Spammers Should Know Their Source New Jersey Law Journal April 11, 2005 HEADLINE: Spammers Should Know Their Source; Establishing a chain of title for target databases is critical to avoid or defend legal actions BYLINE: Jonathan Bick   Bick is of counsel to WolfBlock Brach Eichler of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need To Know About Internet Law [Random House 2000]. BODY: SPAM is a cost effective and lawful marketing tool. A spammer can send an e-mail advertisement to one million people at a cost of only $100. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, CAN-SPAM Act of 2003, 15 USC 7701, allows the use of unsolicited commercial e-mail. However, to avoid legal difficulties, those who use spam should consider doing more. In particular, it is highly advisable to establish an appropriate chain of title for target list databases they acquire. Database transfer transactions may be subject to claims of copyright violation. While printed compilations of data have always been protected under copyright law, computer data - data stored in the form of a database - have only been protected since 1978. As with all copyright law, copyright on databases protects only original works. As such, in most instances only the layout of the database is protected and not the inherent data itself. Prior to Feist Publications v. Rural Telephone Service, 499 U.S. 340 (1991), courts would commonly accept a database owner's argument that the efforts expended to collect and store data constituted a sufficient rationale to protect a database under copyright law. In Feist, however, the Supreme Court held that only the arrangement of collected facts could be granted protection. Copyright law does not prohibit the copying of facts, even newly discovered or expensively acquired facts, according to Harper & Row Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 556 (1985). A database chain of title is the history of all of the documents - including a description of the transfer of title or the right to use a particular set of data - starting with the harvesting of such data and ending with the most recent transfer of that data. A spam target list is a database of e-mails. A computer software application program produces and sends unsolicited commercial e-mails to the target list. A spammer can use the chain of title to show that the target list was lawfully obtained and the spam e-mails were lawfully sent. Ideally, a chain of title for a target database would include the source of the data, a verification that the source collected the data in a lawful manner and had the right to resell such data and proof that the data was lawfully resold to all those who had possession of the database. No standard procedure exists for securing or verifying such a chain; however, certificates of originality and licenses have been used regularly to achieve that purpose. In the field of spam target data, conveyances are typically done via the Internet with little personal knowledge of the other party. These conveyances are normally not recorded and when they are, such recordation is typically in the form of an e-mail exchange. It should also be noted that such e-mail spam target data exchanges rarely refer to more than the mere existence of the data set. Even when more information is included, it usually is limited to a description of the data fields, such as "First Name, Last Name, E-mail Address. ... " A description of the source of the data is normally not included. Too often, those who send unsolicited commerce e-mails are anxious to use the target data as quickly as possible. This zeal can lead to unlawful spam and avoidable legal difficulties if documentation is not complete and clear. While it is not necessary to document each owner of the data, it is desirable to document the key elements of the target data record exactly as they appear in the original. In the field of spam target data, total compliance is normally not possible, and substantial compliance is all that is necessary. Documenting the source of the data is particularly important. Thus, if the seller of a data set states that the data was harvested by a particular Web site, it is imperative that the buyer's due diligence confirms the existence of such a Web site. The buyer must also research the Web site's terms and conditions and copy the portion of the terms of use statement that allows the collection and resale of the data in question. For example, sweepstakes sites are often used to harvest data. Sweepstakes are "games of chance," where the choice of a winner is entirely random - no skills or payment by the winner are required. If the seller of a target data set said a sweepstake site harvested the set, the seller should visit that site and copy the portion of the site that demonstrates that the site collects and resells data. A typical notice which confirms the resale of data might state: this site requires that users voluntarily register and provide personally identifiable information to enter our sweepstakes and by submitting your personally identifiable information, you are authorizing the owners of this site and its affiliates to use, share, loan, rent, sell and/or disclose your personally identifiable information to third parties selected by the site owners' sole discretion. Such notices are usually found in the privacy policy section of a Web site. Particular care is required when the purported source of the target data is not available, the site is available but includes no notice and/or the site is available, has a notice, but the notice fails to allow resale of data. The price paid for the target data may also provide clues to the existence of a lawful title chain. A data set that is identical to another data set and resells in a relatively short period of time for a high price probably had a lawful source because law enforcement officials continue to prosecute providers of unlawful target data, and those using unsolicited commercial e-mail are willing to pay a premium to avoid legal difficulties. It is unlikely that establishing a lawful chain of title for target data is easy or cheap. Regardless, an entity that uses unsolicited commercial e-mails should never skip the chain of title portion of the research when acquiring target data. It is essential. At the very least, it will provide a spammer with the overall framework of a defense in the event he or she is charged with intentionally or negligently buying stolen intellectual property or violating the CAN-SPAM Act. By working to establish a chain of title for target data, a defense based on proof of substantial compliance with the CAN-SPAM Act will likely prevail, since most judges and juries either understand or could be convinced that full compliance is not possible. In short, those who attempt to establish a chain of title for a target database will not only avoid litigation and likely prevail in the event of legal difficulties, but will also be protected from hasty conclusions and other mistakes that are all too easy to made without preparing the necessary groundwork.