Legal

Tulsi v. Google response

On Friday Google’s lawyers filed their response to the Gabbard Campaign’s first amended complaint. They asked for the case to be moved to the Northern District of CA as per the contractual agreement that the campaign signed. They also asked for a dismissal as they are not a government entity nor acting in place of a government entity and thus are not covered under either the 1st or the 14th amendments.

Tulsi v. Google: 1st amended complaint

Friday the Tusli Gabbard campaign filed the expected first amended complaint against Google for suspending her adwords account immediately after the first Democratic debate. A full copy of the complaint is available.

Profiting off spam

The FTC filed suit against Match.com for using fake accounts to entice people into signing up for accounts. (WA Post) Part of the FTC’s allegations include that Match flagged the accounts and prevented them from contacting paying Match users while simultaneously allowing the users to contact free Match users.

Update on Tulsi Gabbard sues Google

Back in July the Tulsi Gabbard campaign sued Google for deactivating their “advertising account” on the night of the first Democratic debate. I’ve been waiting for the Google response, which was due to be filed today.

Tulsi Gabbard Sues Google

Today Tulsi Gabbard’s campaign sued Google for $50 million. Why? Because during the night of the first debate Google disabled her “advertising account” (I’m assuming she means adwords) preventing her from being able to purchase ads to direct searchers to her website. There’s also a paragraph in there that they’re “disproportionally putting her email into the spam folder.”

Techdirt lawsuit settled

Back in 2017 Techdirt wrote a series of articles about Shiva Ayyadura. Shiva claims he invented email. (narrator voice: he didn’t). I wrote about the lawsuit when it was dismissed on First Amendment grounds. The parties cross appealed, and have been in settlement talks for 18 months.

The Commission finds that nCrowd, Inc. committed one violation of paragraph 6(1)(a) and one violation of paragraph 6(2)(c) of Canada’s Anti-Spam Legislation (the Act) in relation to commercial electronic messages sent to recipients in Canada. The Commission also finds that Brian Conley is liable, under section 31 of the Act, for those violations. Accordingly, the Commission imposes an administrative monetary penalty of $100,000 on Brian Conley. CRTC

The commission’s report is well worth a read as it discusses many of the things I’ve noticed from spamming operations over the years. It’s pretty standard business practice for spammers to have a complex set of sorta but not really different businesses. They all interact and share data, but not legal liability. They’re mostly treated as one business by the principles and there’s no real dedication to any one brand name.

CAN-SPAM Again

The US CAN-SPAM act is the primary US legislation covering commercial email. It’s been around since 2003, but I still see a steady stream of questions about it, and the folkloric answers to some of them are all over the place.

First major GDPR fine

Only now I realize there should have been a pool around GDPR enforcement. We could have placed bets on the first company fined, the first country to fine, over/under on the fine amount, month and year of action. But, it’s too late, all bets are closed, we have our first action.

Who didn't invent email, part 2

Back in 2014, Steve wrote an article discussing Shiva Ayyadurai,and his claims that he was the inventor of email. In that article he links to a number of articles from Techdirt. Earlier this year, Shiva sued Floor64, the parent company of Techdirt, as well as Michael Massnick the Founder, CEO and editor and Leigh Beadon, a writer for Techdirt. (Original Complaint pdf from ReCAP). Ars Technica has a good article on Shiva and his claims.

The complaint asserts that the defendants defamed Shiva in their articles, caused him economic harm and inflicted emotional distress on him.
Today the judge dismissed the case (Memorandum and Order, pdf from ReCAP) against Michael and Leigh. The legal standard for punishable defamatory statements is there must be a way to prove them true or false. The judge ruled that since there is not a single definition of email, that there is no way to definitively prove Techdirt’s statements as true or false.
No one disputes the Shiva coded a system that encompasses the features we expect of any desktop or web based mail client. As many people have mentioned, the fact he was 14 and put together a complex program is impressive in and of itself. No one is disputing what he did accomplish.
To my mind the fundamental core of email is interoperability. It’s that I can sit in my lab at the University of Wisconsin, type a message, hit send and have someone in Boston receive the message. I can sit here in my office in California and write to my client in the the UK. The bits of the email client, which define email according to Shiva, are not email. They’re important for usability, but they’re not what makes email email.
According to Ars Technica, Shiva is going to appeal the dismissal.
EDIT: Techdirt has posted an article on the lawsuit and the dismissal.

FTC solicits CAN-SPAM feedback

The FTC (US Federal Trade Commission) is soliciting comments on CAN-SPAM legislation:
A. General Issues

Botnet herder / spam kingpin arrested

Via Krebs on Security, a russian named Pyotr Levashov has been arrested in Spain. According to news reports (NY Times, Reuters ) the arrest happened in response to a warrant issued by the US, but no details were given as to what he was being charged with. The DoJ says the case is currently under seal and will not comment on charges.
There is widespread agreement that this person is involved in major spamming operations. He’s one of Spamhaus’ Top 10 spammers (ROKSO listing). He’s been implicated in fraud during the 2012 elections in Russia. Some reports are speculating that he was involved in the hacking of the 2016 elections here in the US, but there’s no current evidence that’s true.

More CASL enforcement

Last week the CRTC published a CASL enforcement action wherein they fined an individual $15,000 for 10 violations of the act.

Another CASL fine assessed

This week the Canadian Radio-television and Telecommunications Commission (CRTC) announced a $50,000 fine against Blackstone Learning Corp. for violations of CASL.

In early 2015, the CRTC identified over 380,000 emails sent without the consent of recipients and fined Blackstone $640,000. Blackstone appealed the ruling and the Commission lowered the fine to $50,000.
I strongly recommend folks who are interested in how the CRTC is enforcing CASL read the full release. In it, the CRTC walks us through the process of investigation. In this case, Blackstone argued that they had implied consent based on the public nature of the recipients email addresses and the fact they’re published on different websites. The commission disagreed.

Affiliates can be liable for fraud

An article popped up on LinkedIn about a recent 2nd court of appeals ruling that I thought was interesting.

Back in 2011, the FTC and the state of Connecticut filed suit against a company called LeanSpa and their affiliate marketer called LeadClick. LeanSpa sold various diet products through negative option marketing. LeadClick was the affiliate company they used to help drive traffic and customers to their websites.
LeadClick and their parent company was included in the suit because the FTC alleged that they were aware of and facilitated the false claims made by their affiliates. The case went to court and LeadClick lost. They appealed to the 2nd Circuit court. Last week the 2nd Circuit Court upheld the trial court’s finding of liability for LeadClick.
In its press release for the case, the FTC says:

Electronic records outside US not covered by US warrants

The 2nd Circuit Court of Appeals ruled against the Government today in US Government vs. Microsoft. The government is investigating a drug dealer and want access to records held by Microsoft. Microsoft turned over metadata stored on US machines. But they refused to turn over the specific emails stored on machines in Dublin. The company’s position is that the federal government needs to follow the rules of the Mutual Legal Assistance Treaty between the US and Ireland.
This has been winding its way through the appeals court.
The court’s ruling today states “§ 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.”
An interesting ruling, and I see pros and cons to the ruling. It does complicate anti-spam enforcement a bit and make it easier for criminals to hide their data overseas while they might be in the US. But it’s already easy for them to do that. Many arrests of spam gangs and others for crimes committed on the Internet over email involve multiple law enforcement agencies across the world.
Full text of the ruling (.pdf link)

US-EU Privacy Shield Approved

Since the Safe Harbor rules were struck down by EU courts, the US and EU have been in negotiations to replace it. This morning (pacific time) the EU approved the new rules called Privacy Shield. WSJ Article

Sanford Wallace goes to Jail

Sanford Wallace has been sentenced to 2 years in jail by the US District court in San Jose for contempt of court and electronic mail fraud. Sanford has been around for more than 2 decades. He is one of the spammers that drove me to learn how to read headers and report spam back in the late nineties.

Sanford has been in and out of courts and the news almost as long as he’s been spamming. When I dug into Pacer this morning to grab a copy of the sentencing report I see multiple cases, some going back as far as 1996. There aren’t electronic records for Concentric Network v. Wallace, et al. (case: 5:96-cv-20829-RMW) but the final disposition of the case says “Permanent Injunction.”

Ask Laura: Confused about CAN SPAM

Let's talk CAN SPAM

Earlier this week I posted about the increased amount of B2B spam I’m receiving. One message is not a huge deal and I just delete and move on. But many folks are using marketing automation to send a series of emails. These emails often violate CAN SPAM in one way or another.
This has been the law for 13 years now, I find it difficult to believe marketers are still unaware of what it says. But, for the sake of argument, let’s talk about CAN SPAM.

Fraud, terms of service and email marketing

Here at the Atkins house we’re still both recovering from the M³AAWG plague. I don’t know what it was that we shared during the conference, but it’s knocked many folks over. I don’t have a lot to blog about this afternoon so I was looking through some of my old blog posts to get at least some content up before I give up for the weekend.
I found an old post about permission (Permission: It May Not Be What You Think It Is). The post discusses where a woman sued Toyota over emails from an online marketing campaign. I’d totally forgotten about that blog post, so I started looking at what happened with the case.
In the original case Toyota created a social media campaign where people could opt their friends in to be the target of a prank.

Hands off address books

Germany’s highest court has ruled that Facebook’s practice of harvesting email addresses from their users contact lists in order to send invitations to them constitutes “advertising harassment” and violates German law on data protection and unfair trade practices. This in response to a suit filed by the Federation of German Consumer Organisations (VZBV)

Still Spamming…

This morning I woke up to news that Sanford Wallace pled guilty to spamming. Again.
Sanford was one of the very early spammers (savetrees.com). He moved to email from junk faxing when Congress made junk faxing illegal in 2005. He sued AOL when AOL blocked his mail. He lost and the courts maintained that blocking spam was not a violation of the sender’s rights. Sanford then moved on to using open relays to avoid blocks. He was eventually disconnected from his backbone provider (AGIS) for abuse. Sanford sued AGIS for breach of contract and was reconnected for a brief period of time.
After his disconnection from AGIS, Sanford and a few of the other folks proposed a backbone provider that allowed bulk email marketing. That never really went anywhere.
Reading these old articles is a major blast in the past. The legal case between AGIS and Cyberpromotions was the event that led to my involvement in email marketing and spam. I even spent a Saturday afternoon in the late 90s with about a dozen people on a con call with Sanford and Walt talking about his backbone idea. My position was pretty simple: it wasn’t going to work, but as long as there was consent it was his network and he could do what he wanted.
I kinda lost track, just because he moved onto other ways of advertising and I got deeper and deeper into deliverability consulting. He did show up on my radar a few years ago when Facebook sued him for breaking into user accounts and using those accounts to spam. He lost a $711 million dollar judgement to Facebook, but given he didn’t have the resources the judge in that case recommended criminal charges.
Criminal charges were filed a few years later. Yesterday, Sanford pled guilty to fraud and criminal contempt as well as violating a court order to stay off Facebook’s network.
He now faces $250,000 in fines and up to 16 years in jail. Given his history, I expect he’ll figure out some way to still send spam even if he’s locked up.
Sanford is one of the reasons so many folks have such a low opinion of anyone who describes their business as “legitimate email marketing.” Sanford used the same phrase back in the late 90s. Of course no one, with the possible exception of him, actually believed that. But when someone like that adopts the moniker “legitimate email marketer” it’s hard to take them seriously when someone like Sanford has been using that since the late 90s.

