Original URL: http://www.theregister.co.uk/2004/12/27/spam_punishment_too_harsh/

Spam punishment doesn't fit the crime

We need a common sense approach

By Mark Rasch

Posted in Security, 27th December 2004 16:12 GMT

Opinion I hate spam as much as the next person, but recent decisions by courts in Iowa and Virginia demonstrate how fear of technology (and justifiable annoyance) can force the legal system to impose fines and sentences that are grossly disproportionate to the harm caused by spammers.

This is not to defend or justify spammers, whose actions are at best deceptive, almost always annoying, generally illegal and frequently criminal. But when people who send email are punished more harshly than those who commit war crimes in Rwanda, and are fined more than companies that destroy the environment, it's time to revisit our strategy.

The Virginia case arose out of the actions of brother and sister team Jeremy Jaynes and Jessica DeGroot, who sent thousands of spam messages from July 11th to August 9th, 2004. They were convicted in the Commonwealth of Virginia (through which it is estimated 80 per cent of the world's Internet traffic flows - thank you, AOL).

For the month's worth of spam, at about 10,000 per day, Jaynes was sentenced in November to nine years in jail which is more than the median state sentence for crimes like sexual assault, robbery, assault, theft, larceny - in fact, every crime except homicide. The nine year sentence is almost three times the median sentence for all criminal offenses nationally, which is 36 months.

As serious a problem as spam is, I question whether nine years in the pokey is the appropriate sentence for a non-violent crime.

A second issue for the Commonwealth of Virginia is its use of state law to impose sentence on activity that took place mostly outside of the Commonwealth. In a similar situation, a state circuit judge in Montgomery County, Maryland this month dismissed a civil lawsuit by a George Washington University law student against a New York spammer.

The law student, Eirc Menhart, apparently set up a company and various email addresses and domains, including one called "Maryland-state-resident.com," for the purpose of attracting spam in order to take advantage of a Maryland law that permits state residents to sue spammers for up to $500 per spam received, and ISPs to sue for $1,000 per spam. When one Joseph Frevola allegedly sent Menhart a mess of emails, Menhart sued, claiming damages of $168,750.

An interesting idea, to be sure, but circuit judge Duke G. Thompson found that the Maryland statute could not be applied to Frevola's conduct, especially where Meinhart lived in the District of Columbia (not Maryland) and his ISP was in Virginia. Thus, the court ruled, the spammer could not be hauled into a Maryland court to answer for email messages that may have never entered or had any effect on Maryland or its residents.

One Billion Dollars

More troubling, and unaddressed by the Maryland court, is the concept of statutory damages for automated emailing, which can lead to serious disparity between the severity of the activity and the fines imposed.

Nowhere is that more that more clear than the recent case in Davenport, Iowa, where a state law entitles plaintiffs to compensation of $10 per spam message. An Iowa ISP sued 300 spammers in federal court for the amount of spam it received on a single day in 2000. The spammers did not show up, and the ISP, CIS Internet Services, obtained a default judgment against three spammy companies: $720m from AMP Dollar Savings of Mesa, Arizona; $360m from Cash Link Systems of Miami, Florida; and $140,000 from TEI Marketing of Florida. That totals to more than $1,000,000,000.00 - that's a Billion with a "B".

To put that award in perspective, the Bhopal accident a decade ago cost Union Carbide about $470m - less than half the claimed "damages" suffered by a small Iowa ISP.

There is no doubt that legislatures are trying to send a "strong message" to spammers. They are also trying to provide incentives to private litigants and ISPs to take spammers to court. But unsolicited commercial email, as annoying as it may be, is not the criminal equivalent of armed robbery, rape or negligent homicide.

I don't question that spam causes real financial harm - a 2002 study by Ferris Research estimated the productivity losses due to spam in the U.S. at $8.9bn. But we need a common sense approach to compensation and punishment - one that fairly compensates individuals and ISPs for their true losses (as any tort system should) and punishes the perpetrators in a way proportionate to the severity of the offense, and not merely society's annoyance with it.

Remember, what makes spam a crime is not its unsolicited nature or its volume, but rather the "fraudulent" flavor of the source address, IP address, or subject matter - all elements that, in the end, deceive virtually nobody. I don't know what an appropriate sentence would be, but nine years seems extreme. As for billion dollar damage awards, finding some spam in your inbox should not be the equivalent of winning the lottery - even if the spam promises you've won the lottery.

Copyright © 2004, SecurityFocus logo

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

US ISP wins $1bn damages from spammers
Sibling spammers convicted
Spam King dodges $20m big stick
Spammer prosecutions waste time and money