[Politech] An insider's analysis of the Senate's anti-spam bill

From: Declan McCullagh (declan@private)
Date: Tue Oct 28 2003 - 06:21:40 PST

  • Next message: Declan McCullagh: "[Politech] A mild defense of the RIAA and "anti-piracy" caucus [ip]"

    [[Greets, Declan.  Thought you could use a comprehensive, _somewhat_ concise
    summary of the Senate's spam bill.  Please only UNATTRIBUTED/ANONYMOUS if
    you wish to share with Politech.]]
    The Senate passed an amended version of S.877, the Wyden-Burns anti-spam
    bill that has been percolating through Senate committee for the past few
    Contrary to what you are seeing in most press, this is not the "first"
    anti-spam bill to pass the Senate.  Bills have made it out of both the House
    and Senate in the past.
    (S.1618 in the 105th Senate, and HR 3113 in the 106th House, among others.)
    (Just a reminder, the Senate passing a bill is a big deal, but not nearly as
    big as if/when the President signs it into law _after_ the House passes it
    But that's not to say this passage is not meaningful, such consensus in the
    more "legislatively reserved" Senate likely means that even if the House
    doesn't pass the exact same bill, at least some of the language of this bill
    could show up in the appropriations bills Congress is rushing to finish
    right now.
    The bill that passed the Senate has three main parts; (1) criminal
    prohibitions, (2) spam labeling requirements and civil prohibitions, and (3)
    several studies and reports, including requiring "plans" for an FTC
    "do-not-spam" list.
    (1) CRIMINAL prohibition
    The criminal part comprehensively prohibits a list of "bad acts" if they are
    done in the act of intentionally sending more than 100 commercial email/day;
    things like registering multiple accounts, obscuring or forging headers,
    logging on to or using computers without access.
    A sexually explicit labeling and content prohibition amendment was added by
    Sens. Santorum and Enzi on the floor at passage. It requires that
    unsolicited commercial email be labeled in the subject line, (in a manner
    the FTC will decide) and no sexually explicit content be visible when the
    email is opened.
    Violate the criminal provision and you face fines, asset forfeiture and up
    to 5 years in federal prison, depending on volume, severity, prior offences,
    and prior or concurrent crimes committed.  The bill also provides for
    sentence enhancements if the "spamming" was done with "harvested" addresses
    or stolen address lists, or by "dictionary attack" auto-generation of email
    [[ comments - anonymous or pseudonymous accounts and anonymous remailing
    aren't prohibited outright, but only if they are used to send commercial
    email.  The labeling of sexually explicit content could get messy, if done
    in a way other than what the FTC prescribes, (say labeling ADLT if the FTC
    required "ADULT") that would seem to be a violation resulting in a fine or
    The second part of the bill contains civil prohibitions and labeling
    requirements, including sexual content labeling, for commercial email.
    Materially misleading or falsified header or subject information in ANY
    commercial email is prohibited.  MOST commercial email must have a valid
    reply address or reply mechanism. ("Transactional emails" like billing
    notifications and "update/patch available" emails from existing business
    relationships are exempt)
    UNSOLICITED commercial email must have clear notice (somewhere) that it is
    an advertisement, and an opt-out mechanism, and a valid physical postal
    address of the sender.
    Once a sender has received an opt-out, UNSOLICITED commercial email cannot
    be sent to someone who has exercised their right to opt-out. (Several of the
    more common ways to get around this, such as hiring someone else to send, or
    reselling an opted-out address, are also prohibited.)
    Similar to the criminal provisions, scripting or auto-generating email
    accounts, harvesting email addresses, or autogenerating email addresses is
    also prohibited, if those acts are part of sending unsolicited commercial
    email that doesn't follow the rules above.
    Violations of these requirements can be pursued by the FTC and in some cases
    other federal agencies. (i.e. SEC, FCC)  State Attorneys General and ISPs
    can also sue, but individual recipients cannot. In most cases, damages are
    capped at $1 million.  State laws dealing specifically with unsolicited
    email would be mostly pre-empted - NOTABLY California's recently-adopted
    "opt-in" anti-spam law.
    These civil provisions also target 3rd parties who knowingly "let" their
    products be promoted in someone else's illegal spam, (HYPOTHETICAL example -
    Pfizer "knowingly" benefiting from spammers promoting Viagra) but only the
    FTC can enforce against these 3rd party violators.
    [[ comments - The short summary is: the bill sets up an "opt-out" regime
    that allows any spammer one free spam.
    Consumer enforcement is (except for a few state laws that aren't preempted)
    left only in the hands of FTC employees and 50 state Attorneys General.
    ISPs can sue, and are given rather strong standards and penalties.  The bill
    actually removes individual consumers' access to redress in court under
    several state laws. The "3rd party" section, an amendment by Sen. McCain in
    committee, aims at companies who hire out spammers or separate themselves
    from spammers by shell corporations, but knowingly benefit nonetheless.
    Although this part of the bill is extensively tailored, the Viagra
    hypothetical indicates it could still potentially be problematic.]]
    The bill requires the FTC to develop a plan for a national "Do Not Spam"
    email address registry, including documenting potential problems.  The FTC
    "may" implement the plan, but doesn't have to, and can't for at least 9
    The bill requires the FTC to develop a plan for a "bounty" system of a
    portion of any fine collected for people who report spam to the FTC.  The
    FTC is similarly not required to implement such a bounty plan, but it "may,"
    after 12 months.
    The bill also requires the FTC to study and report (but doesn't authorize
    action) on a whole slew of issues, including "ADV" labeling, the efficacy of
    any enforcement actions, newly emerging bad business practices, etc.
    [[ comments - The email address registry plan, required in an amendment by
    Senator Schumer, has been reported as a major sticking point for passage.
    The bounty plan is similar to the Rep. Lofgren House bill associated with
    Prof. Lessig's proposal to allow individual users to collect a bounty on
    identifying spammers.  Sen. Corzine introduced a similar Senate bill, and
    when this bill came up, attached his language as a "study" amendment.  Draw
    your own conclusions about these two amendments and the press they will get
    the respective Senators, but in the end, the Senate didn't "require" the FTC
    to implement either.  ]]
    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)

    This archive was generated by hypermail 2b30 : Tue Oct 28 2003 - 08:02:30 PST