Spam

  1. Spam
  2. Spam Basics
      • E-mail version of mass distribution of direct marketing solicitations, formally known as “unsolicited commercial e-mail” (UCE)
      • Cost-effective for the sender because of low marginal costs (low costs to add one more recipient to list)
      • Spammers free-ride on ISP networks, which increase their costs to accommodate the growing volume of spam
      • There exists a conflict between antispam laws (focusing on fraud, trespass, hacking, infringement) and the Constitution (First Amendment freedom of speech, press)
      • Commerce clause may prohibit state antispam laws if they unduly burden interstate commerce
  3. Where does junk mail (spam) come from?
      • From software called Spam ware.
      • Spam ware is software that automatically searches the Web to collect what it recognizes as email addresses.
  4. Federal Laws Can Be Adapted To Prohibit Some Aspects of Spam
      • Telephone Consumer Protection Act (TCPA)
          • Prohibits automated dialing systems that charge the call to the receiving landline or wireless phone
          • Prohibits fax flooding
          • Consumers have the right to be removed from the telemarketing list
      • Computer Fraud and Abuse Act (CFAA)
          • Intentional access that causes damage
          • Sending commands, data, or software that causes damage
          • Intentional fraudulent access to obtain something of value
      • FTC Act § 5
          • Prohibits unfair and deceptive trade practices
      • Lanham Act
          • Federal trademark law
          • False designation of origin can apply to spam
  5. State Laws Are Cracking Down On Spam
      • Usually only apply to spam originating from within their state or destined to their state
      • California requires spam to include return addresses or toll-free numbers in the first message line so the recipient can opt out
      • California, Washington, and Virginia require spammers to comply with ISPs’ privacy policies (it is a criminal offense to falsify or impersonate the domain name of a spam sender, a form of technical fraud)
      • Maryland criminalizes harassing or obscene e-mail
  6. Constitutional and Tort Law In The Battle Against Spam
      • Cyber Promotions, Inc. v. AOL, Inc.
          • AOL refused to deliver 2 million daily UCEs from Cyber Promotions
          • AOL not found to have violated Cyber Promotions’ First Amendment rights
      • Intel Corporation v. Hamidi
          • Former employee sent 30,000 e-mails on six occasions to all Intel employees
          • Spam constituted a trespass to chattels
  7. New Legislation To Combat Spam
      • Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) passed by Congress in December 2003
      • Highlights of CAN-SPAM
          • Permits e-mail advertising
          • Prohibits misleading headers and other practices that mask origin of e-mail ads
          • Recipients must be allowed to opt out of future mailings
          • E-mail ads may not be sent to recipients who opt out
          • E-mail ads must be identified as such
          • State antispam laws are generally preempted
  8. New Legislation To Combat Spam
      • Highlights of CAN-SPAM continued
          • Does not give right to recipients to sue spammers
          • FTC may clarify law requirements
      • Enforcement
          • FTC proceedings
          • Criminal prosecutions
          • State attorney general actions
          • Private lawsuits brought by ISPs
  9. CAN-SPAM Act of 2003
  10. Background; Pre-emption
      • Background
          • Law signed by President Bush December 2003
          • Law effective January 1, 2004
      • Pre-emption
          • Pre-empts state laws regulating commercial email
          • States may continue to regulate email fraud
              • Several states now implementing spam fraud laws
          • Pre-empts California’s SB 186
              • No litigation brought under SB 186
  11. CAN-SPAM Refresher
      • Prohibitions
          • False header information (deception re source of email)
          • Deceptive subject lines (deception re content of email)
          • “Aggravated offenses” – either of the above together with:
              • Address harvesting
              • Dictionary attacks
              • Unauthorized relays
              • Unauthorized sending through third-party computers
          • Sending more than 10 business days following opt out
      • Required Inclusions
          • Clear and conspicuous notice that email is commercial
              • Does not apply if sender has “affirmative consent” of recipient
          • Clear and conspicuous notice of ability to opt out
          • Working unsubscribe functionality
              • Return email address
              • Internet-based mechanism
          • Valid physical postal address (OK to include PO box with street address)
  12. Sample Disclosure
      • This is a promotional email from Nextel Communications, Inc. If you wish to unsubscribe from Nextel customer emails or to change your email address, please click here or use the link below. http://nextel.m0.net/m/u/nex/n.asp?e=khirschman%40digitalimpact.com&cid=XXXXXXXXXXX Nextel Communications, Inc. is located at 2001 Edmund Halley Drive, Reston, VA 20191.
      • Placement: Just below creative, but above disclaimers
      • Size: Same as text in ad, larger than disclaimers
      • Color: Black – same as ad, darker than disclaimers
      • “Commercial” notice
      • Opt out notice and functionality
      • Valid physical postal address
  13. Enforcement and Penalties
      • Civil enforcement
          • Federal Trade Commission
              • Applicable general regulatory agency enforces for financial institutions
                  • OCC, Fed, FDIC
              • Standard enforcement powers of particular agency
          • State enforcement agencies
              • $250 per violation; $2 million cap
              • Injunctive relief
          • “Internet access services” – primarily ISPs
              • $25/$100 per violation; $1 million cap
              • Injunctive relief
          • “Good actor” damage reduction
          • Court may triple damages for aggravated violations
      • Criminal enforcement
          • DOJ enforcement
          • One year in prison
          • Up to five years for aggravated or repeated violations
  14. CAN-SPAM Regulatory Update
      • Request for Information issued for Do-Not-Email List
          • Issued March 2004
          • Seeks technical information re implementation and security
      • Advanced Notice of Proposed Rulemaking
          • Issued March 2004
          • Two purposes
              • Seeks comments on merits of DNE
              • Seeks ideas for future rulemakings:
                  • transactional or relationship emails
                  • 10-business-day rule for unsubscribe
                  • “primary purpose” test
                  • forward-to-a-friend
                  • Multiple sender problem
          • ESPC submitted comments on both
          • Next steps
              • FTC to issue proposed regulations and invite further comment
              • FTC to publish DNE implementation plan and report to Congress
  15. CAN-SPAM Litigation Update
      • March 2004
          • AMEY cases
              • AOL, MSN, Yahoo! and Earthlink cooperating in litigation effort
              • Several spammers sued; focus on false header violations
              • Goal – well-publicized suits and ensuing personal bankruptcies should dissuade spammers from this line of business
          • Hypertouch v BobVila.com
              • Aggressive, litigious, small ISP suing Bob Vila’s online business
              • Probably not a case of intentionally fraudulent header information, but an example of how sloppy practices can invite unnecessary attention
      • April 2004
          • First government prosecutions filed April 27 by FTC
              • Defendants in Michigan and Australia
              • Fraudulent header information
              • Promoting fraudulent products
              • TRO; asset freeze
  16. FTC Predictions (1)
      • Do-Not-Email Registry
          • FTC questioning effectiveness (spammers will ignore)
          • FTC skeptical of security (valuable list of real names)
          • Required to propose something
          • Prediction:
              • FTC will propose a do-not-spam registry
              • FTC will recommend against implementation
              • FTC will support industry “Lumos” initiatives
      • “primary purpose” test (i.e., what is a commercial email)
          • FTC sympathetic to possibly overly broad interpretations
          • Offered multiple methods of determining purpose in ANPR
          • Prediction:
              • FTC will embrace a “totality of the circumstances” test
              • FTC analysis will take into account the sender’s intent, not just the content and the impression of the recipient
  17. FTC Predictions (2)
      • forward-to-a-friend/affiliate marketing programs
          • FTC concerned about marketers inducing third parties to send email on the marketer’s behalf and recipients having no unsub recourse
          • Prediction:
              • FTC will impose CAN-SPAM obligations (disclosure; unsub; dedupe) on induced forwarding
              • Non-induced forwarding (traditional FTAF w/o more) will not be subject to CAN-SPAM
              • Contingent compensation affiliate marketing programs will be treated as induced forwarding
      • multiple sender problem/list rental issues
          • FTC concerned with administrative complexity in multiple sender situations
          • FTC also concerned with compliance resulting in consumer confusion
          • Prediction:
              • Where a list owner is mailing on behalf of multiple third parties in a single email, and list owner is disclosed, list owner will be treated as sender
              • Fingers crossed: disclosed list owner will be “sender” for all list rental campaigns (even single advertiser campaigns)
  18. Compliance Recommendations
      • Review the FTC’s “clear and conspicuous” guidance
          • FTC “dot com disclosure” guidance:
          • http://www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html#III
          • Important factors: placement, prominence, distractions, understandability
      • Avoid accidentally deceptive subject lines
      • Review unsubscribe practices
          • Offering ability to unsubscribe from sender or just program?
          • Is 10-business day rule manageable?
      • Use commercial notice despite possible “affirmative consent” exception
      • Use your company name in the “from” line
          • Any party initiating is sufficient to comply with CAN-SPAM
      • Make sure DNS registrations are up to date
          • Avoid attention from small litigious internet access services
  19. What can you do to help prevent spam?
      • Spam ware software failed when an email address was obscured in some way
      • For example, writing “at” instead of the @ symbol.
  20. CyberBrief: Spam ware
      • The Center for Democracy and Technology (CDT) investigated how junk-mail spammers get hold of email addresses.
      • They created 100s of email addresses and used each one only once.
      • After 6 months, over 8,000 unsolicited emails arrived to these email addresses.
      How does it work?
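
An added example, not part of the original slides: a Python check a site owner can run over their own page markup to list addresses still published in a directly recognizable form, together with the “at” rewrite from slide 19. The address pattern, the function names `audit` and `obscure`, and the sample page are assumptions constructed for illustration.

```python
import html
import re

# Assumed pattern for a literal local@domain.tld token (not from the slides).
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample page; the example.com addresses are placeholders.
SAMPLE_PAGE = """
<p>Sales: sales@example.com</p>
<p>Support: <a href="mailto:support@example.com">email us</a></p>
<p>Press: press&#64;example.com</p>
<p>Jobs: jobs at example dot com</p>
"""


def audit(page_html):
    """Map each literal address in a page we publish to how it is exposed."""
    findings = {}
    # Any HTML parser turns &#64; into "@", so decode entities before matching
    # and treat entity-encoded addresses as exposed (assumption of this example).
    decoded = html.unescape(page_html)
    for match in ADDRESS_RE.finditer(decoded):
        prefix = decoded[max(0, match.start() - 7):match.start()].lower()
        if prefix == "mailto:":
            kind = "mailto link"
        elif match.group(0) in page_html:
            kind = "plain text"
        else:
            kind = "entity-encoded"
        findings.setdefault(match.group(0).lower(), kind)
    return findings


def obscure(address):
    """Write 'at' for '@' as slide 19 suggests; spelling out dots is added here."""
    local, _, domain = address.partition("@")
    return f"{local} at {domain.replace('.', ' dot ')}"


if __name__ == "__main__":
    for address, kind in audit(SAMPLE_PAGE).items():
        print(f"{address:24} {kind:16} -> {obscure(address)}")
```

An empty result from `audit` means no address on the page matches the literal pattern; the “Jobs” line in the sample is already in that state.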
