The U.S. House of Representatives passed a version of the "Controlling the
Assault of Non-Solicited Pornography and Marketing Act of 2003," on
Saturday. Commonly referred to as the "CAN-SPAM" bill, the House agreed on
a version of the bill very similar to the bill passed by the Senate in
October. This makes it likely (but not certain) that the U.S. will soon
have a national law governing unsolicited commercial e-mail (UCE) -- better
known as "spam" (or any number of less polite terms) by the rest of us.
Very few outside of the Washington beltway or the Direct Marketing
Association (DMA) seem convinced that the CAN-SPAM bill is going to put a
halt to spam. A number of people, including
several state Attorneys General have argued that CAN-SPAM will make
matters worse, rather than better. There is a fair amount of evidence to
support this opinion.
The CAN-SPAM bill actually has the effect of legitimizing spam so long as
it is non-fraudulent and provides the recipient with a means to "opt-out"
of future e-mails. This is a big win for the DMA, and a major loss for the
rest of us. Having to opt-out of receiving spam from each and every
"legitimate" source of spam is a burden that should not be placed on the
user. Given that there are thousands of legitimate businesses that will
seek to make use of e-mail marketing, users are going to be doing a lot of
What about a "do-not-spam" list? The CAN-SPAM Act does contain a provision
to create a national "do-not-spam" list. This can only be seen as a
tactical error of gargantuan proportions. While a "do-not-call" list may
succeed in reducing or eliminating unwanted telemarketing calls, spammers
operating beyond U.S. borders are unlikely to be deterred by the CAN-SPAM
provisions. Indeed, getting a copy of the the "do-not-spam" list will
likely be a high priority for offshore spammers looking for a
roster of known-good e-mail addresses. Users who place their e-mail
addresses on a "do-not-spam" list may avoid spam from legitimate
businesses, but will still find themselves subjected to unwanted e-mail
from offshore spammers. Happily, the CAN-SPAM bill does not require the
Federal Trade Commission to create a "do-not-spam" list, it only permits
the creation of such a list. Given that the FTC has objected to this
provision, implementation seems unlikely.
Even worse, the bill overrides state legislation that may be more stringent
than the CAN-SPAM bill. This is presented as a solution to the difficulty
for "law-abiding businesses" to comply with anti-spam laws, but complying
with multiple state laws is a cost of doing business. This should not be an
excuse to shift the burden to users and organizations rather than
businesses seeking to advertise their goods or services. By overriding
state laws that require "opt-in" rather than "opt-out," the CAN-SPAM Act is
giving merchants free reign to send unwanted spam, at least until the user
asks to be left alone. While one may argue that any laws against spam are
unlikely to be effective, at least laws like those passed in California are
stacked in favor of the user rather than the spammers.
Some have claimed that the CAN-SPAM Act may make anonymous e-mails illegal
altogether. John Gilmore argues
that the bill would make it a crime "to use any false or misleading
information in a domain name or email account application, and then send an
email." However, this is a somewhat liberal interpretation of the bill,
which actually says:
Whoever, in or affecting interstate or foreign commerce, knowingly...
(3) materially falsifies header information in multiple commercial electronic messages and intentionally initiates the transmission of such messages,
(4) registers, using information that materially falsifies the identity of the actual registrant, for 5 or more electronic mail accounts or online user accounts or 2 or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages...
A close reading of this language indicates that merely sending an anonymous
e-mail or e-mail with a falsified header would not automatically be a
crime. The provisions only apply to those "in or affecting" commerce, which
would seem to exclude a user who sends an anonymous e-mail for
non-commercial purposes. It might be that the language could be abused to
include someone who has sent an anonymous e-mail that may have some impact
on a business, perhaps a whistleblower or disgruntled customer sending out
negative commentary about a company, but then the user would have to send a
relatively large number of e-mails. Further on, the bill classifies
"multiple" as "more than 100 electronic mail messages during a 24-hour
period," up to 10,000 during a 1-year period.
Unlike some of the state laws, which allow users to sue spammers directly,
the CAN-SPAM Act seems to put users at the mercy of others to take action
against spammers who do not comply. The Act explicitly addresses the
ability of state and federal agencies to prosecute spammers under the
provisions of the Act, and provides authorization for ISPs to bring action
There are a few good things about the CAN-SPAM Act. The bill specifically
states that nothing in the bill requires an ISP to carry or deliver
spam. This prevents spammers from claiming that an ISP is in any way
required to deliver spam, even if it is explicitly legal. The bill also
contains a provision that allows the court to force a spammer to pay legal
fees for the party that initiates proceedings. This may make it more likely
that prosecutors will take on spammers who violate provisions of the bill.
CAN-SPAM also makes it illegal to for spammers to use open relays or other
methods of hijacking computers to send spam, and requires a working method
to opt-out of e-mail. Again, these provisions are unlikely to deter
offshore spammers, but the provisions are welcome nonetheless.
Finally, the bill provides for vendor liability. This means that if a
vendor contracts with a third party to send e-mail on their behalf, the
vendor can be held liable for failure to comply with the CAN-SPAM
provisions. This prevents companies from contracting with offshore
spammers to escape legal liability.
In all, however, the CAN-SPAM Act is disappointing legislation. It fails to
affirm users' rights to consent to e-mail marketing, and instead burdens
them with the responsibility of opting out of unwanted marketing. The bill
will negate tougher state laws against spam that have the backing of the
general populace in favor of weakened provisions that are backed by
lobbyists. After more than six years of Congressional foot-dragging, we
will likely be stuck with a law that does little good, and may even serve
to exacerbate the problem. It may well be that the spam problem is not
solvable by legislation, but, even if it is, the CAN-SPAM act is not the
law we need.
(For those who are interested, the full text of the proposed law is
available in PDF
to post comments)