Contact:  Office of Policy and Legislative Affairs
Agency: Licensing and Regulatory Affairs

According to a study conducted by Symantec Corporation 76 percent of children who use the Internet have one or more e-mail accounts. Also, 47 percent of the children surveyed had received spam with links to pornographic websites.

In 2003 the federal CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003 attempted to address the issues posed by unwanted commercial e-mail. The act established requirements for those sending commercial e-mail, penalties for spammers and companies whose products are advertised in violation of the law, and gives consumers the right to ask e-mailers to cease spamming them. Most state anti-spam laws, including one in Michigan, were preempted.

The battle against spam is very difficult, because spammers are very good at hiding their identities. Several methods have been developed to exploit the largely anonymous nature of the e-mail system. These include “spoofing” in which header information is falsified or hidden, open relays and proxies, and “zombie drones” where spammers exploit millions of computers with a variety of malicious, viruses, worms, and Trojans.

As if spam wasn’t bad enough, the popularity of instant messaging has given rise to a new threat called “spim”. “Spim” refers to unsolicited, unwanted messages that can pop up via programs such as America Online’s Instant Messenger (AIM), Yahoo! Messenger, or MSN Instant Messenger. Those who send such messages use automated programs that simulate instant messaging users and send messages to screen names generated randomly or harvested off the Internet. One estimate is that such messages doubled between 2002 and 2003 to one half billion.

Wireless spam is in its infancy in the United States, but it has reached critical proportions in Europe where the Parliament of the European Union has mandated adoption of laws by its members to combat it. In March 2004 the Federal Communications Commission began a rulemaking proceeding on protecting cell phone customers from unsolicited and unwanted commercial messages. The federal CANSPAM requires the FCC to create such rules.

There has been much discussion in recent days of a recent United States Supreme Court decision in Ashcroft v. American Civil Liberties Union. In the Ashcroft case the ACLU challenged the federal Child Online Protection Act (COPA). The Supreme Court decided in a very narrow holding to vacate a U. S. Court of Appeals decision and remand the case for further proceedings. The court found that COPA’s reliance on community standards does not by itself render the statute overbroad but did not express any view on whether the statute was substantially overbroad for other reasons or unconstitutionally vague. Senator Bishop issued a news release saying the proposed Michigan Children’s Protection Act was a “constitutional alternative to COPA”. He points out in his news release that the ACLU, which is the lead plaintiff in the case, supported his bill.

Description of Bill: Senate Bill 1025 creates the Child Protection Registry in the Department of Labor & Economic Growth. A person would be permitted under the bill to register “contact points” to which one or more minors have access. A person would be prohibited from sending a message to a contact if the primary purpose is to advertise or sell a product or service that a minor is prohibited by law from purchasing, viewing, possessing, participating in, or otherwise receiving. A person desiring to send such messages would be required to purchase the state’s registry of “contact points” and to scrub those addresses off his or her list. A person would be prohibited from releasing the names on the registry to another or providing access to the addresses on the list, except as provided in the bill. The registry would be exempt from the Freedom of Information Act. Violations of the bill’s requirements would carry both civil and criminal penalties. Criminal penalties are provided by reference in the bill to Public Act 53 of 1979. Civil actions could be brought by the following:

•   An authorized person on behalf of a minor who has received a message violating the act.
•   A person through whose facilities a message violating the act was transmitted (e.g. an Internet Service Provider).
•   The Attorney General.

The bill is tie-barred to House Bill 5979.

Senate Bill 1025 is similar to a bill that passed the Utah Legislature in 2003. The Utah program does not go into effect until July 1, 2005, the same date that the proposed registry in Michigan would go into effect.

House Bill 5979 makes a violation of the Michigan’s Child Protection Registry Act a violation of Act 53 of 1979. The Senate bill contains an amendment requested by the State Police providing for seizure and forfeiture of property used in connection with a violation of Act 53 and known by the owner to have been used in that manner. The bill is tie-barred to Senate Bill 1025.

Summary of Arguments

Pro: The public purpose in this bill is clear. The potential for spammers to prey on children by sending inappropriate material to wireless telephones or computers to which children have access increases every day. The federal CANSPAM law provides only partial protection from e-mail spam and does not apply to the text and digital messages now being sent to wireless telephones.

The bill has been carefully crafted to overcome potential constitutional challenges. The federal CANSPAM law provides an exemption for “computer crimes”. By tying the criminal penalties in the bill to Act 53 of 1979 the bill ensures that the courts are not likely to consider Michigan’s law preempted by the federal law if a legal challenge is filed.

It is possible to successfully prosecute individuals for violating laws such as the one proposed here. Although the image of spammers is that they send their messages from Vanuatu, Moldova, or some other foreign destination, it is reported that over 56% of spam originates in the United States. Indeed, by taking advantage of a server or proxy that is not configured properly, a spammer located in the United States can easily make it appear that a message originated in another country. In one often-cited case, State of Washington v Heckel, the spammer was located in neighboring Oregon. The success of Washington in prosecuting the Heckel case is evidence that the proposed registry is enforceable in Michigan. Despite significant obstacles in tracing spammers hiding behind false headers, open relays or proxies, or zombie drones, the FTC has brought 62 cases in which spam was an integral part of the case. Although significant time is often required to prepare a case, the effort is often worthwhile. In Washington the prosecutor spent four months and sent out 14 civil investigative demands to identify the spammer, but they did identify the spammer.

Although the FTC may be correct in their conclusion that the development of effective authentication standards is preferable to a registry, the development of authentication standards may take some time. None of the competing concepts have been widely tested. It is possible that agreement on a standard and ultimate implementation could be delayed for many years while spammers continue to target Michigan’s children.

The potential that the registry could be used by spammers to acquire thousands of confirmed e-mail addresses can be substantially reduced by “salting” the list with dummy addresses controlled by the department. If a bulk e-mailer fails to scrub its list and sends spam to the list, the agency will quickly know about it. The individual will then be prosecuted for violating the laws prohibition against using the registry in this manner. There are also ways to encrypt registry data to protect the list from misuse.

Con: Despite the efforts to assure an exemption from federal preemption under CANSPAM, there is still a potential problem in the bill in that there are private rights of action. There is also a concern that there might be commercial speech issues under the Central Hudson test for evaluating state restrictions on commercial speech.

The Federal Trade Commission has studied three possible registry models for implementation on the national level. On June 15, 2004 the FTC announced that a national registry would “fail to reduce the amount of spam consumers receive, might increase it, and could not be enforced effectively”. The FTC also states that “the high value of email addresses would likely make a Registry the National Spam Do Spam Registry”. The FTC has opted instead to focus on the development of e-mail authentication procedures. If the federal government believes that a registry is unenforceable and might increase spam, Michigan would be well advised to reconsider the implications of the current bills.

Fiscal/Economic Impact

(a) Department

Budgetary: The bill will impose costs on the department to administer the proposed registry. The bill creates the option for the department to contract with a third party to operate the registry. Because of the technical and specialized nature of the proposed function, this may be an attractive option. It is possible that such a contract produce sufficient revenue to pay the vendor and return significant funding to the department.

Revenue: There would be no fee for a person to register “contact points”. Persons sending messages covered by the bill would pay to obtain the registry for purposes of scrubbing their lists. A typical list of a commercial sender includes 100,000 names, and it is estimated that as many as 1 million contact points might be registered in Michigan. As a practical matter, the registry would have to be purchased frequently by senders, because it would be illegal to send covered messages to a contact point that has been on the list for more than 30 days. It is estimated that annual revenue in Utah, a much smaller state, could be in the $3-6 million range.

Comments:

(b) State

Budgetary: The bill will result in enforcement costs to the Attorney General. These cases will be extraordinarily complex to investigate and will require significant effort to prepare.

Revenue: The Attorney General will receive 15% of the revenue to the Child Protection Registry Fund and any civil penalties collected in actions initiated by the Attorney General. In addition, an amendment in House committee allows the department to reimburse the Attorney General for costs that exceed the 15% of the Fund revenue.

Fine money could be significant. For instance, Missouri has reportedly collected $3 million in fines in connection with financing its do not call law. However, much of this amount may have been criminal penalties. Criminal penalties in Michigan are constitutionally earmarked for libraries.

Comments:

(c) Local Government

Comments: The bill has no impact on local government.

Other State Departments: Senate Bill 1025 directly affects the Attorney General. The Michigan State Police may also be affected in that it may be asked to investigate cases. House Bill 5979 contains an amendment sought by the State Police.

Any Other Pertinent Information: Representatives from a company called Unspam testified in favor of the bill in both the House and Senate. The company is one of the bidders for Utah’s registry. The American Civil Liberties Union supports the bill. There was no opposition to the bill.

Administrative Rules Impact: Administrative rules will be required to define how “contact points” will be registered and the mechanism for persons desiring to send covered messages to verify compliance. The rules would also establish the fees. The bill limits the fee to 3 cents per contact point.