This just in, from the Washington Post.

"The Virginia Supreme Court today invalidated the state’s "anti-spam" law, designed to prevent the sending of masses of unwanted e-mail, by saying the law broadly violated the First Amendment right to freedom of speech, in particular anonymous speech."

The Virginia spam law makes it a misdemeanor to send unsolicited bulk e-mail by using false transmission information, such as a phony domain name or Internet protocol address. The domain name is the e-mail address. The Internet protocol is a series of numbers, separated by periods, assigned to every e-mail account. The crime becomes a felony if more than 10,000 recipients are mailed in a 24-hour period.

Justice Agee, writing the opinion, held that the only way to engage in an anonymous protected speech would be to falsify IP address or domain name information, and because such act is prohibited by the Virginia spam law, the law must be struck.

Yesterday, May 12th, the Federal Trade Commission (FTC) released a new rule under the CAN-SPAM Act.  The new rule seeks to clarify some of the requirements CAN-SPAM imposes on senders of bulk email. 

• First, an E-mail recipient cannot be required by the sender to pay a fee, supply any information other E-mail address and opt-out  preference, or take any steps other than sending a reply E-mail  or visiting a single Web page to opt out.  From personal experience, many commercial websites add you automatically to their mailing list if you purchase something from them. This is fine; however, if you want to unsubscribe, often you have to click on a link in the email, go to a web page, enter your account information, or if you do not have an account - your order number, then find out where the email preferences menu is hidden, and finally fill out a couple of forms to submit an opt-out request.  All of this is gone - there must be a single web page.
• The definition of “sender” has been changed to make it easier  to determine which of multiple entities advertising in a single E-mail  message is responsible for complying with the Act’s opt-out requirements;
• A “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement  that a commercial e-mail display a “valid physical postal address.” 

The new changes provide small, but helpful to the Internet users, tweaks.  Kudos to the FTC for staying on top of the CAN-SPAM to make it more effective and user-friendly regulation.  It is unfortunately, however, that it takes so long to implement some of the more obvious changes.

Eric Goldman writes about how Federal Courts calculate spam damages for federal sentencing purposes. Interesting reading, considering that such spam damages are very difficult to attribute to a party. Is it the spam recipient’s damage from having to delete the emails, is it the ISP having to block or investigate complaints, or is it the spammer’s profits that should guide the damages? The number under each category can vary significantly, so this case is important.

In US v. Kilbride, 2007 WL 2774487 (D. Ariz. Sept. 21, 2007) the the judge ignores any alleged harm to end user-recipients because there was no evidence that the individuals suffered a pecuniary loss. Second, the court ignores the government’s argument that the loss should be measured by the defendants’ gain (over $1.1M in profits attributed to the spamming). Instead, the judge only gives credit to the evidence showing that the ISP (AOL) suffered less than $10,000 of "loss" from the spam, computed by AOL’s cost to investigate complaints over the spam (the government did not present evidence for other email service providers).

 

I now have the complaint. Thanks JP.

The news is slowly trickling through the news outlets so I would like to comment on it a little bit. For those not familiar with the story yet, a major anti-spam lawsuit has been filed in the U.S. District Court in Alexandria, Virginia. The suit was filed by Project Honeypot and seeks the identity of individuals responsible for harvesting millions of email addresses on behalf of spammers.

The lead attorney is Jon Praed, with whom I had the privilege to work, and I can only confirm what Honeypot are saying about him, [i]n the world of anti-spam lawyers, Jon is the best of the best.” I am sure that Jon would help the Internet community at large by taking this novel case to a success.

Now about the case. I do not have the complaint yet (will post it here as soon as I have it) but and the news sources provide sufficient initial information on the details. The complaint is filed on behalf of 20,000 honeypot users who have “installed” honeypots on their web pages. The honeypots are designed to be hidden from plain view so that only spiders can see them. Once a spider sees a honeypot, the honeypot issues a new and unique email address for the particular spider and then records the spider’s information. Project Honeypot then monitors the email addresses which were issued to spiders for spam. If a piece of spam comes then it can be linked to the spider and this allows Project Honeypot to identify spam email harvesters.

The lawsuit goes after the harvesters, and not the spammers. In fact, the harvester and the spammer may be the same person, but under CAN-SPAM Section 5(b)(1) it is unlawful to send spam if the spammer has actual knowledge or knowledge fairly implied from the circumstances that the spammed email address was obtained “using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.”

Based on this section, the lawsuit can target the harvesters and the spammers. As it is a “John Doe” lawsuit, the initial phase of the litigation will likely be to unmask the identities of the people standing behind the harvesters. According to Project Honeypot statistics, close to 23% of the harvesters are U.S.-based and subject to the District Court’s jurisdiction. It may be harder to unmask the Romanian (10%) or Chinese (7%) harvesters, but out of 15,610 total spam harvesters identified, this makes at least 3,000 harvesters that are based in the United States. Once the identify of the harvesters is verified, the next step is probably to see whether they are the actual spammers or they resell the email addresses to a third party. My hunch is that under the threat of large civil damages and an expensive lawsuit, a harvester is likely to disclose any relationship he or she may have with a spammer.

The strategy behind the lawsuit is brilliant and it shows what Jon Praed and Honeypot can do very well - find novel ways to gain an advantage in the increasingly difficult war against spam. Because this lawsuit is of enormous importance and magnitude, feel free to check back as I will be updating as often as I can about the status of the case and I will try to throw some of my thoughts into it as well.

Sophos has produced its latest report on the top twelve spam relaying countries over the third quarter of 2006. As the chart below shows, the US is by far the largest spam relay with almost 1/4 of all the world’s spam originating from the US computers. Some experts believe this lead is due to the emergence of over 300 strains of the mass-spammed Stratio worm.

Top Twelve Spam Relaying Countries in July-September 2006 Chart

David Lennon, a U.K. teenager has been sentenced by a Magistrate Judge in Wimbledon Magistrates Court to a two-month curfew for sending 5 million e-mails to Domestic & General Group which crashed its servers. The conviction came under the Computer Misuse Act which explicitly outlaws the "unauthorized access" and "unauthorized modification" of computer material. 

Lennon’s case was reviewed earlier by another judge who held that massive amounts of e-mail did not violate the Computer Misuse Act because e-mail servers were set up to receive e-mail and therefore each individual email constitutes an "authorized modification" to the server under the Act. The previous ruling was challenged by the prosecution and was sent back to the Magistrate Court.

The Magistrate Judge, in realizing that some damage has been made, said,

Even given his age at the time, this was a grave offense and caused serious damage, so I need to impose something to make him think again.

It is interesting to note how the U.K. Courts have struggled with applying the Computer Misuse Act in computer contexts such as this one. Arguably, as the initial court held, sending e-mail messages to a server is "authorized" and should not be criminal even if done on a large scale basis (5 million).  In reality, some damage has been done to the servers because they crashed under the heavy load, and the Magistrate Judge seemed to realize this, but still seem uncomfortable.  In the United States, early e-mail spam cases were brought under the Computer Fraud and Abuse Act (or state equivalents) with mixed success. Although it is not exactly clear whether the CAN-SPAM Act has had any significant impact on the amount of spam, it has provided an easy to use and clear tool to fight spam in the United States.

Because of cases such as this one, the U.K. Computer Misuse Act has been considered insufficient to stop crimes such as large scale spam or denial-of-service attacks and amendments have been proposed which would increase penalties and would criminalize behavior such as "maliciously impairing the operation of a computer or preventing access to programs or data." [Will Sturgeon, U.K. cybercriminals threatened with 10-year term, CNET , Jan. 26, 2006]

A recent decision by the U.S. District Court for the District of Maryland upheld the Maryland Commercial Electronic Mail Act (MCEMA), Md. Code Com. Law § 14-3001 (2002). The challenge was made by an out-of-state advertising network arguing that the statute violates the dormant commerce clause of the United States Constitution. Plaintiff was an ISP who sued website operators claiming that operators were generating unsolicited commercial emails in violation of the Maryland Anti-Spam statute.

The court held that the benefits to ISPs and users in reducing strains on system and irritation from clutter created by unwanted messages clearly outweighed any burdens on interstate commerce, and that in enacting the CAN-SPAM, Congress expressly accorded states right to regulate false and misleading email transmissions. The court relied on Washington v. Heckel, 24 P.3d 404 (Wash. 2001), in which the Washington Supreme Court upheld that state’s nearly identical anti-spam statute against a dormant commerce clause challenge.

Beyond Systems, Inc. v. Keynetics, Inc., 2006 WL 687156, D.Md.,2006., Feb 14, 2006 (sorry, could not find readily available PDF of opinion, if you have a link, please share it)

Interesting materials on the technical and legal fight against spam - the 2006 MIT Spam Conference was held this week and the organizers have already posted webcasts of the events. Coming soon are ISOs of DVDs with materials and higher quality video streams.

You know that there is a problem when the UN comes out and gives an authoritative opinion.

"Some ISPs are very proactive, and are spending huge amounts of money combating spam. The problem is not all ISPs are doing this. A smaller group of ISPs profit from carrying spam or take no action, and those bad apples touch the rest of the ISP community," said Susan Schorr, regulatory officer with the ITU’s telecommunications development bureau.

The International Telecommunication Union (ITU) is the UN organization responsible for global telecom standards. According to them, ISPs should be required (by whom?) to enforce conduct codes regarding their customers and block spammers’ access to email.

"We’re proposing regulators could pass legislation to require ISPs to enter into enforceable codes of conduct for their customers," Schorr told ZDNet UK.

Nice idea, but does the ITU realize how hard it is to write new laws that force ISPs to create codes of conduct for their users? Shouldn’t the market do this?

[More at  ZDNet UK, UK -]

« Previous entries