web application security lab

First Conviction of Can Spam Act

There is an article on The Register about a phisher who was convicted of phishing AOL employees. You can go to the article to read the whole story. The part that I thought was amazing was not that he was phishing employees, or that he got caught, but that it was the first conviction under the CAN-SPAM Act by a jury (there have been other convictions, but not by a jury).

Why CAN-SPAM? Why now? CAN-SPAM defines spam as a “commercial electronic mail message.” How is phishing a commercial electronic message? It may be fraud, but it’s certainly not commercial. To me it seems like a pretty worthless law, now more so than ever. To me this law has always seemed like an easy out to explain why certain people are allowed to spam and why others aren’t, without rhyme or reason. Yet have we seen a drop in spam? Do you feel comfortable putting your email address online without anti-spam filters in place to defend against the onslaught? I think not. Herein lie the failures of a useless law. This guy could have been convicted under a dozen other laws.

I felt the same way when I first read the law. One major problem with it is that it doesn’t deal with international spam. Instead of saying that anyone who spams is culpable and letting extradition treaties deal with the aftermath, CAN SPAM only applies to US citizens. How is that changing the problem? What if a US citizen is using offshore companies to do the deed for them? Clearly the CAN SPAM act needs a serious re-think in my opinion. Let’s either scrap it, or get a real law with some teeth. Perhaps one that holds ISPs financially responsible for hosting verified spam relays and hacked machines?
