“In 2004, I asserted that Unspam’s proposed registry would be ineffective at limiting or curbing unsolicited email. In 2017, this has proven to be true.” – Pete Ashdown, Founder of XMission
The most pernicious of government programs are those that are small and unnoticed. Without oversight, they often deliver questionable value to a very limited audience without being recognized for such. These programs tend to fester for years or decades before getting noticed but are often hard to kill even when they are. By all accounts, the state Do Not Contact registry seems to be one of them.
A Questionable Start
The Utah Child Protection Registry, also known as the Do Not Contact list, took effect July 1, 2005 after then-Attorney General Mark Shurtleff lobbied heavily for it. A similar registry was created in Michigan the year before, and the same company, Unspam Technologies, was awarded both contracts and has held them continuously since then. The Utah legislature has made some slight modifications to the relevant code in the years since, but it has gone untouched since 2009.
The bill creating it, HB 165, was passed in 2004, the final version of the bill receiving a 24-0 vote in the Senate and 66-0 vote in the House. The committee responsible for it had little discussion about the bill before providing a unanimous recommendation with all testimony provided by Pat Shea and Mark Shurtleff. There does not appear to have been any technical input as to the feasibility of the registry, though the FTC outright rejected the possibility of a national registry citing security and technical concerns.
A lawsuit by free speech advocates arguing against it was dismissed in 2009 and it has existed quietly since then. During that fight, Mark Shurtleff quietly hired Unspam’s lawyer to work in their office, racking up bills well over $100K. In addition to these cost overruns, the program failed to produce the anticipated revenues, generating only $187K of the promised $3M to $6M as of April 2007. Per the contracts with Unspam, they keep 80% of the revenues they collect. Figures from the Utah Division of Consumer Protection show a total of $319,359.58 in revenue to the state between July 1, 2005 and June 2017 with Unspam keeping over $1.25M. The annual revenues have also been largely unchanged during this time period aside from an outlying bump in 2007-2008.
A lack of oversight?
The two state registries operated by Unspam were both created through Unspam’s own lobbying. Unspam Vice President of Governmental Affairs (read: lobbyist) Michelle Scharff’s position was previously held by Evelyn Everton, both of whom worked on Orrin Hatch’s 2012 re-election campaign and have been in and out of various paid lobbyist and campaign positions over many years. Unspam employs a separate lobbyist just for the Michigan equivalent of Utah’s program. A search of LinkedIn shows most current and former employees were from similar backgrounds, lobbying rather than technology.
But what do their current employees actually do? With no proposed or passed modifications to the law governing the registry since 2009, it doesn’t seem to make sense to hire a well-known lobbyist as what appears to be a full-time employee. The seemingly small change in volume since 2008, and the ability to have what few changes there are run in an automated fashion, also don’t seem to justify at least four people on their management team plus a director of media relations (though it appears founder Matthew Prince is currently busy working at CloudFlare, a DDoS protection company). LinkedIn does not show any technical employees currently at the company. Additionally, public data from the mobile phone game Ingress shows both CEO Eric Langheinrich (game name elanghe) and Scharff (game name michadi) are often spending hours on multiple weekdays playing the game all across Utah, Nevada, Idaho, and Wyoming, not in the office performing work duties.
I attempted to use the contact form on the registry’s website to obtain more information, but the request went unanswered. Curiously, Scharff reportedly asked questions about me in a private Facebook group within a day of having sent the request. This seems to hint that Unspam is receiving messages but may be selective about which ones they will choose to respond to. I ended up sending a formal GRAMA request to the Utah Division of Consumer Protection, the agency responsible for administering the program, in order to find out more about the program.
When asked for performance and financial audits, the Utah Division of Consumer Protection was unable to offer any. “The Division and its vendor periodically test the Registry. There are no formal performance or financial audits,” replied Jennifer Bolton, Public Information Officer for DCP. The RFP information provided did not indicate that any competing bids were received or considered. With Unspam’s current contract expiring July 1, 2017, DCP responded that they are still working on an RFP to see who will continue to run it, but that short runway makes it look like no other applicants will be able to bid, much less be considered. This paints a troubling picture of a sweetheart deal for a company with political connections and lobbying muscle.
Since the registry was created in 2004, anti-spam technology has evolved into something that would make the tools of that time look like Tinkertoys. Large companies such as Google, Microsoft, and Yahoo employ complex algorithms that are very effective at blocking unwanted messages with a low rate of false positives. Even smaller companies such as Telegram employ anti-spam measures that do not rely on blocking messages to specific recipients.
Unspam’s website claims that they have a unique product for scrubbing contact lists of people who do not wish to receive messages, but this seems like a dubious claim. There are multiple companies selling services to scrub phone, email, and other contact lists, several projects on the open source software repository GitHub that can perform these actions, and even tutorials on StackOverflow, a popular programming question and answer website, providing instructions on using common decades-old UNIX utilities such as sed, awk, and grep to accomplish this. It’s hard to see why, from a technology perspective, the state doesn’t hire a contractor for a day to create a system that automates this entire process at a much lower cost than outsourcing. Even someone with a modest technical understanding would likely be able to build a similar product. Government Technology Magazine also called into question the claims of the technology being unique or novel.
Their list of patents does not seem to support the claim of unique technology. Scrubbing a list of one-way hashes is something you learn in Crypto 101. Generating white noise to mask traffic is as old as the Internet itself. Same deal with honeypots. The patents seem likely to die in any real legal fight, but Unspam is using their existence as a mark of authority despite the USPTO’s rather dismal record of properly vetting patents, particularly in the technology field, for obviousness and prior art.
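The hash-matching scrub mentioned above is short enough to show in full. This is an added example, not Unspam’s code or the registry’s actual format; the use of SHA-256, the normalization rules and every sample contact are assumptions constructed for illustration.

```python
import hashlib
import re


def normalize(contact: str) -> str:
    """Canonicalize a contact so the same address or number always hashes alike."""
    contact = contact.strip()
    if "@" in contact:
        return contact.lower()                 # email: case-insensitive match
    digits = re.sub(r"\D", "", contact)        # phone: keep digits only
    # Assumed rule: compare on the 10-digit national number, dropping a country code.
    return digits[-10:] if len(digits) >= 10 else digits


def contact_hash(contact: str) -> str:
    """One-way hash of the normalized contact (SHA-256 is an assumption)."""
    return hashlib.sha256(normalize(contact).encode("utf-8")).hexdigest()


def scrub(send_list, registry_hashes):
    """Split send_list into (allowed, removed) using only the registry's hashes.

    The sender never sees the registered contacts in the clear; it hashes its
    own list and drops every entry whose hash appears in the registry set.
    """
    allowed, removed = [], []
    for contact in send_list:
        if contact_hash(contact) in registry_hashes:
            removed.append(contact)
        else:
            allowed.append(contact)
    return allowed, removed


# Constructed sample data: what a registry operator would publish (hashes only)
# and what a marketer would hold (its own list, in inconsistent formats).
REGISTRY = {contact_hash(c) for c in ["kid@example.org", "801-555-0100"]}
SEND_LIST = ["Kid@Example.org ", "parent@example.com",
             "+1 (801) 555-0100", "801-555-0199"]

if __name__ == "__main__":
    allowed, removed = scrub(SEND_LIST, REGISTRY)
    print("allowed:", allowed)
    print("removed:", removed)
```

Because email addresses and phone numbers come from a small, guessable space, a plain hash of them does not keep them confidential on its own, so a published hash list still has to be protected like the list itself.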
“Those who advertise paid registries that can keep your email off spammer lists are not much better than the spammers themselves,” said Pete Ashdown, founder of XMission. “They are both taking advantage of consumer technical ignorance.” He also emphasized that he believes today as he did in 2004 that such a system would be and has been almost entirely ineffective at reducing unwanted electronic communication.
But does it work?
In order to determine if the program cost is worthwhile you have to know its efficacy. As previously mentioned, DCP did not have any performance or financial audits on hand. They also declined to provide any figures on how many companies were participating or how many individuals had registered with the program. Based on the revenues, though, it would appear that the program hit its plateau almost a decade ago and shows little evidence of growth or decline.
Just last year a Utah-based company was hit with $487K in fines for violating the federal Do Not Call registry. There is no evidence that they were a participant in the state Do Not Contact registry nor that the state took any legal action against them for violations thereof. (When asked, DCP declined to provide a list of participating companies in the registry.) This is not the first instance where Utah appears to have failed to enforce this law. If the goal is to prevent unwanted commercial messages to Utahns, the results from high-profile cases don’t seem to show that this is doing it.
Curiously, Unspam has operated the Project Honey Pot system for years, a way to purposefully collect and analyze electronic junk messages including email and comments to develop better filters. This approach is directly contradictory to the idea of a registry that scrubs emails from marketing lists, instead focusing on the unwanted content. Bayesian filtering has been successfully employed in email systems for at least 15 years and is currently in use by almost every single email provider. Why would Unspam operate two competing approaches, the superior of them being free? It’s also a tacit admission that any registry-based system is ineffective at stopping unwanted messages.
Audit and investigate
Given the questions concerning the efficacy of the program and revenues to the state, it seems that it’s very much time for the state to check up on this mostly forgotten program. I would encourage State Auditor John Dougall to work his magic and for the legislature to take appropriate action to wind down this program should it prove to not serve its intended purpose. The technology for preventing unwanted electronic communication has certainly evolved far past the badly antiquated method of scrubbing contact lists this program uses. These kinds of programs don’t cost much, but they are a good example of how a well-intentioned law left unchecked can potentially become a pretty big windfall for connected interests.
A copy of the GRAMA response from the Utah Division of Consumer Protection can be found here. Michigan’s Secretary of State was contacted to provide additional details on their version of the registry and did not respond by publication time.