FTC backs spammer bounties (false)

Red Herring report

Analysis: A programme to encourage members of the public to become "bounty hunters" tracking down email spammers received the lukewarm backing of the US Federal Trade Commission (FTC) yesterday. Insofar as it wants to do anything (and we think it would rather do nothing), the FTC wants to create an elaborate spammer supergrass scheme with payouts of up to $250,000. Any alternative, such as relying on anti-spam activists for information, gets short shrift.

The FTC was required to conduct a study on a reward system by Congress following the introduction of US anti-spam laws (the CAN-SPAM Act) in January. The report highlights three perceived hurdles for the FTC and other law enforcers in anti-spam investigations. These are: identifying and locating the spammer, developing sufficient evidence to prove the spammer is legally responsible for sending the spam, and obtaining a monetary award.

"If a reward system could be designed so that it would generate information that helps clear those hurdles, it might improve the effectiveness of CAN-SPAM enforcement," the report concludes, with reservations. Plenty of reservations. The principal stumbling block, according to the FTC, is that those most likely to identify a spammer and provide evidence are "personal or business associates of the spammers themselves". It dismisses as "unlikely" the idea that "so-called cybersleuths" could track down spammers.

Cybersleuths have ‘no role’ in spam prosecutions

"Cybersleuths may be able to employ their sometimes considerable talents and expertise to construct educated guesses linking seemingly unrelated spam to a common source. For example, it is sometimes possible for these individuals to identify similarities in factual patterns found in spam messages, websites, and header information. However, much of this sleuthing is based on intuition or other inadmissible perceptions, does not definitively identify the spammer, and would not constitute admissible evidence in an enforcement action," the report argues.

This comment seems to come from the consumer watchdog's experience of consumers forwarding spam emails to its database, a practice that has plainly done little to identify spammers. But we digress.

The report continues, "because cybersleuths do not have the power to issue or enforce subpoenas, in most instances they cannot legally obtain and supply to the Commission admissible evidence of a spammer’s identity, whereabouts, or level of illegal activity. Many of the critical pieces of information necessary to prove these issues are in the possession of third parties – banks, payment processors, Internet service providers, and others – that will not or cannot provide them to private citizens like cybersleuths who have no subpoena power. Insiders, however, are often privy to this kind of evidence and would not need compulsory process to obtain it."

Will it hold up in court?

The FTC argues that individual cybersleuths would be unlikely to produce evidence that would stand up in court. On that it may have a point, but it applies this argument to anti-spam groups as well as to individuals. We think this is too glib a dismissal of organisations like Spamhaus, which has done an excellent job of cataloguing the activities of spammers for years. It has built up a substantial body of evidence (such as its Register of Known Spam Operations, the ROKSO database) which would doubtless assist the FTC and other bodies in the fight against spammers, had they but the wit to use it. From the report it seems the FTC has dismissed, without much consideration, the idea of a partnership between itself and organisations like Spamhaus, which already has experience in assisting ISPs and Microsoft in anti-spam investigations.

The rise… and fall of the spam supergrass

Rather than tapping into this valuable source of information, the FTC reckons a spammer supergrass programme is needed. Potential whistleblowers might be deterred by the prospect of losing income and of retaliation from spammers, so rewards "in the range of $100,000, and in some cases as much as $250,000" might be needed, the FTC concludes. Coincidentally, this is around the same amount offered by Microsoft's Anti-Virus Reward programme.

And even with high-dollar rewards, whistleblowers may be reluctant to come forward. "To the extent an insider has 'unclean hands' and faces potential legal liability, it is questionable whether such a person would be willing to assume the significant personal risk of coming forward. Thus, the benefits of a reward system remain unclear," the FTC report states.

FTC backs bounty scheme… up to a point

The Commission recommends that if Congress decides to go ahead with a reward system it should:

  • Tie eligibility to imposition of a final court order, rather than to collection of civil penalties
  • Fund reward payments through appropriations, rather than collected civil penalties (our emphasis)
  • Restrict eligibility to insiders with high-value information
  • Minimise eligibility disputes and associated costs by exempting the FTC’s decisions on reward eligibility from judicial or administrative review
  • Establish reward amounts high enough to attract insiders to provide high-value information

Between the lines

Note here that the FTC is saying Congress should establish a budget for the reward programme rather than allowing it to be funded from fines taken from spammers themselves. If AOL can seize a car from a spammer and raffle it to the public, why can't a whistleblower programme be funded with fines? Altogether the FTC seems to be looking for reasons why a spammer bounty programme would be difficult to administer (costly, ineffective, or both) while maintaining the illusion that it is amenable to the idea. Why can't it just come right out and say that the idea stinks, if that is what it thinks? A clearer report would be a better contribution to the debate.

The Commission vote to issue the report to Congress was 4-0-1 with Commissioner Jonathan Leibowitz not participating. The report can be found here. ®

Related stories

MS anti-spam proposal returned to sender
Spammers embrace email authentication
US tops junk mail Dirty Dozen - again
Spam King dodges $20m big stick
MS wins $4m from spammer scammer
Big six unite to can spam
Spamhaus crowned Internet heroes of 2003
CAN-SPAM means we can spam
Congress passes anti-spam bill
