I Know What You Sent Last Summer

The Terminator is powerless to stop spam. It's up to the major ISPs to make the next move toward a solution.

by Hans Peter Brøndmo [October 15, 2003]

Hans Peter Brøndmo is currently serving as a Digital Impact fellow and senior vice president of strategy. He founded e-mail marketing company Post Communications in 1996. His recent book, "The Engaged Customer", is a national bestseller. Hans Peter is currently focusing his energy on helping large corporations "engage" their customers by managing and investing in the customer information they collect, treating it like a valuable capital asset. He has addressed more than 50 conferences in the past three years, is often featured in national media, and was recently invited to testify at a U.S. Senate hearing on the Internet and privacy. Hans Peter has founded three technology companies and performed his undergraduate and graduate studies at MIT.

Here's a hard one: You say that you're against anti-spam legislation and you're a spam "sympathizer." Yet if you come out in support of legislation, you may be restricting free speech. This is where the battle lines are being drawn around the recently passed California anti-spam California anti-spam legislation (CA SB 186). The problem is we're wasting time debating these issues because a State Senate bill will not have the slightest impact on solving the problem at hand: stopping spam. The only way to solve this problem is with an e-mail infrastructure solution, namely, secure identity e-mail.

While I'm of the mind SB 186 is well-intentioned, and while I'm as sick as the next guy of unsolicited e-mail cluttering all my inboxes, California's new law will not have even the slightest impact on the amount of spam I get, whether there's a Terminator in the governor's office or not. I won't rehash all the reasons other than to say that local and state laws will not and cannot be effective at regulating, and thereby stopping, a national and international phenomenon. The primary culprits don't play by the rules. They cannot be found. As we saw with its Utah analog, SB186 will serve to make spambulance chasers (lawyers fighting class action spam lawsuits) rich, and organizations of all sizes reluctant to utilize a medium that, when used correctly, is effective and well-received.

Now to free speech. Because SB 186 applies only to commercial speech it effectively exempts religious groups, as well as the very politicians who introduced the bill. It allows these groups to send unsolicited e-mail. Well, what if I want to shout my own personal message to every e-mail address I can harvest, buy or otherwise collect? Is that protected by the First Amendment? The answer, according to 186, appears to be yes, provided my message doesn't say, "Buy my product."

The logic doesn't work. I don't want quacks, pols and religious fanatics filling my inbox any more than I want Viagra ads and mortgage refinance deals.

What I want is control. Control over who sends me e-mail messages; control over what TV programs I watch, and when I watch them (TiVO takes care of that); and control over who calls me at home (seems like that will happen, although with some similar "exemptions").

Last time I checked, the First Amendment offered no guarantee I would provide messengers access to my home, nor that I would listen to their messages. It merely guarantees people can say whatever they like to whomever chooses to listen. Important word, choice. New technologies give us options to make real choices about which messages we'll receive and which we won't. In new and exciting ways, that's exactly what's going to happen.

Back to spam. Spammers are exceptions to the rule that says when someone knows who we are, we live constrained by the simple principles of action and consequence.

If we do or say something stupid, there are negative consequences. If we do or say it many times, we get a bad reputation. If we do or say something good, our reputation improves. Identity and behavior are directly tied to reputation. If I know what you sent last summer (and ever since), I'll be able to decide based on your past behavior (your reputation) whether your e-mail should be allowed in my inbox—or not.

As I've discussed, the problem with spammers is their actions have no consequences because they have no persistent identity. Therefore, they have no reputation. This is a result of e-mail being an insecure medium. SMTP, the e-mail protocol used by all Internet servers sending and receiving e-mail, allows a sender to say he's whomever he wants to be. There's no way for a recipient to verify a sender's identity. Passing laws that outlaw unsolicited commercial e-mail won't help. You cannot fine those who cannot be found.

Last spring, I described project Lumos, which proposes secure identity coupled with performance monitoring of high-volume e-mailers as the basis for a "fix" to the e-mail infrastructure. The "upgrade" will make spam, as we know it, impossible. On September 29th, the NAI E-mail Service Provider Coalition published a white paper (which I co-authored) outlining details of Project Lumos. The detailed blueprint describes how we solve the spam epidemic by including secure identity in all high volume e-mail, and associating a reputation score with every identity, thereby making all senders accountable for e-mail they send. In other words we're propsing to effectively eliminate anonymity for high volume e-mail senders.

Forget the latest spam filter algorithm and software that tries to guess which e-mails are spam and which aren't. Forget legislation that outlaws anonymous e-mail from untraceable destinations. It's time to call on a few corporations that can bring an end to this plague with a bit of strategic planning, cooperation and teamwork. The largest Internet service providers: AOL, MSN, Yahoo! and Earthlink, have the technology to solve the spam problem. All they have to do is require secure proof of identity of all messages that cross their gateways.

On October 5, The New York Times published an article, "Spam Fighters Turn to Identifying Legitimate E-Mail." It describes how the move towards identity is now accepted by all major players in the e-mail space (most notably, major ISPs) as a basic tenet of any long-term spam solution.

What are we waiting for? Once we upgrade the e-mail infrastructure to require secure, verifiable identity in all high volume e-mail, spam goes away. Fraudulent phisher e-mail attacks won't work, either. Pass more state legislation and you'll only provide lawyers with job security. Which gets your vote?

There's one alternative I haven't mentioned. We now have a Terminator governor who's demonstrated three times he's capable of time travel. We could just send him on a couple trips to the future and have him tell us what's going to work when he gets back.

—End