Opt-out vs Opt-in
Tues, 9 Dec 2003
I feel compelled to write on this subject since the U.S. government has
recently, in its wisdom (and despite proclaiming to represent a nation
which, by and large, hates spam), passed a law that effectively legalises
spamming. This act, the 'CAN-SPAM Act', or more accurately the
'YOU-CAN-SPAM Act', allows unsolicited commercial electronic mail messages
(spam) to be sent by organisations provided they don't abuse open relays or
similar, don't fake headers and provide a working opt-out mechanism.
Don't get me wrong, the sections of the act outlawing the
misappropriation of other people's resources and the faking of header
information are good. The act also states that it does not affect an ISP's
ability to enforce its own email blocking policies. These parts of the act
mean that those sending spam legally must do so in an easily traceable
manner - which will make them easy targets for listing on blocklists
such as the SBL.
The dangers of Opt-Out emails
Allowing opt-out email gives every organisation or company department on
the planet the legal right to send you at least one spam, from which you
must unsubscribe to prevent them spamming you again. Just think about that,
about every single one of them emailing you just once. You'd never see
your mailbox again. You'd be swamped. Forever. You'd spend your entire
life battling with unsubscribe systems in the vain hope that some time
before you perish you'll have successfully unsubscribed from every one of
them and will be able to enjoy a spam-free mailbox. You'd be kidding
yourself, of course.
So what is the solution?
The solution is confirmed opt-in email. 'Opt-in' means that you
must request to be added to an organisation's mailing list before it is
allowed to spam you. 'Confirmed' means that the email address is verified
before it is added to the mailing list.
It is fairly easy to fake sender (and most other header) information in
emails. For this reason confirmation can normally only be achieved by the
following process:
- User requests to be added to mailing list
- User is sent confirmation email
- User must reply to confirmation email to be added to list
This process ensures that you cannot possibly be added to the list
without your consent, and that if anyone attempts to sign your email address
up to the list without your consent then you just need to ignore the
confirmation email to prevent them succeeding - giving them very little
incentive to even bother trying.
Furthermore, using a confirmed opt-in scheme, the onus is on the list
maintainer to keep records of the replies to confirmation emails to show
that people were correctly added to the list. This is in contrast to an
unconfirmed opt-in scheme, where the onus would be on the recipient to show
that they did not sign up to the list, something that is nearly
impossible for them to do.
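The three-step confirmation process and the record-keeping point above can be shown in code. The following is an added example, not code from the original article: a minimal list manager in which a request for any address only queues a single-use confirmation token, the address joins the list only if that token comes back before it expires, and each confirmation is stored as the maintainer's evidence of consent. The class, method and field names, the injectable clock, the `outbox` stand-in for a mail queue, and the addresses and IPs in `demo()` are all constructed for this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ConfirmationRecord:
    """Evidence the list maintainer keeps for one confirmed subscription."""
    address: str
    requested_at: float
    request_ip: str
    confirmed_at: float
    confirm_ip: str
    token: str


@dataclass
class PendingRequest:
    address: str
    requested_at: float
    request_ip: str


class ConfirmedOptInList:
    """A mailing list whose only way in is a confirmed opt-in.

    Anyone may *request* a subscription for any address, but the address is
    added only when the single-use token mailed to it is returned before it
    expires. An ignored confirmation mail therefore changes nothing.
    """

    def __init__(self, ttl_seconds: float = 24 * 3600,
                 now: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be exercised offline
        self._pending: Dict[str, PendingRequest] = {}
        self.members: Dict[str, ConfirmationRecord] = {}
        self.outbox: List[dict] = []  # constructed stand-in for the mail queue

    def request(self, address: str, request_ip: str) -> str:
        """Step 1 and 2: record the request and mail a confirmation token."""
        token = secrets.token_urlsafe(24)  # 192 random bits: not guessable
        self._pending[token] = PendingRequest(address, self._now(), request_ip)
        self.outbox.append({
            "to": address,
            "subject": "Confirm your subscription",
            "body": "Reply with this token to confirm, or ignore this mail "
                    f"and nothing will happen: {token}",
        })
        return token  # nothing has been added to the list yet

    def confirm(self, token: str, confirm_ip: str) -> bool:
        """Step 3: add the address only if a live, unexpired token returns."""
        pending = self._pending.pop(token, None)  # pop, so a token is single-use
        if pending is None:
            return False  # unknown, guessed or already-used token
        confirmed_at = self._now()
        if confirmed_at - pending.requested_at > self._ttl:
            return False  # confirmation mail was ignored; request lapses
        self.members[pending.address] = ConfirmationRecord(
            pending.address, pending.requested_at, pending.request_ip,
            confirmed_at, confirm_ip, token)
        return True

    def is_member(self, address: str) -> bool:
        return address in self.members

    def evidence(self, address: str) -> Optional[ConfirmationRecord]:
        """What the maintainer produces when a subscriber disputes consent."""
        return self.members.get(address)


def demo() -> None:
    clock = [1_000_000.0]
    mlist = ConfirmedOptInList(ttl_seconds=3600, now=lambda: clock[0])

    # 1. A genuine subscriber confirms (constructed address and IP).
    token = mlist.request("alice@example.com", "198.51.100.7")
    print("on list before confirming?", mlist.is_member("alice@example.com"))
    print("confirm:", mlist.confirm(token, "198.51.100.7"))
    print("evidence:", mlist.evidence("alice@example.com"))

    # 2. Someone signs up a third party, who simply ignores the mail.
    forged = mlist.request("victim@example.com", "203.0.113.9")
    clock[0] += 2 * 3600
    print("late confirm:", mlist.confirm(forged, "203.0.113.9"))
    print("victim on list?", mlist.is_member("victim@example.com"))

    # 3. A guessed token never works.
    print("guessed token:", mlist.confirm("not-a-real-token", "0.0.0.0"))


if __name__ == "__main__":
    demo()
```

Two design choices carry the article's argument: the token is popped rather than looked up, so a captured confirmation cannot be replayed to re-add an address that has since unsubscribed, and the evidence record stores both the requesting and the confirming IP and timestamps, which is exactly what a maintainer needs when a recipient claims they never signed up.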
In some situations, for example an ecommerce site, confirmation of a
user's email address will often be an essential part of registering with the
system. In these circumstances it may be appropriate to allow the user to
opt in to a mailing list by providing a tick box for them to tick if they
want to receive email from you. It is generally preferable that they have
to tick the box to opt in, rather than tick the box to opt out, as this
is less likely to cause users who fill in your form in a hurry to sign
themselves up by mistake - which will inevitably lead to complaints that you
are running an opt-out rather than opt-in list.
Misuse of terminology
Spammers will often deliberately misuse the terms surrounding
properly run confirmed opt-in mailing lists, in order to discredit them or
make them seem overly arduous.
Common misuses include:
- Opt-in
- Used to describe any list onto which an email address has found itself and from which the user has not been seen to opt out. If they've not opted out then they must have opted in. Clearly.
- Double opt-in
- Either used instead of 'confirmed opt-in' as a way of making the process seem longer and more arduous than 'opt-in' while providing no extra protection, or as the natural extension of the misused form of 'opt-in': after a user has been added to a mailing list and sent one or more items of spam and yet has still not opted out, then they must have "opted in twice".