FTC: Consumer Privacy Comments Concerning Tigerden Internet Services--P954807
1 June 1997
Subject: Consumer Privacy 1997 -- Comment, P954807
Enclosed are six copies of the Internet Service Providers' Consortium (ISP/C) Policy Statement on Spam (Unsolicited Commercial E-mail) provided for the upcoming Privacy Workshop, submitted at the request of Ms Martha Landesburg. The policy is also provided as an ASCII file on the enclosed floppy disc.
I have already been selected as a participant on the Session Two panels. I am also the Ohio Area Representative for the ISP/C and have received its board of directors' approval to speak on their behalf. The enclosed documents set forth their basic position on the issues for that panel.
ISP/C Policy Statement: Spam
FOR IMMEDIATE RELEASE
DALLAS, TEXAS, May 15, 1997: The Internet Service Providers' Consortium (ISP/C), an international trade association of Internet service providers, announced today the formulation of a policy position regarding junk e-mail, also referred to as "unsolicited commercial email" (UCE) and pejoratively called 'spam' by Internet users.
"Unwanted junk mail is an area of true consumer aggravation, and we believe it's also a detriment to our members' businesses which must be aired to the public," said Deb Howard, ISP/C president. "We feel our position will benefit both consumer and provider through advocacy of an 'opt-in' policy which will ensure users receive only email which they specifically request," she added.
The ISP/C position, which the ISP/C hopes to air at the upcoming June FTC Privacy Workshop, highlights the cost which receiving providers and their end users now pay for UCE. It also emphasizes the need for any evolving plan or regulation regarding UCE to address the cost-shifting issue. "Neither providers nor end users should be expected to subsidize a marketer's advertising costs by having to pay the price of 'postage-due' advertising e-mail," commented Tim Brown, Chair and Founder of the ISP/C board.
The position document is reproduced below.
======ISP/C Position on Unsolicited Commercial E-Mail=========
The Internet Service Providers' Consortium (ISP/C) recognizes that the sending of large numbers of unsolicited electronic messages, also known as e-mail spam, is a growing problem causing widespread difficulties on the Internet.
The ISP/C, in its continuing commitment to promote responsible network use, is opposed to the sending of unsolicited commercial electronic (UCE) messages for advertising or marketing for the reasons outlined in this position document.
Unsolicited e-mail advertising is often an annoyance to the end user, and may cause the user to incur additional connection costs to retrieve their mail. UCE also places a very real cost on Internet Service Providers and their businesses which, in turn, is reflected in higher user cost for service.
Most importantly, if the trend of increasing quantities of UCE continues, it will render the Internet e-mail system unusable as a tool for personal and legitimate business communication by crippling this communication. This threat to e-mail's utility is reflected in the deafening cry by users to limit the amount of junk mail they receive, by whatever means possible, including legislation if necessary.
Because the Internet is a monument to international cooperation and shared technology, the ISP/C would prefer to see as little government intrusion by legislation as possible. It is the ISP/C position that the Internet should be self-regulating to the maximum extent, and thus we believe ISPs should address this issue to minimize the need for government involvement. However, the ISP/C realizes that legislation may indeed be necessary to curb the pernicious growth of the spamming industry.
Currently, no legislation directly governs the use of unsolicited e-mail messages as a form of direct marketing. However, at least four U.S. states have recently introduced bills into their legislatures which attempt to ban or regulate commercial e-mail on the Internet. There is also some Internet user support for amending the existing US Federal 'junk fax law' to explicitly include e-mail in its prohibition of unsolicited advertising transmissions.
As should also be recognized in the case for junk email, the U.S. junk fax law exists in recognition of the unethical cost-shifting nature of advertising which forces the receiver to pay a significant portion of an advertising campaign's cost. For UCE, the cost borne by thousands or millions of recipients vastly outweighs the cost to the sender. Because the cost of UCE which the receiving provider and the end user pays represents a forced subsidy of the sender's advertising campaign, the ISP/C considers UCE to be an unethical, irresponsible advertising technique, despite lack of current specific legal prohibition.
Costs borne by the receiving ISP can be broken down into two areas: technical cost, and administrative cost. Ultimately, these costs must be passed on to customers as higher service charges.
UCE direct technical costs borne by the receiving ISP include network bandwidth used, disk storage space consumed, and processing time needed to forward the messages, perhaps after filtering, to the end user. Although the cost for a single UCE message may be small, when messages to be processed swell into the thousands or millions, that cost becomes both significant and burdensome. If UCE quantities continue to rise, providers will face additional equipment expenditures to handle the UCE load.
A more pernicious form of technical cost to an ISP is incurred if the provider is used as a 'mail relay'. Spammers have increasingly exploited the cooperative nature of mail servers to exchange and forward mail. Spammers do this either to add additional obscurity to the origin of the mail, or to take advantage of the higher server capacity at other locations in order to send many more UCE messages than could be handled by the spammer's own server or low bandwidth connection alone.
Many spammers are running their business on low cost machines over low speed connections to the Internet. Since they need to reach a large number of people for their tactics to be successful, they will use other companies' mail servers as relays to do the actual work of delivering the mail to their targets. This is so that the spammer does not need to spend their own money on expensive equipment and lines, but instead piggybacks off of other people's resources. This is a form of cost shifting which has been categorized as theft of services, and trespassing by people who have been a victim of having their mail servers used.
In this scenario, the targeted relay machine must labor to take a single message and explode it into the thousands of copies which it must try to deliver to designated addressees. Such exploitation, almost always without the targeted provider's permission, slows the relaying server, making it sluggish and unresponsive, and, in some cases, may result in a system crash which could damage critical files when the system is subjected to a load it wasn't designed to handle.
Overloads and system performance degradation are made even more likely by the large number of undeliverable addresses typical in UCE address lists which cause large quantities of mail to bounce back. In many cases, the relay ISP also gets massive complaint mail and sometimes falls victim to retaliatory measures, such as mailbombing, taken by angry recipients of the unwanted UCE.
(To clarify, mailbombing is when individuals send repeated messages, and/or messages with large file attachments, in an attempt to get the attention of, or even cripple, the mail server the user feels has sent the offending spam. Unfortunately, because of the exploitation by the UCE's true sender, more often than not, such mailbombing affects only innocent parties who were not responsible for the junk mail in the first place.)
UCE also causes higher administrative cost for technical personnel and customer service. When a customer complains of getting unwanted mail, time must be spent to trace the source of the mail and take appropriate action to answer the complaint.
Because most responsible ISPs already prohibit the practice of sending UCE in their Acceptable Use Policies, there is a growing trend by UCE senders to attempt to avoid account cancellation or other punitive measures. One method is to employ mail header forgery to attempt to disguise the source of the mail. These 'stealth' mailer techniques are rarely successful, but do impose additional manpower costs to analyze the situation and isolate the abuser. For some providers, a full time administrator may be assigned to handle abuse complaints; for others, it may be an entire department.
Additional system administrative cost occurs because ISPs must continually pursue software upgrades and patches to tighten system security to thwart increasingly sophisticated spammer exploits. One example is the recent upgrade to 'sendmail' which many ISPs have had to implement to avoid being exploited as a mail relay site by spammers. Such measures are not trivial in nature, and may result in an interruption of service as the upgrades are installed.
In addition to system software upgrades, Internet providers attempting to perform mail filtering face a continual job to modify the filter parameters to compensate for the ever-mutating forgery and evasive techniques spammers employ. The result is a continual, expensive "cat-and-mouse" game with spammers.
The ISP/C regards the cost of UCE in the case of misappropriated system capacity and resources by spammers as outright theft of service. Assets used by the spammer for their own commercial gain are rendered unavailable to the paying customers of the ISP.
To avoid being continually subjected to this theft, ISPs are increasingly blocking known spamming domains by tuning mail server software, mail filtering, or packet blocking at network routers. These efforts require personnel, time and money, all of which would be better spent assisting paying customers in other ways.
For all the reasons above, the ISP/C finds UCE spamming unacceptable on a cooperative Internet. The ISP/C believes that responsible ISPs and NSPs should include clauses in their user policies which forbid unsolicited commercial mail spamming from their network and from networks buying connectivity service from them.
Various proposals have been proposed to mitigate some of the negative aspects of unsolicited commercial mail while still allowing the practice. Most of these proposals involve either some form of filtering at the receiving end, or require the end users to place themselves on 'remove' lists, 'don't mail' lists or otherwise to take specified actions to 'opt-out' of getting additional unwanted mail. All of these proposals examined thus far fail to address the cost which the receiver ISP or end user must bear.
The system and manpower costs of filtering and keeping filters up to date have been discussed earlier.
In the case of 'opt-out' schemes, the end user still must endure, and pay for, receiving the initial mailings, which could be hundreds per day as more and more UCE senders arrive on the scene. Additionally, experience has shown that 'remove' lists are rarely honored, or removed names re-appear as new mailing lists are obtained or generated.
There has also been a significant rise in 'one-time' mailings which the sender claims won't be repeated. Likewise, the technology of 'don't mail' lists will not be used by the unscrupulous spammer who sends a fraud or scam mailing.
An alternative approach, 'opt-in', is already gaining acceptance by marketers who offer users the opportunity, through web pages, to select categories of subjects about which the user would be interested in getting advertising mail. Such mail then becomes *solicited* rather than UCE.
This approach eliminates the burden of receiving large quantities of unwanted mail by both provider and user alike. It also frees network resources from being burdened with large amounts of useless traffic. Importantly, this also targets lead generation for the marketer to achieve greater success for their marketing campaign as well by mailing only to those who are interested in their product or service.
For these reasons, the ISP/C supports a strict 'opt-in' approach whereby the end user receives only advertising mail which they have explicitly asked to receive. The ISP/C believes the burden of proof that a mailing is going to willing recipients must be borne by the sender.