The U.S. Federal Trade Commission has released Effectiveness and Enforcement of the CAN-SPAM Act (PDF), a congressionally-mandated report on the results achieved by the 2003 federal legislation designed to curtail spam and protect children from sexually-explicit email.
The FTC’s conclusions? The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (yes, that’s really what CAN-SPAM stands for!) has been effective in two main areas: getting legitimate email marketers to adopt industry-standard “best practices,” and in serving as an extra tool ISPs and governments can use when going after spammers in court.
Oh, the number of cases the FTC has pursued against spammers since the CAN-SPAM act went into effect? Fifty. The number of spammers still in operation? Thousands, if not millions.
The CAN-SPAM act essentially requires email marketers to use legitimate “from” addresses and not obfuscate the origin of their messages, as well as provide operational “opt-out” mechanisms for people who do not want to receive their messages. These measures were largely greeted as meaningless by the Internet community when the CAN-SPAM act was enacted, and the FTC’s own report lauding the Act’s success also highlights its numerous shortcomings: spammers are increasingly shielding themselves by operating outside the U.S., using “increasingly complex multi-layered business arrangements” designed to frustrate investigators and law enforcement officials, and registering domains using false information. The report also cites an increase in deliberately malicious spam, such as messages bearing worms, viruses, and other malware.
Indirectly, the FTC report also tries to take credit for the private sector’s efforts to combat the spam problem. “The volume of spam sent over the Internet has begun to level off, and, even more significantly, the amount reaching consumers’ inboxes has decreased, due to enhanced anti-spam technologies. There has been a significant decrease in the number of spam messages containing sexually-explicit material.” But, if borne out, these findings would have been true regardless of CAN-SPAM: in the absence of meaningful legislative remedies, filtering technologies have been forced to improve tremendously in order to maintain the viability of email. Following the FTC’s reasoning, spam filtering might be even better if CAN-SPAM hadn’t offered a (very small and very dim) ray of hope. Go figure.
From a legislative perspective, spam is a difficult problem. The international and interconnected nature of the Internet means a shady business in Florida can hire a shady spammer in Eastern Europe to register a domain under a false name and blast out millions of email messages, many of which might originate from captive (or “zombie”) computers all over the world. Geographic and national jurisdiction cannot be easily applied to the Internet. Until a meaningful legislative solution is found and implemented, spammers will have legal loopholes and geographic havens: combating spam on a technical level remains the only workable near-term option.