CEI filed comments today in response to a Federal Trade Commission request for comment about email authentication. The FTC will be holding a summit on November 9-10 about which authentication schemes will help with the spam problem. The FTC, in its Federal Register notice, characterizes the summit as a “first step” towards “an active role in spurring the market’s development, testing, evaluation, and deployment” of authentication systems. Of course, what the FTC is really saying is that industry had better play a card or else the government will force its hand.
I’m worried about the FTC role here. This summit is a foray into the technical standards-setting process, which to me seems like it goes beyond the FTC’s consumer protection and antitrust mission.
Some spam is indeed fraudulent (which might give it a consumer protection link), but by and large spam imposes costs not because it is fraudulent but because of its sheer volume. A recent TechNewsWorld article reveals that some spammers are actually complying with sender authentication!
What is needed is a combination of authentication and accreditation. Authentication will help prevent spoofing and phishing by revealing the identity of an email’s originator, and accreditation will use a reputation-based system to determine if the originator is likely a spammer. Determining who is or is not a spammer, or what is or is not spam, requires a system based on value judgments as to what constitutes spam and would be better managed by a private body–or better yet, multiple bodies and consumers–than by a slow-moving and costly political bureaucracy.
Just as an authentication mandate might help the Federal Trade Commission enforce legislation such as the CAN-SPAM Act, so would requiring GPS devices in all cars help traffic police–but the costs to liberty in both scenarios are great. The Commission should limit its involvement in authentication and accreditation standards to the purpose of the summit–educating the public about email authentication–but tread no further.