State Spam Laws Rarely Enforced

Anyone cleaning out a bulging e-mail in box probably has wished for a law regulating spam, the unsolicited electronic messages that promise instant weight loss, overnight riches and triple-X pictures.

Twenty states, including California, have laws governing the distribution of commercial e-mail to individuals and companies. Violations can lead to fines and even jail time.

But the laws almost never are enforced.

No one has been prosecuted under California’s 4-year-old anti-spam law. It’s the same in Delaware, which has one of the toughest laws in the country--at least on paper.

Only in the state of Washington has an attorney general filed a case.

“Anti-spam laws are, at best, a partial solution,” said law professor David Sorkin of John Marshall Law School in Chicago.

His Web site, at www.spamlaws.com, posts information about spam laws and cases.

Part of the problem is that the anonymous nature of the Internet makes it difficult to track down those who send illegal messages. And few attorneys general or district attorneys are willing to spend the time and money necessary to match message to mailer, particularly when overloaded with murders, rapes and other violent crimes.

“Out of sympathy to them, I’m sure they have other things on their docket that need to be taken care of,” said Tom Geller, executive director of the anti-spam SpamCon Foundation. “But if they want a case that will please the citizenry, I would urge them to raise the priority of spam prosecutions.”

Spam costs consumers an estimated $8.8 billion a year worldwide just in connection costs, according to a 2001 survey by the European Commission, which initiates policies for the European Union.

Consumer complaints fueled the passage of California’s 1998 spam law, which requires unsolicited commercial e-mail to begin its subject line with ADV or ADV:ADLT if the message is of a sexual nature. Filters on e-mail programs can be set to detect those characters and delete the messages before they appear in an in box.

The law, upheld last year by the state Court of Appeal, also requires that spam include a valid e-mail address or toll-free number that a recipient can use to get off a bulk e-mail list.

No law enforcement agency has taken action, however. Atty. Gen. Bill Lockyer said his office held off because district attorneys usually get the first shot at bringing cases under a new law.

But representatives of the Los Angeles County district attorney’s office said they are caught in a Catch-22 when it comes to bringing criminal charges under the law as written.

“To file a case, we would need to be able to examine the logs of an Internet service provider to prove who had sent the spam,” said Deputy Dist. Atty. Jonathan Fairtlough, with the department’s high-tech crimes unit.

That would require a search warrant or a subpoena, neither of which can be obtained unless charges are filed, he said.

Civil cases also could be brought, but the Los Angeles County department that would initiate them--the district attorney’s Consumer Protection Division--said it has not received an actionable complaint from consumers.

“Being that the Internet is a global institution, the consumer who has gotten an e-mail from somewhere in the world does not think to call the local D.A.,” said Tom Papageorge, deputy district attorney in charge of the division. “The average consumer just hits delete rather than making a copy of the e-mail, filling out a complaint and getting it to the local authorities.”

Lockyer said that in lieu of actions by district attorneys, his office may get involved. He has a team of lawyers studying the issue to determine whether they could successfully prosecute under the 1998 law.

“I’m hopeful it will only be a matter of weeks before we can come to some kind of conclusion,” Lockyer said.

Delaware has the strongest spam law in the country, banning unsolicited commercial e-mail outright. Under the 1999 law, the only way to legally send a state resident a commercial e-mail is to have his or her permission beforehand.

“There were so many consumer complaints that we wanted the strongest law possible,” said the state’s attorney general, Jane Brady. But there have been no prosecutions. “I have told my staff that I’m really losing patience, but it’s a very difficult process,” Brady said.

The difficulty in upholding these laws is not a lack of spam. Of the billions of e-mails that arrive each month at Atlanta-based EarthLink Inc., one of the world’s largest Internet service providers, as much as 25% is spam, a spokeswoman said.

The problem, Brady and other law enforcement officials say, is determining who sent an illegal spam.

Spammers started using various tactics to stay anonymous in the mid-1990s, when junk e-mail became a popular commercial ploy.

At first, they altered the “From” line of their messages to make it look as if it was sent by someone else. By 1997, more sophisticated spammers were routing their bulk e-mails through unsuspecting ISPs to hide the messages’ true origins. The technique, which makes tracing more difficult, was called hijacking an open relay.

