Written
Comments:
|
Comments
for Consumer Privacy 1997 - P954807
Submitted by Ray Everett-Church
Introductory Statement:
"Guerrilla Warfare: A System Administrator's Perspective on
Unsolicited Commercial E-Mail"
This document contains my written comments addressing several of the specific
questions posed in your Invitation to Comment for Sessions Two and Three as
part of your Workshop on Consumer Information Privacy. Before addressing the
specific questions posed by the Commission, I would like to briefly introduce
myself and provide a brief overview of the unsolicited commercial e-mail problem.
In presenting these comments, I wish to help the Commission see life from
the perspective of those technology professionals whose roles as Internet
systems administrators put them at the forefront of the unsolicited commercial
e-mail (UCE) issue. As a computer consultant and law student, I have been
extremely active for several years in the legal and technical issues involving
Internet abuse, particularly unsolicited commercial postings on USENET newsgroups
("Spam") and UCE. While I do not seek to represent the interests
of any one particular organization before the Commission, I offer my perspective
as one who has worked for several years as a consultant to the online services
industry dealing primarily with the issue of unauthorized use of e-mail for
commercial advertising. My most recent assignment has been as a contractor
for America Online's Postmaster Services Team participating in the development
and implementation of procedures for managing complaints regarding Spam and
UCE. I wish to note, however, that I submit these comments representing only
my own personal views as a technology professional; I do not seek and am not
authorized to represent the views of my past or present clients.
In my individual capacity as a technology professional, I was recently requested
by the New York State Attorney General's office to supply evidence and an
affidavit in their current prosecution of Kevin Lipsitz, alleging fraud in
a magazine subscription scheme advertised via unsolicited commercial e-mail.
As the operator of several Internet mailing lists that were targeted by Mr.
Lipsitz, my affidavit dealt specifically with the technical issues surrounding
e-mail forgery and network address spoofing.
I wish to share with the Commission a different perspective from the usual
variety of advocates you're likely to hear from on this issue. The perspective
I seek to present is that of one who is regularly faced with both the technological
and functional problems caused by the proliferation of UCE. I believe it is
very important for the Commission to understand the techniques employed by
UCE purveyors, and the variety of damage done. I also wish to share with the
Commission my knowledge of the "self-help" techniques employed by
hundreds of system administrators and network technologists to protect their
resources from damage caused by UCE.
Too often, the problem of UCE is characterized as merely a conflict pitting
entrepreneurs engaged in legitimate business versus nerdish "computer
geeks" zealously protecting their private playground in Cyberspace. This
is a dangerously myopic view that clouds real issues of theft, fraud, deception,
unfair trade issues such as false designation of origin and trademark infringement,
and other impediments to consumer access to trustworthy information. The world
of Internet e-mail is a realm of guerrilla warfare where technology professionals
like me deal on a daily basis with generators of unsolicited e-mail who:
- Use
UCE software incorporating "hacker" techniques to gain unauthorized
access to mail servers for sending their e-mail;
- Falsify
the "sender" information on e-mail, causing damage to computer
systems when massive amounts of undeliverable e-mail are unable to be
returned to the "sender";
- Damage
the reputation of the organizations identified as the source of unsolicited
mail;
- Defraud
Internet service providers by obtaining service with the intent to violate
the provider's usage contract, often defrauding the same providers numerous
times by providing false names and billing data in order to open new accounts
after previous accounts have been terminated; and
- Create
elaborate software packages to conceal e-mail origins and automated mail
processors to avoid detection and to wreak vengeance on those who dare
to complain.
As
one who regularly participates in a wide variety of online discussion groups
dedicated to coping with the ever-growing onslaught of UCE, this comment presents
a variety of problems experienced by system administrators. Those problems
are the underlying basis for my primary argument: severe restrictions on UCE
an appropriate and timely consideration for the Commission.
It may come as a surprise to those who are not skilled in Internet usage,
but simplicity is at the core of the Internet. In the world of computing,
information is distilled down to individual bits of data and computer programs
are comprised of little more than a few dozen simple instructions chained
together in different ways to process that data. Internet protocols are similarly
simplistic in order to facilitate interoperability between different types
of machines and in order to increase efficiency in transmitting or processing
the data stream. With this simplicity comes the opportunity for abuse. Unfortunately,
in order to make inherently simple systems less prone to abuse, they become
less simple and less efficient. Therefore, in order to maintain optimal functioning
of computers and networks, less complicated solutions are preferred.
Bearing in mind the desire to maintain simplicity, the key to solving the
problem presented by UCE is two-fold. First, regulators should assure that
the law adequately discourages the elements of the UCE marketplace that are
based on fraud and deception against service providers and consumers. Second,
consumers and system administrators should have adequate remedies under law
to avoid being forced to bear the costs which UCE purveyors displace onto
them.
Many in the anti-abuse community believe that the solution to the problems
posed by UCE can be found in modifying the ban on unsolicited facsimile ("fax")
transmissions (see 47 USC 227 and 47 CFR § 64.1200) to include UCE. I
believe very strongly that this simple modification would eliminate the cost
shifting problem inherent in UCE. By outlawing the practice and giving victims
a direct cause of action, unsolicited facsimiles are very rare. In fact, it
is informative to note that one of the most successful UCE purveyors on the
scene today began his career in the unsolicited facsimile business immediately
prior to the ban. While fax technology and e-mail technology are very different,
the problem of cost-shifting which Congress recognized in the unsolicited
faxing is even greater in the area of unsolicited e-mailing.
While such modifications to the telecommunications statutes may be beyond
the scope of the FTC's jurisdiction, the Commission has a recognized expertise
in prosecuting trade practices which cause harm to consumers, unfairly shift
costs to innocent parties, inflict damages upon legitimate businesses, and
perpetuate fraudulent activities. All of these evils are present in the current
UCE marketplace.
It is my sincerest desire that the Commission will review the attached Comments
and agree that a ban on the techniques of unsolicited e-mailing is the most
simple and effective solution. The Commission would not be alone in this consideration;
several state legislatures, including Ohio, Connecticut, New York, and Nevada,
are currently considering bans on UCE within their states. However, give the
interstate nature of most Internet UCE transmissions, such state-by-state
approaches may not prove very effective. I hope the Commission will take this
opportunity to assess the damage to consumers and to the Internet marketplace
caused by the proliferation of UCE and endorse a complete ban on the practice.
Respectfully submitted,
/s/
Ray Everett-Church
Attached: Comments in Response to Session Two Questions 2.16, 2.17, 2.18,
2.19, 2.20 and Session Three Questions 3.16, 3.17, 3.18, and 3.19.
