CAN-SPAM

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

The CAN-SPAM Act of 2003 (15 U.S.C. 7701, et seq., Public Law No. 108-187, was S.877 of the 108th United States Congress), signed into law by President of the United States George W. Bush on December 16, 2003, establishes the United States' first national standards for the sending of commercial e-mail and requires the Federal Trade Commission (FTC) to enforce its provisions. The acronym CAN-SPAM derives from the bill's full name: Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003. This is also a play on the usual term for unsolicited email of this type, spam. The bill was sponsored in Congress by Senators Conrad Burns and Ron Wyden.

The CAN-SPAM Act is occasionally referred to as the "You-Can-Spam" Act because while the bill does not explicitly legitimize e-mail spam, it preempts laws that allowed for (amount other things) easier prosecution and rights to private action. In particular, it does not require e-mailers to get permission before they send marketing messages. It also prevents states from enacting stronger anti-spam protections, and prohibits individuals who receive spam from suing spammers. The Act has been largely unenforced, despite a letter to the FTC from Senator Burns, who noted that "Enforcement is key regarding the CAN-SPAM legislation." In January 2004, the month the law went into effect, less than 1% of spam complied with the CAN-SPAM Act of 2003.

The law required the FTC to report back to Congress within 24 months of the effectiveness of the act. No changes were recommended. It also requires the FTC to promulgate rules to shield consumers from unwanted mobile phone spam. On December 20, 2005 the FTC reported that the volume of spam has begun to level off, and due to enhanced anti-spam technologies, less was reaching consumer in boxes. A significant decrease in sexually-explicit e-mail was also reported.

Later modifications changed the original CAN-SPAM Act of 2003 by (1) Adding a definition of the term "person"; (2) Modifying the term "sender"; (3) Clarifying that a sender may comply with the act by including a post office box or private mailbox and (4) Clarifying that to submit a valid opt-out request, a recipient cannot be required to pay a fee, provide information other than his or her email address and opt-out preferences, or take any other steps other than sending a reply email message or visiting a single page on an Internet website.

The mechanics of CAN-SPAM

Applicability

CAN-SPAM defines a "commercial electronic mail message" as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)." It exempts "transactional or relationship messages." The FTC issued final rules (16 C.F.R. 316) clarifying the phrase "primary purpose" on December 16, 2004. Previous state laws had used bulk (a number threshold), content (commercial), or unsolicited to define spam.

The bill permits e-mail marketers to send unsolicited commercial e-mail as long as it adheres to 3 basic types of compliance defined in the CAN-SPAM Act: unsubscribe, content and sending behavior compliance:

Business Impact

Do you use email in your business? The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.

Despite its name, the CAN-SPAM Act doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. That means all email – for example, a message to former customers announcing a new product line – must comply with the law.

Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $16,000, so non-compliance can be costly. But following the law isn’t complicated. Here’s a rundown of CAN-SPAM’s main requirements:

  1. Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
  2. Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
  3. Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
  4. Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
  5. Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
  6. Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
  7. Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

Download a compliance guide for business here:

Error creating thumbnail: /bin/bash: /usr/bin/convert: No such file or directory GPL Ghostscript 9.50: Unrecoverable error, exit code 1

Unsubscribe compliance

  • A visible and operable unsubscribe mechanism is present in all emails.
  • Consumer opt-out requests are honored within 10 days.
  • Opt-out lists also known as Suppression lists are only used for compliance purposes.

Content compliance

  • Accurate from lines (including "friendly froms")
  • Relevant subject lines (relative to offer in body content and not deceptive)
  • A legitimate physical address of the publisher and/or advertiser is present.
  • A label is present if the content is adult.

Sending behavior compliance

  • A message cannot be sent through an open relay
  • A message cannot be sent to a harvested email address
  • A message cannot contain a false header

Content is exempt if it consists of:

  • religious messages;
  • political messages;
  • content that broadly complies with the marketing mechanisms specified in the law; or
  • national security messages.

There are no restrictions against a company emailing its existing customers or anyone who has inquired about its products or services, even if these individuals have not given permission, as these messages are classified as "relationship" messages under CAN-SPAM.

If a user opts out, a sender has ten days to cease sending and can only use that email address for compliance purposes. The legislation also prohibits the sale or other transfer of an e-mail address after an opt-out request. The law also requires that the unsubscribe mechanism must be able to process opt-out requests for at least 30 days after the transmission of the original message.

Use of automated means to register for multiple e-mail accounts from which to send spam compound other violations. It prohibits sending Internet pornography without the label later determined by the FTC of "SEXUALLY EXPLICIT." This label replaced the similar state labeling requirements of "ADV:ADLT" or "ADLT."

CAN-SPAM in makes it a misdemeanor to send spam with falsified header information. A host of other common spamming practices can make a CAN-SPAM violation an "aggravated offense," including E-mail address harvesting|harvesting]], dictionary attacks, IP address spoofing, hijacking computers through Trojan horses or worms, or using open mail relays for the purpose of sending spam.

