Ever wonder how a certain company sending unsolicited e-mail messages got your address?
Michael Rathbun, the director of policy enforcement at Allegiance Telecom, an Internet service provider in Dallas, says he thinks he has = much of the answer.
Some five years ago, Mr. Rathbun bought a Palm hand-held organizer and, in registering it on Palm's Web site, gave the com= pany an e-mail address he never used for anything else. Initially his in-box received only offers for products related to the organizer, but eventually = he started getting advertising from some well-known companies like Bank of America, SBC Communications and Sprint. Lately, that one address alone has been receiving dozens of e-mails a month offering everything from travel clubs to acne remedies.
"This is not stuff," Mr. Rathbun said, "that I should be getting from them."
The problem of spam or unwanted commercial e-mail is usually attributed = to outlaws and hucksters — peddlers of pornography, get-rich-quick schemes and pills of dubious merit — who use hackers to send their fraudulent messages = in ways that cannot be traced.
But the torrent of spam that is flowing into people's electronic mailbox= es comes not only from the sewers but also from the office towers of the bigge= st and most well-known corporations.
Established companies insist they send e-mail only to people who have voluntarily agreed to receive marketing offers. A spokeswoman for Palm says= it does not know how Mr. Rathbun's e-mail address got into the hands of spamme= rs and says it has never sold its customer list.
But often companies rent e-mail lists from a cottage industry that has emerged to lure Internet users, through a variety of schemes, into signing = up for e-mail marketing.
At best, if you have ever entered a contest to win a prize, subscribed t= o an online newsletter or simply purchased a product on the Web, you may well ha= ve also agreed, as many such fine-print contracts put it, "to receive valuable offers from our marketing partners."
This practice falls under the rubric of what is called opt-in marketing,= or getting permission to send advertising messages.
But many e-mail executives admit that these same list companies also add= to their databases by buying, trading — sometimes even stealing — names.
"Everyone is looking for a quick buck now, and people are claiming = to sell opt-in data who don't have it," said Pesach Lattin, who runs Adsp= yre, a New York e-mail marketing firm.
Moreover, some companies have allowed the e-mail addresses of their own customers, either deliberately or inadvertently, to fall into the hands of = list peddlers who in turn sell them to e-mail marketers of all stripes. Sometime= s, the lists are stolen from corporate owners by employees or vendors looking = to make a quick profit. But in many cases, the big companies are deliberately buying and selling access to names, relying on privacy policies — often har= d to find on their sites — that they say permit such actions.
"White-collar spam" is how Nick Usborne, a newsletter writer a= nd Internet marketing consultant, refers to this phenomenon.
"When a responsible company," Mr. Usborne said, "gets som= eone to sign up for a newsletter and says, now that we have their e-mail address let's make more money off it and send them e-mail they didn't ask for, that= 's white-collar spam."
The antispam bill passed unanimously by the Senate last week imposes tou= gh penalties on people involved in the lowest forms of spam but it does not de= al with the central questions Mr. Usborne and others raise about white-collar spam. It does nothing, for example, to establish rules defining an appropri= ate list of names that a purveyor of a legitimate product can use to send an of= fer by e-mail. Nor does it regulate the transfer of names between companies.
The law would require that every e-mail message offer recipients a metho= d to remove themselves from an advertiser's mailing list. But with the way that names are traded today, this method would do little to reduce the amount of e-mail people receive, industry executives say.
"People don't realize that once you sign up for a contest or free s= tuff on the Web and you forget to uncheck a box, these people will pass your nam= e to a hundred other people,'` said Paul Nute, a partner of Soho Digital, a New = York advertising agency that represents e-mail marketers. "You've just rais= ed your hand and said, `Send me the diet pill offers.' And there is no way to = get them all to stop."
A new state law scheduled to take effect in California on Jan. 1 tries to take a stricter approach: it requires that commercial e-mail to or from any= one in the state be sent only to people who specifically request information fr= om the advertiser. Many in the e-mail industry read the law as curbing many of= the more common ways that names are gathered and used, but the exact limits wil= l be left up to the courts to define.
Moreover, if the federal bill passed by the Senate is enacted it would v= oid most state spam laws, including California's. Although the Senate bill also authorizes the Federal Trade Commission to create a do-not-spam list modeled after the wildly popular do-not-call list that is already starting to curb unwanted telemarketing calls, F.T.C. officials said that, unlike telemarket= ing, it would be extremely difficult to determine the difference between solicit= ed and unsolicited e-mail. That is in part because so many companies go beyond their own customers to rely on opt-in list collectors.
Not surprisingly, companies that are active users of conventional mail s= olicitations have gravitated to e-mail, which can be far cheaper, to push certain produc= ts. These include Morgan Stanley's Discover Card, Altria's Gevalia Coffee, Schering-Plough's Claritin, and The New York Times, which uses opt-in e-mail lists to sell subscriptions.
One such list maker is Xuppa.com, a 38-person firm working from a cramped office in Midtown Manhattan across Seventh Avenue from Macy's department st= ore. It has gathered half a billion e-mail addresses since it started four years ago, but most of those are no longer valid. The 65 million names left on its lists, Lance Laifer, Xuppa's chief executive, says, have given permission to receive marketing messages.
Visitors to Xuppa.com are encouraged to enter its $1 million sweepstakes= . To do so they must enter not only their e-mail address but postal address and telephone number as well. Entering the contest gives Xuppa permission to ma= rket to users. On the same Web page, some 75 other offers from advertisers are displayed, each adjacent to a check box — some already checked by default. = When Xuppa users enter the contest, their personal information is passed to any advertiser whose offer is checked.
"There are a lot of people who would rather register and give their e-mail addresses than pay for services," Mr. Laifer said.
This process of putting many offers on one page where users enter information is called co-registration, and it has become one of the main wa= ys that names are gathered online.
Some such sites make it hard for users to see all the lists they are joining. AmericanGiveAways.com, a site run by Synergy6, allows users to register to earn free gifts. "By signing up with us," a notice at= the bottom of the page reads, "you are also agreeing to receive great offe= rs, special coupons and promotions from our partner sites."
Dozens of partners are listed on separate links, yet once a single butto= n is clicked each of the advertisers can claim — with some degree of truth — that the user agreed to receive marketing messages.
Such sites stretch users' consent beyond any recognition, argues Seth Go= din, a former Yahoo executive, who coined the term "permission marketing" to define t= he practice of sending e-mail marketing to people who ask for it.
"The people who are talking about permission marketing are almost entirely doing it wrong," Mr. Godin said. "Greed and avarice drove people to wreck the system."
The trade in e-mail names is not limited to the back alleys of the Inter= net. Big traditional mailing list companies — like Equifax and Experian — have been buying e-mail addresses, often from these contest sites, and linking them with their vast stores of other information about people. They use this so marketers can send e-mail to people with, say, a certain disease, or who own a specific car, and so on.
The chain of permission can be stretched even further. Some names come f= rom customer lists of Internet companies that collapsed as the dot-com bubble burst. For example, MatchLogic, a Colorado marketing company that gathered = 13 million names was acquired by Excite@Home, a high-speed Internet service controlled by AT&T.
MatchLogic had a clear privacy policy that said it would not transfer th= ose names to any third party without permission. But when Excite@Home was liquidated in bankruptcy in 2001, its mailing list was purchased by a group= of marketing firms led by RHC Direct of Salt Lake City. Some of those companie= s in turn sold the list to others. Robert Caldwell, RHC's president, says he believes it is also being traded by former MatchLogic employees.
"Names get flipped and flipped and flipped until everyone's name is everywhere," Mr. Caldwell said.
Nothing is wrong with that, he contended, because the people who origina= lly provided their e-mail addresses agreed to receive marketing messages.
"As much as people talk about privacy," he said, "they wi= ll give it up for the chance to win a Lexus."
Mr. Rathbun, who also has an e-mail address exclusively used to enter a MatchLogic contest, says it has received thousands of pieces of spam, some = from big companies.
Bankruptcy courts have generally allowed the sale of lists from failed companies like MatchLogic. But those transfers were against Excite@Home's stated privacy policy, said Christopher Kelly, Excite@Home's former chief privacy officer, now a lawyer with Baker & McKenzie. He said he would advise any client not to send e-mail to that list "as there is insufficient proof of the permission of the information."
Officials at many of the big companies marketing by e-mail admit that th= e list companies are not always honest about the sources of their names. But they = say there is no way to test the quality of a list other than to send e-mail to = its addresses and find out how many complaints result.
"There are some irresponsible companies that are bringing a bad nam= e to those of us trying to be responsible,'` said Rajive Johri, executive vice president for marketing for J. P. Morgan Chase's credit card unit, an active user of opt-in e-mail.
"We do a lot of due diligence on the vendors we utilize," Mr. Johri said. "At the same time, can I feel 100 percent sure that there = are no abuses? No."