CAN SPAM ruling against whois privacy protection

A number of bloggers (Venkat B., John L. and Rebecca T.) have mentioned ZooBuh, Inc. v. Better Broadcasting, LLC (No.: 2:11cv00516-DN (D. Utah May 31, 2013)) recently.
In summary of the case is that ZooBuh is an ISP that has sued Better Broadcasting for spamming in violation of CAN SPAM. Their case hinged on the receipt of more than 12,000 emails from Better Broadcasting, LLC. ZooBuh said these emails caused the following harm

[ZooBuh] has had to create and maintain custom SPAM filtering software, has had to dedicate additional man hours to dealing with SPAM related issues, has had to purchase additional servers and other hardware, has received customer complaints, has lost customers, and has experienced server spikes, slowdowns, and crashes inhibiting ZooBuh’s ability to fulfill its contractual obligations with its customers.

The court issued a default judgement that found a number of things. The first is that ZooBuh is a real ISP and they were really harmed by the amount of spam sent by Better Broadcasting.
They found ZooBuh was a bona fide Internet Service Provider, and that they were adversely affected by the mail from Better Broadcasting LLC. To identify whether or not there was an adverse affect, the court looked at Facebook v. Power Ventures, Inc. In that case, Facebook proved to the court that receiving 60,000 messages with a userbase of 901 million and more than 300 employees was an adverse affect. In comparison, ZooBuh has 35,000 users and 3 employees with a message load more than 12,000.

In summary, the harm ZooBuh suffered, and continues to suffer, as the result of its collective SPAM problem is much more significant than the mere annoyance of having to deal with SPAM or the process of dealing with SPAM in the ordinary course of business (i.e., installing a spam filter to flag and discard spam). The harm ZooBuh suffered, and continues to suffer, is manifested in financial expense and burden; lost time; lost profitability; decreases in the life span of ZooBuh’s hardware; server and bandwidth spikes; server crashes; and pre-mature hardware replacements. ZooBuh is adversely affected by a collective spam problem, which includes the emails in question, and that the second part of the standing test is satisfied. Therefore, ZooBuh has standing as defined by the CAN-SPAM Act to assert claims as a private party plaintiff.

The court determined that Better Broadcasting did falsify headers, but not in the way many of us think about header falsification. In this case, the court’s ruling hinged on the use of privacy protection on the domains used in the From line. The court’s reasoning is a little complicated, and I’m not a lawyer, but here’s what I understand. The court looked for Federal court rulings to determine what the standard for header forgery was. The court couldn’t find any cases that addressed the issue, so instead looked at the California courts. Here’s where it gets weird. The California anti-spam law prohibits deceptive header information, a higher standard than CAN SPAM. Last year the California appellate ruled commercial email that contains a generic from line and is sent from a proxied domain is a violation of the California Business and Professions Code § 17529.5(a)(2) (Balsam v. Trancos, part 2). Because the California standard is more burdensome on the plaintiff and is not pre-empted by CAN SPAM the judge used that standard.
The emails received by ZooBuh had generic from lines that didn’t identify any real sender. The court provided examples such as “Accounting Degree” “Add a Sunroom” and “Adult Education.” What’s more, the domain in the from line was a domain registered to Domains by Proxy. This meant the recipient could not determine the source of the emails and thus constitutes a falsification or misrepresentation of header information in violation of CAN SPAM.

Because the California anti-spam statute has not been preempted, prohibits deception, and imposes a more onerous burden on a plaintiff than does the CAN-SPAM Act, the Trancos analysis reasonably extends to the CAN-SPAM Act. Accordingly, where an email contains a generic “from” name and is sent from a privacy-protected domain name, such that the recipient cannot identify the sender from the “from” name or the publicly available WHOIS information, such is “materially misleading” and is a violation of 15 U.S.C. § 7704(a)(1)(C).

I’ve been arguing against privacy protection on domains used in commercial email for a while. I do believe there are legitimate uses for privacy protection, I do not believe that businesses have any legitimate use for privacy protection. In a business context, the only reason to use whois privacy protection is to hide the business ownership. Any real business using email is required by federal law to provide the physical postal address of the sender. Better Broadcasting violated that provision too, but I’ll talk about that in the next blog post.

Related Posts

Internet fraud and private whois records

The Verge has a long article about Internet Marketing and how much fraud is perpetrated by people who label themselves Internet Marketers.
It was interesting, but I didn’t think it was necessarily relevant to email marketers until I saw this quote from Roberto Anguizola at the FTC Bureau of Consumer Protection.

Read More

Yahoo changes

Thanks to tips by a couple blog readers and some clients, I have been looking into Yahoo disabling links in the bulk folder. It does appear Yahoo is no longer allowing users to click on links in emails that Yahoo places in the bulk folder.
In fact, some of the spam in my Yahoo mailbox even has a notice about this.

Read More

Social invading everything

I discovered, inadvertently, that there is a business networking site modeled after dating site. If you’re selling something you go on the site and register as a seller. If you’re buying something you go on the site and register as a buyer. Buyers can post RFIs and sellers can respond.
Decent enough business model, they’ve even fleshed it out so the site itself acts as an invoicing and billing mechanism.
That’s how I discovered it, one of our very large international telco customers decided they wanted to use this site for billing. Many large telcos expect vendors to use their proprietary site, so I wasn’t that surprised when they asked. And, given they’re international being able to bill them electronically just means I don’t have to remember to use the international stamps.
At the behest of our customer, I signed up at the website. It’s like most social networking sites, create a profile, categorize yourself, make everything public. The thing is, I don’t want to use this site to find new customers. I am just using it because one of my current customers is expecting it. Don’t get me wrong, Abacus is a great product and our customers are extremely happy with it, but it’s pretty niche. It’s not something that’s going to be searched for on a generic website.
I thought that when I set my profile to private that would be some sort of signal to keep me out of the main directory of the site. This morning I realized that wasn’t true when I got a bunch of emails telling me about all these companies looking for “business software” (the closest category I could find).
Getting a bunch of irrelevant mail was annoying enough. Even worse, there was no unsub link in the email. Eventually, I discovered an entire page of email options that were not made clear to me up front. I also sent mail to support and suggested that they talk to their lawyers to clarify whether their opt-out option was consistent with CAN SPAM. I’m pretty sure it doesn’t, but I am not a lawyer.
To the company’s credit, they did have good support and my questions through support were answered in a timely fashion. One of their support reps even called me on the phone to clarify what it was that I wanted to happen and walk me through their email options. She was very upfront about yes, they opted everyone in to all the mail at the very beginning of the process. “We’re like match.com for businesses!”
I’m sure there are some businesses that will find this service to be great. But it’s not what I want or need. Despite the fact that their support was so helpful, I don’t have a great feeling about this company. It seems a bit dishonest that I thought I was signing up for a billing portal, but was actually joining “match.com for businesses. Why couldn’t they make that clear in the 7 emails in 2 days “inviting” me to sign up?
I know I’m a little more sensitive to bad mailing processes than most people, but this was quite an unpleasant experience from the multiple identical emails and reminders before I signed up to the irrelevant stuff I got afterwards.

Read More