February 2004 -- Volume 8 -- Number 2 -- newsletter@truste.org
 

 

 
TOP 5 STORIES OF THE MONTH
  1. TRUSTe Announces First Wireless Privacy Standards to Protect Mobile Users (Wireless Developer Network - February 18, 2004)
  2. National No-Call List Upheld by Court (Washington Post - February 18, 2004)
  3. 'No-E-Mail' Site Changes After FTC Warning (DM News - February 17, 2004)
  4. The Trouble With RFID (The Nation - February 3, 2004)
  5. Patriot Act Blurred in the Public Mind (USA Today - February 26, 2004)

Background Brief
TRUSTe Board member Hans Peter Brondmo looks at spam's cost to viable emailers.

Public Policy Update
Emily Hackett of the Internet Alliance lays out the sections of state anti-spam legislation that CAN-SPAM does not preempt.

Knowledge You Need
Ken Takahashi of DoubleClick explains how online marketers can improve the deliverability of their email campaigns.

From the Executive Director
Just out: the 2004 TRUSTe Annual Report.

Resource
The FTC is soliciting public comment on the Gramm-Leach-Bliley Act.

New Member Benefits
Share information and make contacts at TRUSTe and IAPP's new regional networking meetings, coming soon to a city near you.

Stay Current!
Upcoming privacy and security events around the nation.

TRUSTe Tech Tip
Watch your language: May and might in your privacy statement may cause problems.

Welcome New Licensees
The newest Web sites to display the TRUSTe seal.

 


The Changing Face of Email

By Hans Peter Brondmo

The code of the email infrastructure has a bug, and spam is the most visible symptom that things no longer work as they should. Yet, as is the case with all computer bugs, this one can and will be fixed. At the recent World Economic Forum in Davos, Switzerland, Bill Gates postulated that the spam problem will be solved within a couple of years. I agree with him.

The reason we have spam is that there is no way to hold senders accountable for the mail they send. Spammers hide their identity by constantly changing and forging the headers -- from address, subject line, and so on -- of the email they send. Senders can be whoever they want to be as far as the recipient is concerned.

So far almost all attempts at solving the spam problem have been to devise clever ways to "guess" whether incoming email is coming from a legitimate sender or from somebody trying to sell you herbal extracts to expand the size of a body part you may very well not even have. Guessing whether email is spam is done by looking for commonly used "spammy" key words or by using sophisticated technology that detects patterns or "signatures" of spam mail that are then used to filter out the bad stuff. First, filters make mistakes and discard legitimate, perhaps even important emails, resulting in email becoming less reliable. Second, they are reactive and very susceptible to clever countermeasures. Filters propagate an endless war of attrition. The only ones winning that war are the spammers and the companies developing filter software.

The solution to spam, and its evil cousin, "phishing" -- emails designed to steal personal information in order to commit identity theft fraud -- is to bake accountability into the email infrastructure. Accountability starts with the ability to authenticate senders, not individuals, but email service providers must ensure that they are who they claim to be. Once it is known who is sending messages, good senders -- those who maintain a persistent identity -- will earn reputations while bad senders will be assumed to be those who have no reputation. Expect new accreditation and reputation services, such as TRUSTe's Bonded Sender program, to emerge to ensure that it becomes possible to earn and maintain a good standing in the emerging accountable email network.

Much of the email infrastructure needs to be upgraded if we want to rid the world of spam. All the major ISPs and a number of technology and service providers are working hard to do just that. It will require collaboration and some difficult choices to be made, but the bug in the email code will soon be fixed, making spam as we know it a thing of the past.

Hans Peter Brondmo is senior vice president of Digital Impact.

 
 


What State Anti-Spam Legislation Does CAN-SPAM Preempt?
By Emily Hackett

In response to a California bill that would have entirely banned spam as of January 1, 2004, Congress roused from inaction to quickly pass the "CAN-SPAM Act of 2003" late last year. California may have been the first state to attempt to ban spam, but over the past five years, 35 other states have enacted laws regulating unsolicited commercial email.

The swift passage of CAN-SPAM, and its near-immediate effective date, left many marketers confused, as there was no time for rulemaking or for the online marketing industry to gear up to comply with these new requirements.

CAN-SPAM entirely preempts laws in Alaska, New Mexico, Ohio, Pennsylvania, and Wisconsin. In general, certain sections of most states' anti-spam legislation will survive the federal preemption provision of the act. This provision specifically excludes from preemption any state (or local government) statute, regulation, or rule that "prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto."

What state legislation, then, does CAN-SPAM leave in place?

1. Most state anti-spam laws include falsity and deception provisions and have private right-of-action provisions that will continue to apply. These laws frequently lay out set amounts for damages, thus avoiding the need to prove actual damages. In addition, many states have unfair-competition or unfair-business-practices laws that may apply in instances when other laws are violated or when deceptive practices are alleged.

2. CAN-SPAM preempts state laws requiring certain information (including subject-line labeling) in email messages, but not laws requiring that such information not be false or deceptive.

3. Some state laws make all software that aids in sending spam illegal. Those laws are likely not preempted, since they regulate software, not email. Of course, a court might not agree with this interpretation.

4. In general, CAN-SPAM preempts state laws that allow email service providers (ESPs) to enforce their own policies. However, when these policies prohibit falsity and deception, a court may well disagree with that interpretation. In particular, laws allowing ESPs a private right of action to enforce state laws against falsity and deception will likely survive preemption.

The debate now continues in the states as lawmakers continue to file and discuss spam legislation. At present there are 89 spam bills pending in 30 states. Of those, 51 were introduced (in 18 states) after CAN-SPAM went into effect on January 1, 2004. The Internet Alliance is carefully watching to see if any of the states find a way to get around preemption and impose more regulations on reputable email marketers.

Emily Hackett is executive director of the Internet Alliance. For details on the specific provisions of CAN-SPAM, see Rebecca Richards' article in the December issue of the TRUSTe newsletter.

 
 


The Future of Email Delivery - It's in the Past
By Ken Takahashi

A marketer's primary concern used to be developing a targeted, relevant campaign that generated results. Today, the average online marketing manager's concern is whether or not her email campaign will actually get to her customer's inbox. AOL, for example, blocks or filters 60 to 70 percent of the email that it receives from the outside world. And almost all of the email filtering solutions out there treat blue-chip companies in the same light as they do spammers.

As each quarter goes by, many marketing managers are seeing lower response rates and performance with their subscriber base. Companies with larger budgets have outsourced their e-messaging endeavors to specialists such as DoubleClick, whose client base has seen steady performance in deliverability, click-throughs, HTML opens, and conversion.

Based on my experience at DoubleClick, here are a few tips for improving deliverability of your marketing-oriented emails to consumers:

1. Follow the Market

How do you follow the market? It all has to do with your "from" address: If your customer adds your "from" address to his address book or safe list, your email bypasses almost all the filtering criteria on his ISP's anti-spam systems. Stick to one "from" address and make sure it's short and sweet. Your customers will eventually start to recognize the email you are sending them.

2. Predict the Market

ISPs are always looking for ways to know where emails are coming from. Spoofing an email address (sending an email from spammer@spammer.com but masking it as coming from goodguy@non-spammer.com) has become standard spammer practice. Although spoofing addresses is now illegal under CAN-SPAM, it is still being done. If the "from" address can't be trusted, what can? The IP address. An IP address (the identifying address of the sending machine) can't be spoofed, at least in high volumes.

A mail administrator at an ISP will always look at the originating server's IP address to make sure it's not one of a known spammer. However, almost all email service providers share IP addresses to maintain maximum throughput. That means that your mail is going out of dozens -- if not hundreds -- of IP addresses. At the same time, all those IP addresses are being shared with every entity trying to send its email campaigns from the same email service provider. When an ISP, or even worse a blacklist, sees a questionable email address, it knows to block mail from that IP address. The end result: You are being judged on your neighbor's actions. To remedy this problem, be sure that you can isolate all your email to be sent from one IP address, and that this address is dedicated exclusively to you.