Another CASL fine

The Canadian Radio-television and Telecommunications Commission (CRTC) announced today that Porter Airlines had agreed to pay a fine of $150,000 for violations of the Canadian Anti-Spam Law (CASL).
After investigating the airline, CRTC found multiple violations of the statute. These violations include no unsubscribe link or the unsubscribe link was not prominent enough.
Some of the messages at issue failed to have proper identification. Finally, Porter Airlines couldn’t prove consent for at least some subset of the subscribers.
This is another in a series of enforcement actions where CRTC fined companies for violations of CASL. But none of those enforcement actions really seem overly punitive. There were multiple people publicly concerned about CRTC aggressively fining companies and even driving them out of business. These concerns now appear to be unfounded. Certainly, CRTC is enforcing the law but in a way to help companies come into compliance with it.
Another major concern some individuals had was the private right of action under CASL. I recently attended a conference where one of the talks was related to CASL and enforcement. What was said there is that there are some constraints on bringing a case. For instance cases can’t be brought in lower courts, they have to be brought in the provincial (I think) courts. This puts an additional burden on plaintiffs. Reading between the lines, my impression was this was intended by the regulatory agency and lawmakers to stop nuisance type suits, but allow for real action when needed.
Finally, I have yet to hear about any enforcement action that resulted in fines for corporate officers rather than the corporation as an entity.
All in all, the chicken littles claiming that this law was going to drive email marketers out of business seem to have been wrong. In fact, when I asked a question during the session “have you heard of any companies stopping marketing in Canada due to CASL” the first response was a scoff. This was not the purpose or intent of the law, and it doesn’t appear to be enforced that way.

3 new CAN SPAM cases

Xmission, a Utah ISP, has filed suit against 3 companies alleging violations of CAN SPAM. The cases were filed in the Utah District Court in April and June. I’ve downloaded some of the documents and complaints and they are now in RECAP. I’ve also included the complaints here (and the links from here on out are almost all .pdfs of the court documents).
Xmission v. Adknowledge (Case 2:15-cv-00277).
Xmission v. Clickbooth (Case 2:15-cv-00420).
Xmission v. Thompson and Company (Case 2:15-cv-00385).
In all the cases Xmission is alleging similar violations of CAN SPAM.
Falsified header information: part 1
Xmission asserts that the domains in the headers were spoofed, unregistered or belonged to an unrelated 3rd party. One of the complaints listed subject lines of the emails sent, so I dug through my spam folder for similar emails. I found a few examples of what I suspect are the spams mentioned in the suit.

ROKSO lawsuit settled

Earlier this year Ken Magill reported that a judge in the UK was allowing a libel case against Spamhaus to go forward. I thought for sure I’d blogged about the case at the time, but apparently I didn’t.
The short version is that today Spamhaus announced the lawsuit was settled and the complainants paid for Spamhaus’ legal fees.
As with most legal cases the details are complex and convoluted. Let me try to sum up.

Recipients need to be able to unsubscribe

The The Canadian Radio-television and Telecommunications Commission (CRTC) announced today that Plentyoffish Media paid a $48,000 fine for CASL violations. According to the CRTC news release, Plentyoffish Media was failing to allow consumers to unsubscribe from mail in compliance with CASL.
CASL requires that any commercial electronic email message contain an easy and free unsubscribe mechanism. Plentyoffish sent mail to its members without an unsubscribe mechanism. According to their webpage (HT: Sanket) there were some messages that users were unable to opt-out of without closing their account.

Arrests in ESP data breach

The FBI announced today arrests of three people in the ESP data breaches from the compromises of various ESPs a few years ago.
Krebs on Security: Feds Indict Three in 2011 Epsilon Hack
Department of Justice: Three Defendants Charged with One of the Largest Reported Data Breaches in U.S. History
After stealing over a billion addresses from 8 ESPs, the lists were monetized through affiliate marketing. The owner of the affiliate program was one of the people arrested.
More on Monday.

CRTC fines Compu-Finder $1.1 million for CASL violations

The Canadian Radio-television and Telecommunications Commission (CRTC) is the principle agency tasked with enforcing Canada’s anti-spam law. Today they issued a Notice of Violation to Compu-Finder including a $1.1 million dollar fine for 4 violations of CASL. The violations include sending unsolicited email and having a non-working unsubscribe link. According to the CRTC, complaints about Compu-Finder accounted for 26% of all complaints submitted about this industry sector.
This is the first major fine announced under CASL.
One of the first things that jumped out at me about this is the action was taken against B2B mail. There are a lot of senders out there who think nothing of sending unsolicited emails to business addresses. In my experience, many B2B senders think permission is much less important for them than B2C senders. I think that this enforcement action demonstrates that, at least to the CRTC, permission is required for B2B mail.
The other thing that jumped out is that given the extent of the complaints (26%) the financial penalties were only slightly more than 10% of the $10M maximum penalty. It seems the CRTC is not blindly applying the maximum penalty, but is instead actually applying some discretion to the fines.
I’ve looked for the actual notice of violation, but haven’t been able to find a copy. If I find it, I will share.

This message cannot be considered spam

Every once in a while I get spam, usually from a foreign country, that contains the (in)famous Murkowski statement.

CASL enforcement

As most people know, the Canadian Anti-Spam Law (CASL) went into effect July 1 of this year. This month, the CRTC concluded its first investigation.

CASL is more privacy law than anti-spam law

Michael Geist, a law professor in Canada, writes about the new CASL law, why it’s necessary and why it’s more about privacy and consumer protection than just about spam.

Happy Canada Day, CASL now in effect

It’s Canada Day, and this year it has special connotations for email senders who are in Canada or sending to Canadian residents.
CASL is now in effect. For in depth guidance, go visit Matt Vernhout’s excellent series on CASL. But for those of you who just want the Cliff notes here’s the high points
If you are in Canada or you are sending to residents in Canada:

Spam disclaimer of the day

Things are extremely busy here so blogging is not getting quite the attention it should. I hope to return to more extensive posts soon. Meanwhile, you’ll have to put up with short posts.
Today is a disclaimer I received in a spam. This is one of my addresses that has, somehow, ended up on UK-specific lists.

Is harvesting illegal under CAN SPAM

This issue comes up repeatedly, as many people have read the CAN SPAM act and believe that CAN SPAM specifically prohibits sending mail to harvested address. This is not how I read the law.
The FTC publishes a CAN SPAM Compliance Guide for Businesses that only mentions harvesting in the context of criminal penalties for violations. They list the following 7 main requirements of CAN SPAM.

Transcript of Google hearing

I’ve not had a chance to read it, yet, but the transcript of the September hearing for the wiretapping case against Google is available. (pdf download)

CASL and existing opt-in addresses

The Canadian Anti-Spam law takes effect this summer. EmailKarma has a guest post by Shaun Brown that talks about how to handle current opt-in subscribers under the law.

Canada announces CASL regulation start date

This morning Industry Canada published its final regulations regarding the implementation of the Canadian Anti-Spam Law. Email related provisions of the law will take effect June 1, 2014.
What does this mean? It means that anyone sending mail from Canada or anyone sending mail that is accessed in Canada is required to have explicit opt-in consent for sending that mail, with a few exceptions. These exceptions include commercial electronic messages that are:

ICANN goes after Dynamic Dolphin

ICANN sent a letter to domain registrar Dynamic Dolphin notifying them of their non-compliance with the ICANN Registrar Agreement.
HT: Neil Schwartzman
(Today appears to be retro-blogging day. First I blog about s.1618 then I blog about Scott Richter.)

Google wiretapping case, what the judge ruled

Yesterday I reported that the judge had ruled on Google’s motion to dismiss. Today I’ll take a little bit deeper look at the case and the interesting things that were in denial of the motion to dismiss.
Google is being sued for violations of federal wiretapping laws, the California invasion of privacy act (CIPA) and wiretapping laws in Florida, Pennsylvania and Maryland. This lawsuit is awaiting class certification for the following groups.

No expectation of privacy, says Google

I spent yesterday afternoon in Judge Koh’s courtroom listening to arguments on whether or not the class action suit against Google based on their scanning of emails for advertising purposes can go forward. This is the case that made news a few weeks ago because Google stated in their brief that users have “no expectation of privacy” in using online services.
That does appear to be what Google is actually saying, based on the arguments by attorney Whitty Somvichian. He made it clear that Google considers everything that passes through their servers, including the content of emails, covered under “information provided to Google” in the privacy policy. Google is arguing that they can read, scan, and use that content to display ads and anything else they consider to be in the normal course of business.
I have pages and pages of notes but I have some paying work to finish before I can focus on writing up the case. There were multiple reporters and bloggers in the courtroom, but I’ve not found many article. Some I’ve found are:

Patent trolling, meet RPost

Yesterday I mentioned Ubicomm and their patent trolling based on an ancient Xerox patent they acquired earlier this year. I think the mere fact that Xerox sold the patent says all we need to know about how applicable it is.
The other patent troll in the email space right now is RPost. Steve did a blog post about RPost patent trolling about a year ago.
This summer, RPost’s legal team started calling different companies in the email space. I got a call the first week in July. After introducing himself as their lawyer and reassuring me he was not sending me legal threats, he started to ask all sorts of questions about our technology. I declined to answer any of them.
The lawyer then said he had some paperwork to send me and asked for an email address. I told him we do not accept legal service by email and that he could send me any relevant paperwork to our address of record. If I had any questions about RPost having a real product, it was answered when the lawyer didn’t tell me that RPost technology is all about secure delivery of legal papers.
Others in the email space started reporting similar calls and letters from RPost around the same time.
It’s been 2 months (almost to the day) since RPost’s lawyer called me and we have yet to receive anything from them. Clients of mine, however, have received papers from RPost. The papers instruct recipients to read RPost’s patents and notify RPost if they are infringing.
Yes, RPost are such cheapskates they expect their target companies to do the work identifying any potential infringement. Or possibly it’s just that they have so little money they can’t afford to pay their legal team. Certainly my experience is that telling them to send us postal mail is enough expense? time? to stop them from moving forward.
My recommendations to anyone receiving a letter from RPost (or anyone else claiming patent infringement) are pretty simple.

Patent trolling

I’ve recently become aware of activity from a couple patent trolls in the email space.
One is UbiCommLLC. They appear to be suing the Internet for violating a patent they acquired from Xerox. The lawsuit claim is that shopping cart abandonment emails violate a patent they own.
I did a little reading on this recently. UbiComm LLC formed itself in January of this year and acquired a Xerox patent the following month. They’ve since gone on an infringement spree, suing other printer companies, retailers, ESPs and that’s just what I can find in 2 minutes of searching.
The patent is U.S. Patent No. 5,603,054 titled “Method for Triggering Selected Machine Event When the Triggering Conditions of an Identified User Are Perceived.” I read a little of this patent and best I can tell (and I’m not a lawyer) this has zero to do with email and even less to do with shopping carts. Instead, this appears to be a way to identify where an individual is inside a local network and send a message to the machine closest to that person.
This is what I think the use case for the patent is. Take an office building, or even an office complex, or even an international corporation with hundreds of computers and printers and smart phones. Each one of those is connected to the network and is capable of displaying a message to a particular person. Each person in the building wears some sort of tag that is also hooked up to the network. I want to send a message to Bob, so I send a message to Bob. The local network figures out where Bob is, figures out what machine is closest to him and then presents that message to Bob on that machine.
This is conceptually different than email. The sending network doesn’t have to figure out where Bob is, it just sends the message to Bob’s email account. Bob chooses when and where to download the message. It’s not like shopping cart abandonment messages are targeted to my phone when I’m in the car, my office computer when I’m at work and my home computer when I’m at home.
In my non-legal opinion these are nuisance suits. The lawyers at Ratner Prestai seem to agree with me and give good suggestions on how to plan for such a thing.

Gmail says no expectation of privacy, kinda.

Consumer Watch put out a press release yesterday about a court filing made by Gmail that says Gmail users have no expectation of privacy. I pulled a bunch of the docs yesterday, but have had no real time to read or digest them.
For recap users everything I pulled (and stuff other people have pulled) are available at Archive.org.
The initial complaint was filed under seal at the request of Google. The redacted complaint doesn’t tell us a lot, but it’s available for people to read if they’re interested.
The doc everyone is talking about is Google’s Motion to Dismiss. Everyone is up in arms about Google saying, in that filing, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” (page 28, line 9). What no one seems to have mentioned is that this is actually a quote from a case that Google is referencing. The whole paragraph may lead one to a different conclusion.

