When Josh Tinnin tried to send e-mail to the U.S. Federal Trade Commission this month, he received an unwelcome surprise: He couldn't. Tinnin's message to the FTC bounced back because the agency subscribes to a blacklisting service designed to limit the amount of spam making its way into the agency's in-boxes. SBC Pacific Bell, Tinnin's Internet service provider, appeared on the blacklist as a haven for senders of junk e-mail.
"I didn't know that the government was using blacklists," said Tinnin, who lives in Fremont, Calif. "That was surprising."
Businesses and individual Internet users have turned to blacklists to try to stanch the steadily increasing flow of bulk e-mail. But the FTC appears to be the first federal agency to adopt the often-buggy lists, and some legal experts say the practice raises novel issues and may violate Americans' First Amendment right to "petition the government."
FTC spokeswoman Claudia Farrell said the commission began filtering its incoming mail in August "as an ongoing effort to protect agency computing resources and productivity of agency staff." The FTC's chief information officer and general counsel oversee the use of the blacklist "to ensure that legitimate communications from the general public can be received," Farrell said.
Blacklists started as a method to identify known sources of spam and permit system administrators to block messages from those sources. But as the tide of spam continued to surge, many blacklist operators began adding not only the Internet addresses of actual spammers but also entire Internet service providers and hosting services suspected of harboring spammers.
This guilt-by-association approach means that an increasing number of legitimate e-mail messages are being returned as undeliverable or even deleted without being read. In September, Yahoo's storefronts site was added to a list of suspected spammers, and in July, U.K. telecommunications giant BT's main e-mail hub appeared on SpamCop's blacklist. Blacklist operators defend the approach, saying that some "collateral damage" is to be expected in the war on spam.
The FTC, which is the federal agency primarily responsible for prosecuting those who send illegal spam, relies on e-mail as an important way to maintain communication with the public. For example, those wishing to comment on a formal rulemaking on barriers to electronic commerce can send a message to firstname.lastname@example.org. And requests for documents under the Freedom of Information Act can be sent to email@example.com.
Sonia Arrison, a technology policy analyst at the free-market Pacific Research Institute, found her e-mail to Howard Beales, director of the FTC's bureau of consumer protection, returned as undeliverable. Beales spoke at a PRI privacy event in January, and Arrison was trying to send him a proposal on, ironically, how to limit spam.
"It was surprising to see that a government agency was bouncing my mail. Shouldn't they all be open to the public?" Arrison said. "I tried multiple times, and it was blocked every time. It was pretty unsettling."
Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, says there may be constitutional problems with the FTC's use of third-party blacklists.
"Why wouldn't this violate the First Amendment right to petition the government?" Tien said. "There are some strong analogies to the First Amendment arguments against censorware. Obviously some people can't communicate with the FTC. Worse yet, the decision isn't even based on anything bad that they've done. Still worse yet, the commercial blacklist appears to 'own' the decision about who can send e-mail to the FTC."
The First Amendment says no agency or law may limit the right of Americans to petition the government.
The FTC's Farrell defended the blacklist approach, saying it has helped in filtering pornography and viruses sent through e-mail.
"If an e-mail is blocked because the sender's ISP does not employ prudent controls to ensure that they are not a source of spam, we have established alternate mechanisms to receive the affected e-mail," Farrell said.
Farrell declined, however, to describe those mechanisms. She would not reveal what blacklists were in use, saying, "we have developed and deployed our own filtering approach using in-house resources." In addition, the FTC did not respond to a list of follow-up questions sent last week.
The FTC appears to be relying on at least three blacklists: Monkeys.com, Njabl.org, and Relays.osirusoft.com.
Other approaches In August, Neil Schwartzman tried to send mail to firstname.lastname@example.org, an address the FTC created to allow members of the public to submit examples of spam. The FTC has the authority to investigate and prosecute people who send fraudulent or deceptive messages, and has legally assailed spammers who fall into that category.
Schwartzman--who lives in Montreal and publishes the SpamNews newsletter--discovered the FTC was relying on the Monkeys.com blacklist, one of the more zealous ones. That meant customers at Bell Canada's Sympatico.ca Internet provider were barred from contacting the FTC via e-mail. "How responsible is it to block the largest ISP in Canada based on the dodgy collateral information that a relatively unknown blacklist has to offer?" Schwartzman said. "Honestly, if the FTC wants spam protection--and I don't know anyone who doesn't want spam protection these days--let them go out and spend some real money and get a real supplier, instead of using the freebie lists that have collateral damage. There certainly is no lack of companies that can supply government-level quality. Why are they using a do-it-yourself kit? I'm sorry, but that's irresponsible."
Schwartzman said that Monkeys.com, which appears to have discontinued its blacklist service in the last few months, was charging $200 to be removed from its blacklist.
Ray Everett-Church, counsel to the Coalition Against Unsolicited Commercial E-mail, says he knows of no other government agency that has followed the FTC's lead--and recommends that the agency rethink its approach.
"If they are encouraging people to use electronic media to communicate with the government, it would make sense to leave those channels open," said Everett-Church, who works as a privacy consultant. "They could certainly limit them in terms of time period and specific purpose. But to broadly filter on all contact addresses raises some difficult issues in terms of our ability to communicate with our government."
One other approach the FTC could adopt would be to filter mail sent to individual employees, but not that sent to public addresses used for comments on official proceedings, Everett-Church said. Another alternative would be using Web forms instead of e-mail addresses for public comment.
Ari Schwartz, an analyst at the Center for Democracy and Technology, said he wasn't too concerned about the FTC's use of blacklists.
"Individuals who sent the mail should be alerted to why the message was blocked and given an alternate means to communicate with the FTC," Schwartz said. "You're not guaranteed to communicate with every government agency through every communications mechanism. We don't list the pager numbers for everyone who has pagers inside the federal government, for instance. But you do have to be able to communicate with them."