 |
Cybertelecom Federal Internet Law & Policy An Educational Project |
Sending Spammers to the Slammer
|
SPAM: Enforcement: Sending Spammers to the Slammer |
|
|
|
The next big question is who gets to whack the spammers? DOJ and the FTC carry primary federal jurisdiction, although a host of other agencies can also whack spammers, including (and I am not making this up) the Secretary of the Agriculture under the Packers and Stockyards Act (who says Congress doesn’t have a sense of humor). The FCC has specific authority to deal with wireless phone SPAM. The provisions which may be enforced by the FTC may also be enforced by states and privately by ISPs. Individuals suffering the onslaught of generous opportunities have no direct recourse, and any recourse they might have had under state law has been preempted.
Governments
DOJ has authority to whack spammers who hack into computers to send or relay multiple SPAMs or falsifies the header in multiple SPAMs. Congress directs DOJ to “use all existing law enforcement tools to investigate and prosecute” spammers (let’s see, as DOJ, do I go after terrorists or whack spammers? Well Congress directed me to…. With limited enforcement resources and other priorities, it is questionable the degree to which DOJ will be an active prosecutor of spammers). Under DOJ authority, spammers can land in jail for up to 5 years, get hit with some serious fines (note that FTC authority lacks the ability to put spammers in the slammer), and forfeiture of assets. 18 USC s 1037(b).
The Federal Trade Commission, which as a part of its day-to-day duties seeks to protect the consumer, has authority under the act with is crafted more towards the protection of the recipient. Like DOJ, the FTC may take action against a spammer where an individual has received an email from or a hacked computer or relayed through a hacked computer, or where the email has a falsified header (note that the “multiple” requirement imposed on DOJ authority is lacking with FTC authority).
Unlike the DOJ, the FTC has authority to enforce the opt-out requirements, the prohibition against using harvested or dictionary attack email addresses, sexual content restrictions, false subject lines prohibitions, and the required inclusion of specified information. The FTC may also enforce labeling provisions if it elections to implement such restrictions.
The remedies available to the FTC include fines and injunctive relief (cease and desist orders).
Other federal agencies may also prosecute spammers particular to their own individual authority (things such as wire fraud, food and drug law, and customs violations). Additional agencies that have been involved in spam prosecution include the FBI, US Postal Inspection Service, and the SEC.
States may generally enforce those provisions which may be enforced by the FTC (there is a degree of ambiguity between Sec. 7(f)(1) & (2) that state officials should clarify; for some of these provisions the state will have to establish a pattern of behavior). 15 USC 7706(f). The remedies available to state officials include injunctive relief and the greater of actual damages or statutory damages. Statutory damages amount to $250 per piece of SPAM with a ceiling at $2,000,000 per violation. The state can seek treble damages for aggravated violations. States can also recover attorney’s fees. States must serve notice on the FTC prior to implementing an action; the FTC may join the action; and if the Feds already have an action pending, the state is precluded from initiating an action. Actions must be brought in federal court.
The CAN SPAM Act mostly preempts state laws; in particular, it was reported that the CAN SPAM Act was rushed through Congress in order to preempt a tough California SPAM law that was on the verge of being enacted. According to 15 USC s 7707(b)(1):
This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.
Thus the CAN SPAM Act leaves a loop hole where some state SPAM laws are not preempted.
- Gordon v. Virtumundo, 575 F.3d 1040 (9th Cir. 2009). "In Gordon, the Ninth Circuit held that "the express language of § 7707 demonstrated Congress's intent that the CAN-SPAM Act broadly preempt state regulation of commercial e-mail with limited, narrow exception," and further held that "the exception language, read as Congress intended, refers to `traditionally tortious or wrongful conduct.'" Id. at 1061-62. " See also DAVISON DESIGN & DEVELOPMENT INC. v. Riley, (NDCA 2013) (citing Gordon).
