Testimony by Joe Rubin on H.R. 2214, the "Reduction in Distribution (RID) Spam Act of 2003"
Testimony before the House Judiciary Committee, Subcommittee on Crime, Terrorism and Homeland Security on H.R. 2214, the "Reduction in Distribution (RID) Spam Act of 2003" for the U.S. Chamber of Commerce by Joseph Rubin
July 8, 2003
Mr. Chairman, Ranking Member Scott, and Members of the Subcommittee, my name is Joseph Rubin, and I am the Senior Director of Congressional and Public Affairs and Executive Director of Technology and e-Commerce for the U.S. Chamber of Commerce (Chamber). I appreciate the opportunity to appear before you this morning to discuss H.R. 2214, the Reduction in Distribution (RID) Spam Act of 2003.
The U.S. Chamber serves as the principal voice of the American business community here in the U.S. and around the world. Specifically, the Chamber is the world's largest business federation, representing more than three million businesses of every size, sector and region of the country. On behalf of the business community, therefore, let me thank you for your leadership in dealing with this issue, and in holding this timely and important hearing and moving this legislation.
The RID Spam Act is balanced, effective legislation that will play a significant role in reducing the amount of spam. The Chamber is pleased to support your efforts to pass this legislation expeditiously.
The U.S. has the largest and most dynamic economy in the world, particularly when it comes to consumer choice and control. At no other time in history have consumers been in such control over their economic domain. For example, e-commerce gives consumers the power to comparison shop with little or no cost, forcing business to respond instantly to changes in consumer demand. Businesses understand all too well that if they are not satisfying customer demands, other businesses will. No longer is a customer bound by geographic location to a business, but in a nano-second can travel anywhere in the world to purchase products and services that they want with just a click of the mouse.
However, the challenge of spam threatens to destroy many of the benefits of our e-commerce system. The proliferation of bulk, unsolicited, commercial email, commonly referred to as "spam," has become more than a nuisance. Increasingly, consumers are getting inundated with pornographic or false and misleading email that diminishes their faith in e-commerce, undermining many of the benefits that consumers derive from e-commerce.
It also has to be understood that there is a clear distinction between legitimate companies, those that do not spoof or mislead their customers, respect and honor opt-outs, seek to gain repeat customers, and who obtain email addresses through legitimate means, versus those who attempt to use fraud and deception to get consumers to open their emails or avoid Internet Service Provider (ISP) filters and obtain customer "leads" by, in effect, stealing addresses from other online service providers. This distinction has to be clearly recognized in any legislative attempts to address spam – legitimate companies will comply with the rules, even if they are extremely burdensome and unworkable, while spammers will continue to ignore legislative and judicial rules and edicts. Therefore, the rules must be carefully considered and balanced, so as not to unintentionally restrict the ability of legitimate companies to communicate effectively with their customers.
The amount of spam is growing exponentially, and imposes real costs on consumers, ISP businesses, and the economy generally. For example, Forrester Research estimates the cost of spam to the business community alone could be as high as $10 billion annually.
Spam imposes significant costs on consumers. Not only do consumers waste valuable time deleting unwanted email, but they are also subject to a bombardment of pornographic as well as false and misleading email. The Federal Trade Commission (FTC) estimates that 66 percent of spam contains at least some form of deception, and confirms that fraudulent operators have been among the first to use email to expand their reach in seeking to exploit the vulnerable and uneducated.
ISPs also suffer real losses as a result of spam. The sheer volume of spam, for example, forces them to divert valuable resources into creating additional bandwidth to carry unwanted messages to their customers. ISPs also invest millions of dollars in technology to stop spam. However, they ironically bear the brunt of customer frustration, as they are often the recipient of consumer complaints about spam. On the other hand, while ISPs have carefully crafted agreements with their users to enable them to block accounts that are used for spam, they are increasingly finding themselves the defendant in suits brought by account holders whose accounts were blocked for allegedly sending spam.
Retailers, marketers, financial services companies, travel providers, and other businesses that communicate with their customers via email also face serious challenges and expenses as a result of spam. For example, companies must ensure that their communications actually get to their customers, and then need to make sure that their legitimate communications are not deleted along with the spam and pornography that clog their users' email boxes.
Finally, employers are also growing increasingly concerned about the spread of spam. For example, even though it may take less than a second to delete an unwanted email, employers have growing concerns about lost productivity, as more time at the office is spent deleting unwanted spam. They are also concerned about the contents of the spam, including the threat of viruses and trojan horses contained in spam, as well as the potential for sexual harassment and other types of suits that offensive email may create. Also, because the sending of spam often uses spoofing, illegitimately using a well-known company's name and/or email address to avoid blocking and to entice end-users to open their email, companies are increasingly worried about the tremendous harm that a spammer could cause to a well-known brand.
