Zoobuh v. Better Broadcasting et al
Filing
48
MEMORANDUM DECISION AND ORDER granting 40 Motion for Standing and Damages; granting 28 Motion for Default Judgment. Signed by Judge David Nuffer on 5/31/13 (alt)
UNITED STATES DISTRICT COURT
DISTRICT OF UTAH, CENTRAL DIVISION
ZOOBUH, INC., a Utah Corporation,
MEMORANDUM DECISION
AND ORDER GRANTING
DEFAULT JUDGMENT
Plaintiff,
vs.
BETTER BROADCASTING, LLC., a Utah
limited liability company; IONO
INTERACTIVE, a company doing business in
Utah; DOES 1-40,
Case No.: 2:11cv00516-DN
District Judge David Nuffer
Defendants.
Introduction
In this action involving unsolicited commercial email communications, commonly
referred to as SPAM, plaintiff, ZooBuh, Inc. moved for default judgment, monetary damages,
and a permanent injunction against defendants, 1 alleged spammers and alter egos, Better
Broadcasting, LLC and IONO Interactive. ZooBuh was represented by Evan A. Schmutz, and
Jordan K. Cameron of the law firm of Hill, Johnson & Schmutz, L.C. located in Provo, Utah.
Statement
The Controlling the Assault of Non-Solicited Pornography and Marketing Act located at
15 U.S.C. §§ 7701-7713 (“CAN-SPAM Act”) was passed into law in 2003. Somewhat of a
misnomer, the CAN-SPAM Act does not govern non-solicited and pornographic emails only, but
rather, in relevant part, prohibits sending any commercial email with header information that is
1
Motion and Memorandum for Entry of Default Judgement, docket no. 28, filed March 1, 2012; Motion to Enter an
Order Re Standing and Damages, docket no. 40, filed June 1, 2012.
materially false or materially misleading, and requires the provision of certain content in the
email bodies.
Plaintiff, ZooBuh, Inc. (“ZooBuh”) was first formed in Utah in 2002 and incorporated in
2007. 2 ZooBuh is an Internet access service which provides email, chat, and blogging services
to approximately 35,000 customers worldwide. 3 ZooBuh provides the service through its own
equipment. 4
Between February 18, 2011 and November 7, 2011, ZooBuh received at least 13,453
commercial emails sent and/or initiated by or on behalf of Better Broadcasting and/or Iono, its
alter ego, 5 in violation of various sections of the CAN-SPAM Act.
On November 10, 2011, ZooBuh filed a First Amended Complaint 6 against the
Defendants seeking statutory damages and a permanent injunction. The Defendants failed to
appear and answer the Complaint. This Court entered a default certificate against the Defendants
on March 7, 2012. 7 In support of ZooBuh’s claims and request for damages, the Court requested
that ZooBuh submit supplemental briefing and evidence on the issues of standing, violations of
the CAN-SPAM Act, and damages. 8
Based on the pleadings and evidence presented to it, the Court finds: 1) that ZooBuh is a
bona fide Internet access service who was, and is continually, adversely affected by its receipt of
SPAM emails, and therefore qualifies for standing as a private plaintiff under the CAN-SPAM
2
Declaration of F. Alan Fullmer (Fullmer Declaration) ¶¶ 2,5, docket no. 43, filed June 1, 2012.
Id. ¶¶ 4, 8.
4
Id. ¶¶ 12-16.
5
Id. ¶ 45.
6
Docket no. 20, filed November 10, 2011.
7
Entry of Default, docket no. 29, filed March 7, 2012.
8
Motion to Enter an Order and Memorandum Re Standing and Damages, docket no. 40, filed June 1, 2012;
Memorandum in Support of Motion to Enter Order and Memorandum Re Standing and Damages, docket no. 41,
filed June 1, 2012.
3
2
Act; 2) that the emails in question contain violations of 15 U.S.C. § 7704(a)(1)(A), 15 U.S.C. §
7704(a)(1)(C), and 15 U.S.C. § 7704(a)(5); 3) that the Defendants engaged in practices in
violation of § 7704(b)(2); 4) that ZooBuh is awarded damages in the amount of $1,608,360 and a
permanent injunction.
Analysis
I.
STANDING
It is well established that “the court sua sponte, can raise the issue of standing for the first
time at any stage of the litigation.” New England Health Care Employees Pension Fund v.
