Digital Media Lawyer Blog

The enactment of the Federal CAN-SPAM Act preempted many State laws that attempted to prohibit marketers from sending mass commercial emails. However, CAN-SPAM did leave one key area of enforcement open to the states. The State may still enforce laws restricting commercial emails to the extent that such laws prohibit "falsity or deception." 15 U.S.C. § 7707(b)(1). However, this exception is proving about as narrow as the Grand Canyon.

The latest examples of State enforcement of spam are the actions by the New York and Texas Attorneys General against Tagged, Inc., which were both resolved in the past week. See Attorney General of New York, Internet Bureau, In the matter of: Tagged, Inc., Assurance of Discontinuance (Nov. 6, 2009), Texas v. Tagged, Inc., Travis County District Court, No. D-1-GV-09-002032, Agreed Final Judgment and Permanent Injunction (Nov 9, 2009).

Tagged, which was founded by serial Internet entrepreneur Greg Tseng, has been reported to be the third-largest social networking site in the world by Hitwise. While its market share traffic is still a fraction of that enjoyed by Facebook and MySpace, according to Hitwise, it is in a major growth phase, and has increased its share by 47% from September 2008 to September 2009. Id.

However, according to the statements made by the New York and Texas AG's, much of this growth was due to Tagged's deceptive marketing and spamming practices. These practices allegedly included the following:

• Tagged allegedly accessed the email address books of visitors, without clear and conspicuous disclosure that this was occurring, or obtaining permission. Tagged then used these contacts to initiate a campaign to sign up additional members.

• It sent invitation email messages to visitor contacts that falsely stated that a person who had signed up on Tagged had sent photos to the recipient that could be viewed on Tagged. According to the New York AG, "In reality . . . Tagged generated the email invitation automatically without regard to whether the person had ever uploaded photographs to Tagged.com or intended to share them with her contacts."

• Even though the invitation emails were generated by Tagged, Tagged inputted the name and email address of the person who had registered at Tagged in the "from" field of each email. If the registrant had uploaded a photo, the invitation emails also included this photo.

• The invitation message body included a box for the recipient to click "yes" or "no" in response to whether she wanted to view the photos. The message also said "Please respond or [name] may think you said no :(" -- despite the fact that the registrant had nothing to do with the sending of the invitation email. The purpose of this was to play on the emotions of the recipient, falsely suggesting that their friend's feelings might be hurt if they did not visit the Tagged site and view the photos.

Continue reading "The Tagged.com Spam Cases: New York and Texas Attorney General Actions Show the Effectiveness of States' Retained Powers to Regulate Spam" »

On October 23, 2009, Judge Vaughn Walker did something that doesn't happen very often. He rejected final approval of a class action settlement that was opposed by less than .001% of the members of the plaintiffs' class. The reason: he had come to believe that while the settlement would cost Ameritrade millions, and pay $1.87 million to the plaintiffs' counsel, it ultimately provided the plaintiffs themselves with no real benefits.

The case is the In re TD Ameritrade Accountholder Litigation, N.D. Cal. C-07-2852, a class action that was originally filed in 2007 regarding an allegedly long-term data security breach at Ameritrade. Ameritrade is a well-known brick and mortar and on-line stock broker, whose commercials star Sam Waterston of Law and Order fame.

In October 2006, Ameritrade customer Matthew Elvey, who graduated from Yale with a B.S. in computer science and mechanical engineering, and works as a website infrastructure consultant (as he describes his business, see his bio at http://www.elvey.com/) decided to test Ameritrade's data security system. So he provided Ameritrade with a unique email address that he had never provided to any other person. In November 2007, Elvey allegedly began to receive stock spam directed to this secret address. The spam allegedly touted low-priced, speculative stock of smaller companies that are traded over-the-counter, and was part of stock "pump and dump" schemes.

Elvey filed a class action against Ameritrade in 2007. The complaint focused on Ameritrade's Privacy Statement which allegedly told customers that "Ameritrade does not sell, license, lease or otherwise disclose your personal information to any third party for any reason . . . " According to Elvey's complaint, the "spam received by Plaintiffs was not consistent" with these representations.

The Elvey suit was later consolidated with a class suit filed by lead plaintiff Brad Zigler. The combined class action sued Ameritrade on breach of fiduciary duty, CFAA, and Nebraska and California unfair trade practices grounds. The plaintiffs claimed that Ameritrade had breached its duties to them by knowingly failing to correct defects in its security system and by failing to disclose the security breach that had led to the spam attacks on its customers. The plaintiffs claimed that they were damaged by "losing the benefit of the bargain on Ameritrade's brokerage fees, which were premised, in part, on Ameritrade's compliance with the privacy statement . . . ."

While TD Ameritrade filed a motion to dismiss the original Elvey complaint -- a motion that was never heard -- it did not file a similar motion for the consolidated complaint. Instead, it began settlement negotiations with the Plaintiffs. This resulted, in October 2008, with a proposed settlement which released Ameritrade for any damage claim, "of any kind," based on "any legal theory whatsoever," that "is, has been, or could have been asserted by" a member of the settlement class for: (i) an unauthorized disclosure of their information by Ameritrade, (ii) their receipt of SPAM e-mail and (iii) misrepresentations in Ameritrade's privacy statement. The settlement applied to any person who had provided Ameritrade with a physical or email address on or before September 14, 2007. It did carve-out a right for individuals to file identity theft claims on their own behalves -- but not as part of a class action.

Continue reading "In re. Ameritrade Accountholder Litigation: Court Rejects Class Settlement He Viewed as Providing Members of Plaintiff Class with No Real Benefits" »

In an unmitigated ruling for spammers' rights, on August 6, 2009, the Ninth Circuit affirmed a District Court ruling, and found that the owner of a domain name who used this domain name to set up email accounts for third parties, did not have standing to sue as an internet service provider under the federal CAN-SPAM statute. See Gordon v. Virtumundo, Inc., U.S.C.A., Case No. 07-35487.

The case involved James S. Gordon, who did business as gordonworks.com. According to the case report, Gordon is the registrant of an Internet domain name, "gordonworks.com", which he hosts on server space at GoDaddy.com, a domain registrar and web hosting company. By virtue of his ownership of an Internet domain, Gordon is able to post content to the Internet, create new email accounts, and set user names and log-on passwords.

Gordon used these tools to create six or so email accounts for friends. He later asked his friends to set up their own personalized domains and to abandon the gordonworks.com email accounts to him. He then continued to monitor these email accounts for spam, which then continued to accumulate over time. Gordon then began filing lawsuits in state and federal court against the firms that had sent these spam emails, seeking big dollar damages. For example, in his motion for summary judgment in the Virtumundo suit, Gordon sought statutory damages in the amount of $10,257,000, plus attorneys fees and costs, based on 7,890 allegedly unlawful emails.

The 9th Circuit panel described Gordon as a "professional plaintiff" and his various domains as "spam traps," which had the sole purpose of snagging as many email marketing messages as possible. His "clients" also used their personalized domains to gather commercial emails, which they then sent to Gordon in batches of 10,000 to 50,000, to fuel his lawsuits. In exchange, Gordon's clients shared in the proceeds from the settlements of the suits he filed. According to the court, "Since at least 2004, Gordon has held no employment. Hs has never been compensated for any of his purported Internet services, and his only income source has come from monetary settlements from his anti-spam litigation campaign."

Continue reading "CAN-SPAM update: Ninth Circuit Ruling Shuts down Anti-SPAM Cottage Industry" »

Internet fraud update: Under the FTC Act, the Federal Trade Commission is empowered to prevent businesses from using unfair methods of competition or engaging in unfair or deceptive practices. 15 U.S.C. § 45(a)(2). However, under the version of the FTC Act that existed prior to 2006, the FTC did not have the authority to regulate such practices unless the business involved "commerce" (i.e. sales, shipments) within in the United States. (Fn1) This meant that a business that was solely engaged in the export of goods to countries outside the U.S. was not subject to the FTC's jurisdiction.

With the rise of the Internet, it became easy for businesses to set up shop in the U.S., but limit their business solely to export to other countries, and thus avoid FTC prosecution for unfair and deceptive trade practices. Because the FTC's ability to share information about U.S. residents with foreign prosecutors was also limited, this meant that a lot of bad behavior by exporters went unchecked. According to the FTC, this could have made the United States a "haven for fraud."

In December 2006, Congress passed the U.S. SAFE WEB Act, which amended the FTC Act to fill these loopholes. The U.S. SAFE WEB Act permits the FTC to provide investigative assistance to foreign law enforcement agencies, including conducting investigations to collect information and evidence for these foreign agencies. 15 U.S.C. § 46(j). It also permits the FTC to share investigative materials, such as documents, written reports or answers to questions and transcripts of oral testimony with foreign law enforcement agencies. 15 U.S.C. § 57b-2(6).

In addition, the Act expanded the FTC's jurisdictional reach to permit it to directly regulate acts involving foreign commerce that: (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct within the United States.

Since the law was signed, the FTC has reported using it in only one prior investigation which was concluded earlier this year. (For a discussion of this case, see our blog post of July 17, 2009). The FTC has recently announced the second use of the U.S. Safe Web Act in its regulatory action against Los Angeles-based Jaivin Karnani and his company Balls of Kryptonite, LLC. ("Karnani").

According to the FTC's complaint, Karnani operates two websites, www.bestpricedbrands.co.uk and www.bitesizedeals.co.uk, which sell consumer electronics, such as cameras, video game systems, and computer software exclusively to customers in the United Kingdom. (Fn2) By using the suffixes "co.uk", stating prices in pounds sterling, referring to the "Royal Mail" and using U.K. addresses, the websites gave U.K. customers the impression that they were located in the U.K. and subject to U.K consumer protection laws.

The complaint also alleged that Karnani's websites didn't deliver what they promised. Customers were shipped goods with power chargers that were not compatible with U.K. power systems. Because the goods shipped were not manufactured for the U.K. or E.U. markets, customers did not receive manufacturer warranties. Goods were shipped slowly and customer complaints about this slowness were ignored. Customers were also charged high restocking fees.

Continue reading "U.S. SAFE WEB Act Used by FTC to Prevent U.S. Exporter from Pretending to Be U.K.-Based Site" »

On July 2, 2009, the FTC issued a press release announcing that a federal court had ordered "key players in an international spam ring to give up $3.7 million that they made by sending out illegal email messages pitching bogus hoodia weight-loss products and a 'human growth hormone' pill." The FTC claimed that this was the first case in which the FTC used the US SAFE WEB Act.

The US SAFE WEB Act was a Sen. John McCain-sponsored bill that was enacted in December 2006 and codified as portions of 15 U.S.C. §§ 44, 45, 46, 56 and 57-57c. With some exceptions, the US SAFE WEB Act does not create new areas of prohibited conduct for which a person could be subject to criminal or civil liability. Rather, it primarily provides the FTC with new powers to cooperate with foreign law enforcement agencies and new protections for persons who voluntarily provide information to aid FTC investigations.

For example, the Act permits the FTC to provide investigative assistance to foreign law enforcement agencies, including conducting investigations to collect information and evidence for these foreign agencies. 15 U.S.C. § 46(j). It also authorizes the FTC to spend funds for the costs of multilateral cooperative law enforcement groups. 15 U.S.C. § 46(l). This would seem to permit the FTC and foreign governments to create super-police agencies which could cooperate to gather information around the globe. However, the original Act limited these funds to $100,000 and specified that they had to be spent for the costs of five specific international groups. So while the concept of international policing agencies seems exciting, at least as of December 2006, Congress intended these to be quite modest efforts.

The Act permits the FTC to share investigative materials, such as documents, written reports or answers to questions and transcripts of oral testimony with foreign law enforcement agencies. 15 U.S.C. § 57b-2(6). However, the foreign government has to show that the materials are to be used to investigate or enforce foreign laws prohibiting fraudulent or deceptive commercial practices that are "substantially similar" to the practices prohibited by U.S. law.

The Act also contains secrecy provisions, so that the FTC does not have to disclose information provided by foreign sources under FOIA or other provisions of U.S. law. 15 U.S.C.§ 57b-2(f). The bill provides that the FTC was subject to the Right To Financial Privacy Act. However, it also specifies procedures under which disclosures mandated under the Right To Financial Privacy Act can be delayed or prohibited if it would jeopardize an FTC investigation. 15 U.S.C. § 57(b)-2a.

Continue reading "What is the US SAFE WEB Act and what does it mean for you?" »

Private parties frustrated by spam often face significant legal hurdles to bringing suit against the spammer. Businesses and individuals, except for internet service providers, cannot sue under the main Federal anti-spam statute -- CAN-SPAM. 15 U.S.C. § 7706. Some state anti-spam laws do permit email businesses and individuals to bring suit. For example, California's anti-spam laws permit any email recipient to sue. Cal Bus. & Prof. Code § 17529.8. However, CAN-SPAM also unfortunately provides that all state laws regulating commercial emails are preempted (can't be enforced), except to the extent that such laws prohibit "falsity or deception." 15 U.S.C. § 7707(b)(1). This rule has often meant that businesses and consumers seeking to sue spammers under state laws are out of luck.

