September 18, 2020

FTC: Do-Not-Email List Won't Help

Yesterday the Federal Trade Commission released its recommendation to Congress regarding the proposed national Do Not Email list. They recommended against the creation of such a list at the present time, because the list would provide little or no reduction in spam, but would increase costs for legitimate emailers and might raise security risks.

Congress, in the CAN-SPAM Act, asked the FTC to study the feasibility of instituting a national Do Not Email list, akin to the popular Do Not Call list. Yesterday’s FTC recommendation is the result of the FTC’s study.

The FTC relied on interviews with many people, and it retained three security experts – Matt Bishop, Avi Rubin, and me – to provide separate reports on the technical issues regarding the Do Not Email list. My report supported the action that the FTC ultimately took, and I assume that the other two reports did too.

I understand that the three expert reports will be released by the FTC, but I haven’t found them on the FTC website yet. I’ll post a link to my report when I find one.

Comments

  1. I was told they would be posting the expert reports soon. In the meantime, mine is available at http://www.cs.jhu.edu/~rubin/Rubin.ftc.DoNotEmail.pdf.

  2. Do Not Call has really worked well, though. It’s one of the few pieces of government regulation that seems to be a complete success.

    I guess the down side is that all those homeless guys who used to work at the telemarketers are out on the streets again.

    Having read Avi Rubin’s analysis, it would have been useful for him to distinguish why his arguments do not apply to Do Not Call, which has worked so well.

  3. Jacob Scott says:

    Here are link to all three expert reports:
    Matt Bishop
    Edward Felton
    Avi Rubin

    Hope this is helpful.

  4. I see a couple of problems with the commentaries.

    The first is that everyone is concerned that the Do Not Email list could help spammers to weed out bad addresses from their email lists. The idea is that the DNE list contains valid addresses, and even if it is protected by being stored as hashes, legitimate emailers could still effectively compute the intersection of their email lists and the DNE list. This would be a list of “high quality” email addresses which could then be resold to spammers outside the country.

    The problem with this is that it overlooks that the DNE list will itself soon acquire its own baggage of obsolete email addresses. It won’t always be shiny and new. As time passes and people change addresses, it will eventually have many more bad addresses than good ones. The DNE list will be of little help to spammers at that point.

    I also still wonder why there are not more marketing calls coming from outside the country. I saw a report last week on outsourcing to India, some of which was in fact telemarketing, as well as many kinds of telephone customer service and support. If this is economical, why aren’t more offshore phone marketers stealing the Do Not Call list, as these reports predict would happen with the Do Not Email list, and using the list to make marketing calls into the U.S.?

    It’s interesting to speculate, if we were starting with a clean sheet of power to construct something like email, given what we know today about the problems with spam, viruses, phishing, etc., how would we do it? This doesn’t necessary have to be mere idle philosophizing, as a new protocol could come into existence alongside and parallel to email, with its own conventions, syntax, port numbers, etc. If a spam-proof alternative to email were available with similar usefulness, people could begin using it along with email, and gradually switch over. It wouldn’t mean outlawing email, just out-competing it.

  5. Jacob Scott says:

    Here’s some rebuttals based on the FTC’s Do Not Email Registry Report, the attached expert reports, and the attached Do Not Email Registry RFI:

    The registry_will_ always be “new and shiny”. The degree to which you have invalid emails in the registry effects its usefulness, especially with regards to the costs incurred by scrubbing and/or checking for remailing of these bad addresses. See III.A.8 in the RFI (page 2 of Appendix 1 of the FTC report). The DNE Registry is being designed expressly counter to your suggestion.

    On the topic of telemarketing – first, a phone call is going to be more expensive than an email message. Next, although I have not looked at the law that established the Do Not Call Registry, it may have language similar to the CAN-SPAM Act that makes you liable if you hire someone (in or out of the country) who abuses the DNC Registry. Finally, see IV.C of the FTC Report (page 26, upper left column):

    “The success of the National Do Not Call Registry stems in large measure from the fact that most telemarketers and their clients are law abiding businesses that care about their reputations and want to follow the law.”

    “Because the telephone system is a “caller-pays” model, it enables carriers to bill charges to numbers from which calls are placed… creates an auditable trail, which facilitates accountability.”