Can-Spam Act of 2003
CAN-SPAM ACT OF 2003
Mr. LEAHY. Mr. President, when the Senator from Arizona asked to make his unanimous consent request, I was in the process of answering the question of the Senator from Florida, who has spoken to me many times about his interest in these areas.
I appreciate what he has done to strengthen this legislation.
We keep the authority to set sentences where it belongs, with the Sentencing Commission, while remaining deferential, to the discretion of prosecutors.
The provisions from the Senator from Florida make it unmistakably clear that Congress expects this legislation to be used not just to punish spammers but also to dismantle criminal operations that are carried out with spam and other unsolicited bulk e-mail.
I also would note that the Senator from Florida has spoken about spam evolving from being just a nuisance. He is absolutely right. Serious crimes are being committed using this medium, which reaches a large number of people. Senior citizens are more and more often targeted to being bilked out of millions of dollars, and with very little effort on the part of the spammers.
Mr. President, I will engage in a colloquy with Senator Nelson because I think it is important for the purposes of the RECORD. With all the work the Senator from Florida has done, I want the RECORD to be very clear.
Mr. NELSON of Florida. Mr. President, would the Senator from Vermont be willing to engage me in a colloquy?
Mr. LEAHY. I would be pleased to engage in a colloquy with the Senator from Florida.
Mr. NELSON of Florida. Mr. President, I have been stunned, as have so many of my colleagues, by how pervasive spam has become in email traffic. We have all experienced the way clogged in-boxes, unwanted solicitations, and unwelcome pornographic material make a session on the computer less productive and less enjoyable. It is one of the top complaints that I receive from my constituents, and I am very pleased to be working with the Senators from Vermont and Utah to impose tough penalties on those who impose this garbage on others.
But I am also concerned with a type of spam that goes beyond the mere nuisance variety. It is becoming clearer with each passing month that many criminal enterprises have adopted spam as their method of choice for perpetrating their criminal schemes. Spammers are now frequently perpetrating fraud to cheat people out of their savings, stealing people's identities, or trafficking in child pornography. What spam allows them to do is to conduct these criminal activities on a much broader scale at dramatically reduced coststhey can literally reach millions of people at the push of a button.
Mr. LEAHY. The Senator from Florida is correct. Nowadays, we see that spam has moved far beyond being just a nuisance to people trying to use email on their personal computers. Serious crimes are being committed using this medium, which can reach large numbers of people in a matter of seconds. For example, if a person or organization seeks to commit fraud to bilk senior citizens out of their money, with spam they can reach millions of potential victims at very low, even negligible costs.
With such low costs, and such wide reach, even a small rate of success can make for a very profitable criminal enterprise.
Mr. NELSON of Florida. The Senator from Vermont has provided an excellent example of the problem that we are trying to address. And that is why I have sought, with the help of the Senator from Vermont and the Senator from Utah, to include provisions in this legislation that make clear our intent to treat the use of spam to commit large-scale criminal activity as the organized crime that it is.
We do this in two ways: First, by working with the U.S. Sentencing Commission toward enhanced sentences for those who use spam or other unsolicited bulk email to commit fraud, identity theft, obscenity, child pornography, or the sexual exploitation of children.
Second, we make the seriousness of our intentions clear by urging prosecutors to use all tools at their disposal to bring down the criminal enterprises that are facilitated by the use of spam. Among other things, we are talking about the RICO statute, which not only comes with some of the stiffest penalties in the criminal code, but also allows for the seizure of the assets of criminal organizations, and for civil suits brought by injured parties. It is tough enforcement like this that will help bring the worst of the spammers to their knees.
Mr. LEAHY. The Senator from Florida has made me aware of his interest in these provisions on several occasions, and I appreciate his contributions to this effort. They strengthen the legislation in important ways. While keeping the authority to set sentences where it belongswith the Sentencing Commissionand while remaining deferential to the discretion of prosecutors, these provisions makes unmistakably clear that Congress expects this legislation to be used not just to punish spammers, but also to dismantle the criminal enterprises that are carried out with spam and other unsolicited bulk e-mail.
