Convergence Conversation - brought to you by Intellect

When are we going to do something about spam?

Charles Arthur wrote a nice piece in The Guardian about e-mail that, once again, makes the point that there is (and has been for a decade) a rather straightforward way to reduce spam: digitally sign all e-mail.

Email as presently constituted is insecure and so prone to spoofing that a 10-year-old can do it. If - and it's a huge if - we had had S/MIME or PGP implemented everywhere by default from the outset of the net's arrival in the wider world, then we'd be used to the idea of checking an email's encryption certificate against its signature - even getting it done automatically - and rejecting the fakes.

[From When it comes to insecure email, my agitation is real | Technology | The Guardian]

When even I find it difficult to tell whether an e-mail from a bank is real or phish, the channel is almost useless as a business tool. Since stringent anti-spam legislation was passed, the problem has got worse. So, as I pointed out in The Guardian six years ago, we need to take action based on economics, not on law.

Making the sender pay doesn't have to involve an explicit charge. Suppose all email was encrypted and digitally signed and that your mail server would simply delete any email that wasn't.

[From Let's make the spammers pay | Technology | The Guardian]

This idea works because if you can change the cost of sending a spam message from zero to non-zero, no matter how small, then the economics of spam, based on very small response rates but very large numbers of messages, will fundamentally alter.  At the moment -- in fact, since the dawn of the Internet -- spam is subsidised.  It gets a free ride on the back of the Internet, because the mail protocols were never designed to handle anything other than free e-mail.

How do we go about making spam not free then?  There have been many proposals over the years, but they all revolve around the same concept: if it cost even a small amount of money to spam, there would be less of it, and there are, broadly, two different ways to make it cost a small amount: make it cost the spammer money to send the spam or make it pay for the receiver to get it.

One possibility is creating mail clients that demand money to accept mail: a legitimate company emails you and your mail client puts their message into escrow and asks for 50p from "the system".  Once the legitimate company has paid, the mail will be released to your account, the sender credited with 49p and "the system" keeps a penny for its trouble.  I remember a couple of start-ups trying to do something like this back in the day, but none of them took off.

But making the sender pay doesn't have to involve an explicit charge. Suppose all email was encrypted and digitally signed and that your mail server would simply delete any email that wasn't.

If a spammer wants to send a million emails, they have to perform a million public key encryptions, a million session key generations and a million symmetric encryptions. Even if it took a desktop PC only one-tenth of a second to generate signed spam, it will now take the spammer more than a day to send out the spam, as opposed to a few seconds at the moment.  And if he's sending it out via bots, then those PCs would grind to a halt, so hopefully someone would notice!

What's more, the spam will arrive encrypted in your mail box. When you click on it, you'll see a screen full of unintelligible nonsense instead of lurid photographs, pornographic subject lines and trick images that when loaded register to the spammer that your e-mail address is live. If you or your mail package does not recognise the sender then you won't bother to hit "decrypt". If a legitimate organisation wants to email you, they'll have to ask for your key (or get it from a directory) and ask you to add their key to your "trusted" key database.
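The receiving-server rule described above (delete any email that isn't encrypted and signed), sketched as an added example that is not part of the original post: it classifies a message by its outer MIME structure (S/MIME or OpenPGP/MIME) and deletes anything that is not encrypted. It checks structure only, since a signature wrapped inside an encrypted envelope can be verified only by the recipient after decryption; the function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string

# Outer MIME markers for signed/encrypted mail
# (S/MIME: RFC 8551, OpenPGP/MIME: RFC 3156).
SIGNED_PROTOCOLS = {"application/pkcs7-signature", "application/pgp-signature"}
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def _param(msg, name):
    """Lower-cased Content-Type parameter, or '' when absent."""
    value = msg.get_param(name)
    return value.lower() if isinstance(value, str) else ""


def classify(raw):
    """Return 'encrypted', 'signed' or 'plain' from the outer MIME structure."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = _param(msg, "protocol")
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "encrypted"
    if ctype == "multipart/signed" and protocol in SIGNED_PROTOCOLS:
        return "signed"
    if ctype in PKCS7_MIME:
        kinds = {"enveloped-data": "encrypted", "signed-data": "signed"}
        return kinds.get(_param(msg, "smime-type"), "plain")
    return "plain"


def decide(raw, allow_signed_only=False):
    """Accept encrypted mail, delete the rest (signed-only is a policy switch)."""
    kind = classify(raw)
    if kind == "encrypted" or (kind == "signed" and allow_signed_only):
        return "accept"
    return "delete"


# Constructed sample messages (bodies are placeholders, not real ciphertext).
PLAIN = "From: offers@example.com\nSubject: hello\n\nBuy now\n"
SMIME_ENVELOPED = (
    "From: bank@example.com\n"
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n")
PGP_SIGNED = (
    "From: colleague@example.com\n"
    'Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nhi\n"
    "--b\nContent-Type: application/pgp-signature\n\nsig\n--b--\n")

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN), ("smime", SMIME_ENVELOPED), ("pgp", PGP_SIGNED)]:
        print(name, classify(raw), decide(raw))
```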

We'll just add digital signatures then. My Microsoft mail package understands them perfectly, so there shouldn't be a problem. Yet earlier this week I tried to send an encrypted e-mail containing sensitive information to one of my colleagues and it didn't work and it took us half-an-hour to figure out that I'd got one of his old certificates selected as the default in my e-mail package. When even people who really understand how digital signatures work (approximately 0.001% of the population) can't figure out how to make their own mail work properly, the technology has problems.  What's the point of a converged infrastructure if we

a) can't make it secure, despite having had all the tools for years, and

b) can't make the security useable when we do implement it?

This is an area where some fundamental rethinking is long overdue, and Intellect ought to be a place where some of the stakeholders come together to make some progress.

About the authors

Primary author
Dave Birch
Consult Hyperion

Contributors
Camilla Young

Post information

Posted 10 Nov 2008
Last edited 20 Nov 2008
Latest revision: 3
