Yesterday I forwarded questions about spam from a friend who was speaking
before the FTC next week. Here are most of the replies I received, which
I've attached below. Some may have appeared here already.
From: glee harrah cady
A friend who's going to be on one of the FTC panels next week sent me a few questions about spam. Does anyone want to try their hand at answering them? I'll forward along all responses I get.
What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another.
ALL/MULTIPLE USERS
* cost of storage (ISP, user or both, depending on mail system) in disk space and memory (remember it takes RAM to load a mailbox into any modern email program).
* severe degradation and sometimes destruction of forums as they are over-run by spammage.
* reputational harm and loss of all usefulness of Internet account (after being subject to a spammer's header forgery listing the innocent victim as the sender, who then receives all the hatemail the spamming generates).
INDIVIDUAL END USER ADDITIONAL COSTS
* time to read/examine
* time to delete
* time to filter
* time to unsubscribe, complain, or otherwise respond
* increased ISP/online service subscription fees as provider costs are passed on to customers.
* per byte, per minute or per message costs from ISP (not all users)
* per minute costs from phone or other conduit provider (not all users)
CORPORATE END USER ADDITIONAL COSTS
* lost productivity due to time sinks mentioned above, frustration, etc.
* missed opportunities, deadlines, etc., due to too much mail to sort thru resulting in important messages being missed. Major potential for corporate lossage here.
CORPORATE ADMINISTRATOR ADDL. COSTS
* time (often quite a lot) filtering dependent users' mail, blocking spamming sites, contending with filled up disks, and other wastes of stafftime due to spamming.
ISP/ONLINE SERVICE ADDL. COSTS
* Help desk and admins' time filtering/blocking by customer request (not all sites do this)
* Help desk and admins' time filtering/blocking by necessity to prevent exceedingly abusive spammers sucking up all available disk space
* admins' time in cleanup after one of their users engages in spamming or is perceived to have done so due to forged headers, and 1000s of angry victims send in complaints, threats, etc.
* company's losses in market share and reputation after one of their users engages in spamming or is perceived to have done so due to forged headers
* admins' time in cleanup after one of their users engages in spamming or is perceived to have done so due to forged headers, and 10s or more of angry victims become vigilantes, and hack the provider, SYN flood them, send them crippling emailbombs, etc.
* company's losses in mkt. share and reputation after their service slows, crashes or otherwise is negatively affected by such attacks.
* company's liability when other subscribers sue for breach of contract, for return of subscription fees, etc., due to such outages or degradation of service
* CEO & legal staff time researching if any recourse is available.
* increased connectivity costs as 56K, T1, etc. high-speed connections are not fast enough to keep up with all the spam (e.g. it is currently physically impossible to carry a full "Big 8" and alt Usenet feed with only a T1 connection [verify with a major ISP if in doubt], largely due to the amount of spamming in the alt groups).
* increased staffing costs as more people have to be hired or consulted to deal with the problems caused by spammers.
Please feel free to send suggestions for additions to this list, which I've made for other purposes than answering Declan's query. Remember that TIME = MONEY and RESOURCES = MONEY in all above formulations.
I would like to know how to quantify it, and compare it with the cost of sending e-mail.
It costs roughly $20 for Net access[*], plus the cost of a spamming-targeted mailing list ($50?) to send multiple millions of messages. [Actually this is not really true - unless AOL has changed the capabilities of its trial accounts, it actually costs NOTHING to set up a temporary account that is capable of massive spammage. Worse yet, the technology to MAKE massive email lists is trivially available and/or creatable, so one does not even have to buy such a list. ZERO cost at all.]
If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.
Certainly. There are many other problems:
1) Any ban is going to be very difficult to write in a way that will
survive constitutional scrutiny.
2) Banning all commercial email is obviously stupid and unconstitutional -
I have a First Amendment right to receive commercial messages if I want
to.
3) Banning all unsolicited email is obviously stupid and unconstitutional
- I have a First Amendment right to tell IBM that I like their web
page, even if they didn't ask me for my comments.
4) Banning all commercial unsolicited email is obviously stupid and
arguably unconstitutional. I probably have a right to send you a message
offering my product if something in an email or a post or web page by you
indicated you might be interested in what I'm offering. Additionally, such
a ban does not speak to the issue - commerciality is not the problem.
