spf-discuss

RE: overall paradigm shift in email, plus rambling philosophical discussion

2004-06-23 20:08:58
From: Seth Goodman
Sent: June 22, 2004 2:47 PM
Subject: RE: [spf-discuss] overall paradigm shift in email, plus
rambling philosophical discussion

Seth,

Originally, I was going to respond in detail to
your earlier note.

However, upon reflection, it is better to focus
on areas where we can agree.

We could have a healthy debate. I have expressed
my position based solely on the concepts of
solicited bulk email.

You have responded. The underpinning of your
position is to treat solicited bulk email and
unsolicited bulk email as the same for analytical
purposes in developing an underlying philosophy. 

In my view, as I have said before this is a
flawed analysis. Quite frankly, I strongly
disagree and on this I doubt we will square the
circle. 

However, there is no point in rehashing positions.
Time is short as SPF implementation is the order
of the day.

One thing is crucial. We need to make the
process of publishing an SPF record for the vast
majority of domain holders who have relatively
simple set ups as easy as possible to ensure
rapid and wide spread implementation.

As to leveraging existing security certificates,
this may help in the process of verifying
identity.

I understand the thought as it relates to
obtaining a domain and so ultimately publishing
an SPF record, as this authenticates the
information provided as to who is applying for
and has obtained the domain.

However, if it is decided to go this route, it
raises issues of cost, barriers against
involvement and privacy concerns, especially in
the US, with the lack of Federal privacy
legislation applicable to private organizations.

I am not thrilled with seeing large corporations
carrying out this task.

Personally, I favour a publicly administered
licensing system which could be used as a
precursor to a domain-wide deny list, being able
to send email and so forth if that becomes
necessary.

Just as you need a drivers license to drive a
car, so too you need an email license to get a
domain and send email.

This could be administered at a very local level,
with all data being shared on a national and
international basis as needed for law enforcement
purposes.

But, then I come from a land which believes in
peace order and good government, as opposed to
life, liberty and the pursuit of happiness.

The use of security certificates in the
reputation process is a separate issue.

* A brief back drop

In 1997, the CMA - which is the Canadian
Marketing Association issued a policy guideline
to its members which in essence stated:

"thou shall not send unsolicited bulk commercial
email without prior consent, unless thou have a
pre-existing business relationship."

In 2004, after Privacy legislation which was
passed by Canada's Parliament came into full
force, the CMA modified its policy, so that in
essence the policy now means:

"thou shall not send unsolicited bulk commercial
email without prior consent."

I am not a member of the CMA, but the Canadian
marketing community has by and large had an opt-in
stance for quite some time.

In Canada, the ISPs have strong AUPs, however
enforcement in some quarters has been an issue.

Since the case of Yahoo v Head in March, we are
now starting to see things tighten up. This case
embarrassed a lot of people.

Most service providers have blocked port 25.
Customers have the option on filtering. The
provider can filter for you, or you can do your
own filtering.

* The various laws

Turning to enforcement, dealing with spam however
one defines it is primarily a Federal Government
responsibility. 

The Department heading the parade is Industry
Canada, which oversees the regulatory agency
titled the Competition Bureau which is akin to
the US FTC.

Breaches of the legislation dealing with
Competition can be dealt with civilly or
criminally. Criminal breaches are Federal
offences and handled by the Federal Department of
Justice.

Canada has Privacy legislation which in essence
says "thou cannot use private information for any
purpose without the prior consent of the person
whose private information you have." An email
address is deemed private information.

A number of provinces have enacted Provincial
legislation which mirrors the Federal legislation.

Canada has a Privacy commissioner. The privacy
commission endeavours to resolve disputes. There
is discretion to treat breaches of the
legislation as federal offences, with
prosecutions being handled by the Federal
Department of Justice.

There are provisions in the Criminal Code which
generally deal with fraud and theft. Unlike the
US, there are no specific provisions concerning
email fraud.  

Even if there were, under Canada's constitution,
Criminal Code offences are prosecuted by the
applicable Provincial Department of Justice where
the offence occurs. This is a problem.

However, between the Privacy laws and the
Competition Act, which allows for significant
fines and jail time, there are laws of general
application which the authorities can use to deal
with the problem. Find the person, follow the
money.

Internet Service Providers are administered by
the CRTC which is equivalent to the US FCC.

