We have come a long way since we believed that the Internet could police itself.
In Lagos, the system administrator of a Nigerian Internet service provider shook his head with wonder as his visitor complained about all the “Nigerian scam” e-mails going around. “Who could be fool by dis ting?” he said. Well, a lot of people, apparently. The scam, called “the 419” after the section of the Nigerian criminal code that outlaws it, has been around for more than 30 years, first as snail mail, then as e-mail and now as spam. I get between two and a dozen 419s every day. The scam offers unimaginable wealth for those willing to pony up several thousand dollars to establish a money-laundering operation. There is, of course, no money to launder, and those who take the bait never see their own money again.
Like a lot of people in his country, the Nigerian SysAdmin wonders how supposedly sophisticated Americans could possibly be ensnared by a stunt so obviously silly that no Nigerian would ever fall for it. And so his position is that it’s a caveat-emptor world, in which it is not up to him to stop the scam — it’s up to everyone else to ignore it.
Yet such a cavalier attitude doesn’t work; if it did, the 419 would have died of sheer neglect a long time ago. It has instead proved to be remarkably durable, and reacting to it with bemused detachment is proving to be a defeatist response. A lot of people have taken this attitude, saying all you have to do is ignore scams such as this — as well as all the other kinds of spam out there — and hit the delete button: What’s the big deal?
The deal has become very big. A recent European study on spam calculated the cost of deleting and cleaning up after spam at $9 billion US a year. Administrators of many corporate networks are installing filters to stem the flood to speed up their systems and to protect employees, who would have to spend too much company time sorting through their inboxes with one finger on the delete key. And on a personal level, budget-conscious people with dial-up connections to the Internet find themselves resentful as they pay to download an enormous amount of it.
Though a lot of spam is merely offensive, much of it, like the 419, either borders on criminal activity (unguents and potions to improve sex lives, or offers of child pornography), or offers it outright (promoting pyramid selling schemes and no-risk money-making investments). Much more of it is best described as deceptive advertising, such as miracle diets and the benefits of human growth hormone, which is also illegal.
A working paper passed around in January by Industry Canada, a federal department with a strong interest in the Internet, says that as much as 30 per cent of the 31 billion e-mail messages that flew around the world in 2002 were spam, up from 10 per cent two years earlier.
The timing is critical: 1999 was the height of Internet frenzy, when the popular libertarian belief held that government could serve the Internet best by leaving it alone. On a practical level, Industry Canada — like many government agencies in Canada and the United States — developed a hands-off policy in the belief that existing laws against consumer fraud, invasion of privacy and criminal activities would be enough weaponry to use against spammers.
It was a dreamy idea, and one that was, alas, totally ignored by the spammers. As was the toughest part of a new Canadian law, which sought to mete out a 10-year prison sentence for anyone convicted of endangering public safety as a result of interfering with computer systems. Still, the spammers increased their activities, and not one spammer has ever faced charges under the act, much less done time in the hoosegow.
Spammers also ignored another law, which came into effect on Jan. 1, 2001, called the Personal Information Protection and Electronic Documents Act. That law declared e-mail addresses to be personal information, and anyone misusing them would be violating the privacy provisions of the act.
These meant nothing to U.S.-based spammers, of course, who argue they are protected by their constitutional guarantee of freedom of expression, even when their activities occur in countries that do not subscribe to the U.S. Constitution; besides, those spammers never read Canadian newspapers anyway, and live in blissful ignorance of a foreign country’s legal structures. Moreover, many spammers use offshore servers, most of them in the Orient, where lackadaisical legislation and erratic policing add another layer of apparent security.
The row over spam has been most uncomfortable for one professional group: the direct-mail marketing industry. Most of them do legitimate (if annoying) business by stuffing your mailbox with advertising flyers. But they are very careful about how much they send out and who gets their ads, and have elaborate mechanisms to accommodate people who take great offence at junk mail, measures not shared by their e-mail counterparts. The direct-mail people carefully and painstakingly collect and maintain their lists of addresses. Spammers, however, either buy their lists from other spammers or collect them willy-nilly from software “spiders” that roam the Net and hoover up anything resembling an e-mail address.
By buying their lists from others, even those who collected the e-mail addresses legitimately, spammers are increasingly facing legal process for breaking the contractual obligation the original merchants struck with their customers; even if the customers had “opted in” to receive e-mail from third-party advertisers, they certainly had not agreed to have their e-mail addresses sold to spammers. This is a difficult charge to prosecute, however, and moreover the penalties are too small to make a spammer think twice.
Those who automate the collection of e-mail addresses, in the meantime, don’t even try to maintain this veneer of respectability. “The animosity between legitimate marketers and spammers is escalating, made increasingly worse by the fact that the legitimate direct-mail industry thinks of itself as successful with a response rate between one and two per cent, while e-mail spam has a response rate of one-tenth of one per cent.”
Legitimate junk-mail businesses, already in a cutthroat industry, are now getting their images tarnished even more by e-mail spam, which raises the negative reaction to the level of hysteria. “Insultingly, the direct-mail industry is being held hostage by a very small army. Spamhaus.org estimates that 90 per cent of all the spam on the Internet can be traced to 100 people.”