Religious and political rants are, to most people, an even more offensive
form of spamming than advertisements are.
5) Despite the optimism of some, no local (i.e. national) law will ever
stop spam, it will simply move spammers off-shore. That fewer
respondents will buy, due to distrust of foreign merchants, is irrelevant
- the spamming business model is successful if only 1 out of a million
people makes a purchase, because there are essentially no costs.
6) All such bans attack content. This makes them presumptively
unconstitutional right from the start. The issue of spamming cannot be
solved with a ban. Spamming as a problem is divisible into TWO problems:
a) Theft, abuse or usurpation of resources owned by specific parties (i.e.
ISP connectivity, staff time, etc., and your productivity), or owned by
everyone (tragedy of the commons). This is a matter of the right to not
be forced to bear the costs of another's expression (a component of the
right to freedom of speech and press), with shades of the right to use
public resources (i.e. offline if some bully, every time you try to go a
public park, blocks your entrance into the park, you can get an injunction
against this person. Hard to map this kind of thing to the offline world
though, on legal grounds even if the ethics of the situation are plain as
day.)
b) Violation of the recipient's right to be left alone (a component of the
right to privacy) and right to not be forced to read another's expression
(a component of the right to free speech and press). Spammers love to
contort this last into another *almost* opposite right - the right to
speak freely in public even if it offends someone. They avoid the issue
of not having a right to do this in private spaces, and not having a right
to force others to bear their costs even for public expression.
Anyway, the privacy and freedom to not read issues seem to apply
principally if not only to private email, while the arguments in point a)
seem to apply to private mail, and forums (mailing lists, newsgroups).
These two problems require different solutions (and probably in fact both
require combinations of several different solutions, ranging from class
action suits to fraud prosecution to better filters to increased system
security to prevent forgery to tighter users contract to "don't route
spamming ISP's traffic" agreements between ISPs and NSPs, etc., etc.)
EFF is forming a working group to try to size up the various options and
possible solutions and see which ones are viable, which ones are best for
rights and for the Internet, which are expedient but would harm the public
interest, which are unconstitutional or otherwise bad, and so on.
We also have to look at this beyond the here-and-now. What about ISPs that
in the fine print say they sell their entire user base's contact info to
e-marketers? What about the use of "push" technology for spam-like
purposes? What about a MoU between all backbones and major NSPs to simply
drop service to any "spammer haven" ISP? What about calls for direct
regulation by the FTC or FCC? Or by a UN body? Many proposals are flying,
many problems envisioned (and some being missed by most), and many people
are getting increasingly hysterical about this so we need to find
some solutions quickly. None of the legislation produced so far does
anything but cause more damage.
--
Stanton McCandlish mech@eff.org
Electronic Frontier Foundation Program Director
http://www.eff.org/~mech +1 415 436 9333 x105 (v), +1 415 436 9333 (f)
Are YOU an EFF member? http://www.eff.org/join
*********
Date: Thu, 05 Jun 1997 06:52:36 -0400
To: declan@relay.pathfinder.com,
From: Robert Moskowitz
What are the costs to consumers of unsolicited e-mail?
Up to 150k of disk space, up to about 50 seconds of connect time for those who download it by modem (assuming 28.8k), a few seconds of time to delete it or a few minutes to send complaint mail back to their ISP. Worse is the indirect cost to consumers through the hassle it causes to their ISPs. They need faster links and more powerful mail servers to process the extra unwanted data and take time to install filters and deal with spammers. I've already had one spammer send out mail with a false unicorn.com return address which took a day of my time to sort out.
If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions?
Of course. Banning it is dumb and will cause all sorts of unexpected
problems. A few class-action suits should eliminate most of them.
Mark
(postmaster@unicorn.com)
*********
Date: Thu, 5 Jun 1997 11:02:49 +0100 (BST)
From: Charlie Stross
What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another.
Those are minimal.
Here in the UK, there are NO free local phone calls (unless you're lucky
enough to live in Hull, or have a cableco who want to let you yack to your
neighbours - it's a long and boring story). Furthermore, if you receive
email via SMTP or UUCP (rather than via a mailbox reader protocol like
POP3 or whatever) you can't filter the junk out before it reaches you.
Thus, receiving spam costs money, in terms of dialup connect time.
Moreover, some spammers use really poor, munged, address lists; I've
seen 100Kb mails (a couple of minutes of download time on an old 14.4K
modem, which is what many people still use) with maybe a 1K payload at
the end of the headers.
Given that I've got three or four users on my dialup site, and we get
an average of 5 UCEs/person/day, it's probably costing us 5-15 pence/day
extra on the phone bill. Not significant for _one_ site, but if you
multiply by two million (est. number of UK internet users) you get
a plague that's costing about 20 million UK pounds/year -- to the
unwilling victims.
This is before you factor in the online services like Compuserve or CIX
that charge per unit connect time, or charge for mail received from the
internet.
The real victims, though, are the people whose addresses the spammers bung
in the Reply-to: fields, so that they get mailbombed by indignant
recipients.
-- Charlie Stross
*********
Date: Wed, 4 Jun 1997 23:17:10 -0700
To: Declan McCullagh
What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.
I don't think the costs of the 1-3 spam messages I get each day are significant. (But I don't post to Usenet.)
If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.
Can you say regulatory arbitrage? The current social controls on spam are
good enough that no one with any positive reputation wants to have anything
to do with it. This means that spammers have to use anonymous offshore
answering services. The widespread hatred of spam and spammers should keep
the total amount under control without the legal action and in spite of the
very low cost of spamming.
The recent problems Spamford has been having with denial of service attacks
are just one example of the social control process. The flood of hostile
email that spammers who include real email addresses receive is another.
Legitimate commercial email does not evoke these strong reactions.
-------------------------------------------------------------------------
Bill Frantz | The Internet was designed | Periwinkle -- Consulting
(408)356-8506 | to protect the free world | 16345 Englewood Ave.
frantz@netcom.com | from hostile governments. | Los Gatos, CA 95032, USA
*********
Date: Wed, 4 Jun 1997 16:15:27 -0400
To: Declan McCullagh
What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.
To many people, the cost of spam is simply the time and tedium wasted deleting unwanted messages. Pretty minimal. A burdensome set of regulatory restrictions would also be an annoyance as people waste time and effort making sure reasonable email correspondence "complies" with the new rules. To some users of certain online services, they must pay for email messages or disk space and must pay for connect time. In these cases, there is a real and measurable monetary cost of spam. I'm sorry, I can't quantify that for you. At the organizational level, some companies may pay for Internet traffic bandwidth. If a significant fraction of the traffic is wasted on spam (actually I *really* doubt this is the case) then it could be calculated.
If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.
Hang on. A true "pyramid scheme" requires the victims to send money to the folks operating the scheme. Therefore, they can't be entirely anonymous ... or they'd never be able to cash in! Banning "commercial email" is just nuts. Should we also ban "business-related email" ? Or "advertising email" ? .... or what about "political advertising on the Net" ?? The Canadian government just made the front page of HotWired's online magazine for being foolish enough to ban certain political advertisements on the Net. Surely the U.S. won't make the same mistake.
-- David Jones, PhD
president, Electronic Frontier Canada -- djones@efc.ca
*********
Date: Wed, 4 Jun 1997 18:15:59 -0400 (EDT)
From: wyang@ktel.osc.edu
To: declan@well.com
Hi. I run a Free-Net -- a community outreach project of the Ohio State University and the Ohio Supercomputer Center, which gives free access to anyone who lives in our service area (we're serving about 20,000 people right now -- I understand that, in our service area, Compuserve only has about 12,000 customers). I don't read the censorship fighting list, but someone who does forwarded me your message.
I don't know about user costs... but I do know about network-level (provider-level) costs. Disk space is only PART of the computational problem. There's also the swallowing of network bandwidth, and the drain on compute resources (CPU/RAM). My site normally carries about 25,000 unique message ID's per day. Our estimates (these are eyeball numbers, not based on hard-and-fast numbers) make it look as though 10% to 20% of those messages are spam. That's ten to twenty percent of our e-mail operation cost being immediately put toward spam.
