The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Tuesday, October 17, 2006

State of Utah leaks email addresses from children's no-spam list

Some months ago, I wrote about laws which would establish do-not-spam lists for children.

In yesterday's news, there was an article about how the state of Utah had accidentally exposed a few email addresses from its do-not-spam-children registry. This incident is being framed as revealing a fundamental flaw in the system. To wit: not only will the registry fail to protect children, it actually increases the risk that children's email addresses will be exposed.

It's worth noting that the leak did not come from the registry maintainer, Unspam Technologies, but from the state itself. In this case, the email addresses in question had been listed in complaints filed by parents, and the state failed to redact them when making the citations available to the E-mail Sender and Provider Coalition. (This is the same organization which successfully lobbied against a similar child protection law in Georgia.)

The actual do-not-spam-children registry maintained by Unspam is stored in a hashed format which makes it impossible to extract email addresses. To quote Matthew Prince, CEO of Unspam: "Even if ordered by a court or held at gunpoint, there is no feasible way that I, any Unspam employee, or any state official could provide you even a single address that has been submitted for compliance by any sender."

In all fairness, I should point out that although it's impossible for Unspam to provide any email address, a spammer could have a list filtered through the Unspam database and then compare the before and after versions; the addresses that were removed are the ones on the registry, so children's email addresses could be obtained in that manner. This is the technique which was probably used by the spammer who sent threatening letters to Blue Frog subscribers earlier this year.
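The two properties described above, as an added example (not Unspam's code; the page does not describe its hashing scheme, so unsalted SHA-256 over a lower-cased address, every name below, and the sample addresses are assumptions): the stored records contain no addresses, yet the scrubbed result tells a list owner which of the addresses it already held are registered.

```python
import hashlib


def digest(address: str) -> str:
    """Normalise one address and hash it (SHA-256 is an assumption)."""
    return hashlib.sha256(address.strip().lower().encode("utf-8")).hexdigest()


class HashedRegistry:
    """Hypothetical registry that keeps digests only, never plaintext."""

    def __init__(self, registered):
        self._digests = frozenset(digest(a) for a in registered)

    def stored_records(self):
        """Everything the operator holds: fixed-length hex digests."""
        return sorted(self._digests)

    def scrub(self, sender_list):
        """Return the sender's list with registered addresses removed."""
        return [a for a in sender_list if digest(a) not in self._digests]


def disclosed_by_scrub(before, after):
    """Addresses whose registration the scrub result reveals to the sender."""
    kept = {a.strip().lower() for a in after}
    return sorted({a.strip().lower() for a in before} - kept)


# Constructed sample data; none of these addresses come from the page.
REGISTERED = ["kid1@example.com", "kid2@example.org"]
SENDER_LIST = ["adult@example.net", "Kid1@example.com",
               "other@example.net", "kid2@example.org"]

registry = HashedRegistry(REGISTERED)
scrubbed = registry.scrub(SENDER_LIST)
disclosed = disclosed_by_scrub(SENDER_LIST, scrubbed)

if __name__ == "__main__":
    print("operator holds:", [r[:12] + "..." for r in registry.stored_records()])
    print("sender gets back:", scrubbed)
    print("registration revealed for:", disclosed)
```

The disclosure is limited to addresses the sender already possessed; what the scrub adds is the knowledge that those addresses are on the registry.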

