[Senate Report 108-170]
[From the U.S. Government Publishing Office]

Calendar No. 288
108th Congress, 1st Session
SENATE
Report 108-170

THE CRIMINAL SPAM ACT OF 2003

October 22, 2003.--Ordered to be printed

Mr. Hatch, from the Committee on the Judiciary, submitted the following

REPORT

[To accompany S. 1293]

The Committee on the Judiciary, to which was referred the bill (S. 1293) to criminalize the sending of predatory and abusive e-mail, having considered the same, reports favorably thereon, with an amendment in the nature of a substitute, and recommends that the bill, as amended, do pass.

CONTENTS

I. Purpose and Summary
II. Background and Need for the Legislation
III. Discussion
IV. Legislative History
V. Votes of the Committee
VI. Section-by-Section Analysis
VII. Cost Estimate
VIII. Regulatory Impact Statement
IX. Changes in Existing Law

I. Purpose and Summary

The purpose of S. 1293, the ``Criminal Spam Act of 2003,'' is to criminalize the sending of bulk commercial e-mail (commonly known as ``spam'') through fraudulent and deceptive means. The bill amends title 18, United States Code, to prohibit five principal techniques that spammers use to evade filtering software and hide their trails. Penalties for violations of the new criminal prohibitions include imprisonment, fines, and forfeiture of proceeds. Offenders may also be subject to civil enforcement actions brought by either the Department of Justice or by an Internet Service Provider (``ISP'').

II. Background and Need for the Legislation

Sophisticated spammers send millions of e-mail messages quickly, at an extremely low cost, with no repercussions. The sheer volume of spam, which is growing at an exponential rate, is overwhelming entire network systems, as well as consumers' in-boxes. By the end of the year 2003, it is estimated that fifty percent of all e-mail traffic will be spam.

The rapid increase in the volume of spam has imposed enormous costs on our economy. A recent study by Ferris Research estimates that spam will cost U.S. businesses more than $10 billion in 2003 as a result of lost productivity and the need to purchase more powerful servers and additional bandwidth, configure and run spam filters, and provide help-desk support for spam recipients. The costs of spam are significant to individuals as well, including time spent identifying and deleting spam, inadvertently opening spam, installing and maintaining anti-spam filters, tracking down legitimate messages mistakenly deleted by spam filters, and paying for the ISPs' blocking efforts.

And there are other prominent and equally important costs of spam. It may introduce viruses, worms, and Trojan horses into personal and business computer systems, including those that support our national infrastructure. It has become the tool of choice for those who distribute pornography and indulge in fraud schemes. Rarely a minute passes without American consumers and their children being bombarded with e-mail messages promoting pornographic web sites, illegally pirated software, bogus charities, pyramid schemes and other ``get rich quick'' or ``make money fast'' scams.

Spam also offers fertile ground for deceptive trade practices. The Federal Trade Commission estimates that nearly 66 percent of spam contains some kind of deception, either in the content, the ``subject'' line, or the ``from'' line.
And an astonishing 90 percent of spam involving investment and business opportunities contains indicia of false claims. This rampant deception has the potential to undermine Americans' trust of valid information on the Internet and threaten the future viability of all e-commerce.

ISPs are doing their best to shield customers from spam, blocking billions of unwanted e-mails each day, but the spammers are winning the battle. Among the barriers ISPs face when attempting to stop spam is that spammers use false and fraudulent means to avoid detection and identification. The Criminal Spam Act takes initial steps to address this problem.

III. Discussion

The Criminal Spam Act prohibits five deceptive techniques that spammers use to evade filtering software and get their unwanted e-mails into America's inboxes.

First, the bill prohibits hacking into another person's computer system and sending bulk spam from or through that system. This would criminalize the common spammer technique of obtaining access to other people's e-mail accounts on an ISP's e-mail network, for example by password theft or by inserting a ``Trojan horse'' program--that is, a program that unsuspecting users download onto their computers and that then takes control of those computers--to send bulk spam.

Second, the bill prohibits using a computer system that the owner makes available for other purposes as a relay or retransmission point for bulk spam, with the intent of deceiving recipients as to the origins of the spam. This prohibition would criminalize another common spammer technique--the abuse of third parties' ``open'' servers, such as e-mail servers that have the capability to relay mail, or proxy servers that have the ability to generate or retransmit e-mail, such as ``form'' e-mail utilities on Web servers.
Spammers commandeer these servers to send bulk commercial e-mail without the server owner's knowledge, either by ``relaying'' their e-mail through an ``open'' e-mail server, or by abusing an ``open'' proxy server's capability to generate or retransmit e-mails as a means to originate spam. In some instances the hijacked servers are even completely shut down as a result of tens of thousands of undeliverable messages generated from the spammer's e-mail list.

Third, the bill prohibits falsifying the header information that accompanies e-mail, and sending bulk spam accompanied by or containing that false header information. More specifically, the bill prohibits forging information regarding the origin of an e-mail message, the route through which the message penetrated, or attempted to penetrate, ISP filters, or information authenticating the user for network management or network security purposes--for example, as a ``trusted sender'' who abides by appropriate consumer protection rules. The last type of forgery will be particularly important in the future, as ISPs and legitimate marketers develop ``white list'' and similar rules and technologies whereby e-mailers who abide by self-regulatory codes of good practices will be allowed to send e-mail to users without being subject to anti-spamming filters. There is currently substantial interest among marketers and e-mail service providers in ``white list'' technology solutions to spam. However, such ``white list'' systems would be useless if outlaw spammers are allowed to counterfeit the authentication mechanisms used by legitimate e-mailers.

Fourth, the bill prohibits registering for multiple e-mail accounts or Internet domain names using information that falsifies the identity of the actual registrant, and sending bulk e-mail from those accounts or domains.
This provision targets deceptive ``account churning,'' a common outlaw spammer technique that works as follows: The spammer registers (usually by means of an automatic computer program, or by means of individuals located in other countries) for large numbers of e-mail accounts or domain names, using false registration information, then sends bulk spam from one account or domain after another. This technique stays ahead of ISP filters by hiding the source, size, and scope of the sender's mailings, and prevents the e-mail account provider or domain name registrar from identifying the registrant as a spammer and denying his registration request. Falsifying registration information for domain names also violates a basic contractual requirement for domain name registrations.

Fifth, the bill addresses another significant hacker spammer technique for hiding identity that is a common and pernicious alternative to domain name registration--hijacking unused Internet Protocol (``IP'') addresses and using them as launch pads for spam. Hijacking large blocks of IP address space is not difficult: Spammers simply falsely assert that they have the right to use that space, and obtain an Internet connection for the addresses. Hiding behind those addresses, they can then send vast amounts of spam that is extremely difficult to trace.

Penalties for violations of these prohibitions are graduated. Recidivist offenders under federal or state anti-hacking or spam laws and those who send spam in furtherance of another felony may be imprisoned for up to five years. Large-volume spammers, those who hack into another person's computer system to send bulk spam, those involved in offenses involving 20 or more falsified e-mail accounts or 10 or more falsified domain names or any combination thereof, those who cause more than $5,000 in ``loss'' as defined in 18 U.S.C. Sec.
1030 during a one-year period, those who, as a result of the offense, obtain anything of value aggregating $5,000 or more during a one-year period, and spam ``kingpins'' who use others to operate their spamming operations may be imprisoned for up to three years. Other offenders may be fined and imprisoned for no more than one year. Convicted offenders are also subject to forfeiture of proceeds and instrumentalities of the offense, and the U.S. Sentencing Commission is directed to consider sentencing enhancements for offenders who obtained e-mail addresses through improper means, such as harvesting and randomly generating e-mail addresses (in what is known colloquially as a ``dictionary attack''), or who know that commercial e-mail addresses contain or advertise an Internet domain for which the registrant has provided false registration information.

In addition, as a supplement to criminal enforcement, the bill provides for civil enforcement by the Department of Justice and aggrieved ISPs against spammers who engage in conduct that the bill prohibits, as well as anyone who conspires with them.

Finally, because an effective solution to the spam problem requires the cooperation and assistance of our Nation's international partners, the Criminal Spam Act directs the Department of Justice and Department of State to report to Congress within 18 months regarding the status of their efforts to achieve international cooperation from other countries in investigating and prosecuting spammers worldwide.

In approving the Criminal Spam Act, the Committee determined that it does not raise concerns under the First Amendment. First, rather than targeting speech, the bill instead targets e-mailing techniques used to steal computer services and trespass on private computers and computer networks.
Second, to the extent that the bill implicates any First Amendment interest, it addresses only commercial e-mail messages (because the overwhelming majority of predatory and abusive e-mail is commercial), and only when such messages are misleading by virtue of falsifying their point of origin. It therefore fails the first prong of the test set forth in the Central Hudson Gas & Elec. Corp. v. Public Service Comm'n, 447 U.S. 557, 566 (1980) (in commercial speech cases, court must first determine that the expression concerns lawful activity and is not misleading).

IV. Legislative History

During the past several Congresses, committees in both the House and the Senate have examined various issues raised by the proliferation of junk commercial e-mail. Additionally, government agencies, industry representatives, and other interested parties have participated in numerous public forums on spam, including a three-day ``Public Spam Workshop'' hosted by the FTC earlier this year.

On June 19, 2003, after extensive consultation with experts in this area, Senators Hatch, Leahy, Schumer, Grassley, Feinstein, DeWine, and Edwards introduced S. 1293, the Criminal Spam Act of 2003.

V. Votes of the Committee

On September 25, 2003, the Committee on the Judiciary, with a quorum present, met in open session and ordered favorably reported the bill, S. 1293, by unanimous consent, with an amendment in the nature of a substitute sponsored by Senators Hatch and Leahy.

The substitute amendment made four changes to the bill: (1) Added proposed 18 U.S.C. Sec. 1037(a)(5), which targets spammers who falsely represent the right to use five or more IP addresses, and intentionally initiate the transmission of spam from such addresses; (2) amended proposed 18 U.S.C. Sec.
1037(a)(4), to clarify that the Government may prove its case by showing that the requisite number of e-mails went through ``any combination of'' falsely registered e-mail accounts or domain names; (3) narrowed the definition of ``header information'' in proposed 18 U.S.C. Sec. 1037(e)(4), to address concerns that it was overbroad; and (4) made technical changes to the criminal forfeiture provisions, rendering them more consistent with existing laws. The substitute amendment was accepted by unanimous consent.

VI. Section-by-Section Analysis

Section 1. Short title

This bill may be cited as the ``Criminal Spam Act of 2003''.

Section 2. Prohibition against predatory and abusive commercial e-mail

This section targets the five principal techniques that spammers use to evade filtering software and hide their trails. It creates a new federal crime that prohibits hacking into a computer, or using a computer system that the owner has made available for other purposes, to send bulk commercial e-mail. It also prohibits sending bulk commercial e-mail that either conceals the true source, destination, routing or authentication information of the e-mail, or is generated from multiple e-mail accounts or domain names that falsify the identity of the actual registrant, or from Internet Protocol (IP) addresses that have been hijacked from their true assignees.

Penalties range from up to 5 years' imprisonment where the offense was committed in furtherance of any felony, or where the defendant was previously convicted of a similar federal or state offense, to up to 3 years' imprisonment where other aggravating factors exist, to up to 1 year of imprisonment where no aggravating factors exist, plus criminal forfeiture. The U.S. Sentencing Commission is directed to consider sentencing enhancements for offenders who obtained e-mail addresses through improper means, such as harvesting.
In addition, this section provides for civil enforcement by the Department of Justice and aggrieved Internet service providers against spammers who engage in the conduct described above. In appropriate cases, courts may grant injunctive relief, impose civil penalties, and award damages.

Section 3. Report and sense of Congress regarding international spam

Recognizing that an effective solution to the spam problem requires the cooperation and assistance of our international partners, this section asks the Administration to work through international fora to gain the cooperation of other countries in investigating and prosecuting spammers worldwide, and to report to Congress about its efforts.

VII. Cost Estimate

U.S. Congress,
Congressional Budget Office,
Washington, DC, October 1, 2003.

Hon. Orrin G. Hatch,
Chairman, Committee on the Judiciary,
U.S. Senate, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 1293, the Criminal Spam Act of 2003.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Mark Grabowicz.

Sincerely,
Elizabeth M. Robinson
(For Douglas Holtz-Eakin, Director).

Enclosure.

