Web Watch

Saturday, April 09, 2005

Yahoo Domain Keys: Another Ineffective Spam Remedy

To paraphrase an old Klingon proverb, there can be no spam solution, so long as e-mail is free. Yahoo today unveiled plans to launch its Domain Keys software as an open-source toolkit in 2004. The intent is to allow developers of major e-mail systems to integrate Yahoo’s public/private key authentication system into their own software and thus create momentum for a standard whose raison d’etre is identity verification. This is a commendable effort, but a closer look reveals that it will not only fail to stop the spam problem, it may have almost no effect at all.

The first hurdle is that spam is not currently illegal in the United States. A quick check on David E. Sorkin’s excellent spamlaws.com reveals that the United States is strangely bereft of such laws at the federal level, especially compared to other countries in the world. What is the good of identifying the senders of junk mail if we have no legal recourse against them?

Lawrence Lessig has already staked his Stanford Law School Professorship on the bet that legislation against unsolicited e-mail – if ever enacted – would significantly reduce the amount of spam received in the United States. And it might, for a time, as US-based spamming operations are shut down (assuming the law was enforced). But then there would be a second hurdle – that an increasing amount of spam is coming from foreign countries whose legal systems have bigger problems than Americans being annoyed at receiving free junk mail.

There are problems from a technical perspective as well. Yahoo’s scheme works by authenticating the source ISP, which requires the ISP’s infrastructure to be upgraded to support the technology, but not that of its users. If authentication is not possible, then the theory is that the e-mail would be rejected by systems using this platform. But of course, unless 99.9% of e-mail users upgrade to such a system, rejecting e-mail from other users would be an even more draconian approach than challenge/response solutions.

The adoption of such a technology would segment across various dimensions, but economic factors would likely be the most important. In other words, large corporations, educational institutions and commercial ISPs – all primarily in first world nations – would be able to deploy these solutions in a systematic fashion. But the rest of the world, without large IT departments to maintain their networks, would be left behind. Since one of the driving forces behind e-mail adoption has been universal communication, this is simply not acceptable. So in all likelihood, it would have to be integrated with a challenge/response architecture to be viable.

But challenge/response technology’s fundamental problem is making contact for the first time. Simply put, the first e-mail you send to someone will not be received by them – until you authenticate yourself. If the device you send e-mail from uses a different reply-to address, then this introduces significant delays in message transmission. A user’s level of Internet experience correlates positively with both the amount of spam they receive and the importance of e-mail in their daily lives. The reason most such power users have not adopted challenge/response technology is that the benefit of immediately receiving new e-mail – and the guarantee of receiving all e-mail – outweighs the annoyance of dealing with spam.

Regular US mail is a completely open system, where anyone can send a piece of mail to anyone else, without a return address, or with a false one. One of the reasons regular junk mail isn’t as annoying as spam is the variable cost associated with sending physical mail. Junk mailers will simply not send out a campaign unless their projected response rate is high enough to justify the cost of sending the mail. Since junk e-mail is available at zero variable cost to spammers, they can sell their services to unscrupulous organizations at far lower rates than physical mail, making spam campaigns far more cost effective. Thus the average person probably gets a lot more spam – and of a far more graphic nature, due to the anonymous benefits of Internet commerce – than they get junk mail.

Associating a very small fee with each e-mail – say one tenth of a cent for “postage”, as has been proposed by some – would not affect the amount of e-mail sent by most individuals (1,000 e-mails would cost only $1) but it would effectively destroy the spamming business (1,000,000 e-mails would suddenly cost $1,000).

The difficulty is moving the world to a new standard – particularly when many foreign companies, especially in former Soviet republics, are employing some of the world’s most talented programmers to fight against spam reduction efforts. The only solution will likely be a brand new Internet.
