SPAM still pays: The failure of the CAN-SPAM Act of 2003 and proposed legal solutions

Harvard Journal on Legislation

Volumn 45, Issue 1, 2008, Pages 165-198

  Soma, John ^a   Singer, Patrick ^a   Hurd, Jeffrey ^a  

^a UNIVERSITY OF DENVER   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 41949114572     PISSN: 0017808X     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Article

References (258)

1. Controlling the Assault of Non-Solicited Pornography and Marketing Act, 15 U.S.C. § 7701 et seq. (2006).
2. For a detailed definition of spam, see DOUGLAS DOWNING, DICTIONARY OF COMPUTER AND INTERNET TERMS 471 (9th ed. 2006) ("Spam is unsolicited and unwelcome advertisements sent to people via e-mail or posted in newsgroups.").
3. Spam apparently gets its name from a Monty Python skit. Monty Python's Flying Circus (BBC One television broadcast Sept. 1970), available at http://video.google.com/videoplay?docid=5627694446211716271&q=monty+ python+spam&hl=en.
4. See, e.g., Brad Stone, Spam Doubles, Finding New Ways to Deliver Itself, N.Y. TIMES, Dec. 6, 2006, at Al.
5. Tom Zeller, Jr., New Law Barring Junk E-Mail Allows a Flood Instead, N.Y. TIMES, Feb. 1, 2005, at Al.
6. See, e.g., Microsoft Adds New Spam Filtering Technology Across E-mail Platforms, http://www.microsoft.com/presspass/features/2003/nov03/11- 17spamfilter.mspx (last visited Oct. 20, 2007) ("Recent reports also show that the volume of spam likely comprises more than 50 percent of total e-mail traffic today.");
7. Zeller, supra note 4 (noting that prior to the CAN-SPAM Act, spam comprised between 50% and 60% of all e-mail).
8. See Zeller, supra note 4;
9. see also MessageLabs, MessageLabs Intelligence, http://www. messagelabs.co.uk/intelligence.aspx (last visited Oct. 17, 2007).
10. According to Australian IT, a technology news website, nine out of ten e-mails are spam. Britain Under Spam Siege, AUSTRALIAN IT, Nov. 28, 2006, http://australianit.news.com.au/articles/0,7204,20835469%5E15 318%5E%5Enbv%5E,00.html.
11. Randall Stross, How to Stop Junk E-mail: Charge for the Stamp, N.Y. TIMES, Feb. 13, 2005, at C5.
12. Stone, supra note 3 at Al.
13. See Timothy J. Muris, Chairman, Fed. Trade Comm'n, Prepared Remarks at the Aspen Summit: Cyberspace and the American Dream (Aug. 19, 2003), http://www.ftc.gov/speeches/muris/030819aspen.htm#N_97.
14. The panelists at the forum included representatives of ISPs, marketers, law enforcement, legislators, technologists, and bulk e-mailers. Id.
15. Id.
16. 15 U.S.C. § 7701 et seq. (2006).
17. The term "rules of conduct" is used in Dominique-Chantale Alepin,"Opting-Out": A Technical, Legal and Practical Look at the CAN-SPAM Act of 2003, 28 COLUM. J.L. & ARTS 41, 44 (2004).
18. § 7704(a).
19. Id.
20. § 7707. For a more detailed discussion of the CAN-SPAM Act, see infra, Part III.B.
21. DEBORAH FALLOWS, PEW INTERNET & AMERICAN LIFE PROJECT, SPAM: HOW IT IS HURTING EMAIL AND DEGRADING LIFE ON THE INTERNET 7 (2003), http://www.pewinternet. org/pdfs/PIP_Spam_Report.pdf (last visited Oct. 4, 2007).
22. "Estimates of the financial costs of spam vary wildly. Research firms peg the price per worker at anywhere from $50 per worker to $1,400 per year. Others estimate the annual cost to American business to be between $10 billion and $87 billion." Id.
23. Meet the Kings of Spam, CBS NEWS, Aug. 5, 2002, http://www.cbsnews.com/stories/2002/08/05/tech/main517505. shtml [hereinafter Meet the Kings of Spam] ("'It's the marketing medium of the future. You can't get around it,' said [Tom] Cowles, [head of a large spam business,] whose MassiveFX e-mailing software allows a client to send a billion or so messages per month.").
24. Spam is generally filtered by software and hardware designed specifically for the task. Spam may be filtered by the e-mail client (e.g., Microsoft Outlook), by the e-mail server, by a separate device, or by all of the above in concert. Common methods of filtering involve white/black lists that identify valid and invalid senders, spam definitions, and Bayesian techniques. See, e.g., DICTIONARY OF COMPUTER AND INTERNET TERMS, supra note 2, at 471.
25. Troubleshooting problems with the spam filters generally involves identifying false-positives-i.e., legitimate e-mails that the filters identify as spam. See, e.g., Sharon Gaudin, False Positives: Spam's Casualty of War Costing Billions, DATAMATION, http://itmanagement.earthweb. com/secu/article.php/2245991 (last visited Oct. 4, 2007) ('"Of great importance to corporate is that 70 percent of people have not gotten e-mail that was expected.' ").
26. Muris, supra note 9.
27. Meet the Kings of Spam, supra note 17.
28. DICTIONARY OF COMPUTER AND INTERNET TERMS, supra note 2, at 267 (An "Internet Service Provider (access provider) is a company that provides its customers with access to the Internet, typically through DSL, a cable modem, or dial-up networking.").
29. Meet the Kings of Spam, supra note 17.
30. See Muris, supra note 9, for an example of the extremely low response rate required to make spamming profitable-i.e., 0.0001%.
31. Whether legal or non-legal, any solution to the problem of spam e-mail will require technological relevance. However, the public and private entities that develop relevant technologies will be motivated by legal and economic risks and incentives. See John C. Klensin, Taking Another Look at the Spam Problem, INTERNET PROTOCOL J., Dec. 2005, at 15, available at http://www.cisco.com/web/about/ac123/ac147/archived_issues/ ipj_8-4/ipj_8-4.pdf ("In order to design effective technological countermeasures with predictable and acceptable side-effects, we must first understand what measures society is willing to take-what laws it is willing to pass and enforce to make spam a criminal or civilly-punishable act-to set an appropriate context and set of boundary conditions.").
32. See Alepin, supra note 12, at 44;
33. Gaudin, supra note 18.
34. For details about spam filters, see DICTIONARY OF COMPUTER AND INTERNET TERMS, supra note 2, at 471-72.
35. See Gaudin, supra note 18;
36. see also Stefanie Olsen, Canning Spam Without Eating Up Real Mail, CNET NEWS.COM, July 12, 2002, available at http://www.news.com/2100-1023-943337.html;
37. Gene J. Koprowski, Spam Filtering and the Plague of False Positives, TECHNEWSWORLD, Sept. 30, 2003, available at http://www.technewsworld.com/story/31703.html.
38. See Muris, supra note 9.
39. For an excellent description of how e-mail systems work (and why a National Do Not E-mail Registry will not work), see FED. TRADE COMM"N, NATIONAL DO NOT EMAIL REGISTRY: A REPORT TO CONGRESS (2004) [hereinafter 2004 FTC REPORT], available at http://www.ftc.gov/reports/ dneregistry/report.pdf.
40. Muris, supra note 9.
41. See Meet the Kings of Spam, supra note 17.
42. See infra Part II for more details about current proposed non-legal solutions to the problem of spam.
43. Id.
44. See Gates: Buy Stamps to Send E-mail, CNN.COM, Mar. 5, 2004, http://www.cnn.com/2004/TECH/internet/03/05/spam.charge.ap;
45. Microsoft Research, The Penny Black Project, http://research.microsoft. com/research/sv/PennyBlack/(last visited Oct. 4, 2007) ("In a nutshell, the idea is this: 'If I don't know you, and you want to send me mail, then you must prove to me that you have expended a certain amount of effort, just for me and just for this message.'"). The idea behind the Penny Black project has been around for over a decade. See Cynthia Dwork & Moni Naor, Pricing via Processing or Combatting Junk Email, 740 LECTURE NOTES IN COMPUTER SCI. 139 (1993), available at http://research.microsoft.com/research/sv/PennyBlack/junk1 .pdf.
46. Id.
47. CertifiedEmail Program Description, http://postmaster.aol.com/whitelist/ certifiedemail. html#begin (last visited Oct. 20, 2007).
48. See, e.g., Verne Kopytoff, Spam Mushrooms, S.F. CHRON., Sept. 2, 2004, at C1;
49. John Korsak, Want to Stop Spam? Multiple Techniques in Unison is the Answer, 24 COMPUTER TECH. REV. 1, 36 (2004);
50. CAN-SPAM Act Continues to Come Up Short in Efforts to Curb Unsolicited E-mail, BUSINESS WIRE, Dec. 14, 2006, http://www.tmcnet.com/usubmit/2006/12/14/2170295.htm.
51. Mike Musgrove, Paid E-mail Seen as Sign of Culture Change, WASH. POST, Feb. 7, 2006, at D5 ("With the accompanying seal, recipients can be confident that an e-mail came from, say, the American Red Cross-one early customer of the service-and not from some hacker in Russia trying to trick users out of their credit card numbers.").
52. See Goodmail Systems, Who Accepts Certified Email?, http://www.goodmailsystems. com/partners/who_accepts.php (last visited Nov. 17, 2007).
53. Goodmail Systems, CertifiedEmail, http://web.archive.org/web/ 20060301005319/www. goodmailsystems.com/certifiedmail/(last visited Nov. 17, 2007).
54. See Microsoft Research, supra note 35.
55. Cynthia Dwork & Andrew V. Goldberg, Common Misconceptions about Computational Spam-Fighting, http://research.microsoft.com/research/sv/ PennyBlack/spam-com.html (last visited Oct. 4, 2007).
56. See Gates: Buy Stamps to Send E-mail, supra note 35;
57. Microsoft Research, supra note 35.
58. Dwork & Naor, supra note 35.
59. See Dwork & Goldberg, supra note 42.
60. See Russ Jones, The False Promise of Frictionless Commerce, GLENBROOK PARTNERS, Jan. 15, 2003, http://www.glenbrook.com/ 2003/01/the_false_promi.html.
