FTC backs spammer bounties (false)

Analysis: A program to encourage members of the public to become "bounty hunters" tracking down email spammers received the lukewarm backing of the US Federal Trade Commission (FTC) yesterday. In so far as it wants to do anything (and we think it would rather do nothing), the FTC wants to create an elaborate spammer supergrass scheme with payouts of up to $250,000. Any alternative, such as relying on anti-spam activists for information, gets short shrift.

The FTC was required to conduct a study on a reward system by Congress following the introduction of US anti-spam laws (the CAN-SPAM Act) in January. The report highlights three perceived hurdles for the FTC and other law enforcers in anti-spam investigations. These are: identifying and locating the spammer, developing sufficient evidence to prove the spammer is legally responsible for sending the spam, and obtaining a monetary award.

"If a reward system could be designed so that it would generate information that helps clear those hurdles, it might improve the effectiveness of CAN-SPAM enforcement," the report concludes, with reservations. Plenty of reservations. The principal stumbling block, according to the FTC, is that those most likely to identify a spammer and provide evidence are "personal or business associates of the spammers themselves". It dismisses the idea that "so-called cybersleuths" could track down spammers as "unlikely".

Cybersleuths have "no role" in spam prosecutions

"Cybersleuths may be able to employ their sometimes considerable talents and expertise to construct educated guesses linking seemingly unrelated spam to a common source. For example, it is sometimes possible for these individuals to identify similarities in factual patterns found in spam messages, websites, and header information. However, much of this sleuthing is based on intuition or other inadmissible perceptions, does not definitively identify the spammer, and would not constitute admissible evidence in an enforcement action," the report argues.

This comment seems to come from the consumer watchdog's experience of consumers forwarding spam emails to its database, something that is obviously not helping to identify spammers. But we digress.

The report continues, "because cybersleuths do not have the power to issue or enforce subpoenas, in most instances they cannot legally obtain and supply to the Commission admissible evidence of a spammer's identity, whereabouts, or level of illegal activity. Many of the critical pieces of information necessary to prove these issues are in the possession of third parties - banks, payment processors, Internet service providers, and others - that will not or cannot provide them to private citizens like cybersleuths who have no subpoena power. Insiders, however, are often privy to this kind of evidence and would not need compulsory process to obtain it."

Will it hold up in court?

The FTC argues that individual cybersleuths would be unlikely to produce evidence that would stand up in court. On that it may have a point, but it applies this argument to anti-spam groups as well as to individuals. We think this is all too glib a dismissal of organisations like Spamhaus, which has done an excellent job of cataloguing the activities of spammers for years. It has built up a substantial body of evidence (such as its Register of Known Spam Operations, the ROKSO database) which would doubtless assist the FTC and other bodies in the fight against spammers, had they but the wit to use it. From the report it seems the FTC has dismissed, without much consideration, the idea of a partnership between itself and organisations like Spamhaus, which already has experience in assisting ISPs and Microsoft in anti-spam investigations.

The rise… and fall of the spam supergrass

Rather than tapping into this valuable source of information, the FTC reckons a spammer supergrass programme is needed. Potential whistleblowers might be deterred by the possibility of losing income and the possibility of retaliation from spammers, so rewards "in the range of $100,000, and in some cases as much as $250,000" might be needed, the FTC concludes. Coincidentally, this is around the same amount offered by Microsoft's Anti-Virus Reward programme.

And even with high-dollar rewards, whistleblowers may be reluctant to come forward. "To the extent an insider has 'unclean hands' and faces potential legal liability, it is questionable whether such a person would be willing to assume the significant personal risk of coming forward. Thus, the benefits of a reward system remain unclear," the FTC report states.

FTC backs bounty scheme… up to a point

The Commission recommends that if Congress decides to go ahead with a reward system it should:

  • Tie eligibility to imposition of a final court order, rather than to collection of civil penalties
  • Fund reward payments through appropriations, rather than collected civil penalties (our emphasis)
  • Restrict eligibility to insiders with high-value information
  • Minimise eligibility disputes and associated costs by exempting the FTC's decisions on reward eligibility from judicial or administrative review
  • Establish reward amounts high enough to attract insiders to provide high-value information

Between the lines

Note here that the FTC is saying Congress should establish a budget for the reward programme rather than allowing it to be funded from fines taken from spammers themselves. If AOL can seize a car from a spammer and raffle it to the public, why can't a whistleblower programme be funded with fines? Altogether the FTC seems to be looking for reasons why a spammer bounty programme would be difficult to administer (costly, ineffective, or both) while maintaining the illusion that it's amenable to the idea. Why can't it just come right out and say that the idea stinks, if that's what it thinks? A clearer report would be a better contribution to the debate.

The Commission vote to issue the report to Congress was 4-0-1, with Commissioner Jonathan Leibowitz not participating. The report can be found here. ®
