Time to can the CAN-SPAM Act

Despite the FTC's declaration of success, spam isn't getting better, and it's partly the CAN-SPAM Act's fault

Anyone who hated spam also hated the CAN-SPAM Act of 2003. Its core opt-out policy doomed it to failure. It superseded stronger state laws, made individual lawsuits impossible, and provided woefully inadequate penalties when applied in court. And worse, it literally made spam … er … "unsolicited commercial e-mail" legal for anyone who follows a few simple rules.

It’s been two years now. Who was right, the critics or the Congress?

As part of the CAN-SPAM Act, the Federal Trade Commission (FTC) is required to report to Congress on the Act's success. The 116-page report looks like one of those first-year-of-college essays in which the writer uses big margins and abnormally large line spacing (I’m not kidding about this) to say a lot of nothing. It’s obvious the preparers were reaching for something good to say, and even then could not find much to brag about.

Sadly, Congress won’t read the Patriot Act, much less the CAN-SPAM report. More sadly, mainstream media bought the success stories touted by the FTC. The three-page Executive Summary actually concludes by saying that the CAN-SPAM Act needs no modification. Hey, now we can all sleep better at night.

If you don’t have time to read the FTC’s report, let me give you my Executive Summary of whether CAN-SPAM has led to a decrease in spam: No!

Gee, I didn't even need multiple pages to say that.

The real question is whether or not the percentage of spam as compared with total e-mail sent is decreasing. Although several entities report drops in the amount of spam reaching end-users because of improved filtering capabilities, the real rate of spam is leveling off at between 50 percent and 70 percent of e-mail traffic, depending on which statistics you read.

And if spam reaching the end-user has decreased because of better filtering devices, then the CAN-SPAM Act has had no part in any so-called success. The CAN-SPAM Act did not dictate spam filtering techniques or technologies. If anything, as predicted, the CAN-SPAM Act led to more spam being considered legal unsolicited e-mail.

Phishing, targeted e-mail attacks, and spam bots were up enormously in 2005. The criminals are still doing their thing, and a few dozen lawsuits under the statute haven’t changed that. In fact, every spammer caught has cloaked his or her defense in the cloth of the CAN-SPAM Act.

According to every statistic I can gather, today’s spam levels still haven’t fallen to pre-CAN-SPAM levels. When the Act took effect in January 2004, MessageLabs, which processes Internet e-mail for 12,000 clients, reported that spam accounted for 50 percent of all e-mails. It immediately shot up for the next year and a half: Today, although spam is “leveling off,” the total spam percentage is 68 percent, or 18 percent higher than it was before the act.

Maybe the FTC found some good news in Brightmail's break-even analysis. Brightmail reported a 60 percent spam rate in January 2004. Acquired by Symantec in June 2004, Brightmail/Symantec’s spam detection rate in June 2005 was 61 percent -- just a minor increase.

Some real good news, if you can call it that, comes from Postini, which processes 3.5 billion messages a week. Although its spam rate stayed level at 80 percent during the entire year of 2004 (and Postini is one of the few services that did not have significant increases after the CAN-SPAM Act was enacted), its 2005 spam rate was around 59 percent. That might seem a reason to celebrate until you realize that its current spam rate is still up 65 percent from January 2002.

The real proof of CAN-SPAM's effectiveness is your own e-mail inbox. Does it look any better these days? If it does, I’ll bet it’s because you or your company has multiple anti-spam filters. One guy in the Netherlands, Paul Wouter, says his personal spam increased seven-fold in 2004, and was twice that in 2005.

Even though I don’t see any statistics that lead me to believe that spam is getting better, let’s suppose that the CAN-SPAM Act has actually cut the spam rate to 50 percent. So at best, after two years of work, only half of all messages on the Internet are spam. Is that victory?

I agree with those who say CAN-SPAM shouldn’t be modified. It should be killed and reborn with an opt-in policy, just like the Federal Trade Commission’s Do-Not-Call list.
