Mark Grossman

Spam and Privacy

27 May 1999

co-authored by Brian Nelson

How does your private information get collected online and where does it go? One place it goes is called "spam"--the unsolicited mailing of bulk e-mail over the Internet.

Spam fills your e-mail box and clogs up network traffic. Current law gives you little protection from the deluge.

Have Your Spam

The name "spam" actually comes from the infamous mass-produced meat in a can. Hormel Foods unsuccessfully tried to stop this disparaging use of the name.

You can divide spam (that's Internet spam) into three basic types, with a single spam often falling into more than one category. First, you have your basic fraudulent offers, such as get-rich-quick pyramid schemes. Next, you have the hijacking of servers to "spoof" message headers (this uses software to make e-mail messages look like they came from another person, so you can't even request to be removed from the spammer's distribution list). Finally, you have your lovely junk mail that involves unsolicited advertising.

Variations on Spam

Some private information is gathered overtly, such as in questionnaires and registration forms on websites. Other information is gathered covertly. Your preferences can be tracked throughout a website or a series of sites.

Much of the information gathered on the Net isn't really that juicy. Sites track traffic and hits so that they can sell advertisers the promise of exposure. Still, as more information is personal, and that information is used to compose profiles about you, your right to privacy is at stake. Compounding this risk is that the company that collects your information may share or sell your information to other companies.

Recent events demonstrate that even mass mailings of e-mail by consent can result in problems, and that mixing technology and human error exacerbates these problems. In early April, AT&T mailed discount rate information to 1,800 customers of its Connect 'N Save long distance program. The problem was that every customer ended up receiving all the names on the distribution list in the "to" field of their e-mail message. That's like a major "ouch."

About a week later, Nissan made a similar "technical" error and e-mailed information about its new sport utility vehicle to 24,000 qualified leads. These recipients had submitted their e-mail addresses to get information about the SUV. Again, everyone on the list got a peek at the entire mailing list. As if the privacy violation were not bad enough, Nissan hurt itself by losing its right to protect these sales leads as confidential company information.


To a limited extent, we can deal with spam under some current laws. AOL and others have led the way in trying to limit spam under the laws in place today. However, these laws pre-date the explosive use of the Internet, and they aren't very effective as tools for limiting spam.

In the U.S. Congress, the annual effort to address Internet privacy is on its way. Representative Edward Markey (D-Mass.), the ranking minority member of the House Commerce Committee's Communications Panel, has prepared a bill to grant Web users broad rights to restrict the personal information that websites collect. Under this proposal, website operators would be required to notify visitors about the collection and use of data. Reportedly, Senator Conrad Burns (R-Montana) drafted similar legislation in the Senate.

State legislatures are also debating and adopting laws related to online solicitation and spam. Recently, Virginia's governor signed into law two bills that make unsolicited e-mail a crime under the state's Computer Crimes Act. The new laws allow Virginia to assert jurisdiction over a person who transmits spam through a Virginia Internet service provider. Spammers are also prohibited from falsifying e-mail transmission information or other routing information. Violators could be subject to civil damages, including the lesser of $10 per message or $25,000 per day.


Some argue that government regulation of spam would be counter-productive. Instead, they advocate for a system of self-regulation.

If you want to be part of the self-regulation movement and you control a website, you should develop and post a Privacy and E-mail Policy. This should state the type of information you collect, how you store the data, and what you do with the information. It should also provide a mechanism to allow users to notify you of their request to restrict your collection or use of their personal data. You should also designate an employee to monitor the implementation of the policy.

In the move toward self-regulation, some online watchdogs have developed as well. Organizations such as BBBOnline and Truste allow companies to post a "seal of approval" on the companies' websites, provided that the companies meet certain minimum qualifications, including privacy standards. If a website that displays the seal violates the privacy policy, it's subject to audits, revocation of the right to use the seal, and even referral to the Federal Trade Commission.

Then there are the "spammers." Most are fly-by-nighters trying to take advantage of technology that advances faster than the law. Other spammers argue that the First Amendment of the U.S. Constitution protects their rights to free speech.

This position is strongest when they send e-mail with the recipient's prior consent. It's not quite as legitimate where the mail is unsolicited "junk mail," and it's simply unacceptable when mail contains false advertising, illegal offers, or is delivered by fraudulent means.

The First Amendment argument also misses a long line of pre-Internet cases by the U.S. Supreme Court holding that commercial speech is not as protected as individual free speech. It's difficult to argue that, as a matter of public policy, offering a pyramid sales scheme is the same as speaking out about politics.

The spammers' use of new technologies raises other interesting legal issues related to the protection of privacy. Spammers typically target large Internet Service Providers (ISPs). In response, ISPs use filtering software on their servers to try to recognize bulk e-mails as they arrive. In a technological game of cat and mouse, the spammers often develop new techniques to overcome the ISPs' filtering systems.

If ISPs automatically search for spam and discard the messages before they are forwarded to the subscriber, is there an invasion of privacy? How does the ISP define "spam"? Does it matter whether there is a computer scanning headers and messages versus a person reading each incoming message?

New Packaging

Campaigns based on targeted e-mails by consent are the safest programs for the online advertiser. They lower your legal risks and often result in fewer complaints. They also may result in better response rates.

The strongest objections to spam and data collection arise when people don't know that the information they share can be stored and shared with others. Without their knowledge, their actions online are tracked and become part of large databases. At least, the law could require that people be notified of data collection.

For now, unless the website states otherwise, or the laws substantially change, you bear most of the risks when you share information online. As to fraudulent offers and spoofing, these solicitors should be stopped and punished.

Lack of privacy is probably creating barriers to more Net-commerce. The Internet is inherently interactive, and it's only logical that companies want to take a proactive approach to communicating with customers. If your company is online, maintaining and implementing a clear Privacy and E-mail Policy can be the first step in the right direction.

Spam and Privacy is republished from