Web and Internet News

Utah company uses student directory to spam USU students

Posted by NCmlnr on Apr 21, 2006 - 09:24 PM

A Utah-based company, operated by a BYU student, obtained email addresses of Utah State University students from the printed USU student directory by typing them into a list, and then sending a message to everyone on that list. USU computer services confirmed that over the weekend approximately 15,000 emails from the same company were received by student and staff inboxes in just a few short minutes.

It's been done to some degree before by local businesses, over-zealous candidates for ASUSU office and unintentional mailings or technical errors. What differed here was the scope of the mailing, affecting every email address contained in the recent edition of the USU student directory.

This year was the first that the student directory (printed by a private company, but sponsored by ASUSU) contained email addresses. Phone conversations with staff at USU revealed that discussions were held on the possible misuse of the email list before printing, but no disclaimers or terms of use for the information were included in the publication itself. The USU web site directory attempts to deter such abuse by limiting the number of records returned per search, which makes it labor intensive to "harvest" a large body of emails.

Worried about privacy?

ASUSU sponsors the student directory, and provides the information to a third-party for printing.

The directory indicates that a student can restrict their information by visiting the USU Registrar's office or downloading the Privacy Hold form.

The Directory Information includes all of the following: Name, Address, Phone Number, Date of Birth, Major Field of Study, Participation in Officially Recognized Activities or Sports, Weight and Height of Athletic Members, Dates of Attendance, Degrees and Awards Received, Most Recent Previous Educational Agency or Institution Attended, and Current Class Schedule.

Notice that EMAIL is absent from the list of information a student can make private.

Unfortunately, opting for restriction severely limits other things like telephone access for registration, etc.

USU should allow students more options, such as the ability to hide certain details, or simply not allow access via public (rather than staff-oriented) databases.

Also, why does providing the information to USU automatically allow USU to share it with third parties such as the company printing the guide? Shouldn't that be covered by privacy law? Private companies must give customers the election to opt out of information sharing with third parties AND with other affiliated groups within the same group of companies - i.e., a banking division sharing information with an insurance division of the same company.

If ASUSU is to continue providing student information for the directory, they should give students the option to opt out of the directory itself, or even specific information, WITHOUT having to opt out of all directory services for the University in general.

At the very least, ASUSU should require a disclaimer that the cc.usu.edu email address is government property, not to be used as a destination for commercial email, and that the addresses as an aggregate are protected by a "terms of use" agreement accepted upon using the directory.

Now, with this recent event, many of those contacted at USU stated that the issue is a concern and being discussed, as well as the technical side that would need to be developed or enforced to avoid such an issue in the future.

Currently USU prohibits bulk emails from being sent through its system unless authorized via the bulk email service. This seems to be more of an internal policy directed at USU students and staff, but a reference can be found via a search for "bulk email" on the USU web site.

Why the discussion? The major cost of email is borne by the recipient and those providing email services to the recipient. Costs include the time to deal with spam, the network and server structure to route and handle the information, the overhead of hard drive space to store emails, the electricity and internet connections the network uses in its course of routing such to recipients.

A bulk email's recipient cost is multiplied by the number of recipients, while the cost to the sender is nearly the same if sent to one hundred or one hundred million - only scaled by the time-cost of the computers used to send the email.

Anyone who sends bulk emails to any email system purposefully shifts marketing costs from themselves to others. In this case, the "other" was a state-owned facility, supported in part by tax-paying citizens. Should any organization (commercial or otherwise) be able to market to groups using state-provided services such as the USU email system? Students and staff themselves are prohibited from using any computer / email access for commercial activities or bulk emailing.

US Courts are fairly unanimous in their rulings on commercial speech: the burden for such should fall on the sender, and not the recipient. Example - the commercial fax laws and penalties. Nearly every case has been found in FAVOR of the recipient's right to not receive commercial faxes. Why? The burden and cost is on the recipient, much like in the case of bulk email. Courts generally rule that a commercial sender has the right to deliver advertising and promotional material at their own cost, but cannot "force entry" into a private domain such as a fax machine, where the cost is forced on the recipient.

The incident brings up some interesting discussion points. What is the state of spam and email lists at USU? Should student emails be used to promote local services and commercial interests? What USU policies and procedures for controlling access to and use of student contact information are needed?

The company says the email was offering a free service and therefore was not deemed to be commercial email. The site promoted in the email, however, is operated commercially - i.e., pricing information, free trials, paying advertisers - by an entity registered with the State of Utah as a business. The Federal CAN-SPAM Act defines commercial mail as:

"The term `commercial electronic mail message' means any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet web site operated for a commercial purpose)." (emphasis added)

The email sent clearly advertised content on a web site operated for commercial purposes. Prices are listed on the site for advertisers in other areas of the state.

CAN-SPAM regulates commercial email, and states that such must have certain characteristics to comply, such as an ability to opt-out of further mailings, accurate contact information (such as reply to and from fields that will return to the actual sender of the email) and identifies aggravated conditions such as the harvesting of emails from particular sources with the intent to send commercial emails.

While the relevance of the CAN-SPAM act to this particular incident could only be interpreted by the court system, if it did apply then the email in question failed the specified criteria:

  • Did not contain an option to opt out of future mailings
  • Had a fake return address (nobody@example.com - typical of programming scripts commonly run on web servers for mass emailing).

Regardless of legal status, the email was spam by any generally held definition of spam - i.e., unsolicited email. Does it make good business sense to "spam" potential users by using mass email marketing? Do those advertising with such a business need to be concerned about their own reputation, since spam is generally looked down on regardless of its apparent immediate benefit?

After all, most spam could be construed to be "beneficial" - doesn't everyone want to "Enlarge..." this or that or to "Never work again!" (sarcasm should be noted!)

While the recent incident might have been a one time event and rather benign in content, what would prohibit other less benign interests from doing the same via the USU email system such as a massive porn promotion, "male enhancement" or illegal pyramid scheme?

USU computer services stated that it could easily happen now, but they are discussing ways to deal with it. Normally, email sits in a queue for some time and suspicious emails can be handled before being delivered, and 80% of the nearly three-quarter million emails per day of generic spam is caught via filters. As the particular incident happened over the weekend and all at once, the queue was released and all 15,000 emails were delivered. Previous attempts to "throttle" - limit the number of emails through at one time - affected too many legitimate users, said USU Computer Services, and so no throttling mechanism was in place.

The script or mailing system used to send the email seemed to have some programming errors, as many emails started with the number "20" and were undeliverable. In URLs and some other internet systems, "%20" is the encoded form of a space, i.e. a computer would see "my email@somewhere.not" as "my%20email@somewhere.not"; if the "%" is then lost, a stray "20" remains in front of the address.
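The encoding defect described above is easy to catch before a list is ever used. The following is an added example, not code from the article or from the company involved: it audits a constructed recipient list (the addresses are made up) for URL-encoding residue, repairs the entries that decode to a usable address, and holds back the rest, including the "20..." signature of a dropped "%". The address pattern is deliberately conservative; it is an assumption of this example, not a full RFC 5322 check.

```python
import re
from urllib.parse import unquote

# Constructed recipient list (not the list used in the incident) that mimics the defect
# the article describes. "%20" is the URL-encoded form of a space; when the "%" is
# later stripped, a bare "20" is left in front of the name and the mailbox no longer exists.
SAMPLE_RECIPIENTS = [
    "alice@example.edu",
    "%20bob@example.edu",        # leading space that was URL-encoded
    "dave%20smith@example.edu",  # internal space encoded; no usable address underneath
    "20carol@example.edu",       # "%" lost, the "20" survived
    "erin@example.edu ",         # trailing whitespace, harmless once stripped
    "not-an-address",
]

# Conservative address syntax (an assumption of this example, narrower than RFC 5322),
# enough to separate usable addresses from the breakage above.
ADDR_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
PERCENT_RE = re.compile(r"%[0-9A-Fa-f]{2}")

def classify(raw):
    """Return (status, address).
    ok       - usable as given (after trimming whitespace)
    repaired - percent-encoding found; decoding and trimming yields a usable address
    invalid  - cannot be turned into a usable address
    suspect  - syntactically fine but starts with "20", the signature of a dropped "%"
    """
    addr = raw.strip()
    if PERCENT_RE.search(addr):
        decoded = unquote(addr).strip()   # unquote turns %20 back into a space
        return ("repaired", decoded) if ADDR_RE.match(decoded) else ("invalid", decoded)
    if not ADDR_RE.match(addr):
        return ("invalid", addr)
    if addr.startswith("20"):
        return ("suspect", addr)
    return ("ok", addr)

def audit(recipients):
    """Classify every entry; return per-status counts and the addresses to hold back."""
    counts = {"ok": 0, "repaired": 0, "invalid": 0, "suspect": 0}
    hold = []
    for raw in recipients:
        status, addr = classify(raw)
        counts[status] += 1
        if status in ("invalid", "suspect"):
            hold.append(addr)
    return counts, hold

if __name__ == "__main__":
    for raw in SAMPLE_RECIPIENTS:
        print(f"{raw!r:32} -> {classify(raw)}")
    print(audit(SAMPLE_RECIPIENTS))
```

A "suspect" entry may be a legitimate mailbox whose name happens to begin with "20", which is why the example holds it for review rather than silently rewriting it.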

As spam filters and other attempts to limit spam gain popularity, spammers will find other ways to try to deliver their message. In this case, a targeted burst could be one way to exploit a system: mass email sent to a few targeted domains with many users, all within a short period before administrators can respond. The deluge would be over before filter rules or blocks were put in place.
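The weakness the previous two paragraphs describe is the absence of any per-sender rate check between queue and delivery. As an added example, not code from USU Computer Services or from the article, the following sliding-window detector reads a constructed mail log (the lines, timestamps and addresses are made up; the log line format is an assumption of this example) and reports the first moment a single sender crosses a volume threshold within a time window, which is the signal a throttle or hold rule would act on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example, not USU's actual log format):
# "YYYY-MM-DD HH:MM:SS from=<sender> to=<recipient>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) from=(\S+) to=(\S+)$")

def parse_line(line):
    """Parse one log line into (timestamp, sender, recipient); None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def find_bursts(lines, window=timedelta(seconds=60), threshold=25):
    """Sliding-window burst detector. Returns {sender: (count, window_start)} recorded
    at the first moment each sender's message count inside `window` reaches `threshold`.
    Lines are assumed to be in chronological order, as a mail log is."""
    recent = defaultdict(deque)   # sender -> timestamps still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, _recipient = parsed
        q = recent[sender]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and sender not in alerts:
            alerts[sender] = (len(q), q[0])
    return alerts

def build_sample_log():
    """Constructed log: one bulk sender pushes 40 messages in 40 seconds, while two
    ordinary senders exchange a few messages spread over ten minutes."""
    base = datetime(2006, 4, 22, 2, 0, 0)
    events = [(base + timedelta(seconds=i), "promo@bulk.example.net", f"u{i}@cc.usu.edu")
              for i in range(40)]
    events += [(base - timedelta(minutes=5), "alice@cc.usu.edu", "bob@cc.usu.edu"),
               (base + timedelta(seconds=10), "alice@cc.usu.edu", "carol@cc.usu.edu"),
               (base + timedelta(minutes=3), "bob@cc.usu.edu", "alice@cc.usu.edu"),
               (base + timedelta(minutes=5), "alice@cc.usu.edu", "dave@cc.usu.edu")]
    events.sort()
    return [f"{ts:%Y-%m-%d %H:%M:%S} from={snd} to={rcp}" for ts, snd, rcp in events]

if __name__ == "__main__":
    for sender, (count, start) in find_bursts(build_sample_log()).items():
        print(f"burst: {sender} sent {count} messages within 60s starting {start}")
```

Keying the window on the envelope sender is the simplest choice; the article's own observation that throttling "affected too many legitimate users" is the reason a real deployment would tune the threshold and window per sender class (internal list servers versus unknown external hosts) rather than apply one global limit.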

Spam is a nuisance, but email will continue to be a cheap effective way to take a message to thousands or millions of people at once. Mass email marketing falls into that gray area...one bounded more by ethics, general business guidelines and the image the emailer is trying to maintain, than by legal factors.

In the realm of commercial email, most companies refrain from sending unsolicited emails and instead opt to limit internet marketing to specific requests or opt-in lists. They forego the instant surge of interest a mass mailing might generate in order to focus on the long-term reputation and image of their business, and instead limit emails to existing customers and parties that express an interest before the flood of marketing begins.

In terms of full disclosure, the email in question offered a service similar to a section of TrueAggie.com. This article's intent is not to malign the competing service provided to students or the company involved, but to shed light on the issue of spam and the use of USU contact information for email marketing. In fact, TrueAggie.com had several discussions with the other company on whether to partner and share information between web sites before this incident occurred, and had met with the owner in person. The text of the article was read to the owner so he could comment on any particular wording, and some wording was changed due to feedback from him. The intent is to report as news on the state of the USU email system and the facts of the email campaign. As such, we do not mention the name of the company or owner.

TrueAggie.com does not send unsolicited email advertising this site or its services, free or otherwise, or share contact information with third parties beyond what users elect to share via their own account settings.

Want to report spam?

USU doesn't have a built in spam reporting system. Spam reports can be directed to the Computer Services Help Desk if desired.

Online, many spam reporting systems are in place, probably the best being SpamCop.net.

There, you can report spam and SpamCop will analyze it, try to find the source, and add the source to a database of known spam servers as well as reporting it to ISPs and hosting services.

Another method is investigating the source (using email headers to find the originating IP address) and contacting Internet Service Providers. Many have spam policies in place, and will remove spamming accounts. Be careful here, though: some less-trustworthy ISPs are in league with or even owned by spammers. Attempts to contact them might bring repercussions - such as overloading your email, putting your address in the FROM field of their next batch of spam (known as a Joe Job), and other mean-spirited attacks.
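Two of the checks this article leans on, tracing the originating IP address through the Received headers (described just above) and testing a message against the CAN-SPAM points listed earlier (an opt-out mechanism and a genuine return address), can be done with the standard library. The following is an added example, not code from the article, SpamCop or USU; the raw message is constructed (documentation-range IP addresses, made-up host names), the set of trusted relay host names is an assumption, and the "placeholder address" test is a heuristic, not a legal test.

```python
import email
import email.utils
import ipaddress
import re

# Constructed raw message (not a real capture). Three Received hops, a placeholder
# From address and no opt-out mechanism, matching the defects the article lists.
SAMPLE_MESSAGE = """\
Received: from mx1.cc.usu.edu ([10.0.0.5]) by inbox.cc.usu.edu with ESMTP; Sat, 22 Apr 2006 02:00:05 -0600
Received: from mailer.example.net ([203.0.113.7]) by mx1.cc.usu.edu with ESMTP; Sat, 22 Apr 2006 02:00:04 -0600
Received: from localhost (localhost [127.0.0.1]) by mailer.example.net with SMTP; Sat, 22 Apr 2006 02:00:01 -0600
From: nobody@example.com
Reply-To: nobody@example.com
To: student@cc.usu.edu
Subject: A free service for USU students

Visit our site for a free trial!
"""

# Address ranges that can only be our own relays or loopback; a hop "from" one of these
# is an internal handoff, not the origin. (Documentation ranges such as 203.0.113.0/24
# are deliberately NOT listed, so the sample's external hop counts as external.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches the common "from <name> (... [ip]) by <host>" shape of a Received header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^\]]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)",
    re.S)

def received_hops(raw):
    """Return [(from_ip, by_host), ...] in header order: newest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group("ip"), m.group("by").rstrip(";")))
    return hops

def origin_ip(raw, trusted_hosts):
    """Originating IP: the newest hop that one of OUR servers (trusted_hosts) recorded
    receiving from an external address. Received lines below that hop were written by
    outside servers and may be forged, so they are not consulted."""
    for ip, by_host in received_hops(raw):
        if by_host in trusted_hosts:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in INTERNAL_NETS):
                return ip
    return None

# Heuristic placeholder detection (an assumption of this example): local parts that
# signal "do not reply" and the reserved example.* domains.
PLACEHOLDER_LOCALS = {"nobody", "noreply", "no-reply", "donotreply"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

def can_spam_checks(raw):
    """Two of the CAN-SPAM points the article cites: an opt-out mechanism and a
    return address that could plausibly reach the sender."""
    msg = email.message_from_string(raw)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = from_addr.partition("@")
    text = ("" if msg.is_multipart() else msg.get_payload() or "").lower()
    has_opt_out = (msg.get("List-Unsubscribe") is not None
                   or any(w in text for w in ("unsubscribe", "opt out", "opt-out")))
    return {"has_opt_out": has_opt_out,
            "from_is_placeholder": local in PLACEHOLDER_LOCALS or domain in RESERVED_DOMAINS}

if __name__ == "__main__":
    trusted = {"inbox.cc.usu.edu", "mx1.cc.usu.edu"}
    print("hops:", received_hops(SAMPLE_MESSAGE))
    print("origin:", origin_ip(SAMPLE_MESSAGE, trusted))
    print("checks:", can_spam_checks(SAMPLE_MESSAGE))
```

The important design point is in origin_ip: only the Received line added by a server you control is trustworthy, so the trace walks from the top (your own servers) downward and stops at the first external address they recorded. Reading from the bottom up, as is often suggested, would let a sender seed the message with fabricated Received lines and point the complaint at an innocent third party.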
