From: Keith Lynch <kfl@clark.net>
Date: Fri, 13 Jun 1997 00:14:07 -0400 (EDT)
Newsgroups: news.admin.net-abuse.email,news.admin.net-abuse.misc,alt.stop.spamming
Subject: I went to the FTC spam hearing today (long)

Today I went to the FTC hearings on spam from 9 am until 12:30.
Here's what I observed.

Actually, the hearings were on "Consumer Online Privacy," and they are
lasting four days (June 10th-13th).  Spam is just a small part of that.

I think it's unfortunate that spam is categorized as primarily a
privacy concern.  I see it as primarily theft of services and fraud.
A burglar is not just a variety of peeping tom.  Yes, he invades your
privacy, but that's not what's most objectionable about having your
household possessions stolen.

This message attempts to come as close to giving you the experience of
being at the hearings as possible.

I arrived at the FTC at about 9 am.  The closest entrance was labelled
as being for employees and the handicapped, and a sign directed
visitors to another entrance, half a block away.  I entered the
visitor entrance, walked through a metal detector (which didn't go
off, as I had nothing metal on me), and walked past the guard desk
to the elevators.  There were no signs indicating where the privacy
hearings were.  So I returned to the guard desk to ask.

The guard asked to see my ID.  I told her I didn't have one.  She
asked incredulously "what about your drivers license?"  I told her
I took the Metro.  And that I had called the previous day and been
assured the hearings were open to the general public.  Surely I don't
need papers to prove I'm a member of the general public?  She mulled
on this for a minute, as if I were the first person ever to attempt to
enter without an ID.  (Rather ironic, since I was going to a privacy
hearing.)  Finally, she just had me print and sign my name in a log
book, and walk through the metal detector again.  She then gave me a
yellow cardboard nametag, good for all four days, with blanks for name
and company.  I wrote in my name, left company blank, and put it in my
pocket.

I went to the fourth floor, where she told me the hearings were.  In
the hall outside the room were two long tables filled with handouts
from various groups.  There were also two cans of spam on the table.
As I attempted to enter the room, I was stopped by a door guard, who
told me that the room was full and I could view the proceedings via
closed circuit TV from the 3rd or 5th floor.  I could see that there
were empty seats, but she said they were being saved for people still
to arrive.

Maybe I should have worn suit and tie.  Almost every other man in the
whole building was dressed up.

I went to the third floor.  The room was very cold, and had about
20 people in it, watching a blurry projection TV image with barely
audible sound.  About 100 people could have fit in the room.  After 5
minutes, I went to the fifth floor.  That room was about the same size
and had about the same number of people in it.  It wasn't as cold,
and it had a decent large TV set sitting on a table in the front.  I
stayed there for about an hour, until there was a ten minute break.
At the end of the break, I slipped into the hearing room by mingling
with the returning crowd.  There were plenty of empty seats labelled
"press only".  I sat in one, and stayed there until the spam-related
hearings ended at 12:30.

Just because I'm not paid by a newspaper or radio or TV station
doesn't mean I'm not a reporter.  I'm reporting right now.  (Maybe
someday I should have a press pass printed up showing that I write for
"Usenet Netnews".)

There were about 80 people in the audience, and about 20 presenters.
Almost everyone in the audience appeared to be reporters.  (Similarly
on the third and fifth floors.)  About 20 seats were empty.

The room was roughly a half-circle shape.  The presenters sat behind
several long tables set end-to-end roughly conforming to the curvature
of the half-circle part of the room.  The audience sat with their
backs to the flat wall, which opened into the hallway.  Behind the
presenters were a US flag and an FTC flag.  The curved wall had seven
windows to the outdoors, all of which were curtained.  When I was
watching from upstairs, Shabbir Safdar commented on how cold the
(4th floor) room was, but when I was in there it was reasonably warm,
perhaps because of all the people in it and the hot TV lights.  There
were four TV cameras operating.  Also ISP-TV, run by a guy wearing
a Digex T-shirt, who seemed to be the only man besides myself not
wearing a suit or tie.  He told me that only about one image per 30
seconds was being sent.  I don't know whether Digex was also providing
the live RealAudio feed to the net.

Sanford Wallace was one of the presenters.  He is of average
height, young, moderately fat, with medium length brown hair,
thick wire-rimmed glasses, and a nearly absent chin.

Walt Rines of the IEMMC was another of the presenters.  On the fifth
floor, the reporter sitting next to me asked me if I had caught his
name and affiliation.  She had missed it when it was announced, his
name plate was sideways to the camera, and he wasn't listed on the
agenda.  I told her who he was, and that he was total slime and not to
believe a word he said.  During the break, I briefly explained spam to
her before heading for the fourth floor.  I hope I contributed to
making her article more accurate.  Sorry, I don't know who she is or
who she writes for.

Walt Rines looks much like Sanford Wallace.  He's a little taller, but
about equally fat, and appears to be about the same age.  He doesn't
wear glasses.  He has brown hair and blue eyes.  He and Wallace both
have a slightly oily look about them, as if they'd been perspiring.

At no time did anyone in the audience have a chance to ask questions
or make statements.

FTC Commissioner Christine Varney seemed to be in charge, and to ask
the most questions.

Enough description.  On to what they were saying.

When asked if he minded it being called "spam," Wallace said he didn't
care one way or the other.  "Spam," "spammer," and "spamming" were the
terms used for the remainder of the hearings.

He emphasized that he uses nothing but "standard communications
protocols defined by the founders of the net".  I'm sure he does.
And bank robbers use standard English when demanding money.  And
safe-crackers use the correct combination when stealing from a safe.

He said that "we don't decide who gets spammed".  He just sells
software to accumulate addresses, software to send spam to a list of
addresses, and ISP access for spammers.  His customers may purchase
any or all of these three things.  He does not censor his customers.
He compared CyberPromo to a newspaper selling space to advertisers.
If he is made aware of a fraudulent or threatening ad, he will get
rid of that customer, but he takes no steps to do prior checks on his
clients' advertising claims.

His customers are required to accept and honor remove requests.  The
ability to do this is built into the spamming software he sells.

Implicit in what he said was that he has no one remove list which is
enforced on his customers.  If someone wants to stop getting spammed
by his customers, they have to write to each one individually,
assuming they could get a complete list, which they can't.

His address harvesting software doesn't violate anyone's privacy,
he claimed, because it only accumulates addresses from "public
databases," such as AOL profiles, classified ads (?), web pages,
and Usenet postings.

Jill Lesser, a presenter from AOL, objected that AOL profiles are
not "public databases".  They are for the use of AOL members only.
Every AOL member signs an agreement not to spam those people, and
not to provide such lists to others.  She did mention, however, that
AOL sells its membership list to advertisers "as is the industry
standard".  She apparently meant conventional US-mail advertisers.
She pointed out that AOL members (why does she call them "members"
instead of "users"?) get to decide whether to get ads, and in what
categories.  (I think those are banner ads for which AOL is paid.)
She wasn't happy with spammers overriding those user preferences.
She said AOL filters spam, but that these filters don't work very
well, since spammers keep changing their headers.

Someone else brought up the fact that AOL had successfully sued
Wallace to stop changing domains when spamming AOL.  She said she
didn't want to comment on that case, except to say that AOL was now
satisfied with Wallace's current behavior.

In response to other questions, she mentioned that AOL does not track
which of its members are children.  They used to sell lists of users
who used the "AOL store" but no longer do so.

She mentioned that "spam" is AOL members' number one complaint by far.

There was a prolonged digression into web sites which require people
to give personal information for access, and whether spammers make use
of such information.

Wallace and Rines both touted the IEMMC and its "universal" remove
list.  One or both of them claimed that 90% of all spammers are IEMMC
members.  It was conceded that this remove list wasn't working yet,
but it was claimed in an IEMMC handout dated today (June 12th) that it
would be working by the end of this month.  It's clear that, rumors to
the contrary, CyberPromo is still an IEMMC member.

AOL's Jill Lesser strongly disagreed with the claim that 90% of spam
is from IEMMC members.  (So do I.)  She read a spammed ad for a
"stealth mailer" that will send one million spams per hour and have
ISPs "spinning their wheels" trying to figure out who is doing it, all
for $400.  She said that AOL members get 15 million e-mails per day,
of which between 5% and 30% are spam.  I am surprised the percentage
is so low.  My mailbox exceeded 50% spam months ago.

Eric Wenger, an Assistant Attorney General in New York, is also
skeptical that 90% of all spam is from IEMMC members.  He points out
how easy it is for a spammer to set up shop.  But he thinks the IEMMC
code of ethics is reasonable.

Shabbir Safdar of VTW (Voters Telecommunications Watch) said that 25%
of all e-mail is spam.  He projects that spam will grow linearly.

I disagree.  I project that it will continue to grow exponentially, as it
has been.  That's the nature of self-replicating systems, whether they
be noxious bacteria, chain letters, MLM schemes, or ads for lists of
e-mail addresses that one can use to spam ads for lists of e-mail
addresses.  Exponential growth until the self-replicating system is
killed off, or until it dies by having destroyed its growth medium
(e.g. culture medium, medical patient, or the Internet) is the rule.

Safdar doesn't think people will stop using e-mail.

I disagree.  Lots of people have already stopped.  In a year or two,
so will almost everyone else, if something isn't done about spam.

He favors technical solutions, and gives adding ".nospam" to one's
address as a solution.  Nobody brought up the fact that Wallace's
software, among others, automatically strips off ".nospam" and other
common spamblocks when accumulating addresses.  Or the fact that
spamblocks make it difficult to send legitimate replies.  Impossible,
for some mail software.

Wallace mentioned that CyberPromo has a firm policy of not allowing
third-party relaying.  Any CyberPromo customer who does this will be
kicked off.  When asked how long this policy had been in place, he
replied "one week".  That got some laughter from the audience.

When asked if there was a cost associated with receiving spam,
Wallace conceded that there was.  But he compared it with the cost of
receiving third-class mail -- trash disposal!  And with the cost of
getting ads on TV -- electric bills!  He said there was no comparison
with junk fax, as that consumes paper.  Nobody asked him whether he
was formerly in the junk fax business.

As for the cost to ISPs, he said that they pay to receive e-mail
anyway, so what makes his e-mail any different?  These machines are
set up to deliver e-mail to their users.  That's exactly what they're
for.  So there is an "implied right" to spam.

When asked about spam being seen by children, he replied that he had
never seen spam targeted to children.  This sounds plausible to me,
but unfortunately nobody thought to ask what keeps children from
seeing pornographic spam.  The answer, of course, is nothing.

Al Mouyal is the founder and head of the IMC (Internet Marketing
Council).  This is not to be confused with the IEMMC.  Or perhaps it
*is* to be confused with the IEMMC, as they sound much alike.  It's
another group of "ethical" spammers, which will have a spiffy logo and
a "universal" remove list.  Yawn.  Oh yes, members are also required
to put "advertisement" in the subject field of all spam.

He gave a surprisingly good explanation for why present-day spam is
almost all for sleaze and worthless scams.  Reputable companies won't
go near spam -- or even use opt-in lists -- for fear of massive
boycotts and loss of reputation.  Many people who opt in later forget
that they opted in, and flame the "spammer".  I can believe this.
I've come close to doing exactly that myself.  After I complain about
twenty consecutive messages, it's hard to notice that the twenty-first
is not spam, and refrain from complaining.  Especially if it is a
commercial message.

Ram Avrahami (who sued a newspaper for selling his name) claimed to
have a "universal" opt-out list, which would solve the spam problem
once and for all.  He claims that Wallace uses his list.  Why am I
getting such a strong sense of deja vu here?  At least he admits that
80% of the one thousand (!) spammers he's aware of ignore his list.
In response to a question, he replied that 2% of all spam is religious
rather than commercial.  He has a collection of 2000 distinct spams.
There is no overlap between DMA (Direct Marketing Association) members
and these spammers.  He points out that spammers can buy a list of one
million e-mail addresses for $11, which is one thousand times less
expensive than a list of that many street addresses.

DMA's H. Robert Wientzen said his organization was developing --
you'll never guess -- a "universal" remove list!  It will be ready in
the US in 6 months, and worldwide in a year.  How could it possibly
fail?  He says it's "too early for legislation".

Safdar mentioned the irony of discussing giant databases of millions
of e-mail addresses at a privacy conference.  Wientzen responded
that this was not a privacy violation since opt-out lists are always
opt-in!  In other words, nobody is ever added to such a list except
by their own request.  (We had to destroy privacy to save it?)

Someone quoted part of a spam from one of Wallace's customers.  I
happen to have saved that January 5th spam, so here is the part that
was quoted:

  To keep up with the respect of internet users who wish their names
  removed from Noci Marketing's emailing list, simply mail to:
  noci@cyberpromo.com and type "remove" in the subject field or message
  body. It's that simple.  NOTE TO FLAMERS:DON'T DO IT! We will comply
  with and respect all REMOVE requests, but if we are flamed we will
  (a)FLAME YOU 1000 times as much (b)email to 3 million people a
  questionable item with your return email address. We want respect
  as much as anyone else, so if you give it, you shall receive it.

Wallace replied that he had immediately terminated that customer.  He
did indeed claim at the time to have done so.  However, I happen to
know that this is Yuri Rutman, and that his account name was simply
changed from noci to italivest.  As far as I know, he is still a
CyberPromo customer.

Simona Nass of Panix described filtering as a never-ending "arms
race".  Spammers keep finding ways around the filters, which then have
to be constantly updated.  She said that spam labelling requirements,
as required by the Murkowski bill (S.771), and as suggested by
Mouyal's IMC, would be asking the "offenders to police themselves".
She didn't see how such a law would be enforceable.  How could the
spammers be tracked down?  And how would anyone prove that they really
received the spam they claimed to have received?

I agreed with everything she said, until she went on to claim that
people were "researching opt-in".  What's to research?  There have
been opt-in lists on the net for at least 22 years.  (See my Internet
timeline at http://keithlynch.net/timeline.html.)

Raymond Everett of CAUCE compared spam to environmental pollution.
Both save the spammer or polluter money, but only at the expense of
shifting costs to uninvolved people.  He claimed that technical
solutions won't work.

Wallace mentioned that AOL is filtering out all messages with fake
domains in the headers.  AOL's Jill Lesser responded that this
filtering only works for domains which are not registered, not for
real domains which are forged.

Wenger agreed with someone's question that fraudulent headers tend to
go with fraudulent contents.  He gave as an example a spammer named
Lipsitz, who was prosecuted for magazine subscription fraud.

Rosalind Resnick, the President of NetCreations, says that
NetCreations is now 100% opt-in, with 3000 topic lists and 3 million
subscribers.  She claims they get two to three times the postal
response rate for half to a third the cost.  She says that spammers
who hijack SMTP ports should be prosecuted for theft of services and
fraud.

FTC Commissioner Christine Varney seemed to misunderstand what was
meant by SMTP hijacking.  What it means is the spammer telnets to
someone else's computer's SMTP port, and has that machine send their
e-mail until it crashes, invariably losing real e-mail in the process,
and leaving a hell of a mess for sysadmins to clean up.  Varney seemed
to think that e-mail just naturally bounces around from one system to
another in the course of getting to the recipient, and the spammer has
little control over this.  Nobody corrected this misunderstanding.
Wallace said something to confuse the situation further.

Nass mentioned that there's a two-line fix to prevent SMTP hijacking,
but that it wasn't usable on sites that host virtual domains such
as your-name-here.com.  Technical fixes to those SMTP servers
are possible, but rather involved, and would generally void the
maintenance agreement.  She didn't seem to notice that Varney was
totally misunderstanding what SMTP hijacking is.

Deirdre Mulligan of the CDT (Center for Democracy and Technology)
mentioned that there's lots of confusion as to what spam is.  She
mentioned that a congressional staffer was complaining about getting
500 "spam" e-mail messages (from 500 different senders) on the topic
of upcoming legislation.

IEMMC's Walt Rines is totally in favor of opt-in.  Opt-out, too.
"Let opt-in and opt-out coexist," he says in a voice of sweet
reasonableness.  (What is wrong with this picture?)

David Sorkin, a law professor, discussed the Smith bill and several
similar state bills, all of which would outlaw spam.  He opposes the
Murkowski bill, saying it would be an unfunded mandate on ISPs.  (The
Murkowski bill would mandate that all spam is labelled as such, and
that ISPs offer all users free filtering of same.)  He suggests that
spammers could be prosecuted under existing harassment laws.

He suggests that if nothing is done we will soon get "trillions" of
spams per day.  (Assuming 50 million users, that would be 20,000 spams
per day per user.)  I think this is indeed quite likely in two or
three years, unless e-mail simply stops being used first.  Nobody else
seemed to think that spam would grow at all, at least not very much
or very quickly.

George Nemeyer, of Tigerden Internet Services, and Internet Service
Providers Consortium, favors the Smith bill which would ban spam.
(After the hearing ended, I saw him in a heated argument with Walt
Rines about spam, and about its cost to ISPs.  Rines insisted that
processing all incoming e-mail was simply what ISPs are supposed to
do and supposed to pay for.)

FTC Commissioner Christine Varney said she wanted to go after a few of
the worst fraudulent spammers and prosecute them for fraud.  But she
says they're virtually impossible to find.  (Really?  They always
mention a phone number or P.O. box.)  She said she liked the IEMMC's
code of ethics.  (Sigh.)  At the close, she thanked Wallace and Rines
for their "courage" in coming there.

After the hearing, I went up to Walt Rines and congratulated him.
"Very slick," I said.  "I think you just bought yourself another six
months.  I guess you can take the web page down now that it's served
its purpose."  He didn't reply.

[ In fact, he and Wallace were offline just four months later -- KFL 1998 ]

I handed Sanford Wallace a list of my e-mail addresses, with the word
REMOVE in very large letters at the top.  The sheet of paper says I
don't want to get spam from him, his customers, or anyone else, on any
of those addresses.  He replied "it's a deal".  He really is slick as
a snake in person.  If you didn't know what he's really like, you'd
find yourself buying a used car from him -- even if you don't drive.

[ As of June 27th, I've been spammed by CyberPromo every single day
  since the hearing on the 12th.  I've been spammed by them almost
  every day since last August. ]

I also talked to Al Mouyal.  He is a non-stop talker, hardly letting
me get a word in edgewise.  He claims to have legitimate businesses
such as GNC as customers, and to mostly send solicited e-mail, but
also some spam.  He says he has a remove list, with confirmation.  And
his own personal 800 number which appears in every spam.  And a spam
label in each spam.  He seemed to be skeptical when I told him how
much spam I get.  He asked me to look at his site, edmarketing.com.
I haven't done so yet.

I also talked to Blair Richardson of Aristotle.  They are developing
-- hold onto your hats -- a "universal" remove list!  Which Sanford
Wallace will not only respect, but will forfeit a million dollars if
he abuses!  Color me skeptical.  They have changed their mind about
the limit of five addresses per person, but not about the requirement
that one be a registered voter.  Apparently they also require lots of
personal information.  He said Aristotle will refer non-voters, and
those who refuse to divulge personal information, to Jason Catlett of
Junkbusters.  They too have a "universal" remove list, he explained.
(Lost count yet?)

This message can also be found as http://keithlynch.net/ftc.html.
Within a couple days, I plan to turn every mention of a person or
organization into a link to that person or organization's web page.  [ Done ]
While I have your attention, please also consider downloading
http://keithlynch.net/toll.html, my list of toll-free numbers
recently seen in spam, and giving each of them a call.

I wish I could get that list, and this message, to everyone interested
in fighting spam.  I also wish I could have spoken at those FTC
hearings.  But then, that's precisely the problem, isn't it?  Everyone
who has something to say can't force it on everyone, or else everyone
would be buried in unwanted excess information.  That's the real spam
problem.
--
Keith Lynch, kfl@keithlynch.net
http://keithlynch.net/
I boycott all spammers.
[ As of August, a complete transcript of these spam hearings is available at consumer.net, in three parts. ]
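
Added example, not part of the original post: the "SMTP hijacking" described above is third-party relaying, and a mail server can refuse it by accepting a recipient only when the connecting client or the recipient's domain is its own. The Python below makes that decision at RCPT TO time, with hosted virtual domains listed explicitly; every network, domain and function name in it is an assumption chosen for illustration.

```python
"""Relay policy for an SMTP server: accept mail to us or from us, nothing else."""
import ipaddress

# Constructed site configuration (documentation address ranges and domains).
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # our own dial-up/LAN clients
LOCAL_DOMAINS = {"example.net"}                          # mailboxes on this host
VIRTUAL_DOMAINS = {"your-name-here.example"}             # customer domains we host


def domain_of(address):
    """Return the lowercased domain of an RCPT TO address, or None if malformed."""
    address = address.strip().strip("<>")
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()


def is_local_client(client_ip):
    """True when the connecting peer is inside one of our own networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in LOCAL_NETWORKS)


def has_embedded_route(address):
    """True when the local part asks us to forward onward (old '%' or '!' routing)."""
    local = address.strip().strip("<>").rpartition("@")[0]
    return "%" in local or "!" in local


def rcpt_decision(client_ip, rcpt_to):
    """Return the SMTP reply line for one RCPT TO command."""
    domain = domain_of(rcpt_to)
    if domain is None:
        return "501 Bad recipient address syntax"
    if is_local_client(client_ip):
        return "250 OK"  # our own users may send anywhere
    # From here on the client is a stranger: only mail addressed to us is accepted.
    if has_embedded_route(rcpt_to):
        return "550 Relaying denied"
    if domain in LOCAL_DOMAINS or domain in VIRTUAL_DOMAINS:
        return "250 OK"
    return "550 Relaying denied"


if __name__ == "__main__":
    # Constructed sessions: (connecting IP, RCPT TO argument).
    sessions = [
        ("192.0.2.10", "<friend@elsewhere.example>"),          # local user, outbound
        ("203.0.113.5", "<user@example.net>"),                 # stranger, inbound to us
        ("203.0.113.5", "<owner@your-name-here.example>"),     # stranger, hosted domain
        ("203.0.113.5", "<target@elsewhere.example>"),         # stranger to stranger
        ("203.0.113.5", "<target%elsewhere.example@example.net>"),
    ]
    for ip, rcpt in sessions:
        print(f"{ip:15} {rcpt:45} -> {rcpt_decision(ip, rcpt)}")
```

Keeping the virtual-domain list complete is the operational burden here: a hosted domain missing from it has its inbound mail refused as a relay attempt.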