Greetings:

I am writing on behalf of Return Path Inc., the leading provider of services for email list management. Return Path recognizes the essential importance of email for the continued development of electronic commerce. Along with many other organizations, Return Path seeks to ensure that the Internet's electronic mail delivery system is not overwhelmed by email abuse and that email remains an important mechanism for the conduct of electronic commerce.

INTRODUCTION

I am writing to comment on the proposed Privacy Guidelines ("Proposed Guidelines") drafted by the Responsible Email Communications Alliance (RECA). Return Path commends RECA for making the effort to develop and promulgate best current practices for email marketing. From the Internet's inception, best current practice documents have played a pivotal role in its development. These documents, which include protocols known as Requests for Comments (RFCs), became the foundation for a global system which allows distant parties to communicate and network with each other using disparate and often incompatible equipment. This system flourished because it emerged from a consensus to adhere to agreed-upon standards. The Internet is thus a self-regulating community.

These comments are divided into five sections covering five problematic issues with the Proposed Guidelines:

1. The Proposed Guidelines conflict with existing standards established by recognized and authoritative organizations.
2. The Proposed Guidelines incorrectly assume that adoption of fair information practices will resolve the problem of abusive email.
3. The Proposed Guidelines are oriented towards senders providing notice and choice to recipients when the proper focus is obtaining and verifying permission from recipients.
4. The Proposed Guidelines do not adequately address the problem of harassment or forged subscriptions.
5. The enforcement scheme of the Proposed Guidelines is inadequate.

Each issue is discussed in greater detail below.

1. THE PROPOSED GUIDELINES CONFLICT WITH EXISTING STANDARDS ESTABLISHED BY RECOGNIZED AND AUTHORITATIVE ORGANIZATIONS

The Internet community has directed much discussion and effort towards resolving the problem of email abuse, a problem costing hundreds of millions of dollars each year. In October 1995 the Internet Engineering Task Force (IETF) released RFC 1855, Netiquette Guidelines (ftp://ftp.isi.edu/in-notes/rfc1855.txt). In May 1999 the London Internet Exchange (LINX) adopted a Best Current Practice for Combating Unsolicited Bulk Email (http://www.linx.net/noncore/bcp/ube-bcp.html), and concurrently the RIPE Network Coordination Centre adopted a Good Practice for Combating Unsolicited Bulk Email (http://www.ripe.net/ripe/docs/ripe-206.html). In June 1999 the IETF released RFC 2635, DON'T SPEW: A Set of Guidelines for Mass Unsolicited Mailings and Postings (spam) (ftp://ftp.isi.edu/in-notes/rfc2635.txt). More recently, in November 2000, the Wireless Advertising Association ("WAA") published its WAA Guidelines on Privacy and Spam at http://www.iab.net/waa/press/privacy_press.html. The economics of unsolicited email are the same regardless of whether it is transmitted through a wireless medium or through more tangible media. Consequently, the WAA standards are equally applicable to email conveyed via more conventional transport methods.

All of these best practices documents emphasize the necessity of obtaining and verifying the permission of recipients before they are added to electronic mailing lists. This practice is generally known as "opt-in" and is contrasted with "opt-out", which permits senders to arbitrarily subscribe recipients to mailing lists until they ask for mailings to cease. In addition to the organizations identified above, the US Direct Marketing Association has affirmed that opt-in is the preferred policy for bulk email. The Canadian Direct Marketing Association has also embraced opt-in as a best current practice.
An opt-out approach to bulk email will lead to network congestion and abandonment of email, thus causing a significant adverse impact on electronic commerce. The US Small Business Administration estimates that there are approximately 25 million small businesses in the United States. If recipients receive only one message from only one percent of these businesses in the next year, an average of nearly seven hundred unsolicited messages would arrive in each user's mailbox every day. The Internet infrastructure would collapse under this amount of traffic. Moreover, it should be obvious that such a barrage of messages would lead to widespread abandonment of email as a communications medium.

RECA should also reconsider the terminology it has adopted with respect to email address verification procedures. Any method which requires action by the recipient in order to halt further mailings is by definition an opt-out procedure. Therefore, "Notified Opt-in" and "Simple Opt-in" are both actually opt-out methods, because the recipient must respond in order to terminate the subscription. The attempt by RECA to impose new definitions on terms which already have widely accepted meanings is misleading.

2. THE PROPOSED GUIDELINES INCORRECTLY ASSUME THAT ADOPTION OF FAIR INFORMATION PRACTICES WILL RESOLVE THE PROBLEM OF ABUSIVE EMAIL

The Proposed Guidelines are based on the assumption that the problem of unsolicited email is in essence a privacy issue which can be resolved with the adoption of fair information practices. This assumption is flawed. Although fair information practices are an element contributing to a solution, they are not the entire solution. For example, the Proposed Guidelines do not take into account the impact of large quantities of email on receiving email servers.
Dozens of cases have been documented of bulk email service providers overwhelming the email facilities of Internet service providers, in some cases causing lengthy service disruptions to hundreds of thousands of paying customers. Some mailings have been so massive that the impact on receiving mail servers is indistinguishable from a malicious denial of service attack. When Internet service providers take steps to protect their networks, bulk email senders have been known to deliberately and aggressively seek to circumvent those protective measures. In many cases bulk email senders ignore error messages returned by receiving email servers. In doing so, these bulk email senders fail to comply with the basic email protocols set forth in RFC 821 and other email standards promulgated by the IETF.

Consequently, any guidelines governing the distribution of bulk email must take into account the capacities of receiving email servers. In addition, distributors of bulk email must honor all efforts by receiving domains to manage their networks and private property as they see fit. Effective guidelines must also acknowledge protocols and standards adopted by recognized standards-setting organizations such as the IETF and require compliance with those protocols and standards.

3. THE PROPOSED GUIDELINES ARE ORIENTED TOWARDS SENDERS PROVIDING NOTICE AND CHOICE TO RECIPIENTS WHEN THE PROPER FOCUS IS OBTAINING AND VERIFYING PERMISSION FROM RECIPIENTS

The Proposed Guidelines assume that providing notice and choice to owners of email addresses adequately addresses the issue of unsolicited messages. However, the central issue is not whether email senders have provided sufficient notice to email recipients, but, rather, whether email recipients have provided permission to email senders. Therefore, the Proposed Guidelines should be reoriented towards defining methods for obtaining and verifying permission.
A significant omission from the Proposed Guidelines is any provision governing the transfer or sale of mailing lists. Permission granted under one set of conditions is not transferable to another set of conditions, nor is permission granted to one entity necessarily transferable to another entity. Moreover, fair information practices mandate that when an email address is supplied for one purpose, explicit consent must be obtained before that email address may be used for any other purpose. Indeed, this secondary use principle is now a legal requirement in many jurisdictions.

Another important omission from the Proposed Guidelines is any provision addressing the pernicious practice of email appending. Email appending must be proscribed because this practice by its very nature lacks any permission from the owner of an email address. In many cases, recipients have withheld their email addresses specifically for the purpose of ensuring that they do not receive email marketing messages. Furthermore, email appending often results in messages being sent to the wrong recipient.

4. THE PROPOSED GUIDELINES DO NOT ADEQUATELY ADDRESS THE PROBLEM OF HARASSMENT OR FORGED SUBSCRIPTIONS

The very nature of web forms and email messages creates "cases where it is reasonably likely that there will be a significant amount of material inaccuracies in the Personal Information" (Proposed Guidelines Paragraph 3(a)). Research conducted by the Georgia Institute of Technology has shown consistently that more than half of those completing web forms provide invalid information. A study conducted in 2000 by the Pew Research Center found that a quarter of web surfers provided false names to websites. Given this reality, marketers have no basis for assuming valid information has been provided and ample reason for questioning the validity of information they have received.
In addition, web forms are often used as a vehicle for harassment when the email addresses of innocent users are supplied without the knowledge and consent of those who are entitled to use those email addresses. There are even automated programs which take advantage of this fact and subscribe targets to as many as two thousand mailing lists with the click of a single button. No one who has been victimized in this fashion should be further victimized by having to unsubscribe from thousands of lists.

Forged subscriptions and harassment resulting from inadequate list management procedures are the responsibility of those who distribute email messages. "Notified Opt-in", "Simple Opt-in" and "Opt-out" are not only inadequate methods for obtaining permission to use an email address, they are also methods which facilitate abuse and harassment. Verification of each email address before mailings to that email address commence is the easiest way to ensure that mailing lists do not include forged subscriptions and are not used for harassment. "Verified Opt-in" procedures must be followed whenever email addresses are submitted via email or a web form. A study conducted by NFO Worldwide has shown that 90% of users are willing to complete "Verified Opt-in" processes. More significantly, this research has shown that users are not only willing to complete "Verified Opt-in" processes, but they are also appreciative and grateful for the added privacy protections provided by "Verified Opt-in" procedures.

5. THE ENFORCEMENT SCHEME OF THE PROPOSED GUIDELINES IS INADEQUATE

The enforcement provisions of the Proposed Guidelines are incomplete and inadequate. The substantive enforcement provisions are relegated to a set of unspecified "RECA Enforcement Guidelines". These provisions should be identified and incorporated into the Proposed Guidelines.
According to the Proposed Guidelines, the RECA auditor is authorized merely to "acknowledge, investigate and report to the complainant", which leaves the RECA Enforcement Committee as the only entity authorized to impose the sanctions enumerated in paragraph 9(c). Under such a regime, RECA members are placed in the position of policing themselves. Unfortunately, schemes of this nature have proven ineffective time and time again. RECA must devote considerable effort to addressing the serious defects of the enforcement mechanism set forth in the Proposed Guidelines. In particular, RECA must develop an independent enforcement mechanism which does not rely on self-policing.

RECOMMENDATIONS

Although RECA is to be commended for its attempt to develop standards for the bulk email service industry, it has much further work to do. In addition to the standards promulgated by the IETF and other well-recognized standards-setting organizations mentioned above, RECA should take into consideration the principles articulated by Mail Abuse Prevention System ("MAPS") in its Basic Mailing List Management Principles for Preventing Abuse ("Principles"). The MAPS Principles, published at http://mail-abuse.org/rbl/manage.html, have been accepted as authoritative by more than 20,000 companies, non-profit organizations, government agencies, educational institutions and individual users. If RECA members wish to communicate with MAPS subscribers, the Proposed Guidelines must take into account the MAPS Principles.
Return Path urges RECA to adopt language which affirms the following principles:

(i) Online businesses must adhere to generally accepted Internet protocols and best current practices, which includes forbearance from distribution of unsolicited broadcast email and mandates the adoption of verified opt-in policies;
(ii) Online businesses must adopt permission marketing principles when compiling and using email lists;
(iii) Online businesses must make adequate disclosure to customers about the manner in which their email addresses will be used;
(iv) Online businesses must use customers' email addresses only to the extent and for the expressed purposes for which informed consent was given;
(v) Online businesses must obtain consent before an email address is used for any purpose other than the purposes for which that address was originally supplied;
(vi) Email addresses acquired from other sources may be used only under the conditions governing their original collection;
(vii) Online businesses must provide a convenient and effective means for their customers to discontinue receiving promotional mailings;
(viii) Online businesses must ensure that mailings cease promptly once a recipient has submitted an unsubscribe request;
(ix) Online businesses must ensure that undeliverable addresses are removed promptly from their mailing lists;
(x) Online businesses must ensure that their mailing lists are not used for harassment or other abusive purposes;
(xi) Online businesses must consider the impact of their mailings on receiving hosts and networks;
(xii) Online businesses must accept responsibility for the impacts of their mailings; accordingly, businesses distributing email on behalf of client businesses are accountable for the mailing list management practices of their customers.

In addition to adoption of the foregoing principles, RECA must devote considerable attention to the development of a viable independent enforcement mechanism which does not rely on self-policing.
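The following Python script is an added illustration of the "Verified Opt-in" procedure advocated in section 4 and in principle (i) above; it is not part of this letter and is not Return Path, RECA or MAPS code. It assumes a seven-day confirmation window, a per-list HMAC secret and an in-memory store, none of which the letter specifies. It shows why a forged web-form submission can never result in mailings: the submitted address is sent exactly one confirmation request carrying a signed, single-use, expiring token, and the address joins the list only when someone who can read that mailbox presents the token back. A harasser who feeds a victim's address to a thousand such forms produces a thousand pending entries and nothing else, and the victim has nothing to unsubscribe from.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time

# Assumed confirmation window; the letter does not specify one.
TOKEN_TTL_SECONDS = 7 * 24 * 3600


class VerifiedOptInList:
    """In-memory verified opt-in ("double opt-in") mailing list.

    A web-form or email submission only creates a PENDING entry and yields a
    signed confirmation token that is mailed to the submitted address (and
    nowhere else). The address becomes ACTIVE only when someone who can read
    that mailbox presents the token back, so a third party who submits a
    victim's address cannot cause any mailing beyond one confirmation request.
    """

    def __init__(self, list_id: str, secret: bytes) -> None:
        self.list_id = list_id
        self._secret = secret  # per-list HMAC key (assumed)
        self._pending: dict[str, tuple[str, int]] = {}  # email -> (nonce, issued_at)
        self._active: set[str] = set()

    @staticmethod
    def _b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    def _sign(self, payload: bytes) -> str:
        return self._b64(hmac.new(self._secret, payload, hashlib.sha256).digest())

    def request(self, email: str, now: int | None = None) -> str:
        """Handle a subscription request. Returns the token to embed in the
        confirmation email; the address is NOT subscribed yet."""
        now = int(time.time()) if now is None else now
        email = email.strip().lower()
        nonce = secrets.token_urlsafe(16)
        # A repeat submission replaces the pending entry, so any token from an
        # earlier submission for this address stops working.
        self._pending[email] = (nonce, now)
        payload = f"{self.list_id}|{email}|{now}|{nonce}".encode()
        return f"{self._b64(payload)}.{self._sign(payload)}"

    def confirm(self, token: str, now: int | None = None) -> bool:
        """Activate the subscription if the token is genuine, current and
        unused. Returns True on success, False for any failure."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
            # Constant-time comparison against a freshly computed MAC.
            if not hmac.compare_digest(sig, self._sign(payload)):
                return False
            list_id, email, issued_str, nonce = payload.decode().split("|")
            issued_at = int(issued_str)
        except (ValueError, TypeError):
            return False  # malformed or tampered token
        if list_id != self.list_id or email not in self._pending:
            return False  # wrong list, never requested, or already used
        if (nonce, issued_at) != self._pending[email]:
            return False  # superseded by a later request for this address
        if now - issued_at > TOKEN_TTL_SECONDS:
            del self._pending[email]
            return False  # confirmation window expired
        del self._pending[email]  # single use
        self._active.add(email)
        return True

    def unsubscribe(self, email: str) -> None:
        """Honour an unsubscribe request or abuse complaint immediately."""
        email = email.strip().lower()
        self._pending.pop(email, None)
        self._active.discard(email)

    def recipients(self) -> list[str]:
        """Only confirmed addresses are ever handed to the mailer."""
        return sorted(self._active)


if __name__ == "__main__":
    # Constructed walkthrough: a forged submission beside a genuine one.
    lst = VerifiedOptInList("newsletter", secrets.token_bytes(32))
    forged = lst.request("victim@example.com")   # entered by a harasser
    genuine = lst.request("alice@example.com")   # entered by Alice herself
    lst.confirm(genuine)                         # Alice follows her link
    print(lst.recipients())                      # the victim never appears
```

The token carries no secret of its own: it is the list name, the normalised address, the issue time and a random nonce, signed with the list's HMAC key, so the service can validate it without a database lookup and an attacker cannot forge one for an address they do not control. The pending record is what makes it single-use and lets a newer submission invalidate an older token.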
CONCLUSION

Thank you for providing an opportunity to comment on the Proposed Guidelines. Again, Return Path commends RECA for taking the effort to draft best current practices documents for the bulk email service industry. Return Path shares with RECA an avid interest in ensuring that electronic commerce flourishes, with email continuing to play a central role. Please do not hesitate to let me know if you have any questions or if Return Path can be of any assistance to RECA as it proceeds with development of an effective set of standards and a credible enforcement mechanism.

Regards,

Nick Nicholas
Chief Privacy Officer
Return Path Inc.