- "In Gordon, the plaintiff alleged false e-mails under Washington state law, claiming that those e-mails' headers "fail[ed] to clearly identify Virtumundo as the e-mails' sender and therefore misrepresent or obscure the identity of the sender." Examples of reportedly inaccurate "from lines" in those e-mails included "CriminalJustice@vm-mail.com," "PublicSafetyDegrees@vmadmin.com," and "TradeIn@vm-mail.com." Even so, Gordon held that such claims were "for, at best, `incomplete' or less than comprehensive information" regarding the sender (Virtumundo), as the plaintiff had conceded that the domain names were properly registered to the sender and that a publicly available online database search on WHOIS accurately identified the sender as the domain names' registrant and provided other identifying information. Gordon thus concluded that the plaintiff's "technical allegations regarding the header information find no basis in traditional tort theories and therefore fall beyond the ambit of the exception language in the CAN-SPAM Act's express preemption clause.""
- "Recognizing the same ambiguity, the Fourth Circuit applied the maxim of noscitur a sociis, a canon of statutory construction that "counsels that a word is given more precise content by the neighboring words with which it is associated." United States v. Williams, ___ U.S. ___, 128 S.Ct. 1830, 1839, 170 L.Ed.2d 650 (2008). Reading "falsity" in conjunction with "deception," which connotes a type of tort action based on misrepresentations, we are likewise persuaded that the exception language, read as Congress intended, refers to "traditionally tortious or wrongful conduct." Omega, 469 F.3d at 354. We find further support for this reading in the statutory text, which counsels against any interpretation that preempts laws relating to "acts of fraud." See 15 U.S.C. § 7707(b)(2). Indeed, the Committee explained that while "a State law requiring some or all commercial e-mail to carry specific types of labels, or to follow a certain format or contain specified content, would be preempted[,] . . . a State law prohibiting fraudulent or deceptive headers, subject lines, or content in commercial e-mail would not be preempted." S.Rep. No. 108-102, at 21 (emphasis added); see also 150 Cong. Rec. at E73-01 (recognizing broad preemption, except state laws prohibiting falsification techniques and deception). The Committee's repeated reference to "fraud" and "deception" is telling and confirms that Congress did not intend that states retain unfettered freedom to create liability for immaterial inaccuracies or omissions.
Further scrutiny of congressional intent solidifies our reading of the preemption clause. As discussed supra, the CAN-SPAM Act prohibits only deceptive subject line headings or materially false or materially misleading header information. See 15 U.S.C. § 7704(a); accord 15 U.S.C. § 7701(b)(2) ("[S]enders of commercial electronic mail should not mislead recipients as to the source or content of such mail." (emphasis added)). Significantly, Congress intended this standard to regulate commercial e-mail messaging practices "on a nationwide basis."[21] 15 U.S.C. § 7701(b)(1). It was because the patchwork 1063*1063 of state laws had proven ineffective that Congress sought to implement "one national standard," S.Rep. No. 108-102, at 21, applicable across jurisdictions. The CAN-SPAM Act expresses this goal:
Many states have enacted legislation intended to regulate or reduce unsolicited commercial electronic mail, but these statutes impose different standards and requirements. As a result, they do not appear to have been successful in addressing the problems associated with unsolicited commercial electronic mail, in part because, since an electronic mail address does not specify a geographic location, it can be extremely difficult for law-abiding businesses to know with which of these disparate statutes they are required to comply.15 U.S.C. § 7701(a)(11); see also S.Rep. No. 108-102, at 21-22 ("[I]n contrast to telephone numbers, e-mail addresses do not reveal the State where the holder is located. As a result, a sender of e-mail has no easy way to determine with which State law to comply."). Moreover, a single e-mail could instantaneously implicate the laws of multiple jurisdictions as it journeys through cyberspace, traveling over various facilities before reaching its intended recipient, whose location is often unknown. Therefore, "one state's Internet laws may impose compliance costs on businesses throughout the country." Omega, 469 F.3d at 356 (citing PSINet, Inc. v. Chapman, 362 F.3d 227, 239-41 (4th Cir.2004)). The CAN-SPAM Act was designed to ensure that "legitimate businesses would not have to guess at the meaning of various state laws when their advertising campaigns ventured into cyberspace." Kleffman v. Vonage Holdings Corp., No. 07-2406, 2007 WL 1518650, at *3 (C.D.Cal. May 23, 2007) (concluding that the CAN-SPAM Act preempted California state law claims).
