Home / Blogs

Defendants Convicted in 1st Criminal CAN-SPAM Trial

Venkat Balasubramani

In what seems to be the 1st criminal trial under CAN-SPAM, the defendants were convicted in June on a variety of counts. The court rejected defendants' motion for acquittal or new trial. (US v. Kilbride, 2007 U.S. Dist. Lexis 63172 (Aug. 24, 2007), access a pdf version of the order here.) Defendants challenged the conviction in the trial court (where proceedings are ongoing) and the court issued an order rejecting that challenge.

It's tough to figure out what's earthshattering about the case. After reading the court's reasonably detailed opinion recounting the evidence, you're left with the feeling that the government did a thorough job in assembling evidence, and defendants engaged in a variety of questionable conduct. Put these two together (and the fact that cooperating defendants testified), and the conviction does not seem surprising.

Among other facts, the court notes the following:

  • defendants earned $1,417,161 in 2003 by sending millions of pornographic messages
  • a third party set up servers in Amsterdam which defendants could access from Arizona (and California)
  • defendants sent emails stating they should be cautious in "covering their tracks"
  • defendants set up sham entities, including one called "Ganymede" in Mauritius
  • various controlled entities made payments to each other for services which were never rendered (these were sham transactions)

How exactly did defendants violate the statute?

Forged/Altered Transmission Information

First, defendants sent emails which contained false or altered transmission information (in violation of section 1037(a)(3)). At the end of the day, the defendants engaged in plenty of peripherally questionable conduct. As to how they actually altered or forged transmission information, the evidence was more equivocal:

Defendants intentionally concealed from the headers any information that would allow themselves, as initiators of the emails, to be identified. This was done in a number of ways. They had Jennifer Clason make up domain names which were then registered to a Mauritius company which had a bogus contact person and phone number. The email software enabled Clason frequently to change the domain names from which the emails were sent. When compiling the "from" information for the emails, Clason would make up the user name to be placed before the domain names. The user name was not that of any individual associated with Defendants or Ganymede. The program was designed by Rogers to show a different return path, created by taking the recipient's user name and placing it before the domain name Clason made up. Although the emails all contained routing information with the common denominator "knllc.net," this was shown as an entity sending the emails from The Netherlands. And as Ellifson testified, knllc.net was a Wisconsin corporation neither owned nor operated by Defendants.

While defendants argued that the emails accurately identified the entity which sent the emails, the court rejected this argument, finding that "[the entity] was a front, a shill, and Defendants intentionally designed the header information to impair the ability of recipients and others to identify defendants." (Take that Mummagraphics!)

Registration of Domain Names/Accounts Using False Information

Here, defendants argued that the domain names were technically registered to an entity and this entity (which actually existed) was reflected on the WHOIS record of all of the domain names through which defendants transmitted emails. Thus, defendants did not violate this section of the statute. The court rejects this argument, finding that the use of the words "actual registrant" in the statute was intended by Congress to get at the person or entity who ultimately controlled the domain names. Here, it was obvious that defendants controlled the domain names and did not have any real contractual relationship with the entity to whom the domain names were registered (except that this entity was their alter ego). The court thus concludes that defendants violated 1037(a)(4):

In truth, the persons who created, registered, used, and profited from the domain names were Defendants. They were the men behind the curtain, the actual registrants.

[I'm not entirely sold by this logic. The CEO of a corporation or even the marketing director may actually "control" a domain name, but in the garden variety situation, it's obviously appropriately registered to the corporation.]

Obscenity Charges

Defendants were also convicted of straightforward obscenity charges, something one does not see so often in this day and age, at least in federal criminal proceedings. There are a slew of academic issues - such as which particular community standards should apply, given that the materials were transmitted/made available on the internet - which didn't prevent the court from refusing to overturn the verdict on the obscenity charges.

* * *

What does this case illustrate?

First and foremost, I would bet that this prosecution put more of a dent in spam than all of the other non-ISP civil cases combined. This is a great example of the government taking down a reasonably large sized spam operation.

Second, it's always tough to get direct/on point evidence of a violation. Even in this case, where the court dealt with fairly egregious facts, it still seemed like the court stretched the statute in certain places. Non-ISP spam plaintiffs should take note.

Third, if you are a potential defendant and you have multiple entities, make sure you have documentation which shows that the entities are not sham entities or don't have sham relationships. If the defendants had in place adequate documentation, they could have made much more colorable arguments. (The sham nature of the documents/relationships was fairly pivotal in this case.)

Fourth, "off-shoring" and "off-shore" entities often promise privacy, anonymity, and the magical ability to be beyond the reach of United States jurisdiction. This is almost always an empty promise.

By Venkat Balasubramani, Tech-Internet Lawyer at Focal PLLC Follow Venkat on Twitter hereVisit Page
Related topics: Cybercrime, DNS, Domain Names, Law, Privacy, Spam, Whois

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Re: Defendants Convicted in 1st Criminal CAN-SPAM Trial Suresh Ramasubramanian  –  Sep 10, 2007 11:54 PM PDT

Let's put it this way. 

* A lot of these cases are prosecuted under multiple counts, multiple laws.

* CAN-SPAM provides for several "enhancers" - aggravated violations - that often involve criminal acts employed in the sending of spam (forgery, compromise or relay through servers, setting up fake shell companies etc)

As long as the perps are in a country and a money trail leads back to that country - offshoring doesn't help.

Beyond that - if they're elsewhere, there are still MLATs, the Council of Europe convention on Cybercrime (to which the US is a signatory as are several other countries) etc.. it just takes a lot longer to do cross border enforcement.

Re: Defendants Convicted in 1st Criminal CAN-SPAM Trial Richard Golodner  –  Sep 27, 2007 7:04 AM PDT

One down, how many more to go? This seems like a very convoluted way to resolve this problem of prosecuting spammers, but hopefully this will serve as an example that the long arm of the law may in fact, reach out and bust you for sending this kind of junk.
I commend the efforts of those involved and would love to see it happen more often.
Most sincerely, Richard Golodner

To post comments, please login or create an account.



New TLDs

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC


Sponsored byVerisign

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign