Canadian Information Processing Society (CIPS)
 
 

CIPS CONNECTIONS

INTERVIEWS by STEPHEN IBARAKI, I.S.P.

Leading authority and anti-spam expert provides her views

This week, Stephen Ibaraki, I.S.P., has an exclusive interview with the internationally known, widely respected attorney, President and CEO of the Institute for Spam and Internet Public Policy (ISIPP), Anne P. Mitchell Esq.

As an original founder of Habeas Inc., Anne Mitchell served as President and CEO through its first year, establishing Habeas as an industry leader and changing the face of whitelisting of legitimate email. In addition, she served as the Director of Legal and Public Affairs for Mail Abuse Prevention System, one of the original and most well-respected anti-spam services on the Internet. Anne has actively consulted on legislative anti-spam issues on a state and national level. Mitchell is a graduate of Stanford Law School, a Professor of Law at Lincoln Law School of San Jose, and a member of the California Bar.

Discussion:

Anne, with your demanding schedule, we appreciate you taking the time to do this interview—thank you.

A: And thank you so much for the opportunity to speak with you!

Q: You have a most remarkable career. Please describe the challenges, successes, milestones, and the valuable lessons learned in each of your roles.

A: As in any area of advocacy where passions run high, and where those ultimately impacted include everyman and everywoman as well as businesses, there are at least two sides to every issue, and often many more. Divining the rationality amidst the passion, and the reality amidst the hyperbole, can be very difficult, and more so if you come in through one particular avenue or another. And once there, determining a course which is true, and which doesn't veer off into the extreme in any direction, can be very challenging. This I learned early on as a fathers' rights advocate, and it holds equally true in the anti-spam arena. While the issues may be different, there is a fundamental sense of right and wrong - of protection of personal boundaries - and of moral indignation, which runs high in both arenas

From these challenges have come the primary lessons which I have learned, and have had reinforced at every step along the way: before reaching any conclusions and forming an opinion reserve judgement and keep your mind open. Quietly observe, and research, research, research.

This, coupled with my own two personal credos: "You do what you gotta do" and "It is what it is", has stood me in very good stead.

As for milestones - well, in these sorts of arenas, one can measure one's effectiveness as much, if not more, by what those in opposition have to say as those in agreement. I knew that I'd made it as a fathers' advocate when my work started showing up on hit lists on the
N.O.W. website and in their published conference agendas. Similarly, when I started drawing the ire of those who insist on the "right" to email anything to anybody, even if they didn't ask for it, I knew that I was making an impact. That some of the more fringe anti-spammers accuse me of being too soft confirms for me that I am staying the true course.

Q: Where do you see yourself in two, five and ten year’s time?

A: Two years? Spam Czarina to the Gov. of California. Five years? Toasting that we have managed to stem the hemorrhage of spam and bring it down to a trickle. And in ten years time I hope to be retired other than continuing to teach, write, and speak.

Q: As one of the founders for Habeas Inc., comment on this accolade, “she is the Diva of Deliverability.” What processes made Habeas, the assured email delivery company?

A: Actually the "Diva of Deliverability" nickname came from Email Deliverability Summit II, which followed my departure from Habeas. And I'm sorry, but under the terms of my separation agreement with Habeas I am unable to comment regarding processes. But I can say that I believed in Habeas when I helped to found it, and I still believe in its potential.

Q: We want to learn more about your new email deliverability product and eDeliverability.com?

A: Thank you for asking about that! eDeliverability is my company, separate from my day job running the Institute for Spam and Internet Public Policy. The email deliverability product is EDAPP, which stands for "Email Deliverability Application". EDAPP is the brainchild of the developer, Will Bontrager, whom many of your readers may know from his MasterCGI and WillMaster sites.

EDAPP allows email senders to preauthorize and prevalidate legitimate bulk mailings with participating ISPs, spam filtering companies, and other email receivers.

Unlike any other email deliverability solution currently on the market, EDAPP allows the ISP to set their requirements for accepting incoming email through EDAPP, and senders can easily tailor to which ISPs they send using EDAPP, on a mailing-by-mailing basis, to conform with these requirements. There is a minimum standard for mailings in order to register as a sender with EDAPP at all, and ISPs can choose to accept mail meeting these standards, or to require stricter standards for EDAPP mail - the ISPs really like this, as mail coming through the EDAPP system is whitelisted and delivered on arrival, rather than being run through a gamut of spam filters and checks.

The system is also virtually unspoofable, yet requires no new hardware or software, making it easy and cost-efficient to use both as a sender, and as a receiver.

Q: What are your best recommendations about handling, managing, and filtering SPAM?

A: First and foremost: if you have users on your system, you should never *ever* discard any email addressed to them, no matter how spammy it looks, unless you have explicitly told them that this is part of your process, and they have affirmatively agreed to it. As receivers draw their spam filters ever tighter (and who can blame them?) the false positive problem - that of legitimate mail being erroneously blocked, bounced, or junkfoldered as spam, is increasing right along with the level of spam. And just as with spam, false positives can have devastating consequences. Macslash.com lost their domain when their ISP blocked their registrar's domain renewal notice as "spam". The Mac publication "TidBITS" had one issue go undelivered to thousands of their online subscribers because the word "Viagra" appeared in a review of a handheld device's spam-filtering capabilities. Imagine the consequences of advice from attorney to client, or doctor to patient, being blocked as spam - and to compound matters, not only does the recipient never get their mail, but often the sender has no idea that it was not delivered, so operates on the assumption that their email was received. So the lesson here is to never simply discard mail, which your system tags as spam – always make it available to the end users somewhere, unless they have agreed to rely on your judgement regarding what is spam and what isn't.

Second, and consistent with the industry standards which came out of Email Deliverability Summit II (available at http://www.isipp.com/standards.php), if you are a service provider, post somewhere publicly, and clearly, what your spam policies are, and what your requirements are for acceptance of incoming email, and apply them consistently. In fact, all of the standards are very good measures with respect to both spam and deliverability issues.

Third, I recently heard Meng Weng Wong, one of the founders of POBox.com, talk about SPF, for which he is a strong advocate. I think that it makes a great deal of sense, and it is trivial to implement. Your readers can find out more about setting up SPF at http://spf.pobox.com/.

Finally, although this seems long-term, rather than short-term, it's really not: get involved in legislative efforts. As has been seen in the past week in the States, there is a groundswell, and anti-spam resolutions and laws *will be* (and are being) adopted. They will either be good, or bad, and this is one of those cases where those in the trenches really can make a difference, because the policy and law makers don't have all of the data, and they *know* that they don't have all of the data - they are willing, indeed eager, to listen to constituents who know wherefrom they speak.

Q: How does your family view your work?

A: My husband constantly jokes "a Stanford law degree and you keep working for causes with no money…what a waste". But he really is just kidding - my family is extremely supportive, and very pleased about what I do, and have done previously. They're very proud of what I and those with whom I have worked have accomplished, as am I, and it's important to remember that aspect of it: those with whom I have worked - as often as not I am simply the catalyst - I may get the people together, but they are the ones who have to take it from there, as is the case with the Email Management Roundtable, and Email Deliverability Summits I and II.

Q: What aspects of your work motivate you to do what you do?

A: When I was more involved in fathers' rights advocacy, it was - and I know that this sounds cliché - it was knowing that I was actually making a difference in the lives of children - that if I could help even one child to have their father in their lives when they otherwise would not have, I knew that I had forever changed that child's life for the better.

With my anti-spam work, it is knowing that I am uniquely situated to really make a difference - I have the great fortune to have the right background, credentials, and experience to be able to go places others may not, to gain access to decision makers and policy makers, and to bring people together who might otherwise not ever hear what one another has to say. I speak many languages: legal, policy, legislative, and anti-spam - that's rare, and I'm very glad to be able to contribute my skills in this way.

Q: Describe the vision, mission, strategies, goals and values of the ISIPP.

A: The Institute for Spam and Internet Public Policy (ISIPP) was formed to bring together those with expertise in Internet, and specifically anti-spam, policies and processes, both public and private, in order to provide a cadre of experts and analysts to both the public and private sectors, and to leverage that experience and brainpower for the public good. And we've done this. We have an amazing wealth of resources in such people as David Baker, Esq., VP of Law and Public Policy for Earthlink; Joyce Graff, who spent 8 years as an analyst with Gartner in their electronic messaging group, including four years as the group's Vice President and Research Director; Michael Grow, Esq., Chair of the Technology Group at Arent Fox; John Levine, author of the "Internet for Dummies"; Mike Jackman, Executive Director of the California ISP Association; and Brad Templeton, Chairman of the Board of Directors of the Electronic Frontier Foundation, to name but a few.

Q: You work with many experts; please detail their contributions to your organization.

A: All of our experts are available for consulting and analysis work. Each brings a unique combination of experience, expertise, and skills to the table. The contributions are all outward facing - meaning that they contribute to those with whom they consult, and to the common good. Examples include Mike Grow's attending the Republican Technology Council Leadership Breakfast and Briefing on Spam, and my own work with Sen. McCain's office to draft language for an advertiser accountability amendment to the Burns-Wyden Can Spam act (which I'm thrilled to say was passed unanimously). We also consulted with California Senators Bowen and Murray this summer over legislative issues which ultimately saw their way into California's recently enacted SB 186.

