ietf-asrg

Re: [Asrg] Nothing will stop spam???

2003-07-04 08:15:38
At 9:31 PM -0400 7/3/03, Kee Hinckley wrote:
individual signs up, they would provide the consent token
for the FTC to use when then sent a confirmation email. The FTC WEB

This would probably degenerate to a simple password, since anything else would require tight integration between the email client and the web browser (and a signup may occur when the email client isn't available, or even over the phone). That's not necessarily bad, but it should be recognized. The other issue here is that this requires modifying tens, if not hundreds, of thousands of web forms and their backend databases. Given that, it seems wise to make it possible to include the consent token in the email address, potentially as an option. (Although of course that won't work with the FTC site, since they decided to invent their own concept of what an email address looks like.)

Sleeping on this I came up with some more issues (okay, I didn't sleep very well).

1. Like many systems, this ties in tightly with identity. If I move to a new ISP (or Comcast gets sold *again*) my email address changes. How do I manage notifying all of my contacts? Some people seem to think the address book model works, but I correspond with several orders of magnitude more people than are in my address book, and some of them I only send mail to every few years--I don't want to have to notify them all of a change, nor is it clear to me *how* I would notify them of a change without hitting the consent system again. It's probably technically feasible, albeit difficult, to do so if I know in advance of the change--but that doesn't always happen. Right now people struggle with simple things like transferring their address book, never mind transferring consent. A regular occurrence on wormalert is mail from someone to all of their contacts with a brief comment like "sorry, just mailing myself a copy of my address book". That's how they do it--they put everyone in the to, including their new address. So. Without a persistent concept of identity, consent is rather transient to the recipient, never mind the sender.

2. If a consent token does degenerate to a password, then two problems occur. One, it can be sold along with your email address, just as email addresses are sold now. You've basically made it simple for someone to transfer your consent. The only way around that is to tie a consent token to the sender, which means complicated software, and a knowledge of what addresses will be used to contact you. (Again, I think people working on this should focus first on a URL scheme for whitelisting. E.g. whitelist:some-piece-of-information-identifying-senders.) Secondly, a single password doesn't contain information about what you've consented to. Did I tell them I want a receipt for my order, or that I want a daily advertisement?

Note that the latter problem is what I see as a major failing of do-not-spam-me lists. How does a vendor know whether the presence of an address on that list applies to what aspect of an existing business relationship? And if it doesn't, then what's the point? They shouldn't be sending you email anyway. This isn't an issue with phone call lists because Sears doesn't call you up every day with a new ad, so you don't lose anything by putting yourself on a donotcall list.
--
Kee Hinckley
http://www.messagefire.com/          Anti-Spam Service for your POP Account
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
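
Added example, not part of the original message or of any ASRG proposal: a sketch of a consent token carried in the email address and tied to both the sender and the consented purpose, so that a sold address fails for any other sender or scope. The `local+scope.tag` address layout, the function names, the key and all addresses are assumptions constructed for illustration, and the check is only meaningful if the envelope sender's domain has been authenticated by some other means.

```python
import base64
import hashlib
import hmac

# Recipient-held secret; constructed value for this example only.
SECRET = b"constructed-demo-key"


def _tag(local, domain, sender_domain, scope):
    """MAC over recipient, sender domain and scope, shortened for use in an address."""
    msg = "\0".join([local, domain, sender_domain.lower(), scope]).encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.b32encode(digest[:10]).decode().lower()  # 16 chars, no padding


def issue_address(recipient, sender_domain, scope):
    """Address to hand to one sender for one purpose (hypothetical layout)."""
    local, domain = recipient.rsplit("@", 1)
    return f"{local}+{scope}.{_tag(local, domain, sender_domain, scope)}@{domain}"


def consented_scope(rcpt_to, mail_from):
    """Return the scope this sender holds consent for, or None."""
    local_part, domain = rcpt_to.rsplit("@", 1)
    local, plus, token = local_part.partition("+")
    scope, dot, tag = token.rpartition(".")
    if not (plus and dot and scope):
        return None  # plain address: no consent token present
    sender_domain = mail_from.rsplit("@", 1)[-1]
    expected = _tag(local, domain, sender_domain, scope)
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return scope if ok else None


if __name__ == "__main__":
    addr = issue_address("kee@example.org", "shop.example", "receipts")
    print(addr)
    print(consented_scope(addr, "orders@shop.example"))    # original sender
    print(consented_scope(addr, "bulk@broker.example"))    # address was sold
    print(consented_scope(addr.replace("receipts", "ads"), "orders@shop.example"))
```
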