Create an equivalent to the telephone "Do Not Call" registry for e-mail?
The X-ASVP Controlling Committee (XCOM) today announced an effort to
lobby Congress for legislation that would define the X-ASVP "UCE entity"
as legally equivalent to a listing in a "National Do Not E-mail
The Controlling the Assault of Non-Solicited Pornography and
Marketing Act of 2003 (the “CAN-SPAM Act”), 15 U.S.C. § 7708,
called for the Federal Trade Commission to: (1) set forth a plan and
timetable for establishing a National Do Not Email Registry; (2)
explain any practical, technical, security, privacy, enforcement, or
other concerns that the
Commission has regarding such a Registry; and (3) explain how a
Registry would be applied with respect to children with email accounts.
In June 2004, the FTC published a report in which they concluded that "under present conditions, a National Do Not Email Registry in any form would not have any beneficial impact on the spam problem. It is clear, based on spammers’abilities to exploit the structure of the email system, that the development of a practical and effective means of authentication is a necessary tool to fight spam. Therefore, the Commission encourages the private market to develop an authentication standard. Authentication is not only required to make a Registry effective, but may even substantially address the underlying problem that prompted Congress to consider the establishment of a Registry."
Gerald Klaas, CISSP, Chair of the X-ASVP Committee, believes that X-ASVP represents such a private market approach to develop an authentication standard, and a de-facto DNE Registry usable until such authentication standard and technical enforcement mechanisms are in place. Klaas said, "there is no other technology available today that globally assigns a URL lookup for every possible e-mail address and effectively deals with the security issues that concerned the FTC when they wrote the DNE Registry report in June 2004".
The X-ASVP protocol defines
a web location (URL) derived from e-mail addresses where an e-mail
address owner can post publicly available preference settings.
For purposes of enforcing the provisions of the CAN-SPAM Act of 2003,
XCOM recommends that Congress define a "NO" setting in the UCE entity
as equivalent to an e-mail address listing in a "National
Do Not E-mail Registry". Such legislation would make it illegal
under the provisions of CAN-SPAM to send unsolicited commercial e-mail
(UCE), commonly known as "spam", to e-mail addresses where the owner
had posted a "NO" setting [in the UCE entity defined by the X-ASVP
"Spam is the bane of e-mail communications," said Gerald Klaas, one of the experts who devised the system. "This plan would be easy to use, meet FTC concerns, and provide new tools to stop spammers from gaining unauthorized access to your Inbox."
While the term "National Do Not E-mail Registry" implies the creation of a large, central database run by the government, adoption of this legislation would allow the legal equivalent of the DNE Registry without actually creating a large, central database. The recommendation to use a specific feature of the X-ASVP protocol as the legal equivalent to registration in a "National Do Not E-mail Registry", would instantly create the "database" in a virtual sense. Since X-ASVP is a distributed peer-to-peer protocol, the "database" would be maintained in a peer-to-peer network using existing web-based technology, where no one entity has control of the data records. Using X-ASVP, "DNE Registry" records would be hosted by individual address owners and ISP's who maintain complete control over their "database record" since it is physically located on their own web server.
Klaas said, "the X-ASVP protocol is not subject to the dictionary
attacks or the "Fort Knox" vulnerability that concerned the FTC, nor is
it a centralized database where people have to submit their e-mail
address to the government. X-ASVP represents a distributed,
peer-to-peer system, where individuals maintain control of their own
UCE setting, meaning they can "register" or "deregister" their address
at any time simply by editing their X-ASVP meta-document page."
The X-ASVP Committee encourages you to write your representatives,
and ask them to amend the CAN-SPAM Act to recognize publishing of a
X-ASVP meta-document displaying the "UCE entity" (
<BULKMAIL><UCE>NO</UCE></BULKMAIL> ) to be
equivalent to registration in a National Do Not E-mail Registry, and
provisions of The CAN-SPAM Act of 2003, to indicate that this e-mail
address has "opted-out" of receiving unsolicited commercial
e-mail. Congress should specifically amend the definition of "commercial
electronic mail message" in the CAN-SPAM Act of 2003, to remove the
term "primary" as thus far the FTC has failed to define the term
"primary purpose" as it appears in The Act. This minor amendment
to the CAN-SPAM Act would thus make it illegal to send Unsolicited
Commercial E-mail ("spam") to any e-mail address that has this UCE entity posted
in the standard method [defined by the X-ASVP protocol].