FTC backs spammer bounties (false)

Red Herring report


Analysis: A program to encourage members of the public to become "bounty hunters" tracking down email spammers received the lukewarm backing of the US Federal Trade Commission (FTC) yesterday. In so far as it wants to do anything (and we think it would rather do nothing), the FTC wants to create an elaborate spammer supergrass scheme with payouts of up to $250,000. Any alternative, such as relying on anti-spam activists for information, gets short shrift.

The FTC was required to conduct a study on a reward system by Congress following the introduction of US anti-spam laws (the CAN-SPAM Act) in January. The report highlights three perceived hurdles for the FTC and other law enforcers in anti-spam investigations. These are: identifying and locating the spammer, developing sufficient evidence to prove the spammer is legally responsible for sending the spam, and obtaining a monetary award.

"If a reward system could be designed so that it would generate information that helps clear those hurdles, it might improve the effectiveness of CAN-SPAM enforcement," the report concludes, with reservations. Plenty of reservations. The principal stumbling block, according to the FTC, is that those most likely to identify a spammer and provide evidence are "personal or business associates of the spammers themselves". It dismisses the idea that "so-called cybersleuths" could track down spammers as "unlikely".

Cybersleuths have ‘no role’ in spam prosecutions

"Cybersleuths may be able to employ their sometimes considerable talents and expertise to construct educated guesses linking seemingly unrelated spam to a common source. For example, it is sometimes possible for these individuals to identify similarities in factual patterns found in spam messages, websites, and header information. However, much of this sleuthing is based on intuition or other inadmissible perceptions, does not definitively identify the spammer, and would not constitute admissible evidence in an enforcement action," the report argues.

This comment seems to come from the consumer watchdog's experience of consumers forwarding spam emails to its database, something that is obviously not helping to identify spammers. But we digress.

The report continues, "because cybersleuths do not have the power to issue or enforce subpoenas, in most instances they cannot legally obtain and supply to the Commission admissible evidence of a spammer’s identity, whereabouts, or level of illegal activity. Many of the critical pieces of information necessary to prove these issues are in the possession of third parties – banks, payment processors, Internet service providers, and others – that will not or cannot provide them to private citizens like cybersleuths who have no subpoena power. Insiders, however, are often privy to this kind of evidence and would not need compulsory process to obtain it."

Will it hold up in court?

The FTC argues that individual cybersleuths would be unlikely to produce evidence that would stand up in court. On that it may have a point, but it applies this argument to anti-spam groups as well as individuals. We think this is all too glib a dismissal of organisations like Spamhaus, which has done an excellent job of cataloguing the activities of spammers for years. It has built up a substantial body of evidence (such as its Register of Known Spam Operations, the ROKSO database) which would doubtless assist the FTC and other bodies in the fight against spammers, had they but the wit to use it. From the report it seems the FTC has dismissed, without much consideration, the idea of a partnership between itself and organisations like Spamhaus, which already has experience in assisting ISPs and Microsoft in anti-spam investigations.

The rise… and fall of the spam supergrass

Rather than tapping into this valuable source of information, the FTC reckons a spammer supergrass program is needed. Potential whistleblowers might be deterred by the possibility of losing income and the possibility of retaliation from spammers, so rewards "in the range of $100,000, and in some cases as much as $250,000" might be needed, the FTC concludes. Coincidentally, this is around the same amount offered by Microsoft's Anti-Virus Reward programme.

And even with high-dollar rewards, whistleblowers may be reluctant to come forward. "To the extent an insider has 'unclean hands' and faces potential legal liability, it is questionable whether such a person would be willing to assume the significant personal risk of coming forward. Thus, the benefits of a reward system remain unclear," the FTC report states.

FTC backs bounty scheme… up to a point

The Commission recommends that if Congress decides to go ahead with a reward system it should:

  • Tie eligibility to imposition of a final court order, rather than to collection of civil penalties
  • Fund reward payments through appropriations, rather than collected civil penalties (our emphasis)
  • Restrict eligibility to insiders with high-value information
  • Minimise eligibility disputes and associated costs by exempting the FTC’s decisions on reward eligibility from judicial or administrative review
  • Establish reward amounts high enough to attract insiders to provide high-value information

Between the lines

Note here that the FTC is saying Congress should establish a budget for the reward program rather than allowing it to be funded from fines taken from spammers themselves. If AOL can seize a car from a spammer and raffle it to the public, why can't a whistleblower program be funded with fines? Altogether the FTC seems to be looking for reasons why a spammer bounty programme would be difficult to administer (costly, ineffective, or both) while maintaining the illusion that it is amenable to the idea. Why can't it just come right out and say that the idea stinks, if that's what it thinks? A clearer report would be a better contribution to the debate.

The Commission vote to issue the report to Congress was 4-0-1 with Commissioner Jonathan Leibowitz not participating. The report can be found here. ®

Related stories

MS anti-spam proposal returned to sender
Spammers embrace email authentication
US tops junk mail Dirty Dozen - again
Spam King dodges $20m big stick
MS wins $4m from spammer scammer
Big six unite to can spam
Spamhaus crowned Internet heroes of 2003
CAN-SPAM means we can spam
Congress passes anti-spam bill
