EMAIL
Beyond CAN-SPAM: New Email Laws Launch
August 15, 2005

Twelve Horse's Steve Spencer delivers the lowdown on the latest email laws.

For those of you who haven’t heard the rumblings yet, let me fill you in on one of the most controversial and earth-shaking things that has ever happened to email. New laws have been set into place in both Utah and Michigan to protect minors from receiving emails containing any inappropriate content. Sounds good, doesn’t it? Well, in concept it might. But let’s explore what it really accomplishes, what it doesn’t, why it opens new doors for exposure of your data, and who is making bank while this all gets sorted out.

Let’s start with what these laws are all about. Basically, they allow anyone who lives in Utah or Michigan to register email addresses that are primarily used by, or often viewed by, minors within these states. These addresses are then stored, and considered “protected.” It may seem scary to think of the email addresses of all of those minors sitting out there, but it’s a bit safer than that. The addresses go through a process called hashing. This process turns the email address into a unique string of gibberish that cannot possibly be undone.

Companies that want to send email (to pretty much anyone, since no one knows which email addresses really belong in Utah or Michigan, and everyone in all other states will probably register on these sites as well) must take their entire list of email addresses, hash them (that whole turn-them-into-gibberish thing), and send them to Michigan and Utah once per month. The states will then send back the portions of the lists that are not “protected.” A company then knows that what it has is safe to send to.

Still sounds good, right? Next, companies have to check in before they send Tommie or Sue any emails. And if the content is not for minors, they can’t send it. Well, as a parent I applaud the intentions. But let’s start to peel back the layers of this onion and see what that smell is.

Let’s start with the list of protected emails. The news has been plagued over the last year with stories of big companies who thought they could keep your data safe, but couldn’t. Can our state governments do any better? I would guess not. But that’s okay… the lists are hashed, right? True. But if a hacker got hold of the list, it’s simple work to write a program to create every possible email address, hash it, and compare it to the list. If it’s a match, then they have just found another set of juvenile eyes to peddle their porn to. It would not be at all unrealistic for a hacker to perform just such a feat and crack the entire list in a week or two.

A bit scary, huh? What’s worse is that if that exposed list were to get out, our efforts to protect our children could prove something more akin to tying steaks around their necks and sending them to the wolves.

But that’s not the only data at risk. Remember, thousands of companies will need to hash their lists of millions and millions of people, and send them in every month to be checked. If any of those lists gets intercepted, then they, too, could be cracked through the same process.
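The weakness described above for both the state registry and the lists companies send in can be measured on your own data. The following is an added example, not code from the article or from either state's registry: it assumes SHA-256 as the hash (the article does not name one), uses constructed addresses, and adds a keyed hash (HMAC) purely as a contrast the article does not discuss.

```python
import hashlib
import hmac
from itertools import product

def normalize(addr):
    # Addresses are compared case-insensitively, so hash a canonical form.
    return addr.strip().lower()

def plain_hash(addr):
    # Unkeyed digest: anyone can recompute it for any guessed address.
    return hashlib.sha256(normalize(addr).encode()).hexdigest()

def keyed_hash(addr, key):
    # HMAC digest: recomputing it requires the secret key as well as the address.
    return hmac.new(key, normalize(addr).encode(), hashlib.sha256).hexdigest()

def candidates(names, suffixes, domains):
    # Email addresses are low-entropy: name + short suffix + common domain.
    for name, suffix, domain in product(names, suffixes, domains):
        yield f"{name}{suffix}@{domain}"

def exposed_entries(hashed_list, guesses, hash_fn):
    # Which guessed addresses are confirmed as members of the hashed list?
    lookup = set(hashed_list)
    return sorted(g for g in guesses if hash_fn(g) in lookup)

# Constructed sample data (not real addresses, not a real key).
REGISTERED = ["tommie@example.com", "Sue2005@example.org", "q7x-kd93-zzv@example.net"]
REGISTRY_KEY = b"constructed-registry-secret"

def audit():
    guesses = list(candidates(["tommie", "sue"], ["", "01", "2005"],
                              ["example.com", "example.org"]))
    plain_list = [plain_hash(a) for a in REGISTERED]
    keyed_list = [keyed_hash(a, REGISTRY_KEY) for a in REGISTERED]
    # A party holding only the leaked list can recompute plain digests,
    # but cannot recompute keyed digests without the key.
    plain_hits = exposed_entries(plain_list, guesses, plain_hash)
    keyed_hits = exposed_entries(keyed_list, guesses, plain_hash)
    return plain_hits, keyed_hits

if __name__ == "__main__":
    plain_hits, keyed_hits = audit()
    print("confirmed from plain-hash list:", plain_hits)
    print("confirmed from keyed-hash list:", keyed_hits)
```

The keyed variant protects a stored list only while the key stays secret and separate from it; a list that senders must hash themselves cannot rely on a key the senders do not hold.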

On top of that, companies will be paying big to get their lists checked each month -- perhaps more companies than you might think. If emails cannot contain any content not consumable by a minor, that type of list would easily include emails that advertise vacation destinations, hotels, R-rated movies, wholesale club membership information, many video game titles, et cetera. Basically, most companies will get their lists checked just to be safe. For a large company, the expense would easily surpass $50,000 each month. Now multiply that by nearly every company on the planet. This is a cost that will in one way or another get passed on to you, the consumer.

Finally, we need to take a look at what emails these laws will actually stop. The most pervasive problems with inappropriate content in children’s email come from spam about Viagra, Cialis, financial scams and free porn. The bulk of these are coming from deviants who operate offshore, illegally, and often through computers they have hacked or otherwise compromised. The people who do this are already breaking the law. So why would they stop sending the emails?

Even beyond that, what if children are actively searching out such content, or accidentally bumping into it? What if Tommie signs up for another Hotmail address that you don’t even know about? What happens when Sue browses the web and accidentally misspells X-Men?

The only solution that truly protects our children is one that pulls any inappropriate content from their mailboxes and their browsers. There are already companies offering free services to filter the web. We should be working with them, and finding partners to do the same with our email. As a parent and Utahan I share the goals that these laws represent. But putting together a half-baked plan that puts the data of our companies and our children at risk, while charging responsible companies exorbitant fees for a solution that doesn’t even address the real problem, is just wrong.
  
Steve Spencer is president and chief technology officer of Twelve Horses, a leading provider of email and web-based marketing and business automation solutions. As President of Twelve Horses, Steve Spencer focuses on aligning the company’s software applications and professional services to further the company's commitment to deliverability, intelligence, automation and integration in electronic communications across multiple systems and channels. As CTO, Spencer drives Twelve Horses products as some of the richest, most trackable, and cost-effective electronic communication mechanisms on the market. He is also responsible for the development of Twelve Horses’ Data Replication Engine, used by customers internationally. He has 15 years’ experience in the IT and messaging industry at companies such as Unisys, Critical Path, and dotOne Corporation.
