by Brady Johnson <brj@fremontlaw.com>
Talk about deja vu. I recall having written this introduction for a
TidBITS article about spam before, each time changing the unhappy statistics
about spam volumes in an upward direction. I always start by looking
at Brightmail and other sites that track spam to see how the efforts
have fared so far. Sad to say, the news has never been good. Even Congress
has acknowledged this in the opening lines of the CAN-SPAM Act, enacting
this sorry comment into law: "Unsolicited commercial electronic
mail is currently estimated to account for over half of all electronic
mail traffic, up from an estimated 7 percent in 2001, and the volume
continues to rise."
In fact, according to Brightmail, spam is rising faster than the mercury
on a hot summer day. In 2002, spam accounted for 40 percent of all email,
meaning that if Congress's 7 percent number is correct, between
2001 and 2002 there was a nearly 600 percent increase. By the end of
2003 that number had soared to 58 percent. If the trend continues, 65
percent of our email will be spam by the end of 2004. <http://www.brightmail.com/spamstats.html>
To stem this tide, Congress has enacted the "Controlling the Assault
of Non-Solicited Pornography and Marketing Act," or "CAN-SPAM." On
16-Dec-03 President Bush signed the bill into law and it became effective
on 01-Jan-04. <http://www.spamlaws.com/federal/108s877.html>
CAN-SPAM has generated much discussion and debate, with much of the
wired community angrily dismissing it as a deal with the devil and the
marketing community hailing it as a significant step forward in the
battle to combat spam.
Reading the various commentaries on CAN-SPAM, it quickly becomes clear
that a key disagreement turns on the definition of "spam."
To many regular Internet users, "spam" includes any unsolicited
bulk email from any source. To these users, CAN-SPAM addresses only
a small subset of spam while legitimizing the rest of it. The marketing
community and others maintain that bulk email that is not misleading
or deceptive is fair exercise of their commercial free speech rights
and is no more objectionable than junk snail mail. Thus, they claim
that it should not be included in the definition of "spam."
To these users, CAN-SPAM represents a major step forward.
What Is Spam Anyway?
I feel obligated to point out that spam is actually a pinkish processed
meat product made by Hormel. Hormel has belatedly taken issue with using
their product's name for noxious email and is attempting to block
trademarks that include "spam" such as SpamArrest. <http://abcnews.go.com/sections/scitech/Business/techtv_spam030801.html>
But to many folks, "spam" simply refers to any unwanted email
from a stranger trying to sell a product, tout a position, advertise
a commercial Web site, or sway the reader's opinion in some way.
As anti-spam legislation has been enacted in the various states, the
definition has morphed and narrowed to "unwanted commercial email"
or "UCE," exempting non-commercial email such as political
or charitable solicitations. CAN-SPAM narrows this definition even further.
CAN-SPAM uses the term "spam" only in the title acronym and
in one of the initial recitations. (Recitations in a statute have no
legally binding effect and are merely statements of policy reasons to
aid courts in interpreting it.) CAN-SPAM defines "commercial electronic
mail" as email, "the primary purpose of which is the commercial
advertisement or promotion of a commercial product or service."
Political and charitable solicitations are still excluded from this
definition, as are "transactional or relationship messages,"
which are email messages from a party with whom you have an existing
connection of some kind.
CAN-SPAM gives the Federal Trade Commission (FTC) the authority to change
the definition of "transactional or relationship messages... to
the extent that such modification is necessary to accommodate changes
in electronic mail technology or practices and accomplish the purposes
of this Act." However, the FTC does not have authority to alter
the definition of "commercial electronic mail."
Key CAN-SPAM Provisions
CAN-SPAM's most severe prohibitions focus on certain types of deceptive
and fraudulent email. These can subject the spammer to substantial criminal
penalties of three years in prison for a first offense and five years
for a subsequent offense, or for deceptive commercial email that is
sent in furtherance of another felony. This would include, for example,
the many messages claiming to be from exiled political leaders seeking
help to launder and share their hoards of untold wealth if only the
recipient would provide a valid bank account number to them first. Those
messages - already the subject of prosecutions under existing criminal
statutes - are subject to further criminalization under CAN-SPAM.
Other criminal acts include using a computer, server, or domain to send
or relay commercial email without the lawful owner's permission,
and using false headers or misleading subject lines. These activities
are also subject to civil actions and penalties in addition to criminal
prosecution.
