FTC Gathers Expert Opinion for CAN-SPAM Report to Congress

The FTC has been holding a series of conference calls this month with email, security, and spam experts in preparation for the report due Congress in mid-December of this year, which marks the second anniversary of the passage of the CAN-SPAM Act. Many call participants spoke at the agency’s Spam Forum in April 2003, as the FTC prepared recommendations for Congress on spam legislation that resulted in CAN-SPAM later that year.

FTC attorneys Mike Davis and Katie Harrington McBride moderated a call yesterday, while representatives of the agency’s economic bureau listened in. What they heard is though overall the Act has been effective, experts believe there are still plenty of obstacles to overcome. Particular obstacles include the unsubscribe process, suppression list regulation, adoption of authentication technologies, enforcement, and preemption of state laws that regulate commercial email.

One point raised in yesterday’s call is larger ISPs have fared well as a result of the Act, given they have the resources to both filter junk email and aggressively prosecute spammers. Smaller ISPs and businesses, meanwhile, are suffering under increased spam volume. “AOL is such a large organization, spammers treat them differently,” said Chris Lewis, Nortel’s senior network security analyst.

Unsubscribe procedures need more work, it was generally agreed. Eric Castelli of Lashback, an email unsubscribe service, says his company has documented that 8.5 percent of unsubscribe links lead to the mailer supplying its suppression list to other organizations, which can, under the law, email that list. Spammers are also rapidly changing domains and using registrars that don’t publish contact information, which also blocks recipients’ ability to opt out of lists.

Nortel’s Lewis noted that open proxy zombie PCs, which churn out spam unbeknownst to their owners, are behind 80 percent of spam “and those numbers are not decreasing. The CAN-SPAM Act does not seem to have had any effect with these.”

Conferees were more or less unanimous on the need for more money to direct toward enforcement, and the preemption of state laws regulating email, such as recent legislation in Utah and Michigan, that cannot be overturned without a lawsuit. The Act’s requirements for non-misleading sender and subject lines also drew praise.

There was division on the call marketers are making for a sunset provision for suppression lists, which would remove unsubscribed addresses from such lists after a proposed five-year period. Marketers cite email address churn as a driver for such a regulation.

“I strongly oppose sunset provisions,” said respected spam and security consultant and author John R. Levine. “I’ve had same address for 13 years. The assumption all addresses go away after five years is simply wrong.”

The calls, transcribed by a court reporter, will eventually become part of the public record.