FTC Pans Do-Not-E-Mail Registry, Pushes Authentication
The FTC report, required by the CAN-SPAM Act, said a do-not-e-mail registry should be put off until the e-mail industry gets a chance to devise authentication standards. Without establishing secure e-mail identity through such standards, it said, a do-not-e-mail registry probably would cause more unwanted e-mail as spammers use it to verify valid e-mail addresses.
"Without an effective system of authenticating the sender of e-mail, any registry would fail," FTC chairman Timothy Muris said at a news conference. "I wouldn't put my e-mail on such a registry."
The 60-page report concludes that without authentication, the FTC could not identify who was violating the list. It said proposed technology solutions could not guarantee that spammers would not misuse the registry to find fresh e-mail addresses. Further, it concluded that a do-not-e-mail list would give consumers unrealistic expectations that such a registry would drastically reduce spam, like the no-call list has curtailed telemarketing calls.
Since CAN-SPAM called for a timetable to implement a registry, the FTC plans to hold an industry summit on authentication this fall, possibly as early as September. If the private market fails to reach an authentication standard, the FTC said it then would convene an advisory committee as a preliminary step to implementing a federal solution.
Muris stressed that the FTC is loath to take such a step, which would require further legislation by Congress.
The Direct Marketing Association, an outspoken foe of a do-not-e-mail registry, applauded the FTC's emphasis on private industry establishing e-mail identity standards, even to the point of holding out the threat of a federally imposed solution.
"They're very concerned about e-mail and the fact that you can't find who is doing this," said Jerry Cerasale, DMA senior vice president for government affairs. "They can't find the people who are doing fraudulent things."
The move to e-mail authentication has accelerated in recent months. Last month, Microsoft agreed to merge its Caller-ID protocol with the open source SPF protocol championed by AOL. Yahoo supports DomainKeys, its own authentication technology. The standards are under review at the Internet Engineering Task Force.
"We're well down this path in there being a good first step in dealing with the server anonymity issues," said Michael Sippey, managing director at Quris, Denver, an e-mail service provider.
E-mail authentication schemes aim to fix a flaw in the e-mail system that gives senders anonymity. This has led to a sharp rise in so-called phishing attacks. A typical phishing message would appear to a receiver to come from eBay or PayPal, asking for credit card information or passwords. According to the Anti-Phishing Working Group, there were 1,125 phishing attacks in April.
Despite a flurry of activity on establishing e-mail identity standards, the FTC's report noted that they have not been tested widely and could take more than two years to implement. Also, the major ISPs have yet to agree to a single standard, with Yahoo still planning to implement DomainKeys instead of SPF-Caller-ID.
"Right now, we're really focused on DomainKeys' role, as it does provide better authentication," said Miles Libbey, Yahoo's anti-spam product manager.
The FTC long has doubted the feasibility of a do-not-e-mail registry and its effectiveness. Muris voiced concerns over such a list several times in the past year. At yesterday's news conference, he said a do-not-e-mail registry was much different from the popular no-call list.
"A national registry was a great solution to unwanted telemarketing calls," he said. "At this time it's not the solution to unwanted e-mail."
The FTC said its experience in pursuing 62 spam cases to date shows that the No. 1 problem is finding the spammer behind a maze of fake headers, open proxies and zombie drones. The registry would not improve this, the report stated.
"It's not a problem, if you can find them, to prosecute them," Muris said. "Finding them is extraordinary."
Matthew Prince, founder of UNspam, a Chicago company that helps build e-mail registries, said a do-not-e-mail registry would make enforcement easier by clearing jurisdictional boundaries for prosecuting spam cases and generating needed funding for enforcement.
"[The FTC] really shortchanged the benefits of an anti-spam list," he said.