to charge fractions of a cent for receiving unsolicited email would end spam once and for all. Bonded sender programs are already being set up that might anticipate such a sea change.

IMPORTANT, READ NOW

Leaving the avenue open for private, technical, and contractual solutions, and avoiding laws that get in the way, is urgent. In embracing legislation we're embracing collective "solutions" that may be hard to correct. That's why, unlike Caldwell, I'd exercise far more caution before advocating central planning for the Net, especially because his most immediate concern — the hostile environment for kids — is easily solvable with a challenge-and-response account or a white list. (That said, there's still no substitute, nor can there be, for parents' supervision. E-mail is just one concern. Other concerns are which websites kids are visiting, and what that video clip was that Junior just downloaded from Kazaa.)

Given the understandable desire to stop outrageous unsolicited e-mail, it is all too easy for Congress to undermine legitimate commerce, communications, and free speech while not solving the problem. Hampering Internet commerce would be pointless if spam continued pouring in from overseas. We don't need more anti-spam organizations and legislative attempts. We need locked inboxes, authentication, and perhaps "postage" to allow users to customize their in-boxes to reflect their own conceptions of "spam." Industry, get busy, please, before Washington does.

Clyde Wayne Crews Jr. is director of technology studies at the Cato Institute.

Print page