Spam Diaries posted a few times last week about the Spamhaus amicus brief filed by Matthew B. Prince.  You can find a slimmed down version of the brief (less the twenty or so corporate disclosure statements) here.  It's worth making a few brief comments on the tack taken by Mr. Prince.  (The brief was nicely written, I just have a few conceptual quibbles.) 

Thumbnail version of the facts [many documents helpfully posted by e360 here]:  e360 sued the Spamhaus Project in state court alleging that Spamhaus improperly listed e360 on Spamhaus's registry of known spammer organiations (ROKSO, as it is popularly known).  Spamhaus appeared, exercised its removal rights (removing the dispute to federal court) but then withdrew altogether from the case.  e360 sought and obtained an injunction and other remedies.  Spamhaus now appeals the default judgment/injunction.  Prince filed an amicus brief on behalf of numerous persons and organizations in support of reversal.

Before briefly commenting on the amicus brief, I thought it was worth pointing out the interesting procedural quirk of the case: ordinarily, a party who claims it is beyond jurisdiction of the court can just ignore the lawsuit and then try to fight it at the enforcement end.  Or the party may appear, fight and lose the jurisdictional issue and then appeal the jurisdictional ruling at the end.  Here, e360Spamhaus appeared, availed itself to the jurisdiction of the federal court – where it could have raised the personal jurisdictional argument – and then bailed out on the litigation.  There is probably mixed authority out there on whether e360Spamhaus can now contest jurisdiction.  [correction:  the previous sentences referred to e360, not Spamhaus.]

The brief makes several arguments:  (1) entities such as Spamhaus which provide "rating services" with respect to emailers are essential to the functioning of the internet and email; (2) the relevant statutory scheme provides support for immunity for Spamhaus; and (3) personal jurisdiction is not appropriate in this case under International Shoe (and its progeny).  

The last argument is not very appealing, particularly in a case involving email.  While there are some outlier cases where jurisdiction based on email is not appropriate (see, e.g., Fenn), by and large courts have no trouble finding jurisdiction where someone sends out a bunch of inappropriate messages into the ether (Verizon v. Ralsky, cited in the amicus brief, is one widely cited case for this proposition).  Indeed, many of the cases upon which far-reaching concepts of jurisdction are based (and which are often cited by plaintiffs in spam cases) are defamation cases.  Ironically, Ralsky relies on cases similar to this case and which actually support e360's position:  you cannot continuously malign someone, ignore their C&D, and then claim you are not subject to jurisdiction in their home state. 

The other two arguments are intriguing, but at the end of the day don't confront the critical question in this case – does something about email warrant special status for an "offshore rating entity" totally beyond the reach of US law?  The brief argues that Spamhaus and other similar entities "are critical to the sustained functioning of Internet email."  However, the fact that Congress did not explicitly provide for a "ratings agency exception" in CAN-SPAM undermines this argument. 

The brief argues that (1) CAN-SPAM leaves the door open for immunity where an ISP takes action in good faith to block email (or other offensive content); and (2) Section 230 protects actions taken by the "provider or user of an interactive computer service" with respect to "restricting access" to material that is problematic. 

At the end of the day, both the CDA and CAN-SPAM are clear that they don't really apply to Spamhaus.  And that's what makes this argument so unappealing.  First, CDA only applies to "information provided by another information content provider."  Information available on Spamhaus's site undermines its potential claims to Section 230 immunity: 

Spamhaus publishes the Register Of Known Spam Operations (ROKSO) - a database collating information and evidence on the '200' known worst spam gangs worldwide, used by ISPs to avoid signing up known spammers who would abuse their networks and by Law Enforcement Agencies to help target and mount prosecutions against professional spammers. 

The provisions of CAN-SPAM similarly do not apply to Spamhaus.  The relevant CAN-SPAM section provides:

Nothing in this Act shall be construed to have any effect on the lawfulness or unlawfulness, under any other provision of law, of the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, route, relay, handle, or store certain types of electronic mail messages. 

It's apparent from both statutory provisions that only ISPs – either that obtain information from third parties or that merely transmit messages – are immunized under Section 230 or CAN-SPAM, respectively, with respect to their anti-spam efforts.  Spamhaus does not fit into either category.  It actually publishes the ratings at issue.  And it does not perform any of the blocking or filtering functions.

Notwithstanding the fact that entities such as Spamhaus are "critical to the sustained functioning of Internet email," Congress did not deign to account for such entities in CAN-SPAM (and the CDA).  Absent this, Spamhaus becomes just another off-shore organiation trying to meddle in the affairs of local residents, arguing it is not subject to personal jurisdiction, despite having taken action which it knew affected local residents.  This argument sounds vaguely similar to the typical jurisdictional arguments made by the very spammers Spamhaus is trying to combat.  In this sense, the argument is particularly unappealing.

Update:  I've uploaded the Appellant's Brief (71 page .pdf) which you can access here. 

Also, an emailer points out that Spamhaus may fit under section 230(c)(2)(B), as an entity which "make[s] available to . . . others the technical means to restrict access to [objectionable] material . . . ."   I think that's right, and depends on the scope of the phrase "technical means."  One case addressing a factually analogous scenario is OptInRealBig.com, LLC v. Ironport Sys., Inc., 323 F. Supp. 2d 1037 (N.D. Cal. 2004).  For some reason, the court  analyzed the issue under 230(c)(1) and did not delve into whether Ironport satisfied (c)(2)(B). 

The last word:  the precise issue was answered in the affirmative in a recent California state case:  Pallorium, Inc. v. Jared, No. G036124, 2007 Cal. App. Unpub. LEXIS 241 (Cal. Ct. App. Jan. 11, 2007) (unpublished, summary and link to opinion here).  (I was wrong, the CDA does probably insulate Spamhaus!  The issue of whether Spamhaus creates or merely distributes/publishes ROKSO will not be relevant under this provision.)