Spamming is the transmission of mass, unsolicited email on subjects as diverse as "get-rich-quick ads, weight loss ads, health aid promises and even phone sex services."[1]  Spammers tend to send their messages in large bursts to long lists of email addresses:  a large ISP, such as America Online, may receive millions of such messages for delivery to its customers in a single day.[2]

Spamming is attractive to advertisers because it achieves wide coverage at very low cost. Mass electronic mail is substantially cheaper than bulk rate mailing, telemarketing and other methods of direct-to-customer advertising, and has the additional advantage that recipients of spamming usually must read the spammers' messages in order to determine that they are unwanted.[3]  These advantages have spawned new companies, such as Cyber Promotions, Inc., that offer advertisers the capability to send spam to millions of unsuspecting recipients.

Spamming causes a number of problems, both for the addressees and for the ISPs that receive and store junk email addressed to their customers.  Addressees may incur downloading charges each time they retrieve a spammed message.  ISPs are harmed when their servers are "clogged" by junk email, interrupting customer service and possibly damaging ISP software.  ISPs that deliver spam also lose customer goodwill, as shown by the heavy volume of complaints ISPs receive when their customers are spammed.[4]

As the following discussion shows, while spamming is not per se unlawful, spamming that harms the facilities, reputation or customer relationships of an ISP may give rise to civil or criminal liability.  As the following also points out, ISPs may lawfully take a range of self-help measures to protect themselves and their customers from unsolicited email.  Finally, we describe below some bills, pending in the 106th Congress, that are designed to control spamming.

The Congress has not enacted an email equivalent of the so-called "Junk Fax Act," which makes it unlawful for any person to "use any telephone facsimile machine, computer or other device to send an unsolicited advertisement to a telephone facsimile machine. . ."[5]  Until such a statute is enacted, the mere transmission of junk email, without more, is not unlawful.  Where spam causes harm to an ISP or its customers, however, the spammer may be liable under a number of causes of action, including the Computer Fraud and Abuse Act, the Lanham Act and tort theories such as trespass to chattels.[6]  Each of these theories merits a brief discussion.

The federal Computer Fraud and Abuse Act ("CFAA")[7] and similar state laws establish civil and criminal liability for certain acts that result in damage to computer systems, destruction or alteration of programs or data stored in those systems, or denial of authorized access to those systems.[8] Although no court has ruled on the application of these statutes to spamming, at least one reported case involves CFAA claims against both a spammer and the ISP whose customers were spammed.[9]

The CFAA is a promising cause of action for ISPs when spammers clog ISP servers, preventing subscribers from accessing the system or otherwise harming the system, its facilities or programs.  The relief available under the CFAA's private right of action includes injunctions and other equitable remedies, as well as damages.[10]  ISPs also should be aware of anti-hacking statutes in the criminal codes of states in which their facilities are located.  The provisions of the state laws are remarkably diverse, and some statutes may be more favorable to plaintiffs than the CFAA.  Accordingly, complaints alleging CFAA violations by spammers typically will include state claims, as well.

In a case brought by CompuServe against Cyber Promotions, Inc., a U.S. district court in Ohio enjoined Cyber Promotions from sending any unsolicited advertisements to any email address maintained by CompuServe.[11]  In support of its action, the court found it likely that CompuServe could establish a claim against Cyber Promotions for the tort of trespass to chattels, which is defined in the Restatement as the intentional use of, or intermeddling with, a chattel in possession of another.[12] 

Cyber Promotions argued that trespass to chattels cannot be established unless a defendant "actually takes physical custody of the property or physically damages it . . ."[13]  The court, however, applying Ohio law supplemented by relevant provisions of the Restatement, found that an actionable trespass occurs whenever a defendant's conduct diminishes the value of the plaintiff's property.[14]  Applying this view of the law to the case before it, the court held that Cyber Promotions' electronic transmissions to CompuServe's facilities were sufficiently tangible to constitute a trespass.  The court further found that "the enormous volume of mass mailings that CompuServe receives places a tremendous burden on its equipment," with the result that data processing and storage resources are diverted from the task of serving CompuServe's subscribers.[15]  Similarly, the court found that receipt of unwanted email caused harm to "plaintiff's business reputation and goodwill with its customers." [16]  These forms of injury, while concededly involving no physical damage to CompuServe's equipment, diminished the value of that equipment to CompuServe and satisfied the injury element of the tort.

While the CompuServe decision is useful precedent, two cautionary notes concerning this case are in order.  First, the court in CompuServe stated that in order to prove a trespass -- i.e., unauthorized entry -- an ISP arguably is required to show that the spammer was given notice that its transmissions no longer were welcome on the ISP's system.[17]   Second, the court's conclusion that mass email that burdens, but does not damage or prevent the operation of, an ISP's facilities constitutes an actionable trespass is somewhat adventurous and may not be supported by the tort law of other states in which similar actions are brought. 

Spammers sometimes conceal the source of their messages by falsifying the point of origin information in the message header, removing sender information in the header and replacing it with another address, or configuring their servers to simulate other computers.  In many cases the false information generated by spammers suggests that their messages originate with other entities, including reputable, well-known ISPs that have no relationship with the spammers.

Conduct of this kind violates criminal statutes and gives rise to both state and federal causes of action.  For example, where a spammer misuses a domain name or other identifying information that is protected as a trademark, the victim of the practice may bring a trademark infringement action under the Lanham Act[18] and state anti-dilution statutes.  Even where the identifying information misappropriated by the spammer is not trademarked, the spammer's conduct may constitute unfair competition under section 43(a) of the Lanham Act[19] and may violate state consumer protection statutes, as well.

