NEW YORK -- California enacted into law Wednesday what might be the nation's toughest anti-spam measure, promising big penalties for those spammers. But past experience shows how difficult spammers are to catch -- even if they're breaking the law.
Currently, 35 states have anti-spam measures on the books, and Congress is debating eight different federal laws to address the problem. However, pursuing spammers to enforce existing laws has proven a difficult task.
Renard Francois, a staff attorney with the Federal Trade Commission, said the Commission had brought just 54 cases in two years. In one case, a mass e-mailer sent messages informing receivers they won a free Sony PlayStation from a Yahoo! sweepstakes -- but the link to redeem the prize actually took people to a pornographic Web site. The investigation took over a year, spanned two continents, and involved over a dozen shell companies. It took four months of daily investigative work just to find out the spammer's identity.
"We have found it's very time-consuming and expensive to find these spammers," Francois said at the DoubleClick Spam Summit on Wednesday. "Anonymity doesn't really bode well for a law enforcement officer."
In the end, the FTC filed a complaint in late March against a number of individuals for the scam. Francois is confident the FTC ended that particular spam ring, but doubted whether any damages would be collected. He said a yearlong case was considered typical at the FTC.
Sizeable monetary damages are rarely collected from the spammers, who for the most part have few assets, Francois said. For that reason, the attorney favors federal spam legislation giving the FTC more ammunition.
Legislation "needs to allow for civil penalties and some type of criminal penalty," Francois said.
Internet service providers report similar problems in their pursuit of spammers. Despite success in high-profile cases like the one that netted Buffalo Spammer Howard Carmack, EarthLink has run into trouble finding those it's suing. In late August, it announced lawsuits against 100 individuals it claims are responsible for using stolen credit cards to set up EarthLink accounts for spamming. However, all of the defendants were unnamed; the company said it would issue subpoenas to find their identity.
Mary Youngblood, EarthLink's abuse team manager, said the suits were having an effect, albeit a subtle one, by showing that ISPs would use their resources to punish spammers.
"They're first steps," she said. "We're trying to protect the industry. Some of the cases are more cut and dry than others."
EarthLink, AOL and MSN have all filed actions against major spammers, claiming their actions act as a deterrent to other spammers and wipe out a big chunk of spam. Yet the amount of spam continues to grow, according to monthly figures compiled by anti-spam company Brightmail. Francois doubted the notion sometimes heard that just 200 spammers are responsible for 90 percent of fraudulent spam.
"There's so many people -- almost anybody can become a spammer.... We haven't seen a Kaiser Soze of spam," he said, referring to the criminal mastermind character in the 1995 film, The Usual Suspects.
To get around this, California's new law allows for individuals and the state attorney general to sue advertisers as well. E-mail marketing industry officials have blasted the provision as unfair and likely to lead to a flurry of frivolous lawsuits.
"It ultimately, because it's so poorly written, is anti-business," said Bennie Smith, DoubleClick's chief privacy officer.
Smith said the proliferation of state laws has neither stopped nor slowed the amount of spam to or from those states.
"You could argues it's well-intentioned, but it's generally been ineffective," he said. "It's very difficult to regulate technology in a borderless environment."