17 June 2004
U.S. Trade Agency Says "No" to Anti-Spam E-mail Plan
Establishing e-mail authentication system is first
step, FTC reports
The U.S. Federal Trade Commission is telling the U.S. Congress
that a proposed plan to protect Internet users from unwanted, unsolicited
e-mail (spam) is not a good idea right now.
In a June 15 report, the FTC said the success of an anti-spam
registry will depend on development of a system for authenticating
the source of e-mail. The agency recommends a program to encourage
the widespread adoption of standards that will prevent the falsification
of the origin of e-mail messages and help law enforcement personnel,
Internet service providers and computer users to identify spam.
Congress asked the FTC to conduct the study after witnessing the
national success and popularity of the "Do Not Call" Registry.
This system, implemented in 2003, allows consumers to ban telemarketers
from calling them by registering their telephone numbers on a national
list maintained by the FTC.
A comparable "Do Not E-Mail" registry could not be enforced and
could make the problem worse, according to the findings reported
in an FTC press release. After consultation with some of the nation's
largest Internet, computer and database management firms, the FTC
concluded that the security, privacy and effectiveness of a "Do
Not E-Mail" registry could not be assured without universal e-mail
Without improved security, the FTC study also suggested, spammers
might be able to invade an e-mail registry and use the addresses
to spread even more spam and make the problem worse.
The full FTC report is available at http://www.ftc.gov/reports/dneregistry/report.pdf
Following is the text of the FTC press release:
Federal Trade Commission
June 15, 2004
New System to Verify Origins of E-Mail Must Emerge Before "Do
Not Spam" List Can Be Implemented, FTC Tells Congress
The Federal Trade Commission today told Congress that, at the
present time, a National Do Not Email Registry would fail to reduce
the amount of spam consumers receive, might increase it, and could
not be enforced effectively. In a report filed in response to a
statutory mandate, the FTC also said that anti-spam efforts should
focus on creating a robust e-mail authentication system that would
prevent spammers from hiding their tracks and thereby evading Internet
service providers' anti-spam filters and law enforcement. To help
focus these efforts, the FTC today announced that it will be sponsoring
a Fall 2004 Authentication Summit to encourage a thorough analysis
of possible authentication systems and their swift deployment.
In December 2003, Congress passed the Controlling the Assault
of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) which
called for the Commission to develop a plan and timetable for establishing
a National Do Not E-mail Registry; explain any practical, technical,
security, privacy, enforcement, or other concerns; and explain
how a Registry would be applied with respect to children with e-mail
The FTC's report analyzed three types of possible registries:
a registry containing individual e-mail addresses; a registry containing
the names of domains that did not wish to receive spam; and a registry
of individual names that required all unsolicited commercial e-mail
to be sent via an independent third party that would deliver messages
only to those email addresses not on the registry.
The FTC studied these three possible registry models by reviewing
registry proposals from some of the nation's largest Internet,
computer, and database management firms; consulted with more than
80 individuals representing more than 50 organizations including
consumer groups, e-mail marketers, anti-spam advocates, and others;
demanded information from the seven ISPs that control over 50 percent
of the market for consumer e-mail accounts; and retained the services
of three of the nation's preeminent computer scientists.
The Report concludes that all three possible registry models could
not be enforced effectively. A registry of individual email addresses
also suffers from severe security/privacy risks that would likely
result in registered addresses receiving more spam because spammers
would use such a registry as a directory of valid email addresses.
It ultimately would become the National Do Spam List. Furthermore,
a registry of domains would have no impact on spam and a third-party
forwarding service model could have a devastating impact on the
Instead of implementing a registry that would, at best have no
impact on spam and, at worst, cause it to increase, the FTC's plan
recognizes the need for an authentication standard. The FTC's Report
explains that "without effective authentication of email, any registry
is doomed to fail. With authentication, better CAN-SPAM Act enforcement
and better filtering by ISPs may even make a registry unnecessary."
The Commission vote to issue the report was 5-0.
Copies of the report are available from the FTC's Web site at
http://www.ftc.gov and also from the FTC's Consumer Response Center,
Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
The FTC works for the consumer to prevent fraudulent, deceptive,
and unfair business practices in the marketplace and to provide
information to help consumers spot, stop, and avoid them. To file
a complaint in English or Spanish (bilingual counselors are available
to take complaints), or to get free information on any of 150 consumer
topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use
the complaint form at http://www.ftc.gov. The FTC enters Internet,
telemarketing, identity theft, and other fraud-related complaints
into Consumer Sentinel, a secure, online database available to
hundreds of civil and criminal law enforcement agencies in the
U.S. and abroad.