U.S. Attorney General John Ashcroft announced a major crackdown on e-mail scammers this week. Eileen Harrington, associate director of the Federal Trade Commission's consumer protection bureau, discussed the government's overall strategy to cut down on spam and online consumer fraud with washingtonpost.com reporter David McGuire.
A transcript follows.
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Hi Eileen, thanks for joining us. The Justice Department this week unveiled details of a massive criminal crackdown on deceptive spammers. How does that crackdown fit in with the federal government's overall strategy to stem the tide of spam clogging our inboxes.
Eileen Harrington: I just came back to my office from the announcement of this crackdown at DOJ. FTC Chairman Deborah Majoras joined Attorney General Ashcroft and other law enforcement partners in making the announcement. The overall strategy on spam is to first stop the spam that is criminal or otherwise illegal, and today's announcement was about that. The second objective is to enforce the new consumer protections in the federal CANSPAM statute that give consumers the right to opt out of receiving further email form specific senders. The third step is to work to encourage the private sector to improve filtering and other technologies so people can choose to keep this stuff out of their inboxes. This is a big issue, and it requires big minds, big resources, big creativity.
You gotta love the "Do-Not-Call" list - my telemarketing calls have been eliminated. Why did the FTC reject a similar list for spammers?
Eileen Harrington: Simply stated: we don't think it would work, and it would actually give spammers the best imaginable directory of live email addresses.
Will a U.S. federal agency ever be able to reduce or prevent spam, since so much of it originates overseas?
Eileen Harrington: The government, and laws, are only part of the spam solution. You are right in observing that spam, email, the internet, are international systems. We are working cooperatively with the governments of many other nations to develop coordinated law enforcement and policy. But smarter technology, and well educated email users --- for example, users who make good use of their ISP's spam filters -- are also part of the solution.
When US authorities discover that nefarious online operations are based somewhere like Canada, can they take advantage of their relations with the RCMP to "get their man," as it were? Are there already cases like this on record?
Eileen Harrington: Yes, we can and do use those excellent relationships. There are many cases on record involving cross-border fraud from Canada. Most are in the telemarketing area, but we are beginning to see cooperative enforcement in the spam arena as well.
Do you believe these enforcement actions will have much of an impact on spam? Seems like after you slap one spammer on the wrist, there are hundreds of others eager to step in and take advantage of such a low-cost way to swindle people out of their money.
Eileen Harrington: One of the main objectives of law enforcement is deterrence; we'll have to see what effect the actions announced today have, but generally, we know that there is some deterrent effect from enforcement. It's true that spamming is a low cost business activity, but we aim to make the consequences to those who get caught high cost.
I can't say what the trend is nationally, but I haven't seen the spam in my box go down since the government passed that law last year. If anything I have more messages clogging my box. Do you think these criminal cases may actually start to have an effect?
Eileen Harrington: It's too early to tell. The new federal law -- the CAN-SPAM Act -- gives civil and criminal law enforcers some new tools. But it's a new law, we're just starting to bring cases under it, and we'll have to see what effect it has in either reducing illegal spam, or slowing its growth. It's important to note that not all spam is illegal!
Is there a difference in the threshold of monetary damages that leads the DOJ to take on a spam case over the FTC? How does that work? Do you think it makes any more of a difference if the case comes from the FTC vs. the DOJ?
Eileen Harrington: The Federal Trade Commission and the Department of Justice have different enforcement authority. The FTC is authorized to seek civil remedies --- orders for restitution or to take away the money obtained through illegal activity; orders to halt illegal activity; orders to pay money back to consumers. So we stop ongoing practices and get money away from bad guys and, where possible, back to consumers. DOJ is a criminal enforcement agency and it enforces an array of federal criminal statutes that impose criminal sanctions --- incarceration, fines, forfeiture. The burdens of proof that must be met are different. Thresholds sometimes are a matter of law, more often a matter of setting priorities. The short answer is that each agency has enforcement priorities, but both are interested in looking at cases involving illegal spam. I think for any spammer it's very bad news to have the U.S. government coming after him or her.