Beyond that, our users complain about spam. A lot. Right now, about an hour of my time every day is spent dealing with spam complaints (about other sites spamming us, mind). That's 1/8th of my work time, with a massive opportunity cost (as well as a real cost). The other staff members are *also* getting similar time drains. We currently estimate that between $500 and $2000 per month is completely lost to spammers -- funds redirected away from our community outreach/service mission, SUBSIDIZING COMMERCIAL OPERATIONS which generally do not enrich our community. That monthly cost is being drained out of a very small ($150k - $200k per year) project budget which is only getting smaller because people only donate to our donation-driven budget when they like what's going on, and they don't like spam.
You might try to call it the cost of doing business... except for the fact that I'm not a normal network carrier. I'm a Free-Net, one of those community-minded sites that's trying to make sure that access to the informational wealth on the Internet is available at a price that everyone can afford (free). Universal access is being threatened by this kind of activity, which has massive user-level costs and implications. Most Free-Nets are incapable of handling the constant barrage of spam, and the complaints they generate.
If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.
Everything can be traced on the 'net. The question is what the cost
of tracing it is going to be.
You need to remember that there's virtually NO cost associated with
*sending* spam. ISP connectivity costs, maybe bandwidth metering for
a couple of messages.
Those messages, however, can be expanded (1:1,000,000 kinds of ratios
are potentially possible; one message can theoretically generate a
MILLION spam messages; in practice, I've seen 1:10,000 ratios). The
networks that carry the traffic are taking that computational and
network-bandwidth cost. And they get hit by complaints from their
users.
I recognize that no matter what the law is going to do, you're not
going to *stop* spam. The issue is to reduce the volume of spam
enough to make sure that the cost is reduced to acceptable and
absorbable cost-levels. That may mean making spamming tools such as
"e-mail blaster" criminal tools.
Free speech is great... but it's only free when it's not invasive into
the rights of others. Spam *is* invasive, and there are clear,
acceptable, and frankly more effective alternative methods for
communicating commercial messages.
-Bill
System Manager, Lead System Administrator
The Greater Columbus Free-Net
********
From: clinton@annoy.com (Clinton at Annoy)
To: "'declan@well.com'"
A friend who's going to be speaking on one of the FTC panels next week sent me a few questions about spam. Does anyone want to try their hand at answering them? I'll forward along all responses I get.
What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.
Also there's the cost of network transport of spam, both from the spammer's host to the recipient's ISP, and from the ISP to the recipient's PC. The last is often the worst, as it eats up time the victim could be using to do something productive. In addition, most spam is bounced through an innocent third party who has a good network connection, like a university. Sending out a lot of spam takes much bandwidth, so the spammer steals the bandwidth and processing power from the innocent third party.
If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.
Spammers need to have a way that you can respond to them.
Since spam is legal, and they don't want email in return, they
include phone numbers, fax numbers, or snail-mail addresses
for people to reply to. If spam were illegal, then spammers
could be tracked via the phone numbers. It's only the email's
return path that's difficult to trace- spam, because it is selling
something, must have a way for potential customers to respond.
Most of the purported 'anti-spam' legislation is thinly-disguised
LEGITIMIZATION of spam!! Anything that puts the burden on ISPs
or recipients to filter out 'tagged' messages legitimizes
spam. As annoying as spam is, I would much prefer that nothing
be done rather than a poorly-thought-out law. So far, all the proposed
laws I have seen have had flaws in them that make me unable to
support them. To be honest, I can not myself come up with a law that
I would find acceptable. It's a hard problem.
--
Eric Murray ericm@lne.com Privacy through technology!
Network security and encryption consulting. PGP keyid:E03F65E5
***********
Date: Wed, 4 Jun 97 16:10:07 -0400
From: Ray Everett-Church
A friend who's going to be speaking on one of the FTC panels next week sent me a few questions about spam. Does anyone want to try their hand at answering them? I'll forward along all responses I get.
What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.
I also will be speaking at the FTC next week and address that question in my FTC filing which can be seen at http://www.smart.net/~everett/comment.html
The short version of the answer is that UCE is difficult to assign a clear cost to in part because it is spread over such an ever widening base that the more people you spam, the harder it is to know where the costs are concentrated. However there are costs to the bandwidth provider for the site originating the spam in terms of consumed bandwidth, there's also costs of consumed bandwidth leading into every site that receives the mail. Once it arrives at an ISP, there are costs in terms of the CPU time and system efficiency issues, and disk space consumed, and costs for the consumers who may have to spend more time and money (if they pay on a metered basis) to download and sort through the stuff.
