Monday, 11 October 2004

Massachusetts settles first state CAN-SPAM lawsuit

CNet reports that Massachusetts has settled its lawsuit against DC Enterprises and its principal owner, William Carson of Florida. This was the first suit brought by a state under the CAN-SPAM Act (pdf). According to CNet, the settlement calls for a $25,000 payment and a promise not to violate CAN-SPAM (or Massachusetts' mortgage-broker and advertising laws) in the future.

Contrary to public sentiment, the state does not appear to have requested that the alleged spammer be drawn and quartered.

Posted at 8:01:04 AM
Topics: Spam

Thursday, 6 May 2004

CAN-SPAM Library

New: Gigalaw has launched the CAN-SPAM Library (www.canspamlibrary.com) — a collection of law, articles, studies, commentary, discussion, and links on the CAN-SPAM Act. Well worth reading (and linking). Via GrepLaw.

Posted at 10:07:06 PM
Topics: Cyberlaw, Spam, Technology

Thursday, 29 April 2004

First criminal charges under CAN-SPAM Act

Yesterday, Uncle Fed brought the first group of criminal charges under the CAN-SPAM Act. About time.

The Act makes it a felony to send multiple, commercial, unsolicited email under certain conditions. With most of the spam traversing the Internet, those conditions are easily satisfied. The lengths that some spammers will go to, to hide their identities, are well documented. In this case, one such length was rather funny in a cloak & dagger sort of way. The Washington Post reports that "investigators said, packages were sometimes delivered to a restaurant, where a greeter accepted them and passed them along to one defendant."

I would also like to note that the evidence keeps piling up that I was right when I predicted that it would take a high profile civil judgment or a high profile prison sentence before the CAN-SPAM Act would have any appreciable effect on the level of spam. One defendant, Mark Sadek, was reportedly "shocked" when Uncle Fed showed up at his door to arrest him. "No one's done this before," said Sadek's attorney. This man would obviously not have changed his behavior under the status quo. Arresting him personally is a pretty effective deterrent — but so would be arresting one of his competitors. If the prosecutors win this one, it could be just the remedy I was looking for.

Posted at 8:19:06 PM
Topics: Spam

Friday, 12 March 2004

FTC Chair continues to question do-not-spam registry

The San Jose Mercury News reports that FTC Chair Timothy Muris continues to question the wisdom of a do-not-spam registry. The CAN-SPAM Act requires the FTC to consider implementing such a registry. Yesterday, Muris reiterated the same reasons he cited when he questioned the registry idea before the bill became a law. His argument appears to boil down to a jurisdictional problem: "The problem, he said, is tracking down the spammers. Many are overseas. Many use aliases or conceal their identities by routing e-mail through hacked or unprotected computers." This argument has at least three major flaws.

First, Muris seems to be focusing on one provision of the Act to the exclusion of others. The core protection of the Act is its prohibition on sending unsolicited commercial email to individuals who have requested not to receive it. However, it is an additional violation — with separate civil and criminal penalties — to disguise the origin and routing information in the header of such messages. The Act grants both a substantive right and a right of action in federal court to any ISP adversely affected by such behavior. Therefore, the pool of potential plaintiffs includes all service providers whose computers were "hacked or unprotected" and used to send spam, in addition to the ISPs whose customers received illegal spam. With that many potential plaintiffs, at least one of them will have the will and means to fight the good fight. Indeed, four titans filed a major CAN-SPAM lawsuit earlier this week ("Spam's Tet Offensive").

Second, national borders are not as big a problem as Muris would have us believe. A huge proportion of spam advertises goods and services that are on sale in the U.S. or at least made available for purchase by people within the U.S. These sellers must have either (1) assets located in the U.S. or (2) mechanisms for moving money out of the U.S. Otherwise, they would have no means to sell things to Americans. U.S. authorities can attach those assets or garnish those money flows to enforce a judgment under the CAN-SPAM Act. Internet-based transactions depend on credit cards or other payment clearinghouses that overwhelmingly have physical presences in the U.S. — think Visa, MasterCard, and PayPal. We may not be able to put a citizen of the Cayman Islands in an American jail for violating CAN-SPAM, but we can ensure that he makes no money from those activities.

Finally, the Act goes to some length to apply liability to spam customers and vendors. By "customer," I mean someone who hires the services of a spammer to advertise a product — i.e., someone who buys the advertising space. By "vendors," I mean someone who sells goods or services to a spamming outfit. Both of these bases for liability require notice to the customer or vendor. However, this notice should be easy to serve (to customers, at least), because spam would be useless if it failed to identify the product being sold and how to buy it. Thus, we have even more people on the hook for sending illegal spam. Once one of these people goes to jail or gets socked with a $1 million judgment, I believe the demand for spam will decline precipitously.

Mr. Muris, I encourage you to rethink your position.

Posted at 6:40:50 AM
Topics: Spam

Thursday, 11 March 2004

Spam's Tet Offensive

Yesterday, four major email providers teamed up to file CAN-SPAM lawsuits against alleged spammers: America Online, Microsoft, EarthLink, and Yahoo!. They spread the fun around four different states (California, Washington, Georgia, and Virginia) and three different federal circuits (9th, 11th, and 4th, respectively).

Loyal DTM :<| readers know that this is not the first civil lawsuit filed under the CAN-SPAM Act. However, this does appear to be the first well-funded enforcement action and could produce the statutory maximum civil liability award of $1 million per ISP-plaintiff. These well-connected companies might also hand the feds a criminal case on a silver platter, and the defendants are at risk of incurring serious jail time.

I sound like a broken record when I say this, but it will take a high-profile, high-dollar judgment against a spammer before consumers feel the real effect of the CAN-SPAM Act. Words on a page are nice if you are a librarian, but words on a page do not strike fear into the hearts of businessmen until they cause other businessmen to go to prison.

News coverage: C|Net, San Jose Mercury News, Washington Post, New York Times.

Posted at 10:06:29 PM
Topics: Spam

FTC "primary purpose" spam rule is a chance to revisit Central Hudson

Yesterday the Federal Trade Commission (FTC) announced that it would begin hearing public comments today on a rule that the CAN-SPAM Act requires it to propound — a definition that permits a determination whether an email's "primary purpose" is commercial. (Click here to read the proposed rule and here to submit a comment.)

The statute applies to commercial messages, so someone has to define precisely what commercial means. Naturally, Congress passed that buck to the FTC. The U.S. Supreme Court has grappled with the definition of "commercial speech" since it first recognized the concept in 1976, in Virginia Pharmacy (abstract). I rarely agree with Clarence Thomas, but I find his logic on commercial speech unassailable. There is simply no articulable definition that captures all commerciality without also capturing noncommercial elements. Likewise, there is no articulable definition that avoids capturing noncommercial speech without missing large swaths of the commercial sector. To borrow two terms from another line of constitutional jurisprudence, all definitions of "commercial speech" that have ever been suggested have been overinclusive or underinclusive. How can we justify regulating a class of speech that we cannot even define?

Since 1995, Justice Thomas has consistently railed against the commercial-speech doctrine of Central Hudson. In the last few years, the Court seems to have been moving slowly, reluctantly towards his position in 44 Liquormart, Rubin, and Glickman. Although he lost the Glickman fight, it was a 5-4 decision, and the commercial speech issue was not squarely implicated. With a challenge to the FTC's "primary purpose" rule propounded under CAN-SPAM — no matter what the final rule actually says — there will be no room for the Court to dodge the underlying First Amendment question. One can only hope the case rises that far.

Posted at 9:55:01 PM
Topics: Civil Liberties, Spam

Friday, 5 March 2004

First CAN-SPAM lawsuit

A tiny Bay Area ISP named Hypertouch has filed the first lawsuit under the CAN-SPAM Act. The Washington Post has a sketchy article, stating only that Hypertouch sued BVWebTies LLC (producer of BobVila.com, online home of home improvement guru Bob Vila) and BlueStream Media. Fortunately, Hypertouch has a somewhat more detailed press release and has provided copies of its complaint in many formats (linked from its press release). The suit involves email containing ads for Bob Vila's "Home Again Newsletter."

I have said many times (1, 2, 3, 4, 5, 6, 7) that it will take a reasonable amount of time and a high-profile lawsuit with some big civil penalties or jail time before CAN-SPAM has the desired effect.

Posted at 7:07:43 AM
Topics: Spam

Saturday, 31 January 2004

Confusion in a CAN

Wired Business News reported this week on widespread confusion among spammers as to what, exactly, the CAN-SPAM Act requires of them ("Spam Law Generates Confusion").

Lack of clarity in the law is generally a bad thing, although I will note one exception. Securities regulators have often said that they intentionally decline to clarify what, exactly, constitutes bad faith, unfair dealing, misappropriation of information, and other things forbidden by securities laws. The reason? Financial types are smart and act in the marketplace with blinding speed. The instant after regulators clearly define those concepts, some unethical investor will find a way to do anything he wants by staying just outside the articulated definition.

Is this situation analogous? Probably not. First off, I do not believe the CAN-SPAM Act is as unclear as the folks interviewed for the Wired article think it is. Then again, I am a lawyer, and the article says, "In the rush to understand what Can-Spam requires, many people without legal training fell back on their own readings of the law, said Anne Mitchell, President and CEO of the Institute for Spam and Internet Public Policy, or ISIPP, which hosted the [Spam and the Law Conference]. As a result, she said, confusion about Can-Spam is rampant."

I certainly would not be able to read the statute as well as I can now if I had not gone to law school. However, I can offer a partial solution. The February issue of the Journal of Internet Law should be shipping right about now, and my paper on the Act is in it. I tried hard to explain the law and some of the technology in a way that non-lawyers and non-techies can understand. As promised, I will post the paper here after the JIL hits news stands.

Posted at 9:34:37 AM
Topics: Spam

Thursday, 29 January 2004

FTC proposes adult-content label for spam

Yesterday, the Federal Trade Commission (FTC) made its first proposal for a mandatory label for "adult" spam. (Via C|Net) The CAN-SPAM Act requires the FTC to pass a rule by the end of March establishing such a label for sexually-explicit spam. The FTC is now seeking public comment on its label, and the comment period will end on 17 February. What label did the FTC propose? "SEXUALLY-EXPLICIT-CONTENT:."

At first glance, this character string seems to be long enough and specific enough that the unwary are unlikely to trigger it accidentally and have their (presumably legitimate) email filtered out of recipients' inboxes. However, the law of large numbers guarantees that someone, somewhere, will trigger this by accident.

Furthermore, the Act requires that this label be the first thing the user sees when he opens the email — before he sees any of the labelled content. The purpose, of course, is to protect children from "adult" content. Unfortunately, I can think of few labels that would more quickly attract the attention of every minor I know.

I would prefer a label containing a long string of randomly-generated characters that could never be confused with the email's real content — i.e., a string of a thousand or more characters that might resemble a PGP key. True, this solves only the first problem. It would become familiar to porn-seeking children everywhere soon enough. I doubt there is any way to prevent that.

Posted at 1:33:22 PM
Topics: Spam

Wednesday, 14 January 2004

ISPs & others form "neighborhood watch" for spam

C|Net reports that a group of ISPs and telecommunication companies have banded together to create a "neighborhood watch" program for fighting spam. This is the sort of industry self-help that the CAN-SPAM Act encourages with its liability shield for private mail-handling policies. This partnership seems to go beyond similar efforts that existed in the past. Is this one attributable to CAN-SPAM? Probably not, but the law certainly did not hurt.

Posted at 4:10:02 PM
Topics: Spam, Technology

Friday, 9 January 2004

Treasury breaks privacy policy because it's convenient

The Alcohol and Tobacco Tax & Trade Bureau (an arm of the U.S. Treasury Department) lied to us.

Declan explains on C|NET that in March 2003 TTB solicited comments from the general public on "a proposal that could raise the price of malt beverages like Bacardi Breezer and Smirnoff Ice." The Bureau promised: "For the convenience of the public, we will…post comments received in response to this notice on the TTB Web site. All comments posted on our Web site will show the name of the commenter, but will not show street addresses, telephone numbers, or e-mail addresses." Far be it from us to expect an express promise to be kept. Fortunately (for democratic interests) but unfortunately (for TTB), the agency was overwhelmed with comments.

As news of the proposed regulations circulated around malt beverage aficionados online, word-of-mouth took over and comments started flooding in to nprm@ttb.gov. By October, the Treasury Department had received about 9,900 e-mail messages, plus 4,800 comments sent through the U.S. mail or fax — and decided it could no longer keep its promise.

"The unusually large number of comments received…has made it difficult to remove all street addresses, telephone numbers and e-mail addresses from the comments for posting on our Internet Web site in a timely manner," the Treasury Department said in a follow-up notice, published last month in the Federal Register. "Therefore, to ensure that the public has Internet access to the thousands of comments received…at the earliest practicable time, we will post comments received on that notice on our Web site in full, including any street addresses, telephone numbers, or e-mail addresses contained in the comments."


If a private company pulled a stunt like this and published the addresses of 10,000 people, its executives would go to prison. The government, however, has a long history of treating itself differently. See, for example, Congress' eagerness to spam voters a week after passing the CAN-SPAM Act.

Via beSpacific

Posted at 12:22:15 AM
Topics: Cybercrime, Cyberlaw, Privacy, Spam

Wednesday, 7 January 2004

FBI uses web bug to track extortionist?

Abandoning the incentives not to report cybercrime (see my last blog entry), Best Buy called in the FBI when it received emails threatening to expose security weaknesses in its e-commerce site unless the retail giant forked over $2.5 million. The Bureau worked with Best Buy to snare Thomas E. Ray III, of Mississippi, the would-be scammer. The most interesting feature of this case is in the tools used by the FBI to catch the alleged blackmailer. The Bureau responded to Ray's messages with its own emails laced with something that allowed it to trace the IP address from which he read them.

Unfortunately, the early press reports are unclear as to exactly what that something was. The St. Paul Pioneer Press reports that the investigation "was aided by a computer-tracing technique." The FBI got "permission from the courts to use a specialized e-mail device — called the Internet Protocol Address Verifier — to track down the author." I have no idea what an "Internet Protocol Address Verifier" is, but it sounds an awful lot like a web bug.

Web bugs are tiny pictures embedded in email messages using HTML. When an HTML-enabled mail client opens the message, it renders the HTML — including any image tags. The sender can embed an image tag that will query his own web server for an image file, then examine his server logs to determine from what IP address the query came. For example, I could send an email with HTML tags pointing to images stored on www.danfingerman.com, then record the IP addresses of all requests for that image. After I collect the IP addresses and dates & times the image was accessed, I could take a page from RIAA's playbook and find a way to intimidate ISPs into telling me which individuals were using each IP address at the relevant date and time. Then I would know who read my email, the exact date and time, and I could get more information with some extra effort — like the reader's home address and phone number or the geographic location where he read the message.

Web bugs got the name bug after spammers started using them to verify email addresses. Recording calls to an image stored in a static location on a web server is not very helpful when you send email to millions of addresses and have no good way to link each IP address & time/date combination to a particular email address. (Believe it or not, the DMCA does have limits.) Spammers began to design web server software with dynamic links to a single image measuring 1x1 pixel. The images are tiny so that most people will not notice them (how often do you really view the source code of your email?) and to make them load quickly — before most people could hit the delete key. The relevant HTML tag written into each individual email would include a directory path that included the address to which that message was sent. Then, the web server's log would record the image request with the email address (as a simple text string) as part of the directory path to the image. This made it obvious which email addresses the queries were coming from. "Verified" email addresses are like gold for spammers, and they would use this information to charge higher prices for their services — because they could now guarantee that a higher percentage of their emails were being delivered to addresses where an actual person would see them.
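The per-recipient web bug described above leaves two traces in the message itself: a remote image declared at 0 or 1 pixel, and the recipient's address inside the image URL. The following added example (not code from the original post) is a receiving-side check for both; the sample message and host names are constructed, and matching hex or base64 forms of the address is an assumption that goes beyond the plain-text path the post describes.

```python
"""Flag likely web bugs in an HTML email (added example; sample data is constructed)."""
import base64
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

TINY = re.compile(r"^\s*[01]\s*(px)?\s*$", re.I)  # "0", "1", "1px"
STYLE_DIM = re.compile(r"(?<![-\w])(width|height)\s*:\s*([^;]+)", re.I)

# Constructed message: one inline logo, one ordinary banner, two tracking pixels.
SAMPLE = """\
From: newsletter@sender.example
To: Alice <alice@example.org>
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="cid:logo@sender.example" width="120" height="40">
<img src="http://img.sender.example/banner.png" width="600" height="80">
<img src="http://track.sender.example/open/alice%40example.org/x.gif" width="1" height="1">
<img src="https://track.sender.example/p.gif?u=616c696365406578616d706c652e6f7267" style="width:1px;height:1px">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def declared_size(img):
    """Return (width, height) as declared; inline style overrides attributes."""
    dims = {"width": img.get("width", ""), "height": img.get("height", "")}
    for name, value in STYLE_DIM.findall(img.get("style", "")):
        dims[name.lower()] = value
    return dims["width"], dims["height"]


def address_forms(address):
    """Encodings of an address that a per-recipient image URL might carry."""
    raw = address.strip().lower().encode()
    return {
        "plain": raw.decode(),
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
    }


def find_web_bugs(raw_message):
    """Return [(src, reasons)] for remote images that look like web bugs."""
    msg = message_from_string(raw_message, policy=default)
    recipients = []
    for header_name in ("To", "Cc"):
        for header in msg.get_all(header_name, []):
            recipients += [a.addr_spec for a in header.addresses]
    body = msg.get_body(preferencelist=("html",))
    if body is None:  # no HTML part, so nothing is rendered or fetched
        return []
    collector = ImgCollector()
    collector.feed(body.get_content())

    findings = []
    for img in collector.images:
        src = img.get("src", "").strip()
        remote = urlsplit(src).scheme in ("http", "https") or src.startswith("//")
        if not remote:  # cid: and data: images travel inside the message
            continue
        reasons = []
        width, height = declared_size(img)
        if TINY.match(width) and TINY.match(height):
            reasons.append("tiny")
        decoded = unquote(src)  # turns %40 back into "@"
        for rcpt in recipients:
            for label, form in address_forms(rcpt).items():
                haystack = decoded.lower() if label in ("plain", "hex") else decoded
                if form in haystack:
                    reasons.append("recipient-" + label)
                    break
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE):
        print(", ".join(reasons), "->", src)
```

A mail client that does not fetch remote images until the reader asks for them defeats both variants, because the request that would reach the sender's server log is never made.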

The Pioneer Press article makes the FBI's Internet Protocol Address Verifier sound a bit like a web bug, but it is ambiguous. For example, it calls the verifier "a specialized e-mail device." Furthermore, the St. Paul Star Tribune had this to say ("Feds thwart extortion plot against Best Buy"):

The federal search warrant was obtained the morning of Oct. 24 [2003] and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.

Assistant U.S. Attorney Paul Luehr said the address verifier was one of several investigative tools the government used to track Ray down.

"It was a tool that helped us confirm that other leads were moving in the same direction," said Luehr, who declined to discuss details of the investigation.


Did you see that? The Star Tribune called the verifier "a program." A web bug could never be confused with a "program." The source of my confusion should now be obvious.

If anyone knows what the heck an Internet Protocol Address Verifier really is, please let me know.

Posted at 12:11:01 PM
Topics: Civil Liberties, Cybercrime, Cyberlaw, Spam

Tuesday, 6 January 2004

Spam still flowing

Jonathan Krim of the Washington Post reports that the flow of spam has not decreased since the beginning of the year ("Spam Is Still Flowing Into E-Mail Boxes"). Irresponsible journalism is rare in that paper; this is the only example of it I can recall in several years. Although he does not say so explicitly, Krim's tone throughout the article suggests that the CAN-SPAM Act is a failure. The main unstated assumption, of course, is that five days is sufficient for the Act to reduce spam in a measurable way (the Act became effective on 1 January).

Some reasons why this is irresponsible follow, in no particular order.

Assuming perfect compliance with CAN-SPAM, we should not expect to see any decrease in spam until 10 January. The Act became effective on 1 January and gives spammers a ten-day grace period to remove an address from a mailing list after receiving an opt-out request. Even 10 January is a ludicrously early date to measure CAN-SPAM's success because it assumes that a large number of people submitted opt-out requests on 1 January for spam that was sent on that day. (Spam and opt-out requests sent prior to the Act's effective date are not subject to its requirements.)

Even if it were reasonable to expect the law to have a measurable effect in "Internet time," the evidence that Krim presents in this article could not, even in principle, measure any effect. The "data" comes solely from an informal survey of executives from ISPs and email filtering companies. This is problematic for two reasons. First, anecdotes are not a valid basis for measuring empirical phenomena. Second, these anecdotes come from parties with obvious interests in the effect being measured. ISPs spend lots of money fighting spam and want to eliminate it entirely. Filtering companies sell services to ISPs and consumers. A widespread public perception that spam is a bigger problem than it really is will help ISPs lobby for stricter laws and help filtering companies sell more services. (I am not trying to minimize the spam problem here; I am merely pointing out a probable source of bias in the data presented.)

CAN-SPAM is designed to permit spam to be sent until the receiver opts out or unless the message is deceptive in one of several ways. Therefore, the overall volume of spam (measured at the ISP level, with no knowledge of opt-outs or deceptiveness) bears no relation to the Act's success or failure. Any ISP that claims it can differentiate between misleading spam and non-misleading spam — which several of Krim's interviewees did — has just admitted to reading its customers' email. I wonder whether they first secured permission from those customers?

Laws take time to be enforced properly. After the first case of mad cow disease was uncovered in the U.S., the media widely reported the enforcement problems that both the Clinton and Bush administrations faced with the rules restricting the types of feed that cattle were permitted to consume. Nearly a year after the rules were first implemented in 1997, the compliance rate was estimated at 50%. Five years later, the compliance rate was estimated at 97%. And cattle ranchers are people whom most of us would regard as forthright, upstanding citizens who generally try to comply with the law. Few of us can say the same about spammers — whose livelihood for years has depended on deception and evasiveness. Even if we equate spammers with cattle ranchers, we can look forward to a 50% reduction in illegal spam a year from now — to say nothing of the legal spam that will remain.

I have said many times that we should give CAN-SPAM a reasonable amount of time to work (1, 2, 3, 4, 5, 6, 7). I have said almost as many times that it will probably take one prosecution — either civil or criminal — before the level of spam will drop significantly.

I want spam to stop as much as the next guy. The CAN-SPAM Act is no silver bullet, but it is a reasonable first step. So stop whining and give it a chance to work!

Update: Wednesday, 7 January. Saul Hansell of the New York Times jumps on the bandwagon: "Spam Keeps Coming, but Its Senders Are Wary"

Posted at 12:19:22 AM
Topics: Spam

Tuesday, 30 December 2003

Do spammers fear CAN-SPAM?

Alan Ralsky, Detroit's resident spam lord, told the New York Times that he intends to comply with the CAN-SPAM Act to the best of his ability because he fears a $6 million fine and going to prison. ("An Unrepentant Spammer Vows to Carry On, Within the Law") He says he stopped sending email ads earlier this month, even before President Bush signed the bill into law, to give himself time to bring himself into compliance. Ralsky intends to resume his business in January — legally — once his new systems are complete. He claims that he will identify himself in each email and honor any opt-out requests that he receives.

We should, of course, take Ralsky's self-serving statements with a grain of salt. He sees himself as an honest businessman with an undeserved bad reputation. He expects ISPs to stop filtering his mail after CAN-SPAM takes effect — even though the law does not require them to do so and they have at least as great an incentive as before to continue filtering.

If you are still wondering how out of touch Ralsky is, consider an event that occurred thirteen months ago. In November 2002, Mike Wendland of the Detroit Free Press wrote a profile of Ralsky's $750,000 mansion, dubbed the house that spam built. Two weeks later, Wendland reported that anti-spam activists had used the information in his first column to figure out Ralsky's home address.

"They've signed me up for every advertising campaign and mailing list there is," [Ralsky] told [Wendland]. "These people are out of their minds. They're harassing me."

That they are. Gleefully. Almost 300 anti-Ralsky posts were made on the Slashdot.org Web site, where the plan was hatched after spam haters posted his address, even an aerial view of his neighborhood.

"Several tons of snail mail spam every day might just annoy him as much as his spam annoys me," wrote one of the anti-spammers.

Posted at 6:27:50 PM
Topics: Cybercrime, Spam

Sunday, 28 December 2003

Congressional spam

The New York Times points out, rather amusingly, that most members of Congress were engaged in sending a massive wave of unsolicited email to their constituents this weekend — barely ten days after unanimously approving the CAN-SPAM Act. Article: "We Hate Spam, Congress Says (Except Ours)."

"They are regulating commercial spam, and at the same time they are using the franking privilege to send unsolicited bulk communications which aren't commercial," David Sorkin, a professor at the John Marshall Law School in Chicago, said. "When we are talking about constituents who haven't opted in, it's spam."

Posted at 6:30:55 PM
Topics: Civil Liberties, Cyberlaw, Politics, Spam, Technology

Wednesday, 24 December 2003

Year 2003 in cyberlaw

Doug Isenberg, founder of GigaLaw, summarizes the year 2003 in cyberlaw: "Internet law in 2003 was full of surprises, with Congress passing an antispam bill, the courts blessing pop-up advertising, the music industry losing lawsuits and the Supreme Court finally upholding an Internet law." (Via Inter Alia)

Posted at 8:58:15 PM
Topics: Cyberlaw, Spam, Technology

Thursday, 18 December 2003

MS & NY highlight non-preempted state spam laws

Microsoft and New York State Attorney General Eliot Spitzer are going after spammers — in state courts. The claims they intend to file strike at the misleading nature of email marketing, not the commerciality of the messages. In other words, they are suing under state laws that are not preempted under the CAN-SPAM Act. News coverage: C|Net, New York Times, Seattle Times.

Posted at 9:41:46 AM
Topics: Cyberlaw, Spam

Wednesday, 17 December 2003

CAN-SPAM coauthors respond to criticism

The two coauthors of the CAN-SPAM Act, U.S. Senators Ron Wyden (D-Ore.) and Conrad Burns (R-Mont.), published an essay yesterday in response to criticism of their bill. They state in no uncertain terms what I have been saying all along — that CAN-SPAM is not a silver bullet but that it is a good first step. The money line: "Big-time spammers will inevitably violate the Can-Spam Act because it strikes at the heart of how their sleazy businesses work." (Thanks to GrepLaw for the heads up.)

Also, I did not mention yesterday that President Bush signed the Act.

Posted at 2:00:15 PM
Topics: Cybercrime, Cyberlaw, Politics, Spam, Technology

Webb filters CAN-SPAM

Today, Washington Post columnist Cynthia Webb writes about the CAN-SPAM Act. She nicely summarizes the major criticisms of it, taking excerpts from other journalists. Article: "Un-Canning Spam"

Posted at 9:25:45 AM
Topics: Cybercrime, Spam

Monday, 15 December 2003

Spam rage defendant pleads not guilty

I would not have picked Charles Booher's way of becoming famous, but famous he is. He also pleaded not guilty the other day to charges of making threats. The San Jose Mercury News has coverage.

Posted at 10:47:38 AM
Topics: Civil Liberties, Cybercrime, Cyberlaw, Privacy, Spam, Technology

Friday, 12 December 2003

Virginia launches felony spam prosecutions

Virginia's Attorney General, Jerry Kilgore, announced yesterday that his office has launched two prosecutions on felony charges related to sending spam. One well known spammer, Jeremy Jaynes, a.k.a. Gaven Stubberfield, was arrested in Raleigh, NC, where his alleged coconspirator, Richard Rutowski, negotiated his surrender to authorities. (The New York Times and Washington Post have coverage: NYT "Virginia Indicts 2 Under Antispam Law," WP "Virginia Indicts Two Men On Spam Charges.")

Much ado has been made of the federal CAN-SPAM Act's preemption of state spam laws, so let us compare a few features of the Virginia and federal statutes.

The crime defined under the Virginia law becomes a felony when the spammer sends more than 10,000 illegal messages in a day or 100,000 in a month. CAN-SPAM's bar is set much lower, requiring only 100 and 1,000 messages, respectively, to trigger felony penalties. The maximum prison sentence is 5 years under both laws, assuming that aggravating factors are present. Finally, the Virginia law permits a fine up to $2,500, whereas CAN-SPAM permits fines under Title 18 U.S.C., which can reach many times higher than $2,500.

In addition, the Virginia law requires that spam pass through the state. Unless an email is sent to a Virginia resident, it can be impossible to prove beyond a reasonable doubt that the message passed through the state's borders, unless it was handled and its header stamped by a mail server in that state. Virginia is more the exception than the rule in this area, as the home of America Online (AOL), the world's largest ISP. It is unlikely that any spam would not reach at least one AOL customer. The other 49 states would have a harder time proving this element of the crime. CAN-SPAM, on the other hand, is triggered when spam affects any "protected computer," as defined in 18 U.S.C. 1030(e)(2)(B): "a computer…which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States." That definition includes all computers that connect to the Internet.

Posted at 10:55:40 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/114
Topics: Cybercrime, Spam

Tuesday, 9 December 2003

Response to Anita Ramasastry's criticism of CAN-SPAM

GrepLaw gives a pointer to Anita Ramasastry's FindLaw article criticizing the CAN-SPAM Act. She scores a few points, but she ignores several important provisions that render her conclusions — in my opinion — wrong.

CAN-SPAM's major faults, in Ramasastry's view:

  • Not all spam is prohibited
  • Individual consumers cannot file lawsuits to enforce the Act
  • Many spammers are already located abroad or will soon relocate abroad — beyond the reach of U.S. authorities
  • Many spammers have few assets and are therefore judgment-proof
  • Spammers can ignore the hypothetical do-not-spam registry that the FTC has not yet designed and implemented
  • The hypothetical registry will be challenged under the First Amendment
  • State spam laws are preempted
  • Technological solutions to the spam problem are preferable to a statutory one.

First, on the prohibition of some but not all spam. This criticism seems somewhat disingenuous, since Ramasastry later recognizes that the First Amendment would prevent a prohibition of all advertising via email. Furthermore, she appears to assume that any do-not-spam registry will be struck down under the First Amendment. The do-not-call registry is a good model to look at — precisely because its legal status is currently undergoing judicial review. This litigation will, eventually, clarify the law. Besides, if it is struck down, the obvious workaround is to implement the registry in a new way that deals with the First Amendment problems.

Second, on enforcement by individual consumers. CAN-SPAM expressly provides for enforcement by at least 110 government bodies, plus any ISP "adversely affected" by illegal spam. The public servants will have strong political incentives to file spam lawsuits, and ISPs will have strong economic incentives. Why add hundreds of millions of consumers to this list when their lawsuits will inevitably be less well-funded than the institutional enforcers? With potential damage awards of $6 million for public enforcers and $3 million for private enforcers, those entities will easily be able to recoup their legal costs (even if they are not awarded attorney fees, as provided in the Act).

Third, on the difficulty of enforcing CAN-SPAM against foreign and judgment-proof spammers. The Act's third-party liability provisions will solve much of this problem. The Act attaches liability to (1) any business knowingly promoted via illegal spam and (2) any vendor that provides goods or services to a spamming operation with knowledge that those goods or services will be used to send spam. These provisions give third parties one free bite — before the first potential plaintiff sends a cease & desist letter, putting them on official notice. Much advertising currently distributed via spam promotes products on sale within the U.S. or manufactured or sold by people in the U.S. Once the first such person is prosecuted, the demand for advertising space in spam will decline precipitously. Spam will inevitably decline, as fewer people are willing to pay for it.

Fourth, on the purported shortcomings of the do-not-spam registry. For god's sake, give the thing a chance before you accuse it of failing. As I said above, the FTC can learn from the outcome of the pending do-not-call litigation, and there is an infinite variety of implementations that the do-not-spam registry could take. I proposed one not long ago. Also, the possibility that some spammers will evade it is not a reason not to try. CAN-SPAM's third-party liability provisions do not currently apply to registry violations, presumably because the registry does not exist and the Act only empowers the FTC to consider the idea of the registry. That shortcoming can easily be rectified by an amendment to the statute or FTC rule.

Fifth, on state spam laws. How, exactly, is the fundamental shortcoming of the Westphalian territorial legal system solved by having fifty state laws, no matter how restrictive? What if a spammer in California sent spam only to residents of other states and other countries? No state or country would have jurisdiction. The major complaint in this area that does have some validity is the preemption of California's tough opt-in law with the federal opt-out standard. This is a valid criticism, but it goes to the policy choices that Congress made when it traded opt-in for the possibility of an effective opt-out registry.

Sixth, on technological solutions. You cite Congress's findings on the rapid rise of spam traffic in an era that had no comprehensive spam law. The primary method of dealing with spam has been technological measures. And the volume of spam rose rapidly during that period. One of CAN-SPAM's greatest strengths is that it expressly permits ISPs to implement private mail policies — a provision that should exempt them from tort liability for doing so. It looks somewhat like § 230 of the Telecommunications Act of 1996 in that respect.

Posted at 5:42:09 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/106
Topics: Cybercrime, Cyberlaw, Spam

Congress approves CAN-SPAM

Yesterday the House of Representatives unanimously approved the minor changes made to the CAN-SPAM bill by the Senate two weeks ago. Meanwhile, President Bush has said that he will sign the bill.

See press coverage in the New York Times and at Internet.com.

Posted at 10:48:27 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/104
Topics: Politics, Spam

Sunday, 7 December 2003

Finished writing CAN-SPAM summary & comments

I finished writing my formal summary and commentary on the CAN-SPAM Act for the Journal of Internet Law. I would like to thank everyone who posted and emailed comments over the last two weeks; they all helped me clarify the issues. Several of you asked me to post the paper here. I will do so, as soon as I get "permission" — i.e., confirmation that posting it here will not jeopardize its publication next month. Meanwhile, my preliminary thoughts are still available here.

Posted at 10:22:21 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/97
Topics: Cybercrime, Cyberlaw, Spam

Thursday, 4 December 2003

Mechanics of the CAN-SPAM registry

There have been many questions about how a do-not-spam registry should be implemented. This proposal suggests a funding regime for the registry and the highest-level logical operation of its database. My plan would allow consumers to choose (through market forces) an opt-in system while still adhering to the overall opt-out structure of the CAN-SPAM Act. For that reason, I believe it solves some of the nagging First Amendment problems that come with a government-mandated opt-in system.

If you have not already seen my summary of the CAN-SPAM Act, I suggest you check it out before reading this.

The registry should not necessarily be funded by taxes, because that would require people without email accounts to share the burden of a system that carries no direct benefit for them. ISPs stand to benefit the most (in financial terms, at least), because a successful registry will reduce their bandwidth and other costs substantially. I would hesitate to levy mandatory fees on ISPs because they would look too much like the fees imposed on Bell companies to fund rural telephone lines and the 911 system. I would prefer to leave ISPs as unregulated as possible while still having them share in the cost of the registry. I would not be averse to paying a few dollars to get myself into the registry, but ISPs should not have a free ride while consumers fund the entire thing.

My proposal is to make ISPs intermediaries between the FTC, which would manage the registry, and consumers, who will have ultimate control over the status of their addresses.

First, charge ISPs a monthly fee for having their domains listed in the registry. This fee would be assessed according to the number of email addresses at each domain, and those addresses would be automatically opted out of receiving spam. If a user wants to change that status, he would ask his ISP, which would relay the request to the FTC. An ISP would be charged a small transaction fee for each username it changes from its default status, as an incentive to "guess" what most customers will prefer. Individuals whose ISPs do not list their domains in the registry would have the option of opting out individually, paying the same transaction fee directly to the FTC. This option would be available to anyone in the U.S. with an email address, even those who maintain email addresses at their own personal domains and do not use an email address provided by an ISP.

To keep the size of the database's output manageable, it would need to spit out three separate lists. The first list would contain all the domains listed in the registry. The second list would contain all the individual email addresses that have requested opt-out status. Any email address covered by these two lists would be off-limits to spam. The final list would contain the addresses of ISP customers who have decided to switch away from their ISPs' default opt-out status. Addresses on list #3 are fair game for spam.
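A small model of the registry state, its three output lists and the lookup a sender would run against them, added here as an illustration and not part of the original proposal. The class and function names, the `.example` addresses, the fee rates, and the rule that list #3 takes precedence when lists conflict are all assumptions.

```python
from collections import Counter

def normalize(address):
    """Return (address, domain), lower-cased; assumes case-insensitive matching."""
    address = address.strip().lower()
    local, at, domain = address.rpartition("@")
    if not (local and at and domain):
        raise ValueError(f"not an email address: {address!r}")
    return address, domain

class Registry:
    def __init__(self):
        self.listed_domains = {}        # domain -> address count reported by the ISP
        self.individual_optouts = set() # people whose ISP has not listed its domain
        self.switched_to_optin = set()  # ISP customers who left the default opt-out
        self.transactions = Counter()   # payer -> number of billable status changes

    def list_domain(self, domain, address_count):
        self.listed_domains[domain.lower()] = address_count

    def isp_switch(self, address, receive_spam):
        """An ISP relays a customer's request; each real change is one transaction."""
        address, domain = normalize(address)
        if domain not in self.listed_domains:
            raise KeyError(f"{domain} is not a listed domain")
        before = address in self.switched_to_optin
        if receive_spam:
            self.switched_to_optin.add(address)
        else:
            self.switched_to_optin.discard(address)
        if before != receive_spam:
            self.transactions[domain] += 1

    def individual_opt_out(self, address):
        """Direct registration with the FTC, paid for by the individual."""
        address, domain = normalize(address)
        if domain in self.listed_domains:
            raise ValueError("domain is listed; the request goes through the ISP")
        if address not in self.individual_optouts:
            self.individual_optouts.add(address)
            self.transactions[address] += 1

    def export_lists(self):
        """The three lists described in the post: domains, opt-outs, opt-ins."""
        return (frozenset(self.listed_domains),
                frozenset(self.individual_optouts),
                frozenset(self.switched_to_optin))

    def charges(self, cents_per_address, cents_per_transaction):
        """Monthly bill per payer in cents; both rates are hypothetical inputs."""
        bill = Counter()
        for domain, count in self.listed_domains.items():
            bill[domain] += count * cents_per_address
        for payer, n in self.transactions.items():
            bill[payer] += n * cents_per_transaction
        return dict(bill)

def off_limits(address, lists):
    """True if a sender must not mail this address."""
    domains, optouts, optins = lists
    address, domain = normalize(address)
    if address in optins:   # list #3 checked first (assumed precedence)
        return False
    return address in optouts or domain in domains

def demo_registry():
    """Constructed scenario using reserved .example domains."""
    reg = Registry()
    reg.list_domain("isp.example", 1000)
    reg.isp_switch("bob@isp.example", receive_spam=True)
    reg.individual_opt_out("carol@personal.example")
    return reg
```

An address that appears on none of the lists is simply unregistered; the Act's ordinary per-sender opt-out would still apply to it.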

My plan would require some taxpayer funding for startup costs, although these could be recouped over the first few years by charging slightly higher fees during that time. After that, the monthly fees for listing domains and the per-user transaction fees would cover operational costs. ISPs will inevitably pass some of those costs on to consumers. However, there is harsh competition among ISPs, so the market would quickly allocate those costs efficiently. I believe this is more equitable than a program funded wholly by taxes. The recently-implemented do-not-call registry is funded by taxes because telephone penetration is nearly 100% in this country. However, many fewer people have email accounts than telephones, so full funding by tax dollars seems unfair to me.

The system is national in scope, so it will be large enough that the fees per domain and per user can be small. Only a few indigent people and organizations could legitimately complain about the cost, and these might be exempted from paying fees. To start, the exemptions might be granted to educational institutions, 501(c)(3) organizations, and individuals below the poverty line. I have little experience in this area of social policy, so I would leave it to others to work out those details.

This structure would allow the market to demonstrate once and for all whether the public really favors an opt-in or an opt-out system. Many people have speculated on this question, but the truth is that nobody knows for sure. We may see a surge of subscriber defections away from ISPs that choose to be listed, or we may see a surge of individuals listing their own addresses. The point is that consumers, not the government and not spammers, would finally have direct control over the marketing they receive.

Posted at 1:44:52 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/92
Topics: Politics, Privacy, Spam, Technology

Wednesday, 3 December 2003

Clarifying my position on opt-out

Some feisty discussion has broken out in the comments section of my blog post where I summarized and explained some features of the CAN-SPAM Act. I have been accused of favoring an opt-out system over opt-in. This is probably my fault for overstating my position as a reaction to most people's knee-jerk favoring of opt-in.

I do not favor opt-out in all its manifestations — I just think that most people decide to favor opt-in without considering the issues thoroughly. There are serious free-speech problems with the government mandating a regime that forbids a certain type of speech to be distributed in a certain channel. Those problems are reduced (although not entirely eliminated) by an opt-out regime that provides consumers with an en masse opt-out mechanism like a do-not-spam registry. The problems are further reduced the more fine-tuned the en masse mechanism becomes. The present FTC/FCC do-not-call registry is a blunt instrument, requiring consumers to choose all or nothing.

Someone may yet convince me that opt-in is the way to go; but, until that happens, I choose to err on the side of free expression.

Posted at 10:35:05 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/91
Topics: Civil Liberties, Politics, Privacy, Spam, Technology

Australian spam law

Oz is about to get its own national spam law, and I am curious to know how it differs from the American CAN-SPAM bill, which I have written a lot about in recent days. If anyone can find the text of the Australian bill online, please let me know.

Posted at 9:03:26 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/90
Topics: Politics, Spam, Technology

Saturday, 29 November 2003

More Congressional ineptitude

Yesterday I wrote about one Senator who tried to regulate technologies that he did not understand. Today, I have to rebuke the entire House of Representatives for something far worse.

After reviewing the highlights of the CAN-SPAM Act for my blog last week, I was asked to write a more comprehensive review for the Journal of Internet Law. During my more careful, second reading of the bill, I noticed an inexcusable discrepancy. Early on, the bill defines a "commercial electronic mail message" (its verbose term for spam) as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." § 3(2)(A). A few paragraphs later, the bill states, "It is the sense of Congress that [s]pam has become the method of choice for those who distribute…viruses, worms, and Trojan horses into personal and business computer systems." § 4(c).

This passage shows (1) that the House has no idea what those terms mean or what spam is, and (2) the House has no idea how it defined spam just a few paragraphs earlier!

Posted at 1:19:34 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/81
Topics: Cyberlaw, Spam, Technology

Wednesday, 26 November 2003

Man charged in "spam rage" case

This seems to be a first. Charles Booher of Sunnyvale, California has been arrested and charged with 11 counts for threats he made to a company he blamed for sending him spam and causing web popup ads on his computer. Wired News reports ("Man Arrested Over 'Spam Rage'"):

Booher threatened to send a "package full of Anthrax spores" to the company, to "disable" an employee with a bullet and torture him with a power drill and ice pick; and to hunt down and castrate the employees unless they removed him from their e-mail list, prosecutors said.

This case presents a good opportunity to mention a recurring point about defining classes of speech for legal purposes. I have yet to see a case where this was not problematic, but it is never more so than when the communication of words alone constitutes a crime. Mr. Booher's words (as reported in Wired) clearly threatened physical violence, his intent to make a threat seems clear, and he communicated the threat to the threatened person — satisfying the basic requirements of most threat statutes. Do prosecutors have a slam dunk case? Maybe. But the inquiry only starts there.

It is what Wired failed to report that I find interesting. The article in Saturday's San Jose Mercury News makes Booher look much more sympathetic. (Article: "Spam sends local man into rage") There, we learn that Booher "is a three-time survivor of testicular cancer" and that the overwhelming flood of spam that triggered his emotional outburst was hawking — you guessed it — penile enlargement products. Suddenly, his response is understandable.

Before you send me angry email, note that I do not condone what Booher did. My point here is that it is irresponsible to condemn someone based on a small amount of information. When the condemnation implicates the most basic liberties of any free society, we have to be especially careful. Some of you may remember Jake Baker, the University of Michigan student who wrote a revolting rape/torture/murder fantasy story about a classmate and posted it on alt.sex.stories. Baker was charged with making threats, notwithstanding that he had unambiguously stated that the story was fiction. The subsequent uproar ended with his exoneration of all charges of making threats — a result demanded by the First Amendment. For those unfamiliar with the case, the Electronic Frontier Foundation (EFF) maintains an archive of relevant documents. (If you have a strong stomach, the story is still available online. However, you have been warned: This is pretty sick stuff.)

Posted at 5:32:16 PM | Permalink
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/75
Topics: Civil Liberties, Cybercrime, Privacy, Spam, Technology

Tuesday, 25 November 2003

Spam canned throughout the land?

The House of Representatives approved the CAN-SPAM Act on Friday, by a vote of 392-5. The acronym stands for the not-so-clever moniker, "Controlling the Assault of Non-Solicited Pornography and Marketing Act." The Senate is expected to approve the measure this week, and President Bush has agreed "in principle" to sign the bill.

This bill would have been a reasonable first step to take against spam five years ago, and Congress should be ashamed of itself for dawdling so long. We should be debating the second or third revision of the Act by now. What is done is done, however, so let us explore what the CAN-SPAM act says.

Update, 29 Nov 2003. I have been asked to revise and augment this essay for publication in the Journal of Internet Law. Toward that end, I would appreciate any constructive comments from any reader.

The full text of the bill is available at C|Net. The news agency also gives a bullet-point summary amidst its coverage, and the Institute for Spam & Internet Public Policy (ISIPP) gives a ten-point summary. Finally, C|Net gives this brief summary of the entire bill:

If the measure becomes law, certain forms of spam will be officially legalized. The final bill says spammers may send as many "commercial electronic mail messages" as they like — as long as the messages are obviously advertisements with a valid U.S. postal address or P.O. box and an unsubscribe link at the bottom. Junk e-mail essentially would be treated like junk postal mail, with nonfraudulent e-mail legalized until the recipient chooses to unsubscribe.

First, a few preliminary comments before I get into specific provisions. Spam has been a scourge on the 'net since the early 1990s, when non-academics and non-scientists first logged on in large numbers. The volume of commercial email was low at first but has grown exponentially for years. The result has been frustration for users who drown in the flood of messages, higher costs for service providers who must process all the unwanted email, embarrassment for legitimate businesses whose servers are hijacked by spammers trying to disguise their identities, and the corruption of children whose parents try to shield them from pornography and other sex-based products. The Act does not go as far as many people think it should (which is why Congress's long inaction is so lamentable); but it is, as I said above, a reasonable first step. The House seems to have made a genuine effort not to be heavy-handed with the rights of advertisers. Still, the Act has some sharp teeth for consumers and, if it is properly enforced, has the potential to significantly reduce the burdens caused by spam.

Now, some comments on specific provisions. This is not intended to be a comprehensive analysis of the bill — but rather a few thoughts on the provisions I think are important or interesting.

Update (6pm): Several readers have asked me to insert anchors in my subject headings so they can link to specific pieces of this article. Here they are:

False Header Information

The "false header information" provision is perhaps the easiest part of the bill for non-technologists to grasp, because you can examine the underlying problem even if you do not understand the technology. Spammers often disguise the origin of their advertising to make it more difficult for individuals and ISPs to use automated methods to filter and delete spam. These disguises also induce recipients to open the spam mail and begin reading — by pretending to be legitimate messages (e.g., with a deceptive or misleading subject line). Imagine paper junk mail, delivered by the post office, that comes in an envelope whose return address seems to be from your bank or your doctor. When you open the envelope, you find a flier for hard core pornography.

When spam is disguised as legitimate mail, more people will open the message and read the first few lines before realizing its true nature. This gives the advertiser a better chance of selling his product, be it pornography, generic viagra, or home mortgage services. As more spam is dealt with by human beings (rather than filtered by computers), more advertisements get read, and more products will be sold — even if most people hit the delete key immediately. In paper based "direct mail" ad campaigns, a response rate of one buyer per 100 mailings is generally enough to break even. The cost of sending email is much lower than the cost of sending paper mail, so a response rate of one buyer per 100,000 mailings is likely to earn a profit. The cost of sending email only seems lower to the sender, however, because most of the costs are shifted to the receiver and the receiver's ISP.

Here is how the technology works, in a nutshell. An email's "header" is the addressing and routing information — such as the to, from, and date fields that you see at the top of each message. Most email software hides the bulk of the header from you, unless you take an extra step to have it displayed. This "hidden" information documents where the email originated and the route it took across the Internet to your inbox. Each computer on the Internet has a unique "IP address" consisting of four numbers separated by dots (periods). Each line of the "hidden header" contains the IP address of each computer that touched the email en route and states the action that computer performed. Usually, these intermediary computers simply receive the message and hand it off to another computer that is "closer" to the recipient; after five or six hops, the email arrives at your inbox, and the process stops. Each intermediary computer adds a line to the top of the header, so the very top line always documents your mail server's delivery to you. Each successive line below that will document where each computer got the message from, going all the way back to the original sender. For example, an email I received this morning has these two lines in its header:

  • Received: (from uucp@localhost) by andros.alumniconnections.com [198.212.10.70] (8.11.6+Sun/8.11.6) id hAPEpit20254; Tue, 25 Nov 2003 09:51:44 -0500 (EST)
  • Received: from voyager.bna.com(149.79.136.49) by andros via smap (V2.1) id xma010225; Mon, 24 Nov 03 15:04:27 -0500

The first line is from my mail forwarding service (which sent the message to my ISP after it added this stamp, and my ISP later delivered the message to me). The name of this computer is andros.alumniconnections.com, which resolves to the IP address 198.212.10.70. Before that, the message was handled by a computer named voyager.bna.com (149.79.136.49). This makes sense because the email in question was an Internet law newsletter from BNA, a publisher of print and electronic news, analysis, and reference products. Also note that each header line has a date & time stamp.

Some automated spam filters take advantage of this stamping process by searching the email header for computers that are known to be used for sending spam. The bottom line of the header should be the original sender, and the identities of the biggest spammers are well known, so it should be an easy matter to delete all messages coming from them. Spammers know this, however, so they go to great lengths to forge these headers and route their mail through other people's servers to disguise its true origin. CAN-SPAM's "false header information" provision would make this illegal. The practice is already arguably illegal under a patchwork of existing laws, which could be interpreted to cover this situation. However, there is no substitute for a clear, specific statute directly on point that removes all doubt.
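The header walk described above, as an added example that is not part of the original post: it parses the two Received lines quoted earlier, then shows why a filter should read the chain from the top and stop at the first line not stamped by a server it trusts, since everything below that line could have been written by the sender. The trusted-host set, the blocklist, the forged sample message and all function names are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

# The two Received lines quoted in the post; From/Subject/body are constructed.
PAGE_SAMPLE = """\
Received: (from uucp@localhost) by andros.alumniconnections.com [198.212.10.70] (8.11.6+Sun/8.11.6) id hAPEpit20254; Tue, 25 Nov 2003 09:51:44 -0500 (EST)
Received: from voyager.bna.com(149.79.136.49) by andros via smap (V2.1) id xma010225; Mon, 24 Nov 03 15:04:27 -0500
From: newsletter@example.com
Subject: constructed sample

body
"""

# Constructed message: the bottom line imitates the legitimate hop above but
# was stamped by a host we do not control; only the top line is trustworthy.
FORGED_SAMPLE = """\
Received: from unknown (203.0.113.7) by andros via smap (V2.1) id xma099999; Mon, 24 Nov 03 16:00:00 -0500
Received: from voyager.bna.com(149.79.136.49) by relay.invalid via smap (V2.1) id xma000001; Mon, 24 Nov 03 15:00:00 -0500
From: offers@example.com
Subject: constructed sample

body
"""

TRUSTED = {"andros.alumniconnections.com", "andros"}  # assumption: the reader's own mail hosts
BLOCKLIST = [ip_network("203.0.113.0/24")]             # constructed (documentation range)

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
HOST = r"([^\s()\[\];]+)"
FROM_RE = re.compile(r"\bfrom\s+" + HOST + r"(?:\s*[\[(]" + IP + r"[\])])?")
BY_RE = re.compile(r"\bby\s+" + HOST + r"(?:\s*[\[(]" + IP + r"[\])])?")

def _ip(text):
    try:
        return ip_address(text) if text else None
    except ValueError:
        return None

def parse_received(value):
    """Split one Received line into stamping host, named peer, and timestamp."""
    info, sep, stamp = value.rpartition(";")
    if not sep:
        info, stamp = value, ""
    frm, by = FROM_RE.search(info), BY_RE.search(info)
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        when = None
    return {
        "by_host": by.group(1).lower() if by else None,
        "from_host": frm.group(1).lower() if frm else None,
        "from_ip": _ip(frm.group(2)) if frm else None,
        "when": when,
    }

def claimed_origin(raw):
    """What a naive filter sees: the peer named on the bottom Received line."""
    lines = message_from_string(raw).get_all("Received", [])
    return parse_received(lines[-1])["from_host"] if lines else None

def last_verifiable_hop(raw, trusted_hosts):
    """Walk top-down; keep the lowest trusted hop that records a peer IP."""
    result = None
    for value in message_from_string(raw).get_all("Received", []):
        hop = parse_received(value)
        if hop["by_host"] not in trusted_hosts:
            break  # this line and all below it may be forged
        if hop["from_ip"] is not None:
            result = hop
    return result

def verdict(raw, trusted_hosts, blocklist):
    hop = last_verifiable_hop(raw, trusted_hosts)
    if hop is None:
        return "no-verifiable-origin"
    if any(hop["from_ip"] in net for net in blocklist):
        return "blocked"
    return "accepted"

if __name__ == "__main__":
    for name, raw in (("page sample", PAGE_SAMPLE), ("forged sample", FORGED_SAMPLE)):
        print(name, "| bottom line claims:", claimed_origin(raw),
              "| verdict:", verdict(raw, TRUSTED, BLOCKLIST))
```

For the forged sample, the bottom line claims voyager.bna.com, but the peer address recorded by the trusted server is the one that gets checked against the blocklist.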

Resource Misappropriation

The "resource misappropriation" provision is perhaps the most difficult for non-technologists to understand. Congress borrowed this idea from a line of judicial opinions based on a tort called trespass to chattel. A "chattel" is simply the legal term for an item of personal property — a toaster or a chair, for example. I cannot make toast or sit down when someone else is using my chattels without my permission. That property belongs to me, so the common law allows me to sue the person using it. If I prove my case, I would get money for the damages I suffered from the delay in satisfying my hunger or relaxing my legs, and the court would order the trespasser to stop. The crux of this policy is that a computer is a chattel just like a toaster or a chair. Intuitively, we all understand that if someone else is using my laptop, he is blocking me from using it at the same time.

In the spam context, we must look at the technology on a slightly deeper level than this simplistic first approach allows. The Internet relies on powerful computers called servers, which answer queries from many people at the same time. When I read Yahoo!'s home page, the odds are very high that many other people are reading it at the same time. Yahoo!'s web server can dish out thousands of pages at the same time. However, when the number of readers grows too high, even the most powerful server has trouble keeping up, and users experience delays — or worse, the server "crashes."

A similar phenomenon occurs with mail servers — the computers that process email after it is sent and before it is received. Suppose the average email user sends and receives an average of 20 legitimate messages per day and receives an average of 80 spam messages per day. His Internet Service Provider's (ISP) mail server will spend 80% of its time processing spam and only 20% processing the "real" mail — which is what the user (the ISP's paying customer) wants it to process. Instead of buying the server it wanted to buy, the ISP had to buy one with five times the processing power to accommodate the unwanted extra load. This does not increase the cost of the server linearly (by five times), but it does increase the cost of the server by a measurable amount. Similarly, the ISP has to pay for five times the bandwidth (transmission capacity) that its customers want to use. Even if the ISP filters out spam as a service to its customers, it must still pay for all this extra capacity — to receive each piece of mail, look at the contents of each message, and flag each message for deletion or delivery.

The first case to examine spam from this perspective was CompuServe v. Cyber Promotions, 962 F. Supp. 1015 (S.D. Ohio 1997). CompuServe, an ISP, sued Cyber Promotions (CP) over spam that CP was sending to CompuServe's customers. (CP is no longer in that line of business.) That court built on the analysis written by a California Court of Appeals from a year before in Thrifty-Tel, Inc. v. Bezeneck, 56 Cal. App. 4th 1559, 1567 (1996). The California court had held that "Electronic signals generated and sent by computer have been held to be sufficiently physically tangible to support a trespass cause of action." CompuServe, 962 F. Supp. at 1021. In other words, the electric impulses that computers use to communicate constitute a physical invasion of property when they are sent into a privately-owned system without permission. In Thrifty-Tel, a telephone company had sued the parents of children who engaged in "phreaking" — attempting to crack the company's authorization codes in order to make long distance calls without paying for them. The most famous decision in this line of cases is eBay v. Bidder's Edge, 100 F. Supp. 2d 1058 (2000), which extended the same reasoning to web servers.

Meaningful Unsubscribe Mechanism

Two pieces of the bill — the "working unsubscribe" and "anti-resubscribe" provisions — belong under the same conceptual umbrella, which I call the "meaningful unsubscribe mechanism."

The "working unsubscribe" provision would require each piece of spam to include instructions for the recipient to "opt out" of future advertising. This opt-out mechanism must function for 30 days after the spam is sent, to ensure that recipients have a reasonable opportunity to use it. Otherwise, the spammer could shut it down immediately after clicking send — before most people have received the junk mail.

Some spammers get around states' opt-out laws by removing people from lists when they make opt-out requests, then immediately adding the same person to a new list. This new list has a much higher economic value to the spammer because the addresses on it are "verified" — the spammer knows that each one belongs to and is being actively used by a live person. This formalistic interpretation of many state laws' opt-out requirements is not possible under CAN-SPAM's "anti-resubscribe" provision, which bars the spammer from adding opted-out addresses to other lists.

The "working unsubscribe" provision is the most controversial and troubling provision in the Act. A great controversy surrounds the question of whether spam should be an opt-in or an opt-out enterprise. An opt-in system would forbid unsolicited commercial email by requiring spammers to document that the owner of each email address on a mailing list has requested to be placed on that list. An opt-out system would permit unsolicited commercial email but require spammers to remove an address from their lists when the person who owns it asks to be removed. The CAN-SPAM bill passed by the House came down on the side of opt-out.

The foundation of American law is the U.S. Constitution, and the First Amendment to the Constitution provides that "Congress shall make no law…abridging the freedom of speech, or of the press." Despite this plain language, the Supreme Court has held that not all speech is equal under the First Amendment. While indecent speech (e.g., ordinary pornography) is protected from most government interference, obscene speech and child pornography enjoy no First-Amendment protection whatsoever. (See, for example, Ashcroft v. Free Speech Coalition, 535 U.S. 234, 122 S. Ct. 1389 (2002) for child pornography and Miller v. California, 413 U.S. 15, 24-25 (1973); Smith v. U.S., 431 U.S. 291, 301-02, 309 (1977); and Pope v. Illinois, 481 U.S. 497, 500-01 (1987) for obscenity.) Commercial speech gets an intermediate level of protection. Central Hudson Gas & Electric Corp. v. Public Service Commission of N.Y., 477 U.S. 557, 564-65 (1980).

Since the First Amendment was ratified, it has been axiomatic that "prior restraints" on speech are one of the greatest evils threatening the health of our polity. A prior restraint is a government prohibition on a particular message before the speaker has a chance to communicate it. The freedom of speech and the fundamental liberty of self-expression demand that everyone be given an opportunity to voice his thoughts. Some speech is always socially harmful — such as threats of violence or statements made in the formation of a criminal conspiracy. However, it is simply not possible to articulate in advance a definition of all forms that such harmful speech will take without our definition also encompassing many forms of legitimate speech. Therefore, we only punish speech after it has been uttered, when we can analyze the facts of each case. True, this allows some harms to occur that we might otherwise prevent, but a system of prior restraints would create far more and far greater harms by having a "chilling effect" on socially-necessary speech.

Therefore, everyone must have a reasonable opportunity to stand in a public square, tap passers-by on the shoulder, and say, "Would you like to hear what I have to say?" However, the freedom of speech guarantees a right to speak — not a right to force others to listen. Each listener has the right to say, "No, I find your views offensive, and I do not want to listen to you." Spam may be the 21st century, commercial-speech embodiment of this tap on the shoulder. The mandated opt-out system is the listener's opportunity to decline.

Many people believe that commercial speech should get less protection than it does today. Consumer protection demands it, they argue. How else can we prevent hucksters from selling snake oil through lies and deceit? These arguments do have merit, and I do not mean to dismiss them here; they are just beyond the scope of this blog. However, it would be irresponsible not to note at this point that, in recent years, the Supreme Court has been backing away from the Central Hudson doctrine because it is proving impractical to differentiate commercial speech from other types of speech. In ten years, what is "commercial speech" today may get full constitutional protection.

Harvesting & Random Generation Prohibition

Spammers employ many strategies to collect email addresses for their spam lists. One common strategy is called "harvesting." Spammers write software that trolls the Internet for character strings that appear to be email addresses. The software scans the text of web pages, chat rooms, message boards, and usenet, recording all the email addresses it finds. The CAN-SPAM Act will make this practice illegal. The very next paragraph of the Act prohibits another common strategy, "randomly generating electronic mail addresses by computer." The combination of these two prohibitions will make it much harder for spammers to get a hold of functional email addresses.

Rights of Action

The Act allows states to enforce it by suing spammers on behalf of their citizens, and allows ISPs to sue on their own behalf or on behalf of their subscribers. This is a common-sense compromise between the factions advocating a private right of action (which would permit individuals to sue spammers for themselves) and those advocating federal enforcement (which would permit only the U.S. Attorney General to enforce the Act).

Both extreme positions carry dangers and benefits. With a private right of action, the courts might be clogged with individual or class action suits, and it would take too long to reach large judgments against spammers for the law to be effective. On the other hand, leaving enforcement in the Attorney General's hands exposes the law to the dangers of under-enforcement and political cherry-picking. First, spam may seem minor compared to violent crimes, which rightfully get prosecutors' prime attention. Spam prosecutions might fall by the wayside. Second, the economic and technological damage caused by any two pieces of spam is identical, but does anyone honestly believe that John Ashcroft would approve the prosecution of inkjet toner vendors if there are any pornography vendors still standing? With finite resources, any Attorney General (like any manager) must set priorities for his office, and I would never fault Ashcroft for setting clear guidelines. However, I frequently disagree with the content of his guidelines; and, in this context, his preferences would probably lead to systematic selective enforcement, which would be untenable under the First Amendment — which prohibits the government from treating different speech differently, based on its content or viewpoint. With all fifty states and hundreds of ISPs bringing spam suits, the danger of selective enforcement declines.

Preemption of State Laws

CAN-SPAM expressly "preempts" state laws dealing with spam. The Supremacy Clause of the U.S. Constitution (article 6, § 2) establishes that the Constitution, laws, and treaties of the United States "shall be the supreme law of the land" and that they preempt state laws where they are in conflict (and in certain other situations). California, in particular, has passed several statutes prohibiting spam. California's most recent statute, which will not take effect until January, is far more protective of consumers than CAN-SPAM. All of these laws would be rendered unenforceable by the federal Act.

Do Not Spam Registry

The House considered drafts of the bill that would have required the Federal Trade Commission (FTC) to maintain a "Do Not Spam" registry, similar to the "Do Not Call" registry that it recently established in conjunction with the Federal Communications Commission (FCC). Spammers would have been required to compare the email addresses in this registry to their own mailing lists and remove any addresses that match. In effect, it would have been illegal to send unsolicited commercial email to any address in the registry. However, the House rejected this provision (which would have required the FTC to create the registry) in favor of one that merely requires the FTC to study the issue and permits it to create a registry if it sees fit.

Anyone taking odds on what the FTC will do? Before you answer, consider that the bill fails to allocate a single dollar to fund the registry.

Private Mail Policies

By making certain kinds of email illegal, the Act, by implication, renders all other kinds of email legal. However, some spam that Congress intended to make illegal will always slip through cracks in the law's definitions. (This is a fundamental shortcoming of human language, not necessarily a fault of Congress.) Therefore, the bill expressly permits ISPs to devise and implement their own, private email-handling policies.

Without this provision, ISPs would be vulnerable to lawsuits from spammers if they decide to block this slippery spam on their own. By blocking mail that is technically legal, the ISPs would arguably be liable for such torts as interference with business relations (for blocking legal business communications) and defamation (for falsely labelling messages as "spam"). Much like § 230 of the Telecom Act of 1996 (47 U.S.C. § 230), CAN-SPAM's "private mail policy" provision is designed to protect ISPs from an onslaught of litigation that would render them unable to conduct business. If ISPs cease operating out of fear of litigation, consumers would be unable to access the Internet at all.

Posted at 2:36:16 PM | Permalink
| Comments (11)
Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/74
Topics: Cybercrime, Cyberlaw, Politics, Spam, Technology

Monday, 27 October 2003

Update: Press digs anti-spam ruling

The press is agog with the anti-spam ruling won by California Attorney General Bill Lockyer, which I blogged on yesterday. See representative stories in Wired, San Jose Business Journal, and Computer World.

Posted at 9:12:44 AM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/29
Topics: Cyberlaw, Spam

Sunday, 26 October 2003

California wins anti-spam lawsuit

California Attorney General Bill Lockyer announced on Friday that his office had won the first-ever anti-spam lawsuit in the state. The court ordered defendant PW Marketing (and its owners) to pay "$2 million in civil penalties for violating state laws prohibiting unsolicited commercial email, false advertising and unfair business practices." It also entered an injunction against PW, prohibiting it from doing the following:


  • Sending unsolicited commercial emails.
  • Disguising their identity by sending email that appears to originate from an email address that is neither the actual address nor the address where replies can be received.
  • Sending emails that contain false or misleading information about the country or Internet mail server from where the advertisement is sent.
  • Accessing and using the computers, computer systems or computer networks of other persons or businesses without their permission or in violation of their terms of service.
  • Using false or misleading information to register for an email address, Internet service or Internet domain name.
  • Using, transferring or otherwise making available to other persons email address lists compiled for the purpose of sending spam.
  • For 10 years, owning, managing or holding any economic interest in any company that advertises over the Internet, without first providing written notice to the Attorney General.

Readers should note that California's anti-spam law will not take effect until January 2004 — so this judgment rests wholly on preexisting law.

Posted at 2:29:03 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/28
Topics: Cybercrime, Cyberlaw, Spam

Monday, 13 October 2003

Update on Google's reliability

The Washington Post (and perhaps other mainstream media) has picked up the story of Google's fallibility. This particular article speaks to the problem of result misreporting uncovered by Googlewhackers earlier this month, now being discussed on Slashdot. The most thorough discussion of this problem yet published is Seth Finkelstein's paper, "Google Spam Filtering Gone Bad."

I have discussed this problem in this space before and will continue to monitor it.

Posted at 3:01:14 PM | Permalink

Trackback URL: http://www.danfingerman.com/cgi-bin/mt-tb.cgi/8
Topics: Spam, Technology


