In July 2003, the Government adopted, at the Inter-Ministerial Committee for the Information Society, a series of measures to combat spam, the implementation of which was entrusted to the DDM. A contact group bringing together the main players in the Internet, both public and private, was set up. The work of this contact group has led to a concrete solution: a national platform for automatic spam reporting.
5. The legal framework: the US legislation on "spam"
Preliminary remark: measurement of "spam"
Several sources provide quantitative data on the phenomenon of spam:
- the FTC (Federal Trade Commission) has been regularly analysing its "spam box" called UCE (Unsolicited Commercial Email) since 1998;
- Internet and e-mail providers publish statistics on the impact of spam on their subscribers. Some spam technology providers do the same;
- independent consulting firms carry out studies on the extent of the phenomenon.
- "Anti-spam" legislation
By 31 December 2003, 36 of the 50 US states had passed specific legislation regulating the sending of unsolicited commercial electronic messages, or "spam".
Meanwhile, in 2003, the US Congress passed the first federal law to combat spam: the CAN-Spam Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act).
This federal law came into force on January 1, 2004.
- Federal or state level
Anti-spam laws have been adopted at both state and federal levels.
The CAN-Spam Act is a federal law that pre-empts the 37 existing state anti-spam laws, unless such laws prohibit the sending or transmission in emails of fraudulent or misleading content.
At the state level, the majority of anti-spam laws retain the mechanism of the a posteriori right of opposition ("opt-out") to receiving e-mails and condemn e-mail prospecting with a false or invalid sender address. These provisions have given rise to substantial litigation which has, in some cases, led to very heavy sanctions against spammers (cf. 7) Jurisprudence).
However, some states, such as California, have provided for an opt-in regime.
- Opt-in or opt-out approach
The CAN-Spam Act is based on the opt-out approach (right of opposition a posteriori).
Federal law allows the transmission of unsolicited commercial e-mails but requires that each commercial e-mail include a clearly identified opt-out mechanism that allows recipients to prohibit the sending of future commercial e-mails to their email address.
This opposition mechanism can take two forms:
- an e-mail address to which the addressee may reply;
- an internet response mechanism, such as a hyperlink to a web page that allows you to unsubscribe from a list.
This mechanism must work for at least 30 days after each message is sent and "opt-out" requests must be honoured within 10 business days.
Most commercial e-mails must also include, either in the subject or in the body of the message, a clear label stating that it is an advertisement or a solicitation.
All commercial mail must also contain the sender’s physical mailing address.
In addition, the following are illegal under the CAN-Spam Act:
- collection of consumer e-mail addresses from websites ("harvesting of emails");
- automated generation of possible e-mail addresses for the sender ("permutations emails");
- the use of programs to create multiple email accounts from which the sender sends messages.
Commercial e-mails that contain sexual references must include a sign or notice identifying them.
These emails must:
- contain the sign or notice defined by the FTC;
- respect the obligations to specify the commercial nature of the message, to allow the recipient to ask not to receive further messages of this nature, and to indicate a valid postal address.
The CAN-Spam Act finally prohibits unsolicited communications on mobile phones.
- The Do-Not-Email registry
The CAN-Spam Act gave the FTC the ability to create a "Do-Not-Email" list that would have worked like a phone red list. But the FTC report, delivered to Congress in June 2004, rejects the creation of this list, arguing that it would not reduce the amount of spam consumers receive, that it could even have the opposite effect, and that it would in any case be impossible to enforce effectively. The FTC recommended focusing anti-spam efforts on the creation of a powerful e-mail address authentication system that would prevent spammers from hiding their routing in order to avoid the anti-spam filters of access providers and law enforcement.
- Exceptions or derogations
There are two limiting exceptions in the CAN-Spam Act.
- within the framework of an existing commercial relationship:
that is, when the sending of e-mails completes, confirms or facilitates a previous commercial relationship between the sender and the recipient (invoices, account statements...). In this case, the messages must be truthful and contain the transmission information in their header, but are exempt from the requirements of the CAN-Spam law, and especially the "opt-out" mechanism.
- in the context of positive consent (opt-in):
that is, when the recipient has given its consent to the sender to receive commercial messages. In this case, the message does not need to include warning labels (labels indicating that it is a sexual advertisement or message) normally required by the CAN-Spam law for commercial messages. Nevertheless, all other requirements of the CAN-Spam law are maintained (opt-out mechanism, physical mailing address).
- Sanctions against spammers
Offences under the CAN-Spam Act:
- intentional falsification of the message header in order to mislead the recipient;
- concealment of the source of the message or the identity of the sender;
- the registration of more than 5 e-mail accounts with false information in order to send a commercial e-mail in violation of the law.
Penalties under the CAN-Spam Act can be up to 5 years in prison.
The CAN-Spam Act authorizes any attorney general of a state to bring an action against a spammer on behalf of the citizens of that state.
State Attorneys General are empowered to investigate, and to seek monetary penalties and/or penalties imposed by law, on behalf of the inhabitants of their respective states, for violations of the CAN-Spam Act.
The law provides for monetary penalties, up to $250 per illegal mail with a cap of $2 million per violation.
However, if the Court considers that the violation was committed knowingly and intentionally or if the "spammer" used tactics such as the automatic collection of addresses to generate an address list for an illicit campaign, penalties can be tripled.
