18 June 2004
Plans to establish a list of email addresses that have permanently opted out of direct marketing have been ditched by the Federal Trade Commission (FTC), the US government agency leading the war on spam.
The FTC has concluded that a ‘Do Not Email’ registry of opted-out email addresses – similar to the list of phone numbers of people wishing to opt out of cold-calling – would be unworkable.
In a report out this week, the US trade regulator also poured scorn on the UK’s equivalent of the registry – a system of opt-in that was brought in at the end of 2003. The FTC cited statistics from email filtering company Brightmail that found the proportion of spam email in the UK had actually risen since the new regulations were introduced.
But the FTC saved most of its criticism for the notion of an email opt-out registry. Its feasibility study, ordered by the recently enacted ‘Can-Spam Act’ in the US, found that such a database might actually lead to an increase in unsolicited messages, since spammers could use it to obtain ‘live’ email addresses.
The FTC admits it was unable to devise a secure and effective method of authenticating access to the database.
Over a three-month period, the FTC investigated a number of ways of making the system work, and found significant drawbacks with each.
One idea was to establish a system whereby marketing companies would send encrypted versions of their distribution lists to the FTC, which would then remove all opted-out email addresses before returning a newly ‘scrubbed’ list to the company.
But the trade regulator concluded that spammers would still be able to use the registry to compare pre-scrubbed and post-scrubbed lists, thereby enabling them to clean up their mailing lists.
Another plan was to ‘seed’ the registry with secret FTC addresses. But the FTC concluded that this would not prevent spammers from misusing the registry since it would be almost impossible to trace a spam message from the seeded address back to its source.
The FTC believes the best hope is likely to come from the private sector. It called on the technology and Internet sectors to develop better means of authenticating users and preventing the hijacking of innocent people’s email addresses and IP addresses.
FTC chairman Timothy Muris said he planned to hold an “authentication summit” to discuss standards for determining the origin of an email.
Major email providers, which opposed the idea of a registry, have been working on their own authentication plans for some time.
AOL, for example, is championing the idea of SPF (Sender Policy Framework), a standard that verifies the sender of an email message. Microsoft has proposed ‘Caller ID for Email’, a protocol that would verify the sender line that appears in an email message, while Yahoo is advocating the implementation of ‘Domain Keys’, a standard that would involve the use of public/private key cryptography.
The Internet Engineering Task Force (IETF) has also established a working group to develop an authentication standard, which it intends to reveal this summer.