It would be logically incongruous to conclude that Congress endeavored to erect a uniform standard but simultaneously left states and local lawmakers free to manipulate that standard to create more burdensome regulation. We are compelled to adopt a reading of the preemption clause that conforms with the statute's structure as a whole and the stated legislative purpose. See 15 U.S.C. § 7701(b)(1). The CAN-SPAM Act established a national standard, but left the individual states free to extend traditional tort theories such as claims arising from fraud or deception to commercial e-mail communication. To find otherwise would create "an exception to preemption [that] swallow[s] the rule and undermine[s] the regulatory balance that Congress established," Omega, 469 F.3d at 356, and which would once again subject legitimate businesses to inconsistent and possibly incompatible state regulations."
Omega World Travel, Inc. v. Mummagraphics, Inc., 469 F.3d 348, 354 (4th Cir. 2006) (Oklahoma anti-spam law preempted) (holding that the CAN-SPAM Act preempted a defendant's Oklahoma statutory counterclaims "insofar as they applied to immaterial misrepresentations." 469 F.3d 348, 353-57 (4th Cir. 2006))
Silverstein v. Keynetics, Inc., Dist. Court, ND California 2016 Second Amended Complaint dismissed on grounds that it is preempted by federal law; deceptive unauthorized use of linkedin addresses in FROM field was not "material"
Silverstein v. Keynetics Inc., ___ F. Supp. 3d ___, 2016 WL 3479083, at *4 (N.D. Cal. June 27, 2016) Plaintiff's claims were preempted by federal law.
DAVISON DESIGN & DEVELOPMENT INC. v. Riley, Dist. Court, ND California 2013 (state law cause of action preempted where deception was not material)
DAVISON DESIGN & DEVELOPMENT INC. v. Riley, Dist. Court, ND California 2012 Holding that Can Spam Act preempts California state cause of action related to spam email
Balsam v. Trancos, Inc., 203 Cal. App. 4th 1083, 1096, 1102-03 (2012),"found no preemption applicable because the defendant's "deliberate use of randomly chosen, untraceable domain names on the `From' line of the subject e-mails for the stated purpose of concealing its role in sending them does involve deception as to a material matter — the sender's identity — as well as an element of wrongful conduct." (emphasis added). Specifically, it was undisputed that the defendant there had intentionally used only privately registered domain names "to prevent e-mail recipients from being able to identify it as the sender...." "Asis Internet Services v. Member Source Media, LLC, 2010 WL 1610066, at *3 (N.D. Cal. Apr. 20, 2010) "reliance and damages need not be demonstrated to save a lawsuit from preemption."
Asis Internet Services v. Subscriberbase Inc., 2010 WL 1267763 (N.D. Cal. Apr. 2, 2010). "reliance and damages need not be demonstrated to save a lawsuit from preemption."
Hoang v. Reunion, No. C-08-3518 MMC, 2010 WL 1340535, at *6 (N.D. Cal. Mar. 31, 2010). In Hoang, "each plaintiff received an e-mail indicating the sender was an actual person known to such recipient, when, in fact, the e-mails were sent by [the] defendant [advertiser]."
ISPs may generally bring actions for violations of the Can Spam Act.
