Table 1 – 15 USC 7701, et seq. (available at http://caselaw.lp.findlaw.com/casecode/uscodes/15/chapters/103/toc.html)

The Mechanism of Email Spoofing

Email spoofing or forging occurs when a user receives an email that appears to have originated from one source when it was sent from someone else.  Email spoofing is an attempt to trick a user into making a damaging statement, releasing sensitive information, and/or taking some other detrimental action.  SMTP (Simple Mail Transport Protocol, RFC 821) is a text based protocol where one or more recipients of a message are specified along with the message text and other encoded objects.  Each email header begins with a fieldname, which is always followed by a colon and a space, such as To: or Received:.  Any fieldname beginning with the prefix “X-“ is an optional field sometimes appended to the header of an email message by online email systems like hotmail.  The X- optional field (in some cases) identifies the sender of a given message (for example by providing the senders original IP address).

SMTP does not require that the address appearing after the From: field represent the actual sender.  SMTP does not check to see if the sender is using his or her own address, in some instances the SMTP service is configured verify the existence of the domain of the alleged sender.  The absence of verification within the SMTP protocol (or service configuration) makes it easy to for a bad actor (typically a disgruntled former employee) to spoof the sender of an email (i.e. pretending to be someone else whom he/she whishes to damage the reputation of).  The bad actor can simply telnet to port 25 of an SMTP server and directly enter the appropriate text commands, or the actor can obtain a program that will forge the message for the user automatically (e.g. Zmail).  Zmail is a python application that allows a user to send “emails from anyone, to anyone”, such a utility can be used with a script to send literally thousands of fake or anonymous emails. (see e.g. http://zmail.sourceforge.net/).  Making things even simpler for the bad actor: lists of open SMTP servers are easily obtained on the internet (open SMTP servers are servers that do not require authentication send messages).

Application of the CAN-SPAM Act to Cyber-Stalkers, Cyber-Bullies to Protect Private Email (or Corporate Email Systems)

CAN-SPAM generally allows an individual to opt-out of unsolicited email; however, the Act provides no other private right of action to regular citizens.  Other then the Department of Justice and the Federal Trade Commission, only Internet access services (IASs) have standing to sue for damages.  Interestingly, a rather broad interpretation has been applied by some Courts where the concepts of IAS and ISP (Internet Service Provider) are used interchangeably

Under Section 7702(11), “Internet access service” has the meaning given that term in 47 U.S.C. §23 1(e)(4) (“Section 231″).  Section 231 defines “Internet access service” as “a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers.”

The Ninth Circuit concluded that the legislative purpose of a statute is expressed by the ordinary meaning of the words used. Leisnoi, Inc. v. Stratman, 154 F.3d 1062, 1066 (9th Cir. 1998). The plain meaning of the statutory language is unambiguous; “Internet access provider” includes traditional Internet Service Providers (“ISPs”), any email provider, and even most website owners. See White Buffalo Ventures, LLC v. University of Texas at Austin, 420 F.3d 366, 373 (5th Cir. 2005); see also Hypertouch v. Kennedy Western, 2006 WL 648688 at *3 (N.D. Cal. Mar. 8,2006).

Courts have also defined services like FaceBook and MySpace as meeting the definition of an IAS provider under the CAN-SPAM Act  because these services provide access to content and communications between users for persons who access the Internet though an ISP. See MySpace, Inc. v. The Globe.com, Inc., Case No. 06-3391 (C.D. Cal. Feb. 27, 2007) and Facebook, Inc. v. ConnectU LLC, 489 F. Supp. 2d 1087 (N.D. Cal. 2007)

In one instance, the Western District Court of Washington in Gordon v. Virtumundo, Inc., Case No. 06-0204-JCC (August 1, 2007) refused standing to a Plaintiff that alleged harm of the type typically experienced by most e-mail users (the Court was especially dissatisfied with the Plaintiff’s serial litigation under the CAN-SPAM Act).  This case seems to be a rare exception to the general rule.

Most Courts define the term IAS broadly.  For example in Aitken v. Communications Workers of America, 496 F.Supp.2d 653, 182 L.R.R.M. (BNA) 2334 (E.D.Va.,2007.July 12, 2007), the Eastern District of Virginia held that an employer stated a claim for violation of the CAN SPAM Act based on pro-union emails to employees with misleading headers falsely indicating that they originated with the employer managers.  Based on the current case law it seems that almost any employer that operates their own email system can be considered an internet access provider.

Similarly in another recent case, Haselton v. Quicken Loans, Inc., Case No. C07-1777RSL (W.D. Wash., Oct. 14, 2008), the District Court of Washington defined IAS to include ISPs for purposes of the CAN-SPAM Act .  Significantly in this case the Court found that an IAS can be not only a company that provides end-users with a physical connection to the Internet, but any company that “enables access to content or information on the Internet” rather than to the Internet itself.  The Court ultimately found that a service that allowed users to access blocked websites on the Internet via the plaintiff’s proxy servers to be an IAS for purposes of the CAN-SPAM Act.  A “proxy server” refers generally to a computer system that runs an application or service (a program) that acts as a go-between for requests from client (the user) seeking resources from other servers on Internet (content).  Proxy servers can be used both filtering illegal or inappropriate web content or anonymize requests for files, web pages or other resource, available from a different server on the Internet.

          

Broad Definition of “Internet Access Service” (IAS) and Standing Under the CAN-SPAM Act of 2003 originally appeared on Law Blog 2.0 on July 22, 2009.