Every day, we all open our e-mail inboxes and are greeted by an avalanche of e-mails we don't want, don't need, and never had to see. The most foolproof way to banish these particular strains of e-mails from our inbox should be unsubscribing, usually via a link in the e-mail itself. But all too often, we find that workflow looks something like this:

We click the unsubscribe link, and are taken to the website of the business sending the e-mail (let's call it YouPinFace). The site asks us to log in. Now, our interest in this site is so low, we haven't visited, let alone logged in, for months. Our login info is like so many cat videos posted to YouPinFace: briefly cherished, then forgotten.

We try some usernames and passwords to no avail. Sigh. So we click the "forgot username?" link, and boom, another e-mail with our YouPinFace username. Back to the site: enter username, click "forgot password?" and get yet another e-mail with a password reset link. Finally, we can log in to YouPinFace, only to be faced with multi-tiered menus that hide the e-mail unsubscription check box in the darkest, dankest corner of our account settings.

This is the most painful of unsubscribe scenarios. Luckily, it's not typical: most e-mail newsletters provide their readers with a one-click option to opt out of e-mails, a link that either takes them to a page confirming they're unsubscribed, or asks them to first enter the e-mail address they want to unsubscribe. But we've seen even some prominent websites and services interrupt this process with a login screen. Where do they get off putting a login between users and "their" e-mail preferences?

Unsubscribing isn't our only means of recourse for handling annoying e-mails—there's always the option to "report spam" and let the filters deal with companies encroaching on our inbox. But if we put aside the practical and focus on the ideological implications here, it should not be difficult at all to tell a company to stop bothering you. Spam filters get more effective every day, but they have no legal obligation to work. Unsubscribe links do. At least, in theory.



The CAN-SPAM Act has a section on the issue of unsubscribing from e-mails. In CAN-SPAM's Compliance Guide for Businesses, the FTC states, "you can’t charge a fee, require the recipient to give you any personally identifying information beyond an e-mail address, or make the recipient take any step other than sending a reply e-mail or visiting a single page on an Internet website as a condition for honoring an opt-out request." This seems pretty clear-cut to us: forcing users to log in to manage e-mail preferences is a two-plus-webpage process.

But when we inquired at the FTC for clarification, it was vague on this point. We asked FTC representative Cheryl Hackley which of the three above workflows was acceptable under CAN-SPAM, and Hackley wrote in an e-mail that "The FTC provides general guidelines for opt-out mechanisms and doesn't endorse any particular mechanism." When we pressed her about putting a login screen between users and their e-mail preferences specifically, Hackley responded that "there are specific guidelines for what must be included in an e-mail and honoring opt-outs, but again, the guidelines for opt-out mechanisms are general since there is not really a one-size-fits-all mechanism."

A second FTC representative, Claudia Farrell, would likewise not come down on either side of the issue, stating only that "Good unsubscribing practice is easy to use, and it works. Bad unsubscribing practice makes it difficult or impossible for a consumer to unsubscribe."



We tried two more partisan parties, the first of which was LinkedIn, a site that does, at least some of the time, force logins to manage e-mail preferences. A LinkedIn representative told us that the justification of asking for a login is to be certain that the person attempting to change e-mail preferences is the person receiving the e-mail.

In a statement, the representative wrote, "We… know that some members do not wish to receive these e-mails so we make it easy to discontinue them via the 'unsubscribe' link at the bottom of the message. We ask for the member’s password to confirm that it is truly the LinkedIn member who is accessing their account settings to update their email preferences… We are confident that our practices comply with all regulations."

The second party was Constant Contact, the company that runs SafeUnsubscribe, a product that many e-mail newsletters use to manage subscriptions. We asked the company specifically about the matter of identifying the user, and whether a login is really necessary for security purposes. Tara Natanson, manager of ISP relations, told Ars that "it is against the CAN-SPAM Act to require people to enter more than just their own e-mail address to unsubscribe from something." However, she noted that "most companies who require you to log in to stop receiving e-mail are dealing with things more complex than just an e-mail subscription to a newsletter."



But Natanson was certain that logins are not a question of identifying a user, as that can be done from the e-mail itself. An unsubscribe form can legally require the subscriber to enter the e-mail address to be unsubscribed, to confirm it's not a third party who clicked the link by accident. When companies require logins, Natanson said, "it is more likely due to an older system or a firm choice." Natanson also pointed us to a blog post by Boomerang E-mail Marketing Solutions, which unequivocally interprets the CAN-SPAM clause as "no forced logins allowed."

Skirting CAN-SPAM regulations does not carry a trivial penalty: violations can earn companies a penalty of up to $16,000 per e-mail. The interpretation of the unsubscribe clause seems perfectly clear to parties on both sides of the issue. But the problem is that their interpretations are diametrically opposed to one another, and the neutral party in the middle is shy about making a definitive call.

Of course, we side with no-logins-to-unsubscribe; a login seems to always make the process more difficult than it ought to be, even if going without one runs the (dubious) risk of users being accidentally unsubscribed by others. But why the arbiters of the law are so unclear on this point is, well, unclear.