15 USC 7706(g)(1): A provider of Internet access service adversely affected by a violation of section 7704 (a)(1), (b), or (d) of this title, or a pattern or practice that violates paragraph (2), (3), (4), or (5) of section 7704 (a) of this title, may bring a civil action in any district court of the United States with jurisdiction over the defendant—
(A) to enjoin further violation by the defendant; or
(B) to recover damages in an amount equal to the greater of—
(i) actual monetary loss incurred by the provider of Internet access service as a result of such violation; or
(ii) the amount determined under paragraph (3).
Standing: To take advantage of this generous offer from Uncle Sam, one must be an “Internet access service.” Internet access service is defined as
"a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services."
15 U.S.C. § 7702(11); 47 U.S.C. § 231(e)(4). [Melaleuca]
Gordon, 575 F.3d 1040, 1050 (9th Cir. 2009) (citing 150 Cong. Rec. E72-02) ("[W]e intend that Internet access service providers provide actual Internet access service to customers" - holding that domain name owner, who used GoDaddy's email service and infrastructure, rebranded with his domain name, was not an 'Internet Access Service' under the Act).
ZOOBUH, INC. v. BETTER BROADCASTING, LLC, Dist. Court, D. Utah 2013 (finding email service which has customers in 50 states and 27 countries, and owns, maintains, and configures its own infrastructure and servers is an "internet access service".)
MySpace, Inc. v. The Globe.com, Inc., No. 06-3391, 2007 WL 1686966, at *3 (C.D. Cal. Feb.27, 2007);
Facebook, Inc. v. ConnectU LLC, 489 F.Supp.2d 1087, 1094 (N.D. Cal.2007)
"Adversely Affected": Derived From: ZOOBUH, INC. v. BETTER BROADCASTING, LLC, Dist. Court, D. Utah 2013
The harm suffered by an Internet access service in order to establish standing under the "adversely affected" part of the CAN-SPAM Act "need not be significant in the sense that it is grave or serious, [but] the harm must be of significance to a bona fide IAS [internet access service] provider—something beyond the mere annoyance of spam. . . ." Gordon, 575 F.3d at 1053-54. In most cases, evidence of some combination of operational or technical impairments and related financial costs attributable to unwanted commercial e-mail suffice. See id. at 1054. Such impairments "include, but are not limited to network crashes, higher bandwidth utilization, and increased costs for hardware and software upgrades, network expansion and additional personnel." Id. at 1053 (internal citations omitted). The CAN-SPAM Act does not require that a plaintiff prove that the emails at issue adversely affect the plaintiff, rather, that "[t]he e-mails at issue in a particular case . . . contribute to a larger, collective spam problem." See Gordon, 575 P.3d at 1054.
In Facebook v. Power Ventures, Inc., the Northern District of California provided a very helpful analysis of the "adversely affected" requirement for standing. 844 F. Supp. 2d 1025 (N.D. Cal. 2012). There, the court determined that Facebook's receipt and analysis of approximately 60,000 messages constituted an adverse effect. Id. at 1032. At the time, Facebook's network consisted of 901 million users and Facebook had over 3,000 employees. See Facebook "Talking About It." The harm suffered by Facebook with respect to the emails in question was attributable to Facebook's having to spend time and effort to determine the source of the emails, and taking steps to stop the emails. Power Ventures 844 F. Supp. 2d at 1031-32. In that case, the court held that Facebook did demonstrate an adverse effect, and that such was especially true because there were a documented 60,000 messages, and "the costs of responding to such a volume of spamming cannot be categorized as `negligible.'" Id. at 1032.
In its ordinary course of business, ZooBuh utilizes SpamHaus, Razor, Pyzor and Spamassassin as a first line of defense for SPAM received on its system. Despite its efforts to mitigate the harmful effects of SPAM, ZooBuh has experienced hardware crashes, server spikes, bandwidth spikes, kernel crashes, and customer complaints all as the result of a collective spam problem of which the emails in question were a part. If not for its continuous receipt of SPAM email, ZooBuh could successfully service all of its approximately 35,000 customers through four servers. Instead, ZooBuh has had to double its server capacity, at significant expense, in order to successfully service its customers. Even with eight servers, ZooBuh consistently deals with server spikes and crashes, and the servers are constantly pushed to capacity, which significantly decreases the life span of the servers and is expensive in power consumption. Under these facts, ZooBuh satisfies the "adversely affected" requirement as stated by the Gordon court.