It's hard to quantify in dollars and cents, but let's look at the quantities we're talking about. AOL has publicly estimated that they process about 30 million pieces of email a day and further they've publicly estimated that 40-45% of that is spam. I recently sampled 3 days of my regular spam load and the average piece was a hair over 5000 bytes. 5k * 13 million messages, you're talking roughly 65 million kilobytes a day. (Somebody please correct my math... I'm a lawyer not an accountant.) Since people don't read their email every day, some of that must be stored for several days. And if it is bouncing back to an invalid sender address, the rest ends up in the postmaster mailbox. Assuming that those same figures and costs are spread among other ISPs as well, that's a heck of a lot of data to transmit and store...which translates into costs for ISPs and their customers.
If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.
I don't think anybody wants to ban all commercial mail, just the
unsolicited advertisements for which the advertisers don't bear the real
costs. If you're truly trying to operate a moneymaking business, you've
got to have someplace for people to send the money... So regardless of
how you disguise the headers, you still have a means of tracking down the
culprit... and in the case of the Smith legislation you'd have the chance
to recover up to $1500 per message. There is at least one major national
collection agency that I know of who is chomping at the bit to recover
that for you.
-Ray
What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.
It would be extremely difficult to quantify in monetary terms. It has been long since I had one of those BIG things in my mailbox. Most of these have lately been smaller emails that compare well in size to some of the material I send around. Because hard drives are not that expensive anymore, storage space is IMO, not a factor at all. The irritation factor is my biggest concern. You have to sort it from the valuable mail, that takes time. You have to delete it, that takes time. And some people have to download it, that takes time. This eating up of my time, irritates me. And with the present information overload, time is one of the few things we definitely don't have.
If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.
You are not going to be able to ban it. As long as email is email, there
will be people using it to spam. Even if you make it illegal, it will
still happen.
A few quick thoughts or ideas to be kicked around:
1. What could be made illegal is the selling of email addresses.
2. Ban *unsolicited* commercial email
3. Make ISPs who supply service for free or without proper checking liable
for prosecution if spam comes from their system.
4. Black-list people that are caught spamming (use in tandem with 3).
A number of these spammers are not once-only fly-by-nighters. They strike
again and again. Because it is not illegal at the moment, no-one can do
anything. I am not able to write the legalese but these are some rough
thoughts on the matter.
Unsolicited email is unsolicited email, and the sooner we get that out of
the system, the better.
Groetnis
Marius Loots
-------------------------------------------------------
Maestro mloots@medic.up.ac.za +27-12-319-2144 pgp2.6
TOP 50 on the SA WebChart - Have a look and vote NOW!!!
http://www.geocities.com/Athens/6398
Add some Chaos to your Life and put the World in Order
-------------------------------------------------------
*********
Date: Wed, 4 Jun 1997 13:28:38 -0700
To: declan@relay.pathfinder.com
From: Roger Bohn
A friend who's going to be speaking on one of the FTC panels next week sent me a few questions about spam. Does anyone want to try their hand at answering them? I'll forward along all responses I get.
What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.
A big cost is that it reduces the S/N ratio of e-mail. As the amount of spam goes up, sooner or later you start missing legitimate messages that you should have read, because you do blanket erases, don't read carefully, close down entire accounts, etc. Personally I've not reached that point, but spam is growing exponentially so I give it 2 years. Cost of telephone connect time is also a consideration for most users. Even if you are on a flat phone rate, there is an opportunity cost from having your phone tied up longer. (Yes, even if you have 2 lines--the members of my household are always fighting over the second line.)
If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.
Yes and no. Fly by nights would continue, certainly. But look how successful the mail fraud laws have been at limiting (not eradicating) mail based pyramid schemes, for example. Laws, if carefully drawn, would have an effect.
I think mandatory labeling is much better than banning commercial e-mail, by the way. An outright ban has several problems, in the U.S. at least. A mandatory label deals with the S/N issue cited above (you can filter commercial messages), and as mail packages get smarter they can be set to not download messages selectively, thus dealing with the other problems. Something as draconian as an outright ban also encourages lawbreaking more than a labeling provision would.
Roger Bohn
###