Woodruff, 512 F.3d 1283, 1288 (10th Cir. 2008) (citing Rector v. City and County of Denver,
348 F.3d 935, 942 (10th Cir.2003)). The CAN-SPAM Act dictates that a provider of Internet
access service “adversely affected” by a violation of 15 U.S.C. § 7704(a)(1), (b), or (d), or a
pattern or practice that violates paragraph (2), (3), (4), or (5) of section 7704(a), may bring a civil
action in any district court of the United States with jurisdiction over the defendant to enjoin
further violation by the defendant, or to recover damages. 15 U.S.C. §7706(g)(1). A standing
analysis under the CAN-SPAM Act consists of two parts: (1) whether the plaintiff is a bona fide
Internet access service (see Gordon v. Virtumundo, 575 F.3d 1040, 1050 (9th Cir. 2009) (citing
150 Cong. Rec. E72-02)); and, (2) whether the plaintiff is adversely affected by SPAM emails
(see 15 U.S.C. §7706(g)(1)). Whether a plaintiff has standing is a necessary question that the
Court must answer prior to awarding any damages under the statute.
a. Whether ZooBuh is a Bona Fide Internet Access Service
The CAN-SPAM Act defines Internet access service as “a service that enables users to
access content, information, electronic mail, or other services offered over the Internet, and may
also include access to proprietary content, information, and other services as part of a package of
3
services offered to consumers. Such term does not include telecommunications services.”
15 U.S.C. § 7702(11); 47 U.S.C. § 231(e)(4). The Ninth Circuit suggested that standing be
limited to “bona fide” Internet access services, which is defined in the Congressional Record.
“[W]e intend that Internet access service providers provide actual Internet access service to
customers.” See Gordon, 575 F.3d 1040, 1050 (9th Cir. 2009) (citing 150 Cong. Rec. E72-02).
The Ninth Circuit also suggested that there exists an ownership and control counterpart to being
a bona fide Internet access service. See Gordon, 575 F.3d at 1052. Gordon held that the plaintiff
did not qualify as an Internet access service despite providing email accounts because
Gordon [was] a registrant of a domain name, which he, through Omni, hosts on
leased server space. He neither ha[d] physical control over nor access to the hardware,
which GoDaddy own[ed], house[d], maintain[ed], and configure[d] . . . . Gordon’s
service appears to be limited to using his “Plesk” control panel, which he accesses via an
ordinary Internet connection through an ISP, to set up e-mail accounts and log-in
passwords and to execute other administrative tasks. Verizon enables his online access.
GoDaddy provides the service that enables ordinary consumers to create e-mail accounts,
register domain names, and build personalized web pages. Gordon has simply utilized
that service for himself and on behalf of others. Id.
Courts have extended the definition of Internet Access Services to “include[ ] traditional [ISPs],
any email provider, and even most website owners.” MySpace, Inc. v. The Globe.com, Inc., No.
06-3391, 2007 WL 1686966, at *3 (C.D. Cal. Feb.27, 2007) see also Facebook, Inc. v. ConnectU
LLC, 489 F.Supp.2d 1087, 1094 (N.D. Cal.2007).
The Plaintiff, ZooBuh, offers email services, blog hosting, and chat services to its
customers. 9 ZooBuh has customers in all 50 states and in 27 different countries. 10 ZooBuh is
widely recognized as a legitimate email provider and has been featured in various publications. 11
Unlike the Plaintiff in Gordon, ZooBuh owns, maintains and configures all the servers, routers,
and switches on its network through which it hosts and provides its internet access services to its
9
Fullmer Declaration ¶ 4.
Id. ¶ 7.
11
Id. ¶ 6.
10
4
customers. Every ZooBuh email account is registered, hosted and serviced through ZooBuh’s
own hardware. ZooBuh has sole ownership of all the hardware, complete and uninhibited access
to the hardware, and sole physical control over the hardware. ZooBuh also provides each of its
customers with their own web-based email portal (which ZooBuh designed, configured, and
maintains) through which the ZooBuh customers access their selected web-based services (i.e.,
email, blogs, chat.). 12 Accordingly, ZooBuh is a bona fide Internet access service and satisfies
the first part of the standing test under the CAN-SPAM Act.
b. Whether ZooBuh Is Adversely Affected by SPAM
The harm suffered by an Internet access service in order to establish standing under the
“adversely affected” part of the CAN-SPAM Act “need not be significant in the sense that it is
grave or serious, [but] the harm must be of significance to a bona fide IAS [internet access
service] provider--something beyond the mere annoyance of spam . . . .” Gordon, 575 F.3d at
1053-54. In most cases, evidence of some combination of operational or technical impairments
and related financial costs attributable to unwanted commercial e-mail suffice. See id. at 1054.