Are the busts that we read about based on the Can-spam law? It seems like that law needs a serious public relations boost as it has been trounced nearly everywhere and by nearly everyone. Is Can-Spam working? Is that the message we should derive from this news?
Eileen Harrington: Some of the actions were brought under the CAN-SPAM law. Others were brought under a variety of other federal statutes. It's too early for us to know what effect CAN-SPAM is having on the overall prevalence of illegal spam. From my own inbox, I see it's had a huge effect on legitimate companies that use email --- most now carry the CAN-SPAM-required opt-out mechanism, and in my own experience, I've used it often and it seems to work.
At what point to consumers bear some of the responsibility for falling prey to some of these schemes? Who's buying herbal "male enhancement" pills from spammers anyway?
Eileen Harrington: Well, I am not buying those products!(I'm a woman). Yes, consumers bear some responsibility. The kinds of enforcement actions that were announced today, however, involved serious injury to consumers who weren't in a good position to know they were being scammed, or otherwise compromised (in the case of the phishing and identity theft cases).
Snapdragon Creek, ME:
Do the FTC or FBI ever hire "hackers" (either full-time or as consultants) to try to outwit spammers and online thieves in their attempts to ascertain their real identities?
Eileen Harrington: We have very good investigators. We don't need to hire hackers.
Has the FTC given any kind of credence to the idea of paying people a bounty to catch spammers? Or do you think that's the sort of idea that the spammers themselves would try to take advantage of?
Eileen Harrington: The CAN-SPAM Act directed the FTC to prepare a report to Congress on that very issue. Our report will be delivered to Congress on September 16, 2004, which is the date required by the statute. So,yes, we have been giving a lot of thought to that idea, and we'll be issuing a very interesting, thoughtful report on it in just a few weeks.
Is the FTC doing anything about blacklisters? It seems like these organizations, many of which are located overseas - i.e., SPEWs and SpamHaus - are forcing ISPs to operate by rules that are more restrictive than what CAN SPAM requires. For instance, some ISPs have taken down websites used by legitimate e-mail marketers to allow consumers to opt-out because the blacklister claims the marketer is a spammer, when in fact, the marketer is just trying to comply with CAN SPAM. This does not seem right. What recourse do legitimate marketers have against the unreasonable actions of blacklisters? These organizations seem to wield great influence over many ISPs. Can the FTC help legitimate marketers from this serious problem?
Eileen Harrington: The FTC convened a three-day forum on various aspects of the spam issue in the spring of 2003. Blacklisting, whitelisting, and other self-help approaches, received a lot of attention. The transcript of the entire three-day forum is online at www.ftc.gov. The questions you raise are discussed very well in those materials.
How much of the spam that hits my inbox is actually criminal? I find it all obnoxious, but I dunno if it rises to the standards of being an outright crime. How do you combat the simply annoying stuff?
Eileen Harrington: A lot of the spam you see is not criminal, or illegal in any way, but it can be very annoying. Here are some ways to reduce the annoying spam you receive:
1. use your spam filter
2. report spam so you don't get more from the same sender
3. forward your spam to firstname.lastname@example.org, the ftc's spam database. The spam you send us is available to the FTC, FBI, and many of our law enforcement partners. Even if it's only annoying to you, it helps us detect trends and can be useful in law enforcement investigations.
It seems to me that you guys are attacking the symptom rather than the cause of the disease. As long as spammers can make money from the unbelievably cheap medium of e-mail -- they'll continue to do so. Are there any proposals at a macro level to eliminate the financial motivation for spam?
Eileen Harrington: That's a suggestion that has long been discussed and proposed by some. This is really a market-place issue --- changing the fundamental cost burden of the email system is a change that needs to come from the marketplace, I think. Of course, I should be clear in stating that this and all of the views I express are my views, not necessarily those of the Federal Trade Commission.
Ulysses' Rise, Iowa:
Good afternoon and thanks for coming online. I am curious about why these actions are only happening now. Why has it taken so long to take action against criminals who seem to have operated with impunity until now?
Eileen Harrington: This is actually the third coordinated enforcement crackdown on Internet fraud and crime. Today's crackdown is the first, however, to make use of the new CAN-SPAM law. Here at the FTC, we brought our first law enforcement action against illegal online activity in 1994, before there was a World Wide Web. We have brought close to 400 actions against online fraudsters since then.
follow-up from Maine:
Hello again - Are your investigators hackers? Were they ever hackers before they became FTC investigators?
Eileen Harrington: Our investigators are very skilled, highly trained professionals. That's all I'll say on that subject.
Is the FTC looking at the growing trend of "spim," the practice of sending spam messages through instant messaging services? Any ideas about how to handle that problem? Any enforcement actions on the way?
Eileen Harrington: We brought a case earlier this year involving a similar set of facts --- spam that used pop-ups to sell software to block pop-ups. The problem you raise is of interest.
Do you think junk mail will continue to be such a problem that people will quit using e-mail as much? Also, what do you think of e-mail verification/challenge services, such as Mailblocks (which was recently bought by AOL).?
Eileen Harrington: We think that email is a vital medium -- vital to our economy, and increasingly vital in the daily lives of many citizens. We are determined to do what we can to keep spammers from running this wonderful medium into the ground -- but it will take a lot of innovation and discipline from the private sector, as well as wise government action, to make sure we protect email. We are going to hold a summit in November on the matter of email authentication, to bring interested parties together to spur development of meaningful authentication that could dramatically improve email filtration.
It is encouraging that the federal government is doing so much to try and fight spam. Are other countries doing more or less than the U.S. to help battle spam? It seems that international cooperation and efforts would be key since spam is a global problem. If other countries are active, could you detail some of those activities?
Eileen Harrington: Just today at the Justice Department announcement of the crackdown, a representative from Nigeria spoke of the serious problem of criminal email originating from within his country. He praised the United States for providing much needed training and technical assistance to his government to help it more effectively deal with that problem. The FTC represents the U.S. in many international forums -- the OECD, for one -- where problems of illegal spam and other internet activities, and international cooperation to address these, are being worked on. The FTC also helped form the International Consumer Protection Enforcement Network, which brings together the consumer protection law enforcement agencies from many nations to work together on coordinated investigations, information sharing, and law enforcement directed at these problems. Many other countries are active with us in these efforts.
I'm curious? About how much spam do you have to deal with on a daily basis? (including work, home email, etc). How long do you spend each day dealing with spam?
Eileen Harrington: On my personal email account, my spam filter works very well. Every morning I scan the contents of my bulk email box to make sure I don't want anything that's there -- probably I spend two minutes on that. Then I forward all of it to the FTC's spam data base, email@example.com, and delete. At work, I receive very little spam. We have good virus protection software, and the bigger problem with my work email are the notices that someone has tried to send me an email containing a virus, but we've stopped it. I would guess that I spend no more than ten minutes a day dealing with my own spam ----- but I spend hours dealing with yours! The spam problem is a very high priority issue for us at the FTC.
The spam scam of the lawyer, prince, or whatever (usually in Nigeria, but I've also received these ostensibly from Angola, Sierra Leone, South Africa and Dubai) saying they have come across your name in some directory and hope you can help them take care of millions of dollars from the account of someone who just passed away, are well known. Yet I still get these regularly at work (at an address that has no individual's name on it). Why do these folks keep trying? Are people still biting? Gee, I hope it's a scam-- I could be passing up a chance for easy riches by not replying.
Eileen Harrington: It's a scam. I don't know whether anyone is still biting.
Has it gotten easier or harder to find/locate/catch spammers than it was a year/two year(s) ago? Do we have any better tools for catching spammers? Since most spam is sent through virus- or worm-infected home PCs that have been hijacked by hackers, and since enough new PCs get online for the first time today that there is always a constant pool of vulnerable machines out there - it doesn't seem like this is a problem that will soon go away, or even hold any hope of diminishing.
