Internet and e-mail policy and practice
including Notes on Internet E-mail


2013
Months
Sep

Click the comments link on any story to see comments or add your own.


Subscribe to this blog


RSS feed


Home :: Email

16 Sep 2013

How not to stop spammers Email

Spam Arrest is a company that sells an anti-spam service. They attempted to sue some spammers and, as has been widely reported, lost badly. This case emphasizes three points that litigious antispammers seem not to grasp:

  • Under CAN SPAM, a lot of spam is legal.
  • Judges hate plaintiffs who try to be too clever, and hate sloppy preparation even more.
  • Never, ever, file a spam suit in Seattle.

Spam Arrest's anti-spam service uses challenge/response (C/R). When a message arrives from a hitherto unknown address, their robot replies and waits for the putative sender to confirm that he, she, or it is a nice person and not a spambot. Laura explains all the reasons that C/R is a considered ineffective and abusive, mostly that the people who get the challenges are not necessarily the people who sent the mail, and the people who respond to challenges are not necessarily the people you want to hear from.

Since CAN SPAM says that spam is legal so long as you follow some simple labelling and opt out rules (something Spam Arrest's lawyer certainly knows, but more about that later), they tried a different approach. The challenge page added language in which the sender promised not to send unsolicited ads, in what's known as a clickwrap contract, and pay $2,000 if they did.

The lawsuit was against several commercial mailers including Replacements Ltd., a seller of spare china and cutlery which in my experience is a very aggressive but legal mailer, and Sentient Jets, a jet charter service. Spam Arrest claimed that Replacements and Sentient had sent mail in violation of the no spam contract, and threw in some other claims of tortious interference betweeen Spam Arrest and its customers, state consumer protection claims, and a computer fraud and abuse act (CFAA) claim that Sentient had accessed Spam Arrest's computers without permission.

The alleged clickwrap contract was the first problem. For a contract to exist, there has to be a "meeting of minds" between the parties, and the court found no evidence that Sentient had met. While it was clear that people at Sentient had clicked on all those challenges, it was utterly unclear who they were, and whether those people were able to bind Sentient to a contract, since Sentient has hundreds of employees, and they were more likely to be clerks than corporate officers. And even if the contract were valid, the judge said:

Putting aside Spam Arrest's failure to raise a factual dispute as to the formation of a contract or its breach, it also has not proven any damages arising from a breach of contract. Its $2,000 liquidated damages provision is invalid, and Spam Arrest has offered no evidence that would permit a jury to conclude that Sentient Jet's alleged breach of any contract caused quantifiable damage. In particular, it cannot show that any customer left Spam Arrest as a result of email from Sentient Jet. Indeed, there is scarcely any evidence that any Spam Arrest customer has left as a result of receiving spam from anyone. For many of the same reasons, Spam Arrest's tort claim and its statutory claims do not, as a matter of law, pass muster. Spam Arrest's tortious interference and CPA claim are not triable for the same reasons that its breach of contract claims are not. Spam Arrest's attempt to invoke the CFAA is doomed because there is no evidence that Sentient Jet has done anything that the statute prohibits.

This was trying to be way too clever. Judges hate that.

Spam Arrest further hurt its chances by sloppy preparation, e.g., the messages at issue were described in a large spreadsheet.

The spreadsheet, which the court cites with the notation "SS," is the most comprehensive data set on the 600 Sentient Jet verifications at issue. Todaro Decl., Ex. 6 (Dkt. # 39); Nguyen Decl. ¶¶ 21-22 (Dkt. # 69) (explaining each column of data in spreadsheet). The court relied on the version Sentient Jet submitted, despite Spam Arrest's complaint that the version it produced in discovery is "similar" but perhaps not identical. Nguyen Decl., ¶¶ 21 (Dkt. # 39) (comparing Dkt. # 39 to Dkt. # 73-2). Sentient Jet submitted an electronic version of the spreadsheet, whereas Spam Arrest relied solely on an unwieldy 90-page printout for which it provided no courtesy copy.

A 90 page printout of a spreadsheet, with no electronic version? Maybe they thought they were making it harder for Sentient, but mostly they annoyed the judge.

Spam Arrest's records of what mail Sentient sent to what customer were, to put it mildly, deficient. The judge said:

No one knows what was in the 600 or so emails Sentient Jet sent to Spam Arrest customers that triggered the verification process. Sentient Jet sends commercial emails, and generally uses its "charterinfo@sentient.com" and "info@sentient.com" addresses for that purpose. ... Although a jury might conclude that some (perhaps most) of the 600 emails were commercial solicitations, there is almost no evidence from which a jury could conclude that any specific Spam Arrest customer received a commercial solicitation from Spam Arrest.
The only customer-specific evidence is a set of seven declarations from Spam Arrest customers who state that they received unsolicited commercial email from Sentient Jet years ago. None of them can recall the content of the email or produce copies of the email.

He went on in this vein, eventually tossing out the whole case.

From previous orders in the case, it was clear that both parties in the case had already greatly annoyed the judge. Spam Arrest had settled with Replacements the previous week. In the order granting the settlement, the judge said:

By the time Replacements and Spam Arrest resolved their differences, the parties had filed more than 125 pages of briefing on their cross-motions for summary judgment. Spam Arrest apparently believed that it needed more. Once Replacements was no longer part of the case, Spam Arrest filed a motion for leave to file more briefing so that it might explain how Replacements' departure impacted the case. This would seem to be a tacit admission that Spam Arrest's original briefing did not adequately highlight the differences between its claims against Sentient Jet and its claims against Replacements. The court disagrees. Supplemental briefing is decidedly unnecessary.

