An abuse of email technology to transmit a large amount of unsolicited junk email in bulk, often for commercial reasons. Spam is often sent by botnets, networks of virus-infected computers, which hinders the prosecution of spammers. Some estimates state that nearly 80 percent of all email sent worldwide is spam.

For computer users, spam can be annoying. Spam is often used to send fraudulent offers or to disseminate malicious software such as viruses. Spammers harvest and compile bulk listings of email address through automated scanning of popularly used websites or by intercepting the transmission of electronic mailing lists.

Spam often has some form of false or misleading information and consistently offends recipients by promoting investment scams, pornography, or medications. The Federal Trade Commission (FTC) found that 66 percent of all spam has false, fraudulent, or misleading information somewhere in the email's routing information, subject line, or message content.

Most Americans agree that spam clutters email inboxes with unwanted communication and thus violates the privacy of email users and their “right to be let alone.” Current Supreme Court jurisprudence on the right to privacy in one's home also grants email recipients a right to privacy in what they receive in their email inboxes. One origin of this right in this context is from the case of Rowan v. United States Post Office Department, 397 U.S. 728 (1970), in which the U.S. Supreme Court recognized an individual's “right to be let alone” and held that a mailer's right to communicate ends at the mailbox of an uninterested addressee. The appellants challenged the constitutionality of a statute that effectively prohibited sexually explicit mailings on free speech grounds. Rejecting this argument, the Court pointed to the necessity that the “right to be let alone” must balance with the right of others to communicate: “Individual autonomy must survive to permit every householder to exercise control over unwanted mail.” Accordingly, the statute served to protect individuals' privacy and passed constitutional muster. The Court stated:

Similarly, the right of spammers to solicit others must end at the outer edge of each individual's private domain. The sanctuary of the home in the Rowan case included the mailbox. A mailbox and an email inbox serve the same purpose: to send and receive communications. Individuals maintain a higher expectation of privacy in email addresses. Email addresses maintain anonymity and are not a matter of public record. Each recipient must have a password to access an inbox, just as one must have a key to enter a residence. Thus, an inbox must be considered part of the home and enjoy at least the same protected status as the mailbox. It follows that no one has the right to impose ideas on unwilling recipients in the sanctuary of his or her email inbox. Spammers do not have a fundamental right to send unsolicited commercial emails to individuals' inboxes. Consequently, spam encroaches upon the personal space of individuals and violates their “right to be let alone,” their right to be free from objectionable intrusion, and their right to privacy.

Because email inboxes are personal space, they receive privacy protection. In CompuServe Inc. v. Cyber Promotions, Inc., 962 F. Supp. 1015 (U.S. Dist., 1997), an Internet service provider (ISP) sought to prevent a spammer from sending unsolicited commercial email to its subscribers based on a “trespass to chattels claim.” The ISP argued that the volume of messages generated by mass mailings substantially burdened its equipment and storage capacity. Defendant spammers ignored the ISP's notification that they were prohibited from continuing such activity and disregarded the ISP's request to cease and desist from sending unsolicited email to its subscribers. The spammers also modified their equipment and messages to circumvent the ISP's filtering software. The ISP in CompuServe asserted that this action represented a trespass upon its personal property. The court agreed, holding that “the use of personal property exceeding consent is a trespass.” Electronic signals generated and sent by computers have been held to be sufficiently physically tangible to support a trespass cause of action. Given the determination that ISPs maintain private property, email inboxes must therefore constitute personal private property rather than public property.

In Cyber Promotions, Inc. v. AOL, 948 F.Supp. 456 (1996), a federal district court found that AOL had the right to prevent spammers from reaching its subscribers over the Internet. The spammers claimed that AOL's conduct constituted state action to support their claim that AOL was required to respect their right to free speech. The court found that AOL did not exercise any “municipal powers or public services traditionally exercised by the State.” Even though AOL “technically” availed its email system to the public by connecting to the Internet, it did not open its property to the public by performing functions typically reserved for a municipality or a state. AOL's Internet email connection did not constitute an exclusive public function because several alternatives to email existed for commercial communication, such as the World Wide Web, U.S. mail, telemarketing, television, cable, newspapers, magazines, and leaflets. Email inboxes thus constitute personal, rather than community, space and thus enjoy a right to privacy.

