Establishing Digital Trust: Don't Sacrifice Security for Convenience
The U.S. House of Representatives approved Congress' final version of the Can Spam Act of 2003 Monday, sending the landmark anti-spam legislation to the White House for President Bush's promised signature.
The bill establishes the first national standards for the sending of commercial e-mail and charges the Federal Trade Commission (FTC) with enforcing the Act. The FTC is required to report back to Congress within two years on the effectiveness of the Act and the need, if any, for modifications.
Wireless spam is also covered by the bill with the Federal Communications Commission (FCC) required to promulgate rules within nine months to shield consumers from "unwanted mobile service commercial messages."
"The problems of spam have been accumulating over the years to a point where everyone has seen the affects of this frustrating junk mail," said Montana Republican Sen. Conrad Burns, who sponsored the original legislation along with Democratic Sen. Ron Wyden of Oregon. "The Can-Spam bill will finally offer consumers the ability to put an end to the bothersome e-mail they see each day in their in-boxes."
The bill permits e-mail marketers to send unsolicited commercial e-mail (UCE) as long as the message contains an opt-out mechanism, a functioning return e-mail address, a valid subject line indicating it is an advertisement and the legitimate physical address of the mailer.
Pre-empting any existing state anti-spam laws, the bill makes it a misdemeanor crime subject to up to one year in jail to intentionally send UCE with falsified header information and sets out civil penalties for a host of other common spamming practices used to obtain e-mail addresses, including harvesting, dictionary attacks and spoofing. Hijacking computers or open relays for the purpose of sending unlawful spam are also proscribed.
A late amendment to the bill by Sen. John McCain, R.-Ariz., makes businesses knowingly promoted in UCE with false or misleading header information subject to FTC penalties and enforcement remedies, regardless of whether the FTC is able to identify the spammer who initiated the e-mail.
Another section of the legislation prohibits the sale or other transfer of an e-mail address obtained through an opt-out request. This provision is designed to prevent the treatment of this class of e-mail as a confirmation of a "live" e-mail address and the sale of that information to would-be spammers.
Spammers also face civil penalties for using automated means to register for multiple e-mail accounts from which to send unlawful UCE, a technique commonly used by spammers to cycle rapidly through different originating addresses, making the spammers hard to track down and the UCE they send more difficult for Internet service providers and other e-mail service providers to filter.
In addition, the bill requires the FTC to produce several reports on other proposed solutions to slowing UCE, including a national do-not-spam list similar to the FTC's popular do-not-call registry. The FTC has six months after the enactment of the bill to come up with a plan for creating the e-mail registry or else explain to Congress why the creation of such a list is not currently feasible.
Earlier this year, the FTC testified at Senate hearings on the legislation that a do-not-spam list raises significant technical, security and privacy questions that would need to be resolved before such a list could be implemented.
The agency also has nine months to draft suggestions for the implementation of a system to grant a reward of not less than 20 percent of the total civil penalty for the first person to report the identity of a false header source, a bounty plan supported by Rep. Zoe Lofgren, D.-Calif.
Within 18 months of the bill enactment, the FTC must also produce a report on possible mandated subject line labeling, such as ADV for advertising. As currently drafted, the Can Spam Act requires UCE to carry information identifying it as an advertisement or solicitation but does not mandate any specific language.