In the spring of 2008, a deluge of complaints hit the Federal Trade Commission about what appeared to be a new registration strategy deployed by the social networking site Reunion.com.
When people joined the site, Reunion.com asked them to provide their e-mail addresses and passwords. But what some people didn’t realize was that the site would then send solicitations to all their e-mail contacts—including their bosses and business associates, and even exes. What’s more, the ads made it appear as if the new members were searching for their e-mail contacts on the Reunion site.
“This company hacked my e-mail system, falsely telling my contacts that I was ‘looking for them’ on their social networking website,” one disgruntled user said, according to FTC reports.
“This has hurt my professional credibility, as several of my contacts who have received this e-mail (and confronted me about it) are colleagues, clients and my professional superiors. In addition it is a huge embarrassment,” complained another.
The e-mails “will reflect poorly on me,” lamented yet another.
Reunion isn’t the only company to draw complaints. Other social networking sites like Tagged also ask people to provide their e-mail log-ins upon joining and, in some cases, send invitations to everyone in registrants’ address books.
Privacy experts worry that people often sign up for sites quickly, without reading the fine print that tells them how their information will be used.
“It’s a nightmare for people,” says Pam Dixon, executive director of the World Privacy Forum, a nonprofit agency based in Cardiff-by-the-Sea, Calif., near San Diego. She says her organization has heard from many upset Web users who say they didn’t realize that providing their e-mail addresses and passwords would result in sites contacting all of their associates. “It violates the users’ expectation of privacy,” Dixon says.
New York Law School associate professor James Grimmelmann likens the strategy to sending a chain letter. “It’s a virus that essentially tricks people into tricking their own friends,” says Grimmelmann, who recently published an article in the Iowa Law Review about privacy and social networks.
But while some consumers feel victimized by these types of practices, recovering damages in court has so far proven elusive.
One argument is that, even though some registrants thought their privacy was compromised, it was the members themselves who provided Reunion with access to their contacts. Additionally, many of those who received the ads might have wasted time opening and reading them, but they didn’t necessarily spend any money because the site allows people to join for free.
Nonetheless, even without a monetary loss, some recipients have been peeved enough to argue that the e-mails violate anti-spam laws that outlaw misleading commercial messages. But so far they’ve faced an uphill battle in court.
The main hurdle is the federal Can-Spam law (aka Controlling the Assault of Non-Solicited Pornography and Marketing), which took effect in 2004 and makes it illegal to send misleading e-mails. The law specifically provides that consumers have no right of action. Instead, only the FTC, various government agencies, state law enforcement officials and Internet service providers can bring suit.
Some states, including California, had their own more plaintiff-friendly spam laws on the books when Congress enacted Can-Spam. But the federal law pre-empts all state laws except those dealing with falsity or deception.
“Can-Spam is a product of its time,” Grimmelmann says. “In the past, it was hard to know all the forms that spam would take.”
The parameters of that pre-emption are still taking shape as courts debate whether laws regarding any false statements will get around the pre-emption provision, or whether the laws have to be about statements that are so false that they’re fraudulent at common law. So far, however, courts appear to be taking a broad view of pre-emption.
In July 2008, four recipients of the Reunion messages filed a putative class action against the site, alleging that it ran afoul of a state law that bans e-mails with misleading subject lines or headers. That statute provides for damages of $1,000 per violation.
In October 2008, U.S. District Judge Maxine Chesney in the Northern District of California ruled that the claims were pre-empted by the federal anti-spam law. Chesney said that the pre-emption applies unless plaintiffs can prove common-law fraud—which requires damages. Writing that the plaintiffs failed to allege that they “relied to their detriment on any misrepresentation, and that, as a result of such reliance, they incurred damage,” she dismissed the case with leave to amend.
Chesney cited a 4th U.S. Circuit Court of Appeals ruling dismissing another spam case, 2006’s Omega World Travel Inc. v. Mummagraphics Inc. The Richmond, Va.-based court there threw out a spam lawsuit brought under Oklahoma state law, ruling that false statements in e-mail headers—fields of additional information including where the spam came from—were immaterial and, therefore, couldn’t overcome pre-emption.
But some Internet law experts say that Chesney went too far by equating a technical flaw in an e-mail header with the type of deception that Reunion allegedly engaged in.
“A lot of people think Reunion wasn’t correctly decided,” says cyberlaw expert Venkat Balasubramani, based in Seattle. “There’s a big spectrum between immaterial errors and common-law fraud.”
Last October, Chesney indicated she might reconsider the ruling and invited further briefing after an August ruling by the 9th U.S. Circuit Court of Appeals at San Francisco in Gordon v. Virtumundo, which also examines false header information.
One justification for the broad federal pre-emption seemed to be to discourage “professional plaintiffs”—people who deliberately registered e-mail addresses with marketers for purposes of ensnaring companies that sent ads not meeting the technical requirements of the law. In fact, in Gordon, the appellate decision criticizes the plaintiff, James S. Gordon Jr. “The Can-Spam Act was enacted to protect individuals and legitimate businesses—not to support a litigation mill for entrepreneurs like Gordon,” the court wrote.
HUBBUB OVER HEADERS
The Reunion plaintiffs argue that their case is stronger than Gordon’s because their e-mail headers allegedly involved substantive deception.
“We feel like there’s a real harm here,” says Karl Kronenberger of San Francisco, the lawyer for the Reunion.com plaintiffs. He says there are significant differences between sending messages with technical flaws in their headers and sending e-mails that wrongly purport to be from people’s friends.
Reunion’s lawyer, Ronald Jason Palmieri of Los Angeles, disagrees. “From the outset it has been our position that to avoid pre-emption, you have to prove the common-law elements of fraud. If not, then pre-emption means nothing,” he says.
He also says that the vast majority of registrants had no complaints about the process. “If you are not brain-dead, you understand what’s going on.”
In a related development, last August consumers filed a putative class action against Tagged for its registration practices. The plaintiffs’ lawyers argued that the site violated the federal Stored Communications Act, the Computer Fraud and Abuse Act, and other laws.
But observers say the plaintiffs could have a hard time fitting Tagged’s conduct into the federal statutes, which are aimed more at hacking and identity theft.
Meanwhile, Tagged and MyLife.com revised their registration procedures to make it less likely that consumers will be tricked into letting the sites solicit their contacts.
Additionally, state attorneys general in New York and Texas extracted settlements with Tagged in November. The company agreed to pay $750,000 total and also said it had made changes, including clearly labeling buttons to “import friends” and “send invites.”
Tagged CEO Greg Tseng said in a post on the company’s blog that it had revamped procedures after receiving about 2,000 complaints.
Reunion also revised its sign-up procedures, but Palmieri says that doesn’t indicate that anything was amiss in the past. “The company adjusts with the times and certainly wants to be socially conscious,” he says. “So, without admitting any wrongdoing, if we can make the site more user friendly we’ll accommodate that.”
Meantime, some observers are calling for policymakers to end chain-letter-type campaigns. One possibility is that Congress will pass new, sweeping privacy legislation, Grimmelmann says. But even if it doesn’t, others in Washington might. “In the near term, I hope that the FTC will take action,” he says.