FC: Politech members reply: ACLU's bulk mail was spam

[Declan McCullagh <declan () well com>]

[At least the ACLU has said consistently that most anti-spam laws suffer 
from First Amendment problems, so it can't be accused of hypocrisy here. :) 
More seriously, groups that deal with privacy should tread carefully when 
sending out bulk email to those who didn't explicitly request it. Previous 
Politech message: http://www.politechbot.com/p-04497.html --Declan]

---

Subject: RE: ACLU replies to Politech, says exposed email was not to
 members
Date: Mon, 24 Feb 2003 19:09:32 -0500
Thread-Index: AcLcYJHq1cFIjvApTOO5v2bgSZ/+twAAI7IA
From: "Kelly Talcott" <KTalcott () pennie com>
To: declan () well com

Oh, so none of the recipients actually asked for the ACLU to send them its 
newsletter, just as none of them asked for information about curing 
erectile dysfunction, working from home, curing credit ills, or performing 
strange acts with farm animals.  Do spam filters check for "civil 
liberties"?  And what do those of us concerned about the assault on our 
e-mail boxes do in the meantime?

Kelly D. Talcott

---

Date: Mon, 24 Feb 2003 16:29:05 -0800
From: Brad Templeton <bt () templetons com>
To: Declan McCullagh <declan () well com>
Cc: politech () politechbot com, EWHITFIELD () aclu org, jim.harper () privacilla org
Subject: Re: FC: ACLU replies to Politech, says exposed email was not to 
members
Organization: http://www.templetons.com/brad

On Mon, Feb 24, 2003 at 06:46:37PM -0500, Declan McCullagh wrote:
> Previous Politech message:
>
> "Whoops! ACLU exposes email addresses -- just like Eli Lilly?"
> http://www.politechbot.com/p-04494.html
>
> What, no double opt-in? :)
>
> -Declan
>

I have to say that you can't put a smiley face on there.  What the
ACLU did was indeed a spam.   Repurposing of mailing lists, though
of course very common in the postal service direct mail world, is
simply something that doesn't scale (or rather scales way too well)
in the E-mail world.

If I give you my E-mail address for some purpose, and you feel you
can pass it on for others to put on their mailing lists, our
mailboxes quickly become full of messages, even if they are not
offers of Nigerian money.  It is just too easy to send mail, there
is nothing putting any limit on it.

Sadly, even double opt-in is not enough.  Double opt-in is a defence
against people using mailing lists to annoy folks.  They submit
my name to a mailing list, with a forged mail from me, it makes
sense for the mailing list to confirm with me because of the
insecurity of the method by which my name arrived.

However, in this case, my name is coming from a reliable source.
There is little doubt that I gave my E-mail to organization A for
mailing list A.  The only doubt is whether I intended that to mean
that A could pass it around to other orgs and other mailing lists.

Problem is, I don't want a lot of mail saying "We found your name
at source X, can we add it to our mailing list about great Viagara
sources?"   Source X should be the one knowign that, and not giving
out my name unless it knows I am open to that.

I just can't see any way we can have mailing lists be repurposed
without the express consent of the owner of the mailing addresses
within them, without creating a bloat problem in our mailboxes even
from so called legitmitate mailers.   There are tricks you can
do (I give out a different address to each company so I can tell
if they do this, and they usually don't) but you should not have to.

When you give out your mailing address, it should be just for the
folks you give it to, and they should not had it out -- even to others
who want to query if they can add you to their list -- unless you
said that's what you want.

It's OK if _they_ mail you to ask if they can hand you out, and
hopefully do it only once.  You voluntarily entered into a relationship
with them, you have some market power over them.  But once they pass
out your name, you have little recourse.

I wish I could see a way to make it scale, but even the ACLU doesn't
get an exemption from this.   This is spam by all the definitions
and the ACLU should be paddled on the backside soundly for it.

---

From: "McCloskey, Bill"
To: "'declan () well com'" <declan () well com>
Subject: RE: Whoops! ACLU exposes email addresses -- just like Eli Lilly?
Date: Mon, 24 Feb 2003 14:44:39 -0600

Not the first time.  I have at home a nice list of all ACLU's Maryland
activists garnered from a TO: list from about two years ago.  I can say that
since I called them on it, it has not recurred.

Bill McCloskey
4709 Overbrook Road
Bethesda, Md. 20816-3029
301-652-7583
bmcclos325 () aol com

---

Date: 24 Feb 2003 19:21:28 -0500
Message-ID: <Pine.BSI.4.40.0302241703180.19770-100000 () tom iecc com>
From: "John R Levine" <johnl () iecc com>
To: "Declan McCullagh" <declan () well com>
Cc: "jim.harper () privacilla org" <jim.harper () privacilla org>
Subject: Re: FC: Whoops! ACLU exposes email addresses -- just like Eli Lilly?

> [ ACLU, having gotten the FTC to spank Eli Lilly for disclosing e-mail
>  addresses, makes exactly the same mistake ]
> Everyone who e-mails large groups is at risk for this kind of error.

Actually, I'm with the FTC here.  The problem is that people at both Lilly
and the ACLU appear to be confusing their Outlook address books with a
database.

>From a technical point of view, the addresses in the To: line of an e-mail
message have nothing to do with the actual addresses to which the mail is
sent.  (This is a deliberate and useful feature.)  Any sort of mailing
list management system, even the simplest freeware ones, never put the
list of recipients anywhere where it could leak into the message.  I
manage lists here with thousands of addresses using the freeware
Majordomo2 list manager, addresses have never leaked into messages, and
it's unlikely they'll ever do so.

If an organization has valuable mailing lists, it should treat them like
any other valuable data and manage them with software that's appropriate
to do the job.  The FTC was exactly right when it said that Lilly "failed
to maintain or implement internal measures appropriate under the
circumstances" and the ACLU was just as negligent.  This needn't involve
spending lots of money (or any money), but it does require a little
thought.

Regards,
John Levine, johnl () iecc com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"More Wiener schnitzel, please", said Tom, revealingly.




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------