Spam invades the privacy of email recipients by sending objectionable content to them, whether or not they want this type of material. Spam imposes significant costs on email users. By the first decade of the twenty-first century, spam cost both individuals and businesses a considerable amount of time and money. Both the privacy and cost issues contributed to demands that spam be curtailed, including by federal legislation.

Congress recognized the importance of email and the harms caused by spammers. To shift the costs of advertising to the spammer and to enhance the privacy of email users, Congress enacted the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), 117 Stat. 2699. The statute became effective January 1, 2004. Finding that many spammers purposely mislead recipients and often conceal their identity, Congress justified the statute, asserting that there is a substantial government interest in regulating commercial email on a national level, spammers should not mislead recipients about the source or content of electronic messages, and recipients of commercial email have the right to decline additional spam messages. To enforce this statute, the FTC promulgated and enforced protocols for the commercial use of bulk email.

The statute prohibits predatory and abusive commercial email. The law penalizes those who knowingly engage in one or more of the following behaviors: (1) accessing a protected computer without authorization and intentionally initiating the transmission of multiple commercial email messages through that Computer; (2) sending several multiple commercial email messages with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages; (3) materially falsifying header information in several commercial emails and intentionally initiating the transmission of such messages; (4) registering for five or more email accounts or online user accounts or two or more domain names using false identification and intentionally sending spam from such accounts or domain names; and (5) falsely representing oneself to be the registrant of five or more Internet protocol addresses and intentionally initiating the transmission of spam. Individuals participating in these activities could be imprisoned for up to five years and be liable for a maximum of $6 million in fines.

The statute's opt-out provision requires commercial email messages to include a functioning return email address that a recipient may use to opt out of future spam from the sender. The email address provided must remain active for at least thirty days after the original message was transmitted. Once a consumer effectively chooses to opt out of future email messages, the sender must respect the decision. After this point, it would be unlawful for the initial sender or anyone acting on such person's behalf to transmit, or to assist in the transmission of, a commercial email message upon the expiration of ten business days after the receipt of the opt-out notice. The initial sender and any person with knowledge of the opt-out request must refrain from selling, leasing, exchanging, or transferring the recipient's email address. Also, commercial email messages must provide clear and conspicuous identification that the message is an advertisement or solicitation, notice of the opportunity to decline to receive further messages, and a valid physical postal address for the sender.

The CAN-SPAM statute also prohibits harvesting and dictionary attacks, and requires individuals to place warning labels on commercial emails with sexually oriented material. Email messages containing sexually explicit content must include in the subject line the marks or notices prescribed by the FTC. Such messages must further ensure that the message, when initially opened, contains only the content required by the opt-out provision and instructions on how to access the sexually explicit material, unless the sender receives the prior affirmative consent of the recipient. An individual in violation of this provision can face up to five years in jail and/or fines.

The CAN-SPAM Act restricted the role of the states in combating spam, and placed the FTC in charge of enforcement actions. However, the act, permitted state attorneys general to bring civil litigation for injunctions or to obtain damages, but only if the alleged violation threatens the interests of a resident of a particular state. Thus, the CAN-SPAM Act preempts or supersedes state laws that expressly deal with commercial emails (even if the state law is more stringent than CAN-SPAM). States may only prohibit false and deceptive commercial email messages and can regulate issues such as computer crime, tort, and trespass.

This legislative action enjoyed rare overwhelming bipartisan support. This support indicated a substantial legislative commitment to the spam issue and understanding of the severity of this problem. The act was a significant step forward in supporting the individual's “right to be let alone” in balancing privacy with free speech rights. The CAN-SPAM Act will serve to deter spammers from sending fraudulent or misleading email messages, from concealing their identity, and from using intrusive methods to collect email addresses. Email users will be able to identify spam messages as advertisements generally and as pornographic messages specifically due to the provisions of the act. The CAN-SPAM Act has had a valuable role in initiating legislative action, which would restrict spam, increase the privacy of the email inboxes of Americans, and relieve Americans from the financial burdens of unwanted advertising.

