Re: Another sad proof of why the industry can't handle the UCE issue
- Date: Fri, 22 Oct 1999 16:36:34 +0100
On Fri, Oct 22, 1999 at 01:54:48PM +0200, Paul Wouters wrote:
> >
> > ... but "you can never mail me, ever" sets some uncomfortable precedents
> > of its own.
>
> Actually, it' very comfortable. If you do as that user told you when it chose
> the opt-out. It would in fact be an excellent reason to entice people to opt-in.
> "Sorry, but you choose the opt-out, don't blame us now".
If we try to make the issue too complex, we are much, much more likely
to be held to random with a "Do you want to receive ANY mails from
us ever, marketing or otherwise? Yes/No". Network Solutions have already
committed this sin.
> This is a fairly direct contact. You know your customer. Most UCE is sent
> by indirect contact or address harvesting with no prior contact at all.
> Example 1 is not an issue. First, you will dictate that to become a client or
> user, you must provide an email address for network-issues. Second, as long
> as you don't announce outages every day, they won't consider this spam.
> (and in the latter, they will be too busy to complain about the outages to worry
> about spam :)
That sounds awfully like a decision based on content to me :) :)
Regarding the two ways out (either don't take email addresses or give the
extra option of "only really important email"): what worries me more is
when someone tries to stretch this above example. HEAnet has a grand total
of about 30 separate clients - great, no problem. What about one of the
corporate ISPs? What about one of the home ISPs? What about Netscape
or Microsoft or RealNetworks?
Is "there is a new version of RealPlayer" important information for a
customer of RealNetworks? You'd be amazed how many of their "customers"
(and their sysadmins) are sick of getting their updates. We're have
acquaintance spam, through the back door.
From a legal perspective, we find ourselves at the other extreme.
The IE Domain Registry is prevented from publishing a WHOIS database
because (by my understanding) our otherwise-excellent Data Protection
Act both prevents them from publishing their existing database, and
prevents them from requiring customers to allow them to publish contact
data.
> > e.g.2: A while ago an important FTP server was hacked (can't remember
> > which) and in the day or so it was compromised several dozen people
> > downloaded a backdoored version of the software there. The maintainer
> > contacted the people who left their email addresses to let them know
> > what happened - and, unbelievably, got spam complaints.
>
> (I guess you mean wintue). Well, that is plain silly. Perhaps a clearer
> notification of the option "supply email as password" is needed in some ftp
> clients. Perhaps these were automated spam detectors, and the mail got sent
> in a way that identified it as spam (eg bcc:ed list)?
Actually, someone else identified this one: it was tcp_wrappers (thanks).
The correct answer is clear enough: the whole point of giving one's email
address as password is so that one can be contacted if problems come to
light at a later stage. This was absolutely correct use of a little-used
feature.
The problem is that some people have an attitude that the mailbox
is sacrosanct (which it is) and that no one should use it without
explicit permission (which is semi-reasonable) and that they
didn't consider that that is what the email-address-as-password
is for - therefore the ftp admins were spammers (which they
weren't).
> One should never
> base the decision of a certain email being UCE or not on content. Because then you're censoring.
> Rejection of email should be based on distribution issues, not on content.
Yes yes yes yes yes - but. If this were ordinary bulk UCE, I'd agree
completely, but this is abuse of a supplier-customer relationship,
one where the defense is based on the content of the message ("this
is an important issue about software we know you're using" vs. "we
thought you might like to know about XYZ addon only $49.95"), and
so the judgement must take that into account. Whether that relationship
is being abused is between the supplier, the customer, and the RBL.
> But it's not a solution. It is a better then nothing approach. As carrier, I don't want to
> need to consider what is marketingspeak and what is not. Also, the RBL isn' guarenteed
> survival.
Maybe, but it's our last bastion before decending into the equally
unrealiable world of legal solutions, and it's not broke yet!
We should work toward a useful legal solution, but right now it's
50-50 as to whether it comes out in our favour, or the marketers'.
Self regulation (and, closely related, public humiliation) isn't dead
yet. We should use wherever we can until it dies, or until we win.
Regards,
Dave