Spam is one of those problems that everyone (except Derek) despairs of ever solving; indeed, Cory Doctorow’s check-box form letter response to anti-spam proposals remains as salient as ever. So it’s hard to know what, if anything, to make of today’s news that the United States now accounts for nearly one-quarter of the world’s spam (originally noted on Slashdot here). Somewhat buried in the article, but worth emphasizing, is that the statistics don’t necessarily indicate where the spammers are, but rather where the computers they are using to send the spam are (including, most likely, yours, if you’re running an unpatched version of Windows). The spammers themselves may be anywhere in the world and, if they happen to be living in one of the small number of world jurisdictions that actively fight spammers, may be presumed to be adequately adept at covering their tracks.
So battling spam at the supply side means battling an unknown, but very large, array of zombified PCs whose owners are not themselves spammers. How to change the behavior of thousands of computers when their owners are most likely not even aware that anything is amiss? It’s a desperately vexing conundrum, made worse by the propensity of proposed technological fixes to compound, rather than ameliorate, the problem.
The new article offers little hope; it recommends “that computer users ensure they keep their security software up-to-date, as well as using a properly configured firewall and installing the latest operating system security patches.” In other words, precisely the prescription that has thus far failed to stem the tide of spam.
Is there even a colorable opportunity here for the legal system to step in? The answer is yes, it seems to me, but the alternative that would have the greatest likelihood of success is the most politically unpalatable: to wit, impose monetary liability on owners of zombified PCs. Liability rules can channel individual behavior in socially useful ways in proper circumstances, and owners of unpatched Windows PCs are, if nothing else, arguably at least negligent, so there wouldn’t seem to be any due process objection based solely on lack of culpability. Forcing owners of infected Windows PCs to bear more of the costs that their conduct imposes on the rest of us might even drive more users to alternative operating systems that don’t suffer from the same security flaws.
This will never happen, because it would be an unmitigated disaster from a PR perspective — just imagine the parade of tearful parents explaining to Congress how they just bought their kids a computer to help them with their homework and can’t understand why they’re now being forced to pay because some Russian mafioso hacked into their kid’s PC and used it to hawk herbal Viagra. But it’s hard not to conclude that, if there is to be any form of effective legal response to the spam epidemic, it will have to be something much closer to that end of the spectrum and farther away from the justly ridiculed CAN-SPAM Act.