Following up from my previous post on the requirements for the CAN SPAM Act, John Levine has written an article about why there are so few spam lawsuits when the law has been in effect for almost seven years. Levine’s point (in this article) essentially is that antispam lawsuits are difficult to win. Here’s an excerpt:
There are a couple of reasons, but by far the largest one is that, unless the recipient is unusually lucky, anti-spam lawsuits are difficult to prosecute and win. The evidence in such suits is very technical--mail headers, WHOIS data, traceroutes, ASN numbers, affiliate codes and HTTP redirections that tie a sender to a particular message, or more likely, a thousand messages. Judges tend to be reasonably smart, but few of them have a technical background. That means that before a judge can rule sensibly on a spam case, he or she needs to learn about the statutes and case law that apply, and also enough about e-mail technology to understand the evidence and evaluate the credibility of the lawyers' arguments on each side. Ideally (at least from the point of view of someone filing a suit), the judge would take a continuing legal education (CLE) course that covered the topic, and be well-informed and ready to go when the case starts. What this means is that the only cases that are likely to be filed are very easy ones, where the spammer didn't hide his identity or use affiliates, so the connection from the spam to the spammer is easy to show, or ones where the plaintiff has the legal skills to do a lot of the case work himself to keep the costs affordable.
I’m not sure whether or not I agree with Levine since I don’t have much background in legal cases. To be sure, unless a judge is familiar with technology, they might not be aware of what technology can and cannot do, what works and what doesn’t.
But I think I would add another reason to the mixture, and that is that it can be difficult to actually arrest and charge spammers, let alone prosecute them. I will speak of the case of Dmitry Golubov, now the leader of the Internet Party of Ukraine, a political party based in the Ukraine. Golubov is the alleged kingpin (or at the very least, a very high-ranking officer) of the illegal group known as CarderPlanet. CarderPlanet was a phishing and hacking operation that dealt in stolen financial information of westerners (among others, but mostly westerners). Participants of Carder could buy and sell financial credentials with which to commit online fraud. It was just like something out of those bad movies where online criminals can do what they want.
Western authorities, including the FBI, had been chasing Golubov for years but couldn’t get officials in the country to take action. Finally, late 2004 and early 2005 saw regime change in the country, and a pro-western government came to power. For months, no action was taken, but finally Golubov was arrested and spent a few months in jail. However, he was sprung by two Ukrainian politicians and decided to form his own political party. If elected, he is not liable for past crimes (that is, he doesn’t have to serve a prison sentence). Pretty good deal if you’re a spammer.
Some of the worst criminals in the spamming underworld are located in eastern Europe and Russia. Many of them are known to the authorities but they are not pursued by legal authorities. The thinking is that they have a degree of protection. Yes, defrauding westerners is a bad thing, but these characters are handy to have around in case they need to launch a cyber-attack upon a rogue state like Estonia or Georgia. Whether or not they are actively protected by governments, they are at least passively protected in that they are not being pursued.
The problem, then, is complex, and again it is cultural. Legal authorities in Russia can have, how do we say it, problems with corruption. Some parts of Russia can be an expensive place to live, and law enforcement doesn’t have the highest salary. Their services are available to the highest bidders as well. And when the government decides that spammers might be useful for a geopolitical purpose, there is a low chance indeed that western officials will ever get their day in court.
Remember, I've been an expert in a lot of spam cases. When I talk about educating judges, I speak from experience. They're smart, but they don't know much about technology.
You're right that it's a challenge to arrest people in countries where the authorities don't want to arrest them, but there are plenty of spammers right here in the US.