In possibly the first legal review of Spam published in the UK, Stephen Groom looks at the issues.
e legal review.
- While the DTI still wavers over whether to go for opt-in or opt-out in implementing the spam control measures contained in the EU Distance Selling Directive, two recent US cases focus on the steps available to ISPs in seeking to control spammers' abuse of their networks.
- Other recent reports reveal the dangers of hoax emails. These either spread damaging and completely untrue messages about particular brands or their products or appear on the face of it to be quite plausible pieces of "viral marketing", (eg send this email about the virtues of the new SNIBBO WAP phone to ten friends, copy in SNIBBO and receive a free phone) but are in fact nothing to do with SNIBBO (or in one particular recent real live case NOKIA).
- Despite this, marketers' enthusiasm for this form of marketing appears undiminished, but what are the legal implications of this practice and does the American experience teach us any useful lessons?
- In the attached special analysis article read about:
- the nasty, brutish and short history of SPAM to date
- Is Spam legal? US and UK dimensions
- Email addresses – data protection points
- The e-mail hoax threat
- Viral marketing – legal issues
- Sum-up
A legal voyage round unsolicited commercial e-mail
Stephen Groom
Osborne Clarke
1997 – The Cyber Promotions Cases
Unsolicited electronic mail or "spam" has assumed an increasingly high profile over the last five years.
In the early days of the net "netiquette" (the code of conduct which evolved amongst the original users of the Internet) was sufficient to deal with unsolicited e-mails. Original users took the view that the Internet was not to be used for commercial purposes and on receiving unsolicited e-mail would track down its source if this were possible and then flood the transmitting server with hostile e-mail. This practice became known as "flaming", but spamming activity became so widespread that even the concerted action of original net-users was not sufficient to stem the flow.
Legal remedies took over as shown particularly by US case law resulting from activities of a US Company called Cyber Promotions Inc. ("CPI").
CPI's business consisted of sending unsolicited e-mail advertisements both on its own behalf and on behalf of its customers. These were sent to large numbers of internet users, many of whom were subscribers to various internet service providers ("ISP's").
The ISP's became concerned as their subscribers' mailboxes (and the relevant space on the ISPs' servers ) filled up with spam.
These concerns led to a number of law-suits brought by ISP's against CPI and similar organisations. The judgement of the court in the case of CompuServe -v- Cyber Promotions in February 1997 (US District Court for the Southern District of Ohio) typifies the approach that the US Courts adopted in these cases.
CompuServe provided its subscribers with an e-mail address, mailbox and link, via the CompuServe network, to the Internet. It was this link which allowed CPI and others to send spam to CompuServe subscribers.
Alarmed at the increasing amount of spam subscribers were receiving, CompuServe informed CPI that it was no longer permitted to use CompuServe's servers for this purpose.
CPI did not respond positively and CompuServe tried a different approach. This was to try to screen out the "junk mail" and block its receipt by subscribers. This did not work either because CPI changed the point of origin information in the header sections of their e-mails so as to conceal where they were being sent from. Alternatively, CPI might have configured its own servers to conceal their true domain names.
As these tactics failed, CompuServe brought proceedings for trespass against CPI.
There was evidence before the court that the volume of mass mailings which CompuServe received placed a heavy burden on its equipment. This was increased by the practice of disguising the origin of e-mails so that the CompuServe computers were forced to store undeliverable e-mails and to try to return them to e-mail addresses which did not exist.
In these circumstances, the Court held that because the mass mailings used up disk space and processing power in CompuServe's computers and prevented these resources being available to CompuServe's subscribers, the value of CompuServe's equipment was diminished.
In addition, CompuServe submitted that by November 1996 it had received nearly 10,000 complaints from subscribers about unwanted spam and many subscribers had terminated their CompuServe accounts because of this.
It was the finding of the Court that CPI's actions amounted to trespass to the extent that they involved "intermeddling" with CompuServe's property and harmed CompuServe's business reputation and goodwill.
In the US trespass to personal property may be committed by intentionally using or "intermedelling" with the property concerned. "Intermedelling" involves "intentionally bringing about physical contact with a chattel" and in a previous case the Court had held that electronic signals generated and sent by computer were sufficiently physically tangible to support a cause of action for trespass.
Accordingly the Court granted CompuServe a preliminary injunction.
May 1997 – EU Distance Selling Directive is signed off by the Council of Ministers.
Implementation of the Directive is due by June 2000 and Article 10 includes the following:
"Member states shall ensure that means of distance communication, other than those referred to in paragraph 1 [paragraph 1 does not refer to e-mail] which allow individual communications may only be used where there is no clear objection from the consumer".
Member states are given the freedom to choose whether to adopt an "opt in" or "opt out" approach.
