IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Given at a Full Committee Hearing:
Hearing on Spam (Unsolicited Commercial E-Mail)
Wednesday, May 21 2003 - 9:30 AM - SR-253
The Testimony of
The Honorable Mozelle W. Thompson
Commissioner, Federal Trade Commission

Mr. Chairman, the Federal Trade Commission appreciates this opportunity to provide information to the Committee on the FTC's efforts to address the problems that result from bulk unsolicited commercial email. This statement discusses the Commission's law enforcement efforts against spam, describes our efforts to educate consumers and businesses about the problem of spam, and focuses particularly on the Commission's recent Spam Forum and several studies on the subject that the Commission's staff has undertaken in recent months.

As the federal government's principal consumer protection agency, the FTC's mission is to promote the efficient functioning of the marketplace by acting against unfair or deceptive acts or practices and increasing consumer choice by promoting vigorous competition. To fulfill this mission, the Commission enforces the Federal Trade Commission Act, which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. Commerce on the Internet, including unsolicited commercial email, falls within the scope of this statutory mandate.

Unsolicited commercial email ("UCE" or "spam") is any commercial electronic mail message that is sent - typically in bulk - to consumers without the consumers' prior request or consent. The extreme speed, anonymity and negligible cost of sending spam differentiate it from other forms of unsolicited marketing, such as direct mail or telemarketing. Those marketing techniques, unlike spam, impose costs on marketers that limit their use.

There are two basic problems with spam. First, deception and fraud appear to characterize the vast majority of spam. Indeed, spam appears to be the vehicle of choice for many fraudulent and deceptive marketers. Second, a serious Internet infrastructure problem flows from the sheer volume of spam that is now being sent. Spam, even if not deceptive, may lead to significant disruptions and inefficiencies in Internet services, and may constitute a significant problem for consumers and businesses using the Internet. In addition, spam can spread viruses that wreck havoc for computer users. These problems together pose a threat to consumers' confidence in the Internet as a medium for electronic commerce.

Virtually all of the panelists at the Commission's recent Spam Forum, described in more detail below, opined that the volume of unsolicited email is increasing exponentially and that we are at a "tipping point," requiring some action to avert deep erosion of public confidence in email that could hinder, or even destroy, it as a tool for communication and online commerce. In other words, as some have expressed it, spam is "killing the killer ap." The consensus of all participants in the workshop was that a solution to the spam problem is critically important, but cannot be found overnight. There is no quick or simple "silver bullet." Rather, solutions must be pursued from many directions - technological, legal, and consumer action. The Forum helped to suggest paths to follow toward solutions to the spam problems. These solutions will depend on cooperative efforts between government and the private sector. In fact, the Forum is only the most recent example of the FTC's role as convener, facilitator, and catalyst to encourage that activity. But the Commission also plays another important role - that of law enforcer.

The Commission has pursued a vigorous law enforcement program against deceptive spam, and to date has brought 53 cases in which spam was an integral element of the alleged overall deceptive or unfair practice. Most of those cases focused on the deceptive content of the spam message, alleging that the various defendants violated Section 5 of the FTC Act through misrepresentations in the body of the message. More recently, the Commission has expanded the scope of its allegations to encompass not just the content of the spam but also the manner in which the spam is sent. Thus, FTC v. G. M. Funding, and F.T.C.v. Brain Westby allege (1) that email "spoofing" is an unfair practice, and (2) that failure to honor a "remove me" representation is a deceptive practice. In these cases, the defendants' email removal mechanisms did not work and consumers' emailed attempts to remove themselves from defendants' distribution lists were returned as undeliverable.

Westby is also the first FTC case to allege that a misleading subject line is deceptive because it tricks consumers into opening messages they otherwise would not open. In other cases, the Commission has alleged that the defendants falsely represented that subscribing to defendants' service could stop spam from other sources or that purchasers of a spamming business opportunity could make substantial profits. Thus, through our law enforcement actions the Commission has attacked and will continue to attack deception and unfairness in every aspect of spam.

Experience in these cases shows that the primary law enforcement challenges are to identify and locate the targeted spammer. Of course, finding the wrongdoers is an important aspect of all law enforcement actions, but in spam cases it is a particularly daunting task. Spammers can easily hide their identity, forge the electronic path of their email messages, or send their messages from anywhere in the world to anyone in the world. Tracking down a targeted spammer typically requires an unusually large commitment of staff time and resources, and rarely can it be known in advance whether the target's operation is large enough or injurious enough to consumers to justify the resource commitment.

To complement its law enforcement efforts, the Commission endeavors to educate consumers and businesses on ways they can reduce the amount of unwanted spam they receive, and about particular types of scams commonly disseminated through spam, such as illegal chain letters and "Nigerian" scams. These materials are available on the FTC's spam website, www.ftc.gov/spam.

Another aspect of the Commission's approach to spam is to investigate and research the problems it poses to understand them better. Through this research, the Commission can refine and better focus its law enforcement and consumer and business education efforts.

Studying the Spam Problem The Commission has engaged in several research projects to explore how spam affects consumers and online commerce. These projects include a "Remove Me" surf, a "spam Harvest," and a study of False Claims in Spam.

The "Remove Me" Surf Last year the Commission announced the results of the "Remove Me" surf, in which the FTC and law enforcement partners tested whether spammers where honoring the "remove me"or "unsubscribe" options in spam. From email that participating agencies had forwarded to the FTC's spam database, the Commission's staff selected more than 200 messages that purported to allow recipients to remove their names from a spam list. The agencies set up dummy email accounts to test the pledges. We found that 63 percent of the removal links and addresses in our sample did not function. If a return address does not work to receive return messages, it is unlikely that it could be used to collect valid email addresses for use in future spamming. This finding tends to disprove the common belief that responding to spam guarantees that you will receive more of it.

The "Spam Harvest" In its "Spam Harvest," the Commission's staff conducted an examination of what online activities place consumers at risk for receiving spam. The examination discovered that one hundred percent of the email addresses posted in chat rooms received spam; one received spam only eight minutes after the address was posted. Eighty-six percent of the email addresses posted at newsgroups and Web pages received spam, as did 50 percent of addresses at free personal Web page services, 27 percent from message board postings, and 9 percent of email service directories. The "Spam Harvest" also found that the type of spam received was not related to the sites where the email addresses were posted. For example, email addresses posted to children's newsgroups received a large amount of adult-content and work-at-home spam. As part of this project, the staff developed consumer education material, including a publication, "E-mail Address Harvesting: How Spammers Reap What You Sow," that provides tips, based on the lessons learned from the Spam Harvest, to consumers who want to minimize their risk of receiving spam. The tips advise, among other things, that consumers can minimize the chances of their addresses being harvested by using at least two email addresses--one for use on web sites, newsgroups and other public venues on the web, and another email address solely for personal communication. Another suggested strategy to reduce spam is "masking" (disguising) email addresses posted in public.

The "False Claims in Spam" Study An additional FTC staff study examined false claims in spam. The staff examined 1,000 spam messages selected randomly from three sources: our spam database of consumer-forwarded messages, the spam received at the addresses used in the Spam Harvest, and spam that reached FTC employee computers. The staff analyzed the messages based upon the types of products or services offered, the indicia of deception in the content of the messages, and the indicia of deception in the "from" and "subject" lines of the messages.

The Types of Products or Services Offered - The staff found that 20 percent of the spam contained offers for investment or business opportunities, which include such things as work-at-home offers, franchise opportunities, or offers for securities. Another 18 percent of the spam offered adult-oriented products or services. Of those adult messages, about one-fifth included images of nudity that appeared automatically in the body of the message. Further, 17 percent of the spam messages involved finance, including credit cards, mortgages, refinancing, and insurance. All together, the investment/business opportunity, adult, and finance offers comprised 55 percent of our sample.

Indicia of Falsity in the Content of Spam Messages - The staff also determined how many spam messages appeared misleading. Using expertise gleaned from past law enforcement actions and recent research efforts, the staff identified specific representations likely to be false. The staff found that 40 percent of all the combined categories of spam messages contained indicia of falsity in the body of the message. An astonishing 90 percent of the investment/business opportunity category of spam contained indicia of false claims.

Evidence of Falsity in the "From" and "Subject" Lines - The staff also looked at evidence of deception in the "from" and "subject" lines of the spam. One third of the messages contained indicia of falsity in the "from" line. Messages falling into this category included "from" lines connoting a business or personal relationship, such as using a first name only, or stating "Your Account@XYZ.COM." Another common instance of misleading "from" lines occurs when spammers make the sender's name the same as the recipient's address, so it appears that one has sent the message to oneself.

In addition, the staff found that 22 percent of the spam messages contained indicia of falsity in the subject line, such as using "Re:" to indicate familiarity or a subject line that was unrelated to the content of the message, such as "Hi" or "Order Confirmation." Over one third of adult-content spam contained false information in the subject line. Further, only two percent of the analyzed spam contained the label "ADV:" in the "subject" line, even though such a label is required by the laws of several states.

Conclusions of the False Claims in Spam Study - Adding up the various forms of deception, the staff found that 66 percent of the spam appeared to contain at least one form of deception. This Spam Study confirms the Commission's earlier belief that fraud operators, who are often among the first to exploit any technological innovation, have seized on the Internet's capacity to reach millions of consumers quickly and at a low cost through spam. Not only are fraud operators able to reach millions of individuals with one message, but they also can misuse technology to conceal their identity. The Commission believes the proliferation of fraudulent or deceptive spam on the Internet poses a threat to consumer confidence in online commerce and, therefore, views the problem of deception as a significant issue in the debate over spam.

The FTC Spam Forum Building upon our research, education, and law enforcement efforts, the FTC held a three-day public forum from April 30 to May 2, 2003 on spam email. This was a wide-ranging public examination of spam from all viewpoints. The Commission convened this event for two principal reasons. First, spam is frequently discussed, but facts about how it works, its origins, what incentives drive it, and so on, are not widely known. The Commission anticipated that the Forum would generate an exchange of useful information about spam to help inform the public policy debate. This could help the Commission determine what more it might do to more effectively fulfill our consumer protection mission in this area. Second, the Commission sought to act as a potential catalyst for solutions to the spam problem. Through the Forum, the Commission brought to the table representatives from as many sides of the issue as possible to explore and encourage progress toward possible solutions to the detrimental effects of spam.

The Commission believes that the Forum advanced both goals. As described below, the panelists contributed valuable information from a variety of differing viewpoints to the public record. In addition, the Forum spurred a number of participants into cooperation and action. Most notably, on the eve of the Forum, industry leaders Microsoft, America Online, and Yahoo! announced a collaborative effort to stop spam. Moreover, several potential technological solutions to spam were announced either at or in anticipation of the Forum. The Commission intends to foster this dialogue, and, when possible, to encourage other similar positive steps on the part of industry.

The strong interest in addressing spam is shared by: consumers, Internet Service Providers ("ISPs"), law enforcement authorities, marketing services, bulk email marketers, anti-spammers, and retailers and manufacturers. These interest groups were represented at the Forum by 87 different panelists collectively possessing a tremendous range of expertise, and coming from all over the globe to participate in this discussion. Distinguished representatives from the European Commission, Canada, Australia, Korea, and Japan offered their views on how spam affects their countries and how they are trying to tackle the problem. On the domestic front, panelists included prominent representatives from all sectors affected by spam, such as the president of the consumer group, the SpamCon Foundation, the president of the Direct Marketing Association, vice presidents of America Online and Microsoft, and the Washington State Attorney General. Distinguished members of Congress - Senators Burns, Wyden, and Schumer, and Representative Lofgren - also addressed Forum attendees.

The Spam Forum was organized into twelve panel discussions that were conducted over the course of three days. In addition to the 87 panelists, approximately 400 people were present each day in the audience at the FTC Conference Center, with many more individuals participating via a video link or by teleconference. Questions for the panelists were accepted from the audience and via a special email address from those attending through video link or teleconferencing.

Day One of the Forum focused on the mechanics of spam. Panelists discussed in detail how spammers find email addresses and how deception in the sending of spam affects consumers and online commerce. Discussions then focused upon security weaknesses that enable or facilitate spam, such as open relays and open proxies. Day Two explored the economic costs of spam. Panelists participated in an in-depth discussion of economic incentives inherent in spam and the costs of spam to marketers, ISPs, and consumers, and its effects on emerging technologies. Specifically, panelists discussed spam blacklists, email marketers, and wireless spam (unsolicited text messages received via cell phone). Day Three focused on potential solutions to spam. Panelists discussed three potential avenues to a solution: legislation, litigation, and technology. Specific topics covered included: state, federal, and international legislation; civil and criminal law enforcement and private litigation against spammers; and various technological approaches.

Panelists at the Forum bought forward an enormous amount of information about spam and how it affects consumers and businesses. Several primary themes emerged from the various discussions. First, the volume of spam is increasing sharply. Many panelists reported that the rate of increase is accelerating. For example, one ISP reported that in 2002 alone it experienced a 150 percent increase in spam traffic. Second, spam imposes real costs. The panelists offered concrete information about the costs of spam to businesses and to ISPs. Specifically, ISPs reported that costs to address spam have increased dramatically over the past two years. ISPs bear the cost of servers and bandwidth necessary to channel the flood of spam, even that part of the flood that is being filtered out before reaching recipients' mail boxes. America Online reported that it recently blocked an astonishing 2.37 billion pieces of spam in a single day. Third, spam is an international problem. According to our international panelists, most of the spam received in their countries is in English and advertises American products or companies. Most panelists agreed that any solution to stopping spam will have to involve an international effort.

Our law enforcement experience has taught that the path from a fraudulent spammer to a consumer's in-box typically crosses at least one international border and frequently several. Thus, fraudulent spam exemplifies the growing problem of cross-border fraud. To enhance our effectiveness in the fight against fraudulent spam and other kinds of fraudulent schemes that cross international borders, the Commission will be asking this Committee, as part of our forthcoming reauthorization testimony, for additional legislative authority in a number of areas, including measures that would: allow the agency to share such information on targeted schemes with our overseas counterparts; provide investigative assistance to them in appropriate cases; improve our ability to obtain information from U.S. criminal agencies and federal financial regulators, who are often investigating the same types of fraudulent conduct that we are; and improve the agency's ability to obtain consumer redress in cross-border cases by clarifying the Commission's authority to take action in such cases, and by expanding the agency's ability to use foreign counsel to pursue assets offshore. Legislation expanding the Commission's authority in these ways is essential to improve the agency's ability to fight fraudulent spam in particular, as well as other manifestations of the more general problem of cross-border fraud.

Approaches to Solving the Spam Problem The broad themes that emerged from the Forum panel discussions depict the spam problem as increasing volume, increasing costs, and increasing international effects. This confirms that finding solutions to the problems posed by spam will not be quick or easy; moreover, the consensus of panelists was that no single approach will likely cure the problem. Some panelists at the Forum stated that a large scale technological change in the email protocol system is not likely to occur. Nevertheless, others indicated that there are incremental technical changes that can be grafted onto the existing email protocol to ease the burden of unwanted email on ISPs and consumers. In addition, consumer representatives stressed that any solution should include consumer empowerment - to allow email recipients to decide what messages they want to receive in their inbox, and to give recipients the technical tools to effectuate those decisions. Some panelists, but by no means all, advocated additional federal legislation and law enforcement efforts as a means to provide needed accountability and deterrence.

All Spam Forum participants agreed that solving the problem of bulk unsolicited commercial email will likely necessitate an integrated effort involving a variety of technological, legal, and consumer action, rather than one single solution. Through the Forum and the follow-up efforts it suggested, the Commission hopes to act as a catalyst for technologists, industry, law enforcement, and policy officials to work together to find a solution.

Conclusion Email provides enormous benefits to consumers and businesses as a communication tool. The increasing volume of spam to ISPs, to businesses, and to consumers, coupled with the use of spam as a means to perpetrate fraud and deception put these benefits at serious risk. The Commission looks forward to continuing its research, education, and law enforcement efforts to protect consumers and businesses from the current onslaught of unwanted messages.

The Commission appreciates this opportunity to describe its efforts to address the problem of spam, and the outcome of its recent Spam Forum.