E-mail marketing partnerships are common. A large web retailer might join forces with many online affiliates to market to their mailing lists. But those mailings inevitably result in some consumers unsubscribing, and the retailer is obligated to make sure all its partners no longer send out e-mails to those consumers on its behalf.
Sharing those e-mail addresses with outside firms can be risky, as customer data can be stolen and misused. UnsubCentral has built its business since 2004 on providing a way to make sure a company’s marketing partners delete the e-mail of consumers who unsubscribe-a requirement of the federal CAN-SPAM anti-spam law-without making the e-mail addresses itself available to partners, who could abuse it. The security company announced yesterday that it has added an option to makes its security even stronger.
Until now, UnsubCentral clients and their partners exchanged suppression lists using the MD5 hash algorithm. That hashing technology takes an e-mail address and converts it into a string of numbers and letters that cannot be reversed to create the original address. A retailer then can share the hashed version of its unsubscribe list with an affiliate, which hashes its own e-mail list. If any of the hashes match, they correspond to e-mail addresses of consumers who no longer want to receive e-mail. The affiliate can delete that person, without ever seeing the actual e-mail address.
Now UnsubCentral is adding a new option that uses the SHA-256 algorithm, which is many times stronger than MD5. In fact, it is authorized for use by the U.S. National Security Agency for securing secret-level documents, although top secret documents require even stronger security, says Alex Araujo, director of technology at UnsubCentral. In addition, UnsubCentral is now adding an additional security technology known as Salt that effectively puts a password at the end of an e-mail, making it still harder to come up with the correct string of letters and numbers through a brute force attack.
The vendor is taking these measures even though there have been no instances of anyone cracking any of UnsubCentral’s MD5 e-mail hashes in the company’s history, Araujo says. Nonetheless, he says, big companies with dedicated security teams are aware of the availability of SHA-256 and Salt, and prefer to use those stronger security measures. Those requests come especially from financial services companies, but also from very large retailers, he says.
This is not meant to be a scare tactic, adds Russ Riley, director of marketing at UnsubCentral. MD5 is absolutely as secure as most people need it to be. But he says the vendor wants to accommodate those large companies with security teams demanding the stronger systems. There is good reason to secure suppression lists, because those lists include overwhelmingly real e-mail addresses in current use, Araujo says. In the world of e-mail marketing, it’s tough to come by legitimate e-mail addresses you don’t already have, he says. If those suppression lists are circulated in human-readable form, unscrupulous marketers can add the addresses to their lists.
Abuse of those suppression lists can lead to legitimate marketers being penalized by e-mail inbox providers for failing to respect the wishes of consumers, or facing fines for violating the CAN-SPAM act.
“The effects of non-compliance with the CAN-SPAM Act can be extremely detrimental to brand advertisers, leading to a significant decrease in deliverability to the inbox, poor reputation in the eyes of the ISPs and a lack of trust from online consumers,” says James Campbell, managing director of the Email Sender and Provider Coalition. “We commend UnsubCentral for adding these increased security features to their suite of solutions to help their clients protect both their brands and their customers.”
SHA-256 and Salt are new options available to UnsubCentral clients, but the vendor will still offer MD5 hashing. There is currently no extra charge for taking the SHA-256 option, and Araujo says both hashing systems are similar in terms of the programming efforts they require. UnsubCentral has hundreds of clients, Riley says. He says the company charges by the size of e-mail suppression lists, the number of lists and other factors.