CAN-SPAM Act Congressional Testimony
Testimony of Jana Monroe, Assistant Director of the Federal Bureau of
Investigation before the Senate Committee on Commerce, Science,
and Transportation, May 20, 2004.
Good morning Chairman McCain, and other members of the
Committee. On behalf of the FBI, I would like to thank you for this
opportunity to address the FBI's role in anti-spam initiatives.
Cyber crime, in its many forms, continues to receive
priority attention from the FBI. A paramount objective of the Cyber Division
has been to arm field investigators with the necessary resources to identify
and combat evolving cyber crime matters. Over the past 18 months, the FBI has
supported the establishment of more than 50 multi-jurisdictional task forces
nationwide. Partnerships with federal, state, and local law enforcement are
vital to the success of these teams, because cyber crime, by its nature, does
not respect jurisdictional boundaries and we need to leverage existing
resources to effectively and efficiently fight cybercrime.
In addition to law enforcement partnerships, another prime
objective of the FBI's Cyber Division is to establish active partnerships with
subject matter experts from the private sector. Such experts are often better
equipped to identify cyber crimes at their earliest stages. Early
identification of cyber crimes is an absolute must, and directly correlates to
ultimate successes in investigating and prosecuting cyber criminals.
In keeping with this approach, and even before passage of
the CAN-SPAM Act by Congress, the FBI had begun work in a Public/Private
Alliance to specifically target the growing spam problem. The Internet Crime
Complaint Center (IC3), working in coordination with industry, developed "SLAM-Spam,"
an initiative that began operation last fall. This initiative targets
significant criminal spammers, as well as companies and individuals that use
spammers and their techniques to market their products. It also investigates
the techniques and tools used by spammers to expand their targeted audience,
to circumvent filters and other countermeasures implemented by consumers and
industry, and to defraud customers with misrepresented or non-existent
Before Congress passed the CAN-SPAM Act of 2003, some
schemes perpetrated by spam could have been pursued as violations of statutes
such as Title 18, United States Code, Section 1030 (fraud and related activity
in connection with computers), Title 18, United States Code, Section 2319 (criminal
infringement of a copyright), or Title 18, United States Code, Section 1343 (wire
fraud), as well as through several other existing criminal or civil statutes.
No existing statute, however, directly addressed some typical behaviors of
spammers, including: using widely-available "open proxies" to bounce e-mail
traffic through intermediary computers with the intent to hide the true
location of the sender, the abuse of free e-mail services to send out spam
from accounts with false registration information, and the use of tools to
forge the return address and other headers associated with the e-mail. Prior
to the CAN-SPAM Act, law enforcement lacked the legal tools to address the
spam problem directly. Because of this, many investigators and prosecutors
viewed cases based primarily on the sending of spam as unlikely to result in
successful investigations and prosecutions. As the economic impact
attributable to spam, and the use of spam to send unwanted pornographic images
have become known, however, law enforcement interest increased. Similarly,
investigations of computer intrusions and viruses have uncovered that
infecting computers with viruses is now often being done to facilitate spam.
In the SoBig.F computer intrusion investigation, we learned that millions of
computers were infected globally, primarily to convert those computers into
The CAN-SPAM Act now allows law enforcement to apply
criminal leverage to spammers, who previously were viewed as "facilitators" of
fraudulent schemes, but who would disclaim any knowledge of the fraudulent or
pornographic nature of the products they were advertising. CAN-SPAM's
provisions address the most significant fraudulent and sexually explicit spam,
and provide both civil and criminal tools to combat them.
In response to the growing number of complaints it was
receiving about fraudulent and pornographic spam, the Internet Crime Complaint
Center began development of a project to address the spam problem. The Center
has developed extensive experience in taking complaints relating to all types
of crime occurring over the Internet, analyzing them for significant patterns,
and then referring appropriate case leads out to the field for further
investigation. The IC3 receives more than 17,000 complaints every month from
consumers alone, and additionally receives a growing volume of referrals from
key e-commerce stakeholders. The use of spam is a substantial component of
these schemes, which includes reports of identity theft schemes, fraudulent
pitches and "get rich quick" schemes, and unwanted pornography. Currently,
over 25 percent of all complaints to the IC3 involve some use of spam
To develop the project, the IC3 coordinated with industry
Subject Matter Experts and representatives of the Direct Marketing Association
(DMA), which have provided essential expertise and resources to the project.
The IC3 has also consulted with the Federal Trade Commission, which has
several years of working with consumers on the spam problem. This project has
also identified a significant list of the methods used by subjects to advance
their individual schemes. I will describe some of the efforts and summarize
the primary accomplishments of this project over the past six months, and
project future accomplishments, consistent with the overall project plan. This
includes a national initiative in which suitable cases developed or advanced
through this project, will be highlighted as part of our overall effort
against those who have committed criminal and civil violations of the CAN-SPAM
The first several months of the project focused on building
support structures to support the initiative. The IC3 identified and consulted
with Subject Matter Experts from Internet Service Providers, anti-spam
organizations, and other groups. They defined responsibilities of
participants, and began weekly strategy meetings to ensure that progress and
priorities were consistent and clear. Experts developed communications
channels and databases to exchange information quickly and robustly among the
experts in the alliance. Finally, a list of potential subjects was developed
by analysts from the Internet Crime Complaint Center (IC3), and compared
against existing IC3 referrals to determine if law enforcement had already
initiated investigations of subjects, and if those investigations were making
After the effective date of the CAN-SPAM Act, the IC3
helped organize and participated in three regional training conferences on a
number of subjects relating to cybercrime. At these conferences,
representatives of the FBI and Department of Justice gave presentations
designed to familiarize agents specializing in cyber crime with the SLAM-Spam
initiative, the techniques used by spammers to falsify their identity, and the
additional criminal prohibitions in the CAN-SPAM Act.
Identifying the most significant subjects involved in
criminal spam scenarios is a prime objective of the SLAM-Spam initiative.
Equally significant has been developing those cases so that they can be
further investigated and prosecuted by field offices, cyber task forces, and
United States Attorneys' Offices around the United States. Accordingly, while
a growing number of Internet crime schemes use spam to target larger pools of
victims, the Cyber Division's task force capabilities have increased as well.
Cyber Crime squads in our field divisions are trained in quickly investigating
computer intrusions and virus attacks. When they are available, these
resources can also be used to investigate the source of unwanted fraudulent
and pornographic spam.
Project SLAM-Spam is on course and on schedule to achieve substantial results
against individuals and organizations that are complicit in criminal (and
potentially civil) schemes where spam is used. As a result of these activities,
more than 20 Cyber Task Forces are actively pursuing criminal and in some
cases joint civil proceedings against subjects identified to date. We expect
that this number will continue to rise, as successful actions are brought
under this act.
We are also improving our cooperation with the FTC, State
Attorneys General, and industry partners, because we understand that criminal
enforcement is only one aspect of the fight against spam. While we cannot
share every detail of ongoing criminal investigations, we can and will share
our knowledge about tools and techniques used by spammers, their current
primary targets of opportunity, and the types of schemes they are favoring.
The SLAM-Spam initiative has now moved beyond the planning
stages, and has begun identifying and packaging investigations from the field.
Within the last few months, the Initiative has: