Don't be fooled by the flag waving. eWEEK security expert Larry Seltzer warms the so-called National Anti Spam Registry is a wolf in sheep's clothing.One interesting e-mail that recently found its way into my inbox was from an organization calling itself the "
National Anti Spam Registry." The site is filled with American flags and the Statue of Liberty and references to the recently-signed and about to go into effect federal CAN-SPAM act.
As I wrote in my recent analysis of that law, CAN-SPAM calls in Section 9 for a report by the FTC to relevant congressional committees to set forth a plan for "a nationwide marketing Do-Not-E-Mail registry." This report would include an analysis of potential problems with such a list (and boy, would there be a lot of problems); and also specifically deal with children's e-mail accounts.
The legislation also specifically mentions that the registry is not to be implemented less than 9 months after the enactment of the act. It's scheduled, I believe, for January 1, 2004, meaning that October 1, 2004 is the earliest that we could see its "nationwide marketing Do-Not-E-Mail registry."
So now the NASR appears. If it's not the registry envisioned by the new law, what is it?
Despite the flag waving, its authenticity is difficult to determine. The site is filled with misspellings and grammatical errors. Some of what the site claims to do is plainly phony, some of it tempting, but suspicious, and some of it is impenetrable gobbledygook.
But who is behind the National Anti Spam Registry? The only contact information on the page, apart from a few e-mail addresses, is a postal box in Hammond, La. Much more interesting is the Whois information for nationalantispamregistry.com. The addresses for all the contacts is in Tonawanda, N.Y., which is on the Niagara river just north of Buffalo.
On closer inspection, the zip code looks wrong (in fact, it's not a valid zip code), and there doesn't appear to be a street with that specific name from the record in Tonawanda.
Now, it's not illegal to put inaccurate information in Whois records, and it's arguably a wise thing to do, but it's suspicious from an organization trying to engender trust in the public. The phone contact is a Hammond number.
The FAQ and other descriptions describe a service that sounds vaguely like a centralized opt-out facility. One major criticism of the law is that it doesn't mandate opt-in relationships, but rather mandates that marketers honor opt-out requests. So the idea of the NASR is that you register with them and they handle all the opt-outs.
At the same time, it's hardly clear that such a thing is possible; unless you grant the National Anti Spam Registry control over your mail account, it would be difficult indeed to do what they appear to be claiming to do.
Besides, this plan assumes that the opt-out will be honored. The NASR "How to avoid spam" page itself says "If you are receiving junk email NEVER respond to them and NEVER request to be removed, you are just confirming to the spammer that your email is active." So how will this company opt-out for you without having the same problem?
The site also says "you can register your email address free to be submitted to the F.T.C and be included in the National Do Not Email registry." Guess what: when there is such a registry you will be able to register your address yourself, almost certainly for free, and in all likelihood third parties won't be able to register you.
This pitch, in particular, reminded me of the first spam on Usenet years ago. It came from a lawyer offering to help people register for the green card lottery, which can be done for free, directly by individuals.
As I recall, there was quite a stink that someone had posted off-topic messages on a newsgroup! It seems so quaint now, but eventually Usenet was ruined by such people, just as they are now trying to ruin Internet e-mail. The FTC recently shut down such an operation that posed as a government agency.
Next Page: The Interview And The Punch Line
So I called the phone number from the Whois record to ask the Registry what was up. Surprise—an actual human being answered, took a message and said that the NASR would call me back later that day.
Of course, I didn't hear from them again. Looks like the information we get about the NASR will have to come from their site, for what little that's worth.
The real fun begins when you read the site's privacy policy. I suppose it's just a stock privacy policy on which they did a search-and-replace. For example, there are places in it where there obviously should be an active link, but there's only plain text.
In any event, you'd expect an anti-spam registry to be sensitive about the use of private information, such as, just for example, your e-mail address. Instead, it appears that private information can be passed around to strangers and their friends, as long as they become part of the "National Anti Spam Registry group."
Here's the text in question:
"By providing National Anti Spam Registry with your personally identifiable information, you authorize National Anti Spam Registry to internally share that information with other companies in the National Anti Spam Registry group, including companies that become part of the National Anti Spam Registry group in the future. You can see a current list of National Anti Spam Registry companies here: www.nationalantispamregistry.com."
"Any company in the National Anti Spam Registry group (including National Anti Spam Registry) is authorized to share your personally identifiable information with any other company of the National Anti Spam Registry group for the following purposes: to manage, administer, provide, expand and improve the existing National Anti Spam Registry group products and services, and to offer new products and services; to adapt such products and services to your tastes and preferences; to send service updates to National Anti Spam Registry users; to send, by traditional and/or electronic means, technical, operational and commercial information relating to the products and services offered by the National Anti Spam Registry group or through any of the sites operated by the National Anti Spam Registry group, currently and in the future; and to send you survey forms, which you are not required to fill in."
"Of course, National Anti Spam Registry and the National Anti Spam Registry group companies will always give you the option to opt out of receiving any information or notices as described above, other than legal notices and other notices that are necessary to the functioning of the Products and Services, during the time that you are using the Products and Services or maintain an active registration with the National Anti Spam Registry Corporation. Companies in the National Anti Spam Registry group may have a physical address in a foreign country. In any event, National Anti Spam Registry will take precautions to maintain the confidentiality and security of all user information sent abroad."
This doesn't give me a warm fuzzy about registering with the National Anti Spam Registry Corp. It tells me that I will get e-mail from other companies with which I did not register. "Anti Spam Registry" indeed! In addition, I don't take much comfort from the company's assertion that I can opt out later.
So CAN-SPAM is not even up and running and we're already seeing entrepreneurs sleazing off of it. Not an uplifting story; perhaps the more they try to fix the problem the worse it will get.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
(Sponsor)
(Sponsor)
(Sponsor)
Commentary 
