Yesterday I forwarded questions about spam from a friend who was speaking before the FTC next week. Here are most of the replies I received, which I've attached below. Some may have appeared here already. From: glee harrah cady From: Wei Dai From: Stanton McCandlish From: Robert Moskowitz From: "Halpert, James - DC" From: Azeem Azhar From: Mark Grant From: Charlie Stross From: Bill Frantz From: "Shabbir J. Safdar" From: djones@insight.dcss.McMaster.CA (David Jones) From: wyang@ktel.osc.edu From: clinton@annoy.com (Clinton at Annoy) From: Eric Murray From: Ray Everett-Church From: Chris Poupart From: "Marius Loots" From: Roger Bohn -Declan *********** Date: Wed, 4 Jun 1997 15:26:33 -0700 (PDT) From: glee harrah cady To: Declan McCullagh A large amount of real costs are principally being borne not by the individual recipient but by the networks that are being abused in the process, which costs the users of the networks involved. Lots of spammers are not using "their own" networks to send out the spam, but using the open nature of the Internet to relay the messages off the mail servers of networks throughout the world. One really egregious instance of which I've been told is that someone used a mailserver in New Zealand as a relay for a large spam. I've heard that data charges in New Zealand are for info in AND out, the provider had to pay for the privilege. SInce this was a third-hand story, I can't cite you chapter and verse -- wish I could. When lots of spam hits a single network, email processing for all customers, whether or not they are recipients of that particular spam, is slowed. Lots of networks have this problem. Unlike email systems that stored one copy of an email, regardless of the number of recipients, the systems we're using on the Internet today send real physical bits for each message that take up space on mail queues. This, too, inhibits email of all involved. Then, folks have to deal with the fact that the spam is on their network: tech support folks are paid to answer queries about it, sysadmins are paid to toss it out (in cases where it hits large intranets -- one company local to here has two sysadmins that do nothing but get rid of spam coming into their local net) or to manage the disk space required to store the stuff. Smaller providers are getting killed with the stuff. The reason that many of us provider-types find more to like the Torricelli approach is that it goes after the deceptive practices that make it harder for us all to trace the sources of the spam: the hiding behind false or not accurate domain names; the hiding of the actual email address of the spammer; the harvesting of names and addresses from the open directories of whitepage services or of online providers, etc. This approach, we think will be more effective at getting to the root of the problem than labelling speech. After all, it's not only commercial speech that is being sent as spam and it's not responsible marketers who are doing it either. I'm not sure that legislation is actually needed to address the problem. I could make an argument that said that the deceptive practices that are making it difficult to go after the spammers actually fall into the purview of the FTC. I am concerned that we don't legislate something that we'll really be sorry about later. As usual, summarizing a complex and difficult policy and operational issue in one short email probably causes problems, too. I hope I've not left out anything, but probably I did. Ask if what I've said isn't clear. :-) ____________________________ glee harrah cady Manager, Public Policy, NETCOM +1.408.881.3227 1.800.NETCOM-1 glee@netcom.com co-author, _Mastering the Internet_, Sybex, 1995 & 1996 ********* Date: Wed, 4 Jun 1997 23:39:28 -0700 (PDT) From: Wei Dai To: Declan McCullagh Here's a cost that's seldomly counted: the occasionally useful spam that we delete without reading because most spam are simply garbage. I would argue that any spam protection system that does not allow useful spam to get through is flawed. ********* From: Stanton McCandlish To: declan@well.com Date: Wed, 4 Jun 1997 16:22:12 -0700 (PDT) Cc: fight-censorship-announce@vorlon.mit.edu, mech@eff.org (Stanton McCandlish) Feel free to send this to FC, etc. This response does not constitute and official EFF position, but I believe it acurately reflects thinking here that will become EFF position shortly. Declan McCullagh typed:

A friend who's going to be on one of the FTC panels next week sent me a few questions about spam. Does anyone want to try their hand at answering them? I'll forward along all responses I get.

What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would

ALL/MULTIPLE USERS * cost of storage (ISP, user or both, depending on mail system) in disk space and memory (remember it takes RAM to load a mailbox into any modern email program). * severe degradation and sometimes destruction of forums as they are over-run by spammage. * reputational harm and loss of all usefulness of Internet account (after being subject to a spammer's header forgery listing the innocent victim as the sender, who then receives all the hatemail the spamming generates). INDIVIDUAL END USER ADDITIONAL COSTS * time to read/examine * time to delete * time to filter * time to unsubscribe, complain, or otherwise respond * increased ISP/online service subscription fees as provider costs are passed on to customers. * per byte, per minute or per message costs from ISP (not all users) * per minute costs from phone or other conduit provider (not all users) CORPORATE END USER ADDITIONAL COSTS * lost productivity due to time sinks mentioned above, frustration, etc. * missed opportunities, deadlines, etc., due to too much mail to sort thru resulting in important messages being missed. Major potential for corporate lossage here. CORPORATE ADMINISTRATOR ADDL. COSTS * time (often quite a lot) filtering dependent users' mail, blocking spamming sites, contending with filled up disks, and other wastes of stafftime due to spamming. ISP/ONLINE SERVICE ADDL. COSTS * Help desk and admins' time filtering/blocking by customer request (not all sites do this) * Help desk and admins' time filtering/blocking by necessity to prevent exceedingly abusive spammers sucking up all available disk space * admins' time in cleanup after one of their users engages is spamming or is perceived to have done so due to forged headers, and 1000s of angry victims send in complaints, threats, etc. * company's losses in market share and reputation after one of their users engages is spamming or is perceived to have done so due to forged headers * admins' time in cleanup after one of their users engages is spamming or is perceived to have done so due to forged headers, and 10s or more of angry victims become vigilantes, and hack the provider, SYN flood them, send them crippling emailbombs, etc. * company's losses in mkt. share and reputation after their service slows, crashes or otherwise is negatively affected by such attacks. * company's liability when other subscribers sue for breach of contract, for return of subscription fees, etc., due to such outtages or degradation of service * CEO & legal staff time researching if any recourse is available. * increased connectivity costs as 56K, T1, etc. high-speed connections are not fast enough to keep up with all the spam (e.g. it is currently physically impossible to carry a full "Big 8" and alt Usenet feed with only a T1 connection [verify with a major ISP if in doubt], largely due to the amount of spamming in the alt groups. * increased staffing costs as more people have to be hired or consulted to deal with the problems caused by spammers. Please feel free to send suggestions for addtions to this list, which I've made for other purposes than answering Declan's query. Remember that TIME = MONEY and RESOURCES = MONEY in all above formulations.

like to know how to quantify it, and

compare it with the cost of sending e-mail.

It costs roughly $20 for Net access[*], plus the cost of a spamming-targeted mailing list ($50?) to send multiple millions of messages. [Actually this is not really true - unless AOL has changed the capabilities of its trial accounts, it actaully costs NOTHING to set up a temporary account that is capable of massive spammage. Worse yet, the technology to MAKE massive email lists is trivially available and/or creatable, so one does not even have to buy such a list. ZERO cost at all.)

If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.