ZooBuh's network consists of approximately 35,000 users, ZooBuh has three employees, and there are 13,453 emails at issue. Accordingly, the subject emails created a proportionately greater burden for ZooBuh than the 60,000 emails received by Facebook's 901 million users and over 3,000 employees. Similar to Facebook, for each email, ZooBuh had to expend man-hours and work to identify the source, examine the transmission information, examine and analyze the header information, take efforts to determine how and why the specific emails were able to circumvent and/or bypass preliminary filtering techniques, and to ultimately attempt to make the emails stop. ZooBuh efforts to deal with the spam cannot be categorized as negligible. See Power Ventures, 844 F. Supp. 2d at 1032. Under these facts, ZooBuh satisfies the "adversely affected" requirement as stated by the Facebook court.
In summary, the harm ZooBuh suffered, and continues to suffer, as the result of its collective SPAM problem is much more significant than the mere annoyance of having to deal with SPAM or the process of dealing with SPAM in the ordinary course of business (i.e., installing a spam filter to flag and discard spam). The harm ZooBuh suffered, and continues to suffer, is manifested in financial expense and burden; lost time; lost profitability; decreases in the life span of ZooBuh's hardware; server and bandwidth spikes; server crashes; and pre-mature hardware replacements. ZooBuh is adversely affected by a collective spam problem, which includes the emails in question, and that the second part of the standing test is satisfied. Therefore, ZooBuh has standing as defined by the CAN-SPAM Act to assert claims as a private party plaintiff.
Damages: The remedies available to an ISP include injunctive relief, and actual damages or statutory damages. 15 U.S.C. § 7706(g)(1)(B) Statutory damages are $100 per piece of SPAM for email with false headers and $25 per piece of SPAM for everything else. The maximum whack is $1,000,000 per violation. Treble (multiple by 3) damages are available for aggravated violations. Networks may also seek attorneys fees. There is not a requirement that the action be filed in federal court. Can Spam Act Sec. 7(g)
Gordon v. Virtumundo, Inc., 575 F.3d 1040, 1048, 1054 (9th Cir. 2009) (type of harm necessary to assert CAN-SPAM Act claims excludes costs incurred by Internet access provider to take reasonable precautions against spam as part of normal operations)
ZOOBUH, INC. v. BETTER BROADCASTING, LLC, Dist. Court, D. Utah 2013 (reviewing different awards of statutory damages)
Facebook. v. Wallace, 2009 WL 3617789 at *2 (citing Columbia Pictures Television, Inc. v. Krypton Broad. of Birmingham, Inc., 259 F.3d 1186, 1194 (9th Cir. 2001)) (It is well established that "[a] plaintiff may elect statutory damages regardless of the adequacy of the evidence offered as to his actual damages and the amount of the defendant's profits . . . and if statutory damages are elected, the court has wide discretion in determining the amount of statutory damages to be awarded, constrained only by the specified maxima and minima.")
Heres a problem: who sent the spam? A spam may say that its from the ACME company, it may have the ACME company's address, and it may have the ACME company's logo. But did ACME send the spam? Was ACME spoofed? Or, perhaps, did someone without authority send the spam? Verifying the originator of the emails can be a challenge for an enforcement action. Kramer v. CASH LINK SYSTEMS, Court of Appeals, 8th Circuit 2013 (affirming no liability for defendant company where defendant's information was available online, spams had been routed through a foreign server, and individual who sent spam was apparently an independent contractor acting without authorization of the defendant company).
