FTC Requests Vendor Input on Do-Not-Spam List

The Federal Trade Commission (FTC) has issued a request for information (RFI) on a do-not-spam registry, asking vendors for input on how such a program might be implemented. The RFI is aimed at exploring the feasibility of such a list.

An agency representative said the FTC is looking for information including: what kinds of data might be collected, types of models vendors would provide and whether adequate, enforceable security and privacy protections could be created.

“We are looking for companies such as those involved in anti-spam efforts and large database firms, but any company with a technical background can respond,” said Dan Salsburg, an attorney with the FTC. Responses are due March 10.

The Can Spam Act, passed on Dec. 16, 2003, makes it a misdemeanor to intentionally send bulk unsolicited commercial email (UCE) with falsified headers and sets civil penalties for other common spamming practices. In addition, the law requires the FTC to file a number of reports on other proposed ways to quell UCE, including a national do-not-spam list similar to the FTC’s popular do-not-call registry.

The agency must file a plan for the email registry by June 16, plus a timetable, or else explain to Congress why the creation of such a list is not feasible, Salsburg said.

“The act authorizes us to actually implement the plan no earlier than Sept. 16, 2004, but we are not directed to do it,” Salsburg noted.

Salsburg said he had no idea whether responding to the RFI could be costly or time-consuming for vendors. “There may be some that have already thought this through sufficiently that they can turn [the response] around quickly,” he said. “There may be those who haven’t given much thought to it, and it might be time-consuming for them.”

The FTC attorney also said vendors do sometimes team up to present their technology.

Public sentiment runs high in favor of such a list, according to a recent study by Synovate, a marketing research firm.

However, the FTC testified at 2003 Senate hearings on the legislation that a do-not-spam list raises significant technical, security and privacy questions that would need to be resolved. Tim Muris, chairman of the FTC, said he had “reservations” about the registry.

“It could be everyone’s nightmare,” Salsburg said. “That’s why Congress wants us to comment on the technical and security issues.”

Two anti-spam companies had widely different reactions to the RFI.

“Brightmail is absolutely planning on participating. Brightmail is already in several different discussions with the FTC on how they can best assist in the do-not-spam registry effort,” said a company spokesperson in an email message.

Andrew Lochart, director of product marketing at Postini, isn’t so keen on the idea. “We have a great deal of concern at Postini at such a list being put together,” he said. “First, I don’t see why a spammer would ever observe the list. The spammers we’re all complaining about don’t give a damn about this like that. They can’t be found, they can’t be traced, so they can’t be prosecuted, and violating one more rule or code of behavior on the Internet isn’t going to matter to them.”

Further, the existence of such a list “scares the hell out of me,” Lochart said. “If I were a spammer it would be like the holy grail. ‘Wow, the government has compiled a list of millions of valid email addresses.’ I can’t think of a model the FTC would use that could prevent spammers from just getting a copy of it and going to town.”

Salsburg said the FTC is keeping an open mind.

“Some people have commented that there is a distinction between phone numbers which are either widely known or easy to guess, and email addresses which are best kept private. But this is not a position the FTC has taken. We’re interested in seeing whatever ideas people have,” Salsburg said.

Related reading