New Jersey:
342 Grand Avenue
Englewood, NJ 07631
Phone: 201-567-6144
New York:
324 W 83rd St. Suite. 4S
New York, NY 10024
Phone: 212-874-6181


As seen in


Volume 22 No.1 Winter 2005

Computer and Internet Law

Update On The CAN-SPAM Act of 2003
By Victoria M. Brown

Expectations of federal government protection from spam (unsolicited email) were not met when the when Congress enacted the CAN-SPAM Act in December 2003 (see Section 9 of the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, 15 U.S.C. § 7708).

In short summary, this Statute did not ban spam but sought merely to regulate it by certain identifying controls. The CAN-SPAM Act imposes civil and criminal penalties on spammers who do not properly identify themselves. The statute prohibits false headers and misleading subject lines. Each spam letter, once opened, must have an “opt out” provision at the top. An opt-out provision is a provision whereby the reader can opt to notify the sender to discontinue sending them further emails. Under the statute pornographic spam must have warning labels to prevent it being opened by unsuspecting readers. All spam messages must note a physical postal address and be labeled as advertisements. Enforcement of this law against a spam sender (and others that knowingly promote and enable a spam sender, such as a host or server) is limited to claims brought by the Federal Trade Commission with no private right of action.

The CAN-SPAM Act, as federal legislation, effectively pre-empted conflicting state legislation. Thus, California’s statute that banned spam outright and permitted private parties to litigate was struck down. The California statute was similar to that which had been adopted by the European Union. In enacting anti-spam statutes, the European Union and the United States placed different weight on the consideration of the right of a company to market itself versus the right of an individual to privacy.

Many anti-spam organizations reacted negatively to the CAN-SPAM Act because it did not ban spam. After enactment of the CAN-SPAM Act email users continued to be harassed by legal and illegal spammers.

Now U.S. companies market through spam following the guidelines of the CAN-SPAM Act. CAUCE (Coalition Against Unsolicited Commercial E-Mail at is an organization that seeks to eliminate spam. On its website CAUCE expressed disappointment in the CAN-SPAM Act and noted that both the House and Senate versions of this law were passed without any public hearings, “instead being written and passed solely through back-room compromises and with the input of the marketing industry and Internet Service Provider lobbies, but with scant regard for the interests of America’s consumers and business Internet users”.

Spam is estimated to clog at least 40% of an ordinary email inbox. As of 2003 the amount of spam sent was doubling every 18 months. The statistics for 2004 are not yet complete. It has been estimated that 90% of spam is sent by only 200 people, many of whom send from unidentifiable IP (internet protocol) addresses or from overseas accounts that are not subject to U.S. law.

Spammers who cannot be identified or spam from overseas accounts (such accounts usually come out of under-developed or developing countries that have no spam laws), are not likely to be prosecuted under the CAN-SPAM Act. Thus, even with some reduction of spam via the CAN-SPAM Act, the perpetrators of most spam which violates the Act remain at large due to the lack of a means to technologically identify them or a law that can be uniformly applied and enforced worldwide.

The CAN-SPAM Act provided for the consideration of a “Do Not Call” list by the Federal Trade Commission (“FTC”). In June 2004, the FTC came out with a report “National Do Not Email Registry, A Report to Congress”. The FTC recommended that Congress not enact a Do Not Call list at this time. A review of the FTC June 2004 report concludes that if such a Do Not Call List were to be enacted, the list would be used by wrongful spammers to harvest more email addresses for their spamming operations. Thus, the major concern for the FTC regarding a Do Not Call Registry is proper identification of persons or companies that seek to view the list.

Illegal spam is increasingly coming from organized crime and causing greater concern. The worst use of spam is what is referred to as “phishing” which uses spam to get readers personal credit card information and passwords as follows: a spammed letter enters a victims email inbox, the victim opens it, there is a great offer (eg. a Jacuzzi for $500) and the victim clicks on the website noted in the email so that the victim can purchase the product. The victim then enters a “dummy” website, clicks on the product and gives his/her credit card information and passwords and never gets the product. Organized crime now has the victims credit card information and passwords and personal information and impersonates the victim in stealing from the credit card and any other source possible based on the information given (this type of crime is call “phishing”). Identify theft also becomes a problem when this type of information is stolen.

In its June 2004 report the FTC expressed the need for a mechanism to verify the validity of email addresses because “without authentication, the Commission would be largely powerless to identify those responsible for misusing the Registry.” The Commission concludes:

If, after allowing the private market sufficient time to develop, test, and widely implement an authentication standard, no single standard emerges, the Commission could begin the process of convening a Federal Advisory Committee to help it determine an appropriate email authentication system that could be federally required. If the Commission were to mandate such a standard, after a reasonable period of time following the effective date of such a standard, the Commission will consider studying whether an authentication system combined with enforcement or other mechanisms (eg. better filters) had substantially reduced the burden of spam.

If spam continued to be a substantial problem, if a Registry could significantly reduce it once an authentication system is n place, and if other technological developments removed the security and privacy risks associated with a Registry, the Commission will consider issuing an ANPR proposing the creation of a National Do Not Email Registry.”

Before expending resources on the implementation of a Registry, the marketplace should be encouraged and allowed to correct a flaw in the email system’s architecture that enables spam ­ the lack of domain-level authentication. Without effective authentication of email, any Registry is doomed to fail. Without authentication, better CAN-SPAM Act enforcement a better filtering by ISPs may even make a Registry unnecessary.

ISP’s (internet service providers) are struggling with a technical solution to the problem of identifying a spammer’s true email address and once this is done, blocking it. The system that shuttles email between senders on the internet is the “Simple Mail Transfer Protocol” system (“SMTP”) has been in use since 1983 and has no mechanism in place to identify the origins of the sender.

In July 2004 in the L.A. Times, staff write Chris Gaither reported that AOL (working with Microsoft), Yahoo and other big service providers were trying to find a way to verify the true addresses of senders of email but they were coming up with different systems and methods. The article emphasizes that for any system to work properly, such system or standard has to be widely adopted.

The wide adoption of one system to identify emails sent is a problem recognized by International Telecommunication Union (ITU) of the United Nations which held an ITU WSIS Thematic Meeting on Countering Spam July 7-9th, 2004 to discuss the matter. Discussions at the meeting focused on what kind of international cooperation may be advisable to stop spam, but no conclusions were reached at this juncture.

Finding a technological worldwide unified system of adequate identification of an email sender is now the focus of the Federal Trade Commission, the United Nations, internet service providers and software companies. Until the best and most efficient technical means of identification comes to the forefront, legislators cannot effectively create and/or enforce spam legislation.

Victoria M. Brown of Of Victoria M. Brown, LLC is a NJ and NY attorney

Having NJ offices at
342 Grand Avenue, Englewood, NJ 07631
(201 567 6144)

Member of the Bergen County Computer Law and Internet Committee