Such impairments “include, but are not limited to, network crashes, higher bandwidth utilization,
and increased costs for hardware and software upgrades, network expansion and additional
personnel.” Id. at 1053 (internal citations omitted). The CAN-SPAM Act does not require that a
plaintiff prove that the emails at issue adversely affect the plaintiff, rather, that “[t]he e-mails at
issue in a particular case . . . contribute to a larger, collective spam problem.” See Gordon, 575
P.3d at 1054.
In Facebook v. Power Ventures, Inc., the Northern District of California provided a very
helpful analysis of the “adversely affected” requirement for standing. 844 F. Supp. 2d 1025
(N.D. Cal. 2012). There, the court determined that Facebook’s receipt and analysis of
12
Id. ¶¶ 12-16.
5
approximately 60,000 messages constituted an adverse effect. Id. at 1032. At the time,
Facebook’s network consisted of 901 million users and Facebook had over 3,000 employees.
See Facebook “Talking About It.” 13 The harm suffered by Facebook with respect to the emails
in question was attributable to Facebook’s having to spend time and effort to determine the
source of the emails, and taking steps to stop the emails. Power Ventures 844 F. Supp. 2d at
1031-32. In that case, the court held that Facebook did demonstrate an adverse effect, and that
such was especially true because there were a documented 60,000 messages, and “the costs of
responding to such a volume of spamming cannot be categorized as ‘negligible.’” Id. at 1032.
In its ordinary course of business, ZooBuh utilizes SpamHaus, Razor, Pyzor and
Spamassassin as a first line of defense for SPAM received on its system. 14 Despite its efforts to
mitigate the harmful effects of SPAM, ZooBuh has experienced hardware crashes, server spikes,
bandwidth spikes, kernel crashes, and customer complaints all as the result of a collective spam
problem of which the emails in question were a part. 15 If not for its continuous receipt of SPAM
email, ZooBuh could successfully service all of its approximately 35,000 customers through four
servers. 16 Instead, ZooBuh has had to double its server capacity, at significant expense, in order
to successfully service its customers. Even with eight servers, ZooBuh consistently deals with
server spikes and crashes, and the servers are constantly pushed to capacity, which significantly
decreases the life span of the servers and is expensive in power consumption. 17 Under these
facts, ZooBuh satisfies the “adversely affected” requirement as stated by the Gordon court.
13
https://www.facebook.com/pages/Talking-About-It/213156018796346?hc_location=timeline (last visited May 31,
2013).
14
Id. ¶ 17.
15
Id. ¶¶ 31-38.
16
Id. ¶ 25..
17
Id. ¶¶ 29-30.
6
ZooBuh’s network consists of approximately 35,000 users, 18 ZooBuh has three
employees, 19 and there are 13,453 emails at issue. 20 Accordingly, the subject emails created a
proportionately greater burden for ZooBuh than the 60,000 emails received by Facebook’s 901
million users and over 3,000 employees. Similar to Facebook, for each email, ZooBuh had to
expend man-hours and work to identify the source, examine the transmission information,
examine and analyze the header information, take efforts to determine how and why the specific
emails were able to circumvent and/or bypass preliminary filtering techniques, and to ultimately
attempt to make the emails stop. ZooBuh efforts to deal with the spam cannot be categorized as
negligible. See Power Ventures, 844 F. Supp. 2d at 1032. Under these facts, ZooBuh satisfies
the “adversely affected” requirement as stated by the Facebook court.
In summary, the harm ZooBuh suffered, and continues to suffer, as the result of its
collective SPAM problem is much more significant than the mere annoyance of having to deal
with SPAM or the process of dealing with SPAM in the ordinary course of business (i.e.,
installing a spam filter to flag and discard spam). The harm ZooBuh suffered, and continues to
suffer, is manifested in financial expense and burden; lost time; lost profitability; decreases in the
life span of ZooBuh’s hardware; server and bandwidth spikes; server crashes; and pre-mature
hardware replacements. ZooBuh is adversely affected by a collective spam problem, which
includes the emails in question, and that the second part of the standing test is satisfied.
Therefore, ZooBuh has standing as defined by the CAN-SPAM Act to assert claims as a private
party plaintiff.
18
Id. ¶ 8.
Id. ¶ 11.
20
Id. ¶ 45.
19
7
II.
ANTI-SPAM LAWS
Section 7704(a)(1) of the CAN-SPAM Act dictates that
It is unlawful for any person to initiate the transmission, to a protected computer, of a
commercial electronic mail message, or a transactional or relationship message, that
contains, or is accompanied by, header information that is materially false or materially
misleading. . . [h]eader information shall be considered materially misleading if it fails to
identify accurately a protected computer used to initiate the message because the person
initiating the message knowingly uses another protected computer to relay or retransmit
the message for purposes of disguising its origin.
