ISPs in the fight against spam
Ideally, the job of an internet service provider (ISP) is
simply to pass along packets of data, with users of a network deciding what to
send and what to receive. However, things have changed dramatically as the
internet has developed into a complex network of networks, and nowadays there
are calls for ISPs to become more active in monitoring the content of the data
they transmit. In effect, they are in the position of gatekeepers to the
internet.
The curse of spam
E-mail and related forms of messaging on computers
and mobile phones, such as "blogs" (short for "web logs") and the short
message service (SMS), have become important and popular means of
communication around the world. These services are cheap, they have
global reach, and they are playing a key role in the development of
e-commerce. However, the modern world of cyberspace is increasingly
becoming cluttered by unwanted, and sometimes malicious, junk mail that
is stuffed into our electronic mail boxes — spam.
Spam has become the main delivery mechanism for all
e-mail security threats: phishing, endless permutations of scams,
advance fee fraud, and viruses. Spammers have developed skills that make
e-mails appear to be from your bank, for example, and provide believable
reasons for parting with private information. Major reports on this
topic suggest that more than half of the e-mails sent today are spam,
and the costs of cleaning it away are making e-mail services almost
useless for some businesses and consumers.
In many jurisdictions, ISPs still enjoy broad immunity from
claims based on what others do through their networks. For example, up to now
they have rarely faced claims relating to libel or copyright violations.
Increasingly, however, ISPs are being asked to play a role in protecting and
policing the internet.
ISPs have a strong incentive to fight spam. They bear a large
amount of the costs of spam and get nothing in return — unless they are charging
a premium to spammers in exchange for sending out junk mail on their behalf.
Many ISPs have taken an active role in attacking spam at its source, before
it clogs their customers’ inboxes. Also, many ISPs participate in relevant
industry-wide bodies such as the Messaging Anti-Abuse Working Group, or
cooperate with standards-setting organizations on developing technical
solutions.
ISPs’ initiatives are often geared towards improving the
security of their networks, and thus reducing the chances of spam reaching
individual clients. Success in this effort can be a strong selling point for
ISPs. For example, Google’s free web-based e-mail service, Gmail, removes
hyperlinks from messages that it believes to be phishing attempts. In the United
States, the ISP Earthlink requires all e-mail messages to be routed through its
mail servers, in order to reduce the impact of "zombie" networks. Earthlink also
makes users’ e-mail programs submit passwords to transmit messages.
While these methods can reduce the burden of spam, consumers
too must take steps to protect themselves, or become unwitting purveyors of spam
themselves. This can happen when a person downloads from the internet programs
containing "malware" that hijacks their computer to relay spam to other
unsuspecting consumers.
Some definitions
Spam: unsolicited or undesired bulk
electronic messages.
Spim: a type of spam where the target is
instant messaging services.
Phishing: attempts to fraudulently acquire
such information as passwords and credit card details by masquerading as
the sender of an apparently legitimate e-mail. Also known as "spoofing."
Malware: Software designed to infiltrate or
damage a computer system, including computer viruses, Trojan horses,
spyware and adware.
Zombie: A zombie is a computer that has been infected by a
virus program that allows it to be taken over for remote use, without
the owner’s knowledge. The machine can then be used to send spam, for
example. It has been estimated that this is the way most e-mail spam is
now transmitted.
What can be done?
While spammers are increasingly sophisticated in evading
tracking, a concerted effort among cooperating ISPs (and possibly law
enforcement officials and end users) can find the worst offenders. The routing
of spam can be traced and mapped at a network level.
Some of the most effective recent efforts have been lawsuits
undertaken by ISPs under a private right of action in spam legislation. In the
United States, for example, the CAN-SPAM Act of 2003 enables ISPs to sue
spammers directly. America Online (AOL), Microsoft and Earthlink — all
large-scale providers of electronic messaging services — have each brought
actions under this statute, as well as under state-level laws. This has resulted
in multi-million-dollar judgements and settlements against "spam king-pins" who
abuse their networks. Microsoft won a USD 7 million judgement that may well have
put an end to one spamming operation that allegedly distributed more than 38
billion unsolicited messages per year.
