The following text is copyright 2003 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.


Can: to be enabled by law


By Scott Bradner


As I write this, the U.S. Congress is just about to finish up the approval of the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003," a.k.a. the "CAN-SPAM Act of 2003."  The term "mixed bag" was coined to cover things like this bill.  On one hand the bill provides some potentially useful tools for law enforcement to fight some types of spam but, on the other hand, the bill specifically makes spam legal and preempts anti-spam laws, many of which are much stronger, in 35 or so states.


I hope that the congressional title-writer that came up with CAN-SPAM assumed that people would read the "can" as meaning "to put a stop to" but, sadly, it is better read to mean "to be enabled by law."  This bill defines spam as 'unsolicited commercial electronic mail messages' which, in turn, is defined as electronic mail messages whose primary purpose is to advertise a commercial product or service that is not a "transactional or relationship message" which is sent to a recipient who has not said they want to receive it.  The bill says that such spam is just fine as long as there is a working opt-out mechanism listed in the message and as long as the sender address and email header information is not forged.  Under this bill every division of every one of the millions of companies on earth can send you a message completely legally and you have the power to go through some undefined per-sender process to tell the individual sender to not do it again.  The bill was clearly heavily influenced by, if not actually written by, the commercial spammers.  Not exactly the mailbox protection that the politicians are claiming it to be.


The bill has significant negative value but is not quite worthless.  The requirements for working opt-out mechanisms and unforged source addresses, along with a ban on using third-party computers to forward spam without permission and a prohibition of selling email addresses of people who have opted out, give law enforcement officials and ISPs (the only people permitted to sue under this bill) some potentially useful ways to enforce it.  But an example of the source of the bill is the provision in an early version that said that spammers did not have to include a working opt-out mechanism after they got what they interpreted as an opt-in response.  Once hooked, you could not get out -- ever.  That seems to have been dropped from the final version.


How useful will this actually be if it ever goes into effect?  A quick scan of the spam I received in the last two days shows that a third of it would be totally unaffected -- it included Nigerian cons and mail from outside of the US and in languages I do not know.  Another third would be potentially impacted -- it included ads for body part enlargement potions, porn sites and the like.  The final third would definitely fall within the effective coverage of the law -- it included ads from US companies for various things.


There is no way that this bill will significantly reduce the level of spam but it might change the ground rules enough to give the people developing anti-spam software a little bit better chance.


disclaimer: The bill will definitely provide Harvard-trained lawyers with a source of income but I did not ask the Law School its opinion - the above definition of "can" is mine (and Merriam-Webster's).