IWS - The Information Warfare Site
News Watch Make a donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

17 June 2004

U.S. Trade Agency Says "No" to Anti-Spam E-mail Plan

Establishing e-mail authentication system is first step, FTC reports

The U.S. Federal Trade Commission is telling the U.S. Congress that a proposed plan to protect Internet users from unwanted, unsolicited e-mail (spam) is not a good idea right now.

In a June 15 report, the FTC said the success of an anti-spam registry will depend on development of a system for authenticating the source of e-mail. The agency recommends a program to encourage the widespread adoption of standards that will prevent the falsification of the origin of e-mail messages and help law enforcement personnel, Internet service providers and computer users to identify spam.

Congress asked the FTC to conduct the study after witnessing the national success and popularity of the "Do Not Call" Registry. This system, implemented in 2003, allows consumers to ban telemarketers from calling them by registering their telephone numbers on a national list maintained by the FTC.

A comparable "Do Not E-Mail" registry could not be enforced and could make the problem worse, according to the findings reported in an FTC press release. After consultation with some of the nation's largest Internet, computer and database management firms, the FTC concluded that the security, privacy and effectiveness of a "Do Not E-Mail" registry could not be assured without universal e-mail authentication standards.

Without improved security, the FTC study also suggested, spammers might be able to invade an e-mail registry and use the addresses to spread even more spam and make the problem worse.

The full FTC report is available at http://www.ftc.gov/reports/dneregistry/report.pdf

Following is the text of the FTC press release:

(begin text)

Federal Trade Commission
June 15, 2004

New System to Verify Origins of E-Mail Must Emerge Before "Do Not Spam" List Can Be Implemented, FTC Tells Congress

The Federal Trade Commission today told Congress that, at the present time, a National Do Not Email Registry would fail to reduce the amount of spam consumers receive, might increase it, and could not be enforced effectively. In a report filed in response to a statutory mandate, the FTC also said that anti-spam efforts should focus on creating a robust e-mail authentication system that would prevent spammers from hiding their tracks and thereby evading Internet service providers' anti-spam filters and law enforcement. To help focus these efforts, the FTC today announced that it will be sponsoring a Fall 2004 Authentication Summit to encourage a thorough analysis of possible authentication systems and their swift deployment.

In December 2003, Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) which called for the Commission to develop a plan and timetable for establishing a National Do Not E-mail Registry; explain any practical, technical, security, privacy, enforcement, or other concerns; and explain how a Registry would be applied with respect to children with e-mail accounts.

The FTC's report analyzed three types of possible registries: a registry containing individual e-mail addresses; a registry containing the names of domains that did not wish to receive spam; and a registry of individual names that required all unsolicited commercial e-mail to be sent via an independent third party that would deliver messages only to those email addresses not on the registry.

The FTC studied these three possible registry models by reviewing registry proposals from some of the nation's largest Internet, computer, and database management firms; consulted with more than 80 individuals representing more than 50 organizations including consumer groups, e-mail marketers, anti-spam advocates, and others; demanded information from the seven ISPs that control over 50 percent of the market for consumer e-mail accounts; and retained the services of three of the nation's preeminent computer scientists.

The Report concludes that all three possible registry models could not be enforced effectively. A registry of individual email addresses also suffers from severe security/privacy risks that would likely result in registered addresses receiving more spam because spammers would use such a registry as a directory of valid email addresses. It ultimately would become the National Do Spam List. Furthermore, a registry of domains would have no impact on spam and a third-party forwarding service model could have a devastating impact on the e-mail system.

Instead of implementing a registry that would, at best have no impact on spam and, at worst, cause it to increase, the FTC's plan recognizes the need for an authentication standard. The FTC's Report explains that "without effective authentication of email, any registry is doomed to fail. With authentication, better CAN-SPAM Act enforcement and better filtering by ISPs may even make a registry unnecessary."

The Commission vote to issue the report was 5-0.

Copies of the report are available from the FTC's Web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

(end text)