A Legal Solution to Spam
My version of the FUSSP.
Spam is a menace to society.
In my many train journeys in India, the train stations were always populated by vendors hawking their tea, snacks, and other items to the travellers. The vendors advertised by yelling the name of their product while walking up and down the platform, sometimes very loudly, but always with panache. Any interested traveller could stop their activity and purchase the product, or continue on with their activity without any interruption. This scheme was mutually beneficial, and shows that advertising can be good for society.
By contrast, consider the mechanics of spam. Unlike the station vendor who must physically exert himself, a spammer can send millions of solicitations for the incremental cost of only a few cents' worth of electricity. The recipient, on the other hand, must physically scan and delete each e-mail. If it takes an average of one second to scan and delete a spam, then the spammer who successfully sends one million spams generates 11.57 days' worth of work for the rest of society.
If this kind of imbalance were to be replicated at the train stations, one might have to imagine the following scenario. Suppose that after rail travellers obtained their tickets at the entrance to the station, they would face a line of station vendors. Then, they would have to say "Yes" or "No" to each and every one of the vendors before being allowed on to the platform. Such a scenario is obviously preposterous.
Spam should be treated legally.
First, spam imposes more costs on society than it creates benefits. Second, it harms society on the whole far more than it hurts any single individual. These two observations suggest that a legal solution is necessary. Laws are rules that the majority agrees to enforce in order to preserve society at large. They are mutually agreed-upon coercion, and they successfully dampen the destructive effects of the few on the many.
Certainly, the number of spammers is sufficiently small that society as a whole can afford to enforce laws that penalize them. The only task that remains is a means for citizens to pool their resources, and a means to identify the spammers. For purposes of discussion, assume that at any given time, there are 5,000 active spammers in the world. Each year, 1,000 newcomers become active spammers, and 1,000 spammers drop out. Because of the churn, enforcement of any laws against spam would have to be continuous.
Technical solutions are inadequate
Many computer scientists are developing clever algorithms to detect spam. As typical technologists, they overlook the fundamental flaw of any spam filtering solution. This recent paper reports that their filtering techniques seemed to plateau at 99.9% filtering accuracy on a fixed data set of emails. The paper then goes on to propose additional technological solutions for preventing spammers.
The problem with this paper is that the emails they analyzed were sent before those spammers had encountered the filtering mechanisms they tested. The paper also points out that any filtering technology can be beaten by using it against itself, but it neglects to draw the logical conclusion that the high accuracy of their techniques was achieved by using a biased data set. In other words, as soon as their experimental filtering mechanisms became widespread, and spammers learned to bypass them, their results would be meaningless. Of course, then they would come up with a new filtering scheme.
Why look for better and better filtering solutions when they simply cannot work in the long run? Worse, these solutions require varying degrees of additional processor time, bandwidth usage, and end-user time to train the systems, and they carry the risk of false positives. This represents costs borne by society far in excess of the benefit provided by spam. Again, this suggests a legal solution to stop spammers.
Email is fundamentally flawed
For a long time, people have known about the problems of giving write permissions on anonymous FTP servers and publicizing their addresses. Anybody on the Internet can send whatever they want to those FTP servers. They generally store illegal software for redistribution, and hope that no one notices. If the FTP server were regularly checked by a human, it would not be hard to imagine advertisers sending files with creative file names, like "go.to.www.mysite.com.for.low.cost.mortgages.com.txt".
No one seems to have noticed that an email address is exactly like an anonymous, publicized FTP server with write permission. Instead of being called a directory, it is called an in box, and instead of storing files, it stores messages. The only difference is that a human regularly checks an in box whereas a human might not check an FTP server. People keep doors on their houses to keep people out, but having a typical email address is equivalent to removing the front door from the hinges and discarding it. It should be no wonder that all the trash of society comes bustling in.
Stop the ability to automate
Everybody usually enjoys getting an email from another person, just like people usually enjoy talking with others. Spammers, on the other hand, don't want to talk to you at all. They want to send their message with as little effort as possible. Therefore, the first step towards ending spam begins with a relatively simple technical solution called a CAPTCHA.
CAPTCHA is the acronym for a computer-generated test that humans can pass but computer programs cannot. A simple example is looking at an image with skewed words, and typing in some words from the image. In my proposed solution, every email received would first be automatically replied to with a message containing a web link. The sender would then have to solve a CAPTCHA on the web page before the email would go through to the recipient.
A real person sending the message only faces the moderate inconvenience of opening a web page and submitting the solution to the CAPTCHA. On the other hand, a would-be spammer is stopped in their tracks. First, the spammer must supply a valid return address to get the unique link to the puzzle. Second, the spammer must manually solve and submit the form in order for the message to go through.
The only way for a spammer to get by would be to write a program to solve the CAPTCHA. But as the name implies, writing a computer program to solve it is incredibly difficult. The best programs can solve a few of the early CAPTCHAs only 50-80% of the time. On the other hand, a slight change to the CAPTCHA algorithm would drop that success ratio instantly back to zero. In other words, the tables have been turned on the spammers. Instead of spam recipients constantly needing to improve their filters, spam senders have to constantly improve their CAPTCHA solvers, a task which quickly becomes unreachable.
A spammer could also hire people to solve the CAPTCHAs, but this would exact such a high cost that the spammer would not be able to send spam to millions of people. The profile of the spammer is increased from a single person working out of a home to an office with a staff and payroll. That makes the spamming operation an easier target. Due to the labor cost of solving the CAPTCHAs, the spammer would most likely not be reckless about their message, and would instead be likely to establish a long term advertising relationship with the recipient by gaining a coveted spot on their white list. This could be beneficial for both the advertiser and the recipient.
If the spammer could solve the CAPTCHA all the time, then this system becomes equivalent to a challenge-response system. Several companies and software programs are beginning to offer such systems. Challenge-response by itself can stop spammers in their tracks. The challenge-issuing server knows that anyone submitting a response must be a human. Therefore, the server can be designed to automatically block computers that issue responses too fast. The human-scale time delay introduced by the challenge-response system prevents spammers from sending thousands of emails per minute, thereby eliminating their economies of scale. If the challenge becomes a difficult CAPTCHA, then the automated spam is completely defeated.
White list friendly mail senders
After successfully solving a CAPTCHA, the sender has proved to be a human and to have used a valid return address. Therefore, the sender could be automatically added to a white list, and thereafter they could send messages freely without needing to solve another CAPTCHA. Thus, the inconvenience for friendly senders is even further lowered. By providing several CAPTCHAs of different forms (image-based, text-logic-based, sound-based), some of their accessibility problems can be reduced. The CAPTCHA system is akin to a bouncer at a bar who scrutinizes the ID of new visitors, but lets known visitors pass through with just a wink and a nod.
The only remaining problem is how to receive automated mailings from legitimate third-parties. A simple form of netiquette can solve this problem. All the mailing list proprietors simply post their From email address at the time of sign-up. For example, E*Trade might state in their terms that all their mail will originate from *@etrade.com. Then, when anyone signs up from an E*Trade account, they just white list that address in their email account.
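The challenge, white list and too-fast-response rules described above can be put together as follows. This is an added sketch, not code from the essay or from any service it links; the class name, the 3-second threshold and the example.org/example.net addresses are assumptions, and CAPTCHA rendering and checking are represented only by the `captcha_ok` flag.

```python
import fnmatch
import secrets

MIN_SOLVE_SECONDS = 3.0  # assumed cut-off for "responses too fast"


class ChallengeGate:
    """Hold mail from unknown senders until the sender passes a challenge."""

    def __init__(self, whitelist=()):
        # Entries are exact addresses or patterns such as *@etrade.com.
        self.whitelist = {p.lower() for p in whitelist}
        self.pending = {}  # token -> (sender, message, time challenge issued)

    def is_whitelisted(self, sender):
        s = sender.lower()
        return any(fnmatch.fnmatchcase(s, p) for p in self.whitelist)

    def receive(self, sender, message, now):
        """Return ('deliver', None) or ('challenge', token)."""
        if self.is_whitelisted(sender):
            return ("deliver", None)
        # Unguessable token for the link mailed back to the return address.
        token = secrets.token_urlsafe(16)
        self.pending[token] = (sender, message, now)
        return ("challenge", token)

    def respond(self, token, captcha_ok, now):
        """Handle one submission from the challenge page."""
        if token not in self.pending:
            return "unknown-token"
        sender, message, issued = self.pending[token]
        if now - issued < MIN_SOLVE_SECONDS:
            del self.pending[token]  # answered faster than a human could
            return "blocked-too-fast"
        if not captcha_ok:
            return "retry"  # message stays held
        del self.pending[token]
        self.whitelist.add(sender.lower())  # later mail skips the challenge
        return "delivered"


if __name__ == "__main__":
    gate = ChallengeGate(whitelist=["*@etrade.com"])  # constructed sample data
    print(gate.receive("alerts@etrade.com", "statement", now=0.0))
    action, token = gate.receive("alice@example.org", "hello", now=10.0)
    print(action, gate.respond(token, captcha_ok=True, now=25.0))
    print(gate.receive("alice@example.org", "hello again", now=30.0))
```

The gate matches the From address exactly as given, so a message carrying a forged address that fits a white-list pattern is delivered without a challenge.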
This finally brings us to the legal remedy against spammers. The only way to spam would be to send an automated mailing with the forged return address of a well-known entity. One can quickly see that a large entity, like E*Trade or your alumni association, would not take kindly to their address being forged. They would have the resources to find and sue the spammer. Unlike trying to debate the definition of spam, the crime in this case would be succinctly defined: forgery.
Advantage to the email recipient
There does not have to be any additional taxation, laws, or bureaucracy to implement this solution. Spammers would become forgers, and would be tried under existing legislation. Furthermore, because an entire group is offended at once, instead of many individuals, the resources will be there to bring legal action. Corporations and groups with automatic email systems could fund a coalition against email forgers. They could pay a fee to the coalition based on the number of members in their list, and the fees would be pooled to take legal action against forgers.
The onus of technical development falls largely on the spammers, whose task of solving CAPTCHAs becomes impossibly difficult, not only because CAPTCHAs themselves are hard to solve by computers, but because different ISPs could use different CAPTCHA generation algorithms. The system can be implemented without any change to the underlying email protocols. No encryption or certification authority needs to be set up. End-users do not have to waste time endlessly training their email filters and buying new filtering software. All they have to do is maintain their white list, which most people already do in the form of their address book.
Conclusion
Spam is a menace to society, because it exacts a total cost on society far outweighing the benefit of the advertising. Because spam is the type of problem where the actions of a few hurt many people in a small way that adds up to a large amount, it suggests a legal solution. The technical solution of filtering does not work in the long run, because spammers can adapt to any filter.
The fundamental problem of spam is rooted in the recklessly open nature of the email system, where anybody can automatically send any amount of data to anybody else. This can be solved by a simple challenge-response system where the sender must first solve a problem (CAPTCHA) that is hard for computers to solve, but easy for humans. The recipient can white-list people they know and any automated mailing lists from which they receive mail.
A spammer must forge the return address of a well-known sender in order to get by this system. The cost of hiring people to solve the CAPTCHAs would significantly reduce spam and increase its quality. If the spammer did forge a well-known address, they would be liable to be sued for forgery by the maintainer of that address. Because the list owner represents a large number of people, there would be enough resources to file suit against the spammer. Companies could even form a coalition to pool legal resources.
This system would require no major technical overhaul of the email system, and any ISP could set up such a mail system today. I received about a dozen spams just during the course of writing this essay, so I would sign up for such an account immediately. I have not found any company that provides such a service. If you provide a service like this, you can contact me and I will list your company here.
Summary of Features
A CAPTCHA-based email system would have the following features:
- No change required to existing mail servers or protocols. Only new mail servers implement the system.
- No risk of false-positives as with filtering solutions.
- Permanent solution, whereas the filtering paradigm continuously needs new filtering algorithms.
- Does not stop email advertising, but instead increases the costs for email advertisers to the point where they will stop illegal spam.
- Illegal spammers must commit forgery and misrepresent a large group, making it more likely they will be sued.
- Can be attached to a new or existing email account.
Links
- spamarrest - challenge-response email service
- iPermitMail - challenge-response email service
- Tagged Message Delivery Agent (TMDA) - open source software application that can perform challenge-response, but not CAPTCHA
- Junk Mail Buffering Agent - open source tool for doing challenge-response
- Spam blockers may wreak e-mail havoc, by Declan McCullagh.
- Proper principles for Challenge/Response anti-spam systems
- The Spam-Filtering Accuracy Plateau at 99.9% Accuracy and How to Get Past It. - CRM-114
- Inaccessibility of Visually-Oriented Anti-Robot Tests - w3.org
- Remarks by Bill Gates, RSA Conference 2004 - claims the end of spam using challenge-response systems and cryptographic domain authentication - looks like Microsoft will win again...
- Sender Policy Framework
- A plan for Spam by Paul Graham
- http://www.lessig.org/blog/2003/08/giving_in_to_challengeresponse.html - Lessig Blog: Comments on post "giving in to challenge/response"
- Foiling Spam with an Email Password System
Disclaimer: This content is provided as-is. The information may be incorrect.