As the Internet has evolved to provide ever more opportunities to separate fools from their money, the number of people trying to do just that has also increasedShow full article

Hide full article

As the Internet has evolved to provide ever more opportunities to separate fools from their money, the number of people trying to do just that has also increased. It was not always this way. Many years ago when I had my first AOL account, I never received a single piece of unwanted email. When I last tried AOL I received over 20 unwanted solicitations every day, even though I never used the account for email.

What happened? Can we go back to those halcyon days of yore? Can we stop the deluge of unsolicited commercial email, also known as "spam?"

"What happened?" is an easy question to answer. More ordinary people began using the Internet. A few brave souls took the risk of using the new medium to hawk their wares and some appeared to become fabulously successful - though that appearance seldom matched the reality. Others wanted to get in on the action and get rich quick. Junk email was born, grew, and proliferated like a runaway cancer.

Can we go back to the halcyon days of yore? No. You can't go home again, you can't put the genie back in the bottle, and you can't stop folks from trying to sell you things you don't want.

Can we stop the deluge? We can do some things to make spam more tolerable. We can report spam, which requires technical know-how and a bit of work every each time you're targeted. We can also look for legislative solutions. Back in NetBITS-005, I pointed out that once we turn to the government to help us deal with the undesirable elements on the Internet, we open the door to (shudder) regulation of the Internet. That is exactly what is happening across the U.S. with spam - it is being regulated by an increasing number of states, and Congress is actively considering enacting federal legislation to address the subject.

<http://db.tidbits.com/article/05032>
<http://db.tidbits.com/article/04474>

We have now entered an era where many believe it is more desirable to have the government tell us what we can and cannot send across the Internet than to deal with the problems caused by unrestricted Internet use.

The Problem -- In 1997 there were no state or federal statutes in the United States that specifically addressed email or Internet advertising. Since that time several states have enacted statutes, and others have established commissions to study the issue and make recommendations to state legislatures. On the federal level, the Federal Trade Commission (FTC) has completed two studies on Internet email and marketing; these studies concluded that a serious problem exists and will increase with Internet use. Congress has considered multiple bills addressing the issue; although none have passed yet, it is likely only a matter of time before Congress presents a bill to the President for signature. The FTC reports are available online; see "Protecting Consumers Online," 21-Dec-99, and "Report to the Federal Trade Commission of the Ad-Hoc Working Group on Unsolicited Commercial Email," 1997.

<http://www.ftc.gov/opa/1999/9912/ fiveyearreport.htm>
<http://www.cdt.org/spam/>

The problem addressed by the FTC, Congress, and the state legislatures is known colloquially as "spam." It is known more formally as "unsolicited commercial email," or UCE. UCE generally takes the form of an advertisement for a service or product that is sent to Internet users just as flyers, coupons, and other solicitations are sent to regular postal customers. To spammers, email offers a way to target thousands or even millions of potential customers at virtually no cost. The spammer needs only a computer and an email account. With those tools, he can prepare a single solicitation and email it to dozens, hundreds, or thousands of people at a time by using a list of email addresses gathered from a variety of public sources, such as Usenet news and links on Web pages.

As personal use of the Internet increased, so did the number of people using email to advertise their products and services. Many users didn't like receiving these solicitations, particularly since a large number offer things such as pornography, sexual aids, and other items that many people find offensive. The recipients then responded with torrents of complaints directed back to the spammers, who rapidly found their own email accounts filling up not with orders, but with complaints and demands to stop sending solicitations. Most spammers therefore began to conceal their own email address, instead including phone numbers or obfuscated links to Web sites where the user could place an order.

UCE is different from postal "junk mail" in one important way: When a seller sends a flyer, he must pay for the paper, printing, envelope, and postage for each item (a real cost, even considering the significant discounts for bulk postal mail). By contrast, when a spammer sends a thousand email solicitations, he pays virtually nothing. The recipients, however, do pay for their Internet accounts based either on time spent online or amount of data transferred. Even users with flat-rate pricing pay for spam: their fees are based on estimates of the resources users will consume, so although spam may not result in direct additional costs to the user, it could cause flat-rate pricing to increase across the board. Either way, the user pays the cost of the UCE. According to 1998 estimates in the report to the FTC (see above), users were paying up to $2.00 per month just for UCE, in addition to the time spent replying to or deleting unwanted messages, or reporting abuses. Internet service providers (ISPs) were dedicating increasing amounts of resources and time addressing customer complaints. In addition, the UCE was taking up disk space on the ISP servers - sometimes to the point of forcing the server to shut down until the UCE was cleared out.

Stamping Out Spam -- Now that we know the problem, what can be done about it? In the next part of this article, we'll look at the myriad solutions proposed at the state and federal levels, and why government intervention may not be a panacea for the spam problem.

Hide full article

Dragon speech recognition software for Macintosh, iPhone, and iPad!
Get the all-new Dragon Dictate for Mac from Nuance Communications
and experience Simply Smarter Speech Recognition.
Learn more about Dragon Dictate: <http://nuance.com/dragon/mac>

TidBITS has published a variety of articles about how to deal with unsolicited commercial email (UCE), more commonly referred to as "spam" (see "Responding to Spam" in TidBITS-442)Show full article

Hide full article

TidBITS has published a variety of articles about how to deal with unsolicited commercial email (UCE), more commonly referred to as "spam" (see "Responding to Spam" in TidBITS-442). As the problem has increased with the widespread popularity of the Internet, lawmakers have begun to pay serious attention to the bulk email that's flooding their constituents' mailboxes. In the first part of this article, I covered the legal definitions of spam and some of the studies done by governmental bodies into the severity of spam. In this installment, I'll talk about how various governments propose to handle this growing problem.

<http://db.tidbits.com/article/05032>
<http://db.tidbits.com/article/05907>

Response by Congress and the States -- Email solicitation has much in common with other forms of commercial bulk marketing such as junk mail and broadcast advertising. Advertising speech is protected by the First Amendment and an outright ban on any type of advertising, including bulk mail solicitations, would be unconstitutional. But commercial speech can be regulated to a greater degree than private speech.

Based on two Federal Trade Commission reports (see the first part of this article), as well as the increasing number of consumer complaints, Congress and several states began considering legislative solutions to the problem. Congress has not yet passed any legislation, but 20 states have considered the issue and 15 have enacted laws on the subject. Others are actively considering legislation to address the problem.

<http://www.ftc.gov/opa/1999/9912/ fiveyearreport.htm>
<http://www.cdt.org/spam/>

The state and federal statutes - both proposed and enacted - contain many similar provisions. A business that wishes to advertise on the Internet can generally avoid violating the statutes by complying with certain rules such as:

• Include valid headers and particularly include a return address such that the recipient of an email solicitation can reply to a valid email address that is monitored to ensure that it does not become full and begin bouncing email.

• Include instructions in the body of the message providing an email address, a toll-free telephone number, or both, so a recipient can ask to be removed from the mailing list.

• Maintain an "opt out" list of persons who have asked not to receive email solicitations and ensure they are removed from the mailing list. (Statutes are unclear on the sender's responsibility regarding future iterations of the email list.)

• Use accurate and informative subject lines on all solicitations. Any solicitation for adult material should be clearly identified in the subject line with the initial characters being "ADV:ADLT." All other solicitations should begin with "ADV:"

State of the States --Responding to increasing consumer complaints about a variety of scams, a proliferation of unwanted pornographic solicitations, and other abuses, some state legislatures began considering how to regulate Internet email marketing in a manner that would both protect the consumer and allow legitimate businesses to advertise their products. The resulting proposed and enacted statutes are chaotic; although many provide criminal penalties, most create a private right of action for damages, and several empower the state's Attorney General to pursue a civil action for damages and injunction.

<http://www.spamlaws.com/state/>

Email legislation at both the state and federal levels also shares significant similarities. Although each state has adopted a slightly different definition of spam, there are enough factors in common to present a pattern. Of the 15 states that have passed laws on spam so far, 8 have made violating one or more of the following prohibitions a criminal offense that will subject an individual or corporation to fines and possible incarceration:

• False or misleading routing or transmission information in the headers.
• Misleading or deceptive subject line.
• Use of a third party domain without permission.
• Offering to sell software primarily intended for these purposes.

Other provisions contained in state laws that may create civil liability on an individual or corporation include:

• No means of opting out or getting off of a mailing list.
• Continuing to send email after receipt of an opt out request.
• Violation of primary ISP policies.
• Failing to label UCE as "ADV:" in the subject line.

Ten of the 15 states permit individuals to sue a spammer for violation in addition to other criminal or civil penalties the state may impose. In most of theses states, recipients of spam that violates the prohibitions noted above can sue the sender for statutory damages that range from $10 per item in Delaware and other states to $500 per item in Washington state. In addition, a provider of interactive computer services (like an ISP) may sue for higher damages. In Washington state, the amount is $1,000 per item. To illustrate the significance of these provisions, in one pending case in Washington state, an ISP that received 5,800 UCEs is suing a corporation for violations of the state anti-spam law. At $1,000 each, the sender's exposure is $5,800,000.

Most of the state statutes provide that anyone sending email solicitations to residents of their state are subject to the jurisdiction of the state courts. This is a form of law known as a long-arm statute. Anyone who tries to sell a product in a state - even if they are doing so from out of state via catalog or email solicitations - has the protection of the state laws if a buyer refuses to pay, for example, and also has the responsibility to obey state laws such as the consumer protection and anti-spam statutes. Thus, a recipient of UCE may file suit in the courts of his own state. A spammer who sends to recipients in multiple states and violates the law in one or more may find himself responding to multiple suits filed in several different state courts.

An interesting provision contained in four of the state statutes is that the sender of UCE must honor the policies of the ISP they use. For example, if a person were to use AOL to send email across the Internet, and the email violated AOL's written and posted policies, that sender's violation of the AOL policies would also be a violation of law in California, Iowa, Louisiana and North Carolina.

California and Tennessee have passed laws that require all UCE to be labelled as an advertisement. The subject line of email offering goods or services for sale must begin with the letters "ADV:". In California, if the solicitation is for material that can legally be viewed or possessed only by a person over 18, the subject line must begin with the letters "ADV:ADLT."

Under the long-arm provisions that grant jurisdiction over non-compliant UCE sent to state residents, it is possible that a spammer in any state who sends a solicitation to a California resident but omits the "ADV:" label may become subject to penalties in California. At the current time the courts have not shed any light on this jurisdictional question - the issue involves not only long-arm jurisdiction, but also something called "conflict of laws," where an action may fall within the statutes of more than one state. In such cases, the court is required to determine which state law to apply to the case. Conflicts analysis can become very complex.

The states that have enacted anti-spam statutes of one type or another are California, Connecticut, Delaware, Iowa, Illinois, Louisiana, Maryland, North Carolina, Nevada, Oklahoma, Rhode Island, Tennessee, Virginia, Washington State, and West Virginia.

Maine has enacted a statute establishing a commission to study the problem and make recommendations to the legislature for appropriate legislation.

Possible Federal Statutes -- A wide variety of bills addressing email solicitation have been proposed in the House and Senate since 1997. While none have received the concurrence of both houses (and thus none have been presented to the President for signature) it is instructive to examine the types of concerns Congress is attempting to address for two reasons. First, it is highly likely that Congress will pass a bill on this issue, and second, two of the fifteen states that have anti-spam laws have specifically included a provision that says their law will expire if a federal statute is passed.

The federal legislation proposed to date does not contain the more stringent provisions of the state laws. In general, the federal bills do not criminalize violations and nearly all of them permit email solicitation in some form so long as the user has a meaningful way to opt out of the mailing list. Only one proposed federal statute has included a provision that UCE be labelled in the subject line, and only one has contained a provision requiring that senders of UCE honor an ISP's policies.

The most recent submission to Congress is the Unsolicited Electronic Mail Act of 2000. If enacted, the statute would make it illegal for spammers to violate the usage policies of an ISP, would require use of valid return or Reply-to addresses and that spammers maintain and honor an opt-out list. It also requires that email solicitations be clearly marked in some standardized way, to be determined by the FTC. That bill was recently amended in committee in March, and must be introduced to the floor of the House of Representatives, then to the Senate if it passes the House. At either stage it can be sent back to committee for further revision. If it finally passes both the House and the Senate, it will be presented to the President for signature.

