CIPS CONNECTIONSINTERVIEWS by STEPHEN IBARAKI, FCIPS, I.S.P., ITCP, MVP, DF/NPA, CNPAnne P. Mitchell: President and CEO, Institute for Spam and Internet Public Policy This week, Stephen Ibaraki has an exclusive interview with the internationally renowned attorney and anti-spam authority, Anne P. Mitchell Esq., President and CEO of the Institute for Spam and Internet Public Policy (ISIPP). As an original founder of Habeas Inc., Anne Mitchell served as President and CEO through its first year, establishing Habeas as an industry leader and changing the face of whitelisting of legitimate email. In addition, she served as the Director of Legal and Public Affairs for Mail Abuse Prevention System, one of the original and most well-respected anti-spam services on the Internet. Anne has actively consulted on legislative anti-spam issues on a state and national level. Mitchell is a graduate of Stanford Law School, a Professor of Law at Lincoln Law School of San Jose, and a member of the California Bar. Moreover, together with serving on the Asilomar Microcomputer Workshop Planning Committee, Anne is advisor for Kinar Secure Email, Relemail Email Privacy Certification, and Virus Bulletin. Discussion: Q: Anne, you are a pioneer in anti-spam legislation and your work is having a significant impact worldwide. We appreciate you taking the time to do this interview—thank you. A: Thank you so much for inviting me back! Q: How would you position yourself in the area of Spam—some have wanted you to take even a harder stance? A: There are always people on the edges of these sorts of issues. They help to define not only the fringe, but the middle ground as well. On the one hand, we have the strident anti-spammers, who believe that no email which was not affirmatively requested should ever be sent or delivered. On the other hand, we have people who believe that nobody has a right to stop anything they send from being delivered - wanted or otherwise. My own position encompasses the positions both left and right of center which, as it happens, are essentially the mirror counterparts to each other. It turns out that the vast majority of both senders and receivers want the same thing: for users to get email that they want and to not get email that they don’t want. Q: You have achieved a milestone as one of the most significant figures in Spam. Where do you go from here? A: Gosh Stephen, I wouldn’t position myself that way, but I’m very flattered, thank you. My focus for now is to continue doing what I do best – bringing both sides to the table, translating and facilitating dialogue and discourse, and advising policy makers in both the public and private sector. >Q: Can you describe what you have learned from each of your advisory roles and where do you see their impact in the future?> A: The theme which runs consistent and unchanging is that it is primarily, if not only, the technically savvy minority who understand just how big the threats are on the Internet today. The vast majority of people, and especially the typical end user, just have no grasp of not only what is out there, but what is inside, on their computer, right at this very moment. Current estimates are that as many as 80% of all Internet-connected PCs are infested with viruses, spyware, Trojans, and the like. 80%! That’s astounding! And again, facilitating communication – explaining the positions and concerns which each party has, is what I bring to the table. Q: What is the future direction for EDAPP, the e-mail deliverability product from Will Bontrager, of MasterCGI and WillMaster fame? At this time EDAPP is on the back burner. Q: What is the status of anti-spam legislation and how should it evolve? How will it be changed or updated? A: Speaking directly to United States legislation, it’s been slightly more than a year since CAN-SPAM went into effect, and slowly but surely we are seeing both our Federal agencies and our national ISPs go after more and bigger spam operations. The Federal wheels turn slowly, but they do turn. And they are turning in the right direction. The Federal Trade Commission is working on clarifying and refining some of the language, a responsibility with which they were tasked by the language of CAN-SPAM itself. But all the laws in the world aren’t, on their own, going to deal spam the death blow. Nor is technology or user education. All three have to be brought to bear in a concerted effort by all stakeholders. Q: What are your suggested best practices for handling, managing and filtering SPAM? Where do you see this going in the future? A: First, and foremost, if you are an ISP it is paramount that you don’t ever throw away any email which is addressed to your users, unless you have made it abundantly clear that that is your policy, and you have taken adequate precautions to minimize false positives (good email being accidentally identified as spam) to the fullest extent. I can’t emphasize strongly enough that throwing away wanted email is one of the worst things you can do in the name of anti-spam efforts as an ISP. Second, it is imperative that you have it clear in your organizational mindset just what exactly you consider to be spam. We can all agree that email hawking herbal Viagra or weight loss products is spam. But once you dispense with that sort of email, there is a huge fuzzy area, and if you don’t have clear in your mind what you consider to be acceptable and what isn’t, then you’ll never be able to deal with the corner cases. More importantly, you’ll never be able to convey to people who are trying to send email to your system, or even to convey to your own users, what is acceptable and what isn’t. Q: Can you talk about SPF, endorsed by Meng Weng Wong, one of the founders of POBox.com? A: I’m really not in a position to talk intimately about SPF at this time. What I can say is that there is definitely a need for a functioning email authentication system, and that all of the current proposals have their advantages and their disadvantages. Our email sender accreditation database, the IADB, recognizes publication of any of the current systems, including SPF and Domain Keys. Q: What would be your specific recommendations on getting involved in legislative efforts? (How can one get involved; what resources should they use or leverage?) A: Of course, this differs from country to country and within countries, from province to province or state to state. And it depends on what you are most primarily interested (spam, spyware, privacy, consumer protection, ISP or business protection, etc.). For someone in the United States I would recommend contacting your