
[Asrg] 5b. Opt-Out, 3rd version

2003-03-27 02:37:38
I've made a further update to the opt-out notes based on what was discussed today.
The notes are now separated into a general section on what we want out
of opt-out, how we can do it and how to enforce it, and the first part can
be used to evaluate opt-out proposals as well. I'm hoping we can finish
with the general discussion and in the future use the notes when talking
about actual proposals. And I do actually have an idea on trying to mix #2
and #3 together with some properties of #1

---------------------------------------------------------------

I. Requirements/Goals for Opt-Out
   1. General - To reduce amount of commercial email received 
      Pros:
        a. We all want less commercial mail!!!
        b. If at least some advertisers follow opt-out we should have less
           unwanted email
      Cons:
        b. Many are afraid that opt-out may instead bring more commercial 
           mail by allowing advertisers to confirm your email addresses

   2. To provide global opt-out system that large number of legitimate
      commercial mail entities can all use at the same time
     Pros:
        a. Standard system that you can apply to large number of lists you
           may be on is convenient
        b. Standard way for marketing companies to find your opt-out 
           preferences reduces their own cost of emailing and dealing with 
           unhappy customers
     Cons:
        a. This only works for legitimate businesses that abide by these
           rules, everybody else will continue to do as they wish
        b. Unless we have good enforcement even some legit businesses may
           not agree to this
   3. To provide local opt-out to only particular types of email 
      or even more specific for particular maillist
     Pros:
        a. You could potentially be very specific on what emails you want 
           to receive. For example if you're looking for a car you'd be
           interested to hear about car dealership offers and advertisers
           could be very specific to your needs which works in your favor.
        b. If advertisers know what you want they'd be able to a lot 
           better manage their own resources.
        c. Certain global types are a must, for example children should
           not be expected to receive any offers of adult nature or for
           alcohol or cigarettes and in fact this may be against the law
           depending on locality and advertisers
     Cons:
        a. It's somewhat difficult to have everybody agree on classification
           of commercial advertisements though some very broad global
           scale may be possible that will satisfy c.
        b. Even if classification is agreed, some email offers may fall 
           into multiple categories, or are otherwise not as clear about 
           exact type, the reality is that classifying email to be sent 
           into certain category is still up to advertiser and this may 
           not agree with how user who opted out would classify it
   4. To provide capabilities to temporarily reduce amount of email received
     Pros:
        a. In some situations it's useful to be able to opt-out of all
           commercial email for certain period (when you're on vacation)
           and opt-in at another when you actually have time or interest
           to read more email
     Cons:
        b. Most opt-out procedures are likely to take longer time than
           several days or a week that you may actually be on vacation and
           temporary opt-out might not work that well, filters or automatic
           forwarding of certain email to special mailbox may be better
   5. To filter out legitimate email marketing companies from "true" spammers
     Pros:
        a. There exists email marketing industry that provides real service
           to users who really really opted to receive such emails. But 
           these companies suffer by being compared to spammers (some are 
           like that) and standards that these companies should follow 
           will distinguish good marketing companies from bad.
        b. If we had clear guidelines what email marketing companies need
           to do to not be considered spammers and this is supported by 
           law, then they will follow it more often and we'd have
           fewer complaints about improper emails
     Cons:
        a. Bad spammers will inevitably try to disguise themselves as email
           marketing companies and this can make things even worse.

Note: 5 points listed above can be used as way to evaluate exact opt-out 
      technology proposals. These proposals would fall into one or more of 
      the below categories:

II. Technologies for Opt-Out

  1. Distributed lists which use some type of encryption to allow validation 
     of particular address but not see the entire list.
     Pros:
        a. Opt-out lists can be easily cleaned up before the transmission
        b. Distribution of lists can be tightly controlled.
           Some improper activities can be prevented by using special
           email addresses specific for each authorized client
           c1. Dictionary Attack prevention
             An email that is not for valid user but easily guessable is
             introduced. If emails are received to this address, this 
             indicates dictionary attack was tried 
           c2. Proper conduct in collecting emails by advertiser
             Email addresses are added that are not actually used in email
             (example - addresses added into webpages and collected by spiders)
             If advertiser checks for these email addresses, he does not
             have properly collected email list 
        d. Because all advertisers that use opt-out lists sign service 
           agreement both legal and criminal court actions are easier
     Cons:
        a. Because entire list is received by advertiser, it's a lot easier
           for it to just check very very large list of email addresses
           and get practically entire list of opt-out addresses (see above
           c2 how they can possibly be caught)
        b. Distribution lists can easily go sub-distributed and go beyond
           authenticated base and thereafter abused
        c. Patents relating to the encryption technologies exist
        d. Concerns about who and how will make opt-out lists and distribute
           them
        e. Concerns that opt-out lists will instead be used to verify if 
           email address in spammer database is real
        f. It's possible encryption technology may be broken in some distant
           future
        g. It takes longest time to opt-out or change opt-out status with 
           this technology

  2. Opt-out server. Here special service/server is made available to
     legit bulk-mailers. Anybody wishing to check if the address is 
     opt-out or not can connect to that server and check
     Variations:
        2a. One unified service is made available by the authorized agency
        2b. A number of special opt-out servers exist in parallel which
            are used/run by different groups of commercial mailers
     Pros:
        a. Opt-out lists can be cleaned up before the transmission begins
        b. Distribution of lists can be tightly controlled
           with authentication means and distribution beyond authorized
           advertiser is not allowed. Because it's known who is accessing
           the list, there exists a way to also detect some improper activities
           c1. Dictionary Attack prevention - see c1 in #1 above
           c2. Proper conduct in collecting emails by advertiser - see c2 above
        c. If improper activities are detected as in c1 or c2 or if 
           somebody is trying to access to check way too many addresses
           (trying to verify their 100 million emails CD), the access 
           to client can be denied fairly fast!
        d. Because access would involve service agreement, the law may 
           make it easier to prosecute the offenders
     Cons: 
        a. Special opt-out verification protocol may have to be developed
        b. Concerns about who and how will run opt-out service
        c. Concerns that opt-out service will instead be used to verify if 
           email address in spammer database is real
        d. Depending how service is setup, it may take long for opt-out to 
           work (i.e. until marketers do updates to their lists).

  3. Opt-out system maintained together with mail servers on per-domain basis.
     Variations:
      3a. Service made available as part of mail server, new command added 
          to SMTP to check opt-out preference of user on email server
      3b. Service made available as part of mail transmission and is more
          tightly integrated with actually sending email, i.e. email being 
          sent contains some preference for opt-out check and email server 
          can based on that return email back with proper error code
          Note: to a degree this is what some filters already do ...
      3c. Service made available through separate protocol to be run by ISP
          on per-domain basis. 
     Pros:
        a. An opt-out is controlled by mail server operator and not any 
           questionable central agency.
        b. Depending on how system is implemented it may be a lot harder to
           actually gather list of valid email addresses (mail server 
           operator may choose to answer opted-out for any email address 
           that does not exist, for example)
     Cons:
        a. A new protocol (or extensions to SMTP) need to be developed
        b. It may be a lot harder to clean up lists before emailing
           (maybe this is also a good thing?)
        c. If implemented as in 3a all MX servers (even backups) may need
           to answer yes on question of opt-out, this creates
           implementation problems and seems unnecessary
        d. Access to opt-out verification has to be made public (or at
           most on per email basis) and no serious authentication of who
           can access it can be done. This allows an easy avenue for abuse.
  4. Modification of Email address to show opt-out choice. 
     Variations:
      4a.  General opt-out choice recognized by everybody, which may 
           actually be some variation of mail service domain/subdomain
      4b.  Opt-in choice specific to particular situation or mailing list 
           example - email+list@domain.com
     Pros:
        a. Very easy to implement and does not require new technology, 4b 
           is already actively used by many
        b. Address itself shows optout choice, so spammers can not do
           email address cleanup for purposes of finding valid address
           Note: this is also a Con!
        c. Opt-out choice is controlled by each individual user and not by 
           external entity (be it central agency or mail service provider)
     Cons:
        a. This generally requires us to use different email address than
           what we already do, often even more than one. It does not address
           issues with existing currently used email addresses (see
           section I on what we want to do), this is a BIG Con.
        b. Use of "special" email address may also be taken by spammers as 
           verification that email address is valid!

Below are possible ways to deal with those that do not comply with opt-out
standards if any are to be developed

III. Enforcement of Opt-Out
   Note: #1 and #2 below may well be done in parallel
   1. Done by government by legislation to have all commercial email marketers
      participate in some system or abide by specific protocol standards
      Enforcement is afterwards left to courts
      Pros:
        a. There would be clear guidelines for commercial email senders to 
           follow and if they do not they will pay an actual price for it 
        b. It's a lot more likely commercial businesses will follow the law
      Cons:
        a. This may be problematic when considering email as global system
           and not specific to US or EU laws
        b. It takes some time for laws to be passed and then be verified 
           in courts to be workable
   2. Enforcement is left to ISP/mail server operators through use of 
      filters if email is found to be from commercial email marketer
      that is known to mail server operator
      Pros:
        a. Filtering is already well adapted technology
        b. When email is found to have violated opt-out choice, stopping 
           future email from the particular marketer is easy and fast 
           (blacklist) but it does require marketers to be well identified
      Cons:
        a. Use of filtering means some email will inevitably be filtered 
        b. Filters will never completely stop unwanted email even with
           opt-out choice, some email marketers may choose not to follow it


------
William Leibzon
Elan Communications Inc. 
william(_at_)elan(_dot_)net

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
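
Added example (not part of the original message): a sketch of the opt-out server from II.2 with the safeguards listed there, planted addresses (c2) and a per-client query limit (c). The class, client names, key, cap and addresses are constructed for illustration, and storing keyed digests instead of plain addresses is a choice of this sketch, not something the notes specify.

```python
import hashlib
import hmac
from collections import defaultdict

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the service
QUERY_CAP = 5                         # assumption: tiny cap so the demo trips it

def digest(addr: str) -> str:
    # Keyed digest of the case-folded address; the store never holds plain addresses.
    return hmac.new(SERVER_KEY, addr.strip().lower().encode(), hashlib.sha256).hexdigest()

class OptOutServer:
    def __init__(self, opted_out, planted):
        self.opted_out = {digest(a) for a in opted_out}
        self.planted = {digest(a) for a in planted}  # never handed out by a person
        self.queries = defaultdict(int)              # authenticated client -> count
        self.blocked = {}                            # client -> reason for denial

    def check(self, client: str, addr: str) -> str:
        """Answer 'opted-out', 'ok' or 'denied' for an authenticated client."""
        if client in self.blocked:
            return "denied"
        self.queries[client] += 1
        d = digest(addr)
        if d in self.planted:
            # A planted address can only come from a scraped or guessed list.
            self.blocked[client] = "planted address queried"
            return "denied"
        if self.queries[client] > QUERY_CAP:
            # Bulk verification of a purchased list shows up as query volume.
            self.blocked[client] = "query cap exceeded"
            return "denied"
        return "opted-out" if d in self.opted_out else "ok"

def demo():
    # All addresses and client names below are constructed sample data.
    srv = OptOutServer(opted_out=["alice@example.org"],
                       planted=["webmaster-trap@example.org"])
    legit = [srv.check("mailer-a", a)
             for a in ("Alice@Example.org", "bob@example.org")]
    scraper = [srv.check("mailer-b", a)
               for a in ("bob@example.org", "webmaster-trap@example.org",
                         "alice@example.org")]
    bulk = [srv.check("mailer-c", f"user{i}@example.org") for i in range(7)]
    return legit, scraper, bulk, srv.blocked

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Once a client is blocked, every later query is denied, including ones for addresses that really are opted out, so a denied client learns nothing further about address validity.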