S. 1293--Criminal Spam Act of 2003

CBO estimates that implementing S. 1293 would have no significant cost to the federal government. Enacting the bill could affect direct spending and revenues, but CBO estimates that any such effects would not be significant. S. 1293 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would impose no costs on state, local, or tribal governments.

S. 1293 would make it illegal to use electronic mail to send deceptive or unauthorized messages regarding commercial products or services. Because the bill would establish a new federal crime, the government would be able to pursue cases that it otherwise would not be able to prosecute. However, we expect that S.
1293 would apply to a relatively small number of offenders, so any increase in costs for law enforcement, court proceedings, or prison operations would not be significant. Any such costs would be subject to the availability of appropriated funds.

Because those prosecuted and convicted under S. 1293 could be subject to civil and criminal fines, the federal government might collect additional fines if the legislation is enacted. Collections of civil fines are recorded in the budget as revenues. Criminal fines are recorded as revenues, then deposited in the Crime Victims Fund and later spent. CBO expects that any additional revenues and direct spending would not be significant because of the small number of cases involved.

In addition, persons prosecuted and convicted under the bill also could be subject to the seizure of certain assets by the federal government. Proceeds from the sale of such assets would be deposited in the Assets Forfeiture Fund and spent from that fund, mostly in the same year. Thus, enacting S. 1293 could increase both revenues deposited into the fund and direct spending from the fund. However, CBO estimates that any increased revenues or spending would not be significant.

The CBO staff contact for this estimate is Mark Grabowicz. This estimate was approved by Peter H. Fontaine, Deputy Assistant Director for Budget Analysis.

VIII. Regulatory Impact Statement

In compliance with paragraph 11(b)(1), rule XXVI of the Standing Rules of the Senate, the Committee, after due consideration, concludes that S. 1293 will not have significant regulatory impact.

IX. Changes in Existing Law

In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, changes in existing law made by S.
1293, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, and existing law in which no change is proposed is shown in roman):

UNITED STATES CODE

* * * * * * *

TITLE 18--CRIMES AND CRIMINAL PROCEDURE

Part                                          Section
I. CRIMES                                     1

* * * * * * *

PART I--CRIMES

Chapter                                       Section
1. General provisions                         1

* * * * * * *

47. Fraud and false statements                1001

* * * * * * *

CHAPTER 47--FRAUD AND FALSE STATEMENTS

Sec.
1001. Statements or entries generally.

* * * * * * *

1036. Entry by false pretenses to any real property, vessel, or aircraft of the United States or secure area of any airport.
1037. Fraud and related activity in connection with electronic mail.

* * * * * * *

Sec. 1036. Entry by false pretense to any real property, vessel, or aircraft of the United States or secure area of any airport

(a) Whoever, by any fraud or false pretense, enters or attempts to enter--
    (1) any real property belonging in whole or in part to, or leased by, the United States;

* * * * * * *

(c) As used in this section--
    (1) the term ``secure area'' means an area access to which is restricted by the airport authority or a public agency; and
    (2) the term ``airport'' has the meaning given such term in section 47102 of title 49.

