Can CAN-SPAM can spim?

New law required to address IM spam?

On 15 February an 18-year-old man from Cheektowaga, New York was charged with creating tens of thousands of fraudulent IM accounts and using these accounts to send unsolicited instant messages (you know the type: "my boyfriend just dumped me, and I am alone with a webcam" or "get great rates on a mortgage"). According to the complaint, filed in federal court in Los Angeles, Anthony Greco sent more than 1.5m IMs from October to November 2004 to members of the MySpace.com online community.

According to the criminal complaint and the Justice Department's press release, Greco even asked MySpace.com for "exclusive" rights to spam their customers, and threatened to show other spammers how to spam the site. He claimed that this would "open a Pandora's box of Spam" on MySpace.com's computer system and potentially take them down.

For his efforts, Greco was charged with threatening to cause damage to the company's computers with the intent to extort them, causing damage to a protected computer, and with violating the new CAN-SPAM law. The alleged damages and losses to MySpace.com consisted of the time and money the company spent deleting the messages from its servers, and working to prevent the IMs from reaching their intended recipients.

New threats, old law

The Greco case illustrates a new threat to the peaceful use of the Internet. Not SPAM, but SPIM - unsolicited commercial Instant Messages. Just as computer viruses migrated from stand-alone computers to networked computers, and now to cell phones, new threats permeate new technologies. SPIM, like its older cousin, can clog IM sessions, prevent the proper use of communications media, and is just downright annoying.

It can also be costly - as MySpace learned. It takes employee time and energy to delete the unwanted messages, and disk space to store and transmit them. Most importantly, it turns people off. Deluged by unwanted emails or IMs, people may just decide not to adopt the new technologies, or simply to ignore messages that may be important.

Entire new businesses have developed from the need to block, analyze and prevent spam, and legal careers can now be made just on suing (and hopefully collecting judgments from) spammers.

But one of the problems with law is that it means what it says - and nothing more. Whenever a new law is written to deal with a specific problem, legislators can either write statutes very broadly and run the risk of criminalizing conduct that should not be a crime (and hope that prosecutors don't use it in unintended ways), or write the statute narrowly and run the risk of not criminalizing enough wrongful conduct.

Thus, I don't argue whether SPIM should be a crime. I simply wonder whether, under the CAN-SPAM law, it actually is one.

CAN-SPAM, enacted in 2003, makes it a crime to send deceptive bulk unsolicited email messages. The key word here is "email" messages. In fact, the statute defines "email" as "a message sent to a unique electronic mail address". So, under this definition, is SPIM spam?

The little case law that exists on this issue suggests not.

Canning SPIM

In May of 2002, Jesse Riddle was surfing the Los Angeles Times' online travel section from his law office in Salt Lake City when an unsolicited electronic communication was sent to him from Celebrity Cruise Lines, enticing Riddle to "enter to win a free cruise".

The message consisted of a series of TCP/IP packets transmitted from Celebrity Cruise's server to Riddle's machine. But the message was not an email per se. Rather, it was a pop-up ad. Undeterred, the Utah lawyer did what lawyers do best - he sued Celebrity Cruise Lines for violating the now defunct Utah version of CAN-SPAM, claiming that the pop-up ad was the functional equivalent of an email message.

The Utah law had an even more expansive definition of email than does the federal law, defining email as "an electronic message, file, data, or other information that is transmitted: (a) between two or more computers, computer networks, or electronic terminals; or (b) within a computer network". Despite the broad definition, the Utah Court of Appeals on 30 December, 2004 held that the pop-up ad was not an email because it was not sent to an email address, defined by the statute as "a destination, commonly expressed as a string of characters, to which email may be sent or delivered".

Essentially, the Utah appellate court held that when the legislature says "email" it means "email".

This Utah comparison does not bode well for the federal prosecution of Mr. Greco for his SPIM. Surely if Congress wanted to outlaw SPIM, it could have. CAN-SPAM by its terms continually refers to the sending of unsolicited "email" messages. The legislative history makes it clear that it is intended to prevent unsolicited email. Nowhere in the statute, or the Congressional debate, is the term "Instant Messaging" referenced, despite the fact that IM was broadly available (though not widely used for SPIM) in 2003 when the statute went into effect.

To make CAN-SPAM into an anti-SPIM tool, the courts will have to conclude that SPIM is "sent to a unique electronic mail address".

Instant messages can either be associated or disassociated with an electronic mail address. For example, if you are an AOL member, your AOL software enables you to receive both email and instant messages at essentially the same address (well, a very similar address, although the protocols are different). But even though the IMs go to your AOL client, they don't actually go to your e-mail inbox. And if you use the AOL IM client called AIM, you need not have or use any email address at all.

Yahoo and Hotmail work in similar fashion, with the IM system using a truncated version of the user's email address, but delivering the packets to the IM client and not the email client.

Therefore, reading the statute narrowly, the messages are not sent to "a unique email address," and applying the logic of the Utah case, you are not technically sending spam.

Perhaps the United States Attorney in California is hoping to answer the question posed to Lewis Carroll's Alice when Humpty Dumpty said of the meaning of words: "The question is - which is to be master - that's all."

While I sympathize with the government, and wish the prosecution well, the statutes themselves may not be so accommodating. It may be time to consider new legislation aimed more directly at SPIMmers.

Copyright © 2004, SecurityFocus

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
