The Law of Spam Harvesting
Many jurisdictions have criminalized the harvesting of email addresses from websites. While the exact law that applies to you will vary from jurisdiction to jurisdiction, any harvester runs the risk of serious legal liability for plying their trade.
For example, in the United States the CAN-SPAM Act regulates the sending of unsolicited commercial email messages. While CAN-SPAM has been criticized as generally weak on spammers, one area where it is clear is in the prohibition against harvesting. Specifically, the law defines every message sent to a harvested address as "spam" and imposes potential liability on the sender. This is regardless of whether the sender complies with the law's other requirements. In other words, including an opt-out link and following the Act's notice regulations is not enough to spare bulk mailers sending to harvested addresses from liability.
The implication of this is not only important for harvesters, it is also important for legitimate bulk email senders who do not sufficiently check their mailing lists for harvested addresses. These bulk senders may face liability under the law even if they are not themselves harvesting addresses.
Project Honey Pot is important because it is the first effort to identify harvesters and tag mailing lists with addresses that reveal their true, illegal origin. The addresses our honey pots distribute act like land mines on spammers mailing lists, not only tracking them back to their original source, but also identifying the senders who are directly or indirectly furthering the spam problem.
For more information, see the relevant portions of the CAN-SPAM Act below. It should also be noted that our honey pots are created in such a way that they may, given the notice text they contain, also give rise to a contractual private right of action under which individuals may be able prosecute spammers.
CAN-SPAM Act of 2003
SEC. 4. PROHIBITION AGAINST PREDATORY AND ABUSIVE COMMERCIAL E-MAIL.
- (b) UNITED STATES SENTENCING COMMISSION —
- (1) DIRECTIVE — Pursuant to its authority under section 994(p) of title 28, United States Code, and in accordance with this section, the United States Sentencing Commission shall review and, as appropriate, amend the sentencing guidelines and policy statements to provide appropriate penalties for violations of section 1037 of title 18, United States Code, as added by this section, and other offenses that may be facilitated by the sending of large quantities of unsolicited electronic mail.
- (2) REQUIREMENTS — In carrying out this subsection, the Sentencing Commission shall consider providing sentencing enhancements for —
- (A) those convicted under section 1037 of title 18, United States Code, who —
- (i) obtained electronic mail addresses through improper means, including —
- (I) harvesting electronic mail addresses of the users of a website, proprietary service, or other online public forum operated by another person, without the authorization of such person; and
- (II) randomly generating electronic mail addresses by computer; or
SEC. 5. OTHER PROTECTIONS FOR USERS OF COMMERCIAL ELECTRONIC MAIL.
- (b) Aggravated Violations Relating to Commercial Electronic Mail —
- (1) Address harvesting and dictionary attacks —
- (A) IN GENERAL — It is unlawful for any person to initiate the transmission, to a protected computer, of a commercial electronic mail message that is unlawful under subsection (a), or to assist in the origination of such message through the provision or selection of addresses to which the message will be transmitted, if such person had actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that —
- (i) the electronic mail address of the recipient was obtained using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages; or
- (ii) the electronic mail address of the recipient was obtained using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.
- (B) DISCLAIMER — Nothing in this paragraph creates an ownership or proprietary interest in such electronic mail addresses.
- (2) AUTOMATED CREATION OF MULTIPLE ELECTRONIC MAIL ACCOUNTS — It is unlawful for any person to use scripts or other automated means to register for multiple electronic mail accounts or online user accounts from which to transmit to a protected computer, or enable another person to transmit to a protected computer, a commercial electronic mail message that is unlawful under subsection (a).
- (3) RELAY OR RETRANSMISSION THROUGH UNAUTHORIZED ACCESS — It is unlawful for any person knowingly to relay or retransmit a commercial electronic mail message that is unlawful under subsection (a) from a protected computer or computer network that such person has accessed without authorization.
SEC. 7. ENFORCEMENT GENERALLY.
- (g) Action by Provider of Internet Access Service —
- (1) ACTION AUTHORIZED — A provider of Internet access service adversely affected by a violation of section 5(a)(1), 5(b), or 5(d), or a pattern or practice that violates paragraph (2), (3), (4), or (5) of section 5(a), may bring a civil action in any district court of the United States with jurisdiction over the defendant —
- (A) to enjoin further violation by the defendant; or
- (B) to recover damages in an amount equal to the greater of —
- (i) actual monetary loss incurred by the provider of Internet access service as a result of such violation; or
- (ii) the amount determined under paragraph (3).
- (2) SPECIAL DEFINITION OF `PROCURE' — In any action brought under paragraph (1), this Act shall be applied as if the definition of the term `procure' in section 3(12) contained, after `behalf' the words `with actual knowledge, or by consciously avoiding knowing, whether such person is engaging, or will engage, in a pattern or practice that violates this Act'.
- (3) STATUTORY DAMAGES —
- (A) IN GENERAL — For purposes of paragraph (1)(B)(ii), the amount determined under this paragraph is the amount calculated by multiplying the number of violations (with each separately addressed unlawful message that is transmitted or attempted to be transmitted over the facilities of the provider of Internet access service, or that is transmitted or attempted to be transmitted to an electronic mail address obtained from the provider of Internet access service in violation of section 5(b)(1)(A)(i), treated as a separate violation) by —
- (i) up to $100, in the case of a violation of section 5(a)(1); or
- (ii) up to $25, in the case of any other violation of section 5.
- (B) LIMITATION — For any violation of section 5 (other than section 5(a)(1)), the amount determined under subparagraph (A) may not exceed $1,000,000.
- (C) AGGRAVATED DAMAGES — The court may increase a damage award to an amount equal to not more than three times the amount otherwise available under this paragraph if —
- (i) the court determines that the defendant committed the violation willfully and knowingly; or
- (ii) the defendant's unlawful activity included one or more of the aggravated violations set forth in section 5(b).
- (D) REDUCTION OF DAMAGES — In assessing damages under subparagraph (A), the court may consider whether —
- (i) the defendant has established and implemented, with due care, commercially reasonable practices and procedures designed to effectively prevent such violations; or
- (ii) the violation occurred despite commercially reasonable efforts to maintain compliance with the practices and procedures to which reference is made in clause (i).
- (4) ATTORNEY FEES — In any action brought pursuant to paragraph (1), the court may, in its discretion, require an undertaking for the payment of the costs of such action, and assess reasonable costs, including reasonable attorneys' fees, against any party.