Laws

Want some history?

I was doing some research today for an article I’m working on. The research led me to a San Francisco Law Review article from 2001 written by David E. Sorkin. Technical and Legal Approaches to Unsolicited Electronic Mail (.pdf link). The text itself is a little outdated, although not as much as I expected. There’s quite a good discussion of various ways to control spam, most of which are still true and even relevant.

From a historical perspective, the footnotes are the real meat of the document. Professor Sorkin discusses many different cases that together establish the rights of ISPs to filter mail, some of which I wasn’t aware of. He also includes links to then-current news articles about filtering and spam. He also mentions different websites and articles written by colleagues and friends from ‘back in the day’ discussing spam on a more theoretical level.
CNET articles on spam and filtering was heavily referenced by Professor Sorkin. One describes the first Yahoo spam folder. Some things never change, such as Yahoo representatives refusing to discuss how their system works. There were other articles discussing Hotmail deploying the MAPS RBL (now a part of Trend Micro) and then adding additional filters into the mix a few weeks later.
We were all a little naive back then. We thought the volumes of email and spam were out of control. One article investigated the effectiveness of filters at Yahoo and Hotmail, and quoted a user who said the filters were working well.

Security, safety and the cavalry

In some ways it’s been really hard to focus on email for the last few months. There are so many more important issues in the world. Terrorism, Brexit, the US elections compromised by a foreign government, nuclear threats from multiple countries, the repeal of ACA, mass deportations and ICE raids here in the US. I find myself thinking about what to blog. Then I glance at the news and wonder if there’s any value in another blog post about deliverability.
Generally I’ve tried to keep politics and world events mostly off the blog. But sometimes events are such that I need to talk about them.
Last October I had the chance to speak at the Email Innovations Summit in London. Steve and I took the chance to spend some time doing tourist things in London – including a photo walk along the Thames.

As an American I’m always a little surprised by the security in London. I grew up a few miles outside of DC. I could talk about prohibited airspace and security measures before I was 10. London is so much more open than even the DC of my youth. The surprise there is that London has been a much bigger target and attacked more than any city in the US.
The last few times we were in London I noticed a bit more visible security. In 2013 it was armed security walking through Tube stations. Last year it was Underground trains that were one long car. They were a bit weird and visually disconcerting. The part that really made me think, though, was this was a way to stop people hiding explosives between cars and to facilitate evacuations if something happened.
Last night Steve and I were talking and I mentioned the attack in London didn’t seem like terrorism to me. And it didn’t, not really. He then pointed out that explosives and guns are difficult to come by in the UK and this was classic terrorism. Oh. Sometimes our cultural differences come out in the strangest places.
Thinking about bigger issues like this make it hard to focus on email. There’s a regularly shared joke in deliverability, “There’s no such thing as a deliverability emergency.” And there isn’t, not really. Yes, even if a whole range of IPs is listed on Spamhaus, it’s still not an emergency and there’s no fast response team to deal with it.
There are abuse issues that are higher stakes than getting to the inbox. Child abuse materials. Harassment. Privacy issues. Terror threats. Every online services company, particularly the social media companies, have to deal with these kinds of things. Many of them are dealing poorly. Others have employees who are doing their best, but lack the tools, support, and training to do it well. Many companies don’t understand why they need to police their customer base.
The reality is, though, that abuse on the net (as opposed to abuse of the net) is a huge issue that needs to be dealt with. These are not small issues. The Internet is global and there’s no internet police. Law enforcement in different jurisdictions have to work together with technology experts to address crime and harassment on the internet.
It may surprise you to hear that the people who create spam filters and try and protect your inbox are the same people who fight crime on the internet. Spam and email are a vital part of online crime, so it falls on the abuse team to work with and educate law enforcement about tracing the source of email. The people you never see in ops, and abuse and support are vital to protecting folks online.
During the closing talk at MAAWG the chair was discussing how we can protect our online spaces. He stated “There is no cavalry; no second wave. It’s us or no one.” That’s a huge thing. My friends and colleagues are the people who stand protecting users online. It feels like a huge burden, but it’s something we can do to make the world a better and safer place.

Let's talk CAN SPAM

Earlier this week I posted about the increased amount of B2B spam I’m receiving. One message is not a huge deal and I just delete and move on. But many folks are using marketing automation to send a series of emails. These emails often violate CAN SPAM in one way or another.
This has been the law for 13 years now, I find it difficult to believe marketers are still unaware of what it says. But, for the sake of argument, let’s talk about CAN SPAM.

This message cannot be considered spam

Every once in a while I get spam, usually from a foreign country, that contains the (in)famous Murkowski statement.

Canada publishes updated proposed regulations for CASL

Based on initial feedback collected in 2011, updated regulations for CASL have been published by the Industry Canada. Interested stakeholders have until February 4, 2013 to comment on the proposed regulations.
Edit: to identify correct Canadian Govt Agency (Thanks, Neil!)

