SecondWave Information Systems

On-Line Spam Raises Plateful of Legal Issues 

Los Angeles Daily Journal

By Chris Ford, Daily Journal Staff Writer


September 12, 1997 06:54 AM

Spam has been known to scare many people, usually because they fear eating it -- not being put out of business by it.

But that's the reaction it caused in a West Los Angeles lawyer last month when threatening e-mail messages were fraudulently disseminated in his name -- providing a wake-up call to lawyers and others to be aware of Internet "spoofs" and "spams." While they are not yet a common practice in the legal community, Internet experts warn their time is coming.

Russell Allyn of the West Los Angeles firm of Katz, Hoyt, Siegel and Kapor learned in mid-August that he had been the target of an Internet hoax in which his e-mail identity was stolen -- in Internet jargon, he was "spoofed" -- and used in the threatening messages.

Then the messages were sent, unsolicited, to an estimated tens of thousands of on-line addresses, an action Internet regulars call "spamming."

Recipients Threatened

The messages threatened anyone who "responded adversely," saying, "You may be one of the people who has performed fraudulent and actionable transgressions, causing severe harm to our client." The messages then instructed readers to direct "future correspondences" to Allyn.

Allyn told the Daily Journal in August that the man he suspects perpetrated the hoax was unhappy with the way Samsung America Inc. designed his World Wide Web page. Samsung is a client of Allyn's.

The hoax turned Allyn's life upside down for the next week. He said he immediately was bombarded with hundreds of phone calls, e-mails and "two inches worth" of faxes, denouncing the e-mail messages that were sent under his name.

Apparently, the e-mail fraud against Allyn and Samsung continued at least through the end of August. Samsung, through subsidiary SAILAhead Internet Service, maintains a World Wide Web site listing alleged fraudulent e-mails sent in the name of Allyn, Samsung and others and the approximate dates they were sent.

A Widespread Problem?

There is agreement that the problems caused by Internet spams -- which by themselves are not against the law unless they are sent fraudulently -- are on the rise, but views differ on the extent of the increase.

Assistant U.S. Attorney Chris Painter said e-mail fraud is rising as a function of greater public use of the Internet.

"There has been an increase in things like this and more sophisticated crimes committed over the Internet," Painter said. Internet crime more frequently involves solicitations for phony financial schemes than revenge e-mails like those sent under Allyn's name, he said.

Palo Alto attorney John J. Steele, a partner at Fenwick & West who specializes in antitrust and intellectual property litigation, said that while he does not consider e-mail fraud to be particularly commonplace, it is a problem that rates attention.

"I don't think it's so rare that it should be ignored," Steele said.

On the other hand, Internet specialist Maureen Dorney voiced concern that e-mail fraud is "widespread" and "easier to do than most people realize."

"There is a minority of Internet-savvy people who know how to do this... It is a blessing that it is not more widespread than it is," said Dorney, an associate at Gray Cary Ware & Freidenrich in Palo Alto. "I think people should be aware that it is a risk."

Some commit e-mail fraud by breaking into another's computer and using the computer owner's password -- which, according to Steele, underlines the importance of keeping the e-mail application off limits, with its own password if necessary.

"You have to shut off your e-mail when you leave your desk. You wouldn't leave your wallet on your desk," Steele said.

However, in Allyn's case, the perpetrator managed to steal the attorney's identity without using his computer. Instead, Allyn said, he forged the "headers," or the character string at the top of the e-mail message that includes the originator's e-mail address and routing information.

"[He] sent the e-mail from his own account and played around with the headers to make it appear as though the e-mail emanated from my account, when in fact it did not," Allyn said.

Internet technology specialist Jeff Fischbach, whom Allyn's firm hired to help it respond to the spoof and spam, said "it was immediately obvious" that the perpetrator left some clues to his identity, or at least that of his Internet service provider, in the forged headers. "[He] didn't even make a full, concerted effort to hide that it was a spoof," said Fischbach, president of SecondWave Information Systems in Chatsworth, California.
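To illustrate how routing information in the headers can contradict the address a message claims to come from, here is an added example that is not part of the original article. The sample message, host names and function names are constructed placeholders, not data from the incident described.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a message from the incident; all names are placeholders).
SAMPLE = (
    "Received: from relay.isp.example (relay.isp.example [198.51.100.7])\n"
    "\tby mx.recipient.example with SMTP; Fri, 15 Aug 1997 09:02:11 -0700\n"
    "Received: from dialup-42.isp.example (dialup-42.isp.example [198.51.100.42])\n"
    "\tby relay.isp.example with SMTP; Fri, 15 Aug 1997 09:01:58 -0700\n"
    'From: "A. Lawyer" <alawyer@lawfirm.example>\n'
    "To: someone@recipient.example\n"
    "Subject: Notice\n"
    "\n"
    "Body text.\n"
)

def relay_hops(msg):
    """Return (from_host, by_host) for each Received header, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        sender = re.search(r"\bfrom\s+([^\s;()]+)", value, re.I)
        relay = re.search(r"\bby\s+([^\s;()]+)", value, re.I)
        hops.append((sender.group(1).lower() if sender else None,
                     relay.group(1).lower() if relay else None))
    return hops[::-1]  # each relay prepends its line, so the last header is oldest

def in_domain(host, domain):
    """True when host is the domain itself or a name beneath it."""
    return host is not None and (host == domain or host.endswith("." + domain))

def analyze(raw):
    """Compare the domain claimed in From with the hosts named in the relay path."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = relay_hops(msg)
    seen = [host for hop in hops for host in hop if host]
    return {
        "claimed_domain": claimed,
        "origin_host": hops[0][0] if hops else None,
        "claimed_domain_in_path": any(in_domain(h, claimed) for h in seen),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Only Received lines added by relays the recipient trusts are reliable; lines below the first trusted hop can themselves be forged, so a mismatch is a lead for investigation rather than proof.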

Fischbach said that if technology that is already available were in widespread use, Allyn might have been spared his Internet nightmare.

According to Steele, digital signatures and encryption, which allow the user to authenticate who sent an e-mail message and ascertain that the message was not changed during transmission, are "very powerful solutions" to prevent e-mail fraud.

"There are ways to make it prohibitively expensive, if not impossible, [for] someone to create a false message," Steele said. "The technological solutions are coming so that only the more sophisticated and determined people will be able to [forge e-mail messages]."

Dorney explained that the digital signature is based on mathematical calculations. The sender runs a "hash function" to authenticate the message, then "signs" or encrypts the "result" of the hash function with information from a "private key".

When the message is received, according to Dorney, the recipient runs the document through the same hash function to ascertain that it was not altered during transmission, then accesses the sender's "public key" to verify the digital signature.
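The sign-and-verify sequence described above, as an added example that is not part of the original article. It uses textbook RSA without padding and deliberately small keys built from known Mersenne primes so that it runs with the standard library alone; the function names and the sample message are hypothetical, and real mail software uses a padded signature scheme from a vetted library.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)) from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of e mod phi(n)
    return (n, E), (n, d)

def digest_int(message, n):
    """Run the hash function and map the result into the key's range (toy step)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """Sender: hash the message, then transform the hash with the private key."""
    n, d = private
    return pow(digest_int(message, n), d, n)

def verify(message, signature, public):
    """Recipient: re-hash the message and compare with the signature
    opened using the sender's public key."""
    n, e = public
    return 0 <= signature < n and pow(signature, e, n) == digest_int(message, n)

# Toy keys (assumption for illustration; far too small for real use).
SENDER_PUB, SENDER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def demo():
    """Check a genuine message, an altered one, and one signed by someone else."""
    msg = b"Please direct future correspondence to counsel."  # constructed sample
    sig = sign(msg, SENDER_PRIV)
    return {
        "genuine": verify(msg, sig, SENDER_PUB),
        "altered": verify(msg + b" Pay now.", sig, SENDER_PUB),
        "impostor": verify(msg, sign(msg, IMPOSTOR_PRIV), SENDER_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

The third case is the one relevant to a forged sender: a message signed with any key other than the claimed sender's private key fails verification against that sender's public key.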

Currently, the Massachusetts Institute of Technology maintains the repository for public keys, according to Fischbach. Private keys, he said, are maintained on a user's local system -- they can be kept in encrypted form -- and often are accessed through a "pass phrase," a higher level of security than a password.

Fischbach added that digital signature technology is easy to use and available to consumers via recent releases or upgrades of e-mail applications such as Qualcomm Inc.'s Eudora.

According to Dorney, the primary purpose of digital signatures is to facilitate the creation of "valid, enforceable contracts on-line."

Legislation to regulate the use of digital signatures is pending in many states, including California, and may be contemplated on the federal level, Dorney said.

She said Utah enacted a detailed regulation for certifying digital signature authentication, but that when California lawmakers considered a similar bill, they concluded it could tie the state to technical standards "that weren't going to be dominant in the long term."

She noted that contract law typically is enforced on the state, rather than federal, level. But given the worldwide nature of the Internet, she said, "There may be practical problems in [regulating digital signatures] state-by-state."

But since digital-signature technology thus far is used by few, the average computer user continues to face the prospect of being spammed, an action that is perfectly legal.

"Spamming is not illegal in and of itself, and it raises all sorts of First Amendment issues for the Internet service providers" who would restrict e-mail service in an attempt to halt spams, Assistant U.S. Attorney Painter said.

However, some businesses use spammed e-mail messages as a means of advertising cheaply. Such messages, called "unsolicited commercial e-mails," or UCEs, are the Internet equivalent of junk mail.

Furthermore, Fischbach said sometimes UCE senders create a kind of spoof: They place fake return e-mail addresses in the headers so they "don't have to put up with receiving flames [vitriolic e-mail messages] as a result of their UCE."

Such spoofs also are legal, Painter points out.

"Is it illegal to give an incorrect e-mail address? No," Painter said.

The advent of UCEs has inspired a number of groups to post Web pages decrying the commercial spams and calling for support of legislation to outlaw or regulate them.

"Unwanted junk [e-mail] is an area of true consumer aggravation," says Internet Service Providers Consortium president Deb Howard in an introduction to the group's position paper on UCE. The paper, which is posted on the Internet, states that UCE senders shift the cost of carrying their advertisements onto the customer, in the form of increased connect times necessary to receive the unwanted messages.

While the consortium "would prefer to see as little government intrusion by legislation as possible," the group says in its position paper that there exists "some Internet user support for amending the existing...federal junk fax law to explicitly include e-mail in its prohibition of unsolicited advertising transmissions."

A bill in Congress, introduced in May by Rep. Christopher Smith, R-N.J., would do just that, and it received support in a June 3 opinion piece in the Seattle Times that can be seen at the newspaper's Web site.

The Coalition Against Unsolicited Commercial E-mail also backs such legislation. CAUCE's chair, Scott Hazen Mueller, additionally participates in what he calls a "loose coalition of anti-spammers without a name" whose Web site urges Internet users to "promote responsible net commerce: Fight spam!"

The site includes links to "practical tools to boycott spam" and a "blacklist of Internet advertisers."


Copyright 2004. SecondWave Information Systems. All rights reserved.