61. Jones notes that a further challenge to implementation is that there are problems with systems only being efficient on a large scale. As a result, they are hard to implement because they only make sense once they are widely adopted and they are difficult to implement widely. "Taken together, in our opinion, it is difficult to come to market as a micropayment provider that must (1) simultaneously woo both consumers and digital content providers needed to (2) achieve early adoption traction before (3) someday achieving scale in order to (4) exploit a transaction cost advantage that is critical for (5) being financially viable. There are just too many inter-dependencies in this business model." Id.
62. Id.
63. Video: An Economic Response to Unsolicited Communication (Marshall Van Alstyne 2006), available at http://video.google.com/videoplay?docid= 1483515704800867685&q= spam+and+false-positives&hl=en.
64. See also Theodore Loder et al., An Economic Response to Unsolicited Communication, 6 ADVANCES ECON. ANALYSIS & POL'Y (2006), available at http://www.bepress.com/bejeap/advances/vol6/iss1/art2.
65. See Loder et al., supra note 48.
66. Id.
67. See Jones, supra note 46.
68. "Spam zombies," or "spam bots," are computers that are part of a distributed network designed to send spam e-mail. These networks, or "botnets," are created by infecting unwitting users' computers with malicious software designed specifically for the purpose of spamming. See, e.g., John Markoff, Attack of the Zombie Computers is a Growing Threat, N.Y. TIMES, Jan. 7, 2007, at Al.
69. See supra note 46 and accompanying text.
70. Central Hudson Gas & Elec. Co. v. New York, 447 U.S. 557, 561-62 (1980).
71. See, e.g.. White Buffalo Ventures LLC v. Univ. of Tex. at Austin, 420 F.3d 366, 374 (2005).
72. See Rowan v. U.S. Post Office Dep't, 397 U.S. 728 (1970) (postal mail);
73. FTC v. Main-stream Mktg. Servs., Inc., 358 F.3d 1228 (10th Cir. 2004) (phone calls);
74. Missouri ex rel. Nixon v. Am. Blast Fax, Inc., 323 F.3d 649 (8th Cir. 2003), cert, denied, 540 U.S. 1104 (2004) (junk faxes).
75. These cases are reviewed in Alepin, supra note 12, at 49-53.
76. 15 U.S.C § 7707(b) (2006).
77. For a definition of commercial speech, see Aitken v. Communications Workers of America, 496 F. Supp 2d 653, 664 (2007) (holding that "whether speech is commercial depends on whether it 'proposes a commercial transaction' or promotes specific products or services")
78. (citing Bd. of Trustees of State Univ. of N.Y. v. Fox, 492 U.S. 469, 473 (1989)
79. and Vill. of Schaumburg v. Citizens for a Better Env't, 444 U.S. 620, 632 (1990)).
80. Rowan, 397 U.S. at 737. Those that determine what constitutes "consumer privacy" rely in part on common sense.
81. Fraternal Order of Police v. Stenehjem, 287 F. Supp 2d 1023, 1027 (D.N.D. 2003), rev'd on other grounds, ("Simple common sense dictates that an unwanted call from a telemarketer would be an invasion of privacy.").
82. Central Hudson Gas & Elec. Co. v. New York, 447 U.S. 557, 561-62 (1980).
83. Id. at 562-63 ("The Constitution therefore accords a lesser protection to commercial speech than to other constitutionally guaranteed expression.")
84. Id. at 564 ("If the communication is neither misleading nor related to unlawful activity, the government's power is more circumscribed. The State must assert a substantial interest to be achieved by restrictions on commercial speech.").
85. See also Stenehjem, 287 F. Supp 2d at 1027.
86. Stenehjem, 287 F. Supp 2d at 1026
87. (citing Central Hudson, 447 U.S. at 577).
88. See also Alepin, supra note 12, at 52.
89. See City of Cincinnati v. Discovery Networks, Inc., 507 U.S. 410, 417 (1993).
90. Missouri ex rel. Nixon v. American Blast Fax, Inc., 323 F.3d 649, 654 (8th Cir. 2003), (internal quotations omitted)
91. (quoting Florida Bar v. Went For It, Inc., 515 U.S. 618, 628 (1995)).
92. American Blast Fax, 323 F.3d at 652.
93. See also Telephone Consumer Protection Act of 1991, 47 U.S.C. § 227 (2006).
94. See Moser v. FCC, 46 F.3d 970, 972 (9th Cir. 1995).
95. Courts have also distinguished advertising from solicitation, with advertising having more protection under the First Amendment than solicitation. Silverman v. Walkup, 21 F. Supp 2d 775, 778 (E.D. Tenn. 1998).
96. The Do Not Call Registry has been very effective at stopping telemarketing calls. See Press Release, Fed. Trade Comm'n, National Do Not Call Registry Celebrates One-Year Anniversary (June 14, 2004), http://www.ftc.gov/opa/2004/06/dncanny.shtm ("The Do Not Call Registry has made dinnertime interruptions a thing of the past.").
97. The Registry was upheld following a First Amendment "content based restriction" challenge in Mainstream Marketing Systems, Inc. v. FTC, 358 F.3d 1228, 1232-33 (10th Cir. 2004).
98. Note that the FTC has determined that an opt-in e-mail registry would be counterproductive. See 2004 FTC REPORT, supra note 29.
99. See, e.g., Bolger v. Youngs Drug Prods. Corp., 463 U.S. 60, 70 (1983) (quoting Consol. Edison Co. v. Pub. Serv. Comm'n, 447 U.S. 530, 542 (1980)).
100. 39 U.S.C § 3010 (2006).
101. See, e.g., Destination Ventures, Ltd. v. FCC, 844 F. Supp. 632, 635 (D.Or. 1994) ("In the case of fax advertising ... the recipient assumes both the cost of the associated with the use of the facsimile machine and, the cost of the expensive paper used to print out facsimile messages. It is important to note that these costs are borne by the recipient of the fax advertisement regardless of their interest in the product or service being advertised.").
102. White Buffalo Ventures LLC v. Univ. of Tex. at Austin, 420 F.3d 366, 374 (2005).
103. Id. at 369.
104. See also Jameel Harb, White Buffalo Ventures, LLC v. University of Texas at Austin: 77ie CAN-SPAM Act & the Limitations of Legislative Spam Controls, 21 BERKELEY TECH. L.J. 531, 546 (2006). Harb argues that legislation will not solve spam because the only effective solution-banning spam per se-will have a chilling effect on speech and thus violate the First Amendment. However, under the author's own analysis, spam is even more onerous than a junk fax or a prerecorded telemarketing call, both of which have been outlawed per se without the bans being ruled unconstitutional under the First Amendment. Applying the Fifth Circuit's reasoning in permitting the University of Texas to block all spam, it follows that Congress should be permitted to seek the same anti-spam result through federal legislation such as that proposed in Part IV.
105. White Buffalo Ventures, 420 F.3d at 374.
106. Id. at 375.
107. See also id. at 377 ("[D]eclaring server integrity to be a substantial interest without evidentiary substantiation might have unforeseen and undesirable ramifications in other online contexts.").
108. Id. at 374-76.
109. Id. at 369.
110. Harb, supra note 73, at 542 ("[B]ecause UT justified at least one of its substantial interests under the user efficiency rationale, the court held that UT's anti-spam policy survived First Amendment scrutiny and was constitutionally permissible under Central Hudson, irrespective of UT's failure to support its server efficiency argument.").
111. White Buffalo Ventures, 420 F.3d at 378.
112. See, e.g., Shunning Spam, CBS NEWS, July 13, 2003, http://www.cbsnews.com/stories/2003/07/10/sunday/main562630.shtml ("'The Can Spam act is basically about empowering the consumer, making sure that the consumer can say they don't want to receive this material, and then [imposing] stiff penalties for misrepresentation .... People have got to identify themselves and they can't use all these dodges and ruses to get around it.'").
113. Id.
114. Jonathan Krim, Anti-Spam Bill Gains in Senate; Big Internet Firms Endorse Measure, WASH. POST, June 20, 2003, at E5.
115. See also Press Release, Fed. Trade Comm'n, National Do Not Call Registry Celebrates One-Year Anniversary (June 24, 2004), http://www.ftc.gov/ opa/2004/06/dncanny.shtm ("We set out to give consumers a choice about the calls coming into their homes, and the program is a resounding success.").
116. See Zeller, supra note 4.
117. Id.
118. See also FED. TRADE COMM'N, THE CAN-SPAM ACT: REQUIREMENTS FOR COMMERCIAL EMAILERS (2004), http://www.ftc.gov/bcp/conline/ pubs/buspubs/canspam.htm.
119. 15 U.S.C. § 7704(a)(3) (2006).
120. § 7704(a)(5).
121. § 7706(c).
122. § 7706(d).
123. § 7706(b)(3).
124. § 7706(b)(10).
125. § 7706(b)(1)(B).
126. § 7706(b); § 7706(f); § 7706(g).
127. § 7706(g)(1)-(3).
128. This conclusion is held almost universally. See Stross, supra note 7 ("The law did not prohibit unsolicited commercial e-mail and has turned out to be worse than useless. 'Before Can-Spam, the legal status of spam was ambiguous,' said Professor David E. Sorkin, an associate professor at the Center for Information Technology and Privacy Law at the John Marshall Law School in Chicago. 'Now, it's clear: it's regarded as legal.'").
129. See also Harb, supra note 73, at 535 ("[T]he CAN-SPAM Act has been viewed as less restrictive [than the patchwork of numerous conflicting state laws], and ultimately as less effective. ... As it stands now, neither state nor federal attempts appear to have had any meaningful effect on reducing the aggregate level of spam.").
130. See generally Lily Zhang, The CAN-SPAM Act: An Insufficient Response to the Growing Spam Problem, 20 BERKELEY TECH. L.J. 301 (2005).
131. See generally Klensin, supra note 24;
132. The Spamhaus Project, Spamhaus Position on CAN-SPAM Act of 2003 (S.877/HR 2214) (2003), http://www.spamhaus.org/position/CANSPAM_Act_2003.html.
133. See Klensin, supra note 23.
134. See supra notes 11-15 and accompanying text.
135. Jared Strauss, The Do Not Call List's Big Hangup, 10 RICH. J.L. & TECH. 27, 28 (2004).
136. 15 U.S.C. § 7704(a)(5) (2006).
137. See, e.g., The Spamhaus Project, Should You Send "Removes" Back to Spammers?, http://www.spamhaus.org/removeisformugs. html (last visited Oct. 18, 2007) ("By sending back a 'remove me' opt-out request you are confirming to the spammer that your address is live, you are confirming that your ISP doesn't use spam filters, you are confirming that you actually open and read spams, and that you follow the spammer's instructions such as 'click this to be removed.' You are the perfect candidate for more spam.").
138. See Do-Not-Call Implementation Act, 149 CONG. REC. H412 (daily ed. Feb. 12, 2003) (statement of Rep. Dingle).
139. See also Strauss, supra note 97, at 28-30.
140. The ban on junk faxes has been updated by the Junk Fax Prevention Act of 2005, Pub. L. No. 109-21, § 2, 119 Stat. 359, 359 (codified as amended at 47 U.S.C. § 227(b)(1)(C) (2006)).
141. Initial FTC efforts to limit unsolicited telemarketing involved tasking the telemarketers themselves with maintaining do-not-call lists. This proved ineffective and so the National Do Not Call Registry was created. See FED. TRADE COMM'N, ANNUAL REPORT TO CONGRESS FOR FY 2005 (2006), available at http://www.ftc.gov/os/2006/07/P034305HscalYear2005 NationalDoNotCallRegistryReport.pdf.
142. The report stated: The National Do Not Call Registry is, by virtually every available measure, an effective consumer protection initiative. By the end of FY 2005, more than 107 million telephone numbers were registered, and the available data show that compliance with the National Do Not Call Registry provisions of the Amended Telemarketing Sales Rule ('TSR') is high and that, as a result, consumers are receiving fewer unwanted telemarketing calls. Id. (footnote omitted).
143. Strauss, supra note 97, at 28-30.
144. Missouri ex rel. Nixon v. Am. Blast Fax, Inc., 323 F.3d 649, 660 (8th Cir. 2003);
145. Mainstream Mktg. Sys., Inc. v. FTC, 358 F.3d 1228, 1251 (10th Cir. 2004).
146. See also Grant Gross, Court Upholds Junk Fax Ban, Spam Next?, IDG NEWS SERV., Mar. 23, 2004, http://www. infoworld.com/article/03/03/24/HNantispam_l.html.
147. Interestingly, Congress evaluated twenty-eight proposed anti-spam laws before passing the CAN-SPAM Act of 2003. See, e.g., Anti-Phishing Act of 2005, S.472, 109th Cong. (2005). In this context, the CAN-SPAM Act should be viewed as only the first step in the legislative effort to solve the problem of spam.
148. Strictly speaking, the CAN-SPAM Act does not define illegal spam, but instead proscribes various types of e-mail with codes of conduct. See discussion supra Introduction and Part III.B. For a discussion of UCE by the FTC,
149. see Spamming: Hearing Before the Subcomm. on Communications of the S. Comm. on Commerce, Science, and Transportation, 107th Cong. 6-16 (2001) (prepared statement of Eileen Harrington, Associate Director of Marketing Practices, FTC Bureau of Consumer Protection), available at http://frwebgate.access.gpo.gov/cgibin/useftp.cgi?IPaddress=162.140.64. 182&filename=88536.pdf&directory=/diska/wais/data/107_senate_hearings.
150. For a detailed discussion of the various codes of conduct found in the CAN-SPAM Act of 2003, see generally Alepin, supra note 12.
151. Eileen Harrington, Fed. Trade Comm'n Bureau of Consumer Prot., Statement to the Senate Subcomm. on Commc'n: Unsolicited Commercial E-mail, (Apr. 26, 2001), available at http://www.ftc.gov/os/2001/04/unsolicommemail.htm.
152. See also Spamming: The E-mail You Want to Can: Hearing before the Subcomm. on Communications of the S. Comm. on Commerce, Science, and Transportation, 106th Cong. 25 (1999) (prepared statement of Eileen Harrington, Associate Director of Marketing, FTC Bureau of Consumer Protection), available at http://frwebgate.access.gpo.gov/cgi-bin/useftp.cgi? IPaddress = 162.140.64.182&filename=610 40.pdf&directory=/data/wais/ data/106_house_hearings, ("Unsolicited commercial e-mail-'UCE,' or 'spam,' in the online vernacular-is any commercial electronic mail message sent, often in bulk, to a consumer without the consumer's prior request or consent.").
153. See the Introduction and Part III.B. for an overview of the codes of conduct found in the CAN-SPAM Act of 2003. See also Alepin, supra note 12.
154. Alepin, supra note 12.
155. See discussion infra Part IV.A.
156. Finally, A Ban on Spam in the Netherlands, XS4ALL NEWS (Amsterdam), May 18, 2004, http://www.xs4all.nl/nieuws/bericht.php?taal= en&id=28&is=28&msect=nieuws.
157. Press Release, The European Commission, Fighting Spam, Spy ware and Malicious Software: Member States Should Do Better, Says Commission (Nov. 27, 2006), available at http://europa.eu/rapid/pressReleasesAction.do? reference=ip/06/1629&format=HTML&aged =O&language= EN&guiLanguage=en.
158. "Because an open relay is an e-mail server configured to accept and transfer e-mail on behalf of any user anywhere, including unrelated third parties, spammers can route their e-mail through servers of other organizations, disguising the origin of the e-mail. An open proxy is a mis-configured proxy server through which an unauthorized user can connect to the Internet. Spammers use open proxies to send spam from the computer network's ISP or to find an open relay." Timothy J. Muris, Chairman, Fed. Trade Comm'n, Remarks at the Progress and Freedom Foundation Aspen Summit on Cyberspace and the American Dream (Aug. 19, 2003), available at http://www.ftc.gov/speeches/muris/ 030819aspen.shtm.
159. Id.
160. Central Hudson Gas & Elec. Co. v. New York, 447 U.S. 557, 561-62 (1980).
161. Id. at 564.
162. A content-based restriction is defined as follows: "A restraint on the substance of a particular type of speech. This type of restriction are [sic] presumptively invalid but can survive a constitutional challenge if it is based on a compelling state interest and its measures are narrowly drawn to accomplish that end." BLACK'S LAW DICTIONARY 337 (8th ed. 2004).
163. See also Boos v. Barry, 485 U.S. 312, 320-22 (1988).
164. Central Hudson, 447 U.S. at 566.
165. In Central Hudson, the Supreme Court held that promotional advertising regarding the fairness and efficiency of electricity rates furthered "a clear and substantial governmental interest" in energy conservation. Id. at 569.
166. See generally Strauss, supra note 97.
167. FTC v. Mainstream Mktg. Servs., Inc., 358 F.3d 1228, 1232-33 (10th Cir. 2004).
168. 2004 FTC REPORT, supra note 29.
169. Id.
170. Id.
171. Id.
172. Id. at 14.
173. Id. at 15.
174. See Muris, supra note 113.
175. See 2004 FTC REPORT, supra note 29.
176. "Do Not E-mail" Site a Scam, U.S. Officials Say, REUTERS, Feb. 13, 2004, available at http://www.usatoday.com/ news/nation/2004-02-13-no-spam-list-scam_x.htm.
177. Id.
178. FTC v. Mainstream Mktg. Servs., Inc., 358 F.3d 1228, 1233 (10th Cir. 2004).
179. See Spamhaus.org, Acceptable Use Policies ("AUP"), http://www.spamhaus.org/aups. html (last visited Oct. 3, 2007).
180. Message level authentication involves authenticating the content of the e-mail itself. For example, a technology called S/MIME uses public/private key cryptography to authenticate e-mail messages. See Webopedia Computer Dictionary, Definition of S/MIME, available at http://www.webopedia.eom/ TERM/S/S_MIME.htm (last visited Oct. 21, 2007).
181. Examples of user level authentication include Certified Server Validation ("CSV"), Sender Policy Framework ("SPF'), and Sender-ID. See also Mark Brownlow, Email Authentication (2006), http://www.email-marketing- reports.com/emailauthentication.htm (last visited Oct. 3, 2007).
182. An IP address is a number that uniquely identifies a network device. See Central Washington University Brooks Library, Glossary of Library & Computing Terms, http://www. lib.cwu.edu/research/help/cwuglos.html (last visited Oct. 3, 2007).
183. To date, the most popular form of user level authentication is SPF. SPF verifies the envelope sender address against an SPF record in DNS. The SPF record is configured by the domain operator to include the IP address of legitimate e-mail senders for the domain. For example, the operator of du.edu might indicate in his or her SPF record that mail from du.edu should come from 130.253.1.75. See Sender Policy Framework, Introduction, http://www. openspf.org/Introduction (last visited Oct. 3, 2007).
184. See also Craig Spiezl, The Urgent Need to Implement E-Mail Authentication, http://aotalliance.org/resources/why_email_authentication. pdf (last visited Oct. 3, 2007).
185. See Comcast, Frequently Asked Questions, http://www.comcast.net/ help/faq/index.jsp? faq=email 118405 (last visited Oct. 3, 2007).
186. CSV is a system that validates the IP address of the sending e-mail server. Mutual Internet Protocol Associates, Certified Server Verification, http://mipassoc.org/csv/(last visited Oct. 3, 2007). See also Dave Crocker, Challenges in Anti-Spam Efforts, INTERNET PROTOCOL J., Dec. 2005, at 2, 12, available at http://www.cisco.com/web/about/ac123/acl47/archived_issues/ipj_8-4/ipj_8-4.pdf.
187. Comcast requires that the IP address used by the sending e-mail server have a valid reverse DNS record. For example, when the Comcast e-mail system receives an e-mail from me@mydomain.com originating at IP address 4.4.4.4, it performs a reverse DNS lookup on that IP address. The resulting record must be valid according to Comcast's requirements. See Comcast, supra note 137.
188. The administrator must have control over the DNS servers for the sending domain to create a PTR Record for the sending IP address(es).
189. See Markoff, supra note 52, at A5.
190. The main types of authentication for e-mail are sender authentication, content authentication, and hybrid authentication. Sender authentication includes CSV, SPF, and Sender-ID. Content authentication includes Secure MIME ("S/MIME"), Pretty Good Privacy ("PGP"), and PGP/MIME. An example of hybrid authentication is Domain Keys Identified E-mail ("DKIM").
191. See Markoff, supra note 52, at A5 ("Last month, for the first time ever, a single Internet service provider generated more than one billion spam e-mail messages in a 24-hour period, according to a ranking system maintained by Trend Micro, the computer security firm.").
192. See 15 U.S.C. § 7705 (2006).
193. See, e.g., Saul Hansell, Totaling Up the Bill For Spam, N.Y. TIMES, July 28, 2003, at Cl.
194. Theodore Loder brought the location-of-the-filter argument to our attention. See Loder et al., supra note 48.
195. The possibility of using ISP trade associations is mentioned briefly in Alepin, supra note 12, at 63. However, the thrust of the suggestion is more toward how ISPs can protect themselves rather than how consumers and businesses can be protected by disincentivizing spam facilitation through the imposition of legal liability.
196. CompuServe, Inc. v. Cyber Promotions, Inc., 962 F. Supp. 1015 (S.D. Ohio 1997).
197. Id. at 1022-23.
198. Id. at 1023.
199. For a brief survey of pre-CAN-SPAM Act cases see Alepin, supra note 12, at 61-63.
200. See also Classified Ventures, L.L.C v. Softcell Mktg., Inc., 109 F. Supp 2d 898 (E.D. Ill. 2000) (trademark infringement);
201. Verizon Online Servs. v. Ralsky, 203 F. Supp 2d 601 (E.D. Va. 2002) (trespass to chattels).
202. Alepin, supra note 12, at 62.
203. See generally David Clark, The Design Philosophy of the DARPA Internet Protocols, 18 ACM SIGCOMM COMPUTER COMM. REV. 106 (1988), available at http://nms.csail.mit.edu/6829- papers/darpa-internet.pdf.
204. See 2004 FTC REPORT, supra note 29.
205. See DEFENSE ADVANCED RESEARCH PROJECTS AGENCY, DARPA'S STRATEGIC PLAN (2007), available at http://www.darpa.mil/body/pdf/ DARPA2007StrategicPlanfinalMarch14.pdf.
206. BERNADETTE H. SCHELL & CLEMENS MARTIN, WEBSTER'S NEW WORLD HACKER DICTIONARY 290 (2006).
207. Clark, supra note 153, at 116.
208. Id. at 107.
209. Id.
210. See Wikipedia, Telephone Exchange, http://en.wikipedia.org/wiki/ Telephone_exchange (last visited Oct. 21, 2007).
211. An e-mail server is a computer that stores e-mail. "Relaying" involves sending an e-mail message to a server that then retransmits it toward the recipient e-mail server. For more detail, see SCHELL & MARTIN, supra note 156, at 287.
212. See id. at 231.
213. Technologist John C. Klensin has argued that without a clear legal standard defining what constitutes illegal spam as opposed to other forms of e-mail, any technological solution will be futile. Klensin, supra note 23. According to Klensin, "to design effective technological countermeasures with predictable and acceptable side-effects, we must first understand what measures society is willing to take-what laws it is willing to pass and enforce to make spam a criminal or civilly-punishable act-to set an appropriate context and set of boundary conditions." Id.
214. See Loder et al., supra note 48.
215. See id.
216. See Ross Anderson, Why Cryptosystems Fail, 1993 1ST ACM CONF. ON COMPUTER & COMMC'N. SECURITY 215, available at http://www.cl.cam.ac.uk/~rja14/Papers/wcf.pdf.
217. Loder et al., supra note 48.
218. Id.
219. CSV is a system that validates the IP address of the sending mail server. This is done by querying DNS to determine if the sending IP address is associated with the domain name in the HELO element of the e-mail envelope. Additionally, the system may also query an accreditation service to determine the relative trustworthiness of the sending server. See Crocker, supra note 138, at 12 (discussing CSV).
220. See Comcast, supra note 137.
221. See White Buffalo Ventures LLC v. Univ. of Tex. at Austin, 420 F.3d 366, 374 (2005). The court noted that "declaring server integrity to be a substantial interest without evidentiary substantiation might have unforeseen and undesirable ramifications in other online contexts."
222. Id.
223. See Stross, supra note 7 ("This month, MCI found
224. AOL, Phishing Protection - AOL Internet Security Central, http://safety.aol.com/isc/SiteSecurity (last visited Oct. 3, 2007).
225. Microsoft, Windows Live Hotmail, http://get.live.com/mail/features (last visited Oct. 3, 2007).
226. White Buffalo Ventures, 420 F.3d at 375.
227. But see COMPUSERVE, 962 F. Supp. at 1017 (granting a preliminary injunction against spammer Cyber Promotions, Inc., on the basis of a claim that advertising e-mails constituted trespass to chattels).
228. Hansell, supra note 145 at C1.
229. Specifically, the recipient's time is spent in filtering spam and unfiltering legitimate e-mail that was filtered as spam, and the recipient's money is spent on anti-spam software and services.
230. See CAL. BUS. & PROF. CODE §17538.4 (West Supp. 2004);
231. DEL. CODE ANN. tit. 11, §§ 931, 937-38 (1999).
232. See Alepin, supra note 12, at 58; Kenneth C. Amaditz, Canning "Spam" in Virginia: Model Legislation to Control Junk E-mail, A VA. J.L. & TECH. 4, 74 (1999) (noting that general ISP reluctance to stop spam means that "an anti-spam law would be incomplete without a cause of action for e-mail users").
233. A "honeypot" is a computer system designed to detect unauthorized access and manipulation of information systems by attracting hackers and then monitoring what they do. See DICTIONARY OF COMPUTER AND INTERNET TERMS, supra note 2, at 244.
234. 15 U.S.C. §7707(b) (2006).
235. The statute provides in relevant part: A person or entity may, if otherwise permitted by the laws or rules of court of a State, bring in an appropriate court of that State - (A) an action based on a violation of this subsection or the regulations prescribed under this subsection to enjoin such violation, (B) an action to recover for actual monetary loss from such a violation, or to receive $500 in damages for each such violation, whichever is greater, or (C) both such actions. 47 U.S.C. §227(b)(3) (2000).
236. At least one court has made reference to this rationale for implementing standing. See Int'l Sci. & Tech. Inst., Inc. v. Inacom Commc'n, Inc., 106 F.3d 1146, 1157 (4th Cir. 1997).
237. See supra note 179.
238. See also Jeffrey D. Zentner, State Regulation of Unsolicited Bulk Commercial E-mail and the Dormant Commerce Clause, 8 VAND. J. ENT. & TECH. L. 477, 488 (2006) ("As soon as the Act was passed, however, one particular provision of the Act became a lightning rod for criticism. The provision at issue stated that the Act supersedes all state statutes, rules, and regulations that regulate the sending of commercial e-mail, except to the extent that any such regulation addresses falsification or deception in spam e-mails.").
239. 15 U.S.C. §7701(a)(11) (2006) ("Many States have enacted legislation intended to regulate or reduce unsolicited commercial electronic mail, but these statutes impose different standards and requirements. As a result, they do not appear to have been successful in addressing the problems associated with unsolicited commercial electronic mail, in part because, since an electronic mail address does not specify a geographic location, it can be extremely difficult for law-abiding businesses to know with which of these disparate statutes they are required to comply.").
240. See supra Part III.
241. Webchat Interview with Yael Weinman, Legal Counsel for Int'l Consumer Prot., U.S. Fed. Trade Comm'n Office of Int'l Affairs, and Michael Davis, Staff Attorney, U.S. Fed. Trade Comm'n Office of Int'l Affairs (Feb. 7, 2007), available at http://usinfo.state.gov/usinfo/Archive/2007/Feb/07-823804. html (noting that the FTC has brought 89 spam cases against 241 defendants since 1997, of which only 26 cases were brought after the passages of the CAN-SPAM Act).
242. See generally Meyer Potashman, International Spam Regulation & Enforcement: Recommendations Following the World Summit on the Information Society, 29 B.C. INT''L & COMP. L. REV. 323 (2006) (reviewing measures intended to address the international nature of spam).
243. Id. at 335.
244. See Alepin, supra note 12, at 70.
245. Id. ("Preliminary results from these efforts are encouraging-Nigeria has seemingly successfully combated the spam problem and Nigeria is no longer considered a 'safe haven' for spam.");
246. see also Chandra Devi, Using Laws and Tools to Fight Spam, NEW STRAITS TIMES (Malaysia), May 20, 2004, at 18. The point is to demonstrate that international spam fighting efforts can be effective, even though filtering spam at the ISP level is not an ideal solution because of the problem of false positives: legitimate e-mails filtered as spam. As discussed, user and content based authentication are better methods of fighting spam at the ISP level.
247. See supra Part IV.B.
248. Undertaking Spam, Spyware, and Fraud With Enforcers Beyond Borders Act of 2006, S. 1608, 109th Cong. (2006).
249. According to a summary of the Act's provisions found on the FTC web site, the Act is designed to do the following: (1) broaden reciprocal information sharing; (2) expand investigative cooperation with international law enforcers; (3) provide for more information from foreign sources; (4) protect the confidentiality of FTC investigations; (5) allow information-sharing with federal financial and market regulators; (6) confirm the FTC's remedial authority in cross-border cases; (7) enhance cooperation between the FTC and DOJ in foreign litigation; (8) clarify FTC authority to make criminal referrals; (9) provide for foreign staff exchange programs; (10) authorize expenditure of funds on joint cross-border projects; (11) allow the FTC to accept reimbursements from foreign agencies for cross-border work performed. FED. TRADE COMM'N, SUMMARY OF THE US SAFE WEB ACT, http://www.ftc.gov/reports/ussafeweb/ Summary%20of%20US%20SAFE%20WEB%20Act.pdf (last visited Oct. 3, 2007).
250. See Potashman, supra note 189, at 340.
251. See supra Part IVA.
252. See Finally, A Ban on Spam in the Netherlands, supra note 111.
253. Christopher Lueg et al., Mystery Meat: Where Does Spam Come From, and Why Does it Matter?, (2006) http://www-staff.it.uts.edu.au/~lueg/papers/ eicar06_print.pdf.
254. See supra note 113 and accompanying text.
255. See Finally, A Ban on Spam in the Netherlands, supra note 111;
256. The European Commission, supra note 112.
257. For spam relaying rates by country, see Press Release, Sophos, Sophos Reveals "Dirty Dozen" Spam Relaying Countries (July 24, 2006), http://www.sophos.com/pressoffice/news/articles/2006/07/dirtydozjul06.html. For an in-depth discussion of options and challenges to an international solution, see Potashman, supra note 189. International cooperation will be necessary to completely eliminate the spam problem, but the solution must start somewhere, and the world can benefit from proper law in the United States, which is currently the largest exporter of spam.
258. See Stefanie Olsen, U.S. Cooks Up the Most Spam, CNET NEWS.COM, Aug. 24, 2004, http://news.com.com/U.S. +cooks+up+most+spam/2100-1024_3-5322803.html.