This FTC report was prepared pursuant to the CAN-SPAM Act. The Commission concluded that without a technical system to authenticate the origin of e-mail messages, a Do Not Email registry would not reduce the amount of spam, and, in fact, might increase it.
The report stated that “spammers would most likely use a Registry as a mechanism for verifying the validity of e-mail addresses and, without authentication, the Commission would be largely powerless to identify those responsible for misusing the Registry. Moreover, a Registry-type solution to spam would raise serious security, privacy, and enforcement difficulties.” (p. I) The report added that protecting children from “the Internet’s most dangerous users, including pedophiles,” would be difficult if the Registry identified accounts used by children in order to help legitimate marketers avoid sending inappropriate messages to them. (p. I) The FTC described several registry models that had been suggested, and computer security techniques that some claimed would eliminate or alleviate security and privacy risks.
The FTC stated that it carefully examined those techniques — a centralized scrubbing of marketers’ distribution lists, converting addresses to one-way hashes (a cryptographic approach), and seeding the Registry with “canary” e-mail addresses — to determine if they could effectively control the risks “and has concluded that none of them would be effective.” (p. 16)
The FTC concluded that a necessary prerequisite for a Do Not Email registry is an authentication system that prevents the origin of e-mail messages from being falsified, and proposed a program to encourage the adoption by industry of an authentication standard. If a single standard does not emerge from the private sector after a sufficient period of time, the FTC report said the Commission would initiate a process to determine if a federally mandated standard is required. If the government mandates a standard, the FTC would then consider studying whether an authentication system, coupled with enforcement or other mechanisms, had substantially reduced the amount of spam. If not, the Commission would then reconsider whether or not a Do Not Email registry is needed.