To respond to the challenge of spam, government at all levels, consumers, ISPs, retailers and the experts across the political spectrum have all been working diligently to find a solution to the spam problem. While the success to date is impressive, the amount of spam continues to increase. The range of responses includes:
· ISPs have been on the forefront in their response to spam. First, they have invested millions of dollars in new and better technologies to block spam, and their success rates are significant – blocking billions of unwanted emails a day. ISPs have also filed lawsuits against dozens of companies and individuals who send out billions of spam emails a day, and have recovered millions of dollars in monetary penalties against these spammers. They are also forging alliances with other ISPs to combat spam, seeking to develop open technical standards and industry guidelines that will help fight spam, as well as discussing ways to better cooperate with law enforcement to stop large-scale spammers. Nonetheless, in spite of these efforts, the spam problem keeps increasing;
· The FTC has sued spammers for sending false and misleading email, and has led the effort to educate consumers about the tools that they can use and simple steps that they can take to protect themselves from spammers;
· The states have also been active in attempting to devise ways to stop spammers, such as imposing increased criminal penalties, requiring labels on unsolicited commercial email, and providing ISPs and consumers with the ability to sue spammers;
· Providers of email programs include increasingly sophisticated filtering tools in their software to enable users to filter spam before it gets to their e-mailboxes;
· The U.S. Chamber of Commerce has been a leader and active participant in many of these endeavors, such as educating consumers and small businesses about how to protect themselves from spam through efforts like http://www.staysafeonline.info/, and by working with industry and the FTC to help craft cooperative solutions to the common problems created by spam.
Many of these efforts have been relatively successful, while others have been abject failures, but combined they have done little to stem the overwhelming tide of unwanted bulk email. They have, however, helped to point out many of the critical shortcomings of current efforts.
Any successful effort to stop spam will require several critical parts, including a range of tools, ideas, technology, market-based solutions, cooperation between businesses and with government, increased FTC enforcement, enhanced ability of ISPs to go after the bad actors, and increased and enhanced law enforcement, along with a strong, uniform, federal legislative standard. The crafters of this legislation, working with a wide range of experts, businesses, ISPs, consumer groups, law enforcement officials, and others, have identified these shortcomings, and have attempted to address them through this legislation. This legislation, therefore, represents a critical and effective piece of the puzzle to combat spam, but does so in a narrowly targeted way that focuses on combating the clear abuses, while protecting the continued legitimate use of email. It also eliminates many of the mistakes in previous efforts, such as granting private rights of action for consumers or requiring labels for commercial email.
One provision that this legislation adds to the current stable of tools to fight spam is an enhanced ability of ISPs, who are in the best position to trace the source of spam, to sue spammers, and institutes a single, nation-wide standard to facilitate their efforts. It does so in a way, however, that protects the needs of legitimate businesses to communicate with their customers through email. For instance, the legislation requires that ISPs establish a "pattern or practice" of violations with regards to disregarding an opt-out, but has no similar requirements when suing for intentional acts like using false header and routing information or harvesting email addresses – activities that legitimate companies would not undertake, and therefore no additional protection is required.
The legislation will also help to empower the FTC, giving the agency the tools it needs to improve its fight against spam and fraudsters who hawk their wares through spam. The FTC has the experience and the ability to protect consumers from the dark underside of e-commerce, and it has the national, and in many cases, international, jurisdiction to stop spammers no matter where they reside.
The RID Spam Act also provides state law enforcement with the ability to protect state residents from intentionally harmful acts committed by spammers, such as using false header and routing information and harvesting email addresses. It is entirely appropriate to provide the states with the ability to stop these types of egregious activities, but because of the difficulty of enforcing this type of provision across state lines, to limit their jurisdiction to intentional acts of spammers. We also believe that the ability of State Attorneys General to bring suits against spammers should be further limited by removing their opportunity to recover attorney's fees in cases that they bring against spammers.
This legislation also draws an appropriate balance between state and federal standards and jurisdiction. There are currently 28 states that have enacted some form of spam legislation, from increased civil and criminal enforcement to regulation of the content of email. This legislation provides the states with the continued authority to stop false and misleading messages, but provides for a single, uniform standard regarding other regulation of email. This is the appropriate balance. States traditionally have the authority to protect their consumers, and that authority is retained in this legislation. However, state regulation of email content has created a patchwork system of differing and inconsistent standards and definitions, resulting in an unnecessarily complex compliance system. We need preemptive federal legislation to harmonize these standards and provide powerful tools to enforcement officials.
In addition to civil enforcement tools, the RID Spam Act also provides for criminal enforcement and criminal penalties in some cases, and we believe that these criminal provisions are carefully and narrowly drawn to target truly egregious, intentional behavior, and will provide an effective deterrent against criminals.
There is little stomach in the business community for spam, and we strongly support the civil elements of this legislation to go after those companies and individuals. However, the activities of spammers are sometimes so egregious and harmful, that they rise to the level of a potential criminal offense, and those activities should be treated accordingly. For example, this legislation provides for criminal penalties when a spammer uses false header and routing information or the harvesting of email addresses. These activities, which no legitimate company would use, harm the whole e-commerce system and undermine the faith and trust in e-commerce, taking advantage of the most vulnerable among us. Further, because these are intentional, fraudulent acts perpetrated on unsuspecting consumers, criminal penalties certainly may be appropriate.
