Copyright 2003 ALM Properties, Inc.

HEADLINE: Spam-Related Class Actions Are on the Horizon
And the U.S. government could end up as a defendant

BYLINE: By Jonathan Bick

The author is counsel to Brach, Eichler, Rosenberg, Silver, Bernstein, Hammer & Gladstone of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need To Know About Internet Law [Random House 2000].

Bulk, unsolicited, commercial e-mail -- spam -- is generally recognized as an undesirable, harmful nuisance and responses, including traditional litigation, have been less than effective. A spam class action against the U.S. government, Internet Service Providers and others who facilitate spam may be appropriate.

By retarding Internet communication speed, spawning fraud, trespassing chattel and violating the Computer Fraud and Abuse Act, 18 U.S.C. 1030, spam causes or contributes to a wide variety of problems for network administrators, businesses, other organizations and individual users of the Internet.

Although an argument might have been made in the past that nothing could be done about spam, it has escalated beyond the nuisance phase to become a harmful and actionable impediment to personal productivity.

Jupiter Media Metrix, an e-commerce research firm, reported that the average American received more than 1,700 e-mails in 2002. And according to The Washington Post [Jan. 31, 2002], more than 40 percent of those e-mails were going to be spam.

Several courts have held that the transmission of spam constitutes a tort. See America Online v. LCGM, 46 F. Supp. 2d 444 [E.D. Va. 1998]; Hotmail Corp. v. Van$ Money Pie, Inc., 1998 U.S. Dist. LEXIS 10729, 47 U.S.P.Q. 2d 1020, 1022 [N.D. Cal. 1998]; and CompuServe Inc. v. Cyber-Promotions, Inc., 962 F. Supp. 1015 [S.D. Ohio 1997].

By its nature, the Internet has sufficient presence in every venue to justify federal pre-emption. Due to its control over the Internet's backbone operation and other operational necessities such as domain registration, the U.S. government is singularly able to control spam.

Additionally, the Internet sprung into existence because of federal action and, therefore, it is arguable that the United States is responsible for the benefits and the costs of the Internet, including spamming.

Traditional Remedies Inadequate

Class actions are normally a last resort because major class action litigation is time-consuming and expensive. In addition, because plaintiffs will be asking the courts to recognize new legal duties, the chances of success are unpredictable.

To date, five kinds of responses have been employed to combat spam, none of which has been successful.

The first response is direct individual action, such as responding to a spam by requesting that a user's e-mail address be removed from the spammer's list. This action is known as making an opt-out request. Spam commonly includes opt-out instructions, including an e-mail address or Web page's uniform resource locator [URL] for use in submitting such requests.

Other forms of individual action that have been used to stop spam include reporting and retaliation. Spam recipients have traced spam messages and complained to the spammer's service provider, the user's own Internet Service Provider and governmental agencies.

In addition, some spam recipients have engaged in sending hostile e-mail, posting attacks on the spammer's reputation, sending e-mail bombs and other denial-of-service attacks. Further, spammers have received threats of violence and property damage.

The second approach to countering spam is to employ technical mechanisms. Individual Internet users, ISPs and other third parties, such as organizations that act as e-mail agents, can implement these mechanisms.

Individually filtering e-mails [based on sender address and the content of subject lines], collaborative filtering by third parties based on group experiences and enabling destination operators to refuse delivery of spam are defensive technical techniques. Preventative technical mechanisms include masking and "un-listing" e-mail addresses.

The third type of response is a combination of communication and technical action. Typically, ISPs post policies that prohibit the use of their facilities for sending spam. ISPs can enforce the policies by banning those who violate the policy from using the ISP as a spam source. An ISP's terms of use agreement typically contains a no-spam clause and a description of the technical consequences of violating that policy.

ISPs have also attempted to filter out the domain names that are the apparent source of spam. However, those who send spam, in turn, have countered with various techniques -- "forged spamming" or "spoofing," as well as "domain name hijacking" -- to conceal their identities. See Dianne Plunkett Latham, "Spam Remedies," 27 WM. MITCHELL L. REV. 1649, 1650 [2001].

The fourth response to combat spam is litigation based on state and federal statutes, as well as common-law theories, including actions based on deceptive trade practices; defamation; false designation of origin [15 U.S.C. 1125 [a]]; libel; breach of contract; false statements in advertising; trespass to chattels; dilution of interest in service marks [15 U.S.C. 1125[c]]; exceeding authorized access and impairing computer facilities in violation of the Computer Fraud and Abuse Act [18 U.S.C. 1030]; fraud; forgery; harassment; and theft.

Last year, statutes introduced in Congress included the Unsolicited Commercial Electronic Mail Act of 2001; Wireless Telephone Spam Protection Act; Anti-Spamming Act of 2001; Who Is E-Mailing Our Kids Act; Protect Children From E-Mail Smut Act of 2001; Netizens Protection Act of 2001; and "CAN SPAM" Act of 2001.

