US anti-spam laws won't stop spam, but create confusion. Sophos comments

November 24, 2003 Sophos Press Release

House of Representatives, Washington DC
The new legislation designed to stop spam is unlikely to be successful, says Sophos

Anti-spam legislation that could send spammers to jail has been approved by the US House of Representatives in an overwhelming vote.

However, Sophos, a world leader in protecting businesses against viruses and spam, believes that the legislation will not help, and - if anything - has the potential to create confusion and encourage even more companies to send unsolicited emails.

In a vote on Saturday, the House of Representatives voted 392-5 in favour of the bill. The Senate is expected to follow next week, with President George W Bush expected to sign the bill into law on 1 January.

The bill, which is known as CAN-SPAM ("Controlling the Assault of Non-Solicited Pornography and Marketing"), proposes an "opt-out" standard rather than the more vigorous "opt-in" process proposed by anti-spam experts such as Sophos.

Under the terms of the proposed law, certain forms of spam will be legal. The bill states that spammers may send as many "commercial electronic mail messages" as they wish, provided that the messages are obviously advertisements with a valid US postal address, and an unsubscribe link is present at the bottom. It would then be the responsibility of every individual to unsubscribe from any mailing list from which they did not wish to receive spam. An "opt-in" law would instead legalise only email from mailing lists that users have explicitly chosen to join.

"This legislation will be bad news for all computer users. The US authorities had the opportunity to make a real stand against spam, but through attempting to come to a compromise with the direct mail industry they have only managed to create an enormous fudge," said Graham Cluley, senior technology consultant for Sophos. "This bill acts as a green light for any company considering sending unsolicited email to millions of innocent users. Now they know they can go ahead, completely legally, as long as they include a message offering 'opt-out' at the end. This won't reduce the amount of spam people are likely to receive at all. If anything, it may make things worse."

Sophos is also concerned that the proposed new law conflicts with state-level laws already in place in some areas of the USA. For instance, a stricter "opt-in" law scheduled to be enforced in California will be overridden by this federal legislation.

"Confusion reigns as to which laws apply in which states - this was a wonderful chance for the House of Representatives to put in place a stringent law country-wide," continued Cluley. "The USA should have followed the precedents set by some other countries, and adopted tougher laws to crack down on spammers. As most spam originates from the United States it is likely we will all suffer from this muddy-headed legislation."

Although Sophos welcomes some aspects of the new legislation (making the use of stolen open proxies to relay spam illegal, for instance), it believes that many companies will view it as an endorsement of their current spam marketing initiatives, and that it will encourage them to continue.

Sophos recommends companies protect themselves with a consolidated solution which can defend businesses from the threats of both spam and viruses.