state and federal representatives and also the state attorney general’s office, and asking them what you can do to get involved. There is a lot of opportunity right now for knowledgeable citizens to get involved on a citizen’s advisory level, including with federal agencies. Q: Can you describe your work with Sen. McCain's office and with California Senators, Bowen and Murray? What have you learned from the experiences? A: In my experience the average legislator starts out having little, if any more knowledge of these issues than does the average end-user. They rely on their staffers to research the issues and then to brief their boss (the legislator). So a legislator’s grasp and understanding of the issues is only as good as their staff’s understanding. This is where both people in the industry and other clued-in citizens can really make a difference, both by meeting with the staffers and providing them with relevant information, and by meeting with the legislators themselves. It is also critical to understand that legislators are almost always being pulled in many different directions on any one issue, and that each of their constituents, with their myriad concerns and competing interests, have valid points which need to be considered during the drafting or revision of any law. So anger, hostility, or even just righteous indignation, isn’t going to get you very far. Calm, rational, reasoned, informed and articulate discourse will get you much further. Q: (1) Can you comment on the future outcomes developing from the cross-industry Email Processing Industry Alliance (EPIA)? (2) Any future updates to the Email Deliverability Database (EDDB), which provides both senders and receivers the ability to register with the database, and instantly find the contact information up to the highest levels for participating providers and senders? (3) What are the outcomes from conferences such as the one for "International Spam Laws and Public Policies"? A: I’d like to address the three questions together, as each of these is but one aspect of our ongoing program to bring together both senders and receivers, and to facilitate communications leading to cross-industry cooperation in ensuring both that bad email (spam) does not get delivered, and that good, wanted email does get delivered. The EPIA’s primary function was to bring these to groups together on a regular basis, and the EDDB’s to provide a way for them to communicate quickly with each other on a one-to-one ad hoc basis. While the EDDB is still up and running, the vast majority of email senders now have someone on their full-time staff, often a manager or director of ISP relations, whose job it is to manage the sender-receiver relationship with their counterpart on the receiving side. Our highly successful conference program has essentially taken the place of the EPIA. We bring together all of the same people twice-yearly with the added benefit of bringing in speakers from all walks of the industries to talk about industry issues ranging from technical to legal to practical. Q: Why do you consider the ISIPP site as one of the best resources in this area (http://www.isipp.com)? A: Because we are the one organization which provides the services which we do, including an email sender’s accreditation program, which is truly neutral. Receivers (such as ISPs and spam filtering companies), and senders (such as email service providers), both know and trust us and know that what we care about is helping them to get rid of the spam and to get good mail through. We’ll help you do that whether you are a Fortune 500 company or a mom and pop newsletter. We have no other agenda, we are not beholden to investors or stock holders – we’re here to help. Q: Give one example of a major challenge in the last six months and how it was resolved? A: Getting email senders and receivers to understand that the IADB (our email senders’ accreditation program) is not a typical whitelist such as they were used to – where the receiver blindly accepts email from whomever is on the list because the list maintainer says that they should. It is a much more sophisticated product which provides factual information about a sender’s email practices and policies, such as what level of opt-in they use when building a list, to what industry standards they adhere to, etc., allowing each receiver to custom tailor the most useful information to them. The challenge was primarily one of novelty and a matter of explaining the paradigm shift. Now that they understand how practical and powerful this model is, they love it. Q: Now, share a surprising or amazing event within the past six months? A: Almost as soon as our July conference was over, we found ourselves deluged with companies and individuals contacting us, wanting a speaking opportunity at our next conference. We not only didn’t have to go looking for speakers for our next conference, but we had to turn speakers away! And all of them supremely qualified, highly-placed executives and legal professionals. It was, and is, incredibly gratifying. Q: One of your most significant achievements is the drafting and adoption of the Advertiser Accountability Amendment to the Burns-Wyden bill, and the subsequent unanimous passage of Burns-Wyden in the Senate. Can you detail the impact this will have? A: First, I wouldn’t say that it was one of my achievements. I was very honoured when Sen. McCain’s office called me and sought my opinion and input on what ultimately became the McCain amendment and the language of the amendment, but it was their achievement, not mine. Of course I was thrilled when I heard that it was unanimously passed out of committee! Advertiser accountability is huge, and an incredibly powerful leverage for law enforcement to have. I am constantly amazed that the press and the industries haven’t picked up on this ‘gotcha’ more than they have. Basically, if you advertise in spam, even if you aren’t the one who presses “send”, you are on the hook and legally liable. As I said, it’s huge. The Federal Trade Commission has recently used it in one of their cases and I’m sure that we’ll be seeing more of it as time goes by. Q: Here is where we turn it around. Pick five topic areas of your choosing and provide commentary. A: Area 1: Area 2: Area 3: Area 4: Area 5: Q: Anne, it is such a privilege to discuss these issues with you. You are one of most significant figures of our time and we thank you for sharing your deep insights, considerable wisdom, and talents with our audience. A: And again, thank you Stephen for inviting me back. I’m very honoured, and it’s always a pleasure. |