The Problem"Spamming is the scourge of electronic-mail and newsgroups on the Internet. It can seriously interfere with the operation of public services, to say nothing of the effect it may have on any individual's e-mail mail system. ... Spammers are, in effect, taking resources away from users and service suppliers without compensation and without authorisation."
Table of Contents
IntroductionUnsolicited Bulk Email (UBE), commonly known as email spam, is a unique form of advertising which has no incremental cost to the sender, imposes real and measurable costs on the recipients, and has the potential to destroy the value of electronic mail. Advertising that has no incremental cost to the sender - how attractive would an average business find that idea? This is the one feature of UBE which leads to all the consequences which make UBE uniquely destructive to the medium is uses - electronic mail. It must be stressed that while there are numerous problems associated with UBE, any one of them has the potential to impact the value of electronic mail to the point of destruction. What the problems areAll problems of UBE stem from the fact that the UBE advertiser, or spammer, can transmit one million message for no more cost than transmitting one. The result is that there is no natural limit on the amount of UBE that will be transmitted, that UBE can significantly increase the processing and storage requirements of Internet Service Providers (ISPs) and businesses, that UBE has the potential in costing people unlimited amounts of time to deal with, and that UBE has the potential to drown out legitimate communications, thus making electronic mail useless for its original purpose. Statistics collected by CAUBE.AU show that the volume of spam is increating at an alarming rate, and some people report that they are abandoning their email accounts because of it [1], [2]. A Korean survey in January 2002 found that spam made up over half of an average email user's email content. This document discusses only the most objective of the problems. There are further problems caused by UBE, some of which are discussed in the references. UBE is not like other forms of advertisingWhen dealing with the issue of UBE, you will often hear spammers claim that UBE is "just like paper junk mail, and that's not regulated, so we shouldn't regulate UBE." In fact, UBE is significantly different from paper junk mail. The most significant difference with UBE is that it costs almost nothing to send large amounts of junk mail. Internet access is available in Australia from as little as $19.95 per month. A spammer can send UBE to millions of recipients without any ongoing costs other than ISP access - and all they usually need to make a profit is one response. One spammer has indicated that they get a response rate of around 1 in 1000. All other forms of advertising have a cost to the sender that increases with volume. It costs much more to send advertising by paper direct mail to one million recipients than it costs to send it to one thousand recipients. These increasing costs force advertisers to consider their return on investment, and result in a natural limit on the volume of direct mail solicitations. When spammers try to tell you that UBE is not different and does not need its own regulation, remember the lack of incremental cost that exists for UBE and the consequence that there is a potentially infinite demand by advertisers for UBE. This is an inescapable fact that the spammers cannot hide from - in fact their responses when you ask them about it are almost invariably to either pretend the question was never asked or to pretend that a different question was asked and answer that different question. No cost to the sender means unlimited UBEAt first glance that statement sounds excessive. In fact it is perfectly simple to see why this statement is true. Start with the assumption that UBE is a perfectly acceptable way of advertising - that's what spammers want us to believe, so there can be no fairer way for us to begin analysing the situation. If UBE is acceptable, every advertiser should be allowed to use it. To get an idea of how many potential advertisers in your city there are, take a look at your Yellow Pages (both A-K and L-Z volumes for residents in the largest cities). Every entry in that publication represents something that an individual vendor might like to advertise to as many people as they can. If UBE is an acceptable advertising method, and it costs nothing, can you guess how many of those advertisers will use it? Once you have checked the Yellow Pages, pick up your Saturday morning broadsheet newspaper. In Sydney that's the Sydney Morning Herald, whose Saturday edition weighs more than the Yellow Pages - that's both volumes of the Yellow Pages put together. Remember that the advertisers in these newspapers have paid money for as little as fifteen words, in a newspaper that is distributed to a few hundred thousand people at the most - but with UBE they can get the same advertisement to millions of people for effectively no cost. Now that you have picked up the newspaper, count all the advertisements - even the classified ones. You should be able to do this in roughly the same time it would take to delete the same number of advertisements from your electronic mailbox while still keeping the mail that you really want. OK, just take a rough guess. You now have a fairly basic idea of how many potential UBE advertisements might be sent by people in your city in a typical