But the single most important problem with these techniques is the arms race that they produce[59]. Spammers have access to the same filters that network administrators use to block spam — at least if the filters are heuristic[60]. They can therefore play with the message content until it can defeat the filter. That then requires filter writers to change the filters. Some do it well; some don’t. The consequence is that the filters are often over- and under-inclusive — blocking much more than they should or not blocking enough.
The second code-based technique for blocking spam focuses upon the e-mail practices of the sender — meaning not the person sending the e-mail, but the “server” that is forwarding the message to the recipient. A large number of network vigilantes — by which I mean people acting for the good in the world without legal regulation — have established lists of good and bad e-mail servers. These blacklists are compiled by examining the apparent rules the e-mail server uses in deciding whether to send e-mail. Those servers that don’t obey the vigilante’s rules end up on a blacklist, and people subscribing to these blacklists then block any e-mail from those servers.
This system would be fantastic if there were agreement about how best to avoid “misuse” of servers. But there isn’t any such agreement. There are instead good faith differences among good people about how best to control spam[61]. These differences, however, get quashed by the power of the boycott. Indeed, in a network, a boycott is especially powerful. If 5 out of 100 recipients of your e-mail can’t receive it because of the rules your network administrator adopts for your e-mail server, you can be sure the server’s rules — however sensible — will be changed. And often, there’s no appeal of the decision to be included on a blacklist. Like the private filtering technologies for porn, there’s no likely legal remedy for wrongful inclusion on a blacklist. So many types of e-mail services can’t effectively function because they don’t obey the rules of the blacklists.
Now if either or both of these techniques were actually working to stop spam, I would accept them. I’m particularly troubled by the process-less blocking of blacklists, and I have personally suffered significant embarrassment and costs when e-mail that wasn’t spam was treated as spam. Yet these costs might be acceptable if the system in general worked.
But it doesn’t. The quantity of spam continues to increase. The Radicati Group “predicts that by 2007, 70% of all e-mail will be spam”[62]. And while there is evidence that the rate of growth in spam is slowing, there’s no good evidence the pollution of spam is abating[63]. The only federal legislative response, the CAN-SPAM Act, while preempting many innovative state solutions, is not having any significant effect[64].
Not only are these techniques not blocking spam, they are also blocking legitimate bulk e-mail that isn’t — at least from my perspective[65] — spam. The most important example is political e-mail. One great virtue of e-mail was that it would lower the costs of social and political communication. That in turn would widen the opportunity for political speech. But spam-blocking technologies have now emerged as a tax on these important forms of social speech. They have effectively removed a significant promise the Internet originally offered.
Thus, both because regulation through code alone has failed, and because it is actually doing harm to at least one important value that the network originally served, we should consider alternatives to code regulation alone. And, once again, the question is, what mix of modalities would best achieve the legitimate regulatory end?
Begin with the problem: Why is spam so difficult to manage? The simple reason is that it comes unlabeled. There’s no simple way to know that the e-mail you’ve received is spam without opening the e-mail.
That’s no accident. Spammers know that if you knew an e-mail was spam, you wouldn’t open it. So they do everything possible to make you think the e-mail you’re receiving is not spam.
Imagine for a moment that we could fix this problem. Imagine a law that required spam to be labeled, and imagine that law worked. I know this is extremely difficult to imagine, but bear with me for a moment. What would happen if every spam e-mail came with a specified label in its subject line — something like ADV[66]?
Well, we know what would happen initially. Everyone (or most of us) would either tell our e-mail client or ask our e-mail service to block all e-mail with ADV in the subject line. It would be a glorious moment in e-mail history, a return to the days before spam.
But the ultimate results of a regulation are not always its initial results. And it’s quite clear with this sort of regulation, initial results would be temporary. If there’s value in unsolicited missives to e-mail inboxes, then this initial block would be an incentive to find different ways into an inbox. And we can imagine any number of different ways:
Senders could get recipients to opt into receiving such e-mail. The opt-in would change the e-mail from unsolicited to solicited. It would no longer be spam.
Senders could add other tags to the subject line. For example, if this spam were travel spam, the tags could be ADV Travel. Then recipients could modify their filter to block all ADV traffic except Travel e-mails.
Senders could begin to pay recipients for receiving e-mails. As some have proposed, the e-mail could come with an attachment worth a penny, or something more. Recipients could select to block all ADVs except those carrying cash.
The key to each of these modified results is that the recipient is now receiving commercial e-mail by choice, not by trick. This evolution from the initial regulation thus encourages more communication, but only by encouraging consensual communication. Nonconsensual communication — assuming again the regulation was obeyed — would be (largely) eliminated.
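The recipient-side filter these three variations imply can be sketched as follows. This is an added example, not part of the original text; the label grammar (`ADV`, an optional one-word category, then a colon), the `X-Attached-Payment-Cents` header and the sample messages are assumptions made for illustration.

```python
import re
from email.header import Header, decode_header, make_header
from email.message import Message
from email.utils import parseaddr

# Assumed label grammar: "ADV", an optional one-word category, then a colon.
LABEL = re.compile(r"^\s*ADV(?:[ \t]+([A-Za-z]+))?\s*:", re.IGNORECASE)
PAYMENT_HEADER = "X-Attached-Payment-Cents"  # hypothetical, not a real standard

def subject_of(msg):
    # Decode RFC 2047 encoded-words first; otherwise a label sent as
    # =?utf-8?...?= would slip past a match on the raw header.
    return str(make_header(decode_header(msg.get("Subject", ""))))

def decide(msg, opted_in=(), allowed=(), min_cents=None):
    m = LABEL.match(subject_of(msg))
    if m is None:
        return "deliver"                  # unlabeled mail is outside this rule
    # From is forgeable; a real filter would check an authenticated identity.
    if parseaddr(msg.get("From", ""))[1].lower() in opted_in:
        return "deliver"                  # opt-in: the mail is solicited
    if (m.group(1) or "").lower() in allowed:
        return "deliver"                  # e.g. "ADV Travel"
    if min_cents is not None:
        try:
            cents = int(msg.get(PAYMENT_HEADER, "0"))
        except ValueError:
            cents = 0                     # malformed value counts as unpaid
        if cents >= min_cents:
            return "deliver"              # ADV carrying cash
    return "block"

def hide(subject):
    # Same subject as an RFC 2047 encoded-word (constructed test input).
    return Header(subject, "utf-8").encode()

def make(subject, sender="bulk@sender.example", cents=None):
    # Constructed sample message.
    msg = Message()
    msg["From"], msg["Subject"] = sender, subject
    if cents is not None:
        msg[PAYMENT_HEADER] = str(cents)
    return msg

if __name__ == "__main__":
    for subj in ("ADV: Buy now", hide("ADV: Buy now"), "Advance notice: Q3"):
        print(repr(subj), "->", decide(make(subj)))
```

The filter is only as good as the label: it does nothing about mail that omits ADV altogether, which is the compliance problem the text turns to next.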
So in one page, I’ve solved the problem of spam — assuming, that is, that the labeling rule is obeyed. But that, of course, is an impossible assumption. What spammer would comply with this regulation, given the initial effect is to radically shrink his market?
To answer this question, begin by returning to the obvious point about spam, as opposed to viruses or other malware. Spammers are in the business to make money. Money-seekers turn out to be relatively easy creatures to regulate. If the target of regulation is in it for the money, then you can control his behavior by changing his incentives. If ignoring a regulation costs more than obeying it, then spammers (on balance) will obey it. Obeying it may mean changing spamming behavior, or it may mean getting a different job. Either way, change the economic incentives, and you change spamming behavior.
So how can you change the incentives of spammers through law? What reason is there to believe any spammer would pay attention to the law?
People ask that question because they realize quite reasonably that governments don’t spend much time prosecuting spammers. Governments have better things to do (or so they think). So even a law that criminalized spam is not likely to scare many spammers.
60. Ibid., 31. But a related point can be made about Bayesian filtering as well, since many of the tools are themselves open source or free software. DSPAM, for example, is licensed under the GPL.
61. This is being charitable. Zdziarski is much more critical of "vigilantes who don't adhere to any form of proper procedure before blacklisting networks." Ibid., 28.
62. See Arik Hesseldahl,
63. Jonathan Zdziarski,
64. See CAN-SPAM Act of 2003, Public Law 108-187 (2003). For a review of European legislation, see D. I. Cojocarasu,
65. In my view, Congress should be permitted to discriminate in favor of political speech, and should thus be permitted to exempt political speech from any "spam" regulation. This is not only because of the special value in this speech, but also, and more importantly, because abuse with political speech is more naturally regulated. If I am trying to win your vote, I'm not likely to annoy you with spam. But if I'm trying to sell you Viagra, whether I annoy you or not won't matter much to me.
66. This was the law in many states before the federal CAN-SPAM Act preempted this state law. But as those laws didn't have the enforcement remedy I propose here, they are not directly relevant to the argument I am making here. See "Subject Line Labeling as a Weapon Against Spam," A CAN-SPAM Act Report of Congress (FTC June 2005). This solution is just one instance of a general form which aims to shift the burden of revealing information to the sender. For a much more sophisticated proposal, see Theodore Loder, Marshall Van Alstyne, and Rick Wash (2006) "An Economic Response to Unsolicited Communication",