Project Management and the Do Not Call Registry: The Government's Big IT Success

It was a quintessential D.C. summer morning, hot, humid, sticky. But among the small crowd assembled in the Rose Garden, no one had more reason to sweat than Stephen Warren. As President Bush stepped through the Oval Office doors just after 8:30 a.m. on June 27, 2003, to announce the official launch of the Do Not Call (DNC) Registry, the CIO of the Federal Trade Commission was listening anxiously to the earpiece of his cell phone. Warren needed to make sure that the system, which had launched at 12:01 that morning, didn’t crash while handling the surge of early bird requests. It’s not a good career move, after all, to make a liar of the president. The sweat trickled slowly down Warren’s back as the number of registrants kept climbing, but the system held steady as the commander in chief reached the podium.

"Unwanted telemarketing calls are intrusive, they are annoying, and they’re all too common. When Americans are sitting down to dinner, or a parent is reading to his or her child, the last thing they need is a call from a stranger with a sales pitch," said Bush, whose words aired live on Today and The Early Show.

Related Stories

The Next Step: Do Not Spam!

How to Launch a Successful Project  

Spurred on by the publicity, consumers began flocking to www.donotcall.gov and calling the toll-free number to place their phone numbers on the Do Not Call list. Within 72 hours, consumers signed up more than 10 million phone numbers, making it a federal offense for telemarketers to disrupt their dinner hour, or indeed call at any hour of the day or night.

Not many IT projects are tackled at lightning speed under the glare of national media attention. Fewer still involve a courtroom drama that shuts them down three months after going live. Yet, despite these challenges, the Do Not Call registry delivered on its ultimate goal: giving consumers a painless way of preventing unwanted phone calls. This is the story of how the FTC pulled off one of the most successful IT projects in the history of government. Using such strategies as splitting the project into manageable phases, creating a performance-based contract and lining up a vendor before Congress came through with funding, Warren and his staff got the consumer registry up and running in fewer than 100 days.

"We view the Do Not Call Registry as one of the most successful privacy protections in the United States," says Chris Hoofnagle, associate director of the Electronic Privacy Information Center in Washington, D.C.

Planning for a Green Light

In 1994, Congress passed a law directing the FTC to come up with a way to prohibit deceptive or abusive telemarketing practices. A year later, the FTC’s Telemarketing Sales Rule prohibited telemarketers from making repeat calls to consumers who’ve asked them not to call again. In 2000, when the FTC conducted a yearlong review to examine the impact of the Do Not Call provision, it became clear that it wasn’t strong enough. Consumers were getting so fed up with unwanted telemarketing calls that many states had established their own Do Not Call lists. In January 2002, the FTC proposed a regulation requiring telemarketers to subscribe to a national Do Not Call Registry and prohibiting them from calling consumers on that list.

Warren joined the FTC in December 2001?just as the agency began investigating how it could create such a registry. FTC Chairman Timothy Muris had tapped Lois Greisman, associate director of the Division of Planning and Information in the FTC’s Bureau of Consumer Protection, to represent the business side of the project. He also wanted Warren?the new guy?in on the process from the outset.

"Usually the policy and legal people decide ’This is what I want’ with no thought to feasibility, cost or alternatives," says Greisman. "For the first time, IT people sat down with policy and legal folks in the planning stage." Warren, who had previously been CIO for the Department of Energy’s bureau responsible for cleaning up nuclear weapons production sites, helped the task force consider the feasibility of various technical options as it hashed out the details of how to build a list and get it in the hands of telemarketers.

The group identified five key components that the system should have: the consumer registry, telemarketer access to the list, a complaint system for consumers to report telemarketers who ignored the list, access to complaints and the list database for law enforcement agencies, and an interface to enable data sharing between the federal and state lists.

Warren quickly realized that the FTC didn’t have the resources to build a DNC system internally. So he decided to line up a vendor in advance to give the project a running start as soon as it got the green light. With so much demand from consumers for the registry?the agency had received 64,000 responses to its call for public comment, and most were vehemently in favor?the FTC was under enormous pressure to make the system work flawlessly. So the task force agreed with Warren’s recommendation to share risk with the chosen vendor by setting up a performance-based contract.

While Warren and his team evaluated vendors, political momentum for the project grew. Chairman Muris went before Congress in January 2003, asking for funding and permission to charge telemarketers for list access. Muris urged Congress to act quickly to get the list up and running in fiscal 2003, which ended Sept. 30. He outlined an aggressive time line, based on Warren’s recommendation to split the project into chunks and roll it out in phases: build and launch the consumer registry in fewer than 100 days, launch the telemarketer registration and offer the list download two months later, and begin enforcement one month after that.

Meanwhile, the FTC awarded the DNC project contract to AT&T, contingent upon receipt of funding. The performance-based contract aligned incentives with the FTC’s goals. The FTC wanted easy registration?and so did AT&T, since its fees would be based in part on the number of successful registrations.

In February 2003, Congress appropriated $18.1 million to launch and enforce the DNC Registry?including $3.5 million earmarked for the contractor in 2003, and approximately $2.5 million to cover internal IT costs to upgrade infrastructure systems and redesign the FTC’s website. On March 11, President Bush signed the Do-Not-Call Implementation Act. By the end of March, the final legislative hurdles had been cleared, releasing the funds to start the project.

