spf-discuss

RE: Re: Interaction with anti-spam systems

2004-08-08 11:05:05
Seth Goodman wrote on August 8, 2004 at 5:02 AM

This law has yet to be passed, it appears to directly
contravene the intent of the Federal Legislation, and even
if it didn't, it will have to withstand lengthy and
aggressive court challenges by the DMA, the author of the
original legislation.  

For those who are following this discussion, the specific
law Seth and I are referencing is found here:

http://info.sen.ca.gov/pub/bill/sen/sb_1451-1500/sb_1457_bill_20040805_amended_asm.html

This bill does not generally regulate commercial email but
rather specifically:

prohibits falsity or deception in any portion of a
commercial electronic mail message or information attached
thereto.

It therefore clearly falls within the stated exception
found in sub-paragraph 8 (b) (1) of the CAN SPAM Act of
2003. 
http://www.learnsteps4profit.com/antispamus.html 

IMHO any attempt by the DMA to challenge the validity of
this legislation would fail.

Having said this, the bill is presently before the
California State Assembly Appropriations Committee. Whether
it will make it to a vote is unclear.

I am simply pointing to the California bill as the type of
legislation a State could pass if a State legislature had a
mind to act in this fashion.

Another type of legislation the States are passing using
the same exception in the CAN SPAM Act of 2003 can be found
here:

http://mlis.state.md.us/2004rs/billfile/hb1320.htm

(This law is modeled on Virginia's law which survived
passage of the CAN SPAM Act of 2003.)

- and -

Maryland Lawmakers Pass Anti-Spam Bill:
http://www.internetnews.com/ec-news/article.php/3339971

While in general, the federal CAN-SPAM Act pre-empts state
laws, said Maryland State Delegate Neil Quinter, co-author
of the bill, "There's a specific carve-out for state laws
addressing falsity or deception in spam e-mails. We drafted
the legislation carefully to fit within that carve-out."

Quinter and co-author State Senator Rob Garagiola said that
such state laws provide another set of potential enforcers
for the law. "We've empowered everybody up and down the
state of Maryland," Garagiola said. While CAN-SPAM allows
state attorneys general to file actions, Maryland's bill
allows prosecutors at the city or county level to join in
the fight.

Seth Goodman goes on to write:

You are also well aware that the rush to get CAN-SPAM
passed was due to the California law that was extremely
similar to the one that you refer to. Congress fully
intended to prevent States from enacting this type of law.
Whether California will win on some technicality is yet to
be seen.

The California law which Congress "rushed" to pre-empt at
the urging of the DMA regulated commercial email in a
general fashion.

As I note above, the law which is presently before the
California assembly does not generally regulate commercial
email, but merely 

prohibits falsity or deception in any portion of a
commercial electronic mail message or information attached
thereto.

There is a reason why there is a strong similarity between
the proposed California bill and the CAN SPAM Act of 2003.

The Federal law states that it generally regulates commercial
email.

However, the underlying thesis behind the Federal law is
that the problem with UCE is the:

falsity or deception in any portion of a commercial
electronic mail message or information attached thereto.

This is what comes through from the testimony of Muris
before the US Senate in May. 

This view is reinforced by rather candid comments made by a
representative of the FTC during a panel discussion on the
Federal law at the In Box Event in June.

Michael Goodman, a staff attorney for the FTC, was one of
the panellists.

An attendee at the InBox Event published his notes from the
whole event as a blog.
http://inbox2004.blogspot.com/2004/06/can-spam.html 

We find the following exchange:

"Trevor: given the persistence of all deceptive practices,
is can-spam the right mechanism to handle this? how do we
deal with volume? 

Michael: deceptive claims in email makes clear that this
practice is already prevalent in the industry. this is why
opt-in wasn't the answer. a legislative response is not the
answer to reducing volume. 

Ted: folks are already breaking the law. don't confuse only
deceptive practices as being all spammers. there are plenty
of folks who follow the law who are spamming. 

Ted: legislation will not stop all spam. it may deter it
some. JunkFAX law solved a big problem, but there are still
those who send junk faxes. 

Barb: EU privacy legislation doesn't seem to have affected
the amount of junk mail coming from the EU." 

For reference purposes, Trevor is Trevor Hughes, executive
director of the Email Service Provider Coalition. 

He chaired the panel. 

The three panellists were: 

Michael being Michael Goodman, a staff attorney with the
FTC 

Ted being Ted Gavin, Secretary and Chief Financial Officer,
The Spamcon Foundation 

- and - 

Barbara being Barbara Lawler, Chief Privacy Officer,
Hewlett Packard 

As such, it can be said almost all of the prohibitions in
the Federal law are aimed at preventing this form of
behaviour. 

However, this points to the fundamental flaw with the CAN
SPAM Act of 2003, being the refusal to use the law as a
means to control volumes.

This view is reinforced by the experience in Australia.

As to my comment:

On this point the jury is still out, but given what has
transpired to date, especially since the passage of the CAN
SPAM Act of 2003 there is cause for scepticism.

Seth wrote:

I'm glad that you are at least sceptical.  There are seven
months of history since the new law was passed.  How long
should we wait before saying, "nothing is happening"?  Does
this have to be like the tobacco situation or global
warming where some people maintained, "there is still no
absolute proof of a link between ... ".  I guess that's
what you say when all the evidence points against you.  You
claim all the evidence is not yet in. 

In response I will simply say, when I write:

On this point the jury is still out, but given what has
transpired to date, especially since the passage of the CAN
SPAM Act of 2003 there is cause for scepticism. 

I am simply being polite and restrained in my comment.

John

P.S. As to your suggestion the Federal law makes
unsolicited commercial email "legal," the counter argument
to this position is the provision in the Act which reads:

Nothing in this Act shall be construed to have any effect
on the lawfulness or unlawfulness, under any other
provision of law, of the adoption, implementation, or
enforcement by a provider of Internet access service of a
policy of declining to transmit, route, relay, handle, or
store certain types of electronic mail messages.

See paragraph 8 (c) of the CAN SPAM Act of 2003.
http://www.learnsteps4profit.com/antispamus.html

My position is that an emailer who sends commercial email
without "affirmative consent" as that phrase is defined in
paragraph 3 (1) of the Act, is sending unsolicited
commercial email or spam.

(This is also the view of the FTC.)

However, Internet access services are free to establish:

a policy of declining to transmit, route, relay, handle, or
store certain types of electronic mail messages.

Therefore, before one can initiate the transmission of
commercial email without "affirmative consent" the emailer
needs to verify whether his, her or its Internet access
service has an acceptable use policy which allows such
behaviour.

Since almost all Internet access services in North America
have policies which prohibit the use of their network to
transmit, route, relay, handle or store unsolicited bulk
email, the quickest way to control UBE volumes is for all
Internet access services to adopt and enforce such a policy.

Unfortunately, I am aware of a number of cases where
Internet access services in North America hold themselves
out as having such a policy, but in reality do nothing to
enforce it, being more interested in selling bandwidth than
stopping UBE.

This in turn makes a mockery of the situation. It also
reinforces the fundamental flaw with the present
legislative solution.

Having said this, my understanding is that another reason
why Congress was reluctant to pass a law which prohibited
the sending of unsolicited commercial email was concern
over the free speech argument and whether such a ban would
survive a Court challenge.

Yes, I know ... but, I am simply reporting my understanding.

In essence, by passing the present law and asking for a
review by the FTC within 2 years, Congress said to the DMA,
the large ISPs and Microsoft:

Okay you folks say you can control unsolicited commercial
email volume. Fine. We will give you that opportunity. But,
if you can't we reserve the right to revisit the issue.

See section 10 (a) of the Act.
http://www.learnsteps4profit.com/antispamus.html

Even though SPF and more importantly Sender-ID are
technical means to control anti-spoofing and anti-phishing,
we now see published reports such as the following:

Dave Anderson, CEO of Sendmail, told ComputerWire yesterday
that in less than twelve months he expects a coalition of
companies to announce that they will ask those sending
email to them to have implemented authentication.

Asked about Bill Gates' prediction that spam would be
licked by January 2006, Mr Anderson said: "I think that
deadline is too long. I think that six months from now
we'll look back and say 'Spam was really annoying, but
fraud is now killing email'."

Email authentication set for steep adoption curve?
http://www.cbronline.com/article_feature.asp?guid=B8E3E739-87E3-40DD-80F8-36F27656FFD6

My own view? Although I firmly believe sender
authentication is a part of the solution:

* There seem to be a number of potential security problems
with Sender-ID as discussed on the MARID working group
mailing list.

(On this point, the WG chairs have agreed to solicit peer
review of the operational and security aspects of Sender-ID
from the IETF graybeards which may help to flush out any
issues and point to possible resolutions.)

* To date there have been no large scale tests conducted of
Sender-ID to validate the veracity of the various
hypotheses behind the proposed PRA algorithm.

(Having said this, I note at least one large American ISP
has offered to conduct such tests involving both Sender-ID
and CSV. The results of these tests may help to clear the
air.)

* To date we have no confirmation of the willingness to
include in either MARID protocol or core the explicit
requirement of a MAIL FROM spoof check before doing a PRA
check.

(In my view this is both appropriate and required given
that Submitter will not be fully implemented for a number
of years.)

* The ongoing issues surrounding MS's need for a defensive
patent claim, while requiring developers to sign a royalty
free license which at present is not compatible with the
needs of the open source community.

(MS has until August 23 to fully state its position. At
this juncture, one can only hope that the MS lawyers will
come forward with a workable solution.)
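To make the third point above concrete, here is a small added illustration (mine, not code from the MARID drafts, Sendmail or any SPF implementation) of a receiver that checks the SMTP MAIL FROM domain against its SPF record first and only proceeds to pick and check the Purported Responsible Address when that envelope check did not fail. The SPF evaluator is deliberately reduced to ip4 mechanisms and the "all" terminator, the PRA header order follows RFC 4407 with its Resent-From refinement left out, and the TXT records, IP addresses and message headers are constructed documentation values rather than anything observed on a real network.

```python
import ipaddress
import re

# Constructed SPF TXT data standing in for live DNS lookups; documentation
# domains and addresses only, not any real operator's records.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Matches either an angle-bracketed address or a bare user@domain token.
_ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>,]+@[^\s<>,]+)")


def extract_address(header_value):
    """Return the bare address from a header value such as 'Name <user@dom>'."""
    m = _ADDR_RE.search(header_value)
    return (m.group(1) or m.group(2)).strip() if m else None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def spf_check(client_ip, domain, records=SPF_RECORDS):
    """Evaluate a reduced SPF record: ip4 mechanisms plus the 'all' terminator.

    Full SPF also has a, mx, include, redirect and macros; this subset is
    enough to show the ordering question, not to replace a real library.
    """
    record = records.get(domain)
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qual]
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # record exhausted without a match or an 'all' term


# Header search order for the Purported Responsible Address (RFC 4407).
# The RFC's extra rule about a Resent-From preceding a Resent-Sender is
# omitted here; the first non-empty header in this order is used.
PRA_HEADERS = ("resent-sender", "resent-from", "sender", "from")


def select_pra(headers):
    """Pick the PRA from a list of (name, value) header pairs."""
    for wanted in PRA_HEADERS:
        for name, value in headers:
            if name.lower() == wanted:
                addr = extract_address(value)
                if addr:
                    return addr
    return None


def check_message(client_ip, mail_from, headers, records=SPF_RECORDS):
    """MAIL FROM check first; only a non-failing result reaches the PRA check."""
    result = {"mail_from": None, "pra": None, "verdict": None}
    result["mail_from"] = spf_check(client_ip, domain_of(mail_from), records)
    if result["mail_from"] == "fail":
        # The envelope sender's domain forbids this client: stop here rather
        # than spend further lookups on the headers of a spoofed message.
        result["verdict"] = "reject-mail-from"
        return result
    pra = select_pra(headers)
    if pra is None:
        result["verdict"] = "no-pra"
        return result
    result["pra"] = spf_check(client_ip, domain_of(pra), records)
    result["verdict"] = "reject-pra" if result["pra"] == "fail" else "accept"
    return result


if __name__ == "__main__":
    # Constructed sample: envelope sender and From: header use different domains.
    hdrs = [("From", "Alice <alice@example.com>"), ("Subject", "hello")]
    print(check_message("198.51.100.10", "bounce@example.net", hdrs))
    print(check_message("203.0.113.7", "bounce@example.com", hdrs))
```

The second call in the sample shows the point of the ordering: the client is not permitted by the MAIL FROM domain's record, so the receiver rejects on the envelope alone and never consults the headers, whereas the first call passes the envelope check and is then caught by the PRA check on the From: domain.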

As a result, without resolution of these issues, along with
the implementation of reputation services which are open
and transparent, along with the establishment of
accreditation services which require verified opt-in and
are cost affordable for the vast majority of micro business
owners, at best one can only say "we shall see what we
shall see."

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
