
Prepared Witness Testimony

The House Committee on Energy and Commerce

 

Legislative Efforts to Combat Spam

Subcommittee on Commerce, Trade, and Consumer Protection
Subcommittee on Telecommunications and the Internet
July 9, 2003
1:00 PM
2123 Rayburn House Office Building 

 

Mr. Kenneth Hirschman
Vice President & General Counsel
Digital Impact, Inc
177 Bovet Road, Suite 200
San Mateo, CA, 94402

Mr. Chairman and Members of the Committee, I want to thank you for inviting me to testify. My name is Ken Hirschman, and I am Vice President and General Counsel of Digital Impact, Inc. Digital Impact is the premier provider of online direct marketing solutions for enterprises, including numerous Fortune 500 companies who have embraced permission-based email as a viable and efficient customer communications and marketing tool.

Digital Impact is also a founding member of the Email Service Provider Coalition of the Network Advertising Initiative (NAI), which was formed to represent the interests of email service providers. Thirty-four other email service providers have joined Digital Impact in the ESP Coalition, all of which are struggling with the onslaught of spam and the emerging problems related to the deliverability of legitimate and wanted email.

The NAI is a cooperative group of companies dedicated to resolving public policy concerns related to privacy and emerging technologies. In the past, the NAI has created self-regulatory programs for online ad targeting and the use of web beacons. The group has now turned its focus to the growing problem of spam and the related concern of email deliverability.

Let me begin my testimony by explaining the unique role that email service providers play in the search for solutions to the spam problem.

Email service providers enable their customers to deliver volume quantities of email messages. These messages originate from the full spectrum of the US economy - large and small businesses, educational institutions, non-profits, government agencies, publications, and affinity groups all use the services of ESPs to communicate with their customers, members and constituents. While ESPs often serve the marketing needs of the business community, we also deliver transactional messages (such as account statements, airline confirmations, and purchase confirmations), email publications, affinity messages and relational messages.

The ESP industry is robust and growing. Within the ESP Coalition, we estimate that the 35 members provide volume email services to over 250,000 clients. These customers represent the full breadth of the U.S. marketplace - from the largest multi-national corporations to the smallest local businesses; from local PTAs to national non-profit groups and political campaigns; from major publications with millions of subscribers to small affinity-based newsletters.

Jupiter Research estimates that the email marketing industry (which, again, is only a portion of the total spectrum of ESP customers) will grow in size to 2.1 billion dollars in 2003 (up from 1.4 billion dollars in 2002). By 2007, Jupiter estimates that the size of the email marketing industry will reach 8.2 billion dollars. All of these numbers are for the US market alone. Expanding the scope of this research to include all customers served by ESPs and foreign markets would increase these numbers significantly.

But the size and importance of email in the marketplace should not be measured by dollars alone. Email is indeed the "killer app". Over the past ten years, email has been a strong driver of productivity and efficiency in the marketplace. It has also been an important social tool. Email has shortened distances in the world - allowing communication to occur with unprecedented speed and detail. Email has created affinity within groups that previously were too widely separated geographically to effectively recognize their common interests and positions.

As an example of the importance of email, a recent study by the META Group showed that, given a choice between email or telephones, 74% of business people would give up their phones before email. In other words, 74% of people now find email to be more critical than the telephone in their daily work.

The Threat of Spam and the Solution(s) to Spam

The ESP Coalition sees spam as a threat to the long-term viability of the email service provider industry and to legitimate commercial email. Indeed, spam presents a dire threat to all uses of email - marketing, transactional, affinity and relational - as the continued growth of spam could lead to the widespread abandonment of email as a communications tool. Consumers and businesses will not use email if the system becomes so choked with misleading and deceptive messages that those messages that are actually wanted are lost in the fray. Put simply, the spam problem will critically damage the ESP industry and the use of legitimate commercial email if it is not curtailed.

I will not belabor the statistics on the growth of spam or the costs associated with handling spam. Surely all of the panelists can agree that we are presented with an enormous problem. Without an expedient solution, spam may end up killing the "killer app" of email.

The media and marketplace have been replete with spam solutions for years. Some of these solutions have performed commendably in the fight against spam. But the problem still exists and continues to grow. Increasingly, we are presented with the question: can anything be done?

We believe that much can be done to solve the spam problem. At the most fundamental level, we believe that we need to create accountability within the email delivery system. Spammers spend their days concocting new methods to obscure and falsify their identity in order to sneak past existing filters and avoid accountability. In many ways, our existing tools are merely reacting to the spam received today - and not preparing for or combating the spam that will arrive tomorrow. Stated differently, our efforts to cure spam are responding to the symptoms (the actual spam received) and not the cause (the lack of accountability on the part of spammers).

So how do we create accountability within the email system?

The solution to spam exists in three components: legislative, technological and social. Let me address the technological and social components quickly and then focus on the part of the solution for which we look to you: federal legislation.

The Technological Component

Part of the problem in solving spam is that spammers enjoy impunity through anonymity. Spammers hide behind open relays, they falsify their online identities (a practice popularly known as "spoofing") and they deceive recipients with misleading "from" and "subject" lines. Make no mistake - the business of spamming is one of fraud and deception.

The recent efforts of the FTC in relation to open relays and deceptive spam should be commended. It is critical that we have strong deterrents to dissuade spammers from their trade. But the fundamental architecture of the internet and email protocols still allow for the deception to occur.

The NAI recently proposed an architectural "blueprint" to respond to this problem. Essentially, the NAI's blueprint, called "Project Lumos," is designed to force senders of volume email to incorporate authenticated identification into every message sent. The use of authenticated identity, along with a rating of sending practices over time, prevents spammers from hiding behind the technology of email and forces all senders to be accountable for their sending practices. We have engaged with many of the major ISPs and other groups on this effort and are greatly encouraged by the traction our effort has gained since our launch of Project Lumos in April of this year.

Other technological solutions also hold promise. The NAI is actively working with other constituencies in the marketplace to bring about such solutions. I hope that we will have much more to share with you before the end of this year.

The Social Component

One part of the spam problem that has not been actively discussed is the need for consumer education around the appropriate use of email addresses.

The Center for Democracy and Technology (www.cdt.org) recently released a study on the consumer actions that result in exposure of email addresses and, subsequently, spam. The results were compelling: the CDT report found that appropriate management of an email address by the holder of that address can drastically reduce the amount of spam received. Further, the study found that there are a few actions that can create enormous amounts of spam. Specifically, the CDT reported that posting an email address on a public website and posting an email address in a public newsgroup or chatroom both resulted in huge amounts of spam. This is due to the use of "spiders" or "bots" - programs that scour the web for email addresses and harvest them into a spammer's database.

Clearly, one component in the total solution to spam is the education of consumers on issues such as those raised by the CDT report. If consumers understand those practices that result in spam, they will be much better equipped to control the amount of spam in their in-boxes.

The Legislative Component

The ESP Coalition strongly supports federal legislation to respond to the growing menace of spam. We believe that strong preemptive federal legislation will be a critical component (but not the only component) in the successful resolution of the spam problem.

In the United States today, 33 states have enacted some form of spam legislation. Many more are considering spam legislation in their current legislative sessions. Unfortunately, the standards applied by these statutes (and proposed in pending bills) are not harmonized. As a result, we have a crazy quilt of differing standards that has created an unnecessarily complex compliance system. To make matters worse, enforcement within the global medium of email is exceedingly difficult when limited by state boundaries. We need preemptive federal legislation to unify these standards and provide powerful tools to enforcement officials.

We believe that the RID SPAM Act strikes the appropriate balance with regard to preemption. The RID SPAM Act would allow for a national standard to be set for the delivery of unsolicited commercial email. Given the incentives provided within the bill, most businesses will move to a fully consent-based model for email delivery. This is particularly true where the standard set by the bill will be uniform across the entire country. To combat spammers, the bill provides strong enforcement tools to the FTC, state attorneys general, and ISPs. We strongly support enforcement by all of these groups.

One issue that has been raised in discussions regarding spam legislation, and may be raised again, is that of a private cause of action. Such a solution, while tempting, would do nothing to stop spam and would definitely create a morass of litigation against legitimate companies. Spammers spend their days looking for ways to technologically obscure their identities. Pursuing spammers requires enormous technological, financial and investigative resources. Individuals do not have such resources, but governments and ISPs do.

We have a very real example of what a private cause of action means when included in a spam statute. In the state of Utah, a spam statute was passed last year that allows for a private cause of action and class action suits. A single plaintiff's class action law firm in Utah has filed hundreds (and by some accounts, over a thousand) class action lawsuits under this statute. But the firm is not pursuing spammers. Given the cost and complexity of finding actual spammers, this firm has targeted leading companies and brands - using firm employees as plaintiffs and offering pre-complaint settlements for several thousands of dollars - knowing that companies would rather pay the nuisance value of these suits than submit to the costly process of proving their innocence. Perhaps most telling is the fact that there is no data to suggest that the amount of spam in Utah has been reduced by even one message.

Another issue that has been raised in relation to spam legislation is that of "opt-in" versus "opt-out". Over the past few years, our industry has lost critical time debating this issue, while spam has been allowed to proliferate.

