Court Issues MySpace Injunction Against Wallace
Last week a federal district court issued an injunction against frequent defendant Sanford Wallace. (Access a pdf version of the order here.) While the injunction itself is not noteworthy, the court’s CAN-SPAM analysis is.
MySpace sued Wallace on account of some 400,000 messages sent through, and 890,000 comments posted on, MySpace (all of the messages presumably promoted Wallace websites or products). Wallace allegedly created 11,000 MySpace accounts (using parallel AOL addresses). (He created the AOL addresses to circumvent the single email requirement, and created multiple MySpace accounts (presumably) to circumvent the restriction on number of messages which could be sent through each MySpace account.) He then allegedly engaged in a phishing scam on MySpace through which he obtained the user name/password of numerous MySpace users. Finally, he allegedly sent messages through MySpace to the “friends” of these users.
MySpace Messages Are Treated Like Emails for CAN-SPAM Purposes
Wallace first argued that the MySpace "messages" do not fall under CAN-SPAM because “the addresses to which those messages are sent lack a ‘domain name’ and have no route, instead remaining within the MySpace.com.” The court rejected the argument with rather sweeping language:
The plain language of the definition of “electronic mail address” entails nothing more specific than “a destination . . . to which an electronic mail message can be sent,” and the references to “local part” and “domain part” and all other descriptors set off in the statute by commas represent only one possible way in which a “destination” can be expressed. Indeed, the word “commonly” precedes the description of an address with a domain part and local part, indicating that this formulation is only one among many possible examples, rather than the exclusive way in which the Act recognizes the expression of an address. As Defendant himself points out, at the time the Act was passed in 2003, electronic messages could be sent in many ways, including through “instant messaging,” and the Court must presume that Congress was well-aware of these various forms of electronic communications when it drafted the Act. The plain language of “electronic mail address” encompasses these alternate forms while also recognizing that the most commonly used form of electronic address was the traditional “email” address with a local part and domain part (i.e., “firstname.lastname@example.org”).
I don’t think the conclusion is that simple. A few points to consider. First, the FTC itself acknowledges doubt with respect to whether CAN-SPAM applies to other forms of messaging. Several court cases similarly acknowledge such doubt. Second, CAN-SPAM focuses on domain names – it contains a definition for “domain name,” and contains a “misleading transmission information” prong, which speaks to “originating electronic mail address, domain name, or Internet Protocol address.” To me these (and several other tidbits) point to the fact that in CAN-SPAM, Congress was concerned with conventional email messages, as opposed to text messages, instant messages, or “in-network” messages.
Wallace Likely Violated the Misleading Header Information Prong (7704(a)(1))
MySpace next argued that by sending the 400,000 (or so) messages, Wallace violated the misleading header prong (7704(a)(1)) which prohibits the use of false/misleading header information. Wallace argued that he never altered any headers, and that messages sent by MySpace users to their friends are by definition transmitted with accurate header information. The court disagrees, noting that:
Congress intended to prohibit not only sending messages with inaccurate header information, but also sending messages with accurate header information, access to which was obtained through false or fraudulent pretenses. See Sen. Rep. No. 108-102 at 17 (2003).
Again, the conclusion does not seem so straightforward. CAN-SPAM actually contains a separate
provision dealing with domain names/email addresses obtained through
false/fraudulent means. Given this more
specific provision, it’s tough to stomach that section 7704(a)(1) was violated
by Wallace when he sent messages to various friends accounts. While Wallace may have improperly accessed such accounts, the messages were actually sent from such accounts - a misleading header prong violation would not seem to exist under these facts.
Failure to Label or Include Unsubscribe Mechanism (7704(a)(3) and 7704(a)(5))
MySpace argued that Wallace violated the provisions which
required labeling and an opt-out mechanism.
Wallace argued that the messages were not “commercial” email
messages. Again, the court disagrees,
inferring that since Wallace made approximately $1 million per year through his
internet business, he must have transmitted numerous commercial email messages,
including these messages through MySpace. The court's description of the messages do not indicate how exactly the messages promoted products or services. Given this, it's hard to justify the court's conclusion here.
Use of Scripts to Register for Email Addresses/Online User Accounts (7704(b)(2))
MySpace argued that Wallace violated the “use of automated means to register multiple addresses” prong (7704(b)(2)).
Shockingly, the court finds that MySpace “failed to . . .
provide evidence sufficient for the Court to infer [use of a bot].” Although MySpace presented evidence regarding
its registration process and how long it would take for someone to register
11,000 profiles, the court finds this evidence insufficient. The court speculates that Wallace could have
spent “23 eight-hour days, without breaks, to create 11,000 profiles.” It's difficult to see how the court concludes Wallace committed an overall violation without finding that he used some improper means to register the various MySpace accounts. If he validly obtained the accounts, the rest of the MySpace claims (excluding the phishing claims, which didn't seem to warrant much discussion) should, by definition, fail.
My take: the court
struggles to fit Wallace’s alleged conduct into a statutory scheme that does
not necessarily encompass such conduct.
An easier, cleaner claim may have been a claim under the Computer Fraud
and Abuse Act or some other statutory claims. Here, the identity of the parties and the numbers of messages probably influenced the court's decision. Unfortunately so.