Private right of action

CAN-SPAM provides a limited private right of action to Internet Access Services that have been adversely affected by the receipt of emails that violate the Act. A CAN-SPAM plaintiff must satisfy a higher standard of proof as compared with government agencies enforcing the Act; thus, a private plaintiff must demonstrate that the defendant either sent the email at issue or paid another person to send it knowing that the sender would violate the Act. Despite this heightened standard, private CAN-SPAM lawsuits have cropped up around the country, as plaintiffs seek to take advantage of the statutory damages available under the Act.

Overriding state anti-spam laws

CAN-SPAM preempts (supersedes) state anti-spam laws that do not deal with fraud and was rushed through Congress just before a tougher anti-spam law passed in California.

The relevant portion of CAN-SPAM reads:

This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.

Though this move was criticized by some anti-spam activists, some legal commentators praised it, citing a heavily punitive California law seen as over broad and a wave of dubious suits filed in Utah.

CAN-SPAM and the FTC

CAN-SPAM allows the FTC to implement a national do-not-email list similar to the FTC's popular National Do Not Call Registry against telemarketing, or to report back to Congress why the creation of such a list is not currently feasible. The FTC soundly rejected this proposal, and such a list will not be implemented. The FTC concluded that the lack of authentication of email would undermine the list, and it could raise security concerns.

The legislation prohibits e-mail recipients from suing spammers or filing class-action lawsuits. It allows enforcement by the FTC, State Attorneys General, Internet service providers, and other federal agencies for special categories of spammers (such as banks). An individual might be able to sue as an ISP if (s)he ran a mail server, but this would likely be cost-prohibitive and would not necessarily hold up in court. Individuals can also sue using state laws about fraud, such as Virginia's which gives standing based on actual damages, in effect limiting enforcement to ISPs.

Senator John McCain is responsible for a last-minute amendment which makes businesses promoted in spam subject to FTC penalties and enforcement remedies, if they knew or should have known that their business was being promoted by the use of spam. This amendment was designed to close a loophole which allowed those running affiliate programs to allow spammers to abuse their programs, and encouraged such businesses to assist the FTC in identifying such spammers. The McCain amendment, as it is known, was authored for Senator McCain's office by Anne P. Mitchell.

Senator Corzine sponsored an amendment to allow bounties for some informants. The FTC has limited these bounties to individuals with inside information. The bounties are expected to be over $100,000, but none have been awarded yet.

Reaction

Those opposing spam greeted the new law with dismay and disappointment, almost immediately dubbing it the "You Can Spam" Act. Internet activists who work to stop spam stated that the Act would not prevent any spam in fact, it appeared to give federal approval to the practice, and it was feared that spam would increase as a result of the law. CAUCE (Coalition Against Unsolicited Commercial Email) stated:

"This legislation fails the most fundamental test of any anti-spam law, in that it neglects to actually tell any marketers not to spam. Instead, it gives each marketer in the United States one free shot at each consumer's e-mail inbox, and will force companies to continue to deploy costly and disruptive anti-spam technologies to block advertising messages from reaching their employees on company time and using company resources. It also fails to learn from the experiences of the states and other countries that have tried "opt-out" legal frameworks, where marketers must be asked to stop, to no avail."

AOL Executive Vice President and General Counsel Randall Boe stated:

"[CAN-SPAM] not only empowered us to help can the spam, but also to can the spammers as well . . . Our actions today clearly demonstrate that CAN-SPAM is alive and kicking — and we're using it to give hardcore, outlaw spammers the boot.

Advertising organizations such as the Direct Marketing Association (USA) (DMA) have sought to weaken implementation of the law in various ways. These include lengthening the time for honoring opt-outs from 10 business days to 31 calendar days, limiting the validity of opt-out requests to no more than two to three years, and eliminating rewards to persons who assist the Federal Trade Commission in enforcement of the act. The DMA has also opposed provisions requiring the subject line of spam to indicate that the message is an advertisement.

Criminal enforcement

On February 16, 2004, Anthony Greco, 18, of Cheektowaga (town), New York, was the first person to be arrested under the CAN-SPAM Act of 2003. After pleading guilty, he was sentenced in a closed session.

Within a few months, hundreds of lawsuits had been filed by an alliance of ISPs. Many of these efforts resulted in settlements; most are still pending. Though most defendants were "John Does," many spam operations, such as Scott Richter's, were known.

On April 29, 2004, the United States government brought the first criminal and civil charges under the Act. Criminal charges were filed by the United States Attorney for the Eastern District of Michigan, and the FTC filed a civil enforcement action in the Northern District of Illinois. The defendants were a company, Phoenix Avatar, and four associated individuals: Daniel J. Lin, James J. Lin, Mark M. Sadek, and Christopher Chung of West Bloomfield, Michigan. Defendants were charged with sending hundreds of thousands of spam emails advertising a "diet patch" and "hormone products." The FTC stated that these products were effectively worthless. Authorities said they face up to five years in prison under the anti-spam law and up to 20 years in prison under U.S. mail fraud statutes.

On September 27, 2004, Nicholas Tombros plead guilty to charges and became the first spammer to be convicted under the Can-Spam Act of 2003. He was sentenced in July 2007 to three years probation, six months house arrest, and fined $10,000.

On April 1, 2008, Mounir Balarbi, of Tangier, Morocco, was the first person outside the United States to have an arrest warrant validated under the CAN-SPAM Act of 2003. Mounir's trial was held in absentia, and he was sentenced in a closed session.

On January 16, 2008, Jeffrey Goodin, 45, an Azusa, California, man was convicted by a jury in United States district court in Los Angeles in United States v. Goodin, U.S. District Court, Central District of California, 06-110, under the CAN-SPAM Act (the first conviction under the Act), and on June 11, 2007, was sentenced to 70 months in federal prison. Out of a potential sentence of 101 years prosecutors had asked for a sentence of 94 months. Goodin was already detained in custody as he had missed a court hearing.

As of late 2008, CAN-SPAM has been all but ignored by spammers. A review of spam levels in October 2006 estimated that 75% of all email messages were spam, and the number of spam emails complying with the requirements of the law were estimated to be 0.27% of all spam emails.

By mid 2010, about 90% of email were spam.

On August 25, 2005, three people were indicted on two counts of fraud and one count of criminal conspiracy. On March 6, 2006 Jennifer R. Clason, 33, of Raymond, New Hampshire, plead guilty and was to be sentenced on June 5, 2006. She faced a maximum sentence of 5 years on each of the three counts and agreed to forfeit money received in the commission of these crimes. On June 25, 2007, the remaining two were convicted of spamming out millions of e-mail messages that included hardcore pornographic images. Jeffrey A. Kilbride, 41, of Venice, California, and James R. Schaffer, 41, of Paradise Valley, Arizona, were convicted on eight counts in U.S. District Court in Phoenix, Arizona. Both were sentenced to over five years in prison, and ordered to forfeit $1,300,000. The charges included Conspiracy (crime), fraud, money laundering, and transportation of pornography, all of which were affirmed through an United States v. Kilbride to the United States Court of Appeals for the Ninth Circuit. The trial, which began on June 5, was the first to include charges under the CAN-SPAM Act of 2003, according to the United States Department of Justice. The specific law that prosecutors used under the CAN-Spam Act was designed to crack down on the transmission of pornography in spam. Two other men, Andrew D. Ellifson, 31, of Scottsdale, Arizona, and Kirk F. Rogers, 43, of Manhattan Beach, California, also plead guilty to charges under the CAN-SPAM Act related to this spamming operation. Both were scheduled to be sentenced on June 5, 2006 in Phoenix.

Civil enforcement

In July 2005, the Federal Trade Commission lodged civil CAN-SPAM complaints against nine companies alleging that they were responsible for spam emails that had been sent by them or by their affiliates. Six of the seven companies, Cyberheat of Tucson, Arizona, APC Entertainment, Inc., of Davie, Florida, MD Media, Inc., of Bingham Farms, Michigan, Pure Marketing Solutions, LLC, of Tampa, Florida, TJ Web Productions, LLC, of Tampa, Florida, and BangBros.com, Inc., RK Netmedia, Inc., and OX Ideas, Inc., LLC, of Miami, Florida entered into consent judgment. Impulse Media Group, Inc. of Seattle, Washington chose to defend itself against the allegations made by the FTC.

The Department of Justice asserted that the CAN-SPAM statute imposed Strict liability on producers such as Impulse Media for the actions of its non-agent, independent-contractor affiliates. However, the two courts to consider that argument rejected the DOJ's contention. In March 2008 the remaining defendant, Impulse Media Group, went to trial. At trial, it was determined that IMG's Affiliate Agreement specifically prohibited spam bulk-email and that if an affiliate violated that agreement, it would be terminated from the program. In fact, several affiliates had been terminated for that very reason. After a 2½ day trial, the jury retired to determine whether Impulse Media should be held liable for the bad acts of its affiliates. Three and one-half hours later, the jury returned with a verdict that IMG was not liable and that the emails were the fault of the affiliates.

In March 2006, the FTC was awarded its largest victory to date - a $900,000 judgment against Jumpstart Technologies, LLC for numerous violations of the CAN-SPAM act.

Effectiveness

In 2009, a time series model of spam received in the United States between 1998 and 2008 revealed that the CAN SPAM Act had no significant impact on spamming behavior. Following January, 2004 when the Act went into effect, there was no noticeable decrease in spam rates. Additionally, spam had not been shown to increase in compliance with the regulations set forth in the CAN SPAM Act. Lastly, spam sending bots did not appear to have been displaced outside US jurisdiction after the passing of the Act.

See also

General categories:

Related acts:

References

  • Lee, Younghwa (June 2005). "The CAN-SPAM Act: A Silver Bullet Solution?". Communications of the ACM, p. 131–132.


Cases

External links