As one who writes extensively on cybersecurity issues , specifically the rise of email phishing , I like to think of myself as more cautious than the average online denizen. But one recent Monday morning, I found the hard truth behind a common cybersecurity refrain: With attacks, it's never a matter of if, but when.
Switching absentmindedly between my work and personal email accounts both hosted on Gmail I saw an order confirmation from Amazon.com. The email didn't surprise me: the night before I was up doing a little online shopping before bed. But the confirmation still looked odd. Was that the item I ordered?
It didn't look like it, so I opened the email and clicked on the item link. And in the several seconds it took the page to load, it hit me: The Amazon email was sent to my work email, and I never link my personal accounts to my work email. I'd been had. By a phishing scam.
I looked at my screen in horror. Was it ransomware? A malicious website? A haughty menacing message from a hacker amused at duping yet another victim?
No, it was message from a cybersecurity company, telling me my computer was safe. On the page, a video soon began to play discussing how users can learn to detect and avoid phishing emails.
I sighed in relief. But then something else struck me: Had a cybersecurity company sent me a phishing email as a part of a promotional campaign? Sure, the video was educational, but the cybersecurity company's logo was prominently featured on the landing page and in the video.
After some research, I discovered the cybersecurity company had been hired by my employer, ALM Media, as a part of an employee training program. Suffice to say, it worked. But the ordeal still had my mind reeling. Could companies legally send out phishing emails like this one? And was there anything to stop them from doing so?
The answer, I soon found out, rests on the interpretation of the federal "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003" (C AN-SPAM Act ). The act defines what constitutes legal and illegal commercial emails (i.e. spam) and lays out criminal liabilities and fines for sending out illicit emails.
Among other requirements, the act stipulates that spam emails cannot contain misleading or false information in its header (its metadata container) or depictive information in its subject line. Spam also must provide "clear and conspicuous" identification that it is a promotional or advertising message, and include a way for its recipients to opt out of future mailings.
When I showed the phishing email I received to David Hickey, managing partner at the California law firm Hickey Smith, he quickly offered a legal analysis: If the email had been sent as unsolicited spam, and not as a part of company cybersecurity training program, "It would appear to violate the CAN-SPAM because of a number of reasons," he said. These include the fact that there was deceptive sender information, a deceptive subject line and absence of a physical address for the sender.
So the email, if sent unsolicited, was illegal, right? Not exactly. Though phishing email violates the CAN-SPAM Act, it might not fall within the law's jurisdiction in the first place. The act only applies to commercial emails, which it defines as those whose primary purpose "is the commercial advertisement or promotion of a commercial product or service."
Since the phishing email I received included an educational video, there could be a case for defining it as educational, instead of commercial. In the context of an employee training program, it was purely educational. But as unsolicited spam email, would this hold up?
Ari Scharg, partner at Edelson, was skeptical. "Even though the email itself might not have been trying to promote or advertise a special product, it [can be seen as] marketing a company, who if you actually go to their website you can buy products and services from."
Still, there is no definitive way to know whether the email was commercial or not, absent a court ruling. Eric Goldman, professor of law and co-director of the High Tech Law Institute at Santa Clara University School of Law, said that like other U.S. statutes, the CAN-SPAM Act struggles to "distinguish between commercial and noncommercial activity those boundaries are always murky."
To highlight the ambiguity of what constitutes a "commercial email," Goldman cited the example of emailing "an unsolicited resume to a potential employer." Such an email, he said, might be considered commercial since it advertises or promotes the product of a person's labor.
In addition, Goldman also highlighted law firm newsletters, which discuss "developments in their area or practice" and offer general legal advice. "Is a message's primary purpose the commercial advertisement of a commercial product or service? We don't know."
For the sake of clarity, let's assume all unsolicited phishing spam emails, even those that include educational elements, are found to be commercial emails. They would therefore be illegal, but would their senders face criminal liabilities and fines under the CAN-SPAM Act?
Hickey isn't so sure. "It is unlikely actions would be brought against them under [the act]," he said.
One significant reason for this "is that the CAN-SPAM Act is toothless, because there is no private right of action," Scharg added.
On paper, however, the CAN-SPAM Act does allow for a private right of action from what the law defines as "internet access services," essentially internet service providers.
But over the past decade, "Courts have routinely narrowed the scope of who would qualify as an internet access service and what they could complain about, and that has effectively dried up the private enforcement initiative," Goldman said.
Such rulings, he added, were in response to "a bunch of anti-spam advocates who really hoped to make a financial living off of bringing CAN-SPAM lawsuits ... and who would set up these low usage ISPs, wait for the incoming emails and then go right to the courthouse."
There are, though, other levels of enforcement. State attorneys, for example, can bring actions using the CAN-SPAM Act. However, the act pre-empts parts of state anti-spam laws, denying the private right of action at the state-level and restricting states from enacting more aggressive anti-spam legislation.
On the federal level, the act also allows many agencies, including the Department of Justice, to take action, though Goldman notes most federal agencies rarely do, save for the Federal Trade Commission (FTC).
And what's more, many consider enforcement by the FTC, the main body to take action under the act, to be lackluster anyway. "The FTC website shows a number of enforcement actions over the years, but frankly not in a number that one would have expected given the large number of violations of the act," Hickey said.
A part of the reason for low levels of enforcement, Goldman said, could be that spam is not as big of a nuisance as it once was, and therefore isn't priority for enforcement entities. "People aren't just upset about this as they used to be, it's a problem that has already been solved in practice."
He added, "At the server level, spam filters have gotten much better, so incoming spam is more frequently killed before it even reaches anyone's inbox. Then at the individual [inbox] level, spam filters have gotten better [as well]."
In an emailed statement, the FTC pushed back on the assertion that its enforcement was lacking: We have enforced the CAN-SPAM Act. We have brought more than 100 spam-related cases and about three dozen cases under the CAN-SPAM Act. We generally try to focus on big spammers who are targeting many people and focus our limited resources where we can have the most impact and help the most consumers.
Indeed there are signs that the FTC may be looking at updating how it enforces the act. On June 28, the agency issued a public review off the CAN-SPAM Act and requested public comment. The period for written submissions ends on Aug. 31.
