Tech Industry

Taking Microsoft to task on spam

California state Sen. Debra Bowen tells CNET News.com that when it comes to acting against spam, Microsoft is talking out of both sides of its mouth.

Debra Bowen may hail from a Southern California coastal enclave a few hundred miles south of Silicon Valley, but that's just the right distance from which to lob a few bombs at the Redmond, Wash.-based software company.

The Redondo Beach state senator thinks Microsoft has a bad attitude when it comes to spam.

As a California legislator for the past 10 years, Bowen has drafted and introduced bills intended to tie spammers' hands and better protect consumers' privacy. But more recently, she has criticized Microsoft for lobbying against certain spam bills, including one she championed.

Bowen has gone so far as to say "trusting Microsoft to protect computer users from spam is like putting telemarketers in charge of the do-not-call list."

The head of a Senate subcommittee on new technologies, Bowen is no technophobe. She's among the many pet owners that have had their cats and dogs implanted with RFID (radio frequency identification) chips in order to find them if they're picked up by the pound. She's also a fan of science fiction writers William Gibson and Neal Stephenson, whose books have won popularity among the geek-chic crowd and have inspired some of Bowen's policy stances.

Q: You've harshly criticized Microsoft for lobbying against certain spam bills, including yours. Do you think your rhetoric is appropriate?
A: I do. I believe it's an accurate assessment of how Microsoft has acted on the issue of spam, which is basically to talk out of both sides of its mouth. If you read The Wall Street Journal, you'll find Bill Gates advocating a system of self-regulation in which Microsoft becomes, effectively, the post office for spam and collects the equivalent of a postage stamp for each piece of spam delivered.

Of course, that would also give them the ability to charge their Internet or software customers for the ability to block spam. So Microsoft has talked openly about wanting to license spammers or wanting to create a postage-stamp concept.

What's wrong with that?
I believe we are making this far too complicated. If Microsoft was against spam, it would have supported a bill like Senate Bill 12 that requires permission before unsolicited commercial e-mail gets delivered into someone's mailbox.

"I'm concerned that the bills in Congress, which require people to actively opt out of spam, are worse than nothing."
Instead, they danced around with all this stuff about how only scammers are spammers and how, if they've been paid the postage stamp, that it's somehow no longer spam.

Senator, the last time you spoke with us on the spam issue, your SB 12 had just gone down to defeat in committee, while a competing bill that Microsoft supported prevailed. You warned at the time that amendments to that competing bill would come to light, and yours would live to fight another day. What's happened?
Most of the SB 12 contents have gone into what was a competing bill. So, the bills have in effect been merged, and many of the items I was concerned about have been removed from the bill. The current measure that is still alive in the legislature looks a great deal like SB 12.

What's the status of that bill?
I believe it's on the assembly floor. We should be seeing it back in the Senate for concurrence fairly soon.

What's your view of the way federal lawmakers are approaching the spam fight?
I'm concerned that the bills in the U.S. Congress, which require people to actively opt out of spam, are worse than nothing. They don't solve the problem. They legitimize spam, and they put the burden on computer users to deal with it. It does this despite having certain knowledge that most spammers are hard to track down, don't maintain opt-out lists and move their e-mail addresses all the time.

They basically expect that spammers are going to become good boys and girls and keep a list of everyone that's asked to be removed from their spam lists, and I think they are extremely naive. We need to go the other way. People need to have control over their in-boxes, and we need a national permission-based standard.

You held a hearing last month about RFID. What worries you about the technology?
Well, the concern is not the technology itself, which is neutral. It is what happens if the tag gets attached to the identity of the purchaser through, for example, payment by credit card. Then you suddenly have a tag that has also recorded the identity of the purchaser and, as we heard at the hearing, you could have a situation in which you have a scanner or antenna in a doorway.

If a tag was embedded in a pair of sneakers, the sneakers could provide a link to identify the shoes' owner when she walks through the doorway. So it is the loss of privacy that is the concern with RFID tagging.

Is legislation part of the solution?

"I'm not in general a real big fan of
self-policing. I think it's been fairly ineffective."
I think it's too early to tell. The goal of the hearing was to engage in what I believe will be the first of many policy discussions on RFID. As you undoubtedly know, there are a lot of people who simply aren't aware of what some of these tags do. They may have noticed the tag. It can be sort of a long, metallic-looking thing, but people don't really know what it is.

They don't know what data is transmitted. They don't understand that when someone uses a credit card to buy a particular product, the tag can potentially link that product to the identity of the purchaser. We have a lot to do to educate the public. We need to have a dialog about what is appropriate and how we'll solve the privacy concern before a bill is introduced.

Do you think that the retail industry can police itself on this and do the right thing?
They certainly should be part of the solution, because they know how the technology works and what's possible. And ultimately, whatever decisions get made about privacy issues, the cost will have to be built into the system. I'm not in general a real big fan of self-policing. I think it's been fairly ineffective. Exhibit No. 1 would be spam.

RFID hasn't exactly reached the level of spam in terms of public awareness. Why focus on this now?
The very architecture of the Internet itself enables spam and makes it difficult to track down spammers and close systems to spam. We have an opportunity with RFID tags--because we are very much in the beginning of the broad use of these things--to build systems that will help us solve the privacy and tracking concerns. And that will be far better than if we wait until we have an enormous problem later.

Even if you passed an RFID bill in this state, what good would it do? Many companies planning to use it--Wal-Mart Stores, Gillette, Procter & Gamble--are based in other states.
As a practical matter, California is such an enormous marketplace, with almost 34 million people, that whatever we do here means that retailers, wholesalers and so forth will have to make a decision about whether to make a separate standard for California--if we lead the pack, as we often do--or to simply adopt a particular standard that begins here and use it across the country. That actually happens more than you might think.

Isn't there a danger of restricting the development of this technology at such an early stage and perhaps squashing the potential benefits?
I don't think so. I think that what we want to do is guide development in a way that's positive overall for society. It's not good for anyone to spend lots of money to develop and apply a technology in a way that causes a consumer revolt.

With the rise of new technologies--the Internet, data mining, RFID--how much privacy are we as a society giving up? Where is all this headed from your perspective, and what's at stake?
Well, that's the $64 million question. And what gives people the greatest concern is the notion that our privacy is at stake--that we are losing control over our personal information. That feeling is what I believe drove the passage of Senate Bill 1 in California, which gives people the right to make decisions about who gets access to their financial information.

"I have to say, these technology issues are the most challenging and fun that any legislator could tackle."
When we take that beyond the realm of financial information and start collecting information about geographic whereabouts and so forth, the stakes are magnified and there is a great reason for people to engage in the discussion.

California is totally consumed by the recall election. And yet the high-tech industry has remained virtually silent about it. To what do you attribute high-tech's new political quiescence? Is it specific to the recall, or do you expect more of the same with the presidential election?
I don't imagine that the high-tech industry will be silent on the presidential election. The recall is an interesting thing. California does have a constitutional right for people to conduct a recall. While it's hard to argue that it's grassroots-driven, at this point, people are looking forward to making a choice and having a discussion about policy issues. The state of the California economy will be one of the major issues, and I expect that the tech industry will weigh in on that.

What got you so interested in high-technology?
I'm the daughter of engineers and granddaughter of engineers. If I hadn't been prohibited from taking a drafting class in high school, I might perhaps be an engineer instead of a legislator. So, I'm indulging my streak of geek, I suppose you could say.

You're a fan of sci-fi writers William Gibson and Neal Stephenson. How has that influenced your views as a policy-maker?
Both gentlemen have spent a lot of time thinking about where technology might go and what kind of a society we might see as a result of changes in technology. Their works have been very influential to me, as I start really speaking about what's likely to happen. Over the course of the time that I've worked on technology issues and read Stephenson and Gibson and other such writers, some things I read as science fiction in 1994 are now reality.

Such as?
"Snow Crash," one of Stephenson's first books, dealt with massive computer viruses, and just recently, we've been struggling with computer viruses. I'm told that Air Canada did all of its check-ins manually (during the recent virus attack). There are numerous examples. It just goes into my own personal mental database of what's happening with technology.

I have to say, these technology issues are the most challenging and fun that any legislator could tackle, because they're new. They all involve issues that no one ever thought about before, because the capability to do things like identify every single package of razor blades and know where they go just didn't exist.