November 1997 – Canadian DMA takes action
The Canadian DMA placed a series of restrictions on its members in order to reduce the number of unsolicited marketing e-mails which they were sending.
It was thought that this represented the first compulsory rules put in place by an industry body to govern on-line marketing.
The spam-cutting measures required members to seek consent before they sent spam to consumers, unless there was already a relationship.
Consumers had to be presented with a "clear and unambiguous" opportunity to decline further e-mail communications.
The CDMA president was quoted as follows:
"Through the requirement for consent, we are acknowledging the existing non-commercial culture of the Internet and the fact that the recipient pays part of the cost of delivering an e-mail message".
1998 – Novell report published as to effects of unsolicited e-mail.
A report published by Novell UK called "A Spammer in the Works" suggested that junk e-mail was already costing British and Irish businesses more than £5billion a year in wasted time.
The majority of the 801 people surveyed spent up to 15 minutes a day reading, deleting or responding to spam, some of which was labelled deceptively or vaguely in order to conceal its true contents until the file was opened.
1998 – New US anti-spam law.
Washington State introduces legislation which remains to this day the most rigorous in its anti-spamming stance.
The law prohibits commercial e-mail that contains false or otherwise misleading information in the subject line.
It also bans commercial e-mail that contains an invalid reply address or disguises the transmission path. The law permits message recipients, ISP's and the attorney general's office to file civil suits for compensatory and punitive damages.
April 1999 – VirginNet sues Surrey businessman.
VirginNet was reported to have issued a writ against Surrey businessman Adrian Paris for sending out bulk e-mails. This was believed to be the first case in the UK in which an ISP sued for damages for trespass as well as for breach of the contract by which the defendant made use of the VirginNet server. The defendant allegedly sent out more than 250,000 junk e-mails using his Virgin account. VirginNet said that it closed down accounts opened by the businessman on several occasions and had received in excess of 1,500 complaints from subscribers about the bulk e-mails. The case subsequently settled quietly with a payment of £5000 costs and damages by Paris to VirginNet and his undertaking not to spam VirginNet's subscribers again.
July 1999 – UN proposes e-mail tax.
A report released by the UN Development Programme called on governments to introduce legislation to require Internet users to pay a tax of one US cent on every 100 e-mails sent. The funds generated, the report said, would go to the third world to "offset inequalities in the global community".
November 1999 – DTI consults on Distance Selling Directive
In the UK, the DTI publishes its consultation paper in relation to implementation of the EU Directive on distance selling. This includes a separate section devoted to the implementation of the parts of the directive affecting unsolicited commercial e-mails.
The DTI points out that a number of EU states including Austria, Italy, Germany and Sweden had gone or were likely to go for "opt in" and invites representations on the issue.
Although clearly undecided on the matter, the DTI cites difficulties of enforcement as one reason for choosing "opt out" as opposed to "opt in".
Update: As of 4 May 2000, the DTI was still undecided on this crucial point.
December 1999 – AOL gets judgement against spammer.
It is reported that AOL has obtained a $600,000 default judgement against the Christian Brothers and its president Jason Vale for misusing AOL's facilities to send out spam advertising apricot seeds as a cancer cure. The defendant refused to defend itself and ignored AOL's cease and desist demands.
December 1999 – Yahoo! UK launches spamguard.
Yahoo! announced that it had become the first of the UK's major web-based e-mail providers to launch a service aimed at combating the growing problem of spamming on the net.
The Company's spam-guard tool was developed using in-house technology. It worked by detecting spam e-mail and directing it to a separate bulk mail folder from which Yahoo! mail users had the option of deleting it or browsing it for messages in which they might be interested.
January 2000 – DMA launches e-MPS.
The UK's Direct Marketing Association launches its e-mail preference service, backed by a worldwide initiative on the part of the International Federation of Direct Marketing Agencies (FEDMA).
January 2000 – Hoax e-mails reported.
It is reported that KFC are on the wrong end of the circulation of 100,000 e-mails making unfounded allegations about its production process. The e-mail falsely claimed that the company had cut production costs by breeding artificial birds with no beaks, feet, feathers or bones.
KFC's PR machine went swiftly into gear and the myth was quashed with an article in the national press, a detailed e-mail reply and a message on its website, but the source remains unknown and such activities seem to be on the rise.
February 2000 – Colorado considers "ADV" subject box requirement.
The State of Colorado is reported to be considering an anti-spam bill that requires unsolicited e-mail to carry the label "ADV:" at the beginning of the e-mail's subject line.
March 2000 – IKEA ends "viral" marketing campaign.
IKEA ended a "viral" marketing campaign for its new San Francisco store in response to consumer criticism. The programme offered discounts to customers who agreed to send an e-mail postcard about the store opening to ten friends. Apparently the approach generated 37,000 announcement e-mails in one week.
In addition to the complaints about spam, the e-mail messages also enabled recipients to change one number in the URL to access other postcards and therefore other people's e-mail addresses, a serious violation of privacy protocol.
Despite this IKEA claims that many customers took advantage of the savings and the store now offers free discount coupons to all visitors to its website without the e-mail requirement.
March 2000 – Washington state anti spam law questioned.
Judge Palmer Robertson of Washington State's Kings County Superior Court found the State's anti-spam statute to be un-constitutional.
The defendant in the case was Jason Heckel, who ran a business called Natural Instincts which was alleged to have sent up to 1million pieces of spam every week.
The prosecution said that he had contravened Washington State legislation by including misleading information and disguising his e-mail's route across the Internet as well as supplying an invalid reply address.
Judge Robertson held, however, that the law under which the prosecution was brought violated the interstate commerce clause of the US constitution by unduly restricting interstate business activities.
The State of Washington had until April 10 to challenge the verdict by way of an appeal.
March 2000 – spam settlement sets trend?
Bibliotech, an Internet Company in London, has won undisclosed damages in the US from Sam Khuri for spamming. An anti-spamming agreement has been concluded between Khuri and Bibliotech, requiring him to he pay US$1,000 and legal costs to parties affected if he sends any unsolicited e-mails in the future.
March 2000 – draft e-commerce directive
Following the adoption of the latest draft e-commerce directive by the EU Council of Ministers, direct sellers and ISPs start discussions on a suitable framework for an opt-out register with a system of registers which marketers would have to "clean" their list against. The move is precipitated by a clause in the Directive allowing member states to ban spam altogether. Another clause would oblige spammers to show in the subject box that the message is an advertisement.
Is spam legal? – US and UK dimensions
The US Approach.
As indicated in the reference above to the CompuServe -v- Cyber Promotions Inc. case, trespass to personal property under US law may be committed by intentionally using or "intermedelling" with the property concerned. "Intermedelling" involves:
"intentionally bringing about physical contact with a chattel".
In the CompuServe case, the Judge developed this principle in the following way:
"there may…be situations in which the value to the owner of a particular type of chattel may be impaired by dealing with it in a manner that does not affect its physical condition…in such a case intermedelling is established even though the physical condition of the channel is not impaired".
The Position in the UK.
Clerk and Lindsell on tort sums up trespass as including:
"any impermitted contact with or impact upon another's chattel".
Are the software and data held by an ISP on its server "goods/chattels"?
In the context of the Criminal Damage Act 1971 the Court of Appeal has in the case of Cox -v- Riley held that "property" extends to "property of a tangible nature, whether real or personal". In that case it was held that where a deleted computer programme had been held on a plastic circuit card, the card could be identified as "property" which had been damaged by the deletion of the programme.
As to whether there has to be "damage" for trespass to occur is another question. The general consensus is that there does not have to be actual damage as indicated in the above reference to "any impermitted contact with or impact upon" goods.
In essence, it ought to be arguable that there is a trespass under UK law as long as there is deliberate action on the part of the trespasser and this has some form of impact on the property in question.
In a spamming context, therefore, if the ISP makes it quite clear to the spammer that its activities are to cease, any continued action on the part of the spammer thereafter should be an arguable trespass.
Computer Misuse Act 1990.
Section 3 defines an offence of "unauthorised modification of computer material". This requires among other things an intent to impair the operation of the computer and knowledge that doing the act which causes the modification is unauthorised.
On the basis that an individual may be regarded as intending the natural and foreseeable consequence of his or her acts, then provided the perpetrator is already well aware that the activity is not welcome and that any further sending of unsolicited e-mail is unauthorised, then there may be an argument that continuing to send the e-mail in those circumstances is an offence under the Act.
The Protection from Harassment Act 1997.
Under the 1997 Act, it is both a criminal and civil wrong for a person to carry on a course of conduct (i.e. at least twice) which amounts to harassment of another person or which he should have known amounts to harassment of that other person.
This might enable someone who felt harassed (the fact that there is a separate offence of "putting people in fear of violence" suggests that harassment does not necessarily require violence or threats of violence) to pursue a case for damages against unsolicited e-mailers.
E-mail addresses – data protection points
Is an e-mail address "personal data"
The 1998 Data Protection Act defines "personal data" as follows:
"data which relates to a living individual who can be identified:
from those data; or
from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller."
The question arises therefore as to whether an individual or "data subject" can be identified from his or her e-mail address.
The answer might be that it depends on the particular e-mail address. Stephen.groom@osborneclarke.com can clearly been seen as an e-mail address from which the writer of this paper could be identified. A corporate domain name in the UK is being used and using any available directory, the writer's whereabouts could be quickly traced.
