CAN-SPAM Violations For Private WHOIS Information and Putting Disclosures in Remotely Served Images – ZooBuh v. Better Broadcasting
[Post by Venkat Balasubramani]
Zoobuh, Inc. v. Better Broadcasting, LLC, 11cv00516-DN (D. Utah May 31, 2013)
Spam litigation has waned. In its place, text message litigation has blossomed. Still, once in a while an interesting spam decision comes along, though unfortunately this one falls into the “default judgments make bad law” category.
ZooBuh, a Utah-based ISP, sued Better Broadcasting and Iono Interactive for allegedly sending ZooBuh 13,453 spam messages. Neither defendant appeared. At ZooBuh’s initial request for default judgment, the court requested supplemental briefing. Upon taking a closer look at ZooBuh’s complaint, the court decides to award it $1,608,360 in damages.
Is ZooBuh a legit ISP?: Citing and contrasting Gordon v. Virtumundo, the court easily concludes that ZooBuh is a legitimate ISP that has standing under CAN-SPAM. Unlike Gordon, who registered a domain name and had a third party provide hosting services, the court notes that ZooBuh has approximately 35,000 customers worldwide, and it uses its own equipment to provide services. The court also says that ZooBuh is “adversely affected” by the emails in question. The costs of dealing with thirteen thousand messages for a smaller ISP would not be “negligible.”
Whether the emails contained inaccurate header information: CAN-SPAM contains a restriction on sending emails using “materially false or . . . misleading” header information. Header information is only thought to cover information actually used to route or describe the routing of emails, and not peripheral information that can appear on the from line (e.g., that an email is from “John Doe,” “John D.,” “J.D.,” or “Customer Service at T&MLBlog”). Ignoring the most obvious precedent on this issue (hello, Mummagraphics!) the court says that the majority of federal decisions are not instructive. Accordingly, the court looks to Balsam v. Trancos, a California appeals court decision construing California’s anti-spam statute, as persuasive authority. The court in Trancos concluded that sending emails using a private registration service where the sender’s identity is not disclosed on the face of the emails violates California’s anti-spam statute.
Taking its cue from Trancos, the court says that the emails here use misleading header information. First, the bulk of the emails contained “a generic or nonsensical ‘from’ line[s] that [do] not identify any real business or individual.” Thus, a recipient could not identify the sender from the face of the email. Second, the court says that the emails violate section 7704(a)(1)(A), which prohibits the transmission of emails through addresses or domain names that are procured “by means of false or fraudulent pretenses.” The domain names were registered through Moniker and eNom, and the applicable domain name registration agreements require the registrants to represent that they will not use the domain names for “SPAM purposes.” Because the domain names were used here “for SPAM purposes,” the court says that the domain names were procured fraudulently.
Whether the emails contained the requisite disclaimers: CAN-SPAM also requires commercial emails to be identified as advertisements (and to contain opt-outs and the sender’s physical address). These disclosures must be “clear and conspicuous.” The emails did possibly contain the disclosures, but the problem was that the disclosures were delivered as remotely hosted images, i.e., images that do not show up when the email client is not set to automatically download images, and that in some cases can be screened out altogether.
The court walks through the various types of email formats, and the different ways that images can be conveyed via emails (attached, inline, or remotely). Remotely hosted images are not part of the email body; the email instead links to images that are hosted elsewhere. Citing security concerns (a US-CERT report on avoiding cyber-attacks) and the fact that remotely hosted images are avoidable and not permanent, the court says that including the necessary disclosures in these types of images is not sufficient:
Given the strong concerns and recommendations against the downloading of remotely hosted images in emails, the industry standards that prevent the automatic download of Remote images in email, and the non-permanent nature of Remote images, the content of remotely hosted images in email communications is not unavoidable and is not likely to appear on the recipient’s screen for a duration and in a location sufficiently noticeable for an ordinary consumer to read and comprehend it.
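The attached / inline / remote distinction the court draws can be checked mechanically. The following Python sketch is an added example, not part of the original post or the court's opinion: it counts each image type in a message and reports whether any disclosure wording survives as text when remote images are blocked. The sample message, the example.com addresses and the keyword list are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
# Constructed sample: the only possible disclosure sits in a remotely hosted image.
SAMPLE = """\
From: deals@example.com
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Great offer inside!</p><img src="cid:logo1">
<img src="http://img.example.com/footer-disclosure.png"></body></html>
--b1
Content-Type: image/png
Content-ID: <logo1>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

class _Scan(HTMLParser):  # collects <img> sources and the visible text
    def __init__(self):
        super().__init__()
        self.srcs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.append(dict(attrs).get("src") or "")
    def handle_data(self, data):
        self.text.append(data)

def classify_images(raw):
    """Return (image counts by type, text visible with remote images blocked)."""
    msg = email.message_from_string(raw, policy=policy.default)
    scan, counts = _Scan(), {"attached": 0, "inline": 0, "remote": 0}
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            scan.feed(part.get_content())
        elif part.get_content_maintype() == "image":
            # Simplification: an image part not marked "attachment" counts as inline.
            counts["attached" if part.get_content_disposition() == "attachment" else "inline"] += 1
    # Remote images are not MIME parts at all, only URLs the client may or may not fetch.
    counts["remote"] = sum(s.lower().startswith(("http://", "https://")) for s in scan.srcs)
    return counts, " ".join(" ".join(scan.text).split())

def disclosure_visible(raw, terms=("unsubscribe", "opt out", "advertisement")):
    """True if an (assumed) disclosure keyword is present as text, not only in images."""
    text = classify_images(raw)[1].lower()
    return any(t in text for t in terms)
```

For the constructed sample, the inline image travels with the message while the footer image is only a URL, so a client that blocks remote content shows no disclosure wording at all.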
Damages: The court does some back-of-the-envelope calculations regarding where defendants fit in on the spectrum of culpability, and concludes this case is most like Asis v. Raush (where the court awarded $865,340). Here, the court awards $1,608,360.
I wonder how often plaintiffs end up collecting on these types of judgments. Regardless, the court’s decision was a bummer in several respects.
First, its decision on the header issue goes against the prevailing trend, starting with Mummagraphics (see Eric’s post here on that case: “Fourth Circuit Rejects Anti-Spam Lawsuit–Omega World Travel v. Mummagraphics“). To my knowledge, no federal decision has held that sending emails through privacy protected domain names per se violates CAN-SPAM. (Cf. US v. Kilbride, a criminal case where the court relied on, among other things, use of private registration with the intent to conceal, in order to find a violation of the statute.) CAN-SPAM recognizes that there can be multiple parties in the chain, and includes two mechanisms for allowing the recipient to express their preferences to not receive further emails: (1) the emails must contain a valid street address; and (2) the emails must contain an opt-out mechanism. There’s nothing in CAN-SPAM that says sending emails through private domains is misleading or otherwise prohibited. There’s certainly nothing that talks about what information should be contained on a from line, other than that you can’t spoof someone else’s domain name or email address.
[Eric's note: in fact, because CAN-SPAM requires disclosure of a street address in the email text, the further disclosure about the domain name owner in the WHOIS record is superfluous.]
The court’s conclusion about the from line/private registration issue was bad, but the court totally goes off the rails in its analysis of the 7704(a)(1)(A) issue. This section on its face says that if you obtain a domain name, email address, or IP address by fraud, and then use any of these to send or transmit a message, you violate this statute. This should encompass fraud, as it’s typically defined. Perhaps Congress was getting at identity theft here. But to read it to say that a violation of an anti-spam provision of an ISP agreement means that you’ve procured the domain name fraudulently (in violation of this provision) is . . . slightly circular.
Finally, the court’s conclusion on the remote image issue was also interesting. Certain types of communications may not practically allow for the requisite disclosures, and courts have interpreted laws to cover overlapping communications in wacky ways. One example is Facebook messages and CAN-SPAM. Another example is communications accessible by telephone, which can fall under one of several categories. (Twitter and required FTC disclosures is one that courts have yet to address, but they will probably do so in the future.) That wasn’t the case here, but there’s nothing in the text of CAN-SPAM or the regulations that expressly says that the disclosure cannot be in this type of an image file. As with any disclosure, taking steps to ensure that the end user cannot avoid the disclosure is a prudent approach.
Additional coverage: “Remotely hosted images can’t provide clear and conspicuous disclosure in email” (Rebecca Tushnet)