<http://www.spamlaws.com/federal/hr3113.html>
<http://www.spamlaws.com/federal/ summary.html#hr3113>

At the present time, it is uncertain just what effect a future federal statute would have on existing state legislation. There is some precedent in the so-called junk fax legislation however. The federal Telephone Consumer Protection Act prohibits unsolicited faxes being sent to consumers and imposes a penalty of $500 per fax sent in violation of the statute. Washington and other states have a similar statute providing a nearly identical remedy for unsolicited faxes. It is quite likely that state and federal statutes regarding UCE will coexist in the same way that the anti-fax statutes have.

Unsolved Mysteries -- For the most part, none of the statutes addresses a key issue in the spam wars: most spammers don't want to be found. They conceal their identities and return addresses for a reason. They know that it is just as easy for their victims to send them opt-out email as it is for them to send the spam in the first place. If the spammers let the victims actually have a say, the spammers will be inundated with opt-out requests and will have to do an honest day's work trying to keep their mailing lists clear of those who have opted out.

[This paragraph is currently unavailable.]

Obviously, hiring attorneys and private investigators can be expensive. Washington state's law also provides that the state's Attorney General can bring an action against a spammer. The Attorney General's office has greater resources than the average individual to locate spammers. But the Attorney General's office is inundated with spam complaints and is being selective about the cases they bring. That leaves unsolved the problem of how to deal with scofflaw spammers who will simply ignore federal and state law, falsify their return address and routing headers, and continue spamming.

Another problem is that of the international spammer. A person who sends spam from another country is not subject to the jurisdiction of U.S. courts unless the U.S. and that country have a treaty giving jurisdiction. Enterprises in the Bahamas and other nations without strong regulation of unfair business practices and without jurisdictional treaties with the U.S. have already been the source of problems with offshore Internet gambling sites. As the legal environment for spammers becomes less friendly in the United States, U.S. residents can expect to see more and more spam coming from outside national borders.

The issue has only begun to be discussed internationally. No other nation has the volume of Internet traffic that the U.S. does, and not all cultures encourage unrestricted capitalism as strongly the U.S. does. So it may be some time before a meaningful international solution develops.

Summing Up -- In the United States, Internet accounts are becoming pervasive. Advertisers prominently display Web URLs, more and more media provide some content on the Web, and small businesses are putting up Web sites in potentially vain attempts to compete with the big boys. Individuals and business without Internet access are beginning to feel as out of touch as those without telephones.

With the commercialization of the Internet come the abuses, the hard sells, the unwanted solicitations. And with those abuses come complaints, followed closely by government regulation. That regulation is currently in fast-paced flux with states enacting a sometimes confusing welter of overlapping laws, and the federal government considering whether and how to enact federal regulation of commercial speech on the Internet.

In most respects, regulation of abuses like spam are important, necessary and generally well received. But there is another, more insidious consideration. The more we ask the government to intervene in the Internet, the more regulations we will receive. Not all of those regulations will be to our liking, and some very well may be the exact opposite of what we as consumers would like to see. We would all do well to bear in mind the warning of the sages: Be careful what you wish for.

Hide full article

MacTech Conference, for IT Pros and Apple developers, is Nov 3-5,
in Los Angeles. The 3-day event is packed with sessions & evening
activities. Learn from the best. Meet and spend time with peers.
TidBITS readers save $50 at <http://macte.ch/conf_tidbits>!

After my recent two-part article on spam laws (see "Email Spam: The Bandwagon Plays On" beginning in TidBITS-528), many readers wrote privately and to TidBITS Talk with requests for practical informationShow full article

Hide full article

After my recent two-part article on spam laws (see "Email Spam: The Bandwagon Plays On" beginning in TidBITS-528), many readers wrote privately and to TidBITS Talk with requests for practical information. The survey of how United States law is addressing the problem was all very interesting, they wrote, but what can ordinary Internet users actually do about spam without having to sue someone?

<http://db.tidbits.com/series/1169>

I often find myself telling clients that litigation is usually one of the worst ways to resolve a dispute. It is often slow and tedious, costly both in terms of money and time, follows arcane rules (some of which date back to "I Claudius!") and is inherently risky in the end. If there is any other alternative, using it is often the best course of action.

On the individual spam-fighting level, you can create filters in Eudora, Outlook Express, and other email clients that will catch the more obvious spam. If you're not inclined to do that, services such as Brightmail can do it for you. If you want to take a more active role, you can sign petitions, write your elected representatives, and, of course, boycott companies with inconsistent or nonexistent spam policies.

I have compiled a short list of Web sites that offer those things and more. Many of these were recommended by those who wrote in (thank you!), while others are sites I've found and use myself. There are many more sites than those I mention below. If you run across others that you think are particularly noteworthy, please send a note to TidBITS Talk introducing the resource.

<http://www.tidbits.com/about/tidbits-talk.html>

I should add that I am not specifically endorsing any of these sites, and the fact that I may not include a particular site does not mean I think it's no good; I probably just don't know about it. For the benefit of TidBITS readers, I will keep this list posted on the Web and will occasionally update it based on what I find and what I see mentioned on TidBITS Talk, so please do write in with new sites and with any good or bad experiences you may have with the posted sites.

<http://www.fremontlaw.com/antispam/ antispamsites.html>

Server Filtering Services -- These anti-spam tools provide an email account with server-based filtering so you don't have to create all the filters yourself in your email program. Even better, they filter out spam before it ever reaches you so you don't waste time or disk space downloading the junk.

Brightmail acts as a mail proxy server for your email and filters suspected spam for you. To use Brightmail, you have to set up a free account and modify your email client program settings to get mail through the Brightmail server. Brightmail does not simply trash suspected spam, but saves it at its site where you can view the messages and decide which to keep and which to delete. Their FAQs list more information, including topics for individuals, corporations, and ISPs.

