Relevant Regulations - The CAN-SPAM Act - 未經邀約的電子由現規範趨勢及可行性之探討

Chapter 4 The CAN-SPAM Act

4.3 Relevant Regulations

According to The CAN-SPAM ACT, email senders shall not use false or fraudulent header information with a from line to identify a person initiating

35 The “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003” was singed on December 16,2003,by President George W. Bush. The Act will be codified at 18 U.S.C.

1037.

36 Cooley Alert ,The CAN-SPAM Act: How it Affects You, Cooley Godward LLP (2004).

37 15 U.S.C. 7702 (2) (A)

38 15 U.S.C. 7702 (17) (A) (i)-(v): (i) to facilitate, complete, or confirm a previously agreed upon commercial transaction, (ii) to provide warranty, product recall, or product safety or security information with respect to a commercial product or service used or purchased by the recipient, (iii)to provide notification concerning a change in terms or features, notification of a change in recipient’s standing or status, account balance information, or any type of account statement with respect to a subscription, membership, account, loan, or comparable ongoing commercial

relationship. (iv)to provide information directly related to an employment relationship or employee benefit plan in which the recipient is participating; or (v)to deliver goods or services (including upgrades)that the recipient is entitled to receive under the terms of a prior transaction.

39 15 U.S.C. (17) (B)

the message.⁴⁰ Besides, email senders shall conspicuously and clearly give recipients an opportunity to turn down future email from the senders, and provide a reply in the manner specified in the email, a reply email address or Internet-linked page for the recipients’ use.⁴¹ Such mechanism shall remain operating within no less than 30 days after transmission of the original message. When receiving a recipient’s reply, the email sender shall not transmit other emails to the recipient within 10 business days after receiving such request.⁴²

Additionally, the CAN-SPAM Act also provides that the sender shall conspicuously and clearly identify whether the message is an advertisement or solicitation⁴³ and provides a valid physical postal address of the sender.⁴⁴ The sender is prohibited from using scripts or other automated means to register multiple email accounts or online user accounts from which messages are intended to be transmitted to a protected computer.⁴⁵ Moreover, if the sender initiates transmission of any email message that includes sexually oriented material, the sender shall mark the email subject heading in the manner prescribed by the Fair Trade Commission.⁴⁶

Commercial E-Mail

Sexually Oriented Material

Source: Technology Commentaries: the Federal CAN-SPAM Act-New Requirements for Commercial E-mail.

4.4 Law Suits and Damages

Who can bring suitss against spammers? The Act empowers a number of federal agencies, including the FTC, to bring forth enforcement actions.⁴⁷ States and ISPs may, with certain exceptions, sue violators of the CAN-SPAM Act.⁴⁸ However, the recipient does not have any right to claim damages against spammers, but he/she can initiate state-law-based “spam”

suits.

Under the CAN-SPAM Act, each separately addressed unlawful message received by or addressed to such residents is treated as a separate violation.

Each violation may be punished up to US$250 with the total amount not exceeding US$2000,000.⁴⁹

4.5 Mobile Spam

In the Untied States, about one in six mobile phone users report receiving unsolicited text messages on their phones from advertisers. Although every major wireless company has spam filters and other methods to block spam, the U.S.A. subscribers will receive about 1 billion text-based spam messages in 2007.⁵⁰

Mobile service commercial messages (MSCMs) are defined as those

“transmitted directly to a wireless device that is utilized by a subscriber of a

commercial mobile service……in connection with that service” under Article 13of the CAN-SPAM Act.⁵¹ The Act makes it clear that Congress specifically

contemplated restrictions on email messages.⁵² In addition, The CAN-SPAM

47 15 U.S.C. 7706(a)(1).

48 15 U.S.C. 7706(f).

49 15 U.S.C.7706(f)(3).

50 Billing World & OSS Today Magazine at

http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7843, last visited on May, 5,2007

51 15 U.S.C. 7712

52 Grappling with mobile spam at

Act requires the Federal Communication Commission (“FCC”) to promulgate rules governing the use of wireless email devices and mobile service by September 26, 2004. The FCC adopted rules that prohibit sending unwanted commercial email messages to wireless devices without prior permission, which took effect in March 2005. The FCC’s ban covers messages sent to cell phones and pagers, if the message uses an Internet address that includes an Internet domain name. Though FCC’s ban does not cover commercial messages from one mobile phone to another or from a computer to mobile phones, the Telephone Consumer Protection Act (“TCPA”) has restricted the use of telephone and fax machines from delivering unsolicited advertisements and has also established a “ do not call list.”⁵³

4.6 Relevant Cases

After enacting of the CAN SPAM Act, the FTC and ISPs filed several cases against spammers. Here are some relevant cases:

4.6.1Robert Braver v. Robert Soloway, et al.⁵⁴

Plaintiff Rover H. Braver is an Oklahoma ISP owner who received a bulk of emails from the defendant, Soloway and his companies. The plaintiff brought the suit against Soloway in state court. The decision was based on Federal CAN SPAM Act and Oklahoma law (fraudulent use of electronic and Oklahoma Unsolicited Commercial electronic mail statute). Based on Braver’s having received Soloway’s spam on about 200 separate dates and that the spam violated two separate Oklahoma laws, the plaintiff won a $10 million judgment.⁵⁵

4.6.2 FTC v. Cleverlink Trading Limited, et al.⁵⁶

In 2004, the defendant, Cleverlin Trading Limited, operated numerous

http://www.usatoday.com/tech/columnist/ericjsinrod/2004-04-08-sinrod_x.htm, last visited on May 5, 2007

53 Federal Communication Commission, at http://www.fcc.gov/cgb/consumerfacts/canspam.html

last visited on May 10, 2007.

54 Oklahoma Western U.S District Court-West District of Oklahoma civil docket for case:

5:05-cv-00210.

55 Oklahoma Man wins $ 10 million judgment against a spammer at

http://www.circleid.com/posts/oklahoma_man_wins_10_million_judgment_against_ a_spammer, last visited on March 5,2007

56 Spammer’s invitation to Date Lonely Housewives Halted by Court at FTC’s request at www.ftc.gov/opa/2005/05/housewives.htm, last visited on March 4, 2007.

websites containing sexually oriented materials. The commercial email messages directed consumers to the defendant’s paid content web sites by containing hyperlinks that, when clicked, took consumers to the defendants’ websites.⁵⁷ The FTC charged that the spam violated nearly every provision of the CAN-SPAM Act. It contained misleading headers and deceptive subject lines. It did not contain a link that allowed consumers to opt out of receiving furture spam or disclose, as required by law, that it was sexually explicit. The FTC complaint was filed with the U.S. District Court for the Northern District of Illinois, Eastern Division, in Chicago. The Judge ordered a temporary halt to the spamming and froze the assets of the defendant.

4.6.3 Verizon Case

Defendants sent nearly 100,000 unsolicited text messages to Verizon wireless customers. The messages notified them to claim a Bahamas cruise they supposedly won. Plaintiff Verizon Wireless filed a case against Passport Holidays in the U.S. District Court in Trenton, N.J.

Verzon accused Passport Holidays of sending unsolicited messages to its users and charged the text messages violated the FTCP. In the process of the litigation, Passport Holidays stated that the spam was actually sent by Marketing LLC and Specialized Programming. Based on this statement, Verizon Wireless filed an amended complaint in which it named Marketing LLC and Specialized Programming as defendants. In 2007, the Court ruled that the defendants must pay Verzon Wireless more than US$ 200,000 and barred their further contact with Verzon Wireless’ consumers.⁵⁸

4.7 The Enforceability of National Do Not Registry

The FTC submitted a report relating to false claims of SPAM pursuant to section 9 of the CAN-SPAM Act on April 30, 2003.⁵⁹ After that, the FTC submitted another report on National Do Not Email Registry Plan to Congress in June 2004.⁶⁰

57 FTC v. Cleverlink Trading Limited et al, United States District court for the Northern District of Illinois Eastern Division, Case no. 0502889.

58 http://www.sophos.com/pressoffice/news/articles/2007/02/textspam.html

59 False Claims in Spam, a reported by the FTC’s Division of Marketing Practices, April 30, 2003.

60 National Do Not Email Registry A Report to Congress, Federal Trade Commission, June 2004.

4.7.1 False Claims in Spam

The FTC reviewed approximately 1,000 pieces of unsolicited commercial emails from July 2002 to Oct. 2002. The messages reviewed by FTC consisted of random samples from three FTC data sets: spam forwarded to FTC by the public (approximately 450 pieces), messages received by undercover FTC email boxes (approximately 450 pieces) and spam received by FTC employees in their official inboxes (approximately 1,000 pieces).⁶¹ The FTC analyzed false claims appearing in “From” and “Subject” lines as well as in the body of the messages. Investment/business opportunities, adult and finance offers comprised 55% of the types of offers being made in spam analyzed by FTC. Nearly 33% of the Spam contained false information in the

“From” line. Of the messages containing indicators of falsity in the “From”

line, nearly half claimed to be from someone with a personal relationship with the recipient.⁶²As to “subject” line, 22% of the spam contained false information in order to lure consumers into opening the message to see the contents related to the representations in the “subject” line. Though false

“Subject” lines are found in all types of offers, over one-third of adult offers appear to misrepresent the contents of the message.⁶³ Moreover, over half of finance-related spam contained false “From” or “Subject” lines.

