New Spam Legislation Won't End Unwanted Mail

On Nov. 22, the U.S. House of Representatives voted 392 to 5 to pass the Can Spam Act of 2003, which is designed to put controls on the distribution of spam.

For once, the House and Senate saw eye to eye, more or less: The House version is an only slightly modified version of the Can Spam Act (S.877) passed by the Senate in October, and it's expected to be signed by the president early next year.

But the word can may be interpreted in two ways--obliterate spam, or allow it. And that pretty much sums up how the legislation can be interpreted. It puts some limitations on unsolicited commercial e-mail, but it doesn't disallow spam completely. It allows for creation of a Do Not Spam Registry, equivalent to the successful Do Not Call Registry, but it trumps stronger laws that have been passed by state legislatures--California's spam law, for example, has an opt-in requirement and gives individuals the right to sue spammers.

More on the Plus Side

The new Can Spam Act contains some other potentially effective components. Specifically, it prohibits false or misleading transmission information and deceptive subject headings, and it requires a valid functioning return address or comparable mechanism to which recipients can respond. It also mandates that the sender of commercial e-email include information identifying the message as an advertisement or solicitation, as well as opt-out and physical addresses.This means spammers can no longer use open relays without permission. It doesn't mean you should cancel your subscriptions to blacklist services that detect and prohibit incoming messages from open relays, but at least those services that target "legitimate" spammers will become more effective because it will be easier to identify the legitimate solicitors.

More on the Minus Side

The legislation may ultimately prove ineffective, because it puts even informed end users in a catch-22: It requires recipients to opt out of future mailings if they don't want to be contacted again, but how can you opt out if you don't answer? Suddenly, after training ourselves to simply delete unsolicited e-mail because spammers interpret even negative responses as positive, we're supposed to respond to every single message, opting in or opting out.

In a recent Washington Post column, Bill Gates advised against responding to spam unless you're absolutely sure the sender is legitimate. Given the new legislation, Gates should have advised users to respond to every piece of spam.

Meanwhile, by responding, we're telling the senders that we do, in fact, read their mail, which encourages them to add our names to the lists they sell to other spammers. To make matters worse, most users don't have a clue how to determine whether a sender is legitimate, so they're spammed if they do and spammed if they don't.In the Undecided Column

The proposed Do Not Spam Registry could solve part of this problem. Once users sign up for it, they could safely assume that most, if not all, the unsolicited e-mail they receive is indeed spam and report it to their service providers. This registry doesn't exist yet, so there's a window of at least six months for every marketer in the nation to send unsolicited pitches to every e-mail address available. And even if the registry is implemented eventually, there's no guarantee it will be as effective as the Do Not Call Registry. The economic barrier to a phone call is much higher than to an e-mail message, and tracing an e-mail message to its source can be all but impossible.

Ultimately, as editor in chief Rob Preston pointed out in his May 15, 2003 column, spam is a technical problem that demands a technical solution. We need to lock our doors, instead of posting signs that say "Keep Out."

Mike Lee is Network Computing's editor.