Opt-in vs. Opt-out
Sarcasmo writes: "The Internet Law Journal has a very in-depth piece on the issue of opt-in vs. opt-out that takes on the good and the bad from both sides. How the current situation will (or will not) be handled, will depend on what conclusion lawmakers come to on this core debate. An opt-in requirement is TILJ's conclusion. What's yours?" This is a good, well-reasoned analysis - exactly the type of analysis that holds no weight in legislatures.
Obviously you are not involved in the administration of real mail servers. It's only a few seconds to you as the end user. But it's a lot of traffic for the ISPs which have to pay per MB.
Sebastian
When your bank or brokerage sends you a copy of its privacy policy, full of ambiguous language, and saying "Since we protect your privacy, there's no need for you to opt out of our information sharing among our family of companies", do two things:
1) Opt-out. Yes, it means writing a letter and putting a stamp on it. Deal with it.
2) In your letter, mention that you're opting-out because it's your only option available under the law, but that you're doing so under protest - and that you consider anything less than opt-in a violation of your privacy rights. Congratulate the bank on coming up with a wording ("information sharing") that sounds so harmless that most consumers are unlikely to realize what it really means.
3) Print out a second copy and send it to your Representative and Senator. Use proper "Cc:" snail-mail etiquette -- you want your bank to know you're telling your Congresscritter, and you want your Congresscritter to know that your bank knows.
Thank the critter (especially if he or she voted for it) for the new privacy law that's forced banks to do this very small ("opt-out") notification. Tell them that you realize the bank (or more accurately, the DMA, on request of its members) is going to use a low response rate to this "you have an opportunity to opt-out" mailing campaign as "evidence" that the consumers really do like to eat their spam, "or they'd opt-out, but since 0.00001% actually bothered to opt-out, the other 99.99999% must like receiving special offers through the mail and telephone and email!".
Tell your congresscritters that silence does not imply assent.
You know the argument's bogus. But the DMA, with millions of dollars in lobby funds, is gonna try to make it. And they'll succeed, unless you - yes, you there, behind the keyboard - get off your ass and do something.
Silence does not imply assent. But the DMA is going to try very hard to convince your congresscritter that it does.
The logical response is to deny the DMA the silence it needs to pull off the scam.
The only way opt-out will ever work is if there's a relatively easy way to make a complaint and collect a couple hundred dollars (a sum large enough that many people will file complaints).
At least the DMA has to fight this opt-in vs opt-out battle. When they win with opt-out, then the battle will be for no meaningful consequences for not honoring the opt-out request effectively.
PJRC: Electronic Projects, 8051 Microcontroller Tools
You can add a secondary mailing address to your credit card. When the address is checked, it can be checked against that address as well as your billing address. It makes things easier to mail to work with and get around the problem of not sending everything home.
While on the whole I think TILJ makes a good argument against the DMA's claims, it looks like they made one big goof:
Am I misreading that, or did they just say "it's okay to spam people to tell them about opt-in"? Didn't someone just win a lawsuit on exactly such (or at least very similar) spam?
--
BACKNEXTFINISHCANCEL
KACHING!
They owe you $500/call. It is illegal to telemarket cell phones. See Junkbusters
What do you mean it doesn't cost anything other than a few seconds?!?!?
How bout it probably costs a dollar or so of the price you pay for net access??!?! You think servers and bandwidth just grow on trees and don't cost an ISP time and money to maintain?
What about lost revenues when some spammer piece of shit floods a server and crashes it? What then, genius?!?! What about the time and effort that I could have spent jerking off to goatse.cx when, instead, I'm stuck sorting through spam that makes it through my filters??!?!
If I wanna buy your crappy products, I'll let *you* know - don't tell me about them yourself. If I buy your dick-pump, that doesn't mean I want my info sold to a Dutch bestiality website!
I'll let the bunny-huggers bitch and moan about wasting paper...
Man, talk about trolling...But, since I'm here.
What you say is true about spammers, but that isn't really what this is about. If you are talking about being able to opt-out of receiving the mail, it certainly isn't the type of spammers you are talking about. This is about a company who wants to send you email after you sign up on their page. And for these things, I think opt-out is fine. You are signing up to receive something from them (whatever it may be) and it should be your responsibility to tell them if you want them to do something different with your data. I equate it to going to McDonalds. You have to ask them to not put pickles on your burger, because it's not what they normally do. If you want the company to do something different (like not send you mail) then you have to tell them. Of course I fully support being able to tell them not to send you anything also.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Of course, faking registration would be a violation of federal law, subject to investigation and arrest by the appropriate agencies.
The basic Idea is to make it highly Un-profitable to be sending spam. And a real hassle with internet bounty hunters tracking you down all of the time.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
Several months ago, we set up a tiny business and visa merchant account to do a bit of e-commerce from our little web site, and since then we've had a couple attempted fraudulent transactions. This is a brief story about what information we have available as a (tiny) merchant, with the current state of today's information sharing.
