Focusing public attention on emerging privacy and civil liberties issues

SPAM - Unsolicited Commercial E-Mail

Top News

  • Federal Regulators Win Injunction Against Prescription Drug Spam Ring.Today, the Federal Trade Commission obtained a temporary injunctionagainst an international network of individuals responsible for billions of unsolicited commercial emails. The spammers allegedly used a world-wide network to barrage email users with deceptive offers for prescription drugs, including Viagra and weight loss medication. Federal regulators seek to shut down the network permanently, and recover monetary damages, which they estimate to be substantial. Four companies are accused of masterminding the spam plot, including two US firms, Tango Pay Inc. and Click Fusion Inc., as well two New Zealand entities. EPIC has advocated for restrictions on unsolicited commercial email, and supported substantial monetary penalties in federal regulatory actions. (Oct. 15, 2008)
  • Federal Court Applies Anti-Spam Protections to Web Site. Today, a federal court in Washington state allowed a spam lawsuit to proceed, even though the claimant is not an internet service provider. In Haselton v. Quicken Loans Inc., the web site Peacefire.org sued an alleged spammer for the harm inflicted by spam on Peacefire's online services. The court ruled that Peacefire, a web site that provides anti-censorship tools, is an "Internet access service," and therefore entitled to press its case under the CAN-SPAM act, the primary federal anti-spam law. The court further held that monetary damages are not limited to e-mail service providers. The ruling is consistent with other recent opinions that authorized anti-spam suits by Internet social-networking services such as Facebook and MySpace. EPIC has advocated for stronger anti-spam measures before Congress, state legislatures, and federal regulators. (Oct. 14, 2008)
  • EPIC Testifies Before the District of Columbia Council on Spam Legislation.EPIC Staff Counsel John Verdi testifiedbefore the District of Columbia Council on Bill 17-34, the District of Columbia Spam Deterrence Act of 2007. The bill would prohibit the transmission of false or misleading commercial email, create a civil cause of action and criminal penalties, and establish a private right of action for consumers. EPIC supported the legislation, noting that it provides stronger consumer privacy protections than the federal CAN-SPAM Act. (Mar. 12, 2008)
  • FTC Releases Spam Report.The Federal Trade Commission released a reporttoday that showed that spam filters and email address masking were effective in preventing spam generated by automatic email address harvesters. The study also showed that emails placed on web pages were more susceptible to harvesting than those posted on message boards or in newsgroups. (Nov. 28, 2005)
  • PIC: E-mail Users Should Be Able to Opt-Out from List Brokers.In commentsto the Federal Trade Commission on the CAN-SPAM Act, EPIC argued that individuals should be able to prevent direct marketing "list brokers" from selling lists containing their e-mail addresses. List brokers sell tens of thousands of lists containing e-mail addresses and other personal information, and are the driving force behind unwanted spam, telemarketing, and junk mail. For more information, see the EPIC Consumer Profilingpage. (June 27, 2005)
  • EPIC Comments on E-Mail Authentication.The Federal Trade Commission will hold a summit on e-mail authenticationfor spam prevention on November 9-10, 2004. In comments, EPIC has urged the Commission to carefully consider whether authentication schemes will erode e-mail users' anonymity. (Sept. 28, 2004)
  • FCC Imposes Rules on Internet Telephony; Bans Wireless Spam.The Federal Communications Commission has tentatively determined(pdf) that Internet phone calls are subject to wiretapping by law enforcement under the Communications Assistance for Law Enforcement Act (CALEA). EPIC had filed comments(pdf) earlier this year explaining that Internet telephony should not be subject to CALEA. Consistent with commentsfiled by EPIC in April, the Commission also ruled(pdf) that marketers cannot send commercial e-mail to wireless devices without the explicit consent of the consumer, a much stronger protection against spam than that provided by the CAN-SPAM Act passed by Congress last year. (Aug. 5, 2004)
  • EPIC Advocates Opt-In Privacy for Wireless Devices.In commentsto the Federal Communications Commission, EPIC urged the agency to create opt-in protections against "mobile service commercial messages," spam that is sent to cellular phones and other wireless devices. EPIC argued that without protections from these messages, individuals would be less likely to adopt wireless devices and that the cost of the messages would be transferred onto the device user. (Apr. 30, 2004)>
  • EPIC Comments on Do Not E-mail Registry.In commentsto the Federal Trade Commission, EPIC supported the creation of a Do Not E-mail Registry. If created, the Registry should list domain-level information rather than individual e-mail addresses. (Mar. 31, 2004)

Introduction

Spam is unsolicited commercial e-mail. It is sent, usually in bulk, through "open-relays" to millions of persons. Spam is cost-shifted advertising. It takes a toll on Internet users' time, their resources, and the resources of Internet Service Providers (ISP). Most recently, spammers have begun to send advertisements via text message to cell phones.

