June 15, 2004 12:31 PM PDT
FTC: Thumbs-down on 'do not e-mail' list
The U.S. Federal Trade Commission, which manages a national "do not call" list designed to let people opt out of telemarketing calls, said Tuesday that similar technology would be useless in fighting spam because unscrupulous marketers would use it as a source of valid e-mail addresses.
Any "do not e-mail" registry would be "ineffective and burdensome to consumers," FTC Chairman Tim Muris told reporters at a press conference. "Consumers will be spammed if we do a registry and spammed if we do not." More promising, Muris said, were anti-spam technologies--such as Sender Policy Framework (SPF) and DomainKeys--being considered by Internet standards bodies.
Muris' remarks prompted an angry reaction from Sen. Chuck Schumer, D-N.Y., who proposed a national "do-not-e-mail" registry last year.
"We are very disappointed that the FTC is refusing to move forward on the 'do not e-mail' registry," Schumer said in a statement read to CNET News.com. "The registry is not the perfect solution, but it is the best solution we have to the growing problem of spam, and we will pursue congressional alternatives in light of the FTC's adamancy."
The Direct Marketing Association, which has long opposed a do-not-e-mail registry, applauded the FTC's 5-0 vote Tuesday. "Such a national registry could impede the development of e-commerce while doing absolutely nothing to reduce spam in consumers' in-boxes," the association said in a statement.
Under last year's Can-Spam Act, the first federal anti-spam law, the FTC was strongly encouraged--but not required--to create such a registry.
The law required the FTC to submit a report to Congress by mid-June that "sets forth a plan and timetable for establishing a nationwide marketing 'do not e-mail' registry." The report was supposed to include background on any "practical, technical, security, privacy, enforceability or other concerns" the FTC had with the idea.
The 37-page report, prepared by the FTC in consultation with three prominent computer scientists and after soliciting information from firms that wanted to operate such a registry, represents the most exhaustive analysis to date of the benefits and drawbacks of a "do not e-mail" list. It concludes: "Under present conditions, a national 'do not e-mail' registry would not have any beneficial impact on the spam problem."
The report considers three proposed types of registries--a gargantuan list of more than 300 million e-mail addresses, a much smaller list of no-spam-wanted domains, and a third-party verification service that commercial senders would be required to use for unsolicited communications--and concludes that "none of them would be effective."
Probably the biggest drawback to the schemes, the FTC decided, is that spammers place tremendous value on valid e-mail addresses. A registry of individual e-mail addresses would not be made public because it would be instantly snatched up by spammers. But even if a government contractor were to run the database and merely verify whether a particular address was on it, spammers could learn which of their addresses were "live" and being read by a human.
In addition, the FTC said, a list of millions of addresses would be a tempting target for malicious hackers. One way around that would be to store just encrypted e-mail addresses--scrambled through a one-way "hash function." That might foil a hacker, but it would still permit spammers to run the same hash function and verify whether their existing e-mail addresses were on the list.
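The weakness described above can be reproduced with a small audit, added here as an illustration and not taken from the FTC report: it measures how many registry entries an outside party can confirm from a leaked list of unsalted digests, compared with digests keyed by a secret only the operator holds. The addresses, the key, the choice of SHA-256 and HMAC, and all function names are constructed assumptions.

```python
import hashlib
import hmac

def normalize(addr: str) -> str:
    # Registry and checker must canonicalize identically, or equal
    # addresses written differently would hash to different values.
    return addr.strip().lower()

def plain_digest(addr: str) -> str:
    # Unsalted one-way hash: anyone can recompute it for any address.
    return hashlib.sha256(normalize(addr).encode("utf-8")).hexdigest()

def keyed_digest(addr: str, key: bytes) -> str:
    # HMAC-SHA256: recomputing it requires the operator's secret key.
    return hmac.new(key, normalize(addr).encode("utf-8"),
                    hashlib.sha256).hexdigest()

def confirmed(candidates, published, digest):
    """Return the candidate addresses whose digest is in the published set."""
    return sorted({normalize(c) for c in candidates if digest(c) in published})

# Constructed sample data (not real addresses or keys).
REGISTRY = ["alice@example.com", "bob@example.org", "carol@example.net"]
CANDIDATES = ["Alice@Example.com ", "dave@example.com",
              "bob@example.org", "erin@example.net"]
REGISTRY_KEY = b"constructed-registry-secret"   # known only to the operator
OUTSIDER_KEY = b"constructed-wrong-guess"       # what an outsider might try

def audit():
    """Compare what a leaked digest list reveals under each scheme."""
    plain_list = {plain_digest(a) for a in REGISTRY}
    keyed_list = {keyed_digest(a, REGISTRY_KEY) for a in REGISTRY}
    return {
        # Unsalted list: every candidate that is registered is confirmed.
        "plain": confirmed(CANDIDATES, plain_list, plain_digest),
        # Keyed list, outsider uses the unkeyed hash: nothing matches.
        "keyed_unkeyed_try": confirmed(CANDIDATES, keyed_list, plain_digest),
        # Keyed list, outsider guesses a key: still nothing matches.
        "keyed_wrong_key": confirmed(
            CANDIDATES, keyed_list,
            lambda a: keyed_digest(a, OUTSIDER_KEY)),
    }

if __name__ == "__main__":
    for scheme, hits in audit().items():
        print(f"{scheme}: {len(hits)} of {len(CANDIDATES)} confirmed {hits}")
```

A keyed digest only protects a copy of the list that leaks without the key. A verification service that answers per-address queries still tells the caller which addresses are registered, which is the exposure the preceding paragraph describes.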
Complicating any centralized registry is the fact that not all spammers live in the United States. If the list were published openly or surreptitiously leaked on a Web site, overseas spammers would not be bound by U.S. law.
Muris said the FTC's next step would be to convene a public workshop on e-mail authentication technology as early as September, which could lead to a federal law requiring that all computers connected to the Internet adopt that standard. The report says the FTC is "aware of the risks inherent in regulating technology," but "an effective mandatory authentication protocol would require legislation" enacted by Congress.