Speech Transcript – Ira Rubinstein, Statement of Ira Rubinstein – Testimony Before the Committee on Energy and Commerce

Statement of Ira Rubinstein, Associate General Counsel
Microsoft Corporation

Testimony Before the Committee on Energy and Commerce

Subcommittee on Commerce, Trade and Consumer Protection
and
Subcommittee on Telecommunications and the Internet

Hearing on Legislative Efforts to Combat Spam

July 9, 2003

Chairman Stearns, Chairman Upton, Ranking Member Schakowsky, Ranking Member Markey, and Members of the Subcommittees: My name is Ira Rubinstein and I am an Associate General Counsel at Microsoft Corporation. I want to thank you for the opportunity to share Microsoft's views on an issue that needs the attention of Congress and the work of your subcommittees: the adoption of effective anti-spam legislation that complements technological and industry-based measures and strengthens existing enforcement tools. There are plenty of statistics that document with convincing evidence that spam presents an intolerable burden to consumers and network operators alike, but all the evidence most Americans need is to log on their computer in the morning and see a string of e-mails that are at best distractions and all too often are illegal or shocking.

Last year, an estimated 1.8 billion spam e-mails were sent each day, accounting for nearly 40 percent of all e-mail sent over the Internet. This year, that number is expected to climb to well over 10 billion a day. That is over half of all e-mail sent worldwide and is up from 7 percent in 2001. See Jonathan Krim, Spam's Cost to Business Escalates, Washington Post, March 13, 2003 at A1 (citing study conducted by Brightmail Inc.).

Microsoft is here today because the risk of inaction and the risk of not combating spam will render this vital communications medium so cluttered with interference that it will no longer be seen as a reliable and efficient communications tool. Spam filters are doing their best; indeed, Microsoft's filters block over 2.4 billion spam messages a day. But the filters cannot keep up with the ever-growing volume of spam. And consumers, understandably, are quickly losing confidence in the value of their inboxes. We welcome the important work of the Subcommittees and the sponsors of anti-spam legislation and look forward to working with you to see that strong anti-spam legislation is passed to preserve e-mail as an important link in our society.

Microsoft brings to the debate on spam a perspective that sees the problem from different angles and reflects the policy balance facing the Subcommittees. As a provider of Internet and e-mail based services, Microsoft currently bears the bandwidth, storage, and software costs of processing spam and spends countless hours responding to customer concerns about their receipt of ever-growing amounts of junk e-mail. As a developer of filtering technology, we are constantly trying to prevent spam from clogging our e-mail system and stay a step ahead of spammers who use a range of illicit practices to avoid detection. And, as a company that uses e-mail to responsibly communicate with customers, we worry that our messages are getting lost in the noise of spam.

This perspective drives us to recommend a balanced, multi-pronged approach to combating spam. This approach depends on the combined efforts of industry and government, and includes the following elements:

  1. Developing and implementing new and more sophisticated technological tools to combat spam;

  2. Aggressive enforcement campaigns by both the private and public sector to penalize illicit spamming practices and deter others from engaging in these activities; and

  3. Federal legislation that strengthens existing enforcement tools and encourages the widespread adoption of e-mail best practices and a means for filters and consumers to identify senders that adhere to such practices.

First, I address the focus of this hearing: legislation to combat spam. I next turn to a discussion of technological developments and how we in industry are using our know-how to develop cooperative strategies to track down spammers. I then describe some of our recent enforcement actions against spammers and our work with law enforcement around the world to combat this growing problem.

Strong Federal Anti-Spam Legislation Is Needed

Microsoft supports strong federal anti-spam legislation because the current legal and regulatory regime is simply not up to the task. Although ISPs have achieved some success in using litigation and other techniques to police spam, existing laws need to be strengthened to focus on the problems raised by spam, such as the forging of sender information, that make it difficult to prosecute spammers successfully. Also, the spam problem is not one that can be eradicated through the efforts of Microsoft and other ISPs alone. For these reasons, we support federal anti-spam legislation that strengthens existing enforcement mechanisms, including the ability of ISPs to prosecute spammers on behalf of their customers, and provides both law enforcement and the FTC with additional means to penalize spammers. A number of important legislative proposals have been introduced along these lines, including H.R. 2214 and H.R. 2515, and we commend the sponsors of these bills for their insight and look forward to continuing to work with them to craft effective anti-spam legislation.

