A new tool In the spam war
Call in the arbitrators!
Arbitration is part of the next wave of security measures, and can be effective against spammers who illegally harvest email addresses from a honeypot on your website, writes Ethan Preston.
Anti-spammers have a new weapon in their arms race with the spammers. A robot recently rummaged through Mike Wendland's website, harvesting email addresses to spam. But, as a participant of Project Honeypot, Wendland was prepared with an anti-spam honeypot. (Project Honeypot is coordinated by Matthew Prince, CEO of unspam.)
The script automatically generates bogus web pages (like this) that contain a control email address for the robot to collect. Project Honeypot both records the robot's IP address, the date and time the bogus web page is downloaded, and also receives any email sent to the control email address. The control email addresses are unique, so the Project can positively correlate a robot's IP address and time-stamp with any spam sent to the control email addresses. The end result: Wendland was able to identify the illicit harvester, an ostensibly legitimate marketing company.
By identifying illicit harvesters, Project Honeypot opens up a new front in the war on spam. Webmasters can now identify and block robots that harvest email addresses from their websites. Indeed, because the Project collects participants' data and publishes a list of IP addresses associated with spam harvesters, webmasters and ISPs can block all the harvesting robots identified through Project Honeypot.
Moreover, once harvesters have been identified, they can be prosecuted and sued under the CAN SPAM Act of 2004. And the states have their own anti-spam statutes, whose penalties as seen recently can be quite severe.
Given these new advances, the model license used in Project Honeypot's bogus web pages is one aspect of Project Honeypot that might get overlooked. Even though a harvester's use of a website might be illicit, the bogus web pages' license is nonetheless legally binding. This model license contains a number of interesting provisions:
- The model license states that the harvester, as the owner of the robot, agrees to the license's terms when the harvester collects, stores, transfers to the third party, or sends email to, a control email address.
- The model license also prohibits robots from using more system resources than a human visitor would, or from collecting or storing any email address from the participant's website. The harvester also agrees each email address on the participant's website has a $50 value.
- Finally, when a harvester agrees to the web page's license, it also consents to litigate in the courts where the participant resides.
The model license is meant to provide Project Honeypot's participants with effective legal remedies against harvesters. The last provision lets the Project's participants haul harvesters from anywhere in the country into the participant's local courts. This is both convenient and more economical for the Project's participants, and may put a harvesting company at a considerable disadvantage by forcing it to litigate in a distant court.
But is litigation an adequate remedy against harvesters? To indulge in stereotypes for a moment, the anti-spam movement (like the computer security discipline generally) has two sides: the geeks and the lawyers. The geeks are often skeptical about the lawyers and the legal system - compared with technical solutions, the legal system is slow, expensive, uncertain and limited by national boundaries. And although geeks will applaud Project Honeypot's technical innovation, they could be skeptical about whether the Project's participants can actually collect money from harvesters that might be half way around the world. Even if a network operator obtains a judgment from a local court, enforcing a domestic judgment (especially if the domestic court is American) in a foreign jurisdiction can be difficult and uncertain.
Is arbitration the next step for computer security?
What else can the lawyers add to Project Honeypot? Keep in mind that Project Honeypot has already shown a good deal of legal acumen (PDF): once again, even though a robot's access to a Project participant's website is illicit, the robot nonetheless contractually binds its owner to the terms of the Project's model license. In turn, harvesters are liable for breaching the license, and may have to defend themselves in the Project participant's local court. But the Project's model license actually can do more: virtually every document that contains a contract can also incorporate an arbitration agreement as well.
Arbitration is a dispute resolution process similar to litigation, except that the arbitrating parties privately agree to the rules of arbitration and select private individuals (called arbitrators) to administer and decide the arbitration (rather than public officials, like judges). The parties in arbitration can (within limits) use their own procedural rules to make the proceeding shorter, simpler and less expensive than litigation. Parties can also use IT professionals with training in computer security as arbitrators, rather than judges with no computer science background. Finally, arbitration agreements can provide penalties for unauthorized disclosure of information about the arbitration proceedings, while litigation is open to the public.
Arbitration also has another significant advantage over litigation: most of the countries around the world have signed the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards, which requires the signatory countries to recognize and enforce foreign arbitration awards except in very limited circumstances. Thus, arbitration awards can be enforced more readily than domestic court judgments.
The international enforcement of arbitration awards has implications well beyond Project Honeypot. Today, most networks have some kind of contractual language in their login banners, or otherwise require users accessing the network to agree to the terms of a network license. For instance, more traditional honeypot operators use "consent banners" to insulate themselves from liability under wiretapping laws. Anywhere network operators use licenses or contracts, they can include arbitration provisions. The ability to enforce arbitration awards against foreign spammers, harvesters, and other network intruders could mean a more prominent role for the legal system in modern computer security practice.
Flies in the ointment
Although any contract can contain an arbitration agreement, there's a wrinkle. To be enforceable, network licenses (like Project Honeypot's model license) must be recognized as valid arbitration agreements in both the network operator's jurisdiction and the network intruder's jurisdiction. The New York Convention only requires signatory countries to recognize written arbitration agreements. Unfortunately, the New York Convention was written in 1958, and its definition of a written agreement includes contracts or arbitration agreements "signed by the parties or contained in an exchange of letters or telegrams."
Fortunately, many countries have updated their arbitration laws to include electronic agreements like Project Honeypot's model license. Other countries have generally updated their contract laws, so that electronic agreements must be treated like any other written contract. Nevertheless, making sure an arbitration agreement is enforceable against a particular network intruder involves more than checking to see whether the intruder's home jurisdiction is a New York Convention signatory.
Used properly, arbitration could be an important refinement of modern computer security practices - but it is not a silver bullet. Network intruders still have to be identified, and electronic arbitration agreements must be enforceable in both the network operator's jurisdiction and the network intruder's jurisdiction. Moreover, once an arbitration award is made, it still has to be enforced in network intruder's jurisdiction, where the intruder may attempt to challenge the award. Nevertheless, arbitration against network intruders can still be cheaper and more convenient than litigation, and valid arbitration awards are much easier to enforce abroad than domestic court judgments. And the options to make arbitration confidential or to use technically experienced arbitrators may also drive network operators to arbitration. At the very least, arbitration is another legal option that savvy computer security professionals need to know about.
Ethan Preston is an attorney in Chicago, Illinois, whose practice includes information technology, intellectual property, and privacy law. His publication credits include The Global Rise of a Duty to Disclose Information Security Breaches and Computer Security Publications: Information Economics, Shifting Liability and the First Amendment.
Sponsored: The Nuts and Bolts of Ransomware in 2016