Eileen Harrington: We've gotten better at finding spammers, but it hasn't gotten easier. Finding spammers is time-consuming, often requiring many rounds of subpoenaes to trace back to the sender. Our lawyers and investigators are the best of the best, if I might brag on them. We are always finding new and better tools, not necessarily ones developed for the purpose of finding spammers, but rather to analyze lots of data, which sometimes is what's needed to figure out the connections. With regard to vulnerable machines, it's important for folks to have good firewalls, to use anti-virus software, to get security patches and updates.
When John Ashcroft enthusiastically supports something, it usually means he has found another way to further erode our civil liberties and spy on/control his fellow countrymen.
So please get to the point, if you would: what is the privacy downside to this protection from spam? I would appreciate your being as specific and candid as possible.
Thank you for taking the time to talk with us today.
Eileen Harrington: Most of the protections from spam that exist in the law place tools in the hands of email users like you and me. The opt-out mechanism is the best privacy protection we have, under the law.
The Electronic Communications Privacy Act, which has been on the books for a long time, actually erects some obstacles to the government obtaining records and information relating to electronic communications. It's harder for us to get information from an ISP than it is from many other kinds of businesses. I honestly think that the greater privacy threats to you come from those who try to steal your identity by sending bogus emails that look like they're from Citibank (phishing) or those who are trying to load viruses on your computer. I'm really happy to be talking with all of you today -- it is a great pleasure and honor to be a public servant. I really mean that.
What can the FTC do to go after spammers who are directing people to visit Web sites that load spyware (basically detected as trojan horses by antivirus software b/c they take advantage of Windows vulnerabilities)? Is there anything the FTC can do in this regard, or is this more the bailiwick of the Justice Dept? Do you anticipate going after these guys?
Eileen Harrington: The FTC recently held a workshop on various aspects of the spyware problem. Depending on the facts, both the FTC and DOJ have jurisdiction. It's a complicated problem -- we at the FTC try to get really smart on these issues before we unleash law enforcement, to make sure we aren't bringing actions that produce untended, harmful consequences.
It seems like one of the biggest sources of spam is unprotected PCs running Microsoft Windows that have been exploited and set up to run as spam-spewing "zombies". Do the FTC and Justice Department have any plans to hold Microsoft accountable for the awful security problems of Windows that contribute to the spam problem? Similarly, will ISPs that allow thousands and thousands of spam messages to flow from their networks be held accountable?
Eileen Harrington: Good questions. One of the most interesting things about this work is the online culture that produces such interesting monikers as "zombie drones." Broadly speaking, Internet security is a very high priority for the entire federal government. We regularly meet privately with many different kinds of stakeholders to discuss their roles in strengthening security and helping to solve the spam problem. We have already brought actions against companies that failed to take necessary steps to protect information and systems security.
Full disclosure - I work for washingtonpost.com. I used to get about 120 spam messages daily until we got a new Filter here. For three years I dutifully sent every one of those messages to uce-ftc.gov. I know you guys have a different address for that now - but how many spam e-mails have people forwarded to you since you set up that address? Has it ever in fact been used to target spammers?
Eileen Harrington: Yes, it often is used to target spammers, so thanks for your contributions. I believe we have 650 million pieces of spam, and are receiving another 300,000 each day. Keep it coming -- we want your spam!!
In my opinion, pop-up ads are a far worse scourge than spam e-mails, which are bad enough. What can be done about pop-ups?
Eileen Harrington: Pop-ups are an example of a problem that has spurred some great market-place solutions. There are many pop-up blockers available for free on the Internet. They are annoying, but there are some choices out there for keeping them off your screen -- just shop around.
Ann Arbor, MI:
Can you prosecute the people who distribute viruses over e-mail? That to me seems like the biggest threat.
Eileen Harrington: That's handled by our colleagues at the Department of Justice -- that's criminal activity.
Please provide details about the Authentication Summit that was mentioned in the Do Not EMail Registry report to Congress. See Footnote 197 and accompanying text. When is it? Where is it? Who is attending?
Eileen Harrington: Stay tuned. It will be held this fall, here in DC. The Commission will be announcing it shortly --- watch our website, www.ftc.gov, for the announcement.
Unfortunately we're out of time. Thanks to all our readers for their great questions and to Eileen Harrington for taking the time to join us today.