Bumps in the Road

Well before funding came through, the team had hashed through the details of how the consumer registry should operate. Consumers would be able to sign up either through a toll-free number with an interactive voice response (IVR) system or online at DoNotCall.gov. To sign up by phone, consumers would have to call from the number they wanted to register so that the automatic number identification service that enables caller ID could cross-check against the phone number they punched into their keypad. On DoNotCall.gov, consumers would be able to enter up to three phone numbers and provide an e-mail address for verification. The system would then generate an e-mail containing a link that the consumer would have to click on within 72 hours to confirm the registration. Privacy concerns led the team to limit the information retained to the phone numbers themselves; even the e-mail addresses used for online confirmation would be hashed, then discarded and the hashed copy used to complete registration.

The AT&T manager in charge of the Do Not Call project was Marjorie Windelberg. She routinely worked 100-hour weeks, keeping a sleeping bag in her office for months, and estimates that she met or talked with more than 500 people during the implementation. Along the way, there were some scary bumps in the road. For example, IVR provider West nearly backed out of the project in April because it couldn’t provide service for deaf and hard-of-hearing callers. So Windelberg hooked West up with the AT&T relay services group, which could assist deaf and hard-of-hearing consumers from a center in Georgia.

AT&T built the DNC system using a multilayered or N-tier architecture that would give both the FTC and AT&T the flexibility to modify the hardware or software of individual pieces of the system as needed. Envision a giant set of Legos where interlocking bumps are (in most cases) XML code. Each Lego piece or layer is designed to handle a specific task; as demand for a task increases, that layer can easily be expanded. The beauty of the N-tier architecture is that it allowed AT&T to cope with the initial onslaught of traffic efficiently. AT&T could add as many servers as needed to handle the early surge in volume and later repurpose them when the spike leveled off. Based on stress testing in June 2003, AT&T nearly doubled the number of servers at the AT&T data center from 16 to 28. "We gained a lot of flexibility being able to add and subtract servers and change their function," Windelberg says. The N-tier approach is also asynchronous, meaning that if, say, the database is slammed, phone numbers to be added to the registry can be held in a queue as servers continue accepting new phone numbers.

In addition to building the consumer registry website and IVR system, the FTC wanted to encourage the 25 states that had already developed their own DNC lists to share their data with the national list. In June, states began submitting their lists electronically and via CD-ROM; by late October, Windelberg’s team would enable states to upload their data to the national list (or download updates from the national list to their own lists) using Web services. It quickly became apparent that not all of the state data was usable, so AT&T had to write routines to screen out dirty data (an East Coast state, for example, wasn’t allowed to submit numbers with Western area codes.) Ultimately, the FTC would collect nearly 9 million phone numbers from state lists.

While Windelberg oversaw the myriad details of developing the DNC system, Warren and his staff redesigned and streamlined the FTC’s website. They also installed a new T3 line and two more Web servers to handle the anticipated load from consumers with questions about the registry. And they posted and linked the FTC’s revamped privacy policy to explain how the phone numbers it would be collecting would be used.

By June 27, everything was in place. Yet despite the endless planning, a small crisis erupted on day one. Rejected e-mails started queuing up in the DNC e-mail servers as confirmation e-mails bounced back multiple times. At first, Warren and AT&T worried that it was a denial-of-service attack. Or maybe they’d misconfigured the servers. Turns out, though, that ISPs were interpreting the flood of DNC confirmation e-mails as spam, which they automatically blocked. AT&T quickly alerted its counterparts within the ISP community, and FTC attorneys began calling their ISP contacts to assure them that it was anything but spam. (Warren called his sister, a senior product manager at EarthLink, to help him clear up the problem there.) Within a few days, the situation was under control.

The first week proved to be "a continuous spike," Windelberg says. But the system never faltered, and within seven days, 18 million consumers had successfully placed their numbers on the list.

No Rest for the Weary

No sooner had the Rose Garden ceremony ended than the race was on to meet the next deadline?delivery in two months of a website that would allow telemarketers to register, pay for and download relevant portions of the list, which is segmented by area codes. Although charities, political groups and telephone surveyors are exempt, telemarketers would face a fine of up to $11,000 each time they called a number on the DNC list. So the challenge was to cater to telemarketers across the spectrum with different call volumes, from individual agents using the phone to sell, say, vacation time-shares or a dating service, to national telemarketing operations with multiple call centers. Any entity requiring more than five area codes would have to pay an annual $25 fee for each area code downloaded; the annual fee for the entire list is $7,375.

To address the range in telemarketers’ call volumes, Windelberg’s team built three options for accessing telephone numbers. Mom-and-Pop operations can go to www.telemarketing.donotcall.gov and type in up to 10 phone numbers at a time to see if they are legal to call. Telemarketers requiring a few area codes can download the numbers they need, and large telemarketers can download the entire national list (more than 300 area codes) in either XML or plain text format. All new entries are added to the list within 24 hours of registration.

1 2 Page 1
Page 1 of 2
Learn how leading CIOs are reinventing IT. Download CIO's new Think Tank report today!