Project Management and the Do Not Call Registry: The Government’s Big IT Success

It was a quintessential D.C. summer morning, hot, humid, sticky. But among the small crowd assembled in the Rose Garden, no one had more reason to sweat than Stephen Warren. As President Bush stepped through the Oval Office doors just after 8:30 a.m. on June 27, 2003, to announce the official launch of the Do Not Call (DNC) Registry, the CIO of the Federal Trade Commission was listening anxiously to the earpiece of his cell phone. Warren needed to make sure that the system, which had launched at 12:01 that morning, didn’t crash while handling the surge of early bird requests. It’s not a good career move, after all, to make a liar of the president. The sweat trickled slowly down Warren’s back as the number of registrants kept climbing, but the system held steady as the commander in chief reached the podium.

“Unwanted telemarketing calls are intrusive, they are annoying, and they’re all too common. When Americans are sitting down to dinner, or a parent is reading to his or her child, the last thing they need is a call from a stranger with a sales pitch,” said Bush, whose words aired live on Today and The Early Show.

Related Stories

The Next Step: Do Not Spam!

How to Launch a Successful Project  

Spurred on by the publicity, consumers began flocking to www.donotcall.gov and calling the toll-free number to place their phone numbers on the Do Not Call list. Within 72 hours, consumers signed up more than 10 million phone numbers, making it a federal offense for telemarketers to disrupt their dinner hour, or indeed call at any hour of the day or night.

Not many IT projects are tackled at lightning speed under the glare of national media attention. Fewer still involve a courtroom drama that shuts them down three months after going live. Yet, despite these challenges, the Do Not Call registry delivered on its ultimate goal: giving consumers a painless way of preventing unwanted phone calls. This is the story of how the FTC pulled off one of the most successful IT projects in the history of government. Using such strategies as splitting the project into manageable phases, creating a performance-based contract and lining up a vendor before Congress came through with funding, Warren and his staff got the consumer registry up and running in fewer than 100 days.

“We view the Do Not Call Registry as one of the most successful privacy protections in the United States,” says Chris Hoofnagle, associate director of the Electronic Privacy Information Center in Washington, D.C.

Planning for a Green Light

In 1994, Congress passed a law directing the FTC to come up with a way to prohibit deceptive or abusive telemarketing practices. A year later, the FTC’s Telemarketing Sales Rule prohibited telemarketers from making repeat calls to consumers who’ve asked them not to call again. In 2000, when the FTC conducted a yearlong review to examine the impact of the Do Not Call provision, it became clear that it wasn’t strong enough. Consumers were getting so fed up with unwanted telemarketing calls that many states had established their own Do Not Call lists. In January 2002, the FTC proposed a regulation requiring telemarketers to subscribe to a national Do Not Call Registry and prohibiting them from calling consumers on that list.

Warren joined the FTC in December 2001?just as the agency began investigating how it could create such a registry. FTC Chairman Timothy Muris had tapped Lois Greisman, associate director of the Division of Planning and Information in the FTC’s Bureau of Consumer Protection, to represent the business side of the project. He also wanted Warren?the new guy?in on the process from the outset.

“Usually the policy and legal people decide ’This is what I want’ with no thought to feasibility, cost or alternatives,” says Greisman. “For the first time, IT people sat down with policy and legal folks in the planning stage.” Warren, who had previously been CIO for the Department of Energy’s bureau responsible for cleaning up nuclear weapons production sites, helped the task force consider the feasibility of various technical options as it hashed out the details of how to build a list and get it in the hands of telemarketers.

The group identified five key components that the system should have: the consumer registry, telemarketer access to the list, a complaint system for consumers to report telemarketers who ignored the list, access to complaints and the list database for law enforcement agencies, and an interface to enable data sharing between the federal and state lists.

Warren quickly realized that the FTC didn’t have the resources to build a DNC system internally. So he decided to line up a vendor in advance to give the project a running start as soon as it got the green light. With so much demand from consumers for the registry?the agency had received 64,000 responses to its call for public comment, and most were vehemently in favor?the FTC was under enormous pressure to make the system work flawlessly. So the task force agreed with Warren’s recommendation to share risk with the chosen vendor by setting up a performance-based contract.

While Warren and his team evaluated vendors, political momentum for the project grew. Chairman Muris went before Congress in January 2003, asking for funding and permission to charge telemarketers for list access. Muris urged Congress to act quickly to get the list up and running in fiscal 2003, which ended Sept. 30. He outlined an aggressive time line, based on Warren’s recommendation to split the project into chunks and roll it out in phases: build and launch the consumer registry in fewer than 100 days, launch the telemarketer registration and offer the list download two months later, and begin enforcement one month after that.

Meanwhile, the FTC awarded the DNC project contract to AT&T, contingent upon receipt of funding. The performance-based contract aligned incentives with the FTC’s goals. The FTC wanted easy registration?and so did AT&T, since its fees would be based in part on the number of successful registrations.

In February 2003, Congress appropriated $18.1 million to launch and enforce the DNC Registry?including $3.5 million earmarked for the contractor in 2003, and approximately $2.5 million to cover internal IT costs to upgrade infrastructure systems and redesign the FTC’s website. On March 11, President Bush signed the Do-Not-Call Implementation Act. By the end of March, the final legislative hurdles had been cleared, releasing the funds to start the project.

Bumps in the Road

Well before funding came through, the team had hashed through the details of how the consumer registry should operate. Consumers would be able to sign up either through a toll-free number with an interactive voice response (IVR) system or online at DoNotCall.gov. To sign up by phone, consumers would have to call from the number they wanted to register so that the automatic number identification service that enables caller ID could cross-check against the phone number they punched into their keypad. On DoNotCall.gov, consumers would be able to enter up to three phone numbers and provide an e-mail address for verification. The system would then generate an e-mail containing a link that the consumer would have to click on within 72 hours to confirm the registration. Privacy concerns led the team to limit the information retained to the phone numbers themselves; even the e-mail addresses used for online confirmation would be hashed, then discarded and the hashed copy used to complete registration.

The AT&T manager in charge of the Do Not Call project was Marjorie Windelberg. She routinely worked 100-hour weeks, keeping a sleeping bag in her office for months, and estimates that she met or talked with more than 500 people during the implementation. Along the way, there were some scary bumps in the road. For example, IVR provider West nearly backed out of the project in April because it couldn’t provide service for deaf and hard-of-hearing callers. So Windelberg hooked West up with the AT&T relay services group, which could assist deaf and hard-of-hearing consumers from a center in Georgia.

AT&T built the DNC system using a multilayered or N-tier architecture that would give both the FTC and AT&T the flexibility to modify the hardware or software of individual pieces of the system as needed. Envision a giant set of Legos where interlocking bumps are (in most cases) XML code. Each Lego piece or layer is designed to handle a specific task; as demand for a task increases, that layer can easily be expanded. The beauty of the N-tier architecture is that it allowed AT&T to cope with the initial onslaught of traffic efficiently. AT&T could add as many servers as needed to handle the early surge in volume and later repurpose them when the spike leveled off. Based on stress testing in June 2003, AT&T nearly doubled the number of servers at the AT&T data center from 16 to 28. “We gained a lot of flexibility being able to add and subtract servers and change their function,” Windelberg says. The N-tier approach is also asynchronous, meaning that if, say, the database is slammed, phone numbers to be added to the registry can be held in a queue as servers continue accepting new phone numbers.

In addition to building the consumer registry website and IVR system, the FTC wanted to encourage the 25 states that had already developed their own DNC lists to share their data with the national list. In June, states began submitting their lists electronically and via CD-ROM; by late October, Windelberg’s team would enable states to upload their data to the national list (or download updates from the national list to their own lists) using Web services. It quickly became apparent that not all of the state data was usable, so AT&T had to write routines to screen out dirty data (an East Coast state, for example, wasn’t allowed to submit numbers with Western area codes.) Ultimately, the FTC would collect nearly 9 million phone numbers from state lists.

While Windelberg oversaw the myriad details of developing the DNC system, Warren and his staff redesigned and streamlined the FTC’s website. They also installed a new T3 line and two more Web servers to handle the anticipated load from consumers with questions about the registry. And they posted and linked the FTC’s revamped privacy policy to explain how the phone numbers it would be collecting would be used.

By June 27, everything was in place. Yet despite the endless planning, a small crisis erupted on day one. Rejected e-mails started queuing up in the DNC e-mail servers as confirmation e-mails bounced back multiple times. At first, Warren and AT&T worried that it was a denial-of-service attack. Or maybe they’d misconfigured the servers. Turns out, though, that ISPs were interpreting the flood of DNC confirmation e-mails as spam, which they automatically blocked. AT&T quickly alerted its counterparts within the ISP community, and FTC attorneys began calling their ISP contacts to assure them that it was anything but spam. (Warren called his sister, a senior product manager at EarthLink, to help him clear up the problem there.) Within a few days, the situation was under control.

The first week proved to be “a continuous spike,” Windelberg says. But the system never faltered, and within seven days, 18 million consumers had successfully placed their numbers on the list.

No Rest for the Weary

No sooner had the Rose Garden ceremony ended than the race was on to meet the next deadline?delivery in two months of a website that would allow telemarketers to register, pay for and download relevant portions of the list, which is segmented by area codes. Although charities, political groups and telephone surveyors are exempt, telemarketers would face a fine of up to $11,000 each time they called a number on the DNC list. So the challenge was to cater to telemarketers across the spectrum with different call volumes, from individual agents using the phone to sell, say, vacation time-shares or a dating service, to national telemarketing operations with multiple call centers. Any entity requiring more than five area codes would have to pay an annual $25 fee for each area code downloaded; the annual fee for the entire list is $7,375.

To address the range in telemarketers’ call volumes, Windelberg’s team built three options for accessing telephone numbers. Mom-and-Pop operations can go to www.telemarketing.donotcall.gov and type in up to 10 phone numbers at a time to see if they are legal to call. Telemarketers requiring a few area codes can download the numbers they need, and large telemarketers can download the entire national list (more than 300 area codes) in either XML or plain text format. All new entries are added to the list within 24 hours of registration.

Payment by credit card or electronic funds transfer (EFT) is handled through the Treasury Department’s www.pay.gov site, which completed an upgrade necessary to support the list just a week before the FTC began collecting fees. The FTC also needed Pay.gov to send a message confirming that EFTs had cleared before it could allow telemarketers using that payment method to download phone numbers. “That level of responsiveness was not designed into Pay.gov,” says Warren. “There was constant communication [with the Treasury Department]. Many weekends, people [were] working through handshakes. [It was] down to the wire on every one of these things.”

To meet the telemarketing site’s go-live date of Sept. 2 (the day after Labor Day), the AT&T developers engaged in a variation of extreme programming. For six weeks, testers sat beside coders, testing code as soon as it was written. But after hitting the second tight deadline, there was no rest for the weary. The clock then began ticking on the delivery deadlines for a state interface and the enforcement pieces of the puzzle.

The Courtroom Drama

As September drew to a close, 13,000 telemarketers had subscribed to the registry; more than 400 had downloaded the entire list. But they were not at all happy at the prospect of crossing more than 51 million phone numbers off their lists of potential customers by the compliance deadline of Oct. 1. The American Teleservices Association (ATA) and the Direct Marketing Association had both filed suit against the FTC, arguing that enforcement of Do Not Call would cause hundreds of thousands of telemarketers to lose their jobs. The suits claimed that the FTC didn’t have jurisdiction to oversee the DNC Registry and attacked the registry’s constitutionality.

On Sept. 23, a federal judge in Oklahoma ruled that the FTC lacked congressional authorization to create the list. But on Capitol Hill, support for the registry was overwhelming. Just two days after the Oklahoma ruling, Congress passed a law authorizing the FTC to implement Do Not Call. Yet within minutes of the law’s passage, a federal judge in Denver ruled that DNC unfairly limited telemarketers’ right to free speech. The FTC appealed the ruling and asked the judge to stay his order pending the appeal. The judge refused.

The FTC had no choice but to shut off access to the system. On Sept. 26, Windelberg had her team power down the telemarketer site. Then the judge insisted that the consumer site go dark as well, which it did on Oct. 3. “Usually, when you pull the plug, you just pull the plug,” says Warren. “We had to bring down the system in a stable configuration, then be able to bring it up again without any loss. We hadn’t built it so we could turn it on a dime. But we turned it on a dime.”

With nothing more to do but wait, Warren decided to go ahead with a long-planned trip to Italy. On Oct. 7, he was stuck on a train in Cinque Terre when his cell phone rang. The 10th U.S. Circuit Court of Appeals had sided with the FTC, saying it should be able to enforce the DNC list since the government was likely to prove that curbing unwanted phone calls is in the public interest. The injunction was put on hold and the registry had to go back online ASAP.

“I was going to have Stephen extradited,” jokes Greisman. “But I thought I already owed him so much, it was not a good move. Besides, his people were up to it.” On Oct. 10, the telemarketer site was up and running. The next day, the consumer registry and state data-sharing interface were also back online and the complaint log went live for the first time.

On Oct. 17, the Do Not Call list officially went into effect as law enforcement agencies gained access to the complaint data that was beginning to flow in. AT&T had designed the complaint system to accept a complaint (online or via phone) only if the number called had been on the DNC Registry for at least three months. Valid complaints were uploaded nightly into the FTC’s existing Consumer Sentinel complaint logging system, where they were accessible to some 900 law enforcement agencies, including the three groups charged with enforcing the Do Not Call program: the FTC, the Federal Communications Commission and state attorneys general.

By the end of 2003, consumers had submitted more than 150,000 complaints; 45 telemarketers were the targets of more than 100 complaints each. By April, several states?including California, Illinois, North Carolina and Ohio?had sued telemarketers for calling consumers who had signed up for the national DNC list. The FCC has also moved to fine AT&T $780,000 for ignoring the DNC list.

In February 2004, the 10th U.S. Circuit Court of Appeals upheld the constitutionality of the DNC Registry. But Tim Searcy, executive director of the ATA, vows he’ll take the ATA’s suit to the U.S. Supreme Court. In the meantime, he says that call centers have closed, people have lost their jobs and telemarketers have blamed reduced earnings on Do Not Call.

Even so, consumer satisfaction with the system is almost unprecedented. A January Harris poll found that more than half of all U.S. adults (57 percent) say that they have signed up for the registry. Of those who registered, 92 percent report receiving fewer telemarketing calls, and 25 percent say they have received no telemarketing calls since signing up. As of April 2, the list contained 58.8 million phone numbers.

The process worked so well that FTC officials are following it as they explore the feasibility of developing a Do Not Spam list. (See The Next Step: Do Not Spam!) “We showed that as a small, independent agency, we could play in Internet time and deliver,” Warren says.