These lawsuits — although few and far between, and limited to
certain jurisdictions — represent a ray of hope that enforcement by ISPs, with
help from customers, might be able to stem the flow of spam. The challenge for
lawmakers is how to create a fair, effective regulatory regime that takes
advantage of ISPs’ ability to help end spam, without placing an undue burden on
law-abiding companies.
Codes of conduct
National laws can mandate the development of codes of conduct
for ISPs, outlining acceptable behaviour for those companies and their
customers. Preferably, the codes would include suggestions on how best to use
spam filters and other tools (see article
Australia’s response to spam). Adherence to a code could be a licence condition, or it could be
achieved through regulations that are developed with industry participation. The
regulatory agency, however, would approve and, in many cases, enforce the code.
Are market forces the answer?
In February 2006, AOL announced a new plan for
fighting spam, working with Goodmail Systems of the United States. It is
to introduce a charge of up to one US cent per message for sending
legitimate e-mails via a special "certified" service that bypasses junk
mail filters on recipients’ computers. This will guarantee that the
messages arrive with a stamp of authentication from AOL, and without
having had images and weblinks removed as potential hazards. Another
major ISP, Yahoo, has also said that it will provide a similar service.
Guaranteed e-mails — at a price — could make sense
for companies (such as banks) that want to send messages to many
customers, and which are especially vulnerable to phishing attacks.
However, the step towards a two-tier system for e-mail has been
criticized by non-profit groups, among others, as potentially having a
serious effect on publicity and fundraising efforts. AOL has answered
this by promising to keep its system of special treatment for bulk users
of free e-mail services (such as charities) that are known to be
legitimate.
Other commentators have said that market forces should be allowed to
play their part in improving the security of the internet: if people are
willing to pay for "stamped" e-mail, they should be allowed to do so. At
present, spammers flood the system because all messages are free; the
hope is that by charging fees, spam might be reduced.
An enforceable code of conduct is not without drawbacks. The
code must be tailored to curb spam and should not be used as a back-door measure
to overburden ISPs, such as by:
- imposing anti-spam obligations where no technical
solution yet exists;
- using anti-spam measures as a means to limit
legitimate free speech;
- infringing citizens’ rights to privacy.
An industry-led approach
It is essential that the industry helps to develop codes of
conduct, and takes part in the frequent updating that will be required to
reflect new developments in spamming practices and anti-spam technologies.
One possibility is for national administrations to establish
an industry-led regulatory approach for ISPs that provides a mechanism for
taking action against the worst spammers. This need not mean a wholesale shift
in the role of ISPs; rather, the goal is to reduce spam in a way that protects
responsible ISPs. Those that implement responsible, effective anti-spam
measures, while preserving the civil liberties of their users, should be
rewarded. One means of doing so is for regulators to hold irresponsible ISPs
accountable for the damage caused by spam.
The voluntary model
As an alternative to a code mandated by national laws and
enforced by regulators, governments might encourage ISPs to develop their own,
industry-enforced codes of conduct. In fact, many ISPs are already taking this
step for themselves. For example, terms of use are often included in policies
for customers and peering arrangements. Under this voluntary model, regulators
could advise the industry in developing the codes, and then help consumers find
the ISPs that have agreed to them. People could then choose ISPs that are
actively fighting to reduce spam.
Cooperation is the key
Regardless of whether ISPs are compelled to establish codes
of conduct, or do so voluntarily, regulators have an important role to play in
educating and raising awareness. Individuals and businesses need up-to-date
information on technical solutions, as well as warnings about viruses and
fraudulent activities that have been detected. There is much to be gained from
cooperation between government and the ISP industry in protecting consumers from
spam.
Main source: ITU Report, Trends in
Telecommunication Reform 2006: Regulating in the Broadband World,
Chapter 7 "Stemming the International Tide of Spam," by John G. Palfrey,
Jr., Executive Director, Berkman Center for Internet and Society and
Clinical Professor of Law, Harvard Law School.