Its always gratifying, and a relief, to see government make a good decision. It just seems to stand out when they do.
The news this time is about the Federal Trade Commissions report to Congress that a Do-Not-Spam registry is a bad and impractical idea.
Not only did the FTC make the point that a registry wont work now, but it also made the constructive point that what e-mail needs first is an authentication system. You cant enforce a do-not-spam rule until you can demonstrate who actually sent an e-mail. They really do get it.
The industry and standards groups have been working at warp speed, as these things go, to develop an SMTP authentication standard. I think its going to happen and it will be adopted by enough of the large mail providers that it will pick up steam and gain widespread acceptance. It will reach the point where admins will be able to treat unauthenticated mail as second class or, perhaps, just send it to /dev/null.
But if the industry doesnt agree on an authentication standard, the FTC thinks the law should mandate one. This is probably just supposed to be a fire under the industrys butt, but it could be interesting because the discussions in standards group MARID (MTA Authorization Records in DNS) have been contentious over some specifics of implementation.
But I really dont think it matters that the implementation is controversial as long as it is accepted by enough major companies. Critical mass will force people to implement it.
I wasnt surprised to see New York Sen. Chuck Schumer complain about the decision (registration required). Schumer seems to think that the FTC simply lacks the will to declare a registry, but what it truly lacks is the will to make a gesture that is, at best, for appearances sake.
The CAN-SPAM Act ordered the FTC to study the potential for such a list and report back to Congress, and this report is the result. In the face of the other parts of CAN-SPAM, lets think about what value a do-not-spam registry could bring.
Almost all of the spam I get is in violation of multiple provisions of the new anti-spam law. If you could enforce those rules, spam wouldnt be a problem anymore. But of course, CAN-SPAM doesnt eliminate that spam, and its not clear that it can.
Making a Difference
So, why does anyone think a registry could make a difference? The best you could hope from a registry is a new bunch of civil suits wasting court resources to go after spammers who wont be found anyway.
But once we have a generally accepted SMTP authentication system in place, things change. You can imagine a lot of CAN-SPAM being a lot more enforceable. As a side effect, I would expect almost all of the big spammers to move operations offshore, but its possible that they would then become more filterable. Clearly, we would be in a better position than we are now, and filtering software would be able to work much better than it does.
Schumer also makes the inevitable and naive analogy to the do-not-call registry. But the phone system doesnt allow for identity spoofing as readily as does the e-mail system. And Im not so enthusiastic about how well the do-not-call registry is working either.
The law is riddled with exceptions for charities, for people doing phony surveys and for any vendor with whom you already do business. I get lots of calls, and Ive been on the registry since day one. Of course, a politician doesnt really need a functioning system, just a system they can take credit for.
And registry proponents seem oblivious to the potential for ironic abuse in the system; that the list would become available to spammers and turn into a “Please Spam Me” list. Face it, folks, were dealing with a completely amoral bunch, and they would abuse it if possible. Penalties for such abuse are just closing the barn door after the horse is long gone.
The proposals coming out of MARID are not perfect by any means, and it would be better if they were not controversial in the industry. But they have a much better chance of improving things on the ground for e-mail users than any phony global opt-out list.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer