In previous articles, we reported on the ever-growing problem of spam (unsolicited, commercial e-mail messages), the efforts being made on the technological, legislative and litigation fronts to reduce the spam problem, and we described the detailed requirements of the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003" ("CAN-SPAM Act" or "Act").1 The CAN-SPAM Act has been in effect for over one year.2 This article provides an update on the CAN-SPAM Act, including final Federal Trade Commission ("FTC") and Federal Communications Commission ("FCC") rules. The intended result of the CAN-SPAM Act is to reduce the amount of spam. It is widely acknowledged, however, that the spam problem cannot be solved by legislation alone, and that technological approaches and the cooperation of other countries will also be necessary.3

No National Do Not E-Mail Registry

Under the Act, the FTC was required to submit a report to Congress setting forth a plan for establishing a nationwide marketing Do-Not-E-Mail registry. In its report last June, the FTC informed Congress that a National Do Not E-Mail Registry would not only fail to reduce the amount of spam currently received by consumers, but might actually increase the amount of spam received. For example, the report indicates that the registry could fall into the hands of spammers who would use it as the ultimate National Do Spam List. In addition, the FTC expressed skepticism that such a registry could be properly enforced. Instead of focusing anti-spam resources on a do not spam list, the FTC said that anti-spam efforts should be concentrated on developing stronger e-mail authentication systems.4

"SEXUALLY EXPLICIT:" Label Required in Subject Line

The Act required that the FTC adopt a rule mandating the inclusion of a mark or notice in spam that contains sexually oriented material. The FTC’s rule, which became effective on May 19, 2004, provides that spam containing sexually oriented material must include the warning "SEXUALLY EXPLICIT:" in all capital letters as the first nineteen (19) characters at the beginning of the subject line.5 The FTC rule also requires that this phrase appear clearly and conspicuously in the portion of the e-mail message that is initially viewable when the message is first opened, without any further actions by the recipient. The subject heading itself, and the portion of the message that is viewable by the recipient upon opening the message and without any further actions by the recipient, must exclude any sexually oriented materials. The sender of such spam must include only certain prescribed information in the portion of the message that is viewable by the recipient upon opening the message and without any further actions by the recipient. For example, when the message is initially viewable, it must include instructions concerning how to opt out of receiving future sexually oriented e-mail messages from the same sender, and any needed instructions on how to access, or activate a mechanism to access, the sexually oriented material, preceded by a clear and conspicuous statement that to avoid viewing the sexually oriented material, the recipient should delete the message without following such instructions.

"Primary Purpose" and "Dual Purpose" Messages

The Act required that, by December 16, 2004, the FTC issue regulations defining the relevant criteria to facilitate the determination of the "primary purpose" of an electronic mail message. Most of the Act’s restrictions apply to "commercial electronic mail messages" or "CEMMs," but not "transactional or relationship messages." Transactional or relationship messages are expressly excluded from the definition of commercial electronic mail messages, and are therefore minimally affected by the Act. Oftentimes, e-mail messages contain both commercial and transactional or relationship content, or commercial content and content that is neither transactional or relationship. These types of e-mail messages are called "dual-purpose" messages.

A "commercial electronic mail message" is any "electronic mail message the primary purpose of which is commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)."6 Basically, a "transactional or relationship message" is an electronic mail message, the primary purpose of which is (1) to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender; (2) to provide warranty, product recall, safety or security information with respect to a product or service used or purchased by the recipient; (3) to provide notification concerning a subscription, membership, account, loan, or comparable ongoing commercial relationship between the sender and the recipient; (4) to provide information directly related to an employment relationship or related benefit plan involving the recipient; or (5) to deliver goods or services, including product updates, that the recipient is entitled to receive under a previously agreed to transaction with the sender.7

On December 16, 2004, the FTC issued its final rule defining the criteria for determining the primary purpose of an electronic mail message.8 The rule provides the following criteria for determining whether the primary purpose of a dual-purpose e-mail message is commercial9:

  • If the e-mail message contains only the commercial advertisement or promotion of a commercial product or service, the primary purpose of the message will be deemed to be commercial;
  • If the e-mail message contains both commercial content and "transactional or relationship" content, the primary purpose of the message will be deemed to be commercial if either: 1) a recipient reasonably interpreting the subject line of the e-mail would likely conclude that the message contains commercial content; or 2) the e-mail’s "transactional or relationship" content does not appear in whole or substantial part at the beginning of the body of the message; and
  • With respect to an e-mail message that contains both commercial content and content that is neither "commercial" nor "transactional or relationship," the primary purpose of the message will be deemed to be commercial if either: 1) a recipient reasonably interpreting the subject line of the message would likely conclude that the message contains commercial content; or 2) a recipient reasonably interpreting the body of the message would likely conclude that the primary purpose of the message is commercial. Factors relevant to this interpretation include the placement of commercial content, in whole or in substantial part, at the beginning of the body of the message; the proportion of the message dedicated to commercial content; and how color, graphics, type size, and style are used to highlight commercial content.

