CSC 379: Ethics in Computing  
  Summer II 2006  
 
 
 
 
   
   
   
   
  COURSE OVERVIEW  
  This course is a survey of the ethical issues involved in computing. It discusses the way that computers and software pose new ethical questions or pose new versions of standard moral problems and dilemmas. It stresses case studies that relate to ethical theory.  
     
  INSTRUCTOR  
  Edward F. Gehringer
Office: 2301 Partners I
(919) 515-2066
Office hours:
MW 2:45-3:45
efg@ncsu.edu
 
     
Lecture 2: Netiquette
 
   

This week, we turn our attention to netiquette. I haven't prepared a lecture on this topic in general. Instead, please read The Core Rules of Netiquette, and peruse the rest of Netiquette, by Virginia Shea. Next, we will concentrate on two specific areas of netiquette, spam and chain letters.

The problem of spam. To say that spam has become an epidemic would be a serious understatement. It has proliferated in the past few years, and it now constitutes an estimated 90% of all e-mail sent. This causes several problems.

First, there is the volume of spam. According to Ferris Research Inc., a San Francisco consulting group, spam cost American business more than $10 billion last year. This total includes lost productivity and the additional equipment, software and manpower needed to combat the problem. The sheer volume may disrupt other traffic. There are signs that it is even causing computer users to reduce their use of e-mail.

Then there is the content. About 2/3 of all commercial spam is fraudulent. This includes 90% of the spam that advertised investment and business opportunities. Fraudulent or not, pornographic spam abounds, accounting for about 18% of all spam. One-fifth of these messages include images of nudity that appear automatically in the body of the message. Even though delivering sexually explicit material to minors is against the law, e-mail addresses posted to children's newsgroups receive a large amount of pornographic spam. It is no wonder that parents are concerned about their children's use of e-mail.

In late 2003, a new kind of fraudulent spam came to the fore. Called "phishing," it aims to trick users into visiting a fake Web site of a trusted financial institution and providing account information and passwords that the "phisherman" can then use to masquerade as the user and charge merchandise or withdraw money. The attacks have quickly increased in number and sophistication. Some new phishing attacks place viruses on victims' computers that will log keystrokes whenever the victim visits any of a list of major financial institutions.

A legislative solution? There have been many attempts to ban spam. Thirty-six states have some kind of legislation. One of the toughest laws is in Virginia. The worst violations carry a prison term of one to five years and various fines. The law also permits seizure of ill-gotten profits and income from the sale of spam advertising. In late 2003, President Bush signed the CAN-SPAM Act, an acronym that stands for "Controlling the Assault of Non-Solicited Pornography and Marketing Act." This law requires all commercial e-mail to provide "clear and conspicuous" identification that the message is an advertisement, and give the user a way to opt out of further e-mails from the sender. It also requires senders to include their valid "physical postal address," and prohibits forging of mail headers. It bans spam that perpetrates fraud or identity theft, obscenity, or child pornography.

Such laws, however, may not be very effective. First, there is the obvious fact that spam hops effortlessly across state and national boundaries, making it impossible for any one jurisdiction to close its floodgates against spam. Also, the origin of spam is often difficult to determine. Spammers rotate the domains from which they send mail and even change the key terms in a message to avoid detection. Up to 95% of spam is estimated to be untraceable. Even when spammers can be located, enforcement is unlikely because there are so many of them and other crimes often take priority.

"Opt out" vs. "opt in". The CAN-SPAM Act itself may be part of the problem, as it pre-empts virtually all state spam laws. These include the strict California and Delaware laws that allowed commercial e-mail only if a recipient opted in, by signing up for the communication. With the opt-out approach of the federal law, any spammer is allowed to send you any number of e-mails until you opt out. Given the fact that there are 25 million businesses in the US alone, users could be faced with the gargantuan task of opting out of dozens or hundreds of e-mail lists per day.

However, opt-in lists are not without their problems. Third parties can (and do) add others to lists. This can be prevented by "double opt-in"--asking for permission and then sending an e-mail to the requestor asking for confirmation of the request. Opt-in also poses hurdles for legitimate marketers of new products--people cannot become interested in new products until they have heard about them. The Direct Marketing Association notes that an opt-in requirement has never applied to direct ("junk") mail, which constitutes about 40% of postal mail, and takes much more effort to dispose of than e-mail.

Then there is the problem of "affiliate marketing." If a customer has not opted in to receive e-mail from company x, what happens if (s)he gets unsolicited e-mail from another company that markets company x's products? Under the California law, company x would have been liable. The law was written that way so that consumers could easily avoid unwanted solicitations, but it obviously would have created a tremendous liability problem for any manufacturer who did not market directly to consumers.

Approaches that could backfire. Another popular idea is an official "do-not-spam" list, similar to the "do-not-call" list that was established in 2003 for telemarketing calls. Under the CAN-SPAM Act, the Federal Trade Commission was given six months to decide whether to establish such a list. On June 15, 2004, it decided not to do so, saying that spammers could simply mine such a registry looking for new victims. "A registry that identified accounts used by children, for example, could assist legitimate marketers to avoid sending inappropriate messages to children," the FTC said. "At the same time, however, the Internet's most dangerous users, including pedophiles, also could use this information to target children."

Similarly, requirements that e-mail be labeled as advertising are criticized as a requirement that spammers could easily ignore, that would instead penalize legitimate marketers because recipients or ISPs will filter out e-mail labeled "ADV." Finally, spammers could legally acquire domains, set them up to authenticate e-mail, and then abandon them when they appear on anti-spam lists. Another objection is that mail-forwarding services, such as that supplied by ACM, would no longer work because mail sent through them doesn't actually come from the address it appears to come from.

Bounties. Enough users are upset enough about spam that perhaps a technological fix isn't necessary. How about just rewarding users for information leading to the conviction of spammers? The FTC is considering a "bounty system" that would pay tipsters a percentage of the civil penalty the government is able to collect based on their information. The proposal is to pay them "not less than 20 percent of the total civil penalty" collected by the FTC, which could run into the millions. Objections range from saying the FTC already knows who the spammers are to doubting the ability of computer users to find any, or that legitimate mailers would be sued due to inaccurate information provided by vigilantes.

Charging for e-mail. The economics of advertising by spam are the opposite of traditional direct marketing. With junk snailmail, each communication costs money, so it helps to target your audience. With spam, once you've written the program, the addresses are free; trying to determine anything about the recipient is more costly. This observation has led to suggestions that senders be charged for e-mail. The simplest approach would be for ISPs to charge a set amount for each outgoing message. Users could be allocated a monthly quota of free e-mail so they wouldn't worry about being "on the meter" for each message sent. Bill Gates supported this idea in a talk at the World Economic Forum last year. However, a big issue is who would do the charging. ISPs could charge, but spammers could then set up their own ISPs to avoid the charge. And charging for e-mail might put ISPs at a competitive disadvantage; anti-spam advocate John Levine notes that in the early '90s, there were systems that charged 10 cents per message. "And they are all dead," he concludes.

In any event, a charging scheme could be defeated by spammers who hijack other computers--called zombies--to send their spam. Up to 80% of all spam is now sent by such machines, and it would be their owners, not the spammers, who would be billed for the spam. While this might make them more vigilant in blocking and removing viruses from their computers, it would also be an administrative headache for ISPs, who would have to deal with a gaggle of angry overcharged users. Instead, the Federal Trade Commission urges ISPs to monitor outgoing e-mail traffic from their customers' computers and disconnect those that seem to be acting as zombies.

In early 2006, a variant of the paid e-mail plan was adopted by AOL and Yahoo. Instead of charging for mail delivery per se, they contracted with Goodmail to deliver--for a price--authenticated e-mail to users' mailboxes, bypassing spam filters. Non-paying senders could still e-mail AOL and Yahoo users, but they would have no guarantee that their missives would not be filtered out by the users' spam filters. Non-profit groups across the political spectrum immediately united to denounce the plan, saying they could not afford the postage, and the establishment of a two-tiered e-mail system would cause much of their mail to be trashed before it ever reached the recipient. Goodmail responded with an offer to deeply discount services to nonprofits, but the critics still worried about Goodmail's ability to filter out "free speech" at any time.

Another tack is to let the recipient determine how much to charge the sender to read the sender's message. Each user's e-mail client would maintain a "white list" of parties with whom (s)he exchanges e-mail; mail from these entities is delivered without charge. Any other mail would be delivered only if the sender posts a certain "bond" with an escrow agency. If the recipient subsequently reads the e-mail and decides it is spam, the recipient collects the bond, minus a small amount to cover the cost of the escrow agency. However, if the recipient collects the bond "too often," then (s)he will probably be blacklisted by legitimate marketers and receive no more ads of any kind.

CPU time as "postage". The Camram proposal is a way to charge "postage" for e-mail without using money. It works this way: Each user's e-mail client maintains a "white list" of parties with whom (s)he exchanges e-mail; mail from these entities is delivered normally. A spam filter is also employed to reject mail from known spammers and other objectionable senders. Other mail--that isn't "whitelisted" or blacklisted--is delivered only if the sender's e-mail program solves a "puzzle" (much like guessing the combination of a lock) that requires a certain amount of computation time, e.g., 15 seconds, to solve. It is based on the principle that if I want to reach someone that I haven't corresponded with before, I would be very willing to have my computer do 15 seconds' worth of computation to reach him. However, if I were a spammer, trying to send to millions of addresses, the 15 seconds' overhead would be prohibitive.
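The whitelist / blacklist / puzzle flow described above, as an added example (not Camram's code and not part of the original lecture). It assumes a hashcash-style SHA-256 puzzle, since the page does not specify one; the addresses, date and 16-bit difficulty are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # constructed difficulty (~65,000 hashes on average); "15 seconds" would need far more

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(sender, recipient, date, bits=BITS):
    """Sender side: brute-force a counter until the stamp's hash has `bits` leading zero bits."""
    for counter in count():
        stamp = f"{bits}:{date}:{sender}:{recipient}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp

def stamp_ok(stamp, sender, recipient, date, spent, bits=BITS):
    """Recipient side: a single hash verifies work that cost the sender many hashes."""
    parts = stamp.split(":")
    if len(parts) != 5 or parts[:4] != [str(bits), date, sender, recipient]:
        return False  # wrong difficulty, stale date, or minted for a different mailbox
    if stamp in spent:
        return False  # replay: the same stamp cannot pay for two messages
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False  # the claimed work was never done
    spent.add(stamp)
    return True

def deliver(sender, recipient, date, stamp, whitelist, blacklist, spent):
    """Apply the three rules in the paragraph: blacklist, white list, then the puzzle."""
    if sender in blacklist:
        return "reject"
    if sender in whitelist:
        return "deliver"
    if stamp and stamp_ok(stamp, sender, recipient, date, spent):
        return "deliver"
    return "reject"

if __name__ == "__main__":
    spent = set()
    args = ("stranger@example.org", "alice@example.com", "2006-07-10")
    stamp = mint(*args)
    print(stamp, deliver(*args, stamp, {"bob@example.com"}, set(), spent))
```

Binding the stamp to one recipient and one date is what makes the cost scale with the number of addresses: a stamp minted for one mailbox is worthless for any other, and the spent-stamp set stops a single stamp from being reused.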

In practice, observers agree, no single approach is likely to stop spam. More likely, a combination of approaches will succeed in diminishing the magnitude of the problem to "acceptable" levels. In the short run, users and sysadmins will have to invest effort in keeping their spam filters up to date, and devising new techniques to differentiate spam from legitimate e-mail.

Not all spam goes by e-mail. While almost all spam today is e-mailed, it was not always so, nor will it always be so. Up until the mid-'90s, so few people were online that e-mail was not a very effective marketing medium. At the time, Usenet newsgroups were a common means of online communication. Questions that would today be answered by a quick Web search were instead posted on newsgroups. Users were expected to post only relevant material to the group. But on April 12, 1994, spam was born. Laurence Canter and Martha Siegel, two Phoenix lawyers, posted a message to almost all newsgroups. They were offering their services to help U.S. immigrants apply for the "green-card lottery" set up by the Immigration and Naturalization Service (the INS). In response, Canter and Siegel were deluged with complaints. They received more than 30,000 e-mail messages. Some programmers prepared e-mail "bombs" to knock out the computer that provided their Internet service. Their fax machine spewed forth hundreds of pages of paper, mostly blank. Nonetheless, the technique spread, and soon migrated to e-mail.

In Europe and Asia, cellphones are a frequent target of spam text messages. The potential for this form of abuse will increase in the United States when a directory of cellphone users is amassed by the Cellular Telecommunications and Internet Association. A greater threat may be spim--spam via instant messaging. Currently, only 5% to 8% of instant messages in the workplace are spim, but the potential for harm is much greater; unlike spam, spim interrupts whatever a user is doing, threatening companies with an instant loss of productivity. And spam has also come full circle, with the recent targeting of message boards by spambots that search the Web for sites that allow visitor postings and insert ads.

The ethics of indiscriminate communications. What's wrong with spam? Well, spammers are exploiting for private gain a resource that they are not paying for. They pay only a monthly connection fee of about $20. The Internet allows massive replication and transmission of information; if everyone did it, the net would soon be brought to its knees. The practice could spread and make newsgroups and e-mail unusable.

Users can help defeat spam by not replying to it and never buying anything advertised in spam. Marketers bear a burden to ensure that they do not inadvertently become spammers. If they buy mailing lists, how do they know that the addresses were gathered ethically? Just because the marketer claims it's an opt-in list, is it necessarily so?

Chain letters. Chain letters became a problem at about the same time as e-mail spam. A letter entitled "MAKE MONEY FAST" originated in 1988, but was not widely circulated until several years later. The simplest form of a chain letter consists of a list of x people. You are supposed to send some money to the first person on the list. Then you remove the top person on the list, and add yourself at the bottom. You make y copies of the message and mail them to your friends. The claim is that you will eventually receive x^y messages containing money. But chain letters cannot possibly work. If x = y = 5 in the above formula, you would stand to get messages from 3125 people. But if you were in the middle generation of the list, 5^11, or 48 million people, would have to receive letters in the 11th generation. Because they have the elements of fraud, chain letters are illegal.

Chain letters also have a tendency to take on a life of their own. The following example is not from cyberspace, but illustrates the problem. Craig Shergold was a 7-year-old boy who was dying of cancer. His last wish was to have his name entered in the Guinness Book of World Records for receiving the most greeting cards. He asked for cards via a chain letter. By May 1990, he had received 17 million greeting cards, and made the Guinness Book. Due to a successful operation to remove most of a brain tumor, he is no longer terminally ill. But he is still receiving 600 to 1000 letters a day, and the Guinness Book has eliminated the category. Since it was not asking for money, his letter evidently struck a more responsive chord among readers.

Chain-letter hoaxes. At least there was a real Craig Shergold. But Jessica Mydek never did exist. Her story is very similar to Shergold's. She was said to be seven years old and suffering from brain cancer. The doctors had given her six months to live. Supposedly corporate sponsors had agreed to donate three cents to cancer research for every person that forwarded the message about Jessica to the American Cancer Society. I received two or three copies of it myself, and likely you did too. After receiving thousands of such messages, the American Cancer Society issued a disclaimer, asking people not to forward the message.

Fear, as well as compassion, has served as an effective motive for propagating chain letters. One of the most common concerns a story that the FCC was going to impose per-minute charges for using a modem on a phone line. I received this message, ironically, from someone who teaches a computer-ethics course. There never was such a proposal; this seems to be the result of confusion with similar-sounding FCC proposals on other topics. But the story lives on; in mid-1999, the latest version was that the U.S. Postal Service wanted Congress to require postage for e-mail.

Some chain-letter hoaxes are simply due to confusion, but others are evidently malicious, designed to cast aspersions on companies by spamming in their name. This story concerns a Denver company called BusinessLink. Apparently, "BusinessLink" was writing fake spam ads for legitimate companies to create a backlash against them, and putting in their 800 numbers. This forced the victims to pay for angry calls complaining about something they had never done.

The Internet has opened up new opportunities for mass communication. Obviously, not all users are aware of the implications of such communications, or of the resources they consume. In an environment where new users are constantly joining in large numbers, this situation seems bound to continue. Internet users need to be aware of the vulnerabilities of these users, and need to avoid communications that can, intentionally or not, unfairly charge users for services they do not want to receive, degrade or crash their service, or play on their emotions to induce a response which is harmful to other people.