That's a really good point - we're just trying to make sure that bad actors can't be spammy and create accounts they have access to for lots of people without their approval (hence the approval step). It's very possible that we can find a happy balance between the two, and we are actively looking into it.
I'm not really sure what the problem is here: if I can book tickets for people without accounts, then those people won't get spam from you, as you don't have their email address... On the other hand, right now, I can sign up all my friends with their email address through your form (or from my account) -- and by so doing send them an email (even if it is a registration email) -- so you're already allowing me to "spam" my friends/every email address I can think of?
