Prepared Statement of Randall Boe.
Re: House Telecommunications Subcommittee Hearing on Spam.
Date September 28, 1998.
Source:  Randall Boe.  This document was created by scanning a paper copy of the statement, and converting it to HTML.

TESTIMONY OF
RANDALL BOE
ASSOCIATE GENERAL COUNSEL
AMERICA ONLINE, INC.

before the

COMMITTEE ON COMMERCE
UNITED STATES HOUSE OF REPRESENTATIVES

SEPTEMBER 28, 1998

Mr. Chairman, members of the Subcommittee, my name is Randall Boe, and I am Associate General Counsel of America Online, Inc. In my position, I helped develop AOL's policy on unsolicited bulk e-mail, and I head up AOL's litigation efforts against spammers.

America Online is the world's largest online service, with over thirteen million members. We offer our members a range of services, including e-mail, instant messages and access to the world-wide web and proprietary content developed by AOL and our partners. We also provide a range of tools that allow members to customize their and their children's online experience.

As you might expect, AOL has very broad experience with spam, or unsolicited bulk email (UBE), experience which I hope will be of help as the Committee looks at this problem and carefully crafts targeted legislation to help deal with the problem.

Junk e-mail is a difficult issue facing not only AOL, but the Internet as a whole. The reasons are straightforward:

• Junk e-mail is irritating or worse for our customers and thus an important "member experience" issue for those on or wanting to get on the Internet; and
• The senders of junk e-mail misappropriate the network and computer resources of Internet Service Providers

It is unfortunate that even brand new Internet users are confronted with junk e-mail--almost as soon as they go online. The problem is not just that junk e-mail tends to promote hoaxes, scams and get-rich quick schemes --- it is the sheer volume that confronts many users every time they open their mailbox. Lately, another worrisome trend has emerged --- junk e-mailers indiscriminately sending messages promoting pornographic Web sites without regard to the age or sensibilities of the recipients.

Over the past year, the amount of e-mail traffic on AOL has continued to explode as consumers and business subscribers discover the benefits of the online medium, and the utility of electronic messages. We handle some 30 million messages a day, approximately half of those are internal to our system, with the other half coming from the Internet. You may be surprised to learn that from 5 percent to 30 percent of our Internet e-mail traffic is unsolicited bulk e-mail on any given day.

AOL has attacked the UBE problem on three fronts.

First, AOL has deployed some of the most stringent anti-spam policies in cyberspace. We strictly prohibit the use of AOL accounts to send junk e-mail, to harvest names or to promote or facilitate the practice of "spamming." It is also AOL's policy not to sell or otherwise distribute lists our Members' e-mail addresses, and we take extensive precautions to maintain our Members' privacy.

Second, we have developed technology for both our systems operators and our Members to block and filter spam. AOL's Mail Controls are easy to use and allow our Members to block email from specific mail address, or entire domains. They can also block all mail from the Internet (accepting only mail from AOL Members) and create a "permit list" of address they will accept mail from. Finally, they can block mail with attachments. While these tools do stop some UBE, junk e-mailers are proficient at subverting consumer safeguards and have no qualms about doing so. This willingness to game the system is one of the central problems with junk e-mailers and is discussed in greater detail below.

Third, AOL has been a leader in the battle against unsolicited bulk e-mail that is being fought online and Internet service providers. AOL receives thousands of complaints about junk e-mail each and every day. In the last 12 months, AOL has brought eight lawsuits against more than 40 junk e-mailers. AOL has sued the promoters of "get-rich-quick" schemes, companies selling access to pornographic materials and those who proliferate the practice of spamming by authoring and selling computer software that is designed deliberately to circumvent AOL's mail controls.

So far, AOL has obtained orders from federal court barring 16 of the defendants from ever sending junk e-mail to AOL members. Additionally, several of these defendants have entered into agreements to compensate AOL for the damage that they have caused to AOL and its members. AOL is pursuing claims for damages against the remaining defendants, and AOL believes it is entitled to millions of dollars of damages from these unscrupulous individuals and companies.

One excellent example of AOL's litigation campaign against junk e-mail is AOL's case against a company called Over the Air Equipment. Over The Air used deceptive practices, including falsifying e-mail transmission data, to avoid AOL's mail controls and to repeatedly transmit vast quantities of unsolicited e-mail to AOL members-all of it promoting a "cyber-stripper" service. To further confuse AOL subscribers, Over the Air copied an America Online trademark fraudulently suggesting that their site had AOL's approval. Over the Air Equipment blatantly ignored AOL member requests to be removed from Over the Air's spamming lists and continued to transmit unwanted junk email to frustrated AOL members.