Mr. NELSON of Florida. I thank the Senator from Vermont for his outstanding leadership on this issue, and for his cooperation in including my amendments in the legislation.
Mr. LEAHY. Mr. President, it is increasingly obvious that unwanted commercial e-mail is more than just a nuisance.
Businesses and individuals sometimes have to wade through hours of spam. It makes it impossible for them to do their work. It slows down whole enterprises.
In my home State of Vermont, one legislator logged on to his server and found that two-thirds of the e-mails in his inbox were spam. Our legislator is a citizen or legislature. He does not have staff or anything else. This was after the legislator had installed spam-blocking software. His computer stopped about 80 percent of it. But even after he blocked 80 percent, two-thirds of the e-mail he had was spam.
The e-mail users are having the online equivalent of the experience of the woman in the classic Monty Python skit. She wanted to order a Spam-free breakfast at a restaurant. Try as she might, she cannot get the waitress to bring her the meal she wants. Every dish in the restaurant comes with Spam; it is just a matter of how much. There is eggs, bacon, and Spam; eggs, bacon, sausage, and Spam; Spam, bacon, sausage, and Spam; Spam, egg, Spam, Spam, bacon, and Spam; Spam, sausage, Spam, Spam, Spam, bacon, Spam, tomato, and Spam, and so on. Finally, the customer said: I don't like Spam. I don't want Spam. I hate Spam.
Now, I repeat that with apologies to John Cleese and everybody else in the Monty Python skit.
Mr. President, anybody who goes on e-mail, including every member of my family down to my 5-year-old grandchild, knows how annoying spam can be.
A Harris poll taken last year found that 80 percent of the respondents viewed spam as "very annoying" and 74 percent wanted to make it illegal.
Some 30 States now have anti-spam laws but it is difficult to enforce them.
There are actually billions of unwanted e-mails that are blocked by ISPs every day. Hundreds of millions of spam e-mails get through just the same.
Now, we have to be very careful when we regulate in cyberspace. We must not forget that spam, like more traditional forms of commercial speech, is protected by the first amendment. We cannot allow spam to result in the "virtual death" of the Internet, as one Vermont newspaper put it.
So what Senator Hatch and I have offered and is being acceptedthe Hatch-Leahy-Nelson-Schumer amendmentwould, first, prohibit hacking into another person's computer system and sending bulk spam from or through that system.
Second, it would prohibit using a computer system that the owner makes available for other purposes as a conduit for bulk spam, with the intent to deceive the recipient as to where the spam came from.
The third prohibition targets another way that outlaw spammers evade ISP filters: falsifying the "header information" that accompanies every e-mail and sending bulk spam containing that fake header information. The amendment prohibits forging information regarding the origin of the e-mail message.
Fourth, the Hatch-Leahy-Nelson-Schumer amendment prohibits registering for multiple e-mail accounts or Internet domain names and sending bulk mail from those accounts or domains.
Fifth, and finally, our amendment addresses a major hacker spammer technique for hiding identity that is a common and pernicious alternative to domain name registrationthat is, hijacking unused expanses of Internet address space and using them to launch junk mail.
Now, penalties under the amendment are tough, but they are measured. Recidivists and those who send spam in furtherance of another felon may be imprisoned for up to 5 years. The sound of a jail cell closing for 5 years should focus their attention.
Large-volume spammers, those who hack into another person's computer system to send bulk spam, and spam "kingpins" who use others to operate their spamming operations may be imprisoned for up to 3 years, and so on.
Then, of course, we direct the Sentencing Commission to look at other areas.
So, Mr. President, I see my colleagues on the floor, Senator Burns and Senator Wyden, who have done yeoman work on this legislation. I compliment all those who worked together. I certainly compliment the two of them, as well as Senator Hatch, Senator Nelson, and Senator Schumer. I think we are putting together something that is worth passing.
