Article by Diane Duhaime and Elizabeth Pasquine

This article was originally printed in the August/September 2003 issue of The Connecticut Lawyer, Volume 14/Number 1.

Does this sound familiar? You open your e-mail and you have 50 messages in your inbox. When you finally get through all of them, it turns out that 40 of the 50 messages were spam (unsolicited, bulk, commercial e-mail messages) from senders you don’t know. Spam messages offer a dizzying array of goods and services, such as printer toner cartridges, credit cards, online diplomas, pornography and get-rich-quick schemes. As you delete spam after spam, you may wonder how all of these spammers find you and why the number of spam messages you receive seems to keep increasing. If it is any consolation, you are not alone. Spam is estimated to have increased by more than 60% in the last year alone. Internet service providers ("ISPs") estimate that 40%-80% of their daily e-mail traffic consists of spam, and several each claim to block more than 2 billion spam messages per day. The cost to U.S. businesses alone in trying to fight spam is estimated at somewhere between $8 billion-$20 billion per year in lost productivity, software and equipment costs, and human resource efforts. Moreover, the Federal Trade Commission ("FTC") reports that nearly two-thirds of all spam is sent with a false return address or a misleading subject line.

In early May 2003, the FTC held a conference to bring together spammers and anti-spammers in an attempt to come up with a solution to the billions of spam messages that flood e-mail inboxes daily. In the end, the over 400 participants, including lawmakers, consumers, lawyers, ISPs, anti-spammers, and spammers, couldn’t even agree on a definition of spam. Some say spam is any unsolicited e-mail sent in bulk. Others claim it must rise to the level of fraudulent and deceptive to qualify as spam. The more widely accepted definition is closer to the former than the latter.

The battle to curtail or permanently shut down spammers is ongoing and includes three main fronts: technological advances, litigation and legislation.

Businesses are constantly developing new technologies to deal with spam. A popular method is the use of e-mail filters to catch and block spam messages, but spammers have almost immediately found ways to fool those filters.

One of the latest anti-spam advances is the "challenge-response" program, which is designed to prevent delivery of an e-mail that the challenge-response program deems suspicious unless and until the sender performs a task easily performed by humans but not by computers. Once the response to the challenge is received, the e-mail is allowed through and the system does not block that sender again. The intention is that high volume spammers will not be able to individually respond to each challenge and their computers will not be able to respond for them.

Microsoft and Yahoo already use challenge-response programs as part of their new e-mail account registration processes. Since instituting its program, Microsoft claims that new e-mail account registrations have dropped by 20%, indicating that the program is working to curtail instances of spammers registering a large number of e-mail accounts. In an interesting twist, Yahoo has introduced a challenge-response program that challenges suspicious outgoing e-mail initiated from a Yahoo e-mail address. Outbound e-mails are challenged if and when the Yahoo e-mail address from which they are initiated exceeds the pre-determined limit set out in the individual user profile. The user profile is based on the number of messages the user normally sends and how long the user has had the e-mail address.

Challenge-response programs, like any other technological advance, are not a perfect solution. Critics contend that the programs will block legitimate senders and wreak havoc with newsletters and list serves. Still, the ISPs who are implementing challenge-response programs believe they are currently the most effective technological method to deal with spam.

On the litigation front, government and businesses are actively filing lawsuits against spammers. The FTC has brought suit against spammers who have lied about their products and/or identities, including 45 new criminal and civil suits filed in early May 2003. Earthlink, Microsoft, Verizon, AOL and Yahoo have each filed lawsuits against alleged spammers.

Earthlink spent over a year tracking down a single defendant, the "Buffalo Spammer," who was arrested in May 2003 on four felony and two misdemeanor charges ranging from forgery to identity theft, and now faces up to seven years in jail for his activities. The Buffalo Spammer is estimated to have sent 825 million unsolicited e-mails using 340 stolen identities, while eluding Earthlink’s investigators for more than a year and process servers for three months. Earthlink won a $16.4 million judgment and a permanent injunction in this case. Earthlink has won other lawsuits against spammers, including a record $25 million settlement, but most ISPs and other interested parties agree that collecting the money awarded in settlements and judgments is the exception, rather than the rule.

On June 17, 2003, Microsoft filed 13 U.S. lawsuits (twelve in Washington state, and one in California) seeking injunctions and damages under a variety of statutory and common law claims. After tracking a multitude of spam messages through 34 countries in an attempt to identify the spammers, many of the suits still had to be filed naming John Doe defendants. The lawsuits focus in particular on fraudulent practices, such as the use of false subject lines, unsolicited pornographic offers, and "spoofing," which involves using false e-mail addresses to make it appear that the spam messages originate from Microsoft’s Hotmail accounts.

In an effort that would bolster the effectiveness of technological advances and litigation, the federal government is considering, and many of the states have already enacted, legislation to provide civil and criminal penalties for spam-related activities.

At least 27 states currently have anti-spam laws of varying strengths. In Connecticut, it is unlawful for any unauthorized person to use a computer or a computer network located in Connecticut with the intent to falsify or forge e-mail transmission or other routing information in connection with transmitting unsolicited bulk electronic mail through or into the computer network of an electronic mail service provider. It is also a computer crime in Connecticut for any person to knowingly distribute or market software that, as its main purpose, facilitates or enables the falsification of electronic mail transmission or routing information. Criminal penalties under Connecticut law for violation of these anti-spam provisions range from a Class B misdemeanor, punishable by up to 6 months in prison and up to $1,000 in fines, to a Class D felony, punishable by 1 to 5 years in prison and up to $5,000 in fines, if the person’s malicious actions cause more than $2,500 in damage to another’s property. With regard to civil remedies, Connecticut law allows individuals and ISPs to sue for recovery of actual damages, or to sue for the lesser of $10 for "each and every" spam e-mail or $25,000 per day, as well as reasonable attorneys’ fees and costs.[1]

Virginia, home of AOL and Verizon, passed the strongest anti-spam law in the country at the end of April 2003. Virginia’s anti-spam statute establishes a class 6 felony, punishable by 1 to 5 years in prison and fines of up to $2,500, if a person violates the misdemeanor portion of the statute, and also either (1) sends unsolicited bulk e-mail ("UBE") in excess of defined amounts during defined time periods (e.g., in excess of 10,000 UBE in any 24-hour period), or (2) generates more than $1,000 in revenue from a single UBE transmission or more than $50,000 in revenue from UBE transmissions to a single electronic mail service provider.[2]

At the federal level, at least seven anti-spam proposals have been introduced in Congress, but none have yet been enacted. On June 19, 2003, the Senate Commerce Committee unanimously passed the first bill out of committee. That bill, called the CAN-SPAM Act, would require valid return e-mail addresses, truthful descriptions of products, and notice of opt-out provisions for all commercial e-mail. It would also penalize businesses that hire spammers to send out advertising; ban use of bulk e-mailing lists from web sites that purport not to sell e-mail lists to third parties; and ban use of software designed to harvest e-mail addresses from web sites or create dictionary attacks of random e-mail addresses. Under the CAN-SPAM Act, the FTC, individual state attorneys general and ISPs could sue on behalf of constituents who received spam, with penalties of up to $1 million in fines and up to a year in prison, but it would not allow class action or individual suits. There is also a provision to preempt state statutes, but that provision would not preclude the states from imposing higher penalties. In the House, the most prominent bill at the moment is the Rid Spam Act bill, which was drafted after meetings with industry groups and corporations. It includes an opt-out of future mailings provision, requires that senders include accurate electronic and physical addresses in their e-mails, bans the harvesting of e-mail addresses, and allows ISPs, but not consumers, to sue spammers.

There are at least three other Senate bills (Stop Pornography and Abusive Marketing (SPAM) Act, Criminal Spam Act, and Ban on Deceptive Unsolicited Bulk Electronic Mail Act) and two other House bills (Reduce Spam Act and Anti-Spam Act of 2003). Some of the more popular provisions of these bills include requiring "ADV" in the subject line of spam messages to indicate "advertising," setting up a national "Do Not E-Mail" registry, and banning false headers, subject lines and return e-mail addresses.

Reaction to the various proposals is mixed. Microsoft, Yahoo, AOL and eBay all support the CAN-SPAM Act. The Direct Marketing Association also supports the CAN-SPAM Act but opposes any proposals for mandatory ADV labeling or a national "Do Not E-Mail" registry. Other critics contend that a national Do-Not-E-Mail registry, similar to the national Do-Not-Call registry, would be vulnerable to hacking and used by the worst of the spammers as the ultimate mailing list. Anti-spam activists have challenged the Rid Spam Act bill because of what they perceive as the heavy influence of industry groups on the provisions of that bill.

The ongoing debates make it clear that no one version of any of these Congressional bills will be the perfect fix. Moreover, any federal law will have to clear the constitutional free speech issue that has defeated so many other well-intentioned bills in the past.

Further, regardless of how strong they may be, state and federal laws have limited to no ability to stop spammers who are operating outside of the United States. Cross-border spam is an increasing problem, and attempts to address it are ongoing. U.S. officials, working with officials from Australia, Canada and Japan, recently sent over 1,000 letters to organizations located in fifty-nine countries to request that those organizations close their open relays.[3]

In addition, the Organization for Economic Cooperation and Development ("OECD") recently issued guidelines to its thirty member countries, including the United States, calling for its members to develop domestic policies that would allow them to cooperate with other countries to combat "fraudulent and deceptive commercial practices." The OECD guidelines acknowledge that the rise of e-commerce and the Internet has highlighted the need for international cooperation to address what previously were mainly domestic issues. The guidelines recommend that member states grant their consumer protection agencies the authority to deal with cross-border fraud and deceptive commercial practices. The FTC has already submitted a proposal, called the International Consumer Protection Enforcement Act, to the House and Senate as part of its reauthorization. If approved, the Act would grant the FTC the authority to issue civil investigative demands, a.k.a. secret subpoenas, for subscriber information from ISPs; access FBI databases; and trade information with foreign law enforcement agencies. The Senate Commerce Committee recently voted the FTC’s proposal out of committee, but U.S. opponents are watching this matter closely because they allege that if granted, the FTC’s proposal would violate existing privacy laws and give the FTC powers broader than those afforded to federal and state law enforcement.

The spam issue is far from resolved, but developments to combat spam are occurring at a rapid pace. The three-front attack of technological advances, litigation and legislative measures at the state, federal and international levels should eventually significantly reduce the spam problem.

Footnotes:
1. See Conn. Gen. Stat. § 53-451 et seq. (1999).
2. See Va. Code Ann. § 18.2-152:2 et seq. (2003).
3. Open relay e-mail servers allow spammers to route spam e-mail messages without facing such obstacles as spam filters. Open relay e-mail servers accept and forward e-mail from anyone, rather than from authorized users only. Spammers typically use them to falsify the sender’s e-mail address in the spam message.

This article does not constitute legal or other professional advice or services by JORDEN BURT LLP and/or its attorneys.