Spammers continue to run circles around the anti-spam police. Dozens of countries have anti spam laws on the books, yet enforcement of the statutes is costly, infrequent, and rarely, if ever,has any meaningful net effect on the amount of spam sent and received the next day. Each enforcement action is complex, frequently involving multiple jurisdictions, and more expensive than most developing countries can afford to undertake. Anti-spam enforcement must take more innovative forms than simply the direct pursuit of individual spammers by over-burdened regulators. Most important, any anti-spam initiative must be pursued in the context of multiple modes of regulation, including law, technology, markets, and social norms. The least-intrusive,least-costly, and ultimately most effective anti-spam measures are relatively simple things that end-users can do to protect themselves, such as spam filters on e-mail clients. But these end-user controls alone have not solved the problem, for a variety of reasons, and, while preferable as a solution, there is no consensus to pursue an aggressive end-user education route as the answer.As the spam problem worsens, it is taking on increasingly troubling dimensions of fraud as well as threatening to undermine efforts in developing countries to provide access to citizens.Legislators and regulators believe that they are compelled to act against spam in the public interest.
This chapter primarily takes up the question of what – beyond coordinating with technologists and other countries’ enforcement teams and educating consumers – legislators and regulators might consider by way of legal mechanisms. First, the paper takes up the elements that might be included in an anti-spam law. Second, the paper explores one alternative legal mechanism which might be built into an anti-spam strategy, the establishment of enforceable codes of conduct for Internet Service Providers (ISPs). ISPs should be encouraged to establish and enforce narrowly drawn codes of conduct that prohibit their users from using that ISP as a source for spamming and related bad acts, such as spoofing and phishing, and not to enter into peering arrangements with ISPs that do not uphold similar codes of conduct. Rather than continue to rely upon chasing individual spammers, regulators in the most resource-constrained countries in particular would be more likely to succeed by working with and through the ISPs that are closer to the source of the problem, to their customers, and to the technology in question. The regulator’s job would be to ensure that ISPs within their jurisdiction adopt adequate codes of conduct as a condition of their operating license and then to enforce adherence to those codes of conduct. The regulator can also play a role in sharing best practices among ISPs and making consumers aware of the good works of the best ISPs. While effectively just shifting the burden of some of the anti-spam enforcement to ISPs is not without clear drawbacks, and cannot alone succeed in stemming the tide of spam, such a policy has a far higher likelihood of success in the developing countries context than the anti-spam enforcement tactics employed to date.