Certainly. There are many other problems: 1) Any ban is going to be very difficult to write in a way that will survive constitutional scrutiny. 2) Banning all commercial email is obvioulys stupid and unconstitutional - I have a First Amendment right to receive commercial messages if I want to. 3) Banning all unsolicited email is obviously stupid and unconstitutional - I have a First Amendment right right to tell IBM that I like their web page, even if they didn't ask me for my comments. 4) Banning all commercial unsolicited email is obviously stupid and arguably unconstitutional. I probably have a right to send you a message offering my product if something in an email or a post or web page by you indicated you might be interested in what I'm offering. Additionally, such a ban does not speak to the issue - commerciality is not the problem. Religious and political rants are, to most people, an even more offensive form of spamming that advertisements are. 5) Despite the optimism of some, no local (i.e. national) law will ever stop spam, it will simply move spammers off-shore. That fewer respondents will buy, due to distrust of foreign merchants, is irrelevant - the spamming business model is successful if only 1 out of a million people makes a purchase, because there are essentially no costs. 6) All such bans attack content. This makes them presumptively unconstitutional right from the start. The issue of spamming cannot be solved with a ban. Spamming as a problem is divisible into TWO problems: a) Theft, abuse or usurpation of resources owned by specific parties (i.e. ISP connectivity, staff time, etc., and your productivity), or owned by everyone (tragedy of the commons). This is a matter of the right to not be forced to bear the costs of another's expression (a component of the right to freedom of speech and press), with shades of the right to use public resources (i.e. offline if some bully, every time you try to go a public park, blocks your entrance into the park, you can get an injunction against this person. Hard to map this kind of thing to the offline world though, on legal grounds even if the ethics of the situation are plain as day.) b) Violation of the recipient's right to be left alone (a component of the right to privacy) and right to not be forced to read another's expression (a component of the right to free speech and press). Spammers love to contort this last into another *almost* opposite right - the right to speak freekly in public even if it offends someone. They avoid the issue of not having a right to do this in private spaces, and not having a right to force others to bear their costs even for public expression. Anyway, the privacy and freedom to not read issues seem to apply principally if not only to private email, while the arguments in point a) seem to apply to private mail, and forums (mailing lists, newsgroups). These two problems require different solutions (and probably in fact both require combinations of several different solutions, ranging from class action suits to fraud prosecution to better filters to increased system security to prevent forgery to tighter users contract to "don't route spamming ISP's traffic" agreements between ISPs and NSPs, etc., etc.) EFF is forming a working group to try to size up the various options and possible solutions and see which ones are viable, which ones are best for rights and for the Internet, which are expedient but would harm the public interest, which are unconstitutional or otherwise bad, and so on. We also have to look at this beyond the here-and-now. What about ISPs that in the fine print say they sell their entire user base's contact info to e-marketers? What about the use of "push" technology for spam-like purposes? What about a MoU between all backbones and major NSPs to simply drop service to any "spammer haven" ISP? What about calls for direct regulation by the FTC or FCC? Or by a UN body? Many proposals are flying, many problems envisioned (and some being missed by most), and many people are getting increasingly hysterical about this so we need to find some solutions quickly. None of the legislation produced so far does anything but cause more damage. -- Stanton McCandlish mech@eff.org Electronic Frontier Foundation Program Director http://www.eff.org/~mech +1 415 436 9333 x105 (v), +1 415 436 9333 (f) Are YOU an EFF member? http://www.eff.org/join ********* Date: Thu, 05 Jun 1997 06:52:36 -0400 To: declan@relay.pathfinder.com, From: Robert Moskowitz Morning Declan. In today's Internet charging scheme, there are two costs to the Internet consumer: Time to retrieve mail, and time to process scams. The first will fade as higher bandwidth solutions come into play. The later may never fade. Most users are not email savy, even if their email software is. People do dumb things like post to USENET groups and then get on the big spam lists, further increasing their mail filtering efforts. But let's put this into perspective. Today, I might send 5 - 10 minutes everyday, sorting through my USMail. Now I am a good recycler, and I open everyone and put all of the papers into the proper bins; some days this can take me 20 minutes. Despite my Eudora Pro filters that color flag suspected spams (I don't delete them, the filters might be in error) for easy delete, I have dozens of emails among my hunderds of messages to read before trashing. Maybe 5 - 10 minutes a day. I really do not think spam is all that bad unless.... What I have discovered is that recreational email, ie use of USENET and recreational LISTSERVs is the way that people get on spam lists. Us techies thus may have a very low spam to message ratio. But poor johnQpub, naively posts to alt.rec.sailboats and then gets 100 spams a day semi-related to sailing (Sherri would LOVE to go sailing with you...). Interestingly, the answer to spam is NOT filters to block it, but filters to move ligitamate mail into folders for processing and leave your IN box for quick scan/trashing. Thus the cost of spam to the user is education and GOOD (read not free) email software. Now the cost to mail handlers is different, but they can and should fight back. Look at the lawsuit by flowers.com. Tracy and her husband run a small time operation. The spam that used their domain name as the reply-to cost them time and business. They are going after the kid. This is costing them, but it will get them on a list of 'do not spam' sights, we hope. Robert Moskowitz Chrysler Corporation (810) 758-8212 ********* From: "Halpert, James - DC" Date: Wed, 04 Jun 97 17:00:00 DST Declan, Very high volume spam can and does burden service providers' systems. Remember the cost of sending a million or so e-mails is very low, but engineering a network to handle, say, 200,000 improperly addressed e-mails that collect on a service provider's mail server costs a good deal more. Herein lies an economic problem. This is not to say that the Constitution shouldn't be sacrificed on the altar of an economic problem, but the concern about high volume spam should not be dismissed as trivial. -- Jim Halpert ********* Date: Thu, 5 Jun 1997 00:10:54 +0100 To: declan@well.com From: Azeem Azhar Declan, Here are a variety of costs: 1. phone costs (non-us) 2. traffic costs (if you are one of the customers on metered useage that e.g. UUnet and BBNplanet offer) 3. hard-drive costs (my mac crashed a few weeks ago losing data in another application because an incoming e-mail took up my last bit of drive space. technically myu fault, i know, but a cost nonetheless.) 4. my time (to write and check anti-spam filters. it took me over an hour to construct a good system in eudora. my charge out rate is GBP100 an hour, minimum 8 hours.) 5. CPU time on mail-relays on the way. e-mail *does* impose a measurable load on an SMTP host. Azeem Azeem Azhar vx: +44 171 830 7133 The Economist fx: +44 171 681 1358 25 St James Street e-mail: aja@economist.com London SW1A 1HG www: http://www.economist.com/ Disclaimer: The views expressed in this email do not necessarily represent those of my employer. ********* Date: Thu, 5 Jun 1997 02:43:02 -0700 (PDT) From: Mark Grant To: declan@well.com

