[Asrg] Big Companies Add to Spam
October 28, 2003
Big Companies Add to Spam
By SAUL HANSELL
ver wonder how a certain company sending unsolicited e-mail messages got
Michael Rathbun, the director of policy enforcement at Allegiance Telecom,
an Internet service provider in Dallas, says he thinks he has much of the
Some five years ago, Mr. Rathbun bought a Palm hand-held organizer and, in
registering it on Palm's Web site, gave the company an e-mail address he
never used for anything else. Initially his in-box received only offers for
products related to the organizer, but eventually he started getting
advertising from some well-known companies like Bank of America, SBC
Communications and Sprint. Lately, that one address alone has been
receiving dozens of e-mails a month offering everything from travel clubs
to acne remedies.
"This is not stuff," Mr. Rathbun said, "that I should be getting from them."
The problem of spam or unwanted commercial e-mail is usually attributed to
outlaws and hucksters peddlers of pornography, get-rich-quick schemes and
pills of dubious merit who use hackers to send their fraudulent messages
in ways that cannot be traced.
But the torrent of spam that is flowing into people's electronic mailboxes
comes not only from the sewers but also from the office towers of the
biggest and most well-known corporations.
Established companies insist they send e-mail only to people who have
voluntarily agreed to receive marketing offers. A spokeswoman for Palm says
it does not know how Mr. Rathbun's e-mail address got into the hands of
spammers and says it has never sold its customer list.
But often companies rent e-mail lists from a cottage industry that has
emerged to lure Internet users, through a variety of schemes, into signing
up for e-mail marketing.
At best, if you have ever entered a contest to win a prize, subscribed to
an online newsletter or simply purchased a product on the Web, you may well
have also agreed, as many such fine-print contracts put it, "to receive
valuable offers from our marketing partners."
This practice falls under the rubric of what is called opt-in marketing, or
getting permission to send advertising messages.
But many e-mail executives admit that these same list companies also add to
their databases by buying, trading sometimes even stealing names.
"Everyone is looking for a quick buck now, and people are claiming to sell
opt-in data who don't have it," said Pesach Lattin, who runs Adspyre, a New
York e-mail marketing firm.
Moreover, some companies have allowed the e-mail addresses of their own
customers, either deliberately or inadvertently, to fall into the hands of
list peddlers who in turn sell them to e-mail marketers of all stripes.
Sometimes, the lists are stolen from corporate owners by employees or
vendors looking to make a quick profit. But in many cases, the big
companies are deliberately buying and selling access to names, relying on
privacy policies often hard to find on their sites that they say permit
"White-collar spam" is how Nick Usborne, a newsletter writer and Internet
marketing consultant, refers to this phenomenon.
"When a responsible company," Mr. Usborne said, "gets someone to sign up
for a newsletter and says, now that we have their e-mail address let's make
more money off it and send them e-mail they didn't ask for, that's
The antispam bill passed unanimously by the Senate last week imposes tough
penalties on people involved in the lowest forms of spam but it does not
deal with the central questions Mr. Usborne and others raise about
white-collar spam. It does nothing, for example, to establish rules
defining an appropriate list of names that a purveyor of a legitimate
product can use to send an offer by e-mail. Nor does it regulate the
transfer of names between companies.
The law would require that every e-mail message offer recipients a method
to remove themselves from an advertiser's mailing list. But with the way
that names are traded today, this method would do little to reduce the
amount of e-mail people receive, industry executives say.
"People don't realize that once you sign up for a contest or free stuff on
the Web and you forget to uncheck a box, these people will pass your name
to a hundred other people,'` said Paul Nute, a partner of Soho Digital, a
New York advertising agency that represents e-mail marketers. "You've just
raised your hand and said, `Send me the diet pill offers.' And there is no
way to get them all to stop."
A new state law scheduled to take effect in California on Jan. 1 tries to
take a stricter approach: it requires that commercial e-mail to or from
anyone in the state be sent only to people who specifically request
information from the advertiser. Many in the e-mail industry read the law
as curbing many of the more common ways that names are gathered and used,
but the exact limits will be left up to the courts to define.
Moreover, if the federal bill passed by the Senate is enacted it would void
most state spam laws, including California's. Although the Senate bill also
authorizes the Federal Trade Commission to create a do-not-spam list
modeled after the wildly popular do-not-call list that is already starting
to curb unwanted telemarketing calls, F.T.C. officials said that, unlike
telemarketing, it would be extremely difficult to determine the difference
between solicited and unsolicited e-mail. That is in part because so many
companies go beyond their own customers to rely on opt-in list collectors.
