Well, the CAN-SPAM act finally passed through its final hurdles in Congress, and with Bush promising a signature within the year, it will be law soon. But will it protect you?

Not if you ask CAUCE, or some of the other major anti-spam groups out there. While many mainstream news sources will point out that 'experts' see this as insufficient protection against foreign spam, that really misses the point. It seems clear that this bill is a response to the massive public outcry against spam, but not a serious attempt to stem the tide, even from the United States. That is to say, it is insufficient protection against any spam.

In this age of easily crafted mail headers, home PCs being used as spammers' drones, and phantom spammer accounts appearing and disappearing like the morning dew, the real problem is one of enforcement. Simply put, there is no real non-repudiation technology in IP, and the federal and state DAs openly admit that they do not have the resources to even begin to tackle the incredible problem that anonymous spammers pose to law enforcement. In other words, unless we can help ourselves, the government can do little to help.

Nor can one simply go after the companies who use the spammers' services. It is all too easy to imagine that a disgruntled former employee could spam on a company's "behalf" in order to get the company punished. Nor could this victim company do anything whatsoever to prevent this from occurring. Thus the presence of the spam itself is clearly insufficient evidence to implicate the company, and naturally, any company questioned on it will deny involvement in the spamming campaigns they order. It will be absolutely impossible to prove otherwise (even to the point of finding a 'preponderance of evidence' necessary in a civil suit) unless the spammers are caught and testify against their employers.

Even worse, the CAN-SPAM act will give any spammer a free shot at our inboxes. So long as they use honest headers, they are allowed to send us as much spam as they want, until we opt out. Now, everyone will claim to allow opt-out, but if this is put to the test, it will be easy to claim that multiple marketing companies were hired. (If this responsibility is pegged to the company that supposedly ordered the spam sent, then the disgruntled former employee will now have that easy attack against the company in their sights.) In other words, there is no reasonable way to enforce opt-out!

It goes without saying, of course, that without massive law-enforcement resources, or the clear ability of private ISPs and businesses to sue for damages, the 'honest-header' part is also meaningless drivel. However, this leads us to the final point; the capstone, if you will.

Specifically allowing opt-out spam does have the effect of making it nearly impossible to privately sue spammers, both for ISPs and for end-users. Why? Because now, everyone will claim to allow opt-out, and for various obvious reasons, it will be virtually impossible to prove otherwise. What does this mean to you? That this law is actually pro-spam. It pretends to try to protect us, but really all it does is shield spammers from liability. It's hard to imagine that the bill's sponsors did not realize this. It is also impossible to imagine a Congressperson voting against a measure that is supposed to help protect us from spam. In essence, Congress has done the bidding of the DMA, which lobbies them quite heavily, while cynically pretending to be protecting the interests of the people.

So hold on and get protection, people. It's going to be a rough ride.

The link for this article located at ZDNet.com is no longer available.