ietf-asrg

Opt-In (Was Re: [Asrg] Proposal for Opt-Out)

2003-03-28 22:08:04
At 9:54 PM +0000 3/28/03, Jon Kyme wrote:
> means of consent.  There are other, much simpler, ways to define consent.


I'm not sure that "simpler" is the right word. Some of the possible
applications of consent expression that have been mentioned in the group
include opt-out, configuration of up-stream filters and (I'd add) opt-in.

It's a key problem - I believe an explicit consent expression mechanism
would be a significant *enabling* technology.

The most popular consent mechanism right now is straight opt-in. That requires no additional technology, but has serious problems with proof (anyone can type a random email address on a web site, and anyone often does).

The most popular system mentioned in anti-spam circles is probably confirmed opt-in. That also doesn't require any special technology, but I think could be greatly improved by specifying a set of conventions.

So let's try.  Here's a first quick pass.

User == person who has (in theory) requested email
Provider == person who will be sending mail

1. User provides email address via some mechanism (phone, web, email...)

2. Provider stores that email address along with documentation of the mechanism. (E.g. date, address and mechanism).

3. Provider sends a brief message to the user stating the following (and only the following):
        - what they believe the user has consented to
        - documentation of the initial contact mechanism
        - an optional web address for confirming
        - a contact address (web/email and optionally phone) for complaints
The message is sent From:/Reply-To: a confirmation address. The envelope From is set to a bounce handler.

4. If User does not confirm by either replying (From/Reply-To) or clicking on the confirmation url within 30 days, the Provider does one of two things:
        a. If this is the only contact from User, they *delete* the email address from their database. (Not mark it as do-not-send--but Delete it). (Counterpoint--maybe they should track it to avoid abuse, in which case they'd need to store it (or a hash)).
        b. If this is a request from an existing User, they mark that user as not wanting any further messages from this list.

5. If the user confirms that they do want the information, they store the confirmation.

Possible addition (which requires more software). This relates to a proposal at the Spam Conference (by Praed I believe) that bulk mail should always provide a bonded contact where one can obtain proof of subscription. (This is akin to erotica having to have archives proving all models were of legal age.)

I wouldn't call this proposal something that requires "significant" technology. Most of the pieces are already there. Some list software already has the option of storing all confirmations. What it primarily defines is a process.
--
Kee Hinckley
http://www.puremessaging.com/        Junk-Free Email Filtering
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
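
The five steps in the message above, sketched as a small in-memory state machine. This is an added example, not code from the original post: the class and field names, the `lists.example` addresses and the keyed (HMAC-SHA-256) hash used for the step 4a counterpoint are assumptions.

```python
import hashlib, hmac, secrets
from collections import namedtuple
from datetime import timedelta

CONFIRM_WINDOW = timedelta(days=30)   # step 4: time allowed to confirm
Request = namedtuple("Request", "address mechanism requested_at existing_user")  # step 2

class OptInStore:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # keys the tombstone hash
        self.pending = {}        # token -> Request awaiting confirmation
        self.confirmed = {}      # address -> (Request, confirmed_at), proof for step 5
        self.declined = set()    # existing Users who did not confirm (4b)
        self.tombstones = set()  # keyed hashes of deleted addresses (4a counterpoint)

    def tombstone(self, address):
        return hmac.new(self.key, address.lower().encode(), hashlib.sha256).hexdigest()

    def request(self, address, mechanism, now, existing_user=False):
        """Steps 1-3: record the request, return the confirmation message fields."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = Request(address, mechanism, now, existing_user)
        return {
            "token": token,
            "envelope_from": f"bounce+{token}@lists.example",
            "reply_to": f"confirm+{token}@lists.example",
            "consented_to": "weekly newsletter (constructed sample)",
            "initial_contact": f"{now:%Y-%m-%d}, {mechanism}, {address}",
            "confirm_url": f"https://lists.example/confirm/{token}",
            "complaints": "abuse@lists.example",
        }

    def confirm(self, token, now):
        """Step 5: store the confirmation if it arrives within the window."""
        req = self.pending.get(token)
        if req is None or now - req.requested_at > CONFIRM_WINDOW:
            return False
        self.confirmed[req.address] = (self.pending.pop(token), now)
        return True

    def expire(self, now):
        """Step 4: process requests still unconfirmed after 30 days."""
        for token, req in list(self.pending.items()):
            if now - req.requested_at > CONFIRM_WINDOW:
                del self.pending[token]
                if req.existing_user:
                    self.declined.add(req.address)  # 4b: no more mail from this list
                else:  # 4a: the address is deleted, only a keyed hash remains
                    self.tombstones.add(self.tombstone(req.address))
```

The tombstone is keyed because a plain hash of an email address can be reversed by hashing candidate addresses.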