A Tale of Two Anti-Spam Laws
By Ken Magill
Well, lookee here! The most-criticized anti-spam law in the world has nabbed yet another criminal.
Eric L. Crocker, 39, of Binghamton, NY, last week pleaded guilty to one count of violating the U.S. CAN-SPAM Act before United States District Judge Maurice B. Cohill, according to the U.S. Department of Justice.
Crocker is one of 12 people charged in connection with a significant computer hacking forum known as Darkode, which has since been dismantled, the DOJ said in a release.
“In connection with the guilty plea, the court was advised that Crocker knowingly accessed a protected computer without authorization, namely a computer that had been infected by the Facebook Spreader and Slenfbot, and did intentionally initiate the transmission of multiple commercial electronic mail messages from or through such computer,” the statement said.
Crocker’s sentencing is scheduled for Nov. 23. He faces up to three years in prison, a $250,000 fine, or both.
Presumably, the 11 other bad guys are still on the hook, as well.
Anti-spam zealots hate the CAN-SPAM Act. They call it the “You-Can-Spam Act” because it is opt-out based, meaning it does not outlaw unsolicited commercial email.
On the other hand, anti-spam zealots absolutely love Canada’s anti-spam law because it is opt-in based, strict and highly punitive.
But which one is truly the better law?
At some point, results simply speak for themselves. In comparing the results of the U.S. CAN-SPAM Act and Canada’s anti spam law, that point is now.
From solely a results standpoint, CAN-SPAM towers over CASL to an embarrassing degree. Yes, CAN-SPAM has been in force for 11-plus more years than CASL, but the first CAN-SPAM enforcement alone towers over everything CASL has accomplished in 13 months.
In April of 2004, the Federal Trade Commission announced it had shut down Detroit-based spamming operation Phoenix Avatar.
“Since January 1, 2004, consumers have complained to the FTC about 490,000 spam messages linked to Phoenix Avatar,” the FTC said in a statement.
By comparison, the Canadian Radio-television and Telecommunications Commission has so far fined three companies for alleged CASL violations.
In March the CRTC announced it had fined dating site PlentyofFish $48,000 for a noncompliant unsubscribe mechanism
A freedom-of information request by Business in Vancouver reportedly revealed PlentyofFish, was responsible for 0.03 percent of spam complaints to the Commission, or 70 complaints out of 225,000.
Also in March, the CRTC announced it had fined a Quebec-based management-training company $1.1 million.
According to the CRTC, Compu-Finder accounted for 26 percent of all the complaints it received about Compu-Finder’s industry sector. Not 26 percent of all the spam complaints the CRTC received to that point, 26 percent about its industry sector.
How many complaints can the CRTC possibly be receiving about business-to-business management-training spam, especially when companies tend to have IT professionals who can block incoming messages from any traceable source they want?
In June, the CRTC fined regional airline Porter $150,000 for allegedly failing to have required contact information in some emails, failing to honor some opt outs within 10 business days and being unable to provide acceptable proof of permission to send.
According to the Toronto Star, Porter Airlines spokesperson Brad Cicero said the errors were made as part of a company switch to a new email platform.
“’It was a very small percentage of the database we have,’ Cicero said, noting that because of the switchover, the isolated errors were not immediately apparent.
“’When we found out, we made the changes . . . they haven’t recurred since then,’ he said.”
The first enforcement action under CAN-SPAM alone shut down an operation responsible for at least 489,000 more spam complaints than all three fines levied under CASL. And I’m being generous here.
It is highly unlikely the three companies fined under CASL came even close to accounting for 1,000 spam complaints to the CRTC. If the numbers were impressive, the CRTC would have touted them.
Instead, it took a freedom-of-information request to pry even one of those numbers out of the CRTC—70.
Meanwhile, the list of enforcement actions against actual bad guys under CAN-SPAM is long.
The difference between CAN-SPAM and CASL is CAN-SPAM wasn’t designed to bludgeon commercial entities over minor nuisance behavior.
The American FTC is no better than the CRTC. Both are staffed with bureaucrats who abuse their power (redundant).
But for some reason, the FTC seemingly doesn’t abuse its power with the CAN-SPAM Act. Maybe the difference is in the spirit in which the laws were written.
CAN-SPAM was written to protect companies from a Byzantine maze of state anti-spam laws and individual lawsuits, while giving law enforcement and ISPs the tools to go after truly bad actors.
For almost a dozen years, CAN-SPAM has been applied in the spirit in which it was written and has claimed a bunch of deserving scalps.
CASL, however, seems to have expressly been written to clamp down on relatively minor nuisance behavior by commercial email senders. Or if it wasn’t written with such intent, it is at least being applied that way.
Any honest assessment of CASL so far leads to one obvious conclusion: Having the strongest anti-spam law in the world hasn’t remotely translated into having the “best” one.