Consumer Privacy 1997 -- Request to Participate, P954807 FTC Public Workshop on Consumer Information Privacy Session Two: Consumer Online Privacy June 11-12, 1997 David E. Sorkin I wish to participate in Session Two of the FTC Public Workshop on Consumer Online Privacy for the purpose of addressing issues of unsolicited commercial e-mail. Please refer to the enclosed Comment for the scope of my intended remarks. Professional Data Assistant professor at The John Marshall Law School in Chicago, associate director of the Center for Information Technology and Privacy Law, and faculty editor of The John Marshall Journal of Computer & Information Law. Courses taught in 1997 include Cyberspace Law, Information Law and Policy, and Consumer Law. Developer of The John Marshall Law School's world wide web site (since 1994), and chair of John Marshall's Web Publishing Policy Subcommittee. Member of the steering committee of the Illinois Privacy Council, a citizens' group dedicated to advocacy and education in the field of individual privacy rights. Program chair of Cyber://Con.97, a conference on governance and standards in cyberspace, to be held in Chicago on June 4-7, 1997. Selected Publications "Revocation of an Internet Domain Name for Violations of 'Netiquette': Contractual and Constitutional Implications," John Marshall Journal of Computer & Information Law (1997) (bench memorandum for a national moot court competition held in 1996; the "netiquette" breach involved unsolicited commercial e-mail). "Unsolicited Commercial E-Mail and the Telephone Consumer Protection Act of 1991," Buffalo Law Review (forthcoming 1997). Contact Information David E. Sorkin Consumer Privacy 1997 -- Comment, P954807 FTC Public Workshop on Consumer Information Privacy Session Two: Consumer Online Privacy June 11-12, 1997 David E. Sorkin(1)
Introduction Unsolicited bulk e-mail represents a rapidly growing problem on the Internet. It consumes increasing amounts of bandwidth and imposes a great burden on recipients and network service providers in wasted time and system resources.(2) Because of the negligible marginal cost of sending large quantities of e-mail, senders have little incentive to reduce the quantity of unsolicited e-mail or target their messages. Retaliation by recipients has caused senders to alter their tactics in some instances, but has done little to stem the tide of unsolicited messages. The near-universal interconnectivity of today's Internet is being jeopardized by blacklisting, labelling of "rogue sites," and imposition of the "Internet Death Penalty." Unsolicited bulk e-mail is likely to become a much greater problem absent effective regulatory or technical solutions. Bulk vs. Commercial E-mail Opponents of unsolicited bulk e-mail tend not to limit their criticism to messages that are commercial in nature. However, pragmatic considerations have caused many of them to urge that the "junk fax" ban in the Telephone Consumer Protection Act of 1991 (TCPA),(3) which prohibits unsolicited advertisements transmitted via facsimile machine, be amended to include e-mail.(4) A significant portion of unsolicited bulk e-mail is not commercial in nature. Bulk e-mail has been used to disseminate religious, political, and racist messages, none of which would fall within the TCPA. Furthermore, the definition of "advertisement" in the TCPA is so narrow that it does not even include many commercial messages. Another problem with this approach involves the circumvention that likely would result. Fax machines are manufactured to identify the sender and the sender's telephone number. Even if the sender defeats that mechanism, there are normally other relatively simple ways to trace the source of a facsimile transmission. It is easy to conceal or alter the source of an e-mail message, and it frequently is impossible to trace a message all the way back to its sender. Furthermore, the high cost of international telephone calls generally suffices to prevent fax advertisers from shifting operations to other jurisdictions, but no such barrier exists in the case of e-mail. Unsolicited bulk e-mail is potentially more burdensome than unsolicited fax advertising mainly because of the volume of messages, rather than because of the burden imposed by each individual message. It therefore is unnecessary to prohibit advertisers from sending individual unsolicited commercial e-mail messages; the harm arises from the quantity. If an advertiser has reason to believe that a particular consumer may have an interest in purchasing high-risk automobile insurance, for example, there is little harm (and perhaps great benefit) in permitting the advertiser to send a single message to that consumer concerning the availability of such insurance, even though such a message would violate the TCPA if transmitted by facsimile. (The benefit is perhaps even more obvious in the case of a single personalized noncommercial message.) But the difficulties involved in distinguishing between individual and bulk messages may make such a distinction impracticable. In any event, while e-mail advertising involves a cost-shifting phenomenon similar to that characteristic of facsimile advertising, expanding the TCPA to cover e-mail is not an prudent approach. Outright Ban vs. an Opt-Out System The TCPA's facsimile advertising ban is actually an "opt-in" system, in that advertisers are permitted to send faxes to persons who have requested them and those with whom the advertiser has a pre-existing business relationship. Most forms of direct marketing, however, use an "opt-out" system, in which an advertiser is permitted to transmit messages to recipients who have not affirmatively notified the advertiser of a desire not to receive messages. Bulk e-mail advertisers have urged that an "opt-out" system is appropriate for e-mail advertising, in part because of the relatively low cost involved in receiving an e-mail message, and the relatively high cost of obtaining advance consent from the recipient before an e-mail advertisement is transmitted. (The Direct Marketing Association's privacy principles for online marketing recommend such an "opt-out" system.