What are the costs to consumers of unsolicited e-mail?

Up to 150k of disk space, up to about 50 seconds of connect time for those who download it by modem (assuming 28.8k), a few seconds of time to delete it or a few minutes to send complaint mail back to their ISP. Worse is the indirect cost to consumers through the hassle it causes to their ISPs. They need faster links and more powerful mail servers to process the extra unwanted data and take time to install filters and deal with spammers. I've already had one spammer send out mail with a false unicorn.com return address which took a day of my time to sort out.

If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions?

Of course. Banning it is dumb and will cause all sorts of unexpected problems. A few class-action suits should eliminate most of them. Mark (postmaster@unicorn.com) ********* Date: Thu, 5 Jun 1997 11:02:49 +0100 (BST) From: Charlie Stross To: Declan McCullagh On Wed, 4 Jun 1997, Declan McCullagh wrote:

What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another.

Those are minimal. Here in the UK, there are NO free local phone calls (unless you're lucky enough to live in Hull, or have a cableco who want to let you yack to your neighbours - it's a long and boring story). Furthermore, if you receive email via SMTP or UUCP (rather than via a mailbox reader protocol like POP3 or whatever) you can't filter the junk out before it reaches you. Thus, receiving spam costs money, in terms of dialup connect time. Moreover, some spammers use really poor, munged, address lists; I've seen 100Kb mails (a couple of minutes of download time on an old 14.4K modem, which is what many people still use) with maybe a 1K payload at the end of the headers. Given that I've got three or four users on my dialup site, and we get an average of 5 UCEs/person/day, it's probably costing us 5-15 pence/day extra on the phone bill. Not significant for _one_ site, but if you multiply by two million (est. number of UK internet users) you get a plague that's costing about 20 million UK pounds/year -- to the unwilling victims. This is before you factor in the online services like Compuserve or CIX that charge per unit connect time, or charge for mail received from the internet. The real victims, though, are the people whose addresses the spammers bung in the Reply-to: fields, so that they get mailbombed by indignant recipients. -- Charlie Stross ********* Date: Wed, 4 Jun 1997 23:17:10 -0700 To: Declan McCullagh , cypherpunks@toad.com From: Bill Frantz At 12:45 PM -0700 6/4/97, Declan McCullagh asked:

What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.

I don't think the costs of the 1-3 spam messages I get each day is significant. (But I don't post to Usenet.)

If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.

Can you say regulatory arbitrage? The current social controls on spam are good enough that no one with any positive reputation wants to have anything to do with it. This means that spammers have to use anonymous offshore answering services. The widespread hatred of spam and spammers should keep the total amount under control without the legal action and in spite of the very low cost of spamming. The recent problems Spamford has been having with denial of service attacks is just one example of the social control process. The flood of hostile email spammers who include real email addresses receive are another. Legitimate commercial email does not evoke these strong reactions. ------------------------------------------------------------------------- Bill Frantz | The Internet was designed | Periwinkle -- Consulting (408)356-8506 | to protect the free world | 16345 Englewood Ave. frantz@netcom.com | from hostile governments. | Los Gatos, CA 95032, USA ********* Date: Wed, 4 Jun 1997 16:15:27 -0400 To: Declan McCullagh , fight-censorship@vorlon.mit.edu From: "Shabbir J. Safdar" The combined EF-Florida/EFF-Austin/VTW filings for the FTC workshop will contain an exhaustive examination of the costs associated with junk email and the technology paradigms for addressing it. It's a technology paper, and doesn't take any particular political agenda. -S ********* Date: Wed, 4 Jun 97 16:11:58 EDT From: djones@insight.dcss.McMaster.CA (David Jones)

What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.

To many people, the cost of spam is simply the time and tedium wasted deleted unwanted messages. Pretty minimal. A burdensome set of regulatory restrictions would also be an annoyance as people waste time and effory making sure reasonable email correspondence "complies" with the new rules. To some users of certain online services, they must pay for email messages or disk space and must pay for connect time. In these cases, there is a real and measurable monetary cost of spam. I'm sorry, I can't quantify that for you. At the organizational level, some companies may pay for Internet traffic bandwidth. If a significant fraction of the traffic is wasted on spam (actually I *really* doubt this is the case) then it could be calculated.

If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.

Hang on. A true "pyramid scheme" requires the victims to send money to the folks operating the scheme. Therefore, they can't be entirely anonymous ... or they'd never be able to cash in! Banning "commercial email" is just nuts. Should we also ban "business-related email" ? Or "advertising email" ? .... or what about "political advertising on the Net" ?? The Canadian government just made the front page of HotWired's online magazine for being foolish enough to ban certain political advertisements on the Net. Surely the U.S. won't make the same mistake. -- David Jones, PhD president, Electronic Frontier Canada -- djones@efc.ca ********* Date: Wed, 4 Jun 1997 18:15:59 -0400 (EDT) From: wyang@ktel.osc.edu To: declan@well.com Hi. I run a Free-Net -- a community outreach project of the Ohio State University and the Ohio Supercomputer Center, which gives free access to anyone who lives in our service area (we're serving about 20,000 people right now -- I understand that, in our service area, Compuserve only has about 12,000 customers). I don't read the censorship fighting list, but someone who does forwarded me your message. I don't know about user costs... but I do know about network-level (provider-level) costs. Disk space is only PART of the computational problem. There's also the swallowing of network bandwidth, and the drain on compute resources (CPU/RAM). My site normally carries about 25,000 unique message ID's per day. Our estimates (these are eyeball numbers, not based on hard-and-fast numbers) make it look as though 10% to 20% of those messages are spam. That's ten to twenty percent of our e-mail operation cost being immediately put toward spam. Beyond that, our users complain about spam. A lot. Right now, about an hour of my time every day is spent dealing with spam complaints (about other sites spamming us, mind). That's 1/8th of my work time, with a massive opportunity cost (as well as a real cost). The other staff members are *also* getting similar time drains. We currently estimate that between $500 and $2000 per month is completely lost to spammers -- funds redirected away from our community outreach/service mission, SUBSIDIZING COMMERCIAL OPERATIONS which generally do not enrich our community. That monthly cost is being drained out of a very small ($150k - $200k per year) project budget which is only getting smaller because people only donate to our donation-driven budget when they like what's going on, and they don't like spam. You might try to call it the cost of doing business... except for the fact that I'm not a normal network carrier. I'm a Free-Net, one of those community-minded sites that's trying to make sure that access to the informational wealth on the Internet is available at price that everyone can afford (free). Universal access is being threatened by this kind of activity, which has a massive user-level costs and implications. Most Free-Nets are incapable of handling the constant barrage of spam, and the complaints they generate.

