Spam has been known to scare many people,
usually because they fear eating it --
not being put out of business by it.
But that's the reaction it caused in
a West Los Angeles lawyer last month when
threatening e-mail messages were fraudulently
disseminated in his name -- providing
a wake-up call to lawyers and others to
be aware of Internet "spoofs" and "spams."
While they are not yet a common practice
in the legal community, Internet experts
warn their time is coming.
Russell Allyn of the West Los Angeles
firm of Katz, Hoyt, Siegel and Kapor learned
in mid-August that he had been the target
of an Internet hoax in which his e-mail
identity was stolen -- in Internet jargon,
he was "spoofed" -- and used in the threatening
messages.
Then the messages were sent, unsolicited,
to an estimated tens of thousands of
on-line addresses, an action Internet
regulars call "spamming."
Recipients Threatened
The messages threatened anyone who "responded
adversely," saying, "You may be one of
the people who has performed fraudulent
and actionable transgressions, causing
severe harm to our client." The messages
then instructed readers to direct "future
correspondences" to Allyn.
Allyn told the Daily Journal in August
that the man he suspects perpetrated the
hoax was unhappy with the way Samsung
America Inc. designed his World Wide Web
page. Samsung is a client of Allyn's.
The hoax turned Allyn's life upside down
for the next week. He said he immediately
was bombarded with hundreds of phone calls,
e-mails and "two inches worth" of faxes,
denouncing the e-mail messages that were
sent under his name.
Apparently, the e-mail fraud against
Allyn and Samsung continued at least through
the end of August. Samsung, through subsidiary
SAILAhead Internet Service, maintains
a World Wide Web site listing alleged
fraudulent e-mails sent in the name of
Allyn, Samsung and others and the approximate
dates they were sent.
A Widespread Problem?
There is agreement that the problems
caused by Internet spams -- which by themselves
are not against the law unless they are
sent fraudulently -- are on the rise,
but views differ on the extent of the
increase.
Assistant U.S. Attorney Chris Painter
said e-mail fraud is rising as a function
of greater public use of the Internet.
"There has been an increase in things
like this and more sophisticated crimes
committed over the Internet," Painter
said. Internet crime more frequently involves
solicitations for phony financial schemes
than revenge e-mails like those sent
under Allyn's name, he said.
Palo Alto attorney John J. Steele, a
partner at Fenwick & West who specializes
in antitrust and intellectual property
litigation, said that while he does not
consider e-mail fraud to be particularly
commonplace, it is a problem that rates
attention.
"I don't think it's so rare that it should
be ignored," Steele said.
On the other hand, Internet specialist
Maureen Dorney voiced concern that e-mail
fraud is "widespread" and "easier to do
than most people realize."
"There is a minority of Internet-savvy
people who know how to do this... It is
a blessing that it is not more widespread
than it is," said Dorney, an associate
at Gray Cary Ware & Freidenrich in Palo
Alto. "I think people should be aware
that it is a risk."
Some commit e-mail fraud by breaking
into another's computer and using the
computer owner's password -- which according
to Steele, underlines the importance of
keeping the e-mail application off limits,
with its own password if necessary.
"You have to shut off your e-mail when
you leave your desk. You wouldn't leave
your wallet on your desk," Steele said.
However, in Allyn's case, the perpetrator
managed to steal the attorney's identity
without using his computer. Instead, Allyn
said, he forged the "headers," or the
character string at the top of the e-mail
message that includes the originator's
e-mail address and routing information.
"[He] sent the e-mail from his own account
and played around with the headers to
make it appear as though the e-mail emanated
from my account, when in fact it did not,"
Allyn said.
Internet technology specialist
Jeff Fischbach, whom Allyn's firm hired
to help it respond to the spoof and spam,
said "it was immediately obvious" that
the perpetrator left some clues to his
identity, or at least that of his Internet
service provider, in the forged headers.
Fischbach is president of SecondWave
Information Systems in Chatsworth, California.
"[He] didn't even make a full, concerted
effort to hide that it was a spoof."
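The kind of header check Fischbach describes can be sketched as follows. This is an added example, not code from the article or from anyone quoted in it: the message, host names and the `origin_clues` helper are constructed for illustration, and a sendmail-style `Received` layout is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. The top Received line is the one stamped by the
# recipient's own server; everything below it is supplied by the sender.
SAMPLE = (
    "Received: from dialup-42.isp.example (dialup-42.isp.example [192.0.2.17])\n"
    "\tby mx.recipient.example with SMTP; Mon, 1 Jan 2001 10:02:11 -0800\n"
    "Received: from mail.lawfirm.example (unverified [192.0.2.17])\n"
    "\tby dialup-42.isp.example; Mon, 1 Jan 2001 10:02:05 -0800\n"
    'From: "A. Lawyer" <alawyer@lawfirm.example>\n'
    "Message-ID: <20010101.1002@dialup-42.isp.example>\n"
    "Subject: Notice\n"
    "\n"
    "Body text.\n"
)

# Assumed layout: from HELO-name (reverse-DNS [ip]) by receiving-host
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9.]+)\]\)\s+by\s+([^\s;]+)")

def base_domain(host):
    # Simplification: last two labels; production code needs the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def origin_clues(raw, trusted_mx):
    """Compare the claimed From domain with the host our own server saw connect."""
    msg = message_from_string(raw)
    clues = {
        "from_domain": base_domain(
            parseaddr(msg.get("From", ""))[1].rpartition("@")[2]),
        "message_id_domain": base_domain(
            msg.get("Message-ID", "").strip("<> ").rpartition("@")[2]),
        "connecting_domain": None, "connecting_ip": None, "mismatch": None,
    }
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        # Trust only the hop recorded by our own mail exchanger.
        if m and m.group(4).lower() == trusted_mx:
            helo, rdns, ip = m.group(1), m.group(2), m.group(3)
            clues["connecting_domain"] = base_domain(rdns or helo)
            clues["connecting_ip"] = ip
            clues["mismatch"] = clues["connecting_domain"] != clues["from_domain"]
            break
    return clues
```

A mismatch is a lead for the investigator rather than proof, since legitimate mail is often relayed through third-party hosts; the connecting IP address is what identifies the service provider to contact.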
Fischbach said
that if technology that is already
available were in widespread use, Allyn
might have been spared his Internet nightmare.
According to Steele, digital signatures
and encryption, which allow the user to
authenticate who sent an e-mail message
and ascertain that the message was not
changed during transmission, are "very
powerful solutions" to prevent e-mail
fraud.
"There are ways to make it prohibitively
expensive, if not impossible, [for] someone
to create a false message," Steele said.
"The technological solutions are coming
so that only the more sophisticated and
determined people will be able to [forge
e-mail messages]."
Dorney explained that the digital signature
is based on mathematical calculations.
The sender runs a "hash function" to authenticate
the message, then "signs" or encrypts
the "result" of the hash function with
information from a "private key".
When the message is received, according
to Dorney, the recipient runs the document
through the same hash function to ascertain
that it was not altered during transmission,
then accesses the sender's "public key"
to verify the digital signature.
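The hash-then-sign flow Dorney describes, applied to a spoofed sender, looks like this. It is an added example, not code from the article: it uses unpadded textbook RSA with fixed Mersenne primes purely so it runs with the standard library, and the addresses, message text and function names are constructed. Real mail clients use a vetted library with padded signatures.

```python
import hashlib

# Toy key for illustration only: fixed, publicly known primes and no padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, published by the sender
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, kept by the sender

def digest(sender, body):
    # Hash the claimed sender together with the body so neither can be changed.
    data = sender.encode() + b"\n" + body.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(sender, body, d=D, n=N):
    # "Sign" the hash result with the private key.
    return pow(digest(sender, body), d, n)

def verify(sender, body, signature, e=E, n=N):
    # Recipient re-runs the same hash and checks it against the signature
    # using the sender's public key.
    return pow(signature, e, n) == digest(sender, body)

def demo():
    sender, body = "alawyer@lawfirm.example", "Meeting moved to 3 pm."
    sig = sign(sender, body)
    genuine = verify(sender, body, sig)
    altered = verify(sender, body + " Bring the file.", sig)
    # A forger does not hold D, so can only sign with some other key
    # (hypothetical second toy key below).
    fp, fq = 2**89 - 1, 2**107 - 1
    fd = pow(E, -1, (fp - 1) * (fq - 1))
    forged_body = "Direct future correspondence to me."
    forged_sig = sign(sender, forged_body, d=fd, n=fp * fq)
    forged = verify(sender, forged_body, forged_sig)
    return genuine, altered, forged
```

Only the genuine message verifies: a message altered in transit and a message signed with someone else's key both fail against the named sender's public key.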
Currently, the Massachusetts
Institute of Technology maintains the
repository for public keys, according
to Fischbach. Private keys, he said, are
maintained on a user's local system --
they can be kept in encrypted form --
and often are accessed through a "pass
phrase," a higher level of security than
a password.
Fischbach added that
digital signature technology is easy to
use and available to consumers via recent
releases or upgrades of e-mail applications
such as Qualcomm Inc.'s Eudora.
According to Dorney, the primary purpose
of digital signatures is to facilitate
the creation of "valid, enforceable contracts
on-line."
Legislation to regulate the use of digital
signatures is pending in many states,
including California, and may be contemplated
on the federal level, Dorney said.
She said Utah enacted a detailed regulation
for certifying digital signature authentication,
but that when California lawmakers considered
a similar bill, they concluded it could
tie the state to technical standards "that
weren't going to be dominant in the long
term."
She noted that contract law typically
is enforced on the state, rather than
federal, level. But given the worldwide
nature of the Internet, she said, "There
may be practical problems in [regulating
digital signatures] state-by-state."
But since digital-signature technology
thus far is used by few, the average computer
user continues to face the prospect of
being spammed, an action that is perfectly
legal.
"Spamming is not illegal in and of itself,
and it raises all sorts of First Amendment
issues for the Internet service providers"
who would restrict e-mail service in an
attempt to halt spams, Assistant U.S.
Attorney Painter said.
However, some businesses use spammed
e-mail messages as a means of advertising
cheaply. Such messages, called "unsolicited
commercial e-mails," or UCEs, are the
Internet equivalent of junk mail.
Furthermore, Fischbach said sometimes
UCE senders create a kind of spoof: They
place fake return e-mail addresses in
the headers so they "don't have to put
up with receiving flames [vitriolic e-mail
messages] as a result of their UCE."
Such spoofs also are legal, Painter points
out.
"Is it illegal to give an incorrect e-mail
address? No," Painter said.
The advent of UCEs has inspired a number
of groups to post Web pages decrying the
commercial spams and calling for support
of legislation to outlaw or regulate them.
"Unwanted junk [e-mail] is an area of
true consumer aggravation," says Internet
Service Providers Consortium president
Deb Howard in an introduction to the group's
position paper on UCE. The paper, which
is posted on the Internet, states that
UCE senders shift the cost of carrying
their advertisements onto the customer,
in the form of increased connect times
necessary to receive the unwanted messages.
While the consortium "would prefer to
see as little government intrusion by
legislation as possible," the group says
in its position paper that there exists
"some Internet user support for amending
the existing...federal junk fax law to
explicitly include e-mail in its prohibition
of unsolicited advertising transmissions."
A bill in Congress, introduced in May
by Rep. Christopher Smith, R-N.J., would
do just that, and it received support
in a June 3 opinion piece in the Seattle
Times that can be seen at the newspaper's
Web site.
The Coalition Against Unsolicited Commercial
E-mail also backs such legislation. CAUCE's
chair, Scott Hazen Mueller, additionally
participates in what he calls a "loose
coalition of anti-spammers without a name"
whose Web site urges Internet users to
"promote responsible net commerce: Fight
spam!"
The site includes links to "practical
tools to boycott spam" and a "blacklist
of Internet advertisers."