IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled


Given at a Full Committee Hearing:
CAN-SPAM Act
Thursday, May 20 2004 - 10:15 AM - SR - 253

The Testimony of Mr. Ted Leonsis
Vice Chairman, America Online, Inc., and President, AOL Core Service

Chairman McCain, Senator Hollings, and Members of the Committee, my name is Ted Leonsis, and I am Vice Chairman of America Online, Inc. and President of the AOL Core Service. I appreciate the opportunity to testify before the Committee on the issue of unsolicited commercial e-mail, or “spam.” I testified before this Committee last year on this matter, and I am grateful for the Committee’s continued attention to this important issue.

At this time last year, it appeared that the onslaught of spam was growing exponentially in a manner that threatened the vitality of Internet networks. Surveys at that time indicated that spam was doubling in overall volume every 4-6 months. We asked for your help in passing strong legislation that would help us target spammers and curb their ability to abuse our network and our users.

Mr. Chairman, we are grateful that you and your colleagues responded to this plea. Thanks to Senator Burns, Senator Wyden, and other key Members of this Committee, a new federal law known as the “CAN-SPAM Act” has provided some important enforcement tools in the fight against spam, as well as a heightened awareness of the need for cooperation between industry and government in the fight against spam. Where are we one year later? Have we made any progress in reducing spam and restoring the integrity of the online experience?

Although spam continues to be a huge problem facing Internet users and Internet service providers (ISPs), I believe that there have been significant developments in fighting spam over the past year, in the areas of legislation, enforcement, and technology. Although we still have much more work to do, I believe that we have made substantial progress in combating spam. I would like to describe some of the steps that we, along with our partners in government and industry, have taken in recent months to address the spam problem, and the results that we are seeing from some of these initiatives. AOL has continued to devote significant resources to the battle against spam over the past year. We have a team of anti-spam fighters on call 24x7 to fight spammers’ varied and changing tactics. We have worked continuously to adapt the strong technologies on our network to block and filter spam, and we have launched an awareness campaign to provide our members with important consumer safety tips that can help them reduce spam and improve the security of their online experience.

Since the hearing last year, AOL has introduced new tools in the 9.0 version of our software to help our members, both in the U.S. and internationally, reduce spam to their inbox. AOL’s Mail Controls allow our members to block e-mail from specific mail addresses or entire domains, or to create a “permit list” of addresses from which they will accept mail. Our adaptive spam filters allow members to personalize their spam blocking experience, based on specific words or types of e-mails that they do not wish to receive. And we have included a feature that blocks images and Web links from displaying in e-mails from unknown senders unless a member chooses to see them.

Also included in AOL 9.0 is our “spam folder” feature. Beginning in October of 2003, AOL began transferring e-mail messages with characteristics indicating that the e-mail was likely to be spam to the “spam folder.” This feature separates spam from the user inbox and allows the recipient to view such messages in a separate folder, or not view them at all. Between our spam folder and our anti-spam filters, we are now keeping up to 2.5 billion pieces of unwanted mail per day out of our members’ inboxes.

We are pleased that there has been a downward trend in the amount of spam in AOL members’ inboxes, which we believe is based primarily on our technical countermeasures and new product features. We believe that our members’ experience with spam is improving, based on information gathered through customer satisfaction surveys, as well as the number of complaints we are receiving through our popular “Report Spam” feature. However, even though subscribers to the AOL service may now be experiencing less spam in their inbox, the total volume of spam that senders attempt to deliver to our networks has not decreased. Spammers are continuing to attack the AOL network, and spam is still a major problem for online users and ISPs.

Last year, I testified that it is our belief that a large part of the overall spam problem is caused by “outlaw spammers,” those who engage in fraudulent tactics such as hiding their true identity or the true source of their messages. We believe that outlaw spammers continue to be responsible for the great majority of the spam problem that consumers and ISPs face today.

The “outlaw” spam problem includes: 1) e-mail that is sent using falsified means of technical transmission; 2) e-mail sent using hacked e-mail accounts; and 3) e-mail sent by spammers who intentionally abuse legitimate e-mail service providers by registering for multiple e-mail accounts or Internet domain names using a false identity for the sole purpose of transmitting spam.

We believe that more than 80% of the current spam problem comes from other ISPs and hosting companies that are infested with viruses. These software viruses, or “trojans” as we refer to them, typically make their way onto machines via vulnerabilities in end-user software and the absence of firewalls or anti-virus software. These viruses/trojans infect users’ computers without their knowledge and allow spammers to use the infected machines to initiate or relay spam. We believe that most of the viruses/trojans are developed by the spammers themselves or hackers being paid by spammers.

