Opening up the CAN-SPAM Act

March 1, 2004

The first United States federal law placing restrictions on the use of unsolicited commercial e-mail (UCE), or “spam,” went into effect on 1 January 2004. While it is early days yet, the reactions of both anti-spam activists and spammers to the new provision, known as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (“CAN-SPAM” or the “Act”),[1] suggest that the Act is unlikely to have much effect in stemming the rising tide of spam messages (many originating from US spam gangs) that is clogging mailboxes the world over. Some of the apparent weaknesses of CAN-SPAM as an effective tool to thwart spam may arise from dubious drafting decisions, and some may be reflective of endemic shortcomings of any attempts to control spam by national legislation, given the inherent fluidity and anonymity of e-mail distribution through the Internet.

Although the US Congress had been considering different anti-spam measures for several years,[2] it was comparatively slow to pass a legislative response to spam.[3] But in the face of an overwhelming public perception that spam was proliferating at an unacceptable rate,[4] and recognizing that spam was imposing massive cumulative costs on American business and consumers,[5] Congress finally acted in late 2003 to create a national standard for the acceptable use of e-mail solicitations.[6]

The Act

The Act includes a compelling list of Congressional Findings in section 2(a). Among these are:

· The rapid growth in the volume of UCE threatens the convenience and efficiency of e-mail.

· UCE accounts for more than half of all e-mail traffic.

· Most UCE are fraudulent or deceptive.

· UCE results in costs to recipients of UCE, including the costs of storage and costs associated with the time spent accessing, reviewing, and discarding the mail.

· UCE also is costly to Internet service providers, businesses, and educational institutions because of the need to increase storage or bandwidth or both.

· The receipt of a large volume of UCE increases the chances that wanted e-mail will be discarded or ignored.

CAN-SPAM attempts to address these problems in two ways: (1) by requiring that all commercial e-mail promulgators operate on an “opt out” basis, ie they must provide recipients of a commercial message with a reliable means to elect not to receive any future mailings from the particular sender; and (2) by restricting certain common and deceptive practices employed by spammers, so as to provide greater transparency and accountability for senders of commercial e-mail.

The “opt out” provisions of CAN-SPAM are provided in section 5(a) of the Act. These provisions make it a criminal offense to omit from any commercial e-mail a functional means of unsubscribing from future e-mails (along with advice to the recipient making clear that the e-mail is a commercial one and that the recipient is entitled to opt out of future such communications). Senders are also required to provide within their commercial e-mail an accurate return postal address.

The provisions aimed at stopping common deceptive spammer tactics include prohibitions against using forged e-mail headers and/or return addresses, or using false or misleading subject lines, against “harvesting” of e-mail addresses by automated means, against the use or hijacking of intermediate “relay” computers to disguise the origin of commercial e-mail, against continuing to send commercial e-mails to, or distributing to other spammers the e-mail addresses of, recipients who have opted out, and against using multiple e-mail accounts for the purpose of concealing spam activities. See sections 3(8), 4(c) and 5(a) and (b). Additional provisions of the Act place further restrictions on sexually-oriented commercial e-mail.[7]

The CAN-SPAM Act also requires the Federal Trade Commission (“FTC”), the agency generally charged with enforcement of the Act (under section 7), to formulate and present to Congress plans for implementation of a “do not e-mail” list by which consumers could globally opt out of all UCE (as with the highly popular “do not call” lists recently implemented in the US to curb telemarketing), and a plan for electronic submission to the FTC, and handling of, consumer complaints regarding UCE (sections 9, 10, 11 and 14(e)).

Violators of the CAN-SPAM Act could, based on the Act’s enforcement provisions, incur serious civil and criminal penalties. A party who, for instance, was found to have forged e-mail headers, or to have hijacked relay computers to distribute spam, could (if other aggravating factors were found, such as that the spammer’s activities were employed in aid of a separate fraudulent scheme) face up to five years’ imprisonment, in addition to fines and forfeitures (section 4(b) to (e)). In addition to initiating procedures under the specific provisions of the CAN-SPAM Act, the FTC is empowered to seek remedies against violators of the Act under its general consumer protection mandate and its delegated powers to prevent deceptive trade practices by employing the enforcement provisions of the Federal Trade Commission Act (section 7(a) and (d)).

The CAN-SPAM prohibitions also extend to those who, even without committing any violative conduct under the Act, conspire to commit such conduct, thus in principle invoking the broad federal anti-conspiracy policies and remedies against even attempted spam schemes (section 4(a)). Finally, the Act provides that certain especially egregious spam activity (such as employing automated address harvesting or “dictionary attacks” to generate lists of recipient e-mail addresses, or employing proscribed spam activities in connection with other crimes such as fraud or identity theft) can justify imposition of enhanced penal sentences (either for the unlawful spamming activity itself, or for another crime that the perpetrator facilitated by such spamming) under the federal sentencing guidelines (section 4(b)).

In addition to the basic, and in theory quite strong, enforcement mechanisms entrusted to the FTC, the CAN-SPAM Act also authorises civil causes of action to be brought against violators of the Act by: (a) state attorneys general or other agencies, who can, absent FTC objection, seek injunctive relief, statutory damages up to $2,000,000 (with the additional possibility of punitive damages in special cases), and attorney’s fees, for violations of the Act adversely affecting their state’s citizens; and (b) Internet Service Providers adversely affected by violations of the Act, who can seek similar injunctive and statutory damages remedies, up to a recovery of $1,000,000. Finally, the prohibitions and penalties of the Act extend not just to the actual sender of UCE, but also to any businesses retaining or working in concert with such sender (section 6).

All Bark, No Bite?

With such seemingly-extensive, and initially impressive, enforcement provisions, the CAN-SPAM Act might be expected to provide hope to beleaguered spam recipients, and to engender fear (and compliance) on the part of bulk commercial e-mailers. So far, though, neither of these outcomes has been evident.

Anti-spam activists and other commentators have, to the contrary, blasted the CAN-SPAM Act as intrinsically flawed and compromised from the start. Probably the biggest policy-based complaints from the anti-spam camp are that the Act shifts the burden of avoiding unsolicited e-mail, in the first instance, from the sender to the receiver, by virtue of its “opt out” provisions. Vocal anti-spam advocates have derisively dubbed the Act the “You-Can-Spam” Act, arguing that it provides a federal imprimatur for unsolicited e-mail by deeming it presumptively lawful as long as accurate return address/header information, and functional “unsubscribe links,” are provided.[8] E-mail users are justifiably wary of unsubscribe links, which have become fatally tainted because of spammers’ employment of bogus links, or worse, links that actually serve to verify the recipient’s e-mail address as a prime target for further spam.[9] Therefore, it is not clear that consumers will be willing to rely upon purported unsubscribe links even when they are legitimate and functional in compliance with CAN-SPAM. Critics also point out that the Act pointedly refrains from providing any private right of action to individual victims of spam (vesting all enforcement authority, instead, in the hands of federal and state agencies and, to some extent, Internet service providers).[10]

Anti-spam activists further view with great suspicion the fact that the CAN-SPAM Act was enthusiastically supported by many direct marketers and other users of UCE, who feared, and managed through their lobbying to avert, more stringent (and, the activists assert, more potent) legislation.[11] Moreover, the Act explicitly pre-empts most state laws concerning UCE, including stringent laws that were already on the books in California and other states.[12] These state laws contained proscriptions and penalties viewed by anti-spam forces as more effective, and as properly placing the burden of spam avoidance squarely on marketers, not e-mail recipients (such as deeming all UCE prima facie unlawful unless the recipient had previously indicated consent to its receipt, ie an “opt in” rule as opposed to CAN-SPAM’s opt out provision that makes at least the first unsolicited commercial e-mail sent to a recipient lawful so long as he could affirmatively opt out, and providing private rights of action to spam recipients).[13]

Critics have likewise argued that CAN-SPAM’s relatively marketer-friendly approach is at odds with that adopted by the EU in its DPEC (which took an “opt in” approach to most UCE) and with the policies implemented in countries such as the United Kingdom, which has now, pursuant to the DPEC, put into force regulations requiring prior opt in before any commercial e-mail can be sent to an individual consumer, although the regulations permit an “opt out” approach as to UCE sent to businesses.[14]