<http://www.brightmail.com/>
<http://www.brightmail.com/support/faq/>

For a fee, SpamCop offers a service similar to Brightmail where SpamCop acts as a proxy server for your email account and filters out spam before it reaches you. They hold the filtered mail for up to a week so that the user can review it.

<http://www.spamcop.net/>

The Spam Bouncer requires a Unix shell account, procmail, and the savvy to use both of them. The Spam Bouncer is essentially a series of procmail filters that allow you to block or flag spam as it's received.

<http://www.spambouncer.com/>

Tracking Down Spammers -- This next group of sites provide information on tracking down spammers so they can be reported to ISPs and, if necessary, to law enforcement. Keeping track of spammers is important for another reason: the more data users can provide to lawmakers, the greater the chance of realistic laws will be implemented and enforced. Also see Geoff Duncan's TidBITS article, "Responding to Spam," in TidBITS-442.

<http://db.tidbits.com/article/05032>

Get That Spammer provides information and tools for tracking down spammers. The Tools link provides an array of Web-based tools to help track down systems abused by spammers - although you have to understand a bit about how email and DNS operate to use the tools effectively. The Information link lists the latest legal developments and articles discussing policy and practical approaches to stopping spam. The site also provides instructions to ISPs about crafting better acceptable use policies, advice to users on how to file complaints (complete with a sample complaint letter), and much more information, tips, and tools for dealing with spammers.

<http://kryten.eng.monash.edu.au/gspam.html>

The free SpamCop service allows its registered users to send received spam to SpamCop, which will then generate complaint messages to the appropriate ISP administrators and others.

<http://www.spamcop.net/>

Spam Education -- These educational sites provide information about spam, additional suggestions on how to deal with it, and often links to other anti-spam sites. They also list contact information for reporting spammers, and for encouraging lawmakers to enact appropriate legislation.

F.R.E.E. is the Forum for Responsible and Ethical Email. F.R.E.E. provides a spam primer that educates users about why spam is such a bad thing, and also provides information on reading email headers, building filters to block spam, crafting complaints, and much more.

<http://www.spamfree.org/>

Spam.abuse.net is an informational site that not only describes the damage done by spammers, but also provides a list of non-spamming, spam.abuse.net-endorsed marketing companies and sites.

<http://spam.abuse.net/>

The Mail Abuse Prevention System's Anti-DMA info page provides information about the Direct Marketing Association's efforts to protect spam and spammers.

<http://maps.vix.com/rbl/anti-dma.htm>

Spam Law in the United States -- The following sites offer information specific to legal efforts to curb unsolicited email in the U.S.

CAUCE, the Coalition Against Unsolicited Commercial Email, is a well-known anti-spam group providing information on current anti-spam efforts, legislative updates and discussion, and other advice on how to combat spam. CAUCE tracks spam issues in the U.S. and abroad, and they even have a cool t-shirt.

<http://www.cauce.org/>

The John Marshall Law School Cyberspace Law site provides information and links to statutes, cases, and other legal materials about spam. The site is updated and maintained by Professor David Sorkin.

<http://www.jmls.edu/cyber/index/spam.html>

The Spam Laws site, also maintained by David Sorkin, is a bit more up to date than the John Marshall site but also provides information on U.S. federal and state laws addressing spam.

<http://www.spamlaws.com/us.html>
<http://www.spamlaws.com/federal/>
<http://www.spamlaws.com/state/>

SueSpammers.org is an excellent resource to track developments in spam law across the U.S.

<http://www.suespammers.org/>

The Mad About Spam Web site provides a petition users can sign to send a message to their U.S congressional representatives about neutralizing the Direct Marketing Association's efforts to protect spam and spammers.

<http://www.madaboutspam.org/>

International Spam Law -- Finally, although the bulk of Internet usage is still centered in the United States, spam is an international issue and could become increasingly so if U.S. legislation becomes more restrictive. The following sites deal with anti-spam legislation in various global locales.

David Sorkin's Spam Laws site also includes a section on European Union directives, policies, and directions on regulating the Internet and spam as Internet usage increases in Europe. Another section covers spam and Internet regulation elsewhere in the world.

<http://www.spamlaws.com/eu.html>
<http://www.spamlaws.com/world.html>

CAUCE has a number of affiliates around the world, including EuroCAUCE, CAUBE.AU (Coalition Against Unsolicited Bulk Email, Australia), and CAUCE India. If you're a resident of one of those areas, check out the appropriate CAUCE affiliate site for links to local legislative issues.

<http://www.euro.cauce.org/>
<http://www.caube.org.au/>
<http://www.india.cauce.org/>

Electronic Commerce and the European Union is a site that provides information about European Union policies regarding the increasing amount of commerce being done on the Internet.

<http://www.ispo.cec.be/Ecommerce/>

Hide full article

With ChronoSync you can sync, back up, or make bootable backups.
Sync or back up your Mac to internal or external hard drives, other
Macs, PCs, or remote network volumes you can mount on your Mac.
Learn more at <http://www.econtechnologies.com/tb.html>!

Spam is known to the law as "unsolicited commercial electronic mail," or UCE, and is usually defined as email in which someone is trying to sell someone else a product or service, or otherwise part recipients from their moneyShow full article

Hide full article

Spam is known to the law as "unsolicited commercial electronic mail," or UCE, and is usually defined as email in which someone is trying to sell someone else a product or service, or otherwise part recipients from their money. Recently, the State of California passed a tough new anti-spam statute that goes into effect on 01-Jan-04. The new California statute departs from others of its kind in a number of respects (something California is becoming increasingly good at doing). One of the more telling departures is that it uses the legally informal term "spam" throughout, although it does use the more legalistic "UCE" where a more specific definition is needed.

I don't need to tell TidBITS readers that spam is a worsening problem afflicting the Internet. According to Brightmail, spam has increased from only 7 percent of total email traffic in April 2001 to a whopping 54 percent in September 2003.

<http://www.brightmail.com/spamstats.html>
<http://www.brightmail.com/pressreleases/070103_ uk_spam_summit.html>

Sending spam carries very little cost to the spammer because the costs are borne by ISPs, which pass them on to consumers in the form of increased access charges. According to a report from San Francisco-based Ferris Research, spam cost companies in the United States over $10 billion last year - just imagine the late Carl Sagan saying "billions and billions" and you'll get the picture - in lost worker productivity, technical solutions, and wasted bandwidth. An abstract of the study is available free. The full study requires a subscription.

