Spam hasn't declined significantly since CAN SPAM took effect more than three months ago. But will new legislation ultimately help security managers keep malicious, inappropriate or unwanted e-mails, viruses and worms out of the enterprise?
The energy is certainly there. CAN SPAM, which regulates commercial e-mail, took effect Jan. 1, and the Federal Trade Commission (FTC) currently is revising it. Pending federal and state legislation would likewise tackle spyware and regulate adware.
Yet security experts say legislators should learn from the successes and failures of CAN SPAM before enacting new security legislation.
First, spam hasn't declined, although since Jan. 1 Ferris Research has seen "a 30% decrease in the amount of spam that had been bounced off of open proxies, open relays and zombies, compared with sent-directly," said Richi Jennings, a research analyst for Ferris Research. He said the results are either a "temporary blip" or reaction to the law.
Still, "legislation is good for setting the bar, and telling legitimate e-mail marketers what they should or shouldn't do," he said.
In January, Jupiter Research surveyed more than 50 major e-mail marketers and found two-thirds weren't in compliance with the CAN SPAM requirement to include a physical address, and one in six didn't honor "unsubscribe" requests within 10 days.
At the same time, a "conservative estimate" is that 50% of e-mail flowing through ISPs is spam, "and it's probably more like 75%," said Jennings. Spam equals high bandwidth costs for ISPs.
Second, CAN SPAM "allows not only the federal and state governments to prosecute spammers, but also ISPs to bring civil action against spammers -- that's a particularly well-worded part of the law," said Jennings. Recently, America Online, Earthlink, Microsoft and Yahoo filed CAN SPAM lawsuits.
Third, information security laws need teeth. "The CAN SPAM Act provides only the most minimal protections to the public," Joe Wagner, president of ISP Hypertouch, which filed the first CAN SPAM lawsuit, said in a statement. He criticized the law for "requiring recipients to reply to the spam they receive."
By contrast, Britain's e-privacy law, enacted in December, prohibits companies from e-mailing people who haven't explicitly opted in.
Likewise, laws aimed at curbing spyware, adware and other damaging software could tackle the larger issue: privacy. "In the context of a broader privacy bill, you can put together rules for how this works and how privacy information is being used, and software just fits into the picture," said Ari Schwartz, an associate director of the Center for Democracy and Technology, a privacy rights group.
The alternative is wading through semantics: trying to define "spyware" and "adware." "We're concerned about pulling it out separately and creating words that are harder to interpret," said Schwartz.
In fact, the FTC is currently struggling with how to define "commercial" -- as in the e-mail regulated by CAN SPAM.