ITU Home Page International Telecommunication Union Franšais Espa˝ol 
  Print Version 
ITU Home Page
Home : ITU News magazine
  
PROMOTING CYBERSECURITY — ISPs IN THE FIGHT AGAINST SPAM

 


ITU

ISPs in the fight against spam

Ideally, the job of an internet service provider (ISP) is simply to pass along packets of data, with users of a network deciding what to send and what to receive. However, things have changed dramatically as the internet has developed into a complex network of networks, and nowadays there are calls for ISPs to become more active in monitoring the content of the data they transmit. In effect, they are in the position of gatekeepers to the internet.

The curse of spam

E-mail and related forms of messaging on computers and mobile phones, such as "blogs" (short for "web logs") and the short message service (SMS), have become important and popular means of communication around the world. These services are cheap, they have global reach, and they are playing a key role in the development of e-commerce. However, the modern world of cyberspace is increasingly becoming cluttered by unwanted, and sometimes malicious, junk mail that is stuffed into our electronic mail boxes — spam.

Spam has become the main delivery mechanism for all e-mail security threats: phishing, endless permutations of scams, advance fee fraud, and viruses. Spammers have developed skills that make e-mails appear to be from your bank, for example, and provide believable reasons for parting with private information. Major reports on this topic suggest that more than half of the e-mails sent today are spam, and the costs of cleaning it away are making e-mail services almost useless for some businesses and consumers.

 

In many jurisdictions, ISPs still enjoy broad immunity from claims based on what others do through their networks. For example, up to now they have rarely faced claims relating to libel or copyright violations. Increasingly, however, ISPs are being asked to play a role in protecting and policing the internet.

ISPs have a strong incentive to fight spam. They bear a large amount of the costs of spam and get nothing in return — unless they are charging a premium to spammers in exchange for sending out junk mail on their behalf. Many ISPs have taken an active role in attacking spam at its source, before it clogs their customers’ inboxes. Also, many ISPs participate in relevant industry-wide bodies such as the Messaging Anti-Abuse Working Group, or cooperate with standards-setting organizations on developing technical solutions.

ISPs’ initiatives are often geared towards improving the security of their networks, and thus reducing the chances of spam reaching individual clients. Success in this effort can be a strong selling point for ISPs. For example, Google’s free web-based e-mail service, Gmail, removes hyperlinks from messages that it believes to be phishing attempts. In the United States, the ISP Earthlink requires all e-mail messages to be routed through its mail servers, in order to reduce the impact of "zombie" networks. Earthlink also makes users’ e-mail programs submit passwords to transmit messages.

While these methods can reduce the burden of spam, consumers too must take steps to protect themselves, or become unwitting purveyors of spam themselves. This can happen when a person downloads from the internet programs containing "malware" that hijacks their computer to relay spam to other unsuspecting consumers.

 

Some definitions

Spam: unsolicited or undesired bulk electronic messages.
Spim:
a type of spam where the target is instant messaging services.
Phishing:
attempts to fraudulently acquire such information as passwords and credit card details by masquerading as the sender of an apparently legitimate e-mail. Also known as "spoofing."
Malware:
Software designed to infiltrate or damage a computer system, including computer viruses, Trojan horses, spyware and adware.
Zombie:
A zombie is a computer that has been infected by a virus program that allows it to be taken over for remote use, without the owner’s knowledge. The machine can then be used to send spam, for example. It has been estimated that this is the way most e-mail spam is now transmitted.

What can be done?

While spammers are increasingly sophisticated in evading tracking, a concerted effort among cooperating ISPs (and possibly law enforcement officials and end users) can find the worst offenders. The routing of spam can be traced and mapped at a network level.


EyeWire

 

Some of the most effective recent efforts have been lawsuits undertaken by ISPs under a private right of action in spam legislation. In the United States, for example, the CAN-SPAM Act of 2003 enables ISPs to sue spammers directly. America Online (AOL), Microsoft and Earthlink — all large-scale providers of electronic messaging services — have each brought actions under this statute, as well as under state-level laws. This has resulted in multi-million-dollar judgements and settlements against "spam king-pins" who abuse their networks. Microsoft won a USD 7 million judgement that may well have put an end to one spamming operation that allegedly distributed more than 38 billion unsolicited messages per year.

These lawsuits — although few and far between, and limited to certain jurisdictions — represent a ray of hope that enforcement by ISPs, with help from customers, might be able to stem the flow of spam. The challenge for lawmakers is how to create a fair, effective regulatory regime that takes advantage of ISPs’ ability to help end spam, without placing an undue burden on law-abiding companies.

Codes of conduct

National laws can mandate the development of codes of conduct for ISPs, outlining acceptable behaviour for those companies and their customers. Preferably, the codes would include suggestions on how best to use spam filters and other tools (see article Australia’s response to spam). Adherence to a code could be a licence condition, or it could be achieved through regulations that are developed with industry participation. The regulatory agency, however, would approve and, in many cases, enforce the code.

Are market forces the answer?

In February 2006, AOL announced a new plan for fighting spam, working with Goodmail Systems of the United States. It is to introduce a charge of up to one US cent per message for sending legitimate e-mails via a special "certified" service that bypasses junk mail filters on recipients’ computers. This will guarantee that the messages arrive with a stamp of authentication from AOL, and without having had images and weblinks removed as potential hazards. Another major ISP, Yahoo, has also said that it will provide a similar service.

Guaranteed e-mails — at a price — could make sense for companies (such as banks) that want to send messages to many customers, and which are specially vulnerable to phishing attacks. However, the step towards a two-tier system for e-mail has been criticized by non-profit groups, among others, as potentially having a serious effect on publicity and fundraising efforts. AOL has answered this by promising to keep its system of special treatment for bulk users of free e-mail services (such as charities) that are known to be legitimate.

Other commentators have said that market forces should be allowed to play their part in improving the security of the internet: if people are willing to pay for "stamped" e-mail, they should be allowed to do so. At present, spammers flood the system because all messages are free; the hope is that by charging fees, spam might be reduced.

 

 

An enforceable code of conduct is not without drawbacks. The code must be tailored to curb spam and should not be used as a back-door measure to overburden ISPs, such as by:

  • imposing anti-spam obligations where no technical solution yet exists;
  • using anti-spam measures as a means to limit legitimate free speech;
  • infringing citizens’ rights to privacy.


PhotoDisc

 

An industry-led approach

It is essential that the industry helps to develop codes of conduct, and takes part in the frequent updating that will be required to reflect new developments in spamming practices and anti-spam technologies.

One possibility is for national administrations to establish an industry-led regulatory approach for ISPs that provides a mechanism for taking action against the worst spammers. This need not mean a wholesale shift in the role of ISPs; rather, the goal is to reduce spam in a way that protects responsible ISPs. Those that implement responsible, effective anti-spam measures, while preserving the civil liberties of their users, should be rewarded. One means of doing so is for regulators to hold irresponsible ISPs accountable for the damage caused by spam.

The voluntary model

As an alternative to a code mandated by national laws and enforced by regulators, governments might encourage ISPs to develop their own, industry-enforced codes of conduct. In fact, many ISPs are already taking this step for themselves. For example, terms of use are often included in policies for customers and peering arrangements. Under this voluntary model, regulators could advise the industry in developing the codes, and then help consumers find the ISPs that have agreed to them. People could then choose ISPs that are actively fighting to reduce spam.

Cooperation is the key

Regardless of whether ISPs are compelled to establish codes of conduct, or do so voluntarily, regulators have an important role to play in educating and raising awareness. Individuals and businesses need up-to-date information on technical solutions, as well as warnings about viruses and fraudulent activities that have been detected. There is much to be gained from cooperation between government and the ISP industry in protecting consumers from spam.

Main source: ITU Report, Trends in Telecommunication Reform 2006: Regulating in the Broadband World, Chapter 7 "Stemming the International Tide of Spam," by John G. Palfrey, Jr., Executive Director, Berkman Center for Internet and Society and Clinical Professor of Law, Harvard Law School.

 

 

Top - Feedback - Contact Us - Copyright ę ITU 2020 All Rights Reserved
Contact for this page : Corporate Communication Unit
Generated : 2020-07-15