Politech mailing list archives

An insider's analysis of the Senate's anti-spam bill


From: Declan McCullagh <declan () well com>
Date: Tue, 28 Oct 2003 09:21:40 -0500


[[Greets, Declan.  Thought you could use a comprehensive, _somewhat_ concise
summary of the Senate's spam bill.  Please only UNATTRIBUTED/ANONYMOUS if
you wish to share with Politech.]]
-----

The Senate passed an amended version of S.877, the Wyden-Burns anti-spam
bill that has been percolating through Senate committee for the past few
years.

Contrary to what you are seeing in most press, this is not the "first"
anti-spam bill to pass the Senate.  Bills have made it out of both the House
and Senate in the past.
(S.1618 in the 105th Senate, and HR 3113 in the 106th House, among others.)
(Just a reminder, the Senate passing a bill is a big deal, but not nearly as
big as if/when the President signs it into law _after_ the House passes it
too.)

But that's not to say this passage is not meaningful; such consensus in the
more "legislatively reserved" Senate likely means that even if the House
doesn't pass the exact same bill, at least some of the language of this bill
could show up in the appropriations bills Congress is rushing to finish
right now.

---
The bill that passed the Senate has three main parts: (1) criminal
prohibitions, (2) spam labeling requirements and civil prohibitions, and (3)
several studies and reports, including requiring "plans" for an FTC
"do-not-spam" list.

SUMMARY
---
(1) CRIMINAL prohibition
The criminal part comprehensively prohibits a list of "bad acts" if they are
done in the act of intentionally sending more than 100 commercial email/day;
things like registering multiple accounts, obscuring or forging headers,
logging on to or using computers without access.

A sexually explicit labeling and content prohibition amendment was added by
Sens. Santorum and Enzi on the floor at passage. It requires that
unsolicited commercial email be labeled in the subject line, (in a manner
the FTC will decide) and no sexually explicit content be visible when the
email is opened.

Violate the criminal provision and you face fines, asset forfeiture and up
to 5 years in federal prison, depending on volume, severity, prior offences,
and prior or concurrent crimes committed.  The bill also provides for
sentence enhancements if the "spamming" was done with "harvested" addresses
or stolen address lists, or by "dictionary attack" auto-generation of email
addresses.

[[ comments - anonymous or pseudonymous accounts and anonymous remailing
aren't prohibited outright, but only if they are used to send commercial
email.  The labeling of sexually explicit content could get messy, if done
in a way other than what the FTC prescribes, (say labeling ADLT if the FTC
required "ADULT") that would seem to be a violation resulting in a fine or
jail.]]

(2) GENERAL LABELING AND OPT OUT REQUIREMENTS
The second part of the bill contains civil prohibitions and labeling
requirements, including sexual content labeling, for commercial email.

Materially misleading or falsified header or subject information in ANY
commercial email is prohibited.  MOST commercial email must have a valid
reply address or reply mechanism. ("Transactional emails" like billing
notifications and "update/patch available" emails from existing business
relationships are exempt)

UNSOLICITED commercial email must have clear notice (somewhere) that it is
an advertisement, and an opt-out mechanism, and a valid physical postal
address of the sender.
Once a sender has received an opt-out, UNSOLICITED commercial email cannot
be sent to someone who has exercised their right to opt-out. (Several of the
more common ways to get around this, such as hiring someone else to send, or
reselling an opted-out address, are also prohibited.)

Similar to the criminal provisions, scripting or auto-generating email
accounts, harvesting email addresses, or autogenerating email addresses is
also prohibited, if those acts are part of sending unsolicited commercial
email that doesn't follow the rules above.

Violations of these requirements can be pursued by the FTC and in some cases
other federal agencies. (i.e. SEC, FCC)  State Attorneys General and ISPs
can also sue, but individual recipients cannot. In most cases, damages are
capped at $1 million.  State laws dealing specifically with unsolicited
email would be mostly pre-empted - NOTABLY California's recently-adopted
"opt-in" anti-spam law.

These civil provisions also target 3rd parties who knowingly "let" their
products be promoted in someone else's illegal spam, (HYPOTHETICAL example -
Pfizer "knowingly" benefiting from spammers promoting Viagra) but only the
FTC can enforce against these 3rd party violators.

[[ comments - The short summary is: the bill sets up an "opt-out" regime
that allows any spammer one free spam.
Consumer enforcement is (except for a few state laws that aren't preempted)
left only in the hands of FTC employees and 50 state Attorneys General.
ISPs can sue, and are given rather strong standards and penalties.  The bill
actually removes individual consumers' access to redress in court under
several state laws. The "3rd party" section, an amendment by Sen. McCain in
committee, aims at companies who hire out spammers or separate themselves
from spammers by shell corporations, but knowingly benefit nonetheless.
Although this part of the bill is extensively tailored, the Viagra
hypothetical indicates it could still potentially be problematic.]]


(3) "DO NOT SPAM" LIST AND "BOUNTY" STUDIES
The bill requires the FTC to develop a plan for a national "Do Not Spam"
email address registry, including documenting potential problems.  The FTC
"may" implement the plan, but doesn't have to, and can't for at least 9
months.
The bill requires the FTC to develop a plan for a "bounty" system of a
portion of any fine collected for people who report spam to the FTC.  The
FTC is similarly not required to implement such a bounty plan, but it "may,"
after 12 months.
The bill also requires the FTC to study and report (but doesn't authorize
action) on a whole slew of issues, including "ADV" labeling, the efficacy of
any enforcement actions, newly emerging bad business practices, etc.

[[ comments - The email address registry plan, required in an amendment by
Senator Schumer, has been reported as a major sticking point for passage.
The bounty plan is similar to the Rep. Lofgren House bill associated with
Prof. Lessig's proposal to allow individual users to collect a bounty on
identifying spammers.  Sen. Corzine introduced a similar Senate bill, and
when this bill came up, attached his language as a "study" amendment.  Draw
your own conclusions about these two amendments and the press they will get
the respective Senators, but in the end, the Senate didn't "require" the FTC
to implement either.  ]]

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

