Home/red-rock-eater/FTC spam hearing

FTC spam hearingwriting

mediainternet-policyprivacylibrariestelecommunicationsdemocracyrrelawcommerceforwarded-contentgovernment-infoauto-importedrre-postadministrative
18 min read · Edit on Pyrite

Source

Automatically imported from: http://commons.somewhere.com:80/rre/1997/FTC.spam.hearing.html

Content

This web service brought to you by Somewhere.Com, LLC.

FTC spam hearing

``` [Forwarded with permission. At http://www.clark.net/pub/kfl/ftc.html is a hyperlinked version. Keith's tale reminded me of my one visit to a formal hearing in Washingon, a Senate Judiciary Committee hearing on one of the bills that was somewhat worse than the Communications Decency Act. I only remember one single detail of that hearing. Perhaps an hour into it, a couple of guys, lobbyist types, poked their heads in through the door and flashed knowing smiles at one another. I'll never forget the one of them who I could see clearly: a white guy in his early 40s with a very serious tan, wearing a suit that cost more than my car and a splendiferous yellow silk tie that was somehow like the one spot of color in a black-and-white movie. His body language was kinetic, even feline, joyously alert, so comfortably assured of dinner that he was going around pouncing on lizards just for fun, taking a moment out to smile at the longhairs and reporters who showed up at this hearing from principle, and who were probably taking the subway home.]

---

This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help@weber.ucsd.edu

---

Date: Fri, 13 Jun 1997 00:14:07 -0400 (EDT) From: Keith Lynch Newsgroups: news.admin.net-abuse.email,news.admin.net-abuse.misc,alt.stop.spamm ing Subject: I went to the FTC spam hearing today (long)

Today I went to the FTC hearings on spam from 9 am until 12:30. Here's what I observed.

Actually, the hearings were on "Consumer Online Privacy," and they are lasting four days (June 10th-13th). Spam is just a small part of that.

I think it's unfortunate that spam is categorized as primarily a privacy concern. I see it as primarily theft of services and fraud. A burglar is not just a variety of peeping tom. Yes, he invades your privacy, but that's not what's most objectionable about having your household posessions stolen.

This message attempts to come as close to giving you the experience of being at the hearings as possible.

I arrived at the FTC at about 9 am. The closest entrance was labelled as being for employees and the handicapped, and a sign directed visitors to another entrance, half a block away. I entered the visitor entrance, walked through a metal detector (which didn't go off, as I had nothing metal on me), and walked past the guard desk to the elevators. There were no signs indicating where the privacy hearings were. So I returned to the guard desk to ask.

The guard asked to see my ID. I told her I didn't have one. She asked incredulously "what about your drivers license?" I told her I took the Metro. And that I had called the previous day and been assured the hearings were open to the general public. Surely I don't need papers to prove I'm a member of the general public? She mulled on this for a minute, as if I were the first person ever to attempt to enter without an ID. (Rather ironic, since I was going to a privacy hearing.) Finally, she just had me print and sign my name in a log book, and walk through the metal detector again. She then gave me a yellow cardboard nametag, good for all four days, with blanks for name and company. I wrote in my name, left company blank, and put it in my pocket.

I went to the fourth floor, where she told me the hearings were. In the hall outside the room were two long tables filled with handouts from various groups. There were also two cans of spam on the table. As I attempted to enter the room, I was stopped by a door guard, who told me that the room was full and I could view the proceedings via closed circuit TV from the 3rd or 5th floor. I could see that there were empty seats, but she said they were being saved for people still to arrive.

Maybe I should have worn suit and tie. Almost every other man in the whole building was dressed up.

I went to the third floor. The room was very cold, and had about 20 people in it, watching a blurry projection TV image with barely audible sound. About 100 people could have fit in the room. After 5 minutes, I went to the fifth floor. That room was about the same size and had about the same number of people in it. It wasn't as cold, and it had a decent large TV set sitting on a table in the front. I stayed there for about an hour, until there was a ten minute break. At the end of the break, I slipped into the hearing room by mingling with the returning crowd. There were plenty of empty seats labelled "press only". I sat in one, and stayed there until the spam-related hearings ended at 12:30.

