A national registry of consumer e-mail addresses would make things easier for spammers and could actually increase the total amount of spam, the Federal Trade Commission has concluded.
As part of the federal CAN-SPAM Act, which became law in January, the FTC was mandated to report on the feasibility of establishing a National Do Not E-Mail Registry, similar to the wildly successful Do-Not-Call registry. Today, the FTC published its report, which concluded the idea is a wash.
“We learned that when it comes down to it, consumers will be spammed if we do a registry and spammed if we do not,” FTC Chairman Timothy Muris told reporters at a press conference today. “Spammers would ignore the law,” Muris said. “Even worse, they’d use the registry as a source of valid — and spammable — addresses. It would be virtually impossible to stop them.”
According to the report, a national registry would fail to reduce the amount of spam consumers receive, might increase it, and could not be enforced effectively.
Instead, the FTC recommended that private industry, including ISPs, e-mail marketers, e-mail service providers and software companies, should work together to form a standard for e-mail authentication that would prevent spammers from hiding their tracks and evading Internet service providers’ anti-spam filters and law enforcement.
To jump-start these efforts, the FTC will sponsor a Fall 2004 Authentication Summit.
“Without an effective system for authenticating the source of e-mail,” Muris said, “any registry will fail.”
In February 2004, the Commission issued a Request for Information from businesses with the technical sophistication to design and manage a National Do Not Email Registry of about 300 million to 450 million addresses.
They then culled the 13 responses into three models: a centralized database for individuals similar to the Do-Not-Call Registry; letting ISPs and domain name holders refuse spam to their entire domains; and the establishment of an FTC-approved forwarding service to which all commercial e-mails — or even every e-mail — would be sent. The forwarding service would deliver messages only to those e-mail addresses not on the registry
However, e-mail marketers would need to receive a copy of the registry so that they could remove the addresses from their own lists; spammers would simply e-mail to the list. In effect, the Do Not E-mail Registry would become the first extant list of good e-mail addresses. The report quotes the Association of National Advertisers as stating, “[The] Registry would truly be the ‘Fort Knox’ list of e-mail addresses for a criminal spammer.”
Domain-level registration, the FTC concluded, “would merely put the government’s imprimatur on ISPs’ existing anti-spam policies without reducing the scope of spam.”
A third-party forwarding service would be ignored by the majority of spammers, deprive legitimate e-mail marketers of data on responses, and impose a costly new infrastructure on the e-mail system that likely could not stand up to the task of handling the immense volumes that would pass through it.
In producing the report, the FTC worked with 50 organizations, including consumer groups, e-mail marketers, anti-spam advocates, academics and technology providers. It also subpoenaed the top seven ISPs. The Commission vote to approve the report was unanimous.
Muris said the FTC hopes the ISP industry will voluntarily adopt a standard. “Like everything else on the Internet, there would be a consensus standard,” he said.
Emphasizing that the FTC would rather not get involved, Muris said if for some reason an industry standard and practices for authentication don’t develop or don’t work, the FTC could convene a federal advisory committee “to see if the public sector could do something if the private could not.”