The Can-Spam Act – Communications of the ACM

On December 16, 2003 President Bush signed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act of 2003) to counter the massive increase in spam. The Act proposes to regulate interstate commerce by imposing limitations and penalties on the transmission of unsolicited commercial email via the Internet [2]. According to the Act, email marketers must comply with the following rules: label their messages as advertisements; include an Internet-based opt-out feature for the recipient that is active for 30 days; and provide the marketing company’s physical mailing address in the message. Under the new Act, spammers that are caught will face significant financial penalties and possible jail time.

Despite the new Act, unscrupulous spammers have not been dissuaded from being caught and punished and continue to send spam. Without having much knowledge regarding what is wrong with the Act, email users are exposed to the onslaught of spam. This commentary provides rationale for the enforcement of the Act from an economic perspective, explaining why the Act does not function as intended, and proposes four countermeasures—deterrence, prevention, detection, and disciplinary measures—to make it more effective.

The Act is expected to reduce the total volume of spam by threatening major spammers, such as Synergy6, Inc. and OptinRealBig.com, as well as increase the spammers’ cost for creating and delivering spam messages. However, some have criticized the Act because it legalizes certain forms of spam while, simultaneously, including provisions that make it easier for spammers to continue their spam-sending activities. The effective enforcement of the Act, according to anti-spam experts, will determine whether this new Act can survive [1].

The rationale behind the Act can be explained by the expected utility theory from the realm of economics. Expected utility theory posits that a rational, self-interested spammer will choose a course of action that will maximize his or her expected utility when faced with risky choices. The expected utility of sending spam is the expected benefit gained from the action (sales) less the expected cost (financial penalty or jail time). Since the Act increases the cost without increasing the benefit, it is expected that spammers will send less spam. Table 1 lists benefits to email users (or ISPs) and the expected increases in cost to spammers resulting from the enforcement of the Act. For example, users who are not burdened by differentiating between their non-spam email from their spam email will save time. More effective enforcement of the Act will also increase the spammers’ costs to conduct their spam-related activities.

Contrary to expectations, it turned out that spam continues to fill email inboxes in increasing numbers despite the Act taking effect January 1, 2004. One spam-filtering company cited in a New York Times article last February stated that 80% of its customers’ email was spam, up from 60% at the beginning of 2004 [3]. In addition, 90% of the spam did not comply with the Act’s rules. It would seem the spammers have not been intimidated by the new Act.

Although these results were unexpected, we offer three possible explanations. First, spammers can adapt their methods quickly to circumvent the conditions imposed by the Act. For instance, spammers can move to a new geographic location that falls outside the Act’s jurisdiction. Spammers can also find ways to send spam by acquiring legitimate email addresses. Spammers can also prevent their messages from being filtered or tracked by employing a variety of techniques such as randomization, origin concealment (zombie networks), and the use of open proxies. In addition, major ISPs often sell their customer information for millions of dollars to spammers. They will be reluctant to support the Act considering how much revenue they receive from spammers. Finally, spammers do not feel intimidated by the threat of financial penalties and jail time. Historically, lawsuits filed against computer-related criminals usually led to the equivalent of slap-on-the-wrist punishment. Most spammers know that investigating their activities often takes several years. They do not cease their malicious actions even while being investigated.

The Act, despite its shortcomings, promises to be a cornerstone in the fight against unsolicited spam. Several actions are undertaken after launching the Act. For example, a coalition of the leading ISPs including AOL, Yahoo, Earthlink, and Microsoft filed hundreds of lawsuits against spammers. The FTC issued a rule of sexually explicit labeling (April 2004), an order protecting consumers from receiving spam on their wireless devices (August 2004), and a Federal Register notice determining commercial versus transactional email messages (December 2004). Companies including Microsoft have developed advanced anti-spam technologies such as Smart Screen, SenderID, and Computational proof to engage in the battle against spam. Other alternative actions to make the Act effective are described in Table 2.

The launching of CAN-SPAM Act is an important first step but its destiny is uncertain. Whether the Act will be a silver bullet in effectively curtailing spam is dependent upon the Act’s strong support and enforcement by anti-spam software companies, the FTC, ISPs, and email users.