Law Won't Fix Spyware Problem

Ever get the feeling you’ve been cheated? If you thought the federal anti-spam law was going to lower the amount of spam in your inbox, you should be feeling that way right about now. Expect to feel cheated again if Congress moves similar legislation to outlaw spyware.

It has been more than a year since a federal law called Controlling the Assault of Non-Solicited Pornography and Marketing (search) (CAN-SPAM for short) went into effect. In that time, unsolicited e-mails have increased 50 to 60 percent. According to the New York Times, 80 percent of all e-mail sent is spam.

Apologists for the federal law say it will take a while to be effective. But the expiration date on this plea is drawing near. A credible law would have slowed spam immediately as people fearing punishment curbed their actions.

True, some successful cases have been brought against spammers. A Virginia spammer named Jeremy Jaynes received a nine-year sentence. But Jaynes was sentenced under Virginia law, not CAN-SPAM.

Lawsuits brought under the federal statute invariably have a variety of other claims appended to them, suggesting that existing law was up to the task when CAN-SPAM passed, even if tech attorneys were laggard in applying it.

Going forward, CAN-SPAM backers will seek harsher enforcement efforts from the Federal Trade Commission. Senator Conrad Burns, the law's chief sponsor, has been quoted saying, “I’ll be working to make sure the FTC utilizes the tools now in place to enforce the act and effectively stem the tide of this burden.”

Others want to add more laws to the existing regime. The Coalition Against Unsolicited Commercial Email holds out two lodestars for the spam problem: an opt-in policy and a private right of action. They think the law should require e-mails to be sent only based on permission and, if permission is not given, individuals should be able to sue.

Piling on more laws misses the lessons that are available, and that were available long ago. In 2001, technology writer Declan McCullagh noted that two of the five Internet service providers most complained about for allowing spam were offshore. Twenty-five of the 50 network administrators most sluggish in replying to spam complaints were also overseas. Predictably, domestic spam law has created a market for spam service providers who set up offshore to pour e-mail onto the Internet from beyond the reach of U.S. law.

The growth of zombie networks was less predictable, but not surprising. Spam service providers have exploited the thousands of computers left online and unsecured by their owners, turning them into a widely spread network of spamming machines.

The controllers of these networks are completely masked and will remain so as long as the Internet remains the open medium that it is today. Proposals to do away with this openness are abundant but they would kill the goose that laid the golden egg.

Though CAN-SPAM has failed, Congress is using it as a model for spyware control. “Spyware” is the name for software that is surreptitiously downloaded onto computers and that collects and transmits information without the knowledge of the user. Real spyware is a bad thing, though a variety of different software practices have been pushed under that loose heading.

As with spam, perpetrators of true spyware are, and will continue to be, beyond the reach of the law. More laws on either spam or spyware will be daggers thrust into thin air.

Would more law help? Before the federal law preempted it, Utah had a private right of action with statutory damages. The defendants were mostly deep-pocketed companies that tripped over details of the legislation rather than actual spammers.

What about more enforcement? Expect the focus of the Federal Trade Commission to drift toward collecting scalps. Small businesses that have not met the letter of the law are likely targets. The public often falls for this regulatory bait-and-switch, where enforcement actions substitute for real, beneficial results.

Anti-spyware legislation would be a similar legal minefield for software innovators. As currently styled, a federal anti-spyware law would make the Federal Trade Commission the national software regulatory authority. It would pull entrepreneurs out of their garages and send them into tall glass buildings to talk with their lawyers. Meanwhile, real spyware writers would operate much like spammers: offshore, out-of-reach, and unfazed.

The solutions for spam and spyware are in the technologies now being brought to bear and constantly under improvement. For spam: filters, sender verification, white-listing, and alternative platforms like Instant Messaging. A welter of anti-spyware tools is already available and more come online all the time.

Of course, technical and market-based solutions like these are never as satisfying as the promise of legislation. But they are real, and the promise of legislation is false.

Jim Harper is director of information policy studies at the Cato Institute.