Perspective: Can-Spam put to the test

The last six months have not been particularly kind to the antispam community.

Late last year, the U.S. Court of Appeals for the Fourth Circuit limited the reach of both state and federal spam laws to e-mails that contain "material" falsity or deception. And last week, a federal district court dismissed a Can-Spam claim on the basis that the plaintiff, James Gordon--who was not a traditional ISP--did not suffer the type of injury envisioned by the law, and thus lacked legal standing to sue.

The court also signaled its intention to award attorney's fees. While the decision will likely have minimal effect on claims brought by traditional ISPs, it is sure to take the sails out of the cottage industry built around spam litigation.

Since its inception, Can-Spam has had a mixed reception. Still, it is tough to deny that it has spawned an entire cottage industry of litigation built around filing spam lawsuits. Antispam activist Mark Mumma presents one such example, as does spam fighter Robert Braver, and Gordon himself, the plaintiff in the ill-fated Virtumundo lawsuit decided last week.

These individuals pursued Can-Spam cases even though they did not run ISP-based businesses, or they only ran small, token ones. (Their spam lawsuits received more of their resources than their ISP businesses.) Many set up Web pages to showcase their lawsuits and encouraged others to pursue similar claims.

Without a doubt, this aspect of the decision will force similar plaintiffs to think twice before filing suit.

Can-Spam provides for enforcement by governmental entities such as the Federal Trade Commission, and in certain situations, states attorney general. The only private entities that can bring lawsuits under Can-Spam are providers of "Internet access services" which are "adversely affected." This was a critical issue in the Virtumundo case.

The plaintiffs (Gordon and his entity) alleged they received 13,800 improper e-mails and sought damages in excess of $20 million. The defendants challenged whether Gordon fell within the statutory definition of an Internet access service (IAS), and in particular, whether Gordon was "adversely affected."

While the court did not squarely resolve the IAS-definition issue (alluding that traditional ISPs were proper private plaintiffs under Can-Spam), it held that the plaintiffs were not "adversely affected" under Can-Spam and could not maintain the lawsuit. The court noted that the plaintiffs used a third party--Verizon--for Internet access, and pointed out that the plaintiffs did not suffer harm "beyond the consumer-specific burden of sorting through an in-box full of spam." The plaintiffs did not suffer harm "related to bandwidth, hardware, Internet connectivity, network integrity, overhead costs, fees, staffing or equipment costs."

After disposing of the Can-Spam claims based on lack of harm specific to Gordon, the court also dismissed the Washington state law claims. The court largely tracked the Mummagraphics ruling from last year which held that Can-Spam was intended to cover material deceptions in e-mails.

The plaintiffs argued that the "from lines" were misleading because they often referenced "a topic area or type of advertisement" (rather than a specific person) and because the domain names used by the defendants did not contain (identically) the sender's name. The court showed little tolerance for Gordon's hyper-technical arguments.

For Gordon, this decision will likely be devastating. The decision notes both that he is a party to 10 other cases in western Washington alone, and that he makes a living from spam lawsuit settlements. The viability of all of these cases is immediately called into question. More importantly, the court delivered Gordon a severe blow in the form of attorney's fees. Without a doubt, this aspect of the decision will force similar plaintiffs to think twice before filing suit.

Another question is how and whether this will affect claims brought by real ISPs. Smaller spammers may now argue that there was no "significant" harm felt by their e-mails alone. In most cases, this argument will not prevail--the ISPs retain experts who testify as to the incremental costs caused by each additional piece of spam. Of course, only time will tell.

Biography
Venkat Balasubramani practices Internet law and litigation at Balasubramani Law and frequently represents clients involved in Can-Spam disputes. He maintains the Spam Notes blog. As an outside counsel, VB did some work for 180 Solutions, Zango's predecessor.

More Perspectives

[westrajc]

Lawyers Won't Protect Us!

Find the vermin and terminate them with extreme predudice! If you're a spammer, phisher, porn peddler, etc, you should go through life living in fear that every breath might be your last.

[SeizeCTRL]

Spammers

Known spammer's home addresses should be made public... so when I can't opt out from receiving his spam, I can show up at his door to be a little more convincing.

[MacHeads]

You already have his office's IP Address.

But then again this may be forged as may almost everything be
with SMTP protocols. Our company one day recieved about 900
spams a day from a small law company in the Middle of
Netherlands. They were the central node of a whole botnet
including 600 machines. I had to contact the company's ISP
myself and discuss what measure of interdiction they were
taking to help solve their issue (loads of angry callers) , Most
Oses , Machines out there can be bot netted these days (save for
a few) . Windows is the system of choice for spammers since it is
so easy to infiltrate , would you like someone to show up
because you were 00wned , of course not . What needs to be
done is a deprecation of the old SMTP protocols to get a new
one implemented one that first would check your DNS zone
before agreeing to send out a message and harden
authentification mechanisms , and more secure Oses (Windows
does need not apply) .

[thenet411]

SPAMMERs do NOT have a right to send!

No matter what the SPAMMERs think, no matter what the clueless, old, technically inept, judges think, SPAMMERs do not have the right to send their crap. NO ONE WANTS SPAM. Yet, these idiots are allowed to continue sending this crap. Why? Because judges are idiots. Judges are far too old to understand the Intertubes (yes, that was a jab at other people that are too old to understand the Internet). Understanding of the Internet and its impacts is certainly an age-related issue. Studies show that the majority of people over 45 have no clue what the Internet really is or how it works. Just because some people over that age may use it, doesn't mean that they know anything about it. Once people with a clue about how the Internet works, what its impacts are, and what SPAM really does to it, consumers who must deal with SPAM are screwed.

[MacHeads]

I Agree.

Judges at this point in time fail to grasp the global impact spam
has on every internet users at large , most machines sending
spams these days are virri ridden boxes or botnets being
controllled over the WWW. Any web application (Webmail CRM
etc etc etc ) need bandwith to work and spammers are just
freeloading on everyone's time and capacity to communicate
they are at best a hindrance at the worst a nuisance with more
and more links to Organized Crime as years pass. The problem
is the metaphors might have been badly chosen while
explainning the internet to a number of people .

An Able metaphor might have been more your PC=your car ;
You=Driver , Os = Steering Wheel , Your Internet Connection's
Bandwith = Your injectors , Spam = Dust Particles that can
choke the ignition of your air and gasoline mix if over a certain
quantity. While the stirring wheels come in different flavors they
sure have some influence on the driver's behavior at the wheel in
terms of "Feel" of the car but that is pretty much it . While a
driver does not have to undestand each single part of the car he
has to master the steering of the vehicle . Now if you drive
continusly dust impurities that SPAM is can bring misery to your
engine and others as well this is why we need to identify and
sanction spammers that at some point will force us all to think a
new electronic mail system altogether to keep them out of the
simplest communication system the internet provides from
person to person.

[rcrusoe]

Congress acts, and the problem gets worse

Since Congress passed the "You Can-Spam" act the amount of spam we receive at my company has more than doubled.

I shudder to think what will happen if they pass any "immigration reform" legislation.

[T38]

disturbing

I couldn't help but be disturbed by this line in the judges decision: "The court noted that the plaintiffs used a third party--Verizon--for Internet access..."

Many legitimate ISP's use a third party for Internet access. The ISP I used to work for used Time-Warner Telecom as it's "upstream" provider, and the one I currently work for uses (among others) AT&T. You've got the really large ISP's (such as AT&T, SAVVIS, Level 3 and Verizon) who provide coast-to-coast, border-to-border connectivity, and then there are a whole host of smaller ISP's that purchase bandwidth from these larger networks for transport to the Internet at large. Throwing out a complainant's suit because he purchases bandwidth from an upstream provider is ludicrous.

[BrianFH]

Parasites on parasites

I think the intent of the judgment is perhaps to derail the cottage industry based on suing as though one were a going concern suffering harm from spam, when actually he was inviting it in order to litigate.
The degradation of internet access and quality sounds to me more like a class-action kind of issue;
perhaps an association of genuinely and demonstrably harmed firms etc. could be formed to begin suing every substantive spammer in sight.

Of course, getting at foreign botnets is something only a firm or institution can afford, in any case. So such an association might have some legs in many areas where little suers have no access or power.

[www.sorehands.com]

I sue spammers

This 'cottage industry' as he puts it are people who ask companies to stop spamming and ignore the request. In Gordon's case, Virtumundo used from lines that said "Free IPOD" or "8 megapixel camera." A recipient of spam should not need to be an internet detective to identify the spammer. One should not have to open a spam, exposing their system a virus or trojan, only to identify the spammer.

Gordon sent Virtumundo over 6000 e-mail requests to stop spamming -- but it continued. A porn spammer that Balasubramani represented ignored requests to stop spamming, but then claimed it was "an affilite did it." These spammers keep paying the affiliates, ignoring complaints because it makes them money. I had one company (it looks like from discovery) terminate a spamming affiliate only to re-signup the same spamming affiliate.

This adversely affected ruling is wrong, the Court ruled that Gordon's ISP business was not adversely affected because it did not go over the bandwidth limit (Gordon used a leased server). Every spam that goes through an ISP affects it. The Court ruling implies that an ISP that properly plans its system requirement so that it does not get overloaded by spammers cannot recover under CAN-SPAM because it properly planned its system and had sufficient they capacity margins.

I'd love it if spammers would stop spamming and I could get back to writing code full time. Especially because I need to time to rewrite my e-mail client to run faster (I can double the -- because of all the spam that I receive. I already customized the code of my mail server to deal with spammers. They will claim it was not their spam, but it was someone elses spam that caused the overload.