If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.

Everything can be traced on the 'net. The question is what the cost of tracing it is going to be. You need to remember that there's virtually NO cost associated with *sending* spam. ISP connectivity costs, maybe bandwidth metering for a couple of messages. Those messages, however, can be expanded (1:1,000,000 kinds of ratios are potentially possible; one message can theoretically generate a MILLION spam messages; in practice, I've seen 1:10,000 ratios). The networks that carry the traffic are taking that computational and network-bandwidth cost. And they get hit by complaints from their users. I recognize that no matter what the law is going to do, you're not going to *stop* spam. The issue is to reduce the volume of spam enough to make sure that the cost is reduced to acceptable and absorbable cost-levels. That may mean making spamming tools such as "e-mail blaster" criminal tools. Free speech is great... but it's only free when it's not invasive into the rights of others. Spam *is* invasive, and there are clear, acceptable, and frankly more effective alternative methods for communicating commercial messages. -Bill System Manager, Lead System Administrator The Greater Columbus Free-Net ******** From: clinton@annoy.com (Clinton at Annoy) To: "'declan@well.com'" It is vital to distinguish between "unsolicited email" and "spam". Spam is essentially considered mass e-mailing for commercial purposes, (usually such as the selling of a product or service). If "unsolicited e-mail" is rendered illegal, what will happen to someone who mistakenly sends an email to the wrong address? It's like prosecuting someone for dialing the wrong number. What about a deliberately targeted, but unsolicited email that is crafted to express displeasure to a politician, for instance? To be potentially prosecuted on such a basis could (and will) place a severe chill on the rights of people to communicate freely with elected officials - the cornerstone of democracy. A protocol to deal with spamming is by no means unwelcome, but to confuse it with unsolicited email is potentially very dangerous. Especially with a government so intent on censoring the free flow of information and thought. Perhaps the first place to start would be to clearly define spam. Clinton Fein Publisher and Editor annoy.com ************* From: Eric Murray Subject: Re: Spam costs and questions To: declan@well.com Date: Wed, 4 Jun 1997 14:09:42 -0700 (PDT) Declan McCullagh writes:

A friend who's going to be speaking on one of the FTC panels next week sent me a few questions about spam. Does anyone want to try their hand at answering them? I'll forward along all responses I get.

What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.

Also there's the cost of network transport of spam, both from the spammer's host to the recipient's ISP, and from the ISP to the recipients PC. The last is often the worst, as it eats up time the victim could be using to do something productive. In addition, most spam is bounced through an innocent third party who has a good network connection, like a university. Sending out a lot of spam takes much bandwidth, so the spammer steals the bandwidth and processing power from the innocent third party.

If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.

