Spam- Anne Mitchell Clarifies The McCain Amendment


Question? What is the McCain Amendment as it relates to CAN-SPAM?
Level: Advanced

This is a tough one so I tracked down a real expert- Anne Mitchell, Esq., CEO of the Institute for Spam and Internet Public Policy, and a Professor of Law in California for the answer.

This interview is an attempt to try to clarify the news I reported here earlier coming out of report on the lawsuit that went all the way up and down the chain.

It wasn't easy catching her as she was busy preparing for a workshop, but I think we have some solid answers for readers. (And thanks Anne for taking the time!) So to recap we're talking about the recent announcement by the Federal Trade Commission and California Attorney General Bill Lockyer that they have settled a lawsuit in which they went after a spammer both for the spam they sent, and for the spam which their affiliates sent. Let's dive in!

Wayne: Anne, the burning question here is how is it possible that they went after the vendor and affiliates as well?

Anne: I'm really glad that you asked that Wayne. When CAN-SPAM was passed, there was a lot of gnashing of teeth and wiping of eyes as people decried it to be the U-CAN-SPAM Act, and said that it was a worse than useless law. Unfortunately, what *nobody* seemed to be aware of - and even though we mentioned it in every press interview the press never picked up on it (perhaps because they didn't realize how big it was) - was this little section of CAN-SPAM which we refer to affectionately as "The McCain Amendment". This section of CAN-SPAM, which I call the "vendor liability" section, basically says that if you stand to benefit from the spam, *even if you don't send* the spam, you are on the hook legally just as much as if you *had* been the one who
pushed 'send'.

Wayne: Good- no more using affiliate mules I hope. So we go to the top of the money chain. OK the ramifications of this are potentially huge. I find it hard to believe most people didn'tknow about this?

Anne: Well, as I said, the press didn't seem to really understand what an incredible tool this was for anti-spam enforcement, and the people who were slamming CAN-SPAM were so upset over it being an opt-out law instead of opt-in law that they weren't really interested in looking for any Easter eggs, so to speak.

Now, I happen to know that Senator McCain's office, as they were contemplating introducing this amendment to the bill which eventually became CAN-SPAM, specifically wanted to take aim at those vendors who either used affiliates to do their spamming, or who turned a blind eye to spamming affiliates.

Wayne: I have seen the myopia some merchants display. But how do you know that for sure?

Anne: Because they called me when they first were contemplating the amendment, and asked me how best they could do that, and in fact I helped to author the McCain amendment.

Wayne: Very cool. Authoring amendents is beyond me- so how does it actually work?

Anne: It's pretty simple. We distinguish between "senders" (those who hit 'send' and inject the spam into the Internet stream) and "vendors" (those whose wares are being advertised in the spam or who otherwise benefit from the spam payload). Now, often the sender and the vendor are one and the same. But often they are two different entities. And in those cases, prior to the McCain amendment, the vendor was able to say "hey, it wasn't me who sent it. You're barking up the wrong tree. Now go away." And that would often be the end of it, primarily because the sender was so well hidden, or when they could be traced they were in another country, beyond U.S. jurisdiction.

Vendor liability addresses all of these problems in one fell swoop. No longer can the vendor who utilizes spam hide behind their affiliates or hired spam guns. And it's easy as anything to find the vendor because hey, they want you to give them money. And in order to give them money, you have to be able to find them. And because you are giving them money, that almost always means that they have a connection - their bank or credit card processor or such - to the United States, even if they themselves are hiding offshore. Which means that jurisdiction is no longer a problem.

Wayne: I always love the money trail. OK so the burning question I am sure on people's mind will be: "What about the legitimate businesses who truly don't knowthat they may have a rogue affiliate, or that the marketing expert they engaged to do their email campaign is actually spamming or using the services of a spammer? It's easy enough to imagine this could hurt legitimate business people who accidentally or innocently fall in with the wrong crowd.

Anne: The standard for nailing someone under the McCain Amendment is that they either knew or should have known that they were benefitting from spamming activity. It's not rocket science. When you are in business, you have to do reasonable due diligence for all sorts of things, and to whom you give your email campaign for sending is no exception.

The exact language from the law is that the vendor:

1) knows, or should have known in the ordinary course of that person's
trade or business, that the goods, products, property, or services
sold, offered for sale, leased or offered for lease, or otherwise made
available through that trade or business were being promoted in such a

(2) received or expected to receive an economic benefit from such
promotion; and

(3) took no reasonable action -

(A) to prevent the transmission; or

(B) to detect the transmission and report it to the Commission.

Wayne: Good! Sounds like this could be the beginning of a real tool for reform.

Anne: Yes, unfortunately, in their infinite wisdom, as the legislature was finalizing CAN-SPAM, they reserved the power to enforce the McCain amendment (which is, by the way, in the actual code is called "SECTION 6. BUSINESSES KNOWINGLY PROMOTED BY ELECTRONIC MAIL WITH FALSE OR MISLEADING TRANSMISSION INFORMATION", or just "Section 6") to just the Federal Trade Commission, meaning that even though state attorneys general and even ISPs are empowered to bring a lawsuit under CAN-SPAM, only the FTC can bring a vendor liability action under Section 6. But, as has been demonstrated by this announcement, states and the FTC are very cooperative in this regard, and if a state attorney general, or even a larger ISP, felt they had a case under Section 6, the FTC would certainly want to hear about it.

Wayne: Anne, this is great stuff. Thank you so much for explaining it to me and the folks here and taking time out of your busy schedule!

Anne: You're welcome!

Author Postscript: I forgot to ask Anne if this applied to SPIM (spam sent through IM) but perhaps when she is done workshopping I can get some more intel. I can also hope this type of bite gets put into something to contain unruly "adware" vendors who continually claim to be "victims".

About this Entry

This page contains a single entry by published on April 18, 2006 7:03 PM.

Yapbrowser...Not Something You'd Want to Plugin To! was the previous entry in this blog.

Facetime Security Lab Researchers Net Two Microsoft MVP Security Awards is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.