The Federal Trade Commission on Tuesday said that a national do-not-spam list would make the spam problem worse, not better.
Howard Beales, head of the commission's Bureau of Consumer Protection, and washingtonpost.com reporter David McGuire answer questions about what the government is doing about spam.
FTC's Howard Beales
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Hello Howard, thanks so much for joining us. In its report to Congress Tuesday on the feasibility of a "do-not-spam" registry, the FTC signaled that it would not create such a list anytime soon. What led the commission to ultimately reject the no-spam proposal?
Howard Beales: We concluded that a registry could not cut down on spam, but that improved authentication can. The key to stopping spam on a broad scale is to improve the email system so that spammers can no longer hide their identities, or hide the origins of their email messages. Authentication can help us do that. Without improved authentication, a registry will not reduce the flow of spam. At best, it would be ignored by spammers. It could even make the spam problem worse, by providing outlaw spammers with a list of valid email addresses.
New York, N.Y.:
I've heard the argument that only real marketers would use the do not email list but the pill-peddling and other scam artist spammers will ignore it. But why not set up the registry anyway if it will at least cut back on the "real" marketing spam?
Howard Beales: The scam artists can use a registry as a source of valid email addresses. With more valid addresses, it will be easier for them to get through filters at the ISPs and get their messages delivered to consumers. The result will be more of the really bad spam. Besides, "real" marketing is a very small fraction of the spam problem.
Why don't we go after the companies/people who hire the spammers? Make it very unpleasant for these companies to advertise in this way.
Howard Beales: That's what we do -- it is the only practical way to enforce the law today. Even that, however, is time consuming. For example, we look up who owns the domain name that a spam is promoting. Often, it turns out to be one of the many sites owned by M. Mouse or D. Duck of Orlando, Florida. So we subpoena the payment information. Often, it's a stolen credit card. So we buy the product, and watch our credit card statement to see who places the charge. Then we can subpoena banks and processors to try to find the real people behind the scam. It works, but it's slow and time consuming.
The FCC could have taken the stance of allowing the NO-SPAM list proposal to go forward while taking a wait-and-see attitude, rather than coming down on one or the other side of the question. Given that (1) FCC doesn't appear to have any other suggestions on how to combat spam other than to push the ball back into the technology court, and (2) that FCC does recognize spam as a big problem, why didn't FCC act neutrally and simply wait to see whether the list actually would work?
Howard Beales: We want solutions that work. Since we're the ones who would have to implement a registry, we can't just be neutral and see what happens -- we either have to spend our time and effort developing and implementing a registry, or we have to spend those resources on solutions that work. Authentication can make a real difference, and we think that is a much more productive place for us to focus.
The need for better e-mail authentication standards was trumpeted throughout the do-not-spam report. What would an authentication standard look like? How would it work? And how long will Americans have to wait before they see it put in place?
Howard Beales: These are among the questions that we plan to explore at an authentication summit this fall.
The approaches that have received the most attention so far focus on authenticating the domain name of the sender. With such a system, if you got an email from an address at ftc.gov, you could be sure it really came from the domain ftc.gov. There are at least two approaches under consideration. In one, ISPs would register the IP addresses that they use to send out email. The receiving ISP would then look up the IP addresses that the (claimed) sender uses to see if they match the IP address that the message is coming from. In the other system, ISPs would use public key, private key cryptography to add a header to each email that could only have come from the originating ISP. In either case, authentication would be done by ISPs.
We don't know how quickly it could happen, but these approaches are much quicker to implement than changing the mail protocols. Our goal is to see how we can help speed the process along.
San Francisco, Calif.:
1. What can a company do with their email marketing program to make sure they don't violate the rules?
2. To what extent does the Can Spam act override California State law which is much more penal? The Can Spam act is very vague in that regard, saying that it supersedes all state law and then adding a huge exception to that rule.
3. Are there any government regulations going into more detail on specifics of the can spam act?
Howard Beales: We are in the process of developing rules that will implement CAN SPAM, and hopefully clear up some of the uncertainties. We know that a variety of compliance questions have arisen, and we will try to get those issues resolved as quickly as possible.
New York, N.Y.:
Senator Schumer from my state said that even though it's not the best solution out there, a do not spam registry is the best solution we have. He also said that FTC was against a do not call list a few years ago, and then Congress forced them to do it and now it's a huge success. Can you comment on that?
Howard Beales: For Do Not Call, it was the FTC that wrote the rules and then asked Congress for the authority to raise the money to put it into effect. We proposed the Registry in December of 2001, and opened it for signups in June, 2003. As far as I know, the FTC never opposed a do not call registry; it certainly hasn't since I've been Bureau Director.
We think the registry is not a solution at all, because it will likely lead to more spam as spammers use it as a source of valid email addresses. If you want more spam, there are easier ways to get it!
Is it true that most spam only comes from 200 spammers? Is the FTC focusing on this lot?
