Leading anti-spam expert provides her views
This week, Stephen
Ibaraki, I.S.P., has an exclusive interview with the internationally
known, widely respected attorney, President and CEO of the Institute
for Spam and Internet Public Policy (ISIPP), Anne P. Mitchell Esq.
As an original founder of
Habeas Inc., Anne Mitchell served as President and CEO through its
first year, establishing Habeas as an industry leader and changing
the face of whitelisting of legitimate email. In addition, she
served as the Director of Legal and Public Affairs for Mail Abuse
Prevention System, one of the original and most well-respected
anti-spam services on the Internet. Anne has actively consulted on
legislative anti-spam issues on a state and national level. Mitchell
is a graduate of Stanford Law School, a Professor of Law at Lincoln
Law School of San Jose, and a member of the California Bar.
Q: Anne, with your
demanding schedule, we appreciate you taking the time to do this
A: And thank you so much
for the opportunity to speak with you!
Q: You have a most
remarkable career. Please describe the challenges, successes,
milestones, and the valuable lessons learned in each of your roles.
A: As in any area of
advocacy where passions run high, and where those ultimately
impacted include everyman and everywoman as well as businesses,
there are at least two sides to every issue, and often many more.
Divining the rationality amidst the passion, and the reality amidst
the hyperbole, can be very difficult, and more so if you come in
through one particular avenue or another. And once there,
determining a course which is true, and which doesn't veer off into
the extreme in any direction, can be very challenging. This I
learned early on as a fathers' rights advocate, and it holds equally
true in the anti-spam arena. While the issues may be different,
there is a fundamental sense of right and wrong - of protection of
personal boundaries - and of moral indignation, which runs high in
From these challenges
have come the primary lessons which I have learned, and have had
reinforced at every step along the way: before reaching any
conclusions and forming an opinion reserve judgement and keep your
mind open. Quietly observe, and research, research, research.
This, coupled with my own
two personal credos: "You do what you gotta do" and "It is what it
is", has stood me in very good stead.
As for milestones - well,
in these sorts of arenas, one can measure one's effectiveness as
much, if not more, by what those in opposition have to say as those
in agreement. I knew that I'd made it as a fathers' advocate when my
work started showing up on hit lists on the
N.O.W. website and in their published conference agendas. Similarly,
when I started drawing the ire of those who insist on the "right" to
email anything to anybody, even if they didn't ask for it, I knew
that I was making an impact. That some of the more fringe
anti-spammers accuse me of being too soft confirms for me that I am
staying the true course.
Q: Where do you see
yourself in two, five and ten year’s time?
A: Two years? Spam
Czarina to the Gov. of California. Five years? Toasting that we have
managed to stem the hemorrhage of spam and bring it down to a
trickle. And in ten years time I hope to be retired other than
continuing to teach, write, and speak.
Q: As one of the founders
for Habeas Inc., comment on this accolade, “she is the Diva of
Deliverability.” What processes made Habeas, the assured email
A: Actually the "Diva of
Deliverability" nickname came from Email Deliverability Summit II,
which followed my departure from Habeas. And I'm sorry, but under
the terms of my separation agreement with Habeas I am unable to
comment regarding processes. But I can say that I believed in Habeas
when I helped to found it, and I still believe in its potential.
Q: We want to learn more
about your new email deliverability product and eDeliverability.com?
A: Thank you for asking
about that! eDeliverability is my company, separate from my day job
running the Institute for Spam and Internet Public Policy. The email
deliverability product is EDAPP, which stands for "Email
Deliverability Application". EDAPP is the brainchild of the
developer, Will Bontrager, whom many of your readers may know from
his MasterCGI and WillMaster sites.
EDAPP allows email
senders to preauthorize and prevalidate legitimate bulk mailings
with participating ISPs, spam filtering companies, and other email
Unlike any other email
deliverability solution currently on the market, EDAPP allows the
ISP to set their requirements for accepting incoming email through
EDAPP, and senders can easily tailor to which ISPs they send using
EDAPP, on a mailing-by-mailing basis, to conform with these
requirements. There is a minimum standard for mailings in order to
register as a sender with EDAPP at all, and ISPs can choose to
accept mail meeting these standards, or to require stricter
standards for EDAPP mail - the ISPs really like this, as mail coming
through the EDAPP system is whitelisted and delivered on arrival,
rather than being run through a gamut of spam filters and checks.
The system is also
virtually unspoofable, yet requires no new hardware or software,
making it easy and cost-efficient to use both as a sender, and as a
Q: What are your best
recommendations about handling, managing, and filtering SPAM?
A: First and foremost: if
you have users on your system, you should never *ever* discard any
email addressed to them, no matter how spammy it looks, unless you
have explicitly told them that this is part of your process, and
they have affirmatively agreed to it. As receivers draw their spam
filters ever tighter (and who can blame them?) the false positive
problem - that of legitimate mail being erroneously blocked,
bounced, or junkfoldered as spam, is increasing right along with the
level of spam. And just as with spam, false positives can have
devastating consequences. Macslash.com lost their domain when their
ISP blocked their registrar's domain renewal notice as "spam". The
Mac publication "TidBITS" had one issue go undelivered to thousands
of their online subscribers because the word "Viagra" appeared in a
review of a handheld device's spam-filtering capabilities. Imagine
the consequences of advice from attorney to client, or doctor to
patient, being blocked as spam - and to compound matters, not only
does the recipient never get their mail, but often the sender has no
idea that it was not delivered, so operates on the assumption that
their email was received. So the lesson here is to never simply
discard mail, which your system tags as spam – always make it
available to the end users somewhere, unless they have agreed to
rely on your judgement regarding what is spam and what isn't.
Second, and consistent
with the industry standards which came out of Email Deliverability
Summit II (available at
http://www.isipp.com/standards.php), if you are a service
provider, post somewhere publicly, and clearly, what your spam
policies are, and what your requirements are for acceptance of
incoming email, and apply them consistently. In fact, all of the
standards are very good measures with respect to both spam and
Third, I recently heard
Meng Weng Wong, one of the founders of POBox.com, talk about SPF,
for which he is a strong advocate. I think that it makes a great
deal of sense, and it is trivial to implement. Your readers can find
out more about setting up SPF at
Finally, although this
seems long-term, rather than short-term, it's really not: get
involved in legislative efforts. As has been seen in the past week
in the States, there is a groundswell, and anti-spam resolutions and
laws *will be* (and are being) adopted. They will either be good, or
bad, and this is one of those cases where those in the trenches
really can make a difference, because the policy and law makers
don't have all of the data, and they *know* that they don't have all
of the data - they are willing, indeed eager, to listen to
constituents who know wherefrom they speak.
Q: How does your family
view your work?
A: My husband constantly
jokes "a Stanford law degree and you keep working for causes with no
money…what a waste". But he really is just kidding - my family is
extremely supportive, and very pleased about what I do, and have
done previously. They're very proud of what I and those with whom I
have worked have accomplished, as am I, and it's important to
remember that aspect of it: those with whom I have worked - as often
as not I am simply the catalyst - I may get the people together, but
they are the ones who have to take it from there, as is the case
with the Email Management Roundtable, and Email Deliverability
Summits I and II.
Q: What aspects of your
work motivate you to do what you do?
A: When I was more
involved in fathers' rights advocacy, it was - and I know that this
sounds cliché - it was knowing that I was actually making a
difference in the lives of children - that if I could help even one
child to have their father in their lives when they otherwise would
not have, I knew that I had forever changed that child's life for
With my anti-spam work,
it is knowing that I am uniquely situated to really make a
difference - I have the great fortune to have the right background,
credentials, and experience to be able to go places others may not,
to gain access to decision makers and policy makers, and to bring
people together who might otherwise not ever hear what one another
has to say. I speak many languages: legal, policy, legislative, and
anti-spam - that's rare, and I'm very glad to be able to contribute
my skills in this way.
Q: Describe the vision,
mission, strategies, goals and values of the ISIPP.
A: The Institute for Spam
and Internet Public Policy (ISIPP) was formed to bring together
those with expertise in Internet, and specifically anti-spam,
policies and processes, both public and private, in order to provide
a cadre of experts and analysts to both the public and private
sectors, and to leverage that experience and brainpower for the
public good. And we've done this. We have an amazing wealth of
resources in such people as David Baker, Esq., VP of Law and Public
Policy for Earthlink; Joyce Graff, who spent 8 years as an analyst
with Gartner in their electronic messaging group, including four
years as the group's Vice President and Research Director; Michael
Grow, Esq., Chair of the Technology Group at Arent Fox; John Levine,
author of the "Internet for Dummies"; Mike Jackman, Executive
Director of the California ISP Association; and Brad Templeton,
Chairman of the Board of Directors of the Electronic Frontier
Foundation, to name but a few.
Q: You work with many
experts; please detail their contributions to your organization.
A: All of our experts are
available for consulting and analysis work. Each brings a unique
combination of experience, expertise, and skills to the table. The
contributions are all outward facing - meaning that they contribute
to those with whom they consult, and to the common good. Examples
include Mike Grow's attending the Republican Technology Council
Leadership Breakfast and Briefing on Spam, and my own work with Sen.
McCain's office to draft language for an advertiser accountability
amendment to the Burns-Wyden Can Spam act (which I'm thrilled to say
was passed unanimously). We also consulted with California Senators
Bowen and Murray this summer over legislative issues which
ultimately saw their way into California's recently enacted SB 186.
Q: For the uninitiated,
detail your latest industry standards—what value do they bring?
A: I'm really glad that
you asked this because we are very proud of this accomplishment - it
really illustrates what can be done when you get everybody to the
At both Email
Deliverability Summits I and II, we brought to the table an equal
number of CEOs or other executive decision makers from email
receivers (ISPs and spam filtering companies) and email senders
(email service providers, online marketers, and the like). And when
I say "to the table", I mean literally "to the table". At Summit II,
we had twenty receivers and twenty senders in a room for eight solid
hours (we broke only for lunch), around a huge conference table (it
was actually four large tables put together). This was by invitation
only, and to attend you had to be either the CEO, or other executive
decision maker. This was no
feel-good-tell-everyone-we-hate-spam-and-then-go-home photo op; this
was a real working group with the people who have the ability and
authority to make things happen.
Out of these two Summits
came a lot of wonderful initiatives and resolutions, including the
formation of the cross-industry Email Processing Industry Alliance,
and the promulgation of five new industry standards. These standards
speak to both senders and receivers, and address and set a minimum
acceptable level for such things as bounce handling (an email
address must be removed from a mailing list if the sender receives
three consecutive bounces over the course of fifteen or more days),
unsubscribe processing (1-click unsubscribe being the ideal) and
publication of requirements for acceptance and transiting of email.
The really amazing thing was not just that there was no acrimony,
and only cooperation amongst these 40 senders and receivers -
including some of the largest in the U.S. on both sides - but that
often the group most affected by a given standard was the one
pushing for the greatest restriction! For example, with bounce
handling, the senders were actually the ones pushing for stricter
guidelines, saying "we can remove an address after it bounces just
twice, sometimes even after the first bounce" - and it was the ISPs
saying "give yourselves 3 bounces in a row, to allow for transient
failures, and full mailboxes when people go on vacation". Now,
granted, the types of organizations which are going to participate
in an email deliverability summit are the responsible ones, but it
bears noting, again, that those there were among the largest - the
leaders - Digital Impact, Cheetahmail, RappDigital Innovyx, YesMail,
AOL, MSN, Spam Assassin, Outblaze. And they all, each and every one,
agreed to and adopted these standards. In fact many have already
Q: Can you provide
commentary on the Email Deliverability Database (EDDB)?
A: Another one of the
industry standards which came out of the Summit has to do with open
communication between sending and receiving systems, so that ISPs
and other receivers can communicate a problem to a sending system,
or vice versa, before it reaches a point that a receiving system has
to protect itself against a questionable mailing, or before
legitimate communications have been impacted or lost. We kept
hearing from both sides "if only we could figure out who to
call...". And I can't tell you the number of the times I've heard of
one ISP inadvertently blocking all mail from another ISP, and nobody
knows who to contact at the blocking ISP's NOC. Email Deliverability
Database is a way to address that - both senders and receivers can
register with the database, access to which is restricted to
approved participants, and instantly find the contact information up
to the highest levels at participating providers and senders.
Q: What is the current
state of law regarding e-mail and spam and are there international
A: That is impossible to
sum up in a nutshell - or even in a short article. In fact, that is
precisely why we are hosting the first- ever national U.S. Spam and
the Law conference in January. Because, to quote from our website,
"United States laws, case law, and legislation regarding spam is
nothing if not a confusing hodge-podge of frequently
incomprehensible, often ineffectual attempts at achieving balance
between senders and receivers of email. The attorneys themselves
often can't make heads or tails of all of the different state laws
and case law operating in tension with each other, let alone the
average business person on whom they operate."
We're also hosting an
"International Spam Laws and Public Policies" conference this coming
Q: What issues drove the
Email Management Roundtable? Who were its members?
A: The Email Management
Roundtable was the precursor to the Email Deliverability Summits -
focusing on the same issues, and with receivers involved. It was an
initiative to have EMR meet with an analogous group of senders,
which led to the first Email Deliverability Summit.
Q: Name your top ten
concerns and their solutions.
A: All concerns are a
subset of one over-riding concern: to make sure that end users get
the email they want, while not getting the email that they don't
There is no one solution,
and there are many necessary components. Good, strong,
straight-forward legislation is but one - and it must include
advertiser accountability - if you use the services of a spammer to
advertise your product, you're as liable as the person who actually
pressed "send" and injected the spam containing your message into
the Internet stream.
Ongoing and open
communication between receivers and senders is another - the Summits
and EDDB go a long way towards that end, as does the newly-formed
Email Processing Industry Alliance.
The adoption of sensible,
responsible industry standards is yet another, and an area in which
we're so pleased to have contributed.
None of these things by
themselves will eradicate spam, and in fact some of them on their
own will do nothing to directly impact the flow of spam, per se.
Rather they help to distinguish legitimate mail – a necessary, but
not sufficient, step towards taming the spam beast, which has been
overlooked until now. In an increasingly "either yer wi' me or agin'
me" spam/anti-spam world, until now nobody had bothered to identify
the "wi'", only the "agin". Identifying wanted legitimate mail and
making sure that it gets delivered allows receiving systems to focus
their resources more strategically against the spam, and also
addresses the ever-growing problem of false positives.
Q: What are the best
resources to research this further?
A: Any of the national
analysis firms (Gartner, Ferris, Pew), the growing body of scholarly
legal work (Sorkin, Lessig), and the more reputable of the advocacy
organizations (SpamCon, CAUCE, EFF). And of course, our own ISIPP
Q: What assets and
processes proved to be the most valuable for you in your work?
A: Balance, tenacity,
attention to detail, focus, and above all, not taking oneself too
seriously, a thick skin, and a good sense of humor. In terms of
personal assets, without question my forte for alternative dispute
resolution, and bringing two seemingly opposing sides together over
the nexus of their common concerns. After working to help divorcing,
warring parents to peacefully co-exist for the sake of their
children, getting in the middle of senders and receivers is a walk
in the park!
Q: Describe the major
challenges you face in your job and how you overcome them.
A: Believe it or not,
dealing with the more fringe anti-spammers represents as great a
challenge as dealing with any other group. Zealots are zealots no
matter the end of the spectrum. Dealing with this sort of challenge
goes back to keeping an open mind, developing a thick skin,
maintaining your sense of humor, and not taking yourself to
The other great challenge
is simply time - there is so much to be done, in such short order -
how do I overcome that? I don't sleep much.
Q: As an anti-spam
expert, please share your most important tips.
A: There are times to get
wound up, and times to just hit delete.
And for goodness sake...
step away from the computer - and go outside and breathe some fresh
air and remember that there is a whole big *non-virtual* world out
there, which, when all is said and done, is far more important than
any of this.
Q: Where is it all
heading? What do you see as the major technologies in the future?
What products and services will dominate and which ones will
disappear? How about predictions about their implementation?
A: Just as I don't
believe there will ever be any one solution, I don't believe that
there will ever be one be-all-and-end-all technology which will
dominate in this area. One size does not fit all, and there is a
place for many different types and levels of tools and solutions.
For example, some people actually like challenge/response systems.
Others truly want to see all email which comes in addressed to them,
and to personally review each and every piece. Yet others are happy
to lose the occasional "good mail" if it means that they will get
very little spam. Every solution has, and will have, both benefits
and downsides. Some are just plain silly, others entirely
impractical; but they all represent an effort to address a serious
problem, and for that they deserve credit.
So where do I think this
will all end up? I think that at some point in the not too distant
future, things will start to become more standardized on a network
level - while things will become more differentiated on the user
end. In other words, as legitimate mail becomes more readily
identifiable in its own right as legitimate mail, we will see more
consistency in how both legitimate mail is delivered, and how
questionable mail and spam are handled. With some consistency across
the board, the final processing choices then are in the hands of the
end users - to use a challenge response system, to use an end-user
level spam filter, to just accept all and then delete, whatever that
individual user's choice is. Already we are seeing that some of the
major ISPs are touting "putting the choice in the end-users' hands",
and consider that to be one of their competitive advantages. And as
there comes a time when fewer and fewer users can remember a time
when they didn't have at least one computer and email address, the
general level of user sophistication will rise, along with user
understanding as to what their ISP can do, and what they themselves
must do about spam.
Q: What are the most
common problems/issues and their solutions facing businesses and
A: 1) Making sure that
users get the email they want.
2) Making sure that users
don't get the email that they don't want.
3) The impact which
dealing with spam has on workplace productivity
4) Keeping offensive
email out of the workplace.
Q: Do you have some
stories about very challenging situations and their resolution?
A: Getting senders who
have always done things a certain way to consider doing things
differently (such as moving to a confirmed opt- in model) is as, but
no more, challenging as getting ardent anti-spammers to relax their
grip on a firmly-held belief that once a spammer always a spammer.
The trick is to find a common ground, even if that ground is only an
inch-by-inch square to start. Convince the sender to test out the
new level of permission mailing. Then convince the receiver to
accept just that email from the sender - after all, if the mail is
wanted, surely they want to deliver it to their users. Little by
little both 'sides' start to relax and let their guard down.
Eventually they both realize, as did those who attended the Summits
that they have as much in common as not, if not more. Legitimate
senders don't really want to send unwanted mail any more than
receivers want to receive it - if only because it means that they
are spending money, and using resources, for something which in the
best case scenario will yield no return and which may lead to quite
Q: You must have both
interesting and funny stories to tell from your many rich
experiences—please share a few.
A: When I first joined
MAPs as in-house counsel, I had to notify several colleagues as to
my move. It was quite a move, following on the heels of my fathers'
rights work. So I was a bit perplexed when I would call a colleague
and say "Hi, I just wanted to let you know that I've closed my
practice, and am now working in-house for Mail Abuse Prevention
System", and they wouldn't bat an eyelash, or indeed even comment on
my change of careers. Until I realized that while I was saying that
I had moved to "Mail Abuse Prevention System", they were hearing
"Male Abuse Prevention System" - which made perfect sense to them!
Q: If you were doing this
interview, what five questions would you ask of someone in your
position and what would be your answers?
A: 1) Why is spam so
prevalent - nobody actually buys any of this stuff, especially from
spam they have received, right?
Believe it or not, people
actually do make money from sending spam. It isn't always due to
sales of the product advertised, although sometimes it is. Affiliate
program spam is very big. People make thousands of dollars by
getting paid for every click- through which they generate for
somebody else's website - and they do that by sending out spam with
the URL of the affiliate site.
2) It seems like there
has been an increase in spam over the course of the past few months.
Is that accurate, and if so, to what do you attribute it?
Spam has been
proliferating at an astonishing rate. I have no doubt that this is
due at least in part to the equally astonishing proliferation of
anti-spam measures. The more spam that is blocked, the more spam
which must be sent in order to realize the same financial return. If
the rate of response and return has gone from 10% to 1% due to
effective spam blocking techniques, then the spammer must send out
ten times as much spam in order to realize the same financial
3) What are the greatest
challenges faced by legitimate bulk email senders today?
Without question, the
single greatest challenge for legitimate email senders today is
keeping their legitimate bulk email from being mistakenly blocked
along with the spam. No matter how careful one is, no matter how
clean the mailing list and how high the level of permission,
everyone has problems with their legitimate mail being mistakenly
caught up in spam filters, and becoming a false positive. This is
where email deliverability applications and sender validation can
really help. It's an unfortunate fact of life that it is come to
this, but there you have it. Decrying that it shouldn't be the case,
nor pretending that it isn't, doesn't help the mail get delivered.
4) Crossing over from
fathers' rights advocacy to anti-spam law and policy is quite a
change - how did you get involved in the anti-spam field?
Two words: Paul Vixie.
Paul and I knew each other when I was still a law student at
Stanford. At the time I was running a fathers' rights BBS out of my
dorm room, on my Commodore 128. It was in law school that I really
came into my own on the Internet, and by the time graduation rolled
around I had already built up a strong Internet presence for the
Fathers' Rights and Equality Exchange. At that time, however,
Stanford's policy was that you could not keep a Stanford email
account after you graduated, and it was important that we not lose
our Internet presence. Paul very kindly provided me an account on
his own machine, and thus
email@example.com was born. As my online activities grew, and
through my friendship with Paul, so too did my exposure to Internet
and spam issues. I was probably one of the very first attorneys
online to really understand and use the Internet as more than just
an entertaining novelty, although I was quickly joined by scores of
others. Still, even to this day, very few attorneys are as steeped
in it all as I ended up being from the very beginning - completely
through serendipity - I take no credit for it myself.
One day I was sharing
with Paul how utterly burned out I was in my private practice.
Unbeknownst to me at the time, MAPS was staring down the barrel of
the first of its anti-spam lawsuits, and so it was that Paul asked
me to come on-board as their Director of Legal and Public Affairs.
And the rest, as they say, is history.
5) What are your proudest
moments, your most significant accomplishments, to date with respect
to your anti-spam work?
With ISIPP they are
without question the drafting and adoption of the Advertiser
Accountability Amendment to the Burns-Wyden bill, and the subsequent
unanimous passage of Burns-Wyden in the Senate [editorial note:
happened while being interviewed]; and the huge success of the Email
Deliverability Summits in bringing together two usually opposing
sides and creating agreement regarding very important and
far-reaching issues and standards.
Prior to that, growing
Habeas from a kernel of an idea to being one of the recognized
leaders in the industry in under a year, and before that taking one
of MAPS' most vociferous and vehement litigants and helping them to
become a model for responsible bulk mailing.
Q: Do you have any more
comments to add?
A: Yes - it's incredibly
rewarding to have the great fortune to able to be involved on this
level, and to this degree, in what are cutting edge issues and
solutions. I feel very, very fortunate, and take my responsibility
as an expert to get it right very seriously.
Q: Your breadth of
talents, deep insights, incredible wealth of knowledge and
experiences are so valuable to our audience—thank you for sharing.
A: It has been a
privilege and has been absolutely my pleasure. Thank you so much for
asking me, and please consider me a resource and contact me any