Spammers need to have a way that you can respond to them. Since spam is legal, and they don't want email in return, they include phone numbers, fax numbers, or snail-mail addresses for people to reply to. If spam were illegal, then spammers could be tracked via the phone numbers. It's only the email's return path that's difficult to trace- spam, because it is selling something, must have a way for potential customers to respond. Most of the purported 'anti-spam' legislation is thinly-disguised LEGITIMIZATION of spam!! Anything that puts the burden on ISPs or recipients to filter out 'tagged' messages legitimizes spam. As annoying as spam is, I would much prefer that nothing be done rather than a poorly-thought-out law. So far, all the proposed laws I have seen have had flaws in them that make me unable to support them. To be honest, I can not myself come up with a law that I would find acceptable. It's a hard problem. -- Eric Murray ericm@lne.com Privacy through technology! Network security and encryption consulting. PGP keyid:E03F65E5 *********** Date: Wed, 4 Jun 97 16:10:07 -0400 From: Ray Everett-Church To: "Declan McCullagh" , On 6/4/97 3:44 PM, Declan McCullagh (declan@well.com) wrote:

A friend who's going to be speaking on one of the FTC panels next week sent me a few questions about spam. Does anyone want to try their hand at answering them? I'll forward along all responses I get.

What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.

I also will be speaking at the FTC next week and address that question in my FTC filing which can be seen at http://www.smart.net/~everett/comment.html The short version of the answer is that UCE is difficult to assign a clear cost to in part because it is spread over such an ever widening base that the more people you spam, the harder it is to know where the costs are concentrated. However there are costs to the bandwidth provider for the site originating the spam in terms of consumed bandwidth, there's also costs of consumed bandwidth leading into every site that receives the mail. Once it arrives at an ISP, there are costs in terms of the CPU time and system efficiency issues, and disk space consumed, and costs for the consumers who may have to spend more time and money (if they pay on a metered basis) to download and sort through the stuff. It's hard to quantify in dollars and cents, but lets look at the quantities we're talking about. AOL has publically estimated that they process about 30 million pieces of email a day and further they've publically estimated that 40-45% of that is spam. I recently sampled 3 days of my regular spam load and the average piece was a hair over 5000 bytes. 5k * 13 million messages, you're talking roughly 65 million kilobytes a day. (somebody please correct my math... i'm a lawyer not an accountant). Since people don't read their email every day, some of that must be stored for several days. And if it is bouncing back to an invalid sender address, the rest ends up in the postmaster mailbox. Assuming that those same figures and costs are spread among other ISPs as well, that's a heck of a lot of data to transmit and store...which translates into costs for ISPs and their customers.

If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.

I don't think anybody wants to ban all commercial mail, just the unsolicited advertisements for which the advertisers don't bear the real costs. If you're truly trying to operate a moneymaking business, you've got to have someplace for people to send the money... So regardless of how you disguise the headers, you still have a means of tracking down the culprit... and in the case of the Smith legislation you'd have the chance to recover up to $1500 per message. There is at least one major national collection agency that I know of who is chomping at the bit to recover that for you. -Ray ------------------------------------------------------------------------- Ray Everett-Church, Esq. www.everett.org/~everett This mail isn't legal advice. Opinion(RE-C) != Opinion(clients(RE-C)) (C)1997 Ray Everett-Church ** Help outlaw "spam"=> http://www.cauce.org ------------------------------------------------------------------------- ******** Date: Wed, 04 Jun 1997 19:20:36 -0400 From: Chris Poupart To: declan@well.com <quote> If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal. </quote> making spam illegal would be a futile plan, unless the authorities were given the power to persue not just the sender, but the people for whome it advertises. Not only could the fly-by-night pyramid-schemes work, but there are programs out there that allow you to route your e-mail so that it is Anonymous, now these programs can also do bulk mailing... I think you get my picture. If you could also press charges against the advertised company (providing it was authorised by them), then that might work. If not, well then with all the free e-mail available (www.hotmail.com and www.netaddress.com or .net I can't remember), people might want to set up an e-mail account to use with Usenet and to give as pw, ect, and then they could keep one privit and "secret" amongst their friends. The internet has flourished w/out government help and I beleive that it will continiue to do so. Chris Poupart Montreal, Canada -- Chris Poupart mailto:chris@peacefire.org Support Freedom of Speech and visit: http://www.peacefire.org | http://www.eff.org http://www.geocities.com/Colosseum/Field/6078/censor-index.html ********** From: "Marius Loots" To: Declan McCullagh Date: Thu, 5 Jun 1997 11:16:21 GMT+2 Hallo Declan I really enjoy your list. The mailings are very interesting and relevant. Thanks. My thoughts on the two questions:

What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.

It would be extremely difficult to quantify in monetary terms. It has been long since I had one of those BIG things in my mailbox. Most of these has lately been smaller emails that compare well in size to some of the material I send around. Because harddrives are not that expensive anymore, storage space is IMO, not a factor at all. The irritation factor is my biggest concern. You have to sort it from the valuable mail, that takes time. You have to delete it, that takes time. And some people has to download it, that takes time. This eating up of my time, irritates me. And with the present information overload, time is one of the few things we definitely don't have.

If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.

You are not going to be able to ban it. As long as email is email, there will be people using it to spam. Even if you make it illegal, it will still happen. A few quick thoughts or ideas to be kicked around: 1. What could be made illegal is the selling of email addresses. 2. Ban *unsolicited* commercial email 3. Make ISP who supply service for free or without proper checking liable for prosecution if spam comes from their system. 4. Black-list people that are caught spamming (use in tandem with 3). A number of these spammers are not once-only fly-by-nighters. They strike again and again. Because it is not illegal at the moment, no-one can do anything. I am not able to write the legalese but these are some rough thoughts on the matter. Unsolicited email is unsolicited email, and the sooner we get that out of the system, the better. Groetnis Marius Loots ------------------------------------------------------- Maestro mloots@medic.up.ac.za +27-12-319-2144 pgp2.6 TOP 50 on the SA WebChart - Have a look and vote NOW!!! http://www.geocities.com/Athens/6398 Add some Chaos to your Life and put the World in Order ------------------------------------------------------- ********* Date: Wed, 4 Jun 1997 13:28:38 -0700 To: declan@relay.pathfinder.com From: Roger Bohn Subject: Re: Spam costs and questions At 3:47 PM -0400 6/4/97, Declan McCullagh wrote:

A friend who's going to be speaking on one of the FTC panels next week sent me a few questions about spam. Does anyone want to try their hand at answering them? I'll forward along all responses I get.

What are the costs to consumers of unsolicited e-mail? I guess the time it takes to delete it might be one, hard drive space might be another. I would like to know how to quantify it, and compare it with the cost of sending e-mail.

A big cost is that it reduces the S/N ratio of e-mail. As the amount of spam goes up, sooner or later you start missing legitimate messages that you should have read, because you do blanket erases, don't read carefully, close down entire accounts, etc. Personally I've not reached that point, but spam is growing exponentially so I give it 2 years. Cost of telephone connect time is also a consideration for most users. Even if you are on a flat phone rate, there is an opportunity cost from having your phone tied up longer. (Yes, even if you have 2 lines--the members of my household are always fighting over the second line.)

If you banned commercial e-mail, wouldn't it just affect legitimate commercial transactions? That is to say, wouldn't fly-by-night pyramid-scheme builders still be able to spam? I would think that if they are so untraceable that it's hard to block their spam that it wouldn't really matter if it were simply made illegal.

Yes and no. Fly by nights would continue, certainly. But look how successful the mail fraud laws have been at limiting (not eradicating) mail based pyramid schemes, for example. Laws, if carefully drawn, would have an effect. I think mandatory labeling is much better than banning commercial e-mail, by the way. An outright ban has several problems, in the U.S. at least. A mandatory label deals with the S/N issue cited above (you can filter commercial messages), and as mail packages get smarter they can be set to not download messages selectively, thus dealing with the other problems. Something as draconian as an outright ban also encourages lawbreaking more than a labeling provision would. Roger Bohn ###