Is SOPA’s “Follow the Money” Meme Infecting Anti-Spam Litigation? – Project Honey Pot v. Does
[Post by Venkat Balasubramani]
Project Honey Pot v. Does, 11-cv15 (LMB/JFA) (E.D. Va.; May 21, 2012)
Project Honey Pot is a “spam-tracking network that ‘allows spammers, phishers, and other e-criminals to be tracked throughout their entire ‘spam life cycle’’.” It had, and maybe still has, great ambitions and was founded by Matthew Prince, of Unspam fame. As detailed by Eric in this blog post, Unspam is (or was) a for profit company that operated a “do not email kids” registry aimed at allowing people to comply with Utah’s “don’t email the kids” law: “Utah’s ‘Don’t Email the Kids’ Registry a ‘Financial Failure.'” Prince also publicly defended Utah’s ill-fated key word advertising law: “Keyword Advertising as Corporate Identity Theft—Sen. Eastman Defends New Utah Law Banning Keyword Advertising.” (Prince is now CEO of CloudFlare, which offers, among other things, services that help you comply with EU’s cookie regulations: “CloudFlare To Launch Service For Sites Dealing With Tortuous EU Cookie Law.”)
Anyway, PHP filed and voluntarily dismissed a couple of lawsuits in Virginia without any apparent docket activity. This time around, it tried to go after banks who allegedly offered payment processing services to online pharmacies, along with two individual defendants.
The complaint alleged that one of the Doe plaintiffs attempted to buy a prescription drug through an online pharmacy. He paid for it by debit card but never received any medication in the mail. He didn’t suffer any out-of-pocket loss (the bank credited him the amount charged and changed his debit card number), but he alleged that since this transaction, he has received “voluminous spam email.” The complaint alleged claims under CAN-SPAM, the Virginia Computer Crimes Act, a slew of state law claims, as well as RICO claims.
Several banks filed motions to dismiss on the basis of personal jurisdiction. The court dismissed these defendants in December 2011, finding that the complaint raised speculative allegations regarding any conspiracy between the banks and the pharmacy operators. PHP dismissed one of the individual defendants, intimating that this defendant was a victim and not one of the perpetrators. The court dismissed the other defendant due to PHP’s failure to effect service, and closed the file. (This is a simplified version of the procedural history; there are a few other details that are not relevant here, including the fact that PHP filed an appeal before the case was fully resolved.)
PHP filed a motion to alter or amend the judgment and reopen the action as to two of the banks. Apparently PHP’s counsel obtained a dataset of 900,000 transactions for “Glavmed” from a well-known security blogger, Brian Krebs. (See “SpamIt, Glavmed Pharmacy Networks Exposed.”) The dataset included numerous records allegedly “tied to Virginia residents.” PHP also pursued third party discovery and obtained transaction records from 2006 through 2010. 63 of these transaction records identified the processing bank, and 51 of these identified transactions were allegedly tied to two of the defendant-banks.
The court denies PHP’s motion to reopen the case, largely on the basis that PHP did not offer any justification for why it failed to come forward with the evidence earlier. The court also says that even if it considered this evidence, it would still dismiss the defendant-banks. PHP relied on the “conspiracy theory of personal jurisdiction.” Because the pharmacies deal with Virginia residents and since the banks deal with the pharmacies, in PHP’s view, this was sufficient for personal jurisdiction. The court says there are three flaws with this view. First, PHP cannot show that either of the banks in question have any “direct contacts” with Virginia. Second, PHP’s evidence:
still does not link the defendant banks with Virginia customers, [the individual defendants], or the single transaction at issue in this case.
Finally, the court says that even if PHP could show that the banks processed transactions for any merchants with Virginia customers, personal jurisdiction would not be proper due to the “extremely attenuated nature of the banks’ contacts with the forum.”
The court doesn’t reach the underlying merits of PHP’s claims against the banks, but the opinion is tinged with enough discussion of the banks’ “attenuated” connection with any underlying spam activity that you don’t get any warm fuzzies regarding PHP’s claims against the banks.
There are a couple of problems with PHP’s theory on the merits. First, the Doe plaintiff didn’t suffer any financial injury. Standing issues aside, there is no such thing as a standalone legal claim for receiving spam emails. (Cf. Cherny v. Emigrant Bank.) It’s fairly well established that you can only sue under CAN-SPAM if you are the provider of Internet Access Services, and PHP’s factual allegations did not include any IAS-specific harms. (See Gordon v. Virtumundo.) I don’t see the basis for any CAN-SPAM claims in this scenario. (It’s unclear exactly how “Project Honey Pot” fits into the picture. It all sounds very Righthavenesque.)
Even assuming PHP or Doe can sue the payment processors under CAN-SPAM, under what theory will it hold a payment processor liable? They payment processors did not send any emails. Nor were their products or services advertised via any emails. Courts have allowed parties to proceed against third parties in the chain in some trademark (Gucci v. Frontline; Akanoc) cases, but outside the context of affiliate liability, I’m not aware of any such cases in the spam context. (See also, the Perfect 10 v. Visa and Perfect 10 v. ccBill cases, dealing with payment processor liability in the copyright context, discussed by Eric in these posts: “Credit Card Providers Aren’t Liable for Third Party Infringement–Perfect 10 v. Visa“; “Ninth Circuit Opinion in Perfect 10 v. CCBill.”)
CAN-SPAM contains provisions governing third party (affiliate) liability, but the banks clearly did not fit within the statute. (See the Cyberheat case where the government was able to make a case for affiliate liability but had some damaging facts. A key distinction in this case is that the banks did not procure or initiate the emails in question.) Section 6 of CAN-SPAM discusses liability for third party service providers in certain limited scenarios, but the section authorizing civil actions by IASs does not list Section 6 under the list of sections that support a civil cause of action brought by an IAS. Any attempt to go after a third party in the chain based on a vague conspiracy theory (as opposed to satisfying CAN-SPAM’s standards for affiliate liability) would be an extension of liability that has no basis in the statute.
PHP’s attempt to hold the banks liable is similar to the “follow the money” instincts underlying SOPA/PIPA. (Check out Eric’s post on the OPEN Act for why he is not a fan of this approach: The OPEN Act: Significantly Flawed But More Salvageable Than SOPA/PROTECT-IP.) PHP figures that if it obtains any sort of a favorable ruling against the banks, it can then wave this ruling around to try to get banks to terminate relationships with reported spammers. As the trademark and copyright rulings illustrate, trying to impose this type of liability against payment processors who provide services to alleged infringers or counterfeiters is far from easy. But while there is case law plaintiffs can rely on in those contexts, it seems like a long shot at best, with little or no basis in the statute, in the anti-spam context.
Maybe PHP has achieved some lucrative settlements behind the scenes, but this ruling makes me wonder what it’s been doing. The whole thing has a quixotic feel to it.