3. Change Your Attitude

Too many marketers spend too much of their time worried about nonmarketing concerns such as where their messages end up. Since their mailing lists are performing poorly in comparison to last year, the only way frustrated marketers see to regain their revenue is to send more email more frequently. Imagine how the ISPs and your consumers view these practices.

A forward-thinking marketer might send fewer messages per campaign but will send more targeted messages. As marketers, we sit on a mountain of profile data as well as behavioral and transactional data. Let's start using them. Targeting campaigns just to the people on our lists who might actually respond -- the old-fashioned way -- should be the direction we are headed in. It's just smart marketing.

Ken Takahashi is director of ISP relations at DoubleClick.

 
 


TRUSTe Releases Its 2003 Annual Report

On February 18, 2004, TRUSTe published its 2003 annual report. The report summarizes our progress on five key organizational goals, and details the steps we have taken to stay at the forefront of privacy issues and to enhance the value of the TRUSTe seal among companies, government agencies, and consumers.

We are proud of the following achievements:

  • Establishing email standards and launching the Bonded Sender program, which gives legitimate emailers a mechanism for identifying their messages to ISPs and consumers.

  • Forming a Wireless Advisory Committee, in conjunction with AT&T Wireless, that convened consumer advocates, wireless carriers, and wireless content providers to establish privacy standards for this fast-developing technology.

  • Continuing to expand our presence in Europe and Asia through partnerships with key organizations and presentations at international conferences.

  • Entering into a partnership with the Internet Association of Privacy Professionals, which will provide IAPP membership benefits to TRUSTe seal holders and educational programming to members of both organizations.

I'd like to thank our members, TRUSTe's board of directors, and others who continue to show concern for privacy issues. Your support has been critical to TRUSTe's success in 2003, and your help is critical in 2004.

You can download a copy of 2003 Year in Review, in PDF format, from the TRUSTe Web site. If you have comments or suggestions on our past and future progress, contact me at fmaier@truste.org.

-- Fran Maier

 
 


The FTC is seeking public comment on its proposed rulemaking for Section 503 of the Gramm-Leach-Bliley Act, which requires financial institutions to provide notice to customers describing the institution's policies and practices regarding the disclosure of personal information to third parties. The FTC has proposed alternative types of privacy notices. Members of the public have until March 24, 2004, to submit their written comment on the rulemaking. Download the advance notice, which gives instructions on how to submit your comment, from the FTC Web site.

 
 


Introducing the IAPP-TRUSTe KnowledgeNet!

The KnowledgeNet is a series of free networking luncheons generously hosted at the local offices of Ernst & Young. KnowledgeNet events offer TRUSTe sealholders and IAPP members -- exclusively -- the opportunity to gather informally, meet the board and staff of both organizations, share notes, and network with other privacy professionals. The first meetings will take place in March and April. Here is the tentative schedule:

March 10 -- Boston
March 17 -- New York
March 24 -- Washington, DC (McLean, VA location)
April 7 -- Chicago
April 14 -- San Francisco
April 28 -- Seattle

TRUSTe sealholders in these cities should look forward to receiving an email invitation in the coming weeks. If for some reason you do not receive an invitation and wish to attend, contact Erin Bley of the IAPP at (207) 351-1519.

In addition, we would like to identify local member chairs for each region. Chairs will be responsible for coordinating the next event, taking digital photos, and submitting a short written report afterward.

 
 
Audio Conference: Wireless -- The Next Network Privacy Frontier

Date: March 4, 2004, 1:00-2:30 p.m. EST

Overview: Addressing trust and privacy issues is key to the success of the new wireless technologies and services. Wireless offers tremendous opportunities for location-based marketing and hidden pitfalls for privacy. Learn what to watch out for, how companies are getting in front of the consumer trust and privacy issue, and what has already worked in international markets.