Last fall, we supported the CAN-SPAM Act because it offered critical tools to ISPs and law enforcement to deter “outlaw” spam by imposing strict penalties on spammers who engage in techniques of fraud and falsification. Now that these tools are being utilized, we are optimistic that this new law will produce some positive results. Developing criminal cases against spammers and preparing civil litigation against them take time. However, we and our ISP colleagues, as well as the Federal Trade Commission and Department of Justice, have announced major actions in the months following enactment of CAN-SPAM. Several recent announcements provide a glimpse of the significant efforts underway in this regard:

In March of this year, AOL, Earthlink, Microsoft, and Yahoo! announced the coordinated filing of the first major industry lawsuits under the CAN-SPAM Act. The country’s four leading e-mail and Internet service providers filed six lawsuits against hundreds of defendants, including some of the nation’s most notorious large-scale spammers.

Similarly, the FTC, DOJ, and U.S. Postal Service made a major announcement at the end of April of its first set of enforcement actions using the CAN-SPAM Act against two spam operations that the FTC had found to have clogged the Internet with millions of deceptive messages in violation of CAN-SPAM and other federal laws. AOL was pleased to cooperate in these investigations, and we look forward to continued cooperation with both the FTC and DOJ on other spam enforcement cases.

AOL is pursuing other civil actions aggressively, and is also expanding its cooperation with state law enforcement to assist them in prosecuting spammers. In December of 2003, AOL collaborated with Virginia Attorney General Jerry Kilgore and others to announce the first-ever indictments under Virginia’s tough, new anti-spam statute. Two out-of-state spammers from North Carolina who stand accused of spamming AOL members could face jail time, asset forfeiture, and monetary penalties in these cases.

Thanks to the attention and efforts of lawmakers on this issue last year, new legislation like the CAN-SPAM Act has spurred increased enforcement initiatives by ISPs and government. We are also seeing the level of enforcement on the rise in Europe, with the FTC cooperating with European agencies to bring legal action against spammers.

We are continuing to work with state lawmakers to support legislation to reduce “outlaw” spam. We are delighted that Maryland has passed a criminal spam law modeled on the criminal provisions of CAN-SPAM and that other states, including New Jersey and Ohio, are likely to follow suit later this year. These legislative initiatives show increasing recognition that the spam problem can best be addressed by providing specific enforcement tools that can be used to pursue outlaw spammers who engage in fraud and deception.

Ultimately, in order to radically reduce spam, we must know who the senders are. Spammers could not do what they do without hiding behind false names, trojan horses, and the like. That’s why, in addition to enforcement and legislation, we are excited about the development of promising new technological advancements focused on authentication of senders. These technologies would allow ISPs to identify e-mail in order to prevent spam from entering our networks. A variety of different technologies and approaches are now being tested, all with the same goal of eliminating spam. AOL is participating in a number of working groups to discuss the development and application of new industry standard technologies for email identity.

Specific technologies that appear promising are SPF (Sender Permitted From), CallerID, and DomainKeys, as well as variations or combinations of these approaches. These technologies aim to reduce the domain name spoofing that is central to many forms of spam by confirming that an email is actually coming from the domain it claims to be from. The Internet Engineering Task Force (IETF), which is the standard-setting body for the Internet, is working to set technical standards using a combination of these technologies. AOL is currently testing the SPF technology, and we believe it can be implemented quickly due to its readily available software and already widespread adoption. Our assessment is that all three technologies can work well together and should be implemented quickly on a broad scale.

AOL has joined with other leading ISPs, including Earthlink, Microsoft, and Yahoo, to study ways in which we can make use of new technologies to reduce spam. In addition to working together to test authentication approaches, this ISP working group is discussing other types of best practices that industry can employ to fight spam. Potentially effective spam fighting methods that deserve further attention include: (1) for all ISPs to confirm that their members who are sending e-mail have accounts and are allowed to send mail; and (2) for abuses indicated by ISP members to be handled as quickly as they arise. We are continuing to work with our ISP colleagues to develop additional solutions to the spam problem, both from a technology and enforcement perspective.

In conclusion, we believe that industry and government have made great strides in fighting the spam problem over the past year, although there is much more work to be done. Professional spammers are always on the cutting edge of technology, which means that staying ahead of them requires extensive time, resources, and cooperation. The CAN-SPAM Act has provided some important tools for pursuing spammers; we believe we will start to see additional progress in the war against spam as these tools start to be employed.

AOL is committed to protecting our members and maintaining our leadership role in the fight against spam. We recognize that the goodwill and trust of our members depend on our continued focus on developing solutions to the spam problem. We continue to believe that the spam battle must be fought on many fronts simultaneously in order to be successful. From technology to education, from legislation to enforcement, industry and government can work together to reduce spam significantly and give consumers control over their e-mail inboxes. We look forward to continuing to work with this Committee and other lawmakers, as well as with our Internet service provider colleagues, to stop spammers in their tracks.

Thank you again for the opportunity to testify; I would be happy to answer any questions you may have on this topic.