January 2005

Phishing, spamming and spying. Sometimes you have to wonder if the Web will just self-destruct and take most of e-commerce with it. Take email. E-mail was the original "killer app" of the Internet. Some 12 trillion e-mail messages are estimated to be sent around the globe every year — with the U.S. accounting for about 65% of that traffic. There was a time, back in 2001 and before search engine marketing, when e-mail was one of the most effective marketing tools for e-commerce vendors. There was a time when people looked forward to receiving e-mail. Not anymore. CipherTrust, an enterprise email security provider, now estimates that in 2005, 79.2% of e-mail received by firms is spam, and only 19% is legitimate. The estimated loss in productivity in the U.S. will be about $15 billion, not counting an expenditure of $15 billion in telecommunications bandwidth required to carry this bogus traffic. Unfortunately, the problem has been growing six-fold every year since 2003. At home, the situation is no better. In late 2004, AOL reported that it had reduced the number of spam e-mails caught by its servers down to a paltry 1.6 trillion daily, and customer complaints to a mere 100 million a day! If you add in home-directed spam from MSN, Yahoo! and other ISPs, you end up with a very large number of spam sent to the house.

Aside from the sheer economic loss, people no longer trust their e-mail and as a result (here’s the hi-tech solution run amok) have turned up their spam blockers to maximum effectiveness. While the new spam blockers built into browsers such as Mozilla’s Firefox are better than their precursors, you better be careful about the words and phrases you use in your subject lines. Wonder why that friend or colleague did not respond to your recent e-mail? Millions of people are having to use the phone to find out why, and often, it is because the e-mail you sent went into the recipient’s spam or trash folder. Meanwhile, the response rate to e-mail marketing messages sent to general audiences has fallen below 1%, a far cry from the lofty 3%-4% achieved in previous years. Of course, e-mail sent to an opt-in, legitimately interested group of consumers has much high response rates. But that’s the point that so many mass e-mailers (spammers) just don’t get: by sending out so-called “blast emails,” they pollute the river that feeds them.

Another killer app that might just kill the Web and e-commerce is spyware (euphemistically called adware by the merchants who hawk this stuff). We first identified spyware in the first edition of the textbook in 2002 as an end of chapter case called “Ad Bombs, Ambush Marketing and other Invasive Marketing Techniques.” Spyware is a computer program that is automatically downloaded to a user’s computer when the user downloads music sharing programs such as Kazaa, free screen savers, toolbars, desktop weather services, or even just clicks on a sweepstakes offering or game. Spyware usually is downloaded to the user’s computer without notification and almost always without user awareness. When notification is given, it is usually opt-out (you need to say affirmatively you do not want the downloaded software) and written in small print so you would never notice the option to skip the download.

The computer program resides on the user’s computer and performs a number of tasks such as calling to outside servers to serve up ads from companies that pay the spyware creators for impressions. Other spyware programs log all the keystrokes of users and send them off regularly to external servers, and some spyware permanently diverts the user’s browser to a different home page where ads are served up continually.

Since we first wrote about spyware back in the relatively innocent days of 2002, it has grown into a multi-million dollar business. In 2004, according to online advertising network DoubleClick, about 439 billion ad impressions, paid for by thousands of firms, were flashed in front of users. No one has any idea how many of these billions of ads were served up by spyware but chances are good, given the level of complaints received by privacy groups, the Federal Trade Commission, and Congress, that about the number is at least 10%. The biggest manufacturers and distributors of spyware are Claria Corp. (formerly known as Gator), and WhenU, although there are many smaller players such as DigitalEdge. The biggest users of spyware advertising are Fortune 500 firms such as Verizon, Sprint, British Airways PLC, and Bank of America Corporation.

Why do big companies use spyware to contact us? According to DigitalEdge, spyware can be twice as effective as other forms of online advertising. How so? Because supposedly when a user searches for a product, or tries to go to a competitor’s Web site (indicating interest and willingness to purchase), the user can be hit immediately with either an ad for that product, or diverted to the competitor’s Web site. For example, type in "cell phone" on Google, and spyware may direct you to www.verizon.com's offer page. Enter www.attwireless.com as a url and spyware may divert you to www.verizon.com.

Congress tried to end spam by passing the CAN-SPAM Act of 2003 (S. 877), and the first prosecutions are just now being undertaken. The CAN-SPAM act made it a felony crime to send spam or engage in a variety of deceptive practices (such as hiding the sender's real address) with penalties of up to 5 years in prison. Along with much greater efforts at spam re-direction and detection by AOL, Yahoo, Microsoft and other large ISPs, this federal legislation is one factor in the roughly 30% decline in spam which occurred in 2004 compared to 2003. Congress currently is considering two new bills to knock off spyware. The Spy Act (H.R. 4661) passed the House of Representatives in 2003 with a vote of 399 to 1, but the Senate postponed consideration. The Spy Act prohibits unfair or deceptive practices related to spyware and requires opt-in notification, and consent for software that collects personal information. The Internet Spyware Prevention Act of 2004 (H.R. 2929) makes it a felony to intentionally access a computer without authorization or to intentionally exceed authorized access. The less-than active Federal Trade Commission is dragging its heals by not supporting either piece of legislation, claiming that existing anti-fraud laws are sufficient, and that the legislation, like CAN SPAM, really will not work because it’s too hard to find spyware vendors. With enforcement attitudes like this, why have laws? Fortunately, Congress and Justice Department Attorneys are actively pursuing both spammers and spyers. The first case against spammers was filed on April 28, 2004 in the U.S. District Court of Michigan. Federal attorneys contend that Daniel J. Lin, James J. Lin, Mark M. Sadek and Christopher Chung violated the terms of the Can-Spam Act by creating massive e-mail campaigns that marketed fraudulent weight loss products. According to court documents, the four men are accused of generating hundreds of thousands of different e-mails that hid their identities and advertised a weight loss patch. The e-mails were sent out under a variety of company names, including AIT Herbal, Avatar Nutrition and Phoenix Avatar, identified collectively as the Avatar Companies. The e-mails were allegedly sent to millions of e-mail accounts over the course of several years.

Also in April, the U.S. Sentencing Commission sent Congress sentencing guidelines for the Can-Spam Act, adding penalties for people convicted of sending spam via someone else's computer without permission or obscuring the message's origin. In that proposal, the commission retained a controversial proposal to compare spam offenses to theft, fraud and property destruction for the purposes of sentencing. It would appear Federal judges will have ample opportunity to increase sentences based on a variety of mitigating factors.

While legislation will not end spam, or end spyware, it should have the effect of raising the costs for perpetrators. If all the perpetrators move to rogue nations, then Congress will have to deal with that situation as it occurs. Right now, there seems to be plenty of domestic spammers and spyers to warm up the enforcement apparatus and fill the jail cells. Next we might consider legislation to discourage firms such as Verizon and Bank of America from paying the vendors of spyware. Why is it ethical, or legal, to employ others to do that which is illegal and unethical?