Papa John's settles texting suit

Last year a class action law suit was filed against Papa John’s for violation of the Telephone Consumer Protection Act (TCPA) for texts received by Papa John’s customers. Customers allege they never opted in to receive promotional text from the company. Papa John’s claim that they didn’t send the marketing, but instead was sent by third party contractors.
A blog post on lawyers.com says that Papa John’s settled the case for $16.5 million.

CAN SPAM ruling against whois privacy protection

A number of bloggers (Venkat B., John L. and Rebecca T.) have mentioned ZooBuh, Inc. v. Better Broadcasting, LLC (No.: 2:11cv00516-DN (D. Utah May 31, 2013)) recently.
In summary of the case is that ZooBuh is an ISP that has sued Better Broadcasting for spamming in violation of CAN SPAM. Their case hinged on the receipt of more than 12,000 emails from Better Broadcasting, LLC. ZooBuh said these emails caused the following harm

Arrest made in Spamhaus dDOS

According to a press release by the Openbaar Ministerie (the Public Prosecution Office), a dutch man with the initials SK has been arrested in Spain (English translation) for the dDOS attacks on Spamhaus. Authorities in Spain have searched the house where SK was staying and seized electronic devices including computers and mobile phones.
Brian Krebs has more, including multiple sources that identify SK as Sven Olaf Kamphuis. Sven Olaf Kamphuis was quoted in many articles about the dDOS, including the NY Times and various reports by Ken Magill.
ETA: Spamhaus thanks the LEOs involved in the arrest.

No room for cowards

Brian Krebs was the keynote speaker at a MAAWG meeting a few years ago. He is a tech journalist that knows and understands the dark underworld of online crime. Yesterday, his website was taken down by a dDOS attack and the Fairfax County SWAT team was called to his house by someone.
Brian does work that is risky. His contributions to what we know about online crime are extremely valuable.
His post talking about what happened yesterday is well worth reading.
ETA: The ArsTechnica article on the event.

More on CASL

Three great articles on CASL.

HT: Neil Schwartzman

Another one bites the dust

NASK (the Polish domain registry) has taken over a number of domain names used in spreading viruses and infections.

Canada publishes updated proposed regulations for CASL

Based on initial feedback collected in 2011, updated regulations for CASL have been published by the Industry Canada. Interested stakeholders have until February 4, 2013 to comment on the proposed regulations.
Edit: to identify correct Canadian Govt Agency (Thanks, Neil!)

Penkava v. Yahoo: dismissed

Carson Penkava, who was suing Yahoo! under California wiretapping laws, filed for dismissal with prejudice at the end of November. No reasons were given.

Motion to dismiss in Penkava v. Yahoo case

Earlier this month Yahoo filed a motion to dismiss in the Penkava v. Yahoo. This is the class action lawsuit where an Alabama resident is attempting to sue Yahoo for violation of the California wiretapping law.
Here’s the short synopsis.
People send mail to Yahoo. Yahoo “creeps and peeps” on that mail so they can profit from it. Plaintiff doesn’t like this, and thinks that he can use the California Invasion of Privacy Act (“CIPA”), (Cal. Penal Code § 630, et seq;) to stop Yahoo from doing this. Additionally, there is a whole class of people who live in every state but California who have also been harmed by Yahoo’s actions. The plaintiff would like the court to make Yahoo stop doing this. (First Amended Complaint)
Yahoo’s motion to dismiss is actually pretty dry and there aren’t really any zinger pull quotes that make sense without reading the whole 35 pages. The short version is that what Yahoo is doing is not a violation of California law, it is simply handling email as it has to be done to get it to recipients. Plus, California law cannot apply to mail sent from a non-CA resident to a non-CA resident because that would violate the dormant commerce clause. The class as defined makes no sense. Finally, the plaintiff continues to send mail to Yahoo addresses knowing the mail is being “scanned” and that is implicit permission for Yahoo to do it.
In the initial complaint there was an allegation that Yahoo’s behaviour was a violation of Federal and/or California Wiretapping laws. These allegations appear to have been dropped in the First Amended Complaint.
Right now there is a hearing scheduled for March 13, 2013. I’ll keep an eye on the filings.

Canadian anti-spam regulations

Canada passed an anti-spam law in 2010. Implementation of this law (CASL) were initially scheduled to go into effect in 2011. That deadline has passed and it’s not looking good for a 2012 date, either.
Canada’s Radio-television and Telecommunications Commission is the agency responsible for enforcement and rulemaking. This week they published 2 bulletins to help guide companies on how to comply with the law.
Guidelines on the use of toggling as a means of obtaining express consent under Canada’s anti-spam legislation
Guidelines on the interpretation of the Electronic Commerce Protection Regulations (CRTC)
The bulletins themselves offer examples of acceptable and unacceptable ways to acquire consent and process unsubscribes. I encourage everyone that sends mail into Canada to go review them. I’ll be writing about the regulations after I’ve taken some time to digest the recommendations.

Harvesting is alive and well

I’m finding out that email address harvesting off websites is alive and well on the Internet. We have a rotating address on the contact page, which does get harvested but usually the spam is attempting to sell me blog related services. I didn’t expect to get a very different collection of emails to the address I posted here. I’m quite surprised that address is getting a completely different type of spam from the contact address.
The one thing that harvesters appear to have in common is sending CAN SPAM violating email. Both the contact address and the questions address get lots of mail that is in violation of US (and California) law. One of these days I might get bored enough to file a suit against one of them and blog about it.

Let them go!

Unsubscribing should be so simple. Even if someone signed up for mail, senders should let them go when they unsubscribe. Unfortunately, there are a lot of senders that make it difficult to unsubscribe. In fact, many companies are still hiding unsubscribe links behind login pages.

Who are Rpost?

Rpost are an email service provider of sorts. You may not have heard of them, as they focus on a fairly niche market – electronic contract and document delivery. Their main services are “Registered Email” – which provides the sender of the message with proof that the recipient has read the message, and proof of the content of the message, and “Electronic Signatures” – which allows users to send documents signed cryptographically, or with a real signature scrawled with a mouse. This is all the sort of thing that would be mildly useful for exchanging contracts via email rather than by fax. Laura and I talked with them some years ago, and decided it was a reasonably useful service, but one that would be difficult to monetize.
They’ve recently started claiming infringement on their patents, so I thought I’d take a look at their actual product to see what it had evolved into.
Their current website has some very visible bugs in it’s HTML, and while it mostly looks pretty, the workflow isn’t terribly compelling. I signed up for a free account and sent myself an email. I saw the word “patented” and lists of trademarks prominently on many of the pages.
There’s no obvious way to see messages I’ve sent through their web interface, nor is there any inbox or way to see delivery status from the web interface. Rather you’re sent email to your real email account about each message. Rpost were originally focusing on MUA plugins, and that seems to still be their main approach, with the web interface more of an afterthought. They list 22 MUA plugins, in their Apps marketplace. They don’t have one for Mail.app (the MUA shipped with OS X) nor for any other Mac mail client. They do list a client for iPhone, but clicking on it shows that it’s not been released yet. Web interface it is, then.
I’d assumed that the proof of reading would be handled in the same way other “secure” messaging services tend to work – the email sent contains a link to a web page, and opening that link (optionally after entering a password) to see the real message is the “proof” that the mail was read. It turns out that’s not the case. The full message is in the email that’s sent. The “proof” that it was read is our old friend the single pixel tracking gif. It’s standard open-tracking, nothing more, with all the accuracy and reliability issues that implies. I also get mail telling me about the delivery (subject, recipient, timestamp, message-id) and a promise that I’ll get a “RegisteredReceipt™” in two hours.
On the technical side of things, RPost are using SPF correctly. They are not using DKIM to authenticate the message, nor any sort of in-band cryptography such as S/MIME or PGP. They’re including Return-Receipt-To, Disposition-Notification-To and X-Confirm-Reading-To headers, in the hope that the recipients MUA will send a notification to one of them. Most MUAs don’t – it’s considered a privacy / security violation, generally. I wonder if the RPost MUA plugins make your MUA respond to one of those?
Using opaque cookies in the Return-Receipt-To: etc. email addresses makes sense, as you can then use receipt of mail to one of those addresses as “proof” that the recipient opened the email. Unfortunately, the email addresses RPost use in those fields are trivially derived from the Message-ID – you take the local part of the Message-ID and add “read@rpost.net” on the end. And RPost include the Message-ID of the message in the notification they send to the sender. So it would be very easy for an unscrupulous sender to send a fake notification that would make it appear the recipient had opened an email when they hadn’t.
There are several email specification violations in the mail sent – the Resent-Message-ID is truncated, and syntactically invalid, the Resent-Date field is syntactically invalid, the email addresses used in the Return-Receipt-To, Disposition-Notification-To and X-Confirm-Reading-To fields are a little broken – in a way that I’m pretty sure leaves them syntactically invalid. The body of the message is HTML, and it violates basic HTML specifications – it has invalid comments, and it nests entire HTML documents inside paragraphs – “… <p><html><head><meta content type></head><body> … stuff …</body></html></p> …”.
One of the important things to do when sending email that you want to be delivered is to try and look like legitimate email, and not like spam. As well as the syntax issues, the mail uses unusual capitalization of several headers (“to:” is valid, but you’ll always see “To:” in legitimate email) and it sends the message as HTML only, not as multipart mime with a plain text alternative. All those things give the mail sent via RPost a spamassassin score of 4.4, with a squeaky clean subject and body. It wouldn’t take much in the message provided by the user to push that the extra 0.6 to reach a SpamAssassin score of 5.0 and end up in the junk folder.

Penkava v. Yahoo: wiretapping

According to stipulations filed yesterday Penkava and Yahoo! have agreed to go to private arbitration. This will happen before September 1, 2013. Also filed yesterday was an agreement that Yahoo! has until September 7, 2012 to respond to the complaint.

What's up with CASL?

Al has a guest post from Kevin Huxham of CakeMail talking about how a majority of people surveyed don’t know anything about the Canadian Anti-Spam Legislation.
I have to admit, I’ve not talked about CASL very much here as I’ve been waiting for the implementation and rulemaking. Unfortunately, the implementation date has been pushed back again and again and it doesn’t look like the law will be in effect until 2013.
CASL takes an incredibly narrow look at permission. It prohibits any commercial mail sent without the recipient’s consent to email addresses, social networking accounts and phones (SMS). Not only that, it also prohibits adddress harvesting and installation of computer programs without consent of the owner of the computer.
This law affects all email sent to a Canadian citizens and does allow for private right of action.
I know that a lot of companies that market in Canada have been working out permission issues before the law takes effect. They are also looking at how to comply with the permission requirements for addresses collected after the law goes into effect.
One of the challenges of this law is going to be identifying what addresses are covered. In some cases senders will have physical addresses, but they’re not going to have physical addresses for all addresses. And that may mean that CASL will actually impact more that just Canadian residents.

Wiretapping and email

An Alabama resident is suing Yahoo for violating the California wiretapping law. Specifically he’s suing under CA Penal Code section 631. The thing is, this section of the law deals with wiretapping over “telephone or telegraph” wires. That doesn’t seem to apply in this case as Yahoo isn’t using either telephone or telegraph wires to transmit their packets.
Holomaxx tried the wiretapping argument when they sued Yahoo and Hotmail. That case cited a cause of action under both federal law and California law. The wiretapping claim was addressed specifically by the lawyers for the defendants.

Gevalia spamming

A number of people have contacted me over the last week pointing out that Paul Wagner was handed a negative jury verdict in his lawsuit against Gevalia and Connexus. (background Wash Post Article Washington Post verdict article, Ken Magill Article).
I spent some time this afternoon downloading different documents from Pacer trying to understand what was going on in the case and what the implications were. This lawsuit was originally filed in 2008 and has had nearly 600 documents filed with the court. Suffice it to say, I didn’t start at the beginning and work forward, I started at the end and worked backwards.
Beyond Systems, Inc. filed suit against Kraft and Connexus for spamming addresses under the California and Maryland anti-spam laws.
This recent “mini-trial” assessed 3 questions:

Proxy registrations and commercial email

Yesterday the law firm Venable, LLP published a document discussing the recent California appellate court decision in Balsam v. Trancos. Their take is that commercial email that contains a generic from line and is sent from a proxied domain is a violation of the California Business and Professions Code § 17529.5(a)(2).

