Aiding and abetting violations of CAN SPAM

The US DOJ announced today the guilty plea of David Patton. Patton was charged with “aiding and abetting violations of the CAN SPAM act.” Software written by Patton’s company provided the ability to modify email headers and use open proxies to disguise the source of the email.
The Ralsky convictions are, to the best of my knowledge, the first criminal prosecution for CAN SPAM violations and so far 9 of the 12 defendants charged have pled guilty.

Related Posts

Reunion.com sued under CA anti-spam law

Ethan Ackerman posted a rather long analysis of the class action lawsuit filed against Reunion.com over at Eric Goldman’s Technology and Law Blog. Part of the case is related to Reunion.com’s scraping of address books, something I have discussed here before.
The analysis goes through the case step by step and is well worth a read. There are a lot of issues being explored, including the applicability of CAN SPAM to “forward to a friend” email. This case also touches on CAN SPAM and preemption of state laws.
Definitely a post worth reading and a case worth keeping an eye on.

TWSD: breaking the law

I tell my clients that they should comply with CAN SPAM (physical postal address and unsubscribe option) even if the mail they are sending is technically exempt. The bar for legality is so low, there is no reason not to.
Sure, there is a lot of spam out there that does not comply with CAN SPAM. Everything you see from botnets and proxies is in violation, although many of those mails do actually meet the postal address and unsubscribe requirements.
One of my spams recently caught my eye today with their disclaimer on the bottom: “This email message is CAN SPAM ACT of 2003 Compliant.” The really funny bit is that it does not actually comply with the law. Even better, the address it was sent to is not published anywhere, so the company could also be nailed for a dictionary attack and face enhanced penalties.
It reminds me of the old spams that claimed they complied with S.1618.

Confirmed unsubscribe

Whatever one might think about confirming opt-ins, I think we can all agree that requiring someone to jump through hoops and confirm an unsubscription request will just annoy that person.
Today I attempted to opt out from a discussion list. It’s one I *thought* I had opted out of previously, but I could find no record of the request anywhere. OK. So I imagined unsubscribing; I’ll just unsub again and keep better records.
After digging through the headers, I find the unsub link and dutifully mail off my unsubscribe request. I then receive an email that requires I click on a link to confirm my unsub request. This causes me to grumble a bit. I have heard all the arguments about forged unsub requests and the various reasons this is good practice. I believe none of them. Requiring people to confirm an unsubscription request is bad practice.
In this case, the mailing list is a discussion list so there is no CAN SPAM violation. However, I know that some commercial mailing lists have also implemented “confirm your opt-out request.” For commercial mailing lists, this is a CAN SPAM violation. It’s also just plain rude. If someone says, “Stop!” then you should stop, no questions asked.
