In Virginia, Ohio, and Maryland, Kingpin Spammers Go to the Slammer:
State Laws Rightly Criminalize Fraudulent Bulk Spamming

By ANITA RAMASASTRY

Wednesday, Dec. 15, 2004

According to a recent report from an Internet security firm, in September 2004, a whopping 82% of inbound email messages to consumers consisted of spam. Does the sheer volume of spam mean it is impossible to stop?

The answer is potentially no. According to one spam watchdog group, Spamhaus, only 200 spam operators are responsible for 80 percent of the spam received by internet users in North America and Europe - and it is well-known exactly who these "spam kingpins" are. Shutting these operators down, then, should drastically reduce the spam clogging our inboxes.

Some states have gotten serious about these spam kingpins - passing laws that provide for criminal penalties for fraudulent spam.

Three States Now Have Anti-Spam Laws, But All Fifty Should Adopt Them

Virginia was the first state to enact such a law. Maryland followed with its own anti-spam law. And just last month, Virginia successfully prosecuted a kingpin spammer. And now, Ohio State legislators have passed a similar bill, which Ohio's Governor is expected to sign soon.

Meanwhile, the federal government, in 2003, passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (known as the CAN-SPAM Act).

Like the Virginia and Maryland laws, the Ohio law will provide stiff criminal penalties for sending certain types of false and deceptive commercial email. Only fraudulent, deceitful spammers will be targeted. And only advertisements, as opposed to political or charitable speech, will come under the statute's reach.

These limitations ought to defeat any First Amendment challenges to the Ohio law: After all, the power to outlaw fraudulent and false speech has long been viewed as consistent with the First Amendment, and to some extent, commercial speech receives less First Amendment protection than political speech.

Under the law, Ohio's Attorney General will be given the power to file both criminal and civil charges against these spammers. Criminal penalties will include a minimum of six months in jail.

Civil penalties can consist of the actual damages caused by the spam - which, if the spam aids identity theft or another crime, could be very large. Alternatively, civil penalties can simply consist of $25,000 per violation, or $2-$8 for each offending email. Forfeiture of assets - for instance, computer equipment used to send the spam -- is also a possible penalty. Internet Service Providers also have the ability to bring suit.

Other states should enact similar legislation; otherwise, spammers - or their Internet Service Providers - may simply opt to locate in the states without such laws, and then try to evade prosecution. Individual states can't do this alone. Nor can the federal government: As I noted in an earlier column, the federal law is unlikely to truly put a dent in spam. Decreasing spam requires multi-faceted approaches

The Proposed Ohio Law: Supplementing and Coexisting With CAN-SPAM

The stated goals of the Ohio legislation are as follows: to "prohibit a person from transmitting multiple commercial electronic mail messages, falsifying routing information in those messages, falsifying registration information for multiple electronic mail accounts, or falsifying the right to use five or more internet protocol addresses, and to prohibit unauthorized access to a computer to transmit multiple commercial electronic mail messages."

The Ohio law was crafted so as not to conflict with the federal CAN-SPAM Act, but rather to add to it. Accordingly, under the doctrine of federal preemption, both laws ought to co-exist. (The federal preemption doctrine says that federal law, deemed supreme under the Constitution's Supremacy Clause, trumps conflicting state law.)

Indeed, CAN-SPAM itself made clear that it did not preempt state spam laws as they relate to falsity or deception in email advertisements. Thus, any state can opt to pass a law like Ohio's and, as I have argued above, ideally all fifty ought to.

Virginia's Anti-Spam Law: Why It Potentially Has Huge Reach

As noted above, Virginia has initiated a prosecution under its law. Under the Virginia law - which again, is similar to those in Maryland and Ohio, spam that fits the law's constraints is criminal. To come within the law, however, the e-mail must be unsolicited, and must contain false information as to its origin or transmission.

The sending of such email is initially punishable as a class 1 misdemeanor. But it can also rise to the level of a class 6 felony -- punishable by a one- to five-year prison sentence, a fine of up to $2,500, or both -- if any one of the following conditions applies: The volume of spam transmitted exceeds 10,000 in any 24-hour time period, 100,000 in any 30-day time period, or one million in any one-year time period; revenue generated from specific spam exceeds $1,000, or total revenue from all spam transmitted to any ISP exceeds $50,000; or the defendant knowingly hires, employs, uses or permits any minor to assist in the transition of spam.

The e-mail at issue must be sent to, from, or through a computer or computer network located in Virginia. Importantly, routing email through Virginia is enough: Even an out-of-state spammer sending to out-of-state recipients can be prosecuted if the email is routed through Virginia. That means the law has potentially wide reach: Reportedly, more than half of the world's e-mail flows through Virginia, which is home to America Online and numerous federal agencies.

Will State Anti-Spam Laws Work? Targeting Spam Kingpins in Virginia

In December 2003, Virginia's Attorney General filed charges against North Carolina resident Jeremy Jaynes, a/k/a "Gaven Stubberfield," for allegedly using fraudulent means to send unsolicited bulk e-mail. According to Spamhaus, "Stubberfield" is well-known for sending pornographic and "get rich quick" offers via email; in November 2003, he was ranked as number 8 on the group's top 10 spammers list.

The Virginia indictment alleged that Jaynes sent, through Virginia servers, more than 10,000 e-mails a day during three days in July and August 2003 - and more than 100,000 emails over a 30-day period. Jaynes allegedly got his recipients' email addresses from sources such as stolen America Online and eBay databases or lists.

Among the products Jaynes hawked were software promising to clean computers of sensitive information; a service for picking penny stocks in which to invest; and a "FedEx refund processor" that promised $75-an-hour work but, according to state prosecutors, did little more than give buyers access to a website that listed delinquent FedEx accounts.

Prosecutors claimed that the emails not only contained deceptive or false offers, but also bogus contact information and company names, falsified routing information within message headers, and phony domain names.

In a typical month, prosecutors said, Jaynes received 10,000 to 17,000 credit card orders, -- about one for every 30,000 e-mails he sent. On each order, he was believed to earn about $40. On the whole, Jaynes allegedly made $400,000 to $750,000 a month, while only spending perhaps $50,000 on bandwidth and other overhead. Prosecutors believe Jaynes had a net worth of up to $24 million.

In November of this year, a Virginia jury recommended a nine-year prison term for Jaynes. Sentencing is set for February, before Virginia Circuit Court Judge Thomas Horne. Horne could reduce the recommended sentence, or he may follow the jury's recommendation; he cannot increase the penalties, however, beyond what the jury recommended.

Meanwhile, Jaynes' sister, Jessica DeGroot, was convicted of identical charges but given no jail time; she was fine $7,500. A third defendant, Richard Rutkowski, 30, was acquitted.

Jaynes and DeGroot are expected to appeal their convictions.

Virginia's Latest Prosecution: Allegations of False Human Growth Hormone Claims

More recently, Virginia's Attorney General indicated a Texas woman for allegedly violating the anti-spam law. Jennifer Murray of Fort Worth faces five felony charges, each one carrying a maximum penalty of five years in prison.

The indictment alleges that, between October 2003 and February 15, 2004, Murray sent false bulk emails through Virginia servers. Specifically, she is accused of sending more than 10,000 illegal e-mails during a 24-hour period on each of four days within that period. Like Jaynes, Murray is accused of falsifying or forging e-mail transmission or other routing information. Due to the purported volume of her email traffic, prosecutors have charged her with a felony.

According to prosecutors, Murray's bulk emails promoted Human Growth Hormones ("HGH"), claiming they would increase sexual potency and vigor by up to 75%; promote body fat loss up to 82%; increase wrinkle reduction up to 61%; boost energy level up to 84%; improve memory up to 62%; and build muscle strength up to 88%. Prosecutors say these claims, too, were false.

Recent Maryland Court Ruling Troublesome but not Fatal

Although Maryland now has robust criminal penalties in place for deceptive spamming, its previous anti-spam consumer statute is currently under attack. On December 9, a Maryland state judge ruled that Maryland's 2002 Commercial Email Act is unconstitutional because it seeks to regulate commerce outside the state. Maryland's Commercial Email Act permits individual consumers to sue spammers who send fraudulent or deceptive email messages.

The Maryland court's ruling dismissed a lawsuit brought against a New York e-mail marketer by a George Washington University law student. The student set up a Maryland corporation for the purpose of fighting spammers.

The Maryland law applies to e-mail sent to or from Maryland residents. The statute is more vague about the actual location of the resident. This potentially affects businesses who send e-mail to people who live in Maryland, but who receive it elsewhere.

According to news reports, in the case in question the email sender was in New York, the recipient was in Washington and the Internet service provider was in Virginia. Maryland's Attorney General admits that whether the Maryland law applies in that case "is a real question."

The judge concluded that the law unconstitutionally attempts to regulate commerce that may never enter Maryland.

This recent ruling may seem troublesome but similar challenges have been overturned on appeal. The Washington State Supreme Court and a California appellate court previously upheld state laws that had been declared unconstitutional by lower courts on grounds similar to the Maryland ruling.

Maryland's law is modeled after the Washington state law and thus should be upheld if challenged.

More States Should Follow Virginia's Lead to Go After False, Harmful Spam

Virginia's successful prosecution is an important first step in state enforcement actions against spammers. Ohio and Maryland should be lauded for following Virginias' lead.

But if other states do not enact similar legislation, the states that have done so may be thwarted - for spammers can still proceed if they make sure they use out-of-state servers, and do not route their email through states with anti-spam laws. Truly protecting emailers requires a multi-state solution. Even then, spammers may go offshore to evade detection - but spamming will be that much harder to accomplish, as it ought to be.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology.

FindLaw Career Center

    Select a Job Title


      Post a Job  |  Careers Home

    View More