TRANSCRIPT
Spam
Spam Basics
  E-mail version of mass distribution of direct marketing solicitations, formally known as “unsolicited commercial e-mail” (UCE)
  Cost-effective for the sender because of low marginal costs (low costs to add one more recipient to list)
  Spammers free-ride on ISP networks, which increase their costs to accommodate the growing volume of spam
  There exists a conflict between antispam laws (focusing on fraud, trespass, hacking, infringement) and the Constitution (First Amendment freedom of speech, press)
  Commerce clause may prohibit state antispam laws if they unduly burden interstate commerce
Where does junk mail (spam) come from?
  From software called Spam ware.
  Spam ware is software that automatically searches the Web to collect what it recognizes as email addresses.
Federal Laws Can Be Adapted To Prohibit Some Aspects of Spam
  Telephone Consumer Protection Act (TCPA)
    Prohibits automated dialing systems that charge the call to the receiving landline or wireless phone
    Prohibits fax flooding
    Consumers have the right to be removed from the telemarketing list
  Computer Fraud and Abuse Act (CFAA)
    Intentional access that causes damage
    Sending commands, data, or software that causes damage
    Intentional fraudulent access to obtain something of value
  FTC Act § 5
    Prohibits unfair and deceptive trade practices
  Lanham Act
    Federal trademark law
    False designation of origin can apply to spam
State Laws Are Cracking Down On Spam
  Usually only apply to spam originating from within their state or destined to their state
  California requires spam to include return addresses or toll-free numbers in the first message line so the recipient can opt out
  California, Washington, and Virginia require spammers to comply with ISP’s privacy policies (criminal offense to falsify/impersonate the domain name of a spam sender, a form of technical fraud)
  Maryland criminalizes harassing or obscene e-mail
Constitutional and Tort Law In The Battle Against Spam
  Cyber Promotions, Inc. v. AOL, Inc.
    AOL refused to deliver 2 million daily UCEs from Cyber Promotions
    AOL not found to have violated Cyber Promotions’ First Amendment rights
  Intel Corporation v. Hamidi
    Former employee sent 30,000 e-mails on six occasions to all Intel employees
    Spam constituted a trespass to chattels
New Legislation To Combat Spam
  Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) passed by Congress in December 2003
  Highlights of CAN-SPAM
    Permits e-mail advertising
    Prohibits misleading headers and other practices that mask origin of e-mail ads
    Recipients must be allowed to opt out of future mailings
    E-mail ads may not be sent to recipients who opt out
    E-mail ads must be identified as such
    State antispam laws are generally preempted
New Legislation To Combat Spam
  Highlights of CAN-SPAM continued
    Does not give right to recipients to sue spammers
    FTC may clarify law requirements
  Enforcement
    FTC proceedings
    Criminal prosecutions
    State attorney general actions
    Private lawsuits brought by ISPs
CAN-SPAM Act of 2003
Background; Pre-emption
  Background
    Law signed by President Bush December 2003
    Law effective January 1, 2004
  Pre-emption
    Pre-empts state laws regulating commercial email
    States may continue to regulate email fraud
      Several states now implementing spam fraud laws
    Pre-empts California’s SB 186
      No litigation brought under SB 186
CAN-SPAM Refresher
  Prohibitions
    False header information (deception re source of email)
    Deceptive subject lines (deception re content of email)
    “Aggravated offenses” – either of the above together with:
      Address harvesting
      Dictionary attacks
      Unauthorized relays
      Unauthorized sending through third-party computers
    Sending more than 10 business days following opt out
  Required Inclusions
    Clear and conspicuous notice that email is commercial
      Does not apply if sender has “affirmative consent” of recipient
    Clear and conspicuous notice of ability to opt out
    Working unsubscribe functionality
      Return email address
      Internet-based mechanism
    Valid physical postal address (OK to include PO box with street address)
Sample Disclosure
  This is a promotional email from Nextel Communications, Inc. If you wish to unsubscribe from Nextel customer emails or to change your email address, please click here or use the link below.
  http://nextel.m0.net/m/u/nex/n.asp?e=khirschman%40digitalimpact.com&cid=XXXXXXXXXXX
  Nextel Communications, Inc. is located at 2001 Edmund Halley Drive, Reston, VA 20191.
  Placement
    Just below creative, but above disclaimers
  Size
    Same as text in ad, larger than disclaimers
  Color
    Black – same as ad, darker than disclaimers
  “Commercial” notice
  Opt out notice and functionality
  Valid physical postal address
Enforcement and Penalties
  Civil enforcement
    Federal Trade Commission
    Applicable general regulatory agency enforces for financial institutions
      OCC, Fed, FDIC
      Standard enforcement powers of particular agency
    State enforcement agencies
      $250 per violation; $2 million cap
      Injunctive relief
    “Internet access services” – primarily ISPs
      $25/$100 per violation; $1 million cap
      Injunctive relief
    “Good actor” damage reduction
    Court may triple damages for aggravated violations
  Criminal enforcement
    DOJ enforcement
    One year in prison
    Up to five years for aggravated or repeated violations
CAN-SPAM Regulatory Update
  Request for Information issued for Do-Not-Email List
    Issued March 2004
    Seeks technical information re implementation and security
  Advance Notice of Proposed Rulemaking
    Issued March 2004
    Two purposes
      Seeks comments on merits of DNE
      Seeks ideas for future rulemakings:
        transactional or relationship emails
        10-business-day rule for unsubscribe
        “primary purpose” test
        forward-to-a-friend
        Multiple sender problem
  ESPC submitted comments on both
  Next steps
    FTC to issue proposed regulations and invite further comment
    FTC to publish DNE implementation plan and report to Congress
CAN-SPAM Litigation Update
  March 2004
    AMEY cases
      AOL, MSN, Yahoo! and Earthlink cooperating in litigation effort
      Several spammers sued; focus on false header violations
      Goal – well-publicized suits and ensuing personal bankruptcies should dissuade spammers from this line of business
    Hypertouch v BobVila.com
      Aggressive, litigious, small ISP suing Bob Vila’s online business
      Probably not a case of intentionally fraudulent header information, but an example of how sloppy practices can invite unnecessary attention
  April 2004
    First government prosecutions filed April 27 by FTC
      Defendants in Michigan and Australia
      Fraudulent header information
      Promoting fraudulent products
      TRO; asset freeze
FTC Predictions (1)
  Do-Not-Email Registry
    FTC questioning effectiveness (spammers will ignore)
    FTC skeptical of security (valuable list of real names)
    Required to propose something
    Prediction:
      FTC will propose a do-not-spam registry
      FTC will recommend against implementation
      FTC will support industry “Lumos” initiatives
  “primary purpose” test (i.e., what is a commercial email)
    FTC sympathetic to possibly overly broad interpretations
    Offered multiple methods of determining purpose in ANPR
    Prediction:
      FTC will embrace a “totality of the circumstances” test
      FTC analysis will take into account the sender’s intent, not just the content and the impression of the recipient
FTC Predictions (2)
  forward-to-a-friend/affiliate marketing programs
    FTC concerned about marketers inducing third parties to send email on the marketer’s behalf and recipients having no unsub recourse
    Prediction:
      FTC will impose CAN-SPAM obligations (disclosure; unsub; dedupe) on induced forwarding
      Non-induced forwarding (traditional FTAF w/o more) will not be subject to CAN-SPAM
      Contingent compensation affiliate marketing programs will be treated as induced forwarding
  multiple sender problem/list rental issues
    FTC concerned with administrative complexity in multiple sender situations
    FTC also concerned with compliance resulting in consumer confusion
    Prediction:
      Where a list owner is mailing on behalf of multiple third parties in a single email, and list owner is disclosed, list owner will be treated as sender
      Fingers crossed: disclosed list owner will be “sender” for all list rental campaigns (even single advertiser campaigns)
Compliance Recommendations
  Review the FTC’s “clear and conspicuous” guidance
    FTC “dot com disclosure” guidance: http://www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html#III
    Important factors: placement, prominence, distractions, understandability
  Avoid accidentally deceptive subject lines
  Review unsubscribe practices
    Offering ability to unsubscribe from sender or just program?
    Is 10-business day rule manageable?
  Use commercial notice despite possible “affirmative consent” exception
  Use your company name in the “from” line
    Any party initiating is sufficient to comply with CAN-SPAM
  Make sure DNS registrations are up to date
    Avoid attention from small litigious internet access services
What can you do to help prevent spam?
  Spam ware software failed when an email address was obscured in some way
  For example, writing “at” instead of the @ symbol.
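The effect described above, as an added example that is not part of the original slides: a short Python audit a site owner can run over their own pages to list addresses published in the plain user@domain form and to rewrite them with "at". The matching pattern, the function names and the sample pages are assumptions constructed for illustration; real collection software varies in what it recognizes.

```python
import re

# Assumed approximation of "what looks like an e-mail address" to
# automated collection software: local part, "@", dotted domain.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def exposed_addresses(page_text):
    """Return the distinct plain-form addresses found in page_text, sorted."""
    return sorted({m.group(0) for m in ADDRESS_RE.finditer(page_text)})


def obscure(page_text):
    """Rewrite every plain-form address as 'user at domain'."""
    return ADDRESS_RE.sub(lambda m: m.group(0).replace("@", " at "), page_text)


def audit(pages):
    """Map page name -> exposed addresses, listing only pages that expose any."""
    report = {}
    for name, text in pages.items():
        found = exposed_addresses(text)
        if found:
            report[name] = found
    return report


# Constructed sample pages (not taken from any real site).
SAMPLE_PAGES = {
    "contact.html": (
        '<p>Write to <a href="mailto:sales@example.com">sales@example.com</a> '
        "or support@example.org.</p>"
    ),
    "about.html": "<p>Press office: press at example.com</p>",
}

if __name__ == "__main__":
    print("before:", audit(SAMPLE_PAGES))
    rewritten = {name: obscure(text) for name, text in SAMPLE_PAGES.items()}
    print("after: ", audit(rewritten))
```

Note that `obscure` also rewrites the address inside the `mailto:` link, so the link stops working as a clickable address; that is the cost of removing the plain form from the page source.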
CyberBrief: Spam ware
  The Center for Democracy and Technology (CDT) investigated how junk-mail spammers get hold of email addresses.
  They created hundreds of email addresses and used each one only once.
  After 6 months, over 8,000 unsolicited emails arrived at these email addresses.
How does it work?