Open subscription forms going away?
A few weeks ago, I got a call from a potential client. He was all angry and yelling because his ESP had kicked him off for spamming. “Only one person complained!! Do you know him? His name is Name. And I have signup data for him! He opted in! How can they kick me off for one complaint where I have opt-in data? Now they’re talking Spamhaus listings, Spamhaus can’t list me! I have opt-in data and IP addresses and everything.”
We talked briefly but decided that my involvement in this was not beneficial to either party. Not only do I know the complainant personally, I’ve also consulted with the ESP in question specifically to help them sort out their Spamhaus listings. I also know that if you run an open subscription form you are at risk for being a conduit for abuse.
This abuse is generally low level. A person might sign up someone else’s address in an effort to harass them. This is a problem for the victim, but doesn’t often result in any consequences for the sender. Last week’s SBL listings were a response to subscription abuse happening on a large scale.
We’ve generally accepted that low friction signup forms are a win for business. There aren’t many consequences to the business to maintaining them. That doesn’t mean all signups are low friction. Almost any social networking site will require some sort of confirmation before allowing full access to their platform. Certainly the big platforms – Twitter, Facebook, and LinkedIn to name a few – require new users to click a link to confirm their address. This is standard process that most internet users are familiar with.
Not all “networking” sites require confirmation, though. Over at Spamtacular Mickey talks about the Ashley Madison hack. He’s been reading through the report from the Canadian and Australian governments. He quotes the report:
The level of accuracy required is impacted by the foreseeable consequences of inaccuracy, and should also consider interests of non-users. This investigation looked at ALM’s practice of requiring, but not verifying, email addresses from registrants. While this lack of email address verification could afford individuals the ability to deny association with Ashley Madison’s services, this approach creates unnecessary reputational risks in the lives of non-users — allowing, for instance, the creation of a potentially reputation-damaging fake profile for an email address owner. The requirement to maintain accuracy must consider the interests of all individuals about whom information might be collected, including non-users.
The lack of email address verification creates unnecessary reputational risks in the lives of non-users.
At one point there was an argument that confirmation was an unfamiliar process and senders couldn’t trust the end users would confirm. That was true. It’s not longer true, though. While Facebook doesn’t publish their confirmation numbers, informal discussions tell me well over 90% of signups are confirmed. Confirmation is a standard process for users to go through these days.
One of the things some of us discussed, related to the Spamhaus issue, was that if enough government officials were hit then there might be legislation requiring some level of confirmation or protection. I don’t think it will happen any time soon. I don’t even think it’s likely. But there are the possibly apocryphal story of congress passing the TCPA because their fax machines were inundated with junk faxes. Could a similar attack on email addresses lead to legislation about open subscription forms?