Legal Definitions - CAN-SPAM Act of 2003: Criminal Liability

The CAN-SPAM Act of 2003 (which stands for Controlling the Assault of Non-Solicited Pornography And Marketing) is a federal law that establishes rules for commercial email, gives recipients the right to have businesses stop emailing them, and spells out tough penalties for violations.

While many violations of the CAN-SPAM Act result in civil penalties (fines), a specific part of the law, Section 4, imposes criminal liability. This means that certain severe violations can lead to criminal charges, typically classified as misdemeanors. This criminal provision is specifically designed to target individuals who send spam by illegally accessing or taking over someone else's computer or email account without their permission, often through fraudulent or deceptive means, and then using that compromised access to distribute unsolicited commercial messages.

Here are some examples of situations where this criminal liability might apply:

• Example 1: Phishing for Account Access

  A scammer creates a convincing but fake website that mimics a popular email service's login page. They then send out emails to thousands of users, pretending to be the legitimate service provider, urging them to "verify" their account by clicking a link to this fake page. When unsuspecting users enter their email addresses and passwords, the scammer captures these credentials. The scammer then logs into these compromised accounts and uses them to send out millions of spam emails promoting a fraudulent investment scheme, making it appear as though the legitimate account holders are sending these messages.

  This illustrates criminal liability because the scammer gained unauthorized access to numerous innocent parties' email accounts through deceptive and fraudulent means (phishing) and then used those accounts to distribute unsolicited commercial emails (spam).

• Example 2: Botnet Operation

  A cybercriminal develops malicious software (malware) that, once downloaded by unsuspecting computer users, silently installs itself and turns their computers into "bots." These infected computers then become part of a larger network, known as a botnet, controlled remotely by the cybercriminal. The criminal then commands this botnet to send out a massive volume of spam emails advertising counterfeit products. These spam emails appear to originate from the individual, innocent computers within the botnet, rather than directly from the cybercriminal's own system.

  This demonstrates criminal liability because the cybercriminal gained unauthorized control over innocent parties' computers (through malware) and subsequently used that illicit access to send spam, violating the criminal provisions of the CAN-SPAM Act.

• Example 3: Exploiting a System Vulnerability

  A hacker discovers a significant security flaw in the email server of a small online retailer. This vulnerability allows the hacker to bypass authentication and gain unauthorized access to several employee email accounts without needing their passwords. The hacker then uses these compromised employee accounts to send out unsolicited commercial emails to the retailer's customer list, promoting a competing, fraudulent online store. The emails appear to come from the legitimate employees of the retailer.

  This scenario triggers criminal liability because the hacker illegally accessed and utilized innocent parties' email accounts (by exploiting a system vulnerability) to distribute spam, thereby falling under the criminal provisions of the CAN-SPAM Act.