Speakers:
Rebecca Richards, director of policy, TRUSTe, Washington, DC
Rob Gratchner, privacy compliance manager, Intel, Hillsboro, OR
Wally Hyer, chief privacy officer, AT&T Wireless, Redmond, WA
Jeremy Wright, cofounder, Enpocket, London, UK

Approximately 60 minutes are devoted to speaker presentations, followed by a question-and-answer period for attendees to get on-the-spot answers to their questions. Audio conference registration costs are $159 per line for IAPP members and TRUSTe sealholders and $179 for nonmembers, regardless of the number of attendees on that line. Please visit www.privacyassociation.org/html/audio.html to register and obtain a list of upcoming audio conferences.


IAPP-TRUSTe Symposium: Privacy Futures

Dates: June 9-11, 2004

Location:
Palace Hotel, San Francisco

Overview: Mark your calendars for the West Coast's only privacy conference, which will use its location in San Francisco-Silicon Valley to focus on cutting-edge privacy and customer relationship enhancing technologies as well as California and Pacific Rim policymaking. Find out what potential privacy advances and challenges the future has in store, and learn how to leverage trust to strengthen your brand. Symposium faculty will include technology futurists, CPOs from leading corporations, California lawmakers and privacy advocates, as well as a range of technology, policy, and legal experts. Don't miss this professional development and networking opportunity for you and your privacy team.

For further information on speakers, reduced-fee advance registration, and sponsorship opportunities, please visit the conference Web site, which will be updated periodically, or contact Carolyn Hodge, director of marketing, at chodge@truste.org.

 
 
Tip: When drafting or revising your privacy statement, use may or might statements sparingly.

You can help bake a feeling of trust into your privacy statement by using forthright language. If your statement reads as legalese or jargon, customers may construe it as evasive. Good legal departments often use language such as may or might to avoid overextending their client's privacy promises. But when overused in a privacy statement, such language sounds wishy-washy at best and furtive at worst.

Here are some examples of when it might be helpful -- or not -- to use conditional language:

1. May or might is not appropriate when dealing with important trust issues, such as sharing with third parties. Does the following sound trust-inspiring? "We might share your personal information if you give it to us." Not likely. While this may be a true statement, users are bound to ask themselves: Whom would this site share my information with? And why?

Here is an alternative way to describe your practices: "When you enter your personal information, we will need to share it with third parties that work on our behalf to fulfill our service to you, such as shipping couriers and credit card processors . . ."

2. May/might is appropriate when only a section of the site applies to some users: "If you are logged in as a member and click on one of the offers, you may be served with a cookie . . ."

3. May/might could be appropriate for describing truly unknown issues, where it is essential to use contingent language: "We may disclose your personally identifiable information as required by law and when we believe that disclosure is necessary to protect our rights and/or to comply with a judicial proceeding, court order, or legal process served on our Web site." However, even in this last example, language such as "We reserve the right to disclose" may communicate your message better.

As a general rule, use may and might sparingly to avoid sounding evasive. You want your privacy statement to describe actual practices that are consistent with the Fair Information Practice of Notice.

-- Robert Behrens, JD, senior account manager

 
 


TRUSTe would like to congratulate the following new licensees on successfully completing our certification process:

AndreaImmer.com, Browsercraft, Bizen-YA Corp., Carnegie First, CI Host, DermStore, Efile Tax Returns, HCL Finance, Home Loan Haven, Jericho Systems, Manhattan Creative/Diligent, MediaOne Network, Nutak LLC dba DeleteNow, RL International, 2nd Story Software, Trac Medical Solutions, World Winner.

 
 


Got Feedback?

We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to newsletter@truste.org.

TRUSTe is an independent, nonprofit organization that administers the Internet's first and largest privacy seal program.

685 Market Street, Suite 560
San Francisco, CA 94105
(415) 618-3400
Email: privacyseals@truste.org
Web: www.truste.org