Regulating Cyberspace: A Case Study in SPAM – Phase Two

Lydia Pallas Loren
Northwestern School of Law of Lewis and Clark College
(Created July, 1999, updated August, 2000)

Phase One | Phase Two | Phase Three

PHASE TWO: Regulating From The Top Down Through Statute

STEP ONE: The State Level

While OSPs have been quite successful in their suits against the senders of UCEs, the causes of action asserted are not air tight and would be extremely difficult for individuals to use because individuals do not experience the same level of mass mailings. Strong support for legislation banning, or at least regulating, UCE has resulted in the passage of several state laws in this area. Summarized below are three state laws aimed at curbing certain practices relating to UCE, although more than just these three states have passed this kind of legislation. (Summaries of all state laws regulating spam can be found at www.spamlaws.com). The full text of each of the three laws discussed here is hyperlinked as well.

 

California

California has adopted two different provisions concerning unsolicited email. The first, codified at Section 17538.4 of the Business and Professions Code, prohibits the sending of unsolicited commercial email that advertises the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit unless the sender has taken certain steps. First, the sender must establish a toll-free number or valid sender operated return email address that a recipient of the UCE can call or email to notify the sender not to email any further UCE. Cal. Bus. & Prof. Code § 17538.4(a)(2) (West 1998). Second, the recipient must include a statement informing the recipient of the toll-free number or valid return email address. That statement must be the first text in the body of the message and it must be of the same size as the majority of the text of the message. § 17538.4(b). In addition to including this information in the body of the message, California law also requires that every UCE must include "ADV:" as the first four characters in the subject line, or "ADV:ADLT" as the first eight characters if the material being advertised may only be viewed or purchased by someone who is 18 years of age or older. § 17538.4(g). Finally, once notified that an individual does not want to receive any unsolicited advertising material from an entity, that entity must not send any email to that individual. § 17538.4(c). Violations of section 17538.4 is a misdemeanor. Cal. Bus. & Prof. Code § 17534 (West 1998). In addition to Section 17538.4, California has given a weapon to on-line service providers through the adoption of section 17538.45. Cal. Bus. & Prof. Code § 17538.45 (West 1998). This section permits an OSP to bring suit against anyone who sends UCE via OSP equipment located in the State of California if the UCE is sent in violation of the OSP’s policy that either prohibits or restricts the use of that equipment to deliver UCE. § 17538.45(b)-(c)Only OSPs are authorized to bring suit, not individuals who receive UCE. Actual damages are recoverable or the OSP can elect to recover statutory damages in the amount of $50 per email message with a $25,000 per day cap. § 17538.45(f). While this law applies to subscribers of the OSP as well as to non-subscribers who are merely sending UCE "through" the California OSP’s equipment, in order to prevail the OSP must prove that the defendant had actual notice of: (1) the OSP’s policy on the sending of UCEs; and (2) the fact that the defendant’s unsolicited electronic mail "would use or cause to be used" the OSP’s equipment in California. § 17538.45(f)(3).

Washington

The Washington law on UCE prohibits the use of false or misleading information in the subject line. This law also prohibits the use of a third party’s Internet domain name without permission of the third party or otherwise misrepresenting or obscuring any information in identifying the point of origin of the transmission path of the UCE. Wash. Rev. Code §§ 19.190.005-.050 (1998). The law only applies to email that is initiated from a computer located within Washington or to an electronic mail address that the sender knows or has reason to know is held by a Washington resident. Unlike the California sections concerning UCE, the Washington law neither provides for criminal prosecution, nor does it limit the cause of action to OSPs. Washington permits the recipient of an email sent in violation of the Washington law to sue and recover $500 or actual damages; OSPs can recover actual damages or $1,000. Additionally, Washington law expressly authorizes OSPs to block UCEs that the OSPs believes violate the law and exempts OSPs from liability for such blocking activity.

