Following the success of do-not-call anti-telemarketing lists, the idea of do-not-spam lists has suddenly caught on with politicians. Big mistake.
In June, a Michigan do-not-spam-list bill was passed into law. Earlier that month, U.S. Sen. Charles Schumer [D-New York] introduced a bill that would create a national "do not e-mail" registry. Under the auspices of the Stop Pornography and Abusive Marketing (SPAM) Act, Schumer has proposed that unsolicited commercial e-mail must include "ADV" (for "advertisement") in its subject line. That's another bad idea. (For starters, not all e-mail is in English.)
On Wednesday, Schumer held a press conference in an effort to gather more support for the national do-not-spam registry idea, using a national survey conducted by the ePrivacyGroup and the Ponemon Institute that shows how e-mail users overwhelmingly favor a federal do-not-spam list. One of the survey's 17 spam-related questions was phrased as follows: "The U.S. Federal Trade Commission has instituted a telemarketing do-not-call list. Do you think that there should be a federal do-not-e-mail list?" Of the 1,042 people who answered this multiple choice question, 74 percent answered yes; 11 percent, maybe; and 14 percent, not sure.
I must admit that before diving head first into the underbelly of spam, I would have answered "yes" as well. Asking people whether they favor a do-not-spam registry is a misleading question. To any non-expert, the question suggests that such registries would work much the way do-not-call lists work. They won't. As a result, we have various politicians --- a community with great potential to make worthwhile contributions to the fight against spam --- wasting an enormous amount of time, effort, and taxpayers' dollars on initiatives that are doomed to fail and that mislead voters into thinking that their representatives are solving a problem.
If I learned one thing from this spring's Spam-related panel discussions at the Federal Trade Commission, it is that the return on investment (investigation, prosecution, court costs, etc.) from the handful of successful prosecutions that have so far taken place is in the red. Sure, they're making an example out of a few really bad folks, but the payback so far has been way out of line with the investment. Is this the path to which we really want to commit?
From his cell phone following Schumer's press conference, ePrivacyGroup CEO Vincent Schiavone challenged me. "Come on, David" said Schiavone, "You don't think that a do-not-spam list won't at the very least reduce the amount of spam that's out there?" Schiavone raises a fair point. Given the magnitude of spam, should those fighting it be focused on tactical measures that could bring about temporary abatement versus strategic solutions that could put an end to it altogether? If politicians involved in the fight against spam were also doing the latter, I might not be so concerned about their focus on the former. But they're not. If silly ideas like do-not-spam lists and ADV tags are our government's best stuff, we're in big trouble.
So why won't do-not-spam registries work? For starters, the mere existence of such a list might make the spam problem worse. Many fear what might happen if the list gets compromised or is somehow released onto the Internet. What could be worse than a do-not-spam list falling into the hands of spammers?
Advocates of such a list don't see this as a problem. According to experts, the system would work this way: A central do-not-spam registry resides where those intending to send you bulk e-mail could check to make sure you haven't entered your e-mail address as a place not to send unsolicited commercial e-mail. To prevent the registry from being compromised, your e-mail address isn't actually stored. Instead, an encrypted version of it is stored, and the maintainer of the registry (presumably a government institution like the FTC, which maintains the National Do Not Call Registry), is the only organization with the key to decrypt it. To verify whether an e-mail address is in the registry, a bulk e-mailer submits the address. The same process that encrypts the entries in the database encrypts that submission. Then, the registry looks for a match between the encrypted submission and the encrypted e-mail addresses in the registry. Should there be a match, it would be a signal to the bulk e-mailer to remove that name from their database.
But there's a hitch. A spammer with access to the registry could use the aforementioned process as another way of finding active e-mail addresses. Today, spammers are said to do this by including links in their e-mails that appear to be a way for you to cancel future e-mails (known as "opting out") from that sender. But, many people suspect that the links, which often fail, are used to determine if there's a live person on the other side of that inbox. If the e-mail address is in a do-not-spam registry, then the fact that there's a live person using that inbox is virtually guaranteed and the spammer has you.
According to Schiavone, any spammer engaged in this tactic would be caught rather quickly. If a recipient complained about the registry not working, says Schiavone, then through audit trails and such, one could probably zero in on the offending bulk sender. But that suggests that we know who is using the registry, and according to Schiavone, it wouldn't be public. Only legitimate, registered companies would have gated access to it.
This is where we enter spam's realm of unclear definitions--a confusing cavalcade of terminology that, in defense of a spammer, any lawyer could easily challenge. This is not an insignificant point. The test of any law that includes the definitions of terms like "legitimate companies", "pre-existing business relationship" (legalese for the right to send you unsolicited mail), and "spam" itself will require those definitions to be absent of any gray area. This doesn't even take into account the untold sums of money and time that will be expended on dead-end prosecutions.
What is a "legitimate company?" Does anybody know? Since when would a spammer consider itself to be a legitimate company? What if the so-called spammer is somewhere on the Pacific Rim? Haven't we learned from the Napster fiasco that if the U.S. becomes a difficult place to engage in certain practices, those so engaged will simply move off-shore? The amount of spam I get from countries like Korea, Taiwan, Japan, and China seems to be growing daily.
When I asked Schiavone to define spam, he referred me to Senators Burns' and Wyden's definition from their Can Spam Act of 2003, which gets into a fairly convoluted definition of consent involving pre-existence or establishment of a business relationship between the sender and the recipient. Absent from the definition, as far as I can tell, is: What happens when a third party, acting as an agent in some transaction, captures an e-mail address as well as the permission (often unbeknownst to the customer) to do with that e-mail address what they please . (I've been victimized by this rather rampant practice myself.) I'm sure there's an answer, but it involves a lot more gray area.
I asked Dennis Darnoi, a senior adviser to Michigan State Senator Mike Bishop, who played an active role in that state's do-not-spam list legislation, what Michigan thinks spam is. Echoing Burns-Wyden, Darnoi said, "Spam is defined as any unsolicited commercial e-mail where there is no evidence of a pre-existing business relationship. Pre-existing is defined to include only direct contact between the recipient and sender." Darnoi added that there also must be an opt-out method. "If someone opts-out of receiving e-mail from a person they have a pre-existing business relationship with, that must be honored." (Darnoi's definition of opt-out is, "Providing a vehicle in the e-mail for the recipient to refuse future e-mails such as: 'We apologize if this press release is not of interest to you. Please click here to opt-out of future releases. We take opt-out requests very seriously and honor them immediately.' ")
I probed further: "Let's say you go into a Ford dealership and fill out an entry form to win a new SUV, and the form asks for your e-mail address-- but there's no privacy statement on the form. Now let's say Ford gives that data to a research company, which later sends you an e-mail on behalf of Ford. Does that constitute a pre-existing business relationship? After all, you supplied your e-mail address with no strings attached. Is the state of Michigan prepared to commit to investigating every case where there's a dispute over whether or not a pre-existing business relationship exists? Do you realize how many cases that will be?"
Darnoi's response: "If someone consents to handing over his e-mail, and he receives a solicitation from Ford or a research company on behalf of Ford, then there is no issue, provided that Ford or said research company offered an opt-out message in their e-mail. But, if that person received a solicitation from the same research company on behalf of another client other than Ford, then that would be under the law an unsolicited e-mail."
But there is a caveat, according to Darnoi. "If Ford put on their entry form that by including your e-mail, you are consenting to Ford sharing that information, and the individual goes ahead and puts his/her e-mail down, and then gets a solicitation from Mars Candy bars because Ford and Mars share the same research company, then the individual has only him/herself to blame."
I probed this deep to make a point about the sort of investigative work that would have to take place for every individual case brought before the courts. Today, state and federal authorities are inundated with millions of complaints. If they plan to follow up on every one, the legal system will need to go on a hiring spree.
Another challenge concerns the opt-out issue. A decent lawyer would have a field day with Darnoi's description of opt-out. The Can Spam Act, which offers definitions for just about every technical term found within it, offers no official definition for opt-out, which, as it turns out, is a very technical issue. Instead, it attempts to identify within the bill some potential opt-out mechanisms opt-out mechanisms
The Can Spam Act requires that one of two options exist to terminate future e-mails: through the return address (which must be legitimate), or through one or more links or menu options that engage an automated termination process. However, the Act says you haven't broken the law if your opt-out mechanism fails due to technical or capacity problems-- as long as those problems are "corrected within a reasonable time period." This disclaimer creates a loophole that any lawyer could drive a Mack truck through. Never mind the lack of a precise definition of "reasonable time period." The number of technical problems that can occur between the sender and the recipient (some of which are out of either one's control) , would create mind boggling problems for the legal system.
Another problem with most of this legislation is that it focuses on commercial spam only. The amount of non-commercial crap -- chain letters, Internet beggars, political messages, stock information---is going up as well, and provides another reason why something as tactical as a do-not-spam registry is an ill-conceived idea in the long run.
But if you're still not convinced, consider the technical difference between the telephone system and the Internet e-mail system. According to Verisign principal scientist Phillip Hallam-Baker, "Telephone 'do not call' lists are relatively easy to enforce." Baker should know. As a broker of phone number authenticity between Telco's, Verisign's fingerprints are all over the world's telecommunications infrastructure. Hallam-Baker goes on to say, "The telephone companies make a record of every number dialed for billing purposes. It is easy to determine whether a telemarketer is in compliance by examining their call logs. This does not work on the Internet. Cryptography will be needed to authenticate the origin of Internet e-mail, and at the present time, doing so is voluntary. Very few senders use it." Also, there's no standard method for doing it, which is equally important if all the different e-mail systems out there can be expected to interoperate with such information.
The bottom line is that I don't care about the result of that survey, which leads people to believe that do-not-spam lists can work. Might such lists cause some temporary abatement to spam? Maybe. Is it worth the time, money, and effort that go into creating and enforcing the legislation? Not a chance.
How could legislators' time be better spent? Since last fall, I've been advocating the idea of an international coalition to combat spam. Such a coalition would have two goals. One, it would fortify the existing e-mail standards in a way that produces long-term spam abatement (or eradication). Two, it would educate lawmakers on how to build laws around those standards with fewer gray areas or gaping holes. If politicians really want to produce something useful for their constituencies, they need to pressure the technology industry to fast track the development and implementation of those standards.
What needs to be fixed? As Verisign's Hallam-Baker suggests, we need an interoperable, tamper-proof, and royalty-free standard method for guaranteeing the authenticity and traceability of the sender's identity. At the very least, all of us can set up our e-mail systems to reject any mail that doesn't include such credentials. The standard could even build in a way of communicating to a sender that the credentials are needed before the original e-mail will be made available to the recipient.
Another standard we need is for opt-out-which I like to call relationship termination. Forget all the current means for terminating relationships. Instead, in the same way that our e-mail systems understand what it means when we press the SEND button (and all sorts of interesting technical things happen in the background, transparent to us), we should do the same for a "terminate relationship" command. Suppose an e-mail came with the aforementioned tamper-proof credentials. I should be able to issue a command from my e-mail client that terminates the relationship with that sender. But before doing so, my e-mail system could test the sending system to see if it's enabled for the "termination protocol." If it is, perhaps I set a flag that lets the e-mail through. Developers of e-mail servers can program their software to handle the commands appropriately, and laws can be passed that make it unlawful to disable that functionality or to attempt tampering with the credentials.
These approaches, unlike do-not-spam lists, will begin to produce a series of black-and-white tests that are much easier to enforce -- should politicians really feel the need to pass laws. The technologies are also strategic in that they don't discriminate. It doesn't have to be commercial spam and it doesn't have to originate in the United States.
Burns, Wyden, Schumer, and the rest are well intentioned. But if they're really working for their constituents, they need to start thinking longer term. Much longer term.
Use TalkBack to let your fellow ZDNet readers know what you think. For more of my commentaries on spam, check the archives or search ZDNet on "JamSpam," the name of the effort that I've been spearheading in hopes of getting the technology industry to work more closely together for the outcome we all seek: the end of spam.