And numerous states have adopted legislation to address spam. See David Sorkin, "Spam Laws: United States: State Laws," at http:// www.spamlaws.com/state/index.html, lists 29 states that have passed some form of anti-spam legislation. And Congress is in the midst of considering various forms of anti-spam legislation.

However, many such statutes are not self-executing and need legal action to enforce them. For example, according to The Desert News [Aug. 1, 2002], a Utah firm [Nelson, Snuffer, Dahle & Paulsen] has filed a class-action suit against Sprint Communications for allegedly sending commercial e-mail in violation of a new state law that requires such e-mails to be clearly marked as advertisements.

The suit was filed May 21, 2002, and is now pending in the Third District Court of Salt Lake City. The suit is based on claims set forth in a Utah statute and on the result of a similar case upheld in Washington State.

Utah Code §§13-44-101 requires any sender of a commercial e-mail to state its legal name, street address, Internet domain name, and also to include a no-cost way of requesting that no more e-mail be sent. Further, the first four characters of the subject line must read "ADV:". The complaint alleges that Sprint has violated this section of the code.

The fifth type of response is to use a certification technology to limit those who might send e-mail. One technology being tested by Microsoft works as follows: To send certified e-mail, senders pay annual fees to certification groups. Those groups give software and/or hardware to those seeking to send certified e-mail. This certification software and/or hardware generates a unique, encrypted digital certificate for each message when it is sent.

Recipients of certified e-mail with appropriate software would be able to differentiate between certified e-mail and regular e-mail. Certified e-mail mailers who send spam would lose their certification.

Typical Spam Litigation

Private lawsuits are at the vanguard of the attack on spam. Among the first reported efforts to stop spam through litigation occurred in early 1995, when CompuServe was sued for allowing unsolicited e-mail advertisements. This case was settled out of court.

Since that case, there have been relatively few spam-related suits involving individual recipients of spam. Most spam litigation has been brought by ISPs that have received large quantities of spam that they must deal with. Consider the two cases of America Online, Inc. v. LCGM, Inc. [46 F. Supp. 2d 444], and Hotmail Corp. v. Van$ Money Pie, Inc., 47 U.S.P.Q. 2d [BNA] 1020 [1998].

In America Online, the defendants collected e-mail addresses of AOL members and put "aol.com" in the "from" line of the e-mail messages sent to AOL members to make it appear that AOL endorsed the defendants' bulk e-mailings.

The court found, among other things, that the defendants had engaged in activities resulting in false designation of origin and dilution of interest in service marks under the Lanham Act.

In Hotmail Corp., the court found that the defendants had violated the Hotmail subscriber service agreement, which specifically prohibited subscribers from using Hotmail to send unsolicited bulk e-mail. The court found that the spam activity resulted in false designation of origin; federal and state dilution; violation of the Computer Fraud and Abuse Act; state and common law unfair competition; breach of contract; fraud and misrepresentation; and trespass to chattels.

While electronic mail statutes can be a source of spam litigation, Individual Investor Group v. Howard, No. CV-S-99-00437-DWH [D. Nev. 1999], which is among the first actions commenced under Nevada's Electronic Mail Statute [Nev. Rev. Stat. 41.705-41.735 [2000]], was settled.

Spam-Related Class Actions

Under Rule 23[b][3] of the Federal Rules of Civil Procedure and equivalent provisions in many states, the plaintiff must demonstrate, that "questions of law or fact common to the members of the class predominate over any questions affecting only individual members." A class action designed to combat spam could be based on the federal law prohibiting unsolicited facsimile advertisements. This law defined "facsimile machine" broadly enough to include computers that send and receive electronic mail.

Alternatively, the Computer Fraud and Abuse Act, 18 U.S.C. 1030, has been cited as a basis for the claim in some Internet-related class action lawsuits filed recently in federal courts. While this act has been primarily used for privacy-related class actions, it appears to be suitable for spam class actions as well.

The act defines a "protected computer" simply as one that "is used in interstate or foreign commerce or communication." This definition has been interpreted to include computers using the Internet. The term damage means any impairment to information, a program, a system or the integrity of available data that: [i] causes losses of at least $5,000 during a one-year period; [ii] modifies or impairs the examination, diagnosis or treatment of any individual[s]; [iii] causes physical injury to any person; or [iv] threatens public health or safety [18 U.S.C. 1030[e][8] [2000]].

Fundamental class action rules require that facts in common and the damages in common to the class predominate over facts that are not in common. Spam can qualify under the damage section of the Computer Fraud and Abuse Act in four separate ways. However, most Internet users have suffered from each type of damage. Even if a court finds that not all Internet users suffered from all four types of damages, the court would likely understand that class action certification is an appropriate remedy under these circumstances and would likely hold that a nationwide class action was proper.

The first way spam may qualify under the damage section of the act involves the content. For example, some spam results in receiving commercial messages, particularly those that promote questionable ventures, such as pyramid schemes. Other spam may contain hostile file attachments or embedded code that can cause damage, such as the Melissa virus spam.

