December 31, 1998

The Spam Wars

By Lawrence Lessig

A war of sorts was avoided last month – an Internet war. It was avoided by accident, and in time, the crisis is certain to recur.

The looming conflict is a spam war. A spam war is not the battle to clear our inboxes of uninvited junk. A spam war is the battle that will be fought as spam vigilantes flex their muscles and ISPs resist. The result won't be pretty, and the terms of a possible peace aren't obvious.

This skirmish began at MIT. In November, Jeff Schiller, MIT's network administrator, began receiving e-mail from people complaining that mail sent outside the MIT domain had been blocked. It took little effort to discover the mail was being blocked because an antispam vigilante, Open Relay Blocking System, had decided MIT had "bad e-mail practices." Without notice, MIT was placed on the ORBS list, and subscribers to ORBS began excluding MIT mail automatically.

No one likes to be accused of "bad e-mail practices," especially not an MIT type. It was salt in the wound when Hewlett-Packard confirmed its policy of blocking according to the ORBS list. MIT was told that mail from MIT to HP would not go through until MIT changed its network policy.

But MIT was not to be bullied. In Schiller's view, the institute's decision not to block all "third-party relay" e-mail (e-mail sent through the MIT server without authentication that the sender is associated with MIT) made sense. MIT is not prospam. Its network has measures to limit spam, in particular by policing the use of its third-party relay facility. But MIT's methods are not the methods of ORBS, which made MIT an ORBS enemy.

Rather than cave to the pressure of ORBS, Schiller decided to fight it out with HP. The plan was to bounce all e-mail from HP until HP stopped bouncing e-mail from MIT.

So it would have gone, had not a network god of sorts intervened. Responding to complaints from other ISPs, ORBS' network services provider, BC Tel, decided that ORBS' "unauthorized relay testing" was a violation of its own network policy agreement. BC Tel bumped ORBS off its network, and mail from MIT flowed again to HP. (ORBS will soon be relaunched as Internet Mail Relay Services Survey – IMRSS.)

I know it's bad taste to talk of war so soon after the holidays, but these battles will not go away. The power of the vigilantes will no doubt increase, as they hold out the ever-more-appealing promise of a world without spam. But the conflicts with these vigilantes will increase as well. Network service providers will struggle with antispam activists even as activists struggle with spam.

There's something wrong with this picture. This policy question will fundamentally affect the architecture of e-mail. The ideal solution would involve a mix of rules about spam and code to implement the rules. But there's little agreement about what the spam rules should be, and even less agreement about how they might be enforced. Somehow we need to resolve these differences in a way that puts the burden on those creating the problem.

I don't think MIT is the problem, but I must confess some bias in MIT's favor. (My own institution, Harvard, has been the target of the other major spam vigilante, the MAPS Realtime Blackhole List.)

Certainly, spam is an issue. But the real problem is that vigilantes and network service providers are deciding fundamental policy questions about how the Net will work – each group from its own perspective.

This is policy-making by the "invisible hand." It's not that policy is not being made, but that those making the policy are unaccountable. The self-righteous spam police may or may not be right about the solution to spam; that's not the point. The problem is that policy is being made by people who threaten that if you complain or challenge their boycotts through the legal system, then you will suffer their boycott all the more forcibly.

We are entering the age of Protocol Correctness, in which the mere suggestion of dissent is enough to condemn dissenting packets to oblivion. Is this how network policy should be made?

The answer is obvious, even if the solution is not. This is not how policy should be made. We know this, but we don't know what could replace it. We imagine policy decisions made in a context where dissent can be expressed without punishment, where collective decisions can be made. But no such context exists in cyberspace, nor in our imagination about what cyberspace might become.

The Net has thrived because decisions have been made from the bottom up, but wars also thrive under those circumstances. What's needed is an institution that can mesh the best of the bottom-up culture with a top-down perspective.

If necessity is the mother of invention, then one might hope, that these struggles will bring some sensible sort of Internet governance. But I've yet to see such a creature around these parts.

Lawrence Lessig is the Berkman Professor of Law at Harvard Law School. E-mail him at



[ ]