AOL won a preliminary injunction against Over the Air from a federal judge in Virginia. In December of last year, Over the Air Equipment agreed to a court order which prohibits the company from ever sending unsolicited e-mail to AOL members again. Over the Air Equipment also agreed to pay AOL a substantial sum of money in damages.

This case adds to a growing body of precedent that spammers do not have the right to appropriate the computer network of companies and bombard Internet users with unwanted and objectionable email in disregard of that networks policy against spam.

Despite these efforts, UBE remains a problem for service providers and their customers. These efforts have not been more successful because junk e-mailers are willing to game the system.

They forge the return addresses on UBE and they do not respond to requests to be removed from their lists. In fact, they use remove requests to compile lists of active addresses to spam. They are not concerned with the cumulative effect of UBE from all sources, either on the network itself, or on prospective customers.

They bear virtually none of the costs of sending their mail: in fact, the cost of sending one million messages is the same as the expense of one, so they see no need to differentiate target groups. At the same time, ISP's and their customers are forced to shoulder those expenses. Among AOL's subscribers, 15 percent are on plans which meter, and charge for, time spent online. This group has to pay directly for the chore of personally screening and deleting messages most don't want in the first place.

There are several common tactics spammers use:

One popular practice is called "dynamic" sender UBE, in which the sender address changes after every few messages while the domain remains the same, to prevent detection as a bulk mailing. Another common practice is to rotate the mail among several sites or domains making the activity difficult to identify as a bulk mailing. Yet another includes the use of forged or fictitious Internet domains. Increasingly the problem of relaying messages through unaffiliated servers for the purpose of disguising the source of message (which has been a problem for some time) has taken a tam towards the International arena -- more and more senders are relaying off of foreign sites. Harvesting and distributing e-mail addresses. Distributing software that facilitates spammers and the falsification of transmission data.

To protect ourselves and our subscribers, we have experimented with software techniques to screen all messages from broad Internet addresses or domains which are known sources of UBE, but it is easy for a spammer to obtain a new address and move the business there in a matter of hours. And even when the hosting ISP is willing to cooperate with us in confronting the spammer, it is also a quick and easy matter to change ISP's. We have also screened out individual messages with sender addresses of known UBE mailers. However, they have become expert not only in substituting fictitious sending addresses, but indeed in removing all external origination data.

We continue to use these approaches, and to confront identified spammers with demands that they cease unauthorized use of our network and unauthorized e-mail access to our members. If they persist, we have taken them to court and will continue to do so. Our litigation has been groundbreaking and successful. However, the ease, anonymity and proliferation of spamming ensure that we're always playing catch-up.

Consequently, we have had to invest considerable resources to handle the explosion of Internet email.

For these reasons, AOL is willing to work with Congress and other branches of the government to see whether legislation may help remedy this problem that may be beyond the capacity of any single company or industry to address, a problem that threatens the utility and appeal of the Internet, and, ironically, may diminish its potential as a true mass medium. Before I identify those areas in which we believe the government could play a constructive role, however, let me make a few critical points about the risk of over broad governmental remedies.

Where can the government make a positive contribution? First, by choosing its approaches carefully and wisely. Government restrictions based on content may raise not only privacy but First Amendment concerns as well. In addition, given the elusive nature of junk e-mailers, and the tremendous effort involved in actually locating them, there is no reason to believe that they would comply with such a requirement. We do not believe such suggestions are appropriate.

AOL's litigation efforts against spammers have achieved a substantial level of success--but the problem is not one that can be solved by one company's efforts. What we have seen is that there are gaps in existing law that make it more difficult to successfully prosecute cases against spammers. AOL and other Internet Service Providers have been successful in applying existing statutes and common law to the practice of junk e-mail--but these provisions could be strengthened and focused more specifically on the issues raised by junk e-mailing. Second, the jurisdiction of the FTC is largely predicated on the content of the e-mail.

Specifically, AOL believes legislative action can be taken to:

• Outlaw the forging of sender identification information;
• Strengthen the Computer Fraud and Abuse Act, making it a stronger weapon against junk e-mail; and
• Add statutory civil penalties and the opportunity for ISPs to recover court costs and attorneys fees.

These steps, supported by the industry litigation and technological efforts, will have real benefits for consumers. At the same time, legislation of this scope will not jeopardize legitimate business growth on the Internet and the attendant consumer benefits.

Unsolicited bulk email is a serious consumer and business issue on the Internet. The continued growth of the medium depends, in part, on ensuring UBE does not overwhelm service providers' computer software and consumers' mailboxes. AOL and the rest of the industry are committed to doing everything we can to thwart the efforts of those who abuse the Internet and ignore the clearly expressed desires of Internet users.

Again, thank you for inviting AOL to testify. I'll be happy to answer any questions you or other members of the Committee may have.