From: John Glube
Sent: Monday, June 21, 2004 2:21 PM
From: Meng Weng Wong
Sent: June 20, 2004 1:16 PM
Subject: [spf-discuss] overall paradigm shift in email, plus
rambling philosophical discussion
Some comments on philosophy.
<...>
There has been an ongoing debate between
responsible senders and commercial black list
operators surrounding the meaning of solicited.
This is shown by the perspective on the one hand
of the need for verified consent (or as some call
it - double opt-in) and the view point (despite
an RFC setting out best practice) that
unconfirmed opt-in and implied consent based on a
pre-existing business relationship is sufficient.
People are free to choose whatever blacklist fits their needs best,
regardless of the recommendations of any particular RFC. This is a matter
of personal choice, and since the recipient pays for every email they
receive, the IETF has no standing to tell recipients how to spend their
money.
At least in the US, the Federal government has
weighed in on the debate and established the
criteria of "affirmative consent." Despite the
views of a number of groups, this precludes the
concept of implied consent at least when sending
commercial email. Time will tell whether the FTC
views "affirmative consent" as including the need
for verified opt-in.
This recent debacle of a law was largely written by and heavily lobbied for
by the direct marketing industry, who was the principle beneficiary. It
does not represent the interests of the vast majority of end-users who pay
for every piece of UBE they receive. Under the new law, any business entity
can send me unsolicited email, as long it is not forged, until I actively
tell them to unsubscribe me. Of course, it is widely know that it is not
safe to use unsubscribe links, since abusive mailers will only harvest and
sell those addresses as "known live accounts" to other spammers.
Considering the fact that there are millions of registered businesses in the
U.S., the cost of forming a new one is only a couple of hundred dollars and
they can be dissolved at a moment's notice, the new law puts some
restrictions on honest email marketers who are not a problem, while giving a
free pass to the abusive ones. I couldn't think of a worse outcome.
The issue of filters is a separate kettle of
fish. One of the more pressing issues is whether
there is a need for recipients to be responsive
when false positives are drawn to the recipient's
attention.)
Since recipients pay for messages they receive, they have no responsibility
to do anything on behalf of any sender. They are also free to discard
anything they wish for any reason without any notification to the sender.
..............
That having been said, just as recipients are
asking senders to account for their behaviour, so
recipients must also account for their behaviour.
That is simply untrue. Recipients pay for all email they receive.
Therefore, no one can tell them they have to account for anything. If you
don't want to get blasted in public by a recipient, don't send them mail.
Since it arrives postage due, it is up to the sender to make doubly sure
that it was actually requested. If they don't, they should stop complaining
about "irresponsible user complaints". A user's inbox is not public
property. It belongs to and is paid for by the user. No sender has any
right to tell any recipient what to do with _anything_ that hits their
inbox. To imply that recipients share some kind of responsibility to enable
legitimate businesses to make money from email as a communications medium at
the recipients' expense is quite illogical. In fact, it is totally
outrageous :)
Now, I can hear the howls of protest coming from
those who believe:
* I have no obligation to establish an Internet
which allows people to make a living; and,
That is correct, nor does anyone else.
* I don't care if I block some solicited email as
long as we stop all spam.
That is an exaggeration that doesn't serve you well. A more reasonable
statement of the opposing position might be, "I don't care if I block some
solicited email as long as I block a lot of spam".
This position is premised in part on the view
that technical measures can be established which
will eradicate spam.
This is a straw man. No one but you proposed such a scenario.
<...>
How do we deal with the problem:
* Establish a system were there is mutual
responsibility and accountability between senders
and recipients.
There is nothing mutual about the relationship between senders and
recipients of bulk email. Recipients pay money to receive commercial emails
that the senders profit from. The benefits all flow in one direction. You
simply cannot claim that someone who pays for something sent unsolicited has
any responsibility to the sender. The same can be said for accountability.
I am tired of hearing about how consumers benefit from telemarketing, junk
faxes and UBE by hearing about products that they might not otherwise know
about. The incredible response to and resounding success of the "Do Not
Call" registries belie the marketers claims of how valuable consumers find
their activities. Email is much the same way. Given the choice, most users
would jump at the chance to put themselves on a "Do Not Spam" registry. Not
that this is practical, but it shows the depth of sentiment against UBE.
Several years ago, Alan Ralsky was "subscribed" to nearly every print email
catalogue known to man by email recipients who were sick of paying for the
privilege of deleting his unsolicited junk. His response to this was that
their actions were "abusive". Didn't he benefit by hearing about thousands
of products that he was likely unaware of? It's funny how it works when the
shoe is on the other foot. His privacy is inviolate but the rest of us are
just marks to be mined.
<...>
* It also means recipients should use methods of
authentication which rely on one unified standard
for generating the needed data, (as recently
outlined by you and presently being refined with
the helpful input of many on this list.)
What is the basis for senders to tell recipients how to authenticate their
incoming mail?
* We want to impose requirements which don't
jeopardize responsible business operations.
