I Know What You Sent Last Summer

Here’s a hard one: You say that you’re against anti-spam legislation and you’re a spam “sympathizer.” Yet if you come out in support of legislation, you may be restricting free speech. This is where the battle lines are being drawn around the recently passed California anti-spam legislation (CA SB 186). The problem is we’re wasting time debating these issues because a State Senate bill will not have the slightest impact on solving the problem at hand: stopping spam. The only way to solve this problem is with an email infrastructure solution, namely, secure identity email.

While I’m of the mind SB 186 is well-intentioned, and while I’m as sick as the next guy of unsolicited email cluttering all my inboxes, California’s new law will not have even the slightest impact on the amount of spam I get, whether there’s a Terminator in the governor’s office or not. I won’t rehash all the reasons other than to say that local and state laws will not and cannot be effective at regulating, and thereby stopping, a national and international phenomenon. The primary culprits don’t play by the rules. They cannot be found. As we saw with its Utah analog, SB 186 will serve to make spambulance chasers (lawyers fighting class action spam lawsuits) rich, and organizations of all sizes reluctant to utilize a medium that, when used correctly, is effective and well-received.

Now to free speech. Because SB 186 applies only to commercial speech it effectively exempts religious groups, as well as the very politicians who introduced the bill. It allows these groups to send unsolicited email. Well, what if I want to shout my own personal message to every email address I can harvest, buy or otherwise collect? Is that protected by the First Amendment? The answer, according to 186, appears to be yes, provided my message doesn’t say, “Buy my product.”

The logic doesn’t work. I don’t want quacks, pols and religious fanatics filling my inbox any more than I want Viagra ads and mortgage refinance deals.

What I want is control. Control over who sends me email messages; control over what TV programs I watch, and when I watch them (TiVo takes care of that); and control over who calls me at home (seems like that will happen, although with some similar “exemptions”).

Last time I checked, the First Amendment offered no guarantee I would provide messengers access to my home, nor that I would listen to their messages. It merely guarantees people can say whatever they like to whomever chooses to listen. Important word, choice. New technologies give us options to make real choices about which messages we’ll receive and which we won’t. In new and exciting ways, that’s exactly what’s going to happen.

Back to spam. Spammers are exceptions to the rule that says when someone knows who we are, we live constrained by the simple principles of action and consequence.

If we do or say something stupid, there are negative consequences. If we do or say it many times, we get a bad reputation. If we do or say something good, our reputation improves. Identity and behavior are directly tied to reputation. If I know what you sent last summer (and ever since), I’ll be able to decide based on your past behavior (your reputation) whether your email should be allowed in my inbox — or not.

As I’ve discussed, the problem with spammers is their actions have no consequences because they have no persistent identity. Therefore, they have no reputation. This is a result of email being an insecure medium. SMTP, the email protocol used by all Internet servers sending and receiving email, allows a sender to say he’s whomever he wants to be. There’s no way for a recipient to verify a sender’s identity. Passing laws that outlaw unsolicited commercial email won’t help. You cannot fine those who cannot be found.

Last spring, I described Project Lumos, which proposes secure identity coupled with performance monitoring of high-volume emailers as the basis for a “fix” to the email infrastructure. The “upgrade” will make spam, as we know it, impossible. On September 29th, the NAI E-mail Service Provider Coalition published a white paper (which I co-authored) outlining details of Project Lumos. The detailed blueprint describes how we solve the spam epidemic by including secure identity in all high volume email, and associating a reputation score with every identity, thereby making all senders accountable for email they send. In other words, we’re proposing to effectively eliminate anonymity for high volume email senders.
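The argument above, that reputation only works once identity is persistent and verifiable, can be sketched as a gateway decision. This is an added example, not code from the Project Lumos white paper: the registry, its HMAC credential (a stand-in for a real public-key signature), the thresholds, and the sample addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Optional

REGISTRY_KEY = b"constructed-demo-key"  # assumption: secret of a hypothetical identity registry


def issue_credential(sender_id: str) -> str:
    """Registry side: bind a credential to one persistent sender identity."""
    return hmac.new(REGISTRY_KEY, sender_id.encode(), hashlib.sha256).hexdigest()


def verified_identity(msg: dict) -> Optional[str]:
    """Return the sender id only if its credential checks out, else None."""
    expected = issue_credential(msg["claimed_sender"])
    if hmac.compare_digest(msg.get("credential", ""), expected):
        return msg["claimed_sender"]
    return None


class Gateway:
    def __init__(self, min_score: float = 0.8, min_history: int = 3):
        self.min_score, self.min_history = min_score, min_history
        self.history = defaultdict(lambda: [0, 0])  # identity -> [wanted, complaints]

    def feedback(self, msg: dict, complaint: bool) -> None:
        """Record recipient feedback against the verified identity only."""
        ident = verified_identity(msg)
        if ident is not None:
            self.history[ident][1 if complaint else 0] += 1

    def decide(self, msg: dict) -> str:
        ident = verified_identity(msg)
        if ident is None:
            return "reject"  # a bare sender claim gives nothing to hold accountable
        wanted, complaints = self.history[ident]
        total = wanted + complaints
        if total < self.min_history:
            return "accept"  # too little history to judge yet
        return "accept" if wanted / total >= self.min_score else "reject"


def mail(sender: str, credential: str = "") -> dict:
    """Build a constructed sample message."""
    return {"claimed_sender": sender, "credential": credential}
```

Because feedback is recorded only against a verified identity, a message that merely claims a well-regarded sender's name neither inherits that sender's reputation nor damages it.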

Forget the latest spam filter algorithm and software that tries to guess which emails are spam and which aren’t. Forget legislation that outlaws anonymous email from untraceable destinations. It’s time to call on a few corporations that can bring an end to this plague with a bit of strategic planning, cooperation and teamwork. The largest Internet service providers: AOL, MSN, Yahoo and Earthlink, have the technology to solve the spam problem. All they have to do is require secure proof of identity of all messages that cross their gateways.

On October 5, The New York Times published an article, “Spam Fighters Turn to Identifying Legitimate E-Mail.” It describes how the move towards identity is now accepted by all major players in the email space (most notably, major ISPs) as a basic tenet of any long-term spam solution.

What are we waiting for? Once we upgrade the email infrastructure to require secure, verifiable identity in all high volume email, spam goes away. Fraudulent phisher email attacks won’t work, either. Pass more state legislation and you’ll only provide lawyers with job security. Which gets your vote?

There’s one alternative I haven’t mentioned. We now have a Terminator governor who’s demonstrated three times he’s capable of time travel. We could just send him on a couple trips to the future and have him tell us what’s going to work when he gets back.