CAN-SPAM uses an opt-out model, requiring that all commercial email
include a method of opting out of future mailings from the sender, as
well as the sender's real email address and snail mail contact
information. The statute specifies that spam must contain a mailto,
Web link, or other online mechanism that the recipient can use to opt
out. All commercial email subject to CAN-SPAM is required to identify
itself as an advertisement. The statute does not specify how spammers
should identify their email, leaving that to the FTC, which has until
April Fools' Day (01-Apr-04) to publish the identifying marks that spammers
must use. Like other provisions of CAN-SPAM, this identification requirement
does not apply to mail sent to anyone who has affirmatively consented
to receiving the messages.
CAN-SPAM considers certain actions to be "aggravated violations"
potentially subject to more severe penalties. These include the common
practice of harvesting email addresses from various Internet sources
and of using "dictionary attacks." Hijacking someone else's
server is also an aggravated violation.
One heavily criticized component of the Act is the provision preempting
all state laws addressing spam with certain very limited exceptions.
The only state laws that survive this evisceration are those that prohibit
falsity or deception in commercial email such as the Washington state
statute and large parts of the California statute, and those that only
incidentally affect email. Examples of statutes with incidental effects
on email would include general computer trespass laws, consumer protection
statutes, and other laws that apply generally to conduct that may sometimes
include email. That means that much existing state law has fallen by
the wayside and that the California opt-in statute which was to take
effect this year has been essentially nullified in most material respects.
As far as enforcement goes, CAN-SPAM allows no private right of action,
meaning that individual victims of spammers cannot go to court and sue
for violation of the statute. Authorized enforcers are the FTC and other
federal government agencies, state Attorneys General, and Internet service
providers. It's worth noting that Internet service providers often
have their own acceptable use policies relating to email and spam. The
new federal statute does not disturb these private rules, meaning that
an ISP retains authority under those policies to cancel or suspend a
user and often to claim damages, etc. for violation. Leaving ISP authority
in place provides an independent, if seldom-used, basis of liability
against spammers.
Will CAN-SPAM Work?
I don't think so. CAN-SPAM is a decent enough starting point, but
in my opinion it has too many flaws to make it effective to stop or
even slow spam.
CAN-SPAM's good points are that it is a federal statute and thus
applies uniformly throughout the United States. This eliminates the
sometimes confusing patchwork of different laws in the states that have
enacted anti-spam statutes. It also goes a long way toward resolving
jurisdictional issues involving whether a state has authority to control
a business operating outside its boundaries. These jurisdictional disputes
were quite common under state spam enforcement.
It's also good to see the various "aggravated violations"
called out and codified, since having them more clearly made illegal
will simplify the job of prosecutors.
Also, anything that increases the potential liability for spammers may
sway the economic balance of spam. If sending spam could result in prison,
spammers will have to determine if the rewards are worth the potential
risk. While added liability may not impact the scofflaws who will ignore
any legal mandate or prohibition unless they are arrested, increasing
the risk of prison or significant monetary penalties will probably scare
off businesses that might have been considering skirting the law before.
But despite those good points, CAN-SPAM's flaws abound. Let's
examine them.
International Problems
Unfortunately, CAN-SPAM applies only in the United States. True, U.S.
law and international treaties do confer jurisdiction on U.S. courts
to address issues arising internationally if they impact the U.S. But
while that may sound nice on paper, it suffers from two major problems.
First, there is the problem of actual enforcement. Spammers operating
outside the U.S. are often not subject to U.S. courts, and even where
they are, any judgment or court order is worthless unless it can be
enforced. This fact means that the only way an enforcement agency can
compel a foreign spammer to comply with the law is via diplomatic pressure
from the U.S. Show of hands: how many people think that enforcing U.S.
spam law is likely to become a high priority for U.S. diplomatic efforts
any time soon? Now, if we could show that spammers were actually fronts
for terrorist organizations...
Second, CAN-SPAM's opt-out approach is directly at odds with the approach
taken by much of - perhaps most of - the rest of the first world. The European
Union has adopted a Directive (a policy document) that establishes an
opt-in approach. Each individual member nation must then enact specific
laws implementing the Directive. (The first URL below goes to the English
language version of the Directive; the second URL leads to versions
in other languages.)
<http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf>
<http://europa.eu.int/information_society/topics/ecomm/useful_information/library/legislation/text_en.htm#dir_2002_58_ec>
Australia has also adopted an opt-in law broadly prohibiting commercial
email being sent to Australians. In short, while it seems likely that
most spam comes from the U.S. or is touting products and services of
U.S.-based companies, opt-in appears to be the model of choice in most
of the technologically developed world, with the U.S. falling out of
step with the rest of the global community.
These conflicting approaches are likely to cause problems similar to,
and perhaps worse than, those that existed within the U.S. before the
federal law was passed, and when there were various state statutes with
differing mandates and standards. In the U.S., at least all of those
states were subject to the same federal government and general rules
of legal analysis and interpretation. On the international scene, the
problems caused by such wildly conflicting anti-spam models are likely
to be worse. Since the U.S. law is less restrictive, it appears to me
that the E.U. nations and Australia may continue to be flooded with
spam that is legal in the U.S., but illegal in their countries.
Opt-Out Problems
The unfortunate choice of an opt-out model requires that recipients
contact the sender to opt out of future messages. While this may work
for legitimate marketers who actually include a working unsubscribe
mailto or Web link in the message, most spam is not legitimate, and
uses such links merely as unscrupulous means of confirming or harvesting
email addresses. By encouraging people to use these opt-out links, CAN-SPAM
may actually increase the amount of illegal spam. It also potentially
increases the risk of identity theft and other crimes targeting the
unsophisticated Internet user.
Enforcement Problems
CAN-SPAM puts the entire burden of enforcement on the shoulders of already
overworked federal and state enforcement agencies, which show no signs
of rushing to prioritize spam enforcement. It seems likely that ISPs
will take action, but most ISPs lack the resources to mount intensive
investigations to track down spammers in other countries, or to support
the sort of litigation that may be required to bring them down.
To be fair, prior to CAN-SPAM, most enforcement had to take place at
the individual level, much of it in states without strong anti-spam
statutes. Most individuals can't afford the expense of a full-fledged
spam investigation any more than many ISPs can. But CAN-SPAM does not
permit individual victims to file private suits for violating its terms.
It seems counterproductive not to allow individual enforcement since
it would both aid in the overall effort to combat spam, and would result
in remedies to the actual spam victims - the end users - in cases where
the spammer could be found and held accountable.
Lastly, even once spammers are dragged into court, CAN-SPAM may suffer
from loopholes. For instance, the "primary purpose" prong
of the spam definition means that spammers can include personal notes
in their messages that incidentally offer something for sale, then argue
that the solicitation was not the "primary purpose" of the
email. I suspect that most people reading this have received spam along
the lines of: "Hi there! How are you doing? I am having a great
time. By the way, I ran across this item <insert product here>
and thought you might be interested." While this ambiguity may
not pass the laugh test in court, it is the sort of thing that will
almost certainly have to be tested in court before it has any appreciable
impact, thus further delaying any potential benefit until one of the
authorized enforcers chooses to put the question to a judge. This is
another reason that individual enforcement would have been a good thing
- it seems more likely that an individual or consumer group would take
up this issue sooner than I expect one of the authorized enforcers to
do it.
Summing Up
In previous articles, I have concluded that if spam is outlawed, only
outlaws will spam. An increasing amount of spam is already in violation
of our current state laws and has not been eliminated or even reduced
as the result of having been outlawed. Legitimate companies have attempted
to comply, but the less-than-legitimate scum will freely violate the
new law unless and until they are physically caught.
In the final analysis, CAN-SPAM is a good start, but is far too flawed
to be an effective tool against spam. Like the state laws, it will successfully
prevent legitimate companies from resorting to spam (not that most legitimate
companies were spamming before), but it will have no impact on spammers
outside of U.S. jurisdiction and thus not subject to the U.S. law, or
on unscrupulous spammers who will ignore the law unless they are arrested.
The inconsistency with anti-spam laws used in other parts of the world
may harm those nations' efforts to control spam by allowing spam from
the U.S. to circumvent their laws.
Put bluntly, CAN-SPAM tells spammers that they can spam, so long as
they are careful to drive their truckloads of spam through the truck-sized
loopholes in the statute. What's perhaps most disappointing is that
we've waited for years for a federal anti-spam law, and the one we
ended up with isn't nearly as good as it could have been, or even as
good as some of the now-preempted existing state laws are. That's a
shame, and it's one we'll undoubtedly have to live with for some time.