application is available for download on the site.
This downloaded application enables them to securely transmit their lists to both registries, created and maintained by Utah-based Unspam. Once scrubbed, the lists are automatically returned to businesses, altered to contain only those e-mail addresses not included in the registry.
"We're averaging that the scrubbing process right now is taking less than a minute to complete," said Unspam CEO Matthew Prince. "We have assured the state that we'll be able to do it in less than an hour at absolute full load, but we will continue to scale the system to ensure that responses are delivered back as quickly as possible."
We're Not Talking Spam
In 2003, Bishop introduced a bill proposing a Do Not E-mail Registry much like the national Do Not Call Registry, which would minimize unsolicited spam to e-mail addresses protected by the list. The "anti-spam" bill would have prevented mass spammers from sending any commercial e-mail to addresses on a list created and maintained by a third party.
The same year, Congress passed the national Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, which required e-marketer advertisements to include a clear subject line, an easy-to-find opt-out option, accurate header information and a verifiable physical address.
In addition, Section 9 of the CAN-SPAM Act requested that the FTC study the feasibility of creating a national registry because of the FTC's successful, nationwide Do Not Call Registry.
According to the FTC's report, presented to Congress in June 2004, "Spammers have demonstrated and continue to demonstrate that they will do whatever it takes to send out their UCE [unsolicited commercial e-mail] and will not police themselves."
Given the evidence of non-compliance, the FTC said it doubted the effectiveness of an e-mail registry. "Perhaps most tellingly, notwithstanding the CAN-SPAM Act, most spammers continue to disguise their e-mail to bypass filters and engage in obfuscatory tactics to conceal their identities," the FTC's report said.
This raises a question about how legislation can prevent mass commercial e-mails from reaching e-mail addresses belonging to minors if the senders can't be found.
"A lot of the undesirable material comes in spam, but not all of it does," said Anne Mitchell, president of the Institute for Spam and Internet Public Policy.
Therein lies the confusion, she said. Legitimate companies also send e-mails that may comply with the CAN-SPAM Act, but still contain adult content not suitable for children -- Playboy and Budweiser are just two examples.
"These are not laws about spam; they were never laws about spam," she said. "These are laws about exactly what they say they're about: keeping undesirable material away from kids -- which is actually a huge problem."
She used the analogy of laws preventing advertising to minors in print, on television and the radio -- stating that you'd never see an ad for Marlboro in Highlights, a magazine for children.
Double-Blind Security ... Or Is It?
The FTC's report said a national Do Not E-mail Registry raises serious concerns about security and privacy. When Michigan and Utah sought the ideal solution for their child protection registries, security was also a concern.
"We wanted to make sure -- absolutely certain -- that this technology would encrypt people's e-mail addresses so that it was secure," said Shurtleff. "We finally feel like we're there."
The technology uses a form of hashing -- called MD5 -- to take data of arbitrary length and transform it into an unrecognizable 27-character code.
"You can take the complete works of Shakespeare, put them into the hashing algorithm and you'd get a 27-character long code. Or you could take a single letter, the letter Q for instance, put it into the hashing algorithm and you'd have a different, but the same length 27-character long code," explained Unspam's Prince.
"It's similar to your fingerprint," he added. "If I have your fingerprint, I can't tell how old you are, how tall you are, what color your eyes are -- I can't tell anything about you.
"But if you come back into the room and give me your fingerprint again, I can say, 'This is the same person who gave me a fingerprint in the past,'" Prince continued. "A fingerprint doesn't reveal anything about identity, it simply confirms identity, and that's the same way the hashing works."
Hashing is fundamentally different from encryption in that it can't be undone, Prince said. "There is no way to go from that output back to the original input, because data is literally lost in the translation."
The system is double-blind, so that both sides are hashed before being uploaded to the database, which not only protects the e-mail addresses of minors, but also protects the identities of adults on advertising lists who do wish to receive solicitations with adult content.
Bill McClellan, director of government affairs for the Electronic Retailing Association, wonders if this really is secure. Although McClellan said the registries don't affect the association's membership -- because most members have an opt-in system that only sends e-mails upon request -- he still has to keep the registries under consideration.
"Once I send over a list and it comes back scrubbed, I've got my old list and my new list, and you've just given me the addresses of all the children you want to protect."
The laws in both states cover this possibility.
"The system itself keeps the sender's list secret from the government, and keeps the government's list secret from the sender, except in those few instances where there's a match for a child's address. In that case, the sender is alerted and put on notice that if they continue to send materials to that e-mail address or otherwise distribute that e-mail address, then they will be in violation of the law," explained Prince.
For e-marketers already in compliance with the law, violating the law wouldn't make much sense. As for those who seek to discover the hashed e-mail addresses on the registries, "Throwing random data at the system is cost prohibitive," said Prince.
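The double-blind scrub described above, as an added sketch that is not Unspam's code: both sides upload only MD5 fingerprints, and the sender learns exactly the addresses that match, which is the disclosure McClellan describes. The address normalization, the 32-character hex encoding (the article describes a 27-character code), the class and function names, and the sample addresses are all assumptions made for illustration.

```python
import hashlib

def normalize(address):
    # Assumption: trim and lowercase so the same mailbox always hashes the same way.
    return address.strip().lower()

def fingerprint(address):
    """Fixed-length MD5 fingerprint; hex output is an assumption of this sketch."""
    return hashlib.md5(normalize(address).encode("utf-8")).hexdigest()

class Registry:
    """Registry side: holds fingerprints only, never plaintext addresses."""
    def __init__(self):
        self.hashes = set()

    def register(self, hashed_address):
        self.hashes.add(hashed_address)  # hashed by the registrant before upload

    def match(self, uploaded_hashes):
        # The registry sees only the sender's fingerprints and reports the overlap.
        return {h for h in uploaded_hashes if h in self.hashes}

def scrub(mailing_list, registry):
    """Sender side: hash locally, upload hashes, remove the matches locally."""
    local = {fingerprint(a): normalize(a) for a in mailing_list}
    hits = registry.match(local.keys())
    clean = [a for a in mailing_list if fingerprint(a) not in hits]
    flagged = sorted(local[h] for h in hits)  # addresses the sender is put on notice about
    return clean, flagged

# Constructed sample data on reserved example domains.
REGISTERED = ["kid.one@example.org", "kid.two@example.org"]
MAILING_LIST = ["adult.a@example.com", "Kid.One@example.org ", "adult.b@example.com"]

def demo():
    registry = Registry()
    for address in REGISTERED:
        registry.register(fingerprint(address))
    clean, flagged = scrub(MAILING_LIST, registry)
    # Old list minus scrubbed list: the same set the registry matched.
    before = {normalize(a) for a in MAILING_LIST}
    after = {normalize(a) for a in clean}
    return registry, clean, flagged, sorted(before - after)

if __name__ == "__main__":
    registry, clean, flagged, diff = demo()
    print("scrubbed list:", clean)
    print("sender is notified about:", flagged)
    print("old list minus new list:", diff)
```

Only the overlap crosses the boundary: the registry never receives the two adult addresses in plaintext, and the sender never learns about the registered address that was not on its list.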
An e-mail registry in two states might not be a big deal to comply with, but what about 50 disparate state registries across the nation? This could pose a significant challenge, Mitchell said, because the question then becomes how to charge a national company across multiple states and make it work.
"No state is doing something that is going to bankrupt any e-mail sender, but if you had 50 such processes, and they all cost a certain amount, it would become financially unfeasible for senders," she said.
The flip side?
"Every other model of business-to-consumer communication costs the business money, so for all these years the e-mail marketers have gotten away with almost a free ride, and they should be willing to bear the financial burden," Mitchell said. "And I don't believe there is any legitimate e-mail marketer out there that does not agree with that, but there's a point at which it becomes onerous."
McClellan added that a national standard could be the only way to do this successfully. "A patchwork of 50 different laws is impossible to reconcile," he said.
This does not seem likely in the near future, however, because there is no technology advanced enough to handle the scale of a national registry effectively, according to the FTC's report. "If technological developments remove the security and privacy risks associated with a registry, the Commission will consider issuing an ANPR [Advanced Notice of Proposed Rulemaking] proposing the creation of a national Do Not E-mail Registry," the report said.
Better e-mail authentication to track down the origins of all e-mail advertisements, better enforcement of the CAN-SPAM Act and better ISP filters might make a registry unnecessary, according to the FTC's report.
For now, Mitchell said, other states will watch the registries to measure their effectiveness.