IWS - The Information Warfare Site

Given at a Full Committee Hearing:
Hearing on Spam (Unsolicited Commercial E-Mail)
Wednesday, May 21 2003 - 9:30 AM - SR-253
The Testimony of
Mr. J. Trevor Hughes
Executive Director, Network Advertising Initiative

Executive Summary

The NAI is a cooperative group of companies dedicated to resolving public policy concerns related to privacy and emerging technologies. In the past, the NAI has successfully launched self-regulatory solutions to online ad targeting, and the use of web beacons. The NAI has now turned its focus to the growing problem of spam and the related concern of deliverability of wanted emails. As part of this effort, a coalition has been formed within the NAI to represent the interests of email service providers (ESPs). The Email Service Provider Coalition ("ESP Coalition") is made up of 35 leading companies - all of which are struggling with the onslaught of spam, as well as the emerging problems related to the deliverability of legitimate and wanted email.

Email service providers enable their customers to deliver volume quantities of email messages. These messages originate from the full spectrum of the US economy - large and small businesses, educational institutions, non-profits, governmental agencies, publications, and affinity groups all use the services of ESPs to communicate with their customers, members, and constituents. While ESPs serve the marketing needs of the business community, it is by no means the only customer group served. Email service providers also deliver transactional messages (such as account statements, airline confirmations, and purchase confirmations); email publications; affinity messages; and relational messages. Within the ESP Coalition, we estimate that our members provide volume email services to over 250,000 customers.

The ESP Coalition sees spam as a threat to the long-term viability of the ESP industry. Indeed, spam presents a dire threat to all uses of email - marketing, transactional, affinity and relational -- as the continued growth of spam will lead to the widespread abandonment of email as a communications tool. Put simply, the spam problem will critically damage the ESP industry if it is not curtailed. Consumers and businesses will not use email if the system becomes so choked with misleading and deceptive messages that those messages that are actually wanted are lost in the fray.

The ESP Coalition strongly supports legislation to respond to the growing menace of spam. We believe that strong preemptive federal legislation will be a critical component (but not the only component) in the successful resolution of the spam problem.

In the United States today, we have 28 states that have enacted some form of spam legislation. Many more are considering spam legislation in their current legislative sessions. Unfortunately, the standards and definitions applied by these statutes (and proposed in pending bills) are not consistent. As a result, we have a crazy quilt of differing standards and definitions that has created an unnecessarily complex compliance system. To make matters worse, enforcement within the global medium of email is exceedingly difficult when limited by state boundaries. We need preemptive federal legislation to harmonize these standards and provide powerful tools to enforcement officials.

Federal legislation must carefully balance the legitimate use of email against the need to respond to spam. Email represents one of the most powerful drivers of efficiency and productivity in today's economy. Our response to spam must take into account and protect the widespread utility of email. Overly restrictive or poorly crafted solutions may end up "throwing the baby out with the bathwater" and damaging the very tool we hope to protect.

The NAI is very supportive of the current spam bill proposed in the Senate (the CAN-SPAM Act). While we continue to work on some minor technical details within the bill - such as the length of time available for processing unsubscribe requests and definitional issues - we are encouraged by the fundamental structure and approach taken by Senators Burns and Wyden. We feel that this bill endeavors to balance the continued use of email as a legitimate communications tool with strong standards and enforcement tools to prevent spam.

TESTIMONY

Mr. Chairman and Members of the Committee, I want to thank you for inviting me to testify. My name is Trevor Hughes, and I am the Executive Director of the Network Advertising Initiative (NAI). The NAI is a cooperative group of companies dedicated to resolving public policy concerns related to privacy and emerging technologies. In the past, the NAI has created self-regulatory programs for online ad targeting, and the use of web beacons. The group has now turned its focus to the growing problem of spam and the related concern of deliverability of wanted emails. As part of this effort, a coalition has been formed within the NAI to represent the interests of email service providers (ESPs). The Email Service Provider Coalition ("ESP Coalition") is made up of 35 leading companies - all of which are struggling with the onslaught of spam, as well as the emerging problem related to the deliverability of legitimate and wanted email.

Let me begin my testimony by explaining the unique role that email service providers play in the search for solutions to the spam problem.