15 U.S.C. §§ 7704(a)(1), 7704(a)(1)(C).
Section 7704(a)(1) further dictates that “header information that is technically accurate
but includes an originating electronic mail address, domain name, or Internet Protocol address
the access to which for purposes of initiating the message was obtained by means of false or
fraudulent pretenses or representations shall be considered materially misleading;” 15 U.S.C. §
7704(a)(1)(A). The conduct prohibited by section 7704(a)(1) is referred to in this order as
“Header Violations.”
Section 7704(a)(5) of the CAN-SPAM Act dictates that
It is unlawful for any person to initiate the transmission of any commercial electronic
mail message to a protected computer unless the message provides--(i) clear and
conspicuous identification that the message is an advertisement or solicitation; (ii) clear
and conspicuous notice of the opportunity under paragraph (3) to decline to receive
further commercial electronic mail messages from the sender; and (iii) a valid physical
postal address of the sender.
The conduct prohibited by section 7704(a)(5) is referred to in this order as “Content
Violations.” The CAN-SPAM Act provides statutory damages against parties who engage in a
pattern or practice in violation of § 7704(a)(5). 15 U.S.C. § 7706(g)(1).
a. Whether the Emails Contain Header Violations.
There are several decisions arising out of default judgment and summary judgment
proceedings wherein the courts awarded damages for Header Violations. In those cases, the
8
various courts determined that Header Violations existed where: the emails failed to identify that
they came from the defendant, see Tagged, Inc. v. Does 1 through 10, No. C 09-01713 WHA,
2010 WL 370331 (N.D. Cal. Jan 25, 2010); the emails did not accurately identify any party, see
Facebook v. Wallace, No. C 09-798 JF (RS), 2009 WL 3617789 (N.D. Cal. Oct. 29, 2009); and,
the emails contained inaccurate sender names, see Power Ventures, 844 F. Supp. 2d at 1034-35.
Though these decisions are helpful, they do not provide much analysis. Accordingly, it is helpful
to look outside of CAN-SPAM decisions for direction on the interpretation of the statute.
California Business and Professions Code § 17529.5(a)(2) is substantially similar to
§ 7704(a)(1) of CAN-SPAM in that it prohibits commercial email which “contains or is
accompanied by falsified, misrepresented, or forged header information.” Cal. B&P Code
§ 17529.5(a)(2). Though the language is similar to the CAN-SPAM Act, the California code has
been defined as prohibitive of “deceptive” header information only, thereby creating a more
onerous burden on a plaintiff than the “materially misleading” standard of the CAN-SPAM Act
and thereby avoiding pre-emption by the CAN-SPAM Act. See Hypertouch v. Valueclick, Inc.,
192 Cal. App. 4th 805, 825-830 (2011); Asis Internet Services v. Subscriberbase Inc., No. 0903503 SC, 2010 WL 1267763 (N.D. Cal. Apr. 1, 2010).
In consideration of the California Code’s more onerous burden, the recent California
appellate decision in Balsam v. Trancos is persuasive as to what constitutes a Header Violation
under CAN-SPAM. 138 Cal. Rptr, 3d 108. (Cal. Ct. App. 2012). In Trancos, the plaintiff sued
an email marketer, similar to Defendants in this case, for sending eight commercial email
advertisements on behalf of companies that hired the defendant. Id. at 112. Before sending the
emails, the email marketer privately registered the domains it used to send the emails with a
proxy service. Id. at 112-13. The proxy service, in turn, displayed the proxy service’s contact
9
information on the domain name registration records instead of the defendant’s contact
information. Id. . A recipient seeking to determine who sent the emails could not determine the
sender because the domains were cloaked and a WHOIS look-up would reveal the proxy
service’s contact information and not that of the defendant. Id. at 118-23.
The appellate court applied CAN-SPAM’s definition of header information and, noting
CAN-SPAM’s parallel provision to B&P Code § 17529.5(a)(2), the Court agreed that where the
domain names in the emails did not represent a real company and could not be readily traced
back to the sender, through available public databases such as WHOIS, such constituted
falsification or misrepresentation for purposes of the statute. Id. at 122-23. As to privately
registered domain names, the Court held “where, as in this case, the commercial e-mailer
intentionally uses privately registered domain names in its headers that neither disclose the true
sender’s identity on their face nor permit the recipient to readily identify the sender . . . such
header information is deceptive and does constitute a falsification or misrepresentation of the
sender’s identity,” thereby meeting the more strict standard of the California Code. Id. at 118.
Because the California anti-spam statute has not been preempted, prohibits deception,
and imposes a more onerous burden on a plaintiff than does the CAN-SPAM Act, the Trancos
analysis reasonably extends to the CAN-SPAM Act. Accordingly, where an email contains a
generic “from” name and is sent from a privacy-protected domain name, such that the recipient
cannot identify the sender from the “from” name or the publicly available WHOIS information,
such is “materially misleading” and is a violation of 15 U.S.C. § 7704(a)(1)(C).
In this case 13,333 of the emails contain a generic or nonsensical “from” line that does
not identify any real business or individual. Examples of the “from” lines include: “Accounting
Degree,” “Add a Sunroom,” “Adult Education,” “Air Conditioner,” “Airline Tickets,” “Ink
10
Cartridges,” and “Ultrasound Technician.” 21 Additionally, each of the 13,333 emails originated
from a sender domain that was privacy-protected. 22 Therefore, when a recipient of the email
sought to identify the emailer through the publicly available WHOIS database, the WHOIS
database record displayed the proxy service’s contact information on the domain name
registration records instead of the emailer’s contact information, thereby preventing the recipient
from identifying the emailer. 23 Each of these 13,333 emails violates 15 U.S.C. § 7704(a)(1).
Header Violations under the CAN-SPAM Act are not limited to false or misleading
header information. Under 15 U.S.C. § 7704(a)(1)(A), even header information that is
technically accurate violates the CAN-SPAM Act when the email “includes an originating
electronic mail address, domain name, or Internet Protocol address the access to which for
purposes of initiating the message was obtained by means of false or fraudulent pretenses or
representations.” 15 U.S.C. § 7704(a)(1)(A).
When a party registers a domain name with an ICANN compliant domain registrar, that
registrant enters into a registration agreement with the domain registrar. In most, but not all
cases, the domain registration agreement and the accompanying Terms and Conditions
(collectively “Registration Documents”) prohibit the use of the registered domain to send
unsolicited commercial email or engage in other SPAM practices. 24 Accordingly, in order to
obtain the domains from the registrar, the registrant represents that it does not intend to use, and
will not use, the domains for any purpose prohibited by the Registration Documents. If, as is the
case here, the registrant does intend to use the domains for prohibited purposes, the registrant
21
See list attached as Exhibit C to Fullmer Declaration.
Declaration of Bryceson Ringwood (Ringwood Declaration) ¶ 9, docket no. 42, filed June 1, 2012.
23
See id. ¶¶ 8-9.
24
See eNom Registration Agreement and Abuse Policy, attached as Exhibit E. to Fullmer Declaration; Moniker
Registration Agreement, attached as Exhibit F. to Fullmer Declaration.
22
11
obtained the domains under a false pretense, and the sending of any email in violation of the
Registration Documents violates 15 U.S.C. § 7704(a)(1)(A) on a per email basis.
In this case 13,452 of the emails originated from sender domain names registered with
eNom, Inc. and one email originated from a sender domain registered with Moniker Online
Services, LLC. 25 Each of these registrars requires the party registering the domain to accept its
Registration Documents. The Registration Documents of each registrar contain a provision
whereby the registrant indicates that they will not use the domain name for purposes of sending
unlawful commercial email or SPAM. Accordingly, in order to obtain the domain names used to
send the emails in question, the Defendants represented to the domain registrars that the domain
names would not be used for SPAM purposes. However, the domain names were intended to be
used, and were used, for SPAM purposes. Consequently, the Defendants obtained the sender
domains, from which they sent 13,452 emails, under false and fraudulent pretenses in violation
of § 7704(a)(1)(A).
b. Whether the Emails Contain Content Violations.
The CAN-SPAM Act requires that any commercial electronic mail message provide (i)
clear and conspicuous identification that the message is an advertisement or solicitation; (ii) clear
and conspicuous notice of the opportunity to decline to receive further commercial electronic
mail messages from the sender; and (iii) a valid physical postal address of the sender. 15 U.S.C.
§ 7704(a)(5) (collectively “Required Content”).
A determination of whether an email contains a Content Violation turns on the
interpretation of the term “clear and conspicuous.” In a commercial communication through an
electronic medium “clear and conspicuous” is defined as follows: the “disclosure must be
unavoidable . . . [and] [a]ny visual message shall be of a size and shade, with a degree of contrast
25
Ringwood Declaration ¶ 10.
12
to the background against which it appears, and shall appear on the screen for a duration and in a
location sufficiently noticeable for an ordinary consumer to read and comprehend it.” F.T.C. v.
Affiliate Strategies, Inc., No. 5:09-CV-04104-JAR-KGS, 2011 WL 3300097, *2 (D. Kan.Aug. 1,
2011).
The question presented to the Court in this case is whether Required Content provided in
the emails through a remotely hosted image is clearly and conspicuously displayed. This Court
determines that it is not.
The body of an email message can be drafted as text only, HTML, or both by using the
MIME protocol. 26 Text emails are “plain text,” which means there is no formatting, such as
fonts, sizes, and colors. Every email client, even one with the most strict security settings, would
likely be capable of reading text emails. 27 HTML allows a message to specify font families,
sizes, colors, and to have italic, underline or bold letters. Email clients that are configured to
read HTML will also read and display text, as HTML-capable email clients are capable of
reading and displaying plain text. In contrast, email clients that are only capable of reading text,
or email clients that are only configured to read text, will not read and display HTML. 28
MIME is an Internet standard that extends the format of email to support message bodies
with multiple parts. MIME is specified in six linked RFC memoranda: RFC 2045, RFC 2046,
RFC 2047, RFC 4288, RFC 4289 and RFC 2049.2. 29 Because MIME extends the format of
26
Letter of Opinion of F. Alan Fullmer (Fullmer Opinion) ¶ 22, docket no. 38, filed May 31, 2012. For an
explanation of these terms, see Fullmer Opinion ¶¶ 1-5.
27
Id. ¶¶ 23-24.
28
Id. ¶¶ 26, 28-29.
29
Id. ¶ 30. The RFC protocols together define email specifications for all Internet users. The Internet Engineering
Task Force (“IETF”) codifies standardizing decisions which are then published in Request for Comments (“RFC”).
Many RFCs are the standards on which the Internet is formed. By way of example, the Internet Email RFC
standards include: RFC 2049, which defines a message representation protocol specifying considerable detail about
US-ASCII message headers, and leaves the message content, or message body, as flat US-ASCII text. This set of
documents, collectively called the MIME, redefines the format of messages to allow for: (1) textual message bodies
in character sets other than US-ASCII; (2) an extensible set of different formats for non-textual message bodies; (3)
13
email to support message bodies with multiple parts, MIME allows email to be drafted in a
manner that the email can be read in more than one format. For example, using the MIME
protocol, an email can be drafted to have a text part, a HTML part, or both. MIME also allows
the emailer to include images as part of the message. There are three main types of images that
can be included within an email: “Attached,” “Inline,” and “Remote.” 30 At issue in this case are
Remote images. Remote images are not part of the email body, but rather a link to a web server
that could be anywhere on the Internet and controlled by any unknown third party.
31
The United States Department of Homeland Security through the United States Computer
Emergency Readiness Team (“US-CERT”) is charged with providing response support and
defense against cyber-attacks for the Federal Civil Executive Branch and with information
sharing and collaboration with state and local government, industry and international partners.
US-CERT interacts with federal agencies, industry, the research community, state and local
governments, and others to disseminate reasoned and actionable cyber security information to
the public. US-CERT repeatedly warns against downloading remotely-hosted images in
email. 32 In the National Cyber Alert System, Cyber Security Tip ST04-007, US-CERT advised
as follows:
Disable the automatic downloading of graphics in HTML mail – Many spammers send
HTML mail with a linked graphic file that is then used to track who opens the mail
message—when your mail client downloads the graphic from their web server, they
know you’ve opened the message. Disabling HTML mail entirely and viewing messages
in plaint text also prevents this problem.
National Cyber Alert System, Cyber Security Tip ST04-007, 2. 33
multi-part message bodies, and (4) textual header information in character sets other than US-ASCII. (Fullmer
Opinion at 5, footnote 2.
30
Id. ¶¶ 31-32.
31
Id. ¶¶ 35.
32
Id. ¶¶ 44-46.
33
Id. ¶ 47. . This document is attached to the Fullmer Opinion as Exhibit C.
14
In the document entitled Recognizing and Avoiding Email Scams, US-Cert again warns
“[t]here are a number of ways you can configure your email client to make you less susceptible
to email scams. For instance, configuring your email program to view email as ‘text only’ will
help protect you from scams that misuse HTML in email.” Recognizing and Avoiding Email
Scams, 8. 34
Industry also warns of rendering HTML in email messages. In the document entitled
Technical and Policy Requirements for Sending Email to AOL, AOL warns emailers that they
will not support many of the features of HTML. 35 AOL also states that “[o]ne reason [the client
does not support all features of HTML] is because of the security hazards involved with sending
HTML e-mails. These e-mails can expose the unwary user to hostile viruses or other intrusive
programs. . . . The common theme here is end-user security. Malicious e-mailers can bury a wide
variety of harmful actions within the HTML e-mail, including programs that activate upon
download.” Technical and Policy Requirements for Sending Email, 2-3. 36
In addition to the security threats inherent in remotely hosted images and the industry
standards which typically prevent the display of remotely hosted images in email messages,
remotely hosted images are not permanent. If the remotely hosted image no longer exists on the
hosting server for any reason, then the image cannot be downloaded to the email client and can
never be viewed by the recipient. Remotely hosted images typically do not have a very long
shelf-life which means there is a small window of time where the image is viewable by the
recipient. 37
34
Fullmer Opinion ¶ 49. This document is attached to the Fullmer Opinion as Exhibit D.
Fullmer Opinion ¶ 50. This document is attached to the Fullmer Opinion as Exhibit E.
36
Fullmer Opinion ¶ 51.
37
Id. ¶¶ 36-37.
35
15
Given the strong concerns and recommendations against the downloading of remotely
hosted images in emails, the industry standards that prevent the automatic download of Remote
images in email, and the non-permanent nature of Remote images, the content of remotely hosted
images in email communications is not unavoidable and is not likely to appear on the recipient’s
screen for a duration and in a location sufficiently noticeable for an ordinary consumer to read
and comprehend it. See F.T.C. v. Affiliate Strategies, Inc., 2011 WL 3300097, at*2. This
opinion does not address what would constitute a “clear and conspicuous” provision of the
Required Content, it merely addresses what is not. It is the opinion of the Court that there are
many ways that an emailer could provide the Required Content in a “clear and conspicuous”
fashion that would not include the use of Remote images.
In this case none of the Required Content appeared to be provided in the emails in any
way. Nevertheless, if the Required Content was provided, it was through remotely hosted
images, which images would be blocked by the majority, if not all, email clients, which images
would only exist for a short time on a third party server, and which images would not likely be
viewed by a recipient. In fact, at the time the emails were received and reviewed by the Plaintiff,
none of the Remote images were viewable. 38 Accordingly, none of the emails in question
provided clearly and conspicuously displayed Required Content and every email violates 15
U.S.C. § 7704(a)(5). Because all of the email in question violates 15 U.S.C. § 7704(a)(5), there
is a pattern or practice by the Defendants of violating 15 U.S.C. § 7704(a)(5) and statutory
damages are appropriate.
38 38
Id. ¶¶ 61-65, 67-70.
16
III.
DAMAGES
Under the CAN-SPAM Act, a plaintiff may elect to recover monetary damages in an
amount equal to the greater of actual losses or statutory damages. 15 U.S.C. § 7706(g)(1)(B). It
is well established that “[a] plaintiff may elect statutory damages regardless of the adequacy of
the evidence offered as to his actual damages and the amount of the defendant’s profits . . . and if
statutory damages are elected, the court has wide discretion in determining the amount of
statutory damages to be awarded, constrained only by the specified maxima and minima.”
Facebook. v. Wallace, 2009 WL 3617789 at *2 (citing Columbia Pictures Television, Inc. v.
Krypton Broad. of Birmingham, Inc., 259 F.3d 1186, 1194 (9th Cir. 2001)) (internal quotations
omitted).
In this case, ZooBuh elected to recover statutory damages pursuant to 15 U.S.C. §
7706(g)(3)(A) which are calculated by multiplying the number of violations by up to $100 in the
case of Header Violations and up to $25 in the case of Content Violations.
15 U.S.C. § 7706(g)(3)(A).
In Wallace, the court awarded the plaintiff $710,737,650 in damages. 2009 WL 3617789
at *2. The damage award was calculated by multiplying the number of emails by “$50.00 per
violation of the CAN-SPAM Act.” Id. In determining to award $50.00 per violation, the court
looked at various factors. Specifically, the court stated that “[t]he record demonstrates that
Wallace willfully violated the statutes in question with blatant disregard for the rights of
Facebook and the thousands of Facebook users whose accounts were compromised by his
conduct.” Id. Wallace’s conduct included violating a temporary restraining order and
preliminary injunction. Id. Though the defendant’s actions were severe, the court did not
believe that the actions merited an award in excess of seven billion dollars. Id. Accordingly,
17
instead of awarding the full $100 per violation and treble damages, the court scaled back its
award to $50 per violation.
