Friday, Jan. 05, 2007

A Spammer's Revenge

Imagine that a message plops unbidden into your e-mail In box. Imagine that 10 just like it soon follow, all with a fake return address, none from a name you recognize. You take umbrage. You let it be known on your website that the sender is a scurrilous spammer, a clogger of In boxes, a violator of the right to privacy. It is a small gesture yet one you believe is important in the war on spam, and besides, it makes you feel good.

Until, of course, you get sued.

With pornography, sleazy offers and other unsolicited junk filling In boxes at record rates, revenge has blossomed into a righteous cause. But as Mark Mumma, an Internet-services provider and antispam crusader from Oklahoma City, Okla., will tell you, spats over spam can get messy. The recipient's privacy comes into play, but so does the sender's free speech. What states call spam the feds may consider innocuous commercial e-mail. And when spam rage takes over, you, like Mumma, can get sued for calling a spammer a spammer.

Mumma's problems began two years ago with a simple e-mail message: How about a relaxing cruise? Labeled an "E-deal," it came from a nonworking address and included bogus information in its header, the section that says where an e-mail has been. Mumma got the message, the e-deal falsely claimed, because he had asked for it.

Unfortunately for the sender, Mumma was an Internet pro. Since 1997 he had hosted Web pages, run e-mail services and maintained an antispam website that listed hundreds of addresses whose owners did not want unsolicited mail. He knew Oklahoma and federal law generally banned e-mails that lied about their origin or their paths through the Internet, and he wasn't shy about using the law to make a point. The text of the offending e-deal revealed that it had come from Cruise.com a subsidiary of Omega World Travel in Fairfax, Va. Mumma called Omega's general counsel, the curiously named John Lawless, and got him to promise that neither Mumma nor any of the addresses listed on Mumma's website would receive more mail.

But on the very next day, a second e-deal arrived. This time Mumma threatened to sue Omega for $150,000 under antispam laws unless it agreed to settle for $6,250, an arbitrary amount that Mumma considered reasonable. Omega refused to pay, and before it removed Mumma from the Cruise.com mailing list, nine more e-deals landed in his box. Then things got ugly.

Mumma posted photos of the company's founders on his website and called them Cruise.com spammers." They sued Mumma in Virginia federal court for besmirching their reputations, and he countersued for violations under state and federal antispam laws. Much to Mumma's shock, the trial judge dismissed his suit, ruling that the e-deals weren't misleading enough to be spam. In November the U.S. court of appeals in Richmond agreed. But the founders' case survived, and as it heads for trial before the federal district in Virginia, Mumma faces the possibility of owing $3.8 million in damages for speaking his mind.

And you wondered why spam was so hard to stop.

Truth be told, companies like Omega aren't the real problem. Sure, Cruise.com sent Mumma unsolicited e-mails with a funky return address. And it sent 11 of them. But Mumma might have stopped future messages by clicking on a highlighted link, something he refused to do because, he says, "that just gets you on more spam lists." Maybe so. It's clear, though, that unlike some Nigerian scam artist bent on fooling e-mail filters, the company didn't try to hide its identity.

Still, dramatic increases in spam reported by Ironport and other e-mail-- security firms show that antispam activists like Mumma are overmatched, and the law is not helping. Since Nevada adopted the nation's first antispam statute in 1997, 37 other states have provided the legal basis for dinging spammers that send misleading e-mails. But in 2003 the feds trumped most of those laws by enacting a statutory mouthful, the Controlling the Assault of Non- Solicited Pornography and Marketing Act.

As its unfortunate acronym suggests, the CAN-SPAM Act did not so much prohibit spamming as show companies how to do it. That's because Congress bungled an attempt to balance two constitutional interests: a privacy right (freedom from unwanted e-mails) and a free-speech right (freedom to send advertising--a type of speech--by e-mail). Instead of guarding privacy by allowing commercial e-mail only when people asked for it, Congress favored the speech rights of e-mailers: consumers bear the burden of telling spammers to stop. Congress also said e-mail couldn't be "materially" misleading about its source, but other than that, spam away.

It was the word "materially" that tripped up Mumma. The appeals court ruled that bogus return addresses and header information didn't make e-deals "materially" misleading; after all, Mumma was able to track down the messages' source. The court's decision further weakens privacy in favor of free speech--at least for spammers. For their critics, the message is harsher: keep your mouth shut, or you could get sued.