The U.S. Federal Trade Commission expects to release this week its first study about the feasibility of a Do Not E-Mail registry, similar to the Do Not Call registry that has proved a popular deterrent to telemarketers. And spam remains the commission's top priority tech issue, says Howard Beales, director of the FTC's Bureau of Consumer Protection. He spoke in San Francisco at the International Association of Privacy Professionals' Truste Symposium recently, describing the challenges of enforcing spam laws and privacy policies.
Spam is the toughest problem the FTC has ever confronted because enforcement is difficult, Beales said. Spammers can conceal an e-mail address and make the message look like it came from anyone, anywhere. And the cost, even when there are low responses, makes it profitable.
"A spammer in one of our workshops said that even if one in ten thousand responds, it's a profitable venture," Beales said.
The FTC estimates that two-thirds of spam is deceptive or false and violates the law. The rest are pitches for porn and prescriptions. Beales estimates only about 16 percent of spam offers something that might be legitimate.
The FTC tries to track spam through the URLs in e-mail, he said.
"We follow the money," he said. "We can issue a subpoena to see what payment method was used for the URL and usually after six or more sequential subpoenas, we can find a real person."
But the payoff often is poor. Tracking spam takes enormous upfront resources but often doesn't lead to a worthwhile target, Beales said. Most spammers are small operations; in one FTC study of 114 messages, only one message was from a Fortune 1000 company.
Still, armed with the new CAN-SPAM Act and fortified by Congressional and citizen complaints, the FTC is developing new weapons against spam.
It is developing an open relay project that should help identify insecure mail servers. Beales also cited Operation Secure Your Server, a worldwide effort to close access to spammer anonymity.
Tougher law enforcement is the answer, suggest some others.
"The reason we have so much spam is because law enforcement is not doing its job," says Steven B. Adler, program director of IBM Corp. enterprise privacy solutions. "It's mail fraud. If we want to control spam, we don't need caller ID, we need training for law enforcement. Make the penalty more costly than reward."
Spam is also related to another FTC priority: Privacy. The commission is charged with making sure organizations implement and follow privacy policies.
"Security is a process. There are always going to be new threats," Beales said. "Companies need to have a system of updating according to vulnerabilities. And it's important companies don't make [more] vulnerabilities in the process."
He cited a recent case in which Tower Records, after a system upgrade, omitted authentication code, which meant that anyone could get access to information about purchases.
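The Tower Records case above is a missing access check on a purchase-history lookup. The following is an added example, not code from the article or from any of the companies it quotes: a lookup with and without the ownership check, together with a small regression test a team can keep in its release suite so a later upgrade cannot silently drop the check again. The store, users and orders are constructed for the demonstration.

```python
"""Added example (not from the article): a purchase-history lookup with and
without its authorization check, plus a regression test that fails whenever
a release ships the unchecked behaviour. All names and orders are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str      # account that placed the order
    items: tuple    # purchase history: the data that must stay private


# Constructed sample data standing in for a store's order table.
ORDERS = {
    1001: Order(1001, "alice", ("guitar strings",)),
    1002: Order(1002, "bob", ("box set", "poster")),
}


def lookup_order_unchecked(session_user: Optional[str], order_id: int) -> Order:
    """The post-upgrade behaviour the article describes: the order is handed
    to whoever asks, with no check on who (if anyone) is logged in."""
    return ORDERS[order_id]


def lookup_order_checked(session_user: Optional[str], order_id: int) -> Order:
    """Hardened version: require a logged-in user and require that the user
    owns the order. Unknown and foreign order ids both raise AccessDenied,
    so the response does not reveal which ids exist."""
    if session_user is None:
        raise AccessDenied("login required")
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise AccessDenied("not your order")
    return order


Lookup = Callable[[Optional[str], int], Order]


def enforces_ownership(lookup: Lookup) -> bool:
    """Regression check: True only if the lookup serves a user's own order
    and refuses anonymous access and cross-user access. Run against every
    release so a refactor cannot reintroduce the missing check."""
    try:
        if lookup("alice", 1001).owner != "alice":
            return False
    except AccessDenied:
        return False          # the check is too strict: owner locked out
    for user, oid in ((None, 1001), ("alice", 1002), ("bob", 1001)):
        try:
            lookup(user, oid)
            return False      # served data it should have refused
        except AccessDenied:
            continue
    return True


if __name__ == "__main__":
    print("unchecked enforces ownership:", enforces_ownership(lookup_order_unchecked))
    print("checked enforces ownership:  ", enforces_ownership(lookup_order_checked))
```

The point of `enforces_ownership` is that the authorization rule is encoded as a test rather than only in the handler, so the "don't make more vulnerabilities in the process" risk Beales describes is caught before a release, not after customer data has been exposed.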
Skimping on security isn't just unwise, it's illegal, he said.
"Deceptive or unfair practices are illegal," Beales said. "When security is inadequate, we think promises are deceptive."
The technical tools aren't inadequate, they simply aren't implemented as they should be, says John T. Sabo, manager of security, privacy, and trust initiatives with Computer Associates.
"Security is a component of privacy, yet we don't look at it holistically," Sabo says.
Others say standards aren't the answer.
"We have a lot of research work at IBM, but there's a dearth of actual implementations," Adler says. "There's no lack of standards, but a lack of implementations." Rather, diligence and better funding for privacy projects are the answer.
"Privacy is inadequately funded," Adler says. Companies consider the risk remote. "We don't think it will happen to us."