Feeds

Feds seek input on spammer sentencing

Help us calculate the actual harm

  • alert
  • submit to reddit

New hybrid storage solutions

A formula that would sentence deceptive spammers to more time in prison for each e-mail address spammed is among the proposals under consideration by the presidentially-appointed commission responsible for setting federal sentencing rules, which this week sought the public's input on how to punish violators of the newly-enacted CAN-SPAM Act.

"Arguably the more e-mails you've sent out, the greater the social harm-- just like arguably distributing more drugs is worse that distributing fewer drugs," says Michael O'Neill, a law professor at George Mason University Law School, and a member of the seven-member United States Sentencing Commission (USSC). "The problem is, it's so incredibly easy to send out massive e-mails now, I'm not sure [it] is going to get at the harm the way you want it."

The USSC publishes the Federal Sentencing Guidelines that carve out narrow ranges of sentences a court can choose from when punishing violators of federal criminal law. The guidelines work off of a point system that sets a starting value for a particular crime, and then adds or subtracts points for specific aggravating or mitigating circumstances.

A convicted kidnapper, for example, starts off with 24 sentencing points -- which maps to 51 to 63 months imprisonment for a first-time offender. But if the culprit held his victim for 30 days or more, he gets two bonus points, translating to an additional 12 to 15 months. The criminal earns another six points if he demanded a ransom, and two points for injuring a victim -- but can shave off two points for pleading guilty and accepting responsibility for the crime.

If sentencing kidnappers is relatively straightforward, the Commission is finding it more challenging to erect an appropriate framework for punishing deceptive spammers. Should spammers be sentenced from the same table that decides the fate of thieves and con artists, based on the amount of financial losses inflicted on the victims? If so, what counts as a loss -- if a forged e-mail address makes an innocent company look bad, a "Joe job," in the parlance of anti-spammers -- should that reputational harm earn the spammer more time in stir. "This is one of the places that the Commission is having a difficult time, in determining how to calculate the actual harm," says O'Neill.

More Time for Harvesting?

The CAN-SPAM Act, which took effect January 1st, doesn't criminalize unsolicited bulk commercial e-mail, but it does outlaw most of the deceptive practices used by spammers. Senders are prohibited from breaking into someone else's computer to send spam (which was probably illegal already); deliberately crafting spammy messages to disguise the origin; materially falsifying the headers in spam; spamming from five or more e-mail accounts established under fake names; or hijacking five or more IP addresses, and spamming from them.

A first-time violator face up to one year in federal stir for a small-time operation-- three years if he or she meets one of several minimum standards of bad behavior, like leading a spam gang of at least three people, sending over 2,500 messages in one day, or using 10 or more falsely-registered domain names. Repeat offenders can get up to five years in prison.

Exactly where spammers are sentenced within that range will be decided by an amendment to the Federal Sentencing Guidelines. In a formal request for comments published in the Federal Register this week, the Commission is asking the public's opinion on such questions as:

  • Should deceptive spammers get an "enhancement," i.e., a little more prison time, if they employ "sophisticated means" to send the spam?
  • Should the method the offender used to gather the targeted addresses be a consideration in sentencing? Under one proposal, spammers could face an enhancement for harvesting e-mail addresses from Web forums, or generating them randomly.
  • Should criminals who commit fraud, identify theft, child porn trafficking or other serious crimes be sentenced more severely if they sent unsolicited bulk e-mail in the course of the crime?
  • Comments are due by March 15th, and can be sent by snail mail to the United States Sentencing Commission, One Columbus Circle, NE., Suite 2-500, Washington, DC 20002-8002, Attention: Public Affairs. Perhaps not surprisingly, the Commission is not inviting comments by e-mail.

    Copyright © 2004, SecurityFocus logo

Secure remote control for conventional and virtual desktops

More from The Register

next story
Leak of '5 MEELLLION Gmail passwords' creates security flap
You should be OK if you're not using ANCIENT password
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Enigmail PGP plugin forgets to encrypt mail sent as blind copies
User now 'waiting for the bad guys come and get me with their water-boards'
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.