ISPs have taken a number of measures to protect their subscribers from mass, unsolicited email.  One approach is simply to refuse to deliver email that originates with known spammers.  Another is to "bomb" the sender by returning undelivered or undeliverable email in bulk to the originating server.  Still another is to implement software that permits the ISP's subscribers to decide whether they wish to receive spam, and that blocks spam addressed to any subscriber who has not elected to receive it. 

All of these measures are lawful, although the "bombing" approach may present some slight legal risk where the practice causes harm to a spammer's server or system.  As the following discussion shows, the courts so far have been supportive of self-help measures adopted by ISPs to deal with spam, and have endorsed the fundamental principle that ISPs have no obligation to deliver all electronic mail that reaches their systems.

Spammers are legally helpless against ISPs' refusals to deliver their messages unless they can find some "right" to have their messages delivered, or some "obligation" of ISPs to transmit or deliver all communications that reach their systems.  Cyber Promotions has tried to establish that ISPs are obligated under the First Amendment, or as common carriers, to deliver bulk email messages to their subscribers;  but those efforts so far have failed.

In the AOL case, Cyber Promotions argued that AOL's refusal to deliver bulk email constituted a form of state action, subject to the free speech provisions of the First Amendment.  Cyber Promotions' principal argument was that AOL was in the same position as the company town in Marsh v. Alabama[20] and the shopping center in Amalgamated Food Employees Union v. Logan Valley Plaza,[21]  which the Supreme Court found to be state actors when they suppressed certain expressive activity.  The court rejected this argument, however, finding that AOL is not equivalent to a state actor because it does not serve any "exclusively public function" and because Cyber Promotions had numerous, alternative outlets for its advertising messages.[22]

When Cyber Promotions raised its First Amendment argument again in the CompuServe case, the court merely recounted with approval the reasoning of the AOL court.[23]  The CompuServe court also made short work of an alternative argument, to the effect that large ISPs must serve everyone indifferently because they are a kind of common carrier.  The court found that CompuServe's service was neither "essential to society" in the same sense as traditional public utility services, nor a monopoly service of the kind traditionally regulated under common carrier principles.[24]     

If an ISP has no obligation to deliver spam, then logically it has the right to return spam to its point of origin.  We should be aware, however, of Cyber Promotions' claim that AOL violated the CFAA and committed various torts when its "bombing" allegedly caused other ISPs to terminate their contracts with Cyber Promotions or refuse to enter into contracts with Cyber Promotions.[25]  While the court in AOL did not rule on this claim and it seems unlikely that such complaints will garner much sympathy, the most conservative approach an ISP might take is to delete, rather than return, undelivered email from spammers.[26]

An ISP's safest response to spamming is to offer its subscribers the choice to elect whether or not they wish to receive spam.  AOL, for example, has implemented a program called Preferred Mail, through which AOL's servers can be programmed to deliver messages from known spammers only to those subscribers who have elected to receive bulk email.  This approach limits the ISP's exposure by making the subscriber, rather than the ISP, the decision maker.  It also requires spammers, if they wish to reach all of the ISP's subscribers, to take deceptive measures to evade the blocking software -- conduct that will make the spammers especially vulnerable to charges of computer fraud and abuse, trespass to chattels, unfair competition, trademark infringement and other claims.[27]

At both the state and federal levels, legislators have attempted to craft statutes that would control the ongoing deluge of mass, unsolicited email.  In the state legislatures, a number of statutes have been passed that give ISPs rights against those who violate their anti‑spam policies, require spammers to honor requests to "opt out" of their mailings, or prohibit the use of false header information to conceal the source of spam and defeat ISPs' blocking software.  So far, however, only Louisiana has tried to ban spam outright ‑ and Louisiana's statute is the target of a First Amendment challenge to its lawfulness.

In the Congress, at least eight anti‑spam bills have come and gone without becoming law.  In the current Congress, six such bills have been introduced and still are pending at different stages of the process.

Some of the pending bills make it unlawful for a spammer to violate an ISP's posted anti‑spam policy.  H.R. 3113, for example, introduced by Rep. Heather Wilson of New Mexico, permits ISPs to recover actual damages or $500 per violation ‑ whichever is greater ‑ for transmissions that violate a posted anti‑spam policy.  H. R. 2162, introduced by Rep. Gary Miller of California, gives ISPs a civil cause of action in the amount of $50 per message, up to a maximum of $25,000 per day, for violations of anti‑spam policies.

Other pending bills require spammers to honor "opt‑out" requests ‑ i.e. declarations by email account holders that they do not wish to receive mass unsolicited commercial messages.  H.R. 3113, for example, requires all spammers to include a valid return address that can be used by recipients to request removal of their names from the spammer's mailing list; and requires the Federal Communications Commission to maintain a global opt‑out list of email account holders that do not wish to receive spam from any sender.  Similarly, H.R. 1910, introduced by Rep. Gene Green of Texas, prohibits the sending of spam to any recipient who has opted out of future mailings from the sender.  S. 759, introduced lay Senators Markowski and Torricelli, requires ISPs to maintain and make available lists of their users who had elected not to receive spam (but also requires ISPs to let their customers opt out of the ISPs' anti‑spam policies).

Some of the pending bills also address the use of false return address information to obscure the origin of spam and defeat blocking software installed to enforce ISPs' anti‑spam policies.  Notably, H.R. 3113, as noted earlier, requires that all mass, unsolicited email include valid return address information.  H.R. 2162 creates criminal penalties for "hijacking" the domain names of others in sending spam messages; and H.R. 1910 would prohibit the sending of unsolicited bulk email containing false sender information, a false return address, or other false header information.