When we get a suspicious transaction, which usually means the shipping and billing addresses are very different, the first thing we do is stall. Normally we process the order in the afternoon when there's just enough time left to get to UPS or the post office (but since this is only a part-time effort, sometimes I'll do it at lunch time or some other window of opportunity... worst case in the next morning before work). For a suspicious order, stalling a day or two and then attempting to run the credit card almost always ends up in the card being declined. Often times we'll get transferred to an operator who instructs us to hold the card (not give it back to the customer), but since we only do on-line orders and don't have a brick-n-mortar store, that's not possible.
A couple months ago, we had a very interesting fraudulent transaction that didn't get declined. Robin immediately recognized that it was similar to another declined card from a few weeks prior, where the shipping address was to Indonesia and a billing address in the US, where the billing name was an anglo-sounding name, and the shipping name was the same last name, but an obviously eastern sounding first name. The order was placed on a Friday, so we waited and ran the card Sunday evening. We expected it to be declined, but it went through.
Now at this point, a giant database of all the spending habits of every card holder (or at least the one for this particular card) would be nice. I'm sure lots of people at the Direct Marketing Association dream of such a database, as is alluded to in section 1.B of the article, but the sad fact is that as a (very small) merchant, all we have is whatever information the customer typed into the form on our web site, and the phone number of our bank and credit card processing company (Nova in our case).
So, Robin called the bank, and not quite knowing exactly what to do, she said "I've got a transaction here that I'm not very comfortable with". They did the usual address verification, and the US address we received didn't match the card's billing address. The bank will never disclose the card holder's actual billing address... you only get "match", "partial match" or "no match". The operator did actually disclose that the zip code matched. They couldn't do much more, but they gave Robin the number of the bank that had issued the card.
Then Robin called the card holder's bank, and started a similar "I've got a questionable transaction here" conversation. They were really glad that we called... they really like it when merchants call if they see anything unusual. Again, the bank would not disclose any details to us about the card holder. They would not disclose any specific details about the card holder's purchase history. They did look into the history and warned us that the card holder had contested the charges from several internet-based purchases. The bank had the card holder's phone number on file. They would not give us the phone number, but they called the card holder for us and transferred us into the call. The woman wasn't home, but Robin got her answering machine and left a message with our number to call and confirm that she had actually placed an order with us.
By the next day we hadn't heard back, so we reversed the charge to the card and sent an email to the contact address that we could not process the order due to having the incorrect billing address, and that we would process it when we received a voice phone call.
As compelling as the Direct Marketing Association's argument is, that a giant database of consumer spending habits would be useful in combatting fraud, the truth is that there is already a pretty good system in place that doesn't disclose almost any private information to merchants. The banks have this information, and they automatically monitor spending patterns on all credit cards and place a hold on cards that appear to be abused. Anyone who's made a few large purchases in a row has probably received a call from their bank to confirm. When a merchant has a questionable transaction, they can call their bank and ultimately the customer's bank. While the banks won't disclose virtually any private information about the customer, they are very helpful when it comes to detecting fraud. In almost every case, they manage to decline new transactions when there's been unusual spending patterns, and in the rare cases where the bank hasn't already placed a hold on the card, they are very helpful and effective without disclosing the card holder's private information.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Yes and no...
No. If they gather it from places who can gather such data on you.
Yes. If you contract that information out to statistic gathering websites who pay you to take surveys.
I don't actually exist.
I have zillions of email addresses. Since I own whole domains, any username on any of them used exclusively for myself will come to me. So I should have a right, under an opt-out system, to opt-out of them all, right? If the opt-out system won't take domain wildcards, then I have no choice but to opt-out of each and every discrete address, in advance. Assuming usernames are made from just English letters and decimal digits, and run up to 8 characters, then I will need to do 2901713047668 opt-outs. That overflows an unsigned 32-bit integer 675 times. Then there are usernames with dashes, dots, underscores. And they can be longer (I've used as long as 60 and I bet it can go way more than that). Oh wait! I also have zillions of subdomains, too, with the power of wildcard DNS entries that have MX records.
In order to opt out just with that number I gave above, and to get it done within a year, I'd have to send in, and they would have to process, 91951 opt-outs EVERY SECOND of the whole year!
now we need to go OSS in diesel cars
I don't get how opt-out could actually work. If you are actually stupid enough to reply to the "remove me" addresses on spam, your address is upgraded to "verified", and thus gets premium prices from other spammers who buy spam lists. So if you give your address to an "opt-out" list, then an "honest" spammer will try to remove you, but since honest spammers are as rare as six-foot puca rabbits, you won't actually be opted out of any spam.
It's what the spammers want to think of it as.
It's simply confirmed opt-in. Even the fairly clueless marketdroids understand how important it is to confirm important decisions. They just don't think it's important to confirm opt-in, because any errors are in their favor, and they want to send you spam.