Q: For the uninitiated, detail your latest industry standards—what value do they bring?

A: I'm really glad that you asked this because we are very proud of this accomplishment - it really illustrates what can be done when you get everybody to the same table.

At both Email Deliverability Summits I and II, we brought to the table an equal number of CEOs or other executive decision makers from email receivers (ISPs and spam filtering companies) and email senders (email service providers, online marketers, and the like). And when I say "to the table", I mean literally "to the table". At Summit II, we had twenty receivers and twenty senders in a room for eight solid hours (we broke only for lunch), around a huge conference table (it was actually four large tables put together). This was by invitation only, and to attend you had to be either the CEO, or other executive decision maker. This was no feel-good-tell-everyone-we-hate-spam-and-then-go-home photo op; this was a real working group with the people who have the ability and authority to make things happen.

Out of these two Summits came a lot of wonderful initiatives and resolutions, including the formation of the cross-industry Email Processing Industry Alliance, and the promulgation of five new industry standards. These standards speak to both senders and receivers, and address and set a minimum acceptable level for such things as bounce handling (an email address must be removed from a mailing list if the sender receives three consecutive bounces over the course of fifteen or more days), unsubscribe processing (1-click unsubscribe being the ideal) and publication of requirements for acceptance and transiting of email. The really amazing thing was not just that there was no acrimony, and only cooperation amongst these 40 senders and receivers - including some of the largest in the U.S. on both sides - but that often the group most affected by a given standard was the one pushing for the greatest restriction! For example, with bounce handling, the senders were actually the ones pushing for stricter guidelines, saying "we can remove an address after it bounces just twice, sometimes even after the first bounce" - and it was the ISPs saying "give yourselves 3 bounces in a row, to allow for transient failures, and full mailboxes when people go on vacation". Now, granted, the types of organizations which are going to participate in an email deliverability summit are the responsible ones, but it bears noting, again, that those there were among the largest - the leaders - Digital Impact, Cheetahmail, RappDigital Innovyx, YesMail, AOL, MSN, Spam Assassin, Outblaze. And they all, each and every one, agreed to and adopted these standards. In fact many have already implemented them.

Q: Can you provide commentary on the Email Deliverability Database (EDDB)?

: Another one of the industry standards which came out of the Summit has to do with open communication between sending and receiving systems, so that ISPs and other receivers can communicate a problem to a sending system, or vice versa, before it reaches a point that a receiving system has to protect itself against a questionable mailing, or before legitimate communications have been impacted or lost. We kept hearing from both sides "if only we could figure out who to call...". And I can't tell you the number of the times I've heard of one ISP inadvertently blocking all mail from another ISP, and nobody knows who to contact at the blocking ISP's NOC. Email Deliverability Database is a way to address that - both senders and receivers can register with the database, access to which is restricted to approved participants, and instantly find the contact information up to the highest levels at participating providers and senders.

Q: What is the current state of law regarding e-mail and spam and are there international equivalents?

A: That is impossible to sum up in a nutshell - or even in a short article. In fact, that is precisely why we are hosting the first- ever national U.S. Spam and the Law conference in January. Because, to quote from our website, "United States laws, case law, and legislation regarding spam is nothing if not a confusing hodge-podge of frequently incomprehensible, often ineffectual attempts at achieving balance between senders and receivers of email. The attorneys themselves often can't make heads or tails of all of the different state laws and case law operating in tension with each other, let alone the average business person on whom they operate."

We're also hosting an "International Spam Laws and Public Policies" conference this coming summer.

Q: What issues drove the Email Management Roundtable? Who were its members?

A: The Email Management Roundtable was the precursor to the Email Deliverability Summits - focusing on the same issues, and with receivers involved. It was an initiative to have EMR meet with an analogous group of senders, which led to the first Email Deliverability Summit.

Q: Name your top ten concerns and their solutions.

A: All concerns are a subset of one over-riding concern: to make sure that end users get the email they want, while not getting the email that they don't want.

There is no one solution, and there are many necessary components. Good, strong, straight-forward legislation is but one - and it must include advertiser accountability - if you use the services of a spammer to advertise your product, you're as liable as the person who actually pressed "send" and injected the spam containing your message into the Internet stream.

Ongoing and open communication between receivers and senders is another - the Summits and EDDB go a long way towards that end, as does the newly-formed Email Processing Industry Alliance.

The adoption of sensible, responsible industry standards is yet another, and an area in which we're so pleased to have contributed.