The effective date of the FTC’s primary purpose rule was initially February 18, 2005, but was postponed to March 28, 2005, following a determination that the rule is a "major rule" that requires sixty (60) days for Congressional review before going into effect.10

Unsolicited CEMMs Sent to Wireless Devices are Prohibited by the CAN-SPAM Act; Unsolicited Text Messages are Not

Pursuant to the Act, the FCC, in consultation with the FTC, was required to promulgate rules to protect consumers from receiving unwelcome mobile service commercial messages (i.e., CEMMs that are transmitted to a wireless device used by a subscriber of commercial mobile service).

On September 16, 2004, the FCC adopted new rules which establish that the CAN-SPAM Act prohibits unsolicited commercial messages sent to wireless e-mail devices, excluding unsolicited text messages sent through such means as short message service (SMS) (e.g., from one cell phone to another).11 The FCC decided that the Telephone Consumer Protection Act and the National Do-Not-Call Registry already provide certain protections to cell phone subscribers against receiving unsolicited commercial telemarketing calls. The rules generally became effective on October 18, 2004, with the exception of certain sections pertaining to information collection requirements.12

Rewards for Catching Spammers

The Act required that the FTC submit a report to Congress which sets forth a system for rewarding members of the public who supply information about violations of the Act, including procedures to award not less than 20% of the total civil penalty collected to the first person that identifies the person who violated the Act, and supplies information that leads to the successful collection of a civil penalty by the FTC.

The FTC issued its report on September 16, 2004.13 The report concludes that personal or business associates of spammers are the ones most likely to identify a spammer and supply "high-value" information (evidence that would be admissible in the enforcement action). These so called "potential whistleblowers" might not come forward if the person believed the negative considerations (e.g., possible loss of job and income) exceeded the positive considerations (e.g., possibility of a substantial reward). The report states that "[t]he Commission is unable to establish with any degree of certainty the dollar amount that might be high enough to overcome the[se] countervailing considerations, but believes that reward amounts in the range of $100,000, and in some cases as much as $250,000 are reasonable estimates." The report recommends that the reward be tied to the imposition of a final court order, rather than to the collection of civil penalties.

It will be interesting to see if Congress decides to establish a reward system for snagging spammers and, if it does, whether that system will resemble the one described in the FTC’s report.

Is the CAN-SPAM Act Reducing the Amount of Spam?

It seems that the answer to this question depends upon who you ask. Although there have been many lawsuits and FTC actions against spammers, including major lawsuits brought by Internet Service Providers such as Microsoft, AOL, Yahoo, and Earthlink, there are recent reports of an increase in the amount of spam since the Act went into effect on January 1, 2004. One anti-spam company reported that 77% of all e-mail traffic consisted of spam in 2004, and that 97% of it violated the CAN-SPAM Act. Postini Inc., an e-mail security service provider, announced that "unwanted email has remained virtually unchanged at 88 percent while only 12 percent of all email is legitimate." Postini said that its findings were based on the 14.7 billion messages it processed in January, 2005. On the other hand, AOL reported a substantial decline in unsolicited commercial e-mail in 2004, stating that the 2004 spam on its servers was 75% lower than in 2003. Also, AOL said that the number of spam-related complaints it received dropped down to 2.2 million per day in November 2004, from 11 million per day in November 2003.

The "Zombie" Trick

"Zombie" networks are one of the latest technology tricks used by spammers. As this author understands it, the zombie malicious software (often a virus inadvertently downloaded from a spam e-mail message) takes over a computer. That hijacked computer is used to send spam directly from the e-mail server of the hijacked computer’s Internet Service Provider (instead of sending spam from the hijacked computer itself). Consequently, it appears that the spam is coming directly from a legitimate Internet Service Provider, thereby making it difficult for anti-spam products to detect and block such spam.14 An anti-spam company, MX Logic Inc, found that 69% of spam was sent through zombie networks during a three-week survey it conducted in November and December, 2004.

Spam, Spam Go Away

No one wants spam. For instance, one study found that during 2004, only 14% of spam recipients actually read the spam they received in order to see what the message was about, and only 4% of such recipients actually purchased something that was advertised in the spam they read. At present, the extremely low cost of sending bulk spam results in spammers being able to earn a profit even with extremely low positive response rates. The break-even point has been estimated by some as being as low as 0.0001% of the total number of spam e-mails successfully sent. These statistics have caused some technology and industry representatives to consider charging the equivalent of postage for every outgoing e-mail message or for only those outgoing e-mail messages that are marked as spam by the recipient.

According to a study conducted by the University of Maryland, the time spent in deleting junk e-mail costs U.S. companies nearly $22 billion a year. The University surveyed adult Internet users and found that they received an average of 18.5 spam messages per day, and spent on average 2.8 minutes per day deleting these messages. By some reports, spam accounted for anywhere from 60% to 75% of all global e-mail traffic in 2004, a situation that has forced many businesses to invest significant time and money in sophisticated anti-spam technology.

When it comes to spam, to quote one of the Rolling Stones’ lyrics: "you can’t always get what you want." Unfortunately, it looks like spam is here to stay for the foreseeable future.

Footnotes

1. An Overview of the CAN-SPAM Act of 2003

2. The CAN-SPAM Act, 15 U.S.C. § 7701 et seq., became effective on January 1, 2004, and can be found at http://www.spamlaws.com/federal/108s877.html.

3. In October 2004 the FTC announced its endorsement of the so-called "London Action Plan" on international spam enforcement cooperation, involving government and public agencies from 27 different countries. In February 2005 the FTC announced it had entered into a memorandum of understanding with the Data Protection Agency of the Kingdom of Spain with respect to cross-border anti-spam enforcement cooperation. These and other recent FTC pronouncements signal what appears to be an increase in multi-national anti-spam collaborative law enforcement efforts.

4. See June 2004 FTC Report to Congress, copy available at http://www.ftc.gov/reports/dneregistry/report.pdf.

5. See 16 C.F.R. § 316.4. The FTC counts the colon and the space immediately following the colon as the 18th and 19th required characters for purposes of 16 C.F.R. § 316.4.

6. See 15 U.S.C. § 7702(2)(A).

7. See 15 U.S.C. § 7702(17)(A).

8. See http://www.ftc.gov/opa/2005/01/primarypurp.htm and 70 FR 3109 (January 19, 2005), promulgating new 16 C.F.R. § 316.3 (effective March 28, 2005).

9. In order to survive any First Amendment challenge, the FTC in footnote 1 of 16 C.F.R. § 316.3(a) states that the FTC does not intend for these criteria to treat as a CEMM any e-mail message that is not commercial speech. See, e.g., Central Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n of New York, 447 U.S. 557 (1980) (Court established a test for determining constitutionality of regulating commercial speech that is not misleading and does not involve illegal activity).

10. See 5 U.S.C. § 801 et seq., http://www.ftc.gov/opa/2005/01/primarypurp.htm and 70 FR 3109 (January 19, 2005).

11. See 69 FR 55765 (creating new 47 C.F.R. § 64.3100) and 69 FR 77141 (modifying the effective date for portions of 47 C.F.R. § 64.3100).

12. See http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-05-331A1.doc. The FCC gave Commercial Mobile Radio Service (CMRS) carriers until January 21, 2005 to submit all of their electronic mail domain names for wireless messaging to the FCC for inclusion in the initial wireless domain names database. See 69 FR 77141. The FCC expects to periodically update this listing. "Those members of the public who rely upon the list to identify wireless domain names are urged to check the list monthly."

13. The report is available from the FTC’s web site at http://www.ftc.gov . See also http://www.ftc.gov/opa/2004/09/bounty.htm.

14. Anti-spam products often try to filter spam based on the source of the e-mail message. Every computer on the Internet has a unique identifying number, called an IP address. Once the IP address of a bulk spammer becomes known, that IP address may be added to an anti-spam "black list" so that all future incoming e-mail messages from that IP address will be automatically blocked or filtered. Sophisticated bulk spammers will therefore change their IP addresses often. An annoying converse situation in turn arises, when a known spammer discontinues use of an IP address. That IP address may eventually be "recycled" and assigned to a new legitimate user. The IP address may, however, remain on the "black list" of various anti-spam products, causing non-spam e-mail sent by the new legitimate user of the IP address to be blocked as spam.

Diane Duhaime is a partner at the law firm of Jorden Burt LLP, with offices in Simsbury, Connecticut, where she leads the firm’s technology and intellectual property law practice. Attorney Duhaime is a member and former chair of the Connecticut Bar Association’s Intellectual Property Law Section. The views expressed herein are solely those of the author. This article does not constitute the rendering of legal advice.

This article does not constitute legal or other professional advice or services by JORDEN BURT LLP and/or its attorneys.

JORDEN BURT LLP is a law firm with a unique focus on financial services and a national reputation in high stakes litigation, financial regulation and product counseling.