Canadian Anti-Spam Law

A few years ago, Canada passed an anti-spam law (CASL). In the time since then, the Canadian Radio-Television and Telecommunications Commissions (CRTC) have been working to establish the regulations to implement the law. Those regulations appear to have been published recently. Matt Vernhout, a email expert and Canadian citizen, published a link to the regulations and a summary of the rules.
There still doesn’t seem to be a firm date for when CASL will be enforced law. Matt says he’s hearing that the date will be around October. We’ll see if it slips from that.

CA court requires sender identification on emails

Venkat analyzes the appeals court decision in Balsam v. Trancos, Inc.. In this case the appeals court decided that emails have to identify some actual person or entity they are sent by or from. Emails that do not identify the sender are in violation of the California anti-spam statute.
Venkat talks about all the reasons he thinks this is a problematic ruling, and the CA courts and anti-spam activists certainly have their share of bad rulings. I’m less convinced. The crux of the case seems to be that the advertiser used a number of random domains to hide the responsible party for an email. Rotating domains is a very, very common spammer tactic that is specifically a way to avoid domain based filters.
I understand Venkat’s concern but as someone who gets a lot of these spams I think the court is certainly ruling within the spirit of the CA statute. These mailers are using random domains to avoid filters and mislead recipients as to the source of the mail. Even if the domains are legitimately owned by the advertiser, they are usually hidden behind privacy protection and give the recipient no real information about who is sending the mail.
Another interesting point is the court speaking out against privacy registration. Personally, I don’t think any business should ever hide their domain registration behind privacy protection. If you’re a business, then you should stand up and give real contact information. I know it can be scary, particularly for people working out of their home, but if you’re a real business, you need to have an address registered with your state. Furthermore, if you’re a business sending email, all that email must contain a physical postal address. Your address already needs to be public, and including that in whois records isn’t actually going to change anything.

The internet protests SOPA / PIPA

For those who don’t know, a number of major websites will be going offline tomorrow to protest SOPA and PIPA, including wordpress, reddit, Wikipedia and the cheezeburger sites. Tomorrow may be the most productive day ever on the modern internet. Google will also be linking to information about SOPA tomorrow.
I had some people ask me about the bills today and have been looking for explanations of the issues and why these laws are so problematic.

SOPA and PIPA update

There is quite a bit of vocal opposition to the SOPA (Stop Online Piracy Act) making its way through the House of Representatives and PIPA (Protect Intellectual Property Act) making its way through the Senate. The opposition seems to have had an effect. I blogged about the bills late last year.
CNet reported today that the DNS provision was pulled from SOPA. This resolves one, but certainly not the only problem with SOPA. Also today, OpenCongress.org posted a letter from 6 co-sponsors of the Senate bill to Majority Leader Reid asking him to cancel the vote on PIPA.
Congratulations to everyone who worked so hard to make their voice heard by their elected representatives.

The Constitutionality of SOPA

Lawrence Tribe, a professor of constitutional law at Harvard, says SOPA violates the first amendment.

Court rules blogger is not a journalist

Last week a federal judge ruled a blogger, Crystal Cox, was not a journalist and not subject to first amendment protections. I haven’t been following the case very closely, but was a little concerned about the precedent and the liability for people like me who blog.
Reading some of the articles on the case, though, I’m less worried. This isn’t a blogger making some statements. Instead, Ms. Cox acted more like a stalker and harasser than a reporter. The judge even concluded that had she been granted protection as a journalist it was unlikely she could prevail as there was little factual basis for her statements.
Others have done better summaries of the case and the effect and I encourage everyone to read them.
Seattle Weekly
New York Times
Ars Technica
Forbes

I also discourage folks from applying this ruling to all bloggers. It’s not clear she was doing anything journalistic. I did find it interesting that some of her techniques to ruin the lawyer’s search results were defined as Search Engine Optimization. I’ve long thought SEO was akin to spam: say something often enough in enough places and you start to dominate the conversation. Not because you have anything useful to say, but because no one can get an idea in otherwise.

SOPA / PIPA

I’ve not mentioned anything about the Stop Online Piracy Act (SOPA) and it’s companion bill the Protect Intellectual Property Act (PIPA) that are currently making their ways through Congress. Both bills put a lot of obligation on the ISPs to stop bad traffic on the Internet. Unfortunately, it seems no one writing the bill asked anyone with technical or operational experience for input. Many of the obligations are going to significantly impact ISP functioning and will probably degrade service for users.
The Messaging Anti-Abuse Working Group sent a letter to congress yesterday (PDF link), outlining the issues with SOPA and PIPA. I found it explained the bills and the flaws much better than many other summaries.

Yahoo awarded $610 million

The Federal district court in New York awarded Yahoo $610 million dollars in a suit they filed in 2008.

Gordon v. Virtumundo, the sequel

I was slightly surprised that Gordon was still pressing on with his case against Virtumundo.
It seems that Mr. Gordon appealed, again, to the 9th circuit.

Spam is not illegal

I was recently taken to task for claiming that unsolicited bulk email was spam.

New EU directives

The EU has published consumer protection directives. Members states have 2 years to implement and enforce these directives.
The interesting bit is this:

Everyone's a lawyer

There used to be one thing you would inevitably see when having a heated discussion on the internet. At some point, someone would compare one of the participants with Hitler or the Nazi’s. That’s been a known “fact” on the internets since long before I joined.
That rule was, of course, started in the days of Usenet, where it was difficult (if not impossible) to actually ban a troublemaker. These days we’re in the era of web forums and blog comment sections. It’s much easier to ban a commenter for being disruptive.
What is amusing to me, is how often I will see someone declare that the blog (or forum) owner is somehow legally liable for everything every commenter says because they have now taken the step of moderating comments.
Reality is slightly more complex. There is case law that holds moderators liable, and there is case law that doesn’t. This reality doesn’t stop internet lawyers from declaring, however, that the website owners are going to end up liable for all comments just because they moderated some or all of the comments.

Spammer prosecuted in New Zealand

Today (well, actually tomorrow, but only because New Zealand is on the other side of the date line) the NZ Department of Internal Affairs added a 3rd statement of claim against Brendan Battles and IMG Marketing. This third claim brings the total possible fines to $2.1 million.
Brendan is a long term spammer, who used to be in the US and moved to New Zealand in 2006. His presence in Auckland was noticed by Computerworld when a number of editors and staffers were spammed. When contacted by the paper, Brendan denied being involved in the spam and denied being the same Brendan Battles.
New Zealand anti-spam law went into effect in September 2007. The Unsolicited Electronic Messages Act 2007 prohibits any unsolicited commercial email messages with a New Zealand connection, defined as messages sent to, from or within New Zealand. It also prohibits address harvesting.
The Internal Affairs department also appears to be investigating companies that purchased services from Brendan Battles.

Appeals court rules in e360 v. Spamhaus

On August 30, 2007 I wrote my very first blog post: 7th Circuit court ruling in e360 v. Spamhaus. Today, 4 years later (almost to the day) that case may finally be over.

Robust protection under the CDA

Venkat also commented on the Holomaxx v. MS/Y! ruling.

As with blocking or filtering decisions targeted at malware or spyware, complaining that the ISP was improperly filtering bulk email (spam) is likely to fall on unsympathetic ears. It would take a lot for a court to allow a bulk emailer to conduct discovery on the filtering processes and metrics employed by an ISP. (Hence the rulings on a 12b motion, rather than on summary judgment.) Here the court reiterates the “good faith” standard for 230(c)(2) is measured subjectively, not objectively. That puts a heavy burden on plaintiffs to show subjective bad faith.
Read More

Amendment was futile

Judge Fogel published his ruling in the two Holomaxx cases today.

CAN SPAM and the first amendement

From Venkat at Eric Goldman’s blog we find the federal court has rejected an attempt to claim spam was “protected anonymous speech.”

Patenting whitelisting, then suing people who use it

Thanks to Ken for pointing this one out.
A number of companies, including Surewest, AT&T, Cisco and Comcast are being sued by a company called BuyerLeverage for violating a pair of patents because they’re using Return Path as part of their mail filtering decisions.
I pulled the docs (1-11-cv-00645-LPS).
The patents all seem to center around a system where there is another layer between sender and recipient. The sender and recipient negotiate a deposit before email is delivered.
The oldest patent was filed in October 2001 (Patent 7,072,943).

Holomaxx v. Yahoo and MS: The hearing

I visited Judge Fogel’s courtroom this morning to listen to the oral motions in the Holomaxx cases. This is a general impression, based on my notes. Nothing here is to be taken as direct quotes from any participant. Any errors are solely my own. With that disclaimer in mind, let’s go.
The judge is treating these two cases as basically a single case. When it came time for arguments, the cases were called together and both Yahoo and Microsoft’s lawyers were at the defendant’s table.
Oral arguments centered on the question of CDA immunity and to a lesser extent if there is an objective industry standard for blocking and dealing with blocks. Nothing at all was mentioned about the wiretapping arguments.
The judge opened the hearing with a quick summary of the case so far and what he wanted to hear from the lawyers.
Judge Fogel pointed out that current case law suggests that the CDA provides a robust immunity to ISPs to block mail. The plaintiff can’t just say that the blocks were done in bad faith, there has to be actual evidence to show bad faith. The law does permit subjective decisions by the ISPs. Also, that it is currently hard to see any proof of bad faith by the defendants.
The judge asked the plaintiff’s attorney for his “absolute best argument” as to the bad faith exhibited by the defendants.
The plaintiff responded that they are a competitor who is being stonewalled by the defendants. That their email is not spam (as it is CAN SPAM compliant) and it is wanted email. The defendants are not following the “objective industry standard” as defined by MAAWG.
The judge responded clarifying that the plaintiff really claimed he didn’t need to present any evidence. “Yes.” Judge Fogel mentioned the Towmbly standard which says that a plaintiff must have enough facts to make their allegations plausible, not just possible.
Yahoo!’s lawyer pointed out that both case law and the statutes require a robust showing to invalidate claims under the CDA. And that the purpose of the CDA is to protect ISPs from second guessing. She started to bring up the absolute numbers of emails, but was interrupted and told the numbers weren’t relevant. My notes don’t say if that was the judge or Holomaxx’s lawyer that interrupted, and the numbers discussion did come up again.
Yahoo continued that the CAN SPAM compliance is not a litmus test for what is spam. The decision for what is and is not spam is left to the subjective judgement of the ISP. She also pointed out that the numbers are important. She defined the amount of spam as a tax on the network and a tax on users.
She also addressed the anti-competitive claim. Even if Holomaxx is right, and neither defendant was conceding the point, and it is doubtful that the anti-competitive point can be proven, competition alone cannot establish bad faith. What evidence is there that either defendant exhibited bad faith? In Yahoo’s case there is zero advertiser overlap and in the Microsoft case Holomaxx showed one shared customer.
She then pointed out that the MAAWG document was a stitched collection of experiences from desks. That the document itself says it is not a set of best practices. She also pointed out that there was nothing in the document about how to make spam blocking decisions. That it was solely a recommendation on how to handle people who complain.
According to Yahoo!’s lawyer the plaintiffs brought this suit because they disagreed with the ISPs’ standards for blocking and they were upset about how they were treated. That the worst Holomaxx can say is the MS and Y! had bad customer service.
At this point there was some discussion between the judge and lawyers about how they were currently in a “grey area” between Rule 9(b) and Rule 12(b)6. I am not totally sure what this was about (one of my lawyer readers can help me out?) but there was also mention of using these rules in the context of the ISPs’ robust immunity under the CDA.
Finally, the judge asked Microsoft’s lawyer if he had anything more to add. He reiterated that the MAAWG document was not a standard, it was a collection of options. He also brought up the volume issue again, asserting that even if it is a true standard that the volume of unwanted mail sent by Holomaxx does not mean ISPs need to follow it.
Judge Fogle asked him if he meant there was no legal obligation for the ISPs to be warm and fuzzy.
The judge and defendant lawyers talked around a few general ideas about the MAAWG document. First that there was no obligation to tell senders enough information so that senders could reverse engineer spam filters. Microsoft also brought up the volume issue again, saying that the volume of unwanted 3rd party mail that the plaintiff was sending was, in itself, proof that the mail was bad.
Holomaxx interrupted claiming that the volume is a red herring. Judge Fogel countered with “but the gross number of unwanted emails is a huge number of emails.” Holomaxx’s lawyer argued that both Yahoo and Microsoft had large, robust networks, and the volume is irrelevant. I thought this was funny, given how often both of them have outages due to volume. However, the Holomaxx lawyer did have a point. Facebook sends billions of emails a day and both Yahoo and Hotmail can cope with that volume of mail and that volume dwarfs what Holomaxx sends.
The judge asked if he should look at the percentage of complaints about the mail rather than the gross number. Holomaxx replied that both were just a drop in the bucket and neither number was relevant.
Holomaxx then claimed again that MAAWG was a standard. The judge pointed out it was a standard for customer service, not a standard for blocking. Holomaxx disagreed and said that the MAAWG document was a standard for both how to block and how to deal with blocks afterwards.
The judge asked Holomaxx if there was any actual evidence of their claims. He talked about a case he heard a few years ago. Some company was suing Google because their search results were not on the front page of Google results. That company didn’t prevail because they never offered any actual evidence that Google was deliberately singling them out. He asked Holomaxx how they were being singled out.
Holomaxx replied there was no industry standard to measure against.
The judge wrapped up the hearing by pointing out that he was being asked to show where the exceptions to the CDA were and that he had to consider the implications of his ruling. He agreed that bad faith was clearly an exception to CDA protection, but what was the burden of proof required to identify actual bad faith. He seemed to think this was the most important point and one that would take some deliberation.
Overall, the hearing took about 15 minutes, which seemed in line with the case immediately before this one.
My impression was that the judge was looking for Holomaxx to argue something, anything with facts rather than assertion. But, I am scientist enough to see that may be my own biases at work. But the judge gave Holomaxx the opportunity to show their absolute best evidence, and Holomaxx provided exactly zero, instead falling back to it’s true because we said it’s true.
The judge will issue a written ruling, I’ll keep an eye out for it and post it when it’s out.

Still futile

As I mentioned last Thursday, both Yahoo and Microsoft filed oppositions to Holomaxx’s opposition to dismissal. Let me ‘splain… no, there is too much, let me sum up.
Holomaxx sued both Microsoft and Yahoo to force MS and Yahoo to stop blocking mail from Holomaxx.
The judge dismissed the initial complaint with leave to amend.
Holomaxx filed a first amended complaint.
Microsoft and Yahoo both argued that the first amendment complaint should be dismissed because it wasn’t fixed.
Holomaxx filed a motion in opposition to the motion to dismiss. Their arguments were reasonably simple.

Gathering data from PACER

I had someone ask on Facebook about getting some documents off of Pacer. I thought the information may be of use to other people out there.
PACER (public access to court electronic records) provides access to public documents filed in the Federal court system. Each court has their own website, but there is one login and the search and document display are the same. Documents cost 8 cents a page, capped at $2.40 for a single document.
Access to PACER isn’t always immediate. When I signed up there was a 7 – 10 day delay as usernames and passwords were sent by mail. There does seem to be a way now to get a password faster, for those of you who want data NOW!
Once you’ve got a username and password now you’re in business and can start digging up all these documents.
The first step is determining which court website to check. Generally, I’m looking for details because I saw a news report that does mention what court the case was filed in. So I just plug the court name (Northern District of California) in a search window and go from there. PACER also provides the facility to look up where a case is on their website. This wasn’t an option when I signed up for PACER so I’ve never used it, but it is there.
The court websites are often not very flashy (Web 0.5!) but there will be a link to retrieve documents or view documents through PACER. This is the link that will take you to the login page. Put in your username and password and click go. If you’re not filing, you don’t need to bother with the checkbox for the Notice of Redaction Responsibility to get in, nor do you need to add a client code.
Once you’re logged in you’ll notice a blue bar across the top of the page. This is your (web 0.5!) navigation bar. Click on Query to bring up the case search window. If you have the actual case number, you can put that in the top box and hit search. Otherwise, you can enter in a party name. For my recent research, I just enter “holomaxx” in the box marked Last/Business Name and click Search. Being web 0.5! you have to actually click the button, pressing enter doesn’t work.
That will take you to the Select a Case window. In this case, Holomaxx is a safe search because it brings up exactly the two cases I’m interested in: Holomaxx v. Yahoo and Holomaxx v. Microsoft. Clicking on the case number brings up a window with some basic information (the judge, last filing date) and a number of links.
The link that will show you documents is, unsurprisingly, History/Documents. Click there, and click again on All events to bring up a list of documents filed with the court.
The first column is a clickable link that lets you look at the document. The second column is that date it was filed. The third column is the title of the document. Generally when I’m looking at a new case I grab something that looks like “complaint” or “motion” to orient myself.
When I’m looking at PACER I tend to download everything I look at on a case, just so I only have to pay for it once. I also make extensive use of tabs and new windows, so I don’t have to reload the case page.
Download names vary by the actual court. For instance, the Northern California court gives me all the documents with the same name: show-temp.pl. But other courts give names like 384972395.pdf. In either case, you’re going to want to rename the documents to something useful before you have a disk full of show-temp-*.pl files. In some cases, there are documents and exhibits in a single filing. You will be asked if you want to download everything as a .zip file. I suggest you do this.
For a while I was trying to name things intuitively but then gave up because it gets too confusing. My current organizational technique is to set up a directory with the case name HolomaxxvYahoo_4926 and HolomaxxvMS_4924. The numbers are the last 4 digits of the case number and are there to make it easier to file and sort documents.
If you download a zip file, it opens up a directory containing all the files. The courts name these pretty simply: documentnumber-main.pdf, documentnumber-1.pdf, documentnumber2.pdf. The document numbers correspond to the order the documents were filed with the court. Once the file is unzipped, I copy the files into the directory I’ve set up for that case.
Now that you have the documents somewhat organized, you can shut PACER down and go read at your leisure. If you spend more than $10.00 on documents in a quarter, then you will get a bill from the Federal court system. If you haven’t spent that much, the court doesn’t bother billing you that quarter.
Some state courts have similar systems, but not all of them do and you can’t use a PACER login to access them.
In the course of writing this, I discovered new documents filed in the Holomaxx case filed by the defenands. Tune in tomorrow. Same bat-time. Same bat-blog.

Holomaxx doubles down

Holomaxx has, as expected, filed a motion in opposition to the motion to dismiss filed by both Yahoo (opposition to Yahoo motion and Hotmail (opposition to Microsoft motion). To my mind they still don’t have much of an argument, but seem to believe that they can continue with this.
They are continuing to claim that Microsoft is scanning email before the email gets to Microsoft (or Yahoo) owned hardware.

e360 and the appeals court

Oral arguments in Spamhaus’ appeal were held last week. Mickey blogged about it on Thursday. I heard from him and a bunch of the Spamhaus folks about it at MAAWG, but was busy enough that I didn’t get a chance to listen to it. Mickey is not exaggerating on how badly the judges, particularly Judge Posner, beat up on e360’s lawyer. More quotes are available at Appeals judges berate spammer for “ridiculous,” “incompetent” litigation.

Spam lawsuit guide

Mailchimp has released a guide to spam lawsuits with advice on how to not be a target.
I had the pleasure of meeting some of the Mailchimp legal staff last year when I was down there to do on-site training for their abuse desk employees. I was quite impressed with them and their understanding of privacy and email issues.

Further amendment would be futile

Both Microsoft and Yahoo filed their motions to dismiss the Holomaxx first amended complaint (FAC). Each company filed the same set of documents.

Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance chasing lawyer that’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email address and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.

Auto-acks don't create a contract

From Eric Goldman’s blog Acknowledging Receipt of an Email Doesn’t Form a Contract–Stebbins v. Wal-Mart. I know a number of people who have tried the “if you do X, we will have a contract” trick and it’s nice to see the courts pointing out how silly this is.

Holomaxx status

Just for completeness sake, Holomaxx did also file an amended complaint against Microsoft. Same sloppy legal work, they left in all the stuff about Return Path even though Return Path has been dropped from the suit. They point to a MAAWG document as a objective industry standard when the MAAWG document was merely a record of a round table discussion, not actually a standards document. I didn’t read it as closely as I did the Yahoo complaint, as it’s just cut and paste with some (badly done) word replacement.
So what’s the status of both cases?
The Yahoo case is going to arbitration sometime in July. Yahoo also has until May 20 to respond to the 1st amended complaint.
The Microsoft case is not going to arbitration, but they also have a response deadline of May 20.
I’m not a legal expert, but I don’t think that what Holomaxx has written fixes the deficits that the judge pointed out in his dismissal. We’ll see what the Y! and MSFT responses say a month from today.

Amendment is futile, part 2

When Yahoo filed for dismissal of the Holomaxx complaint, they ended the motion with “Amendment would be futile in this case.” The judge granted Yahoo’s motion but did grant Holomaxx leave to amend. Holomaxx filed an amended complaint earlier this month.
The judge referenced a couple specific deficiencies of Holomaxx’s claims in his dismissal.

Holomaxx v. MSFT and Yahoo

I mentioned way back in January that Yahoo had filed a motion to dismiss the case against Holomaxx. Microsoft filed a motion to dismiss around that time, although I didn’t mention it here.
And, of course, Holomaxx filed a motion in opposition in both the Microsoft case and the Yahoo case. Nothing terribly interesting here, about what you’d expect to read.
On March 11 the judge ruled on both motions to dismiss and in both cases ruled that the case was dismissed. He did, however, give leave for the complaints to be amended in the future.
As I expected the Judge agreed that MSFT and Yahoo have protection under the CDA. First, the court made it clear that providers are allowed wide leeway in determining what is objectionable to their customers.

Spammers and the law

Robert Soloway, one of the people crowned with the title “Spam King”, has been released from jail. He was an extremely prolific spammer, generating over 10 trillion messages over the course of his career.
As Mr. Soloway exits jail, another spammer heads to serve his 20 year sentence. Peter Maxson Anyanyueze sent Nigerian 419 spams telling people they could profit from helping him move money around. The scam is that the victim needs to pay small amounts of money, sometimes totalling tens or hundreds of thousands of dollars.

Legal analysis of Hypertouch v. Valueclick

Venkat has an analysis of the Hypertouch v. Valueclick case and recent appeals court ruling.

CAN SPAM preemption of CA law

The California court of appeals returned a ruling yesterday in the Hypertouch v. ValueClick case. This is a case I haven’t talked about at all previously, but I think this ruling deserves a mention.
The short version is that Hypertouch sued Valueclick in 2008 under both CAN SPAM and the California anti-spam law. Eventually the judge in the case ruled that there was no clear evidence of fraud, therefore CAN SPAM preempted the California law.
Hypertouch appealed the case.
Yesterday the appeals court published their opinion and kicked the case back down to the lower court.

Amendment is futile.

Late last month, Yahoo filed a motion to dismiss in the Holomaxx v. Yahoo case. There’s nothing that unexpected in the filing. The lawyers set the tone of the entire document with their very first paragraph.

Email and law in the news

A couple things related to the intersection of email and law happened recently.
The 6th circuit court ruled that the government must have a search warrant before accessing email. The published opinion is interesting reading, not just because of the courts ruling on the law but also because of the defendant. Berkeley Premium Nutraceuticals toyed with spamming to advertise their product as a brief search of public reporting sites shows. The extent and effort they went to in order to stay below the thresholds for losing their merchant accounts is reminiscent of the effort some mailers go through to get mail through ISP filters.
The other bit of interesting reading is the Microsoft motion to dismiss the case brought against them by Holomaxx. It is a relatively short brief (33 pages) and 3 of those pages are simply a listing of the relevant cases demonstrating ISPs are allowed to filter mail as they see fit. 2 more pages are dedicated to listing the relevant Federal and State statutes. I strongly encourage anyone considering suing any large ISP to to read this pleading. These lawyers understand email law inside and out and they are not going to mess around. They also have both statute and case law on their side. They point this out before the end of page 1:

Canada passes anti-spam bill

Call it C-28, call it FISA, call it COPL, just don’t call it a pipe dream any longer.
Today the Canadian anti spam law received royal assent and is now law. ReturnPath is saying it will take effect September 2011, but that’s the only date I’ve seen published. The full text of the bill as passed by the House of Commons can be found at http://www2.parl.gc.ca/content/hoc/Bills/403/Government/C-28/C-28_3/C-28_3.PDF
It’s fairly dense and I’m still reading through the final version. Of critical importance for anyone marketing in Canada is that it sets requirements that commercial email be sent with the permission of the recipient. This is different from CAN SPAM here in the US which doesn’t require consent of the recipient, but allows anyone to send unsolicited email as long as it meets the standards set by the law.
CBC Story

Return Path blog post
CAUCE posts
Thin Data implementation guide

The myth of the low complaint rate

I have been reading the complaints filed by Holomaxx and will have some analysis and information about them probably Monday or Tuesday next week. I’ve been keeping an eye on the press and something that Ken Magill said caught my eye.

One beeelion dollars

Facebook won another round in their court case against a Canadian spammer last week. Their $873,000,000 judgment was upheld by the Quebec Superior court. At today’s exchange rates, the judgment translates to over CDN$1,000,000,000.
In fine spammer style the defendant, Adam Guerbuez, is flouting the judgment and claiming he won’t pay a dime. In fact, he’s already filed bankruptcy and is reported to have transferred a number of assets to family members. From what I’m hearing from some of my Canadian colleagues the courts up there take a very dim view of his behaviour. Like many things that go through the court system, though, it is unlikely that the process will be rapid.
This is one of the largest, if not the largest, fines levied for violations of the CAN SPAM act. I don’t think Facebook will see much, if anything, of the money. But, hey, maybe the Canadian courts will throw this spammer in jail for flouting their ruling.

Suing spammers

I’m off to MAAWG next week and seem to have had barely enough time to breathe lately, much less blog. I have a half written post, but it’s taking a little more research to put together. That can wait until I get the chance to do the research.
Instead I thought I’d talk about the North Coast Journal article “The Rise and Fall of a Spam Crusader.” It’s quite an interesting article and looks into the personal and business sacrifices that people make in order to chase down spammers.
In my experience a lot of the serial litigators have very poor practices around data collection and analysis. They don’t collect evidence, they just collect email and then make assertions and assumptions. This not every effective when having to convince a judge that you are right.
The article actually does nothing to change this impression. The cases ASIS won are the cases where the defendants didn’t respond. That also means that ASIS couldn’t collect.
I do disagree with Mr. Singleton, the lawyer, where he says CAN SPAM is dead. In many cases I’ve seen there aren’t clear CAN SPAM violations. So if he’s trying to sue these spammers under CAN SPAM his cause of action is wrong. Secondly, the article goes on to talk about the broader implications.

Does your signup pass muster?

On Eric Goldman’s blog, Venkat discusses a recent fifth circuit decision about an online signup process and what the court will look at when considering a claim that a user didn’t read an online disclaimer.

We're gonna party like it's 1996!

Over on deliverability.com Dela Quist has a long blog post up talking about how changes to Hotmail and Gmail’s priority inbox are a class action suit waiting to happen.
All I can say is that it’s all been tried before. Cyberpromotions v. AOL started the ball rolling when they tried to use the First Amendment to force AOL to accept their unsolicited email. The courts said No.
Time goes on and things change. No one argues Sanford wasn’t spamming, he even admitted as much in his court documents. He was attempting to force AOL to accept his unsolicited commercial email for their users. Dela’s arguments center around solicited mail, though.
Do I really think that minor difference in terminology going to change things?
No.
First off “solicited” has a very squishy meaning when looking at any company, particularly large national brands. “We bought a list” and “This person made a purchase from us” are more common than any email marketer wants to admit to. Buying, selling and assuming permission are par for the course in the “legitimate” email marketing world. Just because the marketer tells me that I solicited their email does not actually mean I solicited their email.
Secondly, email marketers don’t get to dictate what recipients do and do not want. Do ISPs occasionally make boneheaded filtering decisions? I’d be a fool to say no. But more often than not when an ISP blocks your mail or filters it into the bulk folder they are doing it because the recipients don’t want that mail and don’t care that it’s in the bulk folder. Sorry, much of the incredibly important marketing mail isn’t actually that important to the recipient.
Dela mentions things like bank statements and bills. Does he really think that recipients are too stupid to add the from address to their address books? Or create specific filters so they can get the mail they want? People do this regularly and if they really want mail they have the tools, provided by the ISP, to make the mail they want get to where they want it.
Finally, there is this little law that protects ISPs. 47 USC 230 states:

Spamhaus motion to reconsider

A few weeks ago, Spamhaus filed a motion to have the judge reconsider his recent $27,002 award to e360. Their brief hangs on three arguments.

Spam lawsuits: new and old

There’s been a bit of court activity related to spam that others have written about and I feel need a mention. I’ve not yet read the papers fully, but hope to get a chance to fully digest them over the weekend.
First is e360 v. Spamhaus. This is the case that actually prompted me to start this blog and my first blog post analyzed the 7th circuit court ruling sending the case back the lower court to determine actual damages. The lower court ruled this week, lowering the judgment to $27,002 against Spamhaus. The judge ruled that there was actual tortuous interference on the part of Spamhaus. In my naive reading of the law, this strikes me as not only an incorrect ruling, but one that ignores previous court decisions affirming that blocklists are protected under Section 230. Venkat seems to agree with me.

CAN SPAM Plaintiff ordered to pay 800K in lawyer fees

Asis Internet service has been ordered to pay over $800,000 in lawyer fees to Optin Global. Venkat has details. This is the same company that was recently awarded $2.5M judgment in a different case.

About that spam suit

John Levine has a longer blog post about the Smith vs. Comcast suit. Be sure to read the comment from Terry Zink about the MS related claims.

ISPs may face blocking challenges

Eric Goldman wrote an article about a Comcast subscriber suing a number of companies (including Comcast and Microsoft and TRUSTe) for blocking mail. As part of the judge’s decision he rules that the ISPs that blocked the plaintiff’s email are not protected under 47 USC 230(c)(2).

AARP, SureClick, Offerweb and Spam

On Tuesday Laura wrote about receiving spam sent on behalf of the AARP. The point she was discussing was mostly just how incompetent the spammer was, and how badly they’d mangled the spam such that it was hardly legible.
One of AARPs interactive advertising managers posted in response denying that it was anything to do with the AARP.

Tagged.com and the courts

I’ve seen multiple reports of Tagged.com and their interactions on various sides of the courtroom aisle.
On the good side, Tagged.com won a judgment against a spammer sending spam to Tagged.com users. (Tagged has a post on their blog about the win, but the direct link to that article doesn’t work).
On the minus side, yet another ruling against tagged.com. They’ve been accused of sending spam, including some mail that looks like a phish. They recently settled in a CA court, agreeing to dispose of certain addresses collected during a 3 month period in 2009.

Mickey's take on e360 settlement

Mickey has the full docs of the settlement, and talks about the implications of the confession of judgment.

Comcast and e360 settle lawsuit

e360 initially filed suit against Comcast early in 2008. They asserted a number of things, including that Comcast was fraudulently returning “user unknown” notices and that they were certified by ReturnPath. Comcast filed a countersuit alleging violations of CAN SPAM, violations of the computer fraud and abuse act, as well as a number of other things including abuse of process. In April of 2008 the judge ruled in favor of Comcast and dismissed e360’s case, while allowing the countersuit to proceed.
Over the last 18 months, the suit has moved through the courts. There have been significant delays in the case, and e360 seems to have been dragging their feet based on some of the motions filed by Comcast asking the judge to compel e360 to follow through on discovery.
Today, only weeks before the trial date, a settlement agreement was filed. The settlement agreement prohibits the defendants and any group associated with them from transmitting email to any domain owned by Comcast without affirmative consent (as defined by CAN SPAM). All mail sent by the defendants must comply with the Comcast Terms of Use or AUP. The defendants must not attempt to circumvent Comcast’s spam filters, must comply with CAN SPAM and must not help anyone else violate any of the provisions of the agreement.
The agreement also prohibits mail from defendants that:

Click-wrap licenses again

Earlier this week ARS Technica reported on a ruling from the Missouri Court of Appeals stating that terms and conditions are enforceable even if the users are not forced to visit the T&C pages. Judge Rahmeyer, one of the panel members, did point out that the term in question, under what state laws the agreement would be enforced, was not an unreasonable request. She “do[es] not want [their] opinion to indicate that consumers assent to any buried term that a website may provide simply by using the website or clicking ‘I agree.'”
What does this have to do with email? Well, it means that reasonable terms in the agreements may still be binding even if the user does not read the full terms of the opt in before submitting an email address. In practical terms, though, there’s very little that has changed. Hiding grants of permission deep in a terms document has long been a sneaky trick practiced by spammers and list sellers. Legitimate companies already make terms clear so that users know what type of and how much mail to expect by signing up to a list. They also know that the legal technicalities of permission are not as important as meeting the recipients expectations.

FBI indicts 19 for internet related fraud

A federal grand jury in Dallas returned an indictment this week charging 19 individuals with conspiracy to commit wire and mail fraud. 15 of the defendants are charged with email fraud. All in all, these defendants are accused of defrauding various companies, from telcos to web developers, of $15,000,000.

Canadian Law

A anti-spam bill was passed out of committee Monday in Canada. Other than chatting over drinks with a large contingent of Canadians, I haven’t followed the story too closely. However, Matt V. has a detailed summary of the bill at EmailKarma.
Have a great weekend.

Goodmail sued for patent infringement

Late last week RPost sued Goodmail for infringing two patents. One patent authenticates content and delivery of documents. The second verifies the message was received by the recipient.
Patent #6,182,219: Apparatus and method for authenticating the dispatch and contents of documents.

White House sending spam?

There has been some press about political spam recently. People are receiving email from the White House that they have not opted into. At a recent press conference a reporter challenged the press secretary to defend the practice.
Chris Wheeler over at Bronto blog points out that CAN SPAM doesn’t apply as this is political mail, and CAN SPAM only covers commercial email. He also notes that most of the mail came from “forward to a friend” links which the sender has little to no control over.
Gawker has a post up “Everything you need to know about Obama’s Spam-Gate.”
There are a lot of issues here. Chris asks a number of questions on his blog, that I encourage people to think about.

Maine prohibits marketing to minors

Last week, the state of Maine passed a law prohibiting marketing using personal information to minors without verifiable consent from a parent or guardian. From what I understand, this law started out as a prohibition on using health information for marketing and expanded to any personal information.
The law defines personal information as:

More Gordon v. Virtumundo news

Eric Goldman reviews the appeals court decision in Gordon vs. Virtumundo.

9th circuit ruling in Gordon v. Virtumundo

The 9th circuit court of appeals issued their ruling in Gordon v. Virtumundo today. The ruling was heavily in favor of Virtumundo. I have not had time to read the ruling, but both Venkat and Mickey have posts on the case and the ruling.
This is another solid blow against anti-spammers suing spammers under state laws and CAN SPAM. The problem is that many of the cases are brought by people, and lawyers, who fail to understand that just because they don’t like something doesn’t make it illegal. Spammers do a lot of bad things, but the ones you can track enough to sue are generally not breaking the law. Sadly, cases like Gordon and Mummagraphics makes it harder for ISPs to sue spammers that are actively harming the ISP and the customers.