But different considerations may apply to an address such as stephen@yahoo.co.uk. The person's full name is not stated and so he or she cannot be looked up in the telephone directory and all that is known is that the person might or might not call himself "Stephen" as a Christian name and he uses Yahoo! mail as his e-mail service provider. It seems highly arguable therefore that such an address is one from which the person behind it cannot be identified.
Having said this, the Data Protection Commissioner has recently indicated strongly that she regards all e-mail addresses as "personal data". The rationale for this appears to be that e-mail addresses are unique to one individual and that an electronic record can therefore be built up about that person. Although this rationale seems un-persuasive the writer is certainly not suggesting that at the present time those who e-mail addresses should do anything other than treat them as they would all other personal data as required by the 1988 Act.
The point remains, however, as to whether certain types of e-mail addresses might indeed be treated differently without fear of breaching the legislation.
A separate question that arises is in relation to "sensitive personal data"
There is a new category of personal data created by the new 1988 Act. This is "sensitive personal data". This is defined as consisting of information as to:
the racial or ethnic origin of the subject;
his political opinions;
his religious beliefs or other beliefs of a similar nature;
whether he is a member of a trade union;
his physical mental health or condition;
his sexual life;
commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
There may arguably be e-mails which give an indication as to one or more of the above factors themselves. For instance, jockmactavish@dundeecouncil.org or johnsmith@labourparty.org.
Certainly neither address would be conclusive as to these characteristics of the individual concerned, but there is no express requirement in the Act that the data should be conclusive as to these matters.
One of the most critical consequences of data being classified as "sensitive personal data" is that the data subject's explicit consent must be obtained before that data can be processed.
This is another area therefore, where depending upon the particular content of the e-mail address itself, aside from any other data, the address should be treated in an altogether way.
Scare stories on the web are increasingly sending panic amongst world brand owners.
In March 2000, Red Bull fell foul of a vicious example which was an e-mail claiming that the glucuronolactone contained in the drink was a US government- manufactured stimulant that had caused death, migraines and brain tumours when it was used during the Vietnam war. It added that an article in the British Medical Journal had revealed side effects of the stimulant. The Company found itself awash with e-mails from distressed customers and instantly penned an electronic reply to refute the claims.
The KFC experience in January 2000 has already been mentioned in an earlier part of this paper.
Clearly such communications are at the very least a malicious falsehood and possibly also a libel actionable of the suit of the owners of the relevant brands. The difficulty however is that the source of the message is often difficult to detect, which means that brand owners must resort to swift and constructive self help which should include the adoption of a crisis management plan covering the following areas:
Make sure every point of contact in the Company has a clear statement to make
This might deflect the pressure from the Company by referring to similar hoax problems that other companies have experienced recently and then stating quite clearly that the hoax is untrue using evidence to back it up.
The statement should also convey a positive brand message.
As a preventative measure businesses should encourage consumers to request brand information, thus reducing the impact of e-mail gossip.
KFC has promised to identify and prosecute the originators of the hoax to the maximum extent permitted by law but whatever action that they are able to take, they will certainly not want to follow the MacLibel example of a few years ago!
Viral Marketing – Legal Issues
"Viral Marketing" is an increasingly popular marketing technique in the States and now beginning to occur here in the UK also.
It consists of the adoption of a "chain letter" type of approach encouraging individuals to send a particular message to say 10 contacts and colleagues and thereby qualify for some form of free-gift or other incentive from the brand owner behind the promotion. The IKEA viral marketing described in an earlier section of this paper is an example.
What are the possible legal implications of this form of marketing?
First of all, the Data Protection Commissioner may take a dim view of encouraging individuals to provide personal data relating to friends and relations to a data processor without the prior consent of those individuals. Indeed it may well be that if those individuals are releasing the information relating to their colleagues and contacts from their own records, this disclosure may in itself be a breach of one of the basic data protection principles.
Furthermore, if the communication that is sent by the first individual to, say, his or her ten friends or contacts, involves copying in the original brand owner who began the promotion in the first place, these details are being provided to the brand owner without the particular individual concerned having an opt-out option. Now that individuals under the new Data Protection Act have a specific right to object to processing of their data for direct marketing purposes, this will in itself create difficulties.
Separately, it is also possible that the sending of the e-mail itself might be defamatory. The writer's experience is that the e-mail received includes a full list of all the other recipients, and if the product concerned, to take an extreme example, is an inflatable doll of the kind sold in Soho sex shops, it may well be arguably defamatory of the individuals listed for it to be suggested that such products might be of interest to them.
As with all things relating to the Internet, un-solicited commercial e-mail or spamming has come a long way in a very short space of time.
The writer's own feeling is that the wheel may well turn full circle within a very short space of time, with the anti-spamming ethos of netiquette of the very early years returning in the guise of "opt in" or "permission marketing" as the only viable way forward for this form of marketing.
Stephen Groom
Osborne Clarke
4.5.2000
©Osborne Clarke 2000