<http://www.ferris.com/offer/spam.html>

Users are mad as hell about spam. A Harris poll taken two and a half years ago showed that 49 percent of users wanted an outright ban on spam. In a followup, titled "Large Majority of Those Online Wants Spamming Banned," Harris found that that number jumped to 80 percent by late 2002, and it's probably even higher now.

<http://www.harrisinteractive.com/harris_poll/ index.asp?PID=348>

The number of complaints received by state Attorneys General and the U.S. Federal Trade Commission has skyrocketed, and consumer pressure to control spam is being felt at all levels of state and federal government. To date, 36 states have passed laws dealing with spam.

<http://www.spamlaws.com/state/>

The Washington and California statutes are the most aggressive of the batch. Both have been vigorously challenged in the courts on various grounds, and both have ultimately been upheld. Heartened by these judicial affirmations, California has now enacted an even stronger statute that is already generating renewed controversy.

A New Model -- In 1998 California enacted one of the first and strongest anti-spam statutes in the nation (see "California Outlaws Spam" in TidBITS-448). Defining spam as unwanted commercial email intended to sell a product or service, the law required spammers to identify their email by putting "ADV:" in the subject line or "ADV:ADLT" for adult-oriented email. While individuals were not granted the right to sue, ISPs were empowered to sue spammers for violations and to obtain a judgment for significant penalties. The law was promptly challenged. In Ferguson v. FriendFinders, Inc. a lower court found it to be an unconstitutional violation of the U.S. Constitution's interstate commerce clause. The California appellate court disagreed and the law remained in force.

<http://db.tidbits.com/article/05109>
<http://www.spamlaws.com/cases/ferguson.html>

There is no indication that California's law has stemmed the tide of spam or even caused much spam to be labeled. Indeed, the volume of spam flooding the Internet has steadily increased despite such laws. Undaunted by failure, in September 2003 the California legislature enacted an even more sweeping statute.

<http://www.spamlaws.com/state/ca1.html>

The new law keeps certain features of the old one. For example, spammers must still include "ADV" or "ADV:ADLT" in the subject line, and must provide an 800 number or valid email address allowing recipients to request removal. But the changes in the new law are very significant.

The new statute completely bans all UCE unless specifically requested or authorized by the recipient. Like the old law, it is still limited to spammers using equipment in California or sending to recipients in California. But individuals now have the right to sue spammers for violating the law and to collect either actual damages or $500 per spam up to a limit of $1 million per "incident." An "incident" is "a single transmission or delivery to a single recipient or to multiple recipients of unsolicited commercial email advertisement containing substantially similar content."

One of the more sweeping provisions of the new statute prohibits anyone from collecting email addresses from the Internet for the purpose of sending spam to Californians or from California. In short, California is targeting address harvesting regardless of where the acts occur if the intent is to use the addresses to spam Californians.

There are a number of legal and practical hurdles this new statute will have to overcome. The following are some examples.

Commerce Clause -- The commerce clause is found in the U.S. Constitution, Article I, Section 8, Clause 3.

<http://www.house.gov/Constitution/ Constitution.html>

On its face, the commerce clause merely gives Congress the authority to "regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes." However, a huge body of law has grown up around this short phrase. The commerce clause issues are fascinating (well, to me anyway). Unfortunately, they are also incredibly complex and far beyond the scope of this article. So I will simply point out that the issue exists, that there is a lot of debate over how the commerce clause should be applied to Internet commerce, and that the issues are far from resolved. Partly because of the commerce clause issues, when Congress enacts legislation on spam it may abrogate state laws either entirely or in part.

Implicit in the commerce clause is the "dormant commerce clause." That doctrine holds that there are certain areas in which states cannot legislate even if Congress has not acted. The principle commerce clause challenges to spam arise under the dormant commerce clause doctrine. The argument runs like this:

State boundaries are irrelevant to the Internet, and thus to spam. All Internet email is necessarily interstate. It travels across interstate lines and is relayed via servers that could be anywhere in the world. Any regulation by any state necessarily affects interstate commerce, and one state's laws will necessarily affect spammers in other states. Thus, argue opponents of spam legislation, no state regulation of spam is possible without violating the commerce clause. Only Congress can legislate over such an inherently interstate activity.

The previous California statute survived a dormant commerce clause challenge because the court found that the statute applied only to (a) spammers using equipment located in California; and (b) spammers sending email to California residents. Because the effect of the law restricted only California-specific conduct, the court found that the commerce clause was not violated.

I anticipate a renewed challenge to the new statute under the commerce clause. I suspect that at least one clause in the new statute will not fare so well under a commerce clause analysis, and will be stricken. The new statute makes it "unlawful for any person or entity to collect electronic mail addresses posted on the Internet if the purpose of the collection is for the electronic mail addresses to be used" to initiate or advertise in an unsolicited commercial email advertisement to or from California. This provision applies to everyone, everywhere, who is collecting email addresses if the purpose is to spam Californians - regardless of whether they actually carry through on it.

First Amendment -- There has been much hoopla recently over a Colorado federal court decision blocking the Federal Trade Commission's (FTC) "Do Not Call" list because it may violate telemarketers' free speech rights. Telemarketing is similar to spam in a number of respects, and the arguments leveled against the "Do Not Call" list can easily be applied to spam laws. Indeed, advocates of spam have consistently argued to state legislatures that anti-spam laws violate the First Amendment. However, to date those arguments have not been a key part of the court decisions upholding the statutes.

The federal court of appeals has now stayed the Colorado federal court's decision and the "Do Not Call" list is moving forward. However, I anticipate that we will see additional First Amendment challenges to spam laws, and the California statute is ripe for challenge.

Jurisdiction -- Most of the complaints about the jurisdiction of a state to go after spammers in another state or abroad are actually enforcement issues. The legal issues of when a state has jurisdiction over out-of-state entities are fairly well established.

I believe that all states have enacted a form of law called a "long arm statute." In essence, long arm jurisdiction extends to any person or entity who takes advantage of the benefits of a state's laws. Even minimum contact with a state confers jurisdiction if the contact is enough to invoke the protections of state law. So, for example, a company that sells products via a catalog and has customers in a particular state can sue a customer under state law for failing to pay. But that company can also be sued by the customer under state law for failure to deliver or other breaches.

There is little question that a spammer soliciting sales in California is subject to California law. But this is a good point to segue from the legal challenges to the practical ones. A big practical question is: how do you find spammers?

In order to start a lawsuit, the plaintiff must physically hand the defendant a copy of the complaint. This is known as "service of process." It is difficult to serve someone unless you can find them. In the 1998 case that I helped Adam and his fellow TidBITS editors bring, the defendant played a shell game with false company offices, at least two fake names, and multiple fictitious addresses. After the litigation started, he actually changed his business address once a month. (See "TidBITS Sues Spammer" in TidBITS-439, and "Spam Damned in Washington State" in TidBITS-583.)

<http://db.tidbits.com/article/05000>
<http://db.tidbits.com/article/06458>

[This paragraph currently unavailable]

The solution to not being able to find someone to serve papers is to use a process called "service by publication," in which the court approves publication of the complaint in the local papers. After a period of time, the complaint is considered to have been served and the case can proceed.

That may solve the legal issue, but it does nothing to solve the practical problem. After all, if you can't find the defendant, how are you going to collect on your judgment? At some point, it becomes necessary to identify and locate the defendant physically.

Enforcement -- Under long-arm statutes, even off-shore merchants doing business in the U.S. are subject to U.S. law, including the laws of the states they sell in. If the spammer is a legitimate business that values its reputation and customers, there is little problem enforcing a judgment. But most spammers are anything but legitimate business. They do everything possible to mask their identities and location, including hiding in other countries that don't have or enforce spam laws. If you obtain a judgment in a California court, will you try enforcing it in China? The Bahamas? It is highly unlikely. Even in countries that have reciprocal enforcement of judgments treaties with the U.S., the costs of enforcing a judgment abroad are usually prohibitive for the average spam victim.

Collection -- But let's say that you are one of the fortunate ones who locates, serves and gets a judgment against a spammer. Will you collect your riches? Again we run into the disparity between legitimate businesses who care about their reputation and customers, and the majority of spammers who care nothing for either. It is likely that even having identified the live body of the spammer, a plaintiff will have to pursue execution of the judgment. No, that doesn't mean executing the spammer (popular though that option might be with some people). "Execution" is legalese for the court procedures that include garnishing wages, bank accounts, and the like. Execution can be costly, time consuming, and often will net the plaintiff only a portion of the judgment. Of course, that will be further reduced by the amount of attorney fees racked up in the course of executing on the judgment.

Conclusion -- The new California statute definitely pushes the envelope. It bans all unsolicited commercial email unless the recipient has agreed to receive it. It creates a private right of action allowing individuals to sue for damages for each item or incident, and it bans harvesting email addresses for the purpose of spamming Californians.

The new statute will inevitably draw court challenges. While some of the statute may be stricken as overbroad or violating federal law or the Constitution, most of it appears to be in line with law that has already survived such challenges. The law is deliberately modular, or in legalese "severable," so that portions can be excised if a challenge is successful, while leaving the rest of the statute intact.

Unfortunately, spam laws won't stop spam, nor will they even stem the tide, if experience so far is any guide. The old California statute did not reduce or even noticeably slow the increase in spam. I hold no great hope that the new statute will do any better. Legitimate businesses have already altered their practices to comply with existing spam law, and will no doubt do their best to comply with the new one. But legitimate business accounts for only a small amount of the spam we receive. Most spammers will simply keep on spamming. The new law will doubtless create a flurry of new court actions against spammers, resulting in more default judgments that can't be collected. And the spammers will keep spamming.

Lest I sound unduly bleak, I am not suggesting that there is no solution to the spam problem. However I do not believe that the law will stop or reduce spam.

Legal remedies are great for deceptive, misleading and fraudulent marketing practices - but those things have been illegal for a long time. Spam laws should be able to give law enforcement needed tools to go after spammers (focusing on the most egregious ones), and to allow individuals who are so inclined to go after them as well. But the Internet is a global phenomenon. State boundaries are largely irrelevant to the Internet, and state spam laws will do little or nothing to solve the larger problem. On the other hand, passing more laws amounts to more regulation of the Internet, and sets an increasingly popular precedent for further regulation. Be careful what you wish for!

I believe that the solution to the problem of spam is technological. For example, I receive between 100 and 200 spam messages each day, but 98 percent of those are filtered out by Eudora 6.0's Bayesian spam filter. True, I must regularly review the collected mess of Nigerian political refugees looking for a kind stranger to help launder a few million dollars, the offers to enlarge various body parts (some of which I don't have), and the ever popular get-rich-quick schemes so that I can find any false hits and rescue them. But as annoying as this is, it is currently the cost of using a largely unregulated forum such as the Internet in a capitalist society that values free speech and privacy.

[Brady Johnson is a grouchy attorney in Seattle who really, really hates spam.]

Hide full article

Pear Note 2: More complete, understandable notes on your Mac.
Typed notes are blended with recorded audio, video, and slides
to create notes that make more sense when you need them most.
Learn more at <http://www.usefulfruit.com/tb>!

Talk about deja vu. I recall having written this introduction for a TidBITS article about spam before, each time changing the unhappy statistics about spam volumes in an upward directionShow full article

Hide full article

Talk about deja vu. I recall having written this introduction for a TidBITS article about spam before, each time changing the unhappy statistics about spam volumes in an upward direction. I always start by looking at Brightmail and other sites that track spam to see how the efforts have fared so far. Sad to say, the news has never been good. Even Congress has acknowledged this in the opening lines of the CAN-SPAM Act, enacting this sorry comment into law: "Unsolicited commercial electronic mail is currently estimated to account for over half of all electronic mail traffic, up from an estimated 7 percent in 2001, and the volume continues to rise."