Spam judgment not covered by insurance

Earlier this month a judge ruled that two insurance policies held by Scott Richter’s Media Breakaway were not liable to pay $6M in damages awarded in a previous case.
Myspace initially sued Media Breakaway in 2007 for allegedly using phished Myspace accounts to send emails advertising Media Breakaway websites. In summer 2008 and arbiter ruled in favor of Myspace and against Media Breakaway. After the ruling, Media Breakaway attempted to have insurance cover the fine. The insurance company denied the claims so Media Breakaway took them to court. Media Breakaway lost.
Scott has been around in the email marketing arena for a very long time. He’s had multiple run ins with the law, including a 2003 felony theft charge for stealing a number of things, including a Bobcat loader and a 2004 suit brought against him by the NY Attorney General’s office and Microsoft for spamming and deceptive advertising. That court case bankrupted his previous company, OptInRealBig. Scott has also appeared on the Daily Show, in a side-splittingly funny story about spam and email marketing…. er… high volume email deploying.

Aiding and abetting violations of CAN SPAM

The US DOJ announced today the guilty plea of David Patton. Patton was charged with “aiding and abetting violations of the CAN SPAM act. Software written by Patton’s company provided the ability to modify email headers and use open proxies to disguise the source of the email.
The Ralsky convictions are, to the best of my knowledge, the first criminal prosecution for CAN SPAM violations and so far 9 of the 12 defendents charged have pled guilty.

Guilty of violating CAN SPAM

Al Ralsky has long been known as “the king of spam.” He has a long history of spamming, suing ISPs who block his mail and refusing to provide him with connectivity. He was profiled in the Detroit Free Press based on his spamming activity more than 5 years ago. He also has a history of convictions for fraud and other related crimes.
Yesterday, he and some of his family and business partners pled guilty to another raft of charges including fraud, money laundering and CAN SPAM violations. This may be the first time someone has pled guilty to violating CAN SPAM. Press reports indicate there is jail time in his future.
Detroit Free Press article
Washinton Post article
DirectMag article
This is the type of mailer that all mailers compete with. Everyone had to deal with spam from Al Ralsky: recipients, senders and ISPs. Thanks to the justice department, FBI and everyone involved for their hard work.

CAN SPAM Checklist

Mickey has done a comprehensive checklist looking at all the things you should do to comply with CAN SPAM.

CAN SPAM pre-emption in the courts

Ethan Ackerman has a summary of recent cases where judges are splitting over rulings on CAN SPAM pre-emption.

Update on Canadian Law

Neil Schwartzman has an update on the status of the Canadian anti-spam law currently working its way through the legislature.

Privacy policies in court

Venkat has an analysis of a case where an individual provided a unique address to a vendor and that vendor released the address in violation of the posted privacy policy. The federal court rejected the suit due to the failure of the plaintiff to provide evidence of harm.
I posted last week about privacy policies and how often they are intentionally or unintentionally violated and when email addresses leak. Courts have consistently ruled against plaintiffs. It seems that the courts believe merely revealing information, even in contradiction to a posted privacy policy, is not actionable by the plaintiff.
As a consumer, I really don’t like the ruling. If a company is going to post a privacy policy, then they should follow it and if they don’t, I should be able to hold them responsible for their lies. Back in the land of reality, I am not surprised at the rulings. Individuals have never owned their personal information, it is the property of the people who compile and sell data
It does mean, however, that privacy polices are not worth the paper they’re written on.

Supreme Court declines to hear anti-spam case

Yesterday the Supreme Court declined to hear an appeal for Virginia v. Jaynes. This means that the Virginia state supreme court ruling overturning the Virginia anti-spam law currently stands.
Jeremy Jaynes was a well known spammer who went under the name Gavin Stubberfield. He was pretty famous in anti-spammer circles for sending horse porn spam. In 2003 he was arrested under the Virginia state anti-spam statute. He was initially convicted but the conviction was overturned on appeal.
Ethan Ackerman has blogged about this case, including a recap today.
Venkat Balasubramani has also blogged about this case.
Mickey Chandler has the docs.
John Levine weighed in.
News Articles: CNN, Washington Post, CNET

More on e360 v. Choicepoint

Venkat has a longer analysis of the e360 v. Choicepoint case I commented on last week. He’s predicting a quick finding in favor of Choicepoint. I’m not a legal expert by any means, but I can see both sides of this particular case. And I am not sure there is good case law to guide the judge. Definitely one to keep an eye on.

e360 sues a vendor

As if suing themselves out of business by going after Comcast and Spamhaus weren’t enough, e360 is now suing Choicepoint for breach of contract and CAN SPAM violations. As usual, Mickey has all the documents (complaint and answer) up at SpamSuite.
This may actually be an interesting case. On the surface it is a contractual dispute. Choicepoint sold e360 40,000,000 data records containing contact information including email addresses, snail mail addresses and phone numbers. Some of the records were marked “I” meaning they could be used for email. Some of the records were marked “O” meaning they could not be used for email.
Despite these terms being reasonably well defined in the contract, e360 sent email to addresses in records marked “O.” Some of those addresses resulted in e360 being sued by recipients. During the course of the suit, e360 contacted Choicepoint and asked for indemnification. Choicepoint refused for a number of reasons, including the fact that Choicepoint told e360 the addresses were not for mailing. In response, e360 filed suit.
The interesting and relevant part of this case is the CAN SPAM violation that e360 alleges.

Jon Leibowitz: New FTC chair

Jon Leibowitz is slated to be appointed the new chair of the FTC as reported by Bloomberg and CNet. This may mean tougher regulations online. In the past Mr. Leibowitz has advocated that online advertisers move to opt-in for website cookies. This may signal his intention to put more control in the hands of the consumer. According to Bloomberg, Mr. Leibowitz has also “advocated more aggressive enforcement by the FTC.” We may see more CAN SPAM prosecutions as a result.

Affiliate Liability

Eric Goldman published his notes on affiliate liability from his talk at SMX West. He mentions some cases where a company was sued under CAN SPAM. Unlike general legal statutes, where non-agents cannot create liability for a company, under CAN SPAM companies are liable for the actions of their advertisers. Despite this statutory difference, both the FTC and private litigants have had difficulty proving in court that the advertised company was liable for the activity of the affiliate.
Any company that is using affiliate marketing on the Internet needs to take a look at the article and the best practices defined by Eric.

Court rules for Reunion.com

Today a California judge ruled against plaintiffs suing reunion.com. Venkat has blogged about the case previously, and has an analysis of the ruling. The crux of the case is reunion.com requesting users provide passwords to email accounts and then sending mail claiming to be from the user to all the addresses in the users address book.
According to Mediapost:

e360 v. Spamhaus

Mickey has been posting new documents in the e360 v. Spamhaus case. I’ve not had the time to read them, yet, but have seen some of the excerpts. Spamhaus is moving for summary judgment and moving to strike Mr. Lindhart’s testimony.

First amendment and spam

One common argument that spammers use to support their “right” to spam is that they have a first amendment right to free speech. My counter to this argument has always been that most networks are private and not government run and therefore there is no first amendment right involved. I have always hedged my bets with government offices, as these are technically government run and there may be first amendment issues involved if the government office blocks email.
Recently the Third Circuit Court of Appeals ruled on Ferrone v. Onorato, No. 07-4299, 2008 WL 4763257 (3rd Cir. October 31, 2008) addressing this issue specifically. Evan Brown at InternetCases has a post up about the court’s finding. He says:

e360 v. Comcast

Mickey has new docs up at Spamsuite in the case between e360 and Comcast.

Reunion.com sued under CA anti-spam law

Ethan Ackerman posted a rather long analysis of the class action lawsuit filed against Reunion.com over at Eric Goldman’s Technology and Law Blog. Part of the case is related to Reunion.com’s scraping of address books, something I have discussed here before.
The analysis goes through the case step by step and is well worth a read. There are a lot of issues being explored, including the applicability of CAN SPAM to “forward to a friend” email. This case also touches on CAN SPAM and preemption of state laws.
Definitely a post worth reading and a case worth keeping an eye on.

Fingerpointing all around

Mickey has copies of affidavits filed by David Linhardt and his lawyers all denying they were responsible for missing the court’s deadline.

The dog ate my discovery responses

When we last visited our intrepid litigants, Spamhaus’ lawyers had filed a motion to dismiss citing yet another failure by e360 to meet a court ordered discovery deadline.
Let me set the stage.
e360 misses deadline after deadline during discovery. They skip depositions. They stall and provide incomplete answers weeks or months after they are due. Finally, in mid-July the Spamhaus’ lawyers file a motion for sanctions. The judge, while sounding a bit peeved (as I detailed in my Aug 29 post), gives e360 yet another chance to actually comply with discovery at a July 30 hearing.
And how, how does e360 respond to the taxed patience of the judge? They miss that deadline, too!
With the mid-August discovery deadline missed, Spamhaus’ lawyers file for dismissal. The plaintiffs race to repair the damage and find a scapegoat.
The scapegoat turns out to be Mr. Peters, one of the lawyers working the case. At the July 30 hearing he petitioned the judge to be released from the case as he was leaving Synergy (e360’s law firm). In their response to the motion to dismiss, the lead attorney blames Mr. Peters for the most recent e360 failure to comply with the judge’s ruling. According to the response Mr. Peters was, despite being removed from the case, responsible for complying with the July 30 ruling. Oh, and the mean old Spamhaus attorneys should have known that e360 was going to comply and did not contact Synergy before filing the motion to dismiss and it is just not FAIR, your honor!
With far more patience than I could muster, the judge agrees to a hearing about the motion to dismiss on September 4. At that time, he agrees to allow e360 to file a supplement to their response to the motion to dismiss and gives Spamhaus the opportunity to respond to that supplemental motion.
Wonder of wonders, e360 finally gets their act together and manages to meet a court ordered deadline when they filed their supplemental motion. Not only that, they included answers to the interrogatories sent by Spamhaus almost a year ago. Magically, the amount of damages e360 claims has gone up by an order of magnitude and 16 new people now know about e360’s financials. Too bad that the judge closed discovery on July 30.
e360’s answers included some interesting financial details, including the fact that e360 managed to sue itself out of business. That takes some serious talent. The other fascinating factoid is that a company with gross income of, roughly, 2.7 million dollars over 5 years is worth over 95 million dollars. While they do provide a formula for how they arrived at that figure, I am deeply suspicious of their claims.
Spamhaus’ response is on point and catalogs all the e360 discovery failures. This most recent failure to meet the court’s deadline is only one in a long line of failures. They emphasized the fact that they have petitioned the court four separate times to compel answers from e360. And, really, Judge, how many times do you want us to have to come back and waste everyone’s time pointing out that, yet again, e360 did not do what you told them they had to do?
The judge will be ruling by mail. No more hearings, the man is done with this. One thing that I have wondered about is why he seems to be prolonging the pain. But, the case has already been kicked back to him from the 7th Circuit Court of Appeals and I suspect he is loathe to do anything that might prompt a successful second appeal. Recent transcripts make it clear he is getting quite peeved that this is still on his docket. Really, all e360 had to do was provide the information they used to come up with the original 11M figure when the case was filed. Their reticence and inability to show any documentation on how they came up with that figure suggests that the figure may have been more wishful thinking than a real number.

Declan weighs in on the VA law

Declan McCullagh writes today about the VA anti-spam law being overturned by the state supreme court.

Virginia Court Ruling

John Levine has a insightful review of the recent ruling against the VA anti-spam law.

Court strikes down VA anti-spam law

The Virginia Supreme Court overturned the 2003 state law prohibiting sending unsolicited bulk email using false routing information, including phony domain names or IP addresses.

Spamhaus files for dismissal of e360 case

Spamhaus filed a motion today asking the judge to dismiss the e360 v. Spamhaus case for contempt. Mickey, as usual, has the docs up.
I have not posted much on the case recently, as there was only legal wrangling about discovery going on. The biggest problem being that e360 has dragged their feet, stalled and avoided discovery for the last 8 months. They have missed deadlines, turned over incomplete documents and ignored depositions. Since I last wrote about this case, discovery has been extended multiple times, the judge has compelled e360 to turn over docs and information and he sanctioned e360 for their failures to comply.
From my perspective, Spamhaus’ lawyers have been setting the stage for this motion for the last 4 – 5 months. Their interactions with e360’s lawyers, their motions to compel and their motion for sanctions have all formed a narrative of how e360 is stonewalling discovery.
This particular motion is only about 8 pages long, but references a 125 page exhibit. The very large exhibit is mostly documents that have been published before in the “Motion for Various relief due to Persistent Discovery Defaults” filed in July.
In the July motion, Spamhaus’ lawyers detail their repeated efforts to get discovery from e360, and the utter lack of cooperation. One of my favorite bits is that e360 responded (weeks late) to some of the initial interrogatories with (paraphrased), “It is too hard to write all this down, but we will tell you about it in the depositions.” My understanding of the law is that this is, in and of itself, a bit of a no-no. What really puts the icing on the cake, though, is that e360 then skipped 2 properly noticed depositions. They just did not appear, thus making their answers to the interrogatories utterly meaningless.
Spamhaus requested that the Judge impose sanctions on e360 for failing to appear at 2 depositions, not complying with the judge’s previous orders and generally being unable to actually produce any documentation that is complete or on time. Even better, when e360 did manage to produce a thumb drive it contained multiple email conversations between Mr. Linhardt and his lead counsel. This little oops happened because no one at the law firm bothered to actually examine any of the files before handing over the thumb drive. In fact, they only became aware of their error when opposing counsel notified them of the files. When e360 asked for the information back, Spamhaus’ lawyers refused pointing out that they handed over all the information willingly and that their failure to actually examine the files does not constitute an inadvertent disclosure.
The judge did sanction e360, although not with the severity that Spamhaus’ lawyers requested. He also ordered full discovery and documents turned over by August 15th. Based on my reading of the transcript (exhibit 4) the Judge sounds like he is tired of having to tell the e360 lawyers to do their jobs. The judge lectured e360 on their failure to get thing resovled.

Authenticating email in a court of law

Venkat has a discussion of authentication needed to present emails to a judge when asking for a summary judgment.

E360 drops suit against antispammers

E360 has asked for their suit against 3 anti-spammers to be dropped with prejudice. Docs at Spamsuite, commentary at The Spam Diaries.

Funding the lawsuit

Mickey asks if you want to be the sender that funds the lawsuit that establishes case law about your new, nifty process.

Israel Spam Law

Israel has passed a new anti-spam law requiring senders to only send opt-in email, according to the Jerusalem Post.

Yahoo suing lottery spammers

Yahoo filed suit against spammers using the Yahoo trademarks in lottery spam on May 19th.

$234M default judgment against spammers

MySpace has won a 234 million dollar judgment against Walt Rines and Sanford Wallace.
“MySpace has zero tolerance for those who attempt to act illegally on our site,” [MySpace Chief Privacy officer] Nigam said in a statement. “We remain committed to punishing those who violate the law and try to harm our members.”
These are two of the spammers responsible for me learning to read headers and report spam. Both of them have previous judgments against them. Wallace sued AOL to force AOL to accept his mail. Eventually the judge ruled against Cyber Promotions and Wallace.

FTC Rulemaking on CAN SPAM

The FTC announced today they will be publishing clarifications to CAN SPAM in the near future. According to the FTC

Spammers in the news

Eddie Davidson was sentenced yesterday to 21 months in jail for falsifying headers and tax evasion.
Sanford Wallace (the spammer that prompted me to start figuring out how to read headers) lost his suit with MySpace for failure to comply with court orders and failing to turn over documents.
Scott and Steve Richter are in the Washington Post today in an article discussing hijacked IP space. Reading the Post article, though, it appears that Scott legitimately bought a business with a /16 and there is no hijacking going on. Spammers have hijacked IP space illegitimately in the past, but this does not seem to be the case.

Legal filings this week

It has been one of those weeks here and there have been a couple legal things that have come up that I have not had the time to blog about.
One is a post over on Eric Goldman’s blog by Ethan Ackerman discussing the Jeremy Jaynes case. It is quite an info heavy post, but well worth a read.
In addition to not having the time to fully read Ethan’s post and understand the legal subtleties he is discussion, I have not quite had the time to blog about two e360 filings that showed up this week.
The first is a filing by Spamhaus’ lawyers asking for the judge to compel e360 to participate in the discovery process. If you remember e360 won a default judgment against Spamhaus for over $11M. Spamhaus filed an appeal and the Seventh Circuit Court upheld the judgment but vacated damages. Spamhaus and e360 were ordered to conduct discovery on the damages.
I would assume that e360 would be eager to demonstrate the amount of damages Spamhaus caused them, but it appears this is not the case. According to the filing e360 has been missing deadlines and even skipped a planned deposition. The exhibits show numerous email conversations between the lawyers, with e360’s lawyers making repeated promises to deliver, and then failing to follow through.
There are a couple statements in the filing that stood out. First, this paragraph which contains a statement that should have e360’s lawyers shaking in their shoes.

Judge rules in e360 v. Comcast

Yesterday Judge Zagel ruled on Comcast’s motion for judgment on the pleadings. I think the tone of the ruling was clear in the first 3 sentences.

Email related laws

I’ve been working on a document discussing laws relevant to email delivery and have found some useful websites about laws in different countries.
US Laws from the FTC website.
European Union Laws from the European Law site.
Two documents on United Kingdom Law from the Information Commissioner’s Office and the Data Protection Laws.
Canadian Laws from the Industry Canada website.
Australian Laws from the Australian Law website.

e360 v. Comcast: part 4

Today I have a copy of the e360 briefing on Comcast’s motion for judgment on the pleadings.
On a superficial level, the writing of e360’s lawyers not as clear or concise as that of the Comcast lawyers. When reading Comcast’s writings it is clear to me that the lawyers have a story to tell and it has a beginning, a middle and an end. They take the reader through the setup, then through the evidence and case law, then proceed to the remedies requested. There is a clear narrative and progression and it all makes sense and the reader is never left standing. This briefing meanders hither and yon, prompting one person to ask was this written on the back of a placemat in crayon.
I still think e360 is misunderstanding or misstating some crucial facts in this case.
e360 argues that because they comply with CAN SPAM, then their mail is therefore not spam. This is not true (see Al’s post, and my post and John’s post). Complying with CAN SPAM does not mean you are not sending spam. I will go even farther to say that sending super-duper-double-confirmed-with-a-cherry-on-top-opt-in email does not mean you will always get through an ISPs filters. The ISPs have moved away from being in the position of having to decide between a mailer who insists a recipient opted in and a recipient who marks mail as spam. Now, the ISPs look at complaints and if you annoy your recipients, then the ISP is going to filter that mail. It is all about relevancy. It is all about not sending mail that is going to make those users hit the “this is spam” button. And endusers have never cared about permission, spam is email they do not want and if you send it, they will complain about it.
They also seem to have this impression that Comcast is letting all e360’s competitors send email to Comcast. Again, it is all about relevancy. If e36o’s competitors are sending mail that users do not complain about then yes, that mail is going to get through. The problem here is not that Comcast is picking and choosing which ESP gets to mail the users, it is that the recipients are choosing which emails they do not object to. Send emails recipients find useful and relevant, and it does not matter that you scraped their address off a website, they will not report it as spam.
Comcast points out that under the Communications Decency Act (CDA) they are not liable for blocking content. The CDA provides for “Good Samaritan” blocking and screening of content under 2 separate circumstances: 230(c)(1) and 230(c)(2). 230(c)(1) says

e360 v. Comcast: part 3

A couple weeks ago I posted about e360 suing Comcast. The short version is that e360 filed suit against Comcast to force Comcast to accept e360’s email. Comcast responded with a motion for judgment on the proceedings. This motion asked the judge to rule on e360’s case without going through the process of discovery or depositions or all the normal wrangling associated with a legal case. Comcast appears to be saying to the judge even if everything e360 alleges is true, we have done nothing wrong.
The judge asked for each party to prepare full briefs on the motion. e360’s response is due tomorrow and the Comcast reply to that is due on March 27.
Comcast does not appear to be content with just having the case dismissed. Today they filed a counterclaim and third-party complaint. The counterclaim is against e360, the third-party complaint incorporates David Linhardt, Maverick Direct Marketing, Bargain Depot Enterprises, Northshore Hosting, Ravina Hosting, Northgate Internet Services and John Does 1-50. Docs are up over on SpamSuite.
Comcast states the nature of the action in 4 short paragraphs.

Affiliates: what is a company's responsibility

Many of my clients come to me when they end up with delivery problems due to the actions of affiliates. These can either be listings in some of the URL blocklists (either public or private) or escalations of IP based listings. In many of the cases I have dealt with affiliates, the affiliates have sloppy mailing practices or are out and out spammers.
Recently the FTC settled with Cyberheat over their liability for the behaviour of their affiliates. In this settlement Cyberheat is required to monitor their affiliates as follows:

e360 v. Comcast: part 2

Yesterday, I talked about e360 filing suit against Comcast. Earlier this week, Comcast responded to the original filing with some filings of their own.

e360 v. Comcast: part 1

A few weeks ago I very briefly touched on the recent lawsuits filed by e360 against Comcast and a group of anti-spammers. In the Comcast suit (complaint here) e360 argues that Comcast is unfairly and incorrectly blocking e360’s email and are liable for damages to e360’s business.
They have a number of claims, including

e360… AGAIN

This time e360 is in court suing a number of individuals for calling him a spammer.
Mickey has docs up on SpamSuite.com and Ken Magill has written about it as well.
Dave has also responded to ReturnPath, through Ken, with a public letter explaining why his statement disagrees with ReturnPath’s statement about his acceptance into the SenderScore Certified program.
Rumor has it that Dave is claiming he is out of money. If that’s true, who is funding these cases?

e360 in court again

Today’s edition of Magilla Marketing announced that Dave Linhardt and e360 have sued Comcast. Spamsuite.com has the text of the complaint up.
On the surface this seems quite silly. e360 is alleging a number of things, including that Comcast is committing a denial of service attack against e360 and locking up e360’s servers for more than 5 hours. Additionally, e360 is laying blame at the feet of multiple spam filtering companies, including Spamhaus, Trend Micro and Brightmail.
One of the more absurd claims is that Comcast is fraudulently transmitting ‘user unknown’ messages. At no point do they explain how or why they think this is the case, but simply assert:

Al Ralsky Indicted

Al Ralsky is a very prolific spammer and his name is well known among ISP abuse desks. Along with 10 other people he was indicted today after a 2 year investigation by the Justice Department, according to an article published today by the Detroit Free Press.

Useful websites

I’ve been working on a document discussing laws relevant to email delivery and have found some useful websites about laws in different countries.
US Laws from the FTC website.
European Union Laws from the European Law site.
Two documents on United Kingdom Law from the Information Commissioner’s Office and the Data Protection Laws
Canadian Laws from the Industry Canada website.
Australian Laws from the Australian Law website

7th circuit court ruling in e360 v. Spamhaus

Mickey has some commentary and the full ruling up on Spamsuite. In short the appeals court affirmed the default judgment, vacated the judgment on damages and remanded the case back to the lower court to determine appropriate damages.
There are a couple bits of the ruling that stand out to me and that I think are worthy of comment.
Spamhaus made a very bad tactical decision by initially answering and then withdrawing that answer. The appeals court ruled that action signaled that Spamhaus waived their right to argue jurisdiction and that they submitted to the jurisdiction of the court. Based on this, the appeals court upheld the default judgment against Spamhaus. Not necessarily the outcome any of us wanted, but that doesn’t set any precedent for future cases unless defendants answer and then withdraw the answer. Specifically on page 12 of the ruling the court says: