For a long time, I was a proponent of the puzzle solution to ending spam, and to some extent I still am, but let me explain why the puzzle solution is not enough. The puzzle solution is designed to add friction to the sending of email by placing a processing burden on outbound mail servers. Essentially, it would slow mail servers so that spammers could never send 10 million emails in one day. It changes the economics of sending spam. Let's face it: Spam is really an economic question. The only reason spammers are sending spam is because it pays off. If you can change the economics so that it no longer pays off, then they will stop sending spam. They will go off and do something else to con people out of money, but they won't be sending spam.
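A hashcash-style stamp is one common way to build the kind of puzzle described above: the sender burns CPU finding it, and the receiver checks it with a single hash. This is an added example, not part of the original article; the stamp format, function names, sample addresses and the assumed rate of 10 million hashes per second are all illustrative assumptions.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Count zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def mint_stamp(recipient: str, date: str, bits: int) -> tuple[str, int]:
    """Sender: search for a counter whose SHA-256 has `bits` leading zeros."""
    for counter in count():
        stamp = f"{bits}:{date}:{recipient}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1  # the stamp and how many hashes it cost

def verify_stamp(stamp: str, recipient: str, date: str,
                 min_bits: int, seen: set[str]) -> bool:
    """Receiver: field checks plus one hash; a stamp is accepted only once."""
    parts = stamp.split(":")
    if len(parts) != 4 or not parts[0].isdecimal():
        return False
    if int(parts[0]) < min_bits or parts[1] != date or parts[2] != recipient:
        return False  # too cheap, stale, or minted for someone else
    if stamp in seen:
        return False  # replayed stamp: each one pays for a single delivery
    digest = hashlib.sha256(stamp.encode()).digest()
    if leading_zero_bits(digest) < int(parts[0]):
        return False  # claimed work was never done
    seen.add(stamp)
    return True

def bulk_cost_seconds(messages: int, bits: int, hashes_per_second: float) -> float:
    """Expected sender CPU time: about 2**bits hashes per stamp."""
    return messages * (2 ** bits) / hashes_per_second

if __name__ == "__main__":
    seen: set[str] = set()
    # Constructed sample recipient and date.
    stamp, tries = mint_stamp("alice@example.com", "2024-01-01", 16)
    print(stamp, "after", tries, "hashes")
    print("accepted:", verify_stamp(stamp, "alice@example.com", "2024-01-01", 16, seen))
    print("replayed:", verify_stamp(stamp, "alice@example.com", "2024-01-01", 16, seen))
    # 10 million messages at 20 bits, assuming 10 million hashes per second.
    print("days of CPU:", bulk_cost_seconds(10_000_000, 20, 1e7) / 86400)
```

Binding the stamp to one recipient and date is what makes the cost per message: a stamp minted for one address fails verification for any other, so the work cannot be amortized across a bulk run.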
Right now, spam is profitable, and that's why it persists. It's profitable because it's cheap to send and because some foolish people still click on spam and buy products from spammers. They are just as much to blame for this problem as the spammers themselves. It only takes one idiot out of 1,000 people clicking a spam email and buying a product to make it financially justifiable for that spammer to send 10 million more emails. In effect, one person can bankroll spam that will affect millions of other people. This is what's happening today all across the internet.
This is phishing, and it's a huge problem. I must get two or three phishing emails from con artists every day. Of course, I ignore them. Most of them are from banks that I don't bank with. But every once in a while, something comes in from a bank that I do bank with. It's pretty convincing stuff. If I were a new user to the internet, or if I wasn't covering this kind of topic, I might click on it and think it was legitimate. It all looks legitimate. The logo is there, and the domain name looks right. It all looks very official. These scammers are very good at creating these official-looking "phishing" websites. In fact, they're making a living doing it, and I'm sure they're making a very good living, because many people log in. They'll give their usernames, passwords and social security numbers right to the con artists.
Then, it's over. The con artists have got you. They've got everything they need to make your life miserable from that day forward in terms of your finances and your credit rating. Once your identity is stolen, it is very difficult to get your finances back in order.
I think that "phishers" or scammers have awakened a sleeping giant in using this tactic. They have enraged the financial world. The financial world has money, and it is influential. I believe it is going to get some laws put into place that will clamp down on these security breaches. What's at stake here is not just the personal victims of phishing attacks. What's at stake is the credibility of these financial institutions and the credibility of email as a medium of communication. If we can't get these problems solved, people may increasingly distrust email, period.
This threatens the very foundation of trust between customers and their financial institutions. What would happen if we all had to go back to banking by paper and postal services? Can you imagine actually writing out a physical check, licking a stamp and mailing it to your bank? We need to find a way to crack down on phishing and stop the spammers cold.
My personal belief is that we're going to require a global system of sender authentication. I regret saying that, because I think it's going to add a layer of bureaucracy to the internet and ultimately make it less free. Freedom is very, very important, especially in terms of online speech. But this problem is becoming so serious that we are looking at a situation where we need to know who is sending email.
Essentially, we need a system in which people who send email must effectively show their ID to send that email. I don't mean that they would send you a copy of their driver's license, but there must be some mechanism by which the identity of a company or individual is permanently and irrevocably attached to that particular message. Then there needs to be a system so that we, as end-users or receivers of the email, can click a link or go to a website to verify the identity of that sender.
This is no small proposal. There are many problems in making this a reality. The first of those problems is that not everybody agrees that this is a viable solution. The second problem is that if there is a cost involved, it becomes an economic issue, and you automatically exclude those who don't have the money to afford this personal identification mechanism, whatever it happens to be. You don't want to punish people in third world countries, people with lower incomes or non-profit organizations. You don't want to say to them, "You can't send email because you can't afford the filing fee." On the other hand, we need a system of authentication. We need to know who's sending emails, and we need to be able to verify it. I think we're past the point now of arguing that everybody should be able to anonymously send email. We must start requiring email sender certification.
At the same time, I do not believe that any particular government should do this. I think if the government gets involved, it will take two or three years longer than necessary to put it in place. This solution must come from the industry itself, and it should probably come from the big companies leading the industry: Microsoft, AOL, Yahoo and MSN. These are the companies that have the influence, the technology and the user base required to put something like this in place.
But here's the catch: These companies have to agree. Imagine sitting all these competitors in the same room and saying, "Map out a solution. Shake hands on it, implement it and exchange these certification systems with each other. Then, propagate it to the entire world." This is no small task, but I believe it is the very task that we must ask these industry leaders to undertake. We must agree to do this if we are going to live in a world where email communications can be trusted. We're at a crossroads now. We can go down the path of allowing email to continue being the Wild West, with anonymous emails flying around with no real control standards and no real authentication system, but things are going to get worse.
Or, we can go down another path. We need to reshape the email medium. We need to have a trusted system so that we can authenticate the identity of senders. It's a difficult thing to do, but we can go down that path. We can move on as a society, living in a world where the information technology infrastructure is more secure and more trusted, and we can experience all of the efficiencies of technology and communication that go along with that.
That is the path I think we must choose as a society. It has taken too long to get these big companies to sit down and agree to things. Here's the danger: If they cannot agree on a set of standards, eventually there will be enough pressure from financial institutions, internet users and legitimate email marketing companies to get Congress to pass new laws mandating some kind of sender certification or authentication system. That, my friends, is what we don't want. Again, I think the government won't do it right. It will be very bureaucratic, costly, delayed and inadequate. We do not want the government to come and regulate this medium. We want a private industry solution, and it probably needs to come from the big leaders and the big corporations.
I urge those reading to recognize that now is the time to call for serious reform of the email medium. We need a technical change. It's going to require upgrading all of the SMTP servers and all the POP servers. It needs to cover both the open source community -- all the Linux users and the Unix users -- and of course the Microsoft and Mac world, as well. It must be an open source standard. It can't be a proprietary technology, yet it needs to be secure. It needs to be unbreakable and unhackable. There can be no back doors.
The time for a move toward change is now. If we don't change, the very credibility of the email medium is at stake. If we don't change, governments are going to come in and mandate a solution that none of us want to live with. You can be sure of that.