And just who is the "we" here? I don't mind if responsible businesses make
money from email communications, but I also don't care if the actions that
we need to take to prevent the theft of services we paid for adversely
affect such businesses. Just as I have no responsibility to make my phone
line available for "legitimate businesses" to inform me of their latest
products and services, I similarly have no responsibility to make my email
inbox available to them.
My priority is to stop UBE flowing into my inbox while not affecting private
communications. If some solicited bulk email gets blocked in the process,
since I am ultimately paying for the service, that is my choice to make, not
the sender's. Even if I solicit bulk email from a company, there is no
contractual relationship that states that I have to either accept or read
any of it. Now, if they offer to pay me and I accept, then at least it
would be a voluntary mutual agreement. Until that occurs, recipients simply
have no responsibility whatsoever to protect the interests of any sender.
(This is self evident and why so much effort is
going into developing a system which minimizes
the need for change.)
Actually, the reason for avoiding disturbance of current email practices has
absolutely nothing to do with the commercial interests of bulk emailers. It
is simply to avoid massive disruption in the delivery of private email and
to avoid unnecessarily difficult changes to existing mail services paid for
by recipients.
* Recipients should be honest in informing
senders why a particular message was not accepted.
Recipients have no responsibility to tell anyone why they rejected a
particular piece of email unless they choose to. It is just like postal
mail. No one has to provide a reason if they simply cross off the delivery
address and write "Refused" across the front of the envelope. In that case,
the sender has to pay return postage in addition to outgoing postage. If
the recipient has no responsibility to provide the reason for rejection in
that case, the recipient certainly has no responsibility to the sender in
the case where the recipient pays for the whole transaction.
Some folks will say, but this will help spammers.
Yes, I appreciate it may. But in dealing with the
problem, we need to uphold and support the
responsible actors on both sides.
There is no reason for me, as a recipient, to uphold responsible senders.
That is their responsibility. I hope they will defend themselves, but that
is not my job, nor is it even in my personal interest. I simply don't care
one way or the other if anyone can use email as a marketing medium. It's
just like my telephone. I pay for it for my own use, and I have no
responsibility to make it available to marketers, no matter how responsible
they claim to be.
Or to put it in engineering terms, just as we ask
senders to exercise 'quality control,' so to we
should ask recipients to exercise 'quality
control.'
Until you start paying them, you can't ask recipients to do anything. This
is not a mutual relationship.
Although I would like to see a situation develop
where all recipients adopt the acceptance mode
for delivery over the rejection mode, (as
Jonathan suggests) I am not certain we can
realistically enforce this requirement as the
choice of delivery mode is up to the recipient.
This is amazing. As a recipient, you are suggesting that I accept and pay
for all email that hits my inbox. I would then spend my entire work week
tracking down spammers who sent me those unsolicited messages. Since the
new CAN SPAM Act has taken away my ability to bring direct civil action
against spammers, I have to convince either my ISP, my State Attorney
General or the FCC to file such a suit. My ISP will be happy to put a block
on an IP, but will not start a lawsuit against an individual spammer. That
is arguably the correct business decision for them. My State government is
practically broke, so prosecuting spammers, mostly in Southern States who
will not actively participate, has a priority of about 150 on a list of 100
items. The Federal Government has issued exactly one arrest warrant for two
spammers in the six months since the new law was passed, despite billions of
messages that clearly violated the law during that period. The expectation
that somehow the spammers will be "brought to justice" is clearly
unrealistic, so it would be foolish for any recipient to operate in
acceptance mode.
Having said this, I agree with Jonathan's comment
catching the bad guys is almost always going to
be reactive. Although I am not certain on this
point, I gather that the acceptance mode enhances
the ability of law enforcement to catch and
punish the bad actors, (by creating data which
can then be sent on to the appropriate party). If
my understanding is correct, people may want to
consider stating this to reinforce the
desirability of recipients utilizing the
acceptance mode.
There have been lot's of complaints filed and evidence submitted. Let's see
a little bit of law enforcement activity first before advocating an
irresponsible (to end-users) policy.
Underlying all these comments is the simple
position, if we want to reinforce and support the
validity of email, then we must work towards a
model which ensures mutual respect and
accountability between responsible actors.
Again, I see the false assumption that the relationship between bulk mail
senders and recipients is a mutual one. This is clearly the state of
affairs that the direct marketing industry would hope for, but it is very
far from reality.
This is not saying spammers have rights. This is
not saying people should go around suing people.
This is simply saying for any society to work,
and the 'Net is a society, the need for mutual
respect and accountability between responsible
actors is a natural underpinning of an orderly
society.
When one party pays for property or a service, the other party wishing to
use the payers property bears the burden of proof as to why this does not
constitute trespass. The recipient, as the payer, has no responsibility to
the sender. We can have a perfectly orderly society where bulk senders take
all the responsibility for their actions. It is not as if the two groups
are mutually interdependent. The recipients can easily get along without
any of the output from the bulk emailers. The reverse cannot be said.
--
Seth Goodman