Canadian Anti-Spam Law

A few years ago, Canada passed an anti-spam law (CASL). In the time since then, the Canadian Radio-Television and Telecommunications Commissions (CRTC) have been working to establish the regulations to implement the law. Those regulations appear to have been published recently. Matt Vernhout, a email expert and Canadian citizen, published a link to the regulations and a summary of the rules.
There still doesn’t seem to be a firm date for when CASL will be enforced law. Matt says he’s hearing that the date will be around October. We’ll see if it slips from that.

SOPA and PIPA update

There is quite a bit of vocal opposition to the SOPA (Stop Online Piracy Act) making its way through the House of Representatives and PIPA (Protect Intellectual Property Act) making its way through the Senate. The opposition seems to have had an effect. I blogged about the bills late last year.
CNet reported today that the DNS provision was pulled from SOPA. This resolves one, but certainly not the only problem with SOPA. Also today, OpenCongress.org posted a letter from 6 co-sponsors of the Senate bill to Majority Leader Reid asking him to cancel the vote on PIPA.
Congratulations to everyone who worked so hard to make their voice heard by their elected representatives.

Political insanity with email

In one of the more boneheaded email related moves I’ve seen from a political group ever the Obama / Biden campaign has announced that people can go to their website, enter in the email address of a Republican friend, pay some money, and the campaign will send an email to your (soon to be ex-) friend on your behalf.

SOPA / PIPA

I’ve not mentioned anything about the Stop Online Piracy Act (SOPA) and it’s companion bill the Protect Intellectual Property Act (PIPA) that are currently making their ways through Congress. Both bills put a lot of obligation on the ISPs to stop bad traffic on the Internet. Unfortunately, it seems no one writing the bill asked anyone with technical or operational experience for input. Many of the obligations are going to significantly impact ISP functioning and will probably degrade service for users.
The Messaging Anti-Abuse Working Group sent a letter to congress yesterday (PDF link), outlining the issues with SOPA and PIPA. I found it explained the bills and the flaws much better than many other summaries.

New EU directives

The EU has published consumer protection directives. Members states have 2 years to implement and enforce these directives.
The interesting bit is this:

Fines for not honoring unsubscribes

Virgin Blue has been fined $110,000 by the Australian government for not honoring unsubscribes.

Canada passes anti-spam bill

Call it C-28, call it FISA, call it COPL, just don’t call it a pipe dream any longer.
Today the Canadian anti spam law received royal assent and is now law. ReturnPath is saying it will take effect September 2011, but that’s the only date I’ve seen published. The full text of the bill as passed by the House of Commons can be found at http://www2.parl.gc.ca/content/hoc/Bills/403/Government/C-28/C-28_3/C-28_3.PDF
It’s fairly dense and I’m still reading through the final version. Of critical importance for anyone marketing in Canada is that it sets requirements that commercial email be sent with the permission of the recipient. This is different from CAN SPAM here in the US which doesn’t require consent of the recipient, but allows anyone to send unsolicited email as long as it meets the standards set by the law.
CBC Story

Return Path blog post
CAUCE posts
Thin Data implementation guide

The dark side of email marketing

Everyone I talk to when dealing with issues inevitably has to tell me they are legitimate email marketers. They’re not spammers, they’re just business people. I often find it difficult to fathom why they need to tell me this. It’s not like email marketers are criminals or anything.
Two recent stories reminded me how evil some folks are. While I’ve not had any direct contact (that I know of) with any of the players on this end of things I have zero doubt that if they called me they would tell me that they were legitimate email marketers.
In one case, a members of a spam gang kidnapped the teenage daughter of someone investigating their activities. The gang held her for more than 5 years in horrific conditions. Yesterday Joseph Menn, author of “Fatal System Error” posted on Boing Boing that his friend got his daughter back. It is a heartbreaking story and incredibly sobering.
In another case, the Russian police arrested a man who ran spammit.com, a clearinghouse for viagra sellers to find spammers to send their mail. Reports say that mail volumes dropped by a fifth after the site was taken offline.
There is real evil in the email marketing industry. Sure, they’re spammers and we can all stand up and say they’re not legitimate. But, this is what the ISPs and Spamhaus and law enforcement are dealing with on a regular basis.

Click-wrap licenses again

Earlier this week ARS Technica reported on a ruling from the Missouri Court of Appeals stating that terms and conditions are enforceable even if the users are not forced to visit the T&C pages. Judge Rahmeyer, one of the panel members, did point out that the term in question, under what state laws the agreement would be enforced, was not an unreasonable request. She “do[es] not want [their] opinion to indicate that consumers assent to any buried term that a website may provide simply by using the website or clicking ‘I agree.'”
What does this have to do with email? Well, it means that reasonable terms in the agreements may still be binding even if the user does not read the full terms of the opt in before submitting an email address. In practical terms, though, there’s very little that has changed. Hiding grants of permission deep in a terms document has long been a sneaky trick practiced by spammers and list sellers. Legitimate companies already make terms clear so that users know what type of and how much mail to expect by signing up to a list. They also know that the legal technicalities of permission are not as important as meeting the recipients expectations.