A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) New CDT Report Shows How Spammers Can Get Your E-Mail Address
(2) Spam "Harvesters" Target Web Sites, Newsgroups
(3) Privacy Policies and Exercising Choice Can Help Users Limit Spam
A new report from the Center for Democracy & Technology entitled "Why Am I Getting All This Spam?" sheds some light on one of the Internet's most pressing issues -- unsolicited commercial e-mail, a.k.a. spam.
Armed with lists of e-mail addresses, "spammers" send billions of e-mail messages every day, mostly to users who don't want them. As it mounts up, this spam inconveniences tens of millions of Internet users and imposes huge costs on ISPs.
Part of what has made spam such a difficult issue is that it's often impossible to tell how a spammer acquired a user's e-mail address. To address this, CDT embarked on a project to begin to determine the source of spam. We set up hundreds of single-use e-mail addresses and posted or disclosed them on Web sites and newsgroups, and to a variety of corporate and organizational online service providers.
It should come as no surprise to most e-mail users that many of the addresses CDT created for this study attracted spam (nearly 9,000 spam messages in all), but it is interesting to see the different ways that the addresses attracted spam depending on where the e-mail addresses were placed.
The project's results offer Internet users some insight about how certain online behaviors can result in spam, as well as tips to help users reduce the spam that they receive.
"Why Am I Getting All This Spam?" is available at http://www.cdt.org/speech/spam/030319spamreport.shtml [HTML] http://www.cdt.org/speech/spam/030319spamreport.pdf [PDF]
Additional information about spam, and the policy issues associated with it, is available at http://www.cdt.org/speech/spam/
Over 97% of the spam we received was delivered to addresses that had been posted on public Web pages. Spammers use software harvesting programs such as "robots" or "spiders" to record e-mail addresses listed on Web sites, including both personal Web pages and institutional (corporate or non-profit) Web pages. These programs scour the code of Web pages looking for anything that looks like an e-mail address. When they find one, they add it to a list for future spamming.
Spammers' use of harvesting programs is not limited to Web pages. We found that they are also used to siphon e-mail addresses from the headers of postings to USENET newsgroups. We received spam to 85% of the addresses we used to post on USENET.
In order to understand how these harvesting programs work, we tested two methods of "obscuring" e-mail addresses to prevent their harvesting. We found that posting an address in "human-readable" form -- i.e., the address "user@example.com" could be written "user at example dot com" -- or in HTML-obscured form -- a form that Internet browsers can read, but harvesting programs can't, i.e. "user@example.com" becomes "user@ex ;ample.com" -- is an effective way to avoid spam. None of the obscured addresses we used in our postings, either on Web pages or in USENET postings, received a single piece of spam.
As technology advances, harvesters may gain the ability to see through these methods of obscuring an e-mail address. For the time being, obscuring is an effective way to avoid spam.
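The two obscuring methods described above can be checked against a page before it is published. The following is an added example, not code from the CDT report: it assumes "HTML-obscured" means decimal character references, and the function names, the pattern and the sample page are constructed for illustration.

```python
import html
import re

# Pattern for "anything that looks like an e-mail address" in raw page source.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def exposed_addresses(page_source):
    """Addresses that appear as plain text in the page source."""
    return sorted(set(ADDRESS_RE.findall(page_source)))

def entity_encode(address):
    """HTML-obscured form: every character as a decimal character reference."""
    return "".join(f"&#{ord(ch)};" for ch in address)

def human_readable(address):
    """Human-readable form, e.g. 'user at example dot com'."""
    local, _, domain = address.partition("@")
    return f"{local} at {domain.replace('.', ' dot ')}"

def obscure_page(page_source):
    """Replace each plain address in the source with its HTML-obscured form."""
    return ADDRESS_RE.sub(lambda m: entity_encode(m.group(0)), page_source)

def browser_view(page_source):
    """Decode character references the way a browser does before display."""
    return html.unescape(page_source)

# Constructed sample page: the address appears in a mailto link and in text.
SAMPLE_PAGE = (
    '<p>Contact: <a href="mailto:user@example.com">user@example.com</a></p>'
)

if __name__ == "__main__":
    print("before:", exposed_addresses(SAMPLE_PAGE))
    obscured = obscure_page(SAMPLE_PAGE)
    print("after: ", exposed_addresses(obscured))
    print("browser still shows:", exposed_addresses(browser_view(obscured)))
    print("human-readable:", human_readable("user@example.com"))
```

Because `browser_view` recovers the address with a single decoding step, the check also shows why this protection lasts only as long as harvesters read raw source without decoding it.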
Our project also examined whether disclosing an e-mail address to popular Web companies and other organizations could lead to an increase in spam. We also looked at whether "opting-out" of e-mail from these Web sites would have an impact on the amount of e-mail received by an e-mail address. We found that both privacy policies and "opt-outs" can play an important role in helping users control the amount of spam they receive.
Many of the Web sites to which we disclosed e-mail addresses had posted policies describing how those addresses would be handled, including whether they would be shared with third parties, used for marketing purposes, or other important details. While the terms of the policies we encountered varied, we found that almost all sites followed the policies they had posted on their Web sites. Users who are concerned about spam should review the privacy policies of any Web sites to which they consider disclosing their e-mail address.
In addition, when users were offered the opportunity to "opt-out" of future e-mail communications, that choice was respected in the majority of cases. In most cases, within a few days of "opting-out" of future communications for a given e-mail address, the flow of e-mail to that address stopped. There were, however, a few instances in which we tried to "opt-out" of future e-mail communications to a certain e-mail address, only to have the flow of spam continue.
More information about these exceptions and additional data from the project are available in our report, "Why Am I Receiving All This Spam?".
Currently there is no foolproof way to prevent spam. Based on our research, we recommend that Internet users try the following methods to prevent spam:
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_9.08.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 9.08 Copyright 2003 Center for Democracy and Technology