A Hole in the CAN-SPAM Act
Copyright 2004 ALM Properties, Inc. All Rights Reserved.
New Jersey Law Journal
May 10, 2004
HEADLINE: A Hole in the CAN-SPAM Act;
BYLINE: By Jonathan Bick; Bick is of counsel to WolfBlock Brach Eichler of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School.
The most prevalent way to circumvent antispammers takes advantage of the millions of third-party computers attached to the Internet. These computers can be made to act as relay or "proxy" servers because they are generally available to the public to send commercial e-mail. Open proxies, typically owned by businesses, more and more are in the hands of individuals with home computers permanently connected to the Internet by high-speed, or broadband, access services.
Contrary to widely held belief, this use of proxy servers by bulk e-mailers is not a per-se violation of the CAN-SPAM Act of 2003,1 which sets civil fines for senders of commercial e-mail that does not include valid return addresses.
First, a little background: A proxy server is a computer that acts as an intermediary between a browser and a real server with desired content. Sometimes it is used to mask the identity of the user while relaying the request for content. A proxy server takes an e-mail, strips off identifying information and forwards it to wherever the user wants it to go.
Bulk e-mailers often make use of proxy server software that acts as a focal point for outgoing Internet requests. Proxy servers preserve system assets by directing every outgoing and incoming data transaction through a centralized portal.
Characteristically, organizations limit their proxy servers to local users through the use of a "firewall." However, some organizations either fail to erect such a barrier or, as a public service, allow their proxy servers to be accessed by remote users. Outgoing requests from remote users can be routed through such an unprotected proxy server, which then appears as their point of origin. Incoming responses are then received by the proxy server and routed to the remote user.
Information requests sent through such proxy servers cannot be traced straightforwardly back to the originating IP address and can be used to evade attempts to obstruct queries from the originating IP address. Blocking queries from innocent third party proxy servers is unproductive, because it creates an endless game of hide-and-seek.
The CAN-SPAM Act requires all senders of commercial e-mail - i.e. any e-mail, the primary purpose of which is the commercial advertisement or promotion of a commercial product or service - to conform to certain notice and identification requirements and to avoid misleading and deceptive practices.
The statute pertains by and large to distribution of "commercial electronic mail message[s]," defined as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service [including content on an Internet Website operated for a commercial purpose]." See 15 U.S.C. 7702[A].
Thus, for corporations that market products and services to customers and potential customers over the Internet, a threshold question is whether a particular e-mail communique meets the definition. In short, was the e-mail's "primary purpose" the commercial advertisement or promotion of such individual's or company's products or services?
The CAN-SPAM Act empowers the Federal Trade Commission to be the initial arbiter of the lawfulness of an unsolicited e-mail message. The FTC also has primary enforcement responsibility and, in some cases, industry-specific regulatory authorities. The act sets civil and criminal sanctions for sending spam meant to deceive recipients as to its source or content. It also enables state attorneys general and Internet service providers [ISPs] to bring actions against violators. A state may demand injunctive relief, damages equal to the actual monetary loss suffered or statutory damages up to $250 per unlawful e-mail to a maximum of $2 million. E-mail recipients have no private right to sue spammers directly.
The act appends two qualifications to the definition of a commercial electronic mail message lawful status. First, the term "commercial electronic mail message" does not include a "transactional or relationship message," the latter of which is defined as any of the sorts of e-mails that would "facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender." Second, an e-mail that simply references the sender's company or Web site or other commercial entity or link does not, by itself, cause the associated message to be treated as a commercial electronic mail message.
One of the act's key provisions, 15 U.S.C. §[7701[b], states Congress's determination that "senders of commercial electronic mail should not mislead recipients as to the source or content of such mail." This suggests that disguising header information - such as may occur by using proxies - is prohibited. But Congress in this instance used neither the term "header" nor "proxy."