week, assuming that UBE is an acceptable method of advertising. There is no way for a spammer to know what city you are in, and no reliable way for them to know what country you are in. Even if it were possible and reliable to eliminate out of area customers, this is the era of e-commerce, and a customer can be anybody, anywhere in the world. So add estimates for all the other cities of the world to figure out how much UBE advertising you would get every week. By now you should be able to see that, for all practical purposes, the amount of advertising you would get is unlimited. UBE costs the recipient moneyYou might not realise it, but when you receive UBE it costs you money. This makes a certain amount of sense - if the spammer isn't paying for their advertising to be transmitted, somebody else must be paying for it. There are at least two ways the UBE costs you money. Firstly, most ISPs in Australia charge by either the amount of time you connect or by the amount of data you download. UBE increases the time you have to spend downloading mail, as well as the amount of data you download. This makes a difference to your ISP bill at the end of the month. Even if your ISP does not charge by time connected or data downloaded, they have to have sufficient equipment and personnel to handle all traffic. It is not possible for the ISP to distinguish between UBE traffic and legitimate person to person messages. This means they have to accept and process all messages, including the UBE. America Online has publicly stated that about half of all the electronic mail they process is UBE. That is, half of their costs for handling electronic mail is UBE. Other large ISPs have reported that as much as 10% of their operating costs are related to processing UBE. The ISPs pass these costs on to their customers as higher prices. There is another way of viewing this 10% cost. In the 1998 election the Liberal government proposed a 10% GST, but promised other benefits in return for that - mostly in the form of tax cuts. Even so, there was a lot of opposition to the GST. Spammers are right now imposing a GST on people who use electronic mail - and those who do use electronic mail have no say in the matter. Right now, UBE may represent 10% of the operating costs of a large ISP, but ISPs report that this proportion is rapidly increasing. The GST imposed by spammers is getting larger with time. UBE costs the recipient timeEven if all you do is delete UBE, it costs you time. If you have your email program set up to notify you when more email arrives, it costs you more time and interrupts the flow of whatever else you are doing. Even to an individual, these are real costs and represent lost opportunities to do other things you would like to. This time has effectively been stolen from you. The loss of time represents even more tangible costs when an employee receives UBE. The cost of UBE to a large company due to lost time and productivity can easily reach millions of dollars. UBE destroys the value of emailUBE easily has the potential to exceed the volume of legitimate mail. In fact some people report that this is already the case for them. Once the volume of UBE significantly exceeds the volume of legitimate email, it becomes difficult or impossible to find the legitimate email amongst all the junk. Once this point has been reached, the value of email has been destroyed. UBE denies you the choice of how your electronic mailbox can be usedWith UBE, the recipient is the one who owns the mailbox, and ought to be the one who gets to decide what that mailbox is used for. Spammers are effectively making a unilateral decision that the mailbox that somebody else pays for is to be used for the spammers' advertising material. What's more, there is no effective way of avoiding spam, and consequently the person who pays for the mailbox has no say in the matter. Even highly trained computing professionals who thought they had kept their mailbox address well hidden have been caught in the spammers' nets. This leaves little hope of escape for people who are taking tentative first steps into a new and unfamiliar medium. UBE stifles other communicationsMany users now avoid making their email address public in order to avoid the spammers from discovering their email address. There are several steps people will take to do this. With USENET, people will either post with a fake address, making personal replies difficult, or will avoid posting to USENET at all, thus depriving the fora of their input. People now avoid putting their email address on their web pages, because web crawling robots search for email addresses on behalf of the spammers. Solutions that don't workA number of alternatives to legislation have been suggested, however all of them have fundamental flaws that make them useless as a tool for combating the problems of UBE, and all have already proven to be spectacularly ineffective in practice. Why "just hit delete" doesn't workSome people say that when you get UBE you should "just hit delete." There are a number of problems with this idea. Firstly, how many times should we have to "just hit delete" every day? Five? Ten? Fifty? Five Hundred? Five Thousand? "Just hit delete" ignores the scaling problem of UBE. Secondly, by the time you get to "just hit delete", much of the damage has been done. Your ISP has incurred the cost of facilities to cope with the volume of UBE and passed them on to you. You have had to spend time downloading useless messages, which may be charged by either time or data. If your email program notifies you of new messages, your flow of work has already been interrupted, costing you not only in time but in productivity. Thirdly, "just hit delete" does nothing to discourage more and more vendors to advertise by UBE, and effectively speeds us along the path to making email useless. Why technical solutions have failedTechnical solutions largely concern filtering technology. These solutions are unworkable, and have failed to work. Filters can only be imposed after you have received UBE from each source. Effectively you have to manually respond to every single spammer. Even when filters are applied, spammers regularly change their email addresses in order to bypass those filters. Existing laws may treat this as harassment, however dealing with this problem in that way is difficult. While in the United States, large ISPs have had success prosecuting cases on these grounds, such action is costly, and for smaller ISPs and individuals, each recipient can rarely show sufficient damage from any one spammer to make costly court action worthwhile. The damage from spam to the individual comes from the cumulative effects, not from isolated incidents. There are "qualitative" filters available which attempt to detect UBE from unknown sources, however every single qualitative filter in existence sometimes discards legitimate mail, and frequently lets UBE mail through. In fact these filters are now becoming a serious problem in themselves - aside from accidentally rejecting person to person messages, they often inadvertently reject legitimate opt-in email broadcasts. Even America Online has accidentally rejected opt-in newsletters because their filters mistook them for spam. A study by ZDNet's eTesting Labs found that even the best filter available still let more than a quarter of the spam through. Why enforcement by ISPs has failedInternet Service Providers continue to stop service to spammers. Unfortunately, the ISP only knows they have a spammer connected once the spam has already gone out, and all that the spammer loses is approximately $20 in service fees. This is still amazing value to the spammer for sending millions of copies of an advertisement all over the Internet. Once an ISP has terminated service to a spammer, the spammer has a vast array of "next victims" to select from. The type of spammer that does this is called a "whack-a-mole" spammer, because as soon as one ISP disconnects the spammer they pop up elsewhere, and eventually resurface at the the original ISP using different credit card details or a prepaid account - the whole exercise becomes an electronic version of the arcade game of the same name. Whack-a-mole spamming is the standard mode of operation for low budget spammers, and it makes ISP based enforcement impossible. In Australia, there is one further problem - the Telecommunications Act as currently in force covers ISPs, and it is possible to read the Act in such a way that it prevents ISPs from disconnecting customers based on their own policy decisions. Telstra BigPond Direct, the largest Internet backbone in Australia, have cited this problem when responding to complaints about UBE. While technically speaking ISPs can disconnect customers for any breach of contract, the current state of the Act causes some ISPs significant difficulty in terminating service to spammers, and legal counsel likes to err on the side of caution. Telstra currently has a third problem - because they are still two-thirds government owned they are bound by the Privacy Act. This Act prevents them from providing any form of feedback on action taken against individuals. In theory they could disclose action taken against a company, however if they do this then lack of feedback would reveal that an individual is involved and thus have provided a tiny amount of information regarding the offender. The lack of effective feedback means that it is impossible for any external party to effectively monitor Telstra BigPond Direct's performance or actions in preventing UBE. To say that the Australian ISPs cannot effectively prevent UBE is a massive understatement. The whack-a-mole problem cannot be made to go away without supporting legislation, and the current legislation leads many ISPs to perceive, rightly or wrongly, that there are legislative impediments to them effectively enforcing a "No UBE" policy. Why self-regulation and industry codes cannot workWhile industry codes and self regulation are different things under Australian law, in this case they amount to the same thing - it is unlikely that spammers are "content-providers" under the Telecommunications Act, and this means that even when a suitable code of practice exists, spammers cannot be directed to comply with it. Even if spammers could legally be directed to comply with it, there is no provision for a penalty for non-compliance prior to a direction, so as long as a spammer can evade a direction to comply, they can operate with impunity. Even if a spammer could be and were delivered with a direction to comply, codes of practices themselves rarely have any real enforcement power. There are no real consequences to a spammer who refuses to comply with a code of practice. Self regulation and industry codes rely on one of two things to ensure compliance:
The whole concept of spamming is completely at odds with the notion of responsibility, and the substance of the spammer's ongoing investment is precisely zero, given that they expect to have their $20 ISP service terminated at some point anyway. Spammers have no investment to protect, hence no reason to adhere to any industry code of practice. Why opt-out lists have failedOpt out lists have been tried several times in the past few years. There have even been several calling themselves "global opt-out lists" or "global remove lists." Despite grandiose names, such lists are completely voluntary, and there is no reason for spammers to use them. Few spammers even claim to use such lists, and fewer still actually do use them. Some people have even supplied brand new, never-used-for-anything email addresses to these opt-out lists and soon after that have received UBE from those addresses. One major opt-out list, the IEMMC opt-out list, was put together by some of the largest spamming companies on the Internet at the time. Evidence showed over time that even some of the people involved in forming that list were not using it. Even when a spammer decides to use an opt-out list, they have to decide which one. There are many to choose from, and their administrators are not willing to cede any portion of their perceived power by combining the services. Consequently even a spammer that uses such a list will not clean it of everybody who thinks they have opted out with the "global remove list." Almost all the opt-out lists are operated by spammers. Few if any people are registered with all of these lists - not surprising since some of them have resulted in UBE to virgin addresses.A list that is operated by spammers is fundamentally untrustworthy. It is not in the spammer's interest to remove addresses - it is only in their interest to add them. There is one opt-out list that is operated by somebody who is not a spammer and who key opponents of spam trust - unfortunately, few if any spammers appear to use SAFEeps. Perhaps this is because SAFEeps operates in such a way that the spammers cannot get any new addresses out of it. Opt-out lists have been thoroughly discredited by past events as being ineffective for stopping spam, and sometimes even for resulting in new spam. Why individual opt-out is unworkableThere are so many reasons why this doesn't work that we've had to devote an entire page to it. Individual opt-out requires each spammer to maintain their own list of removal requests and to honour those requests. This means that you would have to reply to every individual spammer and ask them to remove you from their lists. Obviously if UBE were acceptable this would take even more time than "just hit delete". Why "It's not a problem here now" doesn't cut itFirstly, UBE is a problem here and now. Some people already suffer from unmanageable amounts of UBE. Many people have actually stopped using the Internet because of all the UBE. These people found that email had already become unworkable for them. While UBE might not seem like a problem to you right now, it's certainly a major problem for others. UBE is already costing Internet users the equivalent of a GST. It has already taken control of electronic mail boxes away from their rightful owners, it is already stifling other communications, and it is already costing recipients significant amounts of time. UBE is a problem now. Secondly, the only reason the problem of UBE is not hundreds or thousands of times worse than it already is, is that dedicated people are donating significant amounts of time to holding UBE back, and through the efforts of such people it is fairly widely known that UBE is unacceptable. Due to these efforts, ethical vendors do not use UBE. Finally, allowing some to spam with impunity while their more ethical counterparts cannot has the effect of granting privileges to those that behave unethically. Fly-by-night operators who have no reputation to protect, and only need a handful of sales are able to continue spamming, while ethical businesses hold back. It is probably redundant to call this entire concept unaustralian. Why we shouldn't just say "we can't control it, let's ignore the problem"The theory that "we can't control the problem" goes like this:
This is circular reasoning at its finest. It says "Nobody else has done it, so it won't be effective, so it's a waste of time for us to do it, so we shouldn't do it, and still nobody would have done it, so still no legislation will be effective, so...." Some jurisdiction has to be first. And another has to be second. Over time, as jurisdictions are added, legislation becomes more effective and more pressure can be applied on uncooperative countries. In fact, there are many positive effects that legislation can have even without equivalent legislation overseas. Legislation in Australia can:
It is important not to underestimate the value of the last point. While people here are looking at other countries to see what they are doing, we must realise that many other countries, including major world powers, examine what Australia does when considering their own policies. While Australia is rarely the sole reason for another country following the same path, it is frequently an important contributing factor. The solution that can workThe only solution that can effectively stop the Australian contribution to the problems of UBE is simple and direct legislation. While doing this, we need to accept that there is some UBE activity which originates outside our borders which we will not be able to control, however this is no reason for avoiding our responsibility to eliminate our own UBE output. Direct legislation is required which:
Other ReferencesFor other more information, see:
|