Email service providers enable their customers to deliver volume quantities of email messages. These messages originate from the full spectrum of the US economy - large and small businesses, educational institutions, non-profits, governmental agencies, publications, and affinity groups all use the services of ESPs to communicate with their customers, members, and constituents. While ESPs serve the marketing needs of the business community, it is by no means the only customer group served. Email service providers also deliver transactional messages (such as account statements, airline confirmations, and purchase confirmations); email publications; affinity messages; and relational messages.

The ESP industry is robust and growing. Within the ESP Coalition, we estimate that our 35 members provide volume email services to over 250,000 customers. These customers represent the full breadth of the U.S. marketplace - from the largest multi-national corporations to the smallest local businesses; from local schools to national non-profit groups and political campaigns; from major publications with millions of subscribers to small affinity-based newsletters. Even my local soccer association uses an email service provider to deliver schedules and standings to the players in the league.

Jupiter Research estimates that the email marketing industry (which, again, is only a portion of the total spectrum of ESP customers) will grow in size to 2.1 billion dollars in 2003 (up from 1.4 billion dollars in 2002). By 2007, Jupiter estimates that the size of the email marketing industry will reach 8.2 billion dollars. All of these numbers are for the US market alone. Expanding the scope of this research to include all customers served by ESPs and foreign markets would increase these numbers significantly.

But the size and importance of email in the marketplace should not be measured by dollars alone. Email is indeed the "killer app". Over the past ten years, email has been a strong driver of productivity and efficiency in the marketplace. It has also been an important social tool. Email has shortened distances in the world - allowing communication to occur with unprecedented speed and detail. Email has created affinity within groups that previously were too widely separated geographically to effectively recognize their common interests and positions.

As an example of the importance of email, a recent study by the META Group showed that, given a choice between email or telephones, 74% of business people would give up their phones before email. In other words, 74% of people now find email to be more critical than the telephone in their daily work.

The Threat of Spam and the Solution(s) to Spam

The ESP Coalition sees spam as a threat to the long-term viability of the email service provider industry. Indeed, spam presents a dire threat to all uses of email - marketing, transactional, affinity and relational -- as the continued growth of spam will lead to the widespread abandonment of email as a communications tool. Put simply, the spam problem will critically damage the ESP industry if it is not curtailed. Consumers and businesses will not use email if the system becomes so choked with misleading and deceptive messages that those messages that are actually wanted are lost in the fray.

I will not belabor the statistics on the growth of spam or the costs associated with handling spam. Surely all of the panelists can agree that we are presented with an enormous problem. Without an expedient solution, spam may end up killing the "killer app" of email.

The media and marketplace have been replete with spam solutions for many years. Important vendors, such as Brightmail, have done a tremendous job at stemming the tide of spam. But the problem still exists and continues to grow. Increasingly, we are presented with the question: can anything be done?

The NAI believes that much can be done to solve the problem of spam. At the most fundamental level, we believe that we need to create accountability within the email delivery system. Spammers spend their days concocting new methods to obscure and falsify their identity in order to sneak past existing filters and avoid accountability. In many ways, our existing tools are merely reacting to the spam received today - and not preparing for or combating the spam that will arrive tomorrow. Stated differently, our efforts to cure spam are responding to the symptoms (the actual spam received) and not the cause (the lack of accountability on the part of spammers).

So how do we create accountability within the email system?

We believe that the solution to spam exists in three components: legislative, technological, and social. Let me address the technological and social components quickly and then focus on the part of the solution for which we look to you: federal legislation.

The Technological Component

Part of the problem in treating the spam epidemic is that spammers enjoy the impunity of anonymity. Spammers hide behind open relays, they spoof identity, and they deceive recipients with misleading "from" and "subject" lines. Make no mistake; the business of spamming is one of fraud and deception.

The recent efforts of the FTC in relation to open relays and deception in spam should be commended. It is critical that we have strong deterrents to dissuade spammers from their trade. But the fundamental architecture of the Internet and email protocols still allows for the deception to occur.

The NAI recently proposed an architectural "blueprint" to respond to this problem. I will submit a description of the effort along with this testimony. Essentially, the NAI's blueprint, called "Project Lumos", is designed to force senders of volume email to incorporate authenticated identification into every message sent. The use of authenticated identity, along with a rating of sending practices over time, prevents spammers from hiding behind the technology of email and forces all senders to be accountable for their sending practices. We have engaged with many of the major ISPs and other groups on this effort and are greatly encouraged by the traction our effort has gained since our launch just one month ago.

Other technological solutions also hold promise. The NAI is actively working with other constituencies in the marketplace to bring about such solutions. I hope that we will have much more to share with you before the end of this year.

The Social Component

One part of the spam problem that has not been actively discussed is the need for consumer education around the appropriate use of email addresses.

The Center for Democracy and Technology (www.cdt.org) recently released a study on the consumer actions that result in exposure of email addresses and, subsequently, spam. The results were compelling: the CDT report found that appropriate management of an email address by the holder of that address can drastically reduce the amount of spam received. Further, the study found that there are a few actions that can create enormous amounts of spam. Specifically, the CDT reported that posting an email address on a public website and posting an email address in a public newsgroup or chatroom both resulted in huge amounts of spam. This is due to the use of "spiders" or "bots" - programs that scour the web for email addresses and harvest them into a spammer's database.

Clearly, one component in the total solution to spam is the education of consumers on issues such as those raised by the CDT report. If consumers understand those practices that result in spam, they will be much better able to control the amount of spam in their in-boxes.

The Legislative Component

The ESP Coalition strongly supports federal legislation to respond to the growing menace of spam. We believe that strong preemptive federal legislation will be a critical component (but not the only component) in the successful resolution of the spam problem.

In the United States today, we have 28 states that have enacted some form of spam legislation. Many more are considering spam legislation in their current legislative sessions. Unfortunately, the standards and definitions applied by these statutes (and proposed in pending bills) are not consistent. As a result, we have a crazy quilt of differing standards that has created an unnecessarily complex compliance system. To make matters worse, enforcement within the global medium of email is exceedingly difficult when limited by state boundaries. We need preemptive federal legislation to harmonize these standards and provide powerful tools to enforcement officials.

We believe that the current spam bill before the Senate, the CAN-SPAM Act, sponsored by Senators Burns and Wyden, strikes the appropriate balance with regard to preemption. The CAN-SPAM Act would allow for a national standard to be set for the delivery of unsolicited commercial email. Given the incentives provided within the bill, most legitimate businesses will move to a fully consent-based model for email delivery. This is particularly true where the standard set by the bill will be uniform across the entire country. To combat spammers, the bill provides strong enforcement tools to the FTC, state attorneys general, and ISPs. We strongly support enforcement by all of these groups.

As a coalition made up of legitimate businesses in the email industry, the NAI also strongly supports the inclusion of an affirmative defense for good faith compliance efforts within the CAN-SPAM Act. Such tools help to ensure that litigation is properly targeted towards true spammers, and offer important protections for businesses working diligently to maintain approved best practices.

One issue that has been raised in discussions regarding spam legislation, and may be raised again, is that of a private cause of action. Such a solution, while tempting, would do nothing to stop spam and would definitely create a morass of litigation against legitimate companies. Spammers spend their days looking for ways to technologically obscure their identities. Pursuing spammers requires enormous technological, financial and investigative resources. Individuals do not have such resources, but governments and ISPs do. In fact, if a private cause of action existed, ISPs would be drawn away from their enforcement efforts by a flood of discovery requests generated through consumer litigation.

We have a very real example of what a private cause of action means when included in a spam statute. In the state of Utah, a spam statute was passed last year that allows for a private cause of action and class action suits. A single plaintiffs' firm in Utah has now filed hundreds (and by some accounts, over a thousand) class action lawsuits under this statute. But the firm is not pursuing spammers. Given the cost and complexity of finding actual spammers, this firm has targeted leading companies and brands - using law firm employees as plaintiffs and seeking out "gotcha" moments as the basis of their complaints. Perhaps most telling is the fact that there are no data to suggest that the amount of spam in Utah has been reduced by even one message.

Another issue that has been raised in relation to spam legislation is that of "opt-in" versus "opt-out". Over the past few years, our industry has lost critical time debating this issue, while spam has been allowed to proliferate.

Let me make one thing perfectly clear: the debate over "opt-in" or "opt-out", regardless of what standard is eventually adopted, will not result in the reduction of spam. A spammer's stock and trade is in deception. They do not care about whether they have permission from the recipient of the message. They pay no heed to all of the existing state laws regarding spam. The most restrictive "opt-in" spam statute will do nothing to dissuade spammers from sending their messages.

A recent FTC study conveys this point succinctly. By reviewing a large body of spam received within the agency, the FTC estimated that fully two thirds of spam is fraudulent, misleading or deceptive. This means that the majority of spam is already violating an existing law in the United States.