 

Virginia

Virginia has approached the issue of UCE by defining certain types of UCE to constitute "computer trespass" and thus unlawful under that state’s computer trespass statute. Va. Code Ann. § 18.2-152.4. UCE will only constitute computer trespass if, in connection with the transmission of unsolicited bulk electronic mail, the sender falsifies or forges the electronic mail transmission or other routing information. § 18.2-152.4(A)(7). A unique aspect of the Virginia law is that it also makes it a criminal violation to sell or distribute software designed for facilitating the sending of mass UCE with false electronic mail or routing information. § 18.2-152.4(B). Violation of either of these provisions is a class 3 misdemeanor. Additionally, malicious violation which results in damages over $2,500 is a felony. §18.2-152.4(C). The statute also provides for a private right of action by individuals or on-line service providers. § 18.2-152.12. Plaintiffs may seek actual damages or may elect statutory damages of the lesser of $10 per message sent or $25,000 per day, plus attorney’s fees.

 

 

NOTES, COMMENTS, AND QUESTIONS:

1. Prohibiting falsification of return address. UCE can be even more burdensome if the sender falsely identifies the account or server from which the messages are sent. This false information is then used by computers for various purposes, including sending notification of undeliverable addresses to the listed "sender" of the original UCE message. If the sender identification is incorrect, these undeliverable messages then burden the falsely used account or service provider. If the false account or service provider do not exist, the situation can become even worse. In attempting to send an "undeliverable" message to the false sender, an error message may be generated, indicating that the "undeliverable" message was, itself, undeliverable! All of this results in multiple messages, in addition to the original UCE message. The falsification of return email addresses was part of the problem in the CompuServe v. Cyber Promotions case.

Those who send UCE falsify the return address for various reasons, as discussed in the introduction to this module. Falsification helps to avoid filters that might otherwise block the messages. If a false return address is given not only does the message pass through the filters, but it is quite possible that the falsified address will be subject to filtering in the future, despite the fact that the no UCE has ever actually been sent from that server or by that account holder. Falsification also helps the sender of the UCE avoid the retaliation that is sometimes targeted at the sender of UCE. If a false address is given, recipients of UCE cannot tell the true origin and may bombard the account and/or server with nasty emails, or even worse, email bombs or viruses. The actual sender avoids the wrath of cybercitizens who have taken justice into their own hands It is important to note that retaliation in the form of email bombing, SYN floods, Denial of Service attacks, or hacking into the sending computer, even if the target is the true originator of UCE, will often constitute a federal offense under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. as well as many state laws.

Because of the multiple problems created by falsifying information, most legislation directed at UCE, at a minimum, prohibits such falsification. As noted above, California requires a valid, sender operated return email be listed in any UCE or a toll-free number. Also, in California knowingly using the Internet domain of another in connection with the sending of email messages without permission is a violation of the California Penal Code if it causes damage to a computer, a computer system or a computer network. Cal. Penal Code § 502(c)(9) (West 1998). So long as there is no injury, the penalty for a first offense is $250. Violations that result in injury or repeat offenders are subject to a fine of up to $5,000 and/or imprisonment in a county jail for up to one year. § 502(d)(4). The major portion of the Virginia statute concerning UCE and the Washington statute are both directed solely at falsification in commercial email messages.

If falsification is eliminated, has the UCE "problem" been solved?

2. Facilitating the use of filters. One approach to dealing with UCE has been to use various filtering technologies. Filters can be set up in most email programs by individual email account holders. For example, if I prefer to not read any email sent by a certain individual whose email account is "johndoe@aol.com", I can program my mail program to delete all mail that contains johndoe@aol.com in the "from" line. If I wanted to, I could also set my filter to delete all messages that contained "@aol.com" in the "from" line, thus filtering out all email from any AOL account. Filters can also be set up at the server level. An OSP might determine that all mail coming from a particular account, or even a particular domain name, is UCE and none of that OSPs customers want to receive UCE. The OSP could then filer all mail sent from that particular location.

This system of filtering works well on two conditions. First, all senders of UCE must be known so that the filter can be put in place. Second, all senders of UCE must accurately identify the origin of the message. Assuming the law will provide effective deterrent for falsification, thus satisfying the second condition, the real problem is the first condition. Not all senders of UCE are known, or can ever be known. New UCE senders arrive in cyberspace everyday. Relying on filters based on the origin of the message will not be a complete filter of UCE. Thus, some of the new laws proposed and the one enacted by California, are designed, at least in part, to facilitate the use of filters. California requires that the first characters of the subject line of all UCE messages be "ADV:" and if the product or service being advertised is directed at adults, the first characters must be "ADV:ADLT". If all UCEs are required by law to include these characters, then setting up a filter to delete all message that contain those characters in the subject line will filter all UCE except those that are violating the law. In this way, the California law facilitates a technological solution to the UCE problem. But this technological solution would not work effectively without the assistance of the law.

Finding ways in which the law and the technology can work together to solve a problem can be an effective way of regulating cyberspace activity. Enforcement, however, may still be a problem. See note 6, below. As you study law in cyberspace, consider ways in which the requirements of the law could facilitate a technological solution to a problem.

3. Opt-in v. Opt-out. While UCE is almost universally loathed, some people are interested in receiving email offers of new products or services. The marketers who would like to continue sending UCE point to these individuals as a reason why UCE should not be completely prohibited. Legislators have been receptive to the idea of developing a way to permit mass emailers to continue sending email to those who desire it. A major issue has been whether to use an "opt-out" or "opt-in" system.

In an "opt-in" system, individuals would have to take an affirmative step to be included on a list of those to whom UCE can be sent. Most of the laws proposed or enacted actually include a variant of an "opt-in" system. The opt-in nature of these laws is typically embodied in the definition of what is an unsolicited commercial email. For example, the California law is directed at "unsolicited e-mailed documents" which is defined to not include email sent to a recipient with whom the sender has an existing business of personal relationship, or email sent at the request of, or with the express consent of, the recipient. Therefore, if individuals have requested to receive the messages, i.e., opted-in, by definition the sender is not sending unsolicited email. Virginia law also only places restrictions on "unsolicited" electronic mail. While that statute does not provide a definition of "unsolicited" it does state that "(t)ransmission of electronic mail from an organization to its members shall not be deemed to be unsolicited bulk electronic mail," thus indicating that mail sent to individuals with whom the sender has some kind of connection were not intended to be encompassed within the restrictions.

While these laws do embody some form of opt-in provisions, they are not a true opt-in system because they do not take the next step of placing an absolute ban on the sending of email to recipients who have not opted-in. Under these laws, individuals who have not opted-in can still be sent UCE. What these laws provide are certain restrictions with which the sender must comply in order to legally send the UCE to those who have not opted-in. These restrictions include, for example, no falsified return addresses and, in California, inclusion of "ADV:" as the first four characters of the subject line.

The California law is more accurately characterized as taking an "opt-out" approach. Individuals who do not want to receive additional UCE from any particular sender can either use the toll-free number or the valid sender operated return email listed in any UCE to notify the sender to not send anymore UCE to that individual. Under California law it is a crime to then send UCE to a person once that notification has been given. This is a type of "opt-out" scheme. A more universal "opt-out" scheme would provide for the creation of a master list of email addresses that do not wish to receive any email and then require that senders of UCE abide by that list. Oregon, for example, has an opt-out system in place for telephone solicitation. Individuals may request identification in the telephone directories that they do not wish to receive telephone solicitations. Someone engaging in telephone solicitations of such an individual is guilty of an unlawful trade practice and subject to fines up to $25,000, plus attorney’s fees. Or. Rev. Stat. § 646.569 (1998).

Which is a more appropriate approach to UCE: opt-in or opt-out? Should the law have both an opt-in and an opt-out provision, or is one enough? Is your evaluation affected by your bias toward UCE?

4. Industry specific regulation of UCE. In addition to laws of general applicability, different industries may develop their own regulations concerning UCE. Lawyers are not immune to the regulation of their email. Indeed, it is generally accepted that the first case of mass scale spamming was by lawyers. In April 1994, the husband and wife immigration law team of Laurence Canter and Martha Siegel posted advertisement messages to over 6,000 USENET groups offering assistance in the "green card lottery." Their actions created the first uproar over spam.

One way to regulate the email practices of lawyers is through the rules of ethics of each state. At least one state has incorporated into its ethics rules provisions regulating unsolicited emails sent by lawyers. In Oregon an unsolicited email communication to someone who is known to be in need of legal services on a particular matter must include the word "Advertisement" in type that is larger and darker than the type of the email message, or if that is not possible, it must be set-off from both the beginning and end of the message. Oregon Code of Professional Responsibility, DR 2-101(H). While not required in the subject line of the email, the mandated inclusion of the word "Advertisement" in the body of the text could be used as a basis for filtering, as discussed in note 2.

5. Constitutional Problem 1: First Amendment. Unlike the situation in the CompuServe v. Cyber Promotions case, the state laws summarized above all involve government action directed at regulating a certain type of speech. In the United States, when government regulation is involved, the requisite state action is present to trigger the prohibitions of the First Amendment. Indeed all of the Internet, because it is communication in one form or another, is speech. Thus attempts at regulation of any activity in cyberspace, in the United States, will almost always raise potential First Amendment problems. This does not mean that regulation cannot occur, but that such regulation must pass First Amendment muster. Understanding the tests that are applied to determine whether any particular regulation violates the First Amendment requires study of that body of law which is covered in the module on The First Amendment in Cyberspace. When considering regulation directed at UCE, remember that such activity is, mostly likely, commercial speech which must be analyzed under Supreme Court jurisprudence relating to commercial speech. See note 2 to Unit 5 in the module on the The First Amendment in Cyberspace [Link]. See also, Joshua A. Marcus, Commercial Speech on the Internet: Spam and the First Amendment, 16 Cardozo Arts & Ent. L. J. 245 (1998).

6. Constitutional Problem 2: Due Process and Jurisdiction. Regulation of any activity in cyberspace is only as effective as the jurisdiction to enforce that regulation. When a state attempts to enforce its laws, a court must first determine whether it has jurisdiction over the matter. Both personal jurisdiction and subject matter jurisdiction must be satisfied.

In the United States, personal jurisdiction over defendants in criminal cases is typically a matter of obtaining physical custody of the person to be charged. Determining personal jurisdiction over out-of-state defendants in civil cases is governed by state long-arm statutes and, ultimately, by the Due Process Clause of the Constitution. The requirements of Due Process and fundamental fairness are more fully explored in the module on Jurisdiction in Cyberspace.

In civil cases, a court may exercise personal jurisdiction over a nonresident defendant only if there are sufficient "minimum contacts" between the defendant and the forum state. If a defendant has "purposefully availed" himself of the forum state, minimum contacts exist. Consider the court’s statement in CompuServe v. Cyber Promotions that the defendants' contact with plaintiff's computers was "clearly intentional" and that "[a]lthough electronic messages may travel through the Internet over various routes, the messages are affirmatively directed to their destination." Does this mean that senders of UCE have "purposefully availed" themselves of the forum of each and every state in which recipients of their messages are located and are thus subject to that state’s jurisdiction?

A court must also consider the subject matter jurisdiction for the matter at issue. The subject matter jurisdiction of the court is governed by federal and state rules dictating which laws the various courts are competent to adjudicate. When discussing subject matter jurisdiction in cases involving cyberspace activities it is also important to consider whether the state has the authority to regulate the activity in question; does that activity come within the jurisdiction of that state, or is the state attempting to regulate activity occurring extra-territorially. Because of the non-physical nature of cyberspace, out of state defendants often assert that the state is attempting to enforce its laws beyond its borders. State will argue that they are merely trying to enforce their laws against out-of-state defendants because the defendant’s actions have an effect within the territory of the state .

The various state laws that have been passed concerning UCE each specify the activity that the statute attempts to reach. For example, in California the law provides that it "shall apply when the unsolicited e-mailed documents are delivered to a California resident via an electronic mail service provider's service or equipment located in this state." Washington, on the other hand, specifies that its regulation is directed at those who initiate transmission of UCE from a computer located in Washington or "to an electronic mail address that the sender knows, or has reason to know, is held by a Washington resident." While a sender of UCE can easily determine whether they are initiating a transmission from computer located in Washington, determining the residence of any particular UCE recipient is an entirely different matter. Washington’s law softens this requirement by insisting on knowledge on the part of the sender, but Washington’s law also provides that knowledge that the recipient is a Washington resident shall be attributed "if that information is available, upon request, from the registrant of the Internet domain name contained in the recipient’s electronic mail address." California’s law does not require that the sender know the recipient is a resident of California.

Does Washington’s law comply with the requirements of the Due Process Clause? How about California’s law? Is the problem one of subject matter jurisdiction or personal jurisdiction?

7. Constitutional Problem 3: Commerce Clause. The Commerce Clause of the United State Constitution gives Congress the power to regulate interstate commerce. However, this clause also has been read to have a reverse side to it, referred to as the "dormant commerce clause." The dormant commerce clause is a phrase used to describe the implication of the Commerce Clause that individual states may not regulate interstate commerce, and that state regulation of commerce occurring within that state may not unduly burden interstate commerce. Because of the interstate (and international!) nature of cyberspace, any regulation of activity in cyberspace by states is subject to attack on dormant commerce clause grounds. Dormant commerce clause attacks on state regulations of cyberspace activity have been successful in other contexts. See American Civil Liberties Union v. Johnson, 1998 U.S. Dist. LEXIS 9849 (June 30, 1998) (enjoining enforcement of New Mexico’s Communications Decency Act-style law); American Library Association v. Pataki, 969 F. Supp. 160 (S.D.N.Y., 1997) (enjoining enforcement of a New York cyber pornography law) available at: <http://www.aclu.org/court/nycdadec.html >, see also Dan L. Burk, Federalism in Cyberspace, 28 Conn. L. Rev. 1095 (1996) {copies of this article may be obtained in .pdf format from available through SSRN}. Both the Washington and California Spam laws have been held by lower courts to be unconstitutional on dormant commerce clause grounds. See Washington v. Heckel (King County Court, March 2000); Ferguson v. Friendfinder, (San Francisco County Court, June 2000) http://www.law.washington.edu/LCT/lctnews.html . The Washington Attorney General's office has requested the Washington Supreme Court review the lower court's ruling (see statement).

Merely because a state regulation impacts interstate commerce, however, does not automatically make the law unconstitutional. In Pike v Bruce Church, 397 U.S. 137 (1970) the Supreme Court laid down the balancing test used to judge facially neutral regulations that affect interstate commerce. Pike requires a two fold inquiry. The first level of examination is directed at the legitimacy of the state's interest served by the regulation at issue, while the second level weighs the burden on interstate commerce in light of the local benefit derived from the statute. This balancing of interests seeks to determine whether the burden on interstate commerce created by the law at issue is justifiable given the local benefits derived from the law. Only if the legitimate local benefits outweigh the burden on interstate commerce will the statute pass constitutional muster.

How might you build a case either for or against the constitutionality on dormant commerce clause grounds of the various state laws summarized above?

A state regulation can also burden interstate commerce by creating inconsistent requirements, or even the possibility of inconsistent regulation. The classic examples of individual state regulation that is inconsistent with the encouragement of interstate commerce is the requirement of certain types of mudguards on trucks, Bibb v. Navajo Freight Lines, Inc., 359 U.S. 520 (1959), and state regulation of the maximum number of freight and passenger cars allowed in any railroad train, Southern Pac. Co. v. Arizona ex rel. Sullivan, 325 U.S. 761 (1945). The Internet poses new challenges for state regulation. Addressing the potential problems of inconsistent state regulation, one court stated:

  • The courts have long recognized that certain types of commerce demand consistent treatment and are therefore susceptible to regulation only on a national level. The Internet represents one of those areas; effective regulation will require national, and more likely global, cooperation. Regulation by any single state can only result in chaos, because at least some states will likely enact laws subjecting Internet users to conflicting obligations.

    American Library Association v. Pataki, 969 F. Supp. 160 (S.D.N.Y.1997) available at: <http://www.aclu.org/court/nycdadec.html>

  • Does this mean that all state regulation of Internet activity is unconstitutional?

     

     

    STEP TWO: The Federal Level

    After considering the problems with state regulation of UCE, the next logical place to consider regulation is the federal government. For the past several years, bills have been introduced in the United States Congress concerning UCE. These bills have taken various approaches to regulating UCE. The approaches in these bills have ranged from amending the federal prohibition on sending "junk faxes," 47 U.S.C. § 227 (1994), to include UCE, to creating elaborate regulatory mechanisms for policing those who send UCE through a governmental agency such as the Federal Trade Commission. Absolute bans have also been introduced. See, e.g., Netizen’s Protection Act of 1997, H.R. 1748, 105th Cong. (1997). Several different bills with different approaches have been introduced in Congress.

     

    Unsolicited Commercial Electronic Mail Act of 2000

    In July, 2000 on July 18th, the US House of Representatives passed HR 3113, the "Unsolicited Commercial Electronic Mail Act of 2000", in a vote of 427-1. This legislation was the product of extensive negotiations between consumer groups, Internet Service Providers (ISPs), e-commerce businesses, and direct marketers. The key provisions of HR 3113 include:

     

    Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2000 [it spells "CAN SPAM" in case you were wondering]

    On May 11, 2000 the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2000" was introduced in the Senate, S.2542. Like H.R. 3113, this Senate bill prohibits the use of false return addresses, requires senders of UCE to inform recipients of the ability to "opt-out" of receiving further emails, and requires senders to adhere to requests by recipients to opt-out. This bill also makes the distribution of spam enabling software unlawful. Additionally, under this proposed law ISP would be able to"decline to transmit unsolicited commercial e-mail messages to its subscribers without compensation from the sender." The FTC would be given enforcment authority, as would state attorney generals in certain circumstances. ISP would also have a private cause of action, however individuals would not.

     Inbox Privacy Act of 1999

    Introduced by Senator Frank Murkowski, S. 759 would prohibit the sending of unsolicited commercial email messages to those who have notified the sender that they do not wish to receive such messages. Under this law, a person who secures a good or service from, or otherwise responds electronically to an offer in a commercial electronic mail message shall be deemed to have constructively authorized the receipt of unsolicited commercial email from the provider of the good, service, or offer. Unique to this law is a domain name wide opt-out provision, permitting the owner of a domain name to chose to be included on a list that would be maintained by the Federal Trade Commission and posted on the web. Sending unsolicited commercial email to any accounts on domain names contained on that list would be a violation of federal law. While the opt-out list is for domain name only, if the domain name is an Internet service provider, individual account holders may elect to receive UCE. Internet service providers who have opted out would be required to maintain a list of those subscribers that have chosen to continue receiving UCE. As of July 1999, the bill does not specify how such a list of account holders is to be made available, but rather leaves it to the FTC to promulgate rules.

    Is this combination system of domain name wide opt-out and individual account holder opt-in a good compromise between the competing interests at stake?

    As with other laws directed at UCE, the Inbox Privacy Act of 1999 requires senders of UCE to clearly and accurately identify themselves and the routing information, and to indicate that recipients can notify the sender that they do not wish to receive additional UCE from that sender. This act, however, specifies the procedure recipients and senders are supposed to follow: a recipient would send a message with the word "remove" in the subject line. Why might such a uniform procedure be beneficial?

    Enforcement of this act is three-fold. First, persons who believe the Act has been violated could submit complaints to the FTC that would then investigate and prosecute violations. This Act would also give increased authority to the FTC to regulate commercial email practices through rules adopted by that agency. Second, states would also be permitted to bring actions for violations of the Act if the interests of the state were being adversely affected. Finally, on-line service providers could bring a civil action against violators. Remedies for such private actions include injunctions, damages of up to $50,000 per day of violation, and attorney’s fees. Are all three of these enforcement mechanisms necessary?

     

    Can Spam Act (House version of the "can spam" act)

    Introduced by Representative Gary Miller, H. R. 2162 prohibits the transmission of UCE to a provider that is in violation of the provider’s policy. In addition to posting the policy on the provider’s website, this Act provides for some technical mechanisms with which a provider must comply. A provider that has a policy banning UCE must include

  • "in the initial banner message that is automatically transmitted upon the establishment of a connection to any standard port for accepting electronic mail of any mail host designated to receive mail for the provider (which connection results from an attempt to send any electronic mail), of a textual message reading `NO UCE'" H.R. 2162, 106th Cong. (1999).
  • Enforcement of the prohibition on UCE is through civil action. However, only electronic mail service providers who suffer damage or loss by reason of a violation may bring a civil action for relief. In this case, is the law facilitating a technological solution, or dictating one?

    The Can Spam Act also creates a new federal crime. Anyone who "knowingly and without authorization uses the Internet domain name of another person in connection with the sending of one or more electronic mail messages and, as a result of such conduct, causes damage to a computer, computer system, or computer network" would be violating federal law. This provision would be an amendment to the Computer Fraud and Abuse Act, 18 U.S.C. § 1030.

      

    NOTES, COMMENTS, AND QUESTIONS:

    1. Federal and state regulation? All of these proposed federal laws would be in addition to the state laws that are already in place. Should federal and state law be permissible? What types of problems might exist with both layers of regulation? Both the Unsolicited Commercial Electronic Mail Act of 2000 and the Senate Can Spam Act have express preemption provisions that preempt state law causes of action that would be inconsistent with the federal law, although they both expressly exclude from preemption actions for tresspass and computer fraud and abuse claims. California has its own provision indicating that it will no longer be effective if federal legislation regulating UCE is adopted. Is the California provision necessary? Who decides whether both federal and state regulation is compatible or appropriate?

    2. Junk mail and junk fax comparison. There is no federal law banning sending of unsolicited postal mail, often referred to as junk mail. Over the course of a year individuals receive can receive hundreds and even thousands of pieces of junk mail. From an environmental impact perspective, this type of mail is much more damaging. Consider the tremendous amount of paper and ink wasted in printing, not to mention the environmental costs of the fuel required to run the plants that print them and the fuel required to deliver the tons of mail across the country. Should we be encouraging email as an environmentally friendly alternative and considering bans on junk mail? Or, is there a difference between the costs of these two forms of advertising?

    When faxes became a popular means of business communication, thousands of marketers used the opportunity to advertise their products by faxing information to potential customers. Federal law was enacted to stop this practice. See David Sorkin, Unsolicited Commercial E-Mail and the Telephone Consumer Protection Act of 1991, 45 Buff. L. Rev. 1001 (1997). Is UCE more like junk faxes, which have been prohibited, or more like junk mail, which has proliferated?

    3. Enforcement and the international nature of cyberspace. As with state law, if federal law were enacted, enforcement would become a critical issue. Many argue that federal law will merely cause senders of mass UCE to merely move off-shore, beyond the reach of federal legislation. While some believe the risk of such off-shore emailers is not that great, see, e.g., Unsolicited Commercial Email, Quick FAQ <http://www.cauce.org/faq.shtml#offshore> the possibility raises one of the most difficult issues in government regulation of any activity in cyberspace. Because the Internet connects people from all over the world, any one country’s laws cannot govern all of cyberspace. Regulation of cyberspace activity boils down to the ability to enforce that regulation. The United States cannot enforce its laws against an individual living in Turkey, unless, in criminal cases extradition can be obtained. In civil matters, a due process and fundamental fairness analysis will be employed. Even if a court finds that personal jurisdiction over a Turkish resident is appropriate, enforcement of any monetary judgement would turn on the finding assets located in a country willing to recognize the validity of the judgment entered by the U.S. court.

    An alternative is to have international treaties relating to the governance of cyberspace activity that are, in turn, enforced by each country. This would still relegate lawsuits to the judicial process of the country in which the defendant is located, or at least to countries in which the defendant is legitimately subject to jurisdiction.

     

    STEP THREE: The International Level

    The United States in not the only country that is attempting to regulate the sending of mass commercial emails. In Europe, the European Commission adopted Article 10 of the Directive of 20 May Concerning Distance Contracts (97/7/EC 23) relating to UCE. This is the same approach that is used toward junk telephone solicitors in Europe. Article 10 directs member countries to provide for a basic opt-out system for UCE, although it leaves the details of that system to each member state. Member states are in the process of adopting conforming legislation. Article 14 of that Directive permits member states to adopt provisions that are more stringent than the minimum required by the treaty.

    The European Union provides, on a small scale, an example of countries harmonizing their laws relating to the regulation of activity in cyberspace. Is the European approach to regulating UCE on that could be implemented on a larger scale?

    Go to the next unit of this module
    Return to the Main Module page
    Return to the Learning Cyberlaw homepage