How much Goodmail is
going on?"> I also checked in with the American Red Cross, which was famously used by both sides as an example in last years Goodmail Flame Wars. Goodmail set up preferential treatment for nonprofits (it turned out to be cheap as opposed to free) and told me recently, as part of the earlier statement about over 300 sending brands using CertifiedEmail, that "[w]e also have a number of nonprofits, such as American Red Cross, Americans for the Arts, Lukemia and Lymphoma Society, and National Center for Missing and Exploited Children, and approximately 80 governmental agencies, ranging from municipal organizations up to federal agencies." When I spoke to the American Red Cross they said that they had been working on setting up Goodmail (not a simple process) and were almost ready to start, but hadnt in fact done so.Goodmail does claim that by the end of this quarter (March 31, I assume) at least 90 percent of AOLs 22 million users should have seen a CertifiedEmail. Im skeptical, especially since the only bank I see in its list of brands is KeyBankbanks were supposed to be the perfect CertifiedEmail customers. I suspect the problems are similar to the Red Cross: Setting up Goodmail on a large e-mail list is not a trivial tasknor should it beand the real volume is probably not far away. So it may be too early to judge Goodmail completely, but I still argue that the absence of any evidence of the catastrophe predicted by the DearAOL crowd shows that it was just bad science fiction to begin with. The clearest response I got was from Danny OBrien, activism coordinator at the EFF, who agrees its too early to draw conclusions. He points out, as I had realized on my own, that AOLs business model underwent a revenue transplant over the last year. He argues that as subscription revenues decline, AOL will be more and more tempted to get what it can out of other sources like Goodmail, especially if Goodmail is successful. Its still speculative, but its a better argument than they had last year. OBrien worries generally about the point "where Goodmail [or other for-pay certification systems that share with the ISP] starts picking up smaller, commodity ISPs and it becomes collectively harder for senders [to] object to the idea of switching to a pay service." According to RSAs annual Consumer Online Fraud Survey, consumers are more afraid than ever before that e-commerce and online banking is putting their data at risk. Click here to read more. OBrien shouldnt worry so much. A major part of the Goodmail value proposition is that CertifiedEmail messages appear markedly different from uncertified messages in the client. AOL and Yahoo can do this, as can others with a proprietary mail client, such as GMail. But the typical ISP account that uses SMTP and POP3 and where the user is probably using one of a dozen versions of Outlook or Outlook Express, or perhaps a Mac or Eudora or any of numerous other potential e-mail clients, has no easy mechanism for delivering the software changes to make this possible. Those users are no better-served by Goodmail than by more conventional accreditation services like Habeas. This difference also helps to explain why it makes sense for Goodmail to share revenue with its clients. Im still bullish on accreditation and Goodmail, although changes to e-mail do seem to take frustratingly long times. There are plenty of open- and standards-based efforts in this area and related ones, such as the Domain Assurance Council, which is attempting to standardize access to reputation services. And in the very long term I think that e-mail is the wrong venue for opt-in communications anyway. The sooner all that moves to RSS, which is a pull system from which users can unsubscribe when they wish, the better. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
More from Larry Seltzer
My final test was my sister, a heavy AOL user, who tells me that she hasnt seen anything that sounds like "CertifiedEmail." It could just be that she doesnt use the right brands, or perhaps she just hasnt noticed the CertifiedEmail stuff. But shes smart and observant and I would think shed remember it, especially in as much as its designed to be noticed. More likely, there isnt a whole lot of CertifiedEmail out there yet.