Another factor that may add to the scepticism regarding the efficacy of CAN-SPAM is that even the penalties that it does make available are to be enforced in the first instance by the FTC, which brings to the fray of spam fighting a slate largely clean of any significant victories or effective action against spammers.[15] For instance, the FTC has long accepted consumers’ e-mail submissions of deceptive UCE. However, the agency has in most cases, rather than taking any action on individual fraudulent spam communications, simply “archived” the spam in an impressively comprehensive, but not obviously useful, “museum of spam.”[16] The FTC’s chairman has voiced his opposition to a “do not e-mail list” and expressed his belief that “legislation cannot do much to solve the spam problem.” While these assessments would not sound out of place coming from some industry observers pessimistic about the true feasibility of enforcing compliance on rogue spammers who hide behind the Internet’s anonymity, they nonetheless appear in dubious, defeatist taste coming from the head of the agency charged with attempting to make such legislation effective.[17] The supine FTC also has not shown itself especially imaginative in applying prior laws to thwart spam – it has not, for instance, taken the aggressive, but not unjustifiable, position that sending UCE with forged headers and return/unsubscribe information is by itself (regardless of the UCE’s other content) an instance of wire fraud under 18 U.S.C. § 1843.[18]

Early Results: Far From Promising

That the CAN-SPAM Act falls well short of successfully addressing the very problems that Congress correctly found were caused by rampant spam can hardly be doubted, and the spammers themselves seem to have come to the conclusion that, Act or no Act, they may with impunity continue with business as usual. Indeed, early indications are that the vast majority of UCE continues not to comply with the Act’s requirements regarding opt out capabilities and non-forged headers.[19] However, it is not clear that the inclusion of more stringent anti-spam terms in the CAN-SPAM Act would by itself have led to a different outcome, as even jurisdictions that have adopted strict “opt in” rules are not necessarily going to see meaningful diminutions in the incidence of non-compliant solicitation e-mails.[20]

In fact, some have suggested that no legal approach can successfully stop spam, because of the multi-jurisdiction problems of tracking and holding accountable anonymous spammers operating through computers and relays in multiple remote countries and the low barriers to entry allowing new spammers readily to spring up and replace any who might be identified and put out of business.[21] On this view, the only parties affected by or compliant with anti-spam legislation will be the good and accountable corporate citizens who would be likely, even absent such legislation, to honour their customers’ preferences not to receive solicitations.

On the other hand, given that some authorities assert that the great majority of spam originates from just a handful of spam gangs, many based in the US or other identifiable locations,[22] it seems inadvisable to despair entirely of a judicial and law enforcement approach that could hope to put a significant dent in spam simply by locking up or bankrupting the spam kingpins, at the same time that the computer and e-mail industry pursues more and more potent technological measures (such as Bayesian filtering and “challenge/response” authentication systems[23] for e-mail) to intercept, and reduce the value to the sender of engaging in, abusive UCE.

Conclusion

If, as seems probable, the CAN-SPAM Act proves insufficient, by itself, to thwart the explosion of spam, and if even improved anti-spam technology continues to be vulnerable to the spammers’ relentless chicanery, the United States will be driven to adopt measures far more stringent than the CAN-SPAM Act. Equally important, it will have to develop a complement of effective regulatory, judicial, and law enforcement strategies (ideally in conjunction with other jurisdictions) to take on the world’s UCE bandits.

Jeffrey D. Sullivan (jsullivan@bakerbotts.com) is an associate in the intellectual property group of the New York office of Baker Botts, L.L.P. Michael B. de Leeuw (deleemi@ffhsj.com) is an associate in the litigation department of the New York office of Fried, Frank, Harris, Shriver & Jacobson LLP.


[1] Passed as Senate Bill S.877 (to be codified, in part, at 18 U.S.C. § 1037).

[2] See, e.g., Summary of Anti-Spam Bills in the 106th Congress, Tech Law Journal (June 21, 1999), at www.techlawjournal.com/cong106/spam/Default.htm (describing six bills that were introduced during the 106th Congress (1999-2000), including the first version of CAN-SPAM).

[3] The European Union, for instance, had finalised a Directive on Privacy and Electronic Communications (“DPEC”), providing, among other things, regulation of e-mail solicitations, by 12 July 2002.

[4] See Enrique Salem, Can-Spam Act is a Start, CNET News.com (Dec. 11, 2003), at http://news.com.com/2010-1028-5119513.html (noting public dissatisfaction with spam, currently estimated to make up as much as 67% of all e-mail traffic).

[5] See, e.g., Jay Lyman, Spam Costs $20 Billion Each Year in Lost Productivity, E-Commerce Times (Dec. 29, 2003), http://www.ecommercetimes.com/perl/story/32478.html (citing analysts’ assertion that businesses’ cost of dealing with spam were increasing at approximately 100% each year).

[6] The CAN-SPAM Act is drawn by its terms not to “spam,” but to “multiple commercial electronic mail messages” (with “multiple” being defined in specific numeric terms of messages sent per day, week, or month), a category that would presumably include, but not necessarily be limited to, UCE/spam. See S.877 §4 (d)(3). However, the Act does expressly exempt from the definition of the class of regulated/proscribed communications any “transactional or relationship messages,” which are generally defined as communications from a business to its pre-existing customers with respect to a prior business transaction or ongoing business relationship, as such messages from existing transaction partners have generally not been viewed as “spam” per se (because affirmative consent to receipt of such messages is inferred from the context of the prior transaction or ongoing business relationship). Id. § 3(17).

[7] See section 5(d) (requiring that any commercial e-mails regarding sexually-oriented materials, unless sent pursuant to the recipient’s prior consent to receive such material, be clearly labelled as pertaining to adult subject matter and that the initially-viewable content of the e-mail not contain the sexually-oriented content).

[8] See, e.g., United States set to Legalize Spamming on January 1, 2004, Spamhaus, at www.spamhaus.org/news.lasso?article=150 (providing commentary from leading anti-spam website spamhaus.org):

Against the advice of all anti-spam organizations, the U.S. House of Representatives has passed the CAN-SPAM Act, a bill backed overwhelmingly by spammers and dubbed the “YOU-CAN-SPAM” Act because it legalizes spamming instead of banning it. Spam King Alan Ralsky told reporters the passage of the House bill “made my day.” Spammers say they will now pour money into installations of new spam servers to heavily ramp up their outgoing spam volumes “all legally.”

* * *

With the passage of CAN-SPAM, spamming will be officially legal throughout the United States, CAN-SPAM says that 23 million U.S. businesses can all begin spamming all U.S. email addresses as long as they give users a way to opt-out, which users can do by following the instructions of each spammer. Anyone with any sense would of course realize that if CAN-SPAM becomes law, opting out of spammers lists will very likely become the main daytime activity for most U.S. email users in 2004. The second main activity will be sorting through mailboxes crammed with ‘legal’ spam every few minutes to see if there’s any email amongst the spam.

[9] See, e.g., Hermit, National SPAM Law Not as Bad as Utah’s, Utah Politics (December 16, 2003), at www.utahpolitics.org/archives/oooo19.shtml (“[C]ompetent computer professionals will tell you to never hit unsubscribe, as it verifies your address.”).

[10] See, e.g., CAN-SPAM May Help Curtail Spam, but Bill Has Some Troubling Provisions, CDT Policy Post, Volume 9, Number 23 (December 12, 2003), at www.cdt.org/publications/pp_9.23.shtml (“[T]he CAN-SPAM Act lacks what might have been the most effective means of enforcement – a narrowly drawn individual right of action.”). Laws restricting unsolicited commercial communications in other contexts that have provided private rights of action (cf. 47 U.S.C. § 227, the “anti junk fax” law, permitting recipients of unsolicited advertising facsimiles to seek damages of up to USD$1,500 in small claims court) have been regarded as highly successful deterrents to abusive solicitations, by creating hundreds of “private attorneys general” to pursue miscreants whose activities might otherwise escape pursuit by the government’s investigative apparatus. See Lori Enos, Can Spam Ever Be Stopped?, E-Commerce Times (May 14, 2001), at www.ecommercetimes.com/perl/story/9581.html (quoting expert to the effect that “most fax spammers ‘stopped pretty quickly’ after the junk-fax law was passed” due in part to its private right of action provision).

[11] See, eg, David Berlind, Score one for the spammers: CAN SPAM bill to become law, Tech Update (November 30, 2003), at techupdate.zdnet.com/techupdate/stories/main/Score_one_for_the_spammers.html?tag=tu.fd.sc.link (“It’s no wonder the [Direct Marketing Alliance, a coalition of bulk advertisers] likes the CAN SPAM bill. It gives marketers unbridled rights to invade our inboxes at least once.”); see also Joseph J. Lewczak and Ivana Starr, Congressional Cure-All For Consumers’ Clogged Inboxes Federal Law Provides Uniform Set of Commercial Email Rules, FindLaw Corporate Counsel Center, at http://articles.corporate.findlaw.com/articles/file/01009/009360 (providing summary of the Act by counsel for e-mail marketing companies: “The Act’s impact on state SPAM laws is a tremendous victory for the marketing industry.”).

[12] See S.877 § 8(b); see also Joseph J. Lewczak and Alison DeGregorio, California’s new SPAM law has been pre-empted by the passage of the federal CAN SPAM Act of 2003, which goes into effect on January 1, 2004, FindLaw Corporate Counsel Center, at http://articles.corporate.findlaw.com/articles/file/01009/009210.

[13] See Cal. Bus. & Profs. Code § 17529 (2003) (superseded).

[14] See DPEC, supra note 3; see also The Privacy and Electronic Communications (EC Directive) Regulations 2003.

[15] See, eg, Stephen H. Wildstrom, Why Spammers Laugh at CAN-SPAM, BusinessWeek online (January 7, 2004), at www.businessweek.com/technology/content/jan2004/tc2004017_2996_tc078.htm (“But neither the overburdened FTC nor hard-pressed U.S. Attorneys get any new enforcement resources [to enforce the CAN-SPAM provisions].”).

[16] See Michelle Delio, FTC: Where Spam Goes to Die, Wired (November 5, 2002), available at www.wired.com/news/politics/0,1283,55972,00.html (quoting FTC staff attorney: “No one sits down and actually reads all the spam that we receive daily . . . . That would be incredibly boring and totally futile.”).

[17] See FTC Chairman Calls Spam “One of the Most Daunting Consumer Protection Problems FTC Has Ever Faced,” Federal Trade Commission (August 19, 2003), available at http://www.ftc.gov/opa/2003/08/aspenspeech.htm#36237.

[18] The elements of wire fraud under Section 1843 are: (1) that the defendant voluntarily and intentionally devised or participated in a scheme to defraud another out of money; (2) that the defendant did so with the intent to defraud; (3) that it was reasonably foreseeable that interstate wire communications would be used; and (4) that interstate wire communications were in fact used. In the UCE context, the FTC might have argued that recipients of forged UCE, who may spend thousands of dollars maintaining their e-mail servers and implementing spam filters, are “defrauded” of this investment to the extent that they rely upon the spammer’s false representation that its message is a legitimate commercial communication, that unsubscribing from the UCE is possible, and that the source of the e-mail is the (forged) return address; in essence, the spammer is shifting the cost of transmitting and displaying his advertising from himself to the receiving company’s e-mail servers.

[19] See, eg, John Leyden, CAN-SPAM means we can spam, The Register (January 9, 2004), at http://theregister.co.uk/content/55/34790.html (reporting sampling in early January, 2004 that showed only three of 1,000 UCE samples contained the CAN-SPAM-mandated information and links).

[20] See, eg, John Leyden, UK anti-spam law goes live, The Register (December 10, 2003), at www.theregister.co.uk/content/6/34443.html (quoting U.K.-based spam expert: “Email users should not expect to see a huge impact on the volume of junk email they receive [following implementation of the U.K.’s opt in rules for e-mails to consumers].”).

[21] See, eg, Anita Ramasastry, Why the New Federal “CAN Spam” Law Probably Won’t Work, FindLaw Corporate Counsel Center (Dec. 3, 2003), at (http://writ.corporate.findlaw.com/ramasastry/20031203.html) (“Ultimately, the real solution to spam, I believe, will be more likely technological than legal, or some combination of these two, and potential other, approaches.”).

[22] See John Leyden, US Anti-Spam Laws “Will Legalise Spam,” The Register (Jan. 7, 2003), available at www.theregister.co.uk/content/archive/31506.html (citing Spamhaus contention that “around 200 individuals, most of whom are US-based, are responsible for around 90 percent of world’s spam messages (or at least nine in 10 of those who can be traced, anyway). Several are based in Boca Raton, Florida, which has earned an unenviable reputation as the world’s spam capitol.”).

[23] Such authentication regimes would require (before an e-mail was delivered) that the sender personally respond to a challenge automatically generated by the receiving party’s server, with the required response being of a type impossible for automatic-mailing software to generate. Similar approaches would involve requiring a sender’s name and return address to appear on a “white list” of senders trusted by the recipient, or implementing improved tracking and analysis of e-mail headers to detect the “true” originating address even when the header has been forged or ‘spoofed’.