CAN-SPAM May Apply to Interactive Messaging on Private Networks

On July 2, 2007, the United States District Court for the Central District of California issued an order granting MySpace, Inc. a preliminary injunction against Sanford Wallace, an individual who had engaged in spamming and phishing activity using MySpace in violation of the CAN-SPAM Act, 15 U.S.C. §§ 7704(a)(1), (a)(3), and (a)(5). MySpace, Inc. v. Wallace, No. 07-1929 (C.D. Cal. 2007). This opinion adds to the growing case law confirming that electronic mail and related posts using a website's internal account addresses fall within the scope of CAN-SPAM. See also, Facebook, Inc. v. ConnectU, 489 F. Supp. 2d 1087 (N.D. Cal. 2007) (stating that Facebook is an internet service provider for the purposes of the CAN-SPAM Act); MySpace, Inc. v. The Globe.com, No. CV 06-3391-RGK (JCx), 2007 WL 1686966 (C.D. Cal. 2007) (holding that MySpace is an internet service provider and that MySpace messages qualify as electronic mail under the CAN-SPAM Act).

The MySpace v. Wallace opinion is noteworthy for its (1) identification of schemes that are apt to affect entities providing interactive messaging services on private networks, (2) analysis of the meaning of an "electronic mail message" under CAN-SPAM, (3) evaluation of the sufficiency of evidentiary support needed to satisfy certain elements of CAN-SPAM causes of action, and (4) discussion of the permissible boundaries of injunctive relief. This memorandum briefly addresses each of these areas.

I. Facts

Beginning in October 2006, the defendant created more than 11,000 MySpace profiles and 11,383 unique email accounts to register those profiles. The defendant sent out a series of messages to MySpace users from the profiles directing them to a website where they were prompted to enter their MySpace username and password into a box that closely resembled the MySpace login box. The defendant used the usernames and passwords to log into the users' MySpace profiles and send further messages to the users' friends. The defendant sent nearly 400,000 messages and posted 890,000 comments from 320,000 "hijacked" accounts. The defendant also created groups on MySpace that redirected users to two websites that he maintained, and he altered the MySpace unsubscribe link in his messages to direct users to those websites.

II. Definition of "Electronic Mail Message" under the CAN-SPAM Act

The court held that messages sent from MySpace member accounts qualify as "electronic mail messages" and are thus covered by the CAN-SPAM Act.

• An "electronic mail message" is "a message sent to a unique electronic mail address." 15 U.S.C. § 7702(6). An "electronic mail address" is simply "a destination… to which an electronic mail message can be sent." MySpace, No. 07-1929, slip op. at 8. It is not necessary for an electronic mail address to have a "domain part" and a "local part" even though those components are mentioned in the statute. Id. It does not matter that the messages remain within the MySpace system. The messages qualify as "electronic mail messages," even though they do not use more complex traditional routing. Id. at 8-9.
• Even if the court were to apply a more narrow definition of "electronic mail message" requiring messages to have a route, MySpace messages would still qualify because each user's mail resides on a unique URL consisting of the member's username and a reference to the MySpace domain. Id. at 9.

III. Evidentiary Considerations

• For the purposes of a preliminary injunction, declarations were sufficient.
• Commercial nature of email: Admissions by the defendant that he earned $1 million per year from his websites and that he sent thousands of messages directing recipients to those websites was sufficient to show that the messages were commercial in nature, even without evidence about how exactly the websites generated revenue. Id. at 15.
• False or misleading header information: It is sufficient under § 7704(a)(1), which prohibits the use of false or misleading header information, that the defendant sent messages with header information that was accurate but that had been obtained fraudulently. Id. at 10-11.
• Return address: Section 7704(a)(3) prohibits sending commercial electronic mail that does not contain a functioning return address that a recipient can use to request that no further messages be sent. This section was satisfied by the defendant's use of hijacked profiles because return messages from recipients would go to the person with the hijacked profile rather than to the defendant. MySpace was able to demonstrate a pattern of activity, as required by the statute, by providing detailed information from its abuse team of three dates the defendant sent messages, how many profiles he used, and how many messages were sent each time. Id. at 12-14.
• Use of bots/scripts: § 7704(b)(2) prohibits the use of automated means to register multiple electronic mail or online user accounts in order to send commercial electronic mail messages. Evidence of the number of profiles and electronic mail addresses created by the defendant and use of consistent naming conventions was not sufficient to infer that the defendant used an automated bot for registration. MySpace should have also provided evidence of the time frame in which the profiles were created and of the existence of an automated bot that could circumvent the security features of its registration process. Id. at 17-18.

IV. Permissible Scope of an Injunction

• A court cannot order an injunction prohibiting all references to the plaintiff in electronic communications or advertisements created by the defendant. Such an injunction would violate the defendant's First Amendment rights to legitimate commercial speech. For example, the defendant has the right to mention the plaintiff in commercial electronic mail messages, even in a negative manner, as long as recipients are not misled into thinking that he is affiliated with the plaintiff. Id. at 23-24.
• The court can enjoin the defendant from:
• Using the plaintiff's services to send any electronic communications;
• Using the plaintiff's services for any commercial purpose;
• Establishing or maintaining a profile through the plaintiff's website;
• Referring to the plaintiff in any way that falsely suggests that the communication was approved by the plaintiff;
• Using the plaintiff's logo or graphics in a misleading fashion;
• Inducing a user to provide account information without the user's informed consent; and
• Encouraging or enabling another entity to do any of the above. Id. at 22, 24-7.