When Spam Is Outlawed, Only Outlaws Will Spam
Spam is known to the law as "unsolicited commercial electronic mail," or UCE, and is usually defined as email in which someone is trying to sell someone else a product or service, or otherwise part recipients from their money. Recently, the State of California passed a tough new anti-spam statute that goes into effect on 01-Jan-04. The new California statute departs from others of its kind in a number of respects (something California is becoming increasingly good at doing). One of the more telling departures is that it uses the legally informal term "spam" throughout, although it does use the more legalistic "UCE" where a more specific definition is needed.
I don’t need to tell TidBITS readers that spam is a worsening problem afflicting the Internet. According to Brightmail, spam has increased from only 7 percent of total email traffic in April 2001 to a whopping 54 percent in September 2003.
Sending spam carries very little cost to the spammer because the costs are borne by ISPs, which pass them on to consumers in the form of increased access charges. According to a report from San Francisco-based Ferris Research, spam cost companies in the United States over $10 billion last year – just imagine the late Carl Sagan saying "billions and billions" and you’ll get the picture – in lost worker productivity, technical solutions, and wasted bandwidth. An abstract of the study is available free. The full study requires a subscription.
Users are mad as hell about spam. A Harris poll taken two and a half years ago showed that 49 percent of users wanted an outright ban on spam. In a followup, titled "Large Majority of Those Online Wants Spamming Banned," Harris found that that number jumped to 80 percent by late 2002, and it’s probably even higher now.
The number of complaints received by state Attorneys General and the U.S. Federal Trade Commission has skyrocketed, and consumer pressure to control spam is being felt at all levels of state and federal government. To date, 36 states have passed laws dealing with spam.
The Washington and California statutes are the most aggressive of the batch. Both have been vigorously challenged in the courts on various grounds, and both have ultimately been upheld. Heartened by these judicial affirmations, California has now enacted an even stronger statute that is already generating renewed controversy.
A New Model — In 1998 California enacted one of the first and strongest anti-spam statutes in the nation (see "California Outlaws Spam" in TidBITS-448). Defining spam as unwanted commercial email intended to sell a product or service, the law required spammers to identify their email by putting "ADV:" in the subject line or "ADV:ADLT" for adult-oriented email. While individuals were not granted the right to sue, ISPs were empowered to sue spammers for violations and to obtain a judgment for significant penalties. The law was promptly challenged. In Ferguson v. FriendFinders, Inc. a lower court found it to be an unconstitutional violation of the U.S. Constitution’s interstate commerce clause. The California appellate court disagreed and the law remained in force.
There is no indication that California’s law has stemmed the tide of spam or even caused much spam to be labeled. Indeed, the volume of spam flooding the Internet has steadily increased despite such laws. Undaunted by failure, in September 2003 the California legislature enacted an even more sweeping statute.
The new law keeps certain features of the old one. For example, spammers must still include "ADV" or "ADV:ADLT" in the subject line, and must provide an 800 number or valid email address allowing recipients to request removal. But the changes in the new law are very significant.
The new statute completely bans all UCE unless specifically requested or authorized by the recipient. Like the old law, it is still limited to spammers using equipment in California or sending to recipients in California. But individuals now have the right to sue spammers for violating the law and to collect either actual damages or $500 per spam up to a limit of $1 million per "incident." An "incident" is "a single transmission or delivery to a single recipient or to multiple recipients of unsolicited commercial email advertisement containing substantially similar content."
One of the more sweeping provisions of the new statute prohibits anyone from collecting email addresses from the Internet for the purpose of sending spam to Californians or from California. In short, California is targeting address harvesting regardless of where the acts occur if the intent is to use the addresses to spam Californians.
There are a number of legal and practical hurdles this new statute will have to overcome. The following are some examples.
Commerce Clause — The commerce clause is found in the U.S. Constitution, Article I, Section 8, Clause 3.
On its face, the commerce clause merely gives Congress the authority to "regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes." However, a huge body of law has grown up around this short phrase. The commerce clause issues are fascinating (well, to me anyway). Unfortunately, they are also incredibly complex and far beyond the scope of this article. So I will simply point out that the issue exists, that there is a lot of debate over how the commerce clause should be applied to Internet commerce, and that the issues are far from resolved. Partly because of the commerce clause issues, when Congress enacts legislation on spam it may abrogate state laws either entirely or in part.
Implicit in the commerce clause is the "dormant commerce clause." That doctrine holds that there are certain areas in which states cannot legislate even if Congress has not acted. The principle commerce clause challenges to spam arise under the dormant commerce clause doctrine. The argument runs like this:
State boundaries are irrelevant to the Internet, and thus to spam. All Internet email is necessarily interstate. It travels across interstate lines and is relayed via servers that could be anywhere in the world. Any regulation by any state necessarily affects interstate commerce, and one state’s laws will necessarily affect spammers in other states. Thus, argue opponents of spam legislation, no state regulation of spam is possible without violating the commerce clause. Only Congress can legislate over such an inherently interstate activity.
The previous California statute survived a dormant commerce clause challenge because the court found that the statute applied only to (a) spammers using equipment located in California; and (b) spammers sending email to California residents. Because the effect of the law restricted only California-specific conduct, the court found that the commerce clause was not violated.
I anticipate a renewed challenge to the new statute under the commerce clause. I suspect that at least one clause in the new statute will not fare so well under a commerce clause analysis, and will be stricken. The new statute makes it "unlawful for any person or entity to collect electronic mail addresses posted on the Internet if the purpose of the collection is for the electronic mail addresses to be used" to initiate or advertise in an unsolicited commercial email advertisement to or from California. This provision applies to everyone, everywhere, who is collecting email addresses if the purpose is to spam Californians – regardless of whether they actually carry through on it.
First Amendment — There has been much hoopla recently over a Colorado federal court decision blocking the Federal Trade Commission’s (FTC) "Do Not Call" list because it may violate telemarketers’ free speech rights. Telemarketing is similar to spam in a number of respects, and the arguments leveled against the "Do Not Call" list can easily be applied to spam laws. Indeed, advocates of spam have consistently argued to state legislatures that anti-spam laws violate the First Amendment. However, to date those arguments have not been a key part of the court decisions upholding the statutes.
The federal court of appeals has now stayed the Colorado federal court’s decision and the "Do Not Call" list is moving forward. However, I anticipate that we will see additional First Amendment challenges to spam laws, and the California statute is ripe for challenge.
Jurisdiction — Most of the complaints about the jurisdiction of a state to go after spammers in another state or abroad are actually enforcement issues. The legal issues of when a state has jurisdiction over out-of-state entities are fairly well established.
I believe that all states have enacted a form of law called a "long arm statute." In essence, long arm jurisdiction extends to any person or entity who takes advantage of the benefits of a state’s laws. Even minimum contact with a state confers jurisdiction if the contact is enough to invoke the protections of state law. So, for example, a company that sells products via a catalog and has customers in a particular state can sue a customer under state law for failing to pay. But that company can also be sued by the customer under state law for failure to deliver or other breaches.
There is little question that a spammer soliciting sales in California is subject to California law. But this is a good point to segue from the legal challenges to the practical ones. A big practical question is: how do you find spammers?
In order to start a lawsuit, the plaintiff must physically hand the defendant a copy of the complaint. This is known as "service of process." It is difficult to serve someone unless you can find them. In the 1998 case that I helped Adam and his fellow TidBITS editors bring, the defendant played a shell game with false company offices, at least two fake names, and multiple fictitious addresses. After the litigation started, he actually changed his business address once a month. (See "TidBITS Sues Spammer" in TidBITS-439, and "Spam Damned in Washington State" in TidBITS-583.)
[This paragraph currently unavailable]
The solution to not being able to find someone to serve papers is to use a process called "service by publication," in which the court approves publication of the complaint in the local papers. After a period of time, the complaint is considered to have been served and the case can proceed.
