Can CAN-SPAM can spim?

New law required to address IM spam?

On 15 February an 18-year-old man from Cheektowaga, New York was charged with creating tens of thousands of fraudulent IM accounts and using these accounts to send unsolicited instant messages (you know the type: "my boyfriend just dumped me, and I am alone with a webcam" or "get great rates on a mortgage"). According to the complaint, filed in federal court in Los Angeles, Anthony Greco sent more than 1.5m IMs from October to November 2004 to members of the MySpace.com online community.

According to the criminal complaint and the Justice Department's press release, Greco even asked MySpace.com for "exclusive" rights to spam their customers, and threatened to show other spammers how to spam the site. He claimed that this would "open a Pandora's box of Spam" on MySpace.com's computer system and potentially take them down.

For his efforts, Greco was charged with threatening to cause damage to the company's computers with the intent to extort them, causing damage to a protected computer, and with violating the new CAN-SPAM law. The alleged damages and losses to MySpace.com consisted of the time and money the company spent deleting the messages from its servers, and working to prevent the IMs from reaching their intended recipients.

New threats, old law

The Greco case illustrates a new threat to the peaceful use of the Internet. Not SPAM, but SPIM - unsolicited commercial Instant Messages. Just as computer viruses migrated from stand-alone computers to networked computers, and now to cell phones, new threats permeate new technologies. SPIM, like its older cousin, can clog IM sessions, prevent the proper use of communications media, and is just downright annoying.

It can also be costly - as MySpace learned. It takes employee time and energy to delete the unwanted messages, and disk space to store and transmit them. Most importantly, it turns people off. Deluged by unwanted emails or IMs, people may just decide not to adopt the new technologies, or simply to ignore messages that may be important.

Entire new businesses have developed from the need to block, analyze and prevent spam, and legal careers can now be made just on suing (and hopefully collecting judgments from) spammers.

But one of the problems with law is that it means what it says - and nothing more. Whenever a new law is written to deal with a specific problem, legislators can either write statutes very broadly and run the risk of criminalizing conduct that should not be a crime (and hope that prosecutors don't use it in unintended ways) or write the statute narrowly and run the risk of not criminalizing enough wrongful conduct.

Thus, I don't argue whether SPIM should be a crime. I simply wonder whether, under the CAN-SPAM law, it actually is one.

CAN-SPAM, enacted in 2003, makes it a crime to send deceptive bulk unsolicited email messages. The key word here is "email" messages. In fact, the statute defines "email" as "a message sent to a unique electronic mail address". So, under this definition, is SPIM spam?

The little case law that exists on this issue suggests not.

Canning SPIM

In May of 2002, Jesse Riddle was surfing the Los Angeles Times' online travel section from his law office in Salt Lake City when an unsolicited electronic communication was sent to him from Celebrity Cruise Lines, enticing Riddle to "enter to win a free cruise".

The message consisted of a series of TCP/IP packets transmitted from Celebrity Cruise's server to Riddle's machine. But the message was not an email per se. Rather, it was a pop-up ad. Undeterred, the Utah lawyer did what lawyers do best - he sued Celebrity Cruise Lines for violating the now defunct Utah version of CAN-SPAM, claiming that the pop-up ad was the functional equivalent of an email message.

The Utah law had an even more expansive definition of email than does the federal law, defining email as "an electronic message, file, data, or other information that is transmitted: (a) between two or more computers, computer networks, or electronic terminals; or (b) within a computer network". Despite the broad definition, the Utah Court of Appeals on 30 December, 2004 held that the pop-up ad was not an email because it was not sent to an email address, defined by the statute as "a destination, commonly expressed as a string of characters, to which email may be sent or delivered".

Essentially, the Utah appellate court held that when the legislature says "email" it means "email".

This Utah comparison does not bode well for the federal prosecution of Mr. Greco for his SPIM. Surely if Congress wanted to outlaw SPIM, it could have. CAN-SPAM by its terms continually refers to the sending of unsolicited "email" messages. The legislative history makes it clear that it is intended to prevent unsolicited email. Nowhere in the statute, or the Congressional debate, is the term "Instant Messaging" referenced, despite the fact that IM was broadly available (though not widely used for SPIM) in 2003 when the statute went into effect.

To make CAN-SPAM into an anti-SPIM tool, the courts will have to conclude that SPIM is "sent to a unique electronic mail address".

Instant messages can either be associated or disassociated with an electronic mail address. For example, if you are an AOL member, your AOL software enables you to receive both email and instant messages essentially at the same address (well, a very similar address, while the protocols are different.) But even though the IMs go to your AOL client, they don't actually go to your e-mail inbox. And if you use the AOL IM client called AIM, you need not have or use any email address at all.

Yahoo and Hotmail work in similar fashion, with the IM system using a truncated version of the user's email address, but delivering the packets to the IM client and not the email client.

Therefore, reading the statute narrowly, the messages are not sent to "a unique email address," and applying the logic of the Utah case, you are not technically sending spam.

Perhaps the United States Attorney in California is hoping to answer the question posed to Lewis Carroll's Alice when Humpty Dumpty said about the meaning of words: "The question is - which is to be master - that's all."

While I sympathize with the government, and wish the prosecution well, the statutes themselves may not be so accommodating. It may be time to consider new legislation aimed more directly at SPIMmers.

Copyright © 2004, SecurityFocus

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
