Anyone who still needs convincing that do-not-e-mail registries pose potentially nightmarish threats to the very registrants their operators claim to protect needs look no further than an incident last week involving anti-spam concern Blue Security.
An irate spammer—believed to be Russian—apparently used the Blue Security’s “do-not-intrude” registry’s list-scrubbing process to find names on his own list that are also on Blue Security’s registry. He then threatened some of Blue Security’s registrants with more spam unless they opt out of the service.
“You are recieving this email because you are a member of BlueSecurity (http://www.bluesecurity.com,” the typo-ridden e-mail begins.
“You signed up because you were expecting to recieve a lesser amount of spam, unfortunately, due to the tactics used by BlueSecurity, you will end up recieving this message, or other nonsensical spams 20-40 times more than you would normally.
“How do you make it stop?
“Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity’s database, if you arent there.. you wont get this again.
“We have devised a method to retrieve your address from their database, so by signing up and remaining a BlueSecurity user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers, and will end up getting up even more spam as an end-result.”
Menlo Park, CA-based Blue Security employs a piece of software that visits companies’ Web sites when they are deemed to have sent unsolicited e-mail to one of its subscribers. The software finds complaint or opt-out forms on the companies’ sites, and automatically fills them out and sends them. The idea is that when Blue Security’s subscriber base becomes large enough, the onslaught of complaints from registrants’ computers will be crippling enough to convince the offending spammers to stop mailing Blue Security subscribers.
Blue Security reportedly claims a little under 500,000 registrants.
If true, that’s half a million people gullible enough to believe a do-not-e-mail registry will keep spam out of their inboxes.
Blue Security labeled the incident a desperate attempt to undermine its business model.
A desperate attempt to undermine its business model? Proof that the model is dangerously flawed is more like it. Imagine being on the receiving end of one of those e-mails.
Better yet, imagine a child being on the receiving end of a similar e-mail from an irate pornographer. Even better, imagine little Jacob or Emily getting a nicely worded introductory e-mail from a pedophile. The Blue Security incident proves these scenarios are real possibilities as a result of the efforts of Unspam, the company that runs so-called child-protection do-not-e-mail registries in Utah and Michigan.
Critics have contended all along that exactly what happened to Blue Security’s subscribers is likely to happen to children listed on Unspam’s state registries. As a result of last week’s attack on Blue Security’s registrants, Unspam’s critics can no longer reasonably be dismissed as alarmist.
Even Utah’s legislators know the critics are right. An amendment to Utah’s child-protection no-e-mail law went into effect at the beginning of this month requiring Utah to send registrants a confirmation message that reads in part: “The most effective way to protect children on the Internet is to supervise use and review all e-mail messages and other correspondence. … While every attempt will be made to secure the Child Protection Registry, registrants and their guardians should be aware that their contact points may be at a greater risk of being misappropriated by marketers who choose to disobey the law.”
The hypocrisy is stupefying.
As reported here before, Unspam has in its contracts with Michigan and Utah provisions that exempt it from liability if a marketer uses Unspam’s registry to extrapolate and verify kids’ addresses for nefarious purposes.
The chilling bottom line: Like their critics, legislators in Utah—we’re not sure about Michigan yet—and executives at Unspam knew it was not just possible, but likely that a Blue-Security-type no-e-mail-registry attack would happen, but went ahead with their plans anyway. And they did it with kids’ contact information.
If there were a Dangerously Stupid Online Idea Hall of Fame, surely kids’ do-not-e-mail registries and their cynical creators would get a wing dedicated to them.
