No one wants to run seriously afoul of the law. No one wants to go to jail. But we live in an age in which a simple email message can send you to the slammer. Although unsolicited commercial email (UCE), or spam, isn't in the same category as, say, murder, it's almost universally hated, and that hate has led to the passage of a US law—the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) act—that makes some types of email illegal. Knowing how the law affects your messaging operations is both useful and important. Although I'm no lawyer, I want to attempt to explain some of the new law's finer points to help you stay on the right side of the folks with the badges. I also explain some provisions of the law that your users need to understand.
A Law Is Born
Over the past several years, spam has become increasingly prevalent and obnoxious. Long-time Internet users fondly remember a time when there was no spam. The common belief was that the Internet wasn't intended for commercial traffic. Of course, we all know what happened to that belief: It was buried in the gold rush to commercialize the Net. Ordinary users commonly receive 15 to 20 spam messages per day, and users (like me, unfortunately) whose addresses are widely distributed have seen that number rise into the hundreds. An arms race between spammers and their victims quickly developed, with a dizzying escalation of combative technologies and deployments. Unfortunately, technological antispam measures didn't carry the day, and many people began wondering about the possibility of passing laws to prohibit spam.
Of course, this inevitably led to the emergence of several arguments. The arguments regarding antispam laws can be filtered to three essential points:
- Antispam laws won't work because spammers can always send messages from somewhere outside the law's scope. For example, a spammer whose business is outlawed in Ohio can simply set up shop in Michigan, or in Brazil, or anywhere else Ohio law doesn't apply.
- Even if you identify spammers, someone still must enforce the law, which means either spending money on enforcement or leaving the law largely toothless.
- Antispam laws set a dangerous precedent. Even die-hard advocates of such laws have grudgingly admitted that inviting government to determine what kind of speech is "bad" or "illegal" is a poor idea—particularly given the diversity of opinions, beliefs, and lifestyles you find among the hundreds of millions of email users in the world.
None of these concerns has stopped the inexorable progress of state antispam laws. The state of Washington struck first, followed by a number of others, including California, Iowa, Louisiana, and Virginia. However, users soon saw that a patchwork of incompatible spam laws wasn't helping to quell the problem. The spam kept flowing. Advocates of legal solutions began to turn their efforts toward passing a national antispam law, and they succeeded in late 2003. President George W. Bush signed the CAN-SPAM Act into law in December 2003, and it took effect January 1, 2004. Understanding what this law does and doesn't permit is important because it has a potential impact on every business that sends email to anyone outside the business, including customers and partners.
What Is Spam?
You first need to understand what CAN-SPAM defines as spam because then you can see how the law applies to you. The bill's definition is a little complicated: Spam is UCE, but unsolicited and commercial have well-defined meanings that might conflict with an ordinary administrator's thoughts on the subject.
- Commercial email is "any electronic email message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet Web site operated for a commercial purpose)." Fortunately for us, email that merely mentions a company name or Web site isn't necessarily commercial; the primary purpose must be promotion. The Federal Trade Commission (FTC) has until January 2005 to devise rules for determining what an email message's "primary purpose" really is.
- Unsolicited email is OK if a preexisting relationship is in place between the sender and recipient. For example, if I buy a car from my local auto dealer, the law permits the dealership to send me messages about my car (e.g., recall or warranty notices). Likewise, a bank can send account information or notifications to its customers without their prior explicit permission. Messages sent to complete or confirm a transaction, provide account information, or provide status on subscriptions, memberships, accounts, and other relationships are exempt from the law. The law uses the phrase "transactional or relationship message" to cover these commercial-but-not-unsolicited messages, which remain legal. Because these messages make up the overwhelming majority of business-to-customer traffic at most organizations, this provision probably means that you don't have to change your mailing practices.
However, some messages automatically run afoul of the law, whether they're commercial or not. If the sender forges header information, relays messages through a third party without permission, or uses throwaway fake accounts from an ISP, those messages are illegal, as are any messages sent pursuant to other crimes or offenses, such as fraud, identity theft, obscenity, or child pornography.
What Does CAN-SPAM Prohibit?