ISPs struck back by installing equipment on their mail servers to prevent hijacking. The spammers then found ways to search electronically around the world for unprotected servers.

“They would use software to look for relays that could be hijacked and then just send a few e-mails through each,” Internet security consultant Steve Atkins said. “It became an arms race between spammers and the people trying to shut them down.”

The spammers are winning, mostly because of the vast number of unprotected mail servers, especially in countries relatively new to the Internet.

In fact, some major ISPs--including UXN in Europe--have taken the drastic step of blocking all e-mails that come from China because of that country’s high number of unprotected servers.

In Washington, the attorney general’s office took action soon after that state’s law was ratified in 1998. “We had gotten a lot of complaints not only from residents but also from Internet service providers who said that spam was costing them a lot of money to deal with,” senior counsel Paula Selis said.

The attorney general filed a civil suit against Oregon resident Jason Heckel, who allegedly was selling his booklet “How to Profit From the Internet” through spam. “His deal was that he was selling something that told people how to set up their own spam business. Kind of ironic for our first case,” Selis said.

Heckel challenged the constitutionality of the law, but it was upheld last year by the state’s Supreme Court. Now the case is scheduled to return to court in September. If Heckel is convicted, he could be fined as much as $500 for each spam.

With officials not prosecuting in California, private individuals and firms have attempted to take civil actions on their own. This can be done under the California law, although the biggest penalty the law allows for a private suit is an injunction to stop the spam.

Only one private case has made it to a Superior Court. It was brought in Sonoma County two years ago by Mark Ferguson against a matchmaking site, Friendfinder.

Ferguson said he was getting 200 spams a day. When he asked spammers to stop, they sent even more. “The spammers were just flaunting it,” he said. “It was like, ‘Ha, ha, you can’t catch us.’ ”

Ferguson, 39, began spending part of every day trying to battle spammers, a tradition he kept up even after his Web design business declined because of the tech downturn and he took an appliance delivery job.In 1999, Ferguson chose the Palo Alto-based Friendfinder as the target of a class-action suit because it seemed to be a highly successful operation.

“I was doing this to make a point,” Ferguson said. “If they can’t afford to fight, what good does it do?”

He also wanted a company that could pay a sizable settlement to him, the lawyers and anyone who joins the class action. Ferguson is attempting to go beyond the relief stipulated by the anti-spam law by alleging that handling spam wears down and causes physical damage to home computers.

The case first went to a Superior Court, where a judge dismissed it, saying that the law was unconstitutional because it violated interstate commerce freedoms.

Last year, the state Court of Appeal rejected the decision, affirming the constitutionality of the law.

Friendfinder has asked the state Supreme Court to consider the case. If the court declines or upholds the appellate court decision, Ferguson will be able to pursue his case.

Friendfinder owner Andrew Conru, who founded the Palo Alto-based company in 1996, said the firm has never sent an unsolicited commercial e-mail. “Spammers are just bad businesspeople,” Conru said.

Friendfinder has been vilified in anti-spam newsgroups by people who said they have received numerous spams advertising the site. Conru said these were sent out mostly by members of the company’s affiliate program, which pays a referral fee for every paid subscriber brought in.

Another private suit was filed last month by California’s largest law firm, Morrison & Foerster. It alleges that bulk e-mailer Etracks sent 6,500 illegal spams to employees and others who use the law firm’s e-mail accounts.

The law firm also is claiming damages because Etracks allegedly used the Morrison & Foerster mail server to distribute the e-mails.

Etracks--a Belmont, Calif., firm that distributes bulk e-mail for numerous companies--did not respond to a request for comment on the suit.

In the meantime, spam is a part of everyday life for computer users.

“The problem with spam is that it is the tragedy of the common,” SpamCon’s Geller said.

“Millions of people feel damaged very slightly. In order to gain true redress, you have to coordinate these millions to give power to an individual. That’s not easy to do.”

*

Texts of the lawsuits and decisions mentioned in this article as well as additional material are available at www.latimes.com/spamlaw.