  1. Spam
  2. Spam Basics
     • E-mail version of mass distribution of direct marketing solicitations, formally known as “unsolicited commercial e-mail” (UCE)
     • Cost-effective for the sender because of low marginal costs (low costs to add one more recipient to the list)
     • Spammers free-ride on ISP networks, which increase their costs to accommodate the growing volume of spam
     • There exists a conflict between antispam laws (focusing on fraud, trespass, hacking, infringement) and the Constitution (First Amendment freedom of speech, press)
     • Commerce clause may prohibit state antispam laws if they unduly burden interstate commerce
  3. Where does junk mail (spam) come from?
     • From software called Spamware.
     • Spamware is software that automatically searches the Web to collect what it recognizes as email addresses.
  4. Federal Laws Can Be Adapted To Prohibit Some Aspects of Spam
     • Telephone Consumer Protection Act (TCPA)
       • Prohibits automated dialing systems that charge the call to the receiving landline or wireless phone
       • Prohibits fax flooding
       • Consumers have the right to be removed from the telemarketing list
     • Computer Fraud and Abuse Act (CFAA)
       • Intentional access that causes damage
       • Sending commands, data, or software that causes damage
       • Intentional fraudulent access to obtain something of value
     • FTC Act § 5
       • Prohibits unfair and deceptive trade practices
     • Lanham Act
       • Federal trademark law
       • False designation of origin can apply to spam
  5. State Laws Are Cracking Down On Spam
     • Usually only apply to spam originating from within their state or destined to their state
     • California requires spam to include return addresses or toll-free numbers in the first message line so the recipient can opt out
     • California, Washington, and Virginia require spammers to comply with ISP’s privacy policies (criminal offense to falsify/impersonate the domain name of a spam sender; a form of technical fraud)
     • Maryland criminalizes harassing or obscene e-mail
  6. Constitutional and Tort Law In The Battle Against Spam
     • Cyber Promotions, Inc. v. AOL, Inc.
       • AOL refused to deliver 2 million daily UCEs from Cyber Promotions
       • AOL not found to have violated Cyber Promotions’ First Amendment rights
     • Intel Corporation v. Hamidi
       • Former employee sent 30,000 e-mails on six occasions to all Intel employees
       • Spam constituted a trespass to chattels
  7. New Legislation To Combat Spam
     • Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) passed by Congress in December 2003
     • Highlights of CAN-SPAM
       • Permits e-mail advertising
       • Prohibits misleading headers and other practices that mask origin of e-mail ads
       • Recipients must be allowed to opt out of future mailings
       • E-mail ads may not be sent to recipients who opt out
       • E-mail ads must be identified as such
       • State antispam laws are generally preempted
  8. New Legislation To Combat Spam
     • Highlights of CAN-SPAM continued
       • Does not give right to recipients to sue spammers
       • FTC may clarify law requirements
     • Enforcement
       • FTC proceedings
       • Criminal prosecutions
       • State attorney general actions
       • Private lawsuits brought by ISPs
  9. CAN-SPAM Act of 2003
  10. Background; Pre-emption
     • Background
       • Law signed by President Bush December 2003
       • Law effective January 1, 2004
     • Pre-emption
       • Pre-empts state laws regulating commercial email
       • States may continue to regulate email fraud
         • Several states now implementing spam fraud laws
       • Pre-empts California’s SB 186
         • No litigation brought under SB 186
  11. CAN-SPAM Refresher
     • Prohibitions
       • False header information (deception re source of email)
       • Deceptive subject lines (deception re content of email)
       • “Aggravated offenses” – either of the above together with:
         • Address harvesting
         • Dictionary attacks
         • Unauthorized relays
         • Unauthorized sending through third-party computers
       • Sending more than 10 business days following opt out
     • Required Inclusions
       • Clear and conspicuous notice that email is commercial
         • Does not apply if sender has “affirmative consent” of recipient
       • Clear and conspicuous notice of ability to opt out
       • Working unsubscribe functionality
         • Return email address
         • Internet-based mechanism
       • Valid physical postal address (OK to include PO box with street address)
  12. Sample Disclosure
     • This is a promotional email from Nextel Communications, Inc. If you wish to unsubscribe from Nextel customer emails or to change your email address, please click here or use the link below. Nextel Communications, Inc. is located at 2001 Edmund Halley Drive, Reston, VA 20191.
     • Placement: Just below creative, but above disclaimers
     • Size: Same as text in ad, larger than disclaimers
     • Color: Black – same as ad, darker than disclaimers
     • Annotations: “Commercial” notice; Opt out notice and functionality; Valid physical postal address
  13. Enforcement and Penalties
     • Civil enforcement
       • Federal Trade Commission
         • Applicable general regulatory agency enforces for financial institutions
           • OCC, Fed, FDIC
         • Standard enforcement powers of particular agency
       • State enforcement agencies
         • $250 per violation; $2 million cap
         • Injunctive relief
       • “Internet access services” – primarily ISPs
         • $25/$100 per violation; $1 million cap
         • Injunctive relief
       • “Good actor” damage reduction
       • Court may triple damages for aggravated violations
     • Criminal enforcement
       • DOJ enforcement
       • One year in prison
       • Up to five years for aggravated or repeated violations
  14. CAN-SPAM Regulatory Update
     • Request for Information issued for Do-Not-Email List
       • Issued March 2004
       • Seeks technical information re implementation and security
     • Advanced Notice of Proposed Rulemaking
       • Issued March 2004
       • Two purposes
         • Seeks comments on merits of DNE
         • Seeks ideas for future rulemakings:
           • Transactional or relationship emails
           • 10-business-day rule for unsubscribe
           • “Primary purpose” test
           • Forward-to-a-friend
           • Multiple sender problem
       • ESPC submitted comments on both
       • Next steps
         • FTC to issue proposed regulations and invite further comment
         • FTC to publish DNE implementation plan and report to Congress
  15. CAN-SPAM Litigation Update
     • March 2004
       • AMEY cases
         • AOL, MSN, Yahoo! and Earthlink cooperating in litigation effort
         • Several spammers sued; focus on false header violations
         • Goal – well-publicized suits and ensuing personal bankruptcies should dissuade spammers from this line of business
       • Hypertouch v
         • Aggressive, litigious, small ISP suing Bob Vila’s online business
         • Probably not a case of intentionally fraudulent header information, but an example of how sloppy practices can invite unnecessary attention
     • April 2004
       • First government prosecutions filed April 27 by FTC
         • Defendants in Michigan and Australia
         • Fraudulent header information
         • Promoting fraudulent products
         • TRO; asset freeze
  16. FTC Predictions (1)
     • Do-Not-Email Registry
       • FTC questioning effectiveness (spammers will ignore)
       • FTC skeptical of security (valuable list of real names)
       • Required to propose something
       • Prediction:
         • FTC will propose a do-not-spam registry
         • FTC will recommend against implementation
         • FTC will support industry “Lumos” initiatives
     • “Primary purpose” test (i.e., what is a commercial email)
       • FTC sympathetic to possibly overly broad interpretations
       • Offered multiple methods of determining purpose in ANPR
       • Prediction:
         • FTC will embrace a “totality of the circumstances” test
         • FTC analysis will take into account the sender’s intent, not just the content and the impression of the recipient
  17. FTC Predictions (2)
     • Forward-to-a-friend/affiliate marketing programs
       • FTC concerned about marketers inducing third parties to send email on the marketer’s behalf and recipients having no unsub recourse
       • Prediction:
         • FTC will impose CAN-SPAM obligations (disclosure; unsub; dedupe) on induced forwarding
         • Non-induced forwarding (traditional FTAF w/o more) will not be subject to CAN-SPAM
         • Contingent compensation affiliate marketing programs will be treated as induced forwarding
     • Multiple sender problem/list rental issues
       • FTC concerned with administrative complexity in multiple sender situations
       • FTC also concerned with compliance resulting in consumer confusion
       • Prediction:
         • Where a list owner is mailing on behalf of multiple third parties in a single email, and list owner is disclosed, list owner will be treated as sender
         • Fingers crossed: disclosed list owner will be “sender” for all list rental campaigns (even single advertiser campaigns)
  18. Compliance Recommendations
     • Review the FTC’s “clear and conspicuous” guidance
       • FTC “dot com disclosure” guidance:
       • Important factors: placement, prominence, distractions, understandability
     • Avoid accidentally deceptive subject lines
     • Review unsubscribe practices
       • Offering ability to unsubscribe from sender or just program?
       • Is 10-business day rule manageable?
     • Use commercial notice despite possible “affirmative consent” exception
     • Use your company name in the “from” line
       • Any party initiating is sufficient to comply with CAN-SPAM
     • Make sure DNS registrations are up to date
       • Avoid attention from small litigious internet access services
  19. What can you do to help prevent spam?
     • Spamware software failed when an email address was obscured in some way
     • For example, writing “at” instead of the @ symbol.
  20. CyberBrief: Spamware
     • The Center for Democracy and Technology (CDT) investigated how junk-mail spammers get hold of email addresses.
     • They created 100s of email addresses and used each one only once.
     • After 6 months, over 8,000 unsolicited emails arrived to these email addresses.
     • How does it work?
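
The spamware slides (3, 19 and 20) say harvesters collect whatever they recognize as an email address and fail when the address is obscured. The Python audit below is an added example, not part of the original slides: it scans page source you publish and reports addresses that simple pattern matching would recognize. The address pattern, the function name and the sample page are assumptions, and the HTML-entity case goes beyond the “at” example on slide 19.

```python
import html
import re

# Assumption: the slides do not say how spamware matches addresses. This is a
# common simplified pattern, not the full RFC 5322 grammar.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def find_exposed_addresses(page_source):
    """Audit page source you publish; return sorted (line, address, form) tuples.

    form is "plain" when the address appears literally, or "entity-encoded"
    when it only appears after HTML entities such as &#64; are decoded.
    """
    findings = []
    for lineno, line in enumerate(page_source.splitlines(), start=1):
        plain = {m.group(0).lower() for m in ADDRESS_RE.finditer(line)}
        decoded = {m.group(0).lower()
                   for m in ADDRESS_RE.finditer(html.unescape(line))}
        findings += [(lineno, addr, "plain") for addr in plain]
        # Entities decode back to a literal "@", so a scanner that decodes the
        # page before matching still recognizes these addresses.
        findings += [(lineno, addr, "entity-encoded") for addr in decoded - plain]
    return sorted(findings)


# Constructed sample page (example.com addresses are placeholders).
SAMPLE_PAGE = """\
<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Support: support&#64;example.com</p>
<p>Press: press at example dot com</p>
<p>Jobs: jobs [at] example.com</p>
"""

if __name__ == "__main__":
    for lineno, addr, form in find_exposed_addresses(SAMPLE_PAGE):
        print(f"line {lineno}: {addr} ({form})")
```

The “at” and “[at]” forms on the last two sample lines produce no finding, which is the behaviour slide 19 describes.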