(5)) In economic terms, "opt-in" and "opt-out" systems are merely two approaches to minimizing the transaction costs that would be incurred if advertisers were forced to ascertain every consumer's preferences concerning unsolicited messages. In an "opt-in" system, the default selection permits no unsolicited messages, and direct marketers consequently bear relatively high transaction costs. An "opt-out" system permits unsolicited messages by default, and the transaction costs are shifted to those consumers who do not want to receive unsolicited messages. The overall transaction costs are likely to be minimized if the default choice mirrors the true preference of most consumers, at least where a substantial majority of consumers share the same preference, be it "in" or "out." If most consumers are indifferent, an "opt-out" system is likely to be more efficient, because those consumers whose preference for not receiving solicitations is sufficiently strong will affirmatively opt out. However, if a form of direct marketing places significant costs or other burdens on consumers (such as telemarketing or unsolicited facsimile advertising), then an "opt-out" system is unlikely to be efficient: the costs borne by consumers (both those who do affirmatively opt out and those who do not) are likely to exceed the net savings to advertisers. The same conclusion holds when the marginal cost to advertisers is so small that it does not serve as an effective constraint upon the volume of solicitations, even if the burden imposed by each individual message is insubstantial, because the cumulative burden on consumers is likely to exceed the benefit to advertisers. Similarly, if relatively inexpensive alternative means of communication are available to advertisers, then an "opt-in" system may be more efficient because the burden on consumers may be less than advertisers' cost of shifting to such alternatives.(6) An "opt-out" system is not an appropriate solution to the unsolicited e-mail problem. Although the cost of receiving a single e-mail message is relatively low, the cost and burden involved in receiving a very large number of unsolicited messages may be quite high, and the low marginal cost of sending e-mail messages makes such a result quite likely. This low marginal cost creates a disincentive for advertisers to target relevant audiences rather than sending messages indiscriminately. In addition, the subject matter of most e-mail advertising to date has been questionable, and there is little reason to believe that this will change, even if unsolicited e-mail is legitimized by law.(7) These facts, together with the likelihood that the volume of unsolicited messages will continue to increase over time, suggest that the true preference of virtually all consumers will be not to receive unsolicited e-mail. This true preference should be reflected in an "opt-in" system for e-mail advertising -- in effect, a ban on unsolicited e-mail. There are two general types of "opt-out" systems: company-specific exclusion lists, and universal exclusion lists. The former makes sense where there are a relatively small number of advertisers (for example, where most solicitations involve parties within a limited geographic area, or where there are high barriers to entry into the market), and possibly where consumers are likely to desire to receive some types of unsolicited advertisements but not others. Because of the ephemeral nature of online marketing, however, company-specific exclusion lists are virtually meaningless. Even now, when compliance with "opt-out" standards is entirely voluntary, many e-mail marketers claim that they are engaging in a one-time mailing, and therefore have no reason to maintain an exclusion list.(8) If exclusion lists are mandated, many advertisers may simply reconstitute themselves as a new entity each time they send out a round of solicitations. A universal exclusion list for unsolicited e-mail advertising would have its own problems. Several organizations have already begun to develop such lists, only to find that some advertisers have co-opted the list by intentionally sending advertisements to those whose e-mail addresses appear on the list.(9) Internet service providers could be required to maintain exclusion lists of their own subscribers -- an advertiser wishing to send messages to America Online subscribers would therefore need to match its mailing list against the exclusion list maintained by America Online, for example -- but the sheer number of service providers, and the small size of many of them, make this an equally impractical solution. Because there is no central directory of e-mail addresses (and because e-mail addresses tend to change frequently), it would be very difficult to construct an e-mail exclusion system analogous to identifying telemarketing objectors with asterisks in a telephone book. An "opt-out" system -- whether company-specific or universal -- is not a satisfactory solution to the unsolicited e-mail problem. Labelling and Filtering One middle-of-the-road approach to the problem is to require unsolicited