The reason for their ill-luck is that courts have generally interpreted the terms "falsity and deception" in CAN-SPAM to refer to common-law fraud. This means that the state law is invalid except to the extent that it merely prohibits common-law fraud. So to bring suit under a state anti-spam statute that prohibited falsity or deception, the plaintiff would have to prove that the spammer intentionally made a misrepresentation of material fact, on which the plaintiff actually relied and which caused him actual damages. See, e.g., Omega World Travel, Inc., 469 F.3d 348, 353 (4th Cir. 2006).

To penetrate anti-spam defenses, many spam emails contain false "header" information -- in which a "friendly" email address, from an organization that the email recipient will not block -- is substituted for that of the actual sender (the spammer). Sometime the "from" box in a spam email will contain a variant of the recipient's email address, an email address of another person at the recipient's firm, an email address of another legitimate business, or a misspelled email address from any of the foregoing.

Spam emails also often contain deceptive information in the reference line, such as "A free gift for you", or "You have been selected for a cruise", etc. This material convinces the recipient to open and read the file.

While this header information may be false, it may be difficult for the recipient to argue that this false header information gives rise to the common-law tort of fraud. The false information may have permitted the spammer to get around the recipient's anti-spam software, or the recipient may have been induced by a false reference line to open the spam email. However, the recipient may have never relied on this false information to enter into a transaction in which he lost money. There lies the rub: if there was no actual reliance and no damages caused by the reliance -- then there is no cause of action for common-law fraud. This eliminates most private suits against spammers.

However, some recent decisions regarding California's anti-spam laws have begun to question the standard interpretation of "falsity and deception."

Continue reading "California's Anti-Spam Laws May Provide a Potent Weapon for Private Parties to Wield Against Spammers (Eventually)" »

CAN-SPAM (15 U.S.C. § 7701-7713) was enacted in 2003 in response to a national hue and cry over spam. At the time, unsolicited commercial email was estimated to account for half of all electronic mail traffic. According to the Congressional "findings" in the preamble to the Act, the sheer quantity of spam was doing real damage to the internet, creating costs for storage, accessing, reviewing and discarding unwanted emails, and reducing the reliability and usefulness of electronic mail to the recipient. The findings further stated that "The growth in unsolicited commercial mail imposes significant monetary costs on providers of Internet access services, businesses and educational and nonprofit institutions that carry and receive such mail, as there is a finite volume of mail that such providers, businesses, and institutions can handle without further investment in infrastructure." 15 U.S.C. § 7701(a).

Given these findings, one would think that CAN-SPAM would impose onerous penalties on spammers. Au contraire, mon frere! Instead of "canning" spam, the act became known as the "Yes, You CAN SPAM Act." In fact, the Act does nothing to outlaw the sending of unsolicited emails per se.

Rather, the sending of unsolicited emails is permitted as long as a few basic rules are followed. In general: (i) the "from" and "subject matter" lines in the header must be accurate, relevant to the subject matter of the email and not misleading. A commercial advertiser must also provide its physical address, and a label must also be present if the email contains adult content; (ii) the email must contain an "opt-out" mechanism, that must be honored within 10 days; and (iii) the email must not be not sent to an email address obtained through "address harvesting" or a "dictionary attack" and must not be sent via automatically created email accounts or a computer network to which the sender has gained access without authorization.

Another important element of CAN-SPAM is that it provides that "any statute, regulation, or rule of a State . . . that expressly regulates the use of electronic mail to send commercial messages" is "superseded" -- i.e., preempted. This means that states cannot enact laws that are expressly directed at preventing the sending of unsolicited email messages or at reducing the quantity of email messages that can be sent by a single person. In other words, CAN-SPAM means that the federal government has refused to prevent spamming per se and has declared that the states can't do it either (unless the spam is accompanied by "falsity or deception"). The effect is that much of the job of preventing spam per se is in private hands.

Continue reading "Six Years After CAN-SPAM: Effective Spam Control Can Require Both Technical and Litigation Solutions" »