2.16
How widespread is the practice of sending unsolicited commercial e-mail? Are
privacy or other consumer interests implicated by this practice? What are
the sources of e-mail addresses used for this purpose?
Exact statistics in the world of unsolicited commercial e-mail (UCE) are difficult
to come by because it can be transmitted from virtually any Internet connection
to thousands of destinations all over the globe. Both UCE and legitimate e-mail
are processed by mail servers in exactly the same manner and it would take
a detailed item-by-item search through voluminous mail server transmission
logs from all of the receiving sites in order to determine accurate numbers.
In this area, however, it is instructive to look at the claims made by UCE
"professionals."
Many
UCE purveyors claim to have lists of over 10 million addresses, and some sell
software for collecting e-mail addresses, claiming to add thousands to your
database in a matter of an hour. Others sell UCE software packages and claim
that the average user can mail upwards of 150,000 e-mails per hour over a
28.8 kbps modem. Preliminary data from a study by system administrator Michael
Rathbun indicated that UCE amounts are growing every day. Mr. Rathbun's experiment
involved replicating the actions of a typical consumer to determine how much
UCE an average consumer might receive. He established an account with America
Online, through which he obtained a total of five e-mail addresses.
Over the course of five weeks in March and April 1997, Mr. Rathbun studied
the flow of mail into these test mailboxes. His full reports, originally posted
to the SPAM-L mailing list, are attached as Exhibit
1, however a brief summary of his data for a five week period indicated:
- Week
One: His five "screen names" accumulated a total of 49 pieces
of UCE and zero legitimate e-mail, requiring almost 10 minutes of online
time to download.
- Week
Two: His addresses accumulated 62 pieces of UCE and zero legitimate e
mail. (Total UCE received for two weeks: 111)
- Week
Three: His addresses accumulated 88 pieces of UCE and zero legitimate
e mail. (Total UCE received for three weeks: 199)
- Week
Four: His addresses accumulated a total of 102 pieces of UCE and one (1)
legitimate e-mail. (Total UCE received for four weeks: 301)
- Week
Five: His addresses accumulated a total of 63 pieces of UBE and one (1)
partially legitimate e-mail. (Total UCE received for five weeks: 364)
There
are many ways that distributors of UCE obtain their lists of e-mail addresses.
They may (1) obtain a list of addresses from one who collects and sells such
lists, or (2) they may "harvest" addresses from a variety of online
locations including capturing them from online service chat rooms, copying
them from postings to USENET and other varieties of online discussion groups,
and conducting random searches of online service Member Directories. Several
enterprising individuals market specialized programs that will accomplish
these tasks for people who wish to go into the UCE list-making business for
themselves. By their very nature, these lists are collected without the permission
of the addressees. Moreover, despite claims that such lists are "targeted"
to those with particular interests, when e-mail addresses are gathered in
a haphazard fashion by simple automated collection programs, there is little
to support such claims.
Exhibit 2 is an example of an advertisement
for a software program called "Floodgate," which claims to offer
the means of gathering e-mail addresses from the major online services and
directly from the Internet. As the manufacturer of Floodgate advertises, addresses
are gathered from:
- "1.
Compuserve Classifieds: Send your marketing letter to everyone who is
running a classified ad. I'll teach you how to download all of the classifieds
from any single ad category. This is one of the most responsive list of
buyers. . . .
"2. America Online Classifieds: Download 2,500 addresses in 15 minutes.
These are excellent lists of business-to-business sales.
"3. Compuserve Forums: You can join a forum and download hundreds
of forum messages in a matter of minutes.
"4. America Online Forums: Choose from dozens of forums. All good
targeted lists.
"5. Prodigy Forums: Prodigy allows you to easily export any group
of forum messages. More targeted lists.
"6. Internet Newsgroups: These are all targeted lists. You'll be
able to send your marketing letter to everyone who posts a message in
any newsgroup. Easily collect 1,000's of addresses an hour.
"7. America Online Member Directory: Most member directories only
allow you to search by city and state, with AOL, you can search by business
type, hobbies, computer type, etc. This is the gem of all member directories.
Build huge targeted lists.
"8. Compuserve Member Directory: This is a major resource. If you're
willing to target your mailing to a single city, you can collect about
1,000 e-mail addresses an hour.
"9. Delphi Member Directory: The Delphi Member Directory allows you
to search for people based on key words. These are good targeted mailing
lists. A single search can easily generate 5,000 addresses.
"10. Genie Member Directory: Similar to the Compuserve Member Directory,
only you can download names much quicker. You can easily pull hundreds
of thousands of addresses out of each of these member directories. . .
."
It should be noted that "harvesting" e-mail addresses in this way
is a violation of the Terms of Service of most of the online services named
above. For example, America Online's "Rules of the Road" §
(C)(iii)(g) states:
- Advertising,
Solicitation and Name Harvesting. Unless you obtain express permission
from the Member in advance, you may not use AOL to send unsolicited advertising,
promotional material or other forms of solicitation to another Member
except in areas designated for such a purpose (e.g., the classified area).
You may not use AOL to collect or "harvest" screen names
of other Members without the express prior permission of the Member. .
. . (emphasis added)
Unfortunately,
while the use of programs like Floodgate may be prohibited by an online service's
user agreement, enforcing such provisions is extremely difficult because such
programs exploit many of the features of online services that make them so
popular to the public. Floodgate, for example, operates along side your online
service's software and captures e-mail addresses anywhere they appear on your
screen. It also provides "scripts" which automatically activate
the online service's software, mimicking the steps a normal user would perform
in, for example, searching for a friend's e-mail address in a Member Directory.
However, this script can perform these searches hundreds of times, substituting
any number of search parameters in order to broaden the variety of names captured
and then automatically dumps each address into its database files. These programs
can also cruise automatically through message boards, file libraries, and
move sequentially through every online chat room, snatching every available
address it finds.
"Harvesting" programs of this type are specifically designed to
assist individuals in violating their contract with online service providers.
They capitalize on the most popular features of online service, the features
most utilized by consumers, and use the consumers' participation in those
online activities against them. Although these programs are banned by many
online services, enforcement is nearly impossible. This is because, from the
online service's end of the connection, it is impossible to tell whether there
is a real person looking for messages or chat rooms of interest, or if it
is one of these automated programs -- from the online service's perspective,
the activity on their machines appears virtually identical. Consequently,
the only truly effective means for an online service to control this method
of collecting user e-mail addresses is to disable such features -- denying
legitimate users access to these popular features.
Because
the use of such programs is difficult or impossible to detect by the online
service provider, I believe that software designed to facilitate this harvesting
should be outlawed. Such restrictions would not impair the ability of online
marketers to gather lists of e-mail addresses, however it would restrict them
to collecting addresses using methods that would not breach online service
agreements. It would also encourage UCE marketers to seek methods of attracting
consumers into affirmatively requesting addition to their marketing lists,
rather than being added without permission and forced to bear the costs of
receiving UCE.
Restricting such harvesting programs would also reduce the incentive for dedicated
UCE generators to open online service accounts with the intention to breach
their contractual agreement with that service. For example, in instances where
breaches of the service agreement are discovered, the abuser's account is
typically terminated. However, the need for new e-mail addresses drives dedicated
UCE mailers to obtain new accounts with those online services, often using
fraudulent subscription information to avoid their applications being intercepted
and denied. By banning the use of such harvesting programs, there would be
reduced incentive to defraud online services and a reduced incentive to breach
the usage contract. Online marketers would still be able to collect e-mail
addresses, however they would be forced to employ methods which do not involve
fraud or breaches of contract.
It should be noted that there is a "new" program for harvesting
e-mail addresses that has recently been advertised by Cyber Promotions, a
leading purveyor of UCE lists and services. Exhibit
3 is an advertisement posted on the World Wide Web home page of Cyber
Promotions touting its "Web Collector" software which allows anyone
to "harvest fresh, targeted e-mail addresses right off the web."
Using this software, any e-mail address posted on a Web site may be harvested
and added to their UCE databases. As Cyber Promotions boasts:
-
- "The
significance of "Web Collector" is that it will provide you
with a brand new opportunity. For the first time, you can tap into an
*untapped* database of qualified email addresses right off the web! And,
no one can accuse you of "violating their privacy" because you
will be adding email addresses that are posted in a PUBLIC AREA! . . ."
The
problem with such a collection technique is that many business, schools, government
agencies, and public interest organizations provide staff contact lists, feedback
addresses, customer service and support addresses, and other information for
the benefit of consumers on their web sites. While businesses and organizations
provide these addresses for the convenience of their customers, a program
like Web Collector turns such attempts at added convenience into added liability.
For example, a company could find every member of its staff on UCE databases,
clogging the mailboxes designated for providing customer service and support.
If any e-mail address available on the Web is at risk for being added to UCE
lists, the incentive for companies to provide easy customer service may be
significantly reduced, to the detriment of all consumers. For those addresses
remaining, over time it will become more and more difficult to provide effective
service via those accounts. This will ultimately work to discourage businesses
from making themselves more accessible, resulting in less access to information
and services for consumers.
At least with a program like Web Collector, an individual might have a chance
of keeping their e-mail address out of UCE databases by not posting contact
information on their personal Web sites. In the case of harvesting programs
like Floodgate, users who may only have momentarily visited a chat room or
posted a request for help to a Customer Support message board may find themselves
wedged firmly on a UCE list with little or no understanding how they got there
-- until, perhaps, they receive a UCE advertising Floodgate.
According to many participants in UCE-related discussion groups on the Internet,
many people have abandoned their accounts with the major online services because
the rates of UCE received made their e-mail effectively unusable. For those
who haven't fled the online services, many report that they restrict their
online activities in order to avoid being captured and added to UCE lists.
Given the advertised tactics of UCE purveyors and confirmed by the evidence
of the Rathbun study, consumers' fears about participating in the online world
are fulfilled when they receive an e-mail announcing, "Our research indicates
that this information may be of interest to you." As the volume of UCE
grows, as indicated by the Rathbun research, consumers usage of information
technology may be severely chilled. When a consumer is constantly afraid to
use features of online services for fear that their name will be spread widely
among UCE mailers, their interests are definitely not served.
2.17
What are the risks and benefits, to both consumers and commercial entities,
of unsolicited commercial e-mail? What are consumers' perceptions, knowledge,
and expectations regarding the risks and benefits of unsolicited commercial
e mail?
To understand the risks and benefits to consumers, you must first understand
what is most often advertised via UCE. There are many places on the Internet
where copies of UCE are reposted by recipients and system administrators in
order to help notify the Internet community about where UCE is originating.
Surveying mailing lists like SPAM-L@EVA.DC.LSOFT.COM and USENET newsgroups
in the news.admin.net-abuse.* hierarchy, you will see that there are very
few reputable marketers using UCE to advertise goods and services. To the
contrary, the most commonly seen UCEs advertise:
- Chain
letters
- Pyramid
schemes (including Multilevel Marketing, or MLM)
- Other
"Get Rich Quick" or "Make Money Fast" (MMF) schemes
- Offers
of phone sex lines and ads for pornographic web sites
- Offers
of software for collecting e-mail addresses and sending UCE
- Offers
of bulk e-mailing services for sending UCE
- Stock
offerings for unknown start-up corporations
- Quack
health products and remedies
- Illegally
pirated software ("Warez")
Many who are engaged in the UCE business claim that large numbers of recipients
are enthusiastic about receiving their advertisements and claim that consumers
benefit from receiving the information contained in their UCE. The Federal
Trade Commission has a long and distinguished history of promoting the distribution
of trustworthy and accurate information in the marketplace. However, if there
is a benefit to consumers in being exposed to information about new products
and services in the marketplace, the types of offers indicated above are not
the sort usually encouraged by the Commission. Given the dubious nature of
much that is advertised via UCE, the dissemination of information of this
sort carries few benefits and tremendous risks.
Beyond
the recent computer/telephone phone sex fraud incidents recently uncovered
by the Commission, many consumers have been affected by less sophisticated
attempts to defraud them via UCE. For example, the New York State Attorney
General's office is currently prosecuting Kevin Lipsitz for an allegedly fraudulent
magazine subscription scheme which he advertised by UCE. I was asked by the
New York State Attorney General's office to provide an affidavit which discussed
the technical issues involving Mr. Lipsitz's attempts to evade the security
features of hundreds of academic discussion lists. For those mailing lists
whose security features were inadequate, his voluminous messages -- often
the equivalent of 8-10 pages of single spaced text -- were distributed to
the hundreds or thousands of discussion list subscribers. For example, on
numerous occasions each of his advertisements was sent to hundreds of mailing
lists at once, which then were redistributed by the list servers to every
subscriber of each list, clogging servers and mail systems all over the Internet.
One message became thousands, even hundreds of thousands of copies. The costs
of such episodes to consumers and organizations can be extremely high, as
will be discussed below in the comments for question 2.18. While the lists
I administer had been configured with adequate security precautions, a similar
magazine UCE of unknown origin was identified as contributing to the crash
of a mail server at George Washington University, where I attend law school.
The
risk to consumer perceptions from UCE can be substantial. A frequent feature
of UCE is a statement to the effect of: "Our research indicated that
this information might be of interest to you," or "Your name was
provided to us as one who might be interested in the following information."
For those unfamiliar with the processes of collecting UCE databases of e-mail
addresses, a natural assumption is that their online provider is providing
their confidential information to UCE mailers. For those who are especially
concerned with issues of online privacy, many recipients of these UCEs begin
to fear that someone is monitoring their online travels. In fact, I have seen
large numbers of users accuse the online services of revealing their private
billing information, monitoring their private online conversations, and screening
their e mail. While online services may endeavor to assure customers that
their privacy has not been violated by the company, such unpleasant episodes
heighten their suspicions and weakens their confidence in the security of
the online experience, which translates into a severe chilling effect on those
consumers.
2.18
What costs does unsolicited commercial e-mail impose on consumers or others?
Are there available means of avoiding or limiting such costs? If so, what
are they?
The costs imposed on consumers can be considerable, both directly and indirectly.
For those who subscribe to Internet service on a metered basis, the direct
cost of the online time spent reading and downloading those messages can be
significant. As noted in Exhibit 1, it took nearly 10 minutes to download
the 49 pieces Mr. Rathbun received in just one week. Even when services provide
unlimited access for a set price, many Internet Service Providers charge extra
for the storage of mail in excess of a certain quantity. Subscribers who have
to sort through large quantities of UCE looking for their personal mail find
this process extremely frustrating. Such mail, even if deleted by the consumer
before being read or downloaded, cannot be rejected by the consumer until
it as consumed resources and imposed costs on the receiving site. Obviously
for those users who have metered payment plans, the costs of storage and access
can accrue rapidly. However, even if the consumer has unlimited usage and
storage for a fixed price, the transmission and storage costs do not disappear.
They are instead borne by a host of people, including the receiving ISP, the
ISP from which the e-mail originated, every network service provider whose
bandwidth carried the mail, and any third-party relay points whose equipment
was used in the effort to disguise the point of origin.
Beyond
the direct hardware, software, and bandwidth resources consumed by UCE, other
costs to Internet Service Providers can also be quite substantial, including
frustration for other ISP customers whose service may suffer degradation due
to high UCE volumes. To understand the collateral costs to any Internet site
who receives UCE, you must first understand how UCE mailers most often operate.
According
to numerous reports on the USENET and on anti-abuse discussion forums, Mr.Kevin
Lipsitz (referenced in my comments to question 2.17) allegedly employed a
practice similar to that of many UCE mailer marketing campaigns. Many people
who generate UCE follow a pattern of creating numerous accounts with online
services such as America Online under fictitious names and with fraudulent
billing information. Using these "throw-away" accounts, they will
send massive amounts of UCE until the abuse is discovered and the account
is terminated. For the next installment in the UCE campaign, a new "throw-away"
account is opened with more fraudulent information and that one is used until
termination, and so forth.
In
May and June of 1996, Mr. Lipsitz carried on an extended campaign of UCE mailing
from nearly a dozen separate America Online accounts which were reportedly
opened using false names and billing information. As the UCE flowed from each
account systematically over the course of many weeks, academic discussion
lists became jammed with his UCE. A huge influx of complaints from these people
flooded into America Online's "Postmaster" mailbox, causing extreme
hardship for AOL staff and severe technical problems with the machines used
to store Postmaster mail. Angry recipients railed publicly against AOL across
the Internet and despite prompt action by AOL in terminating the accounts,
their reputation suffered.
Another
case involving damage to reputation resulted in an injunction against UCE
purveyor Cyber Promotions. In that case, Cyber Promotions had allegedly configured
their outgoing e-mail server to display the domain name and address information
of a CompuServe e mail server, causing recipients to believe that CompuServe
was the source of the UCE. CompuServe successfully obtained an injunction
against Cyber Promotions use of CompuServe's trademarks or addresses in the
sending of UCE.
One
of the methods that service providers and system administrators have employed
in order to defend against such systematic abuse is to trade information about
individuals and organizations involved in generating UCE. Discussion lists
like SPAM-L and a variety of USENET newsgroups allow system administrators
to share information about the names and tactics of UCE generators, and serve
as a form of "distant early warning" for ISPs who might unwittingly
give accounts to people with a track record of violating service agreements.
To
understand the scope of the UCE problem, one need only see the modest claims
of Cyber Promotions about their program called "Cyber-Bomber." As
shown in Exhibit 4,
Cyber Promotions claims their software allows anyone to:
- "SEND
OVER 150,000 E-MAILS AN HOUR WITH A 28.8 MODEM!
- YOUR
LOCAL DIALUP ACCOUNT WON'T BE SHUT OFF!
- YOUR
EMAIL CAMPAIGN WILL BE COMPLETELY LEGAL!"
"Cyber-Bomber"
is a particularly interesting example because the marketing material (the
text of which was also recently sent out by Cyber Promotions as a massive
UCE) makes it clear that their software enables UCE generators to deceive
recipients as to the true origins of the mail and to avoid detection of the
abuse by Internet Service Providers. This product, as Cyber Promotions claims,
introduces invalid information into the e-mail "headers" making
it difficult to locate the Internet Service Providers (ISP) through which
the user has connected.
These
programs conceal their user's location by corrupting e-mail "headers."
Every e-mail carries in its "header" information comparable to that
found on an envelope travelling via the U.S. Mail. The header contains the
address of the sender, the address of the recipient, a date and time stamp,
and a record of each server through which the mail passes. By purposely mangling
the routing information, the UCE sender can conceal where the mail originated
and avoid the cancellation of their ISP account, allowing them to violate
their service agreement with a reduced fear of discovery.
For
UCE generators, it is critical to avoid the detection of where they receive
their internet connection because most ISPs prohibit use of their systems
for the generation of UCE. (See AOL's "Rules of the Road" excerpt
in the comments for question 2.16.) ISPs restrict this activity because the
generation of such huge volumes of mail consume precious CPU time on their
mail servers and consume large amounts of expensive "bandwidth."
Bandwidth is the term for the amount of data capacity which a service provider
purchases from a larger "backbone" provider in order to connect
to the Internet. Because computers can only process a finite number of actions
per second, and because only a certain amount of data can be passed along
the bandwidth of an Internet connection, massive quantities of e-mail (either
outgoing or incoming) can severely disrupt an ISPs service to its other subscribers.
There
is another interesting aspect to Cyber Promotions' claims about Cyber-Bomber,
regarding the use of Cyber Promotions' own mail network in order to avoid
stealing the mail server resources of unwitting ISPs. The theft of mail server
resources is growing at an alarming rate. Of the 5-8 pieces of UCE which I
typically receive every day, the percentage passing through third-party relay
sites has gone from 50% to more than 80% in the last month. An example of
one of these is attached as Exhibit 5. This piece
of UCE was received on AOL and advertises the "STEALTH MASS MAILER,"
a product similar to Cyber-Bomber. This e-mail has extensively forged headers
which attempt to trick the reader into believing the mail originated at an
IP address that does not exist. The mail in this example was relayed via a
server belonging to CWIA.COM, in all likelihood without their permission.
Exhibit 6 is also an example of UCE being relayed
from a site in Japan. I was recently contacted by the administrator of the
site, explaining that their mail relay was indeed being abused. That e-mail
message is also included in Exhibit 6.
In
pitching the features of their Cyber-Bomber software, Cyber Promotions explains
in the materials attached as Exhibit
4 that:
- ".
. . bulk emailers discovered a new "trick". They realized that
many computers on the Internet could be used to relay their mail. Even
better, many of those relays did not identify the IP address of the origin's
computer.
- "But
this tactic went sour, too. . . . [T]he owners of many of these unwilling
relays quickly caught onto this tactic and reconfigured their computers
to reject relay connections. Furthermore, it was established in some precedent-setting
court cases (one of which Cyber Promotions was involved in) that sending
mail through an unwilling party's relay could be considered a trespass
of private property and could be actionable."
While
Cyber Promotions has discovered that theft of resources is actionable, their
Cyber Bomber program claims to allows users to avoid that crime but in doing
so conceals actions that may constitute a breach of a UCE mailers contract
with an ISP.
Many
Internet sites which use a particular server program called "sendmail"
have been able to reconfigure their machines to avoid being hijacked in this
way. However, a large number of innocent third-party sites are using mail
server software packages that do not allow the "relay" feature to
be easily turned off. Only the newest version of sendmail has adequate security
features to accomplish this and not every ISP is in a position to upgrade
their server's software to the more secure version. For example, some hardware
vendors will not provide support for new versions of that software, which
leaves some ISPs to either suffer the abuse or lose their factory support
by upgrading. This issue is discussed in more detail under question 2.19.
Cyber-Bomber
is extremely new on the market and its price is likely beyond the means of
many small-time, individual UCE mailers. Many of these individual mailers
use less expensive kinds of UCE software that are available on the market
despite their being much less sophisticated. These programs are referenced
in Exhibit 4 and allow UCE mailers to exploit any number of unwilling sites.
However, the vast majority of do-it-yourself UCE mailers use no special UCE
software, preferring to make do with free mail software packages which may
be obtained anywhere on Internet. In these older and more simplistic programs,
the UCE mailer cannot perform the complicated deceptions that are advertised
features of the specially designed UCE programs. Their attempts to disguise
their location usually amount to simply inserting false addresses in the outgoing
mail's "From" line.
This
practice is to a great extent even more problematic for services providers,
particularly those who have large subscriber bases and are consequently the
destination for a great percentage of any UCE campaign. To illustrate the
problems, the following is a scenario which is played out sometimes twice
or three times every week at many of the large internet service providers
and has even been at issue in recent litigation:
A
UCE mailer sends a large mailing to several million addresses. For purposes
of this example, let us estimate that approximately 1 million of the addresses
are for subscribers located at one large ISP. The UCE mailer's list is several
months old and contains a large number, say 20%, of e-mail addresses that
are no longer valid. In order to avoid being inundated with angry responses
from unwilling recipients, and in order to avoid being easily identified by
the offenders service provider, the mailer sends UCE with a bogus entry as
the "From" address, such as "nobody@nowhere.com." When
the million messages arrive at the ISP's mail server, 20% or 200,000 of them
are rejected as undeliverable-- a process called "bouncing."
Normally
when mail arrives from a real site bearing a valid return address, a delivery
problem would cause a simple return of the message back to the original sender.
However, when the mail server attempts to "bounce" the 200,000 messages
back to their origin, it searches in vain for "nowhere.com." Because
this is a fictitious address, the server cannot return the mail to its alleged
point of origin. When a server accepts a message with an address indicating
"nowhere.org," the server processes it as if it expects that "nowhere.org"
would be a valid site if a return bounce is called for. In the absence of
trickery, any error re-establishing contact with the origin site for mail
is a sign of severe networking problems. Consequently, the ISP's server reacts
as if a potential disaster has occurred and delivers the original message,
along with a report of the error, to the "Postmaster" of the ISP.
When the mail arrives for boxes that are no longer valid, the Postmaster of
the ISP suddenly finds herself with an additional 200,000 messages arriving
in her mailbox. As one might expect, such a flood of mail is more than enough
to overload a single computer and crash its hard drive.
More
than the issue of damaging a piece of hardware and inconveniencing the administrator
of the site, the Postmaster mailbox itself is of critical importance to the
functioning of the any Internet site. Internet protocols require that
every mail site not only accept all mail sent to "Postmaster" but
that such mail be read by a human administrator. This requirement assures
that there is one uniform e-mail address at every Internet site to which emergency
problems, errors, and other system-critical information can be routed for
quick action. If an ISP's Postmaster machine is out of service for even brief
periods this can have serious ramifications -- so serious that the failure
to maintain compliance with the Postmaster-related Internet protocols can
be grounds for termination of their connectivity from their upstream network
service provider.
For
many smaller ISPs, the problem may be compounded by the fact that Postmaster
mail is often routed into the same server that provides other system services,
such as a web, mail, or file transfer services. The crash of such a system,
in the absence of redundancies, can mean the irrevocable deletion of e-mail
and web files for all of an ISPs customers. The potential damage to the ISP,
both in terms of hardware and in business goodwill, as well as the loss of
time and business opportunities to an ISP's clients, can be enormous.
Unlike
abuse of relays which can sometimes be cured by implementing the newly secured
version of sendmail, the scenario just described is not easily avoidable.
The Postmaster mailbox must by definition bear the brunt of such abuse
because, as was alluded to above, bouncing mail can often be the sign of a
real problem with a network. There are other options for filtering which will
be described below in response to question 2.19, however these can place a
severe burden on the efficient function of an ISP's systems and can often
require significant financial investments by an ISP in both hardware and technical
expertise in defending against such attacks.