commercial e-mail (or some variation thereof) to bear a label or tag identifying it as such. Much of the burden involved in receiving unsolicited e-mail results from the difficulty in readily identifying it. It may be more difficult to identify an unsolicited e-mail advertisement than to identify a telemarketing call or direct mail advertisement. Furthermore, while a typical consumer might receive five to ten pieces of junk mail in a single day, accompanied by one or two pieces of personal correspondence, an online consumer's electronic mailbox might well be flooded by hundreds or thousands of e-mail advertisements within which a single personal e-mail message is buried like a needle in an electronic haystack. A labelling standard could reduce or eliminate the burden imposed directly on individual consumers. Such a system could be designed to enable consumers to filter advertisements based upon specific content as well as simply distinguishing among bulk, commercial, unsolicited, personal, and similar categories of correspondence. E-mail software generally would have to be upgraded to enable such filtering, though large providers such as America Online should be able to provide such a capability for their users on a systemwide basis. Yet there are several problems with labelling as a solution to the unsolicited bulk e-mail problem. First, a significant part of the problem lies in the bandwidth demands that bulk e-mail places on network service providers -- a cost generally not realized by senders. Any official legitimization of unsolicited e-mail is likely to frustrate the efforts of service providers to address these bandwidth concerns. It is conceivable that a labelling protocol could be devised that would alleviate the bandwidth problem, but most of the labelling systems proposed to date merely enable filtering by the ultimate recipient. Second, e-mail advertisers clearly have an incentive to defeat or circumvent any labelling system that makes it possible for most recipients to delete their advertisements unread. And third, a government-mandated labelling system might well inhibit the development of more advanced protocols, such as methods for negotiating terms or payments interactively between sender and recipient. A voluntary labelling system could address some of these problems, provided it incorporates a means of filtering noncompliant messages. If e-mail software were configured to accept only messages bearing a legally binding representation that they were not unsolicited bulk e-mail, for example, a sender would have to actively misrepresent the nature of a message for it to get through. Such an approach has its own costs, of course, such as having to bounce back or delete all non-bulk messages not bearing the required representation at the recipient's end, and presumably upgrading all e-mail software for both senders and recipients. But it has the advantage of not providing official approbation for unsolicited e-mail, and potentially provides consumers with much more control than would a mandated labelling scheme. Jurisdictional Considerations If a governmental solution is to be mandated, either by legislation or regulation, it is important that the requirements imposed in different jurisdictions be consistent. This is particularly true for electronic mail (more so than for other forms of advertising) because of the international reach of the Internet and, more specifically, the difficulty involved in ascertaining the physical location of the recipient of an e-mail message. America Online is headquartered in Virginia, for example, but a consumer with an AOL address might be a resident of Nevada, New York, Canada, or Great Britain. An e-mail address only rarely provides a remote correspondent with reliable information regarding the addressee's location. One of the major problems with Internet regulation is the least common denominator effect: whatever jurisdiction enacts the most stringent requirement effectively sets the standard for all conduct everywhere (provided the jurisdiction has the resources and authority needed to enforce its rules). A statute prohibiting certain political speech enacted by a country in Europe or Southeast Asia is unlikely to affect most U.S. citizens -- even those who engage in such speech on the Internet -- if only because they have little to fear from such remote jurisdictions. But a Connecticut statute prohibiting unsolicited commercial e-mail to residents of that state may have an effect on companies anywhere in the country. Inconsistent regulations or labelling standards might pose an even greater danger. States or other countries(10) might well adopt labelling standards inconsistent with one another (such as tags required to appear in the subject line of a message), leaving senders unable to comply simultaneously with all potentially applicable standards. Sender identification requirements, exclusion list ("opt-out") systems, and consent ("opt-in") protocols could further complicate the situation absent internationally recognized standards. The DMA's Proposals The most widely-publicized recent proposal concerning unsolicited e-mail is that set forth as part of the Direct Marketing Association's online marketing principles. The DMA recommends what amounts to a virtually useless, voluntary, company-specific "opt-out" system. The DMA suggests that e-mail advertisements should be clearly identified as solicitations, but illustrates this with an example indicating that a recipient may have to read the entire first paragraph of a message in order to recognize it as a solicitation.(11) As of April 1997, the DMA is soliciting proposals to develop a universal exclusion list -- an E-mail Preference Service analogous to the association's telephone and mail preference services. For the reasons already discussed, however, even a mandatory universal exclusion list would not be an effective solution. The only advantage of the approaches recommended by the DMA is that they do not involve any governmental legitimization of unsolicited e-mail. Conclusion Unsolicited bulk e-mail is a major problem, and one that is likely to get worse. A legislative ban on unsolicited e-mail, or some variation thereof, could be an effective means of addressing the problem, but only if the legislation is adopted in similar or identical form in every relevant jurisdiction. Governmental regulation that stops short of a complete ban would serve merely to legitimize unsolicited e-mail and is likely to make the problem worse. Voluntary labelling schemes, "opt-out" systems, and other technological and market approaches are woefully incomplete, but at least they leave the door open for future solutions and avoid legalizing unsolicited e-mail. Respectfully submitted, ____________________________ 1. Assistant Professor of Law and Associate Director of the Center for Information Technology and Privacy Law, The John Marshall Law School, 315 South Plymouth Court, Chicago, Illinois 60604; telephone (312) 987-2387, fax (312) 427-9974; e-mail david@sork.com. 2. . Recipients must spend time downloading and sorting incoming messages. Even for those with so-called "flat-rate" Internet access (which usually does have a cap), there may be per-minute long distance or local measured service charges for the telephone call. The extra time required to download messages also represents a burden upon to the consumer, and makes the consumer's telephone line temporarily unavailable for other purposes. In addition, some providers charge for disk storage space, and others will bounce back or even delete without notice messages received when the space allocated to a user's mailbox is exhausted. Network service providers also bear costs associated with receiving unsolicited e-mail on behalf of their customers. Their bandwidth is used to receive such messages, and their computing facilities are used to store the messages, at least until they ultimately are retrieved by the recipient. They also may end up providing substantial support to the recipient, who may threaten to switch to a competitor unless the provider assists in blocking or filtering unwanted messages. 3. . 47 U.S.C. § 227(b)(1)(C) (1994). 4. . Some commentators have argued that the imprecise definition of "telephone facsimile machine" contained in the TCPA should be construed to include a personal computer that receives e-mail messages via modem, though the chances of such a theory prevailing are dubious. See David E. Sorkin, "Unsolicited Commercial E-Mail and the Telephone Consumer Protection Act of 1991," Buffalo Law Review (1997) (forthcoming); and Mark Eckenwiler, "Just the Fax, Ma'am," NetGuide, Mar. 1996, p. 37. 5. . Direct Marketing Association, Marketing Online: Privacy Principles and Guidance (March 1997) (available from the Direct Marketing Association, Inc., (202) 955-5030). 6. . In fact, advertisers are very likely to respond to the imposition of an "opt-in" system by shifting to other forms of marketing. In the online context, an advertiser might shift from sending unsolicited e-mail to hosting a site on the World Wide Web as a means of making initial contacts with consumers, and might attempt to attract consumers to the web site by placing banner advertisements on other web sites or by advertising the site's location in traditional print or broadcast media. 7. . Chain letters, multi-level marketing schemes -- frequently themselves involving bulk e-mail -- and advertisements for sexually-oriented web sites are typical examples; few truly legitimate businesses seem to be advertising via unsolicited e-mail. 8. . This practice may be motivated in part by policies established by advertisers' network service providers, requiring repeat e-mail advertisers to maintain exclusion lists. More likely, however, it probably results from a desire not to supply a valid return e-mail address for responses and complaints. 9. . An alternative method (one that has also been attempted, albeit unsuccessfully) is for a trusted third party to maintain a confidential exclusion list, which it would use to "cleanse" mailing lists submitted by advertisers. Advertisers could still ascertain whether specific names appeared on the exclusion list, however, and the administrative burden involved in such a process would likely be prohibitive. Furthermore, most advertisers would probably be hesitant to provide their own mailing lists to a third party without adequate safeguards protecting the information from competitors. The U.S. Postal Service maintains a list of individuals who desire not to receive sexually oriented advertisements, and advertisers planning to mail such materials must purchase a copy of the list. Use of the list for any other purpose is prohibited by law. A similar system could be implemented for e-mail advertising, but at substantial financial and administrative cost. 10.. Because the Internet is an international network, federal pre-emption of state legislation will not solve the problem of jurisdictional variations. International cooperation is necessary here, just as is being seen in the case of administration of the top-level Internet domain name system. 11. . Direct Marketing Association, Marketing Online: Privacy Principles and Guidance, p. 7 (March 1997). |