FTC backs spammer bounties (false)

Analysis: A program to encourage members of the public to become "bounty hunters" tracking down email spammers received the lukewarm backing of the US Federal Trade Commission (FTC) yesterday. Insofar as it wants to do anything (and we think it would rather do nothing), the FTC wants to create an elaborate spammer supergrass scheme with payouts of up to $250,000. Any alternative, such as relying on anti-spam activists for information, gets short shrift.

The FTC was required to conduct a study on a reward system by Congress following the introduction of US anti-spam laws (the CAN-SPAM Act) in January. The report highlights three perceived hurdles for the FTC and other law enforcers in anti-spam investigations. These are: identifying and locating the spammer, developing sufficient evidence to prove the spammer is legally responsible for sending the spam, and obtaining a monetary award.

"If a reward system could be designed so that it would generate information that helps clear those hurdles, it might improve the effectiveness of CAN-SPAM enforcement," the report concludes, with reservations. Plenty of reservations. The principal stumbling block, according to the FTC, is that those most likely to identify a spammer and provide evidence are "personal or business associates of the spammers themselves". It dismisses as "unlikely" the idea that "so-called cybersleuths" could track down spammers.

Cybersleuths have ‘no role’ in spam prosecutions

"Cybersleuths may be able to employ their sometimes considerable talents and expertise to construct educated guesses linking seemingly unrelated spam to a common source. For example, it is sometimes possible for these individuals to identify similarities in factual patterns found in spam messages, websites, and header information. However, much of this sleuthing is based on intuition or other inadmissible perceptions, does not definitively identify the spammer, and would not constitute admissible evidence in an enforcement action," the report argues.

This comment seems to come from the consumer watchdog's experience of consumers forwarding spam emails to its database, something that obviously does little to identify spammers. But we digress.

The report continues, "because cybersleuths do not have the power to issue or enforce subpoenas, in most instances they cannot legally obtain and supply to the Commission admissible evidence of a spammer’s identity, whereabouts, or level of illegal activity. Many of the critical pieces of information necessary to prove these issues are in the possession of third parties – banks, payment processors, Internet service providers, and others – that will not or cannot provide them to private citizens like cybersleuths who have no subpoena power. Insiders, however, are often privy to this kind of evidence and would not need compulsory process to obtain it."

Will it hold up in court?

The FTC argues that individual cybersleuths would be unlikely to produce evidence that would stand up in court. On that it may have a point, but it applies this argument to anti-spam groups as well as individuals. We think this is all too glib a dismissal of organisations like Spamhaus, which has done an excellent job of cataloguing the activities of spammers for years. It has built up a substantial body of evidence (such as its Register of Known Spam Operations, the ROKSO database) which would doubtless assist the FTC and other bodies in the fight against spammers, had they but the wit to use it. From the report it seems the FTC has dismissed, without much consideration, the idea of a partnership between itself and organisations like Spamhaus, which already has experience in assisting ISPs and Microsoft in anti-spam investigations.

The rise… and fall of the spam supergrass

Rather than tapping into this valuable source of information, the FTC reckons a spammer supergrass program is needed. Potential whistleblowers might be deterred by the possibility of losing income and the possibility of retaliation from spammers, so rewards "in the range of $100,000, and in some cases as much as $250,000" might be needed, the FTC concludes. Coincidentally, this is around the same amount offered by Microsoft's Anti-Virus Reward programme.

And even with high-dollar rewards, whistleblowers may be reluctant to come forward. "To the extent an insider has 'unclean hands' and faces potential legal liability, it is questionable whether such a person would be willing to assume the significant personal risk of coming forward. Thus, the benefits of a reward system remain unclear," the FTC report states.

FTC backs bounty scheme… up to a point

The Commission recommends that if Congress decides to go ahead with a reward system it should:

  • Tie eligibility to imposition of a final court order, rather than to collection of civil penalties
  • Fund reward payments through appropriations, rather than collected civil penalties (our emphasis)
  • Restrict eligibility to insiders with high-value information
  • Minimise eligibility disputes and associated costs by exempting the FTC’s decisions on reward eligibility from judicial or administrative review
  • Establish reward amounts high enough to attract insiders to provide high-value information

Between the lines

Note here that the FTC is saying Congress should establish a budget for the reward program rather than allowing it to be funded from fines taken from spammers themselves. If AOL can seize a car from a spammer and raffle it to the public, why can't a whistleblower program be funded with fines? Altogether the FTC seems to be looking for reasons why a spammer bounty programme would be difficult to administer (costly, ineffective, or both) while maintaining the illusion that it is amenable to the idea. Why can't it just come right out and say that the idea stinks, if that's what it thinks? A clearer report would be a better contribution to the debate.

The Commission vote to issue the report to Congress was 4-0-1 with Commissioner Jonathan Leibowitz not participating. The report can be found here. ®