Just because I'm not paid by a newspaper or radio or TV station doesn't mean I'm not a reporter. I'm reporting right now. (Maybe someday I should have a press pass printed up showing that I write for "Usenet Netnews".)

There were about 80 people in the audience, and about 20 presenters. Almost everyone in the audience appeared to be reporters. (Similarly on the third and fifth floors.) About 20 seats were empty.

The room was roughly a half-circle shape. The presenters sat behind several long tables set end-to-end roughly conforming to the curvature of the half-circle part of the room. The audience sat with their backs to the flat wall, which opened into the hallway. Behind the presenters were a US flag and an FTC flag. The curved wall had seven windows to the outdoors, all of which were curtained. When I was watching from upstairs, Shabbir Safdar commented on how cold the (4th floor) room was, but when I was in there it was reasonably warm, perhaps because of all the people in it and the hot TV lights. There were four TV cameras operating. Also ISP-TV, run by a guy wearing a Digex T-shirt, who seemed to be the only man besides myself not wearing a suit or tie. He told me that only about one image per 30 seconds was being sent. I don't know whether Digex was also providing the live RealAudio feed to the net.

Sanford Wallace was one of the presenters. He is of average height, young, moderately fat, with medium length brown hair, thick wire-rimmed glasses, and a nearly absent chin.

Walt Rines of the IEMMC was another of the presenters. On the fifth floor, the reporter sitting next to me asked me if I had caught his name and affiliation. She had missed it when it was announced, his name plate was sideways to the camera, and he wasn't listed on the agenda. I told her who he was, and that he was total slime and not to believe a word he said. During the break, I briefly explained spam to her before heading for the fourth floor. I hope I contributed to making her article more accurate. Sorry, I don't know who she is or who she writes for.

Walt Rines looks much like Sanford Wallace. He's a little taller, but about equally fat, and appears to be about the same age. He doesn't wear glasses. He has brown hair and blue eyes. He and Wallace both have a slightly oily look about them, as if they'd been perspiring.

At no time did anyone in the audience have a chance to ask questions or make statements.

FTC Commissioner Christine Varney seemed to be in charge, and to ask the most questions.

Enough description. On to what they were saying.

When asked if he minded it being called "spam," Wallace said he didn't care one way or the other. "Spam," "spammer," and "spamming" were the terms used for the remainder of the hearings.

He emphasized that he uses nothing but "standard communications protocols defined by the founders of the net". I'm sure he does. And bank robbers use standard English when demanding money. And safe-crackers use the correct combination when stealing from a safe.

He said that "we don't decide who gets spammed". He just sells software to accumulate addresses, software to send spam to a list of addresses, and ISP access for spammers. His customers may purchase any or all of these three things. He does not censor his customers. He compared CyberPromo to a newspaper selling space to advertisers. If he is made aware of a fraudulent or threatening ad, he will get rid of that customer, but he takes no steps to do prior checks on his clients' advertising claims.

His customers are required to accept and honor remove requests. The ability to do this is built into the spamming software he sells.

Implicit in what he said was that he has no one remove list which is enforced on his customers. If someone wants to stop getting spammed by his customers, they have to write to each one individually, assuming they could get a complete list, which they can't.

His address harvesting software doesn't violate anyone's privacy, he claimed, because it only accumulates addresses from "public databases," such as AOL profiles, classified ads (?), web pages, and Usenet postings.

Jill Lesser, a presenter from AOL, objected that AOL profiles are not "public databases". They are for the use of AOL members only. Every AOL member signs an agreement not to spam those people, and not to provide such lists to others. She did mention, however, that AOL sells its membership list to advertisers "as is the industry standard". She apparently meant conventional US-mail advertisers. She pointed out that AOL members (why does she call them "members" instead of "users"?) get to decide whether to get ads, and in what categories. (I think those are banner ads for which AOL is paid.) She wasn't happy with spammers overriding those user preferences. She said AOL filters spam, but that these filters don't work very well, since spammers keep changing their headers.

