Just a quick follow-up to a post I wrote a few weeks ago about “Spam King” Sanford Wallace.  Wallace had been defaulted by a federal district court in California in a suit brought by MySpace for running a spamming and phishing scam on the site.

The court recently awarded MySpace $230 million against Wallace in what is apparently the largest spam award yet.  Of course, chances are that MySpace will never see a penny of that money—or if they do, it will be a miniscule fraction of the award.  Of course, no one will shed a tear if MySpace drives Wallace into bankruptcy.  It won’t stop him anyway.

And MySpace doesn’t need the money.  But it’s a symbolic victory and a great public relations plug for the company.  It gives MySpace bragging rights to its users, attorneys general of all 50 states, and the federal government that it takes these issues seriously and doesn’t waver—even though getting a default judgment is not all that difficult to do.  Hopefully, MySpace will pursue it further and try to actually collect on the award.

According to a new survey by Forrester Research, 41% of large companies (those having at least 20,000 employees) either read or analyze the contents of outbound e-mail.  They’re either paying other employees to read them or presumably using any number of commercially available software programs to analyze them. 

44% of the companies surveyed investigated a confidential data breach involving e-mail in the past year, while 26% said they fired an employee for violating the company’s e-mail policy.  Companies also expressed concern over employees leaking information on message boards, blogs, and other electronic media.

Quite frankly, I’m surprised only 41% of large companies are doing this (although it depends on the industry).  I would have expected it to have been much higher given the daily parade of data and privacy breaches in the news.  After all, it’s large companies that have the financial and human resources to implement widescale e-mail monitoring systems.  Smaller companies may be in a much different situation.

Of course, many employers find it distasteful to engage in this type of monitoring.  It can, if not handled properly, be destructive to employee morale and have lasting effects.  Nevertheless—for better or worse—many employees are slowly coming to grips with their employers’ monitoring efforts.  It’s just becoming a fact of life. 

But the truth is, I’ve had clients whose employees have e-mailed confidential and sensitive company data.  Some workers do it without thinking about it, while others are far more malevolent in their intentions.  This is especially the case when employees leave their companies on bad or poor terms.  So it’s a very real problem for employers that has very real consequences.  Thus, like it or not, monitoring will only continue to increase. 

Bottom Line:  Be careful.  You don’t have any right to privacy when you’re at work.  So don’t think that anything you send—whether to a spouse, boyfriend, girlfriend, doctor, stockbroker, or anyone else—is private.  Even if you have to send it and it can’t wait until you get home, an employer is within its rights to read your e-mail, no matter how private the subject matter.  Of course, what it does with that information is another matter.

It’s always refreshing to see companies take affirmative steps to try and protect users from malicious programs that can be inadvertently downloaded onto their computers.  Yahoo and McAfee are joining forces to unveil a new security feature designed to warn Yahoo users about potentially dangerous links to software such as adware, spyware, keystroke loggers, and other malicious programs.  Yahoo users will see a red exclamation point and a warning next to any links that McAfee has identified as containing harmful software.

It’s a good start and is one more weapon in the fight against increasingly sophisticated hi-tech criminals.  However, it’s only a matter of time before this new service becomes the target of lawsuits by companies who are identified as “false positives.”  That is, legitimate companies whose links are mistakenly identified as being malicious.

Remember the “real-time blackhole list (“RBL”)?”  This was a Mail Abuse Prevention Service (MAPS) which published lists of ISP addresses which were known to be associated with spammers.  A network could then filter out any questionable e-mail traffic and it would disappear in a metaphorical “black hole” and never reach its destination.

This prompted lawsuits from companies (who called themselves “e-mail marketers”) against RBL providers who claimed that they were being defamed by being erroneously or improperly included on these lists.   (They also included “false light” and restraint-of-trade claims.)  While most suits were dismissed or unsuccessful, they were designed to target and harass RBL providers who devised an otherwise sensible solution to an evergrowing spam problem.

It’s only a matter of time before some disgruntled company sues Yahoo and/or McAfee for being falsely identified to users as a provider of malicious software.  (Due to the Yahoo Terms of Service agreement, users will be unable to successfully sue if some malicious links or sites slip through.)   Still though, despite the threat of lawsuits, Yahoo and McAfee should be commended for trying to develop a solution—however temporary or imperfect—to this problem.  Of course, if any of my clients end up being falsely identified as providers of malicious software, then those companies will hear from me.  Until then, the battle continues.  

The short answer:  No.  Spam will continue to be one of the internet’s most enduring problems.  But it’s always nice to see a few small victories here and there.  Sanford Wallace, who earned the ignominious title of “Spam King,” is in the news once again. 

It seems that Mr. Wallace, in his infinite wisdom, decided to ignore a California federal district court’s order that he turn over requested documents to MySpace, one of the many plaintiffs who have sued him over the years (including AOL, Concentric Network Corp.,  Compuserve, Bigfoot, and the Federal Trade Commission), and provide a deposition to MySpace’s counsel.  According to the complaint, Mr. Wallace ran a phishing scam on MySpace and spammed thousands of its users.  Some people will just never learn.

The Spam King claimed that he was unable to comply because he was unaware of the requests and court orders, as he doesn’t accept mail (why might that be?) and also stated that he had a difficult time finding counsel (yes, we lawyers are always reluctant to take on new clients during a recession). 

The court didn’t buy it—no surprise there—and entered a default judgment against him.  Mr. Wallace is no stranger to default judgments:  He had previously been defaulted in May of 2006 in an action brought by the FTC and ordered to pay a fine of $4,089,500.  Moral of the story for Mr. Wallace:  Don’t break the law.  Moral of the story for everyone else:  Don’t ignore court orders.

In a separate recent spam case, Edward Davidson, who sent hundreds of thousands of e-mails with false headers, was sentenced to 21 months in prison and ordered to pay $715,000 to the IRS.  I suspect, however, that the bulk of the prison sentence was for the tax evasion charges, as it’s only a misdemeanor under the CAN-SPAM act to falsify header information.  Yet Mr. Davidson reportedly made at least $3.5 million sending out these e-mails.  And who says crime doesn’t pay?

While these cases are always satisfying to read, they are few and far between.  Spam is here to stay, regardless of the number of criminal prosecutions brought or default judgments entered.  First, the CAN-SPAM act only applies to spammers in the U.S.  A growing amount of spam is coming from overseas.  Most—if not all—of these foreign spammers are beyond the reach of U.S. law.  

Furthermore, many American spammers are reportedly using foreign servers to send their spam into this country.  Of course, if they could be identified, then the CAN-SPAM Act could be used against them (but it probably wouldn’t stop them anyway—just ask Sanford Wallace).  But you have to identify them first, which is exceedingly difficult when the servers are located outside of the U.S. 

So until the stakes for spammers increase substantially and other countries jump on the enforcement bandwagon, sending spam is still quite profitable—fines, penalties, and imprisonment notwithstanding.  Death penalty for spam, anyone?

Talk about a slow news day.  A recent article in USA Today discusses the so-called “fine print” in ISP contracts and then concludes that it doesn’t really matter anyway.  This non-story highlights the fact that ISP contracts, which their company lawyers draft, give ISPs rights to read their subscribers’ e-mail, block their subscribers from accessing certain websites, and can terminate their subscribers for overusage of their networks.  The horror.  Imagine that?  A business that protects itself.  The shareholders will be outraged.

As an attorney who drafts these contracts, this article is much ado about nothing.  Yes, ISPs put all sorts of language into these agreements to make sure that their services are not abused by users.  But simply because an ISP has the right to read a user’s e-mail or block a user from accessing certain sites doesn’t mean that it will actually do so.  The article makes it sound inevitable.

An ISP, like every other business in America, is keenly aware of the public relations disaster that would result if it was disclosed that they routinely read their users’ e-mails, blocked access to websites, or simply terminated their users accounts due to overusage, without good cause.  They would quickly and perhaps permanently lose users as the media and blogosphere savaged them.  And as they know all too well, everything in cyberspace lives on indefinitely. 

But think of the public relations disaster that would result if it was disclosed that an ISP was aware or suspected that a user was engaging in wide scale spamming, copyright infringement, or the downloading of child pornography.  Or that certain users were hogging bandwidth to the point that other subscribers’ service was affected, while the ISP took a laissez-faire attitude?  It’s not exactly a model of corporate responsibility in these post-Sarbanes Oxley times.  The blogosphere would again be buzzing, albeit for different reasons.  You’re damned if you do, and damned if you don’t.

Furthermore, some of these clauses are economic necessities.  The RIAA has begun targeting ISPs whose users engage in massive and sustained downloading of copyrighted music through their networks.  If an ISP suspects that a user is downloading copyrighted material and does nothing, it can be held liable for contributory copyright infringement in certain instances.  But by terminating the offending user’s account, it may insulate itself from liability.  The “fine print” of the contract allows an ISP to do so.

Is an ISP contract really that different from signing a lease with a landlord?  A landlord has the right to access your apartment with or without notice and can potentially invade your privacy.  A landlord puts certain restrictions as to how its property can be used and how many people can live in it.  And a landlord can evict you under the right circumstances.  While internet access is certainly important nowadays, so is having a place to live.  Yet many tenants have rules not unlike what their ISPs impose, but don’t assume that their landlords will exercise them indiscriminately.

So the contractual provisions such as those described in the article are not necessarily a bad thing.  It all depends upon the circumstances.  If an ISP does include a provision that a court finds to be unfair or onerous, it can be struck from the contract (to say nothing of the scrutiny the ISP would get from that state’s attorney general).  So it’s not as if an ISP can do anything it wants.  While it may sound like this is a case of “ISPs gone wild,” the simple fact is that—for the moment at least—this was an article in search of a story.  But when an ISP does overreach or overreact, I’m sure we’ll hear about it somehow.

     Although it should hardly be considered to be news anymore, an appellate court in New York has ruled that a series of e-mails constituted “signed writings” within the meaning on New York’s Statute of Frauds.  Consequently, they could be used to modify an employment agreement which provided that all modifications had to be signed by the parties.

     The court found that when each party typed his name at the end of his respective e-mail prior to sending it, this signified each party’s “intent to authenticate” the e-mail’s contents.  Thus, the e-mails fell within the scope of the modification provision of the employment agreement, and the contract was deemed to have been modified in accordance with the e-mail’s contents.

      There’s nothing remarkable about this ruling.  It relates back to the standard caveat nowadays that parties need to be careful about what they put in their e-mails, as they can obviously impact legal rights.  In this instance, if the parties didn’t want the e-mails to be considered writings, they should have had an express provision in the employment agreement which excluded e-mails from modifying the contract.  

     In fact, provisions such as these are becoming increasingly common as more and more people communicate via e-mail.  It depends, however, upon the client.  I have several technology clients who prefer e-mails and pdfs to actual paper when communicating with just about everyone, including their customers, prospects, employees, contractors, and attorneys.  While this may be easier and more efficient, it’s also easy—given the daily deluge of e-mails—to delete or overlook them (especially if they get caught in spam filters).  Thus, for those of you who prefer to communciate this way, just be aware of the potential ramifications.