The Federal Trade Commission (FTC) has issued an ambivalent report on the likely efficacy of boosting its CAN-SPAM enforcement efforts through the creation of a bounty reward system.
In the document, the FTC looks closely at how bounties might help overcome the three primary obstacles to successful spammer prosecution under the nine-month-old law: identifying and locating spammers; amassing evidence that links them to spam they send; and collecting monetary penalties levied against them in court.
The report suggests insider parties, or "whistleblowers," can help with the first two problems, at least. It said these individuals are far more likely than "cybersleuth" members of the public to legally identify spammers and provide information that's admissible in court. However, whistleblowers' willingness to provide that information is likely to be compromised by fear of jeopardizing their own incomes and exposing themselves to legal liability, among other concerns.
A bounty reward could overcome such reservations, the FTC finds, but it didn't reach any hard fast conclusions on how large such a reward should be.
"The Commission is unable to establish with any degree of certainty the dollar amount that might be high enough to overcome these countervailing considerations, but believes that reward amounts in the range of $100,000, and in some cases as much as $250,000, are reasonable estimates," the report reads.
The findings were in many ways a blow to the advocates of a bounty system that would leverage citizens' efforts.
Following the passage of CAN-SPAM, the FTC was given nine months to issue recommendations on the viability of bounties in exchange for information leading to the prosecution of spammers. The idea echoed a bill introduced in 2003 that had public cybersleuths in mind as the beneficiaries of such rewards. Stanford law professor Lawrence Lessig, who famously offered to quit his job if it didn't work, first pushed this bounty concept.
The FTC report isn't kind to Lessig's idea. While it agrees members of the public can often track down spammers based on educated guesses that link seemingly unrelated messages to a single source, it says such information often does not constitute actionable evidence for an enforcement action.
And because these individuals can't issue or enforce subpoenas, they also can't legally obtain the evidence needed to verify a spammer's identity or whereabouts, even if information does link an individual to illegally sent e-mail.
"Many of the critical pieces of information necessary to prove these issues are in the possession of third parties -- banks, payment processors, Internet service providers, and others -- that will not or cannot provide them to private citizens Insiders, however, are often privy to this kind of evidence and would not need compulsory process to obtain it," the FTC said.
In the report, the Commission issues several recommendations to Congress on the set-up of such a reward program. It says if a system is created, it should link eligibility for a bounty payment to the final court order in a case, not the collection of penalties. Other recommendations include: eligibility should be limited to insiders with high-value information; bounty seekers should be accorded anonymity in cases where testimony is not required; and eligibility disputes should be exempt from judicial or administrative review.
Ultimately, the FTC is non-committal about whether a reward system should be established at all: "To the extent an insider has 'unclean hands' and faces potential legal liability, it is questionable whether such a person would be willing to assume the significant personal risk of coming forward," it says.
All 77 pages of the report were submitted to Congress in a 4-0-1 vote, with Commissioner Jonathan Leibowitz abstaining.