* Government action

Since the late 90s, Industry Canada has been
reviewing how to tackle the spam problem.

In 2002, Industry Canada issued a white paper
with a request for comments.

For a while any attempt to move the file forward
was stalled.

Remember GBDe.org and their policy paper?
Industry Canada told the world it thought this
was a good document. As a result through 2003,
Canadian officials attended conferences and so
forth, but there was little movement.

In 2003, there were private members' bills
introduced both in the Senate and the House of
Parliament, but they went nowhere.

The Minister of Justice publicly mused, "yes, we
need to look at the situation."

What was holding things up? The debate over
whether any law should be opt-in or opt-out.

After Yahoo sued the Head brothers residing in
Kitchener-Waterloo, Ontario in March, 2004 a lot
of people began asking questions.

* The Present Status

In May, an article was written in the Toronto
Star by Michael Geist, a law professor with the
University of Ottawa essentially calling the
Federal Government's bluff. Professor Geist
suggested there were adequate laws on the books
without resolving the opt-in/opt-out debate to
start going after spammers within Canada.

This was in early May.

As to my personal involvement, after Professor
Geist wrote his article, I got in touch with him.
He gave me a list of senior civil servants to
write.

I wrote one letter to the various civil servants
at all the relevant agencies. I copied Professor
Geist and offered to start a letter writing
campaign. He indicated this was not necessary.

I did receive one response. It was a letter from
the CRTC telling me in essence, the Federal
policy was that ISPs are best equipped to deal
with the spam problem and by the way you should
reference certain material on Industry Canada's
web site.

I responded by saying in essence "thanks, but I
already knew Industry Canada's position since I
told you this and by the way, given the Head case
what is the Government going to do?" A copy of
the second letter was also sent to the various
civil servants.

(The letter was much stronger, but this was the
upshot.)

* A Task Force Is Formed

On May 11, the Industry Minister announced the
appointment of a task force to look into the
problem. The task force was given a year to come
up with a plan. One of the task force members is
Professor Geist.

http://www.ic.gc.ca/cmb/welcomeic.nsf/558d636590992942852564880052155b/85256a5d006b972085256e91004e31e1!OpenDocument&Highlight=2,spam

The majority of editorial opinion was "What? Do
something now."

(Of course, this shows a lack of understanding of
the problem while expressing the growing
frustration of the end user with spam volumes.)

Shortly thereafter, there was an announcement the
ISPs were going to form a task force to start
toughening up network abuse.

* The Political Situation

In late May, the Prime Minister called a Federal
election and we go to the polls on June 28. 

The election is extremely close and it seems
likely we will have a minority government. If the
Conservatives win a majority, it is likely we
will see more immediate action. 

If the Liberals win and are returned to power for
a fourth mandate, Government will continue on
with the present plan.

Of course, not much is happening during the
election as what happens next all depends on
which party is elected.

If it is a minority government, the parties
holding the balance of power will be a leftist-
leaning separatist party from Quebec and a
national leftist-leaning party, and the
Government might respond to public pressure.

* The core problem?

Spammers are taking advantage of the border and
using the email flaw to avoid detection, even
though folks have an idea of what's going on. 

Also some professional spammers have moved their
operations off shore in an attempt to hide their
involvement and shield their assets.

Sender authentication helps to start the trail
towards identifying those involved.

* What to do?

People need to complain instead of simply
filtering and then deleting. This means people
need to be told how to file complaints. 

We need an education campaign to assist end users
in dealing with spam.

There is need for a joint task force to have lead
responsibility on the civil and criminal side,
with specialized staff to analyze data and start
building cases. 

There is close co-operation between Canadian,
American, Australian and UK regulatory agencies.
Additional International arrangements are
required.

ISPs need to tighten up controls of network
abuse. 

There is a belief technical means can go a long
way to controlling abuse. This is reflected in
the task force mandate.

We also need law enforcement. Professor Geist
wrote his article to bring pressure on Government
to adjust the task force mandate.

I followed this up with my own letters. I have
urged others to do the same.

Continued public pressure will help to compel
Federal authorities to move as quickly as
possible to come to grips with the problem.

Kind regards,

John Glube

The FTC Wants One Standard For Sender Authentication
http://www.learnsteps4profit.com/dne.html
 
