The CAN-SPAM Act as a warning

Congress could learn at least three valuable lessons from the act that has done little to curb spam

It is widely expected that the new Congress and administration will be passing a lot of regulations to deal with all sorts of perceived problems. It may be that the now 5-year-old CAN-SPAM Act is one of the better examples of what not to do as far as regulations go.

When it was passed, the act (official name: Controlling the Assault of Non-Solicited Pornography and Marketing Act) was touted -- by the politicians at least -- as a tool to help control the growth of spam. Few of us in the tech world thought it would do any good, and in fact, the general feeling was that it was actually designed to legitimize unsolicited e-mail (see "Can: to be enabled by law").


Back in October, Network World's Carolyn Duffy Marsan reviewed the legislation and asked, "What went wrong?" Her article did a good job of covering the act and its status as a failure. It may be, however, that some important lessons were more hinted at than articulated.

The most important lesson is to not let the industry you are claiming to regulate write the regulations. The CAN-SPAM Act was written to legitimize the business of spam, and it was written to satisfy the spammers themselves. A spam-related regulation that really was aimed at providing relief for Internet users would have started with an opt-in requirement -- an opt-in requirement that did not have an exemption for a theoretical previous business relationship.

The next most important lesson is to give enforcement to somebody who cares. The Network World article reported that as of a year ago, the Federal Trade Commission had brought about 30 law-enforcement actions. In the face of more than 100 billion spam messages per year, 30 actions barely qualify as a pin prick. It is clear that the FTC either just does not care about the law or has actively decided it should ignore spam. (Along the same line, it might not be a good thing for federal regulations to override stronger state regulations.)

Yet another important lesson is that legislation should address the people who benefit from bad behavior. A far more effective antispam act would have gone after the companies using spam to advertise their wares and services, as well as after the ISPs supporting the spammers.

Having an antispam act that really was designed to fight spam would not have stopped it, but in looking at what happened when McColo was taken down last November (see "The spam problem was mostly solved last Tuesday"), one can see what could have happened if there had been a concerned enforcement agency and a law that went after spam supporters.

Government regulations all too frequently do far more damage than good -- as the CAN-SPAM Act did. Thus it's often better not to regulate -- but in view of the lessons from the banking and too many other crises, not regulating essentially is a non-option.

So, I expect the Obama crowd will have plenty of chances over the next few years to do better than CAN-SPAM. How well they do will be a good indicator of the relative strengths of the impulse to do something good for Internet users and the impulse to do something good for well-heeled lobbyists promising campaign donations.

Disclaimer: I know of no university position on the CAN-SPAM Act or on the altruism of the lobbyists who helped shape it, so the above is my own set of lessons to be learned.

Network World is an InfoWorld affiliate.

This story, "The CAN-SPAM Act as a warning," was originally published by Network World.
