The following text is copyright 2009 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
The CAN-SPAM Act as a warning
By: Scott Bradner
It is widely expected that the new congress and administration will be passing a lot of new regulations in an attempt to deal with all sorts of perceived problems. It may be that the now 5-year-old CAN-SPAM act is one of the better examples of what not to do as far as regulations go.
When it was passed, the CAN-SPAM Act was touted, by the politicians at least, as a tool to help control the growth of spam. Few of us in the tech world thought it would do any good and, in fact, the general feeling was that it was actually designed to legitimize unsolicited email. (See "Can: to be enabled by law" http://www.sobco.com/nww/2003/bradner-2003-12-08.html)
Back in October Carolyn Duffy Marsan reviewed the CAN-SPAM act in this publication and asked "What went wrong." (http://www.networkworld.com/news/2008/100608-can-spam.html) The article did a good job of covering the act and its status as a failure. But, it may be that some of the important lessons were more hinted at than articulated.
I think that the most important lesson to be learned from the CAN-SPAM experience is to not let the industry that you are claiming to regulate write the regulations. The CAN-SPAM act was written to legitimize the business of spam and it was written to satisfy the spammers themselves. Any spam-related regulations actually aimed at providing relief for the Internet user would have started with an opt-in requirement as a basic tenet -- an opt-in requirement that did not have an exemption for a theoretical previous business relationship.
The next most important lesson is to give enforcement to somebody that cares. Carolyn reported that the Federal Trade Commission (FTC) had brought about 30 law enforcement actions as of a year ago. Thirty actions in the face of more than 100 billion spam messages per year hardly qualifies as a pin prick. It is clear that the FTC either just does not care about the law or has actively decided that they should ignore spam. Along the same line, it might not be a good thing for federal regulations to override stronger state regulations.
Another lesson is to address the people who benefit from bad behavior. A far more effective anti-spam act would have gone after the companies using spam to advertise their wares and services as well as the ISPs supporting the spammers.
Having an anti-spam act that was actually designed to fight spam would not have stopped spam, but one can see what could have happened if there were a concerned enforcement agency and a law that went after the supporters of spam by looking at what happened when McColo was taken down last November. (The spam problem was mostly solved last Tuesday - http://www.networkworld.com/newsletters/gwm/2008/111708msg1.html)
Government regulations all too frequently do far more damage than good - as the CAN-SPAM Act did. Thus it's often better to not regulate, but not regulating in view of the lessons from the banking and too many other crises is essentially a non-option. So I expect that the Obama crowd will have plenty of chances over the next few years to do better than CAN-SPAM. How well they do will be a good indicator of the relative strengths of the impulse to do something good for Internet users and well-heeled lobbyists promising campaign donations.
disclaimer: I know of no university position on the CAN-SPAM Act or on the altruism of the lobbyists that helped shape it so the above is my own set of lessons to be learned.