About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion


License


    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Another thing invented by lawyers

By Dave Birch posted Feb 4 2008 at 10:05 AM
[Dave Birch] Over at SecureID News, Daniel Butler was asking whether digital identity can curb spam. Apart from reminding me that the first ever Internet e-mail spam came from a couple of lawyers in Phoenix -- who in April 1994 hired a programmer to post a message advertising their services around the U.S. green card lottery to thousands of newsgroups -- it also made me reflect yet again on why nothing is happening. The most obvious way forward would be to use encryption and signing: since both S/MIME and SSLv3 were standardised many years ago (in fact it's difficult to buy a mail package or web server that doesn't have them) it's a puzzle that we don't use them. Requiring all e-mail to be digitally-signed, and instructing mail servers to throw away any mail that didn't have a valid signature, would be an obvious way to stop spam from reaching inboxes, because it raises the cost of sending a spam e-mail from zero to very little: but that's enough.
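The rule proposed above (deliver only mail that carries a valid signature) can be tried with the OpenSSL command line; this script is an added example, not part of the original post. It assumes `openssl` is installed, and every name, address and message in it is constructed: throwaway self-signed certificates stand in for real S/MIME certificates, and the receiver trusts only `alice`.

```shell
#!/bin/sh
# Added example: gateway rule "deliver only mail with a valid S/MIME signature".
# All identities, addresses and messages below are constructed for the demo.
WORK=$(mktemp -d)

# make_identity NAME: throwaway key plus self-signed certificate
# (a stand-in for a real S/MIME certificate issued by a CA).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1@example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# sign_mail NAME IN OUT: clear-sign IN as a multipart/signed S/MIME message.
sign_mail() {
    openssl smime -sign -text -in "$2" -signer "$WORK/$1.crt" \
        -inkey "$WORK/$1.key" -out "$3" 2>/dev/null
}

# gate FILE: print "accept" only if the signature verifies AND the signer
# chains to a certificate in our trust file; everything else is "drop".
gate() {
    if openssl smime -verify -in "$1" -CAfile "$WORK/trusted.pem" \
        -out /dev/null 2>/dev/null; then
        echo accept
    else
        echo drop
    fi
}

make_identity alice      # known correspondent
make_identity mallory    # unknown sender with a self-made certificate
cp "$WORK/alice.crt" "$WORK/trusted.pem"   # the receiver trusts only alice

printf 'Please pay invoice 1001.\n' > "$WORK/body.txt"
sign_mail alice   "$WORK/body.txt" "$WORK/good.eml"
sign_mail mallory "$WORK/body.txt" "$WORK/untrusted.eml"
# Same signature, altered body: the digest no longer matches.
sed 's/invoice 1001/invoice 9999/' "$WORK/good.eml" > "$WORK/tampered.eml"
printf 'Subject: hi\n\nCheap pills\n' > "$WORK/unsigned.eml"

for m in good tampered untrusted unsigned; do
    printf '%-10s %s\n' "$m" "$(gate "$WORK/$m.eml")"
done
```

The `untrusted` case is the one that matters for the argument: a signature alone costs the sender almost nothing, so the gate only filters anything if the receiver also decides whose certificates it trusts.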

I was working for a multinational organisation recently on a project of a sensitive nature concerning a new product launch. The customer asked us (and all other suppliers and subcontractors) to make sure that all e-mail was encrypted and signed. This is a good policy. I don't think they were particularly worried that international hackers were monitoring the e-mail servers (although they might well have been) but they were concerned about information being sent to the wrong people. This happened to me only last week when I got an e-mail from a company that we work with. The e-mail contained minutes from a board meeting and an attachment concerning problems in meeting a service level agreement, and was meant for another Dave entirely. Naturally, I deleted the e-mail and informed the sender. This is just the sort of problem that would be solved if the mail had been encrypted to "the Board" (or whatever) and since I wouldn't have the key for "the Board" I wouldn't be able to read it. Anyway, we dutifully swapped the keys after a bit of messing around, and we were soon up and running. The secure regime lasted a week: after a few days we were asked to stop encrypting because encrypted e-mails were causing problems with the e-mail firewall (because it couldn't read them, obviously) and then after a few more days we were asked to stop signing as well because it was causing problems for Blackberry users in some way. Back to square one.

So what are we to do? We live in a world where you can't even send your personal data to Her Majesty's Revenue and Customs in encrypted form, where your bank can't send you a digitally-signed e-mail despite the fact that you can't buy an e-mail package that doesn't have S/MIME in it and confidential corporate data is left on laptops. I know it's Monday morning, but sometimes I think we're not making any progress at all. Are lawyers at the root of this problem?

I was at a discussion about privacy recently. The group were discussing a response to the Ministry of Justice Thomas/Walport data sharing review consultation. Pete Bramhall from HP sagely noted that the consultation document began with the statement that it assumed a familiarity with the Data Protection Act and other relevant legislation. How come, he pointed out, it did not assume a familiarity with rudimentary information technology, basic data security, elementary cryptography or, indeed, anything else that might help to develop a privacy-enhancing infrastructure for the modern world. Quite. Anything that comes out of this review will be by lawyers and for lawyers and, however much it may be subconscious, in the interests of lawyers.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

Comments

Apologies, as I don't really feel qualified to post this, but the Internet would probably cease to be if certain forms were not observed...

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
(X) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

(X) Users of email will not put up with it

I will. If other people want to carry on receiving spam, that's fine by me.

(X) The police will not put up with it

Why? Are they sending out a lot of spam? I don't understand this objection.

(X) Requires immediate total cooperation from everybody at once

No. It requires the co-operation of a few key people. I can easily show my brother how to turn on S/MIME in Outlook so that I will receive his mails.

(X) Lack of centrally controlling authority for email

But my plan doesn't call for this, so that's not really an objection. My plan calls for anyone sending me an e-mail to encrypt using my public key.

(X) Huge existing software investment in SMTP

I'm not sure you understand how S/MIME works, it has nothing to do with SMTP.

(X) Armies of worm riddled broadband-connected Windows boxes

These are, indeed, the foot soldiers in the arms race, but we only have to tilt the economics a little. If each of these boxes went from 1% utilisation sending spam to 100% utilisation sending spam (because of the need for asymmetric encryption), then one by one they might get turned off. But you're right: it's the numbers here that are a problem.

(X) Extreme profitability of spam

At zero cents per message. But at 0.01 cents per message? If a spammer has to buy a hundred PCs where he was using three before, that's what it amounts to.

( ) Extreme stupidity on the part of people who do business with spammers

This box should always be checked: I have no technological defence against people who genuinely believe that the widow of the late Nigerian strongman Abacha wants to give them a million dollars.

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

Well, there's always a first time. As I point out in the message, just turning on S/MIME doesn't work, but I can't help feeling that the answer is in here somewhere. We don't need to make spam impossible or even difficult. We just need to make it not free.

(X) Sorry dude, but I don't think it would work.

Thanks for joining in the debate, it's genuinely appreciated.

I've written many posts on getting S/MIME to work, as an exercise. I actually use it these days, and it is no surprise that it doesn't function in the market. Every couple of weeks it breaks down because of the assumptions. It's a good pedagogical tool, it is an important case study in how not to do it, because so much is wrong.

In contrast, Skype delivers a spam-free system, for free. To fix S/MIME, just draw a line from S/MIME across to Skype and start changing things. Every little thing, all things.

Pretty soon you discover the answer: leave. If you want to stop spam, don't change the tools, move somewhere where there is no spam.

The comments to this entry are closed.