How Not to Stop Spammers

Spam Arrest is a company that sells an anti-spam service. They attempted to sue some spammers and, as has been widely reported, lost badly. This case emphasizes three points that litigious antispammers seem not to grasp:

  • Under CAN SPAM, a lot of spam is legal.
  • Judges hate plaintiffs who try to be too clever, and hate sloppy preparation even more.
  • Never, ever, file a spam suit in Seattle.

Spam Arrest’s anti-spam service uses challenge/response (C/R). When a message arrives from a hitherto unknown address, their robot replies and waits for the putative sender to confirm that he, she, or it is a nice person and not a spambot. Laura explains all the reasons that C/R is considered ineffective and abusive, mostly that the people who get the challenges are not necessarily the people who sent the mail, and the people who respond to challenges are not necessarily the people you want to hear from.

Since CAN SPAM says that spam is legal so long as you follow some simple labelling and opt-out rules (something Spam Arrest’s lawyer certainly knows, but more about that later), they tried a different approach. The challenge page added language, in what’s known as a clickwrap contract, in which the sender promised not to send unsolicited ads and to pay $2,000 if they did.

The lawsuit was against several commercial mailers including Replacements Ltd., a seller of spare china and cutlery which in my experience is a very aggressive but legal mailer, and Sentient Jets, a jet charter service. Spam Arrest claimed that Replacements and Sentient had sent mail in violation of the no-spam contract, and threw in some other claims of tortious interference between Spam Arrest and its customers, state consumer protection claims, and a Computer Fraud and Abuse Act (CFAA) claim that Sentient had accessed Spam Arrest’s computers without permission.

The alleged clickwrap contract was the first problem. For a contract to exist, there has to be a “meeting of minds” between the parties, and the court found no evidence that Sentient had met. While it was clear that people at Sentient had clicked on all those challenges, it was utterly unclear who they were, and whether those people were able to bind Sentient to a contract, since Sentient has hundreds of employees, and they were more likely to be clerks than corporate officers. And even if the contract were valid, the judge said:

Putting aside Spam Arrest’s failure to raise a factual dispute as to the formation of a contract or its breach, it also has not proven any damages arising from a breach of contract. Its $2,000 liquidated damages provision is invalid, and Spam Arrest has offered no evidence that would permit a jury to conclude that Sentient Jet’s alleged breach of any contract caused quantifiable damage. In particular, it cannot show that any customer left Spam Arrest as a result of email from Sentient Jet. Indeed, there is scarcely any evidence that any Spam Arrest customer has left as a result of receiving spam from anyone. For many of the same reasons, Spam Arrest’s tort claim and its statutory claims do not, as a matter of law, pass muster. Spam Arrest’s tortious interference and CPA claim are not triable for the same reasons that its breach of contract claims are not. Spam Arrest’s attempt to invoke the CFAA is doomed because there is no evidence that Sentient Jet has done anything that the statute prohibits.

This was trying to be way too clever. Judges hate that.

Spam Arrest further hurt its chances by sloppy preparation, e.g., the messages at issue were described in a large spreadsheet.

The spreadsheet, which the court cites with the notation “SS,” is the most comprehensive data set on the 600 Sentient Jet verifications at issue. Todaro Decl., Ex. 6 (Dkt. # 39); Nguyen Decl. ¶¶ 21-22 (Dkt. # 69) (explaining each column of data in spreadsheet). The court relied on the version Sentient Jet submitted, despite Spam Arrest’s complaint that the version it produced in discovery is “similar” but perhaps not identical. Nguyen Decl., ¶¶ 21 (Dkt. # 39) (comparing Dkt. # 39 to Dkt. # 73-2). Sentient Jet submitted an electronic version of the spreadsheet, whereas Spam Arrest relied solely on an unwieldy 90-page printout for which it provided no courtesy copy.

A 90 page printout of a spreadsheet, with no electronic version? Maybe they thought they were making it harder for Sentient, but mostly they annoyed the judge.

Spam Arrest’s records of what mail Sentient sent to what customer were, to put it mildly, deficient. The judge said:

No one knows what was in the 600 or so emails Sentient Jet sent to Spam Arrest customers that triggered the verification process. Sentient Jet sends commercial emails, and generally uses its “[email protected]” and “[email protected]” addresses for that purpose. ... Although a jury might conclude that some (perhaps most) of the 600 emails were commercial solicitations, there is almost no evidence from which a jury could conclude that any specific Spam Arrest customer received a commercial solicitation from Spam Arrest.

The only customer-specific evidence is a set of seven declarations from Spam Arrest customers who state that they received unsolicited commercial email from Sentient Jet years ago. None of them can recall the content of the email or produce copies of the email.

He went on in this vein, eventually tossing out the whole case.

From previous orders in the case, it was clear that both parties in the case had already greatly annoyed the judge. Spam Arrest had settled with Replacements the previous week. In the order granting the settlement, the judge said:

By the time Replacements and Spam Arrest resolved their differences, the parties had filed more than 125 pages of briefing on their cross-motions for summary judgment. Spam Arrest apparently believed that it needed more. Once Replacements was no longer part of the case, Spam Arrest filed a motion for leave to file more briefing so that it might explain how Replacements’ departure impacted the case. This would seem to be a tacit admission that Spam Arrest’s original briefing did not adequately highlight the differences between its claims against Sentient Jet and its claims against Replacements. The court disagrees. Supplemental briefing is decidedly unnecessary.

