A Dispatch


April 16, 2006

About the "Email Tax"

On April 3, 2006, I was one of several witnesses who testified before a Select Committee in Sacramento, CA. The title of the hearing chaired by Senator Dean Florez was: "AOL: You Have Certified Mail! Will Paid E-mail Lead to Separate, Unequal Systems or is it the Foolproof Answer to Spam?"

This hearing grew out of the hubbub caused by AOL's announcement that it was going to use Goodmail as a sender accreditation service, and the outcry from various groups unified around the DearAOL campaign. That campaign did a good job of branding the notion of an "email tax" into the minds of many.

AOL managed to mis-communicate a lot of what it was doing with regard to whitelisting senders. And, just when you think they got their message out correctly, they "step in it" again by censoring email messages that included links to the DearAOL Web site. If they ever get to the bottom of that caper, I bet they'll find it was the work of an overzealous employee in the email department who was upset by the inflammatory (and often ill-informed) comments posted in the DearAOL blog, and didn't want any AOLer to learn about it. Unfortunately, the results make AOL look, once again, like an Evil Email Empire. They really have to stop aiming the rifle at their own feet and pulling the trigger.

Back to the Sacramento hearing, I was on the first panel of witnesses in a section titled "Defining the Issue." The following is a copy of my prepared statement read into the record.

My name is Danny Goodman, a freelance writer for the past 25 years (San Mateo County resident since 1983) and author of the book Spam Wars (2003, SelectBooks), as well as 41 other computer-related titles. To help me monitor electronic mail (email) systems that consumers face, I currently have email accounts at America Online, Comcast, EarthLink, Google, and Hotmail. My primary email activity is based at my own domain (dannyg.com), where I have managed the email server since 1995, including responsibility for all spam filtering. Spam and virus statistics from that domain are posted daily at my Spam Wars web site (spamwars.com/stats.html).

I appear here today to share my thoughts from the point of view of my primary audience, the electronic mail-using consumer. Issues surrounding email spam are complex, but I will limit this discussion to the area of deliverability of email messages, which appears to be the crux of some recent controversy.

As I document in my book, an absolute definition of “spam” is difficult to establish. My working definition is as follows:

An automated email message sent to the recipient without explicit prior consent.

In practice, however, spam is in the eye of the recipient. To one ISP customer, the twelfth mortgage refinancing invitation of the day is highly undesirable; to another customer of the same ISP, that same message may be the only piece of email received the entire day, and may, in a sense, be welcomed as entertainment or even proof that one’s email is still working. However, if the volume of that kind of message increases beyond the recipient’s acceptable threshold, such email messages suddenly become a “spam problem.”

Overlooked in many legislative activities surrounding spam is that the subject matter of the message is of no importance to the “problem.” Thus, narrowing definitions to phrases such as “unsolicited commercial email” is a wasteful exercise. Instead, the problem with spam is that unlike unsolicited postal mail, spam places the greatest burden not on the sender, but on: a) the infrastructure that relays and receives messages; and b) the recipient, whose communications, computer, and time resources are gobbled up by a relentless flow of unwanted messages.

From the recipient’s point of view, the issue is one of consent, not content. An ideal relationship between sender and recipient is a two-way agreement: the sender transmits automated messages to the recipient because the recipient has explicitly requested to receive such messages. In other words, recipients are best served in what is called a “confirmed opt-in” scenario (the Direct Marketing Association refers to this technique as “double opt-in”). In this technique:

  1. The recipient signs up to receive mailings (typically at a web site) by submitting an email address to the sender.

  2. The sender responds via email to the submitted email address with a coded link.

  3. The recipient clicks on the link or enters the code into the sender’s web site to confirm that the subscription is a legitimate one.

This approach eliminates the possibility of “being subscribed” to a mailing list without the addressee’s prior consent. A sender who transmits automated messages exclusively to subscribers through the confirmed opt-in mechanism (and promptly handles subscription cancellations) is, in my opinion, a responsible email sender, not a spammer.
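The three confirmed opt-in steps above, sketched as an added example that is not part of the original statement. The class name `OptInList`, the 48-hour confirmation window and the HMAC-signed code format are assumptions made for illustration. The code is bound to the submitted address, expires, and can be used only once, so an address is never subscribed on a third party's say-so.

```python
import hashlib
import hmac
import secrets
import time


class OptInList:
    """Hypothetical mailing list that subscribes only confirmed addresses."""

    def __init__(self, key=None, ttl=48 * 3600):
        self.key = key or secrets.token_bytes(32)  # signing key (assumption)
        self.ttl = ttl                 # assumed confirmation window, seconds
        self.pending = {}              # address -> nonce of outstanding code
        self.confirmed = set()         # addresses that completed step 3

    def _sign(self, address, nonce, expires):
        msg = f"{address}|{nonce}|{expires}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request(self, address, now=None):
        """Steps 1-2: record the sign-up and return the code to e-mail."""
        now = time.time() if now is None else now
        address = address.strip().lower()
        nonce = secrets.token_urlsafe(16)
        expires = int(now) + self.ttl
        self.pending[address] = nonce  # a newer request replaces an older one
        return f"{nonce}.{expires}.{self._sign(address, nonce, expires)}"

    def confirm(self, address, code, now=None):
        """Step 3: subscribe only if the code was issued for this address."""
        now = time.time() if now is None else now
        address = address.strip().lower()
        try:
            nonce, expires, mac = code.split(".")
            expires = int(expires)
        except ValueError:
            return False               # malformed code
        expected = self._sign(address, nonce, expires)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False               # forged, or issued for another address
        if now > expires or self.pending.get(address) != nonce:
            return False               # expired, already used, or superseded
        del self.pending[address]      # single use
        self.confirmed.add(address)
        return True

    def unsubscribe(self, address):
        """Prompt cancellation: drop the address immediately."""
        self.confirmed.discard(address.strip().lower())
```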

(Admittedly, some confirmed opt-in recipients either forget that they had confirmed their subscriptions, mistakenly report subscribed mailings as spam, or inherit reissued email addresses that had previously confirmed subscriptions. Thus, at times, even a responsible sender might be accused of spamming, but certainly not at the levels of a sender who indiscriminately transmits messages to address lists gathered through a variety of means, legal and otherwise.)

The bottom line for consumers’ relationships with their ISPs is that recipients want to receive messages that they want and would prefer that their ISPs filter or segregate messages that they don’t want, regardless of content. As simple as that request sounds, it presents enormous difficulties for ISPs.

Email filtering technologies improve all the time, as do spammers’ determination to bypass those filters. Even the best filtering technologies at the ISP level will be less than perfect. Some spam will get through; and some desired messages will get rejected, deleted, or sidetracked into “spam suspects” folders. In addressing its customers’ spam concerns, an ISP must constantly balance filtering undesirable email against delivering desirable email—and sometimes it’s the same message for different recipients.

I should also note that senders come in all shapes and sizes. Among the senders whose messages seem to be most undesirable among spam fighters in the United States are those who violate one or more provisions of the U.S. CAN-SPAM law. These are predominantly senders who use numerous deceptive tactics, fail to identify themselves, send to addresses illegally harvested from the Internet, rarely permit unsubscriptions, and relay their messages anonymously through hijacked computers around the world. It is their goal to minimize the expense of delivering as many messages to as many email addresses as possible so that even a minimal response rate will result in a profitable campaign.

It is this criminal class of spammer, along with the growing underworld of scammers and those dedicated to hijacking personal computers, that causes the greatest grief to ISPs. Customers expect their ISPs to act as shields to this Bad Stuff. The efforts that responsible ISPs and organization email administrators expend—in terms of software, hardware, and personnel—to fight off this incessant flood are the real “email tax” that everyone pays, like it or not. Every email user pays that tax with time and/or money (e.g., a portion of subscription fees).

That an ISP would turn to an email sender accreditation service as a tool to manage incoming email is not surprising. My understanding of these services is that they assist an ISP in determining if a particular sender adheres to defined guidelines. On the one hand, the mass of sleazy spammers who commit the most and worst offenses would never subscribe to any such service because of both the expense and the need to identify themselves truthfully. On the other hand, if an ISP used such a service as the exclusive gatekeeper to incoming automated email, it would fail to deliver some desired messages from legitimate and responsible email senders who can’t or won’t pay for accreditation. Customers of such an ISP would soon revolt and leave for the other readily available ISP alternatives (or use other email systems accessible through the Internet, including free ones). It wouldn’t take long for a host of unaccredited but responsible confirmed opt-in senders to warn potential subscribers away from “ISP X” because it doesn’t deliver their mailings. Woe unto the ISP who is perceived to be an arbitrary censor of desirable incoming email.

Additionally, if an ISP uses such a service as just one of many tools to manage email, customers would equally revolt if they discover that a sender who pays his way automatically gets a “free ride” for unwanted messages into inboxes. Just as spam is in the eye of the recipient, a garbage email message will still be considered a garbage email message, no matter how many “gold stars” the ISP attaches to it. If the service and ISP do a poor job of eliminating unwanted messages of any kind, the customer has little incentive to remain a customer. Woe unto the ISP who allows itself to become known as a spam conduit.

As I stated earlier, email users simply want to receive messages they want and not be flooded with messages they don’t want. An ISP that applies tools that fail at that basic task risks losing its customers in what has become a highly competitive marketplace.

My personal take on the DearAOL uproar is that it has turned out to be a tempest in a teapot. On the other hand, it's great that there are people and organizations out there to keep an eye on powerful business entities and call those companies to task for potentially abusing their powers. Those behind DearAOL also learned (as if they didn't already know) that a short, catchy word banner ("email tax") leaves an impression more powerful and longer lasting than the meat of the details being said in front of it. Reminds me of "Mission Accomplished."

Posted on April 16, 2006 at 01:24 PM