Modernizing Authentication — What It Takes to Transform Secure Access
President George W. Bush signed a landmark anti-spam bill into law Tuesday, setting into motion the first national standards for sending bulk unsolicited commercial e-mail (UCE).
Bush signed the bill ahead of a planned event with Federal Trade Commission Chairman Tim Muris, who was slated to appear in a "Ask the White House" online discussion to discuss the anti-spam bill. (Details are available at www.whitehouse.gov).
The law becomes effective Jan. 1.
Pre-empting many tougher state anti-spam laws, the Can Spam Act aims to curb the most egregious practices of spammers by targeting e-mail with falsified headers, but allows e-marketers to send UCE as long as the message contains an opt-out mechanism, a functioning return e-mail address, a valid subject line indicating the e-mail is an advertisement and the legitimate physical address of the mailer.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
The Federal Trade Commission (FTC) is charged with enforcing the new law. In addition, the FTC is required to report back to Congress within two years on the effectiveness of the law and the need, if any, for modifications.
Wireless spam is also covered by the law with the Federal Communications Commission (FCC) required to promulgate rules within nine months to shield consumers from "unwanted mobile service commercial messages."
While Bush had no official comment on the Can Spam Act, U.S. Sen. Ron Wyden, D.-Ore., who co-sponsored the legislation with Sen. Conrad Burns, R.-Mont., said, "Kingpin spammers will now face tough rules and harsh consequences for sending unwanted, offensive e-mails to unwilling recipients. Swift and aggressive enforcement will be essential, and Senator Burns and I will continue to push the Federal Trade Commission and others to use the tools this law gives them to fight against spam."
To encourage "quick and strong enforcement," Burns and Wyden wrote to Muris last week requesting that the agency move promptly to prepare enforcement cases against high-volume spammers. The senators urged the FTC to "put established spammers on notice that the game has changed, and to discourage new ones from entering the sleazy business."
The new law makes it a misdemeanor crime subject to up to one year in jail for intentionally sending UCE with falsified header information and sets out civil penalties for a host of other common spamming practices used to obtain e-mail addresses, including harvesting, dictionary attacks and spoofing.
Hijacking computers or open relays for the purpose of sending unlawful spam are also proscribed.
Under the law, businesses knowingly promoted in UCE with false or misleading header information are also subject to FTC penalties and enforcement remedies, regardless of whether the FTC is able to identify the spammer who initiated the e-mail.
The new law was not warmly received by consumer groups that urged Congress to follow the tougher state laws that, in some cases, required opt-in standards.
"This bill does not stop a single spam from being sent. It only makes that spam slightly more truthful. It also gives a federal stamp of approval for every legitimate marketer in the U.S. to start using unsolicited e-mail as a marketing tool," Scott Hazen Mueller, chairman of the Coalition Against Unsolicited Commercial E-Mail, said in a statement.
"Congress has listened to the marketers and not to consumers, and we have no faith that this law will significantly reduce the amount of spam that American Internet users receive."
Despite a number of Senate and House hearings on the measure, Mueller said the law was "written and passed solely through back-room compromises and with the input of the marketing industry and Internet service provider lobbies, but with scant regard for the interests of America's consumers and business Internet users."
Another section of the legislation prohibits the sale or other transfer of an e-mail address obtained through an opt-out request. This provision is designed to prevent the treatment of this class of e-mail as a confirmation of a "live" e-mail address and the sale of that information to would-be spammers.
Spammers also face civil penalties for using automated means to register for multiple e-mail accounts from which to send unlawful UCE, a technique commonly used by spammers to cycle rapidly through different originating addresses, making the spammers hard to track down and the UCE they send more difficult for Internet service providers and other e-mail service providers to filter.
In addition, the law requires the FTC to produce several reports on other proposed solutions to slowing UCE, including a national do-not-spam list similar to the FTC's popular do-not-call registry. The FTC has six months after the enactment of the bill to come up with a plan for creating the e-mail registry or else explain to Congress why the creation of such a list is not currently feasible.
Earlier this year, the FTC testified at Senate hearings on the legislation that a do-not-spam list raises significant technical, security and privacy questions that would need to be resolved before such a list could be implemented.
"I have previously expressed reservations about the registry because our studies have shown that almost all spammers are already violating various laws," Muris stated during the White House online discussion. "As you know, the FTC develops and is now enforcing, along with the FCC and the states, the national do-not-call registry. Most telemarketers are legitimate businesses. Because most spammers are not legitimate, the attractiveness of a do-not-spam registry is in doubt. We will perform an objective study to see if the difficulties of a registry can be overcome so that consumers would benefit."
The agency also has nine months to draft suggestions for the implementation of a system to grant a reward of not less than 20 percent of the total civil penalty for the first person to report the identity of a false header source, a bounty plan supported by Rep. Zoe Lofgren, D.-Calif.
Within 18 months of the bill enactment, the FTC must also produce a report on possible mandated subject line labeling, such as ADV for advertising. As currently drafted, the Can Spam Act requires UCE to carry information identifying it as an advertisement or solicitation but does not mandate any specific language.