In
the case of mail bouncing into the Postmaster mailbox, however, the cheapest
avoider of the costs is the UCE mailer. By externalizing the effect of bouncing
mail onto the ISP, the UCE mailer profits at the expense of the ISP and their
clients. By using fake addresses, the UCE mailer perpetuates an inefficiency:
he has no incentive to "clean" his lists by removing dead addresses
or the addresses of recipients who do not wish to receive further mail. In
many examples of UCE, the mailer gives no valid address for contacting him
via e-mail, imposing additional costs in time and effort on unwilling recipients
to call the UCE mailer or contact them by other means. By shirking any responsibility
for the contents of the list, it is entirely possible that a UCE mailer could
continually mail massive quantities of UCE, the vast majority of which ends
up in only one mailbox -- the Postmaster's.
The
most effective means of curbing the high costs of UCE to consumers and service
providers is to prohibit the sending of UCE. This avoids the problem of shifting
costs away from the UCE mailer and onto the recipients and their service providers.
The problem with allowing the marketplace to govern the usage of UCE is that
the costs are distributed widely among ever increasing numbers of UCE recipients
(massive amounts of bouncing e-mail onto Postmasters notwithstanding). UCE
mailers depend on the diffusion of the costs among a wide base to avoid having
to be held to the consequences of their activities. As the cost is distributed
among a larger base, the transactional costs of organizing that diffuse population
into an effective campaign against UCE is quite substantial. As we have seen,
only when UCE purveyors are careless and costs are concentrated on one organization
(such as court cases like America Online v. Cyber Promotions and CompuServe
v. Cyber Promotions), can the costs be redirected back at the source of
the UCE. But as long as UCE mailers avoid situations such as those which have
been litigated, they may still profit at the expense of many hundreds, thousands,
and even millions of UCE recipients.
2.19
Are there technological developments that might serve the interests of consumers
who prefer not to receive unsolicited commercial e-mail? If so, please describe.
For those technologically-savvy Internet users operating from sophisticated
systems, the constant flood of UCE can still be extremely maddening, but with
experience and skill a significant amount of UCE can be filtered from one's
e-mail box. In the UNIX environment, users can employ programs like "procmail"
in conjunction with the UCE "early warning" information provided
on discussion groups like SPAM-L, to provide relatively effective filtering
of the most well known UCE sites.
For
the average Internet user who has an account with a local ISP, they may have
e-mail software like Pegasus, Eudora, or Claris Emailer, which contains sophisticated
filtering routines. Such filters allow knowledgeable users to route a substantial
amount of the UCE from previously known sites directly into their trash file.
Unfortunately, these software packages can only filter mail after it has already
been downloaded from the ISP's server over the traditional dial-up connection,
which means that the ISP has already been forced to store the UCE and the
consumer has already spent time and money downloading it.
Although
many UCE mailers claim to remove unwilling recipients from their databases,
this happens far fewer times than is advertised. In my own experience, the
vast majority (approaching 90%) of addresses to which you are requested to
respond are invalid. The reason those accounts are most often invalid is that
the flood of e-mail coming into those addresses usually alerts an ISP administrator
to the fact that the address is being used in conjunction with UCE and the
account is terminated. In those rare instances where a "remove"
request is even received and acknowledged, additional mail advertising the
identical products and services begins again after a brief respite -- often
because the same harvesting procedures which turned up that e-mail address
have been employed again, and the address has been added to the database once
again. Additionally, because many UCE purveyors resell their databases to
large numbers of independent mailers, "remove" requests sent to
one mailer have no bearing on the lists held by other mailers.
America
Online has led the online industry in empowering consumers with the ability
to block mail from established UCE sources. AOL's "PreferredMail"
effectively blocks all mail from any listed site (see Exhibit
7). PreferredMail is active by default on all AOL accounts, but may be
deactivated easily by the consumer. However it cannot block mail if the site
is not listed, making the domain forgeries and mail relay abuses an effect
means of avoiding PreferredMail. As is noted in Mr. Rathbun's study (see Exhibit
1), even during a one week period where he had PreferredMail activated on
his account, he still received 29 pieces of UCE. In a more recent example
from my own mailbox which is attached as Exhibit
8, PreferredMail failed to intercept UCE from a new Cyber-Bomber user.
As
discussed in my response to question 2.18, innocent third-party mail relays
may be able to avoid having their servers hijacked by UCE mailers. The most
popular mail server software is called "sendmail" and it is used
by the vast majority of Internet sites as the basis of their mail system.
The authors of sendmail recently released a revised version of sendmail which
incorporates significant new security measures in order to prevent such abuses.
Unfortunately most sites have not yet upgraded to this most recent version,
and indeed many hardware manufacturers do not even provide service or support
for the newer version. A perverse benefit of massive relay abuses is that
as sites discover their servers under attack, they are forced to upgrade and
implement the new security configurations. However, not all sites are able
to do this because upgrading and reconfiguring the mail server can sometimes
invalidate their support agreements with their hardware providers. In addition,
some of the security features have a significant impact on the performance
of their servers, reducing the overall speed and capacity of their machine
because of the processing time consumed when each incoming piece of e-mail
is compared against the list of filtered sites. For many sites, this filtering
may double or triple the time needed to process each piece of e-mail, making
it a substantial burden on high volume mail sites.
It
is also important to note that sendmail operates only on the UNIX-based operating
systems. While UNIX machines far outnumber Macintosh and IBM-based machines
for use as Internet mail servers, these other platforms are gaining marketshare
and the mail software currently available for them is not as easy to secure.
As
the anti-UCE community becomes more organized, system administrators and interested
individuals have developed a variety of venues for sharing information on
how to track and block UCE. Attached as Exhibit
9 is the "SPAM-L FAQ" (Frequently Asked Questions) which provides
basic information to anyone on how to track UCE to its source, how to lodge
complaints with ISPs who provide service to UCE mailers, and more.
As
§ 4.1 of the SPAM-L FAQ recommends, when UCE is received from a site,
recipients should file a complaint with the system administrator. ISPs who
have anti-abuse provisions in their service agreements will often invoke those
clauses and sanction the user. In some instances, system administrators are
uncooperative or the ISP may have a pro-abuse policy. In those cases, lodging
such complaints is not without its perils. For example, on March 25, 1997,
Cyber Promotions announced that it would introduce a software package called
"Hypocrite." According to their Web site:
-
- "Any
email flame containing profanities or sent from the same source more than
20 times in the same day will automatically redirect to the hypocrite's
postmaster, root, abuse, and UPSTREAM - along with a message that recommends
that the ISP take action against the offender! AND SINCE MANY FLAMERS
FORGE THEIR HEADERS, HYPOCRITE SOFTWARE WILL AUTOMATICALLY TRACEROUTE
BACK TO THEIR IP ADDRESS. The best part is that it will repeat itself
50 times per offending message! The flamers will finally get a taste of
their own medicine! Maybe their providers will now say, "Hey, your
account is TERMINATED with no prior notice!" This new software will
automatically be installed in all Cyber Promotions maintained autoresponders,
and will also soon be available for pop accounts on any system! Updates
will be posted here regularly! The software will be distributed free of
charge. This is Cyber Promotions' way of saying thank you for supporting
everyone's right to conduct business through email! Hypocrite software
may discourage the few nerds out there that believe the Internet is some
sort of sacred ground, where business is wrong, but where illegal interference
should run rampant."
This
notice was posted at 8:00 p.m. on March 25, 1997, on the Cyber Promotions
Web site but disappeared within just a few days. It is unknown whether the
threatened mailbombing of Postmaster and other administrative contact addresses
has actually been incorporated into their autoresponder service, however many
in the anti-abuse community believe that Cyber Promotions' lawyers may have
advised them to rescind that plan.
Many
of the major network service providers such as MCI and Sprint have explicit
anti abuse provisions in their service contracts with smaller ISPs and they
will often force those smaller providers to sanction the offending UCE mailer.
Unfortunately, other network service providers have policies which allow UCE
mailers to operate freely. For example, the service provider AGIS publicly
refuses to intervene in most abuse situations, including instances where forgeries
and relay abuses abound. In the case of AGIS, they also provide the network
connection for Cyber Promotions' Cyber-Bomber software. AGIS has received
many complaints about the problems caused by Cyber Promotions' use and sale
of UCE products, however AGIS's policy as stated in their e-mail responses
regarding UCE is that unless it can be proven that a law has been broken,
they will not take action against UCE purveyors.
As
§ 4.5 and 4.6 of the SPAM-L FAQ discuss, recalcitrant UCE sites can be
identified and system administrators may implement gateway-level blocking.
Such blocking is currently being widely discussed as a response to AGIS's
refusal to respond to abuse issues. Gateway-level blocking is also called
the "Internet Death Penalty" or IDP. It usually takes an extensive
and severe problem with UCE emanating from a site before an IDP is even considered
by system administrators. However the numbers of sites declared as "rogue"
and thus receiving IDP-style blocks is increasing. As noted in § 4.5
of the SPAM-L FAQ, IBM.NET was faced with an IDP for failure to deal expeditiously
with UCE abuses from its bandwidth. An IDP is highly effective because it
is so complete: when all traffic from a particular site is blocked at the
gateway, the router ignores every data packet from that site regardless of
the type of data being transmitted. No mail, no files, not even Web pages
from that site may be accessed.
The
reason this approach is often successful is precisely because of the inconvenience
imposed on the customers of the recalcitrant sites. From a consumer protection
perspective, such procedures are obviously distasteful, however IDP is an
incredibly successful means of bringing rogue sites into acceptable standards.
For many system administrators, when balancing the inconvenience of a few
hundred or a few thousand customers of a rogue site against the security of
their own resources, enlightened self-interest prevails. And eventually as
consumer pressure builds against the rogue site -- by the rogue site's own
customers -- these sites eventually conform to Internet protocols and generally
accepted behavior. Once the problems at the rogue site are eliminated, individual
sites switch off their blocking and full access can be restored.
IDP
is more of a bludgeon than a scalpel, however, and only works against UCE
sites who are large enough to have purchased dedicated Internet connections
via a network service provider. Neither IDPs nor many of the security measures
added to the recent upgrade of sendmail can handle UCE mailers who use the
"throw-away" account system, or who can successfully violate their
usage contracts by concealing their identity behind systems like Cyber-Bomber.
Until
a comprehensive ban on UCE is law, consumers who wish to be free from the
onslaught of UCE must train themselves in the online equivalent of guerrilla
warfare. Even then, such protections are only partially successful. Clever
system administrators may be able to locate and eliminate a number of the
fixed conduits of UCE, however as indicated above, those methods of self-help
are only partially successful at best and can come at significant cost to
consumers and providers.
As
stated in my response to question 2.18, system administrators are increasingly
being forced to expend extra efforts, and assume greater costs in defending
their systems. These are defensive costs incurred solely in an attempt to
avoid the costs that UCE purveyors attempt to shift to them. Unfortunately,
in attempting to avoid these costs, system administrators wind up bearing
yet more costs in their often futile attempt to shield their systems from
abuse -- a classic Catch-22. System administrator, like many technology professionals
involved in other aspects of Internet communications, are not eager to see
more governmental regulation of the communications industry. However, it is
well-settled that when the market fails to adequately regulate, the government
is most justified in stepping in.
As
can be seen in the unabashed claims of UCE software vendors, the growth trends
in UCE show few signs of slowing. It is true that a handful of court cases
are helping to define the egregious outer limits of behavior in the UCE industry,
but the continual diffusion of costs among all recipients and their service
providers makes consumer-driven litigation too difficult and expensive to
be relied upon as a realistic method of controlling the UCE marketplace. In
the absence of clear statutory or regulatory standards, UCE purveyors will
continue to push the limits of legality in their quest to extract profit at
the cost of consumers. Unless the victims of UCE are protected by law and
given a recognized cause of action, there will be no incentive for UCE mailers
to ever consider bearing their own costs. UCE mailers depend on an ever-widening
base of consumers upon whom they can spread their costs and they diffuse their
costs across a wider population in order to lessen the potential of being
held accountable for the costs and consequences of their activities.
The
handful of well-organized UCE purveyors, and the hundreds of small-time UCE
mailers have been very successful in large part because when they are able
to spread the costs among a larger base, the transactional costs involved
in UCE recipients recouping their losses become tremendously high. Only when
these costs become focused on one entity, as we have seen with the legal battles
waged by the major online service providers, is there the possibility for
a few victims to successfully recoup some portion of their losses. Unfortunately,
in today's absence of regulation, UCE databases swell and UCE mailers make
significant profits at the ultimate expense of consumers.
2.20
How many commercial entities have implemented the Principles for Unsolicited
Marketing E-mail presented at the June 1996 Workshop by the Direct Marketing
Association and the Interactive Services Association?
While
I do not have any figures regarding how many entities have implemented the
"Principles for Unsolicited Marketing E-mail," for the vast majority
of UCE generators, those principles are unknown or irrelevant. The proliferation
of do-it-yourself spam tools (Floodgate, Cyber-Bomber, etc.) makes it unlikely
that a newly experimenting UCE mailer will have even heard of the Direct Marketing
Association (DMA) much less have any incentive to adhere to their policies.
One of the largest UCE purveyors, Cyber Promotions, makes no mention of DMA
policies on their web site. In fact, their President Sanford Wallace openly
disagreed on many points with a DMA representative at a recent George Washington
University conference on UCE marketing techniques.