None of these things by themselves will eradicate spam, and in fact some of them on their own will do nothing to directly impact the flow of spam, per se. Rather they help to distinguish legitimate mail – a necessary, but not sufficient, step towards taming the spam beast, which has been overlooked until now. In an increasingly "either yer wi' me or agin' me" spam/anti-spam world, until now nobody had bothered to identify the "wi'", only the "agin". Identifying wanted legitimate mail and making sure that it gets delivered allows receiving systems to focus their resources more strategically against the spam, and also addresses the ever-growing problem of false positives.

Q: What are the best resources to research this further?

A: Any of the national analysis firms (Gartner, Ferris, Pew), the growing body of scholarly legal work (Sorkin, Lessig), and the more reputable of the advocacy organizations (SpamCon, CAUCE, EFF). And of course, our own ISIPP site (http://www.isipp.com).

Q: What assets and processes proved to be the most valuable for you in your work?

A: Balance, tenacity, attention to detail, focus, and above all, not taking oneself too seriously, a thick skin, and a good sense of humor. In terms of personal assets, without question my forte for alternative dispute resolution, and bringing two seemingly opposing sides together over the nexus of their common concerns. After working to help divorcing, warring parents to peacefully co-exist for the sake of their children, getting in the middle of senders and receivers is a walk in the park!

Q: Describe the major challenges you face in your job and how you overcome them.

A: Believe it or not, dealing with the more fringe anti-spammers represents as great a challenge as dealing with any other group. Zealots are zealots no matter the end of the spectrum. Dealing with this sort of challenge goes back to keeping an open mind, developing a thick skin, maintaining your sense of humor, and not taking yourself to seriously.

The other great challenge is simply time - there is so much to be done, in such short order - how do I overcome that? I don't sleep much.

Q: As an anti-spam expert, please share your most important tips.

A: There are times to get wound up, and times to just hit delete.

And for goodness sake... step away from the computer - and go outside and breathe some fresh air and remember that there is a whole big *non-virtual* world out there, which, when all is said and done, is far more important than any of this.

Q: Where is it all heading? What do you see as the major technologies in the future? What products and services will dominate and which ones will disappear? How about predictions about their implementation?

A: Just as I don't believe there will ever be any one solution, I don't believe that there will ever be one be-all-and-end-all technology which will dominate in this area. One size does not fit all, and there is a place for many different types and levels of tools and solutions. For example, some people actually like challenge/response systems. Others truly want to see all email which comes in addressed to them, and to personally review each and every piece. Yet others are happy to lose the occasional "good mail" if it means that they will get very little spam. Every solution has, and will have, both benefits and downsides. Some are just plain silly, others entirely impractical; but they all represent an effort to address a serious problem, and for that they deserve credit.

So where do I think this will all end up? I think that at some point in the not too distant future, things will start to become more standardized on a network level - while things will become more differentiated on the user end. In other words, as legitimate mail becomes more readily identifiable in its own right as legitimate mail, we will see more consistency in how both legitimate mail is delivered, and how questionable mail and spam are handled. With some consistency across the board, the final processing choices then are in the hands of the end users - to use a challenge response system, to use an end-user level spam filter, to just accept all and then delete, whatever that individual user's choice is. Already we are seeing that some of the major ISPs are touting "putting the choice in the end-users' hands", and consider that to be one of their competitive advantages. And as there comes a time when fewer and fewer users can remember a time when they didn't have at least one computer and email address, the general level of user sophistication will rise, along with user understanding as to what their ISP can do, and what they themselves must do about spam.

Q: What are the most common problems/issues and their solutions facing businesses and users today?

A: 1) Making sure that users get the email they want.

2) Making sure that users don't get the email that they don't want.

3) The impact which dealing with spam has on workplace productivity.

4) Keeping offensive email out of the workplace.

Q: Do you have some stories about very challenging situations and their resolution?

A: Getting senders who have always done things a certain way to consider doing things differently (such as moving to a confirmed opt- in model) is as, but no more, challenging as getting ardent anti-spammers to relax their grip on a firmly-held belief that once a spammer always a spammer. The trick is to find a common ground, even if that ground is only an inch-by-inch square to start. Convince the sender to test out the new level of permission mailing. Then convince the receiver to accept just that email from the sender - after all, if the mail is wanted, surely they want to deliver it to their users. Little by little both 'sides' start to relax and let their guard down. Eventually they both realize, as did those who attended the Summits that they have as much in common as not, if not more. Legitimate senders don't really want to send unwanted mail any more than receivers want to receive it - if only because it means that they are spending money, and using resources, for something which in the best case scenario will yield no return and which may lead to quite negative results.