Let me make one thing perfectly clear: the debate over "opt-in" or "opt-out", regardless of what standard is eventually adopted, will not result in the reduction of spam. Spammers rely on deception, not permission. They do not care about whether they have any sort of relationship with the recipient of the message. They pay no heed to all of the existing state laws regarding spam. The most restrictive "opt-in" spam statute will do nothing to dissuade spammers from sending their messages.

A recent FTC study conveys this point succinctly. By reviewing a large body of spam received within the agency, the FTC estimated that fully two thirds of spam is fraudulent, misleading or deceptive. This means that the majority of spam already violates existing law.

As currently written, the RID SPAM Act will provide important incentives for legitimate businesses to raise their email standards. Digital Impact and the NAI firmly believe that email must be sent with the consent of the recipient, or within a pre-existing business relationship. Furthermore, we believe that email should be sent with informed consent - meaning that recipients have clear and conspicuous notice as to the results of providing their email address. This is a meaningful and workable standard.

Again, we strongly support the RID SPAM Act. We will continue to work with staff on a few issues we have with the bill, but look forward to seeing a law enacted this year.

The Threat of Filtering and Blacklists

Before I conclude today, I want to raise one growing problem in the fight against spam. While spam clearly represents a serious threat to the continued viability of email, the problems created by some of the current tools used to combat spam are equally threatening. Internet Service Providers (ISPs) are aggressively building filtering technologies to limit the amount of spam entering their systems. Conceptually, this is a positive development. However, the spam filters currently in place are creating a new problem: wanted email is not being received.

According to a report by Assurance Systems, in the fourth quarter of 2002, an average of 15% of permission-based email was not received by subscribers to the major ISPs. Some ISPs had non-delivery rates that were startling:

NetZero 27%
Yahoo 22%
AOL 18%
Compuserve 14%
AT&T 12%

The same report for the third quarter of 2002 showed an average of 12% non-delivery rate for the major ISPs - meaning that the filtering of permission-based email increased 25% in a single calendar quarter. Some of the volume email campaigns within the Assurance Systems report had non-delivery rates as high as 38%.

Non-delivery of wanted messages due to filtering (called "false positives" within the industry) represents an enormous threat to the ongoing viability of email as an effective communications tool. The market will stop using email for important communications if email delivery is unreliable. It is critical that false positives be eliminated if email is to survive as an efficient and productive means for communication.

One of the main drivers in the false positive problem is the emergence of blacklists. These are lists of alleged spammers that ISPs can use to filter incoming email. The blacklist operator builds a registry of IP addresses that they believe are associated with spam and makes it available publicly. Currently, there are an estimated 300 blacklists in operation.

Again, the concept of a blacklist may seem to make sense at first glance. Unfortunately, the reality of blacklists in today's marketplace is far different.

Many blacklists are without standards and operate behind a veil of anonymity. For example, one of the leading blacklists, SPEWS (www.spews.org), offers no contact information, no phone numbers, no names, no addresses, and no email for the organization. The website has purportedly been registered in Irkutsk, Russia. SPEWS has no defined standards for posting to their blacklist - evidence has shown that a single complaint can result in the blocking of an entire range, or "neighborhood," of IP addresses. Further, for those senders listed on SPEWS, the only way to resolve the problem is to post your request for removal to a public spam forum available through Google (http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&group=news.admin.net-abuse.email).

All of these efforts are designed to combat spam. But in their zeal to eliminate the problem, they have created a potentially disastrous "ricochet" effect: false positives. Going forward, our solution to spam must carefully balance the need for strong action against spammers with a determination to preserve the deliverability of legitimate email.

Conclusion

Digital Impact and the NAI believe that the problem of spam will be best resolved through three powerful forces: legislation (together with vigorous enforcement), technology and consumer education. The NAI is actively working with ISPs and solutions providers to craft architectural solutions to spam that will shine the bright light of accountability into the dark recesses of the internet. We strongly feel that technology must be used to force spammers to identify themselves and be held accountable for their practices. We also believe that consumers must understand the need for careful management of their email addresses. We could drastically reduce the amount of spam received by average consumers through educational efforts on what not to do with an email address.

But the technological and educational solutions are not enough. We need a strong federal statute to raise the standards for email practices across the entire country. Legitimate businesses will respond to such a statute by raising their practices to meet or exceed the standard set by law. Enforcement officials at both the state and federal level and ISPs will have powerful tools to seek out and bring to justice those individuals responsible for spam. And we can do it while maintaining the balance necessary to preserve the legitimate use of email.

Mr. Chairman, on behalf of Digital Impact and the other members of the NAI Email Service Provider Coalition, I want to pledge that we will continue to work to fight spam and preserve email with you and members of your staff. Spam is a complex problem and our efforts to craft solutions must be thoughtful, robust and effective.

Thank you and I look forward to any questions you may have.

 