The next way involves the consumption of Internet resources. Spam consumes network bandwidth, memory, storage space and other resources. Internet users and system administrators must spend time reading, deleting, filtering and blocking spam. Even the application of anti-spam measures interferes with other e-mail traffic and other legitimate Internet uses, and thus requires the expenditure of resources.

The third way involves spam's threat to Internet security and reliability. In particular, a common spammer practice is to exploit "e-mail relays." An e-mail relay occurs when a spammer connects to a Simple Mail Transfer Protocol server operated by a third party -- where neither the spam sender nor the intended spam receivers are local users -- and directs the server to send copies of a message to a group of recipients. By using e-mail relays to disguise their origin, spammers cause others to pay the cost of resulting complaints.

It should also be noted that e-mail relaying usually represents theft of service because it is an unauthorized appropriation of computing resources. E-mail relaying consumes bandwidth and storage capacity and can result in performance corruption. Damages normally include staff time needed to deal with complaints, system disruption and reputation damage.

The fourth way spam may qualify under the damage section of the Computer Fraud and Abuse Act entails being subjected to e-mail bombs and other attacks via the Internet. Both company and individual users with no connection to a spammer may be the recipient of damaging e-mails. Additionally, Internet users may find that spam has resulted in filtering and blocking systems that interfere with legitimate Internet use.

Federal Government as Defendant

A plaintiff could bring a spam related class action against the United States and a number of federal officials alleging that they had unlawfully permitted unsolicited facsimile advertisements and, in doing so, violated the Computer Fraud and Abuse Act.

Targeting the federal government is based on its pre-emption of Internet activities and transactions. Alternatively, ISPs could be targeted because of the stake and control they have in local Internet activities.

To certify a class, the plaintiff must prove that all of the Rule 23 requirements are met. About 70 percent of the states have adopted class action rules similar to current federal Rule 23, and even states that have not adopted class action rules paralleling amended Rule 23 will generally use federal court class action principles. The prerequisites are addressed below with an eye toward spam cases.

§* There must be an identifiable class.

Before considering Rule 23[a], an identifiable class is required for class certification. The class definition should be clear enough to determine who is included in the class.

In this instance, it would be any person who has received spam because courts have been favorably disposed toward classes defined by reference to objective criteria that do not require an individualized inquiry.

§* The named plaintiffs must have standing.

Standing of the named plaintiffs is required before considering the explicit Rule 23 requirements. To satisfy standing, the class representative must suffer an injury and must have the same interests and the same injuries as the class members.

In the case of a spam-related action, a plaintiff could use each of the four separate Computer Fraud and Abuse Act types of damages noted above to show that he personally has suffered some actual injury as a result of the unlawful conduct of the defendant, that the injury fairly can be traced to the challenged action, and that it is likely to be addressed by a favorable decision.

§* Numerosity.

To satisfy this requirement, plaintiffs must prove that the class is so numerous that joinder is impracticable. Although there are no rigid numerical guidelines for determining the impracticability of joinder, it is unlikely that a class the size of all Internet users would fail to meet this requirement.

§* Commonality.

Rule 23[a][2] requires that there be questions of law and fact common to the class. Because the Internet treats most users in a common way, the commonality requirement should be relatively easy to satisfy.

§* Typicality.

The Rule 23[a][3] typicality requirement focuses on whether the class representatives' claims have the same essential characteristics as the claims of the class at large. Again, the underlying technicalities of the Internet treat most users in a common way such that typicality requirement should be relatively easy to satisfy.

§* Adequacy of representation.

Rule 23[a][4] requires that the named plaintiffs "will fairly and adequately protect the interests of the class." Due to the uniform nature of the Internet experience, which results from uniform technology which is the basis of the Internet, virtually any group of Internet users would meet the adequacy representation.

§* Predominance.

The Rule 23[b][3] predominance query investigates whether proposed classes are sufficiently cohesive to warrant adjudication by representation. In the case of Internet users that have been spammed, sufficient commonality of causation, liability, damages and extent of damages issues exists to satisfy the predominance requirement.

§* Superiority.

The superiority inquiry requires the court to find that the class action objectives will be achieved .To meet superiority, the plaintiffs must show that the class action device "would be better than, and not just equal to, other methods of adjudication." In light of the failure of all other litigation and nonlitigation remedies, a class action is likely to pass the superiority test.

Concerning the federal government's dominion over the Internet, we need only consider that it controls and funds the backbone of the Internet and that it regulates the domain name registrars. Its ability and legitimacy to control and govern the Internet conceptually falls under the general rubric of regulating interstate commerce.

However, the proposition of bringing a class action related to spam against the government has several practical difficulties.

First, there is a multitude of legitimate claimants. A court would be faced with a colossal number of parties, dwarfing the size of most other class actions suits.

Second, given the Internet's global nature, the question arises: What court site should be used, and whose laws would apply?