US Sentencing Commission Request for Comments
Proposed Sentencing Guidelines for United States Courts [pursuant to Can Spam Act], USSC 3/18/2004
Kramer v. CASH LINK SYSTEMS, Court of Appeals, 8th Circuit 2013 (affirming no liability for defendant company where defendant's information was available online, spams had been routed through a foreign server, and individual who sent spam was apparently an independent contractor acting without authorization of the defendant company).
Gordon v. Virtumundo, Inc., 575 F.3d 1040, 1048, 1054 (9th Cir. 2009) (type of harm necessary to assert CAN-SPAM Act claims excludes costs incurred by Internet access provider to take reasonable precautions against spam as part of normal operations)
Melaleuca v Hansen, CV 07-212-E-EJL-MHW (D OH June 29, 2010) (uploaded by Eric Goldman) (dismissing plaintiff's Can Spam claim for lack of standing; plaintiff is not an Internet Access Service) (Technology & Marketing Law Blog)
MELALEUCA, INC. v. Hansen, Court of Appeals, 9th Circuit 2013 (affirming in part, remanding in part)
US v Cyberheat , CV 05-457-TUC-DCB (DAR Mar 2, 2007) (company may be vicariously liable for acts of affiliate contractor which allegedly violated Can Spam Act).
Phillips v Worldwide Internet Solutions, Inc., (NDCa 2007) (no attorney fees absent "frivolousness, motivation, objective unreasonableness (both in the factual and in the legal components of the case) and the need in particular circumstances to advance considerations of compensation and deterrence.")
US v. Goodin, CR-06xxx (CD Cal 2007)
FTC Halts Illegal Spam Operation; Adult Site Violated CAN-SPAM Act, FTC 5/9/2008
Adult Website Operation Settles FTC Charges Unwitting Consumers Exposed to X Rated Spam, FTC March 4, 2008
Major Online Advertiser Settles FTC Charges. "Free" Gifts Werent Free' Settlement Calls of $650,000 Civil Penalty, FTC Nov 28, 2007
FTC, California Attorney General Seek Halt to Illegal Spam Operation, FTC 4/15/2005
Diet Patch Sellers Settle Can-Spam Charges, FTC 4/1/2005
Adult Web Site Settles FTC Charges, FTC 2/1/2005
Court Stops Spammers from Circulating Unwanted Sexually-Explicit E-mails, FTC 1/11/2005
"To date, the Commission has brought 63 cases in which spam was an integral element of the alleged deceptive or unfair practice." Report to Congress: A CAN SPAM Informant Reward System, p. 10 FTC Sept 2004
FTC settles with pop-up ad 'spammers', NW Fusion 8/9/2004
FTC Announces First Can-Spam Act Cases, FTC 4/30/2004
Law Enforcement Posse Tackles Internet Scammers, Deceptive Spammers, FTC 5/14/03
FTC Asks Court to Block Deceptive Spam Operation, FTC 4/17/03
FTC Press Release, Deceptive Spammers Settle FTC Charges (Oct. 23, 2002);
FTC Press Release, Federal, State, Local Law Enforcers Target Deceptive Spam and Internet Scams (Nov. 7, 2002);
FTC v. BTV Industries et al TRO, FTC 4/24/02
FTC v. ReverseAuction.com, Inc., No. 00-0032 (DDC Jan. 6, 2000) ("settling charges that an online auction site obtained consumers' personal identifying information from a competitor site and then sent deceptive, unsolicited e-mail messages to those consumers seeking their business").
Spam Scam Targets Kids and Their Parents, FTC 4/24/02
FTC Launches Crackdown on Deceptive Junk E-mail, FTC 2/13/02
FTC to Launch Attack on Deceptive Junk E-Mail, FTC 2/8/02
Spammers Settle FTC Charges, FTC 09/01/01`
FTC Unveils "Dirty Dozen Spam Scams" JULY 14, 1998
FTC Press Release, "You've Just Won a Playstation 2!" - or Maybe Not, Says FTC in Complaint Filed Against Internet Spammers (Apr. 24, 2002).