Mushy spam law's IDEAL for toothless watchdog: Spamhaus slams CAN-SPAM
One in 10 non-compliance? It's worse than that, even in the US
Antispam organisation Spamhaus has reacted phlegmatically to a recent survey finding that one in 10 of the world’s largest online retailers are still violating the CAN-SPAM Act, a full 10 years after the US anti-spam legislation went into effect.
Richard Cox, CIO of The Spamhaus Project, suggested the Online Trust Alliance (OTA)'s figure of one in 10 e-tailers failing to abide by CAN-SPAM because of failures in honouring unsubscribe requests is probably optimistic.
He also said he believes the law is skewed against private spam victims, who he said have no redress under the legislation.
"Looking across our thousands of spamtrap addresses, none of which have ever opted in to any e-tailer, what we see suggests that their 10 per cent may be, ehrm, somewhat optimistic - even in terms of CAN-SPAM compliance," Cox told El Reg.
"However if considered on the basis of Canada’s new Anti-Spam Legislation (CASL), that number is probably significantly off. Because CASL has an 'opt-in' requirement - in order to give the email user control of their inboxes - it sets a bar very much higher than just removing email users' addresses from spam lists after they have been spammed."
The lax and/or inadequate enforcement of North American anti-spam regimes is a root cause of the problem, according to Cox.
"If anything the issue in the USA as things stand is the unenforceability of the regime, [rather] than just the inadequacy of its enforcement. There have been only a handful of actions in the entire 10 years this law has been in force: and even those actions were limited to the most egregious cases, and mostly just 'add-ons' to other enforcement actions."
Things are even worse in the UK, he added.
"The problem is the law made no provision for additional funding to the US FTC with which to enforce it, thus making it toothless - a situation similar to that in the UK. Many companies know this, and just ignore it," Cox explained.
The veteran anti-spam campaigner argued that the system is tilted against the private businesses and individuals constantly bombarded with junk mail. Only service providers can sue, and even if they do, it's unlikely that they will ever be able to obtain damages.
"The goal of the larger corporate backers of CAN-SPAM seems to have been to reduce or eliminate any right of private legal action by spam victims against those who spammed them. Only ISPs are allowed to take matters to the courts - and only a handful ever have. It's not worth the money, as extracting actual damages from spammers is usually a fruitless quest," he concluded.
The Spamhaus Project has been tracking email spammers and spam-related gangs for over 15 years. It produces DNS-based blocklists and other information about spamming operations that are widely used as one of the layers of defence in spam filtering products and services. ®