Despite the promise of the law, some observers argue that the statute is not effective enough in fighting spam. These critics believe that spam needs to be subject to further restriction through a combination of market-based initiatives and additional restrictive statutes and regulations.

The CAN-SPAM Act did not create an entirely effective solution to the spam problem because it allows spammers to continue to send messages to inboxes with impunity, forced spam recipients to take an affirmative act to curtail future incursions, provided lenient requirements and inadequate enforcement mechanisms, preempted stricter state anti-spam laws, and delayed the need for a global solution. Despite congressional acknowledgment of the spam problem, recognition of the substantial government interest in remedying such a problem, and the bipartisan support for this federal anti-spam legislation, Congress made concessions to several special interest groups and failed to provide consumers adequate protection from intrusive spam marketing techniques. Public opinion against spam helped motivate Congress to enact the CAN-SPAM Act. Even shortly after passage, the act failed to present an entirely effective solution to the expensive and intrusive problem of spam.

The spam law debate shifted into a controversy over two conflicting approaches: the opt-in and the opt-out mechanisms. The opt-in approach requires that all spammers obtain express permission before transmitting any email addresses. The more lenient opt-out approach allows spammers to send messages as long as each message offers a legitimate link from which one can request that the spammer refrain from sending future emails. Congress favored the opt-out approach because it allowed marketers and businesses with the most leeway to conduct their work.

The opt-out method of regulation has failed, however, to protect individual privacy fully. It continues to allow uninvited and unwelcome messages to individual inboxes in homes and businesses. Under current law, to halt unwanted email, individual users must take an affirmative step against each piece of unwanted mail; such a move wastes more time and money than the underlying problem. By implementing the opt-out approach, Congress developed a method that imposed additional costs on individuals because it is a competitive, repetitive, and labor-intensive method to oppose spam.

In terms of privacy, the opt-in approach protects consumers to a significantly greater degree and in a more effective manner. The opt-in approach prohibits unsolicited intrusions and requires that spammers send invited messages only. Like a vaccine prevents a disease, the opt-in approach stops the widespread dissemination of spam. Rather than imposing the costs of the remedy on all email users for each uninvited message like the opt-out approach, the opt-in approach imposes costs on spammers and those interested in receiving spam. In other words, it shifts the burden of sending spam onto spammers. Spammers must ask permission to enter an inbox instead of entering and then being asked to leave. The opt-in approach would ultimately serve to reduce the enormous volume of spam clogging networks and flooding the email system, and would halt the widespread waste of time and money directed at eliminating spam. Congress should adopt the opt-in approach to protect the privacy of email users.

The CAN-SPAM Act delayed efforts to pursue an internationally harmonized solution to spam by calling on the FTC to study the issues relating to the CAN-SPAM Act from 2014 to 2016. The U.S. law hampered efforts to form an international alliance to fight spam because the legislation failed to prohibit spam. The United States and the European Union (EU) ended up with contradictory legislation. The EU Directive, enacted in the fall of 2003, forbade email promotions unless the recipient provided the marketer prior consent. The EU holds the position that an email account must enjoy privacy and thus requires businesses to obtain explicit permission before sending email messages. To stop spam from systematically compromising the privacy of email users, many observers urged Congress to take action to harmonize the U.S. position on spam with that of the EU by supporting the opt-in approach.

The CAN-SPAM Act, in its current form, has ineffectively regulated commercial spam and has not reduced the amount of commercial spam. Internet junk email increased in the years since the legislation was enacted. Critics charge that the opt-out provision continues to be a major weakness of the legislation. One reason is that spammers have no incentive to comply with opt-out requests. Several fixes and compromises were proposed, including one that would provide an opt-out regulation for political spam and an opt-in regulation for commercial spam, which would effectively balance free speech interests with the right to privacy by allowing spammers to send unsolicited emails as long as recipients are able to block future unwanted emails.

Further Reading

See also: Computers and privacy; Consumer privacy; Data harvesting; Federal Trade Commission (FTC); Financial information, privacy right to; Marketing; Right to be left alone