Spammers get e-mail addresses in three ways: by scavenging, the practice of automatically collecting e-mail addresses listed or posted on webpages and electronic bulletin boards; by guessing, where the spammer uses dictionary terms or randomly-generated strings to develop e-mail addresses; and by purchasing e-mail addresses through list brokers.

"Remove me" options on spam are often fake. That is, if you respond to request removal, you very well may be subjecting yourself to more spam, because by responding, the sender knows that your e-mail account is active. A 2002 study performed by the FTC demonstrated that in 63% of the cases where a spam offered a "remove me" option, responding either did nothing or resulted in more e-mail.

In December 2003, Congress passed 108 S. 877, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, known as the "CAN-SPAM" Act. The Act creates new penalties for sending deceptive spam advertising, but does not "can" truthful unsolicited commercial e-mail.

The Act defines spam as any message where the "primary purpose" is the "commercial advertisement or promotion of a commercial product or service." "Transactional or relationship" messages, that is, messages for account maintenance, product recall or safety information, or those necessary to complete a sale initiated by the recipient, are exempted from some provisions of the Act.

Under CAN-SPAM, unsolicited commercial messages must include notice that the message is an advertisement or solicitation, an opt-out notice, and a valid postal address of the sender.

CAN-SPAM prohibits falsification of transmission information and deceptive subject headings. The Act creates criminal prohibitions against those who knowingly transmit spam through others' computers without authorization. Also, the Federal Trade Commission may pursue individuals who knowingly hire others to send deceptive spam. However, these and other criminal provisions are encumbered by unusually burdensome litigation requirements. For instance, the prohibition on deceptive subject headings would require the government to prove in court that the sender knew that the message would mislead a reasonable recipient.

Spam with "sexually oriented" material must be labeled with a notice that will be developed by the Federal Trade Commission and the Attorney General in 2004.

The Act gives the Federal Trade Commission the authority to create a do-not-spam registry. The agency must issue a report to Congress on the feasibility of such a registry mid-year 2004, and may implement it in fall 2004.

Enforcement of the Act is limited to the Federal Trade Commission, state attorneys general, and Internet Service Providers. Some individuals may be able to qualify as Internet Service Providers, and bring lawsuits under the Act. But, damages are capped, and spammers can obtain a reduction in fines if they can show implementation of "reasonable practices" to avoid violation of the Act. In November 2003, the Internet Committee of the National Association of Attorneys General described this reduction in fines as "unprecedented in consumer protection law" and "an additional barrier to enforcement."

States have been much more aggressive in passing spam laws. Approximately 35 had anti-spam legislation prior to the passage of CAN-SPAM. CAN-SPAM supercedes most of those state laws, making them invalid. Most notably, California's spam law which was set to go into effect on January 1, 2004, was preempted. That law would have created opt-in protections against spam.

David Sorkin, author of Technical and Legal Approaches to Unsolicited Electronic Mail , catalogs a complete list of enacted state spam laws and pending federal legislation online at Spamlaws.com. Thus far, state spam laws have been upheld in at least two cases: Ferguson v. Friendfinders, Inc . 94 Cal.App.4th 1255, 115 Cal.Rptr.2d 258 (Cal.App.1st Dist. 2002); and State v. Heckel , 143 Wash. 2d 824, 24 P.3d 404 (2001).

Technological approaches have been somewhat successful in stemming spam. ISPs have engaged in filtering, especially when encountering bulk transmissions of e-mail, that has made it more difficult for spammers to reach users. Users have engaged in filtering, and the use of white and black lists. Perhaps the best approach to spam is to create a legislative framework to give individuals more control over their inbox, and to employ technological tools to stem the tide of spam.

  • 108 S. 877, The CAN-SPAM Act of 2003, THOMAS Database.
  • Letterfrom the NAAG Internet Committee Objecting to CAN-SPAM (PDF).

News

Resources

Some Spam-Fighting Technologies

  • EPIC Tools for Protecting Online Privacy. Has links to products that purport to enhance privacy. Please note that EPIC does not lobby for, consult, or advise companies, nor do we endorse specific products or services.

Previous Top News

  • Senate Approves Weak Spam Bill. The Senate has passed the CAN Spam Act. EPIC earlier testified before the Senateon the need for strong, effective measures to reduce spam. EPIC favors "opt-in" mailing lists, a private right of action for consumers, and freedom for states to pursue spammers, combined with technical measures and international cooperation. Members of the Privacy Coalitionalso announced a "Framework for Effective Spam Legislation."For more information, see EPIC Spam page.(Oct 23, 2003)
  • Pew Releases Spam Survey. The Pew Internet and American Life Project has released a report(pdf) entitled "Spam: How it is hurting email and degrading life on the Internet." The report found, among other things, that spam has had an increasingly negative effect on email usage, but that it effects personal email more than work email. For more information, see the Pew Internet and American Life Projectweb site and the EPIC Spam page. (October 22, 2003)
  • Groups Announce Spam Policy Framework. Members of the Privacy Coalitionwill announce today a "Framework for Effective Spam Legislation."See press advisoryand EPIC Spam page. (Jul 18, 2003)
  • Senate to Consider Spam.The Senate Commerce Committeewill explore Unsolicited Commercial Email, or "spam," at a hearing on May 21st. EPIC Executive Director Marc Rotenberg's testimonywill focus on the need for strong, effective measures to reduce spam. EPIC favors "opt-in" mailing lists, a private right of action for consumers, and freedom for states to pursue spammers, combined with technical measures and international cooperation. For more information, see EPIC Spam page. (May 20, 2003)
  • "Buffalo Spammer" Arrested.In a rare criminal caseagainst an alleged spammer, New York authorities have arrested a man accused of sending at least 825 million unsolicited emails. The man was charged with stealing the identities of two individuals to open Internet accounts through which he sent unsolicited bulk email. The Internet Service Provider Earthlink won a $16.4 million civil judgmentagainst the same spammer in federal court earlier in the month. (May 14, 2003)
  • FTC Finds Two-thirds of Spam Fraudulent. A Federal Trade Commission analysis of a random sample of 1,000 pieces of unsolicited email, found that 66 percent of the spam contained false claims. The reportfollows two previous studies that found that 86 percent of email addresses posted to websites and newsgroups received spam, and that 63 percent of email address removal requests were not honored. The agency released the report as it launched a three-day forumdesigned to explore solutions to the problems associated with spam. (April 29, 2003)
  • European Parliament Vote in Favor of Surveillance of Communications.Despite a successful campaign organized by a group of 60 civil liberties organizations from 15 countries with wide endorsement by more than 16,000 individuals from 73 countries, the EP has approved data retention. The European directive now makes it much easier for police to collect from Internet service providers and telephone companies a wide range of traffic data of their subscribers' phone calls, emails and Internet communications. On the other hand, the measure bans almost every future 'spamming' unless the addressee 'opts-in', and restricts the use of 'cookies'. For more details, see the new EPIC's data retention page. Meeting minutesand vote resultsare available. (May 30, 2002)
  • FTC Chairman Announces Privacy Agenda.Timothy Muris, Chairman of the Federal Trade Commission (FTC), today released a new privacy agendafor the agency. The agenda calls for a 50% increase in privacy resources, improved privacy complaint handling, more protection for consumers from spam, telemarketing, pretexting and ID theft, and increased enforcement of privacy policies and existing laws such as the Fair Credit Reporting Act (FCRA) and the Children's Online Privacy Protection Act (COPPA). The Chairman concluded, however, that it was "too soon" to recommend broad-based online privacy legislation. (Oct. 4, 2001)
  • ReverseAuction.com Settles Privacy Violation Charges.In FTC v. ReverseAuction.com, the Federal Trade Commission charged in its complaintthat the auction site had pursued "unfair and deceptive" practices in collecting email addresses from eBay customers and sending spam containing false information about the status of their accounts. The settlementwill require ReverseAuction.com to inform all the users they deceived, allow these customers to remove their registration information, and delete all email addresses unfairly obtained from eBay's site. (Jan. 6, 2000)