The order further discusses many documents that had been filed under seal, i.e., not part of the public record.

The remaining six motions raise a host of disputes over whether the court should keep under seal unredacted versions of the summary judgment motions themselves and dozens of documents that support them. In considering those disputes, the court begins with its local rules, specifically Local Rule 5(g), which acknowledges the "strong presumption of public access to the court's files." ... Because filing anything under seal is disfavored, the rules require the parties to meet and confer to "explore all alternatives to filing a document under seal." ... In particular, the rules require parties to "redact[] sensitive information . . . that the court does not need to consider. Only a party "who cannot avoid filing a document under seal" should attempt to do so. ... A party must "minimize the number of documents it files under seal and the length of each document it files under seal." ... Only in "rare circumstances" should a party file an entire motion under seal. [citations elided]

Noting that there were over 30 documents under seal, he said:

First, the parties sealed many documents because they include email addresses or other identifying information for Spam Arrest customers and (less frequently) other third parties. Spam Arrest's desire to redact its customers' email addresses is understandable; it can hardly purport to protect its customers from spam while publicizing their email addresses. What is not understandable is why the parties believe that the unredacted email addresses are of any value to the court. Every Spam Arrest customer has a unique identification number. With one exception (Dkt. # 43), every document the parties have filed that contains a customer's email address either contains identification numbers (permitting the court to identify individual customers in documents that aggregate data on hundreds of customers) or is a document in which the email address makes no difference whatsoever. The parties were either aware or should have been aware that the email addresses would play no part at all in the court's consideration of these motions. There was thus no need to file unredacted versions those documents under seal, and the parties violated [ a court rule] by doing so. The same is true of an exhibit with a redacted credit card number, accompanied by a sealed exhibit revealing the credit card number. The credit card number is not useful to the court; the parties should have simply redacted it without burdening the court with another sealed document. The duty to minimize the number of documents filed under seal carries with it the duty to exercise judgment about redacting extraneous information. The parties too frequently abandoned that duty.
Second, Spam Arrest has taken frivolous positions with respect to some documents. In several instances, Spam Arrest either filed a document under seal or required Sentient Jet to file a document under seal only to later concede that there was no basis to seal the document. In one instance, Spam Arrest took the position that it could seal the names of customers providing declarations on its behalf. Spam Arrest did not explain how it could hide the names of its witnesses from the public. Later, it filed the same declarations publicly, redacting only email addresses.
Third, Spam Arrest takes the position that virtually every piece of data about its business is confidential, while offering little or no evidence to support that position. That "confidential" data includes, but is not limited to, the following: the number of Spam Arrest customers at various times, the number of customers who have left Spam Arrest at various times, Spam Arrest's profits and losses, Spam Arrest's aggregate revenue and revenue per customer, Spam Arrest's calculations of "downstream revenue" for its customers, Spam Arrest's advertising expenditures, and how much Spam Arrest charges its customers.
Although Spam Arrest insists that this information is confidential, it has not provided a shred of evidence from any person at Spam Arrest who can explain why the data is confidential. Instead, Spam Arrest relies on cursory declarations from its counsel. These are wholly insufficient.

If I were a plaintiff or a plaintiff's lawyer, I would not want a judge saying things like this about me. The judge subsequently told the parties to refile nearly all of the sealed documents with the private parts redacted like they should have in the first place.

A different legal approach I might have tried here in New York would be to have the clickwrap language state that the recipient wants no commercial mail, that the recipient opts out of any advertisements that might have triggered the C/R, and that commercial mail will only be accepted if the recipient specifically reverses the opt-out subsequent to the C/R interaction. Then if they send more ads, it's a CAN SPAM violation for failure to honor an opt out. That avoids the contract issue, since CAN SPAM isn't about contracts.

But this case was in Seattle, the same court where the infamous Gordon vs. Virtumundo CAN SPAM case was litigated, and the precedent from that case is that a recipient only has standing under CAN SPAM if it can show damages from the specific spams being litigated. That's close to impossible, since the damage from spam is its cumulative volume, with individual spams having only a tiny cost. Spam Arrest's lawyer surely is aware of all this, since he was Virtumundo's lawyer in that case. So for anyone on the west coast (the decision was confirmed by the Ninth Circuit) CAN SPAM is out, too.

I could imagine that a better case might have had some chance of success, first building software that kept good records to support the legal claims, limiting the claims to ones that the plaintiff could clearly prove, providing a concise set of documents that the judge could deal with easily, and not getting greedy, making the per message penalty small enough that it could have some plausible connection to what it might cost to deal with spam. But this wasn't it. As Prof. Goldman noted in his analysis, you can't win cases like this just by showing up.


  posted at: 09:53 :: permanent link to this entry :: 0 comments
Stable link is https://jl.ly/Email/spamarrest.html

Topics


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

CAUCE
It turns out you don’t need a license to hunt for spam.
4 days ago

A keen grasp of the obvious
Italian Apple Cake
562 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

My Mastodon feed



© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.