That may solve the legal issue, but it does nothing to solve the practical problem. After all, if you can’t find the defendant, how are you going to collect on your judgment? At some point, it becomes necessary to identify and locate the defendant physically.
Enforcement — Under long-arm statutes, even off-shore merchants doing business in the U.S. are subject to U.S. law, including the laws of the states they sell in. If the spammer is a legitimate business that values its reputation and customers, there is little problem enforcing a judgment. But most spammers are anything but legitimate business. They do everything possible to mask their identities and location, including hiding in other countries that don’t have or enforce spam laws. If you obtain a judgment in a California court, will you try enforcing it in China? The Bahamas? It is highly unlikely. Even in countries that have reciprocal enforcement of judgments treaties with the U.S., the costs of enforcing a judgment abroad are usually prohibitive for the average spam victim.
Collection — But let’s say that you are one of the fortunate ones who locates, serves and gets a judgment against a spammer. Will you collect your riches? Again we run into the disparity between legitimate businesses who care about their reputation and customers, and the majority of spammers who care nothing for either. It is likely that even having identified the live body of the spammer, a plaintiff will have to pursue execution of the judgment. No, that doesn’t mean executing the spammer (popular though that option might be with some people). "Execution" is legalese for the court procedures that include garnishing wages, bank accounts, and the like. Execution can be costly, time consuming, and often will net the plaintiff only a portion of the judgment. Of course, that will be further reduced by the amount of attorney fees racked up in the course of executing on the judgment.
Conclusion — The new California statute definitely pushes the envelope. It bans all unsolicited commercial email unless the recipient has agreed to receive it. It creates a private right of action allowing individuals to sue for damages for each item or incident, and it bans harvesting email addresses for the purpose of spamming Californians.
The new statute will inevitably draw court challenges. While some of the statute may be stricken as overbroad or violating federal law or the Constitution, most of it appears to be in line with law that has already survived such challenges. The law is deliberately modular, or in legalese "severable," so that portions can be excised if a challenge is successful, while leaving the rest of the statute intact.
Unfortunately, spam laws won’t stop spam, nor will they even stem the tide, if experience so far is any guide. The old California statute did not reduce or even noticeably slow the increase in spam. I hold no great hope that the new statute will do any better. Legitimate businesses have already altered their practices to comply with existing spam law, and will no doubt do their best to comply with the new one. But legitimate business accounts for only a small amount of the spam we receive. Most spammers will simply keep on spamming. The new law will doubtless create a flurry of new court actions against spammers, resulting in more default judgments that can’t be collected. And the spammers will keep spamming.
Lest I sound unduly bleak, I am not suggesting that there is no solution to the spam problem. However I do not believe that the law will stop or reduce spam.
Legal remedies are great for deceptive, misleading and fraudulent marketing practices – but those things have been illegal for a long time. Spam laws should be able to give law enforcement needed tools to go after spammers (focusing on the most egregious ones), and to allow individuals who are so inclined to go after them as well. But the Internet is a global phenomenon. State boundaries are largely irrelevant to the Internet, and state spam laws will do little or nothing to solve the larger problem. On the other hand, passing more laws amounts to more regulation of the Internet, and sets an increasingly popular precedent for further regulation. Be careful what you wish for!
I believe that the solution to the problem of spam is technological. For example, I receive between 100 and 200 spam messages each day, but 98 percent of those are filtered out by Eudora 6.0’s Bayesian spam filter. True, I must regularly review the collected mess of Nigerian political refugees looking for a kind stranger to help launder a few million dollars, the offers to enlarge various body parts (some of which I don’t have), and the ever popular get-rich-quick schemes so that I can find any false hits and rescue them. But as annoying as this is, it is currently the cost of using a largely unregulated forum such as the Internet in a capitalist society that values free speech and privacy.
[Brady Johnson is a grouchy attorney in Seattle who really, really hates spam.]