The FTC analyzed the falsity in the message text and found approximately 40% of the message had at least one indication of falsity. 90% of spam advertising investments and business opportunities contained signs of falsity.⁶⁴ 66% of spam contained false “From” lines, “Subject” lines or message texts. Moreover, 96 % of spam concerning investments and business opportunities contained false “From” lines, “Subject” lines or message texts.⁶⁵

Since then several states have enacted laws in recent years requiring senders of spam to begin every subject line with the phrase “ADV” in messages sent to recipients of those states. The FTC found that only 2% of spam complied with the rules. 17% of spam advertising pornographic websites contained

61 Supra 53 at 1

62 Supra 53 at 4

63 Supra 53 at 6

64 Supra 53 at 9

65 Supra 53 at 10

“adult images” in the body of the message and 41% of spam contained false information in their “From” or “Subject” lines.⁶⁶

4.8 The Do Not Email Registry Report

The FTC worries that the current email system enables spammers to hide their tracks, and that spammers use many techniques to hide, including spoofing, open relays, open proxies, and zombie drones, which make it difficult to identify spammers through email headers and impede law enforcement.⁶⁷ In order to solve these problems, the FTC has proposed an authentication system to identify the origin of email messages. Additionally, ISPs also have tried to develop a system.⁶⁸

The FTC solicited models from the public to enforce the National Do Not Email Registry. Now, there are three possible ways to enforce this Registry:

(1) Registry of individual email addresses (2) permitting ISPs and other domain holders to register their objection to receiving spam addressed to any email addresses located at their domains and (3) Registry of individual email addresses with a third-party forwarding service.⁶⁹

However, a National Do Not Email Registry containing individual email addresses could suffer from a significant security weakness that would enable spammers to treat the Registry as National Do Spam Registry. It could be a risk if spammers use the Registry to determine valid email addresses. The Consumers Union has stated that if the Commission were to adopt an individual email address Registry and distribute the Registry to marketers, the consumers would not sign up for it for security concerns.⁷⁰

The FTC has pursued a vigorous law enforcement program against deceptive spam, and to date has filed 62 cases, in which spam was alleged to be responsible for overall deceptive or unfair practice. The FTC experiences in these cases show that the primary law enforcement challenge is locating and identifying the targeted spammer. The FTC and ISPs can only trace spammers by tracing the flow of funds from victims to spammers. However,

66 Supra 53 at 13

67 Supra 54 at 8

68 Supra 54 at 14-15

69 Supra 54 at 15

70 Supra 54 at 15-16

all of spammers, such are purely malicious for viruses. A prosecutor in Washington State spent four months and sent out 14 per-suit civil investigation demands (CIDS) to identify the spammer in one case⁷¹. Similarly, a Virginia attorney spent four months subpoenaing many witnesses before having enough information to file a case against a spammer.⁷²

ISPs have experienced similar obstacles in bringing suits against spammers.

ISPs estimated that they expend an average of 133 hours per spammer.

4.9 Conclusion

The U.S has tried to fight against spammer in all ways it can. However, the law enforcement is not effective as expected. In my opinion,

(a) Many spammers have moved their bases to other countries after the enactment of the CAN- SPAM Act, therefore; avoiding regulation under the CAN SPAM Act.

(b) The purpose of adopting the National Do Not Email Registry is good, but if we can not develop an effective way to trace spammers, they may use the lists and send commercial emails to consumers. Such registry is criticized by FTC’s report above and many scholars.

(c) It is easier to trace outsourcing companies than spammers, therefore; through the enforcement, it is more possible to punish outsourcing companies than spammers.

(d) Since the U.S. adopted the opt-out system, spammers can continue sending commercial emails without explicit rejection. Compared with the opt-in system adopted by the EU, it is relatively less effective.

(e) In order to regulate spam effectively, the context of the CAN- SPAM Act should not only pertain to commercial emails but also include political or religious emails.

(f) Private people cannot bring suits against spammers under the CAN- SPAM Act, so they have to use state law to claim damages. However, because the state laws vary, a private person usually is not aware of his/her rights under the state law.

Chapter 5 The Spam Solution of EU

71 WAOAG: Selis, 15. The Commission’s spam cases rountinely require the issuance of numerous CIDS.

72 VAOAG: Mcguire, 5-11

5.1 The Attitude of the EU

The reason why the EU tries to regulate spam is that it affects the fundamental rights of individuals. Spammers not only receives personal information and email account addresses illegally but also make it impossible for individuals to control the flow of information into their inboxes.⁷³ Moreover, spam transmits pornography and viruses via the Internet.

The EU is aware that only laws are not enough to solve the spam problem.

