CDT POLICY POST Volume 9, Number 23, December 12, 2003
A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) Congress Sends Spam Bill to President for Signature
(2) CAN-SPAM Includes Criminal and Civil Provisions
(3) CAN-SPAM May Help Curtail Spam, but Bill Has Some Troubling Provisions
--------------------------------------------------
(1) Congress Sends Spam Bill to President for Signature
On December 8, 2003, the U.S. House of Representatives passed by unanimous
consent an amended version of S. 877, the "CAN-SPAM Act," sponsored by
Senators Conrad Burns (R-MT) and Ron Wyden (D-OR). The Senate on November 25
had passed identical language, so the action by the House clears the
legislation to be sent to the President, who is expected to sign it.
The final version of the bill sets rules for commercial email and makes
no distinction between solicited and unsolicited messages. It does not
prohibit unsolicited email. Rather, it prohibits certain deceptive practices
and requires every commercial email message to provide an opt-out option and
meet certain disclosure rules. The bill does not generally apply to
"transactional or relationship messages" - such as messages that facilitate
or complete a transaction already in progress or that deliver goods or
services, including product updates, to existing customers.
The CAN-SPAM Act imposes criminal sanctions for use of materially false or
misleading header information in commercial email messages, with fines or
imprisonment. The civil provisions also prohibit false or misleading header
information as well as deceptive subject lines that are likely to mislead a
recipient. In addition, the civil provisions require that commercial email
disclose certain specified information and provide recipients an opportunity
to decline to receive any additional messages.
One troublesome aspect of the bill is a labeling requirement for all
messages containing sexually explicit material. The law requires the Federal
Trade Commission to specify marks or notices that will facilitate filtering
of sexually oriented material, thereby inserting, in a small way, a federal
agency into the design of an Internet technology.
While CDT hopes that the bill will be effective in stemming the flood of
spam into users' mailboxes, it is clear that filtering technologies and
careful online behavior on the part of users will be more effective in
giving users control over unwanted commercial email.
For a copy of S. 877 as passed by Congress, go to
http://www.cdt.org/legislation/108th/junkemail/
To learn more about what users can do to avoid spam, see CDT's report
"Why Am I Getting All This Spam?," available at
http://www.cdt.org/speech/spam/030319spamreport.shtml
--------------------------------------------------
(2) CAN-SPAM Includes Criminal and Civil Provisions
The CAN-SPAM bill covers all commercial email, not only that which is
unsolicited, with a combination of criminal and civil provisions:
- Criminal Provision: The law will prohibit the use of materially
false or misleading header information - the information indicating
the source of the message - in commercial electronic mail messages.
By falsifying such information, spammers make it difficult for ISPs
to filter out spam. The criminal provision carries a penalty of a
fine or imprisonment for a period of up to 5 years.
- Civil Provisions: The civil provisions prohibit not only false or
misleading header information, but also deceptive subject lines
that are "likely to mislead" a recipient.
- Opt-out: The bill requires in all commercial email a return
address or Internet-based mechanism to allow recipients to opt-out
of receiving more email. Senders of email to someone who has opted
out would incur a civil penalty.
- Aggravated violations: The bill also prohibits dictionary attacks,
"harvesting" of email addresses from Web sites, automated creation
of multiple email accounts, and the hijacking of computers to relay
otherwise unlawful commercial email.
- Labeling: All unsolicited commercial email must include somewhere
in the body of the message identification that the message is an
advertisement or solicitation.
- Labeling for "sexually oriented material:" The bill requires FTC
regulated marks or notices in the subject heading of any commercial
email that contains sexually explicit material.
- Physical address: All unsolicited commercial email must include a
valid physical postal address of the sender.
- Preemption: The CAN-SPAM bill supersedes state laws concerning
unsolicited commercial email messages, including California's opt-in
law, which was due to take effect on January 1. Spammers will
continue to be subject to state laws that prohibit falsity or
deception in any portion of a commercial email message.
- Liability: The bill makes companies responsible for email sent on
their behalf.
- Enforcement: In general, the law will be enforced by the Federal
Trade Commission. States can bring civil actions on behalf of their
residents. ISPs could bring civil actions to enjoin violation of the
Act or to recover actual or statutory damages. No private right of
action is provided for individuals.
- Do-Not-Mail registry: The CAN-SPAM bill requires the FTC to report
to Congress on the feasibility of a "Do Not Mail" registry.
- Studies on rewards for information about violations and on ADV
labeling: The Act requires that the FTC report to the Congress
about a system for rewarding those who supply information about
violations of the statute. It also requires that the FTC set forth
a plan for requiring commercial email to be identifiable through
use of an "ADV" or similar label in the subject line.
The Act takes effect (with the exception of the "do-not-spam registry")
on January 1, 2004.
CDT's detailed summary of the CAN-SPAM bill as passed is at
http://www.cdt.org/speech/spam/031211cdt.pdf [pdf]
--------------------------------------------------
(3) CAN-SPAM May Help Curtail Spam, but Bill Has Some Troubling Provisions
With the exception of the labeling requirements, CDT supported in principle
the core provisions of the CAN-SPAM Act as appropriate but limited steps in
addressing spam. The bill may indeed have some positive effect in slowing
the growth of spam, if not actually reducing it. The bill should help ISPs
filter spam and sue spammers. Prohibitions on dictionary attacks and
harvesting could also be meaningful. We expect that the FTC and some state
Attorneys General will diligently use the enforcement mechanisms and will
be open to consumer complaints.
From a consumer perspective, the opt-out provision is useful with respect
to legitimate companies. However, CDT advises users not to exercise an
opt-out if they are not sure of the legitimacy of the sender - otherwise,
users may just be confirming to an outlaw spammer that their email address
is valid.
Clearly, passage of this legislation is only one step in the effort to
curtail spam. As discussed in the CDT study, "Why Am I Getting All This
Spam?," effectively stemming the flow of spam will still depend on consumer
awareness of the online behaviors that spammers exploit and effective use
of filtering technologies by users and ISPs.
CDT is concerned that the CAN-SPAM Act lacks what might have been the most
effective means of enforcement - a narrowly drawn individual right of
action. We had recommended an approach that would have allowed individuals
to bring claims in small claims court involving no burdensome discovery
and no class actions. Congress did not include such a provision.
Given the difficulties of enforcing inconsistent state laws on the Internet,
CDT supported federal preemption of inconsistent state spam laws. But we did
so recognizing that the effect of the CAN-SPAM Act on the amount and nature
of spam is highly uncertain. Therefore, we recommended a mechanism to force
Congress to revisit the issue substantively. We felt that the best way to
do this would have been with a sunset of the preemption. If the preemption
provision were to have sunsetted in three to five years, Congress would have
been required to formally confront the question of whether the bill was
effective. As it is, if this law does not stem the tide of spam, Congress
will still face public pressure to pass more effective provisions or open
the issue again to state regulation.
Finally, we are concerned about how the provisions on falsified or concealed
header information could be interpreted. On balance, however, we think that
it would be unreasonable to interpret the statute as prohibiting use of
non-spoofed pseudonymous email addresses even for multiple commercial emails.
CDT raised some of these concerns in a letter to the House Commerce Committee
on Oct. 15, 2003: http://www.cdt.org/speech/spam/031015cdt.shtml
--------------------------------------------------
Detailed information about online civil liberties issues may be found at
http://www.cdt.org/.
This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_9.23.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 9.23 Copyright 2003 Center for Democracy and Technology
--
Michael Clark, Grassroots Webmaster
mclark@cdt.org
PGP Key available on keyservers
Center for Democracy and Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
http://www.cdt.org/
voice: 202-637-9800
fax: 202-637-0968
========== HURIDOCS-Tech listserv ==========
Send mail intended for the list to <huridocs-tech@hrea.org>.
Archives of the list can be found at:
http://www.hrea.org/lists/huridocs-tech/markup/maillist.php
To subscribe to the list, send a message to <majordomo@hrea.org>,
with the following text in the message: subscribe huridocs-tech
To unsubscribe from the list, send a message to <majordomo@hrea.org>,
with the following text in the message: unsubscribe huridocs-tech
If you have problems (un)subscribing, contact <owner-huridocs-tech@hrea.org>.