[dba-Tech] A new tool In the spam war?

Jon Tydda Jon.Tydda at alcontrol.co.uk
Mon Jan 17 03:31:25 CST 2005


http://www.theregister.co.uk/2005/01/14/arbitration_new_tool_in_spam_war/

A new tool In the spam war

By Ethan Preston, SecurityFocus
Published Friday 14th January 2005 05:29 GMT

Arbitration is part of the next wave of security measures, and can be
effective against spammers who illegally harvest email addresses from a
honeypot on your website, writes Ethan Preston.

Anti-spammers have a new weapon in their arms race with the spammers. A
robot recently rummaged through Mike Wendland's website
<http://mikesejournal.com/>, harvesting email addresses to spam. But, as a
participant of Project Honeypot <http://www.projecthoneypot.org/>, Wendland
was prepared with an anti-spam honeypot
<http://mikesejournal.com/archives/003057.php>. (Project Honeypot is
coordinated by Matthew Prince, CEO of unspam <http://www.unspam.com/>.)

The script automatically generates bogus web pages (like this one
<http://www.projecthoneypot.org/honey_pot_example.php>) that contain a
control email address for the robot to collect. Project Honeypot both
records the robot's IP address and the date and time the bogus web page is
downloaded, and also receives any email sent to the control email address.
The control email addresses are unique, so the Project can positively
correlate a robot's IP address and time-stamp with any spam sent to the
control email addresses. The end result: Wendland was able to identify the
illicit harvester <http://mikesejournal.com/archives/003071.php>, an
ostensibly legitimate marketing company.
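The correlation step just described, as an added example with constructed data (this is not Project Honeypot's code; the domain, the TEST-NET IP addresses and the timestamps are all made up): each page fetch mints a unique control address and logs the visitor's IP and time with it, so any later message to that address can only have come from whoever harvested it.

```python
import secrets
from datetime import datetime, timedelta, timezone

class HoneypotLog:
    """Records which visitor fetched which bogus page and the unique control
    address minted for that fetch, then attributes later spam to that visitor."""

    def __init__(self, domain: str = "honeypot.example"):   # constructed domain
        self.domain = domain
        self.harvests = {}      # control address -> (visitor ip, fetch time)
        self.confirmed = {}     # visitor ip -> number of spam messages received

    def record_page_fetch(self, visitor_ip: str, fetched_at: datetime) -> str:
        """Mint a fresh, unguessable control address for this page fetch and log
        the IP/timestamp pair with it.  The page served to the robot embeds it."""
        addr = f"ctl-{secrets.token_hex(8)}@{self.domain}"
        self.harvests[addr] = (visitor_ip, fetched_at)
        return addr

    def attribute_spam(self, rcpt_to: str, received_at: datetime):
        """A message to a control address can only have come from whoever
        harvested it; return the harvester IP and how long it sat before use."""
        hit = self.harvests.get(rcpt_to.strip().lower())
        if hit is None:
            return None                      # not one of ours: ignore
        ip, fetched_at = hit
        self.confirmed[ip] = self.confirmed.get(ip, 0) + 1
        return {"harvester_ip": ip, "harvested_at": fetched_at,
                "delay": received_at - fetched_at}

    def blocklist(self):
        """IPs with at least one spam message traced back to them, as a
        webmaster would export them to block the robot."""
        return sorted(self.confirmed)


def demo():
    """Constructed walk-through: a robot and an innocent crawler each fetch a
    page; only the address handed to the robot later receives spam."""
    log = HoneypotLog()
    t0 = datetime(2005, 1, 10, 9, 0, tzinfo=timezone.utc)
    robot_addr = log.record_page_fetch("192.0.2.10", t0)           # TEST-NET
    log.record_page_fetch("198.51.100.7", t0 + timedelta(minutes=5))
    # constructed inbound envelope recipients seen four days later
    inbox = [robot_addr.upper(), "alice@honeypot.example", robot_addr]
    hits = [log.attribute_spam(r, t0 + timedelta(days=4)) for r in inbox]
    return hits, log.blocklist()
```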

By identifying illicit harvesters, Project Honeypot opens up a new front in
the war on spam. Webmasters can now identify and block robots that harvest
email addresses from their websites. Indeed, because the Project collects
participants' data and publishes a list of IP addresses
<http://www.projecthoneypot.org/bots_and_servers.php> associated with spam
harvesters, webmasters and ISPs can block all the harvesting robots
identified through Project Honeypot.

Moreover, once harvesters have been identified, they can be prosecuted and
<http://www.projecthoneypot.org/law_of_harvesting.php> sued under the CAN
SPAM Act of 2004. And the states have their own anti-spam statutes, whose
penalties as seen recently can be quite severe.
<http://www.securityfocus.com/columnists/287> 

Given these new advances, the model license
<http://www.projecthoneypot.org/honey_pot_example.php>  used in Project
Honeypot's bogus web pages is one aspect of Project Honeypot that might get
overlooked. Even though a harvester's use of a website might be illicit, the
bogus web pages' license is nonetheless legally binding. This model license
contains a number of interesting provisions:

* The model license states that the harvester, as the owner of the
robot, agrees to the license's terms when the harvester collects, stores,
transfers to a third party, or sends email to, a control email address.

* The model license also prohibits robots from using more system
resources than a human visitor would, or from collecting or storing any
email address from the participant's website. The harvester also agrees each
email address on the participant's website has a $50 value.

* Finally, when a harvester agrees to the web page's license, it also
consents to litigate in the courts where the participant resides.

The model license is meant to provide Project Honeypot's participants with
effective legal remedies against harvesters. The last provision lets the
Project's participants haul harvesters from anywhere in the country into the
participant's local courts. This is both convenient and more economical for
the Project's participants, and may put a harvesting company at a
considerable disadvantage by forcing it to litigate in a distant court.

But is litigation an adequate remedy against harvesters? To indulge in
stereotypes for a moment, the anti-spam movement (like the computer security
discipline generally) has two sides: the geeks and the lawyers. The geeks
are often skeptical about the lawyers and the legal system - compared with
technical solutions, the legal system is slow, expensive, uncertain and
limited by national boundaries. And although geeks will applaud Project
Honeypot's technical innovation, they could be skeptical about whether the
Project's participants can actually collect money from harvesters that might
be halfway around the world <http://mikesejournal.com/archives/003074.php>.
Even if a network operator obtains a judgment from a local court, enforcing
a domestic judgment (especially if the domestic court is American
<http://travel.state.gov/law/enforcement_of_judgments.html>) in a foreign
jurisdiction can be difficult and uncertain.


Is arbitration the next step for computer security?


What else can the lawyers add to Project Honeypot? Keep in mind that Project
Honeypot has already shown a good deal of legal acumen (PDF
<http://www.ceas.cc/papers-2004/163.pdf>): once again, even though a robot's
access to a Project participant's website is illicit, the robot nonetheless
contractually binds its owner to the terms of the Project's model license.
In turn, harvesters are liable for breaching the license, and may have to
defend themselves in the Project participant's local court. But the
Project's model license actually can do more: virtually every document that
contains a contract can also incorporate an arbitration agreement as well.

Arbitration is a dispute resolution process similar to litigation, except
that the arbitrating parties privately agree to the rules of arbitration and
select private individuals (called arbitrators) to administer and decide the
arbitration (rather than public officials, like judges). The parties in
arbitration can (within limits) use their own procedural rules to make the
proceeding shorter, simpler and less expensive than litigation. Parties can
also use IT professionals with training in computer security as arbitrators,
rather than judges with no computer science background. Finally, arbitration
agreements can provide penalties for unauthorized disclosure of information
about the arbitration proceedings, while litigation is open to the public.

Arbitration also has another significant advantage over litigation: most of
the countries around the world
<http://www.uncitral.org/english/status/status-e.htm#Convention%20on%20the%20Recognition%20and%20Enforcement%20of%20Foreign%20Arbitral%20Awards%20(New%20York,%201958)>
have signed the New York Convention on the Recognition and Enforcement of
Foreign Arbitral Awards
<http://www.uncitral.org/english/texts/arbitration/NY-conv.htm>, which
requires the signatory countries to recognize and enforce foreign
arbitration awards except in very limited circumstances. Thus, arbitration
awards can be enforced more readily than domestic court judgments.

The international enforcement of arbitration awards has implications well
beyond Project Honeypot. Today, most networks have some kind of contractual
language in their login banners, or otherwise require users accessing the
network to agree to the terms of a network license. For instance, more
traditional honeypot operators <http://www.securityfocus.com/infocus/1757>
use "consent banners" to insulate themselves from liability under
wiretapping laws <http://www.securityfocus.com/infocus/1703>. Anywhere
network operators use licenses or contracts, they can include
arbitration provisions. The ability to enforce arbitration awards against
foreign spammers, harvesters, and other network intruders could mean a more
prominent role for the legal system in modern computer security practice.


Flies in the ointment


Although any contract can contain an arbitration agreement, there's a
wrinkle. To be enforceable, network licenses (like Project Honeypot's model
license) must be recognized as valid arbitration agreements in both the
network operator's jurisdiction and the network intruder's jurisdiction. The
New York Convention only requires signatory countries to recognize written
arbitration agreements. Unfortunately, the New York Convention was written
in 1958, and its definition of a written agreement includes contracts or
arbitration agreements "signed by the parties or contained in an exchange of
letters or telegrams."

Fortunately, many countries
<http://www.uncitral.org/english/status/status-e.htm#UNCITRAL%20Model%20Law%20on%20International%20Commercial%20Arbitration%20(1985)>
have updated their arbitration laws
<http://www.uncitral.org/english/texts/arbitration/ml-arb.htm> to include
electronic agreements like Project Honeypot's model license. Other countries
<http://www.uncitral.org/english/status/status-e.htm#UNCITRAL%20Model%20Law%20on%20Electronic%20Commerce%20(1996)>
have generally updated their contract laws
<http://www.uncitral.org/english/texts/electcom/ml-ecomm.htm>, so that
electronic agreements must be treated like any other written contract.
Nevertheless, making sure an arbitration agreement is
enforceable against a particular network intruder involves more than
checking to see whether the intruder's home jurisdiction is a New York
Convention signatory.

Used properly, arbitration could be an important refinement of modern
computer security practices - but it is not a silver bullet. Network
intruders still have to be identified, and electronic arbitration agreements
must be enforceable in both the network operator's jurisdiction and the
network intruder's jurisdiction. Moreover, once an arbitration award is
made, it still has to be enforced in the network intruder's jurisdiction,
where the intruder may attempt to challenge the award. Nevertheless, arbitration
against network intruders can still be cheaper and more convenient than
litigation, and valid arbitration awards are much easier to enforce abroad
than domestic court judgments. And the options to make arbitration
confidential or to use technically experienced arbitrators may also drive
network operators to arbitration. At the very least, arbitration is another
legal option that savvy computer security professionals need to know about.

Copyright © 2005, SecurityFocus <http://www.securityfocus.com/>

Ethan Preston is an attorney in Chicago, Illinois, whose practice includes
information technology, intellectual property, and privacy law. His
publication credits include The Global Rise of a Duty to Disclose
Information Security Breaches and Computer Security Publications:
Information Economics, Shifting Liability and the First Amendment.