Mr. WYDEN. Will the Senator yield?
Mr. LEAHY. Sure.
Mr. WYDEN. Mr. President, just before he leaves the floor, I thank the distinguished Senator from Vermont for all his help. I have already told Senator Hatch how incredibly important the enforcement provision is. You can write bills forever, but without the enforcement to which the Senator from Vermont and the Senator from Utah are committed, those bills are not going to get the job done.
Suffice it to say, when there were a lot of people in public life who thought their computers were somehow a TV screen, the Senator from Vermont was already leading the Senate and those who work in the public policy arena to understand the implications of the medium.
There is nobody in public life whose counsel I value more on telecommunications and Internet policy than the distinguished Senator from Vermont. I appreciate his giving me this opportunity to work with him on the enforcement provisions. It will be the lifeblood of making this bill work.
Mr. LEAHY. Mr. President, I thank my dear friend from Oregon for his far too generous words. I have enjoyed working with him. He has carried over from his service in the other body. He has a strong interest in this. Just as important as his strong interest is the fact he has extraordinary expertise in this area. That is very helpful.
If you would allow me one quick personal story. This sort of humbles you. I like to think I am very knowledgeable on this.
My 5-year-old grandson climbed in my lap and asked me to log on to a particular interactive site for children. It is something he could do himself, but we don't let him log on himself because of the problems with some sites that appear to be for children, and are anything but.
So I log on for him, and he climbs up on my lap, takes the mouse out of my hand and says: I better take over now because it gets very complicated.
In some ways we are protecting those 5-year-olds because they are the next generation using this technology. I thank my friend from Oregon and good friend from Montana for the enormous amount of work they have done here.
I yield the floor.
BREAK IN TRANSCRIPT
Mr. LEAHY. Mr. President, it is increasingly apparent that unwanted commercial e-mail, commonly known as "spam," is more than just a nuisance. In the past few years, it has become a serious and growing problem that threatens to undermine the vast potential of the Internet.
Businesses and individuals currently wade through tremendous amounts of spam in order to access e-mail that is of relevance to themand this is after ISPs, businesses, and individuals have spent time and money blocking a large percentage of spam from reaching its intended recipients.
In my home State of Vermont, one legislator recently found that two-thirds of the 96 e-mails in his inbox were spam. And this occurred after the legislature had installed new spam-blocking software on its computer system that seemed to be catching 80 percent of the spam. The assistant attorney general in Vermont was forced to suggest to computer users the following means to avoid these unsolicited commercial e-mails: "It's very bad to reply, even to say don't send anymore. It tells the spammer they have a live address . . . The best thing you can do is just keep deleting them. If it gets really bad, you may have to change your address." This experience is echoed nationwide.
E-mail users are having the online equivalent of the experience of the woman in the Monty Python skit, who seeks to order a Spam-free breakfast at a restaurant. Try as she might, she cannot get the waitress to bring her the meal she desires. Every dish in the restaurant comes with Spam; it's just a matter of how much. There's "egg, bacon and Spam"; "egg, bacon, sausage and Spam"; "Spam, bacon, sausage and Spam"; "Spam, egg, Spam, Spam, bacon and Spam"; "Spam, sausage, Spam, Spam, Spam, bacon, Spam, tomato and Spam"; and so on. Exasperated, the woman finally cries out: "I don't like Spam! . . . I don't want ANY Spam!"
Individuals and businesses are reacting similarly to electronic spam. A Harris poll taken late last year found that 80 percent of respondents view spam as "very annoying," and fully 74 percent of respondents favor making mass spamming illegal.
Earlier this month, more than 3 out of 4 people surveyed by Yahoo! Mail said it was "less aggravating to clean a toilet" than to sort through spam. Americans are fed up.
Some 30 States now have antispam laws, but the globe-hopping nature of e-mail makes these laws difficult to enforce.
Technology will undoubtedly play a key role in fighting spam, but a technological solution to the problem is not likely in the foreseeable future. ISPs block billions of unwanted e-mails each day, but spammers are winning the battle.
Millions of unwanted, unsolicited commercial e-mails are received by American businesses and individuals each day, despite their own, additional filtering efforts. A recent study by Ferris Research estimates that spam costs U.S. firms $8.9 billion annually in lost worker productivity, consumption of bandwidth, and the use of technical support to configure and run spam filters and provide helpdesk support for spam recipients.
The costs of spam are significant to individuals as well, including time spent identifying and deleting spam, inadvertently opening spam, installing and maintaining antispam filters, tracking down legitimate messages mistakenly deleted by spam filters, and paying for the ISP's blocking efforts.
And there are other prominent and equally important costs of spam. It may introduce viruses, worms, and Trojan horses into personal and business computer systems, including those that support our national infrastructure.
The public has recently witnessed the potentially staggering effects of a virus, not only through the Blaster case I discussed earlier, but with the appearance of the SoBigF virus just 8 days after Blaster began chewing its way through the Internet.
This variant also infected Windows machines via e-mail, then sent out dozens of copies of itself. Antivirus experts say one of the main reasons virus writers continue to modify and re-release this particular piece of "malware" is that it downloads a Trojan horse to infected computers, which are then used to send spam.
Spammers are constantly in need of new machines through which to route their garbage e-mail, and a virus makes a perfect delivery mechanism for the engine they use for their mass mailings. Some analysts said the SoBigF virus may have been created with a more malicious intent than most viruses, and may even be linked to spam e-mail schemes that could be a source of cash for those involved in the scheme.
The interconnection between computer viruses and spam is readily apparent: Both flood the Internet in an attempt to force a message on people who would not otherwise choose to receive it. Criminal laws I wrote prohibiting the former have been invoked and enforced from the time they were passed it is the latter dilemma we must now confront headon.
Spam is also fertile ground for deceptive trade practices. The FTC has estimated that 96 percent of the spam involving investment and business opportunities, and nearly half of the spam advertising health services and products, and travel and leisure, contains false or misleading information.
This rampant deception has the potential to undermine Americans' trust of valid information on the Internet. Indeed, it has already caused some Americans to refrain from using the Internet to the extent they otherwise would. For example, some have chosen not to participate in public discussion forums, and are hesitant to provide their addresses in legitimate business transactions, for fear that their e-mail addresses will be harvested for junk e-mail lists. And they are right to be concerned.
The FTC found spam arriving at its computer system just 9 minutes after posting an e-mail address in an online chat room.
I have often said that Congress must exercise great caution when regulating in cyberspace. Any legislative solution to spam must tread carefully to ensure that we do not impede or stifle the free flow of information on the Internet. The United States is the birthplace of the Internet, and the whole world watches whenever we decide to regulate it. Whenever we choose to intervene in the Internet with government action, we must act carefully, prudently, and knowledgeably, keeping in mind the implications of what we do and how we do it. And we must not forget that spam, like more traditional forms of commercial speech, is protected by the first amendment.
At the same time, we must not allow spam to result in the "virtual death" of the Internet, as one Vermont newspaper put it.
The Internet is a valuable asset to our Nation, to our economy, and to the lives of Americans, and we should act prudently to secure its continued viability and vitality.
On June 19 of this year, Senator Hatch and I introduced S.1293, the Criminal Spam Act, together with several of our colleagues on the Judiciary Committee. On September 25, the committee unanimously voted to report the bill to the floor.
Today, Senators HATCH, NELSON, SCHUMER, GRASSLEY and I offered the criminal provisions of S. 1293 as an amendment to S. 877, the CAN SPAM Act. The amendment was adopted by voice vote.
I thank the lead cosponsors of S. 877 for working with us on this amendment, and for their support and cosponsorship of the Criminal Spam Act. I also thank Senator Bill Nelson for his contribution to the amendment.
The Hatch-Leahy amendment prohibits five principal techniques that spammers use to evade filtering software and hide their trails.
First, our amendment prohibits hacking into another person's computer system and sending bulk spam from or through that system. This criminalizes the common spammer technique of obtaining access to other people's e-mail accounts on an ISP's e-mail network, whether by password theft or by inserting a "Trojan horse" programthat is, a program that unsuspecting users download onto their computers and that then takes control of those computersto send bulk spam.
Second, our amendment prohibits using a computer system that the owner makes available for other purposes as a conduit for bulk spam, with the intent of deceiving recipients as to the spam's origins. This prohibition criminalizes another common spammer techniquethe abuse of third parties' "open" servers, such as e-mail servers that have the capability to relay mail, or Web proxy servers that have the ability to generate "form" mail. Spammers commandeer these servers to send bulk commercial e-mail without the server owner's knowledge, either by "relaying" their e-mail through an "open" e-mail server, or by abusing an "open" Web proxy server's capability to generate form e-mails as a means to originate spam, thereby exceeding the owner's authorization for use of that e-mail or Web server. In some instances the hijacked servers are even completely shut down as a result of tens of thousands of undeliverable messages generated from the spammer's e-mail list.
The amendment's third prohibition targets another way that outlaw spammers evade ISP filters: falsifying the "header information" that accompanies every e-mail, and sending bulk spam containing that fake header information. More specifically, the amendment prohibits forging information regarding the origin of the e-mail message, and the route through which the message attempted to penetrate the ISP filters.
Fourth, the Hatch-Leahy amendment prohibits registering for multiple e-mail accounts or Internet domain names, and sending bulk e-mail from those accounts or domains. This provision targets deceptive "account churning," a common outlaw spammer technique that works as follows. The spammer registersusually by means of an automatic computer programfor large numbers of e-mail accounts or domain names, using false registration information, then sends bulk spam from one account or domain after another. This technique stays ahead of ISP filters by hiding the source, size, and scope of the sender's mailings, and prevents the e-mail account provider or domain name registrar from identifying the registrant as a spammer and denying his registration request. Falsifying registration information for domain names also violates a basic contractual requirement for domain name registration falsification.
Fifth and finally, our amendment addresses a major hacker spammer technique for hiding identity that is a common and pernicious alternative to domain name registrationhijacking unused expanses of Internet address space and using them as launch pads for junk e-mail. Hijacking Internet ProtocolIPaddresses is not difficult: Spammers simply falsely assert that they have the right to use a block of IP addresses, and obtain an Internet connection for those addresses. Hiding behind those addresses, they can then send vast amounts of spam that is extremely difficult to trace.
Penalties for violations of these new criminal prohibitions are tough but measured. Recidivists and those who send spam in furtherance of another felony may be imprisoned for up to 5 years. Large-volume spammers, those who hack into another person's computer system to send bulk spam, and spam "kingpins" who use others to operate their spamming operations may be imprisoned for up to 3 years. Other offenders may be fined and imprisoned for no more than one year. Convicted offenders are also subject to forfeiture of proceeds and instrumentalities of the offense.
In addition to these penalties, the Hatch-Leahy amendment directs the Sentencing Commission to consider providing sentencing enhancements for those convicted of the new criminal provisions who obtained e-mail addresses through improper means, such as harvesting, and those who knowingly sent spam containing or advertising a falsely registered Internet domain name. We have also worked with Senator Nelson on language directing the Sentencing Commission to consider enhancements for those who commit other crimes that are facilitated by the sending of spam.
I should note that the Criminal Spam Act, from which the amendment is taken, enjoys broad support from ISPs, direct marketers, consumer groups, and civil liberties groups alike. It is also supported by the administration: In its September 11, 2003, views letter regarding the CAN SPAM Act, the administration advocated the addition to CAN SPAM of felony triggers similar to those proposed in the Criminal Spam Act. The administration further supported our proposal, advanced in the Hatch-Leahy amendment, to direct the Sentencing Commission to consider sentencing enhancements for convicted spammers that have additionally obtained e-mail addresses by harvesting.
