Click the comments link on any story to see comments or add your own.
Subscribe to this blog
27 Nov 2008
22 Nov 2008
A proposed anti-spam technique called Attention Bonds has been getting a lot of press lately. It's not a particularly new idea; Philip Raymond of Vanquish, Inc. has a patent on the technique applied for in 2002 and issued earlier this year.
In its latest incarnation, it's proposed by University of Michigan economists, starting with an analysis that comes to the not very surprising conclusion that we'd all be better off if something other than spam filters allowed more mail that people want to be delivered. Their propose a form of e-postage in which recipients can demand a monetary ``bond'' from unknown senders, which the receipient can either keep if the message is spammy, or return if the message turns out to be nice.
Attention bonds are an unfortunate idea, particularly in an international forum. The first problem is that they make the all too common assumption that the bad guys will play by the rules. As I note in my e-postage whitepaper, as soon as you make e-mail cost real money, you open up a wide range of financial frauds and scams, ranging from fake payments from fake banks to scams where the bad guys induce people to send them mail and collect all the payments. Although it would be possible to create a set of rules and tribunals to deal with the new problems, there's no reason to assume that the result would be any less expensive and awful than the situation now. There's also the closely related problem that we still don't have any workable authentication scheme for e-mail so there's no way to prevent bad guys from lying about who they are and forging mail purporting to be from your friends.
Second, they don't seem to appreciate how expensive it would be to build the necessary infrastructure, waving it away in one of their presentations by noting that phone systems bill to the second. The system that bills and settles payments among phone companies is big, complex, and expensive, and there are a lot more ISPs and networks than phone companies, even before you start to think about how you'd remit payments to individual mail users.
Internationally, an attention bond system would kill e-mail from LDCs and countries with non-convertible currencies. For you or me, a bond of a couple of dollars is no big deal, but for someone at a cybercafe in Ghana or Nepal, or a student in Iraq using facilities at school (I currently correspond with one), two dollars would be a large chunk of a week's disposable income, if they could buy the bond at all, which they probably couldn't since they don't have a bank account.
Even if you wave your hands and give everyone a bank account, the system is not set up for vast numbers of automated transactions. Paypal is the most widely used online payment system. It's a swell system, and their highly automated system is cheaper than manual credit card charges. but each transaction requires logging in and working through a series of screens, both to be sure the transaction is the one the user wants, and for Paypal to minimize the risk of fraud. Paypal currently handles about 500,000 payments per day (according to their SEC filings). Even if only one message in a hundred did a bond thing, when you consider how much e-mail flows around the world every day, that's still something like a thousand times more transactions than Paypal handles, and considerably more than the entire credit card system handles. Scaling that up wouldn't be either easy or cheap, and would require the investment of many billions of dollars. More hand-waving argues that there'd be multiple banks to spread the load around, so you need only verify a message's bond with the bank that's issuing its bond. That's OK, but we have to assume that spam will all have fake bonds that will need to be checked and rejected, which is nearly as expensive as a successful verification, but doesn't lead to a transaction that helps pay for the transaction system. Futhermore, if you, the recipient, expect to be paid, you'll need to check with your own bank to see if they trust the other bank to pay up, since it won't take long for the First Deceased Military Officers' Bank of Lagos, Nigeria to start issuing bonds that they will cheerfully verify but never pay. It's not impossible for your bank to provide you with an updated set of other banks whose bonds they'll accept, but lacking a central registry like Visa and Mastercard have, which would be a chokepoint, negotiating all of the agreements between all of the banks all over the world would be at the least painful, sort of a throwback to the way international banking worked in the 1930s with letters of credit to correspondent banks overseas.
A friend of mine noted that any e-postage system needs good authentication to make sure the money flows to and from the right people. But with good authentication, there's more direct ways to deal with spam, such as third party reputation systems. Rather than spend billions of dollars to build a system that people will hate becuase it'll be a non-stop source of fraud and scams, wouldn't it make more sense to address the spam problem more directly?
Addendum: one of the U.Mich group, Thede Loder, was at the ITU WSIS spam conference pitching attention bonds, and I had a chance to talk to him at some length. I hope he's now less underinformed about the realities of the world of e-mail, but based on subsequent e-mail correspondence, I'm not sanguine.
19 Nov 2008
14 Nov 2008
After all the uncomplimentary things I've said about ICANN, in fairness I should acknowledge that they do, finally, seem to have terminated famously sleazy registrar EstDomains, brushing off last ditch attempts by its owner to claim that his conviction for fraud was under appeal and that he wasn't an officer any more. His conviction was nine months ago, and there's well documented evidence of years of involvement in crime ranging from phishing to child porn, but better late than never.
I remain interested to see what, if anything, ICANN plans to do about registrar DynamicDolphin, whose owner also has been convicted of a felony.
Followup Note: On 24 November, the 281,000 domains registered by EstDomains become available to transfer to any other registrar who wants them. But who'd want a portfolio of domains that are mostly notable for being used for criminal purposes? What if no other registrar wants them? Are they all just deleted? Go into limbo? If they're in limbo, how could a registrant take them out of limbo? Does ICANN have a plan? Stay tuned and in two weeks we'll find out.
08 Nov 2008
My other sites
© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.