Spam!
You can't live with it, you can't . . . no. But what about your client?
By Eran Kahana
Just before he clicked the "Send" button, my
client had a gut feeling that he should give me a call.
His hesitation was the result of a blurry memory about
reading something about a new (well, not so new anymore)
law relating to unsolicited e-mail. And a good thing it
was that he called. He was completely unaware of the
limitations and penalties contained in the
"Controlling the Assault of Non-Solicited
Pornography and Marketing Act of 2003," better
known as CAN-SPAM.
Spam, aka unsolicited commercial e-mail (UCE), is
everywhere. It's growing quickly and appears oblivious
to legislative efforts, filters and other eradication
efforts. Some spam messages are (ludicrously) creative
such as the one asking for your help in moving multi-
million dollar fortunes from Sierra Leone to Nigeria
(and "all" the sender wants is your personal
contact information). Others are just plain irritating,
unabashedly peddling counterfeit Viagra, a plethora of
porn sites that would make almost anyone blush, PhDs
without attending classes, mortgage refinancing,
etc.
Nearly everyone who uses e-mail will confirm they get
spammed on a daily basis, some more than others. But
what is surprising is the actual magnitude of just how
pervasive this is. A January 2004 Wall Street
Journal piece (published a few days after CAN-SPAM
went into effect) reported that UCE made up 60 percent
of all e-mail, a sharp increase from the 42 percent
level recorded a year before.
Consumer Reports magazine also chimed in several
months later. Their study showed that of 2,000 e-mail
users surveyed, 47 percent reported receiving more spam
than before CAN-SPAM went into effect; 69 percent noted
that more than half of all the e-mail they received was
spam. Kelkea Inc., a developer of spam-blocking
solutions, reports that spam accounts for 80 percent of
all e-mail traffic.
So what is spam anyway? You could pull a Justice Potter
Stewart and say you just know it when you see it.
(Stewart was talking about pornography in the case of
Jacobellis v. Ohio.) A more formal definition
offered by Kelkea suggests the following:
A message is spam if: (1) the recipient's personal
identity and context [of the message] are irrelevant
because the message is equally applicable to many other
potential recipients; (2) the recipient has not
verifiably granted deliberate, explicit and still-
revocable permission for it to be sent; and (3) the
transmission and reception of the message appears to the
recipient to give a disproportionate benefit to the
sender.
Some might prefer the "no-frills" definition
offered by Princeton University: Spam is simply
"unwanted e-mail (usually of a commercial nature
sent out in bulk)."
Whatever the preferred definition may be, spam is a
serious problem. It dilutes the attractiveness and
possibly even the usefulness of e-mail as we know it.
Internet service providers (ISPs) and recipients
bombarded with spam messages inevitably turn to
filtering and blocking technologies to alleviate the
scourge. One such blocking system is the MAPS Open Proxy
Stopper (OPS), which maintains a list of IP addresses
that have been used to transmit spam and blocks them.
Spam also carries a significant cost; one borne almost
completely by ISPs and their users, not the spammers. In
legislating CAN-SPAM, Congress referred to a European
Union study that found that spam costs Internet
subscribers around the world $9.4 billion each year. It
also noted that the estimated costs to "United
States businesses from spam and lost productivity,
network system upgrades, unrecoverable data, and
increased personnel costs, combined, will top $10
billion in 2003."
Can legislation deter spammers? Critics don't think so.
They argue that the volume of spam actually increased
after CAN-SPAM was signed into law, and suggest that
legislation is intrinsically inadequate to address the
problem. Simply put, spammers who already engage in
irresponsible mass-marketing methods will not be
deterred. Also, they point out that legislation is
poorly drafted and authored by legislators who have no
technical experience; that prohibitions are overbroad
and, therefore, unconstitutional.
Critics' sights are also trained on the anti-spam
blacklists, such as the MAPS RBL (Mail Abuse Prevention
System Realtime Blackhole List, arguably the most
popular). Their problem with MAPS is that it assists a
large number of ISPs in surreptitiously blocking large
amounts of nonspam from innocent people.
But criticism aside, an important principle behind the
act is to facilitate the coordination of efforts between
law enforcement officials across the country. That,
according to Congress, was lacking:
Many states have enacted legislation intended to
regulate or reduce unsolicited commercial electronic
mail, but these statutes impose different standards and
requirements. As a result, they do not appear to have
been successful in addressing the problems associated
with unsolicited commercial electronic mail, in part
because, since an electronic mail address does not
specify a geographic location, it can be extremely
difficult for law abiding businesses to know with which
of these disparate statutes they are required to comply.
(Emphasis added.)
So, if you're going to help a client who is planning a
mass e-mailing campaign comply with CAN-SPAM, what
should you be aware of and what additional suggestions
should you be making?
The first step is to determine if your client's plan
should even be concerned with CAN-SPAM. Try the
following question: "Is this proposed campaign an
advertisement or promotion of goods or services?"
If it is, then it must abide by the act's limitations.
And now, for the inevitable disclaimer: It is important
to read carefully through the act. While this article
highlights the main points of the legislation, it is
only intended as a primer. Now that we've established
that, let's review the following guidelines and
suggestions that you should review with your
client.
It's important to note at the outset that messages
that fall under the category of
"relationship/transactional" are for the most
part exempt from the act. Such e-mails include, for
example, announcements relating to safety concerns with
a product your client's customer bought, product
updates, upgrades, recall information, confirming a
subscription to an e-mail newsletter, etc. Here the act
merely requires that the e-mail not contain false or
misleading routing information.
Confirm that information contained in the e-mail
header is neither "materially false nor materially
misleading." A "header," in case you're
wondering, is an identification badge for the e-mail; it
contains important information about the e-mail that
sets it apart from other e-mails you get.
There are three aspects to watch out for here:
First, the e-mail address, domain name, or IP address
must not have been obtained by means of what the act
calls "false or fraudulent pretenses." That
means that your client may not create and use an account
or domain name with false information for the purpose of
disguising the origin of the e-mail. If this happens,
the header is considered materially misleading.
Second, the "from" line in the header must
accurately identify your client; if it does not, the
header is considered materially false or materially
misleading. (Note the discussion about updating domain
registry information later on.)
Third, if another user's computer is going to be used to
relay or retransmit the e-mail, then the header must
accurately contain that computer's name; if it does not,
the header will be considered materially false or
materially misleading. (Your client must also have
explicit permission from that computer's owner to use it
to relay.) Also, you need to take reasonable steps to
make sure your client's business is not being promoted
by a third party using false or materially misleading
headers. If you find out this is happening, you are
required to take action against the offender.
If your client recently relocated its offices, make sure
they update their profile with the domain registry
such as Network Solutions. That is important
because a common method of determining a sender's
identity involves plugging their domain name into
"Whois.com." If your client's mailing address
has changed and is not reflected in the registry
information, you may be in violation of the requirement
to use accurate headers and certainly are in violation
of the act's requirement of including a "valid
physical postal address" in the body of the e-mail.
Now here is an opportunity to be proactive and make a
suggestion to your client to steer away from using P.O.
boxes for the address. These have an air of secrecy and
are inconsistent with your goal of clearly identifying
your client's location.
Make sure your client doesn't use deceptive subject
headings. A subject heading can be considered deceptive
if a recipient would reasonably be expected to open the
e-mail based on the subject heading alone and the
contents have very little, or no, bearing on what the
subject heading says. (You've probably noticed from your
own being-spammed experience that this is a very common
characteristic.)
Your client must include a functional return
("reply-to") unsubscribe address or a clearly
marked opt-out link. Practice pointer: Recommend to your
client to have both. The key here is to validate the
inserted opt-out hyperlinks so that "dead"
ones are fixed before the message is sent.
From a technical perspective, this is very easy to do.
Two of the most popular Web design programs,
Macromedia's Dreamweaver and Microsoft's FrontPage, have
tools that validate links. (Also consider the fact that
it is very annoying for the recipient to have to deal
with dead hyperlinks, not to mention that it reflects
poorly on the sender's company.)
It's also recommended that your client put in place a
procedure that periodically "pings" the
unsubscribe e-mail address and makes sure it still
works. A similar procedure should continuously monitor
the mailbox size and ensure it's not flooded and remains
operational for at least the minimum amount of
required time. Although the act requires that the return
e-mail address remain valid for 30 days from the date
the message was sent, it's a good idea to extend that
term to 90 days or longer.
An alternative, but a little more technically demanding
method to comply with this opt-out requirement is for
the sender to provide a menu of opt-out options that the
recipient can choose from. This enables the recipient to
tailor what types of e-mail messages he or she wants or
does not want and must also contain a complete opt-out
option.
Once an opt-out request is received, your client has 10
business days to stop sending e-mails (within the same
scope of the request) to that address. The 10-business-
day period, with a slight modification, also covers
third parties acting on behalf of your client.
As alluded to earlier, the opt-out e-mail address your
client provides must be valid. Unless there is a
legitimate technical glitch involving that e-mail
address (the mail server unexpectedly crashed), it is
highly likely that a transmission will be considered
deceptive if recipients are unable to unsubscribe by
replying to it. Solution: Have a backup server. For a
relatively minimal cost it can help your client avoid
the problem in the first place (if it switches to the
backup on detecting a failure with the primary mail
server). Also, depending on how this backup server is
configured, it puts into place the mechanism for
addressing the requirement of having the problem
corrected within a "reasonable" time period.
This ties in to the next thing you should look into.
It's one thing to provide the opt-out mechanism, but
it's entirely another thing to actually take action on
it. Make sure your client has the policy and procedure
in place to honor an unsubscribe request. It is also a
good idea to make the suggestion to your client that he
or she go one step further and send an e-mail to
unsubscribers confirming that they have been
removed.
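The opt-out handling described above (suppression within the scope of the request, the 10-business-day clock, and monitoring that requests are actually acted on) as an added example; this is not code from the article. The registry is a hypothetical in-memory store, the holiday set is an assumption to be filled in, and all dates are constructed sample data.

```python
"""Opt-out registry with a 10-business-day compliance deadline.

Added example, not from the article. Assumes an in-memory store;
HOLIDAYS is an assumption the sender must fill in.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

HOLIDAYS: Set[date] = set()  # assumption: the sender's observed holidays


def add_business_days(start: date, days: int) -> date:
    """Date `days` business days after `start`, skipping weekends and HOLIDAYS."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in HOLIDAYS:
            remaining -= 1
    return current


@dataclass
class OptOut:
    address: str
    scope: str                      # "all" = complete opt-out, else a category
    received: date
    applied: Optional[date] = None  # when the suppression list was updated

    @property
    def deadline(self) -> date:
        # The act gives 10 business days to stop sending within the request's scope.
        return add_business_days(self.received, 10)


class OptOutRegistry:
    def __init__(self) -> None:
        self.requests: List[OptOut] = []

    def record(self, address: str, scope: str, received: date) -> OptOut:
        req = OptOut(address.lower(), scope, received)
        self.requests.append(req)
        return req

    def apply(self, req: OptOut, when: date) -> None:
        req.applied = when

    def may_send(self, address: str, category: str) -> bool:
        """Conservative: suppress as soon as a request is recorded, not at the deadline."""
        return not any(r.address == address.lower() and r.scope in ("all", category)
                       for r in self.requests)

    def overdue(self, today: date) -> List[OptOut]:
        """Requests past the 10-business-day deadline that nobody has applied yet."""
        return [r for r in self.requests if r.applied is None and today > r.deadline]
```

Run `overdue()` from a scheduled job so an unprocessed request surfaces before the deadline passes rather than after a complaint arrives.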
Make sure your client inserts disclaimers and
disclosures in a clear and conspicuous manner. The
recipient should not get carpal tunnel from scrolling to
the opt-out instructions. Barnes & Noble, for
example, uses the title "How to unsubscribe"
in their solicitation e-mails.
Instruct your client that address recycling is not
permitted: Neither it, as the sender, nor anyone else,
may sell opted-out e-mail addresses. Furthermore, if
your client buys e-mail address lists for its marketing
efforts, you should inquire with the seller about
whether it notified the owners of these addresses that
their address may be sold or transferred.
This inquiry goes toward complying with the prohibition
on harvesting and dictionary attacks. It also gives you
some insight into the seller's business practices and
provides your client with an opportunity to be more
selective about where it gets its lists.
Look at it this way: A seller that discloses its intention,
obtains and records permission is (arguably) more likely
to have higher-value addresses that will not negatively
reflect on your client's business when it uses them.
Also, it's important to keep in mind that if someone
suspects your client is spamming them they can (among
other things) report it and your client could find
itself on the MAPS RBL (the anti-spam
blacklist).
If relevant, you should be familiar with how your
client collects e-mail addresses. If your client
collected e-mail addresses using its Web site where its
privacy statement promised users it would never ever
give up their e-mail address, then that's it; it may not
do so. And if there were no such promise and your client
is going to sell the list, it may not include anyone who
asked to be removed from it. Even before this was the
law, it was (and still is) common sense and good
business practice.
Unless your client has what the act refers to as
"affirmative consent," which means the
recipient expressly consented to receive the message, it
must clearly identify the message as an ad or
solicitation. This is typically done by inserting
"ADV" in the subject line.
Another suggestion to consider in this regard is to
adopt what is called a double opt-in procedure. A user,
for example, requests a subscription to a newsletter
from your client. Your client's system essentially says
"OK, but we're first sending you an e-mail to the
address you entered. You, the would-be subscriber, now
need to open your e-mail program, open that e-mail and
click on a hyperlink that will finalize your
subscription process." Doing this ensures, for
example, that your client's newsletter won't be sent to
someone who was signed up by someone else.
The double opt-in is the best method by which to confirm
affirmative consent. And there is one more step: Make
sure your client safely keeps these e-mail transactions
for a very long time; you never know when you might need
it. Storage space is so cheap, there is little reason
not to do so.
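The double opt-in flow described above, with the confirmation link bound to the address by a keyed MAC so that a third party cannot forge a confirmation, plus the consent record the article says to keep, as an added example; this is not code from the article. The secret key, confirmation URL, 48-hour expiry and in-memory log are assumptions.

```python
"""Double opt-in confirmation tokens with a consent record.

Added example, not from the article. SECRET, BASE_URL and TOKEN_TTL
are assumptions; the consent log is an in-memory list.
"""
import base64, binascii, hashlib, hmac
from typing import List, Optional, Tuple

SECRET = b"replace-with-a-long-random-key"  # assumption: kept server-side only
BASE_URL = "https://example.com/confirm"    # assumption: placeholder URL
TOKEN_TTL = 48 * 3600                        # assumption: confirm within 48 hours


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())


def make_confirmation_link(address: str, issued: int) -> str:
    """Link placed in the confirmation e-mail; address and time are bound by the MAC."""
    payload = f"{address.lower()}|{issued}".encode()
    return f"{BASE_URL}?t={_b64(payload)}.{_sign(payload)}"


def parse_confirmation(token: str, now: int) -> Optional[Tuple[str, int]]:
    """Return (address, issued) if the token is authentic and unexpired, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):  # constant-time check
        return None
    address, issued_s = payload.decode().split("|", 1)
    issued = int(issued_s)
    return None if now - issued > TOKEN_TTL else (address, issued)


class ConsentLog:
    """Append-only record of each opt-in transaction (request and confirmation)."""
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def request(self, address: str, source_ip: str, now: int) -> str:
        self.entries.append({"event": "requested", "address": address.lower(),
                             "ip": source_ip, "at": now})
        return make_confirmation_link(address, now)

    def confirm(self, token: str, now: int) -> bool:
        parsed = parse_confirmation(token, now)
        if parsed is None:
            return False
        self.entries.append({"event": "confirmed", "address": parsed[0],
                             "issued": parsed[1], "at": now})
        return True

    def has_affirmative_consent(self, address: str) -> bool:
        return any(e["event"] == "confirmed" and e["address"] == address.lower()
                   for e in self.entries)
```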
The act sets a "knowing" standard for
prohibiting e-mail relay and you should advise your
client to take reasonable steps to ensure its own mail
server is not used as one. Similarly, your client's
employees should never be allowed to send e-mails using
someone else's server. This must be made clear in the
employee handbook and the IT folks should be instructed
to take measures to prevent it.
If your client has affirmative consent from recipients
that they want to receive e-mails with sexual content,
then that's pretty much all that's required (in addition
to the usual routing requirements mentioned above).
However, if no such prior affirmative consent was
provided, then messages containing sexual content must
include the warning "SEXUALLY EXPLICIT" in
bold ASCII text (which ensures broadest readability
across virtually all software platforms). Failure to
comply can lead to a fine or a five-year prison
term.
Finally, advise your client about the penalties. The
FTC can seek to enforce with five years in jail for
repeat offenders who also commit a felony. First-time
offenders can be slapped with a three-year prison term
and proceeds from the e-mailing campaign, computers,
software and other equipment used for it can be
confiscated.
State attorneys general can enforce with a civil action
against the spammer at a rate of $250 per message, up to
$2 million. ISPs can seek enforcement through a civil
action and get actual damages, $25 per offending e-mail,
limited to $1 million. A $100 fine per offending e-mail,
with no cap, is allowed where fraudulent information is
used in the headers.
And just in case there are doubts whether the act will
ever be enforced, consider this: In what is now known as
Case Number 04-80383, United States of America v.
Daniel J. Lin, James J. Lin, Chris Chung, and Mark M.
Sadek, Chung and Sadek have been arrested and arrest
warrants are outstanding for the other two. The act
means business.
Apart from being mandatory, compliance with CAN-SPAM
should not be difficult and can actually be turned into
a selling point for your client. Its customers and e-
mail recipients will appreciate knowing it is committed
to engage in responsible e-marketing practices. Your
client will also appreciate any effort that ensures its
name is not associated with money-transfer scams,
Viagra offerings, porn, effort-free PhD degrees or any
other idiotic and annoying e-mails.
For all these reasons and others mentioned throughout
this article, the cost of compliance is no doubt lower
than failing to comply.
Kahana is an associate at Weinblatt & Gaylord,
PLC, in St. Paul, Minn. His e-mail is eran@weglaw.com.