Fun_People Archive
19 Jun
Your government at work - I went to the FTC spam hearing today


Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
From: Peter Langston <psl>
Date: Thu, 19 Jun 97 15:34:25 -0700
To: Fun_People
Subject: Your government at work - I went to the FTC spam hearing today

[An interesting description of the FTC hearings on spamming.  Your attention  
is directed particularly to the last two paragraphs which contain a small  
call-to-action and a mention of <http://www.clark.net/pub/kfl/toll.html>.   
-psl]

Forwarded-by: david mankins <dm@k12-nis-2.bbn.com>
Forwarded with permission.
From: Keith Lynch <kfl@clark.net>
Subject: I went to the FTC spam hearing today

Today I went to the FTC hearings on spam from 9 am until 12:30.  Here's what
I observed.

Actually, the hearings were on "Consumer Online Privacy," and they are
lasting four days (June 10th-13th).  Spam is just a small part of that.

I think it's unfortunate that spam is categorized as primarily a privacy
concern.  I see it as primarily theft of services and fraud.  A burglar is
not just a variety of peeping tom.  Yes, he invades your privacy, but that's
not what's most objectionable about having your household posessions stolen.

This message attempts to come as close to giving you the experience of being
at the hearings as possible.

I arrived at the FTC at about 9 am.  The closest entrance was labelled as
being for employees and the handicapped, and a sign directed visitors to
another entrance, half a block away.  I entered the visitor entrance, walked
through a metal detector (which didn't go off, as I had nothing metal on
me), and walked past the guard desk to the elevators.  There were no signs
indicating where the privacy hearings were.  So I returned to the guard desk
to ask.

The guard asked to see my ID.  I told her I didn't have one.  She asked
incredulously "what about your drivers license?"  I told her I took the
Metro.  And that I had called the previous day and been assured the hearings
were open to the general public.  Surely I don't need papers to prove I'm
a member of the general public?  She mulled on this for a minute, as if I
were the first person ever to attempt to enter without an ID.  (Rather
ironic, since I was going to a privacy hearing.)  Finally, she just had me
print and sign my name in a log book, and walk through the metal detector
again.  She then gave me a yellow cardboard nametag, good for all four days,
with blanks for name and company.  I wrote in my name, left company blank,
and put it in my pocket.

I went to the fourth floor, where she told me the hearings were.  In the
hall outside the room were two long tables filled with handouts from various
groups.  There were also two cans of spam on the table.  As I attempted to
enter the room, I was stopped by a door guard, who told me that the room
was full and I could view the proceedings via closed circuit TV from the
3rd or 5th floor.  I could see that there were empty seats, but she said
they were being saved for people still to arrive.

Maybe I should have worn suit and tie.  Almost every other man in the whole
building was dressed up.

I went to the third floor.  The room was very cold, and had about 20 people
in it, watching a blurry projection TV image with barely audible sound.
About 100 people could have fit in the room.  After 5 minutes, I went to
the fifth floor.  That room was about the same size and had about the same
number of people in it.  It wasn't as cold, and it had a decent large TV
set sitting on a table in the front.  I stayed there for about an hour,
until there was a ten minute break.  At the end of the break, I slipped into
the hearing room by mingling with the returning crowd.  There were plenty
of empty seats labelled "press only".  I sat in one, and stayed there until
the spam-related hearings ended at 12:30.

Just because I'm not paid by a newspaper or radio or TV station doesn't mean
I'm not a reporter.  I'm reporting right now.  (Maybe someday I should have
a press pass printed up showing that I write for "Usenet Netnews".)

There were about 80 people in the audience, and about 20 presenters.  Almost
everyone in the audience appeared to be reporters.  (Similarly on the third
and fifth floors.)  About 20 seats were empty.

The room was roughly a half-circle shape.  The presenters sat behind several
long tables set end-to-end roughly conforming to the curvature of the
half-circle part of the room.  The audience sat with their backs to the flat
wall, which opened into the hallway.  Behind the presenters were a US flag
and an FTC flag.  The curved wall had seven windows to the outdoors, all of
which were curtained.  When I was watching from upstairs, Shabbir Safdar
commented on how cold the (4th floor) room was, but when I was in there it
was reasonably warm, perhaps because of all the people in it and the hot TV
lights.  There were four TV cameras operating.  Also ISP-TV, run by a guy
wearing a Digex T-shirt, who seemed to be the only man besides myself not
wearing a suit or tie.  He told me that only about one image per 30 seconds
was being sent.  I don't know whether Digex was also providing the live
RealAudio feed to the net.

Sanford Wallace was one of the presenters.  He is of average height, young,
moderately fat, with medium length brown hair, thick wire-rimmed glasses,
and a nearly absent chin.

Walt Rines of the IEMMC was another of the presenters.  On the fifth floor,
the reporter sitting next to me asked me if I had caught his name and
affiliation.  She had missed it when it was announced, his name plate was
sideways to the camera, and he wasn't listed on the agenda.  I told her who
he was, and that he was total slime and not to believe a word he said.
During the break, I briefly explained spam to her before heading for the
fourth floor.  I hope I contributed to making her article more accurate.
Sorry, I don't know who she is or who she writes for.

Walt Rines looks much like Sanford Wallace.  He's a little taller, but about
equally fat, and appears to be about the same age.  He doesn't wear glasses.
He has brown hair and blue eyes.  He and Wallace both have a slightly oily
look about them, as if they'd been perspiring.

At no time did anyone in the audience have a chance to ask questions or make
statements.

FTC Commissioner Christine Varney seemed to be in charge, and to ask the
most questions.

Enough description.  On to what they were saying.

When asked if he minded it being called "spam," Wallace said he didn't care
one way or the other.  "Spam," "spammer," and "spamming" were the terms used
for the remainder of the hearings.

He emphasized that he uses nothing but "standard communications protocols
defined by the founders of the net".  I'm sure he does.  And bank robbers
use standard English when demanding money.  And safe-crackers use the
correct combination when stealing from a safe.

He said that "we don't decide who gets spammed".  He just sells software to
accumulate addresses, software to send spam to a list of addresses, and ISP
access for spammers.  His customers may purchase any or all of these three
things.  He does not censor his customers.  He compared CyberPromo to a
newspaper selling space to advertisers.  If he is made aware of a fraudulent
or threatening ad, he will get rid of that customer, but he takes no steps
to do prior checks on his clients' advertising claims.

His customers are required to accept and honor remove requests.  The ability
to do this is built into the spamming software he sells.

Implicit in what he said was that he has no one remove list which is
enforced on his customers.  If someone wants to stop getting spammed by his
customers, they have to write to each one individually, assuming they could
get a complete list, which they can't.

His address harvesting software doesn't violate anyone's privacy, he
claimed, because it only accumulates addresses from "public databases," such
as AOL profiles, classified ads (?), web pages, and Usenet postings.

Jill Lesser, a presenter from AOL, objected that AOL profiles are not
"public databases".  They are for the use of AOL members only.  Every AOL
member signs an agreement not to spam those people, and not to provide such
lists to others.  She did mention, however, that AOL sells its membership
list to advertisers "as is the industry standard".  She apparently meant
conventional US-mail advertisers.  She pointed out that AOL members (why
does she call them "members" instead of "users"?) get to decide whether to
get ads, and in what categories.  (I think those are banner ads for which
AOL is paid.) She wasn't happy with spammers overriding those user
preferences.  She said AOL filters spam, but that these filters don't work
very well, since spammers keep changing their headers.

Someone else brought up the fact that AOL had successfully sued Wallace to
stop changing domains when spamming AOL.  She said she didn't want to
comment on that case, except to say that AOL was now satisfied with
Wallace's current behavior.

In response to other questions, she mentioned that AOL does not track which
of its members are children.  They used to sell lists of users who used the
"AOL store" but no longer do so.

She mentioned that "spam" is AOL members' number one complaint by far.

There was a prolonged digression into web sites which require people to give
personal information for access, and whether spammers make use of such
information.

Wallace and Rines both touted the IEMMC and its "universal" remove list.
One or both of them claimed that 90% of all spammers are IEMMC members.  It
was conceded that this remove list wasn't working yet, but it was claimed
in an IEMMC handout dated today (June 12th) that it would be working by the
end of this month.  It's clear that, rumors to the contrary, CyberPromo is
still an IEMMC member.

