Andy Moon advances an idea for e-mail security that would allow consumers to choose a trusted verification authority and would require registration and compliance from senders. Could this work to beat spam and e-mail borne threats?
E-mail security is a hot topic, as it has been for quite some time, and everyone is looking for the spam-filtering panacea. There are dozens of security vendors out there, who are all touting their proprietary solution, and there are also many different white- and blacklists, each implemented with varying degrees of success. Personally, I have used at least a half dozen different solutions, and like a large percentage in a recent survey, I am very concerned about the proliferation of e-mail-based threats out there.
It really comes down to a question of the near zero-sum game of privacy versus security. In order to keep spam, adware, and other malware out of our environments, we are going to have to give up privacy to someone, but the question is, who? Obviously Microsoft and Google would love to be the repository of all of that information, but my answer is that the consumer should be able to choose who they want to trust to handle that data in a way that the customer approves of.
For e-mail, there could be a central certification authority that legitimate senders could opt in to by choosing to verify information with a company of their choice. The central authority could be managed by the FCC, and people who wanted to restrict their e-mail to only those who verified their identity could subscribe to this whitelist. The consumer could verify different pieces of their identity, much like services such as PayPal implement, through companies they are comfortable with. Businesses could register as well, as long as they meet different requirements related to unsolicited e-mail and unsubscribe policies.
It seems like a win-win solution to me; if a consumer's e-mail account is hijacked by spammers, the offending computer can at least be identified and the owner notified that her computer may be a zombie. If a business is truly engaging in legitimate activities, they shouldn't mind certifying compliance, registering, and agreeing to strict regulations. Do you think that such a system would help weed out spam?