Winter-Spring 2004

The CAN SPAM Act, or How to Earn Big Dollars Suing Spammers

Pop quiz! When was the first reported SPAM? Clearly an issue of mythology, it was purportedly in 1978 when an aspiring salesman posted an advertisement for a new DEC computer to Arpanet. Where does the nickname "SPAM" come from? Leading mythologists suggest that it comes from a Monty Python skit where the actors inanely repeat the phrase "SPAM, SPAM, SPAM, SPAM." Who is going to sue you for misuse of a trademark for calling unwanted email "SPAM"? Hormel—with their fine selection of canned meats—but Hormel is apparently far less apoplectic about the use of its trademark than once rumored. See SPAM Corporate Info, SPAM and the Internet.

As the wonders of SPAM have grown, taking governmental action to protect innocent email boxes has become a new political mandate. After approximately 25 legislative attempts dating back to 1997, Congress finally came up with a proposal that made it through the filters. On January 1, 2004, the CAN SPAM Act went into effect.

The New Law

At first read the CAN SPAM Act can seem a bit convoluted. On second read the CAN SPAM Act can seem a bit convoluted! On third read...and so on. The Act says that fraudulent email headers are a bad thing. And then it says it again and again. And if it is not clear that you need to include opt out language in your SPAM, it repeats this a few times, too. My theory is that having immersed themselves in the universe of SPAM, Congress thought it might be clever to whack spammers by filling their inboxes with statutory language.

To the trained eye, however (translation: to an attorney who spends too much time in a grey padded cubicle attempting to discern the cryptic will of the legislatures, seeking revelations on how their clients might be redeemed), the Act will begin to elucidate meaning. The high prophets of the US Supreme Court have taught us that Congress always knows what it is talking about and there is no such thing as meaningless repeated repetition. Applying these sacred principles, the trained eye discerns that it is not just that Congress does not like fraudulent headers, and if you did not understand them the first time, then they will say it again that they really, really donÍt like fraudulent headers.

What Congress is up to is creating parallel sets of authority: one for the Department of Justice and another for the Federal Trade Commission. The DOJ authority is directed at culprits and their wayward deeds; FTC authority is directed more at the victims of the wayward deeds, affording protection for those who might suffer the slights and arrows of outrageous opportunities for fortune from a "government official" in Nigeria.

Wayward Deeds

The CAN SPAM Act can be reduced to a simple nutshell: don't falsify the header of commercial email. If anyone has any trouble understanding that, Congress spells it out: don't falsify the from field; don't falsify the subject line; don't falsify the IP address; don't falsify the domain name; don't falsify the origin; and don't falsify the relay points.

There are a few other do's and don'ts. First, do SPAM. SPAM itself is legal as long as the header is not falsified (and the spammer complies with the rest of the do's and don'ts).

Spammers must clearly and conspicuously identify SPAM as a commercial solicitation. The SPAM must include a valid post office address of the sender. Sexual content must have a subject line clearly identifying it as such, or have a message that only indicates how to access the content and is not the content itself. Spammers may not use harvested email addresses nor may they use dictionary automation to create email addresses.

At this time, there is no officially designated SPAM label that must appear in the subject line. The FTC has authority to impose such a requirement in the future.

Spammers must give recipients the opportunity to opt-out of receipt of further SPAM. This means that spammers can SPAM you at least once legally. The opt-out option must be clear and conspicuous. The option must involve a working email address (for at least 30 days after the transmission of the email) or some other Internet-mechanism (no requiring recipients to call your 1-900 phone number) that permits the recipient to request no further SPAM from the sender to that recipient's email address (every time you change email addresses, spammers have another bite at the apple). After receipt of the opt-out request, the spammer may SPAM the recipient for 10 days and then must stop. In typical CAN SPAM Act style, Congress pounds in the idea that these opt out provisions apply to the spammer, anyone acting on behalf of the spammer, anyone assisting the spammer, and anyone who might have bumped into the spammer at a cocktail party.

One final "do": Do continue to use blacklists; at least, the CAN SPAM Act states that it does not make unlawful "the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, route, relay, handle, or store certain types of electronic mail messages."


What is SPAM? During this election season when some imprudent candidates might think it clever to sway you by bombing your inbox with persuasive prose, is this SPAM? To the untrained legal eye, the answer is "of course this is SPAM; bleah!" But as we all know, attorneys and politicians do not speak the English that most Americans speak. The CAN SPAM Act restricts Commercial Electronic Email Messages (I just love the repetition of this Act; the Act restricts Electronic Electronic-mail. I know the Supreme Court says that Congress knows what it is talking about and every word has meaning; when I discern what a non-electronic electronic-mail is, I will promptly issue an addendum to this article). Under the Act, Commercial Email has the primary purpose of an advertisement or the promotion of a good or service. Commercial Email does not include a commercial transactional email, such as when a dot-com sends you a confirming email that your order of Mashuganuts has just been delivered.

The CAN SPAM Act makes repeated reference to "protected computers." This is not a reference to the use of firewalls or virus protection (although these are good ideas). The term "protected computer" emanates from the Computer Fraud and Abuse Act. Originally "protected computers" were computers from financial institutions and the government. Gradually this definition has been expanded to include all networked computers. Don't make much of these arcane words; if your computer is receiving SPAM, it is a "protected computer."


The next big question is, who gets to whack the spammers? The Department of Justice and the FTC carry primary federal jurisdiction, although a host of other agencies can also whack spammers, including (and I am not making this up) the Secretary of Agriculture under the Packers and Stockyards Act (who says Congress doesn't have a sense of humor). The FCC has specific authority to deal with wireless phone SPAM. The provisions which may be enforced by the FTC may also be enforced by states and privately by ISPs. Individuals suffering the onslaught of generous opportunities have no direct recourse, and any recourse they might have had under state law has been pre-empted. Sorry guys (win one for the spammers who don't want to be sued).

DOJ has authority to whack spammers who hack into computers to send or relay multiple SPAM, falsify the header in multiple SPAMs, harvest email addresses, or fail to label sexual content. Congress directs DOJ to "use all existing law enforcement tools to investigate and prosecute" spammers (let's see, as DOJ do I go after terrorists or whack spammers? Well, Congress directed me toƒ. With limited enforcement resources and other priorities, it is questionable the degree to which DOJ will be an active prosecutor of spammers). Under DOJ authority, spammers can land in jail for up to five years and get hit with some serious fines (note that FTC authority lacks the ability to put spammers in the slammer).

The Federal Trade Commission has authority under the Act which is crafted more towards the protection of recipients. Like DOJ, the FTC may take action against a spammer where an individual has received an email from a hacked computer, where the email has a falsified header, where the spammer harvests email address, or where the spammer fails to label sexual content. Unlike the DOJ, the FTC has authority to enforce the opt-out requirements, false subject lines prohibitions, and the required inclusion of specified information. The FTC may also enforce labeling provisions if it elects to implement such restrictions. The remedies available to the FTC include fines and injunctive relief (cease and desist orders).

States may generally enforce those provisions which may be enforced by the FTC (for some of these provisions the state will have to establish a pattern of behavior). The remedies available to state officials include injunctive relief and the greater of actual damages or statutory damages. Statutory damages amount to $250 per piece of SPAM with a ceiling at $2,000,000 per violation. The state can seek treble damages for aggravated violations. States can also recover attorneys' fees. States must serve notice on the FTC prior to implementing an action; the FTC may join the action; and if the Feds already have an action pending, the state is precluded from initiating an action. Actions must be brought in federal court.

Oh, by the way, any existing State SPAM laws have been pre-empted by the Federal CAN SPAM Act (under the Supremacy Clause, the Feds can say that their law trumps state law).

Internet Service Providers: And now for the moment all networks have been waiting for, the new addition to their business plans: how to make money off of spammers. ISPs may generally bring actions for violations of provisions under FTC authority (note for some of these the ISP will have to establish a pattern of behavior). The remedies available to an ISP include injunctive relief and actual or statutory damages. Statutory damages are $100 per piece of SPAM with false headers and $25 per piece of SPAM for everything else. The maximum whack is $1,000,000 per violation. Treble (multiple by 3) damages are available for aggravated violations. Networks may also seek attorneys' fees. There is not a requirement that the action be filed in federal court.

To take advantage of this generous offer from Uncle Sam, you must be an "Internet access service." As a community network and a CTC, you probably fit this definition.

The term "Internet access service" means a service that enables users to access content, information, electronic mail, and other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services. 47 U.S.C. 231(e)(4).
How do you start having spammers pay for your retirement? The first step will be to find an attorney (probably a technologically sophisticated one) who is a skilled at litigation and collection of judgments. The next step is to devise a strategy with that attorney that includes which spammers to target (might be difficult to whack a spammer cowering on a beach in Brazil) and how to preserve evidence. Legal battles are nasty, brutish, but not short, and better left to people living under bridges. However, you may find attorneys willing to work on a contingency basis (you pay nothing, they get a cut only if they succeed) who will gladly take care of the matter for you.

Post a comment

Remember personal info?

* Denotes required field.