Spam may be regulated through the cooperation of jurisdiction and technology. Therefore, EU law aims at two objectives: to reduce the amount of spam and guarantee the individual’s control over personal information and contacts.⁷⁴

5.2 From opt-out to opt-in

The early thinking of the EU was to protect their citizens and consumers from “high-pressure selling methods”⁷⁵ and “certain particularly intrusive means of communication.”⁷⁶ So, regulating spam is governed by some Directives, which are not special for electronic communication.

Though EU Directive 95/46/EC (Framework Data Protection Directive) is not special for electronic communication, some provisions regarding the processing of personal information consider email addresses as personal data.⁷⁷ Therefore, the Directive applies to the processing of emails. Among other things, freely given, informed, specific and unambiguous consent must be provided by the addressee before the address is collected.⁷⁸ Collectors of email addresses must specify the explicit and legitimate collection purpose.⁷⁹ If someone collects email addresses from public Internet places such as websites, chat rooms, newsgroups and so on, he/she has violated the above Directive.

The above Directive indirectly protects the use of email accounts. EU

73 European Union vs. Spam: A legal response, Nicola Lugaresi. Trento University, Law School.

74 Id. at 1.

75 Recital 5, Dir. 97/7/EC.

76 Recital 17, Dir. 97/7/EC.

77 Article 2 (a), Dir 95/46/EC.

78 Article 2(a) and 2(h), Dir. 95/46/EC.

79 Article 6(b), 10and 11, Dir. 95/46/EC.

Directive 97/7/EC (Distance Contracts Directive) tries to regulate the transmission of emails. However, unlike transmission by automated calling systems and facsimile machines, which requires prior consent of the receiver,⁸⁰ the transmission of other communication such as email can be used without clear objection of consumers.⁸¹ The Directive does not define the meaning of “clear objection”.

Similarly, Directive 97/66/EC (Telecommunication Sector Privacy Directive) confirms the opt-in rule only with regard to automated calling systems or fax machines for the purposes of direct marketing.⁸² After that, EU Directive 2000/31/EC (Electronic Commerce Directive) confirms that member states could adopt the opt-in system for unsolicited commercial communications by electronic mail. ⁸³ Finally, Directive 2002/58/EC (Electronic Communications Privacy Directive) confirms that prior consent given by consumers is required when sending unsolicited commercial email.⁸⁴

5.3 The Introduction of EU Directive 2002/58/EC (Electronic Communications Privacy Directive)

Article 13 of EU Directive 2002/58/EC (“Directive 2002”)defines spam as

“electronic mail for the purposes of direct marketing.”⁸⁵ The term

“electronic mail” covers any electronic communication including email, SMS, MMS and so on.⁸⁶ Since the 2002 Directive does not define “SPAM” as bulk of unsolicited commercial emails, sending one commercial email for marketing purpose could be deemed as “SPAM” under Article 13 of the 2002 Directive.

As we know, it is illegal to send commercial emails to consumers without their prior consent if we adopt the opt-in system. However, there are some provisions that may be exempted from this prohibition. For example, senders may send to the same email account information regarding similar products or services.⁸⁷ Nevertheless, recipients still should be given the

80 Article 10 (1), Dir. 97/7EC.

81 Article 10 (2), Dir. 97/7/EC.

82 Article 12 (1), Dir. 97/66/EC.

83 Article 7(2) and recital 14, Dir. 2000/31/EC.

84 DPWP, Opinion 7/2000, § 2, comment to article 3.

85 Article 13, Dir. 2002/31/EC.

86 DPWP, Opinion 5/2004,§3.1..

87 Article 13 (2), Dir/ 2002/58/EC.

opportunity to object to the emails, as they are given in the opt-out system.⁸⁸ An issue could occur if such an email account is provided by a company or a family. In this situation, the prior consent must be given by the representative, not the actual user.⁸⁹

Article 13 (4) of the 2002 Directive prohibits the practice of sending electronic mails by concealing the identity of the sender, or without a valid address where the recipient can exercise the opt-out system.⁹⁰ However, the opt-in system only applies to a natural person.⁹¹ Since Directive 2002 only requires that Member States must provide sufficient protection of a natural person from spam.⁹² The Member states are free to adopt the opt-in/ opt-out system for a legal person. Such distinction between natural and legal persons makes law enforcement more difficult. It’s hard for senders to identify whether this email account belongs to a natural person or a legal person. A better way is to require Member States to comply with the opt-in system regardless of a natural person or legal person.

Directive 2002 also encourages the industry filtering initiatives, through email system arrangements that allow recipients to view the sender and subject line for an email and to delete messages without having to download the contents or attachments,⁹³ for example, with “ADV” label in the subject line.⁹⁴ It is noted that without prior consent from consumers, it will not be legal even by labeling “ADV”.

Like the Do Not Email Registry in United States, Opt-out registry is considered under Directive 2002, however; it also exposes the same risk of

在文檔中未經邀約的電子由現規範趨勢及可行性之探討 (頁 19-0)