Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Does handing out business cards constitute opt-in?

Over the past year, one of the complaints we have received about spam filtering is that we filter out gray mail.  For those of you who don’t know what gray mail is, it is marketing or bulk mail that is sent out en masse and may or may not be wanted by the recipient.  Of course, there are varying levels of gray within a gray mailer.  Those who use double opt-in are light gray, whereas those for whom you go to a web page, download some software and find check boxes on by default, sometimes in small print, are a heavier shade of gray.  Still other promoters use confusing wording such as “Uncheck the box if you do not wish to receive mail from us”, which relies on a double negative.  Users are getting wiser and are beginning to uncheck boxes, because checking the box frequently opts you in; by force of habit they don’t read too carefully, check the box, and end up doing the opposite of what they thought they were doing.  These types of mailers are dark gray.  Darkest yet are the mailers who sell your email address to others.  The case can be made – fairly easily in my opinion – that those who do this sort of thing are spammers.

Anyhow, the point is that for the medium shades of gray, the first three cases I listed, technically speaking you have opted into the promoter’s, advertiser’s, or newsletter writer’s communication stream.  Because there are some people who may legitimately want to receive this mail, a company-wide spam rule that blocks all mail from that sender is inappropriate.  For some people this type of mail will be spam (or rather, it will be called spam), and for others it will be a false positive.  The problem of gray mail is that it is both unwanted and wanted at the same time.  As a spam filter, the rule of thumb is generally to err on the side of leniency rather than harshness, and mail that plays both sides should be let in.  To deal with the problem of mail that some users don’t want (which they refer to as spam), user-level rules such as a blocked-sender list are the appropriate course of action.

The term “spam” is frequently thrown about by people, but the definition is unsolicited commercial or bulk email.  It is not necessarily unwanted mail, because if you opted into the communication stream, it is not unsolicited.  You may not have meant to do it because they used a psychological trick, but that doesn’t mean it is spam.  It just means that the people behind the platform are a bunch of ethically challenged jerks.  Still, from their side there’s really no way to differentiate between a user who deliberately opted in to receive communication from the mailer and one who accidentally opted in because they were tricked.  But since a user must take action to receive communication, the mail is not unsolicited.  Therefore, it is not spam.  Incidentally, this illustrates the value of double opt-in mail.  If you use clear language and a user must first take action to opt into receiving communications from you by clicking a check box, and you then send them a confirmation email in which they must click a link, this removes virtually any ambiguity about whether the user wanted to receive mail from you.  They absolutely did, they took action twice, and you can send mail with a clean conscience and deserve to have your mail delivered, particularly if you have a one-click unsubscribe solution.

But when it comes to unsubscribes, you might wonder, “Why doesn’t a person who calls gray mail spam, erroneously or not, simply unsubscribe from the email communication?”  Indeed, why don’t they?  I believe that there are two reasons:

  1. They have been trained to not click unsubscribe.

    As an industry, we in the antispam world have actually done a pretty good job at educating users not to respond to spam.  Maybe not everyone knows it, but a good proportion of people do.  They avoid responding because they know that unsubscribes in spam don’t work and that spammers use them to verify that a user’s email address is still valid and actively monitored.  This increases the value of the email address.

    Since we have trained users so well, when they see a valid unsubscribe in an email, they think “Oh, this message is spam.  And what’s this?  An unsubscribe?  I’m not going to click it because it means that the spammer knows my address is valid, and the antispam vendors tell me not to do it!”  Of course, when we in the industry say “Don’t click unsubscribe”, we actually mean “Don’t click unsubscribes in spam.  For legitimate newsletters it is fine to do it.”  Unfortunately, when it comes to gray mail many users cannot tell the difference.  They are trained to be defensive.  And the whole point is that even though the mail is technically gray, they still believe it is spam.  So, if they are trained not to click unsubscribes in spam, and their perception is that the message is spam, then they will not click the unsubscribe.

    I don’t fault users for this; it’s not their job to tell the difference between spam and non-spam when the distinction is kind of blurry.

  2. Users expect their antispam solution to take care of spam/gray mail.

    This is where the discussion gets interesting.  When it comes to software, users are always becoming more and more demanding.  I hardly need to bring up evidence of this, but look no further than Microsoft Word.  Consider all of the features that were in the first version of Word compared to Word 2010 – we have things like auto-correct, grammar checks, collating, sending via mail with a one-click solution, and much more.  These are all in response to user demands for such features.  In similar fashion, users expect their spam filters to be able to tell the difference between spam, gray mail and wanted mail.  If a user believes that gray mail is spam, then they believe that the spam filter should be able to figure that out and block it.  The expectation is that a filter should not only be configured to block obvious spam, but should also be able to block non-obvious or borderline spam.