As the Subcommittees consider these proposals and seek to write legislation, we urge you to adopt:

  • Incentives for legitimate marketers to distinguish themselves and thereby improve technology. Legislation has a role to play in supporting effective filtering technology by creating incentives for e-mail marketers to adopt e-mail best practices and to certify themselves as trusted senders who can be more easily identified by consumers and filters alike. Promoting technology in this fashion is an important addition to any anti-spam proposal.

  • Strong civil and criminal penalties for fraudulent e-mails. Anti-spam legislation should prohibit the use of false or misleading header information (including source, destination and routing information), false or misleading subject lines, and the misuse of third-party domain names and IP addresses. It also should capture all bad actors involved in the chain of sending fraudulent e-mail.

  • Effective ISP, State AG and FTC Enforcement. Enforcement is a critical component of attacking the spam problem. ISPs and law enforcement currently invest considerable time and effort to locate and prosecute spammers on behalf of their customers. Anti-spam legislation should support these efforts and not raise roadblocks such as burdens of proof or affirmative defenses that will inhibit meaningful enforcement.

  • Express language that preserves ISPs' right to combat spam. ISPs have the incentive to combat spam; it is essential that ISPs maintain the ability to do so. Any anti-spam law should expressly state that its provisions do not impose an obligation upon ISPs to carry or block certain types of e-mail messages. Such a provision would not shelter ISPs from liability for filtering; rather, it would simply clarify that the anti-spam law does not grant senders of e-mail messages new rights that they do not have today.

  • Federal preemption with appropriate carve outs. Federal preemption of state statutes that regulate the sending of commercial e-mail messages is needed, provided the federal anti-spam law contains strong substantive requirements. However, ISPs rely heavily on state contract and trespass laws, as well as laws relating to computer fraud and theft, in their fight against spammers. Thus, preemption in any anti-spam law should carve out such important state laws.

Industry Best Practices Buttressed by Strong Enforcement

These legislative principles seek to enhance existing anti-spam technologies and leverage the self-regulatory features of a best-practices regime with serious, and necessary, enforcement mechanisms. To date, much of the effort in the fight against spam has been devoted to filtering, which involves the automatic analysis of e-mail messages to determine whether or not they are spam. Once a filter has determined that a message is spam, the e-mail system can take appropriate action, such as placing the message in a Junk Mail folder or deleting it prior to delivery. Filtering has proven to be a useful and necessary mechanism to reduce the volume of spam traveling over ISP and corporate networks.

An internal IT consultant at a Fortune 50 energy company conservatively estimates that filtering enables the company to save between $100 and $200 million per year. See Meredith Levinson, Seething Over Spam, CIO, Jan. 2003, available at http://www.cio.com/archive/111502/et_article.html.

Already, filters on the servers at MSN and Hotmail block more than 2.4 billion messages a day, before they ever reach our customers’ inboxes.

Even with the passage of legislation, filtering will continue to play an essential role, both as a means of dealing with those who ignore or are beyond the scope of the law (e.g., foreign spam) and to help consumers manage their inboxes. But technology needs help. Today, because filters do not have detailed information about senders, they may misclassify legitimate e-mail as spam (producing so-called false positives) and mistakenly fail to catch all spam (producing false negatives). By providing filters with more information about senders of commercial e-mail, we can reduce the risk of these types of mistakes and we can improve consumers' confidence in the e-mail messages they receive.

Both industry and government have important roles to play in enabling filters to work better. Industry can help by creating independent e-mail trust authorities that will establish commercial e-mail guidelines and certify senders who follow such guidelines through seals that can be read by filters and understood by consumers. Similar authorities already help in protecting consumers' privacy online, with organizations such as TRUSTe and BBBOnline providing certification for websites that follow certain privacy guidelines. Backed by sufficient industry support, e-mail best practices could similarly help distinguish between legitimate businesses and spammers.

One program that has established guidelines for e-mail communications is described at http://www.postiva.com/article/sitemap.

Government can help by jump starting the creation of and participation in independent e-mail trust authorities. Today, few industry members follow broadly adopted e-mail guidelines and even fewer utilize technology to show that their messages adhere to such guidelines. An effective way to encourage marketers to adopt e-mail best practices is to give them an incentive to do so. Our proposal is that an advertisement or ADV: label be put on all unsolicited commercial e-mail unless the sender comes within a Safe Harbor that requires membership in an FTC-approved self-regulatory organization that complies with certain e-mail best practices. We want to make it clear that we are not proposing a stand-alone ADV: requirement but rather see it as a means to drive the widespread adoption of e-mail best practices. There may be other sound ideas on giving industry incentives to adopt e-mail best practices but use of the ADV: label has the additional benefit of allowing consumers to easily identify unsolicited commercial e-mail and to customize their spam filters to either deliver such mail or automatically delete it.

Without mandating a technology or one-size-fits-all solution, this Safe Harbor proposal identifies several basic components that industry guidelines must incorporate, such as notice to consumers regarding the use and disclosure of their e-mail addresses. But the proposal is market-based, permitting industry to take the lead in developing specific guidelines that go above and beyond the basic e-mail best practices identified. This will allow industry self-regulatory organizations to emerge and compete on the basis of the strength of the e-mail practices they certify and on their enforcement. The Safe Harbor proposal also gives the FTC the authority to ensure e-mail trust authorities adopt e-mail practices that satisfy legislative requirements. Participants that fail to live up to the guidelines would face involuntary termination and mandatory public reporting. In addition, such participants would be referred to the FTC, thus providing the FTC with an additional enforcement tool.

Critics claim that industry can do this on its own and therefore legislation is not necessary. But without appropriate incentives, there is no guarantee that a critical mass of industry members will certify their adherence to industry e-mail best practices. Without a critical mass, makers and users of spam filtering software will not bother to modify their software to recognize senders that participate in e-mail best practice programs. If only a few makers of email software modify their software to recognize such participants, few, if any, senders will comply because it would not be worth the expense.

On the other hand, with a critical mass of participants, developers and users of spam filtering software would find it very useful to use a certificate of compliance with e-mail best practices as a means to help them avoid filtering good mail. In addition, legitimate senders would find it worth their cost to sign up. Better yet, if most or all legitimate mail senders sign up, then any remaining commercial e-mail would be from those unlawful spammers who do not abide by e-mail best practices and such e-mail could be filtered aggressively. In the end, filters would work as intended and block unlawful spam from reaching consumers' inboxes.

Microsoft believes that the widespread adoption of e-mail best practices along with a method to associate e-mail communications from businesses that adopt such best practices will ameliorate many of the problems currently associated with spam. Consumers will be able to exercise choice since they can recognize e-mails from businesses that follow e-mail practices with which they are comfortable; businesses will be able to distinguish their legitimate electronic communications from spam; and filters will be better equipped to identify e-mail communications from legitimate senders, thereby reducing false-positive and false-negative problems.

Spam Threatens Viability of E-mail As A Communications Medium

The reason why strong federal anti-spam legislation is needed is because spam plainly threatens the viability of what has become a critical communications medium. The anti-spam software company Brightmail has projected that at least half of all e-mails individuals and businesses receive will be spam by September 2003 or earlier.

PR Newswire, Spam on Course to Be Over Half of All E-mail This Summer, July 1, 2003.

By 2007, unless significant changes are made, it is estimated that more than 70 percent of all e-mail messages will be spam.

ePrivacy Group, Spam: By the Numbers (2003), available at http://www.eprivacygroup.com (citing Radicati Group).

The reason for this exponential growth is simple: spam is cheap and easy to send. For roughly ten dollars a month, a spammer can obtain an ISP account and for another thirty dollars, websites such as BulkBarn.com offer all of the following: 300,000 fresh bulk e-mail addresses a week, bulk e-mail starter kits, and free bulk e-mail software.

Melissa Solomon, The Other Side, Computerworld, November 11, 2002, available at http://www.computerworld.com/softwaretopics/software/groupware/story/0,10801,75736,00.html.

Using such systems, spammers can send 650,000 e-mails per hour from an inexpensive mail server. And given that 100 responses for every 10 million messages sent can generate a profit, spammers have no financial incentive to stop the massive junk mailings.

ePrivacy Group, Spam: By the Numbers (2003), available at http://www.eprivacygroup.com (citing the Detroit Free Press); Mylene Mangalindan, For Bulk E-mailer, Pestering Millions Offers Path to Profit, Wall Street Journal, November 13, 2002.

There is little reason for a spammer to limit the number of messages sent, or be selective about the chosen recipients, since the marginal cost of every additional message is effectively zero.

Of course, spam is cheap to send, but not to receive. Ferris Research estimates that spam will cost U.S. corporations more than $10 billion in 2003.