Not surprisingly, companies that are active users of conventional mail
solicitations have gravitated to e-mail, which can be far cheaper, to push
certain products. These include Morgan Stanley's Discover Card, Altria's
Gevalia Coffee, Schering-Plough's Claritin, and The New York Times, which
uses opt-in e-mail lists to sell subscriptions.
One such list maker is Xuppa.com, a 38-person firm working from a cramped
office in Midtown Manhattan across Seventh Avenue from Macy's department
store. It has gathered half a billion e-mail addresses since it started
four years ago, but most of those are no longer valid. The 65 million names
left on its lists, Lance Laifer, Xuppa's chief executive, says, have given
permission to receive marketing messages.
Visitors to Xuppa.com are encouraged to enter its $1 million sweepstakes.
To do so they must enter not only their e-mail address but postal address
and telephone number as well. Entering the contest gives Xuppa permission
to market to users. On the same Web page, some 75 other offers from
advertisers are displayed, each adjacent to a check box some already
checked by default. When Xuppa users enter the contest, their personal
information is passed to any advertiser whose offer is checked.
"There are a lot of people who would rather register and give their e-mail
addresses than pay for services," Mr. Laifer said.
This process of putting many offers on one page where users enter
information is called co-registration, and it has become one of the main
ways that names are gathered online.
Some such sites make it hard for users to see all the lists they are
joining. AmericanGiveAways.com, a site run by Synergy6, allows users to
register to earn free gifts. "By signing up with us," a notice at the
bottom of the page reads, "you are also agreeing to receive great offers,
special coupons and promotions from our partner sites."
Dozens of partners are listed on separate links, yet once a single button
is clicked each of the advertisers can claim with some degree of truth
that the user agreed to receive marketing messages.
Such sites stretch users' consent beyond any recognition, argues Seth
Godin, a former Yahoo executive, who coined the term "permission marketing"
to define the practice of sending e-mail marketing to people who ask for it.
"The people who are talking about permission marketing are almost entirely
doing it wrong," Mr. Godin said. "Greed and avarice drove people to wreck
The trade in e-mail names is not limited to the back alleys of the
Internet. Big traditional mailing list companies like Equifax and Experian
have been buying e-mail addresses, often from these contest sites, and
linking them with their vast stores of other information about people. They
use this so marketers can send e-mail to people with, say, a certain
disease, or who own a specific car, and so on.
The chain of permission can be stretched even further. Some names come from
customer lists of Internet companies that collapsed as the dot-com bubble
burst. For example, MatchLogic, a Colorado marketing company that gathered
13 million names was acquired by Excite(_at_)Home, a high-speed Internet service
controlled by AT&T.
names to any third party without permission. But when Excite(_at_)Home was
liquidated in bankruptcy in 2001, its mailing list was purchased by a group
of marketing firms led by RHC Direct of Salt Lake City. Some of those
companies in turn sold the list to others. Robert Caldwell, RHC's
president, says he believes it is also being traded by former MatchLogic
"Names get flipped and flipped and flipped until everyone's name is
everywhere," Mr. Caldwell said.
Nothing is wrong with that, he contended, because the people who originally
provided their e-mail addresses agreed to receive marketing messages.
"As much as people talk about privacy," he said, "they will give it up for
the chance to win a Lexus."
Mr. Rathbun, who also has an e-mail address exclusively used to enter a
MatchLogic contest, says it has received thousands of pieces of spam, some
from big companies.
Bankruptcy courts have generally allowed the sale of lists from failed
companies like MatchLogic. But those transfers were against Excite(_at_)Home's
privacy officer, now a lawyer with Baker & McKenzie. He said he would
advise any client not to send e-mail to that list "as there is insufficient
proof of the permission of the information."
Officials at many of the big companies marketing by e-mail admit that the
list companies are not always honest about the sources of their names. But
they say there is no way to test the quality of a list other than to send
e-mail to its addresses and find out how many complaints result.
"There are some irresponsible companies that are bringing a bad name to
those of us trying to be responsible,'` said Rajive Johri, executive vice
president for marketing for J. P. Morgan Chase's credit card unit, an
active user of opt-in e-mail.
"We do a lot of due diligence on the vendors we utilize," Mr. Johri said.
"At the same time, can I feel 100 percent sure that there are no abuses? No."
Asrg mailing list