Sec. 1037. Fraud and related activity in connection with electronic mail

(a) In General.--Whoever, in or affecting interstate or foreign commerce, knowingly--
    (1) accesses a protected computer without authorization, and intentionally initiates the transmission of multiple commercial electronic mail messages from or through such computer;
    (2) uses a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages;
    (3) falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages;
    (4) registers, using information that falsifies the identity of the actual registrant, for 5 or more electronic mail accounts or online user accounts or 2 or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names; or
    (5) falsely represents the right to use 5 or more Internet protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses;
or conspires to do so, shall be punished as provided in subsection (b).
(b) Penalties.--The punishment for an offense under subsection (a) is--
    (1) a fine under this title, imprisonment for not more than 5 years, or both, if--
        (A) the offense is committed in furtherance of any felony under the laws of the United States or of any State; or
        (B) the defendant has previously been convicted under this section or section 1030, or under the law of any State for conduct involving the transmission of multiple commercial electronic mail messages or unauthorized access to a computer system;
    (2) a fine under this title, imprisonment for not more than 3 years, or both, if--
        (A) the offense is an offense under subsection (a)(1);
        (B) the offense is an offense under subsection (a)(4) and involved 20 or more falsified electronic mail or online user account registrations, or 10 or more falsified domain name registrations;
        (C) the volume of electronic mail messages transmitted in furtherance of the offense exceeded 2,500 during any 24-hour period, 25,000 during any 30-day period, or 250,000 during any 1-year period;
        (D) the offense caused loss to 1 or more persons aggregating $5,000 or more in value during any 1-year period;
        (E) as a result of the offense any individual committing the offense obtained anything of value aggregating $5,000 or more during any 1-year period; or
        (F) the offense was undertaken by the defendant in concert with 3 or more other persons with respect to whom the defendant occupied a position of organizer or leader; and
    (3) a fine under this title or imprisonment for not more than 1 year, or both, in any other case.
(c) Forfeiture.--
    (1) In general.--The court, in imposing sentence on a person who is convicted of an offense under this section, shall order that the defendant forfeit to the United States--
        (A) any property, real or personal, constituting or traceable to gross proceeds obtained from such offense; and
        (B) any equipment, software, or other technology used or intended to be used to commit or to facilitate the commission of such offense.
    (2) Procedures.--The procedures set forth in section 413 of the Controlled Substances Act (21 U.S.C. 853), other than subsection (d) of that section, and in Rule 32.2 of the Federal Rules of Criminal Procedure, shall apply to all stages of a criminal forfeiture proceeding under this section.
(d) Civil Remedies.--
    (1) In general.--The Attorney General, or any person engaged in the business of providing an Internet access service to the public aggrieved by reason of a violation of subsection (a), may commence a civil action against the violator in any appropriate United States District Court for the relief set forth in paragraphs (2) and (3). No action may be brought under this subsection unless such action is begun within 2 years of the date of the act which is the basis for the action.
    (2) Attorney general action.--In an action by the Attorney General under paragraph (1), the court may award appropriate relief, including temporary, preliminary, or permanent injunctive relief. The court may also assess a civil penalty in an amount not exceeding $25,000 per day of violation, or not less than $2 or more than $8 per electronic mail message initiated in violation of subsection (a), as the court considers just.
    (3) Other actions.--In any other action under paragraph (1), the court may award appropriate relief, including temporary, preliminary, or permanent injunctive relief, and damages in an amount equal to the greater of--
        (A) the actual damages suffered by the Internet access service as a result of the violation, and any receipts of the violator that are attributable to the violation and are not taken into account in computing actual damages; or
        (B) statutory damages in the sum of $25,000 per day of violation, or not less than $2 or more than $8 per electronic mail message initiated in violation of subsection (a), as the court considers just.
(e) Definitions.--In this section:
    (1) Commercial electronic mail message.--The term ``commercial electronic mail message'' means any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website or online site operated for a commercial purpose).
    (2) Computer and protected computer.--The terms ``computer'' and ``protected computer'' have the meaning given those terms in section 1030(e) of this title.
    (3) Domain name.--The term ``domain name'' means any alphanumeric designation which is registered with or assigned by any domain name registrar, domain name registry, or other domain name registration authority, and that is included in an electronic mail message.
    (4) Header information.--The term ``header information'' means the source, destination, and routing information attached to an electronic mail message, including the originating domain name, the originating electronic mail address, and technical information that authenticates the sender of an electronic mail message for network security or network management purposes.
    (5) Initiate.--The term ``initiate'' means to originate an electronic mail message or to procure the origination of such message, regardless of whether the message reaches its intended recipients, and does not include the actions of an Internet access service used by another person for the transmission of an electronic mail message for which another person has provided and selected the recipient electronic mail addresses.
    (6) Internet access service.--The term ``Internet access service'' has the meaning given that term in section 231(e)(4) of the Communications Act of 1934 (47 U.S.C. 231(e)(4)).
    (7) Loss.--The term ``loss'' has the meaning given that term in section 1030(e) of this title.
    (8) Message.--The term ``message'' means each electronic mail message addressed to a discrete addressee.
    (9) Multiple.--The term ``multiple'' means more than 100 electronic mail messages during a 24-hour period, more than 1,000 electronic mail messages during a 30-day period, or more than 10,000 electronic mail messages during a 1-year period.