Scott Bekker, Spam to Cost U.S. Companies $10 Billion in 2003, ENT News, January 9, 2003, available at http://www.entmag.com/news/article.asp?EditorialsID=5651 (citing conclusions of Ferris Research study). [ can we cite to actual Ferris Report? ]

This figure includes productivity losses and the additional equipment, software, and manpower needed to combat the problem. According to some analysts, it costs roughly $250 to send a million spam messages, but it costs about $2,800 in lost wages, at the federal minimum wage, for those same million spam messages to be deleted.

Theo Emery, Meeting Takes Aim at Spam, Associated Press (citing researcher at MIT), available at http://www.ohio.com/mld/beaconjournal/business/5028845.htm.

And spam impacts all organizations, big and small. IDC estimates that for a company with 14,000 employees, the annual cost to fight spam is $245,000.

Jonathan Krim, Spam's Cost to Business Escalates, Washington Post, March 13, 2003 at A1, available at http://www.washingtonpost.com/ac2/wp-dyn/A17754-2003Mar12.

ISPs are hit particularly hard by the spam problem. They spend millions of dollars each year because of spam, implementing and updating filtering software, providing additional server space and processor power to deal with the high volumes of e-mail, and giving support to customers frustrated by the receipt of a barrage of unwanted messages. In addition, the transport and delivery of spam places significant stress on ISPs' mail servers, delaying the speed and effectiveness of all e-mail communications and causing system outages.

Spam also harms the ability of legitimate businesses to use e-mail to communicate with existing customers. Many businesses are simply afraid to use e-mail to contact their customers for fear of being branded spammers. Others are concerned that their e-mails will not be found among the mass of spam filling up most consumers' in-boxes. This is of particular concern for critical service industries such as security and insurance firms, where customer contact is regulated and necessary and the communication vehicle they use must be reliable.

The economies of spam favor the abusers and disfavor the victims, i.e., consumers. Consumers are forced to spend time and energy assessing, reviewing, and discarding spam. In a study recently released by Symantec Corporation, 65 percent of the 1,000 people surveyed reported spending more than 10 minutes each day dealing with spam.

News Release, Symantec Survey Reveals Growing Concerns Over Spam, http://www.symantec.com/press/2002/n021202.html.

And 37 percent of the survey respondents indicated that they received more than 100 spam messages each week.

Id.

Consumers also must contend with e-mail messages that use misleading subject lines to induce them or, worse, their children into viewing messages that contain sexually explicit material. According to Symantec's survey, 69 percent of respondents agreed or strongly agreed that spam is generally harmful to e-mail users. In addition, 77 percent of respondents with children under the age of 18 noted that they are concerned or very concerned about their children reading spam.

Id.

From virtually any perspective, spam has become a significant problem that threatens to cripple the worldwide e-mail system. Consumers are walking away from their e-mail accounts because they simply can't deal with the problem. It is time for the private and public sectors to come together to preserve the viability of this critical communications medium.

Industry Is Developing New Technological Tools To Combat Spam

We recognize that federal legislation alone is not sufficient to combat spam. This is why a critical element of Microsoft's multi-faceted anti-spam strategy focuses on developing new and more sophisticated technological tools. Recognizing the increasing importance of fighting spam on behalf of our customers, we recently created a new Anti-Spam Technology and Strategy Group that brings together specialists from across the company and integrates all of our anti-spam strategy and R&D efforts. The combined efforts and expertise of this group have enabled us to create new anti-spam technologies that are even more precise, easier to use, and adaptable. We are working to integrate them into more of our products, particularly MSN, Hotmail, Outlook and Exchange.

For example, MSN 8 employs machine-learning technology to enable customers to train their filters to separate desirable e-mail from undesirable spam. It also uses a collection of more than 200 million e-mail addresses, called a Probe Network, to attract spam before it is delivered to a customer's e-mail inbox. Finally, it allows customers to choose from three levels of filtering protection to capture certain types of incoming e-mails, or they can choose to receive e-mails only from individuals who are on their safe lists. Microsoft also recently updated MSN 8 with further improvements in its spam technologies, giving customers an option to block offensive images in e-mail, and adding the ability to filter mail in languages besides English.