Every legitimate email list already does at least most of this. I'm on a couple that give out regular messages about your subscription, a quick reminder how to opt out or change other settings, and they all confirm subscription before they execute them.
Spammers, however, are scam artists. They really do think they can make "Opt in" mean "I can opt you in, or anyone else can, whenever we feel like it, but it's ok cause you can opt out again whenever you want," and we'll just look at them like a cute and precocious child that has just shown such marvelous cleverness. We're not supposed to notice that the (horribly overrated) cleverness was directed at thievery, no, we should fork over the loot as reward for their dimples and bullshit skill.
"That old saw about the early bird just goes to show that the worm should have stayed in bed."
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
I made the mistake of giving my cell phone number to a catalog company I ordered from around Christmas-time, so that in case there was a problem with my order they could easily contact me. (Since the present was for my wife, I didn't want to give my home phone number.) Now I get regular calls from companies associated with this marketing firm on my cell phone. This in spite of the fact that I have twice demanded that they remove all references to me from their database. We've now sent them a registered letter demanding they do so.
Not only that, but this MemberWorks company started charging my old CC account for services I did not order. We quickly cancelled that CC and got a new one. Looks like I'm going to have to change my cell phone number as well :-(. Which means notifying all my friends and business contacts of the new number. Some of whom I'll no doubt miss.
So when the DMA self-servingly argues that "opt-out" provides even the same, much less better, consumer protections, I can tell you from personal experience they're blowing smoke out their collective posteriors.
But, once the accusation is made, they would have to rebut the accusation by offering proof.
Fight Spammers!
If you do a good job of writing down who called and when they called you'll have the evidence you need to make it more than well worth while to take a 1/2 day off of work and sue them. Chances are that the judge hates telemarketers too and will have a very sympathetic ear.
I don't want free as in beer. I just want free beer.
The DMA says that opt-in increases the likelihood of identity theft. What about all the people who go through your mail looking for credit-card offers?
It's hard to be religious when certain people are never incinerated by bolts of lightning.
"Since an 'opt-in' approach reduces the amount of information available to sellers regarding the consumer's preferences, spending habits and typical behavior patterns, it hampers sellers' efforts to detect 'unusual' purchases and alert the consumer to possible fraud."
I can't wait to get e-mail informing me that I must not be who I seem, because the REAL Lore Sjöberg would be sure to take advantage of these LOW LOW PRICES!
If you don't want my koalas, baby, don't shake my eucalyptus tree.
Doesn't matter. You can ask the phone company whether or not something is a cell phone or not. It is illegal to telemarket a cell phone, PERIOD.
From the TCPA (emphasis mine):
No person may initiate any telephone call (other than a call made for emergency purposes or made with the prior express consent of the called party) using an automatic telephone dialing system or an artificial or prerecorded voice,
To any emergency telephone line, including any 911 line and any emergency line of a hospital, medical physician or service office, health care facility, poison control center, or fire protection or law enforcement agency;
To the telephone line of any guest room or patient room of a hospital, health care facility, elderly home, or similar establishment; or
To any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call;
Opt-in is better, but under a lawsuit (which has happened before), confirmed/double opt-in is best. Vendors catch all the joe jobs, the spoofs, and also have proof of their users' intent to subscribe. This *should* hold up in court should someone sue after double-opting-in. (But IANAL)
--
WolfSkunks for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.keenspace.com";
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
Lost profits do not equal 'costs'. What the DMA calls costs are in fact lost profits.
The idea of opt-in requiring more direct mail is another deliberate falsehood. In Europe there is a box to tick on the original sign up, leave it blank and you are opted out. When the privacy directive came into force there was a long phase in period. The idea opt-in would generate more mail is a deliberate lie.
All 'opt-in' amounts to is attaching an implicit provision to every consumer contract that stipulates that the information provided is confidential.
In Europe the banks and credit card companies keep their customers' balances and purchases secret. They consider themselves to be under the same duty of secrecy as a lawyer. In the US this information is considered fair game to sell to anyone the bank chooses.
Most successful dotcom companies have made an issue of protecting their customers' privacy.
The only reason why the US is resisting European style privacy laws is the vast quantity of campaign bribes. Once privacy becomes an issue however the Congress types won't stay bribed and compete against each other to pass the most draconian privacy bill and claim ownership of the issue.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
War is peace. Freedom is slavery. Opt-in is a security risk. For those who haven't read the article, here's a beautiful quote: Ironically, this is only a problem because we have such weak privacy laws and infrastructure. It's still pathetically easy to steal someone's identity: a SS#, an addressed envelope and a little social engineering. Of course it's illegal, but since when has that stopped anyone? It needs to be difficult as well. And the less information about me floating around the public datastream, the more difficult it is.
question: is control controlled by its need to control?
answer: yes
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Bulk Opt Out, version 1.0.0
For people with bulk email addresses.
now we need to go OSS in diesel cars
Call me crazy, but I just don't trust that my info won't "accidentally" find its way into some other database, somewhere.