I've made a further update to the opt-out notes based on what was discussed today.
The notes are now separated into general sections on what we want out
of opt-out, how we can do it and how to enforce it, and the first part can
be used to evaluate opt-out proposals as well. I'm hoping we can finish
with the general discussion and in the future use the notes when talking
about actual proposals. And I do actually have an idea on trying to mix #2
and #3 together with some properties of #1
---------------------------------------------------------------
I. Requirements/Goals for Opt-Out
1. General - To reduce amount of commercial email received
Pros:
a. We all want less commercial mail!!!
b. If at least some advertisers follow opt-out we should have less
unwanted email
Cons:
b. Many are afraid that opt-out may instead bring more commercial
mail by allowing advertisers to confirm your email addresses
2. To provide global opt-out system that large number of legitimate
commercial mail entities can all use at the same time
Pros:
a. Standard system that you can apply to large number of lists you
may be on is convenient
b. Standard way for marketing companies to find your opt-out
preferences reduces their own cost of emailing and dealing with
unhappy customers
Cons:
a. This only works for legitimate businesses that abide by these
rules, everybody else will continue to do as they wish
b. Unless we have good enforcement even some legit business may
not agree to this
3. To provide local opt-out to only particular types of email
or even more specific for particular maillist
Pros:
a. You could potentially be very specific on what emails you want
to receive. For example if you're looking for a car you'd be
interested to hear about car dealership offers and advertisers
could be very specific to your needs which works in your favor.
b. If advertisers know what you want they'd be able to manage
their own resources a lot better.
c. Certain global types are a must, for example children should
not be expected to receive any offers of adult nature or for
alcohol or cigarettes and in fact this may be against the law
depending on locality and advertisers
Cons:
a. It's somewhat difficult to have everybody agree on classification
of commercial advertisements though some very broad global
scale may be possible that will satisfy c.
b. Even if classification is agreed, some email offers may fall
into multiple categories, or are otherwise not as clear about
exact type, the reality is that classifying email to be sent
into certain category is still up to advertiser and this may
not agree with how user who opted out would classify it
4. To provide capabilities to temporarily reduce amount of email received
Pros:
a. In some situations it's useful to be able to opt-out of all
commercial email for certain period (when you're on vacation)
and opt-in at another when you actually have time or interest
to read more email
Cons:
b. Most opt-out procedures are likely to take longer than the
several days or week that you may actually be on vacation and
temporary opt-out might not work that well, filters or automatic
forwarding of certain email to special mailbox may be better
5. To filter out legitimate email marketing companies from "true" spammers
Pros:
a. There exists an email marketing industry that provides real service
to users who really really opted to receive such emails. But
these companies suffer by being compared to spammers (some are
like that) and standards that these companies should follow
will help to distinguish good marketing companies from bad.
b. If we had clear guidelines what email marketing companies need
to do to not be considered spammers and this is supported by
law, then they will follow it more often and we'd have
fewer complaints about improper emails
Cons:
a. Bad spammers will inevitably try to disguise themselves as email
marketing companies and this can make things even worse.
Note: the 5 points listed above can be used as a way to evaluate exact opt-out
technology proposals. These proposals would fall into one or more of
the below categories:
II. Technologies for Opt-Out
1. Distributed lists which use some type of encryption to allow validation
of particular address but not see the entire list.
Pros:
a. Opt-out lists can be easily cleaned up before the transmission
b. Distribution of lists can be tightly controlled.
Some improper activities can be prevented by using special
email addresses specific for each authorized client
c1. Dictionary Attack prevention
An email that is not for valid user but easily guessable is
introduced. If emails are received to this address, this
indicates dictionary attack was tried
c2. Proper conduct in collecting emails by advertiser
Email addresses are added that are not actually used in email
(example - addresses added into webpages and collected by spiders)
If advertiser checks for these email addresses, he does not
have a properly collected email list
d. Because all advertisers that use opt-out lists sign service
agreement both legal and criminal court actions are easier
Cons:
a. Because entire list is received by advertiser, it's a lot easier
for it to just check very very large list of email addresses
and get practically entire list of opt-out addresses (see above
c2 how they can possibly be caught)
b. Distribution lists can easily go sub-distributed and go beyond
authenticated base and thereafter abused
c. Patents relating to the encryption technologies exist
d. Concerns about who and how will make opt-out lists and distribute
them
e. Concerns that opt-out lists will instead be used to verify if
email address in spammer database is real
f. It's possible the encryption technology may be broken in some distant
future
g. It takes longest time to opt-out or change opt-out status with
this technology
2. Opt-out server. Here special service/server is made available to
legit bulk-mailers. Anybody wishing to check if the address is
opt-out or not can connect to that server and check
Variations:
2a. One unified service is made available by the authorized agency
2b. A number of special opt-out servers exist in parallel which
are used/run by different groups of commercial mailers
Pros:
a. Opt-out lists can be cleaned up before the transmission begins
b. Distribution of lists can be tightly controlled
with authentication means and distribution beyond authorized
advertiser is not allowed. Because it's known who is accessing
the list, there exists a way to also detect some improper activities
c1. Dictionary Attack prevention - see c1 in #1 above
c2. Proper conduct in collecting emails by advertiser - see c2 above
c. If improper activities are detected as in c1 or c2 or if
somebody is trying to access to check way too many addresses
(trying to verify their 100 million emails CD), the access
to client can be denied fairly fast!
d. Because access would involve service agreement, the law may
make it easier to prosecute the offenders
Cons:
a. Special opt-out verification protocol may have to be developed
b. Concerns about who and how will run opt-out service
c. Concerns that opt-out service will instead be used to verify if
email address in spammer database is real
d. Depending on how service is set up, it may take long for opt-out to
work (i.e. until marketers do updates to their lists).
3. Opt-out system maintained together with mail servers on per-domain basis.
Variations:
3a. Service made available as part of mail server, new command added
to SMTP to check opt-out preference of user on email server
3b. Service made available as part of mail transmission and is more
tightly integrated with actually sending email, i.e. email being
sent contains some preference for opt-out check and email server
can based on that return email back with proper error code
Note: to a degree this is what some filters already do ...
3c. Service made available through separate protocol to be run by ISP
on per-domain basis.
Pros:
a. An opt-out is controlled by mail server operator and not any
questionable central agency.
b. Depending on how system is implemented it may be a lot harder to
actually gather list of valid email addresses (mail server
operator may choose to answer opted-out for any email address
that does not exist, for example)
Cons:
a. A new protocol (or extensions to SMTP) needs to be developed
b. It may be a lot harder to clean up lists before emailing
(maybe this is also a good thing?)
c. If implemented as in 3a all MX servers (even backups) may need
to answer yes on question of opt-out, this creates
implementation problems and seems unnecessary
d. Access to opt-out verification has to be made public (or at
most on per email basis) and no serious authentication of who
can access it can be done. This allows an easy avenue for abuse.
4. Modification of Email address to show opt-out choice.
Variations:
4a. General opt-out choice recognized by everybody, which may
actually be some variation of mail service domain/subdomain
4b. Opt-in choice specific to particular situation or mailing list
example - email+list(_at_)domain(_dot_)com
Pros:
a. Very easy to implement and does not require new technology, 4b
is already actively used by many
b. Address itself shows optout choice, so spammers can not do
email address cleanup for purposes of finding valid address
Note: this is also a Con!
c. Opt-out choice is controlled by each individual user and not by
external entity (be it central agency or mail service provider)
Cons:
a. This generally requires us to use different email address than
what we already do, often even more than one. It does not address
issues with existing currently used email addresses (see
section I on what we want to do), this is a BIG Con.
b. Use of "special" email address may also be taken by spammers as
verification that email address is valid!
Below are possible ways to deal with those that do not comply with opt-out
standards if any are to be developed
III. Enforcement of Opt-Out
Note: #1 and #2 below may well be done in parallel
1. Done by government by legislation to have all commercial email marketers
participate in some system or abide by specific protocol standards
Enforcement is afterwards left to courts
Pros:
a. There would be clear guidelines for commercial email senders to
follow and if they do not they will pay an actual price for it
b. It's a lot more likely commercial businesses will follow the law
Cons:
a. This may be problematic when considering email as global system
and not specific to US or EU laws
b. It takes some time for laws to be passed and then be verified
in courts to be workable
2. Enforcement is left to ISP/mail server operators through use of
filters if email is found to be from commercial email marketer
that is known to mail server operator
Pros:
a. Filtering is already well adapted technology
b. When email is found to have violated opt-out choice, stopping
future email from the particular marketer is easy and fast
(blacklist) but it does require marketers to be well identified
Cons:
a. Use of filtering means some email will inevitably be filtered
b. Filters will never completely stop unwanted email even with
opt-out choice, some email marketers may choose not to follow it
------
William Leibzon
Elan Communications Inc.
william(_at_)elan(_dot_)net
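
The opt-out server of II.2, with the bait addresses of c1/c2 and the cut-off for clients that check too many addresses, sketched as an added example (not part of the original message or of any proposal discussed on the list). The keyed hash standing in for "some type of encryption", the client names, the quota and every address are constructed assumptions.

```python
import hashlib
import hmac

def digest(address: str, key: bytes) -> str:
    """Keyed SHA-256 of the normalized address; only digests are stored."""
    return hmac.new(key, address.strip().lower().encode(), hashlib.sha256).hexdigest()

class OptOutServer:
    def __init__(self, key, opted_out, canaries, quota):
        self.key = key
        self.opted_out = {digest(a, key) for a in opted_out}
        self.canaries = {digest(a, key) for a in canaries}   # c1/c2 bait
        self.quota = quota          # max checks per authenticated client
        self.used = {}              # client id -> checks made so far
        self.denied = {}            # client id -> reason access was cut off

    def check(self, client: str, address: str) -> str:
        """Answer 'opted-out', 'ok' or 'denied' for one lookup."""
        if client in self.denied:
            return "denied"
        self.used[client] = self.used.get(client, 0) + 1
        if self.used[client] > self.quota:
            self.denied[client] = "quota exceeded"
            return "denied"
        d = digest(address, self.key)
        if d in self.canaries:
            # Answer as for any opted-out address so the bait is not
            # revealed, but cut the client off from the next query on.
            self.denied[client] = "canary address checked"
            return "opted-out"
        return "opted-out" if d in self.opted_out else "ok"

def run_demo():
    """Constructed sample data: three clients against one small list."""
    srv = OptOutServer(b"constructed-demo-key",
                       opted_out=["alice@example.org"],
                       canaries=["info@example.org", "spidertrap@example.org"],
                       quota=3)
    honest = [srv.check("honest", a) for a in ("Alice@Example.org", "bob@example.org")]
    harvester = [srv.check("harvester", a) for a in ("info@example.org", "bob@example.org")]
    bulk = [srv.check("bulk", f"user{i}@example.org") for i in range(5)]
    return honest, harvester, bulk, dict(srv.denied)

if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Because the key never leaves the server, a client cannot test addresses offline, which is the difference from the distributed list of II.1 (con a).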