Vonage Beats the Anti-Spam Laws
"You Could Save up to 50% on Your Phone Bill!" screamed an email from voice-over-IP vendor Vonage. Naturally, users complained this unsolicited, bulk e-mail was spam. But some spam filters weren't having it -- a surprising number of these messages reached user inboxes. Vonage's marketing agent sent the e-mail from a list of "nonsense" domain names, including the unpronounceable urgrtquirkz.com. Surely that's illegal? Let's find out, in this week's Security Levity...
The U.S. CAN-SPAM Act defines illegal e-mail behavior in several ways. The relevant one relates to falsifying e-mail headers. California law has a similar provision against sending e-mail with falsified, misrepresented, or forged header information.
Craig E. Kleffman, a deputy DA at LA County, brought a class-action suit against Vonage in a California district court. He alleged that the use of several nonsense domains was, in fact, header misrepresentation. After all, none of these domains indicate that the messages were from Vonage or from an affiliate representing the company:
The district court disagreed and noted that the California law was anyway preempted by CAN-SPAM. However, it allowed Kleffman to appeal. The Ninth Circuit Court of Appeals later ruled similarly. To cut a long story short, the California Supreme Court published its ruling in the case on Monday.
The court noted, and Kleffman agreed, that the domains were properly registered to Vonage's marketing agent in Nevada. But Kleffman's argument was that the use of these domains was "likely to deceive" and that the section of state law referring to misrepresented headers proscribes this type of "unfair" business practice.
"We find," found Justice Ming Chin, "that a single e-mail with an accurate and traceable domain name neither contains nor is accompanied by 'misrepresented ... header information' ... merely because its domain name ... is 'random,' 'varied,' 'garbled' and 'nonsensical' when viewed in conjunction with domain names used in other e-mails. An e-mail with an accurate and traceable domain name makes no affirmative representation or statement of fact that is false."
In other words, simply constructing e-mail to bypass spam filters is not illegal. Nobody ever said that laws were perfect!
As a spam filter technologist, I serve users, not lawyers. I have to block whatever my customers define as spam; I'm nobody's legal arm.
- Some countries (China, Russia, etc.) aren't taking a legal approach to spam.
- In other countries, we get a great deal of help from regulators -- mainly if there is an opt-in law.
- In still others (such as the U.S.) direct marketers can play tricks like this to avoid filters. They may be legal, but we block them because users want us to.
Of course, most spammers -- more precisely the senders of most spam -- don't care about the law. The question here is what do about rogue direct marketers.
A good spam filter should, ultimately, block whatever the recipients perceive to be spam. There's no law compelling users to accept unwanted e-mail.