- Bilateral or multilateral conventions/agreements concluded in the fight against spam
Although the Federal Trade Commission (FTC) has signed some bilateral cooperation agreements with Canada, the United Kingdom and Australia for consumer protection, the United States has not yet signed an agreement with other nations to combat spam.
Nevertheless, in December 2003, several British and American parliamentarians sent a joint letter to their respective governments, calling for a bilateral effort to combat unsolicited commercial electronic messages.
In addition, a bill pending before the US Congress should make it easier for the FTC to share information about investigations into fraudulent or deceptive marketing practices with foreign law enforcement institutions. Although spam is not the main subject of this law, it should facilitate international cooperation to strengthen "anti-spam" legislation.
The FTC has also established a working group of 136 members representing 36 states. This group holds a monthly conference call where members exchange information on the evolution of spam, technologies, investigative methods, targets and complaints.
The FBI had already set up, in collaboration with private companies, the SLAM-Spam project to fight spam. This project has made it possible to list around 100 important spammers, to identify sources of addresses for spammers, to identify "typical techniques" of spammers and to organize cooperation with other partners at federal or state level. The FBI also met with the G-8 group and Interpol.
Independent authority responsible for combating spam
The Federal Trade Commission (FTC) is usually responsible for regulating unfair trade practices in the United States.
Powers of injunction or sanction
- Competence to enforce the CAN-Spam Act under the FTC Act;
- special authority to make regulations to clarify or amend certain provisions of the CAN-Spam Act;
- power to investigate the feasibility of setting up a register: "Do Not Email";
- jurisdiction to seek criminal or civil penalties and restitution, including damages of up to $10,000 for each violation.
The latest FTC reports on spam in June 2005 show the growing importance of the authority:
- "the US Safe Web Act" is a legislative recommendation to Congress in which the FTC advocates in particular the adoption of a law entitled "Undertaking spam, spyware and fraud enforcement with enforcers across borders Act".
The text provides in particular for the possibility for the FTC to share with foreign authorities confidential information obtained during investigations relating to consumer protection. It aims to securely optimize the use of information held by a third party.
The law would strengthen its powers by allowing it to act in cross-border cases and participate in international networks against spam.
- "Subject line labeling as a weapon against spam" is a report to Congress in which the FTC does not recommend the obligation to indicate the advertising nature of an electronic message in the header.
- Actions: class or individual
Individuals receiving unsolicited commercial messages do not have the right to sue "spammers" under the CAN-Spam Act.
Their only recourse is to file a complaint with their state attorney general or the FTC.
The only private persons who can bring an action against "spammers" are Internet service providers (ISPs), to recover the losses caused by "spammers". However, the financial penalties granted at the criminal level are much lower than those obtained by State Attorneys General.
It should be noted that not-for-profit private law organisations are not entitled to act in the context of defending the interests of the recipients of "spam".
- Competent judge
In domestic law, actions against a "spammer" can be brought in any of the hundred federal district courts located in the country. In all cases where the Attorney General of a State has reason to believe that the interest of a national of that State has been or is threatened or affected by an act constituting a violation of the CAN-Spam Act, it may bring a civil action against the spammer on behalf of the State national.
- Governing law
Under domestic law, the CAN-Spam law is applicable to any e-mail sent from abroad to a Web user domiciled in the United States.
Investigative means to identify and combat spammers
Consumers and merchants can submit complaints about unsolicited commercial e-mails directly to the FTC by internet.
The FTC may decide to investigate and possibly take action if it is aware of significant and numerous complaints about a particular spammer. Sites are available for consumers to register their complaints against illegal electronic messages (example: http://www.atg.wa.gov/).
The ASTA (Anti-Spam Technical Alliance), a group of 6 major access providers including 5 American (Yahoo!, Earthlink, Comcast, AOL, Microsoft), offers recommendations via a good practice guide from June 2004.
ASTA recommends that consumers install virus protection systems (to limit zombies). It also recommends that internet service providers close open relays and port 25 (SMTP server, or Simple Mail Transfer Protocol), control outgoing traffic and block generators for the automatic creation of email accounts.
Associations working for the protection of private data (such as "Consumer Union" or "Electronic Privacy Information Center") try to convince Congress to adopt the opt-in system. "Consumer Union" also supports a Do-Not-Email list experiment with a coding system.
However, the CAN-Spam Act has received support from the direct marketing association ("Direct Marketing Association").
- The Ontario Superior Court ruled on a spamming case for the first time on July 9, 1999. It refused to convict a Canadian service provider that had closed the hosting account of a client company operating a site that had sent a mass shipment of unsolicited mail. The Court relied on the principles of "Netiquette" which, in its view, excludes the sending of mass mails, unless the service provider has contractually provided for it.
- The California Supreme Court also confirmed that the anti-spam law in force in this state did not violate the US Constitution (April 2002).
- In the State of California, an Internet company was ordered to pay nearly $4 million in damages to Microsoft by decision of 16 July 2003. Its spam, sent to MSN and Hotmail users, hijacked the trademarks registered by the American publisher.
- Similarly, a spammer was sentenced on 4 November 2004 to 9 years in prison in Virginia for sending hundreds of thousands of spam messages.
- However, a judgment of the Maryland judge of 15 December 2004 considered the anti-spam law of his state as unconstitutional, on the ground that it could not regulate a trade that is carried out outside the limits of the State.