Cybercrime and abuse are massive problems on the Internet, and on social media in particular. While many of these problems are yet to be solved, we can learn from the example of the fight against spam, which is by far the most mature of these battles.
Spam filtering was the first widespread success for artificial intelligence, and it illustrates both AI’s strengths and its limitations. In parallel, legislators also tried to help with this problem, most notably through the CAN-SPAM Rule. Courts were also helpful in taking down several of the networks responsible for sending massive quantities of spam.
I personally worked on this problem at Microsoft, including the spam filters in Microsoft Outlook and outlook.com, among others. I often participated in Microsoft’s efforts to get courts to take down botnets, such as providing the data needed to make the case. As such, I have a unique perspective on both the technical and legal approaches taken in this space.
In this post, I’m taking a look specifically at the legal approaches to stopping spam: do they help?
The trajectory of spam
Spam is a nuisance. The first spam email was sent in 1978, but it really took off around 2000-2002, when spam rose from 8% of all email to over 40%.
At its peak, around 2008, over 90% of all email on the Internet was spam, and this number is actually an underestimate. Since then, spam has been in long-term decline. It has gone from the vast majority of all email sent on the Internet to less than a third.
In this time, spam filters have also gotten much better. For many people, spam has gone from clogging up half of their inbox to an occasional nuisance. To be clear, it’s still far from solved—and a third of all email sent being malicious still imposes large costs and risks.
CAN-SPAM be solved by law?
The CAN-SPAM Act was an attempt to solve spam with laws. The law effectively made it illegal to send commercial email without giving recipients an easy way to opt out of future messages. Since there are a limited number of people sending spam and recipients can unsubscribe, this sounds like a plausible solution. Unfortunately, it had almost no impact on spam.
One of the biggest challenges for spammers is curating a list of email addresses belonging to people who are likely to read and respond to the messages. Most people skip over or delete spam emails without opening them.
The spammers were required, by law, to provide an easy way to unsubscribe from future emails. The spammers, however, happily accepted this unsubscribe notice and took it as a sign that the email address belonged to someone who read spam messages—a great future target.
That company could no longer send to the recipient, but this was easily circumvented without even breaking the law. It’s very inexpensive to create a new company, and the same spammer could rotate through a large number of legal entities to keep sending messages to this captive audience.
This is a frequent problem encountered in the world of cybercrime. You can get a US-based company for $89 in Delaware. There are likely other places around the world that are cheaper.
Let’s say a spammer has a list of tens of millions of email addresses—a small fraction of the billions active around the world—and could only send one email to each person on the list before needing to create a new company.
The cost of establishing the company would work out to less than 0.001 cents per email, and that ignores sending multiple emails to people who don’t unsubscribe. Spammers make something like 0.1 cent per email sent, so this is a small cost to their operation.
Spam is a business, not a hobby. These economic factors drive the decisions the spammers make. While this economic incentive doesn’t apply to all cybercrime, it is common across most of the prevalent forms.
Taking down botnets
While the CAN-SPAM law was misguided and easy for spammers to work around, another approach showed the law can be effective—though in this case the impact was still moderate.
As noted, spammers treat their operation as a business. One way they reduce costs is to infect tens to hundreds of millions of computers around the world with computer viruses and send spam from this network.
Running their own sending infrastructure costs money, so a botnet saves costs for some of them. Of course, taking over people’s computers is blatantly illegal, unlike spam itself, so most of the more effective spammers avoid this approach. But it’s still a meaningful portion of the overall spam in the world.
When Microsoft worked with courts to take down Necurs, it found a single computer in the network sent spam to over 40 million people. And there were around 9 million computers infected.
In my experience, takedowns like this change the total amount of spam out there, but spam sent via botnets is much more likely to be caught by spam filters at major email providers, so the impact on inboxes is less.
Is the legal approach viable?
So far, legal approaches to stopping spam have been hit-or-miss. CAN-SPAM had virtually no impact, while botnet takedowns have meaningfully reduced the amount of spam sent.
While legal approaches have had a low impact on how much spam makes it through to your inbox at major email providers, they have helped people and businesses who run their own email infrastructure. This shows legal approaches can meaningfully help, even if their impact to date has been limited. We can draw lessons from this experience.
Defining the problem is often among the most challenging parts. CAN-SPAM attempted to do this by recognizing that most spam is commercial and imposing requirements on all businesses sending email.
We should assume the bad guys have access to as many companies as they need, and can “sell” information across these companies. Limits that go away if you establish a new company will not be effective.
The bad guys also break into computers on a massive scale. Detecting coordination among millions of hacked computers is an effective means of identifying malicious activity, and action can then be taken against these networks.
It’s easier to identify and stop large coordinated activity than individual companies, which are easy to replace.
The legal approach is a viable one, but its impact to date has been small. We need substantial improvements to make progress here.
In future posts, I’ll take a look at the technical solutions to spam, showing how AI helps with these problems. These techniques also have major gaps, which will enable us to circle back and show where the legal system could most effectively complement these approaches to solve the problem.