The Federal Trade Commission (the “FTC” or “Commission”) submits this Report pursuant to Section 9 of the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the “CAN-SPAM Act”), 15 U.S.C. § 7708, which calls for the Commission to: (1) set forth a plan and timetable for establishing a National Do Not Email Registry; (2) explain any practical, technical, security, privacy, enforcement, or other concerns that the Commission has regarding such a Registry; and (3) explain how a Registry would be applied with respect to children with email accounts.

When it directed the Commission to set forth a plan for and to comment on the feasibility of a National Do Not Email Registry, Congress was cognizant of the Commission’s highly successful deployment of the National Do Not Call Registry.

In essence, Section 9 of the CAN-SPAM Act asks the Commission to determine whether and how the success of the National Do Not Call Registry can be replicated in the context of spam. This Report concludes that a National Do Not Email Registry, without a system in place to authenticate the origin of email messages, would fail to reduce the burden of spam and may even increase the amount of spam received by consumers. Therefore, the Commission proposes a plan that first requires authentication – strengthening of the email system so that the origin of email messages cannot be falsified – as a first step and a prerequisite to any type of Registry.

The Commission reaches its conclusion after soliciting and obtaining input from dozens of individuals and organizations and using a number of information-gathering techniques, including: a Request for Information (“RFI”) that resulted in responses from some of the nation’s largest Internet, computer, and database management firms; interviews with over 80 individuals representing 56 organizations, including consumer groups, email marketers, Internet Service Providers (“ISPs”), and technologists; requiring the seven ISPs that collectively control over 50 percent of the market for consumer email accounts to provide detailed information about their experiences with spam; soliciting public comments through an Advance Notice of Proposed Rulemaking (“ANPR”) concerning the CAN-SPAM Act rules; and retaining the services of three of the nation’s preeminent computer scientists.

The Commission therefore strongly believes that implementation of a National Do Not Email Registry would not reduce the volume of spam, particularly given currently available technology to authenticate the origin of email messages. The Commission thus proposes a program to encourage the widespread adoption of email authentication standards that would help law enforcement and ISPs better identify spammers. If, after allowing the private market sufficient time to develop, test, and widely implement an authentication standard, no single standard emerges, the Commission could begin the process of convening a Federal Advisory Committee to help it determine an appropriate email authentication system that could be federally required. If the Commission were to mandate such a standard, after a reasonable period of time following the effective date of such a standard, the Commission will consider studying whether an authentication system combined with enforcement or other mechanisms (e.g., better filters) had substantially reduced the burden of spam.

If spam continued to be a substantial problem, if a Registry could significantly reduce it once an authentication system is in place, and if other technological developments removed the security and privacy risks associated with a Registry, the Commission will consider issuing an ANPR proposing the creation of a National Do Not Email Registry.

Before expending resources on the implementation of a Registry, the marketplace should be encouraged and allowed to correct a flaw in the email system’s architecture that enables spam – the lack of domain-level authentication. Without effective authentication of email, any Registry is doomed to fail. With authentication, better CAN-SPAM Act enforcement and better filtering by ISPs may even make a Registry unnecessary.

Download National Do Not Email Registry, A Report to Congress

PDF format, 1.35MB, 60Pages.

Federal Trade Commission
Timothy J. Muris, Chairman
Mozelle W. Thompson, Commissioner
Orson Swindle, Commissioner
Thomas B. Leary, Commissioner
Pamela Jones Harbour, Commissioner

Introduction and Overview

The Federal Trade Commission (the “FTC” or “Commission”) submits this Report pursuant to Section 9 of the Controlling the Assault of Non- Solicited Pornography and Marketing Act of 2003 (the “CAN-SPAM Act”), 15 U.S.C. § 7708 (2003), which requires the Commission to: (1) prepare a report setting forth a plan and timetable for establishing a National Do Not Email Registry; (2) explain any practical, technical, security, privacy, enforceability, or other concerns that the Commission has regarding such a Registry; and (3) explain how such a Registry would be applied with respect to children with email accounts.

Unsolicited commercial email (“UCE” or “spam”) poses a serious threat to electronic communication over the Internet for consumers and businesses. Deception and fraud appear to characterize the vast majority of spam. Spam, even if not deceptive, may also lead to significant disruptions and inefficiencies in Internet services as when it spreads viruses that wreak havoc for computer users. Moreover, a serious Internet infrastructure problem flows from the sheer volume of spam that is now being sent. These problems are significant for consumers and businesses and threaten their confidence in the Internet as a medium for communication.

Solving the spam problem begins with recognition that spammers are essentially anonymous. The current email system enables spammers to hide their tracks and thereby evade ISPs’ anti-spam filters and law enforcement.

A prerequisite for fighting spam is ending this anonymity through a robust authentication standard that ensures that a message actually comes from the domain listed in the message’s headers. Without authentication, a Registry will, at best, have no impact on spam and, at worst, result in more spam. Effective authentication would improve CAN-SPAM Act compliance and, coupled with better filtering by ISPs, would greatly reduce the volume of spam.

This Report therefore proposes a plan that recognizes the need for an authentication standard.3 Section II of this Report describes the information gathering methods the Commission used to prepare this Report. Section III provides a basic explanation of the email system, including how it enables spam by permitting the sending of unauthenticated messages and how the creation of an authentication system is a first step to help bring the spam epidemic under control. Section IV describes three possible models for a National Do Not Email Registry and explains the practical, technical, security, privacy, enforceability, and other concerns that the Commission has regarding each Registry model.

Finally, Section V sets forth a plan and timetable for establishing a Registry.

Comments (0)

Name

Email

Comment

smaller | bigger

Add Comment