The wave of disgust over unwanted, unsolicited, offensive and fraudulent e-mail is reaching a fever pitch in the United States as Congress faces pressure from consumer groups and state attorneys general to take a hard-line approach to curbing these annoyances. Americans' overwhelming response to the federal Do-Not-Call list earlier this summer has added fuel to the fire, giving Congress the incentive it needs to tackle an issue that creates just as much consumer anger and backlash as unsolicited telemarketing calls.
The ISP industry primarily is to blame. ISPs have failed to combat spam using a thoughtful and consistent approach that is born from an industry consensus. Instead, individual service providers have reacted irrationally to spam through fragmented and often draconian anti-spam policies. Such policies have left legitimate businesses and customers caught in the crossfire. Their policies have increased the cost of spam for the entire industry because backbone providers and ISPs are spending their valuable time and money resolving disputes and countering other ISPs' anti-spam efforts.
The irrational behavior of some ISPs is reflected in the fact that some providers simply block all e-mail from Asia as they attempt to stop a number of spam messages coming from that region. As one Asian resident complained, his e-mail has a one-in-five chance of reaching the United States. Most ISPs and their backbone providers have implemented strict acceptable use policies that block bulk e-mail after just one spam warning. Such practices have a dampening effect on businesses that need to use e-mail as a legitimate means to reach customers. For example, magazine publishers with e-mail-based publications are fending off spam complaints by the spouses of shared e-mail boxholders. As a result, such businesses are forced to become nomads, jumping from one service provider to another.
Other ISPs have implemented anti-spam solutions that require proper reverse name lookups to avoid tagging e-mail as spam. Proper reverse name lookup means the sender's e-mail address must match the reverse name lookup (i.e., the domain name) of the IP address identified in the e-mail's message headers. The problem is, most service providers do not, or cannot (in the case of name-based, shared Web hosting providers), provide accurate reverse name lookups. This creates a very unstable environment for legitimate e-mail that is falsely identified and filtered as spam, as well as e-mail incompatibility between service providers. The alternative is to close the doors of name-based, shared Web hosting providers and open up the other ISPs to customer poaching by their competitors.
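The filter described above can be modeled offline to show why shared hosting produces false positives. This is an added example, not code from the article or from any ISP; the function names are hypothetical, and the reverse-lookup table is constructed sample data (documentation IP ranges and example domains) standing in for live DNS PTR queries.

```python
# Added illustration: offline model of a "proper reverse name lookup" filter.
# PTR_RECORDS is constructed sample data, not real DNS.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.com",           # dedicated server, PTR set to the sender's domain
    "198.51.100.7": "shared12.hostco.example",  # name-based shared host: one PTR, many customers
    # 203.0.113.5 deliberately has no PTR record
}

def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[1].lower().rstrip(".")

def ptr_matches(domain, ptr_name):
    """True when the PTR name is the sender domain or a host under it."""
    ptr_name = ptr_name.lower().rstrip(".")
    # Compare on a label boundary so "ple.com" does not match "example.com".
    return ptr_name == domain or ptr_name.endswith("." + domain)

def classify(sender, connecting_ip, ptr_table=PTR_RECORDS):
    """Apply the strict policy: the reverse name must match the sender's domain."""
    ptr = ptr_table.get(connecting_ip)
    if ptr is None:
        return "spam: no reverse name"
    if ptr_matches(sender_domain(sender), ptr):
        return "accept"
    return "spam: reverse name mismatch"

def false_positive_rate(messages, ptr_table=PTR_RECORDS):
    """Fraction of known-legitimate messages the filter tags as spam."""
    flagged = [m for m in messages if classify(m[0], m[1], ptr_table) != "accept"]
    return len(flagged) / len(messages)

# Constructed sample: all four messages are legitimate mail.
LEGITIMATE = [
    ("news@example.com", "192.0.2.10"),          # dedicated IP
    ("owner@bakery.example", "198.51.100.7"),    # shared host customer
    ("info@florist.example", "198.51.100.7"),    # another customer, same IP
    ("sales@smallshop.example", "203.0.113.5"),  # provider publishes no PTR
]

if __name__ == "__main__":
    for sender, ip in LEGITIMATE:
        print(sender, ip, "->", classify(sender, ip))
    print("false-positive rate:", false_positive_rate(LEGITIMATE))
```

A single IP address carries one reverse name, so every customer domain on a name-based shared host fails the match regardless of what the hosting provider configures.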
In this ad hoc environment, it doesn't matter whether an accused spammer is guilty or not. Anyone can generate a spam complaint, and very rarely does the accused receive a fair hearing about whether the complaint is legitimate. Backbone providers usually lump spam complaints into one category regardless of whether the complaints are justified or not and rationalize backbone termination, or the threat thereof, simply based on the number of complaints received. Just about every ISP or Web hosting company has had to contend with inappropriate blacklisting and its devastating consequences when another ISP uses blacklists at the router level to the detriment of one or more of its customers.
The ISP industry must move swiftly and collectively to show that it can work together to effectively combat spam in a proactive way rather than implementing illogical reactionary policies that hurt legitimate users. The industry's unified voice and input into anti-spam legislation is needed now more than ever. Otherwise, ISPs face some devastating consequences. Congress now is considering 10 different federal spam-related bills (see story on page 62). All miss the mark in terms of providing solid safe-harbor provisions for ISPs and Web-hosting companies, nor do they account for the realities of transnational borders and ISP industry practices. If the ISP industry does not provide clear guidance to government bodies creating legislation, these untested and imprecise laws are sure to be litigated in the courts.
Consider the Anti-Spam Act of 2003 (H.R. 2515) introduced on June 18 by Rep. Heather Wilson (R-NM). This bill appears to have the most momentum in Congress and, if it becomes law, would require that all commercial e-mail be identified as such and include the sender's physical street address and an opt-out mechanism. The bill would prohibit e-mail with false or misleading message headers or misleading subject lines, and would make it illegal to send commercial e-mail to addresses generated by an automated dictionary attack. This proposed law, however, contains inadequate safe-harbor provisions for ISPs or Web hosting companies. In fact, the bill offers a cause of action to ISPs against spammers or other ISPs, and lacks clarification of key definitions such as "pattern or practice of violations" or "initiator." These vague references easily could be applied to a number of scenarios where ISPs find themselves the subject of a lawsuit. For example, could an ISP with 50,000 customers and an average of five spam violations a week be considered to show a pattern of violations? Suppose the same ISP provided some tools to facilitate legitimate bulk e-mailing?
In fact, none of the anti-spam legislation, proposed or actual, at the state and federal level takes into account that ISPs are in the unfortunate position of enforcing and responding to private or ISP-based causes of action. Most true spam contains forged headers, hides the sender and can be routed through anonymous servers or compromised relays. ISPs will be called to the task of proving, defending or validating actual senders, recipients, relays or forgeries. False positives are a lingering problem today between backbone providers and ISPs. Imagine applying false positives in a legal context with plaintiff attorneys who don't have a lawsuit without a U.S.-based defendant, and judges with little patience for the business practices of service providers. Moreover, most ISPs do not store e-mail logs because the heavy volume of e-mail that travels over their systems makes the logs extremely large and onerous, but the proposed legislation could force ISPs to maintain, store and archive e-mails for use in litigation or other defensive purposes.
Any federal legislation enacted also must trump the fragmented standards set by various state laws. Today, a service provider, such as my company, FatCow Web Hosting in New Mexico, can be sued in another state using the New Mexico Anti-Spam Statute, and that other state can be put into the position of interpreting New Mexico's law. This creates significant unpredictability for an ISP's ability to manage spam legislation requirements. As seen with state legislation, safe-harbor provisions for ISPs and Web hosting companies are not absolute. An inadvertent open relay, which occurs when an e-mail server processes an e-mail message where neither the sender nor the recipient is a local user, could result in a cause of action in Wyoming and a few other states.
Dialogue among ISPs and Web hosting companies must start now. Various ISPs, through their contrasting testimonies on Capitol Hill, already have given Congress the message that the industry is not unified on how best to combat spam. Suggestions have ranged from legal-only solutions at the federal level to technology-only solutions at the option of the industry and consumers.
The truth of the matter is, the best solution will be an appropriate mix of law and technology. From the legal perspective, only an international, multilateral treaty sponsored by the World Trade Organization (WTO) or the United Nations (UN) will do. This treaty should then be enforced and enacted by federal law. From the technology perspective, the federal government (perhaps through DARPA) should work on new technology standards that the industry can embrace, as well as fund research for commercial-based solutions that don't create incompatibilities within the network.
No governmental body can act across all borders of the Internet's international network. That's why the ISP industry must strongly advocate and lobby government leaders to fund research into a new and more-effective mail transport protocol (MTP). Simple Mail Transport Protocol (SMTP), originally designed for open, free and efficient e-mail communications, no longer is a viable solution. SMTP was designed under the presumption that the burden of cost was equally shared among all participants, but the influx of spam now creates inequities in cost sharing. A new MTP that contemplates cost shifting while continuing to support the benefits of e-mail must be considered because it can address the Internet's diverse cultures, laws and costs.
The financial ATM network serves as an example of this capability. Although the network is proprietary, it was created with trust relationships in mind, enabling it to transfer trillions of dollars around the world without losing a penny. The concepts behind the ATM network could shed light on what a new MTP might look like: A network system that supports e-mail by properly allocating costs among the participants in proportion to their use and benefit, without regard for borders or cultures.
Neither the public nor the government fully understands or appreciates the challenges facing ISPs. It's up to the Internet industry to define common approaches to dealing with spam, lobby for more effective legislation and facilitate new technical solutions that effectively combat spam, such as the creation of a new MTP. Without this collective voice and effort from the industry, service providers and Web hosting companies could face mounting lawsuits under legislation that will largely be ineffective in combating spam.
Laurence S. Donahue, Esq. is COO and corporate counsel for FatCow Web Hosting. With about 17 years of Internet development expertise for Fortune 500 companies, he is an Illinois-registered patent attorney specializing in intellectual property, contracts and Internet law.