The order further discusses many documents that had been filed under seal, i.e., not part of the public record.

The remaining six motions raise a host of disputes over whether the court should keep under seal unredacted versions of the summary judgment motions themselves and dozens of documents that support them. In considering those disputes, the court begins with its local rules, specifically Local Rule 5(g), which acknowledges the “strong presumption of public access to the court’s files.” ... Because filing anything under seal is disfavored, the rules require the parties to meet and confer to “explore all alternatives to filing a document under seal.” ... In particular, the rules require parties to “redact[] sensitive information . . . that the court does not need to consider.” Only a party “who cannot avoid filing a document under seal” should attempt to do so. ... A party must “minimize the number of documents it files under seal and the length of each document it files under seal.” ... Only in “rare circumstances” should a party file an entire motion under seal. [citations elided]

Noting that there were over 30 documents under seal, he said:

First, the parties sealed many documents because they include email addresses or other identifying information for Spam Arrest customers and (less frequently) other third parties. Spam Arrest’s desire to redact its customers’ email addresses is understandable; it can hardly purport to protect its customers from spam while publicizing their email addresses. What is not understandable is why the parties believe that the unredacted email addresses are of any value to the court. Every Spam Arrest customer has a unique identification number. With one exception (Dkt. # 43), every document the parties have filed that contains a customer’s email address either contains identification numbers (permitting the court to identify individual customers in documents that aggregate data on hundreds of customers) or is a document in which the email address makes no difference whatsoever. The parties were either aware or should have been aware that the email addresses would play no part at all in the court’s consideration of these motions. There was thus no need to file unredacted versions of those documents under seal, and the parties violated [a court rule] by doing so. The same is true of an exhibit with a redacted credit card number, accompanied by a sealed exhibit revealing the credit card number. The credit card number is not useful to the court; the parties should have simply redacted it without burdening the court with another sealed document. The duty to minimize the number of documents filed under seal carries with it the duty to exercise judgment about redacting extraneous information. The parties too frequently abandoned that duty.

Second, Spam Arrest has taken frivolous positions with respect to some documents. In several instances, Spam Arrest either filed a document under seal or required Sentient Jet to file a document under seal only to later concede that there was no basis to seal the document. In one instance, Spam Arrest took the position that it could seal the names of customers providing declarations on its behalf. Spam Arrest did not explain how it could hide the names of its witnesses from the public. Later, it filed the same declarations publicly, redacting only email addresses.

Third, Spam Arrest takes the position that virtually every piece of data about its business is confidential, while offering little or no evidence to support that position. That “confidential” data includes, but is not limited to, the following: the number of Spam Arrest customers at various times, the number of customers who have left Spam Arrest at various times, Spam Arrest’s profits and losses, Spam Arrest’s aggregate revenue and revenue per customer, Spam Arrest’s calculations of “downstream revenue” for its customers, Spam Arrest’s advertising expenditures, and how much Spam Arrest charges its customers.

Although Spam Arrest insists that this information is confidential, it has not provided a shred of evidence from any person at Spam Arrest who can explain why the data is confidential. Instead, Spam Arrest relies on cursory declarations from its counsel. These are wholly insufficient.

If I were a plaintiff or a plaintiff’s lawyer, I would not want a judge saying things like this about me. The judge subsequently told the parties to refile nearly all of the sealed documents with the private parts redacted like they should have in the first place.

A different legal approach I might have tried here in New York would be to have the clickwrap language state that the recipient wants no commercial mail, that the recipient opts out of any advertisements that might have triggered the C/R, and that commercial mail will only be accepted if the recipient specifically reverses the opt-out subsequent to the C/R interaction. Then if they send more ads, it’s a CAN SPAM violation for failure to honor an opt out. That avoids the contract issue, since CAN SPAM isn’t about contracts.

But this case was in Seattle, the same court where the infamous Gordon vs. Virtumundo CAN SPAM case was litigated, and the precedent from that case is that a recipient only has standing under CAN SPAM if it can show damages from the specific spams being litigated. That’s close to impossible, since the damage from spam is its cumulative volume, with individual spams having only a tiny cost. Spam Arrest’s lawyer surely is aware of all this, since he was Virtumundo’s lawyer in that case. So for anyone on the west coast (the decision was confirmed by the Ninth Circuit) CAN SPAM is out, too.

I could imagine that a better case might have had some chance of success, first building software that kept good records to support the legal claims, limiting the claims to ones that the plaintiff could clearly prove, providing a concise set of documents that the judge could deal with easily, and not getting greedy, making the per message penalty small enough that it could have some plausible connection to what it might cost to deal with spam. But this wasn’t it. As Prof. Goldman noted in his analysis, you can’t win cases like this just by showing up.

By John Levine, Author, Consultant & Speaker