Microsoft also recently announced the inclusion of new anti-spam technologies in our new Exchange Server 2003 for partners. One tool allows partners to integrate their anti-spam solutions with Exchange Server 2003 functions. Partner solutions will be able to scan incoming e-mail messages and attach a numeric score, or Spam Confidence Level (SCL), to each message. The SCL indicates the probability that the message is spam, and based on a threshold set by an administrator, the message will be forwarded to either the recipient's inbox or junk mail folder. Exchange 2003 also allows administrators to assign enterprise-wide allow/deny lists and to integrate real-time black hole list services, which provide immediate spam blocking if a sender is a known spammer. In addition to its anti-spam tool, Exchange Server 2003 works with junk mail filters in Microsoft Office Outlook 2003. These filters allow users to block content using default settings, assign safe and block lists, automatically file junk mail to their trash folders, and profile spam by assigning points or scores to certain keyword identifiers.

Microsoft has also joined forces with other ISPs to better enable systems operators and consumers to block and filter spam. In April, Microsoft, AOL and Yahoo! announced a wide-ranging set of initiatives to fight spam together. Since then, Earthlink has joined the effort, which involves promoting business guidelines, best practices and technical standards that can help curb spam sent or received via any online service or computing platform.

As an example of our combined work in this regard, we are working on a new initiative aimed at eliminating the common practice of domain spoofing where spammers substitute fictitious sending addresses and even remove all origination data to mask their true identity and location. Under this initiative, software used in transmitting and receiving e-mail will be able to determine whether a message that claims to originate from was actually sent from example.com. Spam filters can then take into account evidence of a spoofed domain when deciding whether or not a message is spam. This simple change alone will help filter out a significant percentage of spam.

ISPs are working together to support other anti-spam technological advancements, including restricting e-mails from systems determined to be open to unauthorized use (such as open relays, open routers, or open proxies). We are also working together to share information about spammers who set up many different e-mail accounts to avoid detection. This will help put an end to this game and shut spammers down more effectively.

Enforcement Is A Critical Component of Combating Spam

Enforcement is another critical element of our multi-pronged approach to fighting spam. On June 16, Microsoft filed 15 lawsuits in the United States and the United Kingdom against companies and individuals alleged to be responsible for billions of spam messages sent in violation of state and federal laws. We have undertaken this enforcement campaign in response to the thousands of subscriber complaints received every day. Like other providers of Internet access and e-mail services, our top priority is ensuring that our subscribers feel comfortable using e-mail to communicate.

Our aggressive litigation campaign is targeted at stopping some of the most offensive e-mail practices affecting Microsoft customers. In some cases, defendants are alleged to have used deceptive and misleading subject lines to disguise e-mail messages that actually contained pornographic images, dating service solicitations and other adult services. One case involves e-mail messages that include a false virus warning. Recipients are instructed to download an update purported to protect their system, when in fact the download is nothing more than a toolbar that appears to track their movements on the Internet. In other cases, defendants are alleged to have spoofed the sender's e-mail address, making it seem that the spam originated from hotmail.com or other recognized senders. Among the defendants in the lawsuits are several individuals and entities that are listed as known spammers on Internet registries that monitor spam activities worldwide.

Microsoft will continue to work with law enforcement around the world to enhance their enforcement efforts against spammers who rely on fraudulent means of transmission to circumvent anti-spam filters and mislead recipients. Such efforts will include: (1) developing better mechanisms for preserving electronic evidence relating to spammers' activities; (2) coordinating among ISPs and industry members to help ensure that anti-spam enforcement efforts are most effectively deployed against spam senders who cause the greatest impact on consumers; and (3) similarly coordinating in referring spammers for civil or, where appropriate, criminal enforcement actions. The goal of this effort will be to make spammers more accountable and to deter would-be spammers from using such outlaw techniques to send e-mail to consumers.

***

Spam is a serious problem and the public and private sectors must coordinate on a broad response if we are going to be effective in addressing it. We believe that a multi-faceted approach is needed: better technology tools to enable consumers to keep spam from getting to their computer screens; more collaboration among the industry leaders so we can combine our resources; aggressive enforcement against people who are breaking the law; and effective federal anti-spam legislation that strengthens enforcement tools and enables technology to work better for the benefit of consumers. We commend the Subcommittees for holding this hearing today and appreciate your determination to seek strong legislation to help combat spam. And we thank you for extending us an invitation to share our experience and recommendations with you. Microsoft is committed to working with you to craft effective federal anti-spam legislation that will thwart the efforts of those who abuse e-mail and preserve the viability of the medium.