It’s clear that existing laws are not really doing the trick, and that more are required. And indeed there have been a few encouraging cases recently which may not lower our spam intake, but which do make us feel like something is being done.
In New York in January, a spam house called Monsterhut.com was convicted of sending 500 million e-mails to people who did not solicit them. Ah, but the customers had, indeed, asked for them, Monsterhut.com countered, arguing that it had bought the e-mail addresses in question from legitimate companies; those companies had originally asked their customers for permission to send advertising from third-party organizations. New York State Supreme Court Judge Lottie Wilkins decided that such a “permission-based” agreement did not, in fact, conform to any known industry “opt-in” protocols, and ruled in favour of the 750,000 computer users who had complained.
And in December, America Online was awarded $7 million US against CN Productions and its notorious owner, Jay Nelson, who had spammed AOL subscribers. Nelson had ignored a 1999 court injunction to stop targeting AOL with spam, but then fell afoul of a Virginia law which stated that anyone who ignored the injunction had to pay $25,000 for each day of sending junk mail in violation of the rule.
At the time, CN Productions had been accused of sending nearly a billion e-mail advertisements promoting adult websites, and of forging return e-mail addresses that made it appear that AOL itself had sent the ads. The junk e-mail piled up between 1999 and 2001, and AOL argued that it had generated as much as $8-million in illegal gains, the figure Judge Wilkins used in her decision.
AOL has dropped the gloves in this confrontation. The company has filed more than 20 anti-spam lawsuits with more than 100 defendants over the years, and heavily promoted its own spam-filtering technology. That technology allows users to report spam to AOL at the click of a button; as a result, AOL’s filters have cut down the spam flood by 20 per cent, a huge number in absolute terms, but in reality, AOL’s individual subscribers have hardly noticed the difference.
Anti-spam technology has developed remarkably over the past couple of years, in direct response to the increased efforts of the spammers. Some have created PC-based anti-spam filters, and some have products that sit on an Internet service provider’s servers, filtering spam before it even gets into the system.
Unfortunately, the filters don’t seem to be able to stop more than about a fifth of the spam, the same amount that AOL spent millions to stop. The rest slips through as a result of the cagey and sharp-witted efforts of spammers who are constantly looking for ways to get around whatever technology or legal process crops up to stop them.
I once found myself in the middle of such a porn-spam problem. Someone had put an e-mail address that I always monitor but almost never use as the return address in a series of three different mailings promoting porn sites. It came to my attention when I started receiving automated notices from mail servers warning me that certain e-mail addresses were not valid, and included the original spam.
I checked into it, and discovered that of the three different mailings, two were for one site and one for another, but both were subdirectories of a larger, slicker commercial porn website. Large outfits, I learned, can get sizeable incomes from small-time porn operators renting these subdirectories to them, and the small-timers in turn seek to draw customers by contracting with a spammer to put the word out.
The spammer cobbles together as many e-mail advertisements as the customer demands, and sends out the (almost illiterate) ads to millions of recipients, with a fake return e-mail address. In this case, mine: I received close to 3,000 notices from mail servers about non-functioning e-mail addresses, which made me wonder how many actually reached their intended recipients.
In this system, spam recipients have become savvy enough to complain to the service providers who host the small-time operators, and the more offensive sites are almost immediately shut down. And so the rip-offs become circular: The slick porn site gets up-front cash renting sub-directory space to would-be pornographers who want to get rich quick, and the spammers get up-front cash for the services they sell to the same putative pornographers. But when a service provider, under pressure from spam victims, shuts the sub-directory sites down, the small-time operators are out of pocket. It seems like poetic justice, but the supply of get-rich-quick artists waiting to be fleeced for their own sleaze seems to be as endless as the spam they send out.
This is simple churn in the world of pornography, and although it may appear to be a self-policing system, it is closer to chaos. It’s the dog-eat-dog world in which smut peddlers discover the Darwinian theories as they apply to weak pornographers, leaving all the marbles to the meanest and toughest operators.
And it will continue to eat its young until something stops it. Increasingly, we are concluding that the only way to do it is through the legislative process, even draconian laws — anything to stem the flood of unwanted, unsolicited and offensive e-mail piling up in front of us and our children. And we’re even considering legislation using unprecedented cooperation among otherwise unfriendly nations.
It’s a dramatic reversal of attitude from 1999, when it seemed blindingly obvious that the Internet should be left to police itself. Could we really have believed that market forces, or the forces of reason, would stop online abuses such as spam? Could we really have believed that the moment the Internet became the wide-open marketplace we imagined it to be, that hawkers and snake-oil salesmen would not be attracted to it? How could we have been so naïve?
So our idealistic and romantic notions of the unfettered Internet have collapsed amid our own pathetic bleating for serious government intervention. Some governments have reacted. The European Union, which never subscribed to quixotic American notions of market forces in the first place, passed legislation recently requiring e-mail marketers to obtain recipients’ consent before sending messages. More than half of the U.S. states — 26 of them — have followed suit.
And now Industry Canada is carefully floating out its study paper outlining the options it is considering for drafting anti-spam legislation. It’s going to be interesting to see how it all works out. In the meantime, we should shed a tear for the passing of our innocent dreams.
