BLOG

CAN SPAM ruling against whois privacy protection

A number of bloggers (Venkat B., John L. and Rebecca T.) have mentioned ZooBuh, Inc. v. Better Broadcasting, LLC (No.: 2:11cv00516-DN (D. Utah May 31, 2013)) recently.

In summary of the case is that ZooBuh is an ISP that has sued Better Broadcasting for spamming in violation of CAN SPAM. Their case hinged on the receipt of more than 12,000 emails from Better Broadcasting, LLC. ZooBuh said these emails caused the following harm

[ZooBuh] has had to create and maintain custom SPAM filtering software, has had to dedicate additional man hours to dealing with SPAM related issues, has had to purchase additional servers and other hardware, has received customer complaints, has lost customers, and has experienced server spikes, slowdowns, and crashes inhibiting ZooBuh’s ability to fulfill its contractual obligations with its customers.

The court issued a default judgement that found a number of things. The first is that ZooBuh is a real ISP and they were really harmed by the amount of spam sent by Better Broadcasting.

They found ZooBuh was a bona fide Internet Service Provider, and that they were adversely affected by the mail from Better Broadcasting LLC. To identify whether or not there was an adverse affect, the court looked at Facebook v. Power Ventures, Inc. In that case, Facebook proved to the court that receiving 60,000 messages with a userbase of 901 million and more than 300 employees was an adverse affect. In comparison, ZooBuh has 35,000 users and 3 employees with a message load more than 12,000.

In summary, the harm ZooBuh suffered, and continues to suffer, as the result of its collective SPAM problem is much more significant than the mere annoyance of having to deal with SPAM or the process of dealing with SPAM in the ordinary course of business (i.e., installing a spam filter to flag and discard spam). The harm ZooBuh suffered, and continues to suffer, is manifested in financial expense and burden; lost time; lost profitability; decreases in the life span of ZooBuh’s hardware; server and bandwidth spikes; server crashes; and pre-mature hardware replacements. ZooBuh is adversely affected by a collective spam problem, which includes the emails in question, and that the second part of the standing test is satisfied. Therefore, ZooBuh has standing as defined by the CAN-SPAM Act to assert claims as a private party plaintiff.

The court determined that Better Broadcasting did falsify headers, but not in the way many of us think about header falsification. In this case, the court’s ruling hinged on the use of privacy protection on the domains used in the From line. The court’s reasoning is a little complicated, and I’m not a lawyer, but here’s what I understand. The court looked for Federal court rulings to determine what the standard for header forgery was. The court couldn’t find any cases that addressed the issue, so instead looked at the California courts. Here’s where it gets weird. The California anti-spam law prohibits deceptive header information, a higher standard than CAN SPAM. Last year the California appellate ruled commercial email that contains a generic from line and is sent from a proxied domain is a violation of the California Business and Professions Code § 17529.5(a)(2) (Balsam v. Trancos, part 2). Because the California standard is more burdensome on the plaintiff and is not pre-empted by CAN SPAM the judge used that standard.

The emails received by ZooBuh had generic from lines that didn’t identify any real sender. The court provided examples such as “Accounting Degree” “Add a Sunroom” and “Adult Education.” What’s more, the domain in the from line was a domain registered to Domains by Proxy. This meant the recipient could not determine the source of the emails and thus constitutes a falsification or misrepresentation of header information in violation of CAN SPAM.

Because the California anti-spam statute has not been preempted, prohibits deception, and imposes a more onerous burden on a plaintiff than does the CAN-SPAM Act, the Trancos analysis reasonably extends to the CAN-SPAM Act. Accordingly, where an email contains a generic “from” name and is sent from a privacy-protected domain name, such that the recipient cannot identify the sender from the “from” name or the publicly available WHOIS information, such is “materially misleading” and is a violation of 15 U.S.C. § 7704(a)(1)(C).

I’ve been arguing against privacy protection on domains used in commercial email for a while. I do believe there are legitimate uses for privacy protection, I do not believe that businesses have any legitimate use for privacy protection. In a business context, the only reason to use whois privacy protection is to hide the business ownership. Any real business using email is required by federal law to provide the physical postal address of the sender. Better Broadcasting violated that provision too, but I’ll talk about that in the next blog post.

3 comments

  1. Neil Schwartzman says

    I once encountered an instance where an Adult site balked at removing privacy protection as part of the process to gaining access to services I was charged with protecting. They cited stalking of their models as a concern. I suggested they use their corporate head office address, or set up a proxy at their lawyers’ offices as a way to satisfy California law a well as their quite legitimate concerns. I disavowed them of the notion of using a POB or fake WHOIS entries, since that is arguably deceptive.

    That said, the only people who *must* be concerned about this standard from a legal standpoint are those who are spamming. Provided you are certain you will *never* be charged under CANSPAM the issue is one of failing to meet a best practice (WHOIS proxies are prohibited under the MAAWG.org best practices, for example), which can have a deleterious effect as noted above.

    IOW, merely having WHOIS proxy in place would not precipitate a CANSPAM suit. Unfortunately.

  2. Al Iverson says

    I think there’s a reasonable, personal use case for an individual blogger not wanting crazy people to show up at his/her home. However, I would agree completely that WHOIS proxy services have no place being used in a domain used for commercial purposes.

  3. John L says

    Re Neil’s point, the Mumma case said that if it is easy to identify the sender from the body of the mail, technical faults don’t matter. In this case, the spammer was playing games with From lines like “super deals” and the required opt-out and stuff hidden in remote images so WHOIS was the last hope to identify them.

Comment:

Your email address will not be published. Required fields are marked *

  • AOL compromise

    Lots of reports today of a security problem at AOL where accounts are sending spam, or are being spoofed in spam runs or something. Details are hazy, but there seems to be quite a bit of noise surrounding this incident. AOL hasn't provided any information as of yet as to what is going on.4 Comments


  • ReturnPath on DMARC+Yahoo

    Over at ReturnPath Christine has an excellent non-technical summary of the DMARC+Yahoo situation, along with some solid recommendations for what actions you might take to avoid the operational problems it can cause.No Comments


  • AOL problems

    Lots of people are reporting ongoing (RTR:GE) messages from AOL today.  This indicates the AOL mail servers are having problems and can't accept mail. This has nothing to do with spam, filtering or malicious email. This is simply their servers aren't functioning as well as they should be and so AOL can't accept all the mail thrown at them. These types of blocks resolve themselves. 1 Comment


Archives