Again, the purpose of the Hatch-Leahy amendment is to deter the most pernicious and unscrupulous types of spammersthose who use trickery and deception to induce others to relay and view their messages. Ridding America's inboxes of deceptively delivered spam will significantly advance our fight against junk e-mail. But it is not a cure-all for the spam pandemic.
The fundamental problem inherent to spamits sheer volumemay well persist even in the absence of fraudulent routing information and false identities. In a recent survey, 82 percent of respondents considered unsolicited bulk e-mail, even from legitimate businesses, to be unwelcome spam. Given this public opinion, and in light of the fact that spam is, in essence, cost-shifted advertising, we need to take a more comprehensive approach to our fight against spam.
While I am generally supportive of the CAN SPAM Act, and will vote in favor of passage, it does raise some concerns. The bill takes an "opt out" approach to spamthat is, it requires all commercial e-mail to include an "opt out" mechanism, by which e-mail recipients may opt out of receiving further unwanted spam. My concern is that this approach permits spammers to send at least one piece of spam to each e-mail address in their database, while placing the burden on e-mail recipients to respond. People who receive dozens, even hundreds, of unwanted e-mails each day may have little time or energy for anything other than opting-out from unwanted spam.
According to one organization's calculations, if just one percent of the approximately 24 million small businesses in the U.S. sent every American just one spam a year, that would amount to over 600 pieces of spam for each person to sift through and opt out of each day. And this figure may be conservative, as it does not include the large businesses that also engage in online advertising.
I am also troubled by the labeling requirement in the CAN SPAM Act, which makes it unlawful to send an unsolicited commercial e-mail message unless it provides, among other things, " clear and conspicuous identification that the message is an advertisement or solicitation," and "a valid physical postal address of the sender". While we all want to curb spam, we must be mindful of its status as protected commercial speech, and ensure that any restrictions we impose on it are as narrowly tailored as possible.
Reducing the volume of junk commercial e-mail, and so protecting legitimate Internet communications, is not an easy matter. There are important First Amendment interests to consider, as well as the need to preserve the ability of legitimate marketers to use e-mail responsibly. We must be sure we get this right, so as not to exacerbate an already terribly vexing problem. This is especially important given the preemption provisions of the CAN SPAM Act, which will override many of the tough anti-spamming laws already enacted by the States.
My distinguished colleagues from Wyoming and Pennsylvania offered an amendment requiring "warning labels" on certain commercial electronic mail. While I appreciate my colleagues' efforts to protect our children from the on-line assault of internet pornographyan important goal that we all shareI fear the amendment has been drafted in haste and raises significant constitutional issues that require further analysis.
First, the amendment incorporates broad and vague phrases such as "devoted to sexual matters" that are not otherwise defined in the law. I expressed similar concerns during debate on the Communications Decency Act, CDA, which the Supreme Court struck down as unconstitutional in 1996. The CDA also punished as a felony anyone who transmitted "obscene" or "indecent" material over the Internet. The CDA was deemed too vague as to what was "indecent" or
"obscene." Some of the terms and phrases used in the Enzi-Santorum amendment may be deemed equally vague when subjected to judicial scrutiny.
There are also first amendment concerns to regulating commercial electronic mail in ways that require specific labels on protected speech. Such requirements inhibit both the speaker's right to express and the listener's right to access constitutionally protected material.
More importantly, existing laws already ban obscenity, harassment, child pornography and enticing minors into sexual activity.
As a father and a grandfather, I well appreciate the challenge of limiting a child's exposure to sexually inappropriate material. Yet, no legislation we could pass would be an effective substitute for parental involvement. We must be vigilant about feel-good efforts to involve government, either directly or indirectly, in regulating the content of the Internet.
For these reasons, the Enzi-Santorum amendment raises serious legal issues that mandate further exploration before a determination can be made on the proposed law's constitutional viability.
I look forward to continuing to work with the sponsors of the CAN SPAM Act on these issues as the bill proceeds to conference.