<http://db.tidbits.com/series/1169>

In fact, according to Brightmail, spam is rising faster than the mercury on a hot summer day. In 2002, spam accounted for 40 percent of all email, meaning that if Congress's 7 percent number is correct, between 2001 and 2002 there was a nearly 600 percent increase. By the end of 2003 that number had soared to 58 percent. If the trend continues, 65 percent of our email will be spam by the end of 2004.

<http://www.brightmail.com/spamstats.html>

To stem this tide, Congress has enacted the "Controlling the Assault of Non-Solicited Pornography and Marketing Act," or CAN-SPAM. On 16-Dec-03 President Bush signed the bill into law and it became effective on 01-Jan-04.

<http://www.spamlaws.com/federal/108s877.html>

CAN-SPAM has generated much discussion and debate, with much of the wired community angrily dismissing it as a deal with the devil and the marketing community hailing it as a significant step forward in the battle to combat spam.

Reading the various commentaries on CAN-SPAM, it quickly becomes clear that a key disagreement turns on the definition of "spam." To many regular Internet users, "spam" includes any unsolicited bulk email from any source. To these users, CAN-SPAM addresses only a small subset of spam while legitimizing the rest of it. The marketing community and others maintain that bulk email that is not misleading or deceptive is fair exercise of their commercial free speech rights and is no more objectionable than junk snail mail. Thus, they claim that it should not be included in the definition of "spam." To these users, CAN-SPAM represents a major step forward.

What Is "Spam" Anyway? I feel obligated to point out that spam is actually a pinkish processed meat product made by Hormel. Hormel has belatedly taken issue with using their product's name for noxious email and is attempting to block trademarks that include "spam" such as SpamArrest.

<http://abcnews.go.com/sections/scitech/Business /techtv_spam030801.html>

But to many folks, "spam" simply refers to any unwanted email from a stranger trying to sell a product, tout a position, advertise a commercial Web site, or sway the reader's opinion in some way. As anti-spam legislation has been enacted in the various states, the definition has morphed and narrowed to "unwanted commercial email" or "UCE," exempting non-commercial email such as political or charitable solicitations. CAN-SPAM narrows this definition even further.

CAN-SPAM uses the term "spam" only in the title acronym and in one of the initial recitations. (Recitations in a statute have no legally binding effect and are merely statements of policy reasons to aid courts in interpreting it.) CAN-SPAM defines "commercial electronic mail" as email, "the primary purpose of which is the commercial advertisement or promotion of a commercial product or service." Political and charitable solicitations are still excluded from this definition, as are "transactional or relationship messages," which are email messages from a party with whom you have an existing connection of some kind.

CAN-SPAM gives the Federal Trade Commission (FTC) the authority to change the definition of "transactional or relationship messages... to the extent that such modification is necessary to accommodate changes in electronic mail technology or practices and accomplish the purposes of this Act." However, the FTC does not have authority to alter the definition of "commercial electronic mail."

Key CAN-SPAM Provisions -- CAN-SPAM's most severe prohibitions focus on certain types of deceptive and fraudulent email. These can subject the spammer to substantial criminal penalties of three years in prison for a first offense and five years for a subsequent offense, or for deceptive commercial email that is sent in furtherance of another felony. This would include, for example, the many messages claiming to be from exiled political leaders seeking help to launder and share their hoards of untold wealth if only the recipient would provide a valid bank account number to them first. Those messages - already the subject of prosecutions under existing criminal statutes - are subject to further criminalization under CAN-SPAM.

Other criminal acts include using a computer, server, or domain to send or relay commercial email without the lawful owner's permission, and using false headers or misleading subject lines. These activities are also subject to civil actions and penalties in addition to criminal prosecution.

CAN-SPAM uses an opt-out model, requiring that all commercial email include a method of opting out of future mailings from the sender and must include the sender's real email address and snail mail contact information. The statute specifies that spam must contain a mailto, Web link, or other online mechanism that the recipient can use to opt out. All commercial email subject to CAN-SPAM is required to identify itself as an advertisement. The statute does not specify how spammers should identify their email, leaving that to the FTC, which has until April Fools Day (01-Apr-04) to publish the identifying marks that spammers must use. Like other provisions of CAN-SPAM, this identification requirement does not apply to mail sent to anyone who has affirmatively consented to receiving the messages.

CAN-SPAM considers certain actions to be "aggravated violations" potentially subject to more severe penalties. These include the common practice of harvesting email addresses from various Internet sources and of using "dictionary attacks." Hijacking someone else's server is also an aggravated violation.

One heavily criticized component of the Act is the provision preempting all state laws addressing spam with certain very limited exceptions. The only state laws that survive this evisceration are those that prohibit falsity or deception in commercial email such as the Washington state statute and large parts of the California statute, and those that only incidentally affect email. Examples of statutes with incidental effects on email would include general computer trespass laws, consumer protection statutes, and other laws that apply generally to conduct that may sometimes include email. That means that much existing state law has fallen by the wayside and that the California opt-in statute which was to take effect this year has been essentially nullified in most material respects.

As far as enforcement goes, CAN-SPAM allows no private right of action, meaning that individual victims of spammers cannot go to court and sue for violation of the statute. Authorized enforcers are the FTC and other federal government agencies, state Attorneys General, and Internet service providers. It's worth noting that Internet service providers often have their own acceptable use policies relating to email and spam. The new federal statute does not disturb these private rules, meaning that an ISP retains authority under those policies to cancel or suspend a user and often to claim damages, etc. for violation. Leaving ISP authority in place provides an independent, if seldom-used, basis of liability against spammers.

Will CAN-SPAM Work? I don't think so. CAN-SPAM is a decent enough starting point, but in my opinion it has too many flaws to make it effective to stop or even slow spam.

CAN-SPAM's good points are that it is a federal statute and thus applies uniformly throughout the United States. This eliminates the sometimes confusing patchwork of different laws in the states that have enacted anti-spam statutes. It also goes a long way toward resolving jurisdictional issues involving whether a state has authority to control a business operating outside its boundaries. These jurisdictional disputes were quite common under state spam enforcement.

It's also good to see the various "aggravated violations" called out and codified, since having them more clearly made illegal will simplify the job of prosecutors.

