Stopping Spam: We Can Do Better

Opinion: Slow progress toward a solution should not discourage us from working to stop spam.

The following column is by Jonathan Koomey, a project scientist at Lawrence Berkeley National Laboratory and a consulting professor in the Department of Civil and Environmental Engineering at Stanford University; Marshall Van Alstyne, associate professor of information economics at Boston University; and Erik Brynjolfsson, the Schussel Professor at MIT's Sloan School of Management and Director of the MIT Center for Digital Business. The views expressed are those of the authors and not of their respective institutions.

In his Sept. 10 eWEEK column "Why we haven't stopped spam," Larry Seltzer outlined his concerns with our anti-spam plan, which was published under the headline "You've got spam" in the Sept. 6 edition of the Wall Street Journal.

We empathize with his frustration over the seeming intractability of the problem, but he shouldn't give up, and neither should the rest of us. Like us, he was initially optimistic but became discouraged by the slow progress toward a solution. This pattern recurs often with new technologies—an elegant solution is conceived early on, but messy implementation details arise, progress slows and many lose hope. Spam is a tough problem and won't be solved overnight, but it is by no means intractable.

Larry's column began by identifying inertia and inconvenience as preventing action on spam. He's right that these can be formidable obstacles, but there are ways around them, and our approach was specifically designed with them in mind.

We suggested a hybrid choice system because it would allow e-mail users themselves to exercise choice. Using a hybrid system—including (i) the current approach plus (ii) authentication of e-mail senders and/or (iii) anonymous bonds bundled with e-mails, payable by e-mail senders and redeemable by e-mail recipients—also allows an easier and less risky transition to a better e-mail environment.

People who prefer the current system can continue using it as is, while people who prefer low costs can use authentication, and people who are willing to pay for a recipient's attention can use bonding. We predict that the result will be a dramatic reduction in spam.

Larry raises the following objections to our plan:

1) He says success requires that there be someone "in charge" of the Internet;

2) He says that authentication is inadequate by itself to block spam (some measure of reputation is also needed);

3) He implies that difficulties of establishing a bonding system (including the need for personal authentication, security and cheap micro-payments) are too formidable to overcome.

Larry is correct that coordinating change can be difficult when there is no one "in charge," but if the benefits are large enough, even decentralized systems can change rapidly. Consider how quickly Internet users adopted Web browsers, HTML, HTTP and related standards, starting from just a few Web sites and no central command.

One advantage of the hybrid system is that individual e-mail companies can offer it to their users without requiring participation of other e-mail providers or needing a mandate from a central authority. Of course, the more companies that offer the system, the more effective it would be. A relatively small number of companies (Yahoo, AOL, MSN Hotmail, Google Mail) account for over half a billion e-mail accounts, a significant fraction of the worldwide total. If several of those companies mutually agreed on a hybrid system, their market power would drive others to adopt as well.

We agree with Larry that authentication by itself is inadequate to end spam, but authenticated e-mail would be an improvement over the current system. The phone system offers a great analogy: Existing laws, combined with the relative lack of anonymity for phone users, let us sue bad actors for sending junk faxes or calling people who are on the "do not call" list. Some telemarketing "spam" calls still get through, but they are few and far between.



Authentication allows e-mail recipients to more easily block mail from spamming addresses. Authentication can also help to enforce good behavior: If someone asks to be removed from an e-mail list and the spammer refuses to do so, or if the spammer sends out an obvious scam, the e-mail provider then blocks the spammer.

This is no different than removing book reviews from its site that don't follow its guidelines for good behavior. This is perfectly appropriate as long as the rules of the road are posted publicly. Of course there will be details to settle, but authentication would reduce spam significantly. Systems that rate online reputation would be helpful (and we strongly support them), but are not necessary for this effort.

We also agree with Larry that there are details to work out on bonding—the idea that senders could attach "bonds" worth a few pennies to their e-mail messages, payable to the recipient, as a way to vouch for the message's legitimacy. In particular, a bonding system will require micro- (or mini)-payments and user-level authentication.

Small e-mail providers have already implemented such systems, and these providers privately report that costs of operating bonding systems at a large scale should be low enough to be feasible. The question of malicious hacking is a serious one, but that, too, can be managed, as it has been for credit cards and online commerce.

It is an unfortunate historical artifact that this type of security wasn't built into our e-mail infrastructure from the beginning, but that certainly doesn't mean that we can't incorporate it now.

Instead of dwelling on the difficulties of bonding (which we think are surmountable), let's consider the opportunities. At present, legitimate advertisers like Citibank, Toyota and LL Bean cannot advertise credit, cars or clothing via e-mail for fear of tarnishing their brands and being identified as spammers. But what if they paid you?

It is an astonishing fact that advertisers spend $270 billion annually to reach you. That is almost $1,000 per person. Part of this expenditure could go directly to your pocket instead of into TV overhead, radio broadcasts or newspaper ads that clog up landfills. Ultimately, the cost-effectiveness and feasibility of bonding is an empirical question requiring serious testing at a large scale. We haven't seen that testing happening yet, and we think it's time to try. A hybrid system will allow us to get started and fine-tune the implementation details.

Will a hybrid system perfectly and completely solve the spam system? We doubt it. But, we can't let the perfect be the enemy of the good. Most e-mail users are fed up with spam, but they don't take action because they assume there's nothing they can do about it.

Ironically, that can become a self-fulfilling prophecy. Because of network effects, inertia of others makes it less worthwhile for any one individual to take action. However, if enough people adopt a hybrid system, then even today's skeptics will find it beneficial to join the movement. Let's make it happen!

Interested readers can access a relatively non-technical talk about bonding (without the integrals) here.