As currently written, the CAN-SPAM Act will provide important incentives for legitimate businesses to raise their email standards. The NAI firmly believes that email must be sent with the consent of the recipient, or within a pre-existing business relationship. Furthermore, we believe that email should be sent with informed consent - meaning that recipients have clear and conspicuous notice as to the results of providing their email address. This is a meaningful and workable standard.

Again, the NAI is very supportive of the CAN-SPAM Act. We will continue to work with staff on a few technical details of the bill (such as the need for longer processing periods for unsubscribe requests), but look forward to seeing a federal law enacted this year.

The Threat of Filtering and Blacklists

Before I conclude today, I want to raise one growing problem in the fight against spam. While spam clearly represents a serious threat to the continued viability of email, the problems created by some of the current tools used to combat spam are equally threatening. Internet Service Providers (ISPs) are aggressively building filtering technologies to limit the amount of spam entering their systems. Conceptually, this is a positive development. However, the spam filters currently in place are creating a new problem: wanted email is not being received.

According to a report by Assurance Systems, in the 4th quarter of 2002, an average of 15% of permission based email was not received by subscribers to the major ISPs. Some ISPs had non-delivery rates that were startling:

NetZero: 27%
Yahoo: 22%
AOL: 18%
Compuserve: 14%
AT&T: 12%

The same report for the 3rd quarter of 2002 showed an average of 12% non-delivery rate for the major ISPs - meaning that the filtering of permission based email increased 25% from the third to fourth quarters of 2002. Some of the email campaigns within the Assurance Systems report had non-delivery rates as high as 38%.

Non-delivery of wanted messages due to filtering (called "false positives" within the industry) represents an enormous threat to the ongoing viability of email as an effective communications tool. The market will stop using email for important communications if email delivery is unreliable. It is critical that false positives be eliminated if email is to survive as an efficient and productive means for communication.

One of the main drivers in the false positive problem is the emergence and use of blacklists. These are lists of alleged spammers that ISPs - and any network administrator -- can use to filter incoming email. The blacklist operators build registries of IP addresses that they believe are associated with spam and make the lists available publicly. Currently, there are an estimated 300 blacklists in operation.

Again, the concept of a blacklist may seem to make sense at first glance. Unfortunately, the reality of blacklists in today's marketplace is far different.

Many blacklists operate without standards and operate behind a veil of anonymity. For example, one of the leading blacklists, SPEWS (www.spews.org), offers no contact information: no phone numbers, no names, no addresses, and no email address for the organization. The website has purportedly been registered in Irkutsk, Russia. SPEWS has no defined standards for posting to its blacklist - evidence has shown that a single complaint can result in the blocking of an entire range, or "neighborhood", of IP addresses. Further, for those innocent senders that become listed on SPEWS, the only way to resolve the problem is to post their request for removal to a public spam forum available through Google (http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&group=news.admin.net-abuse.email).

All of these efforts are designed to combat spam. But in their zeal to eliminate the problem, they have created a potentially disastrous "ricochet" effect: false positives. Going forward, our solution to spam must carefully balance the need for strong action against spammers with a determination to preserve the deliverability of legitimate email.

Conclusion

The NAI believes that the problem of spam will be best resolved through three powerful forces: legislation (and enforcement); technology; and consumer education. Our group is actively working with ISPs and solutions providers to craft architectural solutions to spam that will drive accountability into the dark recesses of the Internet. We strongly feel that technology must be used to force spammers to identify themselves and be held accountable for their practices. We also believe that consumers must understand the need for careful management of their email addresses. We could drastically reduce the amount of spam received by average consumers through educational efforts on what not to do with an email address.

But the technological and educational solutions are not enough. We need a strong federal statute to raise the standards for email practices across the entire country. Legitimate businesses will respond to such a statute by raising their practices to meet or exceed the standard set by law. Enforcement officials at both the state and federal level and ISPs will have powerful tools to seek out and bring to justice those individuals responsible for spam. And we can do it while maintaining the balance necessary to preserve the legitimate use of email.

Mr. Chairman, on behalf of the NAI Email Service Provider Coalition, I want to pledge that we will continue to work to fight spam and preserve email with you and members of your staff. Spam is a complex problem and our efforts to craft solutions must be thoughtful, robust and effective.

Thank you and I look forward to any questions you may have.