In Hypertouch, Inc. v. BobVila.com, No. C040880MMC, N.D. Cal., it was alleged that BobVila.com violated the CAN-SPAM Act by sending Hypertouch and its customers unsolicited commercial e-mail containing Bob Vila's Home Again Newsletter content. The complaint stated that the unsolicited commercial e-mails each contained, or were each accompanied by, header information that was materially false or materially misleading.
Specifically, the identities provided by the defendants of the machines delivering mail to plaintiff's mail server did not match IP addresses of the contacting machine. In other words, the defendant's machines gave the names of other machines rather than their own when sending e-mail to the plaintiff's servers. In the plaintiff's view, therefore, the e-mail violated the act, 15 U.S.C. §[7705[a],2 even though that section makes no mention of proxy servers.
It may be argued that the use of proxies does "conceal" the source of a request, since the origin server doesn't ever see the original client's IP address. But if an unsolicited commercial e-mail's content contains appropriate notice of the source, it is not misleading recipients. There is no misrepresentation or mistake. Thus, it can be argued that with appropriate notice, use of proxy servers does not circumvent the CAN-SPAM Act.
Proxy servers aren't designed to conceal. They also reduce Internet traffic. Origin servers need deal with fewer client requests, since many can be handled by proxy servers distributed throughout the network. It seems ironic to base a CAN-SPAM Act violation claim for unlawful use of server resources on a process whose use will in fact conserve the same resources the act was intended to save.
Conducting business on the Internet means making tough decisions. If Internet users really feel that the cost of not knowing the identity of the client outweighs the benefit of reduced overall traffic, they have a simple solution - refuse all requests from third-party proxy servers. While this will likely exclude desirable clients as well as spam, it's hardly unfair to ask a business to perform this kind of cost/benefit analysis.
Maybe some computer owners have no unambiguously good choice here, but the courts have no business creating one for them. In particular, it makes sense for some Internet users to stop transacting with third-party proxy servers. Users might wish to begin requiring that users "authenticate" their identities and use these verified credentials to "authorize" only certain amounts of access. The simple act of requiring registration and passwords may effectively limit spam.
In sum, a bulk commercial e-mailer's use of a proxy is not "per se" outlawed by the CAN-SPAM Act. In order to ensure that each e-mail must include a valid return e-mail address and other header information, such as the Internet protocol address, that accurately identifies the sender and Internet location from which the message has been sent, the bulk commercial e-mailer may employ an appropriate notice either with and/or within the content section of each e-mail.
In addition to an appropriate notice conspicuously placed in the content, bulk e-mailers should be sure an e-mail's "from" address is the source address rather than the proxy address. Such effort combined with compliance with other CAN-SPAM Act requirements will allow e-marketers to lawfully use proxy servers. These techniques will also help overcome antispam activists' efforts that have resulted in blocking all incoming e-mail from particular sources.
Still, proxy use by some bulk e-mails may be unlawful. Since the FTC
is the initial arbiter, bulk e-mailers may be wise to contact the commission
anonymously prior to using a proxy server.
1. The Controlling the Assault of Non-Solicited Pornography and Marketing Act, Pub. L. No. 108-187, 117 Stat. 2699 , became effective January 1, 2004. Codified at 15 U.S.C. 7701-13; 18 U.S.C. 1001, 1037; 28 U.S.C. 994; and 47 U.S.C. 227.
2. 15 U.S.C. §[7705[a] reads:
§[ 7705. Businesses knowingly promoted by electronic mail with false or misleading transmission information
[a] In general. It is unlawful for a person to promote, or allow the promotion of, that person's trade or business, or goods, products, property, or services sold, offered for sale, leased or offered for lease, or otherwise made available through that trade or business, in a commercial electronic mail message the transmission of which is in violation of section 5[a] [15 USCS §[7704[A]] if that person--
 knows, or should have known in the ordinary course of that person's trade or business, that the goods, products, property, or services sold, offered for sale, leased or offered for lease, or otherwise made available through that trade or business were being promoted in such a message; ...