The name of the law plays on the concept of “canning” unsolicited email messages, but is also a “backronym” for Controlling the Assault of Non-Solicited Pornography and Marketing, giving it a full and meaningful title. Junk correspondence by way of email had been steadily climbing since the early 1990s—perhaps in lockstep with Internet-capable PCs intended for home use. This spam, as it is collectively called, does more than just distress its recipients: It is notorious for hosting malware and phishing schemes, and disrupts productivity at a purported $20 billion in annual damages.
The CAN-SPAM act—which arguably began the modern study of cyber security from a public policy stance—was drafted as a countermeasure to the aforementioned issues and threats. It would supersede all forerunning state protections and require the FTC to report on its progress in the span of two (2) years. But opponents of the CAN-SPAM Act were quick to highlight the law’s ineffectiveness. Not only did it legalize the sending of unsolicited emails, which infuriated web activists groups like the Coalition Against Unsolicited Commercial Email (CAUCE); its rules which prohibited certain “sending behavior” were not enforced.
This was confirmed in early 2004 when two (2) spam-filtering vendors discovered that less than one (1) percent of unsolicited emails complied with the provisions of the CAN-SPAM Act. This meant the law was not immediately effective, drawing almost-as-immediate ridicule from its detractors as well the consensus that it was really the “You Can Spam” act. When viewing the law objectively, these sentiments are certainly not unwarranted. The CAN-SPAM Act, for example, requires email recipients to “opt-out” of unsolicited correspondence. This, by default, enables spam because it does not require senders to “opt-in” for permission to distribute their commercial emails.
The mechanics of the CAN-SPAM Act, which seem to favor commerce more than they do privacy, fuels the prospect of malware and phishing attacks, too. CAUCE suggested the law guarantees spammers at least one (1) attempt at reaching a user’s inbox. But as far as most Security Experts are concerned, one (1) attempt is sometimes all it takes for a system, large or small, to be compromised. This, coupled with preventing natural persons to file suit in the wake of damages, have led to repeated calls to assess the effectiveness of the CAN-SPAM Act. Some of its opponents, however, argue that its provisions are too strict and have sought to weaken them.
Social media, SMS/text messaging and a host of other factors have changed the digital landscape since the passing of the CAN-SPAM Act of 2003, prompting the FTC to announce a formal evaluation of the law in mid-2017. What will become of the law remains to be seen. What’s clear, however, is a future unlikely to change its course, and the need for heightened security and privacy protection as society grows increasingly digital.