FTC backs spammer bounties


Analysis: A program to encourage members of the public to become "bounty hunters" tracking down email spammers received the lukewarm backing of the US Federal Trade Commission (FTC) yesterday. Insofar as it wants to do anything (and we think it'd rather do nothing), the FTC wants to create an elaborate spammer supergrass scheme with payouts of up to $250,000. Any alternative, such as relying on anti-spam activists for information, gets short shrift.

The FTC was required to conduct a study on a reward system by Congress following the introduction of US anti-spam laws (the CAN-SPAM Act) in January. The report highlights three perceived hurdles for the FTC and other law enforcers in anti-spam investigations. These are: identifying and locating the spammer, developing sufficient evidence to prove the spammer is legally responsible for sending the spam, and obtaining a monetary award.

"If a reward system could be designed so that it would generate information that helps clear those hurdles, it might improve the effectiveness of CAN-SPAM enforcement," the report concludes, with reservations. Plenty of reservations. The principal stumbling block, according to the FTC, is that those most likely to identify a spammer and provide evidence are "personal or business associates of the spammers themselves". It dismisses the idea that "so-called cybersleuths" could track down spammers as "unlikely".

Cybersleuths have ‘no role’ in spam prosecutions

"Cybersleuths may be able to employ their sometimes considerable talents and expertise to construct educated guesses linking seemingly unrelated spam to a common source. For example, it is sometimes possible for these individuals to identify similarities in factual patterns found in spam messages, websites, and header information. However, much of this sleuthing is based on intuition or other inadmissible perceptions, does not definitively identify the spammer, and would not constitute admissible evidence in an enforcement action," the report argues.

This comment seems to come from the consumer watchdog's experience of consumers forwarding spam emails to its database, something that is obviously not helping to identify spammers. But we digress.

The report continues, "because cybersleuths do not have the power to issue or enforce subpoenas, in most instances they cannot legally obtain and supply to the Commission admissible evidence of a spammer’s identity, whereabouts, or level of illegal activity. Many of the critical pieces of information necessary to prove these issues are in the possession of third parties – banks, payment processors, Internet service providers, and others – that will not or cannot provide them to private citizens like cybersleuths who have no subpoena power. Insiders, however, are often privy to this kind of evidence and would not need compulsory process to obtain it."

Will it hold up in court?

The FTC argues that individual cybersleuths would be unlikely to produce evidence that would stand up in court. On that it may have a point, but it applies this argument to anti-spam groups as well as individuals. We think this is all too glib a dismissal of organisations like Spamhaus, which has done an excellent job of cataloguing the activities of spammers for years. It has built up a substantial body of evidence (such as its Register of Known Spam Operations - ROKSO database) which would doubtless assist the FTC and other bodies in the fight against spammers had they but the wit to use it. From the report it seems the FTC has dismissed, without much consideration, the idea of a partnership between itself and organisations like Spamhaus, which already has experience in assisting ISPs and Microsoft in anti-spam investigations.

The rise… and fall of the spam supergrass

Rather than tapping into this valuable source of information, the FTC reckons a spammer supergrass program is needed. Potential whistleblowers might be deterred by the possibility of losing income and the possibility of retaliation from spammers, so rewards "in the range of $100,000, and in some cases as much as $250,000" might be needed, the FTC concludes. Coincidentally, this is around the same amount offered by Microsoft's Anti-Virus Reward programme.

And even with high-dollar rewards, whistleblowers may be reluctant to come forward. "To the extent an insider has 'unclean hands' and faces potential legal liability, it is questionable whether such a person would be willing to assume the significant personal risk of coming forward. Thus, the benefits of a reward system remain unclear," the FTC report states.

FTC backs bounty scheme… up to a point

The Commission recommends that if Congress decides to go ahead with a reward system it should:

  • Tie eligibility to imposition of a final court order, rather than to collection of civil penalties
  • Fund reward payments through appropriations, rather than collected civil penalties (our emphasis)
  • Restrict eligibility to insiders with high-value information
  • Minimise eligibility disputes and associated costs by exempting the FTC’s decisions on reward eligibility from judicial or administrative review
  • Establish reward amounts high enough to attract insiders to provide high-value information

Between the lines

Note here that the FTC is saying Congress should establish a budget for the reward program rather than allowing it to be funded from fines taken from spammers themselves. If AOL can seize a car from a spammer and raffle it to the public, why can't a whistleblower program be funded with fines? Altogether the FTC seems to be looking for reasons why a spammer bounty programme would be difficult to administer - costly/ineffective - while maintaining the illusion that it’s amenable to the idea. Why can't it just come right out and say that the idea stinks - if that's what it thinks? A clearer report would be a better contribution to the debate.

The Commission vote to issue the report to Congress was 4-0-1, with Commissioner Jonathan Leibowitz not participating. The report can be found here.

Related stories

MS anti-spam proposal returned to sender
Spammers embrace email authentication
US tops junk mail Dirty Dozen - again
Spam King dodges $20m big stick
MS wins $4m from spammer scammmer
Big six unite to can spam
Spamhaus crowned Internet heroes of 2003
CAN-SPAM means we can spam
Congress passes anti-spam bill
