Antispam Legal Burden Rests With Affected Corporations

In the wee hours of the morning one day last month, a spammer began using a Microsoft Exchange server at Arrow Products Inc. to send bulk e-mail to Yahoo, Hotmail and other accounts. It's possible that the spammer had sent several thousand e-mails through the network by the time the IT department cut off the server's forwarding capability, said IT manager Richard Eggleston.

Eggleston wasn't happy. The idea of taking legal action crossed his mind, he said, but he dismissed it because of the cost and time it would require.

"It's enough to just get our normal work done and shut down something like that," said Eggleston, whose Elkhorn, Wis.-based company manufactures wood products. Just as when dealing with viruses, "there is just so much you can do," he said.

Eggleston is hardly alone. Corporations, with the exception of Internet service providers, generally aren't taking legal action against spammers, despite the emergence of antispamming laws in 19 states. But relying on technology rather than legal action may not be enough to combat spam. And it may be a risky strategy.

With few exceptions, state law enforcers aren't taking action against spammers. Officials see state antispam laws primarily as enablers of private lawsuits.

"It's one of those situations in consumer law where the burden of protection is on the consumer - if they can figure out who sent the spam," said Joanne McNabb, chief of the privacy protection office at the California Department of Consumer Affairs in Sacramento.

And while the Federal Trade Commission last week said it was stepping up its antispam enforcement, there's some skepticism about just how far federal authorities can go.

FTC officials characterized the move as a new initiative to crack down on spam - one that will go after deceptive e-mail claims and headers, fake opt-out links and other devices. These messages are "intrusive, unwelcome and annoying," said FTC Chairman Timothy Muris. "We want it off the Net."

But Ray Everett-Church, counsel for the Coalition Against Unsolicited Commercial E-Mail in San Jose, said he has yet to see the FTC pursue cases that "require a little more depth of investigation and greater resources and a little less of a slam-dunk." For instance, the FTC could take action against people and companies that sell the software used to create forged headers and hijack e-mail servers, he said.

Without aggressive enforcement by federal or state authorities, the enforcement burden will rest with businesses, experts say.

"If somebody doesn't stand up and start taking action, [the spammers] . . . will just move on to the next corporation," said Walter J. Yurkanin, an IT attorney at Mahoney, Silverman & Cross Ltd. in Joliet, Ill.

Businesses may have no choice but to get involved. In the case of a hijacked server used to forward spam, for instance, it's possible that a spam recipient could name the business that owns the server in a lawsuit, said Yurkanin. "If a corporation has potential liability somewhere down the road, they are going to have to take action," he said.

And cases of private litigation are emerging. Timothy Walton, an Internet attorney in Palo Alto, Calif., is an antispam trailblazer who has brought what may be one of the first class-action lawsuits against spammers. He won an appeals court victory last month, allowing his lawsuit to continue.

"I would love to see the government deal with this problem," Walton said. "But since I don't see it happening, private litigation is the next option."


Copyright © 2002 IDG Communications, Inc.
