CAN SPAM ruling against whois privacy protection

A number of bloggers (Venkat B., John L. and Rebecca T.) have mentioned ZooBuh, Inc. v. Better Broadcasting, LLC (No.: 2:11cv00516-DN (D. Utah May 31, 2013)) recently.
In summary of the case is that ZooBuh is an ISP that has sued Better Broadcasting for spamming in violation of CAN SPAM. Their case hinged on the receipt of more than 12,000 emails from Better Broadcasting, LLC. ZooBuh said these emails caused the following harm

[ZooBuh] has had to create and maintain custom SPAM filtering software, has had to dedicate additional man hours to dealing with SPAM related issues, has had to purchase additional servers and other hardware, has received customer complaints, has lost customers, and has experienced server spikes, slowdowns, and crashes inhibiting ZooBuh’s ability to fulfill its contractual obligations with its customers.

The court issued a default judgement that found a number of things. The first is that ZooBuh is a real ISP and they were really harmed by the amount of spam sent by Better Broadcasting.
They found ZooBuh was a bona fide Internet Service Provider, and that they were adversely affected by the mail from Better Broadcasting LLC. To identify whether or not there was an adverse affect, the court looked at Facebook v. Power Ventures, Inc. In that case, Facebook proved to the court that receiving 60,000 messages with a userbase of 901 million and more than 300 employees was an adverse affect. In comparison, ZooBuh has 35,000 users and 3 employees with a message load more than 12,000.

In summary, the harm ZooBuh suffered, and continues to suffer, as the result of its collective SPAM problem is much more significant than the mere annoyance of having to deal with SPAM or the process of dealing with SPAM in the ordinary course of business (i.e., installing a spam filter to flag and discard spam). The harm ZooBuh suffered, and continues to suffer, is manifested in financial expense and burden; lost time; lost profitability; decreases in the life span of ZooBuh’s hardware; server and bandwidth spikes; server crashes; and pre-mature hardware replacements. ZooBuh is adversely affected by a collective spam problem, which includes the emails in question, and that the second part of the standing test is satisfied. Therefore, ZooBuh has standing as defined by the CAN-SPAM Act to assert claims as a private party plaintiff.

The court determined that Better Broadcasting did falsify headers, but not in the way many of us think about header falsification. In this case, the court’s ruling hinged on the use of privacy protection on the domains used in the From line. The court’s reasoning is a little complicated, and I’m not a lawyer, but here’s what I understand. The court looked for Federal court rulings to determine what the standard for header forgery was. The court couldn’t find any cases that addressed the issue, so instead looked at the California courts. Here’s where it gets weird. The California anti-spam law prohibits deceptive header information, a higher standard than CAN SPAM. Last year the California appellate ruled commercial email that contains a generic from line and is sent from a proxied domain is a violation of the California Business and Professions Code § 17529.5(a)(2) (Balsam v. Trancos, part 2). Because the California standard is more burdensome on the plaintiff and is not pre-empted by CAN SPAM the judge used that standard.
The emails received by ZooBuh had generic from lines that didn’t identify any real sender. The court provided examples such as “Accounting Degree” “Add a Sunroom” and “Adult Education.” What’s more, the domain in the from line was a domain registered to Domains by Proxy. This meant the recipient could not determine the source of the emails and thus constitutes a falsification or misrepresentation of header information in violation of CAN SPAM.

Because the California anti-spam statute has not been preempted, prohibits deception, and imposes a more onerous burden on a plaintiff than does the CAN-SPAM Act, the Trancos analysis reasonably extends to the CAN-SPAM Act. Accordingly, where an email contains a generic “from” name and is sent from a privacy-protected domain name, such that the recipient cannot identify the sender from the “from” name or the publicly available WHOIS information, such is “materially misleading” and is a violation of 15 U.S.C. § 7704(a)(1)(C).

I’ve been arguing against privacy protection on domains used in commercial email for a while. I do believe there are legitimate uses for privacy protection, I do not believe that businesses have any legitimate use for privacy protection. In a business context, the only reason to use whois privacy protection is to hide the business ownership. Any real business using email is required by federal law to provide the physical postal address of the sender. Better Broadcasting violated that provision too, but I’ll talk about that in the next blog post.

Related Posts

Proxy registrations and commercial email

Yesterday the law firm Venable, LLP published a document discussing the recent California appellate court decision in Balsam v. Trancos. Their take is that commercial email that contains a generic from line and is sent from a proxied domain is a violation of the California Business and Professions Code § 17529.5(a)(2).

Read More

Transparency in sending

Al has a post listing some of the bad things some sender representatives do when approaching ISPs for delisting.
One of the things I would add to the list is hiding behind a privacy protected domain registration. No matter how you dice it, having a business domain behind privacy protection makes a company look illegitimate. For any company sending commercial mail, it’s not even an issue as senders are required by law to include an address in every email. With this sort of requirement, it’s not like customers aren’t going to be able to find them.
This is an issue I feel so strongly about, I will not represent senders to ISPs unless they have a valid, unprotected whois registration. I do offer consulting and other services to them, but will not contact the ISPs on their behalf. This is not the reputation I want to create with the ISPs for myself or my other clients.
I challenge anyone who is running a business and using a whois privacy protection service to put the same address in their whois record as is on every email you send out.
I challenge ISPs to stop offering whitelisting, FBL or other services to senders who insist on using whois privacy services.

Read More

CAN SPAM pre-emption in the courts

Ethan Ackerman has a summary of recent cases where judges are splitting over rulings on CAN SPAM pre-emption.

Read More