Evaluation of the CAN SPAM Act: Testing Deterrence and Other Influences of E-mail Spammer Legal Compliance Over Time

Abstract

E-mail spam has been growing since its inception. The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN SPAM Act) is U.S. federal legislation that was passed in response to the growing spam problem. A series of evaluations followed after the Act, most of which reported that compliance with the Act’s requirements among spammers had not been affected. However, none of these evaluations used methods that were sufficiently rigorous, failing to capture the continuous nature of CAN SPAM Act’s enforcement, using a limited number of measures of noncompliance, and ignoring a variety of possible spurious influences. This research addresses all of these limitations by analyzing a sample of 5,490,905 spam e-mails sent between 1998 and 2013. Ten measures of spammer compliance with the CAN SPAM Act were operationalized to test the impact the Act had. Thirteen measures of CAN SPAM Act enforcement were coded from news articles and included in a time-series regression. Findings suggest that the Act may in fact be a deterrent, but in such a way as to increase CAN SPAM Act violations of header forgery as a precaution against being caught.

Keywords

CAN SPAM Act spam cybercrime deterrence e-mail

Get full access to this article

View all access options for this article.

References

Arora

(2006). The CAN-SPAM Act: An inadequate attempt to deal with a growing problem. Columbia Journal of Law and Social Problems, 39, 299–330.

Bachmann

(2010). The risk propensity and rationality of computer hackers. International Journal of Cyber Criminology, 4, 643–656.

Beccaria

. (1963). On crimes and punishments (trans Paolucci

). Indianapolis, IN: Bobbs-Merrill.

Bowring

(1962). The works of Jeremy Bentham published under the superintendence of his executor John Bowring 1833-1844. New York, NY: Russell & Russell Inc.

CAN SPAM Act: Controlling the Assault of Non-Solicited Pornography and Marketing Act. (2003), 15 U.S.C. Sec 7701 (2005).

Chun

(2011). Warfare and security: Deterrence and dissuasion in the Cyber Era. Information Security Management Handbook, 5, 391.

FRED Economic Data. (2013a). All employees: Professional and business services: Computer systems design and related services. Retrieved December 17, 2013, from http://research.stlouisfed.org/fred2/series/CES6054150001

FRED Economic Data. (2013b). Wilshire Internet total market index. Retrieved December 17, 2013, from http://research.stlouisfed.org/fred2/series/WILLWWW

FRED Economic Data. (2013c). Real disposable personal income: Per capita. Retrieved December 18, 2013, from http://research.stlouisfed.org/fred2/series/A229RX0Q048SBEA

10.

FRED Economic Data. (2013d). Civilian unemployment rate. Retrieved December 17, 2013, from http://research.stlouisfed.org/fred2/series/UNRATE

11.

FRED Economic Data. (2013e). Civilian labor force participation rate—Bachelor's Degree and Higher, 25 years and over. Retrieved December 25, 2013, from http://research.stlouisfed.org/fred2/series/LNU01327662

12.

FRED Economic Data. (2013f). Consumer price index for all urban consumers: All items. Retrieved December 18, 2013, from http://research.stlouisfed.org/fred2/series/CPIAUCSL/

13.

FRED Economic Data. (2013g). St. Louis fed financial stress index. Retrieved December 18, 2013, from http://research.stlouisfed.org/fred2/series/STLFSI/

14.

FRED Economic Data. (2013h). Total population: All ages including armed forces overseas. Retrieved December 17, 2013, from http://research.stlouisfed.org/fred2/series/POP

15.

FRED Economic Data. (2013i). Working age population: Aged 15-24: All persons for the United States. Retrieved December 17, 2013, from http://research.stlouisfed.org/fred2/series/LFWA24TTUSM647S

16.

Gibbs

J. P.

(1975). Crime, punishment, and deterrence (p. 58). New York, NY: Elsevier.

17.

Goles

Jayatilaka

George

Parsons

Chambers

Taylor

Brune

(2007). Softlifting: Exploring determinants of attitude. Journal of Business Ethics, 77, 481–499.

18.

Grimes

G. A.

(2007 2). Compliance with the CAN-SPAM Act of 2003: Studying the application of the of the CAN-SPAM Act and its effect on controlling unsolicited email messages. Communications of the ACM, 50, 56–62.

19.

Gross

. (1 13, 2004). Is the CAN-SPAM law working? PC World. Retrieved September 19, 2014, from http://www.pcworld.com/article/114287/article.html

20.

Gudkova

. (1 2013). Kaspersky security bulletin: Spam evolution 2012. Securelist. Retrieved April 29, 2013, from http://www.securelist.com/en/analysis/204792276/Kaspersky_Security_Bulletin_Spam_Evolution_2012

21.

Guitton

(2012). Criminals and cyber attacks: The missing link between attribution and deterrence. International Journal of Cyber Criminology, 6, 1030–1043.

22.

Higgins

G. E.

Fell

B. D.

Wilson

A. L.

(2007). Low self-control and social learning in understanding students’ intentions to pirate movies in the United States. Social Science Computer Review, 25, 339–357.

23.

Hui

K. L.

Kim

S. H.

Wang

Q. H.

(2013). Marginal deterrence in the enforcement of law: Evidence from distributed denial of service attack. Retrieved September 19, 2014, from http://home.ust.hk/˜davcook/marginal%20deterrence.pdf

24.

Jacobsson

Carlsson

(2004). Privacy and spam: Empirical studies of unsolicited commercial e-mail. In Proceedings of IFIP Summer School on Risks & Challenges of the Network Society.

25.

Judge

G. G.

Griffiths

W. E.

Hill

R. C.

Lütkepohl

Lee

T.-C.

(1986). The theory and practice of econometrics (2nd ed.). New York, NY: John Wiley.

26.

Kigerl

A. C.

(2009). CAN SPAM Act: An empirical analysis. International Journal of Cyber Criminology, 3, 566–589.

27.

Kunreuther

Heal

(2005). Interdependent security. Journal of Risk and Uncertainty, 26, 231–249.

28.

Lachhwani

Ghose

(2012). Online information seeking for prescription drugs. International Journal of Business and Systems Research, 6, 1–17.

29.

Landis

J. R.

Koch

G. G.

(1977). The measurement of observer agreement for categorical data. Biometrics, 159–174.

30.

Lee

(2005, 6). The CAN-SPAM Act: A silver bullet solution? Communications of the ACM, 48, 131–132.

31.

Maimon

Alper

Sobesto

Cukier

(2014). Restrictive deterrent effects of a warning banner in an attacked computer system. Criminology, 52, 33–59.

32.

Majoras

D. P.

Leary

T. B.

Harbour

P. J.

Leibowitz

(2005, 12). Effectiveness and enforcement of the CAN-SPAM Act: A report to Congress. Federal Trade Commission. Retrieved September 2, 2009, from http://www.ftc.gov/reports/canspam05/051220canspamrpt.pdf

33.

McCain

Sen

. (2003, 10 22). CAN SPAM Act of 2003. In Congressional Record 149, S13020.

34.

McDowall

McCleary

Meidinger

E. E.

Hay

R. A.

(1980). Interrupted time series analysis. Iowa City, IA: Sage.

35.

McLeod

A. I.

Mahdi

. (2011). Time Series Analysis with R. Handbook of Statistics. Retrieved July 24, 2013, from http://uic.edu.hk/˜kentsang/fyp2014/Time%20Series%20Analysis%20with%20R.pdf

36.

Muris

T. J.

Thompson

M. W.

Swindle

Leary

T. B.

Harbour

P. J.

(2004, 6). National do not email registry: A report to Congress. Federal Trade Commission.

37.

NACJD. (2013). Uniform crime reporting program resource guide. Retrieved December 25, 2013, from http://www.icpsr.umich.edu/icpsrweb/content/NACJD/guides/ucr.html

38.

Organization for Economic Cooperation and Development. (2013). Quarterly National Accounts MetaData: Quarterly Growth Rates of real GDP, change over previous quarter. Retrieved December 26, 2013 from http://stats.oecd.org/Index.aspx?QueryId=350

39.

Pew Internet Research. (2013). Retrieved March 25, 2013, from http://pewinternet.org/Trend-Data-(Adults)/Internet-Adoption.aspx

40.

Png

I. P. L.

Wang

C.-Y.

(2007). The deterrent effect of enforcement against computer hackers: Cross-country evidence. Paper presented at the Workshop on the Economics of Information Security, Pittsburgh, PA.

41.

Rao

J. M.

Reiley

D. H.

(2012). The economics of spam. The Journal of Economic Perspectives, 26, 87–110.

42.

Resnick

. (Ed.). (10, 2008). Internet message format, RFC 5322. Retrieved September 9, 2014, from http://www.rfc-editor.org/info/rfc5322

43.

Shumway

R. H.

Stoffer

D. S.

(2011). Time series analysis and its applications: with R examples. New York, NY: Springer.

44.

Taipale

K. A

. (2010). Cyber-deterrence. Law, policy and technology: Cyberterrorism, information, warfare, digital and internet immobilization, IGI Global. Retrieved June 14, 2013, from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1336045

45.

Wood

(2009). Programming Internet Email. Sebastopol, CA: O’Reilly Media.

46.

(2011). Email spam and the CAN-SPAM Act: A qualitative analysis. International Journal of Cyber Criminology, 5, 715–735.

47.

Zeller

(2 1, 2005). Law barring junk email allows a flood instead. New York Times, A1.

48.

Zimring

F. E.

Hawkins

(1973). Deterrence: The legal threat in crime control (p. 29). Chicago, IL: University of Chicago Press.