In Tagged, the court awarded the plaintiff $151,975 for 6,079 emails sent by the
defendant. 2010 WL 370331, *12. There, the court awarded $25 per email because the
defendant sent only 6,079 emails compared to the greater number of spam messages sent in other
cases which had given larger damages awards. See id. at 11.
In Asis Internet Services v. Rausch, the Court awarded the plaintiff $865,340 for various
violations of 15 U.S.C. § 7704(a)(1) (which carries up to a $100 penalty) and
15 U.S.C. § 7704(a)(2) (which carries up to a $25 penalty). 2010 WL 1838752, *7 (N.D. Cal.
May 3, 2010). Specifically, the court awarded $25 per violation of 15 U.S.C. § 7704(a)(1) and
$10 per violation of 15 U.S.C. § 7704 (a)(2). The court compared the case to Wallace and stated
that “[t]his case involves far fewer emails than in [Wallace].” Id at *7. Further, the defendant
“did not willfully violate an injunction” as was the case in Wallace. Id. After pronouncing the
base award, the court considered the evidence that the defendant had also engaged in dictionary
attacks and automated scripting in violation of 15 U.S.C. § 7704(b). See id. at *8-9. Based on
that fact, the court awarded treble damages as allowed by the statute for a total damage award of
$2,596,020. Id. at *9.
The instant case is most similar to Asis. Here, there are 13,453 commercial emails in
question, each containing one or more violations of the CAN-SPAM Act. Specifically, there are
13,333 emails that violate 15 U.S.C. § 7704(a)(1)(C) (which carries an up to $100 penalty),
13,453 emails that violate 15 U.S.C. § 7704(a)(1)(A) (which carries an up to $100 penalty), and
13,453 emails that violate 15 U.S.C. § 7704(a)(5) (which carries up to a $25 penalty). The
emails also contain significant evidence of other spamming practices, which illustrate the willful
18
nature of the violations. Such practices include, but are not limited to, the registration of many
.info domain names, image tracking, Bayes Poisoning, scripting, etc. 39 Accordingly, this Court
applies the Asis standard and awards $25 per violation of 15 U.S.C. § 7704(a)(1)(C) and §
7704(a)(1)(A), and $10 per violation of 15 U.S.C. § 7704(a)(5) for a total base damage award of
$804,180.
Under the CAN-SPAM Act, the Court can award aggravated damages where the
defendant “use[d] scripts or other automated means to register for multiple electronic mail
accounts or online user accounts from which to transmit to a protected computer, or enable
another person to transmit to a protected computer, a commercial electronic mail message.”
15 U.S.C. § 7704(b)(2); 15 U.S.C. § 7706(g)(3)(C). Under these circumstances “[t]he court may
increase a damage award to an amount equal to not more than three times the amount otherwise
available.” 15 U.S.C. § 7706(g)(3)(C).
In this case, there is significant evidence that the Defendants used an automated process
through which to create the sender email addresses from which to send the emails in question.
Specifically, the sender email addresses, when viewed alphabetically, demonstrate a pattern of
words selected in an ascending alphabetical order. Additionally, some of the words cross
domain names, indicating that the same script generated the domains by using a dictionary file. 40
Such practices violate 15 U.S.C. § 7704(b) and entitle a plaintiff to treble damages. 15 U.S.C. §
7704(b)(2); 15 U.S.C. § 7706(g)(3)(C); Asis, 2010 WL 1838752 at *9. Accordingly, this Court
exercises its discretion to double the statutory damage award and applies the Asis standard for a
total damage amount of $1,608,360..
39
Id. ¶ 66.
Id. ¶ 66.
40 40
19
Under the CAN-SPAM Act, the Court can enter an injunction to enjoin further violations
by the Defendants. See 15 U.S.C. § 7706(g)(1)(A). ZooBuh has substantially prevailed in this
matter and has demonstrated the existence of violations of the CAN-SPAM Act in the emails in
question. Accordingly, an injunction is entered against the Defendants in this case. The
Defendants shall no longer send any commercial email to any ZooBuh customer.
ORDER
ZooBuh’s motions for default judgment 41 and for an order regarding standing and
damages 42 are GRANTED. Defendants are ordered to pay ZooBuh damages in the amount of
$1,608,360. In addition, Defendants are enjoined from further violations of the CAN-SPAM
Act.
Dated May 31, 2013.
BY THE COURT:
____________________________
David Nuffer
United States District Judge
41
42
Docket no. 28, filed March 1, 2012.
Docket no. 40, filed June 1, 2012.
20
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?