Now that you know how the law defines spam, we can take a look at the specific actions the law prohibits. You might assume that sending any messages that meet the definition of spam is illegal, but unfortunately that's not true. Six key restrictions govern the types of mail that can't be sent.
Misleading headers. The first restriction is simple: You can't send messages that have false or misleading headers, even if they're sufficiently well formed to get the message delivered. Any message that forges the sender name or domain, the sender IP address, or any other header information falls into this category. Interestingly, any message sent through an SMTP relay "with the purpose of disguising its origin" also qualifies. I'll be interested to see under what circumstances such a purpose can be proved.
Misleading subject lines. The second restriction is also simple. You can't send messages that have misleading subject lines, the intention of which would be to mislead a person about the message's contents or subject matter.
Opt out. The third restriction is where things start to get a little more problematic. The law requires that all commercial messages include a working, valid return address that recipients can use to opt out of further communication. That address must be maintained for at least 30 days after the message is sent. This restriction obviously interlocks with the requirement that all header information be valid. The law specifies that, besides just sending a reply message, you may allow other means for opting out, which means that you could include an Unsubscribe me URL in the message. A specific provision permits multiple-choice settings so that users can pick and choose which types of commercial email they want to receive. If you've ever registered for an online newsletter or for a print newspaper's Web site, you're probably already familiar with this approach. One easy way to comply with this requirement is to send your messages with a return address that points to a public folder, which you can easily monitor. In fact, you could write a simple event sink or script that would automatically remove users from your mailing list.
One new wrinkle is that the law requires senders to include a valid postal or physical address in commercial messages. Doing so is easy, but a quick survey of the vendor messages and press releases landing in my Inbox shows that many companies haven't yet complied. Because this step is such an easy one, you should probably ensure that your commercial mass mailings include it, just to be safe. You can include this information in the message itself, or you can use a third-party disclaimer product such as Red Earth Software's Policy Patrol, Exclaimer's Exclaimer for Microsoft Exchange suite, or Franz Krainer's DisclaimIt.
Hands off. The fourth restriction follows naturally from the third: Once someone has opted out, you can no longer legally send that person messages of the type he or she opted out from, and you can't sell, lease, or transfer that person's address. There's a 10-day window before this provision takes effect, presumably to allow the sender to send a You have unsubscribed notice. The big weakness in this provision, unfortunately, is that users must opt out from each individual sender—there's no centralized registry of users who don't want spam, as there is for telemarketing calls. Although this situation is awful for users, it relieves administrators of legitimate businesses of the burden of working with a centralized registry. Currently, no Microsoft Exchange Serverbased tools automate this process, although with a little careful scripting, you could set up a mailbox for logging the addresses of people who want to opt out.
Sexually explicit. The fifth restriction requires special markings for sexually oriented mail: The subject line must include the words "SEXUALLY EXPLICIT." Unfortunately, the law's definition of "sexually oriented" applies only to explicit material, so you can bet that spammers will construe the law to mean that they can continue to send some types of ads without marking them. Sexually explicit messages might not contain explicit images, either, although sending hyperlinks to such images remains legal. (That, of course, raises a question: If you send an HTML message with an <img> tag that points to your server—instead of attaching the image—does it fall under the law?)
Vicarious spam. The sixth restriction covers vicarious spam: Hiring a company that you know, or have reason to believe, is a spammer is against the law. The law doesn't cover the use of affiliate programs; because an affiliate program isn't a hiring relationship, it probably doesn't apply, which means the flood of "free satellite TV" and "get a $50 gift card" spam messages isn't likely to diminish. I'm hopeful that this restriction will curb some of the spam that comes from hosts outside the United States because US companies will no longer be able to hire them unless they comply with the law.
As with most laws, the antispam bill takes some aggravating circumstances into consideration. If you break the law and one or more of the following aggravating circumstances are present, the penalties increase:
- You can't randomly generate addresses. For example, you can't create a long list of common names and use it to send email to each firstname.lastname@example.org.
- You can't harvest addresses from online sources, then use them to send spam. Note that you can still gather addresses on paper, over telephone, or through any other means that doesn't involve using a "Web site, proprietary service, or other online public forum;" in fact, the law permits harvesting with the consent of the forum operator.
- You can't automatically generate fake accounts to send spam. Most Webmail providers have switched to systems that require a human to type a code that appears as an image; the image is distorted so that optical character recognition (OCR) software can't read it. Supposedly, such systems make it impossible for scripts to sign up for accounts, so spammers instead pay people to sign up for them. That behavior is perfectly legal, provided the other restrictions described above are met.
Penalties for Noncompliance
The law sets forth some hefty penalties—for example, fines as high as $2 million and prison terms of 3 to 5 years—depending on the number of spam messages sent and whether the messages are connected to another felony, such as fraud. The FTC is tasked with enforcement, although the government hasn't bestowed any money toward enforcement efforts. Other agencies get involved if designated federal departments already regulate the spammer. A list of such companies would include banks, credit unions, airlines, insurance or financial services companies, and media companies. For example, the US Department of Agriculture can enforce the law against land banks.
One welcome aspect of the law decrees that a state attorney general can file civil suits against spammers on behalf of state residents. I'm looking forward to the day when an eager attorney general, yearning to be the next Eliot Spitzer, takes on one of the larger spamming houses. ISPs can sue spammers, too. However, no means exist for an individual to file civil suits; our power is limited to filing complaints with the FTC. Noted attorney Lawrence Lessig suggested offering a bounty or reward for people who turn in spammers, but that provision didn't make the final version of the law.
The real question is whether any of the agencies that have the ability to go after spammers will have the resources to do so. Although spam is a huge annoyance, it's clear that it isn't sufficiently notable to grant the FTC and other agencies enough additional budget money to make antispam efforts worthwhile. I expect to see more action from civil suits (such as the ones AOL filed earlier this year) because ISPs can recover damages under the law.
What Should You Do?
This discussion would be pointless without some specific recommendations for what you should do—or not do—to comply with the law. An entire industry dedicated to CAN-SPAM compliance is already springing up, and I recommend investigating whether one of these firms is right for you. Even without an external advisor, though, you should be aware of a few things you should and shouldn't do:
- Don't hire spammers, and exercise due diligence to make sure the marketing or mass-mailing companies you use are complying with the law.
- Always use legitimate headers in your messages, with a real return address.
- Employ some method of monitoring your return address to watch for opt-out notifications. The common practice of stating, "Don't reply to this mail because it's unmonitored," probably doesn't comply with the law— not to mention that it annoys recipients.
- Include a valid postal address in your commercial mailings. This practice doesn't seem to be necessary for individual messages to consumers, but it's definitely required for mass mailings.
- Consider moving to an all-opt-in system for your mailings. Although sending messages to your existing customers is perfectly legal, sending messages to people who aren't already customers might not be OK. For example, the common practice of sending messages to people whose addresses you collect at trade shows or conferences might not be legal under the new law. Opt-in mailings give you perfect safety at the cost of some hassle and additional expense.
The big problem for Exchange administrators is that Exchange doesn't offer built-in tools for CAN-SPAM compliance. Because the law is fairly new, very few products and services offer compliance tools, although I expect such tools to arrive on the market at a rapid clip. Companies such as EmailLabs offer hosted mass-mailing services that provide CAN-SPAM compliance. If you anticipate a high volume of mailings, these services probably offer the most cost-effective route to compliance.
The Future of Spam
A few weeks after the law passed, two spam-filtering companies carried out an informal sampling and found that less than 1 percent of the spam their filters caught complied with the new law. That finding isn't surprising. It will take time to determine whether the new law will have the intended effect. Because the law's viability depends so much on enforcement, I suspect that a few high-profile cases against major spammers will help encourage others to comply with the law, but until then you shouldn't expect any major changes. In the long run, this law will probably help, although perhaps not as much as some of the stronger state antispam laws that it superseded. However, it won't solve the spam problem on its own.
To achieve success, we need a continuing process of building technical solutions (e.g., Microsoft's "Caller ID for E-Mail" specification, which you can find information about at http://www.microsoft.com/mscorp/twc/privacy/spam_callerid.mspx), legal pressure, and—most important—financial incentives. If spam becomes unprofitable, spammers will vacate the business. Until then, we'll have to keep an eye on the consequences of this law. For now, you can help protect your legitimate mailings by taking a few simple measures to comply with the law's provisions.