|
Chairman Stearns, Chairman Upton, and Members of the Subcommittees, on behalf
of America Online, Inc., I would like to thank you for the opportunity to
testify before the Subcommittees on the issue of junk e-mail-or
"spam." My name is Charles Curran, and I am an Assistant General
Counsel in the Legal Department at America Online, Inc., where much of my time
is spent battling spam. I have overseen AOL's extensive litigation efforts
against spam senders, and appreciate this opportunity to share with the
Subcommittees a perspective from the front lines of the anti-spam war.
I would like to describe the nature of the spam problem, its effect on ISPs
and Internet users, and some of the things that AOL is doing to help reduce
spam, and to explain the role that ISP enforcement and litigation play in
fighting the spam problem. But first, I would like to thank the full Committee
for making the spam problem a priority issue this year, and Chairman Tauzin,
Rep. Burr, and others for introducing a strong legislative vehicle that we
believe sets a solid foundation to address this problem. We believe that spam
has grown to present a critical threat to the Internet, and that the spam battle
must be fought on many fronts simultaneously in order to be truly
effective-including policy initiatives, ISP litigation, government enforcement,
spam filtering technologies, member tools and education, and industry
collaboration. While technology holds many of the answers to this problem, we
cannot succeed in the fight against spam without government working with ISPs to
play a strong and important enforcement role. We are anxious to work with you to
find a solution to this crisis for e-mail on the Internet.
1. The Reasons for the Spam Crisis
The principal drivers of the explosive growth in the spam problem are the
ease with which senders can transmit large quantities of e-mail, and the similar
ease with which spammers can conceal their identities as the source of this junk
e-mail.
First, the e-mail medium makes it possible for senders to transmit virtually
unlimited quantities of advertising messages at very low costs. Spammers do not
bear the costs of processing, sorting and delivering all these e-mails: instead,
it is the recipients and their ISPs who must absorb the costs of managing the
huge volume of unwanted mail. Spammers are limited in e-mail transmission volume
only by the low costs of Internet connectivity. And because e-mail is a nearly
costless medium for senders, spammers have every incentive to send out as many
e-mails as possible, even if virtually no recipients want or respond to the
promotions, and despite heavy costs to ISPs who have to process these huge
quantities of mail. These underlying economics are the principal cause of the
rapidly expanding volume of spam, and the reason that ISPs and businesses
everywhere are experiencing such a tremendous surge in junk e-mail-as spammers
send out even greater numbers of junk mail messages to which fewer and fewer
recipients will ever respond. AOL estimates that spam accounts for a staggering
60-80% of e-mail traffic that hits our e-mail filters from the Internet, and
external studies predict similar alarming trends in Internet e-mail as whole.
The second essential feature of the e-mail medium that contributes to the
spam problem is the fact that the technical protocols used to send e-mails on
the Internet can be manipulated by spammers, both to conceal their identities as
spam senders and to conceal the volume and scope of their e-mailing activities.
The "open" nature of the Internet and its underlying e-mail
transmission protocols lend themselves to abuse by spammers looking to evade
accountability for their activities, and undermine and evade the attempts of
consumers and ISPs to filter out or block their junk mail transmissions. In
AOL's experience, most spam is sent using such evasive, "outlaw"
transmission techniques.
A technical struggle is now taking place on the spam front, one which pits
consumers and ISPs using defensive spam filtering technologies against spammers
who seek to exploit any technical loophole that will allow them to get their
mail through to a recipient's e-mail box. A new and even more pernicious feature
of this technological war is the increasing adoption by spam senders of computer
hackers' tools-such as viruses and "Trojan horses"-to find ever more
untraceable ways to use innocent parties' computers to cover their tracks.
The combination of low sender costs and lack of sender authentication is
irresistible to unscrupulous junk mailers. As a result, Internet e-mail users
now find themselves being bombarded with an ever-increasing volume of spam in
their mailboxes, much of it containing objectionable or misleading content.