Howard Beales: The truth is, no one knows, because it is so easy for spammers to hide their identity. And, we've heard confident assertions that there are really only a dozen or so "kingpins," and equally confident assertions of 200, or 1000. Frankly, I think the number is probably larger, because cases against allegedly large spammers don't seem to affect the overall volume of spam out there. If there were only a few, those cases should make a noticeable difference. Or, it could be true that there really are only 200 at any one time, but it's very easy for other spammers to enter the business.
We are constantly looking for spammers, and the larger the better. Without authentication, they will remain hard to find.
Manhattan Beach, Calif.:
I have my own domain and mail server. Spam to this domain could be banned without revealing actual email addresses. Thus a list which contains only domains (e.g. acme.com) would be fine for me. Have you considered simply creating a list of domains that spammers would not be allowed to send mail to?
Hi. I would agree a no-SPAM list would cause problems. That said - if we're looking to the technology world to provide us with new authentication technologies - what assurances do we have that it will end up being a vendor neutral, free technology? I can see a scenario where Microsoft, for example, volunteers to provide all sorts of authentication protections - that only work with Microsoft products - for a fee. This could end up with consumers having to chose 1 provider to obtain a SPAM free email or having to pay multiple service fees to maintain their current internet mail accounts.
Howard Beales: We plan to explore both the competitive and the cost implications of authentication at our summit. We want to see it as widely used as possible, because it won't help much if lots of mail remains un-authenticated because some ISPs don't participate. And, different authentication approaches may differ in their costs. We need to get the dialog going if we're going to make progress.
If a do-not-spam list will not work, what recommendations do you have for the individual computer user? Something has got to be better than the status quo.
Howard Beales: The best advice to individual computer users is to keep your email address as private as possible. Several experts told us that the anonymity of individual email addresses is the last remaining barrier to spam. Don't post your email in chat rooms or the like. When we did an experiment doing that, one account started getting spam 8 minutes after we posted the address. You can also use filters, and use your ISP's filters, to try to reduce the problem. You can use an email address that's hard to guess, like combining letters and numbers. And, when all else fails, the delete key still works.
Mr. Beales, how open-minded was the FTC from the beginning? I ask, only because Chairman Muris made several comments rejecting the registry proposal as far back as August, long before the Can-Spam law was passed and long before you received any proposals. Seems like you guys had your minds made up before doing any of the
Howard Beales: We were skeptical before the law was passed. But when Congress told us to come up with a plan, we launched a full, comprehensive and objective inquiry. We talked to more than 80 people from 56 organizations, we solicited information from people who might be interested in selling us the necessary hardware and services, we received more than 7,000 public comments, and we hired three independent experts to help us understand the technology issues. All of that material is available on our web site. We thought the conclusion was very clear -- we can't make a registry work without authentication.
Since the advent of the internet, the privacy enjoyed has often been both a harm (as it is here) and a boon - what effect would the authentication ideas that are being put forth have on individuals privacy for the average user on the net?
Howard Beales: The authentication ideas that seem most promising wouldn't have any impact on privacy. They would only verify that your email came from your ISP, not your individual email address or anything about you.
Would the FTC like us to forward all our spam to them so they can research where it is coming from? If so, provide an email address.
Howard Beales: We get about 200,000 spams a day in our mailbox, firstname.lastname@example.org. We use it to identify possible targets, and to try to get a sense of whether a particular spam is a large problem or a small one. But, as I said in an earlier answer, we mostly follow the money rather than trying to track the spammer. It's just too easy for the spammer to cover his tracks.
I presently block 100 percent of spam using a "challenge"-based system by utilizing the built-in filters of my FREE e-mail software. Unless a person is already on my "whitelist," the sender is sent an automatic response asking them to "authenticate" their e-mail by including a "token" within the body of the message. The only e-mail that winds up in my inbox is legitimate and, most importantly, people I don't know (and thus aren't on my whitelist) can reach me.
It took ten minutes to set up by following a step-by-step tutorial found on the Web. I've been 100 percent spam-free for a little over 6 months now.
Please explain how government legislation which is handcrafted by Congress and special interest lobbyists (working for direct marketers and anti-spam companies), and costs millions and millions of dollars to create and "enforce," is better than the free anti-spam solution I'm already using?
Howard Beales: Spam is more than an annoyance. It is mostly fraudulent, trying very hard to part consumers from their money. It is the primary vehicle for spreading viruses and worms that threaten the network and all of us. And it imposes significant costs on ISPs and network providers who have to be able to handle all that worthless traffic. I think it's a problem that it makes sense for the government to try to solve.
I'm glad your solution works for you. But what happens to an automated order acknowledgement, or an automated notice that your shipment has been delayed?
Unfortunately, we're out of time. I'd like to thank Howard Beales for joining us today and our users for asking so many thoughtful questions.