    Whether or not this is a reasonable expectation, users want to not receive the mail they don’t want to receive.  It should be blocked at the spam filtering layer without them having to build a custom set of blocked senders.  A simple “Report as Spam” and the message should henceforth be blocked forever from ever arriving in their inbox.  Thus, the requirements for a spam filter at a global level need to get pushed down to the custom, per-user level.  This increases the management overhead of a filter (if content == A and recipient == B, block A).  These custom rules must be evaluated for every message and only fire if a narrow set of circumstances is met.  It is much less efficient than a single spam rule set that executes across the global user base.

Anyhow, I bring all of this up because even though gray mail is opt-in, just how opt-in is it really?  When we were first dealing with this issue of gray mail, we asserted that a company executive who goes to conferences and hands out business cards is seriously risking having their email address harvested and added to gray mailing lists.  They were technically opting in, though adding their email to that list was certainly an unethical thing to do.  It’s really a bait-and-switch technique, where you think you are doing one thing but end up with quite another.

Well, as it turns out, I recently went to a conference and handed out my business card for a draw to win a prize.  I didn’t win (d’oh); however, the week after I got back I did receive a sales email from the company that was sponsoring the draw.  It was a pleasure meeting me last week, and if I ever want to have my anti-spam and anti-virus needs addressed, I should go ahead and contact them!

Now the question is the following: Is this particular email spam or not?  Did I express consent to receive the mail or not?  I certainly did not do so explicitly, but one could argue that there is no such thing as a free lunch.  If I am going to win an expensive prize, then the cost to me is to receive a one-time communication from that company.  But what if it is to receive several communications from that company?  Did I sign up for that?  What about the rules of the contest?  Should I have read the fine print beneath the placard that said I might receive communications?  I would have thought that I was handing out my business card in good faith and was merely trying to win a prize, not providing the company with a means of populating their distribution list.  After all, we’re all security professionals; we should know what constitutes best list management practice.  But on the other hand, maybe I am a little naive to have this as my expectation.

So what do you think?  Spam or not?

  • That depends upon whose definition you use -- and I don't fully agree with your definition.  I consider stealth "opt in" not to be opt in at all, and I consider mail generated by that to be spam.  To me, if I didn't explicitly say "send me crap", then the crap you sent is spam.

    On the other hand, there are plenty of people who do explicitly subscribe to stuff, and who then consider it to be spam when they decide they don't want it any more.  That doesn't fit my definition of spam, nor yours, but it absolutely fits *theirs*.

    Going by the CAN-SPAM Act, though, the answer to your question is that the mail in question is not legally spam -- you have established a relationship with them, which permits them to send you email.

    I think the real question, though, doesn't go to the intricacies of defining spam, but the common-sense business practice of not irritating your (potential) customers.  Many folks seem to have forgotten that.

  • Although it's not my intent to engage in a personal attack, I think you're guilty of engaging in more than a little sloppy thinking here.  If someone is using psychological tricks to pad out their mailing list, and claiming that list is "opt-in" (such as the pre-checked "mail me" checkbox), that's not a grey area.  That's spam.  It's high on the list of email "thou shalt nots".  When a user must take action to AVOID receiving email, that's spam.  The fact that I handed you my business card does not constitute permission.  If you then place all the email addresses from all the business cards you collect on a mailing list, you can't then claim you have permission.  It's not at all nebulous.  Permission is obtained by asking for it.  If you didn't in fact request permission, but simply presumed it, then you don't have it.

    This is not to say that there isn't a gray area, just that it's not nearly as broad as you're imagining it to be.  Permission, how to obtain it, what to expect from it, how to manage it, is, in actuality VERY clear cut, and the ENTIRE definition of spam hinges on the lack of permission multiplied by the scale of sending to a large list.

  • I disagree, Brian.  If you go to someone's web page and download something and at the end there are Terms and Conditions, and one of those terms and/or conditions is that you have to take action in order to not receive communications, then while it is bad mailing practice, I wouldn't call it spam.  The fact is that a user browsed to the page, decided to take action and then as a consequence receives communication.

    The fact is that had said user not browsed to the page and decided to get free software or whatever, the mailer would not have acquired their mail address.  While this mechanism of email acquisition is dark gray, it is not the same as a spammer doing a directory harvest attack and building lists that way.