Someone else brought up the fact that AOL had successfully sued Wallace to stop changing domains when spamming AOL. She said she didn't want to comment on that case, except to say that AOL was now satisfied with Wallace's current behavior.

In response to other questions, she mentioned that AOL does not track which of its members are children. They used to sell lists of users who used the "AOL store" but no longer do so.

She mentioned that "spam" is AOL members' number one complaint by far.

There was a prolonged digression into web sites which require people to give personal information for access, and whether spammers make use of such information.

Wallace and Rines both touted the IEMMC and its "universal" remove list. One or both of them claimed that 90% of all spammers are IEMMC members. It was conceded that this remove list wasn't working yet, but it was claimed in an IEMMC handout dated today (June 12th) that it would be working by the end of this month. It's clear that, rumors to the contrary, CyberPromo is still an IEMMC member.

AOL's Jill Lesser strongly disagreed with the claim that 90% of spam is from IEMMC members. (So do I.) She read a spammed ad for a "stealth mailer" that will send one million spams per hour and have ISPs "spinning their wheels" trying to figure out who is doing it, all for $400. She said that AOL members get 15 million e-mails per day, of which between 5% and 30% are spam. I am surprised the percentage is so low. My mailbox exceeded 50% spam months ago.

Eric Wenger, an Assistant Attorney General in New York, is also skeptical that 90% of all spam is from IEMMC members. He points out how easy it is for a spammer to set up shop. But he thinks the IEMMC code of ethics is reasonable.

Shabbir Safdar of VTW (Voters Telecommunications Watch) said that 25% of all e-mail is spam. He projects that spam will grow linearly.

I disagree. I project that it will continue grow exponentially, as it has been. That's the nature of self-replicating systems, whether they be noxious bacteria, chain letters, MLM schemes, or ads for lists of e-mail addresses that one can use to spam ads for lists of e-mail addresses. Exponential growth until the self-replicating system is killed off, or until it dies by having destroyed its growth medium (e.g. culture medium, medical patient, or the Internet) is the rule.

Safdar doesn't think people will stop using e-mail.

I disagree. Lots of people have already stopped. In a year or two, so will almost everyone else, if something isn't done about spam.

He favors technical solutions, and gives adding ".nospam" to one's address as a solution. Nobody brought up the fact that Wallace's software, among others, automatically strips off ".nospam" and other common spamblocks when accumulating addresses. Or the fact that spamblocks make it difficult to send legitimate replies. Impossible, for some mail software.

Wallace mentioned that CyberPromo has a firm policy of not allowing third-party relaying. Any CyberPromo customer who does this will be kicked off. When asked how long this policy had been in place, he replied "one week". That got some laughter from the audience.

When asked if there was a cost associated with receiving spam, Wallace conceded that there was. But he compared it with the cost of receiving third-class mail -- trash disposal! And with the cost of getting ads on TV -- electric bills! He said there was no comparison with junk fax, as that consumes paper. Nobody asked him whether he was formerly in the junk fax business.

As for the cost to ISPs, he said that they pay to receive e-mail anyway, so what makes his e-mail any different? These machines are set up to deliver e-mail to their users. That's exactly what they're for. So there is an "implied right" to spam.

When asked about spam being seen by children, he replied that he had never seen spam targeted to children. This sounds plausible to me, but unfortunately nobody thought to ask what keeps children from seeing pornographic spam. The answer, of course, is nothing.

Al Mouyal is the founder and head of the IMC (Internet Marketing Council). This is not to be confused with the IEMMC. Or perhaps it is to be confused with the IEMMC, as they sound much alike. It's another group of "ethical" spammers, which will have a spiffy logo and a "universal" remove list. Yawn. Oh yes, members are also required to put "advertisement" in the subject field of all spam.

He gave a surprisingly good explanation for why present-day spam is almost all for sleaze and worthless scams. Reputable companies won't go near spam -- or even use opt-in lists -- for fear of massive boycotts and loss of reputation. Many people who opt in later forget that they opted in, and flame the "spammer". I can believe this. I've come close to doing exactly that myself. After I complain about twenty consecutive messages, it's hard to notice that the twenty-first is not spam, and refrain from complaining. Especially if it is a commercial message.

Ram Avrahami (who sued a newspaper for selling his name) claimed to have a "universal" opt-out list, which would solve the spam problem once and for all. He claims that Wallace uses his list. Why am I getting such a strong sense of deja vu here? At least he admits that 80% of the one thousand (!) spammers he's aware of ignore his list. In response to a question, he replied that 2% of all spam is religious rather than commercial. He has a collection of 2000 distinct spams. There is no overlap between DMA (Direct Marketing Association) members and these spammers. He points out that spammers can buy a list of one million e-mail addresses for $11, which is one thousand times less expensive than a list of that many street addresses.

DMA's H. Robert Wientzen said his organization was developing -- you'll never guess -- a "universal" remove list! It will be ready in the US in 6 months, and worldwide in a year. How could it possibly fail? He says it's "too early for legislation".

Safdar mentioned the irony of discussing giant databases of millions of e-mail addresses at a privacy conference. Wientzen responded that this was not a privacy violation since opt-out lists are always opt-in! In other words, nobody is ever added to such a list except by their own request. (We had to destroy privacy to save it?)

Someone quoted part of a spam from one of Wallace's customers. I happen to have saved that January 5th spam, so here is the part that was quoted:

To keep up with the respect of internet users who wish their names removed from Noci Marketing's emailing list, simply mail to: noci@cyberpromo.com and type "remove" in the subject field or message body. It's that simple. NOTE TO FLAMERS:DON'T DO IT! We will comply with and respect all REMOVE requests, but if we are flamed we will (a)FLAME YOU 1000 times as much (b)email to 3 million people a questionable item with your return email address. We want respect as much as anyone else, so if you give it, you shall receive it.

Wallace replied that he had immediately terminated that customer. He did indeed claim at the time to have done so. However, I happen to know that this is Yuri Rutman, and that his account name was simply changed from noci to italivest. As far as I know, he is still a CyberPromo customer.

Simona Nass of Panix described filtering as a never-ending "arms race". Spammers keep finding ways around the filters, which then have to be constantly updated. She said that spam labelling requirements, as required by the Murkowski bill (S.771), and as suggested by Mouyal's IMC, would be asking the "offenders to police themselves". She didn't see how such a law would be enforcable. How could the spammers be tracked down? And how would anyone prove that they really received the spam they claimed to have received?

I agreed with everything she said, until she went on to claim that people were "researching opt-in". What's to research? There have been opt-in lists on the net for at least 22 years. (See my Internet timeline at http://www.clark.net/pub/kfl/timeline.html.)

Raymond Everett of CAUCE compared spam to environmental pollution. Both save the spammer or polluter money, but only at the expense of shifting costs to uninvolved people. He claimed that technical solutions won't work.

Wallace mentioned that AOL is filtering out all messages with fake domains in the headers. AOL's Jill Lesser responded that this filtering only works for domains which are not registered, not for real domains which are forged.

Wenger agreed with someone's question that fraudulent headers tend to go with fraudlent contents. He gave as an example a spammer named Lipsitz, who was prosecuted for magazine subscription fraud.

Rosalind Resnick, the President of NetCreations, says that NetCreations is now 100% opt-in, with 3000 topic lists and 3 million subscribers. She claims they get two to three times the postal response rate for half to a third the cost. She says that spammers who hijack SMTP ports should be prosecuted for theft of services and fraud.

FTC Commissioner Christine Varney seemed to misunderstand what was meant by SMTP hijacking. What it means is the spammer telnets to someone else's computer's SMTP port, and has that machine send their e-mail until it crashes, invariably losing real e-mail in the process, and leaving a hell of a mess for sysadmins to clean up. Varney seemed to think that e-mail just naturally bounces around from one system to another in the course of getting to the recipient, and the spammer has little control over this. Nobody corrected this misunderstanding. Wallace said something to confuse the situation further.

Nass mentioned that there's a two-line fix to prevent SMTP hijacking, but that it wasn't usable on sites that host virtual domains such as your-name-here.com. Technical fixes to those SMTP servers are possible, but rather involved, and would generally void the maintenance agreement. She didn't seem to notice that Varney was totally misunderstanding was SMTP hijacking is.

Deirdre Mulligan of the CDT (Center for Democracy and Technology) mentioned that there's lots of confusion as to what spam is. She mentioned that a congressional staffer was complaining about getting 500 "spam" e-mail messages (from 500 different senders) on the topic of upcoming legislation.

IEMMC's Walt Rines is totally in favor of opt-in. Opt-out, too. "Let opt-in and opt-out coexist," he says in a voice of sweet reasonableness. (What is wrong with this picture?)

David Sorkin, a law professor, discussed the Smith bill and several similar state bills, all of which would outlaw spam. He opposes the Murkowski bill, saying it would be an unfunded mandate on ISPs. (The Murkowski bill would mandate that all spam is labelled as such, and that ISPs offer all users free filtering of same.) He suggests that spammers could be prosecuted under existing harassment laws.

He suggests that if nothing is done we will soon get "trillions" of spams per day. (Assuming 50 million users, that would be 20,000 spams per day per user.) I think this is indeed quite likely in two or three years, unless e-mail simply stops being used first. Nobody else seemed to think that spam would grow at all, at least not very much or very quickly.

George Nemeyer, of Tigerden Internet Services, and Internet Service Providers Consortium, favors the Smith bill which would ban spam. (After the hearing ended, I saw him in a heated argument with Walt Rines about spam, and about its cost to ISPs. Rines insisted that processing all incoming e-mail was simply what ISPs are supposed to do and supposed to pay for.)

FTC Commissioner Christine Varney said she wanted to go after a few of the worst fraudulent spammers and prosecute them for fraud. But she says they're virtually impossible to find. (Really? They always mention a phone number or P.O. box.) She said she liked the IEMMC's code of ethics. (Sigh.) At the close, she thanked Wallace and Rines for their "courage" in coming there.

After the hearing, I went up to Walt Rines and congratulated him. "Very slick," I said. "I think you just bought yourself another six months. I guess you can take the web page down now that it's served its purpose." He didn't reply.

I handed Sanford Wallace a list of my e-mail addresses, with the word REMOVE in very large letters at the top. The sheet of paper says I don't want to get spam from him, his customers, or anyone else, on any of those addresses. He replied "it's a deal". He really is slick as a snake in person. If you didn't know what he's really like, you'd find yourself buying a used car from him -- even if you don't drive.

I also talked to Al Mouyal. He is a non-stop talker, hardly letting me get a word in edgewise. He claims to have legitimate businesses such as GNC as customers, and to mostly send solicited e-mail, but also some spam. He says he has a remove list, with confirmation. And his own personal 800 number which appears in every spam. And a spam label in each spam. He seemed to be skeptical when I told him how much spam I get. He asked me to look at his site, edmarketing.com I haven't done so yet.

I also talked to Blair Richardson of Aristotle. They are developing -- hold onto your hats -- a "universal" remove list! Which Stanford Wallace will not only respect, but will forfeit a million dollars if he abuses! Color me skeptical. They have changed their mind about the limit of five addresses per person, but not about the requirement that one be a registered voter. Apparently they also require lots of personal information. He said Aristotle will refer non-voters, and those who refuse to divulge personal information, to Jason Catlett of Junkbusters. They too have a "universal" remove list, he explained. (Lost count yet?)

This message can also be found as http://www.clark.net/pub/kfl/ftc.html. Within a couple days, I plan to turn every mention of an person or organization into a link to that person or organization's web page. [ Done ] While I have your attention, please also consider downloading http://www.clark.net/pub/kfl/toll.html, my list of toll-free numbers recently seen in spam, and giving each of them a call.

I wish I could get that list, and this message, to everyone interested in fighting spam. I also wish I could have spoken at those FTC hearings. But then, that's precisely the problem, isn't it? Everyone who has something to say can't force it on everyone, or else everyone would be buried in unwanted excess information. That's the real spam problem.

---

Keith Lynch, kfl@clark.net http://www.clark.net/pub/kfl/ I boycott all spammers. ```

This web service brought to you by Somewhere.Com, LLC.