
E-mail security shouldn't be this tough

Andy Moon advances an idea for e-mail security that would allow consumers to choose a trusted verification authority and would require registration and compliance from senders. Could this work to beat spam and e-mail-borne threats?

E-mail security is a hot topic, as it has been for quite some time, and everyone is looking for the spam-filtering panacea. There are dozens of security vendors out there, all touting their proprietary solutions, and there are also many different whitelists and blacklists, each implemented with varying degrees of success. Personally, I have used at least a half dozen different solutions, and like a large percentage in a recent survey, I am very concerned about the proliferation of e-mail-based threats out there.

Habeas Study Confirms Strong, Ongoing Demand for Email in Direct Marketing, Mobile and Web 2.0 Applications (Business Wire)

It really comes down to a question of the near zero-sum game of privacy versus security. In order to keep spam, adware, and other malware out of our environments, we are going to have to give up privacy to someone, but the question is, who? Obviously Microsoft and Google would love to be the repository of all of that information, but my answer is that the consumer should be able to choose who they want to trust to handle that data in a way that the customer approves of.

For e-mail, there could be a central certification authority that legitimate senders could opt in to by choosing to verify information with a company of their choice. The central authority could be managed by the FCC, and people who wanted to restrict their e-mail to only those who verified their identity could subscribe to this whitelist. The consumer could verify different pieces of their identity, much like services such as PayPal implement, through companies they are comfortable with. Businesses could register as well, as long as they meet different requirements related to unsolicited e-mail and unsubscribe policies.

It seems like a win-win solution to me; if a consumer's e-mail account is hijacked by spammers, the offending computer can at least be identified and the owner notified that her computer may be a zombie. If a business is truly engaging in legitimate activities, they shouldn't mind certifying compliance, registering, and agreeing to strict regulations. Do you think that such a system would help weed out spam?

13 comments
temp

There is a way to get authentication that is enforceable; on a one to one basis that requires no work and no filters; and requires no central authority looking into your private life. In the near future you buy an email address from a company using a prepaid credit card to protect your identity. The marketers then post a cash bond of one dollar at the same company and send you a message with a dollar bond attached to the email message. If you feel the message is a waste of your time, you click a header in the email and take the dollar. An automatic transfer is made from the marketer's bond account to your email account. However, if you see a message and it's curiously interesting, the marketer has successfully targeted you and reached a viable prospect. Marketers track the buying activity related to the email address and they contact you through the same email address. The marketer never has to know your identity and you can remain as anonymous as you like. Since you set the bond amount at a dollar, marketers are going to do their homework. Although a dollar is still less than a catalogue by ground mail, they are charged nothing when targeted email is accepted. There is no mediation, no central authority, no list keeping, only automatic e-bonding. Economics and the freedom of the internet are the cause of spam. The solution based on economics that can protect individual freedom is the answer. Un-bonded email accounts will become a thing of the past for folks on and off the grid. See Vanquish Inc. and the Lab tab. They have not yet opened the bonding feature, but it is only a matter of time. The patents are in place. I am an investor.

dogknees

As well as losing a certain amount of privacy, we lose the possibility of anonymity. While I'm generally not concerned by this (note my user name), there are legitimate situations where anonymity is a useful or even necessary option. Think of certain groups in countries that seriously limit free-speech. Without anonymity, they would never be heard by the rest of us. This is one of the great strengths of the net, to empower the powerless to get their story out to the world. It's not easy to come up with a system that allows them the freedom to be heard, but doesn't allow a spammer/phisher/... the same ability. Is the gain worth the cost? I guess it depends on who's being asked.

Answerfactory

Similar to Trusted Computing, DRM, and Palladium (actually this idea is part of TCA), this is a generally bad idea. Once a 3rd party is required for any service, such as email, you now have given that party the ability to non-arbitrarily control your access to that service. If the party ceases to operate (goes out of business), makes a mistake, decides they want to charge for a previously free service, or makes other changes against your will, you are now powerless to prevent it. First it was the spammers, then it was the social derelicts, then it was the critics, then it was the political non-conformists, and finally it was you. They were preventing you from sending email as you did not subscribe to the party line. -V

temp

However, a third party solution that simply provides the structure for individual control is the solution. Direct sender and recipient cash bonds provide individual control yet allow open access from the world. Yes, at a price, but it's going to be much less costly than managing email the way we do now. An individual message is still free. Only poorly targeted or insulting messages cost the senders and it's your decision. The third party economic structure using cash accounts forces marketers to target your real interest. If they succeed then reaching you is free. Self managing all your email becomes easy. It's not filters or postage or mediation or government controls that will make email really valuable. It's empowering you to require relevance in any marketing addressed to you. You are empowered to take cash from anyone who insults your tastes. It's coming from Vanquish Inc. I'm an investor. See the lab tab for more detail. When you see what a great job they are doing at running the non-bonded version of their service, you'll become a believer.

jakatam

And big brother is watching. So you should have to give up your personal information before you can send or receive email? Jakatam

Andy J. Moon

Think about it. I go to Google and have them verify my address, name, and whatever other information I am comfortable giving, and the company certifies that I have verified my identity. My email could be treated differently once I am verified, based on what each individual or company decides. If you only want to hear from people who have verified their name, address, and banking information, you can have it that way. Food for thought.

Tomb

Ok, so you verify to an authority that you are a legitimate user and people should accept e-mail from you, then you get infected with a Spam Bot. What now?

Magic Alex

What would you do if your credit card were lost or stolen? Cancel the account!

grax

Apart from the verification process being a little more complex and the increased cost, this looks like a good service. "If they do not verify I will not receive their email." Check your "Pending" Folder. They're all in there - just like Bluebottle. Thanks for the info.

brian

SpamArrest is another company providing email screening like BlueBottle. I have been with SpamArrest for over two years and I am very satisfied with the service. There are two hitches: 1) I run a small business and depend on incoming emails from new people not on my 'approved list'. Some of these folks are intimidated by the process of replying to a verification email and entering a code. If they do not verify I will not receive their email. 2) Although a minor hitch, there is a short lag time in receiving an email, i.e., you are on a conference call with a business partner and they send you an email pertinent to the discussion - there is a lag time in receiving the email due to the filtering service's polling intervals.

grax

Open an account with Bluebottle.com. I've been using it for 16 months with absolutely no unsolicited traffic. Sadly, they've just decided to discontinue their free service but, for $10/year, I think it's a good deal. They don't pay me for saying this - perhaps they should.

taylorstan

It would be a "no call" list for email. My phone stopped ringing within a few weeks after signing up for it. Would love to stop my junk box from filling up before my inbox does...lol

Neon Samurai

If I remember back far and correctly enough, I remember a software company suggesting a similar approach. Email would only be received from whitelist or trusted accounts and the protocol would be modified so that an email could be tracked back to its source. I think the software company did some testing on the traceable email part but it was a company that few trust far enough for the idea to ever become adopted. I could be remembering completely wrong though.