CAN-SPAM Act of 2003
The U.S. Congress has created the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003”, otherwise known as the “CAN-SPAM Act of 2003” (wonder how late someone stayed up coming up with that title) in an attempt to regulate unsolicited commercial email proliferation (otherwise known as UCE or spam). This act has passed through the Senate and the House, and if signed by the President (which is expected), it will most likely take effect on January 1, 2004. Several reports in the technical industry blast this Act as being too lenient and undermining existing attempts at controlling spam, while the politicians stand behind this Act and say it is a big step forward. So I decided to take a look at the actual Act myself and form my own opinion.
First of all, I am not a lawyer, and I don’t play one on TV, so I may be interpreting some of this incorrectly (and make no claims about the accuracy of the following information… if you are a mass mailer yourself, or want to know the exact details, I recommend reading the Act directly). I’m also a big supporter of minimal government interference in the goings-on of the Internet, but believe some laws do need to be in place for controlling extreme cases like spam. However, as a recipient of spam (over 200 spams per day and climbing are sent to my personal mailbox) and a mass mailer (I work for a company and handle the transmission of over a million solicited emails a week), I do have a lot of interest in email and the laws affecting it.
I have to give the creators of this Act credit in that they do understand the limitations of creating a federal law, as they say in the findings of Sec. 2 (a)(12) (quoted from the Act):
This is very true, as a large amount of spam originates outside of the US, often on hijacked mail servers in countries with less strict security practices and/or prosecution laws.
Moving on, Sec. 4 amends Chapter 47 (Fraud and False Statements) of title 18 (Crimes and Criminal Procedure), United States Code, prohibiting unauthorized use of another’s computer system to transmit emails, or to deceive a recipient about who the actual sender of the message is, via a hijacked mail host/relay, fake headers, or other means of masking the true identity of the sender.
So far, so good.
Then we get into the true meat of the Act, Sec. 5… This section defines the new requirements for commercial email use in the United States. (The emphasized lines are my summary of the major components of this section).
Headers need to clearly identify the person or organization that originated the email and the legal host that the email was initiated on.
This probably covers the lion’s share of the spam that plagues the Internet. Most spammers will hide behind fake addresses and spoofed mail hosts in order to protect themselves from angry recipients and to avoid mail blocks that attempt to stop spam from being delivered.
Subject names must not be deceptive.
How many spam messages have you gotten that just said “Hi” or “Re: your message”, or one of my recent favorites… “I’m tired of your bullshit!” This is another good addition to make it more obvious what the emails are about before you open them, especially if the email is adult or obscene in nature.
The message must contain clear and conspicuous information on a working method of how the recipient may choose to opt out of any future mailings, and those requests must be honored.
This section is important because it makes valid unsubscribes legally required. However, and this is one of the largest complaints I’ve seen about this Act, it does not make illegal the sending of the email unsolicited in the first place, as long as an appropriate opt-out method is included and adhered to. It does, though, require the sender to include a valid physical postal address if the email being sent is unsolicited… It’s not a ban on unsolicited email, but it’s at least starting to attempt to make senders more responsible (if only slightly).
Looking beyond this, though, there are some strong components to this section, all focused on opt-out (unsubscribe) handling. Besides requiring a valid method of unsubscribing from the email that was sent out, the sender must also provide the option for and honor requests to be removed from all future mailings from that sender. Anyone who’s unsubscribed from one mailing list of a company only to be mailed by another from the same company can appreciate the intent of this. In addition, the Act prohibits the distribution of a person’s email address to third parties after that person has opted out of all future mailings.
Anti-harvesting and anti-random address generation provisions…
Another weak part of this law is that it treats harvesting of email addresses (collecting addresses from websites or other online services) if that site or service expressly states that it will not distribute email addresses (why should a site have to have that notice? It should be inherent), and random address generation (to attempt to guess valid email addresses), as only aggravated violations. What this means is that, at least according to this Act, it will still be technically legal to harvest addresses and attempt to guess valid addresses through an address generator for the purpose of sending unsolicited email, as long as that email satisfies the other rules of this Act (mainly, provides a valid opt-out process).
Warning labels are required on unsolicited commercial email that contains sexually oriented material.
Pretty much self explanatory, and I doubt anyone would disagree that this is a good and important addition… Ever open up an email at work thinking it was a work related message only to find a pair of breasts staring back at you?
Sec. 6 adds liability to businesses that knowingly allow their products or services to be advertised in a message that breaks these rules.
The rest of the Act covers items such as enforcement, mobile messaging, and effects on other laws that I won’t really get into, but there are a couple of important specific points in the later parts of the Act to bring up, the first being that this Act will supersede state law. I understand (and it’s stated) that the intent of this is to create a uniform law across the United States which will make it easier for emailers to understand and conform to the law. The downside, however, is that this effectively bars states from being able to create stricter laws against unsolicited electronic mail.
There is also, though, a paragraph that explicitly states the following:
This is important because it means that providers of Internet access services are still free to implement their own policies for how they will handle email, and it allows the Internet to continue to police itself above and beyond the limitations of this Act. It’s also why I strongly disagree with statements I’ve seen made such as the following in a Wired article:
“If a sender complies with the Can-Spam act, there is no legal basis for denying that sender an authentication token, and so any spammer can trivially circumvent authentication,” said Yerazunis. “This ‘legitimate spam’ loophole makes the cryptographic authentication-based systems proposed by VeriSign, F-Secure and CipherTrust meaningless.”
I don’t see anything in this Act that makes existing and future progress in technical solutions to spam blocking and control meaningless, or for that matter any less meaningful than it currently is. I think changing the landscape of the way emails are handled will still largely be done by the Internet society as a whole, as I think it should be, and I don’t see this Act affecting that. With some notable exceptions above, I think this Act provides a framework that can be built into something effective to work in concert with other spam fighting methods. Right now I see it primarily as a law to go after the most grievous offenders sending misleading or fraudulent spam, while forcing a little more responsibility on mass mailers in general.
This Act has some major challenges, primarily in enforcement, as it covers only one country in a society (the Internet) that is global, but with other countries passing similar laws and coordinating with each other, this could be a step in the right direction. However, in order to make these laws effective, gross violators have to be pursued vigorously and the penalties need to be significant, and tracking violators down as they move their processing from country to country makes this a difficult process.
In conclusion, based on my actual reading of the Act and not the media’s fragmented snapshots, I actually support this Act as a whole. I agree that this Act has some weaknesses (including leaving a lot of responsibility on the recipient to provide the proof and history in the event of violations) and am displeased that it doesn’t go as far as making all unsolicited commercial email illegal, but from a commercial standpoint I can understand why they wouldn’t go that far, and that is something that I believe can still be handled by the Internet society as a whole without government intervention. Do I think this Act alone will have a significant effect on stopping spam? Not really. But combine it with existing and future spam fighting techniques, and I do believe it can help.
I am interested in others’ opinions on this Act, too, so if you have one, please leave a comment.