Additionally, to further deter and punish this type of egregious behavior, the legislation contains significant civil penalties ISPs can enforce against spammers. Because ISPs are in the best position to find spammers and shut them down, providing them with the tools and incentives to undertake what may be an expensive and time consuming undertaking to thwart criminal activity is appropriate.
In addition to strengthening the enforcement provisions used to stop spammers, this legislation will be effective because it eliminates many of the failed provisions that states have attempted to use to stop spam. For example, the RID Spam Act expressly requires that cases related to spam be heard in federal court, and it prohibits class actions by ISPs or causes of action by individual plaintiffs. These limitations provide necessary protection for legitimate companies while at the same time ensure that spammers will be subject to a wide range of enforcement activity from a host of levels. For instance, while it may be relatively easy to file a frivolous lawsuit against a legitimate company, it is often difficult to find and identify spammers. Therefore, it is vital to protect legitimate companies from exploitive suits for allegedly spamming. Further, granting consumers an individual right of action could ironically impede the ability of ISPs to find and sue spammers, because they would be forced to respond to a flood of discovery requests by consumers seeking to find spammers.
The State of Utah provides a case study of why a consumer private cause of action should be excluded from a spam statute. Utah has enacted a "tough" spam statute that allows for a consumer private cause of action and class action suits. A single plaintiff's firm in Utah has now filed hundreds of class action lawsuits under this statute. However, the firm is not pursuing spammers. Given the cost and complexity of finding actual spammers, this firm has targeted the low-hanging fruit – deep pocket, leading companies and brands who do not spam their customers, but simply have a presence online and in Utah.
The legislation also explicitly rejects the use of labels, such as "ADV", and expressly forbids the FTC from requiring such labeling. The rationale behind this restriction is simple: legitimate companies will comply with regulations, even if they are burdensome and ineffective, but spammers will continue to ignore any and all regulations that they see as restricting their ability to mislead consumers. The goal of legislation should not be to give spammers and criminals a competitive advantage over legitimate companies, but should seek to rein in the fraudulent and misleading activities of spammers.
Finally, while the Chamber believes that this legislation will be an effective tool in the overall fight against spam, as with any complex legislation in a fast-changing technological environment, a few modifications could help to improve the final product.
For instance, during the first six months the legislation gives companies 20 business days to honor an opt-out, then reduces that time to 10 business days. No company wants to be labeled a spammer, and therefore companies will do their best to comply with all opt-out requests. However, not all companies are completely integrated, and many companies have multiple lists of customers that often do not speak to one another, making it impossible for a company to remove a customer within the requisite 10 business days. Further, given the "pattern and practice" language in Section 101 (b), if a company routinely fails to comply with the 10 business days, even if the company's attempts are clearly good faith efforts, that still makes it vulnerable to suit by an enterprising ISP, and provides little or no defense for a company, subjecting them to a minimum of $75,000 in damages in each suit. Conversely, technology may enable many companies to comply with an opt-out request instantaneously, and therefore the 10 business days may prove to be too long. The goal of this legislation should be to protect legitimate companies. Therefore, we would suggest providing the FTC with the ability, through rulemaking, to determine the appropriate number of days, so that enforcement can reflect the realities of each company's business, rather than an arbitrary period for compliance.
Enforcement could also be enhanced by giving the FTC the ability and authority to go after those businesses that actually benefit from the use of spam. Generally, spammers are not promoting their own products, but are acting on behalf of businesses that hire them to bring in customers. These are the companies that hire spammers to sell their products. These so-called "promoted businesses," whose products are hawked through a deluge of spam, are responsible for most of the spam that permeates the Internet.
The FTC should be given the power and authority to pursue these promoted businesses. The FTC knows how to "follow the money" and such a provision would give the FTC the ability to do just that, but would circumvent its difficulty of finding actual "spammers." The Chamber supported such a provision in the Burns-Wyden bill, and believes that such an addition would enhance the FTC's ability to target spammers.
Finally, we believe that spam should be enforced by functional regulators, rather than by the FTC, in industries where that is feasible. Again, we believe that spam legislation should minimize the burdens on legitimate companies while targeting spammers. Functional regulation would provide strong enforcement in cases where it is required, but would minimize the burden otherwise, because functional regulators are more familiar with the industries that they oversee, and there is less possibility of "getting it wrong" against legitimate companies if a functional regulator is involved.
Mr. Chairman, again thank you for the opportunity to testify regarding this important issue. The RID Spam Act is balanced, effective legislation that will have a serious impact on the amount of spam, without adversely affecting the ability of companies to communicate with their customers and potential customers through whatever means the customer most desires, including through email communications. I look forward to working with you as this legislation moves to the House floor, and I am happy to answer any questions.