Indeed, the Federal Trade Commission's May 2003 spam survey indicated that at
least two-thirds (66%) of junk e-mail contains falsified header or subject line
information, and spam filtering companies like Brightmail estimate that as many
as 90% of spam messages contain falsified header or routing information that
make them untraceable to a specific source. And so the spam problem is not just
a problem in terms of the increasing volume of spam that businesses must process
and deliver, but also a challenge for all consumers whose confidence in Internet
e-mail is being steadily eroded by incessant waves of spam in their email
in-boxes.
2. What AOL Is Doing to Fight Spam
AOL fights the ongoing spam war using a combination of technological and
legal countermeasures, as well as policy initiatives and collaboration with
others in industry. In lawsuits involving well over a hundred defendants, AOL
has used the legal process to penetrate the secret world of spam senders, not
only to help ensure that spammers face accountability for their actions, but
also to better understand and combat the techniques of concealment used by the
spammers. AOL's goal is to improve the experience of our more than 35 million
account holders, and to deter would-be spammers from sending huge quantities of
junk e-mail in the first place.
On the technology front, AOL uses a comprehensive set of filtering
technologies at the network level to limit the tide of spam entering AOL's
e-mail system and our members' mailboxes. In recent months, these anti-spam
filters have blocked as much as 2.4 billion pieces of unwanted e-mail in a
single day, which amounts to stopping almost 70 spam e-mails per account per day
from reaching our members. To counter the flood of spam, AOL dedicates not only
significant computer resources to filtering junk mail, but also a large staff of
technologists, who give AOL the ability to respond on a 24-hour basis to the
ever-changing tactics used by spam senders to attempt to penetrate the AOL
network.
AOL also empowers its members to fight spam through a combination of robust
e-mail controls and a "Report Spam" tool that lets them report and
delete unwanted junk e-mail directly from their mailboxes. Using the
"Report Spam" button, members have reported more than 10 million spam
complaints to AOL in a single day. AOL uses these member complaints not only to
help identify and filter in real-time the spam being sent to the AOL network,
but also to identify large-scale abusers for law enforcement purposes.
Starting later this summer, AOL 9.0, the latest version of AOL's online
service software, will provide AOL members with a completely revamped suite of
spam-fighting tools. These tools include a new "Spam" folder that is
separate from a member's mailbox for incoming e-mail, and to which suspected
spam is automatically routed. Not only will spam filtering be enhanced at the
network level; members also will be provided personalized and adaptive spam
filtering tools that adjust to the individual preferences of each user, as well
as word-specific and URL filters that a member can use to route potentially
objectionable mail to their "Spam" folder. AOL's overall mail controls
and Parental Controls will offer additional features to help protect users of
all ages from objectionable spam and the content it contains, such as blocks on
the display of embedded images. And AOL will continue to provide our members
with other important consumer safety tips and tools that can help them reduce
spam and improve the security of their online experience-particularly in the
broadband environment, where it is critical that consumers know how to protect
themselves in the world of "always-on" high-speed connections that
spammers sometimes attempt to abuse.
On the legal front, AOL has been active in suing spammers since 1997. AOL has
filed 25 lawsuits against more than 100 companies and individuals responsible
for the transmission of spam advertising pornographic Web sites, get-rich-quick
schemes, and other dubious products. These lawsuits have demonstrated the
ever-greater lengths to which spammers go to conceal their activities and
continue their theft of resources from the Internet community. The suits have
resulted in court decisions that not only prohibit further spamming by the
defendants, but also awarded significant financial damages that have bankrupted
many spam senders. AOL's most recent suits, announced earlier this year,
targeted more than a dozen companies and individuals responsible for sending
more than a billion spam messages to our consumers. AOL continues to investigate
other spam senders, sending hundreds of cease-and-desist letters to suspected
spam senders and even the vendors of spamming software, so as to deter others
from entering the spamming business. And we have cooperated with federal and
state enforcement authorities in separate enforcement proceedings, sharing our
technical expertise to help widen the overall scope of deterrence.
We're also building alliances with others in our industry to think creatively
and constructively about how to curb the overall spam problem. We've joined with
Microsoft, Yahoo! and Earthlink to drive a dialogue with other industry
stakeholders necessary to the development of open technical standards and
industry guidelines that will help fight spam. We also welcome the actions that
Earthlink, Microsoft, and other ISPs have taken to fight spam on the legal
front, and look forward to finding new ways that industry can work together to
collect the technical evidence necessary to bring spammers to justice.
Finally, AOL works with federal and state policymakers to support efforts to
reduce spam by enacting laws that specifically target the deceptive,
"outlaw" tactics used by spam senders, and that deter the sending of
spam by establishing appropriate financial and criminal penalties. For example,
we worked with Virginia legislators, the Attorney General, and the Governor to
get a tough new law enacted in Virginia earlier this year that provides
felony-level penalties for spammers who send significant quantities of spam by
fraudulent means. AOL is grateful to the Members of the Subcommittees for their
willingness to consider similar tough remedies in federal legislation.
3. The Critical Role of ISP Enforcement
Currently, the anti-spam litigation campaigns of ISPs like AOL, Earthlink and
Microsoft complement the vigorous efforts of the Federal Trade Commission and
State Attorneys General in this regard. ISPs have a critical role to play in
anti-spam enforcement efforts, not only because we have a wealth of member
complaints and evidence to support effective legal action, but also knowledge
from the front lines of the spam battle of the complex and rapidly changing
technologies used by most spam senders to evade detection.
It is very important that federal anti-spam legislation provide for ISP civil
enforcement of both civil and criminal anti-spam prohibitions. The spam problem
has reached a sufficient magnitude that government enforcement alone cannot stem
the tide, and must be complemented by sustained, industry-wide enforcement by
ISPs. In many cases, ISP assistance not only helps provide an important source
of evidence for criminal and other government enforcement-including uncovering
the identities of "king pin" spammers: it also is critical to
unmasking "state-of-the-art" technological exploits used by spammers
to avoid any kind of accountability.
ISPs like AOL aim to litigate against large-scale spammers, but the spammers
making the greatest profits from their activities naturally expend significant
efforts to conceal not only how they transmit their spam, but also how they
receive revenue from their activity. Consequently, tracking down such spammers
through litigation is often highly complex, resource intensive, and time
consuming. To provide one example, some large-scale pornography spammers against
whom AOL had originally obtained a federal injunction tried to circumvent that
prohibition by transferring ownership of their pornography domains through shell
companies and offshore entities. A sustained, two-year investigative process was
needed to demonstrate the "vast . . . cyber-oriented, multi-state and
multi-national conspiracy" that a federal court concluded warranted a $6.9
million damages award against the defendants.
Similarly, large-scale sponsors of spam often use complex business structures
to attempt to distance themselves from the actual transmission of spam. For
example, AOL engaged in extensive litigation against pornographic Web site
operators who used a so-called "Webmaster" business model. Under this
model, the Webmasters obtained a share of the revenue derived at the pornography
operator's Web sites, based upon traffic driven to these sites by spam. The site
operators claimed, unsuccessfully, that the spam senders were "independent
contractors" for whose actions they were not responsible.
Most spammers also conceal or dissipate the profits of their activity and, as
a consequence, legal judgments against them often are difficult to collect. The
difficulty in holding such spammers accountable financially, combined with the
complexity and expense necessary to even identify their activities, mean that
spam enforcement is far from a source of profits for ISPs.
But despite these obstacles, ISPs still have very strong incentives to bring
enforcement actions. First, such actions help to improve the online experience
of our individual members. Our members help us identify the most objectionable
forms of spam through their spam complaints, and rightly expect us to take
action to stop it. Second, spam forces ISPs to make significant network and
personnel expenditures to process truly gigantic volumes of unwanted mail. ISP
enforcement thus not only serves to improve the member experience, but to create
deterrence to spam senders whose large-scale e-mail transmissions pose the
biggest burden to the Internet as a whole.
In short, ISP civil enforcement serves the interests of Internet users and
the entire Internet community by helping identify the most appropriate targets
for enforcement, illuminating the technologies and subterfuges used by spammers
to evade detection, and complementing and supporting the actions taken by
federal and state law enforcement. Consequently, the ability of ISPs to sue for
spam-related activity is vital, in conjunction with government enforcement, to
controlling the spam problem.
4. The Need for Strong Criminal and Civil Penalties Against
"Outlaw" Spammers
While ISPs have used existing law to attempt to stem the tide of spam,
stronger legislative enforcement tools are needed not only to keep up with the
ever-evolving techniques of transmission evasion used by spammers, but also to
establish the kinds of criminal penalties and civil damages necessary to deter
spammers from engaging in such activities. Additionally, strong penalties
prohibiting such "outlaw" techniques are essential to ensuring that
future technologies promoting "trusted" e-mail can be used to help
improve consumers' e-mail experience.
The "outlaw" techniques that spammers typically have used to
conceal their activities include: (1) the falsification of e-mail transmission
information and misappropriation of innocent third parties' domain names in such
e-mails; (2) the transmission of e-mail from hacked e-mail accounts belonging to
innocent users; and (3) registration for multiple e-mail accounts or domain
names that are then used to establish false identities for transmitting spam.
More recently, spammers have resorted to hijacking vast blocks of Internet
addresses-so-called "zombie netblocks"-from which spammers attempt to
hide the scope of their activities by sending their e-mail in small quantities
from literally thousands of different places. Additionally, there has been a
sharp upsurge in spammers' surreptitious use of innocent parties' Internet
servers-the so-called "open proxies"-by which spammers convert
computer servers to e-mail processing facilities for their spam, once again
concealing both the true source and scope of their e-mail activities. The most
alarming recent development is spammers' increasing use of computer viruses to
turn the computers of consumers with residential broadband connections into an
unwitting "stealth" network for spam transmission.
"Outlaw" spam has increased alarmingly in the past year, and we
believe that this dramatic growth underlies the astonishing increase in overall
spam volume. These spammers are hijacking the computer resources and bandwidth
of private consumers and businesses large and small, threatening to overwhelm
the entire online medium. We are particularly pleased that both H.R. 2214 and
H.R. 2515 contain criminal prohibitions addressing these abuses, as well as ISP
civil remedies that set statutory damage penalties. We look forward to working
with the Subcommittees, this Committee and the Judiciary Committee on several
refinements to make these prohibitions even more effective.
Federal legislation also can serve an additional important purpose by
establishing baseline rules of the road for those advertisers who use the e-mail
medium to reach consumers, but who do not use "outlaw" transmission
tactics. Such rules, combined with industry standards and new spam-fighting
technologies developed by relevant stakeholders, will help ensure that marketers
use e-mail responsibly, and also will enhance the ability of consumers to make
choices, through the use of technology filters, about the kinds of email they
wish to receive.
We are pleased that Members of the Subcommittees and the full Committee have
taken an interest in addressing the spam problem and are working to advance
legislative solutions.
In the meantime, AOL is committed to maintaining a leadership role in the
fight against spam. The goodwill and trust of our members depends on our
continued focus on developing solutions to this problem. Spam continues to be
the number one issue that we hear about from our members, and is AOL's number
one customer satisfaction priority. AOL will continue to pursue strong
enforcement actions and innovate our spam fighting tools-giving our members even
greater control. But ultimately, we believe the spam battle must be fought on
many fronts simultaneously in order to be successful. From technology to
education, from legislation to enforcement, industry and government can work
together to reduce spam significantly and give consumers control over their
e-mail inboxes.
Thank you for the opportunity to testify; I am happy to answer any questions
you may have on this topic.
|
