Plans to establish a list of email addresses whose owners have permanently opted out of direct marketing have been ditched by the Federal Trade Commission (FTC), the US government agency leading the war on spam. The FTC concluded that a ‘Do Not Email’ registry of opted-out email addresses – similar to the list of phone numbers of people wishing to opt out of cold-calls – would be unworkable.
An FTC feasibility study, ordered by the recently enacted ‘CAN-SPAM Act’ in the US, found that such a database might actually increase unsolicited messages since spammers could use it to obtain ‘live’ email addresses. The FTC says it was unable to devise a secure and effective method of authenticating access to the database. Over a three-month period, it investigated a number of ways of making the system work, and found significant drawbacks with each.
One idea was to establish a system whereby marketing companies would send encrypted versions of their distribution lists to the FTC, which would then remove all opted-out email addresses before returning the newly ‘scrubbed’ list to the company.
But the trade regulator concluded that spammers would still be able to misuse the registry by comparing their pre-scrubbed and post-scrubbed lists: any address missing from the returned list must be on the registry, and is therefore live, which would enable them to clean up their mailing lists.
Another plan was to ‘seed’ the registry with secret FTC addresses. But the FTC concluded that this would not prevent spammers from misusing the registry, since it would be almost impossible to trace a spam message received at a seeded address back to its source.
The FTC believes the best hope is likely to come from the private sector. Indeed, many email providers have been working on their own authentication plans for some time. AOL, for example, is championing the idea of SPF (Sender Policy Framework), a standard that verifies the sender of an email message. Microsoft has proposed ‘Caller ID for Email’, a protocol that would verify the sender line that appears in an email message, while Yahoo is advocating the implementation of ‘Domain Keys’, a standard that would involve the use of public/private key cryptography.
The Internet Engineering Task Force (IETF) has also established a working group to develop an authentication standard, which it intends to reveal this summer.