Q: You must have both interesting and funny stories to tell from your many rich experiences—please share a few.

A: When I first joined MAPs as in-house counsel, I had to notify several colleagues as to my move. It was quite a move, following on the heels of my fathers' rights work. So I was a bit perplexed when I would call a colleague and say "Hi, I just wanted to let you know that I've closed my practice, and am now working in-house for Mail Abuse Prevention System", and they wouldn't bat an eyelash, or indeed even comment on my change of careers. Until I realized that while I was saying that I had moved to "Mail Abuse Prevention System", they were hearing "Male Abuse Prevention System" - which made perfect sense to them!

Q: If you were doing this interview, what five questions would you ask of someone in your position and what would be your answers?

A: 1) Why is spam so prevalent - nobody actually buys any of this stuff, especially from spam they have received, right?

Believe it or not, people actually do make money from sending spam. It isn't always due to sales of the product advertised, although sometimes it is. Affiliate program spam is very big. People make thousands of dollars by getting paid for every click- through which they generate for somebody else's website - and they do that by sending out spam with the URL of the affiliate site.

2) It seems like there has been an increase in spam over the course of the past few months. Is that accurate, and if so, to what do you attribute it?

Spam has been proliferating at an astonishing rate. I have no doubt that this is due at least in part to the equally astonishing proliferation of anti-spam measures. The more spam that is blocked, the more spam which must be sent in order to realize the same financial return. If the rate of response and return has gone from 10% to 1% due to effective spam blocking techniques, then the spammer must send out ten times as much spam in order to realize the same financial return.

3) What are the greatest challenges faced by legitimate bulk email senders today?

Without question, the single greatest challenge for legitimate email senders today is keeping their legitimate bulk email from being mistakenly blocked along with the spam. No matter how careful one is, no matter how clean the mailing list and how high the level of permission, everyone has problems with their legitimate mail being mistakenly caught up in spam filters, and becoming a false positive. This is where email deliverability applications and sender validation can really help. It's an unfortunate fact of life that it is come to this, but there you have it. Decrying that it shouldn't be the case, nor pretending that it isn't, doesn't help the mail get delivered.

4) Crossing over from fathers' rights advocacy to anti-spam law and policy is quite a change - how did you get involved in the anti-spam field?

Two words: Paul Vixie. Paul and I knew each other when I was still a law student at Stanford. At the time I was running a fathers' rights BBS out of my dorm room, on my Commodore 128. It was in law school that I really came into my own on the Internet, and by the time graduation rolled around I had already built up a strong Internet presence for the Fathers' Rights and Equality Exchange. At that time, however, Stanford's policy was that you could not keep a Stanford email account after you graduated, and it was important that we not lose our Internet presence. Paul very kindly provided me an account on his own machine, and thus shedevil@vix.com was born. As my online activities grew, and through my friendship with Paul, so too did my exposure to Internet and spam issues. I was probably one of the very first attorneys online to really understand and use the Internet as more than just an entertaining novelty, although I was quickly joined by scores of others. Still, even to this day, very few attorneys are as steeped in it all as I ended up being from the very beginning - completely through serendipity - I take no credit for it myself.

One day I was sharing with Paul how utterly burned out I was in my private practice. Unbeknownst to me at the time, MAPS was staring down the barrel of the first of its anti-spam lawsuits, and so it was that Paul asked me to come on-board as their Director of Legal and Public Affairs. And the rest, as they say, is history.

5) What are your proudest moments, your most significant accomplishments, to date with respect to your anti-spam work?

With ISIPP they are without question the drafting and adoption of the Advertiser Accountability Amendment to the Burns-Wyden bill, and the subsequent unanimous passage of Burns-Wyden in the Senate [editorial note: happened while being interviewed]; and the huge success of the Email Deliverability Summits in bringing together two usually opposing sides and creating agreement regarding very important and far-reaching issues and standards.

Prior to that, growing Habeas from a kernel of an idea to being one of the recognized leaders in the industry in under a year, and before that taking one of MAPS' most vociferous and vehement litigants and helping them to become a model for responsible bulk mailing.

Q: Do you have any more comments to add?

A: Yes - it's incredibly rewarding to have the great fortune to able to be involved on this level, and to this degree, in what are cutting edge issues and solutions. I feel very, very fortunate, and take my responsibility as an expert to get it right very seriously.

Q: Your breadth of talents, deep insights, incredible wealth of knowledge and experiences are so valuable to our audience—thank you for sharing.

A: It has been a privilege and has been absolutely my pleasure. Thank you so much for asking me, and please consider me a resource and contact me any time.