Tuesday, 9 December 2003

Response to Anita Ramasastry's criticism of CAN-SPAM

GrepLaw gives a pointer to Anita Ramasastry's FindLaw article criticizing the CAN-SPAM Act. She scores a few points, but she ignores several important provisions that render her conclusions — in my opinion — wrong.

CAN-SPAM's major faults, in Ramasastry's view:

  • Not all spam is prohibited
  • Individual consumers cannot file lawsuits to enforce the Act
  • Many spammers are already located abroad or will soon relocate abroad — beyond the reach of U.S. authorities
  • Many spammers have few assets and are therefore judgment-proof
  • Spammers can ignore the hypothetical do-not-spam registry that the FTC has not yet designed and implemented
  • The hypothetical registry will be challenged under the First Amendment
  • State spam laws are preempted
  • Technological solutions to the spam problem are preferable to a statutory one.

First, on the prohibition of some but not all spam. This criticism seems somewhat disingenuous, since Ramasastry later recognizes that the First Amendment would prevent a prohibition of all advertising via email. Furthermore, She appears to assume that any do-not-spam registry will be struck down under the First Amendment. The do-not-call registry is a good model to look at — precisely because its legal status is currently undergoing judicial review. This litigation will, eventually, clarify the law. Besides, if it is struck down, the obvious workaround is to implement the registry in a new way, that deals with the First Amendment problems.

Second, on enforcement by individual consumers. CAN-SPAM expressly provides for enforcement by at least 110 government bodies, plus any ISP "adversely affected" by illegal spam. The public servants will have strong political incentives to file spam lawsuits, and ISPs will have strong economic incentives. Why add hundreds of millions of consumers to this list when their lawsuits will inevitably be less well-funded than the institutional enforcers? With potential damage awards of $6 million for public enforcers and $3 million for private enforcers, those entities will easily be able to recoup their legal costs (even if they are not awarded attorney fees, as provided in the Act).

Third, on the difficulty of enforcing CAN-SPAM against foreign and judgment-proof spammers. The Act's third-party liability provisions will solve much of this problem. The Act attaches liability to (1) any business knowingly promoted via illegal spam and (2) any vendor that provides goods or services to a spamming operation with knowledge that those goods or services will be used to send spam. These provisions give third parties one free bite — before the first potential plaintiff sends a cease & desist letter, putting them on official notice. Much advertising currently distributed via spam promotes products on sale within the U.S. or manufactured or sold by people in the U.S. Once the first such person is prosecuted, the demand for advertising space in spam will decline precipitously. Spam will inevitably decline, as fewer people are willing to pay for it.

Fourth, on the purported shortcomings of the do-not-spam registry. For god's sake, give the thing a chance before you accuse it of failing. As I said above, the FTC can learn from the outcome of the pending do-not-call litigation, and there is an infinite variety of implementations that the do-not-spam registry could take. I proposed one not long ago. Also, the possibility that some spammers will evade it is not a reason not to try. CAN-SPAM's third-party liability provisions do not currently apply to registry violations, presumably because the registry does not exist and the Act only empowers the FTC to consider the idea of the registry. That shortcoming can easily be rectified by an amendment to the statute or FTC rule.

Fifth, on state spam laws. How, exactly, is the fundamental shortcoming of the Westphalian territorial legal system solved by having fifty state laws, no matter how restrictive? What if a spammer in California sent spam only to residents of other states and other countries? No state or country would have jurisdiction. The major complaint in this area that does have some validity is the preemption of California's tough opt-in law with the federal opt-out standard. This is a valid criticism, but it goes to the policy choices that Congress made when it traded opt-in for the possibility of an effective opt-out registry.

Sixth, on technological solutions. You cite Congress's findings on the rapid rise of spam traffic in an era that had no comprehensive spam law. The primary method of dealing with spam has been technological measures. And the volume of spam rose rapidly during that period. One of CAN-SPAM's greatest strengths is that it expressly permits ISPs to implement private mail policies — a provision that should exempt them from tort liability for doing so. It looks somewhat like 230 of the Telecommunications Act of 1996 in that respect.

Posted at 5:42:09 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/106
Topics: Cybercrime, Cyberlaw, Spam
Email this entry to:

Your email address:

Message (optional):

Powered by Movable Type