Volume 14, Number 2 - November/December 2004
Spam!
You can't live with it, you can't . . . no. But what about your client?
By Eran Kahana
Just before he clicked the "Send" button, my client had a gut feeling that he
should give me a call. His hesitation was the result of a blurry memory about
reading something about a new (well, not so new anymore) law relating to
unsolicited e-mail. And a good thing it was that he called. He was completely
unaware of the limitations and penalties contained in the "Controlling the Assault
of Non-Solicited Pornography and Marketing Act of 2003," better known as CAN-SPAM.
Spam, aka unsolicited commercial e-mail (UCE), is everywhere. It's growing
quickly and appears oblivious to legislative efforts, filters and other eradication
efforts. Some spam messages are (ludicrously) creative such as the one asking for
your help in moving multi-million dollar fortunes from Sierra Leone to Nigeria
(and "all" the sender wants is your personal contact information). Others are just
plain irritating, unabashedly peddling counterfeit Viagra, a plethora of porn sites
that would make almost anyone blush, PhDs without attending classes, mortgage
refinancing, etc.
Nearly everyone who uses e-mail will confirm they get spammed on a daily basis,
some more than others. But what is surprising is the actual magnitude of just how
pervasive this is. A January 2004 Wall Street Journal piece (published a few days
after CAN-SPAM went into effect) reported that UCE made up 60 percent of all e-mail, a sharp increase from the 42 percent level recorded a year before.
Consumer Reports magazine also chimed in several months later. Their study
showed that of 2,000 e-mail users surveyed, 47 percent reported receiving more
spam than before CAN-SPAM went into effect; 69 percent noted that more than
half of all the e-mail they received was spam. Kelkea Inc., a developer of spam-blocking solutions, reports that spam accounts for 80 percent of all e-mail traffic.
So what is spam anyway? You could pull a Justice Potter Stewart and say you just
know it when you see it. (Stewart was talking about pornography in the case of
Jacobellis v. Ohio.) A more formal definition offered by Kelkea suggests the
following:
A message is spam if: (1) the recipient's personal identity and context [of the
message] are irrelevant because the message is equally applicable to many other
potential recipients; (2) the recipient has not verifiably granted deliberate, explicit
and still-revocable permission for it to be sent; and (3) the transmission and
reception of the message appears to the recipient to give a disproportionate
benefit to the sender.
Some might prefer the "no-frills" definition offered by Princeton University: Spam
is simply "unwanted e-mail (usually of a commercial nature sent out in bulk)."
Whatever the preferred definition may be, spam is a serious problem. It dilutes the
attractiveness and possibly even the usefulness of e-mail as we know it. Internet
service providers (ISPs) and recipients bombarded with spam messages inevitably
turn to filtering and blocking technologies to alleviate the scourge. One such
blocking system is the MAPS Open Proxy Stopper (OPS), which maintains a list of
Internet Protocol (IP) addresses that have been used to transmit spam and blocks them.
Spam also carries a significant cost; one borne almost completely by ISPs and
their users, not the spammers. In legislating CAN-SPAM, Congress referred to a
European Union study that found that spam costs Internet subscribers around the
world $9.4 billion each year. It also noted that the estimated costs to "United
States businesses from spam and lost productivity, network system upgrades,
unrecoverable data, and increased personnel costs, combined, will top $10 billion
in 2003."
Can legislation deter spammers? Critics don't think so. They argue that the
volume of spam actually increased after CAN-SPAM was signed into law, and
suggest that legislation is intrinsically inadequate to address the problem. Simply
put, spammers who already engage in irresponsible mass-marketing methods will
not be deterred. Also, they point out that legislation is poorly drafted and
authored by legislators who have no technical experience; that prohibitions are
overbroad and, therefore, unconstitutional.
Critics' sights are also trained on the anti-spam blacklists, such as the MAPS RBL
(Mail Abuse Prevention System Realtime Blackhole List, arguably the most
popular). Their problem with MAPS is that it assists a large number of ISPs in
surreptitiously blocking large amounts of non-spam from innocent people.
But criticism aside, an important principle behind the act is to facilitate the
coordination of efforts between law enforcement officials across the country. That,
according to Congress, was lacking:
Many states have enacted legislation intended to regulate or reduce unsolicited
commercial electronic mail, but these statutes impose different standards and
requirements. As a result, they do not appear to have been successful in
addressing the problems associated with unsolicited commercial electronic mail, in
part because, since an electronic mail address does not specify a geographic
location, it can be extremely difficult for law abiding businesses to know with
which of these disparate statutes they are required to comply. (Emphasis added.)
So, if you're going to help a client who is planning a mass e-mailing campaign
comply with CAN-SPAM, what should you be aware of and what additional
suggestions should you be making?
The first step is to determine if your client's plan should even be concerned with
CAN-SPAM. Try the following question: "Is this proposed campaign an
advertisement or promotion of goods or services?" If it is, then it must abide by
the act's limitations. And now, for the inevitable disclaimer: It is important to read
carefully through the act. While this article highlights the main points of the
legislation, it is only intended as a primer. Now that we've established that, let's
review the following guidelines and suggestions that you should review with your
client.
It's important to note at the outset that messages that fall under the category of
"relationship/transactional" are for the most part exempt from the act. Such e-mails include, for example, announcements relating to safety concerns with a
product your client's customer bought, product updates, upgrades, recall
information, confirming a subscription to an e-mail newsletter, etc. Here the act
merely requires that the e-mail not contain false or misleading routing
information.
Confirm that information contained in the e-mail header is neither "materially
false nor materially misleading." A "header," in case you're wondering, is an
identification badge for the e-mail; it contains important information about the
e-mail that sets it apart from other e-mails you get.
There are three aspects to watch out for here:
First, the e-mail address, domain name, or IP address must not have been
obtained by means of what the act calls "false or fraudulent pretenses." That
means that your client may not create and use an account or domain name
with false information for the purpose of disguising the origin of the e-mail. If
this happens, the header is considered materially misleading.
Second, the "from" line in the header must accurately identify your client; if
it does not, the header is considered materially false or materially misleading.
(Note the discussion about updating domain registry information later on.)
Third, if another user's computer is going to be used to relay or retransmit
the e-mail, then the header must accurately contain that computer's name; if
it does not, the header will be considered materially false or materially
misleading. (Your client must also have explicit permission from that
computer's owner to use it to relay.) Also, you need to take reasonable steps
to make sure your client's business is not being promoted by a third party
using false or materially misleading headers. If you find out this is happening,
you are required to take action against the offender.
If your client recently relocated its offices, make sure they update their
profile with the domain registry — such as Network Solutions. That is
important because a common method of determining a sender's identity
involves plugging their domain name into "Whois.com." If your client's
mailing address has changed and is not reflected in the registry information,
you may be in violation of the requirement to use accurate headers and
certainly are in violation of the act's requirement of including a "valid physical
postal address" in the body of the e-mail.
Now here is an opportunity to be proactive and make a suggestion to your
client to steer away from using P.O. boxes for the address. These have an air
of secrecy and are inconsistent with your goal of clearly identifying your
client's location.
Make sure your client doesn't use deceptive subject headings. A subject heading can be
considered deceptive if it's reasonable that the recipient would likely open the e-mail based on the subject heading alone. If the contents of the e-mail have very little, or no,
bearing on the subject heading, then it's highly likely the subject line would be
considered deceptive. (You've probably noticed from your own being-spammed
experience that this is a very common characteristic.)
Your client must include a functional return ("reply-to") unsubscribe address or
a clearly marked opt-out link. Practice pointer: Recommend to your client to
have both. The key here is to validate the inserted opt-out hyperlinks so that
"dead" ones are fixed before the message is sent.
From a technical perspective, this is very easy to do. Two of the most popular
Web design programs, Macromedia's Dreamweaver and Microsoft's FrontPage,
have tools that validate links. (Also consider the fact that it is very annoying
for the recipient to have to deal with dead hyperlinks, not to mention that it
reflects poorly on the sender's company.)
It's also recommended that your client put in place a procedure that
periodically "pings" the unsubscribe e-mail address and makes sure it still
works. A similar procedure should continuously monitor the mailbox size and
ensure it's not flooded and remains operational for at least the minimum
amount of required time. Although the act requires that the return e-mail
address remain valid for 30 days from the date the message was sent, it's a
good idea to extend that term to 90 days or longer.
An alternative, but a little more technically demanding method to comply with
this opt-out requirement is for the sender to provide a menu of opt-out
options that the recipient can choose from. This enables the recipient to tailor
what types of e-mail messages he or she wants or does not want and must
also contain a complete opt-out option.
Once an opt-out request is received, your client has 10 business days to stop
sending e-mails (within the same scope of the request) to that address. The
10-business-day period, with a slight modification, also covers third parties
acting on behalf of your client.
As alluded to earlier, the opt-out e-mail address your client provides must be
valid. Unless there is a legitimate technical glitch involving that e-mail address
(the mail server unexpectedly crashed), it is highly likely that a transmission will
be considered deceptive if recipients are unable to unsubscribe by replying to it.
Solution: Have a backup server. For a relatively minimal cost it can help your
client avoid the problem in the first place (if it switches to the backup on
detecting a failure with the primary mail server). Also, depending on how this
backup server is configured, it puts into place the mechanism for addressing the
requirement of having the problem corrected within a "reasonable" time period.
This ties in to the next thing you should look into. It's one thing to provide
the opt-out mechanism, but it's entirely another thing to actually take action
on it. Make sure your client has the policy and procedure in place to honor an
unsubscribe request. It is also a good idea to make the suggestion to your
client that he or she go one step further and send an e-mail to unsubscribers
confirming that they have been removed.
Make sure your client inserts disclaimers and disclosures in a clear and
conspicuous manner. The recipient should not get carpal tunnel from scrolling to
the opt-out instructions. Barnes & Noble, for example, uses the title "How to
unsubscribe" in their solicitation e-mails.
Instruct your client that address recycling is not permitted: Neither it, as the
sender, nor anyone else, may sell opted-out e-mail addresses. Furthermore, if
your client buys e-mail address lists for its marketing efforts, you should
inquire with the seller about whether it notified the owners of these addresses
that their address may be sold or transferred.
This inquiry goes toward complying with the prohibition on harvesting and
dictionary attacks. It also gives you some insight into the seller's business
practices and provides your client with an opportunity to be more selective
about where it gets its lists.
Look at it this way: A seller that discloses its intention, obtains and records
permission is (arguably) more likely to have higher-value addresses that will
not negatively reflect on your client's business when it uses them. Also, it's
important to keep in mind that if someone suspects your client is spamming
them they can (among other things) report it and your client could find itself
on the MAPS RBL (the anti-spam blacklist).
If relevant, you should be familiar with how your client collects e-mail addresses.
If your client collected e-mail addresses using its Web site where its privacy
statement promised users it would never ever give up their e-mail address, then
that's it; it may not do so. And if there were no such promise and your client is
going to sell the list, it may not include anyone who asked to be removed from it.
Even before this was the law, it was (and still is) common sense and good
business practice.
Unless your client has what the act refers to as "affirmative consent," which
means the recipient expressly consented to receive the message, it must
clearly identify the message as an ad or solicitation. This is typically done by
inserting "ADV" in the subject line.
Another suggestion to consider in this regard is to adopt what is called a
double opt-in procedure. A user, for example, requests a subscription to a
newsletter from your client. Your client's system essentially says "OK, but
we're first sending you an e-mail to the address you entered. You, the would-be subscriber, now need to open your e-mail program, open that e-mail and
click on a hyperlink that will finalize your subscription process." Doing this
ensures, for example, that your client's newsletter won't be sent to someone
who was signed up by someone else.
The double opt-in is the best method by which to confirm affirmative consent.
And there is one more step: Make sure your client safely keeps these e-mail
transactions for a very long time; you never know when you might need it.
Storage space is so cheap, there is little reason not to do so.
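The double opt-in flow described above, as an added example that is not part of the original article: a signed confirmation token is mailed to the entered address, and a consent record is kept only after the recipient clicks it. The function names, the demo key and the 48-hour link expiry are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

SECRET = b"constructed-demo-key"  # assumption: real key lives in a secret store
TOKEN_TTL = 48 * 3600             # assumption: links expire after 48 hours

pending = {}      # address -> time the subscription was requested
consent_log = []  # append-only evidence of affirmative consent


def sign(address, issued):
    """HMAC binds the token to one address and one request time."""
    msg = f"{address}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_subscription(address, now=None):
    """Step 1: record the request; return the token to mail to the address."""
    address = address.strip().lower()
    issued = int(time.time() if now is None else now)
    pending[address] = issued
    raw = f"{address}|{issued}|{sign(address, issued)}"
    return urlsafe_b64encode(raw.encode()).decode()


def confirm_subscription(token, now=None):
    """Step 2: the recipient clicked the link; verify before subscribing."""
    now = int(time.time() if now is None else now)
    try:
        decoded = urlsafe_b64decode(token.encode()).decode()
        address, issued_s, sig = decoded.rsplit("|", 2)
        issued = int(issued_s)
    except ValueError:  # bad base64, bad UTF-8, missing fields, bad number
        return False
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig.encode(), sign(address, issued).encode()):
        return False  # forged or altered token
    if now - issued > TOKEN_TTL or pending.get(address) != issued:
        return False  # expired, already used, or never requested
    del pending[address]
    # Keep the record: this is the proof that the address owner opted in.
    consent_log.append({"address": address, "requested": issued, "confirmed": now})
    return True
```

Someone who signs up another person's address never receives the token, so that address never reaches `consent_log` and is never mailed the newsletter.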
The act sets a "knowing" standard for prohibiting e-mail relay and you should
advise your client to take reasonable steps to ensure its own mail server is not
used as one. Similarly, your client's employees should never be allowed to send
e-mails using someone else's server. This must be made clear in the employee
handbook and the IT folks should be instructed to take measures to prevent it.
If your client has affirmative consent from recipients that they want to receive
e-mails with sexual content, then that's pretty much all that's required (in
addition to the usual routing requirements mentioned above). However, if no
such prior affirmative consent was provided, then messages containing sexual
content must include the warning "SEXUALLY EXPLICIT" in bold ASCII text
(which ensures broadest readability across virtually all software platforms).
Failure to comply can lead to a fine or a five-year prison term.
Finally, advise your client about the penalties. The FTC can seek to enforce
with five years in jail for repeat offenders who also commit a felony. First-time
offenders can be slapped with a three-year prison term and proceeds from
the e-mailing campaign, computers, software and other equipment used for it
can be confiscated.
State attorneys general can enforce with a civil action against the spammer at
a rate of $250 per message, up to $2 million. ISPs can seek enforcement
through a civil action and get actual damages, $25 per offending e-mail,
limited to $1 million. A $100 fine per offending e-mail, with no cap, is
allowed where fraudulent information is used in the headers.
And just in case there are doubts whether the act will ever be enforced,
consider this: In what is now known as Case Number 04-80383, United
States of America v. Daniel J. Lin, James J. Lin, Chris Chung, and Mark M.
Sadek, Chung and Sadek have been arrested and arrest warrants are
outstanding for the other two. The act means business.
Apart from being mandatory, compliance with CAN-SPAM should not be
difficult and can actually be turned into a selling point for your client. Its
customers and e-mail recipients will appreciate knowing it is committed to
engage in responsible e-marketing practices. Your client will also appreciate
any effort that ensures its name is not associated with money-transfer scams,
Viagra offerings, porn, effort-free PhD degrees or any other idiotic and
annoying e-mails.
For all these reasons and others mentioned throughout this article, the cost of
compliance is no doubt lower than failing to comply.
Kahana is an associate at Weinblatt & Gaylord, PLC, in St. Paul, Minn. His e-mail is [email protected].