Random Stuff

Opt-out vs Opt-in

Tues, 9 Dec 2003

Background

I feel compelled to write on this subject since the U.S. government has recently, in its wisdom (and despite claiming to represent a nation that, by and large, hates spam), passed a law that effectively legalises spamming. This act, the 'CAN-SPAM Act', or more accurately the 'YOU-CAN-SPAM Act', allows unsolicited commercial electronic mail messages (spam) to be sent by organisations provided they don't hijack open relays or similar third-party resources, don't fake headers and do provide a working opt-out mechanism.

Don't get me wrong, the sections of the act outlawing the misappropriation of other people's resources and the faking of header information are good. The act also states that it does not affect an ISP's ability to enforce its own email blocking policies. These parts of the act mean that those sending spam legally must do so in an easily traceable manner, which will make them easy targets for listing on blocklists such as the Spamhaus SBL.

The dangers of Opt-Out emails

Allowing opt-out email gives every organisation or company department on the planet the legal right to send you at least one spam, from which you must unsubscribe to prevent them spamming you again. Just think about that: every single one of them emailing you just once. You'd never see your mailbox again. You'd be swamped. Forever. You'd spend your entire life battling with unsubscribe systems in the vain hope that some time before you perish you'll have successfully unsubscribed from every one of them and will be able to enjoy a spam free mailbox. You'd be kidding yourself, of course.

So what is the solution?

The solution is confirmed opt-in email. 'Opt-in' means that you must request to be added to an organisation's mailing list before they are allowed to spam you. 'Confirmed' means that the email address is verified, by someone who can actually read that mailbox, before it is added to the mailing list.

It is fairly easy to fake the sender (and most other header) information in an email, so a sign-up request that merely claims to come from an address proves nothing about who sent it. For this reason confirmation can normally only be achieved by the following process:

  1. User requests to be added to the mailing list
  2. A confirmation email is sent to the address that was given
  3. User must reply to the confirmation email to be added to the list

This process ensures that you cannot be added to the list without your consent: only someone who can read the mailbox can reply, so if anyone attempts to sign your email address up without your consent you just need to ignore the confirmation email to prevent them succeeding, which gives them very little incentive to even bother trying. The one caveat is that the confirmation must be something an outsider cannot forge, so each confirmation email should carry a unique, unguessable token that the reply (or link) must return, rather than accepting any message that claims to be a reply.

Furthermore, using a confirmed opt-in scheme, the onus is on the list maintainer to keep records of the replies to confirmation emails (when the request arrived, where it came from, and when and how it was confirmed) to show that people were correctly added to the list. This is in contrast to an unconfirmed opt-in scheme, where the onus would be on the recipient to show that they did not sign up to the list, something that is nearly impossible for them to do.
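The three-step process above, together with the record keeping just described, as an added worked example. This is illustrative code written for this page, not something from the original article or from any particular mailing-list package. It uses only the Python standard library; the field names (requested_from, confirmed_from), the confirmation URL and the sample addresses are assumptions chosen for illustration. The token that goes in the confirmation email is random rather than derived from the address, so knowing a victim's address is not enough to confirm on their behalf, and an ignored request simply lapses after a timeout.

```python
# Added example (not from the original article): a minimal confirmed opt-in
# list, stdlib only. Field names and the confirm URL are assumptions.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingRequest:
    address: str
    requested_at: float
    requested_from: str   # assumed: e.g. the sign-up form's client IP


@dataclass
class ConfirmationRecord:
    """The evidence the list maintainer keeps for each subscriber."""
    address: str
    requested_at: float
    requested_from: str
    confirmed_at: float
    confirmed_from: str   # assumed: e.g. the Received: chain of the reply


class ConfirmedOptInList:
    def __init__(self, ttl_seconds: float = 3 * 24 * 3600):
        self.ttl = ttl_seconds
        # Pending requests are keyed by a hash of the token, so a leaked copy
        # of this table does not hand out tokens that still confirm.
        self._pending: Dict[str, PendingRequest] = {}
        self._members: Dict[str, ConfirmationRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request(self, address: str, requested_from: str,
                now: Optional[float] = None) -> str:
        """Step 1: record the sign-up and mint the secret for the email.
        Nothing is added to the list here. Returns the token to be mailed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # random, not derived from address
        self._pending[self._key(token)] = PendingRequest(
            address.strip().lower(), now, requested_from)
        return token

    @staticmethod
    def confirmation_message(address: str, token: str,
                             confirm_url: str = "https://lists.example.org/confirm") -> str:
        """Step 2: the confirmation email. Only whoever reads the mailbox sees the token."""
        return (
            f"To: {address}\n"
            "Subject: Please confirm your subscription\n\n"
            "Someone (hopefully you) asked to subscribe this address to our list.\n"
            "To confirm, reply to this message keeping the subject line, or visit\n"
            f"{confirm_url}?token={token}\n"
            "If you did not ask for this, ignore this message; you will not be subscribed.\n"
        )

    def confirm(self, token: str, confirmed_from: str,
                now: Optional[float] = None) -> bool:
        """Step 3: a valid, unexpired token adds the address; anything else does not."""
        now = time.time() if now is None else now
        req = self._pending.pop(self._key(token), None)   # one use only
        if req is None:
            return False                                  # unknown, used, or guessed
        if now - req.requested_at > self.ttl:
            return False                                  # ignored too long; lapsed
        self._members[req.address] = ConfirmationRecord(
            req.address, req.requested_at, req.requested_from, now, confirmed_from)
        return True

    def is_member(self, address: str) -> bool:
        return address.strip().lower() in self._members

    def evidence(self, address: str) -> Optional[ConfirmationRecord]:
        """What the maintainer produces if a subscriber disputes having signed up."""
        return self._members.get(address.strip().lower())

    def expire_pending(self, now: Optional[float] = None) -> int:
        """Housekeeping: drop requests whose confirmation never came."""
        now = time.time() if now is None else now
        stale = [k for k, r in self._pending.items() if now - r.requested_at > self.ttl]
        for k in stale:
            del self._pending[k]
        return len(stale)


def demo() -> dict:
    """Walk the three steps with constructed sample data (addresses are made up)."""
    lst = ConfirmedOptInList(ttl_seconds=3600)
    # Genuine subscriber: requests, gets the mail, replies within the hour.
    t_alice = lst.request("Alice@example.org", "198.51.100.7", now=1000.0)
    alice_ok = lst.confirm(t_alice, "reply via example.org MX", now=1300.0)
    # Forged sign-up: the victim ignores the confirmation and is never listed.
    t_victim = lst.request("victim@example.net", "203.0.113.9", now=1000.0)
    expired = lst.expire_pending(now=4601.0)
    return {
        "alice_confirmed": alice_ok,
        "alice_member": lst.is_member("alice@example.org"),
        "replay_rejected": not lst.confirm(t_alice, "replayed reply", now=1400.0),
        "guess_rejected": not lst.confirm("not-a-real-token", "attacker", now=1400.0),
        "victim_member": lst.is_member("victim@example.net"),
        "expired_count": expired,
        "stale_rejected": not lst.confirm(t_victim, "late reply", now=4601.0),
        "evidence_kept": lst.evidence("alice@example.org") is not None,
    }
```

Two design points matter here. The token is the only thing that confirms, and it is single-use and time-limited, so a forged sign-up that the victim ignores leaves no trace on the list; and the ConfirmationRecord is written at confirmation time, not at request time, so the maintainer's evidence describes the reply rather than the (easily faked) original request.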

In some situations, for example an ecommerce site, confirmation of a user's email address will often be an essential part of registering with the system. In these circumstances it may be appropriate to allow the user to opt in to a mailing list by providing a tick box for them to tick if they want to receive email from you. It is generally preferable that they have to tick the box to opt in, rather than tick the box to opt out, as this is less likely to cause users who fill in your form in a hurry to sign themselves up by mistake, which will inevitably lead to complaints that you are running an opt-out rather than an opt-in list.

Misuse of terminology

Spammers will often deliberately misuse the terms surrounding properly run confirmed opt-in mailing lists, in order to discredit them or make them seem overly arduous.

Common misuses include:

Opt-In
Used to describe any list onto which an email address has found its way and from which the user has not been seen to opt out. If they've not opted out then they must have opted in. Clearly.
Double opt-in
Either used instead of 'confirmed opt-in' as a way of making the process seem longer and more arduous than 'opt-in' while providing no extra protection, or as the natural extension of the misused form of 'opt-in': after a user has been added to a mailing list and sent one or more items of spam and has still not opted out, they must have "opted in twice".

© Copyright 2011, Stephen White