Monday, June 10, 2013

Remotely hosted images can't provide clear and conspicuous disclosure in email

ZooBuh, Inc. v. Better Broadcasting, LLC, No.: 2:11cv00516-DN (D. Utah May 31, 2013)

This CAN-SPAM case caught my eye because of its discussion of disclosures.  CAN-SPAM prohibits sending any commercial email with header information that is materially false or materially misleading, and requires the provision of certain content in the email bodies. ZooBuh, an internet access service with about 35,000 customers, sued Better Broadcasting and other defendants; when the defendants defaulted, the court found that ZooBuh had standing as a bona fide internet access service.  ZooBuh was awarded damages in the amount of $1,608,360 and a permanent injunction.

The court found that the header information here was materially misleading.  CAN-SPAM provides that “[h]eader information shall be considered materially misleading if it fails to identify accurately a protected computer used to initiate the message because the person initiating the message knowingly uses another protected computer to relay or retransmit the message for purposes of disguising its origin.”  In addition, “header information that is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations shall be considered materially misleading.”

Reasoning from cases relying on California’s stricter anti-spam law, the court concluded that when a sender “intentionally uses privately registered domain names in its headers that neither disclose the true sender’s identity on their face nor permit the recipient to readily identify the sender . . . such header information is deceptive.”  Thus, “where an email contains a generic ‘from’ name and is sent from a privacy-protected domain name, such that the recipient cannot identify the sender from the ‘from’ name or the publicly available WHOIS information,” it violated CAN-SPAM.  Many of the emails here contained “generic or nonsensical” “from” names, including “Accounting Degree,” “Add a Sunroom,” “Adult Education,” “Air Conditioner,” “Airline Tickets,” “Ink Cartridges,” and “Ultrasound Technician,” and they all originated from privacy-protected sender domains.

In addition, and potentially sweeping more broadly, the court found that access to the sender domains was obtained by means of false or fraudulent pretenses or representations, because registrants with ICANN-compliant registrars must usually promise not to send spam or unsolicited commercial email.  “If, as is the case here, the registrant does intend to use the domains for prohibited purposes, the registrant obtained the domains under a false pretense,” so defendants violated CAN-SPAM when they sent commercial email from domain names registered with registrars who bar sending unlawful commercial email or SPAM.  (This isn’t quite as troubling as many interpretations of the CFAA, but it seems recursive: this is unlawful spam because the agreements barred sending unlawful spam, making the spam unlawful.)

Beyond the headers, the emails also violated CAN-SPAM’s content requirements.  The law requires clear and conspicuous identification that a message is an ad, along with clear and conspicuous notice of the opportunity to opt out of further messages, and a valid physical postal address.  The court accepted a definition from an FTC case, F.T.C. v. Affiliate Strategies, Inc., No. 5:09-CV-04104-JAR-KGS, 2011 WL 3300097, *2 (D. Kan.Aug. 1, 2011): “clear and conspicuous” means the “disclosure must be unavoidable . . . [and] [a]ny visual message shall be of a size and shade, with a degree of contrast to the background against which it appears, and shall appear on the screen for a duration and in a location sufficiently noticeable for an ordinary consumer to read and comprehend it.”

The question presented was whether providing disclosure through a remotely hosted image was clear and conspicuous. The court held that it was not.  Multiple authoritative sources recommend in the strongest possible terms that email recipients configure their systems to avoid automatically downloading/displaying remotely hosted images, in order to protect the security of their systems.  Industry standards “typically prevent the display of remotely hosted images in email messages”; for example, AOL simply doesn’t support full HTML in email.  Moreover, remotely hosted images aren’t permanent.  As a result, “the content of remotely hosted images in email communications is not unavoidable and is not likely to appear on the recipient’s screen for a duration and in a location sufficiently noticeable for an ordinary consumer to read and comprehend it.”

The court stated that it was not defining what would be clear and conspicuous, but noted that “[e]very email client, even one with the most strict security settings, would likely be capable of reading text emails” and that there were likely many ways to provide clear and conspicuous disclosures without remote images.  Here, none of the required content appeared to be provided, but if it was, it was only provided through remote images.  When ZooBuh received and reviewed the emails at issue, none of the remote images were viewable. 

Given the pattern of violations, the court doubled the statutory damage award to $1,608,360 and enjoined defendants from further violations of the CAN-SPAM Act.

No comments: