The Federal Trade Commission on Tuesday said that a national do-not-spam list would put more spam in people's e-mail in-boxes, not less. Matthew Prince, who helped draft a recommendation for a no-spam list, was online to discuss the decision. A transcript follows.
washingtonpost.com reporter David McGuire moderated the chat.
UnSpam's Matthew Prince
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Hi Matthew, thanks for joining us. Your company was one of the most vocal advocates for a national do-not-spam registry. The FTC roundly shot down that idea in a report issued to Congress Tuesday. Where do you think the commission went wrong in its reasoning? Where does this concept go from here?
Matthew Prince: David, thanks for having me.
We were disappointed by the Federal Trade Commission's report, but it was by no means unexpected. It is difficult for a Federal agency to break new ground. What is striking to me is how much this issue is developing along the exact same lines as do-not-call did.
Back in 1991 Congress authorized, but did not require, the Federal Communications Commission (FCC) to create a national do-not-call list. At the time the FCC worried that the list would be unenforceable, that telemarketers (who were largely peddling fraudulent products at the time) would move off-shore, and that the expense and difficulty of setting up such a registry would be prohibitive. As a result they took no action to create the list.
In 1992, Florida became the first state to pass a do-not-call registry law. Over the next twelve years, 45 other states passed similar laws. With time and experience, governments have become very adroit at enforcing these DNC laws. As you know, because of the success at the state level, the Feds finally came around and created a national list just last year. That's the great thing about this country -- the states literally serve as laboratories of democracy from which good ideas percolate to the top.
So where does do-not-email go from here? Probably to the states, and we're already seeing some movement on that front.
Washington, D.C.:
How would a do-not-spam list work, exactly? With the do-not-call list, marketers have a list of phone numbers that they must not call. Wouldn't spammers just love to get their hands on a list of e-mail addresses? How would you keep spammers from abusing that info, since they must have access to the list in order to comply? Thank you.
Matthew Prince: Let me tell you about our proposed solution, although it should be noted there are several other approaches that were suggested to the FTC.
Just like with Federal and state do-not-call laws, in order to get access to the list email marketers would need to register with the government. One of the issues the FTC emphasized was the anonymity of email marketers. If a registry is in place, marketers -- both illegitimate and otherwise -- will need to "come out of the woodwork." A registry then can help to solve some of the anonymity problem law enforcers currently face.
You are correct to point out that a list cannot be distributed in the same way as do-not-call -- part of the value of an email address is in its secrecy and distributing a list of them to email marketers is, I agree, a bad idea.
We proposed creating a mechanism whereby marketers who are registered would scrub their own lists against the government's registry. This approach would ensure that marketers could not discover any addresses from the compliance process they did not already have on their own lists.
To further ensure the security and privacy of registrants we proposed storing only a "hash" of each email address, not the addresses themselves. You can think of hashes like fingerprints. They are unique to each email address, but there's no way from the hash to figure out what the original address was -- just like from your fingerprint there's no way for me to find out how tall you are, what color your eyes are, etc.
By storing only a hash instead of the address itself, we believe the government can secure a registry and maintain the privacy and security of the individuals listed on it.
Does the federal Can-Spam law allow the states to implement their own do-not-spam rules?
Matthew Prince: This is an interesting question. The CAN-SPAM Act includes a preemption clause that generally limits what states can do. As a result, I think states will have a difficult time implementing a general do-not-email registry, similar to what the FTC was considering. However, there is some room left to states.
A couple of things are worth noting. First, by not acting the other day the FTC has arguably left the field of "do-not-email" open to the states. Second, the federal government is limited in its ability to preempt areas of law traditionally left to state police powers (such as the protection of the family, local law enforcement, etc.). Finally, there are a few "loopholes" in CAN-SPAM's preemption language. Specifically, states are still allowed to pass laws regulating email that 1) cover "fraud" or "deception," 2) are not "specific to" email, and/or 3) cover "computer crimes."
There may be an opportunity here for states. Four states this legislative session (Utah, Michigan, Illinois, and Georgia) introduced Children's Protection Registry legislation. The laws allow parents to register any electronic "contact points" (email addresses, instant messenger IDs, mobile phones that can receive text messages, etc.) to which a child may have access as being off-limits to messages advertising products that are illegal for children to purchase in the offline world. Those products generally include: pornography, gambling, alcohol, tobacco, and prescription drugs.
These laws have generally been written to fit into as many of the holes in preemption as possible. For example, they regulate an area traditionally left to the states, they are not specific to email, they are defined as computer crimes, etc.
Utah's law was signed by the governor in March and its registry is scheduled to go into effect in 2005. The law is still pending in the other three states. While these laws will not cover every email address, they pose a real threat to spammers' business models. It is also interesting to note that these laws generally include a private right of action that allows parents whose children receive these messages to sue the spammers who are sending them. If, like do-not-call, the states that pass these laws experience success, I would imagine the Congress will be interested in revisiting the issue.
In the meantime, Congress could act to make states' rights to pass these laws more clear. That may be an appropriate reaction to the FTC's report -- effectively allowing states to continue to experiment so we can see if this is something we want to do as a nation.
Mr. Prince, it appears that the FTC spent a great deal of time consulting with direct marketers who opposed the list, as well as companies more interested in promoting their spam-filtering products. Do you believe the Commission spent enough time consulting with prosecutors and investigators who are actually involved in bringing spammers to justice?
Matthew Prince: I can't speak for the FTC. The people I have dealt with at the Commission are hard working and appeared to me to be making an honest attempt to be objective.
However, I was disappointed by the report's lack of addressing this from the perspective of prosecutors. One of the benefits of a no-spam registry is that it can make a prosecutor's job easier. Let me give two examples of how this can be the case.
First, a big problem prosecutors face when bringing anti-spam cases is establishing jurisdiction. Email addresses are relatively anonymous and therefore the sender does not know where the recipient is located. In this country, in order to be subject to a jurisdiction's laws you must "purposefully avail" yourself of them. Spammers have been able to successfully plead that they don't know where their messages are going, and so they cannot be haled into court.
The state of Washington recognized this problem when they drafted their anti-spam law. As a result they created an online registry of that state's residents' email addresses (registry.waisp.org). In part because of that registry, Washington has been the only state to successfully prosecute an out-of-state spammer under an anti-spam law. (It's also worth noting that when you talk to Washington officials they will tell you that none of the FTC's concerns over the list being "hacked" have presented themselves as problems in Washington.)
The other way that a registry can help with enforcement is to generate funds. Just like with do-not-call, marketers would be asked to pay a small fee to gain access to the list. These fees can be dedicated to enforcement. When you talk to prosecutors they'll tell you that they'd love to enforce anti-spam laws, but when making budgeting decisions more serious crimes (murder, rape, property theft, etc.) have to come first. A registry can create a pot of money to go after the bad guy spammers even if, as critics have charged, only the legitimate marketers comply.
But isn't the problem with your hash idea that they could do it on an individual basis and verify the existence of said e-mail addresses? All it would take is sending the newly verified list offshore to send outside the reach of the federal government. You've made finding the e-mail addresses harder, but if they found it in the first place, now they know to hit you even more, because it is valid.
Matthew Prince: I agree that this is a concern, but I think it can be minimized. First, you have to look at the economics of spam. The marginal cost of sending each message is nearly zero. As a result, the cost difference between sending 1 message and 1 million messages is minimal. Spammers are currently sending to any address they can get their hands on and not caring if only a small percentage go through. Verifying that an email address is valid doesn't appear to be a priority. Moreover, there's an easier way to do it even without a registry: simply send an email message and see if it bounces back!
Second, we proposed a number of technical solutions that would watch for suspicious behavior from marketers checking against the registry and stop them before any addresses were reported. Our system processes a marketer's entire list as a batch -- not one address at a time. Therefore, if we notice that someone is simply throwing mud at the wall in order to see what sticks, we can stop the process without having compromised a single address. We've thought a lot about how to deal with this problem, and I'm sure the other companies who submitted proposals did as well.
Finally, I think it's important to remember that this is a voluntary act. People would be given the right to sign up for the registry, but it would not be mandated. If you're not getting a lot of spam now, signing up may not make sense for you. But, if you are then the registry can provide a tool that will make anti-spam laws easier to enforce.
Capitol Hill, D.C.:
It seems like most of the spam I receive lately is so focused on evading spam filters that the message is rendered nonsense. There are lots of misspelled and random words and only a hyperlink. The return address is falsified and the subject is automatically generated. Somehow, it no longer seems like marketing or selling, but just simple carpet-bombing. How would a DNS list combat this kind of intrusion?
Matthew Prince: Clearly there are some spammers who will not comply with any law. However, the list can make a prosecutor's job easier while at the same time generating funds to aid in enforcement. Prosecutors can then focus on the clear criminals -- or, as you put it, the "carpet bombers."
Do any other countries have a do-not-spam list initiative underway? What do you know about anti-spam efforts in Europe, for example, and how effective have they been if at all?
Matthew Prince: It's actually interesting that this proposal surfaced in the United States because, in many ways, this is the country that can benefit the least from it. Imagine if you're an America Online user in London. Your email address looks something like:
You think that you're covered by the UK's anti-spam law. However, since there's no way to tell that your address is actually based in the UK, spammers are able to escape prosecution. A registry can effectively put the world on notice that your address belongs to a UK citizen, and anyone sending to it must comply with UK laws.
Right now European anti-spam laws, while they appear stricter than the US laws on paper, have been even less effective. That's in part because of the problem I described above, but also in part because most of the spammers still appear to be living in the US.
I know of at least a couple countries toying with the idea of a registry. We've been approached by members of the British House of Commons and are giving a seminar there in July. A Canadian senator (Donald Oliver) also recently introduced a bill to create a registry in that country.
Cutting to the chase: Doesn't it benefit marketers to prune people who don't want to be contacted from their mail/call/email lists? Why spend the time and money to target people who are hostile to your offer?
Matthew Prince: Absolutely. I think this is especially true for "taboo" products like pornography and gambling. That's part of why I think people will be surprised by the level of compliance with Utah and other states' Children's Protection Registry laws.
How long will it take for private industry to come up with a viable tech solution to thwart spam? It's great that Microsoft, Pobox and others are working together, but it seems like relief is a long time coming.
Matthew Prince: I think that the solution to spam is going to require effort from a lot of different groups. Microsoft/Yahoo's proposals on email authentication I think are terrific. If implemented widely, they will make the enforcement of any anti-spam law more effective.
Filters, on the other hand, seem like a temporary fix to me. A strong argument can be made that filters have actually made the spam problem worse for the Internet as a whole because spammers have reacted by simply increasing their volume in order to get the same number of messages through.
What I think would be helpful is for technologists and law makers to sit down and discuss what each group really needs in order to beat this problem. Working together I think it's possible we can make a real dent in the problem.
Why is so little attention being paid to following the products being sold by spammers? It is an obvious approach to go after those entities who give a known email address and when it comes time to pay a known address? It is so obvious that there must be some reason this isn't being proposed.
Matthew Prince: This is one of the best parts of the Federal CAN-SPAM Act. Sen. McCain introduced an amendment, which was adopted, that allows prosecutors to go after not only the actual sender of the spam, but also the company or individual who makes the product being advertised.
This is the sort of provision which actually may do some good. It gives prosecutors a real power that they didn't have before. What has been wrong with anti-spam laws to this point is that they're mostly sentiment ("spam is bad!" "we don't like spam!") and very little action (actually empowering prosecutors with the tools they need to do their job).
I think it's telling that New York has been one of the most successful states at locking up spammers and they don't even have an anti-spam law on their books. Instead they use existing consumer protection laws, which were designed from the beginning to make the job of prosecutors easier. We need to start crafting anti-spam laws along those lines. Until we do that, there are likely to be very few anti-spam prosecutions from any entities other than the big ISPs who can afford >$100K legal bills.
Unfortunately, we're out of time. I'd like to thank Matthew Prince for taking the time to be with us today and our viewers for asking so many thoughtful questions.