CPSC 457 Sensitive Information in a Wired World

CPSC 457: Sensitive Information in a Wired World
Anti-Spam Legislation and Technology
Jeannie Wong

Costs of Spam
  • In the U.S. and the E.U., half of all email is unsolicited commercial email.
  • The Federal Trade Commission maintains and monitors a spam database, and has set up a special mailbox that receives 40 thousand junk emails a day.
  • Spam is used not only to peddle merchandise and various money-making scams, but also to disseminate computer viruses.
  • FTC: spam costs between $10 billion and $87 billion annually.
  • 7 billion pieces of spam are sent daily, which drains bandwidth and productivity.
  • ISPs pass the increased cost along to their customers.
  • Schumer: NYC residents receive 8.25 million pieces of spam daily and spend 4.2 million hours annually deleting them.
  • Jupiter Research:
      • in 2002, $1.4 billion spent on email marketing campaigns
      • in 2007, $8.3 billion will be spent
  • Anti-spam technology is an $88 million industry.

Spam originates mainly from:
  1. United States - 33%
  2. China - 18%
  3. Korea - 9%
  4. Brazil - 4%
  5. Canada - 3%
  6. United Kingdom - 2%
  7. Italy - 2%
  8. Mexico - 2%
  9. Germany - 2%
  10. Taiwan - 1%

Anti-spam Legislation
  • 107th Congress: 8 bills
  • 106th Congress: 11 bills
  • 108th Congress: 9 bills
      • Anti-Spam Act of 2003
      • Ban on Deceptive Unsolicited Bulk Electronic Mail Act of 2003
      • CAN-SPAM Act of 2003
      • Computer Owners’ Bill of Rights
      • Criminal Spam Act of 2003
      • REDUCE Spam Act of 2003
      • Reduction in Distribution of Spam Act of 2003
      • Stop Pornography and Abusive Marketing Act
      • Wireless Telephone Spam Protection Act

CAN-SPAM Act of 2003
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act
  • Reintroduced for the third time in April 2003 by Sen. Conrad R. Burns (R-MT) and Sen. Ron Wyden (D-OR)
  • Requires unsolicited commercial email messages to be labeled, to include opt-out instructions, workable return email addresses, and the sender’s physical address
  • Preempts state laws that prohibit unsolicited commercial email outright
  • Imposes fines of up to $10 per email on spammers if the receiver has opted out, up to $500,000, and a fine of up to $1.5 million for spammers who willingly and knowingly violated the law

CAN-SPAM Act of 2003
  • Imposes fines of up to $1 million for deliberately deceptive email
  • A criminal penalty of up to a year in jail for spammers who include deceptive subject lines and misleading header information.

Criminal Spam Act of 2003
  • Introduced June 19, 2003 by Sen. Orrin Hatch (R-UT)
  • Cosponsors: Senators Leahy, Schumer, Grassley, Feinstein, DeWine, Edwards, Wyden, Burns, Pryor, Miller, and Nelson.
  • Prohibits unauthorized or deceptive use of a third party’s computer for relaying bulk commercial email messages
  • Prohibits the use of false header information in bulk commercial messages
  • Regulates the use of multiple email accounts or domain names for the purposes of sending such messages.
  • Applies only to quantities of more than 100 messages within 24 hours, or 1000 within 30 days, or 10000 within one year.
  • Senders of email with misleading headers may be fined up to $25,000 each day or receive up to five years in federal prison

SPAM Act
  • Stop Pornography and Abusive Marketing Act
  • Introduced in June 2003, Sen. Charles Schumer (D-NY)
  • Establishes a national “no-spam” registry, administered by the FTC, using fees paid by marketers for access to the list
  • FTC would be empowered to prohibit explicit commercial messages to minors even if they are not on the list
  • Requires full disclosure in email headers and addresses, requires working unsubscribe mechanisms, and bans the use of false sender names and automated harvesting of email addresses

SPAM Act
  • All messages that contain commercial content must have the letters ADV in the subject line, except those sent in compliance with an FTC-approved self-regulatory program, and must include the sender’s physical address.
  • Jail time of up to 2 years for severe repeat offenders.
  • $75 million needed to create the system, including the FTC registry and for enforcement.
  • Supports domain-wide opt-out

REDUCE Spam Act of 2003
  • Restrict and Eliminate the Delivery of Unsolicited Commercial Electronic Mail or Spam Act of 2003
  • Introduced in May 2003 by Rep. Zoe Lofgren (D-CA)
  • Unsolicited bulk commercial email messages would be required to include a valid reply address and opt-out instructions, and a label (“ADV:” or “ADV:ADLT” or some other form of recognized standard identification)
  • Applies to messages sent in the same or similar form to 1000 or more email addresses within a two-day period
  • False or misleading headers and deceptive subject lines would be prohibited in all unsolicited commercial email messages, whether or not sent in bulk

REDUCE Spam Act of 2003
  • Similar to the Burns-Wyden bill with the addition of a reward of 2 percent of the civil fine levied by the U.S. Federal Trade Commission against the spammer to the first person to report a spam offender.
  • Gives Internet service providers the right to bring civil actions against marketers who violate those requirements and disrupt their networks, and it allows for criminal fines and up to a year in prison for fraudulent spam.

Anti-Spam Act of 2003
  • Introduced June 18, 2003 by Rep. Heather Wilson (R-NM)
  • Cosponsors: Rep. Rick Boucher (D-VA) & Rep. Ed Markey (D-MA)
  • Commercial email messages must be identified as such, must include the sender’s physical street address, and an opt-out mechanism.
  • Messages relating to a specific transaction and consented to by the recipient would be exempt from the requirements
  • Sexually explicit messages must be identified with a standard label
  • Commercial email messages with false or misleading message headers or misleading subject lines are prohibited.

Anti-Spam Act of 2003
  • Sending commercial email messages to addresses generated by an automated dictionary attack would be illegal.
  • Preempts state laws that restrict the sending of commercial email, regulate opt-out procedures, or require subject-line labels.
  • Laws that regulate falsification of message headers would remain in place

Reduction in Distribution of Spam Act of 2003
  • RID-Spam Act
  • Introduced in May 2003 by Rep. Richard Burr (R-NC)
  • Cosponsors: Rep. Billy Tauzin (R-LA) and Rep. James Sensenbrenner (R-WI)
  • Requires all commercial email messages to be identified as such, include the sender’s physical address, and an opt-out mechanism.
  • Unsolicited sexually explicit messages must be identified with a standard label.
  • Prohibits the use of false or misleading headers in commercial messages.
  • Preempts state laws that prohibit unsolicited commercial email, regulate opt-out procedures, or require subject-line labels.
  • Lets ISPs (but not individuals) sue spammers for damages

Problems with proposed legislation
  • Definition of spam as fraudulent email
      • Andrew Barrett, executive director of SpamCon: RID-SPAM Act = “The Spammer’s Bill of Rights”
  • No distinction between content and consent
  • Implementation barriers
      • FTC Chairman Tim Muris: "A do-not-spam list is an intriguing idea, but it is unclear how we can make it work."

Problems with proposed legislation
  • High cost of enforcement
  • Makes it more difficult to prosecute spammers
      • RID-Spam Act makes suing spammers more complicated than it is under the FTC Act
      • Criminal Spam Act of 2003 requires that federal prosecutors prove a spammer falsified his identity in 10 thousand different emails to bring a felony charge
  • Opt-out puts the burden on consumers
  • Better to have legislation favoring permission-based email

Anti-spam legislation in the EU and UK
  • In May 2002, the European Parliament passed anti-spam legislation requiring companies to receive consumer opt-in permission before sending them commercial email
  • In the U.K., under a new directive which starts on December 11, companies and individuals can be fined up to $8200 for sending unsolicited commercial e-mail and SMS text messages to mobile phones without prior agreement.

World’s Fourth Largest Spammer
  • Details Magazine October, 2003 Issue: 9th Most Powerful Men in America under Age 37

World’s Premier Spammer
  • Alan Ralsky
  • Settled a lawsuit brought against him by Verizon Internet Services in 2002
  • Now sends most of his spam mails from overseas
  • Controls 190 e-mail servers: 110 in Southfield, 50 in Dallas and 30 more in Canada, China, Russia and India
  • Charges a commission on sales or a flat fee of up to $22,000
  • Has a master list of 250 million valid addresses
  • Response rate of 0.25 percent

Spam blocking technology
  • Bill Conner of Entrust: digital credentials
  • Brightmail Solution Suite
  • Internet Engineering Task Force:
      • implementing a single architecture that will allow receivers to express consent or non-consent
      • Destroy the spammer’s business model
  • Bayesian filters
  • Other client-side filters

Spam Tricks
  • The online Field Guide to Spam
      • Lost-in-space
      • Slice-and-dice
      • Message encoding

Steps individuals can take
  • Choose an email address name that is hard to guess
  • Don’t post your email online
  • Get a spam filter
  • Don’t reply to spam
      • spam-baiting is inadvisable
  • Be careful when installing free software
  • Don’t sign up for free web services
  • Report spam to your ISP or to the FTC at UCE@FTC.gov