Security

Minor Protection

Michigan and Utah implement child protection registries to keep inappropriate e-mail out of children's inboxes, and raise questions in the process.

November 4, 2005
Unsolicited, adult-oriented e-mail advertisements don't discriminate -- they infiltrate inboxes everywhere, even those of children unable to buy their wares.

In July, Michigan and Utah implemented new e-mail registries to keep e-mail advertisements containing adult content from reaching children. The registries are getting mixed reviews, largely because previous efforts to regulate online content were shot down.

In 2004, Congress asked the Federal Trade Commission (FTC) to investigate the feasibility of a national Do Not E-mail Registry. The FTC recommended against a national registry, citing security concerns and considerable enforcement challenges. Despite the rejection of a federal registry, Michigan and Utah decided to proceed with their own state registries.


Parental Control
Laws in both states prohibit sending e-mail solicitations about alcohol, tobacco, pornography or online gambling to any e-mail address on their registries.

"If children can't have access to it in the offline world, they can't have access to it in the online world," said Dennis Darnoi, chief of staff for Michigan State Sen. Michael Bishop, who pioneered efforts to introduce Michigan's child protection registry.

Utah Attorney General Mark Shurtleff likened the registry to a v-chip for the Internet. "It's simply a tool for parents," he said. "If parents don't want to receive material that's harmful or illegal for minors to have, then they simply say, 'I don't want it.'"

While signing up through the registry accomplishes this for them, not everything will be cut and dried, admits Darnoi.

"There will be things that do fall into the great gray category, and we're just going to have to figure that out as we go," he said. For example, there have been some questions about whether e-mail solicitations offering contracts should be included on the forbidden content list. "I suspect that, unless it is a clear-cut case, prosecution or charges are unlikely."

Shurtleff points out that compliance is not optional for companies marketing products and services that are inappropriate or illegal for children.

"If companies want to continue doing business [in Utah], they've got to 'scrub' their lists through the system so they don't continue to send material to those homes that say they don't want it," Shurtleff added.

This includes companies nationwide that perform any e-mail marketing containing adult content in the two states. Violators can face as much as three years in jail and up to $30,000 in fines.

But not everyone supports the registries.

A group of e-mail providers plans to sue the state of Utah, claiming the registry violates free speech, according to Shurtleff, who said the state is not worried and will continue to let people register. Ironically, Darnoi said the Michigan registry's strongest endorsement has come from the American Civil Liberties Union (ACLU), which testified on behalf of the bill. "They said if you're going to do something like this, this is the way you go about doing it."

E-mail marketing has been a useful way to get advertisements to the most contacts without paying. With the registries in place, e-mail marketers who want to market adult products or services in Michigan and Utah must pay a fee to scrub their lists against the registries to filter out registered e-mail addresses -- and the longer the list, the more costly it becomes.

In Utah, e-marketers pay the registry half of one cent per e-mail. In Michigan, the fee can be up to 3 cents per e-mail. The fees in both states are fed back to the registries to maintain and enforce them.


Scrubbed Clean
To comply with the registries, businesses must scrub their lists monthly, which they can do by visiting the Web site -- which works for both registries. Once businesses have been legitimately identified, an application is available for download on the site.

This downloaded application enables them to securely transmit their lists to both registries, created and maintained by Utah-based Unspam. Once scrubbed, the lists are automatically returned to businesses, altered to contain only those e-mail addresses not included in the registry.

"We're averaging that the scrubbing process right now is taking less than a minute to complete," said Unspam CEO Matthew Prince. "We have assured the state that we'll be able to do it in less than an hour at absolute full load, but we will continue to scale the system to ensure that responses are delivered back as quickly as possible."


We're Not Talking Spam
In 2003, Bishop introduced a bill proposing a Do Not E-mail Registry much like the national Do Not Call Registry, which would minimize unsolicited spam to e-mail addresses protected by the list. The "anti-spam" bill would have prevented mass spammers from sending any commercial e-mail to addresses on a list created and maintained by a third party.

The same year, Congress passed the national Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, which required e-marketer advertisements to include a clear subject line, an easy-to-find opt-out option, accurate header information and a verifiable physical address.

In addition, Section 9 of the CAN-SPAM Act requested that the FTC study the feasibility of creating a national registry because of the FTC's successful, nationwide Do Not Call Registry.

According to the FTC's report, presented to Congress in June 2004, "Spammers have demonstrated and continue to demonstrate that they will do whatever it takes to send out their UCE [unsolicited commercial e-mail] and will not police themselves."

Given the evidence of non-compliance, the FTC said it doubted the effectiveness of an e-mail registry. "Perhaps most tellingly, notwithstanding the CAN-SPAM Act, most spammers continue to disguise their e-mail to bypass filters and engage in obfuscatory tactics to conceal their identities," the FTC's report said.

This raises a question about how legislation can prevent mass commercial e-mails from reaching e-mail addresses belonging to minors if the senders can't be found.

"A lot of the undesirable material comes in spam, but not all of it does," said Anne Mitchell, president of the Institute for Spam and Internet Public Policy.

Therein lies the confusion, she said. Legitimate companies also send e-mails that may comply with the CAN-SPAM Act, but still contain adult content not suitable for children -- Playboy and Budweiser are just two examples.

"These are not laws about spam; they were never laws about spam," she said. "These are laws about exactly what they say they're about: keeping undesirable material away from kids -- which is actually a huge problem."

She used the analogy of laws preventing advertising to minors in print, on television and the radio -- stating that you'd never see an ad for Marlboro in Highlights, a magazine for children.


Double-Blind Security ... Or Is It?
The FTC's report said a national Do Not E-mail Registry raises serious concerns about security and privacy. When Michigan and Utah sought the ideal solution for their child protection registries, security was also a concern.

"We wanted to make sure -- absolutely certain -- that this technology would encrypt people's e-mail addresses so that it was secure," said Shurtleff. "We finally feel like we're there."

The technology uses a form of hashing -- called MD5 -- to take an arbitrary length of data and transform it into an unrecognizable 27-character code.

"You can take the complete works of Shakespeare, put them into the hashing algorithm and you'd get a 27-character long code. Or you could take a single letter, the letter Q for instance, put it into the hashing algorithm and you'd have a different, but the same length 27-character long code," explained Unspam's Prince.

"It's similar to your fingerprint," he added. "If I have your fingerprint, I can't tell how old you are, how tall you are, what color your eyes are -- I can't tell anything about you.

"But if you come back into the room and give me your fingerprint again, I can say, 'This is the same person who gave me a fingerprint in the past,'" Prince continued. "A fingerprint doesn't reveal anything about identity, it simply confirms identity, and that's the same way the hashing works."

Hashing is fundamentally different from encryption in that it can't be undone, Prince said. "There is no way to go from that output back to the original input, because data is literally lost in the translation."

The system is double-blind, so that both sides are hashed before being uploaded to the database, which not only protects the e-mail addresses of minors, but also protects the identities of adults on advertising lists who do wish to receive solicitations with adult content.

Bill McClellan, director of government affairs for the Electronic Retailing Association, wonders if this really is secure. Although McClellan said the registries don't affect the association's membership -- because most members have an opt-in system that only sends e-mails upon request -- he still has to keep the registries under consideration.

"Once I send over a list and it comes back scrubbed, I've got my old list and my new list, and you've just given me the addresses of all the children you want to protect."

The laws in both states cover this possibility.

"The system itself keeps the sender's list secret from the government, and keeps the government's list secret from the sender, except in those few instances where there's a match for a child's address. In that case, the sender is alerted and put on notice that if they continue to send materials to that e-mail address or otherwise distribute that e-mail address, then they will be in violation of the law," explained Prince.

For e-marketers already in compliance with the law, violating the law wouldn't make much sense. As for those who seek to discover the hashed e-mail addresses on the registries, "Throwing random data at the system is cost prohibitive," said Prince.
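The double-blind exchange described above, sketched as an added example (not Unspam's code and not part of the original article): each side hashes its own addresses with MD5 before anything is uploaded, and the registry compares only hashes. The trim-and-lowercase normalization, the hex encoding, the sample addresses and all class and function names are assumptions; the article names MD5 but does not describe the registry's actual format.

```python
import hashlib

def fingerprint(address: str) -> str:
    """Hash a normalized address; only this digest leaves its owner."""
    # Assumption: trim + lowercase, hex output (32 chars for MD5).
    normalized = address.strip().lower().encode("utf-8")
    return hashlib.md5(normalized).hexdigest()

class Registry:
    """Holds only fingerprints of registered (protected) addresses."""
    def __init__(self):
        self._hashes = set()

    def register(self, address_hash: str) -> None:
        self._hashes.add(address_hash)

    def scrub(self, submitted_hashes):
        """Return the submitted hashes that are NOT on the registry."""
        return [h for h in submitted_hashes if h not in self._hashes]

def sender_scrub(mailing_list, registry):
    """Sender side: hash locally, submit hashes, map results back."""
    by_hash = {fingerprint(a): a for a in mailing_list}
    allowed = set(registry.scrub(list(by_hash)))
    cleaned = [a for h, a in by_hash.items() if h in allowed]
    # Addresses dropped by the scrub: the sender necessarily learns
    # these, because it still holds its own original list.
    matched = [a for h, a in by_hash.items() if h not in allowed]
    return cleaned, matched

# Constructed sample data; every address here is made up.
registry = Registry()
for child in ["kid1@example.com", "Kid2@Example.org "]:
    registry.register(fingerprint(child))  # hashed before upload

marketing_list = ["adult@example.com", "kid2@example.org",
                  "other@example.org"]
cleaned, matched = sender_scrub(marketing_list, registry)
```

`matched` is the difference between the old and new list that McClellan describes: the sender learns which of its own addresses are registered, but nothing about registry entries that were never on its list.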


Future Solutions
An e-mail registry in two states might not be a big deal to comply with, but what about 50 disparate state registries across the nation? This could pose a significant challenge, Mitchell said, because the question then becomes how to charge a national company across multiple states and make it work.

"No state is doing something that is going to bankrupt any e-mail sender, but if you had 50 such processes, and they all cost a certain amount, it would become financially unfeasible for senders," she said.

The flip side?

"Every other model of business-to-consumer communication costs the business money, so for all these years the e-mail marketers have gotten away with almost a free ride, and they should be willing to bear the financial burden," Mitchell said. "And I don't believe there is any legitimate e-mail marketer out there that does not agree with that, but there's a point at which it becomes onerous."

McClellan added that a national standard could be the only way to do this successfully. "A patchwork of 50 different laws is impossible to reconcile," he said.

This does not seem likely in the near future, however, because there is no technology advanced enough to handle the scale of a national registry effectively, according to the FTC's report. "If technological developments remove the security and privacy risks associated with a registry, the Commission will consider issuing an ANPR [Advanced Notice of Proposed Rulemaking] proposing the creation of a national Do Not E-mail Registry," the report said.

Better e-mail authentication to track down the origins of all e-mail advertisements, better enforcement of the CAN-SPAM Act and better ISP filters might make a registry unnecessary, according to the FTC report.

For now, Mitchell said, other states will watch the registries to measure their effectiveness.

Sherry Watkins, Contributing Writer