AOL's Jill Lesser strongly disagreed with the claim that 90% of spam is from
IEMMC members.  (So do I.)  She read a spammed ad for a "stealth mailer"
that will send one million spams per hour and have ISPs "spinning their
wheels" trying to figure out who is doing it, all for $400.  She said that
AOL members get 15 million e-mails per day, of which between 5% and 30% are
spam.  I am surprised the percentage is so low.  My mailbox exceeded 50%
spam months ago.

Eric Wenger, an Assistant Attorney General in New York, is also skeptical
that 90% of all spam is from IEMMC members.  He points out how easy it is
for a spammer to set up shop.  But he thinks the IEMMC code of ethics is
reasonable.

Shabbir Safdar of VTW (Voters Telecommunications Watch) said that 25% of
all e-mail is spam.  He projects that spam will grow linearly.

I disagree.  I project that it will continue grow exponentially, as it has
been.  That's the nature of self-replicating systems, whether they be
noxious bacteria, chain letters, MLM schemes, or ads for lists of e-mail
addresses that one can use to spam ads for lists of e-mail addresses.
Exponential growth until the self-replicating system is killed off, or until
it dies by having destroyed its growth medium (e.g. culture medium, medical
patient, or the Internet) is the rule.

Safdar doesn't think people will stop using e-mail.

I disagree.  Lots of people have already stopped.  In a year or two, so will
almost everyone else, if something isn't done about spam.

He favors technical solutions, and gives adding ".nospam" to one's address
as a solution.  Nobody brought up the fact that Wallace's software, among
others, automatically strips off ".nospam" and other common spamblocks when
accumulating addresses.  Or the fact that spamblocks make it difficult to
send legitimate replies.  Impossible, for some mail software.

Wallace mentioned that CyberPromo has a firm policy of not allowing
third-party relaying.  Any CyberPromo customer who does this will be kicked
off.  When asked how long this policy had been in place, he replied "one
week".  That got some laughter from the audience.

When asked if there was a cost associated with receiving spam, Wallace
conceded that there was.  But he compared it with the cost of receiving
third-class mail -- trash disposal!  And with the cost of getting ads on TV
-- electric bills!  He said there was no comparison with junk fax, as that
consumes paper.  Nobody asked him whether he was formerly in the junk fax
business.

As for the cost to ISPs, he said that they pay to receive e-mail anyway, so
what makes his e-mail any different?  These machines are set up to deliver
e-mail to their users.  That's exactly what they're for.  So there is an
"implied right" to spam.

When asked about spam being seen by children, he replied that he had never
seen spam targeted to children.  This sounds plausible to me, but
unfortunately nobody thought to ask what keeps children from seeing
pornographic spam.  The answer, of course, is nothing.

Al Mouyal is the founder and head of the IMC (Internet Marketing Council).
This is not to be confused with the IEMMC.  Or perhaps it *is* to be
confused with the IEMMC, as they sound much alike.  It's another group of
"ethical" spammers, which will have a spiffy logo and a "universal" remove
list.  Yawn.  Oh yes, members are also required to put "advertisement" in
the subject field of all spam.

He gave a surprisingly good explanation for why present-day spam is almost
all for sleaze and worthless scams.  Reputable companies won't go near spam
-- or even use opt-in lists -- for fear of massive boycotts and loss of
reputation.  Many people who opt in later forget that they opted in, and
flame the "spammer".  I can believe this.  I've come close to doing exactly
that myself.  After I complain about twenty consecutive messages, it's hard
to notice that the twenty-first is not spam, and refrain from complaining.
Especially if it is a commercial message.

Ram Avrahami (who sued a newspaper for selling his name) claimed to have a
"universal" opt-out list, which would solve the spam problem once and for
all.  He claims that Wallace uses his list.  Why am I getting such a strong
sense of deja vu here?  At least he admits that 80% of the one thousand (!)
spammers he's aware of ignore his list.  In response to a question, he
replied that 2% of all spam is religious rather than commercial.  He has a
collection of 2000 distinct spams.  There is no overlap between DMA (Direct
Marketing Association) members and these spammers.  He points out that
spammers can buy a list of one million e-mail addresses for $11, which is
one thousand times less expensive than a list of that many street addresses.

DMA's H. Robert Wientzen said his organization was developing -- you'll
never guess -- a "universal" remove list!  It will be ready in the US in 6
months, and worldwide in a year.  How could it possibly fail?  He says it's
"too early for legislation".

Safdar mentioned the irony of discussing giant databases of millions of
e-mail addresses at a privacy conference.  Wientzen responded that this was
not a privacy violation since opt-out lists are always opt-in!  In other
words, nobody is ever added to such a list except by their own request.
(We had to destroy privacy to save it?)

Someone quoted part of a spam from one of Wallace's customers.  I happen to
have saved that January 5th spam, so here is the part that was quoted:

  To keep up with the respect of internet users who wish their names removed
  from Noci Marketing's emailing list, simply mail to:  noci@cyberpromo.com
  and type "remove" in the subject field or message body. It's that simple.
  NOTE TO FLAMERS:DON'T DO IT! We will comply with and respect all REMOVE
  requests, but if we are flamed we will (a)FLAME YOU 1000 times as much
  (b)email to 3 million people a questionable item with your return email
  address. We want respect as much as anyone else, so if you give it, you
  shall receive it.

Wallace replied that he had immediately terminated that customer.  He did
indeed claim at the time to have done so.  However, I happen to know that
this is Yuri Rutman, and that his account name was simply changed from noci
to italivest.  As far as I know, he is still a CyberPromo customer.

Simona Nass of Panix described filtering as a never-ending "arms race".
Spammers keep finding ways around the filters, which then have to be
constantly updated.  She said that spam labelling requirements, as required
by the Murkowski bill (S.771), and as suggested by Mouyal's IMC, would be
asking the "offenders to police themselves".  She didn't see how such a law
would be enforcable.  How could the spammers be tracked down?  And how would
anyone prove that they really received the spam they claimed to have
received?

I agreed with everything she said, until she went on to claim that people
were "researching opt-in".  What's to research?  There have been opt-in
lists on the net for at least 22 years.  (See my Internet timeline at
http://www.clark.net/pub/kfl/timeline.html.)

Raymond Everett of CAUCE compared spam to environmental pollution.  Both
save the spammer or polluter money, but only at the expense of shifting
costs to uninvolved people.  He claimed that technical solutions won't work.

Wallace mentioned that AOL is filtering out all messages with fake domains
in the headers.  AOL's Jill Lesser responded that this filtering only works
for domains which are not registered, not for real domains which are forged.

Wenger agreed with someone's question that fraudulent headers tend to go
with fraudlent contents.  He gave as an example a spammer named Lipsitz,
who was prosecuted for magazine subscription fraud.

Rosalind Resnick, the President of NetCreations, says that NetCreations is
now 100% opt-in, with 3000 topic lists and 3 million subscribers.  She
claims they get two to three times the postal response rate for half to a
third the cost.  She says that spammers who hijack SMTP ports should be
prosecuted for theft of services and fraud.

FTC Commissioner Christine Varney seemed to misunderstand what was meant by
SMTP hijacking.  What it means is the spammer telnets to someone else's
computer's SMTP port, and has that machine send their e-mail until it
crashes, invariably losing real e-mail in the process, and leaving a hell
of a mess for sysadmins to clean up.  Varney seemed to think that e-mail
just naturally bounces around from one system to another in the course of
getting to the recipient, and the spammer has little control over this.
Nobody corrected this misunderstanding.  Wallace said something to confuse
the situation further.

Nass mentioned that there's a two-line fix to prevent SMTP hijacking, but
that it wasn't usable on sites that host virtual domains such as
your-name-here.com.  Technical fixes to those SMTP servers are possible,
but rather involved, and would generally void the maintenance agreement.
She didn't seem to notice that Varney was totally misunderstanding was SMTP
hijacking is.

Deirdre Mulligan of the CDT (Center for Democracy and Technology) mentioned
that there's lots of confusion as to what spam is.  She mentioned that a
congressional staffer was complaining about getting 500 "spam" e-mail
messages (from 500 different senders) on the topic of upcoming legislation.

IEMMC's Walt Rines is totally in favor of opt-in.  Opt-out, too.  "Let
opt-in and opt-out coexist," he says in a voice of sweet reasonableness.
(What is wrong with this picture?)

David Sorkin, a law professor, discussed the Smith bill and several similar
state bills, all of which would outlaw spam.  He opposes the Murkowski bill,
saying it would be an unfunded mandate on ISPs.  (The Murkowski bill would
mandate that all spam is labelled as such, and that ISPs offer all users
free filtering of same.)  He suggests that spammers could be prosecuted
under existing harassment laws.

He suggests that if nothing is done we will soon get "trillions" of spams
per day.  (Assuming 50 million users, that would be 20,000 spams per day
per user.)  I think this is indeed quite likely in two or three years,
unless e-mail simply stops being used first.  Nobody else seemed to think
that spam would grow at all, at least not very much or very quickly.

George Nemeyer, of Tigerden Internet Services, and Internet Service
Providers Consortium, favors the Smith bill which would ban spam.  (After
the hearing ended, I saw him in a heated argument with Walt Rines about
spam, and about its cost to ISPs.  Rines insisted that processing all
incoming e-mail was simply what ISPs are supposed to do and supposed to pay
for.)

FTC Commissioner Christine Varney said she wanted to go after a few of the
worst fraudulent spammers and prosecute them for fraud.  But she says
they're virtually impossible to find.  (Really?  They always mention a phone
number or P.O. box.)  She said she liked the IEMMC's code of ethics.
(Sigh.)  At the close, she thanked Wallace and Rines for their "courage" in
coming there.

After the hearing, I went up to Walt Rines and congratulated him.  "Very
slick," I said.  "I think you just bought yourself another six months.  I
guess you can take the web page down now that it's served its purpose."  He
didn't reply.

I handed Sanford Wallace a list of my e-mail addresses, with the word REMOVE
in very large letters at the top.  The sheet of paper says I don't want to
get spam from him, his customers, or anyone else, on any of those addresses.
He replied "it's a deal".  He really is slick as a snake in person.  If you
didn't know what he's really like, you'd find yourself buying a used car
from him -- even if you don't drive.

I also talked to Al Mouyal.  He is a non-stop talker, hardly letting me get
a word in edgewise.  He claims to have legitimate businesses such as GNC as
customers, and to mostly send solicited e-mail, but also some spam.  He says
he has a remove list, with confirmation.  And his own personal 800 number
which appears in every spam.  And a spam label in each spam.  He seemed to
be skeptical when I told him how much spam I get.  He asked me to look at
his site, edmarketing.com I haven't done so yet.

I also talked to Blair Richardson of Aristotle.  They are developing - --
hold onto your hats -- a "universal" remove list!  Which Stanford Wallace
will not only respect, but will forfeit a million dollars if he abuses!
Color me skeptical.  They have changed their mind about the limit of five
addresses per person, but not about the requirement that one be a registered
voter.  Apparently they also require lots of personal information.  He said
Aristotle will refer non-voters, and those who refuse to divulge personal
information, to Jason Catlett of Junkbusters.  They too have a "universal"
remove list, he explained.  (Lost count yet?)

This message can also be found as http://www.clark.net/pub/kfl/ftc.html.
Within a couple days, I plan to turn every mention of an person or
organization into a link to that person or organization's web page.  [Done]
While I have your attention, please also consider downloading
http://www.clark.net/pub/kfl/toll.html, my list of toll-free numbers
recently seen in spam, and giving each of them a call.

I wish I could get that list, and this message, to everyone interested in
fighting spam.  I also wish I could have spoken at those FTC hearings.  But
then, that's precisely the problem, isn't it?  Everyone who has something
to say can't force it on everyone, or else everyone would be buried in
unwanted excess information.  That's the real spam problem.
- --
Keith Lynch, kfl@clark.net
http://www.clark.net/pub/kfl/
I boycott all spammers.

[Keith mentions that he's still getting Spam from Cyberpromotions as of
 June 16. --- dm]


prev [=] prev © 1997 Peter Langston []