This
is not surprising, given the nature of the policies and practices of employed
by Cyber Promotions to evade attempts by system administrators to protect
their resources. Many of these practices, including deliberate forgery of
CompuServe server addresses (to make it appear that CompuServe was sending
Cyber Promotions' mail) have prompted network service providers to immediately
terminate services and earned Cyber Promotions injunctions in several courts.
Other practices have been the subject of numerous lawsuits.
Undoubtedly
because of these legal setbacks, Cyber Promotions has been indicating more
concern for legal liability. However this concern is not present among many
other vendors who market UCE programs or services. For example, the vendor
selling Stealth Mass Mailer (see Exhibit 5) touts
its ability to disguise the unauthorized use of resources, defending their
tactics by claiming that "unlimited service," in their opinion,
should include that practice as well. In fact, the marketing materials for
both Stealth and Cyber-Bomber compare and contrast their relative abilities
to breach anti-UCE provisions of ISP contracts while forging information in
order to prevent detection of the breach. As I understand the Principles for
Unsolicited Marketing E-mail, they do not condone such breaches of service
agreements nor do they endorse any theft of resources.
Consequently,
I have very little confidence that the DMA policies will have any effect on
the vast majority of the do-it-yourself, small-time UCE generators. Even if
a few large organizations agree to adhere to the DMA's policy, which to my
knowledge they have not done, these independent UCE mailers have no incentive
to follow such policies -- even as they generate volumes of UCE that rival
the large purveyors. As long as companies are allowed to market software which
facilitates the breach of service contracts, conceals or forges point-of-origin
data, or facilitates the unauthorized use of resources, the UCE problem will
continue to grow at the ultimate expense of consumers.
3.16
How widespread is the practice of sending children unsolicited commercial
e-mail? Are privacy or other consumer interests implicated by this practice?
What are the sources of e-mail addresses used for this purpose?
Given
the indiscriminate methods for collecting e-mail addresses discussed in my
response to question 2.16, it is highly likely that a significant number of
children's addresses can be found among those collected by UCE mailers. Just
as it is nearly impossible to get accurate figures on the actual amount of
UCE sent, it is similarly unlikely to determine the number of those addresses
which are used by children. Exhibit 1, the Rathbun
study, replicates the way a typical family might use an AOL account, with
several account created for the parents and the children, and indicates a
high volume of UCE to all of the different screen names.
3.17
What are the risks and benefits, to children, parents and commercial entities,
of unsolicited e-mail directed to children? What are parents' perceptions,
knowledge and expectations of the risks and benefits?
Incorporating
by reference my comments in response to question 2.17, the materials most
often advertised via UCE present a significant risk that children may fall
prey to the volumes of money making schemes and pornographic UCEs that are
continually reported on the anti-abuse discussion groups.
Many
parents have, in good faith, purchased Internet blocking software or activated
parental control features that are a part of many online services. Unfortunately,
many parents are not aware of the procedures employed by UCE purveyors and
may have a level of confidence in parental control features that may not be
entirely well-founded. Even though parents may believe that they have protected
their children from surfing onto questionable Internet sites, UCE may bring
that very same information directly into their personal e-mail. In my comments
on question 3.19, I go into some greater detail on the availability and inadequacies
of current blocking technology in the area of UCE.
The
over all question of UCE blocking is particularly difficult, as I discuss
in my response to question 2.19. The problem for parents is even more vexing
considering that despite their best efforts, UCE advertising pornography or
other questionable items may still get through.
3.18
What costs does unsolicited commercial e-mail directed to children impose
on children, parents, or others? Are there available means of avoiding or
limiting such costs? If so, what are they?
As
I described in my comments for question 2.18, UCE generates significant costs
to consumers, online services, and Internet Service Providers. While the economic
costs are most often visited upon the parents who are paying for the services,
rather than on the children, there may be psychological costs involved, about
which I am unqualified to speak. Certainly given the frequency of money making
and pyramid schemes advertised via UCE, older children who may have access
to money may fall prey. While it is possible that losing one's allowance money
in an illegal Ponzi scheme may be a good lesson for children to learn, there
are better ways to teach children than via UCE and more appropriate instructors
that UCE mailers who use trickery and deceit to distribute their "informative"
mailings.
An
extremely effective means of avoiding costs to parents, children, and to Internet
providers is to ban the practice of harvesting e-mail addresses in an indiscriminate
manner and to prohibit the distribution of UCE. I discuss these suggestions
further in my responses to questions 2.16, 2.18, and 2.19.
3.19
Are there technological developments that might serve the interests of parents
who prefer that their children not receive unsolicited commercial e-mail?
Significant
advances have been made in developing robust screening and filtering software
for use by parents in protecting children from questionable material on the
Internet. Programs like "CyberSitter," "SurfWatch," and
"Net Nanny" provide protection against problematic Internet Web
sites. The major online services also have added the ability for parents to
restrict their children's access to areas of their service which might not
be suitable. Unfortunately, even for those children whose parents have engaged
filtering devices or activated access restrictions such as AOL's "Parental
Controls," such censoring devices are mostly designed to restrict children's
exploration. However, children don't go looking for UCE -- it comes looking
for them. UCE advertising moneymaking schemes, pornography, or other questionable
subjects may still get through.
On
America Online it is possible for parents to completely shut off all e-mail
access, but many parents may not choose to do that and will rely on something
like PreferredMail to prevent unwanted e-mail. However, the pornographic UCE
mailers in particular have gone to extreme lengths to avoid blocking. For
example, more than a dozen of the domains blocked by AOL's PreferredMail filters
have been used by one particular pornographic vendor in Nevada to avoid blocking
software and evade PreferredMail filtering. Each time one of their domains
was blocked, they obtained a new domain name and resumed their UCE mailing.
This particular vendor has obtained more than a dozen different domain names
in order to keep mailing. The difficulty in blocking such persistent UCE mailers
is that experience has shown they are willing and able to obtain new IP addresses
and new domain names on a virtually a daily basis -- sometimes mailing from
two entirely new sites in a single day.
Given
the difficulty in blocking a moving target, UCE from people determined to
evade blocking technology is nearly impossible to control unless UCE of all
varieties is restricted. As stated in my response to question 2.19, a prohibition
avoids the problem of UCE mailers shifting costs away from themselves and
onto children, parents, and service providers. The difficultly in leaving
UCE to be controlled by the marketplace is that there are few incentives for
UCE mailers to ever bear their own costs. And as we see in the case of some
pornographic UCE mailers, the costs of filtering may ultimately be futile.
**** END OF DOCUMENT ****
Last update:
04/29/03
|
|