Also, anything that increases the potential liability for spammers may sway the economic balance of spam. If sending spam could result in prison, spammers will have to determine if the rewards are worth the potential risk. While added liability may not impact the scofflaws who will ignore any legal mandate or prohibition unless they are arrested, increasing the risk of prison or significant monetary penalties will probably scare off businesses that might been considering skirting the law before.

But despite those good points, CAN-SPAM's flaws abound. Let's examine them.

International Problems -- Unfortunately, CAN-SPAM applies only in the United States. True, U.S. law and international treaties do confer jurisdiction on U.S. courts to address issues arising internationally if they impact the U.S. But while that may sound nice on paper, it suffers from two major problems.

First, there is the problem of actual enforcement. Spammers operating outside the U.S. are often not subject to U.S. courts, and even where they are, any judgment or court order is worthless unless it can be enforced. This fact means that the only way an enforcement agency can compel a foreign spammer to comply with the law is via diplomatic pressure from the U.S. Show of hands: how many people think that enforcing U.S. spam law is likely to become a high priority for U.S. diplomatic efforts any time soon? Now, if we could show that spammers were actually fronts for terrorist organizations...

Second, CAN-SPAM's opt-out approach is directly at odds with the approach taken by much - perhaps most of the rest of - the first world. The European Union has adopted a Directive (a policy document) that establishes an opt-in approach. Each individual member nation must then enact specific laws implementing the Directive. (The first URL below goes to the English language version of the Directive; the second URL leads to versions in other languages.)

<http://europa.eu.int/eur-lex/pri/en/oj/dat/2002 /l_201/l_20120020731en00370047.pdf>
<http://europa.eu.int/information_society/topics /ecomm/useful_information/library/ legislation/text_en.htm#dir_2002_58_ec>

Australia has also adopted an opt-in law broadly prohibiting commercial email being sent to Australians. In short, while it seems likely that most spam comes from the U.S. or is touting products and services of U.S.-based companies, opt-in appears to be the model of choice in most of the technologically developed world, with the U.S. falling out of step with the rest of the global community.

These conflicting approaches are likely to cause problems similar to, and perhaps worse than, those that existed within the U.S. before the federal law was passed, and when there were various state statutes with differing mandates and standards. In the U.S., at least all of those states were subject to the same federal government and general rules of legal analysis and interpretation. On the international scene, the problems caused by such wildly conflicting anti-spam models are likely to be worse. Since the U.S. law is less restrictive, it appears to me that the E.U. nations and Australia may continue to be flooded with spam that is legal in the U.S., but illegal in their countries.

Opt-Out Problems -- The unfortunate choice of an opt-out model requires that recipients contact the sender to opt out of future messages. While this may work for legitimate marketers who actually include a working unsubscribe mailto or Web link in the message, most spam is not legitimate, and use such links merely as unscrupulous means of confirming or harvesting email addresses. By encouraging people to use these opt-out links, CAN-SPAM may actually increase the amount of illegal spam. It also potentially increases the risk of identity theft and other crimes targeting the unsophisticated Internet user.

Enforcement Problems -- CAN-SPAM puts the entire burden of enforcement on the shoulders of already overworked federal and state enforcement agencies, which show no signs of rushing to prioritize spam enforcement. It seems likely that ISPs will take action, but most ISPs lack the resources to mount intensive investigations to track down spammers in other countries, or to support the sort of litigation that may be required to bring them down.

To be fair, prior to CAN-SPAM, most enforcement had to take place at the individual level, much of it in states without strong anti-spam statutes. Most individuals can't afford the expense of a full-fledged spam investigation any more than many ISPs can. But CAN-SPAM does not permit individual victims to file private suits for violating its terms. It seems counterproductive not to allow individual enforcement since it would both aid in the overall effort to combat spam, and would result in remedies to the actual spam victims - the end users - in cases where the spammer could be found and held accountable.

Lastly, even once spammers are dragged into court, CAN-SPAM may suffer from loopholes. For instance, the "primary purpose" prong of the spam definition means that spammers can include personal notes in their messages that incidentally offer something for sale, then argue that the solicitation was not the "primary purpose" of the email. I suspect that most people reading this have received spam along the lines of: "Hi there! How are you doing? I am having a great time. By the way, I ran across this item <insert product here> and thought you might be interested." While this ambiguity may not pass the laugh test in court, it is the sort of thing that will almost certainly have to be tested in court before it has any appreciable impact, thus further delaying any potential benefit until one of the authorized enforcers chooses to put the question to a judge. This is another reason that individual enforcement would have been a good thing - it seems more likely that an individual or consumer group would take up this issue sooner than I expect one of the authorized enforcers to do it.

Summing Up -- In previous articles, I have concluded that if spam is outlawed, only outlaws will spam. An increasing amount of spam is already in violation of our current state laws and has not been eliminated or even reduced as the result of having been outlawed. Legitimate companies have attempted to comply, but the less-than-legitimate scum will freely violate the new law unless and until they are physically caught.

In the final analysis, CAN-SPAM is a good start, but is far too flawed to be an effective tool against spam. Like the state laws, it will successfully prevent legitimate companies from resorting to spam (not that most legitimate companies were spamming before), but it will have no impact on spammers outside of U.S. jurisdiction and thus not subject to the U.S. law, or on unscrupulous spammers who will ignore the law unless they are arrested. The inconsistency with anti-spam laws used in other parts of the world may harm those nations' efforts to control spam by allowing spam from the U.S. to circumvent their laws.

Put bluntly, CAN-SPAM tells spammers that they can spam, so long as they are careful to drive their truckloads of spam through the truck-sized loopholes in the statute. What's perhaps most disappointing is that we've waited for years for a federal anti-spam law, and the one we ended up with isn't nearly as good as it could have been, or even as good as some of the now-preempted existing state laws are. That's a shame, and it's one we'll undoubtedly have to live with for some time.

[Brady Johnson is a grouchy attorney in Seattle who really, really hates spam.]

Hide full article

MacTech Conference, for IT Pros and Apple developers, is Nov 3-5,
in Los Angeles. The 3-day event is packed with sessions & evening
activities. Learn from the best. Meet and spend time with peers.
TidBITS readers save $50 at <http://macte.ch/conf_tidbits>!